Research Article  Open Access
Efficient AttributeBased Secure Data Sharing with Hidden Policies and Traceability in Mobile Health Networks
Abstract
Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices. mHealth systems let patients and healthcare providers collect and share sensitive information, such as electronic and personal health records (EHRs) at any time, allowing more rapid convergence to optimal treatment. Key to achieving this is securely sharing data by providing enhanced access control and reliability. Typically, such sharing follows policies that depend on patient and physician preferences defined by a set of attributes. In mHealth systems, not only the data but also the policies for sharing it may be sensitive since they directly contain sensitive information which can reveal the underlying data protected by the policy. Also, since the policies usually incur linearly increasing communication costs, mHealth is inapplicable to resourceconstrained environments. Lastly, access privileges may be publicly known to users, so a malicious user could illegally share his access privileges without the risk of being traced. In this paper, we propose an efficient attributebased secure data sharing scheme in mHealth. The proposed scheme guarantees a hidden policy, constantsized ciphertexts, and traces, with security analyses. The computation cost to the user is reduced by delegating approximately 50% of the decryption operations to the more powerful storage systems.
1. Introduction
mHealth is an abbreviation for mobile health, which can encompass a wide range of healthcare technologies such as mobile computing, medical sensors, and communication technologies [1]. Rapid growth in wireless communications, availability and miniaturization of mobile devices, and computing resources in parallel with mobile and wearable systems can boost the wide adoption of mHealth. Such developments can greatly impact on and reshape the processes of existing healthcare services. For instance, semiconductorimplanted smart intelligent sensors will allow drugs to be delivered in real time to a personal server when they sense a patient who needs a dose of drugs. Personal servers, such as mobile devices, supply global connectivity to the storage center, which can thereby serve clinical healthcare from a distance [2]. The storage center holds the information that forms the electronic health record (EHR), a digital version of a patient’s paper chart. Physicians intermittently upload diagnostic reports based on their observations of the EHRs stored in the storage center. Figure 1 shows an example of an mHealth monitoring and data transfer system. Reportedly, a growing number of healthcarespecific mobile applications are available, and it has been estimated that about 500 million patients around the globe will be in the reach of such apps as of 2015 [3].
EHRs contain sensitive information such as patients’ medical history, diagnoses, immunization dates, allergies, and medications, which are bound to the real identities of patients. That is, whoever can freely access the storage center is able to learn both the identity and clinical information of a specific patient, which clearly threatens the patient’s privacy. Thus, privacy concerns are arguably a major issue, and related requirements are enacted nationwide. For example, in the United States compliance to HIPPA (Health Information Technology for Economic and Clinical Health Act) encourages healthcare providers to not only adopt EHRs but also keep them confidential [4]. This clearly indicates that EHRs must be kept under strict conditions and be accessible only by the authorized user.
Unfortunately, standard encryption schemes are not suitable for mHealth systems for the following reasons [5].(i)Absence of Proper Access Control. Wellknown encryption schemes, such as AES, guarantee the confidentiality of data if security parameters are wellchosen. However, such schemes are not designed to support finegrained access control.(ii)Expensive Key Management. Public key encryption schemes do not support onetomany relationships between the ciphertext and decryption key, necessitating the burdensome distribution and management of public keys.
Since healthcare delivery is a decentralized process taking place across many institutional boundaries, standard approaches to securing health records include rolebased access control because the flexible assignment of permissions to a wide range of user is possible only with finegrained access control. At the same time, the confidentiality of EHRs must be maintained without hindering clinical care by denying legitimate access requests of authorized users, such as doctors, nurses, lab technicians, researchers, and receptionists [6, 7]. Thus, a variety of policybased encryption schemes have been proposed to share data securely and provide reliable access control [8–11]. These schemes are promising in that the accessibility of shared data is dependent on the user’s capacity to satisfy a given policy. Furthermore, encryptors do not require a priori knowledge of the recipients, such as identities or certificates. Specifically, ciphertext policy attributebased encryption (CPABE) allows the construction of policies by utilizing attributes as public keys, thereby protecting shared data against unauthorized users [12–16]. As access to EHRs varies across the space of uneven distributions of healthcare providers and consumers and among population groups with different socioeconomic and demographic characteristics [17], CPABE is a convincing alternative to the conventional cryptographic primitive for mHealth. CPABE can provide finegrained and flexible access control to the shared data in mHealth systems.
It is notable that not only the data, but also the policies for sharing that data are sensitive. Typically, the access policies may reveal sensitive information, such as the underlying data, the identity of a patient, or symptoms indicating what diseases a patient is suffering from. To some extent, patients are reluctant to expose such private information, preferring instead to keep their privacy intact through securing both the EHRs and their access policies. Although CPABE provides a desirable access policy, it has one drawback: the access policies attached to ciphertexts are public. From these access policies, unauthorized users can learn information about the underlying data itself. This weakness is known as the policy privacy problem.
To overcome the policy privacy problem, several CPABE schemes with hidden access policies were proposed [9, 18]. In these schemes, the encryptorchosen access policies are associated with each ciphertext in a way hidden such that even an authorized user learns no information about the underlying policy other than that he is authorized to decrypt. Although these schemes feature hidden policies, they suffer from being inefficient; that is, the ciphertext size is linear with respect to the number of attributes in the access policy.
To limit ciphertext size, Zhou et al. introduced a CPABE scheme which provides both a hidden access policy and a constantsized ciphertext [19]. However, their scheme lacks user traceability. In general, most CPABE schemes supporting constantsized ciphertext or hidden access policies cannot trace malicious users who illegally share their decryption keys. Specifically, the secret keys of policybased encryption consist of sharable attributes so that the decryption keys have no uniquely identifiable information. Thus, if a malicious user leaks his decryption key to others, then there is no clear evidence indicating that the key belongs to him. Although Li et al. proposed a CPABE scheme featuring a hidden access policy and traceability [20], it lacks constantsized ciphertext, resulting in increased communication and storage costs.
Contribution. In this paper, we propose an efficient attributebased secure data sharing scheme for mHealth with hidden policies and traceability. The proposed scheme enforces hidden access policies with wildcards and supports constantsized ciphertext, regardless of the number of attributes. Also, we embed a uniquely identifiable point into each decryption key in order to prevent the user from intentionally distributing the decryption key to others, thereby achieving traceability. Additionally, the proposed scheme allows users to outsource part of the decryption process to the more powerful storage center to minimize computation cost at the user side. Our performance results show that the storage center computes almost 50% of the decryption process on behalf of users. To the best of our knowledge, this is the first construction that achieves all these functionalities simultaneously.
Organization. The rest of this paper is organized as follows. We begin with a discussion of related work in Section 2. In Section 3, we describe the cryptographic background and define a general CPABE with a hidden policy, constantsized ciphertext, and traceability. Section 4 describes the mHealth architecture and security model. In Section 5, we present the construction of the proposed scheme in detail, followed by a performance analysis in Section 6. We analyze its security in Section 7 and conclude the paper in Section 8.
2. Related Work
The idea of IdentityBased Encryption (IBE) was first introduced by Shamir [21]. In IBE, the encryptor makes an access policy based on an identity, and only a user with the matching identity obtains the decryption privilege. Encryption by identity, however, leads to the following limitations: lack of onetomany relationship between the ciphertext and decryption key and the need for the encryptor to know each user’s identity in advance. Later, Sahai and Waters introduced Fuzzy IdentityBased Encryption, which is the first prototype of attributebased encryption (ABE) [22]. While the IBE scheme views an identity as a string of characters, in ABE, an identity is viewed as a set of descriptive attributes (a.k.a., identity set) such as name and affiliation. The ABE scheme allows the encryption of a message based on some identity set , and the decryption ability is given if and only if a user’s set is close enough to to satisfy a systemdefined threshold. This property enables finegrained access control and a onetomany relationship between a ciphertext and its receivers since anyone whose identity set satisfies a given threshold can obtain the decryption privilege. However, the threshold semantics are not very expressive and cannot support finegrained access control. This drawback means that the thresholdbased ABE scheme cannot be applied to more general systems.
In CPABE [12–16], a ciphertext is associated with an access policy and decryption keys are labeled with an arbitrary number of attributes. The encryptor specifies an access policy over encryptorchosen attributes. The access right is given if and only if the attributes in the decryption key satisfy the access policy in the ciphertext. In these schemes, however, the size of a ciphertext has a linear relationship with the number of attributes in the access policies, resulting in inapplicability for resourceconstrained environments.
To limit the size of ciphertexts, Zhou and Huang proposed constantsized CPABE (CCPABE) with a logical AND access policy with wildcards [23]. This scheme limits the size of each ciphertext to up to 300 bytes in total, where a ciphertext consists of encrypted data, an access policy, and 2 bilinear group elements. Chen et al. further improved the CCPABE scheme in terms of security [24] making it CPAsecure under a wellestablished assumption in the standard model without loss of efficiency. Overall, these schemes successfully make the size of ciphertexts constant. However, they reveal the underlying access policy publicly.
While previous works feature open access policies, Hur introduced a CPABE scheme with hidden access policy in smart grid [9]. To preserve policy privacy, a oneway anonymous key agreement scheme is used as a building block in order to replace identity hashes with usergenerated pseudonyms. However, this scheme does not support constantsized ciphertext. Interestingly, an efficient CPABE scheme with a hidden policy was proposed [19]. In this scheme, ANDgate access policies with wildcards are used and each ciphertext header requires 2 bilinear group elements, each of which is limited to 100 bytes in total. Also, access policies are obfuscated by computing the intersection between a given access policy and an allwildcard attribute set. This technique, however, partially leaks the access policy, because unauthorized users can guess at a minimum which attributes are treated as do not care. In addition, the user must run the decryption algorithm at least once, to determine whether he satisfies the access policy, since only decryption failure notifies whether the decryption key satisfies the underlying access policy.
The ability to resist illegal key sharing is a highly desirable characteristic for ABE. To achieve this, Li et al. introduced a useraccountable CPABE scheme that binds user identity in the private key, thereby allowing illegallyshared keys to be traced [25]. Although this methodology has also been adopted by other traceable CPABE schemes [26, 27], none of them fully support either constantsized ciphertext or hidden access policies. In addition to supporting these features, in this paper, we also insert a unique identifier into each private key such that any key can be traced in constant time, regardless of the number of attributes.
3. Preliminaries
3.1. Bilinear Map
Let be a multiplicative cyclic group of large prime order . The bilinear map is defined as follows: , where is the codomain of . The bilinear map has the following properties:(i)Bilinearty. , where (ii)Symmetry. One has (iii)Nondegeneracy. , where is the generator of (iv)Computability. There exists an efficient algorithm to compute the bilinear map .
3.2. Security Assumption
The security of the proposed scheme is based on the Bilinear DiffieHellman Exponent assumption (BDHE) [28]. Let be a bilinear group of large prime order and let be a generator of . The BDHE problem in is defined as follows. Given the vector of elements as the input where is not in the vector, the goal of the computational BDHE problem is to compute . Define the set as Then, we have the following definition.
Definition 1 (Decisional KBDHE). The decisional BDHE assumption is said to be hold in if there is no probabilistic polynomial time adversary who is able to distinguish with nonnegligible advantage, where and are chosen independently and uniformly at random.
We exploit Boneh et al.’s Strong DiffieHellman assumption (SDH) to prove traceability [29]. Given a tuple as input where is chosen uniformly at random, the SDH assumption is stated as follows: there is no probabilistic polynomial time adversary who is able to output with nonnegligible probability, where is not allowed to be zero.
Formally, we have the following SDH assumption.
Assumption 2 (lSDH). The Strong DiffieHellman problem in is defined as follows: given a tuple as input, output . An algorithm has advantage in solving SDH in if the following holds:where the probability is over the random choice of in .
Definition 3. The SDH assumption is secure if no time algorithm has advantage at least in solving the SDH problem in .
3.3. Access Policy
Given an attribute universe , each has one of three values , where denotes that the user has , denotes that the user does not have or is not a proper attribute of this user, and denotes a wildcard specifying do not care. We define the user’s attribute set as follows.
Definition 4. Let be a user’s attribute set, where and is the order of the attribute universe. Then, , where and . One has .
Next we define the ANDgate access policy as follows.
Definition 5. Let be an ANDgate access policy where . Denote that the user’s attribute set satisfies . Then,
3.4. OneWay Anonymous Key Agreement
In this paper, the key idea used to obfuscate attributes in the policy starts from BonehFranklin IdentityBased Encryption [30]. In their scheme, a private key generator (PKG) takes the role of issuing private keys. It generates a private key for each user using a master secret , where is a cryptographic hash function.
Based on [30], Kate et al. proposed a oneway anonymous key agreement scheme by replacing with a pseudonym chosen by each user [31]. This scheme guarantees anonymity for just one receiver when two users engage in it. We give a specific example as follows. Suppose Alice and Bob hold identity and identity , respectively, and they are clients of the same key authority which holds a master secret . Given the private key , Alice wants to communicate with Bob, without disclosing her identity.
To achieve this, the key agreement protocol runs as follows:(1)Alice computes , chooses a random , sets a pseudonym , and computes the session key . She sends the pseudonym to Bob.(2)Given his private key , Bob computes the session key .
In this noninteractive manner, the session key is implicitly authenticated such that Alice is assured that the no one can derive the key other than Bob. Based on the BDH assumption, this protocol is proved to be secure in the random oracle model satisfying unconditional anonymity, no impersonation, and session key secrecy. To hide the policy we exploit the technique used in [9] as a building block instead of building a new method for policy obfuscation from scratch.
3.5. Definitions
In this section, we define a general CPABE with hidden policy, constantsized ciphertexts, and traceability capabilities for secure data sharing. The scheme consists of the following seven algorithms:(i). The Setup algorithm takes as input the number of attributes . It outputs a public key PK and a master key MK and initializes an identity table .(ii). The key generation algorithm takes as input the master key MK, the public key PK, and the user’s attribute set with identity . It outputs a decryption key SK and inserts into .(iii). The encryption algorithm takes as input the public key PK, an access policy , and a message . It outputs a ciphertext such that only the users whose decryption keys satisfying should be able to extract . is associated with the obfuscated policy .(iv). The token generation algorithm takes as input the user ’s secret key and a set of attributes . It outputs a token .(v). The partial decryption algorithm takes as input the token and outputs a partially decrypted ciphertext for a user .(vi) or . The decryption algorithm takes as input the public key PK, a decryption key SK, and ciphertexts , . If , then it outputs a message , where is the user’s attribute set and is the access policy. Otherwise, it outputs which indicates the failure of decryption.(vii) or . The tracing algorithm takes as input the public key PK, a decryption key SK, and the table . It determines whether SK is wellformed indicating that SK is the real output of KeyGen. If SK is wellformed, the algorithm outputs an identity which corresponds to SK. Otherwise it outputs implying that SK is not wellformed. The wellformed decryption key is guaranteed to work correctly in the wellformed decryption process.
In the proposed scheme, each public key component is mapped to an attribute value . When encrypting data, the encryptor specifies an access policy , where . The decryption succeeds only when the user’s attribute set satisfies the (obfuscated) policy .
4. mHealth Architecture
4.1. System Model
In mHealth systems, intelligent wireless sensors perform data acquisition and processing [32]. Individual sensors monitor certain physiological signals and communicate with each other and the personal server such as a tablet PC as shown in Figure 1. Then, the personal server integrates the data received from the different sensors and plays the role of a gateway by sending data to the upper layer of the mHealth system. From a security point of view, the mHealth system components are categorized as follows:(1)Trust Authority. This is a key entity that issues the public and secret parameters for the mHealth system. It publishes diverse access privileges to individual entities based on their attributes. The trust authority is assumed to be fully trusted in the mHealth system [10].(2)Storage Center. This is a data repository center that stores EHRs. In mHealth systems, hospitals or clinics with certain qualifications certified by the trust authority can be employed as a storage center. It is assumed to be honestbutcurious [10]. Thus, it will honestly execute the assigned tasks and like to learn as much information from the encrypted data as possible.(3)Encryptor. This is a patient who generates data and sends it to the storage center. It uses mobile devices to interact with the storage center. Encryptors are responsible for defining access policy based on attributes, obfuscating the policy, associating it with the data, and encrypting the data according to the policy. Hereafter, we will use “encryptor” and “patient” interchangeably.(4)User. This includes entities such as the patient, physicians, nurses, lab technicians, researchers, or receptionists who want to access EHRs contained in the storage center. A user will be authorized to decrypt a ciphertext given by the storage center if and only if his key satisfies the access policy of that ciphertext.
4.2. Security Model
CPA Security. The security model of the proposed scheme is similar to that of the CPABE scheme with constantsized ciphertexts [23] except that each key query is labeled with an explicit identity and attributes are obfuscated. We first introduce the semantic security game. A CPABE scheme is considered to be CPAsecure if no probabilistic polynomial time adversaries have nonnegligible advantages in the following CPA security game.(i)Init. The adversary chooses a challenge access policy and gives it to the challenger.(ii)Setup. The challenger runs the Setup algorithm and gives the adversary the public parameter PK.(iii)Phase 1. The adversary queries the challenger for decryption keys corresponding to , where . The challenger answers with a decryption key SK for . The adversary repeats this phase adaptively.(iv)Challenge. The challenger obtains by running the Encrypt algorithm. The challenger sets and picks a random of the same length as . It then flips a random coin and gives to the adversary.(v)Phase 2. It is the same as Phase 1.(vi)Guess. The adversary outputs a guess .
The adversary wins the game if under the restriction that cannot satisfy the access policy . The adversary may run Phase 2 to make multiple key queries in the midst of the challenge. Note that the adversary declares the access policy at the start of the game.
The advantage of an adversary in this game is defined as
Traceability. The traceability definition for the proposed scheme is described by the following security game:(i)Setup. The challenger runs the Setup algorithm to obtain the public parameter PK. Then, the challenger gives PK to the adversary.(ii)KeyQuery. The adversary makes decryption key queries times to the challenger, where sets of attributes correspond to decryption keys.(iii)KeyForgery. The adversary outputs a decryption key .
The adversary wins the game if the following holds:(1).(2).
Then, the advantage of the adversary in this game is
Definition 6. A traceable ciphertext policy attributebased encryption scheme is fully traceable if all polynomial time adversaries have at most negligible advantage in this game.
Policy Privacy. While sharing data in the mHealth system, the storage center or unauthorized users must learn no information about the attributes associated with the access policy of the encrypted data. Also, even authorized users should not obtain any information about these attributes other than the fact that they are authorized to access the data.
5. Proposed Scheme
5.1. System Architecture
The proposed data sharing process in the mHealth system runs as follows. An encryptor defines the access policy with a set of attributes, encrypts the EHRs associated with clinical reports under the policy, and uploads the ciphertext and the obfuscated policy to the storage center. When a user wants to access the uploaded data, he first generates a token using his attributes and sends it to the storage center. If the attributes in the token satisfy the access policy, then the storage center partially decrypts the ciphertext and sends the result to the user. Then, the user finishes the decryption of the ciphertext using his secret key and the partially decrypted ciphertext as inputs. The outline of data sharing process is depicted in Figure 2.
5.2. Scheme Construction
The proposed scheme is constructed on the basis of the following seven algorithms as follows.
. Given attributes as the attribute universe, the proposed scheme has attribute values such that . Specifically, we map to , to , and to .
Let be a bilinear group of prime order . The Setup algorithm chooses a random generator and random . For , it computes . Then, it computes and . The master and public keys are set to ; . The algorithm initializes an identity table .
. Assume that each user is tagged with an attribute set , where and . The KeyGen algorithm randomly chooses , . Then, it computes , and . For all , it computes , where is a hash function .
Next, the algorithm computes the following:(i)For every , compute , where .(ii)For every , compute , where .(iii)For every , compute , where .
The decryption key for user is set toNote that is computed modulo . If or is already in , the algorithm is run repeatedly with another random . Then, it puts a tuple into and uploads to the storage center.
. is an ANDgate access policy with attributes specified by an encryptor , where each attribute is either positive/negative or wildcard. The algorithm chooses a random and computes , for all , where is a hash function . Then, the access policy is obfuscated by replacing each attribute with .
Next, the algorithm picks a random and computes a onetime symmetric key . It encrypts the message as and computes . Then, it computes . The ciphertext is set to The encryptor uploads to the storage center.
. When a user needs to access the ciphertext of in the storage center with a set of attributes , receives from the storage center and generates the token for as follows. For all , the algorithm computes . Then, it constructs the token . Each will be used as an index for the obfuscated attribute . The user sends to the storage center.
. Given from the user , the storage center checks if each in the token satisfies the access policy associated with . If satisfied, the storage center partially decrypts using as for all . Then, it computes a production of all as . The storage center sends to .
or . On receipt of the partially decrypted ciphertext from the storage center, the user computes for all as Then, it computes and divides by . Using the quotient term , the user concludes decryption as follows:Then,The user decrypts .
or . is called wellformed if it passes the following conditions hold: If is wellformed, the algorithm searches in . If is in , the algorithm outputs the corresponding , and if not, the algorithm outputs the corresponding indicating that the corresponding identity never appears in . If is not wellformed, the algorithm outputs .
6. Performance Analysis
In this section, we analyze the performance of the proposed scheme compared with the previous schemes including a constantsized ciphertexts scheme [23], a hidden policy scheme [25], and a traceability scheme [26]. We compare each scheme in several ways such as the computational cost of encryption and decryption and the ciphertext length and in terms of the complexity assumption. Also, we implemented the proposed scheme to evaluate its actual performance. We programmed our system using the Javabased pairing based cryptography (jPBC) library [33] on a GIGABYTE desktop with 4 Intel Core i53570 3.40 GHz CPUs, 4 GB RAM, and running Windows 7 Ultimate K.
Table 1 shows the results of comparing the different schemes. The notations we use in the table are as follows: denotes the number of attributes involved in the access policy, denotes the number of attributes in the attribute universe, denotes the exponentiation operation, and denotes the paring operation. Note that, following convention, the bitlength of the expression of the access policy and its computational costs over are ignored.
In terms of computational cost, the constantsized ciphertext scheme [23] shows the best encryption phase efficiency, requiring a constant number of exponentiations. The proposed scheme also needs two exponentiations in data encryption, but an additional operations are required to obfuscate the access policy. In the decryption phase, the proposed scheme requires more computations than [23] since the user identity is exponentiated to every attribute value to support traceability. In contrast to [25, 26], the proposed scheme requires approximately number of exponentiations. With regard to the ciphertext length, the proposed scheme and [23] guarantee constantsized ciphertext. On the other hand, the hidden policy scheme [25] and the traceability scheme [26] incur linearly increasing ciphertexts as the attribute number increases. Overall, the proposed scheme is efficient in terms of the ciphertext size and provides hidden policy traceability at the cost of more exponentiation operations.
Figure 3 shows the computation overhead incurred in the core algorithms, Setup, KeyGen, Encrypt, GenToken, Decrypt, PDecrypt, and Trace, under various conditions. Figure 3(a) shows how systemwide setup time varies according to the number of attributes. Figure 3(b) shows the total key generation time against different numbers of attributes. The setup occurs only once at the start of the system, and key generation occurs every time a new user joins. Figure 3(c) shows encryption time against different numbers of attributes. It increases linearly due to the time taken to obfuscate the policy attached to the data. Figure 3(d) shows the token generation time against the number of attributes. The token generation process requires a pairing operation time linear to the number of attributes. Figure 3(e) shows the partial decryption time at the storage center and decryption time at the user against the number of attributes. Interestingly, the storage center can undertake nearly 50% of whole decryption process on behalf of users. This property can be most useful for relatively resourceconstrained user side devices. Lastly, Figure 3(f) shows the trace time with different numbers of attributes and users. The trace time depends only but not strongly on the number of users.
(a) Setup time
(b) Key generation time
(c) Encryption time
(d) Token generation time
(e) Decryption and partial decryption time
(f) Trace time with different number of users
Further Efficiency Improvement. jPBC is a complete Java port of the PBC library which was originally written in C [34]. Java is widely considered to be slower than C because Java programs run on the Java Virtual Machine rather than directly on the computer’s processor. Based on this, we additionally provide benchmark comparison results between jPBC and PBC in order to demonstrate how fast the proposed scheme can be when it is implemented in C language [33]. Table 2 shows the performance comparison between Java and C with respect to pairing and exponentiation operations conducted on the same machine. The two libraries were applied to the curve over the field for some prime . The order of is some prime factor of [33]. Since the cost of the pairing operation in PBC is approximately 12 seconds less than in jPBC, PBC is expected to improve the performance of pairingdependent algorithms, such as GenToken and policy obfuscation process in Encrypt, by up to . Similarly, the cost of the exponentiation operations in and are reduced by and seconds, respectively. Such a difference between the two libraries implies that moving from Java to C implementation of the proposed scheme can speed up the Setup and KeyGen algorithms by approximately and the PDecrypt and Decrypt algorithms by approximately .

7. Security Analysis
7.1. Data Confidentiality
In this section, we reduce the chosen plaintext attack (CPA) security of the proposed scheme to a decisional BDHE problem. Given an access policy , a user with an attribute set colludes with decryption proxies. Intuitively, this attack works successfully if . Based on the CPA security game in Section 4.2, we have the following.
Theorem 7. If a probabilistic polynomial time adversary wins the CPA security game with a nonnegligible advantage, then one can construct a simulator that distinguishes a DBHE tuple with a nonnegligible advantage.
Proof. Suppose that an adversary ’s advantage for winning the game is . Then, we can construct a simulator which solves the decisional BDHE problem with the advantage . The simulator takes an input vector , where is either or a random element in . Then, breaks the decisional BDHE problem with the advantage . Specifically, takes a random decisional BDHE challenge as input, where is either or a random value.
Next, runs the following CPA game with the role of challenger. (i) Init. sends an access policy to .(ii) Setup. runs the Setup algorithm to obtain PK and chooses a random . Then, computes outputs the public key .Phase 1. The adversary submits , where . Then, there exists such that , where , or , where .
For , picks random and sets . Next, randomly chooses and computes Next, computes where falls into one of the following conditions: () for all , () for all , and () for all .
Then, each is valid such that Challenge. sets and and gives the challenge to . Note that for some such that and if .
Phase 2. Repeat Phase 1.
Guess. The adversary outputs a guess , where implies that . If , then is a random element which indicates that . Note that each decryption proxy simulates a legal decryption key component with a random . Specifically, the adversary passes as a guess of which is embedded in , where . We further define a decryption proxy to model collusion attacks.
Definition 8. Given decryption proxies in the security game, each decryption proxy , where and .
Lemma 9 (collision with 1 decryption proxy). Suppose that has issued queries and there is only 1 attribute , where makes queries to . The probability that none of the queries returns a legal decryption key component of any is .
Proof. The probability that at least one query returns an illegal decryption key component of any is . Thus, if none of the queries succeeds, then , where is a random number in the decryption proxy and is a random number in the decryption key.
Lemma 10 (collision with multiple decryption proxies). Suppose has issued queries and there are attributes dissatisfying , where makes queries to each decryption proxy , . The probability that none of the queries returns a legal decryption key component of any is .
Proof. The probability that one decryption proxy fails is . Thus, the probability that all decryption proxies succeed is .
In case of , we have 3 collusion scenarios as follows.
0Collusion. If no decryption proxy is used, then has at least advantage in breaking the proposed scheme. Thus, has at least the following advantage in breaking BDHE problem:
1Collusion. If one decryption proxy is used, then we have . Thus, if has at least advantage in breaking the proposed scheme, then has at least advantage in breaking the BDHE problem.
Collusion. If decryption proxies are used, then we have Thus, if has at least advantage in breaking the proposed scheme, then has at least the following advantage in breaking the BDHE problem:
7.2. Traceability
In this section, we prove the traceability of the proposed scheme based on the SDH assumption.
Theorem 11. If SDH assumption holds, then the proposed scheme is fully traceable provided that .
Proof. Suppose that there is a PPT adversary who wins the traceability game with nonnegligible advantage after key queries. Without loss of generality, assume that . Then, we can construct a PPT simulator that breaks SDH assumption with nonnegligible advantage.
is given an instance of the SDH problem as follows. Let be a bilinear group of prime order , let , let be a bilinear map, and let . is given as in instance of the SDH problem. ’s goal is to output a pair satisfying for solving the SDH problem. sets for and interacts with in the traceability game as follows.
Setup. randomly picks distinct values . Let be the polynomial . Expand and write , where are the coefficients of the polynomial . computes randomly chooses and computes . For , , sets , where . then gives the public parameter KeyQuery. submits to to request a decryption key. Assume that it is the th query. For , let be the polynomial . Expand and write , where . computes randomly chooses . Then, it computes , and .
Finally, computes the following: (i)For every , compute , where .(ii)For every , compute , where .(iii)For every , compute , where . responds to with as puts tuple into .
KeyForgery. submits to a decryption key .
Note that the distributions of PK and SK in the above game are the same as in the real game. Let denote the event that wins the game; that is, is wellformed, and . The adversary’s advantage over the game is since there is no decryption proxy used. If does not happen, chooses a random a random pair as its solution for SDH problem. If happens, writes the polynomial for some polynomial and some . Then, since , where and . Thus does not divide . computes the value of .
Next, let denote the event that is a solution to the SDH problem. Note that when chooses randomly, happens with negligible probability, say zero. solves the SDH problem with probabilityThus, can break the SDH assumption with advantage ≤ .
7.3. Policy Privacy
When an encryptor uploads its ciphertext to the storage center, every attribute in the access policy is obfuscated as with a random using the oneway anonymous key agreement protocol [31] such that only users in possession of valid corresponding attributes are able to compute the same value. It is infeasible to guess from without having the corresponding attributes due to which is chosen uniformly at random by the encryptor. Specifically, the storage center does not have which is a secret key component owned by users whose attribute sets satisfy the access policy. Due to the secrecy property of the key agreement protocol [31], the storage center cannot compute .
In token generation phase, a user computes indices for each (obfuscated) attribute . Due to the secrecy property of the key agreement protocol, only the authorized users are able to construct indices corresponding to . Thus, the storage center cannot generate correct indices for the attributes in the access policy. Also, even though the storage center conducts partial decryptions, the user learns nothing about the underlying access policy except that he can decrypt the ciphertext since he receives only the partially decrypted value and no more. Therefore, the proposed scheme guarantees the policy privacy against the storage center and authorized users.
8. Conclusion
In this paper, we proposed an efficient attributebased secure mHealth data sharing scheme with hidden policies and traceability. The proposed scheme significantly reduces storage and communication costs. The access policies are obfuscated such that not only data privacy but also policy privacy is preserved. The computational costs of users are reduced by delegating approximately 50% of the decryption operation to the more powerful storage systems. Lastly, the proposed scheme is able to trace malicious users who illegally leak their keys. Our security analysis shows that the proposed scheme is secure against chosenciphertext and key forgery attacks under the decisional BDHE and SDE assumptions. We also prove that the policy privacy of the proposed scheme is preserved against the storage center and authorized users.
Competing Interests
The authors declare that they have no competing interests.
Acknowledgments
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (no. 2016R1A2A2A05005402). This work was also supported by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (no. B0190152028). This work was also supported by the research fund of Signal Intelligence Research Center supervised by the Defense Acquisition Program Administration and Agency for Defense Development of Korea.
References
 P. Germanakos, C. Mourlas, and G. Samaras, “A mobile agent approach for ubiquitous and personalized eHealth information systems,” in Proceedings of the Workshop on ‘Personalization for eHealth’ of the 10th International Conference on User Modeling, pp. 67–70, Edinburgh, UK, July 2005. View at: Google Scholar
 E. Jovanov, A. O'Donnell Lords, D. Raskovic, P. G. Cox, R. Adhami, and F. Andrasik, “Stress monitoring using a distributed wireless intelligent sensor system,” IEEE Engineering in Medicine and Biology Magazine, vol. 22, no. 3, pp. 49–55, 2003. View at: Publisher Site  Google Scholar
 J. A. Wolf, J. F. Moreau, O. Akilov et al., “Diagnostic inaccuracy of smartphone applications for melanoma detection,” JAMA Dermatology, vol. 149, no. 4, pp. 422–426, 2013. View at: Publisher Site  Google Scholar
 United States Department of Health & Human Services, Health Information Privacy, 2011, http://www.hhs.gov/ocr/privacy/index.html.
 S. Alshehri, S. P. Radziszowski, and R. K. Raj, “Secure access for healthcare data in the cloud using Ciphertextpolicy attributebased encryption,” in Proceedings of the IEEE 28th International Conference on Data Engineering Workshops (ICDEW '12), pp. 143–146, IEEE, Arlington, Va, USA, April 2012. View at: Publisher Site  Google Scholar
 M. Poulymenopoulou, F. Malamateniou, and G. Vassilacopoulos, “EEPR: a cloudbased architecture of an electronic emergency patient record,” in Proceedings of the 4th ACM International Conference on PErvasive Technologies Related to Assistive Environments (PETRA '11), article 35, Crete, Greece, May 2011. View at: Publisher Site  Google Scholar
 H. A. J. Narayanan and M. H. Gunes, “Ensuring access control in cloud provisioned healthcare systems,” in Proceedings of the IEEE Consumer Communications and Networking Conference (CCNC '11), pp. 247–251, Las Vegas, Nev, USA, January 2011. View at: Publisher Site  Google Scholar
 R. Bobba, H. Khurana, M. Alturki, and F. Ashraf, “PBES: a policy based encryption system with application to data sharing in the power grid,” in Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS '09), pp. 262–275, March 2009. View at: Publisher Site  Google Scholar
 J. Hur, “Attributebased secure data sharing with hidden policies in smart grid,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 11, pp. 2171–2180, 2013. View at: Publisher Site  Google Scholar
 L. Guo, C. Zhang, J. Sun, and Y. Fang, “PAAS: a privacypreserving attributebased authentication system for eHealth networks,” in Proceedings of the 32nd IEEE International Conference on Distributed Computing Systems (ICDCS '12), pp. 224–233, IEEE, Macau, June 2012. View at: Publisher Site  Google Scholar
 A. Kapadia, P. P. Tsang, and S. W. Smith, “Attributebased publishing with hidden credentials and hidden policies,” Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS '07), vol. 7, pp. 179–192, 2007. View at: Google Scholar
 J. Bethencourt, A. Sahai, and B. Waters, “Ciphertextpolicy attributebased encryption,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 321–334, Berkeley, Calif, USA, May 2007. View at: Google Scholar
 B. Waters, “Ciphertextpolicy attributebased encryption: an expressive, efficient, and provably secure realization,” in Public Key CryptographyPKC, pp. 53–70, 2011. View at: Google Scholar
 V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in Automata, Languages and Programming: 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7–11, 2008, Proceedings, Part II, vol. 5126 of Lecture Notes in Computer Science, pp. 579–591, Springer, Berlin, Germany, 2008. View at: Publisher Site  Google Scholar
 L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W. Jonker, “Mediated ciphertextpolicy attributebased encryption and its application,” in Information Security Applications, H. Y. Youm and M. Yung, Eds., vol. 5932 of Lecture Notes in Computer Science, pp. 309–323, 2009. View at: Publisher Site  Google Scholar
 T. Jung, X.Y. Li, Z. Wan, and M. Wan, “Privacy preserving cloud data access with multiauthorities,” in Proceedings of the IEEE INFOCOM, pp. 2625–2633, Turin, Italy, April 2013. View at: Publisher Site  Google Scholar
 F. Wang and W. Luo, “Assessing spatial and nonspatial factors for healthcare access: towards an integrated approach to defining health professional shortage areas,” Health & Place, vol. 11, no. 2, pp. 131–146, 2005. View at: Publisher Site  Google Scholar
 R. W. Bradshaw, J. E. Holt, and K. E. Seamons, “Concealing complex policies with hidden credentials,” in Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS '04), pp. 146–157, October 2004. View at: Google Scholar
 Z. Zhou, D. Huang, and Z. Wang, “Efficient privacypreserving ciphertextpolicy attribute basedencryption and broadcast encryption,” IEEE Transactions on Computers, vol. 64, no. 1, pp. 126–138, 2015. View at: Publisher Site  Google Scholar  MathSciNet
 J. Li, K. Ren, B. Zhu, and Z. Wan, “Privacyaware attributebased encryption with user accountability,” in Information Security, pp. 347–362, Springer, Berlin, Germany, 2009. View at: Google Scholar
 A. Shamir, “Identitybased cryptosystems and signature schemes,” in Advances in Cryptology, G. R. Blakley and D. Chaum, Eds., vol. 196 of Lecture Notes in Computer Science, pp. 47–53, 1985. View at: Publisher Site  Google Scholar
 A. Sahai and B. Waters, “Fuzzy identitybased encryption,” in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 457–473, Springer, Berlin, Germany, 2005. View at: Publisher Site  Google Scholar  MathSciNet
 Z. Zhou and D. Huang, “On efficient ciphertextpolicy attribute based encryption and broadcast encryption,” in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 753–755, ACM, Chicago, Ill, USA, October 2010. View at: Publisher Site  Google Scholar
 C. Chen, Z. Zhang, and D. Feng, “Efficient ciphertext policy attributebased encryption with constantsize ciphertext and constant computationcost,” in Provable Security: 5th International Conference, ProvSec 2011, Xi'an, China, October 16–18, 2011. Proceedings, vol. 6980 of Lecture Notes in Computer Science, pp. 84–101, Springer, Berlin, Germany, 2011. View at: Publisher Site  Google Scholar
 J. Li, K. Ren, and Z. Wan, “Privacyaware attributebased encryption with user accountability,” in Information Security, pp. 347–362, Springer, Berlin, Germany, 2009. View at: Google Scholar
 Z. Liu, Z. Cao, and D. S. Wong, “Whitebox traceable ciphertextpolicy attributebased encryption supporting any monotone access structures,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 76–88, 2013. View at: Publisher Site  Google Scholar
 Z. Liu, Z. Cao, and D. S. Wong, “Blackbox traceable CPABE: How to catch people leaking their keys by selling decryption devices on eBay,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13), pp. 475–486, ACM, November 2013. View at: Publisher Site  Google Scholar
 D. Boneh, X. Boyen, and E. J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in Advances in Cryptology—EUROCRYPT 2005, pp. 440–456, Springer, Berlin, Germany, 2005. View at: Google Scholar
 D. Boneh and X. Boyen, “Short signatures without random oracles,” in Advances in CryptologyEUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 56–73, Springer, Berlin, Germany, 2004. View at: Google Scholar
 D. Boneh and M. Franklin, “Identitybased encryption from the Weil pairing,” in Advances in Cryptology—CRYPTO 2001, pp. 213–229, Springer, Berlin, Germany, 2001. View at: Publisher Site  Google Scholar  MathSciNet
 A. Kate, G. Zaverucha, and I. Goldberg, “Pairingbased onion routing,” in Privacy Enhancing Technologies, N. Borisov and P. Golle, Eds., vol. 4776 of Lecture Notes in Computer Science, pp. 95–112, Springer, Berlin, Germany, 2007. View at: Publisher Site  Google Scholar
 E. Jovanov and D. Raskovic, “Wireless intelligent sensors,” in MHealth, pp. 33–49, Springer, New York, NY, USA, 2006. View at: Google Scholar
 A. De Caro and V. Iovino, “jPBC: java pairing based cryptography,” in Proceedings of the IEEE Symposium on Computers and Communications (ISCC '11), pp. 850–855, JuneJuly 2011. View at: Google Scholar
 B. Lynn, The PairingBased Cryptography (PBC) Library, 2010, http://crypto.stanford.edu/pbc.
Copyright
Copyright © 2016 Changhee Hahn et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.