Special Issue: Security and Privacy for Smart, Connected, and Mobile IoT Devices and Platforms
A Secure and Privacy-Aware Smart Health System with Secret Key Leakage Resilience
With the development of smart health (s-health), data security and patient privacy are becoming more and more important. However, some traditional cryptographic schemes cannot guarantee data security and patient privacy under various forms of leakage attacks. To prevent the adversary from capturing part of a private key by leakage attacks, we propose a secure leakage-resilient s-health system which realizes privacy protection and the safe transmission of medical information in the presence of leakage attacks. The key technique is a promising public key cryptographic primitive called leakage-resilient anonymous Hierarchical Identity-Based Encryption (HIBE). Our construction is proved to be secure against chosen plaintext attacks in the standard model under the Diffie-Hellman exponent assumption and the decisional linear assumption. We also blind the public parameters and ciphertexts using the double exponent technique to achieve recipient anonymity. Finally, the performance analysis shows the practicability of our scheme, and the leakage rate of the private key approaches 1/6.
With the development of information technology, the Internet of Things (IoT) has become a very important technology for government departments, businesses, and academic circles in various countries because of its wide range of application scenarios. IoT builds on the Internet to enable communication between information systems and terminal devices, and between information and physical goods. At present, IoT has been widely used in many fields, such as food safety, smart health (s-health), urban construction, cloud storage, etc. [1–4].
Cloud-based s-health systems play an important role in our daily life. At present, doctors use computers to store and retrieve patients’ electronic health records (EHRs). EHR systems replace paper systems and thus increase efficiency in the recording, storage, and retrieval of patient information [5–7]. However, EHRs, which contain highly confidential personal information, are stored in the cloud and exchanged over the Internet, and can therefore be vulnerable to attacks [8–10] such as data loss, hijacking of information by hackers, and integrity violations. In recent years, a large number of medical information leaks from cloud storage have attracted more and more public attention. Data privacy and security are believed to be the major challenge in the deployment of EHR-based healthcare systems. There has been a lot of work that deals with data privacy and security problems [11–15].
However, traditional cryptographic schemes may not be secure under various forms of leakage attacks, such as side-channel attacks and cold-boot attacks. Such attacks exploit various forms of information leakage by observing physical implementations of cryptosystems, such as running time, electromagnetic radiation, power consumption, and fault detection. IoT generally adopts a distributed network structure, and most of the nodes are located outdoors, which makes it easy for attackers to obtain sensitive information [21–23]. Therefore, it is very meaningful to construct a secure and privacy-aware smart health system with secret key leakage resilience for the case of leakage attacks. Based on the paper of Zhang et al., we construct a leakage-resilient anonymous HIBE scheme for s-health data sharing [25–27] scenarios.
1.1. Our Contributions
To address the security of medical information and the privacy of patients in s-health, we propose a secure s-health system which allows a medical information owner to securely share data in the presence of leakage attacks. The main contributions of this paper are as follows.
(i) Firstly, we present the system model of a secure s-health system based on a leakage-resilient anonymous HIBE scheme. Our system addresses the problem of key management and reduces the load on the PKG.
(ii) Secondly, we blind the public parameters and ciphertexts using the double exponent technique to achieve anonymity, and thereby protect privacy.
(iii) Finally, our scheme is built in prime order groups, which are more computationally efficient than composite order groups. The proposed scheme is proved to be secure against chosen plaintext attacks in the standard model.
1.2. Related Work
Identity-based encryption (IBE) has attracted increasing attention since the notion was introduced by Shamir. In traditional IBE schemes, the private key for the user is generated by the Private Key Generation Center (PKG). However, in a large scale network such as s-health, the number of users is huge, the task of the PKG is too heavy, and it is difficult to manage the users’ private keys. In order to solve this problem, the notion of Hierarchical Identity-Based Encryption (HIBE) was proposed, and then many HIBE schemes followed [31, 32]. Furthermore, many anonymous HIBE schemes were proposed [33–36] in which the ciphertext does not leak the identity of the recipient. However, the sizes of their private keys and ciphertexts increase with the depth of the identity hierarchy. Zhang et al. proposed an anonymous HIBE scheme over prime order groups where both private keys and ciphertexts have a constant size.
Dillema et al. proposed a simple cryptographic access control method for the prehospital environment. However, this system grants access privileges if and only if the patient and the health worker meet in the physical world. Zhang et al. proposed a reference model of the security and privacy issues in the EHR cloud and requirements for secure access to EHR data. A secure EHR system demonstrated to be resilient to various attacks, protecting patient privacy and enabling emergency healthcare, was proposed by Sun et al. In e-Health and Mobile Health networks, Guo et al. [40, 41] proposed a privacy-preserving attribute-based authentication system, which leverages users’ verifiable attributes to authenticate users while preserving their privacy. Kumar et al. proposed a biometric-based authentication scheme which is lightweight and uses only symmetric key operations. A secure data sharing scheme using IBE for the e-Healthcare system was proposed by Sudarson et al. Zhang et al. proposed a system architecture and adversary model of a secure s-health system which realizes fine-grained access control on s-health cloud data and hence ensures users’ privacy protection. Dawoud et al. defined different scenarios for the integration of e-health systems with cloud computing systems, and these scenarios covered authentication and data processing in the different parts of the system. Zhang et al. proposed a three-factor authenticated key agreement scheme based on a dynamic authentication mechanism to protect users’ privacy in e-health systems, and it was proved to be semantically secure under the real-or-random model. Sahi et al. reviewed the latest research on privacy preservation in e-Healthcare and explored whether this research offers any possible solutions to patient privacy requirements for e-Healthcare. However, these schemes may not be secure under various forms of leakage attacks.
The first leakage-resilient cryptographic scheme was proposed by Dziembowski and Pietrzak and captures most key leakage attacks. However, their leakage-resilient encryption scheme is built on the “only computation leaks information” assumption, which cannot capture the cold-boot attack. To resist the cold-boot attack, the bounded-leakage model was proposed by Akavia et al. Furthermore, the relative-leakage model was proposed by Naor et al. Leakage-resilient (anonymous) IBE schemes have been discussed previously. A leakage-resilient IBE scheme was proposed and shown to be secure in the standard model by Alwen et al. Chow et al. proposed three new leakage-resilient IBE schemes under the respective static assumptions of the original systems. Li et al. proposed a new leakage-resilient public key encryption scheme and showed that it is secure under the Decisional Diffie-Hellman (DDH) assumption. Liu et al. showed that the dual system encryption technique leads to leakage resilience and proposed an anonymous leakage-resilient identity-based encryption scheme. Li et al. proposed a new leakage-resilient IBE scheme in the bounded-leakage model and showed it to be semantically secure against adaptive chosen ciphertext attacks in the standard model.
Some preliminaries are reviewed in Section 2. In Section 3, we define the usage scenario for the smart healthcare system and present the system model and the leakage-resilient security model. The secure s-health system based on leakage-resilient anonymous HIBE is described in Section 4. In Section 5, our security analysis and leakage resilience analysis are presented. Finally, we draw our conclusions in Section 6.
For ease of reference, important notations are summarized in Table 1.
2.2. Random Extractor
We define the statistical distance between two random variables and over a finite domain to be The min-entropy of a random variable X is defined as The average min-entropy of a random variable X conditioned on another random variable Y is defined as follows:
Definition 1. If, for all pairs of random variables such that and , it holds that where is uniform over , we call polynomial-time function an average-case -strong extractor.
Lemma 2. If has possible values and is random variable, we have
2.3. Bilinear Groups
Let and be two cyclic groups of prime order and be a bilinear map. We call a bilinear group if it has the following properties:
(i) Bilinearity: and , we have .
(ii) Nondegeneracy: for the generator , we have .
(iii) Computability: , the bilinear map can be efficiently computed.
2.4. Computational Assumptions
2.4.1. Bilinear Diffie-Hellman Exponent (BDHE) Assumption
Let be a generator of group and . We define the computational BDHE problem to be where , . Algorithm has advantage in solving the computational BDHE problem if
The decisional version of the BDHE problem is defined in the usual manner. Let ; Algorithm has advantage in solving the decisional BDHE problem if
2.4.2. Decisional Linear Assumption
The decisional linear problem is defined as The goal of algorithm is to output 1 when or 0 otherwise. We give three weak versions of the decisional linear problem as follows:
(i) Version (1): The goal of algorithm is to output 1 when or 0 otherwise.
(ii) Version (2): The goal of algorithm is to output 1 when or 0 otherwise.
(iii) Version (3): The goal of algorithm is to output 1 when or 0 otherwise.
3. System Model
3.1. Usage Scenario
The hospital uses the system software developed from our proposal, and each member of the hospital is registered in the system at a certain level. The system allocates private keys to them through the key generation algorithm; however, part of a generated private key may be leaked to malicious attackers through various forms of leakage attacks.
A patient, named Alice, visits a doctor in this hospital. According to her condition, a nurse assigns Alice to the doctor named Bob. Through diagnosis, Bob decides that Alice needs the doctor named Carol to treat the illness together with him. Bob then uploads Alice’s EHRs, encrypted under Carol’s public key, to the cloud server through the system. Carol uses the corresponding private key to download and decrypt Alice’s EHRs. Together they complete the diagnosis and treatment of Alice.
During the entire process, Bob sends Alice’s EHRs to Carol through the cloud, but Carol’s private key may have been partly leaked. If a conventional system is used, Alice’s EHRs may be exposed, but our scheme ensures that Alice’s EHRs will not be leaked. Thus, the patient’s EHRs are protected.
3.2. System Model
We divide the system model into two parts. The first part is shown in Figure 1 and produces the private keys for users at different levels (patients, doctors). The S-Health Authority (SHA) is an entity that produces the public key parameters and the master secret key. In our system, the level is divided into levels. The private key of users in the first level is defined as the root private key. The private key of the - level users is related to the private key of the - level users, where .
The second part is shown in Figure 2 and covers the sharing of medical information among all users. The figure depicts doctor A sharing medical information with patient B. A encrypts the medical information with B’s public key (identity) and then uploads it to the s-health cloud (SHC). B then decrypts the medical information with its own private key. The adversary may learn part of B’s private key through a leakage attack.
We give a description of the proposed secure s-health system:
(i) Initialization: SHA produces the public key parameters and the master secret key . All users can obtain .
(ii) User Registration: A user (a patient or a doctor) can join the s-health system by confirming its level to SHA.
(iii) Information Upload: A user encrypts medical information based on a leakage-resilient anonymous HIBE scheme and uploads the final ciphertext to SHC.
(iv) Information Access: A user downloads a ciphertext from SHC. The ciphertext can be decrypted if and only if the private key corresponds to the public key used for encryption.
3.3. Leakage-Resilient Security Model for Anonymous HIBE
The security of leakage-resilient anonymous HIBE is defined by the following game () between an adversary and a challenger .
(i) Init: The adversary gives the challenge identity to the challenger .
(ii) Setup: computes . gives to and keeps to itself. will initialize a set , which will be the set of tuples of identities, the private keys that have been created, and the number of leaked bits corresponding to the private key . Let be a leakage parameter.
(iii) Phase 1: adaptively issues the following two kinds of queries:
(a) Private Key Queries: adaptively queries with where and is not a prefix of ; responds with the private key corresponding to the identity .
(b) Leak Queries: gives a polynomial-time leakage function and adaptively queries with . finds the tuple and replies with when or a reject symbol otherwise.
(iv) Challenge: selects two messages on which it wishes to be challenged. chooses a random bit and gives to .
(v) Phase 2: answers the queries in the same way as Phase 1 with the added restriction that cannot execute leakage queries.
(vi) Guess: outputs a bit and wins if .
Definition 3. We say that an anonymous HIBE scheme is leakage-resilient and selectively secure against chosen plaintext attacks (ANO-IND-sID-CPA) if every polynomial-time adversary ’s advantage in the above game is negligible. We define ’s advantage to be
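The game above, as an added example that is not part of the paper: a Python challenger that enforces the three rules the definition imposes, namely the prefix restriction on private key queries, the leakage bound over all leak queries against one private key, and the ban on leak queries after the challenge. The HMAC-based key derivation is a placeholder that mirrors the level-by-level delegation structure only; it is not the paper's pairing-based HIBE, whose equations are not reproduced here.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Identity = Tuple[str, ...]   # hierarchical identity, e.g. ("hospital", "cardiology", "bob")
REJECT = None                # the reject symbol returned for a refused query


def is_prefix(prefix: Identity, ident: Identity) -> bool:
    """True when `prefix` equals `ident` or is an ancestor of it in the hierarchy."""
    return len(prefix) <= len(ident) and ident[:len(prefix)] == prefix


class Challenger:
    """Bookkeeping side of the ANO-IND-sID-CPA leakage game.

    Private keys are a stand-in (assumption): each level's key is derived from
    its parent's key with HMAC, which imitates HIBE delegation but is NOT the
    paper's scheme. The set of (identity, key, leaked-bits) tuples is `records`.
    """

    def __init__(self, master_secret: bytes, leak_bound: int):
        self.msk = master_secret
        self.leak_bound = leak_bound                 # leakage parameter (bits per key)
        self.records: Dict[Identity, List] = {}      # identity -> [private key, leaked bits]
        self.challenge_id: Optional[Identity] = None
        self.phase = 0                               # 0 = Init/Setup, 1 = Phase 1, 2 = Phase 2

    # Init: the adversary commits to the challenge identity up front (selective-ID).
    def init(self, challenge_id: Identity) -> None:
        self.challenge_id = challenge_id
        self.phase = 1

    def _derive(self, ident: Identity) -> bytes:
        key = self.msk
        for component in ident:  # level-k key is derived from the level-(k-1) key
            key = hmac.new(key, component.encode(), hashlib.sha256).digest()
        return key

    # Private Key Queries: refused when the queried identity is a prefix of
    # (or equal to) the challenge identity, otherwise the key is created and returned.
    def private_key_query(self, ident: Identity) -> Optional[bytes]:
        if is_prefix(ident, self.challenge_id):
            return REJECT
        return self.records.setdefault(ident, [self._derive(ident), 0])[0]

    # Leak Queries: allowed only in Phase 1 (any identity, the challenge one included),
    # and only while the total bits leaked from that key stay within the bound.
    def leak_query(self, ident: Identity, f: Callable[[bytes], bytes]) -> Optional[bytes]:
        if self.phase != 1:
            return REJECT
        record = self.records.setdefault(ident, [self._derive(ident), 0])
        out = f(record[0])
        if record[1] + len(out) * 8 > self.leak_bound:
            return REJECT
        record[1] += len(out) * 8
        return out

    # Challenge: from here on the game is in Phase 2 and leak queries are refused.
    def challenge(self) -> None:
        self.phase = 2

    def leaked_bits(self, ident: Identity) -> int:
        return self.records.get(ident, [None, 0])[1]
```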
4. Secure s-Health System
4.1. A Leakage-Resilient Anonymous HIBE Scheme
For an HIBE of maximum depth and an identity where , a leakage-resilient anonymous HIBE scheme is defined as follows:
(i) Setup: The Setup algorithm takes a security parameter and produces the public key parameters and the master secret key . All users can obtain .
(ii) KeyGen: The KeyGen algorithm takes as input the public key , an identity , and the private key corresponding to the identity . It outputs the private key .
(iii) Encrypt: The Encrypt algorithm takes as input the public key , an identity , and a message . It outputs a ciphertext .
(iv) Decrypt: The Decrypt algorithm takes as input the public key , a ciphertext , and the private key corresponding to the identity . It outputs the message , or a reject symbol if the ciphertext is invalid.
4.2. Description of Secure s-Health System
Let be a large prime number and be a group of order . Let be the HIBE of maximum depth , and represent identity information as bit strings of length .
(i) Initialization: SHA randomly chooses . Set , , , , and then pick in group at random. The public key parameters are The master secret key is .
(ii) User Registration: The user joins the s-health system and gets its private keys. The user initiates the following key generation protocol.
KeyGen: The KeyGen algorithm is defined as follows.
(a) Root private keys: For the first level user where and , root randomly chooses and produces the auxiliary parameters where , , and is output as the public key. Root outputs the private key for as and where and are used to rerandomize the private keys.
(b) Delegate: For the - level user where , and , by using the private key corresponding to the - level user : and randomly chooses and produces the auxiliary parameters where and . Let ; then one can obtain and . outputs the private key for as and where .
(iii) Information Upload: A user encrypts medical information based on the leakage-resilient anonymous HIBE scheme as follows.
Encrypt: The encryptor randomly chooses and a random seed . The encryptor creates the ciphertext as follows:
(iv) Information Access: A user downloads and decrypts a ciphertext from SHC as follows.
Decrypt: The - level user decrypts a ciphertext using the private key and computes
The correctness can be checked:
5.1. Security Analysis
Following , the security proof can be completed by a series of hybrid games. Let denote the challenge ciphertext given to the adversary during a . We define the hybrid games to be
(1) Game 1: ;
(2) Game 2: ;
(3) Game 3: ;
(4) Game 4: ,
where and .
We will show these games are indistinguishable in the following lemmas.
Lemma 4. Suppose the decision -BDHE assumption holds. Then there is no polynomial-time adversary that can distinguish Game 1 from Game 2.
Proof. The proof follows from the security of the Boneh-Boyen selective-ID scheme and Abdalla’s security analysis. Suppose there is an adversary that can distinguish between Game 1 and Game 2 with advantage . Then a challenger can be constructed that solves the decision -BDHE problem.
receives a challenge tuple where , , and is either or a random element of . interacts with as follows:
(i) Init: The adversary gives the challenge identity to the challenger where .
(ii) Setup: randomly chooses , where , . It sets The public key parameters are . The master secret key is , which is unknown to .
(iii) Phase 1: adaptively queries with where and is not a prefix of . This condition ensures that there is such that . produces the private key corresponding to the identity , where denotes the first element such that . Let be the number of positions such that in . To respond to the query, produces the auxiliary parameters as follows. For , compute Finally, the auxiliary parameters can be computed as follows. where randomly chooses and sets . The private keys corresponding to the identity are simulated as follows. In fact, In addition, Then we can obtain also produces . uses to derive a private key for the descendant identity and returns the result. Then, submits the leak queries to .
(iv) Challenge: selects two messages on which it wishes to be challenged. first produces the auxiliary parameters as for the challenge identity , where . then randomly chooses and a random seed and responds with the ciphertexts where .
(v) Phase 2: answers the queries in the same way as Phase 1 with the added restriction that cannot execute leakage queries.
(vi) Guess: outputs a bit and wins if .
From the above game, we can see that if , is playing Game 1, and the challenge ciphertexts are valid encryptions of . In fact, let . Then one can obtain Otherwise, is a random element in and is playing Game 2. Thus, Game 1 and Game 2 are computationally indistinguishable.
Lemma 5. Suppose the decisional linear assumption holds. Then Game 2 and Game 3 are indistinguishable.
Proof. Suppose there is an adversary that can distinguish between Game 2 and Game 3 with advantage . Then a challenger can be constructed that solves the decisional linear problem.
receives a challenge tuple where is either or a random element of G. interacts with as follows:
(i) Init: The adversary gives the challenge identity to the challenger where .
(ii) Setup: randomly chooses where , . It sets where The public key parameters are . The master secret key is , which is unknown to , where .
(iii) Phase 1: adaptively queries with where and is not a prefix of . This condition ensures that there is such that . produces the private key corresponding to the identity , where denotes the first element such that . Let be the number of positions such that in . To respond to the query, produces the auxiliary parameters as follows. For , Finally, the auxiliary parameters can be computed as follows. where randomly chooses and sets . The private keys corresponding to the identity are simulated as follows. In fact, In addition, Then we can obtain also produces . uses to derive a private key for the descendant identity and returns the result. Then, submits the leak queries to .
(iv) Challenge: selects two messages on which it wishes to be challenged. first produces the auxiliary parameters as for the challenge identity , where . then randomly chooses and a random seed and responds with the ciphertexts
(v) Phase 2: answers the queries in the same way as Phase 1 with the added restriction that cannot execute leakage queries.
(vi) Guess: outputs a bit and wins if .
From the above game, we can see that if , is playing Game 2. In fact, let . Then one can obtain Otherwise, is a random element in , and