Abstract

The recent advent of cloud computing provides a flexible way to effectively share data among multiple users. Cloud computing and cryptographic primitives are changing healthcare in unprecedented ways by providing cost-effective real-time data sharing. Sharing various data items from different users with multiple sets of legitimate subscribers in the cloud environment is a challenging issue. The online electronic healthcare system requires multiple data items to be shared by different users for various purposes. In the present scenario, COVID-19 data is sensitive and must be encrypted to ensure data privacy. Secure sharing of such information is crucial. The standard broadcast encryption system is inefficient for this purpose. Multichannel broadcast encryption is a mechanism that enables efficient, secure sharing of different messages with different sets of users. We propose an efficient and secure data sharing method with shorter ciphertext in the public-key setting using asymmetric (Type-III) pairings. The Type-III setting is the most efficient among all pairing types in terms of operations required and security. The semantic security of this method is proven under the decisional BDHE complexity assumption without the random oracle model.

1. Introduction

Cloud computing is a new paradigm of computing system that has revolutionized many sectors of Government and corporate such as academic, healthcare, online social networking, banking, and automobile. To enhance productivity, all these sectors consider data sharing as a vital tool to overcome the time and location constraints of resource usage such as computing power or data storage according to the need of users. Cloud computing environment provides large storage capacity and strong computation power. Thus, it brings ultimate convenience to the legitimate users. The outstanding advantage of cloud computing is that cloud service users can use their computing resources as a service with minimal cost at any time through the Internet that transcends geographical limits. Software as a Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS) and Data-as-a-Service (DaaS) [1] are the four major services offered by cloud. Different cloud models support different services. There are many advantages in cloud, one of which is virtualization. Virtualization is also one of the strong pillars of cloud computing. Cloud computing system helps multiple users across the world to share and exchange their data in secure manner. Data sharing service is regarded as the most exciting use-case of cloud storage system, which has become the most important area in cloud computing. Apple’s iCloud, Microsoft’s Azure [2], and Amazon’s S3 [3] are renowned for offering a more flexible and easy way to share data over the Internet. Despite this, they are susceptible to various security threats, which are the primary concerns of cloud users [2]. Security threats from external adversary are a bit obvious. However, nowadays, data owners outsource their data in the cloud server and want to share these data securely with other legitimate cloud users; various cryptography techniques can be adopted to enhance the secure exchange of data among subscribed users.

1.1. Problem Formulation

Consider an online e-healthcare system (Figure 1) where the data of patients such as COVID-19 data and OPD data from various data owners (doctors from several hospitals) are collected and uploaded to the centralized storage server, say cloud server, in encrypted form for security perspective, using a key, given by some authority such as hospital consortium. This is an example of data in transit. If this issue is not taken into consideration, the patients may suffer from enormous consequence of information leak. Recently millions of user data have been compromised. As per Government guidelines, there is a necessity to keep COVID-19 data private and secure.

In addition to COVID-19 and OPD data of patients, online healthcare system consists of doctors data, healthcare workers data, hospital data, pharmaceutical data, and so forth. Such crucial data uploaded in encrypted form are supposed to be analyzed and used by different legitimate data users; for example, due to this pandemic, a doctor could use information of patients to provide treatment and follow-up remotely, and a researcher/scientist at the research center could analyze patients record to find new symptoms appearing in patients. Based on their observation, they come up with the solutions and prevention methods. A business intelligence professional (BIF) could analyze patients records to generate the visualization of periodic health analysis report. A patient could search for a doctor (specialist) of their interest for better healthcare. An insurance company could use hospital data and pharmaceutical data for mediclaim disbursement and so forth. To accomplish all these tasks, the encrypted data stored on the server must be shared in efficient and flexible manner. However, an online healthcare system consists of multiple disjoint entities for data generation and data access. Since online healthcare data most of the time resides in shared environments, ensuring sharing and accessing the data securely on the cloud is a nontrivial task. One way to share data among a group of legitimate subscribers is broadcast encryption. Transmitting data to many groups of subscribers needs multiple instances of broadcast encryption which is highly inefficient. Multichannel broadcast encryption (Figure 2) is the efficient solution for sharing multiple data among multiple groups of legitimate subscribers in the cloud environment.

For example, we assume that our system model has 4 databases (m = 4): COVID-19 patient data, OPD patient data, doctors’ data, and hospital data. The maximum number of subscribers for each database is 50 (n = 50). Assume that Alice (User1) is a doctor, Bob (User2) is a researcher or scientist, Kim (User3) is a BI professional, and Ram (User4) is an officer from an insurance company. If Dr. Alice is required to share COVID-19 patient data and OPD patient data, she subscribes to databases 1 and 2 and receives the corresponding decryption keys from the hospital consortium. Bob wants to access COVID-19 data; he subscribes to database 1. Kim requires COVID-19 patient data, OPD patient data, doctors’ data, and hospital data for making dashboards; she subscribes to databases 1, 2, 3, and 4. Ram requires doctors’ data and hospital data for mediclaim and so forth; he subscribes to databases 3 and 4. The broadcaster encrypts data for the subscribers Alice, Bob, Kim, and Ram, using public parameters provided by the hospital consortium. The broadcaster creates four target sets as follows:

(i) Set corresponding to database 1 (COVID-19 patient data), which is intended for Alice (User1), Bob (User2), and Kim (User3). The session key would be . The legitimate subscribers are given as  = {User1, User2, User3}.
(ii) Set corresponding to database 1 (OPD patient data), which is intended for Alice (User1) and Kim (User3). The session key would be . The legitimate subscribers are given as  = {User1, User3}.
(iii) Set corresponding to database 1 (doctors’ data), which is intended for Kim (User3) and Ram (User4). The session key would be . The legitimate subscribers are given as  = {User3, User4}.
(iv) Set corresponding to database 1 (hospitals data), which is intended for Kim (User3) and Ram (User4). The session key would be . The legitimate subscribers are given as  = {User3, User4}.

In the above example, we have four subsets . Thus, here targeted set of subscribers t  = 4, where . The detailed mathematical description of the scheme is presented in Section 3.

Another scenario could be an online academic system where online exam papers are distributed by some central authority. Let us take an example of Language paper; suppose that central authority of exam has to take 28 language papers corresponding to various states. The authority wants to send these exam question papers to authorised exam centers in a secure way. Multichannel broadcast encryption provides an efficient way for solving this problem. There are many real-time cases where multichannel broadcast encryption can be applied.

In this paper, we propose an efficient method of data sharing by multiple different users to multiple different legitimate subscribers in a secure and flexible way. The major contribution is listed as follows:

(i) Multichannel broadcast encryption scheme [4] is based on the setting of symmetric pairings. Type-I setting is slower as compared to Type-III setting [6]. The proposed scheme is constructed in Type-III setting. It is of interest to convert MCBE construction from symmetric to asymmetric bilinear pairings [5]. The asymmetric variant is definitely faster and efficient and has compact implementation, which will arise from the benefit over the symmetric setting.
(ii) Most of the schemes available in literature are in private key setting but the proposed scheme is in public key setting and has a small ciphertext size.
(iii) The semantic security of the scheme is based on Decisional Bilinear Diffie-Hellman Exponent (DBDHE) hardness assumption.
(iv) The proposed construction achieves selective security in the random oracle model (ROM).

The rest of the manuscript is organized as follows: Section 2 covers mathematical notations and computational complexity assumptions on which broadcast encryption schemes are constructed. The framework of conversion from symmetric setting to asymmetric setting is described in Section 3. In Section 4, the security model and correctness proof of conversion to asymmetric pairing are covered. The proposed scheme is then analyzed based on scheme complexity in Section 5. Section 6 concludes the paper including some open problems.

1.2. Related Work

Broadcast encryption [6] is a useful cryptographic primitive and has been widely studied as it is the fundamental primitive for many real-life applications. It was introduced by the seminal work of Fiat and Naor in year 1993, but it received much attention after the realization of Naor, Naor, and Lotspiech scheme [7]. Broadcast encryption cryptographic primitive provides a solution to the problem of communicating an encrypted message to only set of legitimate users over insecure public channel. In more detail, users who get access to ciphertext are called privileged subscribers. They are members of set and nonmembers of are called revoked users. Thus, the broadcast algorithm is considered to work on the partition of revoked and legitimate users and the partition may vary for each broadcast message. Revoked users cannot learn a single bit of encrypted message even if they collude in some way. This property is called collusion resistance property. Due to this, broadcast encryption (BE) [8] has potential applications in fields such as pay TV, satellite TV, encrypted mailing services, and encrypted file system in cloud applications. Broadcast encryption is deployed in two ways based on keys, namely, symmetric-key setting and asymmetric-key setting. In symmetric-key setting, a key generation center distributes the secret decryption key to all legitimate users in advance even before the message is transmitted. In such a scenario, only broadcaster acts as an emitter of message. The plaintext is encrypted by the emitter using a session key and in turn the session key is encrypted using the keys of the legitimate users of set . So, for every new broadcast message, if new user joins and existing user leaves the system, the secret key has to be refreshed. Modifying and refreshing key, when at least one user leaves or joins in the system, is called one-affects-all problem. The problem is efficiently addressed by the broadcast encryption in public-key (asymmetric-key) setting. 
In this kind of setting, all users of have a pair of keys: encryption key and decryption key. Broadcaster and other entities can act as emitter; however, only legitimate subscribers can decrypt the message and read the actual plaintext. It also alleviates the problem of refreshing the secret keys when a new member joins the system. The secure transmission of secret keys to all users of system has a problem of key compromise by members of . Broadcast encryption was put forth by the seminal work of Fiat and Naor [6], followed by many constructions proposed in [9] with different objectives of reducing decryption key size, encryption key size, encrypted message size, and computational cost of construction. Broadcast encryption in public-key setting is well studied and further categorized in Figure 3 as follows: identity-based broadcast encryption, attribute-based broadcast encryption, anonymous broadcast encryption, hierarchical broadcast encryption, dynamic broadcast encryption, and distributed broadcast encryption. Thus, it has many practical applications such as secure e-mail system, digital rights management system, pay TV, database security system, online social network system, and blockchain. Waters and Sahai [10] realized an extension of identity-based encryption which was later named attribute-based encryption, in which, instead of identity as a public key, attributes of legitimate recipients are used for encrypting messages. The major problems of ABE constructions are collusion resistance and recipient revocation. In some circumstances, one may want to give access right to a subset of recipients rather than only one specific recipient; to facilitate this, the notion of attribute-based broadcast encryption [11] has been realized.
Figure 3 represents the broad categorization of broadcast encryption and its variants in the public-key framework.

(1) Identity-based broadcast encryption: the notion of identity-based broadcast encryption (IBBE) scheme was first introduced by Delerablée [12]. It is an extension of identity-based encryption scheme in public-key setting where, instead of public keys of the legitimate users, their identity, such as an e-mail id, passport number, and driving license number (strings of characters, alphanumeric values, and numerals), was used as encryption key to encode the message. IBBE is a practical cryptographic primitive that allows exponential number of recipients to exchange messages in secure manner; this implies that the public parameters are not correlated to decryption key of recipients and to ciphertext transmitted among subscribers. The first optimal IBBE scheme [13] has been constructed from pairings and learning with errors (LWE).

(2) Attribute-based broadcast encryption: Sahai and Waters [10] realized an extension of fuzzy identity-based encryption which was later termed attribute-based encryption. In this, instead of identity being a public key, attributes of legitimate recipients have been taken into account for encrypting messages which can be decrypted by a set of subscribers, that is, those who belong to attribute set. ABE schemes suffer from the problem of collusion resistance and recipient revocation. Some scenarios require providing access right to a subset of recipients rather than only one specific recipient. To facilitate this, the notion of attribute-based broadcast encryption [11] has been realized. ABBE has been well studied by the research community in recent years [14] which includes various hardness assumptions such as bilinear map, multilinear map, LWE, and R-LWE. LWE and R-LWE constructions are quantum-resistant but are not good candidates for resource-constrained environment as key size and ciphertext size become large for lightweight devices [14].

(3) Anonymous broadcast encryption: in the standard broadcast encryption (BE) cryptosystem, recipients’ information is revealed from the encrypted message. This is also considered as a security gap since it enables automatic disclosure of identity. However, many BE scenarios demand to hide the target identity, as the identity also conveys sensitive information and can cause identity threat, if it gets disclosed. The notion of anonymous BE gets rid of this and enables users to search on encrypted data. In year 2006, Barth et al. [15] introduced another variant of broadcast encryption (BE), known as anonymous broadcast encryption (Ano-BE) which is chosen-ciphertext-attack- (CCA-) secure in random oracle model (ROM). Subsequently, [16–18] have shown enhancement on this primitive.

(4) Dynamic broadcast encryption: in SCN 2012, Phan et al. [19] first introduced a primitive of BE called dynamic decentralized BE (D-BE). In the traditional broadcast encryption system, a central authority was responsible for management of a set of subscribers. To decentralize such a system, D-BE primitive uses subset cover framework with DDH hardness assumption.

(5) Hierarchical broadcast encryption: this variant of BE is constructed on pairing based cryptographic primitive that enables key delegation property to subsequent descendants in the hierarchical system. This was first proposed by [20] for identity-based BE scheme. The later scheme is IND-CCA secure with constant ciphertext size in standard model.

(6) Functional broadcast encryption: this variant of BE enables access control along with public-key cryptography for sending encrypted file to specific subset of subscriber [21]. This scheme is based on indistinguishability obfuscation and achieves selective IND-CCA security.

(7) Multichannel broadcast encryption: this variant of BE enables sending an encrypted message to different groups of users. Consider a scenario of secret space program where the scientists of various states of a country are working together and the project coordinator wants to transmit different kinds of encrypted data to the various teams located in different geographical locations simultaneously. Multichannel broadcast encryption scheme was first presented by [4] in ASIA CCS 13. The scheme was designed in symmetric-key setting and achieves chosen-plaintext (CPA) and chosen-ciphertext security in standard model. It was further modified by [22]. In CANS 2018, [16] designed the scheme in public-key framework using decisional BDHE-sum assumption. The scheme has constant header size and achieves selective security. Acharya’s [23] one construction achieves semistatic security and another construction achieves selective security with high computation cost. Both schemes are constructed in Type-I pairing [5]. Very recently, Le et al. [24] have constructed a scheme using GDDHE hardness assumption in public-key setting. The scheme achieves selective security in random oracle model.

Cloud is the most promising platform to share health related data. Online e-healthcare models [25, 26] are deploying cloud for sensitive data sharing. Many broadcast encryption primitives [27, 28] have been used for data sharing in cloud environment. These primitives are available in private- as well as public-key setting [29]. As far as our problem is concerned, we are interested in multichannel broadcast cryptographic primitives that allow sharing of different messages to different users. Most of the constructions are in private-key setting and Type-I pairing. However, these schemes suffer from the limitations of private-key settings as well as Type-I pairing setting.

2. Preliminaries

2.1. Notations

We introduce same notations as presented in [4]. The notations are summarized in Table 1. For a set , let indicate that is a uniformly selected random element from set . In the following, we will assume that there exists an asymmetric bilinear map , where and are groups of the elliptic curve of the same prime order with generators and , respectively. As both groups are of prime order, any nonidentity elements of and are the generators of the group. Finally, any element in group , , or is assumed to have size , respectively.

Let be a uniformly chosen random element of . For any element from either or , let , where .

Consider as a set of elements. The term is not included in , so that the bilinear pairing would be of a little help in evaluating .

2.2. Bilinear Map Based on Prime Order Groups

Let and be two additive groups of same prime order and let be multiplicative cyclic group of prime order for some large prime . is a generator of and is a generator of ; pairing is defined as a function [30].

A pairing is defined to be admissible if it satisfies the following properties:

(1) Bilinearity: , , , and .
(2) Nondegeneracy: is a generator element of ; that is, , where .
(3) Computability: a pairing is defined as computable if there exists an algorithm that can compute , , and efficiently.

There are three types of bilinear maps [31, 32] used in the construction of various pairing-based schemes:

(i) If , the pairing is termed as symmetric pairing or Type-I pairing
(ii) If and there exists an efficiently computable homomorphism , the pairing is referred to as Type-II pairing
(iii) If and there does not exist an efficiently computable homomorphism , the pairing is referred to as asymmetric pairing or Type-III pairing

2.3. Computational Complexity Assumption

In this section, the computational complexity assumption of multichannel broadcast encryption scheme is introduced. The symmetric and asymmetric versions of decisional BDHE assumption are proposed [28, 33].

2.3.1. Bilinear Diffie–Hellman Exponent (BDHE) Assumption in the Symmetric Pairing Setting

Let and be two random generators of cyclic group of prime order and such that . The n-BDHE problem in is defined as follows:Let Input instance: Output:

An algorithm has advantage in solving n-BDHE problem in if , where the probability is over the random choices of generator , random choice of , the random choice of , and the random bits used by .

Definition 1. The decisional -BDHE hardness assumption holds in if no -time algorithm has advantage at least in solving the BDHE problem in [33].

2.3.2. Bilinear Diffie–Hellman Exponent (BDHE) Assumption in the Asymmetric Pairing Setting

Security of multichannel broadcast encryption schemes in asymmetric bilinear pairing is based on the well-studied complexity assumption known as Bilinear Diffie-Hellman Exponent (BDHE) assumption [33]. Consider two bilinear groups and of same prime order . Given , , and in either or , for , .

The asymmetric decisional BDHE problem is defined as follows.

Input instance: .

Output: .

Since the term is missing from the sequence of powers, the bilinear map appears to be of no help in computation of . The bilinear pairing decides whether holds or not. As a shorthand, once , , and are specified, is set as , where is in either or .

Let Adversarial algorithm be a -time algorithm that receives an input challenge for asymmetric BDHE problem and produces a decision bit as output. has advantage in solving asymmetric decisional BDHE problem when the difference between and is , where the probability is over the random choices of , random bits consumed by , random choice of , and the random choices of generators and of and , respectively.

Definition 2. The asymmetric decisional -BDHE hardness assumption holds in if no -time algorithm has advantage at least in solving the asymmetric BDHE problem in [28].

2.4. Multichannel Broadcast Encryption

Multichannel broadcast encryption (MCBE) is a variant of broadcast encryption introduced by [4] inspired by the construction of [34]. In this cryptosystem, a Private-Key Generation Centre (PKGC) generates decryption keys and global public parameters. A broadcaster generates ciphertexts corresponding to a message for disjoint groups of legitimate users . A legitimate user retrieves the plaintext using own decryption key. The description of MCBE cryptographic primitive scheme is as follows.

2.4.1. Syntax of MCBE

An MCBE scheme is four-tuple of algorithms: MCBE .

(1) : is also known as which takes as input maximum count of users accumulated in the system and security parameter . The outputs the public parameter and a master secret key . is made public for all and is kept secret.
(2) : it takes , , and a legitimate user as inputs and produces a decryption key corresponding to user as output. is sent to over a secure communication link established between and the legitimate user .
(3) : it takes input and set of legitimate users , with each . The broadcaster entity outputs a session key for each group and a ciphertext for all groups. The broadcaster entity makes ciphertext available publicly and session keys are kept secret in the system. To recover a ciphertext for plaintext message , one must have session key . This scheme is based on symmetric-key encryption algorithm. If (null set) then the broadcaster entity sets .
(4) : a subscribed user retrieves his/her session key corresponding to group using .

Correctness: The MCBE scheme holds correctly if, for a legitimate user , the session key can be fetched from ciphertext correctly.

3. Conversion from Type-I Pairing to Type-III Pairing

Many novel applications have been constructed using pairing-based cryptographic protocols that are based on bilinear pairing map , where and are candidate prime order groups of a meticulously chosen elliptic curve over a finite field , and is a subgroup of finite field . Bilinear pairing is realizable from Weil, Tate, and other optimal pairings of elliptic curves [31].

Bilinear maps are studied extensively and have been efficiently implemented in past decades [35]. Bilinear pairings are broadly categorized into the following:

(1) Asymmetric pairing
(2) Symmetric pairing
(3) Composite order pairing

An asymmetric pairing is a general bilinear map that efficiently computes , where is a -prime order group of points of an elliptic curve over a finite field and is also of the same prime order group of that elliptic curve over an extension field of . When the domains of bilinear map are identical, such a pairing function is referred to as a symmetric pairing. The third type of pairing is composite order pairing [36], where is of composite order. The provision of additional flexibility makes computation of composite pairing slower. Waters’ dual encryption system [37] was first constructed using composite order groups and in his later work composite order identity-based encryption is transformed and constructed using prime order bilinear pairing in asymmetric setting. The conversion from composite order bilinear pairing to prime order bilinear pairing was due to efficiency consideration. Studies have recommended that asymmetric pairings are faster and compact from the implementation viewpoint. Asymmetric bilinear pairings have the possibility to reduce the size of group in ciphertext and keys (public key and private key). There have been enormous cryptographic constructions realized on bilinear maps . Here, multichannel broadcast encryption (MCBE) cryptographic primitive is built from bilinear pairings. Asymmetric bilinear pairings are further categorized into Type-II and Type-III bilinear pairings. In case of Type-II setting, there exists an efficiently computable isomorphism from group to group or vice versa, whereas in the Type-III pairing no such kind of isomorphism is known. Previous work has shown that the Type-III setting is the most efficient (among all pairing types) form in terms of operations required and security.

The following steps show the conversion from Type-I MCBE to Type-III MCBE for all the four algorithms .

(1) Setup:
    (a) Randomly select .
    (b) Given , , .
    (c) Select random scalars .
    (d) Evaluate .
    (e) Set .
(2) Keygen:
    (a) Randomly select and set .
    (b) Set .
    (c) Set public key .
    (d) Secret key for users is computed as .
(3) Encrypt:
    (a) Select a random scalar .
    (b) Set .
    (c) Evaluate
    (d) Set .
    (e) Communicate .
(4) Decrypt: if then compute

Substituting the value of

4. Security Model

We also define the formal framework of security of MCBE scheme in asymmetric-pairing setting by the following game between the adversarial algorithm and a simulator algorithm in a real or random setting [38], as shown in Figure 4.

(1) Setup: the simulator algorithm runs the Setup algorithm and outputs , , and encryption key .
(2) Query Phase-I: adaptively asks queries to which is also known as a Challenger. For some -th user , where , sends the decryption keys to . In response to the encryption query, evaluates to produce as output.
(3) Challenge: at this stage, forwards the challenge set , where each for , as well as a target set , where , to . In response to this, forwards . Then, selects random . Depending on the value of , replies with the following response :
(4) Query Phase-II: continuously asks queries similar to Query Phase-I.
(5) Guess: now, eventually returns decision bit for .

Theorem 1. The scheme in asymmetric setting is selectively secure under DBDHE assumption if it holds in . For maximum number of legitimate users, , for , where denotes time complexity for exponentiation computation and represents maximum number of available channels in the system.

Proof. Let us consider that there exists Probabilistic Polynomial Time (PPT) algorithm, , such that for an MCBE system. We build a simulator algorithm that has advantage in solving the DBDHE problem in . Algorithm takes as input a challenge , where is either or a random element .

(1) Setup

(1) generates global public parameters and secret keys for . It selects a random scalar .
(2) Set for all .
(3) Select random scalars for and compute .
(4) Choose a random index .
(5) . All scalars are known except .
(6) provides adversary the global public parameters: .
(7) performs computation of secret decryption keys except for .
(8) Select a random legitimate user and define

Substituting the value of , we get

Moreover, since , it satisfies the specification parameters of the construction.

(2) Challenge

(1) Challenge C is simulator algorithm. while is part of header, denotes cipher text both C and .
(2) and . Evaluate as

Substituting the value of Qu, we get

The following notations were used: and .
(3) Set .
(4) and .
(5) Thus, to generate session keys, computes, for all ,

and sets
(6) produces the output as a challenge to adversarial algorithm .
(7) If is the correct value, then

Substituting the value of , we get

If the value of element is random, then produces as output.

(3) Guess

outputs a guess bit for . wins the game if . produces the output :

represents ; otherwise, when , .

’s advantage in breaking the security of the MCBE in asymmetric setting is defined in terms of the fact that the probability of occurrence of the event that in the mentioned game is evaluated as

5. Result and Analysis

We have presented multichannel broadcast encryption scheme in asymmetric-pairing setting. The number of scalars, which have been used in the construction of MCBE (in symmetric-pairing setting), is analyzed. The following observations were made:

(1) uses scalars and . uses scalars , and .
(2) Encrypt algorithm uses scalars (no. of groups).
(3) Ciphertext uses scalars.
(4) , , , and ciphertext consist of elements of group .
(5) [4].

Based on the above points, we have attempted a transformation of the scheme into Type-III pairing setting. The MCBE in asymmetric setting has the following points:

(1) uses elements of and elements of . uses scalars , and .
(2) Enc algorithm uses scalar only.
(3) Ciphertext uses and .
(4) and ciphertext consist of elements of groups and .
(5) and consist of elements of group .
(6) consists of elements of (, ).
(7) .

A comparison of features of MCBE scheme based on various complexity assumptions is shown in Table 2. The rows , , , , , and represent the numbers of group elements in public parameter, public key, secret key, ciphertext, encryption key, and master secret key, respectively.

Group consists of two parameters, and ciphertext. On the other hand, and decryption keys are elements of . All MCBE schemes appearing in literature are included in Table 3.

Based on Tables 2 and 3, the following has been observed:

(i) The proposed scheme uses asymmetric pairings, whereas the rest of the schemes use asymmetric pairings. So, one could have , which in turn leads to the smaller size ciphertext, reduced storage space, and enhanced performance [31].
(ii) As we have taken two group elements and and achieved compact size ciphertext which is the most important design consideration of broadcast encryption schemes, the public parameter size has increased in the proposed method. It is the limitation of this work. The public parameter is independent of the number of channels and users need to download it once. It does not increase any communication overhead.

6. Conclusion and Future Work

We have proposed an efficient and secure method for data sharing using asymmetric pairing (Type-III) with compact size ciphertext in public-key setting to enable rapid learning in healthcare environment. Our construction serves as an efficient solution for various practical data sharing applications such as healthcare environment, distribution of consumer product licence, and collaborative sharing to enable learning. Our construction is collusion-resistant and the security of the scheme is based on standard hardness assumption. We have demonstrated how this construction is modified to symmetric pairing to achieve compact size ciphertext. The analysis and result establish that the proposed scheme outperforms other existing schemes in terms of performance, storage, and transmission cost. The proposed method offers the same level of security with reduced memory requirement. Reducing the size of public parameter as well as constructing the traitor tracing system for this scheme is left as open problem.

Data Availability

The data that support the findings of this study are available from the corresponding author upon request. The dataset is not required for this study.

Conflicts of Interest

The authors declare no conflicts of interest.