Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices. mHealth systems let patients and healthcare providers collect and share sensitive information, such as electronic and personal health records (EHRs) at any time, allowing more rapid convergence to optimal treatment. Key to achieving this is securely sharing data by providing enhanced access control and reliability. Typically, such sharing follows policies that depend on patient and physician preferences defined by a set of attributes. In mHealth systems, not only the data but also the policies for sharing it may be sensitive since they directly contain sensitive information which can reveal the underlying data protected by the policy. Also, since the policies usually incur linearly increasing communication costs, mHealth is inapplicable to resource-constrained environments. Lastly, access privileges may be publicly known to users, so a malicious user could illegally share his access privileges without the risk of being traced. In this paper, we propose an efficient attribute-based secure data sharing scheme in mHealth. The proposed scheme guarantees a hidden policy, constant-sized ciphertexts, and traces, with security analyses. The computation cost to the user is reduced by delegating approximately 50% of the decryption operations to the more powerful storage systems.

1. Introduction

mHealth is an abbreviation for mobile health, which can encompass a wide range of healthcare technologies such as mobile computing, medical sensors, and communication technologies [1]. Rapid growth in wireless communications, availability and miniaturization of mobile devices, and computing resources in parallel with mobile and wearable systems can boost the wide adoption of mHealth. Such developments can greatly impact on and reshape the processes of existing healthcare services. For instance, semiconductor-implanted smart intelligent sensors will allow drugs to be delivered in real time to a personal server when they sense a patient who needs a dose of drugs. Personal servers, such as mobile devices, supply global connectivity to the storage center, which can thereby serve clinical healthcare from a distance [2]. The storage center holds the information that forms the electronic health record (EHR), a digital version of a patient’s paper chart. Physicians intermittently upload diagnostic reports based on their observations of the EHRs stored in the storage center. Figure 1 shows an example of an mHealth monitoring and data transfer system. Reportedly, a growing number of healthcare-specific mobile applications are available, and it has been estimated that about 500 million patients around the globe will be in the reach of such apps as of 2015 [3].

EHRs contain sensitive information such as patients’ medical history, diagnoses, immunization dates, allergies, and medications, which are bound to the real identities of patients. That is, whoever can freely access the storage center is able to learn both the identity and clinical information of a specific patient, which clearly threatens the patient’s privacy. Thus, privacy concerns are arguably a major issue, and related requirements are enacted nationwide. For example, in the United States compliance to HIPPA (Health Information Technology for Economic and Clinical Health Act) encourages healthcare providers to not only adopt EHRs but also keep them confidential [4]. This clearly indicates that EHRs must be kept under strict conditions and be accessible only by the authorized user.

Unfortunately, standard encryption schemes are not suitable for mHealth systems for the following reasons [5].(i)Absence of Proper Access Control. Well-known encryption schemes, such as AES, guarantee the confidentiality of data if security parameters are well-chosen. However, such schemes are not designed to support fine-grained access control.(ii)Expensive Key Management. Public key encryption schemes do not support one-to-many relationships between the ciphertext and decryption key, necessitating the burdensome distribution and management of public keys.

Since healthcare delivery is a decentralized process taking place across many institutional boundaries, standard approaches to securing health records include role-based access control because the flexible assignment of permissions to a wide range of user is possible only with fine-grained access control. At the same time, the confidentiality of EHRs must be maintained without hindering clinical care by denying legitimate access requests of authorized users, such as doctors, nurses, lab technicians, researchers, and receptionists [6, 7]. Thus, a variety of policy-based encryption schemes have been proposed to share data securely and provide reliable access control [811]. These schemes are promising in that the accessibility of shared data is dependent on the user’s capacity to satisfy a given policy. Furthermore, encryptors do not require a priori knowledge of the recipients, such as identities or certificates. Specifically, ciphertext policy attribute-based encryption (CP-ABE) allows the construction of policies by utilizing attributes as public keys, thereby protecting shared data against unauthorized users [1216]. As access to EHRs varies across the space of uneven distributions of healthcare providers and consumers and among population groups with different socioeconomic and demographic characteristics [17], CP-ABE is a convincing alternative to the conventional cryptographic primitive for mHealth. CP-ABE can provide fine-grained and flexible access control to the shared data in mHealth systems.

It is notable that not only the data, but also the policies for sharing that data are sensitive. Typically, the access policies may reveal sensitive information, such as the underlying data, the identity of a patient, or symptoms indicating what diseases a patient is suffering from. To some extent, patients are reluctant to expose such private information, preferring instead to keep their privacy intact through securing both the EHRs and their access policies. Although CP-ABE provides a desirable access policy, it has one drawback: the access policies attached to ciphertexts are public. From these access policies, unauthorized users can learn information about the underlying data itself. This weakness is known as the policy privacy problem.

To overcome the policy privacy problem, several CP-ABE schemes with hidden access policies were proposed [9, 18]. In these schemes, the encryptor-chosen access policies are associated with each ciphertext in a way hidden such that even an authorized user learns no information about the underlying policy other than that he is authorized to decrypt. Although these schemes feature hidden policies, they suffer from being inefficient; that is, the ciphertext size is linear with respect to the number of attributes in the access policy.

To limit ciphertext size, Zhou et al. introduced a CP-ABE scheme which provides both a hidden access policy and a constant-sized ciphertext [19]. However, their scheme lacks user traceability. In general, most CP-ABE schemes supporting constant-sized ciphertext or hidden access policies cannot trace malicious users who illegally share their decryption keys. Specifically, the secret keys of policy-based encryption consist of sharable attributes so that the decryption keys have no uniquely identifiable information. Thus, if a malicious user leaks his decryption key to others, then there is no clear evidence indicating that the key belongs to him. Although Li et al. proposed a CP-ABE scheme featuring a hidden access policy and traceability [20], it lacks constant-sized ciphertext, resulting in increased communication and storage costs.

Contribution. In this paper, we propose an efficient attribute-based secure data sharing scheme for mHealth with hidden policies and traceability. The proposed scheme enforces hidden access policies with wildcards and supports constant-sized ciphertext, regardless of the number of attributes. Also, we embed a uniquely identifiable point into each decryption key in order to prevent the user from intentionally distributing the decryption key to others, thereby achieving traceability. Additionally, the proposed scheme allows users to outsource part of the decryption process to the more powerful storage center to minimize computation cost at the user side. Our performance results show that the storage center computes almost 50% of the decryption process on behalf of users. To the best of our knowledge, this is the first construction that achieves all these functionalities simultaneously.

Organization. The rest of this paper is organized as follows. We begin with a discussion of related work in Section 2. In Section 3, we describe the cryptographic background and define a general CP-ABE with a hidden policy, constant-sized ciphertext, and traceability. Section 4 describes the mHealth architecture and security model. In Section 5, we present the construction of the proposed scheme in detail, followed by a performance analysis in Section 6. We analyze its security in Section 7 and conclude the paper in Section 8.

The idea of Identity-Based Encryption (IBE) was first introduced by Shamir [21]. In IBE, the encryptor makes an access policy based on an identity, and only a user with the matching identity obtains the decryption privilege. Encryption by identity, however, leads to the following limitations: lack of one-to-many relationship between the ciphertext and decryption key and the need for the encryptor to know each user’s identity in advance. Later, Sahai and Waters introduced Fuzzy Identity-Based Encryption, which is the first prototype of attribute-based encryption (ABE) [22]. While the IBE scheme views an identity as a string of characters, in ABE, an identity is viewed as a set of descriptive attributes (a.k.a., identity set) such as name and affiliation. The ABE scheme allows the encryption of a message based on some identity set , and the decryption ability is given if and only if a user’s set is close enough to to satisfy a system-defined threshold. This property enables fine-grained access control and a one-to-many relationship between a ciphertext and its receivers since anyone whose identity set satisfies a given threshold can obtain the decryption privilege. However, the threshold semantics are not very expressive and cannot support fine-grained access control. This drawback means that the threshold-based ABE scheme cannot be applied to more general systems.

In CP-ABE [1216], a ciphertext is associated with an access policy and decryption keys are labeled with an arbitrary number of attributes. The encryptor specifies an access policy over encryptor-chosen attributes. The access right is given if and only if the attributes in the decryption key satisfy the access policy in the ciphertext. In these schemes, however, the size of a ciphertext has a linear relationship with the number of attributes in the access policies, resulting in inapplicability for resource-constrained environments.

To limit the size of ciphertexts, Zhou and Huang proposed constant-sized CP-ABE (C-CP-ABE) with a logical AND access policy with wildcards [23]. This scheme limits the size of each ciphertext to up to 300 bytes in total, where a ciphertext consists of encrypted data, an access policy, and 2 bilinear group elements. Chen et al. further improved the C-CP-ABE scheme in terms of security [24] making it CPA-secure under a well-established assumption in the standard model without loss of efficiency. Overall, these schemes successfully make the size of ciphertexts constant. However, they reveal the underlying access policy publicly.

While previous works feature open access policies, Hur introduced a CP-ABE scheme with hidden access policy in smart grid [9]. To preserve policy privacy, a one-way anonymous key agreement scheme is used as a building block in order to replace identity hashes with user-generated pseudonyms. However, this scheme does not support constant-sized ciphertext. Interestingly, an efficient CP-ABE scheme with a hidden policy was proposed [19]. In this scheme, AND-gate access policies with wildcards are used and each ciphertext header requires 2 bilinear group elements, each of which is limited to 100 bytes in total. Also, access policies are obfuscated by computing the intersection between a given access policy and an all-wildcard attribute set. This technique, however, partially leaks the access policy, because unauthorized users can guess at a minimum which attributes are treated as do not care. In addition, the user must run the decryption algorithm at least once, to determine whether he satisfies the access policy, since only decryption failure notifies whether the decryption key satisfies the underlying access policy.

The ability to resist illegal key sharing is a highly desirable characteristic for ABE. To achieve this, Li et al. introduced a user-accountable CP-ABE scheme that binds user identity in the private key, thereby allowing illegally-shared keys to be traced [25]. Although this methodology has also been adopted by other traceable CP-ABE schemes [26, 27], none of them fully support either constant-sized ciphertext or hidden access policies. In addition to supporting these features, in this paper, we also insert a unique identifier into each private key such that any key can be traced in constant time, regardless of the number of attributes.

3. Preliminaries

3.1. Bilinear Map

Let be a multiplicative cyclic group of large prime order . The bilinear map is defined as follows: , where is the codomain of . The bilinear map has the following properties:(i)Bilinearty. , where (ii)Symmetry. One has (iii)Nondegeneracy. , where is the generator of (iv)Computability. There exists an efficient algorithm to compute the bilinear map .

3.2. Security Assumption

The security of the proposed scheme is based on the Bilinear Diffie-Hellman Exponent assumption (BDHE) [28]. Let be a bilinear group of large prime order and let be a generator of . The -BDHE problem in is defined as follows. Given the vector of elements as the input where is not in the vector, the goal of the computational -BDHE problem is to compute . Define the set as Then, we have the following definition.

Definition 1 (Decisional K-BDHE). The decisional -BDHE assumption is said to be hold in if there is no probabilistic polynomial time adversary who is able to distinguish with nonnegligible advantage, where and are chosen independently and uniformly at random.

We exploit Boneh et al.’s -Strong Diffie-Hellman assumption (-SDH) to prove traceability [29]. Given a -tuple as input where is chosen uniformly at random, the -SDH assumption is stated as follows: there is no probabilistic polynomial time adversary who is able to output with nonnegligible probability, where is not allowed to be zero.

Formally, we have the following -SDH assumption.

Assumption 2 (l-SDH). The -Strong Diffie-Hellman problem in is defined as follows: given a -tuple as input, output . An algorithm has advantage in solving -SDH in if the following holds:where the probability is over the random choice of in .

Definition 3. The -SDH assumption is -secure if no -time algorithm has advantage at least in solving the -SDH problem in .

3.3. Access Policy

Given an attribute universe , each has one of three values , where denotes that the user has , denotes that the user does not have or is not a proper attribute of this user, and denotes a wildcard specifying do not care. We define the user’s attribute set as follows.

Definition 4. Let be a user’s attribute set, where and is the order of the attribute universe. Then, , where and . One has .

Next we define the AND-gate access policy as follows.

Definition 5. Let be an AND-gate access policy where . Denote that the user’s attribute set satisfies . Then,

3.4. One-Way Anonymous Key Agreement

In this paper, the key idea used to obfuscate attributes in the policy starts from Boneh-Franklin Identity-Based Encryption [30]. In their scheme, a private key generator (PKG) takes the role of issuing private keys. It generates a private key for each user using a master secret , where is a cryptographic hash function.

Based on [30], Kate et al. proposed a one-way anonymous key agreement scheme by replacing with a pseudonym chosen by each user [31]. This scheme guarantees anonymity for just one receiver when two users engage in it. We give a specific example as follows. Suppose Alice and Bob hold identity and identity , respectively, and they are clients of the same key authority which holds a master secret . Given the private key , Alice wants to communicate with Bob, without disclosing her identity.

To achieve this, the key agreement protocol runs as follows:(1)Alice computes , chooses a random , sets a pseudonym , and computes the session key . She sends the pseudonym to Bob.(2)Given his private key , Bob computes the session key .

In this noninteractive manner, the session key is implicitly authenticated such that Alice is assured that the no one can derive the key other than Bob. Based on the BDH assumption, this protocol is proved to be secure in the random oracle model satisfying unconditional anonymity, no impersonation, and session key secrecy. To hide the policy we exploit the technique used in [9] as a building block instead of building a new method for policy obfuscation from scratch.

3.5. Definitions

In this section, we define a general CP-ABE with hidden policy, constant-sized ciphertexts, and traceability capabilities for secure data sharing. The scheme consists of the following seven algorithms:(i). The Setup algorithm takes as input the number of attributes . It outputs a public key PK and a master key MK and initializes an identity table .(ii). The key generation algorithm takes as input the master key MK, the public key PK, and the user’s attribute set with identity . It outputs a decryption key SK and inserts into .(iii). The encryption algorithm takes as input the public key PK, an access policy , and a message . It outputs a ciphertext such that only the users whose decryption keys satisfying should be able to extract . is associated with the obfuscated policy .(iv). The token generation algorithm takes as input the user ’s secret key and a set of attributes . It outputs a token .(v). The partial decryption algorithm takes as input the token and outputs a partially decrypted ciphertext for a user .(vi) or . The decryption algorithm takes as input the public key PK, a decryption key SK, and ciphertexts , . If , then it outputs a message , where is the user’s attribute set and is the access policy. Otherwise, it outputs which indicates the failure of decryption.(vii) or . The tracing algorithm takes as input the public key PK, a decryption key SK, and the table . It determines whether SK is well-formed indicating that SK is the real output of KeyGen. If SK is well-formed, the algorithm outputs an identity which corresponds to SK. Otherwise it outputs implying that SK is not well-formed. The well-formed decryption key is guaranteed to work correctly in the well-formed decryption process.

In the proposed scheme, each public key component is mapped to an attribute value . When encrypting data, the encryptor specifies an access policy , where . The decryption succeeds only when the user’s attribute set satisfies the (obfuscated) policy .

4. mHealth Architecture

4.1. System Model

In mHealth systems, intelligent wireless sensors perform data acquisition and processing [32]. Individual sensors monitor certain physiological signals and communicate with each other and the personal server such as a tablet PC as shown in Figure 1. Then, the personal server integrates the data received from the different sensors and plays the role of a gateway by sending data to the upper layer of the mHealth system. From a security point of view, the mHealth system components are categorized as follows:(1)Trust Authority. This is a key entity that issues the public and secret parameters for the mHealth system. It publishes diverse access privileges to individual entities based on their attributes. The trust authority is assumed to be fully trusted in the mHealth system [10].(2)Storage Center. This is a data repository center that stores EHRs. In mHealth systems, hospitals or clinics with certain qualifications certified by the trust authority can be employed as a storage center. It is assumed to be honest-but-curious [10]. Thus, it will honestly execute the assigned tasks and like to learn as much information from the encrypted data as possible.(3)Encryptor. This is a patient who generates data and sends it to the storage center. It uses mobile devices to interact with the storage center. Encryptors are responsible for defining access policy based on attributes, obfuscating the policy, associating it with the data, and encrypting the data according to the policy. Hereafter, we will use “encryptor” and “patient” interchangeably.(4)User. This includes entities such as the patient, physicians, nurses, lab technicians, researchers, or receptionists who want to access EHRs contained in the storage center. A user will be authorized to decrypt a ciphertext given by the storage center if and only if his key satisfies the access policy of that ciphertext.

4.2. Security Model

CPA Security. The security model of the proposed scheme is similar to that of the CP-ABE scheme with constant-sized ciphertexts [23] except that each key query is labeled with an explicit identity and attributes are obfuscated. We first introduce the semantic security game. A CP-ABE scheme is considered to be CPA-secure if no probabilistic polynomial time adversaries have nonnegligible advantages in the following CPA security game.(i)Init. The adversary chooses a challenge access policy and gives it to the challenger.(ii)Setup. The challenger runs the Setup algorithm and gives the adversary the public parameter PK.(iii)Phase 1. The adversary queries the challenger for decryption keys corresponding to , where . The challenger answers with a decryption key SK for . The adversary repeats this phase adaptively.(iv)Challenge. The challenger obtains by running the Encrypt algorithm. The challenger sets and picks a random of the same length as . It then flips a random coin and gives to the adversary.(v)Phase 2. It is the same as Phase 1.(vi)Guess. The adversary outputs a guess .

The adversary wins the game if under the restriction that cannot satisfy the access policy . The adversary may run Phase 2 to make multiple key queries in the midst of the challenge. Note that the adversary declares the access policy at the start of the game.

The advantage of an adversary in this game is defined as

Traceability. The traceability definition for the proposed scheme is described by the following security game:(i)Setup. The challenger runs the Setup algorithm to obtain the public parameter PK. Then, the challenger gives PK to the adversary.(ii)KeyQuery. The adversary makes decryption key queries -times to the challenger, where sets of attributes correspond to decryption keys.(iii)KeyForgery. The adversary outputs a decryption key .

The adversary wins the game if the following holds:(1).(2).

Then, the advantage of the adversary in this game is

Definition 6. A traceable ciphertext policy attribute-based encryption scheme is fully traceable if all polynomial time adversaries have at most negligible advantage in this game.

Policy Privacy. While sharing data in the mHealth system, the storage center or unauthorized users must learn no information about the attributes associated with the access policy of the encrypted data. Also, even authorized users should not obtain any information about these attributes other than the fact that they are authorized to access the data.

5. Proposed Scheme

5.1. System Architecture

The proposed data sharing process in the mHealth system runs as follows. An encryptor defines the access policy with a set of attributes, encrypts the EHRs associated with clinical reports under the policy, and uploads the ciphertext and the obfuscated policy to the storage center. When a user wants to access the uploaded data, he first generates a token using his attributes and sends it to the storage center. If the attributes in the token satisfy the access policy, then the storage center partially decrypts the ciphertext and sends the result to the user. Then, the user finishes the decryption of the ciphertext using his secret key and the partially decrypted ciphertext as inputs. The outline of data sharing process is depicted in Figure 2.

5.2. Scheme Construction

The proposed scheme is constructed on the basis of the following seven algorithms as follows.

. Given attributes as the attribute universe, the proposed scheme has attribute values such that . Specifically, we map to , to , and to .

Let be a bilinear group of prime order . The Setup algorithm chooses a random generator and random . For , it computes . Then, it computes and . The master and public keys are set to ; . The algorithm initializes an identity table .

. Assume that each user is tagged with an attribute set , where and . The KeyGen algorithm randomly chooses , . Then, it computes , and . For all , it computes , where is a hash function .

Next, the algorithm computes the following:(i)For every , compute , where .(ii)For every , compute , where .(iii)For every , compute , where .

The decryption key for user is set toNote that is computed modulo . If or is already in , the algorithm is run repeatedly with another random . Then, it puts a tuple into and uploads to the storage center.

. is an AND-gate access policy with attributes specified by an encryptor , where each attribute is either positive/negative or wildcard. The algorithm chooses a random and computes , for all , where is a hash function . Then, the access policy is obfuscated by replacing each attribute with .

Next, the algorithm picks a random and computes a one-time symmetric key . It encrypts the message as and computes . Then, it computes . The ciphertext is set to The encryptor uploads to the storage center.

. When a user needs to access the ciphertext of in the storage center with a set of attributes , receives from the storage center and generates the token for as follows. For all , the algorithm computes . Then, it constructs the token . Each will be used as an index for the obfuscated attribute . The user sends to the storage center.

. Given from the user , the storage center checks if each in the token satisfies the access policy associated with . If satisfied, the storage center partially decrypts using as for all . Then, it computes a production of all as . The storage center sends to .

or . On receipt of the partially decrypted ciphertext from the storage center, the user computes for all as Then, it computes and divides by . Using the quotient term , the user concludes decryption as follows:Then,The user decrypts .

or . is called well-formed if it passes the following conditions hold: If is well-formed, the algorithm searches in . If is in , the algorithm outputs the corresponding , and if not, the algorithm outputs the corresponding indicating that the corresponding identity never appears in . If is not well-formed, the algorithm outputs .

6. Performance Analysis

In this section, we analyze the performance of the proposed scheme compared with the previous schemes including a constant-sized ciphertexts scheme [23], a hidden policy scheme [25], and a traceability scheme [26]. We compare each scheme in several ways such as the computational cost of encryption and decryption and the ciphertext length and in terms of the complexity assumption. Also, we implemented the proposed scheme to evaluate its actual performance. We programmed our system using the Java-based pairing based cryptography (jPBC) library [33] on a GIGABYTE desktop with 4 Intel Core i5-3570 3.40 GHz CPUs, 4 GB RAM, and running Windows 7 Ultimate K.

Table 1 shows the results of comparing the different schemes. The notations we use in the table are as follows: denotes the number of attributes involved in the access policy, denotes the number of attributes in the attribute universe, denotes the exponentiation operation, and denotes the paring operation. Note that, following convention, the bit-length of the expression of the access policy and its computational costs over are ignored.

In terms of computational cost, the constant-sized ciphertext scheme [23] shows the best encryption phase efficiency, requiring a constant number of exponentiations. The proposed scheme also needs two exponentiations in data encryption, but an additional operations are required to obfuscate the access policy. In the decryption phase, the proposed scheme requires more computations than [23] since the user identity is exponentiated to every attribute value to support traceability. In contrast to [25, 26], the proposed scheme requires approximately number of exponentiations. With regard to the ciphertext length, the proposed scheme and [23] guarantee constant-sized ciphertext. On the other hand, the hidden policy scheme [25] and the traceability scheme [26] incur linearly increasing ciphertexts as the attribute number increases. Overall, the proposed scheme is efficient in terms of the ciphertext size and provides hidden policy traceability at the cost of more exponentiation operations.

Figure 3 shows the computation overhead incurred in the core algorithms, Setup, KeyGen, Encrypt, GenToken, Decrypt, PDecrypt, and Trace, under various conditions. Figure 3(a) shows how system-wide setup time varies according to the number of attributes. Figure 3(b) shows the total key generation time against different numbers of attributes. The setup occurs only once at the start of the system, and key generation occurs every time a new user joins. Figure 3(c) shows encryption time against different numbers of attributes. It increases linearly due to the time taken to obfuscate the policy attached to the data. Figure 3(d) shows the token generation time against the number of attributes. The token generation process requires a pairing operation time linear to the number of attributes. Figure 3(e) shows the partial decryption time at the storage center and decryption time at the user against the number of attributes. Interestingly, the storage center can undertake nearly 50% of whole decryption process on behalf of users. This property can be most useful for relatively resource-constrained user side devices. Lastly, Figure 3(f) shows the trace time with different numbers of attributes and users. The trace time depends only but not strongly on the number of users.

Further Efficiency Improvement. jPBC is a complete Java port of the PBC library which was originally written in C [34]. Java is widely considered to be slower than C because Java programs run on the Java Virtual Machine rather than directly on the computer’s processor. Based on this, we additionally provide benchmark comparison results between jPBC and PBC in order to demonstrate how fast the proposed scheme can be when it is implemented in C language [33]. Table 2 shows the performance comparison between Java and C with respect to pairing and exponentiation operations conducted on the same machine. The two libraries were applied to the curve over the field for some prime . The order of is some prime factor of [33]. Since the cost of the pairing operation in PBC is approximately 12 seconds less than in jPBC, PBC is expected to improve the performance of pairing-dependent algorithms, such as GenToken and policy obfuscation process in Encrypt, by up to . Similarly, the cost of the exponentiation operations in and are reduced by and seconds, respectively. Such a difference between the two libraries implies that moving from Java to C implementation of the proposed scheme can speed up the Setup and KeyGen algorithms by approximately and the PDecrypt and Decrypt algorithms by approximately .

7. Security Analysis

7.1. Data Confidentiality

In this section, we reduce the chosen plaintext attack (CPA) security of the proposed scheme to a decisional -BDHE problem. Given an access policy , a user with an attribute set colludes with decryption proxies. Intuitively, this attack works successfully if . Based on the CPA security game in Section 4.2, we have the following.

Theorem 7. If a probabilistic polynomial time adversary wins the CPA security game with a nonnegligible advantage, then one can construct a simulator that distinguishes a -DBHE tuple with a nonnegligible advantage.

Proof. Suppose that an adversary ’s advantage for winning the game is . Then, we can construct a simulator which solves the decisional -BDHE problem with the advantage . The simulator takes an input vector , where is either or a random element in . Then, breaks the decisional -BDHE problem with the advantage . Specifically, takes a random decisional -BDHE challenge as input, where is either or a random value.
Next, runs the following CPA game with the role of challenger. (i) Init. sends an access policy to .(ii) Setup. runs the Setup algorithm to obtain PK and chooses a random . Then, computes outputs the public key .Phase 1. The adversary submits , where . Then, there exists such that , where , or , where .
For , picks random and sets . Next, randomly chooses and computes Next, computes where falls into one of the following conditions: () for all , () for all , and () for all .
Then, each is valid such that Challenge. sets and and gives the challenge to . Note that for some such that and if .
Phase 2. Repeat Phase 1.
Guess. The adversary outputs a guess , where implies that . If , then is a random element which indicates that . Note that each decryption proxy simulates a legal decryption key component with a random . Specifically, the adversary passes as a guess of which is embedded in , where . We further define a decryption proxy to model collusion attacks.

Definition 8. Given decryption proxies in the security game, each decryption proxy , where and .

Lemma 9 (collision with 1 decryption proxy). Suppose that has issued queries and there is only 1 attribute , where makes queries to . The probability that none of the queries returns a legal decryption key component of any is .

Proof. The probability that at least one query returns an illegal decryption key component of any is . Thus, if none of the queries succeeds, then , where is a random number in the decryption proxy and is a random number in the decryption key.

Lemma 10 (collision with multiple decryption proxies). Suppose has issued queries and there are attributes dissatisfying , where makes queries to each decryption proxy , . The probability that none of the queries returns a legal decryption key component of any is .

Proof. The probability that one decryption proxy fails is . Thus, the probability that all decryption proxies succeed is .

In case of , we have 3 collusion scenarios as follows.

0-Collusion. If no decryption proxy is used, then has at least advantage in breaking the proposed scheme. Thus, has at least the following advantage in breaking -BDHE problem:

1-Collusion. If one decryption proxy is used, then we have . Thus, if has at least advantage in breaking the proposed scheme, then has at least advantage in breaking the -BDHE problem.

-Collusion. If decryption proxies are used, then we have Thus, if has at least advantage in breaking the proposed scheme, then has at least the following advantage in breaking the -BDHE problem:

7.2. Traceability

In this section, we prove the traceability of the proposed scheme based on the -SDH assumption.

Theorem 11. If -SDH assumption holds, then the proposed scheme is fully traceable provided that .

Proof. Suppose that there is a PPT adversary who wins the traceability game with nonnegligible advantage after key queries. Without loss of generality, assume that . Then, we can construct a PPT simulator that breaks -SDH assumption with nonnegligible advantage.
is given an instance of the -SDH problem as follows. Let be a bilinear group of prime order , let , let be a bilinear map, and let . is given as in instance of the -SDH problem. ’s goal is to output a pair satisfying for solving the -SDH problem. sets for and interacts with in the traceability game as follows.
Setup. randomly picks distinct values . Let be the polynomial . Expand and write , where are the coefficients of the polynomial . computes randomly chooses and computes . For , , sets , where . then gives the public parameter KeyQuery. submits to to request a decryption key. Assume that it is the th query. For , let be the polynomial . Expand and write , where . computes randomly chooses . Then, it computes , and .
Finally, computes the following: (i)For every , compute , where .(ii)For every , compute , where .(iii)For every , compute , where . responds to with as puts tuple into .
KeyForgery. submits to a decryption key .
Note that the distributions of PK and SK in the above game are the same as in the real game. Let denote the event that wins the game; that is, is well-formed, and . The adversary’s advantage over the game is since there is no decryption proxy used. If does not happen, chooses a random a random pair as its solution for -SDH problem. If happens, writes the polynomial for some polynomial and some . Then, since , where and . Thus does not divide . computes the value of .
Next, let denote the event that is a solution to the -SDH problem. Note that when chooses randomly, happens with negligible probability, say zero. solves the -SDH problem with probabilityThus, can break the -SDH assumption with advantage ≤ .

7.3. Policy Privacy

When an encryptor uploads its ciphertext to the storage center, every attribute in the access policy is obfuscated as with a random using the one-way anonymous key agreement protocol [31] such that only users in possession of valid corresponding attributes are able to compute the same value. It is infeasible to guess from without having the corresponding attributes due to which is chosen uniformly at random by the encryptor. Specifically, the storage center does not have which is a secret key component owned by users whose attribute sets satisfy the access policy. Due to the secrecy property of the key agreement protocol [31], the storage center cannot compute .

In token generation phase, a user computes indices for each (obfuscated) attribute . Due to the secrecy property of the key agreement protocol, only the authorized users are able to construct indices corresponding to . Thus, the storage center cannot generate correct indices for the attributes in the access policy. Also, even though the storage center conducts partial decryptions, the user learns nothing about the underlying access policy except that he can decrypt the ciphertext since he receives only the partially decrypted value and no more. Therefore, the proposed scheme guarantees the policy privacy against the storage center and authorized users.

8. Conclusion

In this paper, we proposed an efficient attribute-based secure mHealth data sharing scheme with hidden policies and traceability. The proposed scheme significantly reduces storage and communication costs. The access policies are obfuscated such that not only data privacy but also policy privacy is preserved. The computational costs of users are reduced by delegating approximately 50% of the decryption operation to the more powerful storage systems. Lastly, the proposed scheme is able to trace malicious users who illegally leak their keys. Our security analysis shows that the proposed scheme is secure against chosen-ciphertext and key forgery attacks under the decisional -BDHE and -SDE assumptions. We also prove that the policy privacy of the proposed scheme is preserved against the storage center and authorized users.

Competing Interests

The authors declare that they have no competing interests.


This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (no. 2016R1A2A2A05005402). This work was also supported by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (no. B0190-15-2028). This work was also supported by the research fund of Signal Intelligence Research Center supervised by the Defense Acquisition Program Administration and Agency for Defense Development of Korea.