Table of Contents Author Guidelines Submit a Manuscript
Mobile Information Systems
Volume 2017, Article ID 7514867, 15 pages
https://doi.org/10.1155/2017/7514867
Research Article

Flexible and Lightweight Access Control for Online Healthcare Social Networks in the Context of the Internet of Things

School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China

Correspondence should be addressed to Hu Xiong; moc.liamg@ctseu.uhgnoix

Received 27 November 2016; Revised 6 March 2017; Accepted 12 April 2017; Published 28 May 2017

Academic Editor: Tao Han

Copyright © 2017 Zhen Qin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Online healthcare social networks (OHSNs) play an essential role in sharing information among medical experts and patients who are equipped with similar experiences. To access other patients’ data or experts’ diagnosis anywhere and anytime, it is necessary to integrate the OHSN into the Internet as part of the Internet of Things (IoT). Therefore, it is crucial to design an efficient and versatile access control scheme that can grant and revoke a user to access the OHSN. In this paper, we propose novel attribute-based encryption (ABE) features with user revocation and verifiable decryption outsourcing to control the access privilege of the users. The security of the proposed ABE scheme is given in the well-studied random oracle model. With the proposed ABE scheme, the malicious users can be excluded from the system and the user can offload most of the overhead in the decryption to an untrusted cloud server in a verifiable manner. An access control scheme for the OHSN has been given in the context of the IoT based on the proposed ABE scheme. The simulation demonstrates that our access control mechanism is practical.

1. Introduction

Fueled with wireless medical sensors implanted or worn on human body, personal health information (PHI) can be extracted anytime and from any location handily. To share the PHI with the medical experts or other patients from the same community, the online healthcare social networks (OHSNs) [13] can be formed and integrated into the Internet of Things (IoT) [46] by exchanging the PHI via the portable devices such as the smart phones (Figure 1). With the support of OHSN, users can easily identify other users with certain symptoms in the community and share diagnosis information with each other. Furthermore, accurate and positive treatment information from medical experts can also be disseminated in OHSN to improve the online healthcare environment.

Figure 1: PHI data sharing system.

In OHSNs, PHI data are extremely sensitive since these data are closely related to the patients’ health status. Naturally, one main requirement of PHI data sharing is to ensure that the data owners could fully control the access to their PHI data and hinder unauthorized users from obtaining the PHI data. One simple approach to achieve access control on the PHI data is to encrypt the shared data with the conventional asymmetric encryption by considering the bulky key management overhead of the symmetric encryption. In asymmetric cryptography (also known as public key cryptography), each user is equipped with a public/private key pair where the public key is distributed in the system and the private key is kept a secret by the user. To share PHI data with close friend or medical expert securely, data owner needs to encrypt the shared data under the public key of the receiver. In this way, only the receiver can read this data with his/her private key. However, this approach is not scalable in the system with a huge number of users. Let us consider the following scenario. Assume the user Alice intends to share her PHI data with her attending physician Bob, her colleague Carol, and her friend David with the conventional public key cryptography. To ensure her data can be accessed by these three users, Alice has to perform the encryption over the shared data three times under the public key of Bob, Carol, and David, respectively. Thus, it is not a trivial task to construct an access control mechanism for the OHSNs in the context of the IoT due to the large-scale nature of OHSNs.

Attribute-based encryption (ABE) [7, 8] seems to be a possible promising solution to provide flexible and versatile access control over the encrypted sharing data due to its one-to-many encryption pattern. In an (ciphertext policy) ABE system, user’s private key and ciphertext are, respectively, labeled with a set of attributes and an access policy. Without enumerating the public key of all of the intended receivers, the ciphertext can be read by a group of users as long as the set of attributes associated with the users satisfy the access structure embedded in the ciphertext. That is to say, the one-to-many encryption can be achieved by ABE directly, which makes the ABE primitive particularly appropriate to the large-scale OHSNs. However, two major barriers impede ABE schemes from direct deployment in OHSNs. First, tremendous amounts of wireless and portable sensors/devices interconnected in OHSNs can be easily infiltrated or breached by hackers; therefore, the function with revocation should be considered in ABE schemes to deal with this situation. Second, the ciphertext size and the computational cost of ABE usually grow with the complexity of the access policy because of its expressiveness. By considering the limited battery and computational capabilities of the wireless and portable sensors/devices [9, 10], the existing ABE scheme cannot be directly used to secure the OHSNs.

The motivation of the paper is to construct a practical access control mechanism suitable for the large-scale OHSNs in the context of the IoT. In OHSNs, the users equipped with portable devices may be compromised and thus excluded from the system. By considering the limited computation capabilities of the mobile users, the mechanism should be designed to be lightweight. To tackle the above-mentioned issues, we design our ABE scheme featured with user revocation and verifiable decryption outsourcing and apply the proposed ABE scheme to OHSNs. The contributions of this paper include the following two points:(1)We design a novel ABE scheme with user revocation by incorporating the ciphertext update and key update function such that any legitimate users in social group can access the PHI data from other data owners in the community and revoked users cannot read the encrypted data again even if they intend to collude their attributes with other legitimate social group users. Moreover, our scheme offloads most of the computation task on the data sharers’ side to the untrusted cloud server provider. Concretely, the data sharer sends the transformation key to the cloud server, which in turn sends the partially decrypted ciphertexts to the data sharers and thus contributes to offloading the original decryption task. Moreover, the outsourced result can be easily validated by users whether it is true or not.(2)Based on our ABE scheme, we present a versatile personal health information (PHI) data sharing architecture to achieve flexible and fine-grained access control. Security proof in the random oracle model and simulation result demonstrate that our scheme is secure and practical.

Organization. The rest of this paper is organized as follows. Related works are illustrated in Section 2. Some preliminaries are presented in Section 3. Section 4 describes the formal definition of proposed scheme, our system model, and the security model. In Section 5, the concrete construction is given. Sections 6 and 7 show the security analysis and the performance analysis, respectively. Finally, our conclusion is stated in Section 8.

2. Related Work

2.1. Attribute-Based Encryption

The notion of attribute-based encryption, which was suggested by Sahai and Waters as fuzzy identity-based encryption in [11], was extended by Goyal et al. [7]. Up to now, two flavors of ABE, key policy attribute-based encryption (KP-ABE) [7, 1214] and ciphertext policy attribute-based encryption (CP-ABE) [8, 15, 16], have been proposed referring to the fact that access control policy is embedded to the private key or the ciphertext. In a KP-ABE system, keys are associated with an access policy and the ciphertext with a set of attributes. Contrarily, in a CP-ABE system, ciphertexts are assigned to an access structure and the key to a set of attributes. A user can decipher the ciphertext, only if the set of attributes holds the access structure.

Although ABE enjoys high expressive and versatile access control policies, the ciphertext size and the computational cost grow with the complexity of the access policy in existing ABE schemes. To offload high computational overload, Green et al. [17] introduced the notion of outsourced decryption into ABE systems, which largely eliminates the decryption overhead for users. In [17], user’s secret key was blinded with a random number and then was delivered to a cloud server to translate the ABE ciphertext into a simper ciphertext. Unfortunately, the verifiability of the cloud’s transformation is not guaranteed for users. By offloading all the access policy and attribute related operation to the key generation service provider (KGSP) and the decryption cloud server provider (DSP), respectively, a secure OABE scheme, which was introduced by Li et al. [18], supplied checkability with supporting both outsourced key issuing and decryption. Presently, Lai et al. [19] formally defined the verifiability of ABE and presented an ABE scheme with verifiable outsourced decryption. Although [19] achieved the desirable effect of the verifiability, double overhead on both the length of ciphertext and the computational cost is reluctant to be accepted for users. To resolve the double overhead problem, Ma et al. [20] suggested a verifiable and exculpable outsourced OABE scheme, which not only largely leverages the ciphertext size and computational cost, but also brings the strong verifiability and exculpability, which effectively addresses the dispute between a user and an outsource computation service provider.

2.2. User Revocation

The issue of applying ABE to the data outsourcing architecture also faces many challenges with regard to user revocation or attribute revocation. Key revocation mechanisms in KP-ABE and CP-ABE, respectively, first proposed by Bethencourt et al. [8] and Boldyreva et al. [21], was realized by incorporating with encrypting the message to the attribute and its validation time. However, it was confirmed that these schemes [8, 21] had the security degradation problem considering the forward and backward secrecy [22]. In such a data sharing revocable ABE scenario, a revoked user might still be able to retrieve the original data by attribute-collusion even if his/her attributes do not hold access policy. Of course, a new user might be able to access the previous encrypted data before joining the system until the data are reencrypted with the current updated attribute keys. It is not desirable that a user, revoked from a single attribute group, loses all the access rights to the system in many pragmatic scenarios since the other attributes may still be valid. Attrapadung and Imai [23] realized a conjunctive broadcast and attribute-based encryption scheme with revocation ability; in [23], the data owner was able to perform the user direct revocation by maintaining all user membership lists for each attribute group. However, this scheme was unsuitable to be applied to the data sharing system mainly considering that the data owner will no longer take direct control of data after outsourcing data to the cloud storage server. These schemes [2426] also addressed the user revocation in the ABE-based data sharing system. In [25], in order to revoke users, the trusted authority should generate all secret keys including the proxy key; simultaneously, the server would reencrypt the ciphertext to hamper revoked users from deciphering the ciphertext after receiving the proxy key from the trusted authority. Therefore, the key escrow problem described in [26] may appear. To address this problem, Hur [26] integrated a key issuing protocol with the proxy encryption mechanism. Very recently, Li et al. [24] presented a flexible and fine-grained attribute-based data storage in cloud computing; however, several issues, key-unblinding, unverifiability, and high key-updating times, cannot be well addressed.

2.3. Online Healthcare Social Networks

Several research works that are closely related to the online healthcare social networks (OHSNs) have been introduced [2730]. Chen et al. [27] present an event-aided packet forwarding (EPF) protocol, which enables patients who suffer from the same diseases to discuss health conditions with other wardmates in OHSNs. Zhou et al. [29] show a secure and privacy-preserving key management scheme for cloud-assisted wireless body area network in OHSNs; in [29], it can tamper both time-based and location-based mobile attacks from the collaboration of the patients having the same diseases in the same social group. Jiang et al. [30] propose an efficient and privacy-preserving personal health information sharing scheme in OHSNs; in [30], it provides the privacy-preserving of data recipients by hidden access policy and the lightweight decryption overhead on decryptors’ sides by the server-aided outsourcing technique. However, the above schemes do not consider the dynamicity of social group in OHSNs. Featuring with dynamic group can provide the OHSNs with extendibility, flexibility, and practicability.

Most of the existing ABE schemes applied to online healthcare social networks for data sharing can only protect the data confidentiality/privacy. They do not consider the dynamic characteristics of social group and the decryption overhead on recovering the original message. In our paper, the above gaps are bridged well by suggesting a flexible and lightweight access control for online healthcare social networks in the context of the Internet of Things.

3. Preliminaries

In this section, we briefly describe notion description, bilinear map, hardness assumption, linear secret-sharing scheme, proxy reencryption, and key derivation function.

3.1. Notions

The notions used in this paper are listed in Table 1.

Table 1: Notions for our proposed system.
3.2. Bilinear Pairing

Let represent an algorithm that takes as input a security parameter , it outputs a group tuple , where denote multiplicative cyclic groups with prime order , and is a computable bilinear map such that the following are defined:(1)Bilinearity: for all , and .(2)Nondegeneracy: , whenever

Definition 1 (DCDH assumption). Given a group tuple with its generator , where , the divisible computation Diffie-Hellman (DCDH) problem is to output . Let be a bilinear generator; we say that the DCDH holds for if, for all probabilistic polynomial-time (PPT) algorithms , the function is a negligible function of .

3.3. Linear Secret-Sharing Scheme (LSSS)

A secret-sharing scheme over a set of parties is called linear (over ) with two properties: () A vector over is shared by a set of parties. () For the secret-sharing scheme , a share-generating matrix with rows and columns can be established. Besides, there also exists a function that maps each row of the matrix to an associated party. In other words, for , the value equals the party associated with row . When we share a secret , the column vector is established, where . Then is the vector of shares of the secret , and the share belongs to party .

A linear secret-sharing scheme also enjoys the linear reconstruction property: Suppose that there exists a LSSS for the access structure . Let denote the attribute set which satisfies the access structure , and let be defined as . Then, there exist constants such that if are valid shares of any secret according to , then .

3.4. Proxy Reencryption

Proxy reencryption [24] allows an entity of honest but curious proxy cloud server, using reencryption key, to transform an encrypted message under ’s public key into an encrypted same message under ’s public key without exposing any valuable information about .

3.5. Key Derivation Function (KDF)

Key derivation function (KDF [31]), as a cryptographic primitive, provides a key-expansion capability that converts the initial keying material containing semi-secret randomness into one or more pseudorandom keys. The pseudorandom keys derived from KDF are indistinguishable from a randomly and uniformly distributed string of the same length. Furthermore, portion of the bits generated by the KDF cannot disclose knowledge on the other bits. The definition and the security of the KDF are illustrated as follows.

Definition 2 (KDF). Given a sampled value derived from initial keying material and a length value , a KDF generates a string with length .

Definition 3 (security of KDF). A KDF is said to be secure against any PPT adversary , in case the following advantage is negligible: where refers to a randomly and uniformly chosen string of the length bits.

4. Formal Definition, System, and Security Model

In this section, the definition of our proposed scheme, system model, and security model are presented as follows.

4.1. Formal Definition of Our Proposed Scheme

We now describe the framework of our online healthcare social network by exploiting CP-ABE system. Let represent a set of attributes, and stands for an access structure LSSS. Our scheme consists of the following algorithms.

. The SystemSetup algorithm, implemented by trusted authority, outputs the system master key msk and public key pk taking as input a security parameter .

. The GroupSetup algorithm, executed by trusted group administrator, generates the group master key gmk, the group public key gpk, and a dictionary dic with recording the version status.

. The CertGen algorithm, also performed by group administrator, takes as input the system public key pk, the user’s identity uid, and the group master secret key gmkver; it generates a certificateδver.

. The KeyGen algorithm, carried out by trusted authority, takes as input the system public key pk, the system master secret key msk, attribute set , the public group public key gpkver, the user’s identity uid, and the user’s authenticated certificate ; it produces the user decryption keys and the user tuple .

. With the system public key pk, the group public key gpkver, a message , and a LSSS access structure , the Encrypt algorithm, run by PHI data owner, generates the ciphertext stored in cloud server.

. Given the system public key , the group master key gmkver, and a dictionary , the GroupUpdate algorithm, executed by group administrator, updates the group master key as and the group public key as ; besides, it outputs a new dictionary and generates a reencryption key delivered to proxy server.

. The UserUpdate algorithm, performed by users themselves, takes as input the user’s decryption secret key and current tuple ; it outputs the updated decryption secret key .

. The ReEncrypt algorithm, executed by proxy server, takes as input the ciphertext and the reencryption key ; it generates a updated ciphertext .

. The GenTK algorithm, run by data sharer, takes as input the system public key and the user’s decryption secret key ; it outputs a blinded decryption secret key and a transformation key .

. The Transform algorithm, implemented by DSP, takes as input the ciphertext and the transformation key from data sharer (i.e., mobile patients or mobile physicians); if does not satisfy access structure, it then outputs . Otherwise, it outputs a transformation ciphertext .

. The Decrypt algorithm, run by data sharers, takes as input the transformation ciphertext and the updated decryption secret key ; it outputs the decrypted message if validating the correctness of transformed ciphertext .

4.2. System Model

We consider an efficient personal health information (PHI) data sharing architecture [32, 33] by an example that mobile patients featured with the same symptoms [3] or physicians can form a social group and can rent a cloud server to store and share PHI data with each other in a flexible access manner. Based upon the above premise, several different entities are involved in our system model (Figure 2): PHI cloud storage server, trusted authority, decryption cloud server provider, trusted group administrator, and a large number of social group users including PHI data owners and PHI data sharers. The trusted authority undertakes the responsibility concerning attribute authentication and key distribution. The trusted group administrator takes charge of group management, certificate generation, key update for social group users, and ciphertext update for reencryption requests. The users (i.e., mobile patients and mobile physicians) in the same social group share their health conditions and medical care experiences with their mobile devices. PHI cloud storage server, which is assumed to be a honest but curious entity, provides social group users with some storage and reencryption services; that is, it faithfully implements all operations requested by users and purposefully retrieves the stored ciphertext to collect additional valuable PHI information. The decryption cloud server provider [20] offers the services that can help users to convert a complex decryption task into a simple one.

Figure 2: Architecture of the proposed PHI data sharing protocol.
4.3. Security Model

We now give the definition of the chosen plaintext security (CPA) security for CP-ABE scheme with verifiability. In this security model, the revoked user may collude with unrevoked user to obtain some unauthorized data [34]. We suppose that the revoked user can get private keys that satisfy the access structure; the version however differs from the current version. Contrarily, the unrevoked user can achieve private keys that do not satisfy the access structure, but the version is the current version. To formalize the security model, the game is described between an adversary and a challenger as follows.

Init. The adversary gives the challenger its challenge LSSS access structure , group identity , and the version .

Setup. first executes SystemSetup() algorithm to obtain the system master secret key msk and the public parameter pk. then performs GroupSetup() algorithm to achieve the group master key gmk0 and the group public key gpk0 for . Moreover, runs GroupUpdate() algorithm to get the group master key gmkver, the group public key gpkver, and reencryption key , where    finally sends the public parameter and the group public keys and keeps the system mater key , the group master keys , and the reencryption key .

Phase 1. repeatedly issues queries as follows, including Type-A query, Type-B query, User update query, and Reencryption query. (i)Type-A query:(1) Certificate query, on input user’s identity , group identity , and the version number , where : runs , and then it returns to the certificate .(2) Private key query, on input user’s identity , group identity , a set of attributes satisfying the access structure , and the certificate : executes and then issues the private secret key to .(3) Transformation key query, on input the system public key , the version number , and the corresponding private key : runs , where Then it issues the new private secret key to .(ii)Type- query:(1) Certificate query, on input user’s identity , group identity , and the version number : runs and then returns the certificate to .(2) Private key query, on input user’s identity , group identity , a set of attributes dissatisfying the access structure , and the certificate :   executes and then issues the private key to .(3) Transformation key query, on input the system public key , the version number , and the corresponding private key : runs , where Then it issues the new private secret key to .(iii) User update query, on user’s identify and the decryption private : sends to the tuple . Then performs .(iv) Reencryption query, on input : runs and returns to .

Challenge. submits two equal length messages and to . picks a random bit , sets , and sends to .

Phase 2. continues to send Type-A, Type-B, User update, and Reencryption queries as in Phase .

Guess. outputs its guess for and wins the game if

The advantage of the adversary in this game is defined as .

5. Concrete Construction

Our scheme is based on flexible and fine-grained attribute-based data storage [24]. In this section, we suggest an efficient CP-ABE scheme based on LSSS structure under the aforementioned DCDH assumption.

can be denoted as a multiplicative cyclic bilinear group pair and these two group elements in pair have the same large prime order . Let be a generator of group and be a bilinear map. Let and denote that a hash function maps an identity or an attribute to a group value in and a hash function maps an elements in to a random number in , respectively.

. This algorithm is executed by trusted authority (TA). TA first picks and and chooses a key derivation function   with the output length . Then it calculates . Finally, it publishes public parameters , keeps the master key , and simultaneously issues to trusted group administrator (GA) to execute the revocation operation.

. This algorithm is run by GA. GA first selects a random and sets the group master secret key . Then, GA calculates . Lastly, it publishes the group public parameters , where denotes group identity. stands for a dictionary which initializes an empty version. In our system, for example, 0 denotes initial version. The version will be updated to a new version when any user leaves the system. Let be the current version.

. This algorithm is implemented by GA. When a new user who wants to join the group system requests a group certificate. Once the GA accepts his/her request, it produces a certificate as and sends it to the user.

. This algorithm is performed by TA. User’s attributes and identity could be authenticated by TA and then this algorithm is run to generate decryption secret key as follows:(1)TA first validates the authenticity of certificate to recognize whether the user is a group member or not by . If the equation is true, then the certificate is valid and goes to the next step. Otherwise, it returns an error symbol .(2)TA generates decryption secret key for user according to his/her identity and a set of user attributes . TA picks at random and computes ; then the private key is produced as follows: (3)TA sets the decryption key and sends it to the user in the group; besides, it also delivers the current tuple to GA.

. This algorithm is run by PHI data owner. This algorithm takes as input the system public key , the group public key , a plaintext message , and a LSSS access structure , where denotes a matrix and is the vector corresponding to the th row of . is a map from each of to the party . The algorithm first picks a random vector such that can be shared. For to , it is easy to compute . The detailed steps by PHR data owner proceed as follows:(1)Choose randomly and generate a new session key ssk with the encapsulated key ; besides, compute (2)Pick randomly, and calculate (3)Output the ciphertextAnd, then upload to CSS.. This algorithm is carried out by GA. When social group members leave the group, the group master key and public key should be updated by GA as follows: (1)Pick as a updated group master key , and update the group public key . Moreover, compute a reencryption key .(2)Update the current tuple and issue to each group member.

. This algorithm is performed by PHI data sharer in the social group. When a sharer leaves the group, the group keys need to be updated by GA as above. Besides, other sharers in the group also need to update their decryption keys by themselves. is updated as follows:(1)Calculate (2)Update (3)The updated decryption secret key is denoted as . This algorithm is executed by CSS. After updating user’s decryption keys, the user who uses his/her updated key cannot decrypt the original ciphertext stored in CSS anymore; therefore, the ciphertext needs to be updated by reencryption operations as follows: (1)Calculate (2)Output the updated ciphertext

. This algorithm is run by the existing social group sharer. Given the user’s decryption secret key , it can convert the original decryption secret key into a blinded decryption secret key in the following:(1)Pick a random and compute Note that herein we set which is not blinded.(2)Set the decryption secret key , where the blinded transformation key and the retrieval key , and then send to the DSP.

. This algorithm is performed by DSP. The Transform algorithm takes as input the ciphertext and the transformation key from user; if does not satisfy access structure, it then outputs . Assume that satisfies the access structure and let be defined as . It could calculate constants such that if are valid shares of any secret according to , then . The algorithm partially deciphers the ciphertext as follows and sends the partially decrypted ciphertext to the PHI data sharer.(1)Calculate(2)Similarly, compute (3)DSP issues the partial decrypted ciphertext to the social group sharers.

. This algorithm is executed by PHI data sharer. the algorithm could decipher the decrypted ciphertext as follows:(1)Calculate , , , as (2)Compute the encapsulated key and the session key as (3)If , it outputs the encapsulated key and then retrieves the message as . Otherwise, it outputs .

6. Security Analysis

In this section, we present the security for our proposed CP-ABE scheme. The main issue in our scheme is also to resist the collusion attack between the revoked users and existing legitimate users.

Theorem 4. Suppose that the construction of Li [24] is a selectively CPA secure CP-ABE scheme; then our scheme proposed is also selectively CPA secure. In our construction, provided that the hash function is a random oracle, if there exists a probabilistic polynomial-time adversary that can break our scheme with a nonnegligible advantage after Type-A queries and Type-B queries, then there exists a challenger that can solve the DCDH problem with the advantage

Let be a DCDH attacker who receives a random instance of DCDH problem in and has to calculate the value of . is an adversary who interacts with the attacker as modeled in aforementioned game of security model. We present how the attacker can use the adversary to solve the DCDH problem, that is, how to compute the value of .

To easily understand the proof, the reduction is briefly presented. When the game starts, the attacker first initializes the instance of the DCDH problem and then simulates hash functions as random oracles. During the simulation, the attacker needs to guess the adversary ’s target identity and message. the attacker finally will set and (please consult our proof for the settings). At the end of game, the adversary can output the value of as his answer by the evidence .

Proof. is given a challenge instance where . interacts with as follows.
Init. The adversary gives the challenger its challenge LSSS access structure , group identity , and the version .
Setup. does the following steps to set the public parameter and the group public key :(1)Choose random , and pick a key derivation function   with the output length . Also pick a collision-resistant hash function , and then calculate , and set .(2)Pick at random, compute , , and set , Note that is unknown to .(3)Issue , to , and keep , in himself.H-Queries. uses three lists , , to reply ’s queries (user’s identity, group identity, and queries). (1)User’s identity query : if already exists in as , then returns . Otherwise, flips a random coin with the probability . If , then picks randomly and inserts the tuple into . If , then chooses random and adds the tuple into . gives the user’s identity query (2)Group identity query : if already exists in as , then returns . Otherwise, chooses random and adds the tuple into the . gives the group identity query (3) query : if already exists in as , then returns . Otherwise, chooses random and adds the tuple into . gives the query Phase 1. repeatedly issues queries to as follows; utilizes two lists to send queries , (initially empty).(i)Type- query: (1) Certificate query : suppose that exists in as ; otherwise, runs a request himself as in . If , then generates a certificate , and if , then outputs .(2) Private key query , where satisfies a LSSS access structure : if has already appeared in as , then outputs . Otherwise, first obtains , from , , respectively, and picks randomly and calculates the private key as follows:(3) Transformation key query , : chooses a random exponent and then sets finally sends to and adds into the list (ii)Type- query:(1) Certificate query : suppose that exists in as ; otherwise, runs a request himself as in . If , then generates a certificate , and if , then outputs .(2) Private key query , where dissatisfies a LSSS access structure : if has already appeared in as , then outputs . Otherwise, first obtains , from , , respectively, and picks randomly and calculates the private key as follows:(3) Transformation key query , : chooses a random exponent and then sets finally sends to and adds into the list (iii) User update query , where already exists in Type- private key query. achieves from and calculates , ; then transmits the tuple to ; finally uses the algorithm UserUpdate() to update his private key.(iv) Reencryption query : first calculates reencryption key as and executes . Then returns to .Challenge. submits two equal length messages , ; then picks a random and proceeds as follows: (1) selects randomly and achieves from Moreover, chooses at random and obtains from .(2) then generates the challenge ciphertext in the following. (3) runs Encrypt algorithm to obtain and selects a random bit . If , it sets . If , it chooses a random key and sets and then sends to . computes , .(4) finally delivers to .Phase 2. continues to request the above queries not issues as in Phase , and sends the queries as in Phase .
Guess. If wins the game, then can compute Eventually, omits output and chooses from and from randomly. If wants to decipher the challenge ciphertext, he needs to obtain keys , of and of . Namely, can be achieved from , and can be obtained from . Therefore, we could formalize the above theory evidence as and we have the equation . finally outputs as the solution of DCDH problem.
Provided that makes Type- queries and Type- queries, the probability that does not return in Phase is . The equation value reaches maximum when . Also, the probability that always selects correct , is . Therefore, it is very easy to compute advantage at most .
Analysis. In our security model, we define the attack capability for an adversary who can not only get private keys (transformation key) that satisfy the access policy, the version not being the current version, but also can receive private keys (transformation key) that do not satisfy the access policy, the version being the current version. The aforementioned statements imply that if the adversary can break our scheme, she/he can of course getfrom and from These two private keys would be used to decrypt the challenge ciphertext as follows: If an adversary can break our scheme, then the adversary can compute And the can successfully decipher the challenge ciphertext. That is to say, we can obtain . Therefore, we can get the equation . If the adversary can break our scheme such that , the result can be taken as his/her answer.

7. Performance Analysis

In this chapter, the performance of our system is first theoretically evaluated concerning the computational overhead of key update, decryption for DSP and user, and communication cost, and the quantitative analysis of our scheme then is given compared to previous Li et al.’s scheme [24].

In Li et al.’s proposed scheme [24], the private keys have not been blinded, but partially, to be delivered to the trusted third party (DSP) to transform the original ciphertext into a simple ciphertext. Once receiving the transformed ciphertexts, the decryptor can easily recover the plaintext message without checking the correctness of transformed ciphertexts. However, it is not suitable for real outsourced applications because the third party is generally assumed as an untrusted one. In our proposed scheme, the private keys, first blinded by GenTK algorithm, are divided into the transformation key and retrieval key. After that, the blinded transformation key is sent to the untrusted third party (DSP) to translate the complex ciphertext into a simple one. Finally, once partial decrypted ciphertexts are verified as true, the plaintext message can be recovered by the retrieval key.

We express by , , and the time to a pairing computation, an exponentiation in , and an exponentiation in , respectively (other operations are ignored). From Table 2, we can learn that the computational cost of user’s decryption key updating in Li et al.’s [24] follows a linear relationship with the number of attributes while the corresponding cost in our scheme only achieves constant. As for the time-cost of decryption (for server or user), from Table 2, we explicitly learn that the time-efficiency for decryption for DSP in ours is higher than Li et al.’s [24], which indirectly illustrates that the efficiency for decryption for user in ours is higher than Li et al.’s [24] without outsourcing. Besides, our scheme achieves a similar time-efficiency for decryption for user with outsourcing as Li et al.’s [24]. Moreover, our scheme provides the verifiable property of outsourcing while the scheme in Li et al.’s [24] fails. For the communication overhead, our scheme and Li et al.’s [24] also have an approximate size in terms of the ciphertext size and the transformed ciphertext size. Besides, both our scheme and Li et al.’s [24] scheme feature the property of revocation by incorporating the ciphertext update and key update function such that any legitimate users in group can access the data from other data owners in the community. Moreover, revoked users cannot read the encrypted data again even if they intend to collude their attributes with other legitimate group users or revoked group users.