Research Article  Open Access
Secure Information Sharing System for Online Patient Networks
Abstract
Recently, privacy emerged as a hot issue again, as the General Data Protection Regulation (GDPR) of EU has become enforceable since May 25, 2018. This paper deals with the problem of health information sharing on a website securely and with preserving privacy. In the context of patient networks (such as ‘PatientsLikeMe’ or ‘CureTogether’), we propose the model Secure Information Sharing System (SISS) with the main method of group key cryptosystem. SISS addresses important problems of group key systems. (1) The new developed equations for encryption and decryption can eliminate the rekeying and redistribution process for every membershipchange of the group, keeping the security requirements. (2) The new 3D Stereoscopic Image Mobile Security Technology with AR (augmented reality) solves the problem of conspiracy by group members. (3) SISS uses the reversed oneway hash chain to guarantee forward secrecy and backward accessibility (security requirements for information sharing in a group). We conduct a security analysis of SISS according to group information sharing secrecy and an experiment on its performance. Consequently, although current IT paradigm is changing to be more and more ‘complicated’, ‘overlapped’, and ‘virtualized’, SISS makes it possible to securely share sensitive information from collaborative work.
1. Introduction
Patients around the world want to connect to people who are suffering from the same symptoms and try to find the best treatments. These days, there are some online patient websites for health information sharing such as “PatientsLikeMe”[1] or “CureTogether”[2], where patients talk about their symptoms and successful (or failed) experiences. Researchers can also discover new and better solutions based on the patientcontributed data.
1.1. Problem Identification
The problem is that these kinds of health data may be sensitive and private information. Therefore, patients want the sensitive health data to be protected and managed with safety, and the data to be revealed to only limited persons. That is, the individuals' right to privacy and control over the circulation of their information [3]. In particular, privacy emerged as a hot issue again, as the General Data Protection Regulation (GDPR) of EU has become enforceable since May 25, 2018.
One of the substantial ways to share patients’ information and to protect privacy is a group key management system. However, a group key system has some peculiar characteristics; the group key should be updated whenever members leave or join the group. This is called rekeying and redistribution. These processes need a complicated and high level of security. Another feature that differentiates an information sharing system from other general group key management systems is that leaving members cannot access the group’s information anymore, but joining members can access all the previous group’s information to get more information for better treatment. Moreover, current members may conspire with leaving members or other people by revealing their group key [4].
In this paper, the proposed model SISS (Secure Information Sharing System) addresses the above problems in the context of online patient networks such as PatientsLikeMe or CureTogether. The main methods are group key management system, including the newly developed encryption/decryption algorithm and reversed hash key chain, and 3D Stereoscopic Image Mobile Security Technology (augmented reality technique). Namely, that is the secure version for the websites which can make people with the same symptoms share their health information safely and securely.
1.2. Main Goals
The SISS’s principle to manage users’ information with safety is that general information should be presented in plaintexts but sensitive information should be managed in ciphertexts. The solution for sharing ciphertexts with users is group key management system. The following is the main goals of SISS’s group key system.
There Should Be No Processes of Rekeying and Redistribution. Whenever membershipchanges (users leaving or joining groups) happen in the general group key system, the system should generate a new group key and distribute the new key to all members very quickly. This process needs more complicated and secure level of techniques, so ‘rekeying and redistribution’ falls under the hard problem in group key systems. To solve this problem, we develop new equations of the encryption and decryption with the group key. Therefore, SISS has no process of rekeying and redistribution for membershipchanges. To the best of my knowledge, this is the first trial to eliminate the process of rekeying and redistribution keeping the security of the group key.
SISS Guarantees Forward Secrecy and Backward Accessibility. The representative security requirements for general group key systems are forward secrecy and backward secrecy. However, the security requirements of SISS to share information with group members are forward secrecy and backward accessibility, not backward secrecy. The reversed hash chain can guarantee the security properties of SISS.
SISS is CollusionResistant with New Technology. In every group member system, one of the important security problems is the potential for conspiracy between users and illegal members. As a solution, SISS proposes a new concept of 3D Stereoscopic Image Mobile Security Technology using VR/AR technique.
1.3. Methods and Contributions
The main methods and contributions are listed in detail as follows:
The group key system for encryption and decryption: Only valid users can share the secret information with their group keys and pseudonyms. Others (invalid users) cannot know the contents and ownership for the information: ‘what about’ and ‘whose information’.
SISS addresses the security problem with reversed hash chain and 3D Stereoscopic Image Mobile Security Technology. And, the newly developed encryption and decryption algorithms are used for efficiency. It is because the information sharing has been and will be highly increased in the networked collaborative computing environments.
(2.1) Equations for Encryption and Decryption: SISS has no need for rekeying and redistribution for membershipchanges. The principle of group key generation for each member is that a fixed master group key is assigned to each group, and random numbers for each user and every session are newly generated by applying random numbers to hash function respectfully, reversedly, and repeatedly s times. Thereafter, each random number and the master group key are combined according to the developed equation algorithm. Then, a total of five subgroup keys are generated as each member’s group session key for every session. Hence, every member has completely different group keys for each session and each member because of generating different random number each time. However, one of the most important things is that the results after calculation of all other group keys for the developed equation (for encryption and decryption) are the same as the result of master group key for encryption and decryption, which makes it possible for SISS not to have rekeying and redistribution processes whenever there are membershipchanges.
(2.2) 3D Stereoscopic Image Mobile Security Technology: It is a new concept of a security solution using VR/AR techniques against conspiracy. The combination of human’s facial expressions and gestures which are identified at the registration time of a legitimate group member (LGM) should be rendered as a 3D image in the login process to authenticate a legitimate user. Consequently, the rendering of users’ own facial expressions and gestures can prohibit conspiracy between users and invalid persons.
(2.3) Reversed Hash Chain: SISS should guarantee forward secrecy and backward accessibility, along with group key secrecy [5], which are security requirements in group information sharing system. In SISS, every member’s group key is generated based on reversed oneway hash chain. Due to oneway properties of reversed hash function[6], a leaving member cannot know the next group key (forward secrecy) but a joining member can know all the previous keys and information (backward accessibility). Therefore, SISS is suitable for secret collaborative work and sensitive information sharing among group members.
(2.4) All Different Random Numbers for Each Member and Each Session: In SISS system, every member’s group session key looks like private key because their group key has completely different values with different random numbers for each member. Nevertheless, the key plays a role of a group key, with which every group member can share their sensitive health information with other members in a group.
Stronger authentication for login: The proposed model uses LGM (legitimate group member) for stronger authentication. Moreover, the authentication processes are mutual, so that the proposed model is secure against spoofing or masquerading attack.
Scalability to other group project systems and mobile phone applicability: SISS is scalable to other group project systems on websites. Although application scenario is about patient networks on the web, SISS is extendable to other secure group projects. Furthermore, it is applicable to even LGM of mobile phones, because the next smartphone will feature a frontfacing 3D laser scanner for facial recognition, which was the expectation of upcoming iPhone 8 in early 2018 [7] (but Apple released it without 3D laser scanner in late 2017).
Privacy preserving system: SISS can meet the privacy requirements: pseudonymity (partial anonymity), unlinkability, and unobservability.
Blinding: In every flow, SISS uses newly generated random numbers. This masking method does not allow an attacker to know or to guess real contents correctly.
2. Related Works and Application
2.1. Related Works
In this section, we introduce our main solution’s research area of group key.
Many researchers have worked on group key in various views such as group key agreement, exchange, revocation, and multicast/broadcast. However, this paper only focuses on the group key application for sharing information among multiple users. In particular, SISS has a little different property from the general group key in that the security requirement of SISS is not backward secrecy (a joining member cannot know all the previous keys and information) but backward accessibility (a joining member can know all the previous keys and information). It is caused by the different application’s goal from other group key systems, which can enable current group members to share all their information securely. That is the reason why SISS is related to the research area of keyword search schemes for multiuser setting.
At first, we address the researches about ‘multiuser setting’. In [8], Park et. al firstly proposed privacy preserving keywordbased retrieval protocols for dynamic groups (multiuser setting) based on reversed hash key chain. In multiuser setting environments like companies and municipal offices, a server contains heterogeneous documents accessible by different groups or persons. A leaving member from a group should not have access to any documents of the group anymore, that is, forward secrecy. Because a newly joining member should perform the tasks of the group to which he belongs, all documents accessible to the group must be still available and he should be able to obtain all the group keys, that is, backward accessibility. They accomplished both security properties with reversed hash key chain. Thereafter, they made the formal definition for ‘backward accessibility’ firstly in [5], where they proposed two practical group search schemes in the respect of efficiency in cloud datacenter. As for the researches not based on reversed hash key chain, Wang et. al. [9] analyzed Park et. al’s scheme[8] on various views including security and efficiency. They achieved backward accessibility for multiple users with public key and Pallier’s cryptosystem instead of reversed hash key chain. The next year, Wang et. al proposed another scheme of keyword fieldfree conjunctive keyword searches on encrypted data in the dynamic group setting [10]. In [11], Li et al. suggested a new effective fuzzy keyword search in a multiuser system over encrypted cloud data. This system supports differential searching and privileges based on the techniques attributebased encryption and Edit Distance.
In respect of keyupdating and redistribution, there have been also many researches until now, because group key’s rekeying and redistribution to all group members are complicated and hard tasks. Generally, this research area is divided into four categories: a centralized distribution scheme, a distributed key agreement scheme, a hybrid group key management scheme, and a selfhealing group key distribution scheme (SGKD). The significant point of centralized key distribution schemes [12–20] is that a centralized key management center as a trusted party generates, updates, and distributes the group keys to all members. As to distributed key agreement schemes [21–28], all group members participate in generation, rekeying, and redistribution of their group keys. Hybrid group key management schemes [29–32] are about the best use of both schemes: a centralized distribution scheme and a distributed key agreement scheme. Lastly, a selfhealing group key distribution scheme (SGKD) is for wireless networks including sensor networks [33–50]. In this paper, we focus on SGKD schemes because SISS’s application includes both networks of wired and wireless and SISS has more relations with SGKD schemes than other schemes.
The main point of selfhealing schemes is that group members can recover the missing session keys without retransmission of the missing messages from the GM (group manager). A SGKD scheme is largely divided into four categories again: polynomial based SGKD (PSGKD) schemes [33–37], vector space secret sharing based SGKD schemes [38–41], bilinear pairings based SGKD schemes [42, 43], and exponential arithmetic based SGKD (ESGKD) schemes [44–51]. PSGKD and vector space secret sharing based SGKD schemes are generally known as “not efficient”. A polynomial secret sharing scheme is the most common technique, where two types of polynomials are constructed: the revocation polynomial and the access polynomial. In [44], Rams et al. pointed out that almost all of the polynomial based SGKD schemes can be converted to ESGKD schemes. PSGKD schemes can be divided into two types based on using Lagrange Interpolation or not. In [33, 45–47] ESGKD schemes are constructed from PSGKD schemes with Lagrange Interpolation. The other PSGKD schemes without Lagrange Interpolation can be classified into two types again based on using hash chains or not. Scheme 3 in [48] and Scheme 2 in [49] are ESGKD schemes transformed from revocation polynomial based PSGKD schemes without hash chains. In [50], Gou et. al first proposed ESGKD scheme with high efficiency and backward secrecy by combining dual chains: a traditional hash chain and a key chain.
2.2. Entities and Application Scenario
SISS has three parties: users, SM (security manager), and SISS server. SM (security manager) is a kind of a client, which is granted a special role of a security manager. SM is assumed as a TTP (trusted third party) and it is located in front of the SISS server. SM controls group key and keyrelated information, all sensitive information, and all other events with powerful computational and storage abilities. Figure 1 shows the system configuration of SISS.
The main participants of SISS are group members who want to get help through information sharing. The information scope is health conditions and patient profile. Mostly, the health information could be shared but some secret personal data in patient profile should be revealed to the allowed people only.
With the mobile devices or PC, Secure Information Sharing System (SISS) is constructed for online website patients with any disease all over the world. The needs are as follows: Many patients want to get in such kind of patient networks and to be helped more easily and securely. Each member uploads his/her conditions or information to his/her personal ciphertext pages (for sensitive data) or plaintext pages (for public data).
One more important thing is that the augmented reality (AR) technique of 3D image rendering is applied to external devices. The rendered image is selected from the contentslist consisting of the randomly repeated and rearranged human’s facial expressions and gestures. As the first process, every user should register at SM; thereafter they should get through the authentication processes every session and then they start some actions. When some sensitive information is shared with other patients (it means that the ciphertext pages are generated), we know the page is encrypted by the group’s encryption key. Only the legitimate users (who registered at SM and kept the information given by SM at their devices for authentication) can pass authentication processes and know the sharing information. In the last step of the authentication, 3dimensional image is rendered. This image can be called a legitimate group member.
3. Preliminaries
3.1. Notations
The notations for SISS are explained in Table 1.

3.2. Algorithms for SISS Model
A SISS model consists of the following eight algorithms.(1): Parameter Generation algorithm takes as an input a security parameter k and produces a system parameter .(2): Taking as input, Key Generation algorithm produces group session random numbers set RH, group member keys set K, and member pseudonym keys set P.(3): Taking , , , as input, Information Generation and Storage algorithm produces LGM (legitimate group member) and other information for authentication.(4)): Given RH, K, P, Query algorithm produces Query Value .(5). Given , Verification algorithm verifies , and Query algorithm produces Query Value .(6): Given , Verification algorithm verifies .(7): This algorithm encrypts and uploads message M.(8): This algorithm downloads and decrypts message M.
3.3. Security Building Blocks and Model
Definition 1 (oneway hash chain). It is generated by selecting the last value at random and applying it to oneway hash function h repeatedly. The initially chosen value is the last value of the key chain. Following are two properties of oneway hash chain.
Property 2. Anybody can deduce the earlier value belonging to the oneway key chain with the later value by checking which equals with the later value .
Property 3. Given the latest released value of oneway key chain, an adversary cannot find a later value such that equals . Even when value is released, the second preimage collision resistant property prevents an adversary from finding different from such that equals [6].
Remark. We call property 1 of oneway hash key chain ‘backward accessibility’ and property 2 ‘forward security’.
Definition 4 (PRF (pseudorandom function) ). We say that ‘ is secure pseudorandom function’ if every oracle algorithm making at most oracle queries and with running time at most has advantage . The advantage is defined as where represents a random function selected uniformly from the set of all maps from to , and where the probabilities are taken over the choice of and [51].
Definition 5 (PRG (pseudorandom generator) ). We say that ‘ is a secure pseudorandom generator’ if every algorithm with running time at most has advantage . The advantage is defined as , where , are random variables distributed uniformly on , [51].
Definition 6 (DDH (decisional DiffieHellman) ). Let be a group of prime order and a generator of . The DDH problem is to distinguish between triplets of the form and , where are random elements of .
Definition 7 (collusion resistance). The leaving member colluding with the members in the after sessions cannot recover even knowing and [50], where is a group G at th session.
Definition 8 (security game ICRIS). (Indistinguishability of Ciphertexts from Random Bit Strings in Information Sharing)
Setup. The challenger C creates a ciphertext set B of pages and gives this to the adversary . chooses a polynomial number of subsets from B. This collection of subsets is called ; runs algorithm and encrypts each subset running algorithm . Finally, sends A all ciphertexts with their associated subsets.
Queries. may request the encryption of any B and any verification .
Challenge. chooses a and its subsets such that none of the algorithms given in the step Queries distinguishes from . The challenger C chooses a random bit b and gives to . again asks for encrypted pages and their verifications with the restriction that may not ask for the algorithm that distinguishes from . The total number of ciphertexts and verifications is in k.
Response. outputs . If , is successful. In security game ICRIS, adversary’s advantage is defined as .
3.4. Legitimate Group Member (LGM)
Every user (member) registers at SM with the contentslist which is the combination set for gestures and facial expressions of the user. All the gestures and facial expressions are randomly repeated and rearranged in the contentslist. Then, the user keeps the contentslist in their device for later authentication. is put as the stereoscopic image information for the gesture and facial expression of the member i of group t at the jth session. Every session, SM selects one of the combinations of gestures and facial expressions from the contentslist and challenges the member of the group. Then, the member renders his own gesture and facial expression for .
4. Construction of SISS Model
In this section, SISS is constructed by using the eight algorithms described before. This SISS model is divided largely into four processes: system setting, registration, authentication for login, and action. The whole process is shown in Table 2 and the details are addressed in Section 4.1.

4.1. System Setting
4.1.1. Construction
The basis of security system SISS is established.(i)Input; k: a security parameter.(ii)Output;: system parameters’ set.
is a pseudorandom function and is a oneway hash function. is a pseudorandom generator. G is a group of order q which is a large prime. is a generator of a group G, n is the total members of group G, j is the session number, and i is each member of group G. E and D are encryption and decryption function.
4.2. Registration
The registration process consists of two algorithms: , .
4.2.1. Construction
Key materials are generated.(i)Input; .(ii)Output;, , .
(1) Group Session Random Numbers RH: Reversed OneWay Hash Chain. It is assumed that the total number of sessions is s. For every member i, each different random number is generated for the last session. Here, each is applied to oneway hash function times repeatedly to generate all sessions’ random numbers and, respectively, for each user as follows.Therefore, the first session’s random number of member i is and the tth session’s random number of member i is .
With these different random numbers, we can make all different group keys for each member and each session, respectively.
Oneway hash function plays the important role in group information sharing. OneWay hash chain is generated by randomly selecting the last value, which is repeatedly applied to oneway hash function . The initially selected value is the last value of the hash chain. Oneway hash chain has two properties as mentioned in Definition 1 in Section 3. Therefore, the two properties make it possible that a leaving member cannot compute new keys after leaving the group and any newly joining member can obtain all previous keys and information through applying the current key to hash function repeatedly.
(2) Group Keys Set K. It is assumed that there are ‘n’ members of the group ‘G’, and the group session keys for each member i of group G are . Here, j is a session number and s is the last session. The each member i’s group key consists of totally five subkeys; . SM selects the master group key of group G and generates a random number to blind the master key in five subkeys, which is the way to construct a group member’s session key and, therefore, the last session group key of user i.
The generation principle of group keys is that every different random number for each member and each session ( random numbers) is combined to the master group key . Table 3 shows the random numbers and group keys for each member and each session which belong to the group G. The group G is one of the groups .

(3) Group Members’ Pseudonym Keys Set P: Reversed OneWay Hash Chain. For stronger security and privacy, SISS uses each member’s pseudonyms, which are generated with the reversed oneway hash chain in the same way as group session keys. Thus, each member has also s pseudonyms which are denoted as (for each member i, ).
4.2.2. Construction
The values to be used for authentication are generated and saved.(i)Input; : system parameters’ set.(ii)Output; , , , , , , , .
At the registration process, every user is given some information from SM and stores them in one’s own device such as in smartphone or PC: , , , , , . SM also stores some information for each member i: , , , , , .
As such, the output of is the values created by the SM and each user during the registration process, which means the values are stored in advance for later use in the authentication process.
Additional Explanation for Encryption (E) and Decryption (D) with Group Keys. Here, means ciphertext C with group members’ group key ‘’ for a message M. The encryption with the master key is assumed .
For simplicity, we put as , and as . Then, the encryption with each member’s group key , for example, in the last session (i.e., , ) is as follows:The decryption method with the group master key ‘’ is . Then, the decryption method with each member’s group key in the last session is as follows:We can check whether the result of encryption/decryption with the master group key ‘’ is the same as anything of each member’s group key = . Because of the properties of this developed encryption and decryption algorithms, SISS has no need for rekeying processes whenever membershipchanges happen.
4.3. Login by Authentication
The login process consists of four algorithms: , , , and .
4.3.1. Construction
A member i makes loginrequest to SM with the stored information.(i)Input; .(ii)Output; (1st querying value of a user).
(1) Compute: ; with the stored value , a member i computes .
(2) A member i queries SM with :Here, is also the stored value at registration time. Because is the member i’s group key in the first session, means Here, for simplicity, are denoted as the member i’s subkeys for its group key in the first session. are also the subkeys (for decryption) of .
4.3.2. Construction
The SM verifies the loginrequest of member i and sends the next session information, the group key and the pseudorandom number, to member i.(i)Input; .(ii)Output; (2nd querying value of SM).
(1) Find:
SM checks and finds the corresponding values from its storage.
(2) SM decrypts with .
(3) Compute and Verify: , .
For the found value , SM applies to hash function repeatedly, up to times. If he obtains the result , then SM computes ;Then, SM verifies or not.
(4) Compute and Verify with : .
Here, is the stored value at the registration time and the encryption method is the same as the above 1.
(5) Compute:
SM applies to hash function times and then computes ;
(6) Compute and Query with :
= , where is also the stored value.
4.3.3. Construction
A member i verifies the received information from SM, then stores it for the next session, and renders the stereoscopic image on his page.(i)Input; .(ii)Output; (rendering of ).
(1) Decrypt: i decrypts with the value .
(2) Compute and Verify: , .
With the decrypted values , the group member i computes and verifies if this is the same as . Then, i hashes the value and verifies . If the verifications are successful, and become and .
(3) Decrypt with : .
(4) Render and Upload: at a page.
4.3.4. Construction
SM verifies what the member i has rendered.(i)Input; .(ii)Output; 1 or 0.
(1) Verify: (3D facial expression and gesture).
In this process, a legitimate group member authentication is processed by rendering the decrypted with the member’s external device. If SM’s verification is successful (return message: 1), the member i can begin to act (login allowed). The action means uploading, downloading, and reading (decryption).
4.4. Action
The Action Process consists of two algorithms: , .
4.4.1. Construction
A member i encrypts and uploads the sharing information.(i)Input; M.(ii)Output; .
(1) Encrypt and Upload M by a member i.
4.4.2. Construction
Another member u downloads and decrypts the sharing information.(i)Input; .(ii)Output; M.
(1) Download: .
Another member u downloads from SISS bulletin (server).
(2) Decrypt : = = .
[The Second Session]. From the second session, most processes are similar to the first session. As the session is changed, the corresponding pseudonym keys and group session keys are also changed. As for the stereoscopic image information S for 3D real model, a member sends the information kept from the first session to SM, and then SM challenges the member with the newly selected information at (6) of the algorithm . Lastly, the member renders 3D real model at his page. Action stage is also similar to the first session.
5. Security Analysis
The security requirements related to group key are as follows:
(1) Group Key Secrecy: It should be computationally impossible that a passive adversary discovers any secret group key.
(2) Forward Secrecy: Any passive adversary with a subset of old group keys cannot discover any subsequent (later) group key.
(3) Backward Secrecy: Any passive adversary with a subset of subsequent group keys cannot discover any preceding (earlier) group key.
(4) Key Independence: Any passive adversary with any subset of group keys cannot discover any other group key [4].
In this paper, the term negligible function refers to a function such that for any , there exists , such that for all [5].
The model SISS satisfies group information sharing secrecy as follows: (1) forward secrecy, (2) backward accessibility, (3) group key secrecy, and (4) collusion resistance.
Theorem 1 (forward secrecy). For any group, an adversary A (including a participant ) cannot know valid group key for (j+l)th authentication when the adversary A knows group key , where , , .
Proof. By Property 3 of Definition 1, if the latest released group key is , no one can know a later value such that . Therefore, the probability that a participant can generate valid group keys for the next lth session is negligible, where (). It means that all leaving group members cannot access any of the next documents of the group anymore.
Theorem 2 (backward accessibility). For any group , an adversary A (including a participant ) can generate valid group key for (jl)th authentication when the adversary A knows group key , where (). Namely, all joining members to a group can access all of the previous information of the group.
Proof. By Property 2 of Definition 1, if the latest released group key is , anyone can deduce earlier values () by applying the later value to oneway hash key chain like this: . Therefore, the probability that a participant can generate valid group keys for the earlier lth session is , where (). Namely, all members joining a group can access all of the previous information of the group.
Theorem 3 (group key secrecy). For any group , when a revelation of group key happens, the probability that an adversary A (including a participant ) can guess correctly the encrypted information message M of group at the session is negligible.
Corollary 4. SISS is semantic secure according to the security game ICR IS, if DDH is hard and the key material is chosen as described in the algorithm construction.
The cryptographic elements for authentication and whole protocol are PRF (pseudorandom function, e.g., 128 bitAES), PRG (pseudorandom generator, e.g., middlesquare method, NaorReingold pseudorandom function, etc.), and hash function (HAS160), generally known as secure cryptographic function. Through the cooperative processes of these elements, the final encryption is . Hence, we have only to show the security under the condition of ‘DDH is hard’.
Proof (it is proved by contraposition) . A is assumed as an adversary that wins the security game ICRIS with advantage . We construct an adversary , which uses A as a subroutine and breaks the DDH with nonnegligible advantage.
(i) Setup. Algorithm creates m message pages and gives this to the adversary A.
A chooses a polynomial number of subsets from messages set M. This collection of subsets is called . A sends them to again. invokes algorithm . After creating all ciphertext pages for , gives them and their associated subsets to A.
Here, let be a DiffieHellman triplet; the challenge is to determine . guesses a value for the page that A will choose in the game ICRIS, by picking uniformly at random in . simulates the algorithm on as follows. maps every ciphertext page to a random value . For B= =