Abstract

The growing need to store, share, and manage medical and health records has resulted in the electronic medical health sharing system (mHealth), which provides intelligent medical treatment for people. Attribute-based encryption (ABE) is regarded as a new cryptographic technique for enforcing fine-grained access control over encrypted shared data in mHealth. However, some existing attribute-based mHealth systems not only violate the one-to-many application characteristic of the attribute-based encryption mechanism but also destroy the anonymity of users. In this study, an efficient scheme is proposed to tackle the above defects and offer two-way anonymity of data owner and data user by introducing a pseudoidentity. The computation of the hidden access policy is reduced by removing the bilinear pairing, whereas the interaction between cloud storage and data user is avoided to save bandwidth during trapdoor generation. We also consider the temporal factor of the uploaded information by introducing access validity. Security and performance analyses show that the proposed scheme is efficient without reducing security.

1. Introduction

Given the rapid progress of cloud computing and mobile communication technology with ubiquitous mobile intelligent devices, the electronic medical health sharing system (mHealth) has been developed, which can provide intelligent healthcare services without temporal and spatial restrictions; specifically, mHealth allows patients to record body indicators and upload records, physicians to diagnose patients’ illnesses remotely, and researchers to explore medical records [1]. The application of mHealth reshapes the healthcare services model [2]. Figure 1 shows a typical architecture of an mHealth sharing system, wherein implanted and wearable sensor devices collect various physiological indicators of patients and then deliver the gathered information to a personal server, such as a mobile device. Patients may upload these data to a cloud server (CS) to save personal storage space and allow doctors, family, other patients, and researchers to access such information. CS provides storage and retrieval services, wherein all kinds of users can apply for access to cloud data according to their own requirements. These services are also fast and efficient.

Although mHealth provides convenience in people’s lives, promotes better quality of life, and exhibits good application prospects, it also raises a series of security issues [3]. After a patient uploads his/her electronic health records (EHRs) to the cloud through a personal service provider, other users may access such data in the cloud through various devices, such as laptops, personal computers, and mobile phones. EHRs contain physiological data (heartbeat, blood pressure, medications, and dosages) and sensitive information of patients (patient name, medical history, ID number, and phone number) and hospitals (hospital name and attending doctor). If EHRs are directly uploaded to the cloud for sharing, then the information of patients and hospitals will inevitably be leaked to the cloud server and various users, which may cause hidden danger to patients’ health, threaten users’ life and health, and affect hospitals. One of the solutions to these security issues is to encrypt EHRs before uploading them [4]. However, new problems may arise as follows: Firstly, who may obtain access, and how? Secondly, patients and users operate on EHRs through mobile devices, but the storage capacity, computing power, and overall capability of mobile devices are limited. Thirdly, patients do not want others to know their real identity, and users do not want to reveal which EHRs they have accessed.

In sum, the mHealth system needs to solve the abovementioned problems through the following steps:
(1) Ensure data confidentiality: ensure that the CS and illegal users cannot obtain any information about EHRs.
(2) Proper access control: a patient needs to grant access permissions to different potential users to achieve flexible access control on EHRs in the mHealth system by encrypting once. In this way, unauthorised users cannot access shared EHRs.
(3) Lightweight cryptography: given the limitations of intelligent and mobile devices, an algorithm with little computation and communication cost should be provided.
(4) Two-way anonymity: ensure anonymity for both patients and data users.

To reduce local storage load and achieve resource sharing, increasing numbers of individuals and medical institutions upload EHRs to the CS. However, the CS is not completely trusted, and patients do not want to make their EHRs public. Hence, EHRs must be encrypted by patients before uploading to the CS, which avoids information leakage. For example, encrypting the EHRs of infected patients and then uploading them to the cloud can protect the privacy of patients and hospitals. However, encrypted EHRs can no longer be provided to other data users directly. Hence, user access authorisation has become a research focus. In general, public key cryptography (such as identity-based encryption and certificateless encryption) solves the authorisation problem by sending the key to potential users in advance [5, 6]. However, predicting the exact identity of users is impossible, and data owners cannot provide an authorisation service each time data users send authorisation requests. Hence, traditional public key cryptography is not suitable for an online healthcare system. Attribute-based encryption (ABE) is the most attractive and popular approach in one-to-many applications. Data owners usually use the ABE technique to solve the problem of flexible authorisation of multiple users without needing to know the identity of potential users in advance. In ABE, only the users whose attribute set satisfies the access policy can obtain access, which ensures the anonymity of data users [7–9].

However, in the mHealth system, EHRs are important and sensitive, and the access policy itself also includes sensitive information. For example, a patient with heart disease uploads his own EHR encrypted under the defined access policy , which will easily categorise such an EHR as a heart disease record. Therefore, the access policy should also be hidden. Existing research on hidden access policies provides ways to maintain the confidentiality of the access policy [10, 11].

In general attribute-based schemes, the length of the ciphertext and the computation of encryption and decryption are related to the number of attributes and grow linearly with it, which limits the application of this technique. Therefore, the use of fixed or small length ciphertext is a popular solution [12, 13], whereas outsourcing decryption is a good alternative [14].

Such a scheme should also help patients and data owners who do not want to disclose their identity preserve their anonymity whilst sharing their own EHRs. Specifically, an infected patient may want to upload personal encrypted records to provide information for scientific research but, due to some social factors, may not want other users to know his/her real identity [15]. In this case, anonymity is of great significance.

In addition to the abovementioned problems, time is also an important factor to be considered in the system. The delay of medical data transmission and access may cause serious consequences, including patient casualties.

1.1. Related Work

Sahai and Waters first presented attribute-based encryption [16]. In traditional public key encryption, a ciphertext can only be decrypted by one user, whereas an ABE ciphertext can be provided to multiple users. The encryptor encrypts a message under an access policy, and only a user whose attribute set satisfies the requirement of the encryptor can obtain the message. This mechanism establishes a one-to-many relationship between the data owner and data users and enables fine-grained access control. Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) are the two categories of the ABE technique, a division proposed in [17].

ABE is an excellent approach to ensure the secure access control of encrypted data and is widely used in many fields, such as cloud computing [18] and searchable encryption [19]. Most existing research focuses on the expressiveness of access policies [20]. However, in most ABE schemes, the policy is uploaded with the related ciphertext, which is public to the CS and all users, including illegal users [21–24]. Hence, any user who obtains the ciphertext can know what the content is about, which discloses sensitive information about the shared data. Meanwhile, the access policy must be properly handled before sharing with the ciphertext, that is, hidden. A series of research results on hidden access policies have been published [25–28]. Frikken et al. presented a protocol that protects both sensitive credentials and sensitive policies [25]. Lai et al. proposed another construction of a CP-ABE scheme with a partially hidden access policy [26]. In response to the question of confidentiality, Hahn et al. proposed attribute-based secure data sharing with hidden policies, which can be used in resource-constrained environments [27]. These results provide better confidentiality of shared data and anonymity of the data user.

In general ABE schemes, the length of the ciphertext and the computation of encryption and decryption are related to the number of attributes of the data user, which restricts the use of this technique. To resolve this defect, there are two main solutions. One is to reduce the length of the ciphertext as much as possible or adopt a fixed-length ciphertext. To address this problem, Emura et al. introduced the concept of constant ciphertext length in 2009 [29]. After that, many similar schemes were proposed for constant ciphertext length [23, 30]. The other is to introduce outsourced decryption to reduce the computation load [31–33]. Li et al. gave a solution to implement an attribute-based access control system by introducing secure outsourcing techniques into ABE [31]. In order to decrease computation, Zuo et al. proposed the CCA security model for ABE with outsourced decryption and then presented a concrete CCA-secure ABE scheme with outsourced decryption [32]. In these schemes, data users only perform a small amount of computation by outsourcing a large amount of computing to the cloud service provider.

Studies with other characteristics have also been proposed, such as decentralized multiauthority schemes [34, 35], traceable schemes [36], leakage-resilient schemes [37], and schemes that reduce the online computation load [38]. These studies provide applications in different focus areas.

1.2. Contribution

Given the continuous development of modern mobile communication and sensor technology, mHealth has become a hot topic in academia and the healthcare industry. In view of the problems existing in the current mHealth system and the problems discussed in [27], this work proposes an improved attribute-based secure data sharing scheme for mHealth with hidden policies and traceability. Specifically, this study aims to (1) solve the problem of identity disclosure by introducing the concept of a public pseudo-identity, wherein the real identity is only known by the centre authority (CA); (2) save bandwidth, wherein the interaction between the CS and the data user is avoided during token generation; and (3) meet the application needs of the mobile medical system, wherein the temporal factor is introduced by letting the data owner set the validity period of the shared information.

1.3. Organization

The rest of the paper is organized as follows. We introduce the cryptographic primitives and describe the access policy and mHealth system model in Section 2. In Section 3, we review the scheme in [27] and give a detailed discussion. Section 4 gives an improved scheme, followed by security and performance analysis. Finally, Section 5 concludes the paper.

2. Preliminaries

2.1. Bilinear Map

Let and be two groups with prime order . A bilinear map , , satisfies the following properties:
(1) Bilinearity: , where and .
(2) Nondegeneracy: , where is the generator of .
(3) Computability: there is an efficient algorithm to compute the bilinear map .

2.2. Security Assumption
2.2.1. Problem (Bilinear Diffie–Hellman Exponent) [39]

Let be a bilinear group with prime order and is the generator of . The problem in states that given a vector of elements , it is computationally intractable to compute the value .

Define the set as .

Definition 1 (Decisional). The decisional assumption is said to hold in if there is no probabilistic polynomial time adversary with nonnegligible advantage in distinguishing
where and .

2.2.2. Assumption (Strong Diffie–Hellman) [40]

Given a –tuple as input, output . An algorithm has advantage in solving in if the following holds:
where random .

Definition 2. The assumption is secure if no time algorithm has advantage at least in solving the problem in .

2.3. Access Policy

The attribute universe is , each , where denotes that the user has , denotes that the user has no , and denotes a wildcard specifying “do not care”, . Let be the attribute set of a user, where .

Let be an AND-gate access policy, where . Write to denote that the attribute set of a user satisfies . Then,

2.4. A System Model

In mHealth systems, individual intelligent sensors monitor certain physiological signals and send them to the mobile device. Then, the mobile device uploads the received data to the cloud. Users with requirements can initiate requests to obtain retrieval authorisation. In Figure 2, there exist four types of entities in the improved scheme, as follows:
(1) Centre authority (CA): a trusted entity that generates the system master key and public parameters and issues a user’s private key on his attributes.
(2) Data owner: a patient who encrypts his data, generates the encrypted keyword index, and then uploads them to the cloud server.
(3) Data user: a patient, physician, nurse, researcher, etc. who obtains his/her private key from the CA; he/she generates the token of a keyword and is authorised to search and decrypt a ciphertext only if his/her attribute set satisfies the corresponding access policy.
(4) Cloud server (CS): a storage centre that stores electronic medical and health records and carries out searching and some other work, such as partial decryption.

Table 1 gives the notations used in the paper.

3. The Scheme in Reference [27]

In this section, we review the scheme in Reference [27] and give a detailed discussion.

3.1. Review of the Scheme
3.1.1. Setup

Let be two bilinear groups of prime order with generator , , and random . is a hash function. CA computes , , . Then, it computes and . The public and master keys are , , and an identity table is initialized.

3.1.2. KeyGen

Assume that each data user has identity and an attribute set ; if has attribute , then , else . CA randomly chooses and computes , , , , and . For each , the following are computed:

The private key of user is

Finally, CA puts a tuple into table and uploads the tuple to the CS.

3.1.3. Encrypt

The data owner specifies an access policy , where each attribute is either positive, negative, or a wildcard. chooses a random and computes , , , and .

Next, chooses a random and computes , , for ; then is obfuscated as . The ciphertext is

3.1.4. GenToken

The data user with attribute set wants to access the shared data of owner , gets from the CS, and computes , . As a result, the attribute set is transformed into . The token is

3.1.5. PDecrypt

The CS checks whether the attribute set satisfies the access policy . If it does, the CSP searches and partially decrypts as follows:
for all . Then, it computes the product of all as and sends to the data user .

3.1.6. Decrypt

Once the partially decrypted ciphertext is received, computes the following:
where , and obtains ; next, carries out the decryption as follows:

Then, decrypts .

3.1.7. Trace

is well-formed if the following conditions hold:

If is well-formed, CA searches in . If is in , then it can output the corresponding identity .

3.2. Analysis of the Scheme

Several problems in the scheme are observed. A detailed analysis is given as follows.

3.2.1. Breaking the One-to-Many Mechanism

The data owner must know the exact identity of the data user in advance, so that can decide whether he/she will provide access to the target user . In this case, the identity of the data user is sent to the CS with the ciphertext. The CS can confirm which users can view or access shared messages by providing access rules, which may threaten the security of data users. As a result, this design is not in line with the one-to-many feature of the attribute-based encryption mechanism, given that it cannot guarantee the anonymity of data users.

3.2.2. Identity Leakage

Before constructing the search token, the data user first obtains of the data owner from the cloud service provider (CSP). In this case, data users may learn the identity of the data owner who shared the information they are interested in. Therefore, the anonymity of the data owner cannot be guaranteed, and the application scope of the scheme is limited.

3.2.3. Interaction Problem

While generating the token, an interaction takes place between the data user and the CSP. The data user submits the identity of the data owner he/she wants to access. Then, the CS feeds back corresponding to the given identity , which increases the communication load.

4. Improved Scheme

In this section, we propose an improved scheme that overcomes the defects in [27] by introducing new features without weakening security or setting any particular conditions. (1) A public pseudo-identity is introduced, wherein the real identity is only known by the CA. (2) The access policy is hidden and the user attribute set is obfuscated, with the bilinear pairings eliminated to reduce the calculation load. As a result, users do not need to apply to the CS for auxiliary information about the data owner when generating the token. (3) Access validity is added to the ciphertext.

4.1. Concrete Scheme
4.1.1. Access Validity

In order to introduce the temporal factor, we give a mechanism to determine the access validity.

is the access validity of shared data, is the time stamp, and is divided into based on the different time units required by the application. Then , where , is redundant data, and . Let be the current time; if , then satisfies (Figure 3).

For example, let the access validity be days, which can be expressed as , and let the time stamp be . A request occurs at time , and then , so the request is within the validity period.

4.1.2. Concrete Construction

Figure 4 shows the overview of the improved scheme, which is described below.

(1) Setup. The same as in [27].,.

(2) KeyGen. Assume a user with identity and attribute set , where can be either or . is the data owner and is the data user. , , and the private key and public identity are

Finally, put a tuple into the table and upload to the CS.

For instance, for with identity and attribute set , the private key and public identity are

For with identity and attribute set , the private key and public identity are

(3) Encrypt. Only the differences are shown. computes and obfuscates as follows: if , , else , so only and appear in the hidden access policy . Next, sets the access validity of and computes as shown in Section 4.1.1. The ciphertext is

(4) GenToken. chooses randomly and computes , . The token is

(5) PDecrypt. Once the query is received, the CS gets the current time and checks whether . If it holds, the CS goes on to judge whether the attribute set satisfies the access policy by verifying equation (17). Then, the CS performs the same operations as in [27] and returns the results to :

(6) Decrypt. The difference in this step is ; as long as is a legitimate user, he/she can correctly meet the requirements of the hidden access policy in one pass.

(7) Trace. When something goes wrong, only the pseudoidentity is submitted to the CA, which can find the true identity from .
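As an added example (not the paper's construction), the following Python models the cloud server's gate in PDecrypt, step (5): the access validity check of Section 4.1.1 followed by the AND-gate policy check with +/−/wildcard literals of Section 2.3. The split of V into (days, hours, minutes), the SHA-256 hash over V, ts and the ciphertext body, and all sample attributes and times are assumptions of this example; the real scheme checks a hidden policy via equation (17), whereas here the policy is in the clear for illustration.

```python
"""Model of the server-side gate in PDecrypt (Section 4.1.2, step (5)).

Added example, not the paper's construction. The cloud server first checks the
access validity V against the time stamp ts (Section 4.1.1), then checks that
the user's attribute set L satisfies the AND-gate policy W with +/-/* literals
(Section 2.3). Splitting V into (days, hours, minutes) and hashing V, ts and
the ciphertext body with SHA-256 are assumptions of this example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UNITS = ("days", "hours", "minutes")   # assumed split of V into time units
WILDCARD = "*"                          # "do not care" literal in W


def utc(*parts):
    """Helper: build a timezone-aware UTC datetime from (y, m, d, h, min)."""
    return datetime(*parts, tzinfo=timezone.utc)


def validity_commitment(validity, timestamp, body):
    """H(V || ts || body): binds V and ts to this ciphertext (assumed encoding)."""
    msg = ",".join(str(v) for v in validity) + "|" + timestamp.isoformat() + "|" + body
    return hashlib.sha256(msg.encode()).hexdigest()


def within_validity(validity, timestamp, now):
    """ts <= now <= ts + V, with V given as a tuple in UNITS order."""
    expiry = timestamp + timedelta(**dict(zip(UNITS, validity)))
    return timestamp <= now <= expiry


def satisfies(policy, attrs):
    """L satisfies W when every non-wildcard literal of W equals the user's literal.

    policy: {name: "+" | "-" | "*"}; attrs: {name: "+" | "-"} (one literal each).
    """
    return all(sign == WILDCARD or attrs.get(name) == sign
               for name, sign in policy.items())


@dataclass
class Ciphertext:
    body: str          # stands in for the ABE ciphertext components
    policy: dict       # W (plain here; hidden in the real scheme)
    validity: tuple    # V
    timestamp: datetime  # ts
    commitment: str    # H(V || ts || body)


def encrypt(body, policy, validity, timestamp):
    """Data owner attaches V, ts and the hash, as in Encrypt, step (3)."""
    return Ciphertext(body, policy, validity, timestamp,
                      validity_commitment(validity, timestamp, body))


def pdecrypt_gate(ct, attrs, now):
    """CS-side checks before partial decryption; returns (accepted, reason)."""
    if validity_commitment(ct.validity, ct.timestamp, ct.body) != ct.commitment:
        return False, "validity fields do not match the hash in the ciphertext"
    if not within_validity(ct.validity, ct.timestamp, now):
        return False, "request outside access validity"
    if not satisfies(ct.policy, attrs):
        return False, "attribute set does not satisfy the access policy"
    return True, "partial decryption may proceed"


# Constructed sample: an emergency record shared for 3 days with cardiologists
TS = utc(2024, 1, 10, 9, 0)
CT = encrypt("<ABE ciphertext components>",
             {"heart_disease": "+", "cardiologist": "+", "researcher": WILDCARD},
             (3, 0, 0), TS)
CARDIOLOGIST = {"heart_disease": "+", "cardiologist": "+", "researcher": "-"}
NURSE = {"heart_disease": "+", "cardiologist": "-", "researcher": "-"}

if __name__ == "__main__":
    print(pdecrypt_gate(CT, CARDIOLOGIST, utc(2024, 1, 12, 15, 0)))  # accepted
    print(pdecrypt_gate(CT, CARDIOLOGIST, utc(2024, 1, 14, 9, 1)))   # expired
    print(pdecrypt_gate(CT, NURSE, utc(2024, 1, 12, 15, 0)))         # policy fails
```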

4.2. Security Model

The security model of the improved scheme is similar to that of the scheme in [27]. The data confidentiality of the improved scheme is considered to be guaranteed if there is no probabilistic polynomial-time adversary A with nonnegligible advantages in the following security game.

4.2.1. Init

The adversary A chooses a challenge access policy and sends it to the challenger B.

4.2.2. Setup

The challenger B runs the algorithm and publishes the public parameter .

Phase 1. The adversary A submits to query decryption keys where . The challenger B answers with a decryption key . A repeats this phase adaptively.

4.2.3. Challenge

The challenger B runs algorithm to obtain . Next, B sets and picks a random of the same length as . It then flips a random coin and gives to the adversary.

Phase 2. The adversary A repeats Phase 1.

4.2.4. Guess

The adversary A outputs a guess .

The adversary A wins the game if under the restriction that . The advantage of an adversary in this game is defined as

4.3. Security Analysis
4.3.1. Data Confidentiality

The security of improved scheme is still based on the problem.

Theorem 1. If a probabilistic polynomial-time adversary A can break our scheme with a nonnegligible advantage, then we can construct a simulator B that solves the problem with a nonnegligible advantage.

Proof. Suppose A is an adversary who can break our scheme; then we can construct a simulator B which solves the problem.

Then, A and B play the interactive game in Figure 5.

(1) Init. A submits a challenged access policy to B.

(2) Setup. The simulator B runs the algorithm to generate the public parameter . B chooses random and generates
where B outputs .

Phase 3. The adversary A submits to query private keys, where . The challenger B first selects random numbers for and sets . Then, B randomly chooses and computes
For ,

(3) Challenge. B sets for some and and gives to A. Thus , and if .

Phase 4. The adversary A repeats Phase 1.

(4) Guess. The adversary A outputs a guess . If the adversary A outputs , is a random element; if , is . When , B breaks the problem.

Note that in attribute-based cryptography, collusion attacks are an important discussion point. In order to model collusion attacks, a decryption proxy is presented. Each decryption proxy simulates a legal decryption key component with a random . The definition of the decryption proxy and the details of modelling collusion attacks are given in [27] and are not repeated here.

If there is 0-collusion, B has at least advantage in breaking the problem.
If there is 1-collusion, B has at least advantage in breaking the problem.
If there is -collusion, B has at least advantage in breaking the problem.
So, the advantage of B in solving the problem is .

4.3.2. Policy Privacy

In the proposed scheme, no extra computation is needed for policy hiding, given that exist in . Hence, when the CS receives the encrypted shared data with , it can learn nothing about the content or the access policy. The CS carries out partial decryption and sends the result to . Likewise, unauthorised users acting as adversaries, whether from the server side or the user side, can only obtain hidden access policies (Figure 6). Thus, our scheme provides policy privacy.

4.3.3. Two-Way Anonymity

When an entity joins the system, the CA generates a pseudo-identity instead of his/her true identity . Firstly, the data owner shares information under a pseudo-identity , and thus the CS and data users cannot obtain the true identity of the data owner. Secondly, potential data users can gain access without revealing their true identity, given that their attribute set satisfies the access policy. In this way, the data owner and the CS cannot know who accesses the encrypted information uploaded to the system. Therefore, the improved scheme ensures two-way anonymity whilst realising flexible authorisation.

4.3.4. Traceability

The security of the improved scheme is still based on the problem. When a user identity is questioned, only the CA can trace his/her true identity by detecting the corresponding key and querying . In particular, , where the true identity is used to generate , which further enhances the accuracy of tracing.

4.3.5. Access Validity

We also include the temporal factor with the ciphertext in the improved scheme by giving a judgment mechanism, given that some EHRs have no value for sharing after a certain period of time. To prevent attack, the access validity and time stamp are hashed, which provides evidence for CS verification. For example, an emergency message uploaded by a patient is invalid after his/her treatment time.

4.4. Performance Analysis

In this section, we conduct a performance analysis of the improved scheme compared with the existing schemes [15, 20, 27]. For the sake of simplicity, we define some notations for the main operations: : the number of attributes; : modular exponentiation operation; : pairing operation; : hash operation; and : the length of an element in and , respectively.

4.4.1. Computation and Communication Costs

As shown in Table 2, the computation cost during the encryption phase is constant in our scheme, whereas it increases with the number of attributes in the other schemes. During the decryption phase, the computation cost is equal to that of scheme [27], whereas in schemes [15, 20] it is relatively higher. In the token generation phase, our scheme requires , whereas scheme [27] requires . Therefore, the computation cost of our scheme is low.

In the case of the ciphertext, is used in our scheme and in [27], whereas the communication costs in the other two schemes are and , respectively. Thus, the proposed scheme has a lower communication cost, which is independent of the number of attributes.

4.4.2. Features

Table 3 shows the comparison amongst the features of different schemes. The proposed scheme provides one-to-many application requirement and two-way anonymity of data owner and data user, supports noninteractive relationship in token generation, and considers access validity.

Next, we give a thorough experimental evaluation of our scheme. Our simulation experiment runs on an Intel(R) Core(TM) i7-6500U CPU at 2.5 GHz with 8.00 GB RAM. The algorithms are implemented using the pairing-based cryptography (PBC) library version 0.4.7-vc.zip [41]. Concretely, we select the Type A elliptic curve parameter with 160-bit order in the PBC library. For convenience of comparison, we set , and all of the experimental results are averages of 200 trials. We show only the experimental results of the Encrypt, Decrypt, and GenToken algorithms.

As shown in Figure 7(a), the encryption time in the proposed scheme is constant , whereas in the other three schemes it is , , and , respectively, increasing with the number of attributes in the access policy. In the decryption phase, the time cost of our scheme is almost the same as that of scheme [27], while the time cost of the other two schemes is relatively high, as shown in Figure 7(b). Figure 7(c) shows that the token generation time of the improved scheme is slightly lower than that of [27], given that no bilinear pairing exists in our scheme. Thus, the improved scheme is efficient without reducing security.

4.4.3. Further Efficiency Comparison

In order to show the efficiency of the improved scheme, we also simulate the main phases of our scheme on a laptop with an Intel(R) Core(TM) i7-8550U CPU at 1.80 GHz and 8.00 GB RAM. Figure 8 shows the results on the different devices.

5. Conclusions

In this study, we propose an improved secure sharing scheme using ABE for mHealth. Our improved scheme has the advantages of two-way anonymity of data owner and data user, a noninteractive relationship, and low computation costs without weakening security or setting any particular conditions. The improved scheme helps to protect EHRs from unauthorised online entities in mHealth. The proposed scheme also considers the access validity of EHRs. The security analysis and comparative evaluation show that our scheme is more efficient in terms of computational cost and energy consumption than three of the existing schemes.

As part of our future work, we aim to design efficient attribute-based signcryption schemes for mHealth. Additionally, we aim to provide different access rights for different users.

Data Availability

All relevant data are included within the article.

Conflicts of Interest

All the authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The work was supported by the National Natural Science Foundation of China under grants 61662071 and 61562077 and the Young Teacher’s Scientific Research Ability Promotion Program of Northwest Normal University (NWNU-LKQN-14-1).