With the rapid development of information technology and the Internet of Things Technology (IOT), data security and healthy privacy are getting a lot of attention. In order to store, access, and share electronic health records, storage of this data is transferred to a third-party-cloud server. The security and privacy of electronic health records stored at date center or cloud server are not guaranteed. Before being sent to date center or cloud server, this data should be encrypted. Designing an efficient and secure fine-grained access control strategy for personal health records is facing enormous challenges. Security and privacy for electronic health records are very important because the electronic health data which plays an important role in medical server and treatment is directly associated with a particular patient. Attribute-based encryption (ABE) can effectively achieve fine-grained access control. However, the computation of bilinear pairings requires a large amount of computation overhead in ABE scheme. In order to decrease the computational overhead and ensure the confidentiality of electronic health records, a distributed fine-grained access control scheme with outsourced computation for IOT is proposed in this paper. Little calculation is executed by the receiver and sender in our proposed scheme. Outsourcing computing reduces the computing burden. The analyses of safety and performance show that our proposed scheme is safe and effective compared with previous schemes.

1. Introduction

With the development of cloud computing and IOT in several years, electronic health information systems provide real-time, fast, and effective services between patients and healthcare organizations. To cut down the burden of the terminal smart device, the patient outsources his/her e-health records to cloud service provider. Terminal devices or cloud servers are not completely trusted by data owners or patients. Security and privacy for electronic health data is very important because the electronic health data is directly associated with a particular patient, which plays an important role in medical server and treatment.

Fog computing which works between cloud computing and terminal devices can solve the bottleneck problem of data storage and data transmission in a certain extent [1, 2]. It can provide many services such as outsourced computing, network routing, and data storage. As shown from Figure 1, terminal equipment can communicate with fog device which can be attached to cloud service. With the rapid development of mobile internet, as shown from Figure 2 we can see that people are becoming more and more dependent on cloud service platform. The number of intelligent terminal device in the network is increasing greatly. It will not only occupy a large number of network bandwidth but also increase the burden of cloud server or data center and network latency. Data acquisition and data transmission are greatly affected. Therefore, in the cloud computing or fog computing environment, how to design an efficient and secure access control scheme still faces a challenge [3, 4]. Compared to the traditional data access control scheme, the system model and the network structure in the fog computing environment are different. Fog device can provide users with computing, transmission, and storage services, so the cost of communication and computation is less for users. Therefore, the new access control scheme should be considered in IOT environment for users.

Attribute-based encryption (ABE) can be widely used in fine-grained access strategy for data storage in cloud environment [57]. The computation cost for ABE is large, and the computation cost linearly increases with the number of attributes in access control structure. Therefore, ABE is not suitable for the mobile terminals with limited power resources. Literature [8] first proposed the attribute-based encryption in multiauthority scheme. In literature [9], a distributed authorization scheme was proposed for wireless sensor nodes, but the authors did not consider the power resources of the sensor nodes. Outsourced computing can reduce the computing cost in the encryption and decryption phase [1012]. Single authorized institution has problems of security risks and scale expansion. Literature [13], a fast encryption scheme for multiauthority scheme was proposed.

An attribute-based encryption scheme is proposed for multiuser environment based on personal health records system in literature [14]. Compared with previous similar works, this scheme had higher computing performance and security. Liu et al. [15] addressed an effective attribute-based signature scheme with fine-grained access control strategy in cloud data center for personal health records. Hu et al. [16] designed a fuzzy attribute-based signature strategy for wireless body area networks (WBAN). It can protect patients’ privacy and support emergency personnel to access encrypted information. This scheme has strong practical value. To solve the privacy of the patients, Zhang et al. [17] proposed a secure smart health system. In this system, data owner can securely share data to resistance the leakage attacks. Rao et al. [18] also proposed a ciphertext policy attribute-based signcryption mechanism for personal health management system. This mechanism can simultaneously achieve confidentiality, privacy protection, public verifiability and fine-grained access control.

In ABE mechanism, the length of ciphertext or the number of bilinear pairs grows with the number of attributes. To deal with this problem, ABE schemes which had constant ciphertext length were addressed in literature [1921]. In order to guarantee the privacy and security of medical health data, Wang et al. [22] proposed an efficient pairing-based fair remote retrieval scheme for outsourced private medical health data. In order to protect the content of e-health records for medical information records, some authors [23] proposed the idea of multiauthority content-based encryption mechanism to ensure the privacy of the patients. The article [24] gave a comprehensive overview of health data between searchable encryption and outsourcing computing services. To ensure the privacy of patients, access control policies IOT-based were proposed [25, 26]. Fan et al. [27] proposed a multiauthority mechanism in fog computing and cloud data center. Data owners and users can encrypt and decrypt data with only a small amount of computation. The authorized institutions in this scheme are independent of each other, and there is no information interaction among them. Based on literature [9, 27], we propose a distributed fine-grained access control scheme with outsourced computation in fog computing for electronic health records. Gope et al. [28] proposed a new secure communication architecture for fog computing. The authors introduced an extended concept of fog computing. Edge device and fog device were regarded as extensive fog computing layer. Moreover, the scheme in literature [28] can reduce the communication cost. The proposed scheme in literature [28] is suitable for resource-limited IOT device because they use lightweight cryptographic operations, such as one-way hash function and xor operations.

The proposed scheme is similar to the work of Ruj et al. [9]. However, our scheme is different from that of Ruj et al. in the following aspects. Firstly, Outsourcing encryption and outsourcing decryption strategies are not used in literature [9]. Secondly, distributed access control was used for wireless sensor network in literature [9], but they did not consider the computing ability of the sensor node, and our distributed authority is used in fog computing in this work. The main intention of our encryption scheme is to reduce to computational burden and guarantee the data confidentiality and security.

The remaining section of this work is organized as follows. Section 2 provides the related cryptology backgrounds of this work. Section 3 describes construction of our proposed scheme. Section 4 gives the analysis of security and performance for the proposed scheme. Finally, Section 5 concludes this work.

2. Cryptographic Backgrounds

In this part, some cryptographic backgrounds used in this paper are listed as follows.

2.1. Bilinear Maps

Let and be two cyclic groups of prime order . Let be a generator of . A bilinear map with the following property.

(1) Bilinearity. and ; we have .

(2) Nondegeneracy. , such that .

(3) Computability. ; there is an efficient algorithm to calculate .

2.2. Key-Policy Attribute-Based Encryption

Key-policy ABE (KP-ABE) was proposed by Goyal et al. in literature [29]. In this subsection, we reviewed the KP-ABE scheme. KP-ABE scheme mainly consists of the following four algorithms.

(1) Setup . This algorithm outputs the public key and the system master secret key . The security parameter is used as input parameter

(2) Encryption. The message , public key , and the set of attributes are used as input parameters. This algorithm outputs the ciphertext .

(3) Key Generation. The access control structure, master secret key, and public key are used as input parameters. This algorithm outputs the secret key if the set of attributes matches the access control structure.

(4) Decryption. The private key and ciphertext are used as input parameters. This algorithm outputs the message if the set of attributes matches the access control structure .

3. System Model and Access Control Construction

In this part, system model and security model of the proposed scheme are described in detail.

3.1. System Model

The system model of our proposed scheme consists of six entities: data owner, data center, fog device, distribute authority (DA), data user, and authority center (AC), as shown in Figure 3.

The system model of our proposed scheme consists of six entities: data owner (patient), data center, fog device, distribute authority (DA), data user, and authority center (AC), as shown in Figure 3.

(1) Data Owner. In Figure 3 data owner is also called patient in our scheme. The data owner can use the mobile terminal to communicate with the fog device and outsources the message to the fog device. Power resources and computing ability of the mobile device is limited, but it has enough storage space. All data owned by data owner can be stored in the data center.

(2) Data Center. Data center provides data access control services, which is honest and curious. That is to say, data center is semitrusted. It can store huge amounts of data and has powerful computing power and electricity. It belongs to centralized cloud computing.

(3) Fog Device. It is responsible for data transmission and temporary storage. It is also responsible for the encryption and decryption data. The fog device encrypts the data partially and then sends the ciphertext to data center. The fog device can decrypt the data partially and send it to the legitimate users. Fog device is semitrusted. It provides data storage, data processing, and other network services between mobile device and traditional cloud data center.

(4) Distribute Authority. The distribute authority is fully trusted. It can independently manage each type of attribute. The distribute authority jointly generates the private key for legitimate users. In addition, a single authority cannot extract the user’s private key. Each distributed authorization center has fixed attributes.

(5) Data User . The data user is equipped with smart device which is attached to fog devices. It can obtain its private key from DA. If the access structure of data user satisfies attribute sets of the ciphertext, fog device can partially decrypts ciphertext with the conversion key. Once receiving the partially decryption ciphertext from the fog device, the data user can obtain symmetric key with its secret key, and then it can decrypt the ciphertext using symmetric key.

(6) Authority Center. It is responsible for publishing the identity of each distributed authorization center and each user. Authority center assigns access control structures for each user.

3.2. System Definition

Eight algorithms in the proposed scheme are described as follows.

(1) System Setup . System setup algorithm is performed by authority center (AC). The symbol represents the set of attributes. The parameter is used as input parameter. This algorithm has three outputs. They are the identity and attribute owned by each distributed authority (DA), the identity of each fog device.

(2) Authority Setup . Authority setup algorithm is performed by each DA. The symbols represent each distributed authority, security parameter, and attributes which are owned by each distributed authority , respectively. The identity and attribute of each distributed authority and security parameter are used as input parameters. This algorithm outputs the system global parameter . In this paper, the attributes which are owned by each distributed authority satisfy the following equations:

(3) Keygen-FD . Keygen-FD algorithm is run by fog device (FD). The symbol represents the identity of FD. It is used as input parameter. This algorithm outputs public key and secret key for FD.

(4) Encrypt-Owner . Encrypt-owner algorithm is run by data owner (DO). Message and symmetric key are used as input parameters. This algorithm outputs symmetrically encrypted ciphertext .

(5) Encrypt-Out . Encrypt-Out algorithm is performed by FD. The symbol represents attributes of DO. The public parameter , symmetrically encrypted ciphertext and are used as input parameters. This algorithm outputs the final ciphertext .

(6) Keygen-User . Keygen-User algorithm is performed by each DA. The public parameter and access control structure of the data user are used as input parameters. This algorithm outputs the private key for data user.

(7) Decrypt-Out . Decrypt-Out algorithm is run by FD. The final ciphertext is used as input parameter . This algorithm outputs the symmetrically encrypted ciphertext .

(8) Decrypt-User . Decrypt-User algorithm is run by data user. The symmetrically encrypted ciphertext is used as input parameter. This algorithm outputs the message .

3.3. Access Control Construction

In this section, the access control construction of this paper is given. Compared to literature [9], the main difference is that the distributed outsourcing encryption and decryption are used for electronic health record environment in fog computing. In order to make this work more complete, detailed description of the proposed scheme is given as follows.

3.3.1. System Setup

(1) AC Initialization. Authority center distributes identity information for each entity, and it chooses a hash function.In this work, the hash function is denoted by

(2) DA Initialization. (1) DA executes the corresponding algorithm and outputs the global parameter .

(2) In this work, the set of DA is denoted by . Each distribute authority randomly chooses a number and computes . The result of calculation is sent to all distribute authorities. The following information can be obtained by each distribute authority. (3) For any two distribute authorities , they can share the data with each other, but any other distribute authority cannot obtain the number . For all distribute authorities, the following symmetric matrix can be obtained. The data element of the main diagonal in symmetric matrix is .

(4) Each randomly chooses a number and computes , The message is broadcast to others. For a user , and can compute the following message.The and share the same number , so they can obtain for a user .

(5) The picks for each attribute owned by device , a random number , and calculates . The symbol denotes the set of attributes that possesses. The private key of fog device is .

The public parameters of the whole system are .

In the above initialization (1)-(5), the fog device randomly selects four parameters .

3.3.2. Key Generation

The private key of the user (the receiver of the data or decipher of the data) can be calculated by as follows:

(1) Each randomly chooses a number . When is equal to , is zero. For all devices, the following two matrices can be determined.

where (2) randomly selects a degree polynomial according to the access control structure owned by user. when is equal to 0 we can obtain the following equation.

The value of is related to access control structure of the data user. can be calculated in the following way:where denotes all the attributes owned by the user (see Figures 4, 5, and 6).

(3) Each calculates the secret key and sends it to the user . (4) According to (1)-(3), the following expression can be obtained by the mutual cooperation of .

3.3.3. The Generation of Public and Private Key for Fog Device

Fog device randomly chooses a number . The public key and private key can be calculated in the following way.Before the user sends the information, the user requests the attributes registration in the fog device. After the successful registration, the user randomly chooses a number and computes .

3.3.4. Master Key Encryption and Message Encryption

The task to be completed at this stage is that the data sender (data owner) sends the ciphertext to fog device based on its owned attributes, public parameters, and message. The fog device encrypts the data based on KP-ABE.

(1) Data owner randomly selects a number . The message is encrypted using the symmetric key by data owner.

(2) Data owner sends the symmetric encrypted ciphertext to fog device. The symbol denotes the symmetric encrypted ciphertext. Fog device can reencrypt the data and obtain the following ciphertext.

3.3.5. Decryption

Authorized data user whose access control structure satisfies the attribute requirement in ciphertext can decrypt ciphertext.

The data user requests for data access to data center. If the data user is an authorized user, he/she can obtain ciphertext from data center. The authorized user can decrypt the ciphertext using secret key in traditional decryption scheme. The decryption process requires a lot of computational energy consumption. The computing power of users is limited, so authorized users can request outsourcing decryption. In our scheme, fog device can solve this problem. Fog device can obtain corresponding ciphertext from data center. The fog device can partially encrypt the ciphertext using conversion key of data user. The detailed process is as follows.

(1) The data user randomly chooses a numerical value . The conversion key is sent to fog device by data user. For each attribute , FD can compute as follows.(2) If the number of attributes is , FD can compute according to Lagrange interpolation theorem [30].

(1) Compute

(2) Compute

FD can obtain .FD can compute the partially ciphertext and send it to the user .

(3) The symmetrical private key is computed by the data user . Finally, the data user decrypts using .

In order to understand our proposed scheme clearly, we depict in detail the workflow of our solution in Figure 7. The workflow of our solution is outlined as follows.

(1) The authorization center is responsible for assigning identity information for data owner, fog device, data user, and distributed authority. It also distributes attribute set to each distributed authority.

(2) Distributed authorities work with each other. They produce the public parameters of the system.

(3) Data owner registers the owned attributes in fog device. The registration of attributes is prepared for the partial outsourced encryption.

(4) Data owner encrypts the original information by symmetric scheme. To guarantee the security of symmetric keydata owner can blind the symmetric key and then send the message to corresponding fog device.

(5) Fog device encrypts the message which is sent by data owner.

(6) DA sends the secret key to data user according to access control structure of the data user.

(7) If authorized user requests data access, she/he can decrypt the ciphertext in traditional scheme.

(8) Because computing power of the user is limited, the data center sends the ciphertext to the corresponding fog device.

(9) Data user sends the conversion key to fog device. Fog device can partly decrypt the ciphertext.

(10) Fog device sends the partly encrypted ciphertext to the user. Users can use less computation cost to obtain symmetrical secret key and obtain the original message.

4. Security Analysis and Performance Analysis

In this section, the security and performance analysis of our scheme are given.

4.1. Security Analysis

Each user has the unique identity information in the proposed scheme. The private key is issued by different DAs. In single authorized institution if the authority has been captured, the whole system will be paralyzed, and the private key will be leaked. Assume that there have been authorized institutions in our scheme. Our proposed scheme is secure unless authorized institutions have been captured. Moreover, the users do not collude to obtain the original message.

Theorem 1. Our distributed authorization scheme can ensure the correctness and privacy.

Proof. In literature [31], the range of private keys is the finite field . Assume that are distinct nonzero values. All parties can know the values. In order to share the secret value , values from are randomly chosen. These randomly numbers and the secrets can make up a randomly polynomial function . The share of participant is . The proof idea of correctness and privacy originates from literature [32]. For distinct numbers , they denote distinct parties and numbers denote the share of participant. There has been a unique polynomial of degree , such that for each
(1) Correctness. There have been points in set for the polynomial function . The polynomial function can be reconstructed according to Lagrange’s interpolation. We can compute According to reconfiguration strategy, function is calculated as follows.When knowing the polynomial function, the parties in set can reconstruct the secret value as follows.(2) Privacy. Any unauthorized set with parties has points for the polynomial function. According to possible share value , a polynomial function with the degree can be restructured. According to the interpolation theorem, for set and any , there has been a unique polynomial function with the degree . That is to say, and . We can compute the following probability distribution.The above distribution probability is the same for all. The probability of their consistency can be negligible. The privacy of the private key can be followed. Theorem 1 is established no matter in single authority or the distributed authority.

4.2. Performance Analysis

We analyze the performance of our scheme in this part and compare to literature [7, 9, 29]. In this work, we only list the computation cost of the data user and data owner for encryption and decryption phase. A lot of calculation is done by fog device. The computation cost accomplished by fog device is not listed.

To computer computation cost, we define the following notations. To improve the reading, the symbols and their explanations should be given in Table 1. The symbol denotes the number of the attribute that the sender possesses. The symbols , , and denote the computing time of a bilinear pair, computing time of one scalar multiplication in , and the computing time of exponentiation in , respectively. The symbol denotes the computing time of general hash function. The symbol denotes the computing time of symmetric encryption operation. The value of is related to access control structure of data user. The implementation environment for related operations is a mobile device with 2GB RAM, 16GB ROM, Android 4.4 operating system, 2.45G processor, and battery capacity 2800mA [33]. Computation cost for encryption and decryption are listed in Tables 2 and 3. The implementation results [33, 34] of the main operations are listed in Table 4.

Figures 8 and 9 show the comparison of encryption cost and decryption cost, respectively. When the value equals 1 or 2, the encryption cost of our scheme is worse than that in scheme [2, 9]. The encryption cost of our scheme is better than that in scheme [7, 9]. Decryption cost is related to two parameters, so our scheme only compared to scheme [9] in Figure 9. As shown from Figures 8 and 9, the computation consumption for encryption operation and decryption operation in the proposed scheme is constant. In our scheme, computation cost of the data user and data owner is independent of the number of attributes. The main reason is that many computation operations are executed by fog device. The computation consumption linearly increases with the number of attributes in literature [7, 9, 29]. Our scheme is more suitable for mobile terminal users with limited computing power and limited power consumption.

5. Conclusions

In this work, a distributed access control with outsourced encryption and decryption for electronic health records is introduced. The most computational cost of attribute-based encryption is performed by fog device. Our solution reduces computational effort of the sender and receiver. Our scheme can achieve fine-grained access control and guarantee the confidentiality of the message. The proposed scheme is more suitable for mobile terminal users with limited computing power and limited power consumption, such as smart phone and wireless sensor node. The analysis shows that our proposed scheme is safe and effective based on current computing technology. Our scheme is a practical and novel solution. It can also be extended to other application environments. When message is stored in data center, the proposed solution is necessary.

Data Availability

The data used in this study is available from references [33, 34].

Conflicts of Interest

The authors declare no conflict of interest.


The work is supported by Supporting Fund for Teachers’ Research of Jining Medical University (No. JY2017KJ053 and No. JY2017KJ055), NSFC cultivation project of Jining Medical University (JYP2018KJ14), doctoral research fund of Jining Medical University (No. 600589002), National Natural Science Foundation of China (No. 61872192), Natural Science Foundation of Jiangsu Province (No. BK20181394), Qing Lan Project of Jiangsu Province, 1311 Talent Plan Foundation of NUPT, and Opening Project of Shaanxi Key Laboratory of Information Communication Network and Security (No. ICNS201806).