Security and Privacy for Smart, Connected, and Mobile IoT Devices and Platforms
Research Article, Open Access
A Secure and Privacy-Aware Smart Health System with Secret Key Leakage Resilience
Abstract
With the development of smart health (s-health), data security and patient privacy are becoming more and more important. However, some traditional cryptographic schemes cannot guarantee data security and patient privacy under various forms of leakage attacks. To prevent the adversary from capturing part of the private keys by leakage attacks, we propose a secure leakage-resilient s-health system which realizes privacy protection and the safe transmission of medical information in the case of leakage attacks. The key technique is a promising public key cryptographic primitive called leakage-resilient anonymous Hierarchical Identity-Based Encryption. Our construction is proved to be secure against chosen plaintext attacks in the standard model under the Diffie-Hellman exponent assumption and the decisional linear assumption. We also blind the public parameters and ciphertexts by using a double exponent technique to achieve recipient anonymity. Finally, the performance analysis shows the practicability of our scheme, and the leakage rate of the private key is approximately 1/6.
1. Introduction
With the development of information technology, the Internet of Things (IoT) has become a very important technology for government departments, businesses, and academic circles in various countries because of its wide range of application scenarios. IoT technology builds on the Internet to enable communication between information and terminal equipment and between information and real goods. At present, IoT has been widely used in many fields, such as food safety, smart health (s-health), urban construction, and cloud storage [1–4].
Cloud-based s-health systems play an important role in our daily life. At present, doctors use computers to store and retrieve patients’ electronic health records (EHRs). EHR systems replace paper systems and thus increase efficiency in the recording, storage, and retrieval of patient information [5–7]. However, EHRs, which reveal highly confidential personal information, are stored in the cloud and exchanged over the Internet and can therefore be vulnerable to attack [8–10], such as data loss, hackers hijacking information, and loss of integrity. In recent years, a large number of medical information leaks in cloud storage have attracted more and more attention. Data privacy and security are believed to be the major challenge in the deployment of EHR-based healthcare systems. There has been a lot of work that deals with data privacy and security problems [11–15].
However, traditional cryptographic schemes may not be secure under various forms of leakage attacks, such as side-channel attacks [16] and cold-boot attacks [17]. Such attacks exploit various forms of information leakage by observing physical implementations of cryptosystems, such as running time [18], electromagnetic radiation [19], power consumption, and fault detection [20]. IoT generally adopts a discrete network structure, and most of the nodes are located outdoors, which makes it easy for attackers to obtain sensitive information [21–23]. Therefore, it is very meaningful to construct a secure and privacy-aware smart health system with secret key leakage resilience in the case of leakage attacks. Based on the paper of Zhang et al. [24], we construct a leakage-resilient anonymous HIBE scheme for s-health data sharing [25–27] scenarios.
1.1. Our Contributions
To address medical information security and patient privacy issues in s-health, we propose a secure s-health system which allows a medical information owner to securely share data in the case of leakage attacks. The main contributions of this paper are as follows.
(i) Firstly, we present the system model of a secure s-health system based on a leakage-resilient anonymous HIBE scheme. Our system addresses the problem of key management and reduces the pressure on the PKG.
(ii) Secondly, we blind the public parameters and ciphertexts using a double exponent technique to achieve anonymity and thereby protect privacy.
(iii) Finally, our scheme is built in prime order groups, which are more computationally efficient than composite order groups. The proposed scheme is proved to be secure against chosen plaintext attacks in the standard model.
1.2. Related Work
Identity-based encryption (IBE) has attracted increasing attention since the notion was introduced by Shamir [28]. The private key for the user in traditional IBE schemes [29] is generated by the Private Key Generation Center (PKG). However, in a large-scale network such as s-health, the number of users is huge, the task of the PKG is too heavy, and it is difficult to manage the users’ private keys. In order to solve this problem, the notion of Hierarchical Identity-Based Encryption (HIBE) was proposed [30], and many HIBE schemes followed [31, 32]. Moreover, many anonymous HIBE schemes were proposed [33–36] in which the ciphertext does not leak the identity of the recipient. However, the sizes of their private keys and ciphertexts increase with the depth of the identity hierarchy. Zhang et al. [24] proposed an anonymous HIBE scheme over prime order groups where both private keys and ciphertexts have a constant size.
Dillema et al. [37] proposed a simple cryptographic access control method for the pre-hospital environment. However, this system provides access privilege if and only if the patient and the health worker meet in the physical world. Zhang et al. [38] proposed a reference model of the security and privacy issues in the EHR cloud and requirements for secure access to EHR data. A secure EHR system demonstrated to be resilient to various attacks, to protect patient privacy, and to enable emergency healthcare was proposed by Sun et al. [39]. For eHealth and Mobile Health networks, Guo et al. [40, 41] proposed a privacy-preserving attribute-based authentication system, which leverages users’ verifiable attributes to authenticate users while preserving their privacy. Kumar et al. [42] proposed a biometric-based authentication scheme which is lightweight and solely uses symmetric-key-based operations. A secure data sharing scheme using IBE for the implementation of data sharing in the eHealthcare system was proposed by Sudarson et al. [43]. Zhang et al. [44] proposed a system architecture and adversary model of a secure s-health system which realizes fine-grained access control on s-health cloud data and hence ensures users’ privacy protection. Dawoud et al. [45] defined different scenarios for the integration of e-health systems with cloud computing systems, and these scenarios discussed authentication and data processing in the different parts of the system. Zhang et al. [46] proposed a three-factor authenticated key agreement scheme based on a dynamic authentication mechanism to protect users’ privacy in e-health systems, and it was proved to be semantically secure under the real-or-random model. Sahi et al. [47] reviewed the latest research with regard to privacy preservation in eHealthcare and explored whether this research offers any possible solutions to patient privacy requirements for eHealthcare.
However, these schemes may not be secure under various forms of leakage attacks.
The first leakage-resilient cryptographic scheme was proposed by Dziembowski and Pietrzak [48], and it can capture most of the key leakage attacks. However, they constructed the leakage-resilient encryption scheme based on “only computation leaks information”, which cannot capture the cold-boot attack. To resist the cold-boot attack, the bounded-leakage model [49] was proposed by Akavia et al. Moreover, the relative-leakage model [50] was proposed by Naor et al. Leakage-resilient (anonymous) IBE schemes have been discussed previously. A leakage-resilient IBE scheme was proposed and shown to be secure in the standard model by Alwen et al. [51]. Chow et al. [52] proposed three new leakage-resilient IBE schemes under the respective static assumptions of the original systems. Li et al. [53] proposed a new leakage-resilient public key encryption scheme and showed that it was secure under the Decisional Diffie-Hellman (DDH) assumption. Liu et al. [54] showed that the dual system technique leads to leakage resilience and proposed an anonymous leakage-resilient identity-based encryption scheme. Li et al. [55] proposed a new leakage-resilient IBE scheme in the bounded-leakage model and showed it to be semantically secure against adaptive chosen ciphertext attacks in the standard model.
1.3. Organization
Some preliminaries are reviewed in Section 2. In Section 3, we define the usage scenario for the smart healthcare system and present the system model and the leakage-resilient security model. The secure s-health system based on leakage-resilient anonymous HIBE is described in Section 4. In Section 5, our security analysis and leakage resilience analysis are described. Finally, we draw our conclusions in Section 6.
2. Preliminaries
2.1. Notations
For ease of reference, important notations are summarized in Table 1.

2.2. Random Extractor
We define the statistical distance between two random variables and over a finite domain to be The min-entropy of a random variable X is defined as The average min-entropy of a random variable X conditioned on another random variable Y is defined as follows:
Definition 1. If, for all pairs of random variables such that and , it holds that where is uniform over , we call polynomial-time function an average-case strong extractor.
Lemma 2. If has possible values and is random variable, we have
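As an added illustration (not code from the paper), the following Python example evaluates the quantities of this subsection on constructed key distributions, using the standard definitions of statistical distance, min-entropy and average min-entropy. The 1-bit inner-product extractor, the low-bits leakage function, the leftover-hash-lemma bound and all names are assumptions chosen for the example.

```python
import math
from collections import defaultdict

def statistical_distance(p, q):
    """SD(A, B) = 1/2 * sum_w |Pr[A = w] - Pr[B = w]| over a finite domain."""
    return 0.5 * sum(abs(p.get(w, 0.0) - q.get(w, 0.0)) for w in set(p) | set(q))

def min_entropy(p):
    """H_inf(X) = -log2(max_x Pr[X = x])."""
    return -math.log2(max(p.values()))

def avg_min_entropy(joint):
    """H~_inf(X | Y) = -log2(sum_y max_x Pr[X = x, Y = y]); joint maps (x, y) -> prob."""
    best = defaultdict(float)
    for (_, y), pr in joint.items():
        best[y] = max(best[y], pr)
    return -math.log2(sum(best.values()))

def with_leakage(key_dist, f):
    """Joint distribution of (key, f(key)) for a deterministic leakage function f."""
    return {(k, f(k)): pr for k, pr in key_dist.items()}

def low_bits(r):
    """Assumed leakage function: reveals the r low-order bits of the key (2^r outcomes)."""
    return lambda k: k & ((1 << r) - 1)

def ip_extract(x, seed):
    """Assumed 1-bit extractor: inner product of x and seed over GF(2)."""
    return bin(x & seed).count("1") & 1

def extractor_distance(key_dist, f, seed_bits):
    """Exact SD between (Ext(X, S), S, Y) and (U, S, Y); S uniform seed, Y = f(X)."""
    n_seeds = 1 << seed_bits
    real, ideal = defaultdict(float), defaultdict(float)
    for k, pr in key_dist.items():
        y = f(k)
        for s in range(n_seeds):
            real[(ip_extract(k, s), s, y)] += pr / n_seeds
            for u in (0, 1):
                ideal[(u, s, y)] += pr / (2 * n_seeds)
    return statistical_distance(real, ideal)

def lhl_bound(avg_entropy, out_bits):
    """Leftover-hash-lemma bound for a universal hash: 1/2 * sqrt(2^(out_bits - k))."""
    return 0.5 * math.sqrt(2.0 ** (out_bits - avg_entropy))

# Constructed sample distributions (not from the paper).
UNIFORM_KEY = {k: 1 / 256 for k in range(256)}               # 8-bit uniform secret
BIASED_KEY = {0: 0.25, **{k: 0.05 for k in range(1, 16)}}    # 4-bit, one likely value

if __name__ == "__main__":
    for name, dist, r in (("uniform", UNIFORM_KEY, 3), ("biased", BIASED_KEY, 1)):
        h = min_entropy(dist)
        h_avg = avg_min_entropy(with_leakage(dist, low_bits(r)))
        # Leaking one of 2^r values costs at most r bits of average min-entropy.
        print(f"{name}: H_inf={h:.3f}  H~_inf after {r}-bit leak={h_avg:.3f}  "
              f"lower bound={h - r:.3f}")
    eps = extractor_distance(UNIFORM_KEY, low_bits(3), seed_bits=8)
    k = avg_min_entropy(with_leakage(UNIFORM_KEY, low_bits(3)))
    print(f"extractor distance={eps:.6f}  LHL bound={lhl_bound(k, 1):.6f}")
```

For the uniform key the entropy loss equals the number of leaked bits exactly, while for the biased key the loss is smaller than the one-bit worst case.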
2.3. Bilinear Groups
Let and be two cyclic groups of prime order and be a bilinear map. We call a bilinear group if it has the following properties:
(i) Bilinearity: and , we have .
(ii) Non-degeneracy: for the generator , we have .
(iii) Computability: , the bilinear map can be efficiently computed.
2.4. Computational Assumptions
2.4.1. Bilinear Diffie-Hellman Exponent (BDHE) Assumption
Let be a generator of group and . We define the computational BDHE problem [56] to be where , . Algorithm has advantage in solving the computational BDHE problem if
The decisional version of the BDHE problem is defined in the usual manner. Let ; Algorithm has advantage in solving the decisional BDHE problem if
2.4.2. Decisional Linear Assumption
The decisional linear problem [57] is defined as Algorithm goal is to output 1 when or 0 otherwise. We give three weak versions of the decisional linear problem [35] as follows:
(i) Version (1): Algorithm goal is to output 1 when or 0 otherwise.
(ii) Version (2): Algorithm goal is to output 1 when or 0 otherwise.
(iii) Version (3): Algorithm goal is to output 1 when or 0 otherwise.
3. System Model
3.1. Usage Scenario
The hospital uses the system software developed by our proposal, and each member of the hospital is registered in the system at a certain level. The system allocates private keys to them through the key generation algorithm; however, the private key generated may be leaked partly by malicious attackers through various forms of leakage attacks.
A patient named Alice visits a doctor in this hospital. According to her condition, a nurse assigns Alice to the doctor named Bob. Through diagnosis, Bob concludes that Alice needs the doctor named Carol to treat the illness together with him. Bob uploads Alice’s EHRs to the cloud server under the public key of Carol through the system. Carol uses his private key to download and decrypt Alice’s EHRs. They complete the diagnosis and treatment of Alice.
During the entire process, Bob sends Alice’s EHRs to Carol through the cloud, but Carol’s private key may have leaked partly. If a conventional system is used, Alice’s EHRs may be leaked, but our scheme can ensure that Alice’s EHRs will not be leaked. Thus, the patient’s EHRs are protected.
3.2. System Model
We divide the system model into two parts. The first part, shown in Figure 1, produces the private keys for users at different levels (patients, doctors). The S-Health Authority (SHA) is an entity that produces the public key parameters and the master secret key. In our system, the level is divided into levels. The private key of users in the first level is defined as the root private key. The private key of the  level users is related to the private key of the  level users, where .
The second part, shown in Figure 2, shares medical information among all users. The figure depicts doctor A sharing medical information with patient B. A encrypts medical information with B’s public key (identity) and then uploads it to the s-health cloud (SHC). Then B decrypts the medical information with its own private key. The adversary can learn part of B’s private key information through a leakage attack.
We give a description of the proposed secure s-health system:
(i) Initialization: SHA produces the public key parameters and the master secret key . All users can obtain .
(ii) User Registration: A user (a patient, a doctor) can join the s-health system by confirming its level to SHA.
(iii) Information Upload: A user encrypts medical information based on a leakage-resilient anonymous HIBE scheme and uploads the final ciphertext to SHC.
(iv) Information Access: A user downloads a ciphertext from SHC. The ciphertext can be decrypted if and only if the private keys correspond to the public key used for encryption.
3.3. Leakage-Resilient Security Model for Anonymous HIBE
The security of leakage-resilient anonymous HIBE is defined by the following game () between an adversary and a challenger .
(i) Init: The adversary gives the challenge identity to the challenger .
(ii) Setup: computes . gives to and keeps to itself. will initialize a set , which will be the set of tuples of identities; private keys have been created and the number of leaked bits corresponds to the private key . Let be a leakage parameter.
(iii) Phase 1: adaptively issues the following two kinds of queries:
(a) Private Key Queries: adaptively queries with where and is not a prefix of ; responds with the private key corresponding to the identity .
(b) Leak Queries: gives a polynomial-time leakage function and adaptively queries with . finds the tuple and replies with when or a reject symbol .
(iv) Challenge: selects two messages on which it wishes to be challenged. chooses a random bit and gives to .
(v) Phase 2: answers the queries in the same way as phase 1 with the added restriction that cannot execute leakage queries.
(vi) Guess: outputs a bit and wins if .
Definition 3. We say that an anonymous HIBE scheme is leakage-resilient and selectively secure against chosen plaintext attacks (ANO-IND-sID-CPA) if all polynomial-time adversaries ’s advantage is negligible in the above game. We define ’s advantage to be
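The challenger's bookkeeping in the game above can be modelled as follows. This is an added example, not code from the paper: the key generator is a hash-based placeholder rather than the HIBE KeyGen, the acceptance rule "bits already leaked plus bits requested must not exceed the leakage parameter" is the usual bounded-leakage accounting and is assumed here, and all names and sample identities are constructed.

```python
import hashlib

REJECT = object()  # stands in for the reject symbol of the game

def placeholder_keygen(identity):
    """Stand-in for HIBE KeyGen: a deterministic 256-bit integer per identity."""
    digest = hashlib.sha256("/".join(identity).encode()).digest()
    return int.from_bytes(digest, "big")

class LeakageChallenger:
    """Tracks, per identity, the private key and the number of bits leaked so far."""

    def __init__(self, challenge_id, leak_bound_bits, keygen=placeholder_keygen):
        self.challenge_id = tuple(challenge_id)
        self.leak_bound_bits = leak_bound_bits   # leakage parameter of the game
        self.keygen = keygen
        self.table = {}            # identity -> [private_key, leaked_bits]
        self.leak_allowed = True   # True during Phase 1 only

    def _entry(self, identity):
        identity = tuple(identity)
        if identity not in self.table:
            self.table[identity] = [self.keygen(identity), 0]
        return self.table[identity]

    def private_key_query(self, identity):
        """Release the full key only if identity is not a prefix of the challenge."""
        identity = tuple(identity)
        if identity == self.challenge_id[:len(identity)]:
            return REJECT
        return self._entry(identity)[0]

    def leak_query(self, identity, f, out_bits):
        """Return f(sk) truncated to out_bits, or REJECT if the budget would be exceeded."""
        if not self.leak_allowed or out_bits <= 0:
            return REJECT
        entry = self._entry(identity)
        if entry[1] + out_bits > self.leak_bound_bits:
            return REJECT
        entry[1] += out_bits
        # Truncation enforces the declared output length of the leakage function.
        return f(entry[0]) & ((1 << out_bits) - 1)

    def issue_challenge(self):
        """Once the challenge ciphertext is out (Phase 2), leak queries are refused."""
        self.leak_allowed = False

    def leaked_bits(self, identity):
        return self._entry(identity)[1]

if __name__ == "__main__":
    carol = ("hospital", "carol")                      # constructed challenge identity
    ch = LeakageChallenger(carol, leak_bound_bits=10)
    print(ch.private_key_query(carol) is REJECT)       # True: challenge key never released
    print(ch.leak_query(carol, lambda sk: sk >> 7, 4)) # 4 bits of Carol's key
    print(ch.leaked_bits(carol))                       # 4
```

Leak queries may target the challenge identity itself, which is what distinguishes this game from the ordinary selective-ID game: the adversary learns a bounded number of bits of the very key that decrypts the challenge ciphertext.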
4. Secure s-Health System
4.1. A Leakage-Resilient Anonymous HIBE Scheme
For an HIBE of maximum depth and an identity where , a leakage-resilient anonymous HIBE scheme is defined as follows:
(i) Setup: The Setup algorithm takes a security parameter and produces the public key parameters and the master secret key . All users can obtain .
(ii) KeyGen: The KeyGen algorithm takes as input the public key , an identity , and the private key corresponding to the identity . It outputs the private key .
(iii) Encrypt: The Encrypt algorithm takes as input the public key , an identity , and a message . It outputs a ciphertext .
(iv) Decrypt: The Decrypt algorithm takes as input the public key , a ciphertext , and the private key corresponding to the identity . It outputs the message or a reject symbol if the ciphertext is invalid.
4.2. Description of Secure s-Health System
Let be a large prime number and be a group of order . Let be the HIBE of maximum depth and represent identity information as bit strings of length [58].
(i) Initialization: SHA randomly chooses . Set , , , , and then pick in group at random. The public key parameters are The master secret key is .
(ii) User Registration: The user joins the s-health system and gets its private keys. The user initiates the following key generation protocol. KeyGen: The KeyGen algorithm is defined as follows.
(a) Root private keys: For the first level user where and , root randomly chooses and produces the auxiliary parameters where , , and is outputted as the public key. Root outputs the private key for as and where and are used to rerandomize the private keys.
(b) Delegate: For the  level user where , and , by using the private key corresponding to the  level user : and randomly chooses and it produces the auxiliary parameters where and . Let ; then one can obtain and . outputs the private key for as and where .
(iii) Information Upload: A user encrypts medical information based on a leakage-resilient anonymous HIBE scheme as follows. Encrypt: The encryptor randomly chooses and a random seed . The encryptor creates the ciphertext as follows:
(iv) Information Access: A user downloads and decrypts a ciphertext from SHC as follows. Decrypt: The  level user decrypts a ciphertext using the private key and computes
4.3. Correctness
The correctness can be checked:
5. Analysis
5.1. Security Analysis
Following [59], the security proof can be completed by a series of hybrid games. Let denote the challenge ciphertext given to the adversary during a . We define the hybrid games to be
(1) Game 1: ;
(2) Game 2: ;
(3) Game 3: ;
(4) Game 4: ,
where and .
We will show these games are indistinguishable in the following lemmas.
Lemma 4. Suppose the decision BDHE assumption holds. Then there is no polynomial-time adversary that can distinguish Game 1 and Game 2.
Proof. The proof follows from the security of the Boneh-Boyen selective-ID scheme [60] and Abdalla’s security analysis [58]. Suppose there is adversary that can distinguish between Game 1 and Game 2 with advantage . Then challenge will be made to solve the decision BDHE assumption.
receives a challenge tuple where , , and is either or a random element of . interacts with as follows:
(i) Init: The adversary gives the challenge identity to the challenger where .
(ii) Setup: randomly chooses , where , . It sets The public key parameters are . The master secret key is , which is unknown to .
(iii) Phase 1: adaptively queries with where and is not a prefix of . This condition ensures that there is such that . produces the private key corresponding to the identity , where denotes the first element such that . Let be the number of sites such that in . To respond to the query, produces the auxiliary parameters as follows. For , compute Finally, the auxiliary parameters can be computed as follows. where randomly chooses and sets . The private keys corresponding to the identity are simulated as follows. In fact, In addition, Then we can obtain also produces . uses to derive a private key for the descendant identity and gives the result. Then, submits the leak queries to .
(iv) Challenge: selects two messages on which it wishes to be challenged. first produces the auxiliary parameters as for challenge identity , where . then randomly chooses and a random seed and responds to the ciphertexts as where .
(v) Phase 2: answers the queries in the same way as phase 1 with the added restriction that the cannot execute leakage queries.
(vi) Guess: outputs a bit and wins if .
From the above game, we can see that if , is playing Game 1. The challenge ciphertexts are valid encryption to . In fact, let . Then one can obtain Otherwise, is a random element in ; is playing Game 2. Thus, Game 1 and Game 2 are computationally indistinguishable.
Lemma 5. Suppose the decisional linear assumption holds. Then Game 2 and Game 3 are indistinguishable.
Proof. Suppose there is adversary that can distinguish between Game 2 and Game 3 with advantage . Then a challenge will be made to solve the decision linear problem.
receives a challenge tuple is either or a random element of G. interacts with as follows:
(i) Init: The adversary gives the challenge identity to the challenger where .
(ii) Setup: randomly chooses where , . It sets where The public key parameters are . The master secret key is which is unknown to , where .
(iii) Phase 1: adaptively queries with where and is not a prefix of . This condition ensures that there is such that . produces the private key corresponding to the identity where denotes the first element such that . Let be the number of sites such that in . To respond to the query, produces the auxiliary parameters as follows. For , Finally, the auxiliary information parameters can be computed as follows. where randomly chooses and sets . The private keys corresponding to the identity are simulated as follows.