Security and Communication Networks

Security and Communication Networks / 2018 / Article

Research Article | Open Access

Volume 2018 |Article ID 6174830 |

Xin Wang, Bo Yang, Zhe Xia, Yanqi Zhao, Huifang Yu, "A Cheating Detectable Privacy-Preserving Data Sharing Scheme for Cloud Computing", Security and Communication Networks, vol. 2018, Article ID 6174830, 13 pages, 2018.

A Cheating Detectable Privacy-Preserving Data Sharing Scheme for Cloud Computing

Academic Editor: Jun Zhou
Received06 Feb 2018
Revised02 Jul 2018
Accepted07 Aug 2018
Published16 Oct 2018


Cloud computing provides a new, attractive paradigm for the effective sharing of storage and computing resources among global consumers. More and more enterprises have begun to enter the field of cloud computing and storing data in the cloud to facilitate the sharing data among users. However, in many cases, users may be concerned about data privacy, trust, and integrity. It is challenging to provide data sharing services without sacrificing these security requirements. In this paper, a data sharing scheme of reliable, secure, and privacy protection based on general access structure is introduced. The proposed scheme is not only effective and flexible, but also is capable of protecting privacy for the cloud owner, supporting data sharing under supervision, enabling accountability of users’ decryption keys, and identifying cheaters if some users behave dishonestly. Security analysis and efficiency analysis demonstrate that our proposed scheme has better performance in computational costs compared with most related works. The scheme is versatile to be used in various environments. For example, it is particularly suitable to be employed to protect personal health data and medical diagnostic data in information medical environment.

1. Introduction

At present, new technologies and new industries emerge in an endless stream based on big data and cloud computing. Data production, management, and emerging business models based on big data are springing up. In recent years, with the transformation of large number of businesses into digitalization and informatization, mass data is constantly being manufactured and consumed, which promotes the rapid development of big data technology in research, development, and application. In the context of this industry, the quantity and quality of data become extremely important. Cloud computing provides a new and appealing paradigm to share the resources of storage and computation efficiently among the global consumers. Compared with the traditional data storage methods, cloud users can more conveniently access the data without considering the arrangement of the hardware or infrastructure by data storing and sharing on cloud. However, the cloud presents the value attraction for its huge functionality and convenience, and it brings a lot of new challenge. One reason is that the data owner has lost the physical control on the data when he stored the data on the cloud, and meanwhile, the cloud server is faced to the public. Hence, the owner’s data may be subjected to various kinds of threats and malicious attacks. For instance, the data’s confidentiality requirement may be disobeyed by some clouds for financial purposes, or they may even sell their business competitors confidential information. Thus, although cloud computing is very attractive to enterprises and consumers by economically sharing massive data among the users, it may fail to guarantee data storage security and privacy to individual of the data owner. Furthermore, in some uses, after the data possessor has put out his encrypted data to the cloud, he may yet wish to keep the data’s some controls, for example, update the data or revoke the access rights for some other users [1]. In consequence, many recent works have devoted to guarantee security and privacy using remotely storing the shared data and in the meantime assuring the desirable security characteristics. In 2010, the first scheme achieving secure data access control with provable security in cloud storage has been proposed by Yu et al. [2], using key-policy attribute-based encryption and symmetric encryption (KP-ABE) [3]. The scheme can reach fine-grained data access by combing KP-ABE with proxy reencryption (PRE) and lazy reencryption. The scheme’s performance still needs to be improved, though a part of the private key update calculation can be put out to the cloud. Dong et al. subsequently give a scheme [4] employing symmetric encryption with ciphertext-policy attribute-based encryption [5, 6] (CP-ABE). To sum up, regarding the employed technologies, KP-ABE or CP-ABE has either been used by these above schemes under the symmetric encryption to design data security secure access control. Some other design methods are based on hierarchical identity-based encryption (HIBE) [7], but they have appealed to less attention. These schemes have simply considered how to supply data privacy against the cloud, but they do not have the preservation of private information of owner and the possible dishonest behaviors by some authorized users when storing the data in cloud. For instance, some authorized users may provide fake share deliberately to cause decryption failure. In the personal health medical information surroundings, some extra security demands are required. Since in certain special circumstances, such as medical accidents, abnormal deaths, and traffic accidents, medical disputes claim should be considered. In these situations, while medical evidence is needed, electronic medical records of the patient should be able to be right decrypted by the authorized users. Assuming someone has had an accident or been killed in serious incidents. In case supposing that there are disputes, historic records of the users will be the crucial evidences and they need to be recovered for expert testimony. These existing schemes, however, focus on the confidentiality and privacy of the data itself and the cost of performance mainly, but they are not suitable for medical records scenarios’ needs. To realize an effectual, scalable, and privacy-preserving data sharing service in the cloud, the following requirements should be consequently satisfied:

(1) the data owner can authorize who can access the data, and the authorized users should be able to get to shared data in the cloud under the constraints that are defined by the data owner;

(2) the cloud needs to be able to give support to dynamic requirements so that data owners can update the data file and add or revoke users;

(3) when data owner stores his information on the cloud without suitable protection, the data are readable by anyone since the cloud is publicly accessible. The personal private information, for example, their medical information and users’ telephone number, consequently needs to be protected against the cloud, and it should not be made public;

(4) the data decryption operation should be carried out under mutual supervision, and the dishonest users need to be identified if they submit false shares. How to settle the above important issues has not been considered in cloud that computes yet, although a number of schemes have been proposed in the literature.

In this paper, we propose an effective, scalable and flexible privacy-preserving data sharing scheme to ensure semantic security and effective utilization of owner’s data. In order to preserve the privacy of owner’s sensitive information that may be unrelated to the data itself, Bloom filter hash function is used to hide data storage in cloud. The scheme employs secret sharing based on general access structure to preserve confidentiality of the owner’s data against the cloud. In addition, Reed-Solomon (RS) encoding technique has been adopted to identify the dishonest user who presents a false share. In the proposed scheme, all authorized users are divided into groups by their identity when they register themselves with the protocol. Each data file is described by a set of group secrets, and for every group, such as , has been assigned one master key so that the data file can be successfully decrypted when these group secrets are correctly recovered. In addition, each cloud user is assigned into a group and every group secret is shared among the group users by utilizing secret sharing of general access structure.

To ensure correct sharing of the secret, this scheme defines a public-private key pair for each user. By combing secret sharing access structure and user’s public key, the share or secret key is sent to user in every group. Therefore, each user could get a different key and he can check this share key by his private key . The secret keys of group users are defined to reflect their group access privileges, so that all of the users should present their correctly shared keys without cheating. RS encoding technique is used to enable the identification of the cheater when he provided a fake share.

In the proposed protocol, the secret is shared among multiple participants, and only a quorum of these participants work together can recover the secret. In an ideal secret sharing, the secret share held by each participant has exactly the same size as the secret, and the size of all secret shares together is proportional to the number of the participants. Therefore, when considering the protocol as a whole, more information needs to be dealt with, but each participant’s task remains the same. The benefit is that the secrecy and availability of the secret key are enhanced. Suppose the adversary wants to learn the secret key or destroy it. She needs to compromise multiple participants to achieve her objective instead of compromising a single one in the traditional protocols.

Compared with the existing schemes, our analysis shows that the proposed scheme provides the following benefits regarding both security and efficiency:

(1) The cloud server can assist search record by data file tag and it can learn nothing about owner’s data in plaintext and owner’s personal sensitive information.

(2) The user who can access the data file is authorized by the data owner, and he can verify the secret key sent by the owner.

(3) The dishonest cloud users who present fake decryption keys can be identified, so that the ciphertext can be safely and correctly decrypted under the supervision of these users.

The rest of this paper is organized as follows. The preliminaries are briefly described in Section 2. Section 3 discusses system models and security requirement. Our proposed scheme is introduced in Section 4, and its security is analyzed in Section 5. Efficiency analysis as well as its comparison with the related existing schemes is presented in Section 6. Finally, we present an example of the practical impact of our work and conclude this paper in Sections 7 and 8, respectively.

2. Preliminaries

2.1. Bilinear Maps

Let and be two multiplicative cyclic groups with prime order and be a generator of group . Moreover, let be the bilinear map that satisfies the following properties:(1)Bilinearity: for all and there must be .(2)Nondegeneracy: there must be .

2.2. Secret Sharing Schemes

Secret sharing schemes (SSS) [8] are used to divide a secret among a number of parties. The value given to a party is called the share (of the secret) for that party. Every SSS realizes some access structure that defines the sets of parties who should be able to reconstruct the secret using their shares.

2.3. Access Structure and Monotone Span Programs

Definition 1 (access structure [9, 10]). Let be a set of parties. A collection is monotone for : if and , then . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) of nonempty subsets of ; i.e., . The sets in are called the authorized sets; otherwise, they are called the unauthorized sets.

In a linear secret sharing scheme [9], to realize an access structure , the dealer who possesses the secret can distribute these shares of to a number of parties such that can be reconstructed by a linear combination of these shares of any authorized set. However, an unauthorized set can obtain no information about the secret .

There is a close relationship between linear secret sharing scheme and a linear algebraic model called monotone span programs (MSP) [11]. It has been shown that the existence of a linear secret sharing scheme for some access structure is equivalent to the existence of a monotone span program for that access structure.

Definition 2 (monotone span program). Let be a field and be a set of variables. A monotone span program over is a labeled matrix where is a matrix over and is a labeling of the rows of by literals from (every row is labeled by one literal).

A monotone span program accepts or rejects an input by the following criteria. For every input set of literals, let be the submatrix composing of those rows whose labels are in . The monotone span program accepts if and only if .

2.4. Bloom Filter

Bloom filter (BF) [12] is a simple and effective random data storage structure. It is constructed by a set of hash functions and it has two operations: and , where indicates in the proposed scheme. The operation handles an element with multiple hash functions , so that the element is uniformly mapped to a number, for example, , and sets the -th bit in the array to be one (the array is initialized to zeroes). The operation repeats the same hashing procedure and then checks if the appropriate bits are set as 1. In 2012, the partially hidden access structure in ABE was proposed [13, 14]. In addition, the Bloom filter was employed to hide the value of the attribute in partially hidden access structures in [15]. In this proposed scheme, we use the Bloom filter to protect the privacy of the data owner as Figure 1.

In order to prevent the cloud server from learning information that may invade personal privacy, like name, mobile number, and home address, each attribute information is split into two parts: an attribute name and its value. The general attribute name is made public while the personal privacy information’s specific attribute values are kept secret, when the data file is stored in the cloud server. For example, let the data owner’s name be Alice, the phone number be 1-626-780-7552, and home address be . Then, let the general attribute name of personal information to be protected be , then the owner’s specific values is . The data owner builds the data file label and then constructs a Bloom filter using . In Figure 1, let .

To check whether a Tag is in set that is stored in the cloud, we should firstly compute the values , and verify if each is 1, where . If the check fails, we can insure that Tag is not in . Otherwise, we say that Tag is in with a high probability, because the bloom filter has always a false positive rate. The false positive rate will be analyzed in detail in Section 6. The Bloom filter has an attractive feature of convenient query and concise space. When applying standard Bloom filter, there is a necessity to do hash operations, where the time complexity to insert one element is . When determining whether an element is in the set, the hash calculation is also needed. In addition, it needs the time complexity to finish an element query. For a set with elements, it just needs a bit array with size , so the space complexity is . It is then very concise to use only bits to save each element. The storage space of the traditional tree query algorithm and hash query algorithm is directly associated with the size of the element itself and the size of the set, while the Bloom filter query algorithm is independent of the number of the elements and it is simply connected the number of the vector’s bits, where the mapping comes from the element to the vector.

2.5. Reed-Solomon Code

In coding theory, RS code could detect and correct a number of random information errors. McEliece and Sarwate [16] pointed out that Shamir’s Secret Sharing Scheme (SSS) is closely related to the RS error correction. They observed that a list of shares of Shamir’s threshold SSS forms a codeword of RS code. Thus, if shares containing invalid shares are provided in the reconstruction phase, the secret reconstruction algorithm can identify all cheaters with certain probability. In addition, it is obvious, by using Lagrange interpolation, that a polynomial of degree is uniquely determined by if and only if , where is the number of the cheaters. In 2011, using a single keyed message authentication code, Obana designed an efficient threshold SSS with unconditional security, which is capable of identifying up to cheaters under the condition [17, 18].

3. System Model and Security Goals

3.1. System Model

In our system model, there are four participants: data owner, data consumers, cloud server, and public key generator (PKG). The data owner, e.g., the patient, stores his medical data in the cloud. In this way, he can outsource the data maintenance to the cloud. The data consumers download the data file shared by the data owner and decrypt it using their decryption keys. For the sake of simplicity, the data consumers are referred to as users in this paper. When decrypting data file, these users are collaborating with each other. The cloud server offers a high-quality service utilizing a large number of servers. It has considerable storage space and computation power. The data owner can interact with the cloud server dynamically to update or delete his data files. The public key generator maintains the public key infrastructure. It is a trusted third party with responsibility to deliver the decryption key safely from the data owner to the users. This framework for privacy-preserving data sharing in the cloud is shown as in Figure 2.

Note that, the communication channels between users and cloud server are secured under existing protocols in the system model.

3.2. Adversary Model

The adversary model defines malicious behaviors based on whether they intimidate the confidentiality of the cloud data. In contrast, the cloud server in our model is semitrusted (also known as honest-but-curious or passive. In other words, it will follow the protocol most of the time). The cloud server is assumed not to collude with the cloud user. Note that although the semitrusted adversary model is weaker than the malicious model, it is a realistic model that is widely used in similar protocols.

We have made it clear that the cloud server is semitrusted in our adversary model. This implies that the cloud server will not violate from the protocol but may try to learn more information that she is not authorized to access. Phishing attack is an important issue that needs to be considered in practice, but we will not address this issue since it is an actively attack. We will further consider this issue in our future works.

Hence, the following three types of attackers are considered: (1) data exposure: data owner’s personal sensitive information might be leaked; (2) inner threats: some authorized users might present fake decryption key, causing failure when decrypting the data file; (3) outer threats: the channel that used to transmit the secret keys might be insecure.

Different from publicly verifiability [19], the user could verify by himself about the decryption key delivered by the owner, and this property is called secret verifiability.

3.3. Design Goals

With the purpose of secure data sharing and data access control in the cloud, our main goal is to minimize the leakage of the data owner’s privacy information and prevent the malicious users from accessing the cloud data, including the deceptive users and collusive users. Then, the main design goals of our system can be summarized as follows.

(1) Personal Privacy Protection. We use bloom filter to design a secure mechanism so that the data owner and the cloud server can share data through the cloud. The operation only involves some hash operations, so the computational cost is very low.

(2) Data Access Control and Confidentiality. The proposed scheme employs secret sharing method to share data. The data owner has the authority to specify policy how these cloud users can access the data, and those unauthorized users cannot obtain the information of the data file.

(3) Secret Verifiability of the Decryption Key. In order to ensure secure communications over insecure channels, the decryption key can be verified by the user himself that it has been correctly delivered by the owner. This property is called secret verifiability, while in publicly verifiability, the key can be verified by anyone who is interesting to.

(4) Recognition of the Dishonest User. If some cloud users misbehave, they could be efficiently identified using the RS encoding method.

4. The Proposed Scheme

4.1. System Initialization

The public key generator chooses two groups and of prime order , two independent generators , a bilinear map , and an injective function (for example, [18]) and a collision-resistant hash function .(1)User registration: the user registers to the public key generator. He first randomly chooses as the private key and then computes as the public key.(2)Here, denotes the set of users who want to share an owner’s data file. Firstly, the public key generator takes a grouping function and divides these users into different groups, such as doctors and nurses, relatives and friends, legal officers, and so on by user’s identity, which are denoted as that satisfy . Suppose the user is partitioned into , where is defined as . If , where , then the user group is also denoted as for short, namely, the group ID.(3)PKG takes random exponents for group (4)The system public key is published as is denoted as the system master key.

4.2. Data File Generation (Data File Sharing)

(1) is a partitioned group and the number of the users in the group is . The data owner chooses a linear secret sharing access structure and an exponent for every group. For group , the data owner chooses a random secret sharing access structure , where associates rows of the matrix and corresponding to the th row of . Then it takes random exponents . is the data to be encrypted; the data file is published as(2)In order to protect the private information of the data owner, the data owner computes the data file tag , and then constructs a Bloom filter by using .(3)The data owner selects a unique ID for this data file and uploads the anonymous data file to the cloud server.

Finally, each data file is stored on the cloud in the format as shown in Table 1.

Document number

4.3. Key Generation

User is a user of the universal user set, which is partitioned into group by grouping function . To sign the user in group , if user is the th in group , then it is denoted as , for short .(1)As mentioned earlier, the user takes random as private key and computes as his public key.(2)The data owner distributes the shared key to user in group .(a) is the secret sharing access structure for group , where . Then the data owner chooses a random vector as secret vector, where is the encryption exponent to share in the group . Then the share vector is computed as , where is the -th row vector of the matrix .(b)The data owner chooses random and computes the share key and the share verification of the key for user , where .(c)The data owner takes a random degree polynomial and computes , denoted as , in short , with the injective function .(d) is encrypted by the user’s public key, so that only the user can decrypt it by his private key. In other words, the data owner sends the share key safely to the user by the public key infrastructure.(3)The user receives the and computes the decryption key by his private key as follows.(a)The user first verifies with share verification information , share key , and the user’s private key . The effective of this verification can be proved in Claim 2.(b)The user then recovers from by his private key .(c)Finally the user computes the decryption key .

4.4. Decryption of Data File

is an authority set of the group and are the union of the authority sets for groups.(1)These authorized users of the sets compute the tag of data file that they want to decrypt and then send it to cloud server.(2)The cloud server receives the tag .

The cloud server verifies using provided by these users. If it is satisfied, two decryption approaches can be adopted to get the plaintext: (a) decrypting by these authorized users and (b) outsourcing the decryption to the cloud. We describe them as follows:

(a) Decrypting by these authorized users.

After the authorized users receive the corresponding data file sent by the cloud server, one has the following:

(1) All the authority users from those authority sets use their decryption keys to verify the correctness of these decryption keys.

Firstly, it is recovered from using Berlekamp algorithm. Then, the users of the group verify for every decryption key . If it is unequal then is a fake share key. The user is added to the list of cheaters . Moreover, every group can identify the cheaters of the group in this way.

(2) If there are no cheaters in all of the authority users, then these authority users recover the blind factor of data as follows.

Firstly, for every authority set, there exists constant satisfying , where . Then, the blind factor of data is computed asFinally, .

(b) Outsourcing the decryption to the cloud.

In this situation, these authorized users first generate the transformation key in groups for the cloud before they are outsourcing the decryption and then obtaining group decryption , where . To generate and , the authorized user group chooses a random value and computes the transformation key as and outputs the group decryption key , for . We allow these authorized users themselves to generate the transformation key in group, which is more flexible. Then they send transformation key to the cloud server for outsourced decryption.

The cloud computes the following equation using : and then it sends to the user groups , for . After receiving , all the user groups compute message as .

5. Security Analysis

5.1. Provable Security

In the proposed scheme, we utilize a symmetric encryption to hide the message data and use secret sharing based on general access structure to share the session key with users in every group. Since the security of secret sharing based on general access structure does not rely on any computational complexity assumption, it is unconditionally secure. Therefore, the modification does not disclose any information, and the proposed scheme is chosen plaintext secure.

5.2. Privacy of the Data Owner’s Personal Information

In order to protect privacy of the data owner, the data owner first computes the tag of the data file with public hash function and constructs the bloom filter of the tag . Then the bloom filter with the ciphertext is constructed as data file and uploaded to cloud server. To decrypt the ciphertext they want to access, the cloud users firstly compute the of the data file with public hash function . Then they present the to the cloud server; the cloud finds the item of the data file by verifying the bloom filter . If it passes the verification, the ciphertext of the data file is sent to users. Then the users decrypt the ciphertext to recover the plaintext with their decryption key. It is easy to see that the personal privacy of the owner can be protected from the cloud.

Claim 1. The correctness of the search result can be ensured if the rate of false search result is acceptable.
A false positive probability exists when determining whether an element belongs to a set because of the possible collisions in the hash functions. We can compute as follows [15]:where is the number of elements in set and is the size of the bit array. Obviously, when , the false positive probability can be minimized to a negligible value, i.e., .

5.3. Verifiability of the Share Key Distribution

In the following, we prove that the user can verify the correctness of share key distributed by the data owner.

Claim 2. Suppose a user is ; if he accepts the share verification from the owner, then there exists a unique value such that .

Suppose the owner distributes a share verification to the user ; if the user accepts the value , then , , which leads to ; that is to say .

Therefore, the share key can be verified by the user.

5.4. Identification of the Cheater

The RS code is employed here to prevent the cheaters from changing the polynomial , which is used to test the validity of the shares, due to the fact that RS code has the ability to perform error correction. In other words, a polynomial of degree is uniquely determined by if and only if , even if there are some fake shares they cannot prevent the correct reconstruction of . Thus, we have the following conclusion.

Claim 3. If in every group , then the proposed scheme is a cheater identifiable data sharing scheme that no cheater can succeed in cheating without being identified with probability better than , where is the number of the cheaters and is the threshold for every group.

5.5. Mutual Supervision between Groups

Claim 4. The proposed scheme is collision-resistant and mutual supervision between different groups.

The proposed scheme not only identifies the cheater in group but also can achieve mutual supervision between groups, because the secret is distributed to each group, if and only if all of the groups present the correct secret share, then the plaintext is recovered correctly. If some users present a fake share in any authorized user set, it would cause the group share error, which leads the decryption process to failure.

6. Performance Analyses

In this section, we briefly compare our scheme with some other classical data sharing schemes, like Yu scheme [2] and Dong scheme [4]. Yu scheme is relaying on KP-ABE, while Dong scheme is based on CP-ABE. In our scheme, can also be seen as the attribute that involved in the group . These schemes have applications in healthcare or library scenarios to share data. Besides, our scheme is more suitable for medical supervision scenario, especially when evidence is needed like EMR in medical disputes or accident. Data confidentiality is achieved in all these schemes since the data owner stores the ciphertext of data file into cloud server, and the cloud servers are not able to learn the plaintext of any data file. The data decryption keys are not known by the cloud server in any one of these schemes [2, 4] as well as in our scheme, although the proxy reencryption key is given to the cloud server in [2]. The comparison of our scheme with the schemes in [2, 4], regarding the security properties, is summarized in Table 2.

SchemeCollusion-resistantAnonymous storageHaving verification propertyIdentifiable cheater


In order to make the comparison fair and meaningful, when comparing the computational cost in the decryption phase, we consider the general situation that all users have participated. In case when the decryption is partially outsourced to the cloud, this will further reduce the computational cost for the users obviously.

6.1. Dynamic Operation

The dynamic operations such as user addition/revocation and file creation/deletion are processed in a similar way as in all these schemes, then the operation are introduced briefly.

(1) File Operation. There are three operations for file operation: file creation, file deletion, and file updating. In these operations, the data owner has the right to delete the new file in [2, 4] and ours. He makes a unique tag and defines the access policy or attributes set for file creation. For file updating, the data owner ought to rearrange the access policy in our scheme and in [4], while updating the file’s attribute in ciphertext and the proxy reencryption key in scheme [2].

(2) User Operation. There are two operations for user operations: new user grant and user revocation. Similarly, the data owner assigns the corresponding secret key to the new user according the type of the scheme, KP-ABE or CP-ABE. The data owner may revoke the access privileges from some users. It has been a great challenge to achieve an effective user revocation.

In most existing schemes, it can take a direct manner in which the data owner reupdates the access policy, reencrypts the relevant files, and distributes the renewed keys to the nonrevoked users via the cloud server. This method is applicable in [2, 4] and our scheme. Based on the above reasons, the data owner needs to guarantee that all the operations are processed faithfully by the cloud servers.

6.2. Computation Complexity

In this section, we analyze and compare the computation overhead of the proposed scheme with [2, 4], considering the encryption and decryption operation. In the proposed scheme, the main computational cost involved in encryption and decryption algorithms are pairing and scalar multiplication. The ciphertext of the proposed scheme is . Pairing is the most expensive operation. For each different file, data owner only needs to calculate once at the beginning. Thus, we do not consider the overhead of pairing operation in the computational complexity when comparing the proposed scheme with those in [2, 4]. In the computational complexity analysis, we only take into account scalar multiplication operation. During encrypting, all encryption operations are at the data owner’s side. The data owner needs to do scalar multiplication for and scalar multiplications for ; thus, the owner should take scalar multiplication in total for encryption. Then the computation complexity of encryption is .

In the decryption stage, to recover ciphertext, the user needs at most scalar multiplications to calculateThus, the computation complexity of decryption is at most about .

In the key generation stage, it needs one scalar multiplication to calculate for each user and two scalar multiplications to calculate and for each group . Therefore, the computational complexity of key generation is at most .

For the cloud server, the main computational overhead is caused by the execution of tag testing algorithm by Bloom filter hash function. So the computation complexity for cloud server is .

In [4], the data owner needs to do two scalar multiplications to calculate , one scalar multiplication for , and two for . Therefore, the data owner needs at most scalar multiplications. Thus, the computation complexity of encryption is . To recover the ciphertext, the user needs another scalar multiplications at most to calculate , so the time complexity is also at most . The time complexity for key generation is .

While in [2], the data owner needs to do one scalar multiplications to calculate and one scalar multiplication for . Therefore the computation complexity of the data owner for encryption is . To recover the ciphertext one has to compute for each leaf node firstly. Then, it aggregates these pairing results in the bottom-up manner using the polynomial interpolation technique. Finally, it recovers the blind factor and outputs the message if only if attributes satisfy access tree . So the time complexity for decryption is about . And the time complexity for generation of the key is .

The computational complexity of our scheme, as well as [2, 4], is given in Table 3, where denotes the attributes of the user, denotes the attributes of access structure, set represents the universal users, and is the number of the partitioned groups in our scheme.

SchemeEncryptionDecryptionKey Generation
(Data owner)(User)


6.3. Experiment Results

The evaluation is conducted through experiment evaluating the time cost of the proposed scheme on a computer with Windows7 Intel i5-4590S -3.00GHz CPU, and 4-GB RAM. All results presented here are the average value in 100 different trials.

6.3.1. The Overhead of Encryption Algorithm

In our scheme, the encryption is to calculate . In [2], the calculation of ciphertext is based on and . And the calculation of ciphertext in scheme [4] is based on . Let the number of attributes equals the number of users , and then the encryption speed of our scheme and other schemes with the number of the attribute is to 10 and to 50 is given, respectively, in Figures 3 and 4.

From Figures 3 and 4, we can see that the encryption cost increases linearly with the attributes in the three schemes, and our scheme has almost the same cost as [2] and it is much lower than [4].

6.3.2. The Overhead of Decryption Algorithm

In our scheme, the decryption is to compute . As we see the cost of decryption depends on the number of groups and the user number in each group. The decryption overload about 10 groups and 10 users in every group of our scheme is showed in Figure 5.

The decryption overload of [2] is to compute the pairing operation which is not only due to the number of the attributes but also due to intermediate node, the size of the concrete tree structure. If the structure of the tree is a large number, then the overload will be very large. Here, we only give the comparison of decryption overload between our scheme and [4], where the number of users in our scheme is the same as the number of attributes in [4]. Every star in Figure 6 is denoted as a number of the groups in brackets under the same number of the attributes in our scheme. From Figure 6, we can see that the more groups, the greater the consumption.

When all users are in one group in our scheme, the overhead of decryption are showed in Figures 7 and 8, where attributes of access structure are up to 10 and 50, respectively. Then it can be seen that our scheme overhead is less than [4].

6.3.3. The Overhead of Key Generation Algorithm

The key generation algorithm is to compute the power exponent in all of three schemes. In order to simplify the comparison, we take all users in one group, then key generation overloads of three schemes are showed in Figure 9. From the Figure 9, it can be seen that the overload in our scheme is much less than [4] and a little more than [2].

6.4. Communication Cost

In our scheme, the communication cost is mainly attributed to the encrypted data and key distribution transmission. The encrypted data is sent by the data owner to the cloud: the value of and requires bits. The share keys are sent by the data owner to the users: the value for every requires , at most requires and requires bits. Thus the communication cost of the share key from owner to users is given by . The private key is usually a few hundred bits, and in general, it does not need to be compressed. We need to assume that before the cloud environment is established, the private key is initialized in advance, and each participant can securely store and use the private key. Thus the whole communication cost of the protocol is given by . The communication expenses comparison between our scheme, KP-ABE-based schemes, and CP-ABE-based schemes is shown as Table 4. We can see that the communication cost of our scheme is nearly the same as CP-ABE-based schemes and our scheme and [4] is slightly more than KP-ABE-based schemes. However, in practice, the file is described by just a limited attributes or shared with limited users. In addition, even though the order of cyclic group is large, bits is far less than the file size (data). In other words, the extra communication cost can be ignored.

SchemeCommunication costs


7. Application to Secure Medical Information Sharing Scene

In personal health medical information environment, like personal medical information, medical record information of a person is cumulated consistently during his life; he will have a lot of contact with nurses and doctors over his life. From perspective of the patient, he is the data owner. When his health medical record is stored in the cloud server, he also wishes to control his medical data and he needs to specify who can to access his information; those users are called authorized users. As shown in Figure 10, these authorized users might be some friends, specialists, nurses, and public security investigators. To ensure impartiality and fairness, to prevent tampering, forgery, and other illegal acts, the access of medical record data of the owner should be carried out under the above different groups’ supervision. And scheme should have the properties of data confidentiality and privacy protection and cheater identification. To achieve this goal, a privacy protection approach is taken to use bloom filter, to hide some personal information that is not closely related to health conditions of the patient, such as name, gender, telephone number, ID card number, family address, and property, when medical record of owner is stored on cloud. Moreover, since each group has a group secret, data’s access is carried out under an effective supervision mechanism according to the portioned groups. Besides, it can be made sure that the participants conspiring or deceive can be found and identified applying an error correction function of RS encoding technique. In summary, the proposed scheme is helpful for patient to achieve flexible and supervised control on his case file stored on cloud server.

8. Conclusion

In this paper, a personal medical information privacy protection scheme in the cloud was proposed, which can be used to set the electronic medical records system up for patients efficiently. The proposed scheme has flexible data access control through combing the techniques of the secret sharing methods and symmetric encryption. The performance analysis shows that the proposed scheme has low overhead and high efficiency. In this proposed scheme, we use RS encoding method to identify the dishonest user. It means there are not too much misbehave users in every group. As indicate in Section 2.5, this scheme has the capability of identifying up to cheaters under the condition . Hence, in the future works, we will investigate how to remove this condition and to achieve more efficiency of recognition of the dishonest user. Moreover, we will investigate how to achieve efficient data file updated flexibly and how to process multifile convergence in batches.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work is supported by National Key R&D Program of China (no. 2017YFB0802000), the National Natural Science Foundation of China (61572303, 61772326, 61802241, 61802242, and 61872289), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03), the Provincial Natural Science Foundation Research Project of Shaanxi (no. 2017JQ6029), the Shaanxi Provincial Department of Education Special Scientific Research Project (no. 16JK1109), and the Doctoral Scientific Fund Project of Shaanxi University of Science and Technology (BJ11-12).


  1. M. Kallahalla, E. Riedel, R. Swaminathan et al., “Scalable secure file sharing on untrusted storage,” in Proceedings of the FAST'03 Proceedings of the 2nd USENIX Conference on File and Storage Technologies, pp. 29–42, 2003. View at: Google Scholar
  2. S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in Proceedings of the IEEE INFOCOM, pp. 1–9, March 2010. View at: Publisher Site | Google Scholar
  3. V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006. View at: Publisher Site | Google Scholar
  4. X. Dong, J. Yu, Y. Luo, Y. Chen, G. Xue, and M. Li, “Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing,” Computers & Security, vol. 42, pp. 151–164, 2014. View at: Publisher Site | Google Scholar
  5. J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, May 2007. View at: Publisher Site | Google Scholar
  6. B. Waters, “Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization,” in Public Key Cryptography (PKC '11), pp. 53–70, Springer, Berlin, Germany, 2011. View at: Publisher Site | Google Scholar | MathSciNet
  7. X. Boyen and B. Waters, “Anonymous hierarchical identity-based encryption (without random oracles),” in Advances in Cryptology—CRYPTO 2006, vol. 4117 of Lecture Notes in Computer Science, pp. 209–307, Springer, Berlin, Germany, 2006. View at: Publisher Site | Google Scholar
  8. Beimel., Secure schemes for secret sharing and key distribution [Ph.D. thesis], Israel Institute of Technology, Technion, Haifa, Israel, 1996.
  9. M. Ito, A. Saito, and T. Nishizeki, “Secret sharing scheme realizing general access structure,” Electronics & Communications in Japan, vol. 72, no. 9, pp. 56–64, 1989. View at: Google Scholar
  10. J. Benaloh and J. Leichter, “Generalized secret sharing and monotone functions,” On Advances in Cryptology, vol. 403, pp. 27–36, 1988. View at: Google Scholar
  11. M. Karchmer and A. Wigderson, “On span programs,” The Eighth Annual Structure in Complexity Theory, pp. 102–111, 1993. View at: Google Scholar
  12. B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Communications of the ACM, vol. 13, no. 7, pp. 422–426, 1970. View at: Publisher Site | Google Scholar
  13. T. Nishide, K. Yoneyama, and K. Ohta, “Attribute-based encryption with partially hidden encryptor-specified access structures,” in Proceedings of the International Conference on Applied Cryptography & Network Security, vol. 5037, pp. 111–129, 2008. View at: Google Scholar
  14. J. Lai, R. H. Deng, and Y. Li, “Expressive CP-ABE with partially hidden access structures,” in Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2012, pp. 18-19, Republic of Korea, May 2012. View at: Google Scholar
  15. S. Jiang, X. Zhu, and L. Wang, “EPPS: Efficient and privacy-preserving personal health information sharing in mobile healthcare social networks,” Sensors, vol. 15, no. 9, pp. 22419–22438, 2015. View at: Publisher Site | Google Scholar
  16. R. J. McEliece and D. V. Sarwate, “On sharing secrets and Reed-Solomon codes,” Communications of the ACM, vol. 24, no. 9, pp. 583-584, 1981. View at: Publisher Site | Google Scholar | MathSciNet
  17. S. Obana, “Almost optimum t-cheater identifiable secret sharing schemes,” in EUROCRYPT, vol. 6632, pp. 284–302, 2011. View at: Google Scholar
  18. H. Hoshino and S. Obana, “Cheating detectable secret sharing scheme suitable for implementation,” in Proceedings of the 4th International Symposium on Computing and Networking, CANDAR 2016, pp. 623–628, Japan, November 2016. View at: Google Scholar
  19. Z. Chen, S. Li, Q. Huang, J. Yan, and Y. Ding, “A joint random secret sharing scheme with public verifiability,” International Journal of Network Security, vol. 18, no. 5, pp. 917–925, 2016. View at: Google Scholar

Copyright © 2018 Xin Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

More related articles

 PDF Download Citation Citation
 Download other formatsMore
 Order printed copiesOrder

Related articles

We are committed to sharing findings related to COVID-19 as quickly as possible. We will be providing unlimited waivers of publication charges for accepted research articles as well as case reports and case series related to COVID-19. Review articles are excluded from this waiver policy. Sign up here as a reviewer to help fast-track new submissions.