Abstract

Existing healthcare data-sharing solutions often combine attribute-based encryption techniques with blockchain technology to achieve fine-grained access control. However, the transparency of blockchain technology may introduce potential risks of exposing access structures and user attributes. To address these concerns, this paper proposes a novel healthcare data-sharing scheme called HA-Med. By leveraging blockchain technology, HA-Med ensures the concealment of access policies and attributes, providing a secure solution for fine-grained access control of medical data. Furthermore, the scheme supports attribute revocation and forward secrecy to enhance user privacy. The security of HA-Med is rigorously verified through theoretical analysis, and its feasibility is demonstrated through experiments conducted using the Java-based JPBC library.

1. Introduction

Due to the rapid development of the Internet, the medical field has undergone tremendous changes, and electronic health records [1] have become widely used. Electronic health records encompass patients’ treatment records, condition status, and other medical documentation generated during treatment. They enable medical staff to easily access a patient’s past medical history online. However, with the increasing popularity of electronic health records [2], it has become increasingly challenging to store electronic medical records in hospitals due to the varying storage models. Additionally, integrating a patient’s medical data across different hospitals has proven difficult, leading to the introduction of cloud storage [3] as a solution to these issues. Nonetheless, the adoption of cloud storage has given rise to numerous privacy and security concerns, as many services are outsourced to third parties due to the semi-trusted nature of cloud service providers. When a patient uploads data to the cloud, the data are no longer under the direct control of the data owner, potentially resulting in tampering and significant data loss. Furthermore, if a malicious user tampers with a patient’s medical data, it may be challenging to trace the source of the tampering [4, 5].

In recent years, attribute-based encryption (ABE) has been widely used in healthcare in combination with cloud storage because it protects data privacy and provides fine-grained access control [6, 7]. According to the role of the access control policymaker, ABE can be divided into two categories: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE) [8]. In CP-ABE the policy is embedded in the ciphertext, so the data owner sets the policy that decides which attributes a user must hold to access the ciphertext, which is equivalent to enforcing encrypted access control on the data. Therefore, CP-ABE is more suitable than KP-ABE for electronic medical health record access [8].

Blockchain is decentralized, traceable, and transparent. Once data are on the chain, they cannot be tampered with, and malicious operations can be traced back to the users who performed them. These properties of blockchain can effectively protect the security of medical data and provide new ideas for solving the above problems [9, 10]. The combination of blockchain technology, cloud storage, and CP-ABE has now started to be applied to the medical field [11, 12].

But at the same time, a new problem arises. Due to the transparency characteristic of blockchain, the data on the chain can be viewed by all. When applying traditional CP-ABE for fine-grained access, the access structure is explicitly sent along with the ciphertext, which can potentially allow untrusted third parties to access the explicit attributes of the user in the access policy [13] and consequently infer important information. Since medical data contain a large amount of sensitive information about patients, compromising these data can lead to significant damage.

1.1. Policy Hiding

The current work on hiding access policies takes two forms: complete hiding [14] and partial hiding [15]. Complete hiding means that the attributes in the access policy are concealed so that the access policy does not reveal any attributes. Partial hiding involves concealing sensitive attributes in the access policy [16]. It can be observed that in terms of efficiency, partial hiding is more efficient than complete hiding, but complete hiding provides better privacy protection. This is particularly important when ABE is applied to medical care, as medical data contain a lot of private patient information, and compromising these data can lead to irreparable harm to patients. Additionally, when the policy is hidden, a new problem arises in that the user also does not know the values of the attributes in the access policy, requiring a verification algorithm to determine whether the user’s attribute set satisfies the access policy or not [13].

1.2. Attribute Hiding

Most current schemes involving ABE require the data user to provide a set of attributes used to obtain the key to an intermediate entity, such as an authority. However, if the intermediate entity is compromised, the attributes may be leaked, posing a significant threat to attribute privacy [17]. In this context, attribute privacy refers to the privacy of the user’s attribute set. Therefore, it is necessary to implement attribute hiding in the ABE scheme.

Therefore, to address the aforementioned issues, this paper proposes a secure blockchain-based scheme for concealing policies and attributes in medical data sharing. We design a verification method that combines bilinear pairing and predicate encryption to achieve policy and attribute hiding, named HA-Med, which ensures secure access to medical data while safeguarding the privacy of users and patients.

The contributions of this paper are as follows:
(i) In this paper, we propose a novel, trusted, and secure access control scheme for medical data called HA-Med. HA-Med introduces a new authentication method that addresses the issue of access policy and attribute exposure during ABE, achieving complete policy concealment while satisfying the access requirements of large universes.
(ii) Combining the blockchain with the authentication method proposed by the scheme resolves the issue of distributing permissions by a third party in traditional ABE, while simultaneously addressing the problem of overburdening the user with computation and storage in schemes that eliminate the third party.
(iii) The security of the proposed scheme was demonstrated theoretically, and its effectiveness was validated through comprehensive experiments.

2.1. Blockchain

Blockchain has been widely used in healthcare over the years due to its anonymity and immutability. Ivan [18] proposed that blockchain can be used as a method to secure health data storage. Chen et al. [19] proposed a personal healthcare data storage scheme based on blockchain and cloud storage. Ekblaw et al. [20] proposed a blockchain-based electronic health record management system called MedRec. Xia et al. [21] proposed a blockchain-based data-sharing framework called BBDS. Dagher et al. [22] proposed a secure blockchain-based medical record-sharing framework called Ancile, which employs smart contracts to enhance the access control functionality. Dubovitskaya et al. [23] proposed a blockchain-based framework for cancer patient care to manage and share EMR data. However, these solutions suffer from the problem of not having fine-grained access to the data. Zheng et al. [24] proposed a blockchain-based attribute encryption access control scheme in which an access control model with multiple authorization authorities is established. Sun et al. [25] proposed a blockchain-based case data-sharing model supporting fine-grained access, and this model uses ABAC to realize fine-grained access to cases in research institutions. Han et al. [26] proposed a traceable access control scheme for medical attribute passes to achieve traceability of the access process. However, although the above scheme realizes the fine-grained access control of medical data, the policies and attributes are not hidden, which exposes the user’s privacy.

2.2. CP-ABE

ABE has also been widely used in recent years as it provides fine-grained access to data. Riad et al. [27] proposed an access control mechanism that adaptively assigns appropriate permissions based on user roles. Wei et al. [28] proposed an encryption method based on revocable storage hierarchical attributes. Pournaghi et al. [12] proposed a scheme for medical data sharing called MedSBA. This scheme is based on blockchain, CP-ABE, and KP-ABE. Liu et al. [29] proposed a blockchain-assisted searchable ABE scheme with efficient undo performance. Deb et al. [11] proposed a scheme that combines blockchain and property-based encryption to preserve information about patients suffering from a novel coronavirus. Guo et al. [30] proposed an outsourced and online/offline revocable ciphertext policy attribute encryption scheme for medical Internet applications. However, although the above schemes can achieve fine-grained access to medical data, an attacker can infer many privacy attributes from the access policy in the ciphertext, which can lead to the exposure of patients’ sensitive privacy. Li et al. [31] proposed a controlled and regulated privacy protection scheme for blockchain multiorganizational transactions based on attribute encryption. This scheme achieves fine-grained access control but suffers from the problem of distributing attributes by third-party authoritative centers, which distribute attributes to the members of the system, creating a corresponding privacy and security problem. Feng et al. [32] proposed a blockchain data-sharing scheme based on localized differential privacy and attribute-based searchable encryption, which can withstand attacks from untrustworthy third parties. However, the computational burden on users in this scheme is too heavy and not very practical.

2.3. Attribute and Policy Hiding

As the application of CP-ABE for medical data sharing becomes more widespread, related security issues arise because most CP-ABE schemes embed attribute values into ciphertexts, and attackers can easily infer private attributes from ciphertexts, leading to the exposure of patients’ privacy. Lai et al. [33] proposed a method to hide access policy by inner product encryption, which achieves complete policy hiding and is proven to be completely secure. However, the scheme applies to small universes, and in short, the key becomes larger with the increase in the number of attributes, making it less scalable and unsuitable to be combined with blockchain due to its high scalability requirement. Hur [34] proposed a hidden access structure applied to smart grids in which the access policy can be represented by an arbitrary access formula. However, in this scheme, the length of the private key possessed by the user is too long, greatly increasing the storage burden of the user, and there is no security proof to demonstrate the security of this scheme. Gao et al. [17] proposed a completely secure blockchain-based policy-hiding scheme called TrustAccess, which resolves the problem of centralization and a small universe. Nonetheless, in this scheme, the ciphertext is stored locally by the data owner, i.e., the patient, who is also responsible for generating the key. When applied to a medical data-sharing system, it is impractical due to the huge amount of medical data, which cannot be handled by ordinary devices such as the patient’s cell phone. Michalevsky and Joye [35] proposed an ABE scheme for hiding attributes, which supports conjunctions, disjunctions, and threshold policies. However, in this scheme, although the entire set of attributes is hidden, the attributes controlled by the attribute authority are still displayed.

3. Preparations

First, we present the symbols used in this paper in Table 1.

3.1. Blockchain

The blockchain originated from the Bitcoin system proposed by Satoshi Nakamoto in 2008 [36]. The consortium blockchain requires permission for nodes to join the network and is jointly maintained by all nodes, with some of the nodes assumed to be trusted [37, 38]. The scheme in this study uses a consortium blockchain. Structurally, each data block consists of a block header and a block body. To ensure data integrity and tamper resistance, each block header contains the cryptographic hash of the previous block, while the block body contains detailed information about the transactions. An important component of the blockchain is the consensus algorithm: since nodes do not trust each other, they need a consensus algorithm to agree on updates to the data [38, 39]. Most current consortium blockchains use the PBFT algorithm, which is based on the Byzantine generals problem and has the advantages of highly consistent consensus results and fast confirmation [40]. The consensus algorithm used in this scheme is the PBFT algorithm.

3.2. Composite Order Bilinear Groups

The use of composite order bilinear groups in algorithms such as encryption in this scheme was first introduced by Boneh et al. [41].

Definition 1 (Composite Order Bilinear Groups). Let and be multiplicative cyclic groups of order , where are distinct prime numbers. is a mapping, where , , to denote the subgroups of with order , and , respectively, can be obtained as  ×  × , and for any , have with the following properties:(1)Bilinearity: .(2)Nondegeneracy: , such that has ordered in .(3)Computability: ∀, there exists a polynomial-time algorithm associated with a given safety constant λ that can efficiently compute .

3.3. Attribute Sets and Access Policies

Definition 2 (Attribute Sets and Access Policies [17, 36]). First associate each attribute with a unique element , which is implemented with the collision-resistant hash function H. Let the matrix of be the possible attributes, where vectors . is the possible value of the attribute in the ith attribute category, so when the user’s attribute set is , it can be expressed as , where . If there is an access policy , where , the set of attributes matches the access policy, then when and only when .

3.4. Inner Product Predicate

The access policy is represented as a tree structure. The following describes how the access policy is represented as an equation and how the set of attributes is represented as a vector. It is first known that the set of attributes is representable as a vector of elements, where denotes the class of the attribute and denotes the number of attribute values [17, 42].

Define that predicates and can be encoded as polynomials if .

Defining the predicate or can be encoded as a polynomial, if or .

Here is an example to illustrate how to represent the access policy by a polynomial and the set of attributes by vector. Suppose there are  = 3 classes of attributes in a healthcare data-sharing system, section, position, and title, respectively,  = 1, so the access structure is as follows:

. Then, the access structure can be expressed by the following polynomial:when the user has an attribute set of

. Then, the set of attributes of the user can be represented by the following vector:

3.5. System Framework
3.5.1. System Model

As shown in Figure 1, in the HA-Med system, there are five entities involved, which are the data owner (DO), data user (DU), blockchain (CB), trusted authority (TA), and cloud system (CS).

(1) Data Owner (DO). The DO is the patient, the entity that generates the medical data. The DO is responsible for developing the access policy, as well as encrypting the data. All ciphertexts are sent to the CS. To achieve secure access control, the DO sends the ciphertext address and access structure polynomial to the CB by storing the transaction.

(2) Data User (DU). The DU is a hospital, medical research center, etc. The DU uses a private identity key to send the attribute set of a hidden access structure to the CB and TA for verification. If it meets the access policy, then the DU can obtain the key and decrypt the medical data.

(3) Blockchain (CB). The consortium blockchain selected in this scheme is a peer-to-peer network, a distributed platform for recording storage and access transactions, consisting of DO, DU, and a selected trusted institution TA. Due to the immutability and data recording characteristics of the blockchain, medical data can be securely shared and collaborated through the blockchain. Additionally, the blockchain enables secure and transparent access control, thereby ensuring the security of medical data. Moreover, the blockchain can also achieve traceability of medical data, allowing the source and usage of data to be traced and verified.

(4) Trusted Authority (TA). Trusted authorities (TA) are, for example, government agencies and trusted third parties selected by the blockchain consensus algorithm. They generate public parameters for the system and perform off-chain verification. If the hidden access policy and attributes are matched successfully, the key is generated for the DU, and the TA does not know the access policy and attributes during the verification process.

(5) Cloud Storage System (CS). The DO stores encrypted medical data and an encrypted symmetric key on the cloud. When the DU has the decryption key, the cloud returns the data to the patient’s address for decryption.

3.5.2. Overview of the Scheme

(1) Initialization Phase. This phase initializes the system parameters, such as the composite-order bilinear group. The DO and DU generate the public and private keys for signing transactions in this phase.

(2) Encryption Phase. First DO decides its access structure based on a set of attributes and then encrypts the medical data using a symmetric key to obtain , next encrypts the symmetric key with the encryption algorithm to get the ciphertext , upload and to the cloud storage, and the cloud returns to the DO storage address.

(3) Verification Stage.
(1) The DO registers transactions that send encrypted access policies to the blockchain.
(2) All the DUs who want to access the medical data send the stored transactions with encrypted attributes to the blockchain.
(3) The TA receives both transactions and gets the encrypted access policy and attributes for off-chain matching.
(4) The TA generates a decryption key for the DU.

(4) Decryption and Access Phase.
(1) When the DU gets the decryption key, it requests the ciphertext from the CS.
(2) The CS returns the ciphertext to the DU, and the DU decrypts the symmetric key, which is then used to decrypt and access the medical data.

The exact process is described in detail in Section 5.

3.5.3. Algorithms Overview

(1) Initialization. . This phase initializes the parameters in the system, and the trusted authority TA runs the algorithm to generate the public key and the master key.

(2) Encryption. DO run the encryption algorithm to generate the encrypted ciphertext . To achieve the hiding of the access policy, the access structure is not embedded in the ciphertext, and it is decrypted only for users who conform to the access policy.

(3) Key Generation. . When the TA verifies that the DU attributes match the DO access policy, run the algorithm and enter the public key and the master key , generate a key for the DU that can decrypt the ciphertext and issue it to the DU.

(4) Decryption. . When DU gets the decryption key, it will request the ciphertext from CS, CS returns the ciphertext to DU, and DU decrypts it.

3.5.4. Security Model

Since this scheme uses a consortium blockchain, each node is considered honest but curious [43]: the nodes follow the protocol of this scheme but also try to learn as much secret data as possible [17]. The security model is given below as a security game between a challenger and an adversary, based on [42]:

(1) Setup. The challenger runs an algorithm to obtain the public key and the master key . The public key is given to the adversary, and the master key is kept by itself.

(2) Inquiry Phase 1. The adversary adaptively queries the challenger for the key and, in response, the challenger runs the algorithm to generate the key for the adversary.

(3) Challenge. The adversary submits two messages and two restricted access structures . These policies cannot be satisfied by any of the attribute sets being queried. The challenger chooses a random bit and runs and sends as a challenge ciphertext to the adversary.

(4) Query Phase 2. The adversary continues to adaptively query the challenger for the key, with the added restriction that none of these attributes satisfy the restricted access structures.

(5) Guess. The adversary outputs a guess for β, . If , wins the game.

In this game, the adversary’s advantage is defined as , where the probability is taken over the random bits used by the challenger and the adversary.

Definition 3. If any polynomial-time adversary has at most a negligible advantage in this security game, then the proposed CP-ABE with hidden policies and attributes is completely secure.

3.6. Detailed Solutions

In this section, the detailed construction of the HA-Med scheme is described.

3.6.1. Initialization Phase

Taking the safety parameter λ as input and running the group generator G () gives and are cyclic groups of order . algorithm run by TA, It selects generators and of and , respectively. Then, randomly selects , and chooses and uniformly at random to obtain the public key.

The master key is as follows:

3.6.2. Encryption Phase

In this phase, the DO decides on a set of access policies .  = (), which . First, DO encrypts the medical data with the symmetric key to get ciphertext . the algorithm is run by the DO, which first randomly selects . Then, choose randomly and calculate , , when then calculate the following:

The final generation of ciphertext . DO uploads and to the cloud storage and the cloud returns to the DO storage address.

3.6.3. Verification Phase

This phase is divided into four parts: the registration of transactions containing hidden access policies and attributes for DU and DO, the verification of DU compliance with DO’s access policies, and key generation by TA.

(1) Generating Txst Storage Transactions. First, DO generates the transaction as follows:where is the identification of the transaction; is the digital signature generated by the DO’s private key registered in the CB; is a polynomial expression of the access structure; is the full check digit of the ciphertext, used to ensure the integrity of ciphertext; is the address where the ciphertext is stored in the cloud.

(2) Generating Txac Access Transactions. When DU wants to request access to medical data, it first multiplies the elements in the vector generated by the attribute set by the same factor , where , get , For example, when  = (, , , , , , , 1) obtain  = (, , , , , , , ) generate the transaction as follows:where is the transaction identifier; is the digital signature generated by DU’s private key registered in CB; is the attribute hiding vector; is the address of the medical data that DU requests to access.

(3) Verification. and are broadcast to the CB, respectively, if the attributes of DU satisfy the access structure of DO, then it is known that the elements in the DU attribute vector are solutions of the polynomial of the access structure of DO, then TA performs the following operations after receiving.

For example , set  = 0 and perform the following operation:

Then, TA verifies whether can make the equation hold.

(4) Key Generation. When the TA verifies that the DU matches the DO access structure, a key is generated for the DU and the algorithm is run. Randomly choose , where and set , then calculate the following:

The key is obtained as follows:

(5) Decryption Phase. This stage is the DU decryption stage; when the DU conforms to the access policy to get the access key, the DU requests medical data from the CS; at this time, the CS will return to DU and . First DU runs the algorithm to get the symmetric key .

After getting the symmetric key, decrypt the medical data with the symmetric key .
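The encoding of Section 3.4 and the zero test of verification step (3), as an added example that is not code from the paper: it uses the standard inner-product predicate encoding (OR as a product, AND as a random linear combination) over a prime field, which is an assumption because the paper's formulas are not reproduced on this page. The policy, the attribute values, the modulus `P` and all function names are constructed for illustration, and the pairing-based encryption and the on-chain transactions are not modelled.

```python
import hashlib
import secrets
from itertools import product

# Assumption: a prime modulus stands in for the group order of the scheme;
# the composite-order group and the pairings are not modelled here.
P = 2**127 - 1
CATEGORIES = ("section", "position", "title")  # the n = 3 classes of the page's example
N = len(CATEGORIES)
D = 1  # highest power of each variable that the fixed-length vectors can carry
# Exponent tuples of every monomial; the constant monomial (all zeros) is last.
MONOMIALS = list(product(range(D, -1, -1), repeat=N))


def h(category, value):
    """Map one attribute to Z_P with a collision-resistant hash (SHA-256 here)."""
    digest = hashlib.sha256(f"{category}={value}".encode()).digest()
    return int.from_bytes(digest, "big") % P


def eq(category, value):
    """Predicate x_i == H(value), encoded as the polynomial x_i - H(value)."""
    exps = [0] * N
    exps[CATEGORIES.index(category)] = 1
    return {tuple(exps): 1, (0,) * N: -h(category, value) % P}


def poly_or(f, g):
    """f OR g: the product f*g vanishes when either factor vanishes."""
    out = {}
    for mf, cf in f.items():
        for mg, cg in g.items():
            m = tuple(a + b for a, b in zip(mf, mg))
            out[m] = (out.get(m, 0) + cf * cg) % P
    return out


def poly_and(f, g):
    """f AND g: r1*f + r2*g with fresh random r1, r2 vanishes when both
    vanish, and otherwise only with probability about 1/P."""
    r1 = secrets.randbelow(P - 1) + 1
    r2 = secrets.randbelow(P - 1) + 1
    out = {m: r1 * c % P for m, c in f.items()}
    for m, c in g.items():
        out[m] = (out.get(m, 0) + r2 * c) % P
    return out


def coeff_vector(poly):
    """Policy side: the polynomial's coefficients laid out in MONOMIALS order."""
    extra = set(poly) - set(MONOMIALS)
    if extra:
        raise ValueError(f"policy exceeds degree {D} per variable: {sorted(extra)}")
    return [poly.get(m, 0) for m in MONOMIALS]


def attr_vector(attrs):
    """User side: every monomial evaluated at the hashed attribute values."""
    xs = [h(c, attrs[c]) for c in CATEGORIES]
    vec = []
    for m in MONOMIALS:
        term = 1
        for x, e in zip(xs, m):
            term = term * pow(x, e, P) % P
        vec.append(term)
    return vec


def blind(vec):
    """Multiply every entry by the same random factor s with 2 <= s < P."""
    s = secrets.randbelow(P - 2) + 2
    return [s * v % P for v in vec]


def matches(policy_vec, attr_vec):
    """Zero test: the inner product is 0 mod P when the attributes satisfy
    the policy; scaling attr_vec by a nonzero factor does not change that."""
    return sum(c * v for c, v in zip(policy_vec, attr_vec)) % P == 0


if __name__ == "__main__":
    # Constructed policy: (section = cardiology AND position = doctor) OR title = chief
    policy = coeff_vector(poly_or(
        poly_and(eq("section", "cardiology"), eq("position", "doctor")),
        eq("title", "chief")))
    # Constructed users for the demonstration.
    users = {
        "cardiology doctor": {"section": "cardiology", "position": "doctor", "title": "intern"},
        "oncology chief": {"section": "oncology", "position": "nurse", "title": "chief"},
        "cardiology nurse": {"section": "cardiology", "position": "nurse", "title": "intern"},
    }
    for name, attrs in users.items():
        print(name, matches(policy, blind(attr_vector(attrs))))
```

The verifier in this sketch sees only the coefficient vector and a scaled vector of hashed monomials, which is the algebraic part of what the TA checks; a policy that tests one category against two values has degree 2 in that variable and is rejected by `coeff_vector` while `D = 1`.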

3.7. Security Analysis
3.7.1. Privacy

The current access control scheme, based on the combination of attribute encryption and blockchain, directly stores the attributes and access policies on the blockchain, leading to potential privacy leakage due to the transparency of the blockchain. In HA-Med, access policies and attributes are initially hidden through polynomials and vectors, preventing eavesdroppers from accessing them. Additionally, although third-party verification is involved, they only receive hidden access policies and attributes during verification and cannot obtain the actual data. They solely perform calculations, and sensitive data such as attributes and access structures are not exposed. Finally, the data transmitted to the blockchain is only the hidden data, thus eliminating the risk of exposure.

3.7.2. Integrity

In this scheme, the TA can get the complete data to prevent the tampering of the data address on the chain. The complete ciphertext checksum is included in the transaction, so the integrity of the ciphertext can be checked by the ciphertext checksum at any time.

3.7.3. Traceability

Because this solution introduces blockchain, which is traceable, any access by DU is recorded as immutable stored transactions for traceability and accountability. In addition, DO can know all access records of DU, including who accessed the data and what data were accessed.

3.7.4. Security Analysis of CP-ABE with Hidden Attributes and Access Structures

The security proof of this scheme is based on the following several complexity assumptions, where Assumptions 1, 2, and 3 are the same as those in [17, 33, 44, 45], and Assumption 4 is the same as those in [17, 33, 44, 46], and these assumptions are also used to prove security in the above paper, as described below:

Assumption 1. Given a group generator G, the following distribution is then defined.
G, ,
, ,
The advantage of algorithm A in breaking this assumption is defined as follows:

Definition 4. If is negligible for any probabilistic polynomial-time algorithm A, then G satisfies Assumption 1.

Assumption 2. Given a group generator G, the following distribution is then defined.
G, , , , ,
, , ,

The advantage of algorithm A in breaking this assumption is defined as follows:

Definition 5. If is negligible for any probabilistic polynomial-time algorithm A, then G satisfies Assumption 2.

Assumption 3. Given a group generator G, the following distribution is then defined.
G, , , , ,
,

The advantage of algorithm A in breaking this assumption is defined as follows:

Definition 6. If is negligible for any probabilistic polynomial-time algorithm A, then G satisfies Assumption 3.

Assumption 4. Given a group generator G, the following distribution is then defined.
G, , , , , , , ,
The advantage of algorithm A in breaking this assumption is defined as follows:

Definition 7. If is negligible for any probabilistic polynomial-time algorithm A, then G satisfies Assumption 4.

Theorem 1. The proposed CP-ABE with hidden access structure and policy is completely secure if G satisfies Assumptions 1, 2, 3, and 4.

Proof. The proof of security is given in the appendix.

3.8. Analysis of Performance

In this section, separate theoretical and experimental analyses are performed to evaluate the performance of HA-Med. Some of the relevant symbols used are shown in Table 2.

3.8.1. Theoretical Analysis

In Table 3, this scheme is compared with some related schemes [12, 28, 29, 47] in five aspects: access policy, support for policy hiding, auditability, forward secrecy, and attribute revocation. In Table 2, it can be seen that although [12] achieves a trusted access process by combining with blockchain, the access policy and attributes are sent directly to the blockchain, whose transparency can cause privacy leakage for users and data owners. The scheme in [29] is an access control scheme that combines with blockchain and distributes keys through consensus nodes, which solves the problem of third parties, but it does not have forward confidentiality, and because of the transparency of blockchain and the absence of policy hiding it can leak access policies and user attributes. The scheme in [47] achieves attribute and access policy hiding but does not have forward confidentiality or attribute revocation. The scheme in [28] achieves secure sharing of EHRs with attribute revocation by combining with public clouds, but it does not achieve the same privacy protection for attributes. The proposed HA-Med scheme improves the schemes of Phuong et al. [47] and Gao et al. [17] to achieve a blockchain-based attribute-hiding medical data-sharing scheme.

As for the computational cost of the HA-Med scheme, in terms of encryption, the symmetric encryption algorithm is first performed once by the DO, and then N + 2 powers are taken in . In [29], one symmetric encryption algorithm is performed followed by taking 4N + 2 powers and one power in and , respectively. For key generation, only N + 1 powers in are needed. In [47, 48], we also need to take more powers in , respectively; in decryption, DU first performs N + 1 pairing operations and then decrypts the ciphertext by performing one symmetric decryption. In [29, 47, 48], the pairing operations of constant order are also required, respectively. In Table 4, this scheme is compared with [29, 47, 48], and it can be seen that the computational costs are all within a reasonable range.

In conclusion, the above theoretical analysis shows that HA-Med achieves better security, exhibits better functionality, protects patient and user privacy, and enables easy access to medical data without any increase in computational cost compared to other solutions.

3.8.2. Experimental Analysis

The consensus algorithm has a significant impact on the efficiency of the blockchain. In HA-Med, we have adopted the PBFT consensus algorithm to improve efficiency. Additionally, in our system, we do not store the ciphertext on the blockchain; instead, we store the ciphertext address on the blockchain, which also enhances the scalability of the blockchain. Given that the focus of this scheme is on the security and performance of ABE, the main emphasis is on the efficiency of ABE.

The implementation of this solution uses the JPBC library in Java, and the experiments were carried out on a Windows 10 laptop with a 2.70 GHz Intel(R) Core(TM) i5-7200U CPU and 8 GB RAM. Comparative experiments were conducted on ABE algorithms, specifically comparing the encryption, key generation, and decryption phases with the schemes proposed by Lewko and Waters [49] and Lai et al. [33]. HA-Med introduces attribute-hiding functionality compared to the scheme by Lewko and Waters [49], and it satisfies the large universe access requirement compared to the scheme by Lai et al. [33], thereby enhancing scalability. The experimental results are presented in Figures 2–4. As depicted in the figures, the encryption time, key generation time, and decryption time all increase with the number of attributes. HA-Med demonstrates shorter processing times compared to the schemes proposed by Lewko and Waters [49] and Lai et al. [33]. Overall, it is evident that this solution achieves complete hiding of access policies and attributes within a reasonable CP-ABE algorithm time frame, ensuring the security of data owners and users.

4. Conclusion

In this paper, we propose a healthcare data access control scheme that achieves fine-grained access control while integrating with blockchain for improved scalability. We introduce a verification method to address the privacy leakage problem of user attributes and access policies in the current CP-ABE scheme, achieving complete policy hiding, forward confidentiality, and attribute revocation. Additionally, traceability is achieved by registering transactions on the blockchain to access medical data. Considering the large size of realistic medical data, storing the data in the cloud instead of on the user side reduces the storage overhead for the user. Finally, theoretical and experimental analysis demonstrates the feasibility of this scheme, showing better security and higher scalability than existing schemes. However, HA-Med still has shortcomings in the efficiency of the verification method, and future work will primarily focus on improving the efficiency of the verification method.
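The storage and traceability design described in Sections 3.8.2 and 4 (ciphertext kept in the cloud, only its address and the access transactions recorded on-chain) is illustrated below. This is an added example, not HA-Med's own code: the SHA-256 content-derived address, all class and function names, and the single-node hash-chained ledger standing in for the PBFT blockchain are assumptions, and the ABE ciphertext is treated as an opaque byte string.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(prev: str, record: dict) -> str:
    body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return sha256_hex(body.encode())

class CloudStore:
    """Semi-trusted off-chain storage holding ciphertext keyed by address."""
    def __init__(self):
        self.blobs = {}
    def put(self, ciphertext: bytes) -> str:
        address = sha256_hex(ciphertext)  # assumption: content-derived address
        self.blobs[address] = ciphertext
        return address

class Ledger:
    """Append-only record chain; each block commits to the previous block."""
    def __init__(self):
        self.blocks = []
    def append(self, record: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "record": record,
                            "hash": block_hash(prev, record)})
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["record"]):
                return False
            prev = b["hash"]
        return True

def fetch(ledger: Ledger, cloud: CloudStore, record_id: str, requester: str) -> bytes:
    """Resolve the on-chain address, register the access, verify the cloud copy."""
    address = next(b["record"]["address"] for b in ledger.blocks
                   if b["record"]["type"] == "store" and b["record"]["id"] == record_id)
    ledger.append({"type": "access", "id": record_id, "by": requester})
    blob = cloud.blobs[address]
    if sha256_hex(blob) != address:
        raise ValueError("cloud ciphertext does not match the on-chain address")
    return blob

def access_log(ledger: Ledger, record_id: str) -> list:
    """Who requested this record, in order, as registered on the ledger."""
    return [b["record"]["by"] for b in ledger.blocks
            if b["record"]["type"] == "access" and b["record"]["id"] == record_id]
```

Because the access is registered before the integrity check, a request that hits a tampered cloud copy still leaves a trace on the ledger.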

Appendix

Security Proof CP-ABE on Hiding Strategy

Proof. To prove the security of CP-ABE for our proposed hiding strategy, we use the dual-system encryption technique introduced by Waters [50]. We first define two additional structures, a semi-functional ciphertext and a semi-functional key. These two structures are not used in the actual system; they are used only in our proof.
Semi-functional ciphertext. Let denote the generating element of the subgroup . Create a semi-functional ciphertext as follows: first, generate a normal ciphertext using the encryption algorithm as follows:

Then, when , we randomly choose ; the final semi-functional ciphertext is as follows:

Semi-functional key. Let denote the generating element of the subgroup . Create a semi-functional key as follows: first, generate a normal key using the key generation algorithm as follows:

Then, when 1 ≤ i ≤ n, we randomly choose the indices ; the final semi-functional key is as follows:

We will use the following series of games to prove security by a hybrid argument. The first game, , is the real security game, where both the ciphertext and the key are secure. In (or ), the key is normal and the ciphertext is semi-functional. In , the ciphertext is semi-functional, the first k keys are semi-functional, and the rest are normal. In , all ciphertexts and keys are semi-functional, but the ciphertext is a semi-functional encryption of a random message and not a message provided by the adversary. In , the game is the same as , except that the ciphertext is independent of what the adversary provides , so the adversary’s advantage in cannot be greater than 0.

Our proof requires the following four lemmas, which are formally described below:

Lemma A.1. Suppose G satisfies Assumption 1, then and are indistinguishable.

Proof. Assume that algorithm A can distinguish between and . Then we construct an algorithm B that has a nonnegligible advantage in breaking Assumption 1. B is given , and A simulates and .

B randomly selects , sets , , , , and sends the public key to A.

B can run the key generation algorithm to generate a normal key in response to A’s key request. A sends B two messages of equal length and two access policies . B randomly selects and performs the following actions:
(1) B randomly selects , , and .
(2) B calculates , and when , , and calculates the following:
(3) B sets the challenge ciphertext at this time and sends it to A.

If , then let , , and when , calculate

Therefore, the ciphertext is semi-functional, and B simulates .

If , the ciphertext is the normal ciphertext, and B simulates . Finally, B uses the output of A to distinguish the possibilities for T.

Lemma A.2. Suppose G satisfies Assumption 2, then and are indistinguishable.

Proof. Suppose that an algorithm A can distinguish between and . Then we construct an algorithm B that breaks Assumption 2 with a nonnegligible advantage. B is given , and A simulates and .

B randomly selects , sets , , , , and sends the public key to A. B knows the master key . Next, we explain how B answers the query for the jth key.

For , B creates a semi-functional key by uniformly choosing , where , setting , and calculating . Note that this is a properly distributed semi-functional key.

For , B runs the key generation algorithm to generate a normal key.

For , B creates a semi-functional key by uniformly choosing , where , and setting , when is calculated as follows:

This is a semi-functional key. If , it is a normal key.

At some point, A sends two messages of equal length and two access policies to B. B randomly selects and performs the following actions:
(1) B randomly chooses and .
(2) B calculates , and when , , and , computes the following:
(3) B sets the challenge ciphertext at this point and sends it to A.

If , then let , , , and when calculate

If , B simulates . If , B simulates . Finally, B uses the output of A to distinguish the possibilities for T.

Lemma A.3. Suppose G satisfies Assumption 3, then and are indistinguishable.

Proof. Assume that algorithm A can distinguish between and . Then we construct an algorithm B that has a nonnegligible advantage in breaking Assumption 3. B is given , , , and A simulates and .

B randomly selects , sets , and sends the public key to A.

B randomly selects , sets to create a semi-functional key, and then calculates . Note that this is a properly distributed semi-functional key.

At some point, A sends two messages of equal length and two access policies to B. B randomly selects and performs the following actions:
(1) B randomly chooses and .
(2) B calculates , and when and , computes the following:
(3) B sets the challenge ciphertext at this point and sends it to A.

Setting . When and calculate

If , this is a properly distributed semi-functional encryption of , and B simulates ; if , this is a properly distributed semi-functional encryption of a random message in , and B simulates . Finally, B uses the output of A to distinguish the possibilities for .

Lemma A.4. Suppose G satisfies Assumption 4, then and are indistinguishable.

Proof. Assume that algorithm A can distinguish between and . Then we construct an algorithm B that has a nonnegligible advantage in breaking Assumption 4. B is given , , , and A simulates and .

B randomly chooses , sets , , and sends the public key to A.

B randomly chooses , , sets , creates a semi-functional key, and then calculates , . If we let , we can get , which . Note that this is a properly distributed semi-functional key.

At some point, A sends two messages of equal length and two access policies to B. B randomly selects and performs the following actions:
(1) B randomly chooses and .
(2) B calculates , and when computes the following:
(3) B sets the challenge ciphertext at this point and sends it to A.

Setting and , when and calculate

When , B simulates ; when , B simulates . Finally, B uses the output of A to distinguish the possibilities for .

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the Natural Science Foundation of Hebei Province under grant number F2021201052.