Abstract

The application of cloud storage system has been deployed widely in recent years. A lot of electronic medical records (EMRs) are collected and uploaded to the cloud for scalable sharing among the authority users. It is necessary to guarantee the confidentiality of EMRs and the privacy of EMR owners. To achieve this target, we summarize a series of attack behaviors in the cloud storage system and present the security model against many types of unexpected privacy leakage. Privacy of unassailed EMRs is guaranteed in this model, and the influence of privacy leakage is controlled in a certain scope. We also propose a role-based access control scheme to achieve flexible access control on these private EMRs. One can access medical records only if his/her role satisfies the defined access policy, which implies a fine-grained access control. Theoretical and experimental analyses show the efficiency of our scheme in terms of computation and communication.

1. Introduction

Cloud communication has been envisioned as one of the most influential technologies in the medical field. Without being measured face-to-face, medical staff could give guidance to patients in real time, which greatly improves the healthcare quality. For instance, a patient with a history of heart disease can deploy a medical sensor at home for the purpose of health monitoring. His health data are uploaded to a cloud server and used by remote hospitals. The doctors on duty could download his EMR and prepare the patient for treatment if needed. This method brings convenience for both patients and hospitals. However, once a patient’s data are uploaded to the cloud storage system, the patient loses physical control over the data and the cloud provider can obtain access to them. Privacy threats experienced by users of Google Inc., Apple Inc., and Amazon Inc. [1] clearly indicate that the cloud is intrinsically insecure from the users’ point of view [2]. Most users would like to keep their personal information confidential from outsiders, let alone those patients whose EMRs include a lot of sensitive information. Data confidentiality is one of the important security concerns in the cloud storage system.

A common solution for data confidentiality is to encrypt them using public key encryption [3] before transmitting to the cloud system. We first generate two cryptographic keys: one is public and the other is secret. The public key is distributed by the data owner who is responsible for encryption. The secret key is private and assigned to each recipient in duty for decryption, such as the medical staff who is responsible for a patient.

While public key encryption ensures data confidentiality commendably, we admit that no matter what measures we take, unexpected privacy leakage sometimes happens. There are mainly three potential leakage risks in a typical cloud storage system: vulnerable medical devices, a semitrusted cloud server, and the association among EMRs themselves. In the first type of risk, the data collected by medical devices are first handled in a local but relatively open place (such as a ward or an ambulance) and then uploaded to the cloud. The data are easily accessible to unauthorized persons in an emergency. In the second type of risk, since the cloud provider is a semitrusted organization, it honestly follows the rules but does everything possible to spy on the stored files. Patients’ information might be leaked by internal staff of the cloud provider. The third type of risk is due to the internal association among the EMRs of a patient and his family, i.e., a father’s heart attack record may reflect a similar heart disease of his son. Leaking one record might allow unassailed ones to be inferred. Besides the above three potential risks, we also need to consider that there are many malicious adversaries who keep trying to gain access to the cloud storage system, i.e., the communication among the devices (such as body sensors), the cloud and the EMR recipients. There are lots of ways to do this [4]. One way is to break the random-number generator (RNG) [5] and thus obtain the randomness used for encryption. Another way is to break into the cloud part. For instance, Albrecht and Paterson [6] introduced a powerful attack in which an adversary runs malicious JavaScript in a targeted browser and completely recovers HTTP session cookies or user credentials such as passwords.

All these unexpected events might leave parts of the database corrupted and data exposed. The cloud storage system should be resilient in the case of a security breach. In other words, once a privacy leakage happens, its effect should be controllable, so that the confidentiality of the “unleaked” information is guaranteed. Therefore, controllability of privacy leakage is another important security concern in the cloud storage system.

Furthermore, we need to consider that the cloud storage system is usually associated with a multiparty communication environment, as Figure 1 describes. The health data are scalably shared among authorized users. From the recipients’ point of view, the access control manner needs to be flexible enough to deal with the changes of users’ roles and permissions [7].

1.1. Our Contributions

Based on the aforementioned security concerns in the cloud storage system, we propose a leakage-controllable scheme to achieve data confidentiality with a flexible access manner. Since our scheme is based on a multiuser access policy, it closely matches the real-world scenario of many users in a hierarchical organization. Specific techniques are highlighted as follows.

Privacy Leakage Controllability. As unexpected privacy leakage always happens in various forms, we propose new security models, called role-based access control against unexpected leakage (RBAC-UL), to capture further leakage on the remaining “unleaked” EMRs. RBAC-UL security is achieved if confidentiality of unassailed EMRs is still guaranteed.

Flexible Access Control. We offer an efficient approach to support fine-grained access control for a hierarchical healthcare organization. A user can comprehend an EMR only if his identity satisfies the associated access policy.

Scalable Data Sharing. It is achieved by letting higher-level medical staff delegate access privileges to their subordinates.

Constant Size Ciphertext. Our scheme achieves a constant size of encapsulated EMR no matter how many users satisfy the defined access policy.

Rigorous Security Analysis. To ensure that our proposal is qualified enough for the series of security concerns, we present rigorous security analysis. The analysis shows that our proposal achieves a high privacy-preserving capacity, where data confidentiality, leakage controllability, and access control flexibility can be achieved simultaneously in the cloud storage system.

Privacy-preserving access control in the cloud storage system has received more and more attention recently. Cryptography and authentication methods are utilized in the cloud network to offer secure healthcare services via wireless communications [8]. For the security of EMRs, encryption is an efficient and cost-saving choice to guarantee patients’ privacy. A lot of prominent schemes have been proposed to achieve this target. Schemes applying identity-based encryption (IBE) [9, 10] present efficient solutions for the body sensor network. When fine-grained sharing of encrypted data is considered, attribute-based encryption (ABE) [11, 12] is promising. This is because ABE provides differential access privileges for a set of users such as healthcare providers and allows flexibility in designating the access privileges of individual users over the encrypted data [13]. An immediate attribute modification method is used to achieve fine-grained user revocation and the security of outsourced e-health records [14]. The searchable ABE scheme is a promising technique that can ensure the protection of patients’ private information without compromising on performance [15]. When ABE schemes are applied in medical systems, they provide security and flexibility as users access the outsourced EMRs. Besides, a role-based access control framework [16, 17] is proposed by using hierarchical identity-based broadcast encryption (HIBBE) [18] without ABE, which ensures the security, scalability, and flexibility of the outsourced EMRs. A secure role-based cloud storage system for encrypted patient-centric health records is achieved in commercial healthcare systems [19]. An auditing revocable privacy-preserving access control scheme for e-health records shows the efficiency of RBAC in terms of communication and computation [20]. An enhanced medical data security scheme in the cloud using RBAC provides security for the data over an alien environment [21].

Although the aforementioned schemes are devoted to securing the outsourced EMRs, they are unable to deal with the situation of unexpected privacy leakage, let alone to minimize its effect. In a cloud storage system, the leakage threats mainly include secret credential leakage [22, 23], encapsulation-related randomness leakage [24, 25], leakage of internal files, accounts or other records, etc. The target of our paper is to minimize the impact of leakage in the event that these unexpected issues happen. We notice that a lot of schemes have been put forward theoretically against these unexpected leakages, including public-key encryption [26–28] and identity-based encryption schemes [29–31]. They are different from our RBAC-UL mechanism. The former mainly guarantee the confidentiality of the remaining “unleaked” records, while ours not only ensures the confidentiality of “unleaked” data, but also achieves scalable sharing and flexible access control of all the outsourced EMRs.

3. Preliminaries

This section provides some mathematical basis for our proposal. The notations that are used in our scheme are given in Table 1. For ease of description, some of them are borrowed from [16, 17].

3.1. Bilinear Groups

Let be a group generation algorithm that takes a security parameter λ as input and outputs the description of a bilinear group . In our case, outputs where are distinct prime factors, and are cyclic groups of order , and is an efficient bilinear map satisfying two properties: (i) bilinearity: for all and all , ; (ii) nondegeneracy: there exists at least one generator in such that generates . We, respectively, denote the subgroups of order in by , and . We use to denote the subgroup of order in . These four subgroups additionally satisfy the orthogonality property, i.e., and for , . This orthogonality property will be a principal tool in our constructions. Composite-order bilinear groups were first introduced in [32].

3.2. Theoretical Assumptions

Our security analysis is based on the following mathematical assumptions.

Assumption 1. Given a group generator , we define the following distribution:

Assumption 1 determines whether a given element T is randomly chosen from G or from , namely, or . The advantage of an algorithm that outputs a bit in breaking Assumption 1 is defined as

Definition 1. satisfies Assumption 1 if is a negligible function for any PPT algorithm .

Assumption 2. Given a group generator , we define the following distribution:

Assumption 2 determines whether a given element is or . The advantage of an algorithm that outputs in breaking Assumption 2 is defined as

Definition 2. satisfies Assumption 2 if is a negligible function for any PPT algorithm .

Assumption 3. Given a group generator , we define the following distribution:

Assumption 3 determines whether a given element is or . The advantage of an algorithm that outputs in breaking Assumption 3 is defined as

Definition 3. satisfies Assumption 3 if is a negligible function for any PPT algorithm .

Assumption 4. Given a group generator , we define the following distribution:

Assumption 4 determines whether a given element is or . The advantage of an algorithm that outputs in breaking Assumption 4 is defined as

Definition 4. satisfies Assumption 4 if is a negligible function for any PPT algorithm .

Assumption 5. Given a group generator , we define the following distribution:

Assumption 5 determines whether a given element is or . The advantage of an algorithm that outputs in breaking Assumption 5 is defined as

Definition 5. satisfies Assumption 5 if is a negligible function for any PPT algorithm .

4. System Model

In Figure 1, we describe a typical medical cloud storage system. It is a multiuser setting environment consisting of four entities: an EMR owner, a cloud server, an EMR recipient, and a trusted key authority (TKA).

The EMR owner is usually a patient who is monitored by different types of medical sensors. His/her medical records are sent via wireless networks. Each record is encrypted and associated with its own access policy and then stored on the cloud server for sharing with the entitled medical staff.

The cloud provides a large number of servers for many organizations. It is honest but curious, i.e., it obeys rules of the cloud system, but could do everything possible to spy on the stored EMRs.

The EMR recipients consist of groups of medical staff who are entitled to read the patients’ EMRs and provide services for them. The medical staff are semitrusted. If they are authorized, they do not reveal any information. Otherwise, they might be potential adversaries. Staff at a higher level are responsible for managing lower-level ones, which yields a tree-like organization. For example, the role of a nurse, consisting of the ordered atom roles “department psychiatry, chief doctor, head nurse, nurse,” is administrated by the head nurse whose role is “department psychiatry, chief doctor, head nurse.” The head nurse is administrated by the chief doctor, and so on. We group the chief doctor, the head nurse, and the nurse in one access policy, where all of them are responsible for a certain patient. The patient is identified by his name or identity information. Each member of the medical staff can encapsulate the patient’s EMR, but only one whose role satisfies the corresponding access policy can decapsulate it.

The TKA is responsible for generating and distributing system parameters.

A role-based access control scheme consists of the following algorithms:

: the setup algorithm is run by TKA. It takes as inputs a security parameter λ and a maximal size n of users. It outputs a master key and a public key .

: the secret credential generation algorithm of medical staff takes as inputs a public key , a master key , and a role for a medical staff. It outputs a secret credential for the medical staff with role .

: the secret credential delegation algorithm of medical staff takes as inputs a public key , a secret credential for a medical staff with role , and an atom role R. It returns the secret credential for the medical staff with role . The medical staff with role is the supervisor of the one with role .

: the EMR encapsulation algorithm takes as inputs a public key , an access policy P, and an EMR file . It outputs an encapsulated EMR file .

: the EMR decapsulation algorithm takes as inputs a public key , a medical staff’s role R, an encapsulated EMR , and a secret credential for the medical staff with role . It outputs an EMR file .

5. Security Requirements

In practice, all entities except TKA are likely to attack the cloud storage system. A dishonest party may try to get useful information from encapsulated EMRs that it is not authorized to access, or to derive such information from leaked EMRs. In the context of such attacks, our scheme is expected to meet the following security requirements.

(i) Data privacy: EMRs need to be obfuscated before being uploaded and securely stored on cloud servers, until an authorized user downloads and deobfuscates them.

(ii) Leakage controllability: when a privacy leakage happens unavoidably, it must be possible to minimize the leakage effect, which means the privacy of nonleaked EMRs should be guaranteed.

5.1. The Adversary Model for RBAC-UL

The adversary model for RBAC-UL aims to satisfy the requirement of leakage controllability. Since the contents of EMRs may be internally related, partial leakage might expose information on other EMRs. Therefore, it is necessary to clarify what it means for the unleaked EMRs to remain confidential. In the RBAC-UL model, we assume two roles: an adversary and a simulator. The adversary’s goal is to collect as much information about the unleaked EMRs as possible from what it is given, i.e., the corrupted EMRs, the encapsulated EMRs, and the randomness used for encapsulation. The simulator acts like a normal person with neutral character: he gets the same input as the adversary when a leakage happens, and he has the ability to corrupt the EMR owners to learn their EMRs. Apart from that, the simulator cannot get any further information. We claim that if no adversary can obtain more information from the unleaked EMRs than the simulator, then the security of the remaining EMRs is guaranteed.

We formally define the adversary model for RBAC-UL, which is inspired by the work [29]. In the model, the corrupted EMR is encapsulated under a target access policy set containing all the medical staff who are allowed to decapsulate. The adversary is allowed to do the following: (a) it can obtain secret credentials associated with roles , which implies the adversary can collude with any medical staff whose roles do not satisfy the target access policy; (b) it can obtain all the targeted encapsulated EMRs, ; (c) it can corrupt any encapsulated EMRs from at random and then obtain their files together with the randomness used for encapsulation , which implies that the adversary has the ability to corrupt the EMR owners.

We use two security games for further illustration. The first one is played between an adversary and a challenger . It describes what an adversary could obtain in the real world. The second one is played between a simulator and a challenger . It describes what a simulator could obtain in an ideal experiment.

The real game of RBAC-UL:

Setup: the challenger runs Setup to obtain the system parameter and gives to the adversary .

Query Phase 1: issues a secret credential query for a medical staff associated with role . The challenger generates a secret credential for and returns it to .

Challenge: outputs a set of EMRs, on which it wishes to challenge, together with a set of access policies including all the broadcast groups that it wishes to attack. In our case, a broadcast group represents a group of medical staff who are eligible to read a certain kind of EMR. For example, the medical staff in the access policy group are authorized to fetch , but have no authority for other EMRs. Each access policy should satisfy that for all the secret credential queries issued in Query Phase 1, there is . randomly chooses for each , where and , and computes . Finally, the challenger returns the encapsulated EMRs to .

Corrupt: the adversary outputs a set to on which wishes to corrupt. corrupts the corresponding EMRs to get and returns them to the adversary.

Query Phase 2: issues a secret credential query for the medical staff with role such that . The challenger responds the same as in Query Phase 1.

Output: the adversary outputs a bit .

The simulated game of RBAC-UL:

Setup: the simulator gets the system parameters from the challenger .

Challenge: outputs a set of EMRs, on which it wishes to challenge, together with a set of access policies including all the broadcast groups that it wishes to attack. The challenger gets these inputs, but gives no feedback to the simulator .

Corrupt: outputs a set to . The challenger picks the corresponding and returns them to the simulator.

Output: the simulator outputs a bit .

We claim that if for every PPT adversary there exists a PPT simulator who can generate an indistinguishable output without seeing any encapsulated EMR and randomness, then the scheme achieves RBAC-UL security.

Definition 6. The advantage of a RBAC-UL adversary against a RBAC scheme with a simulator is defined as follows:

Definition 7 (RBAC-UL Security). Given an RBAC scheme, if no PPT distinguisher can distinguish the output from and , namely,

where ϵ is a negligible function in the security parameter, then we claim that the scheme achieves RBAC-UL security.

5.2. The Adversary Model for RBAC-IND

The adversary model for RBAC-Indistinguishability (RBAC-IND) aims to satisfy the requirement of data privacy. The indistinguishability can be illustrated as follows: a recipient (the medical staff who are eligible to access one EMR) generates a credential pair; a sender (EMR owner) encapsulates one out of two EMRs and sends it to the adversary; the RBAC-IND adversary tries to find out which one it was. Here, importantly, the adversary has the authority to issue secret credential queries. If the adversary cannot distinguish an encapsulation of the challenge EMR from an encapsulation of a random message, we claim that our system achieves RBAC-IND security.

The RBAC-IND model is defined by a security game played between a challenger and an adversary . We apply the full security notion [33, 34] to the RBAC-IND model. That means the adversary can adaptively output the access policy that it wishes to attack during the system interaction.

The security game : let be a role-based access control scheme.

Setup: the challenger runs the setup algorithm to obtain a public key and gives it to the adversary .

Query Phase 1: issues a secret credential query for the medical staff with role . The challenger generates a secret credential for and gives it to the adversary.

Challenge: the adversary outputs two equal-length EMR files, and , on which it wishes to challenge. also outputs a challenge access policy . The access policy should satisfy that for all the secret credential queries for issued in Query Phase 1, . The challenger flips a random coin and encapsulates under the challenge access policy . Then, it returns the encapsulated EMR to .

Query Phase 2: issues a credential query for the medical staff with role such that . The challenger responds the same as in Query Phase 1.

Guess: the adversary guesses . It outputs 1 if and 0 otherwise. We say succeeds if .
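The role hierarchy of Section 4 (delegation appends an atom role; a supervisor's role is a prefix of a subordinate's) and the query-phase restriction of this game (no queried role may be a prefix of a challenge policy member) are modelled below as an added example; it is not code from the paper. The cryptography is left out entirely; the only assumptions are that a role is an ordered tuple of atom roles, that the Setup parameter n bounds the role length, and that a role satisfies an access policy exactly when it is a prefix of (or equal to) some policy member, which is the reading the prefix restriction in the games implies.

```python
from dataclasses import dataclass

# A role is an ordered tuple of atom roles, e.g.
# ("department psychiatry", "chief doctor", "head nurse", "nurse").
Role = tuple[str, ...]


def is_prefix(shorter: Role, longer: Role) -> bool:
    """True when `shorter` is a prefix of `longer`; a role is a prefix of itself."""
    return len(shorter) <= len(longer) and longer[: len(shorter)] == shorter


@dataclass(frozen=True)
class Credential:
    """Stand-in for a secret credential: only the role it is bound to is modelled."""
    role: Role


class RoleHierarchy:
    """Models the role logic of Setup, SCGen, SCDeleg and the role check of EMRDec."""

    def __init__(self, max_depth: int) -> None:
        # Assumption: the Setup parameter n bounds the number of atom roles per role.
        self.max_depth = max_depth

    def sc_gen(self, role: Role) -> Credential:
        """TKA issues a credential for a (typically top-level) role."""
        if not 0 < len(role) <= self.max_depth:
            raise ValueError("role length out of range")
        return Credential(role)

    def sc_deleg(self, supervisor: Credential, atom: str) -> Credential:
        """A supervisor derives a credential for the role (supervisor.role, atom)."""
        new_role = supervisor.role + (atom,)
        if len(new_role) > self.max_depth:
            raise ValueError("hierarchy depth exceeded")
        return Credential(new_role)

    @staticmethod
    def supervises(supervisor: Role, subordinate: Role) -> bool:
        """The supervisor's role is a strict prefix of the subordinate's role."""
        return supervisor != subordinate and is_prefix(supervisor, subordinate)


def satisfies(role: Role, policy: frozenset) -> bool:
    """Assumption: a role satisfies policy P when it is a prefix of some member of P."""
    return any(is_prefix(role, member) for member in policy)


def can_decapsulate(cred: Credential, policy: frozenset) -> bool:
    """Role check performed by EMRDec (the pairing computation is not modelled)."""
    return satisfies(cred.role, policy)


def challenge_policy_allowed(queried_roles: list, policy: frozenset) -> bool:
    """Query-phase restriction of the security game: no queried role may be a
    prefix of a policy member, otherwise the adversary decapsulates trivially."""
    return not any(is_prefix(q, m) for q in queried_roles for m in policy)


# Constructed sample hierarchy built from the roles named in Section 4.
PSY_CHIEF = ("department psychiatry", "chief doctor")
PSY_HEAD_NURSE = PSY_CHIEF + ("head nurse",)
PSY_NURSE = PSY_HEAD_NURSE + ("nurse",)
CARD_NURSE = ("department cardiology", "chief doctor", "head nurse", "nurse")


def demo() -> dict:
    """Walk through issuance, delegation, decapsulation rights and the game check."""
    h = RoleHierarchy(max_depth=4)
    chief = h.sc_gen(PSY_CHIEF)                    # issued by TKA
    head_nurse = h.sc_deleg(chief, "head nurse")   # delegated by the chief doctor
    nurse = h.sc_deleg(head_nurse, "nurse")        # delegated by the head nurse
    policy = frozenset({PSY_CHIEF, PSY_HEAD_NURSE, PSY_NURSE})
    return {
        "nurse_ok": can_decapsulate(nurse, policy),
        "head_nurse_ok": can_decapsulate(head_nurse, policy),
        "other_dept_denied": not can_decapsulate(Credential(CARD_NURSE), policy),
        # A queried chief-doctor role is a prefix of every policy member, so the
        # challenger must reject this challenge policy in the security game.
        "challenge_rejected": not challenge_policy_allowed([PSY_CHIEF], policy),
        "challenge_accepted": challenge_policy_allowed([CARD_NURSE], policy),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```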

Definition 8. Given an RBAC scheme , we define the probability advantage for an RBAC-IND adversary of winning the security game to be

Definition 9 (RBAC-IND security). Given an RBAC scheme , if for each polynomial-time RBAC-IND adversary, its advantage is a negligible function in security parameter λ, then the scheme achieves RBAC-IND security.

6. Proposed Solution

Our technical solution leverages hierarchical identity-based encryption (HIBE) [35] and extends it to a multireceiver scenario. In HIBE, an encryptor can only encrypt a single path, which implies either repetitive encryption or constrained access policy for multiple receivers. Our role-based access control solution supports fine-grained access by encapsulating EMRs to any subset of hierarchically organized users, which is based on HIBBE. Furthermore, it resists many types of unexpected leakage, so that the leakage effect can be controlled in a certain scope. The following subsections show how we achieve this target. In Section 6.1, we construct a one-bit RBAC scheme with one-sided public leakage (1SPL) functionality. 1SPL means there exists a public procedure that given the one-bit encapsulation message of “1” can compute the randomness r under which the encapsulation applied to “1” would generate . is used to denote the encapsulation message of “1.” The idea comes from the notion of one-side public openability [36]. In Section 6.2, we provide security analysis for the proposed one-bit RBAC scheme with 1SPL. In Section 6.4, we provide a reduction showing that if a one-bit RBAC scheme with 1SPL functionality is secure, the normal multibit scheme with RBAC-UL model is secure. Our solution achieves data privacy, leakage controllability, and flexible access control.

6.1. Construction of One-Bit RBAC Scheme with 1SPL

Setup. The system setup algorithm is run by TKA. It chooses a bilinear group G of order N, random elements from , random exponents , and computes , , , , , , , for . It outputs a public key and a master secret key .

SCGen. This is the secret credential generation algorithm. For the medical staff with role , we denote . When a medical staff at the top level joins a hospital organization, TKA generates a secret credential for him:

where .

SCDeleg. This is the secret credential delegation algorithm. A junior medical staff with role is authenticated by a supervisor with role . His supervisor delegates a secret credential for him:

where and . It can be computed as

The delegated credential is well formed, as if it were generated by TKA with the SCGen algorithm.

EMREnc. This is the EMR encapsulation algorithm. For an access policy P, we denote . When a single bit 0 of EMR data needs to be encapsulated under P, a medical staff chooses random and computes . When a single bit 1 needs to be encapsulated, a medical staff sets .

EMRDec. This is the EMR decapsulation algorithm. A medical staff with role satisfying an access policy P can use his secret credential to recover all one-bit messages of the EMR data. If , the medical staff returns bit 0. Otherwise, he returns bit 1.

Correctness. We need to verify that, on input a well-formed encapsulation of bit 0 together with a valid credential, holds.

Due to the orthogonality property, we get . Therefore, when is a well-formed EMR encapsulation, the decapsulation algorithm can correctly recover EMR with a valid credential .

6.2. Security Analysis of One-Bit RBAC Scheme

We prove the security by contradiction. Assume a PPT adversary can break the one-bit RBAC scheme in polynomial time. Then we solve a series of hard-to-solve problems based on subgroup decision assumptions, which are introduced in Section 3.2. Since no PPT algorithm could solve these problems, we reach a contradiction and conclude our proposed scheme is secure.

Theorem 1. Suppose is a group of composite order , equipped with an efficient bilinear map. Suppose that Assumptions 1–5 hold in . Then our one-bit RBAC scheme is secure under the formal security model.

We apply the dual system encapsulation technique [37] to the one-bit RBAC scheme, where the encapsulated message and the credential can each take one of two indistinguishable forms: normal form and semifunctional form. The correlation between them is shown in Table 2. “” means decapsulation is allowed and “” means decapsulation is not allowed. When all the EMR encapsulations and credentials are semifunctional, the adversary obtains no information about the challenge encapsulated EMR, since none of the given credentials is useful to decapsulate it.

In the next section, we show that no PPT algorithm can distinguish between and . All the components in the encapsulation of are random elements, so it does not leak any EMR information. The indistinguishability between those games proves Theorem 1.

Semifunctional ciphertext: a user runs EHRGen to construct a normal ciphertext . Then they pick random exponents and set , .

Semifunctional secret credential: TKA runs the algorithm SCGenM to generate a normal key . It chooses random exponents . The semifunctional key is set as , .

It is straightforward that the EHRDecM algorithm correctly outputs when decrypting a semifunctional ciphertext with a semifunctional key, since the added elements in can be cleared due to the orthogonality property. However, the blinding factor is multiplied by an additional term . If , decryption still works. In this case, we say the secret credential is nominally semifunctional. We prove Theorem 1 through the following games between an adversary and a challenger.

: this is the real game.

: this game is the same as except that all the secret credential queries are answered by the secret credential generation algorithm, not by the secret credential delegation algorithm.

: this game is the same as except that the adversary cannot ask for secret credentials for roles which are prefixes of the challenge roles modulo . Namely, it is not allowed that, for any queried role , with , . is the set of challenge access policies.

: this game is identical to except that the EMR encapsulation given to the adversary is semifunctional and the first k credentials are semifunctional () for bit 0. We notice that in , the EMR encapsulation and all credentials are semifunctional.

: this game is identical to except that the challenge EMR encapsulation is a semifunctional encapsulation of a random message in the subgroup of for bit 0, not one of the messages given by the adversary.

: this game is identical to except that replaces the challenge EMR encapsulation of 0 by a pair of random points in the full group .

6.3. Proof of Theorem 1

In this section, we use six lemmas to prove Theorem 1. Each lemma demonstrates the indistinguishability between the neighbouring games.

Lemma 1. For any PPT algorithm , it holds that:

Proof of Lemma 1. We note that the secret credentials are identically distributed whether they are generated by the credential generation algorithm or by the credential delegation algorithm. So, there is no difference between and from the adversary’s view.

Lemma 2. Suppose there exists a PPT algorithm such that . Then, we can build a polynomial-time algorithm with advantage in breaking Assumption 1.

Proof of Lemma 2. If there exists a PPT adversary that distinguishes and with probability , then by the definition of , knows that it issues a secret credential query for a medical staff with role distinct from the others, satisfying that with , . Then the factor of N can be extracted by computing , from which we design an algorithm breaking Assumption 1 as follows.

receives , and produces a nontrivial factor of N by computing . We want to use r to generate a point in , where denotes the unique subgroup of order . We set but so that can be used to test T with orthogonality. We enumerate the cases for r, , and the resulting k and Q in Table 3. As is the complementary set of r, it covers all the possibilities for the subgroups with different orders.

Due to the rule that but , we get from Table 3 at least one choice of k that allows us to use r or to construct a point in . then immediately decides T by orthogonality. For example, if r is , T is chosen from or . Also, we can get elements from , i.e., we select . Then learns whether T has a component or not by testing whether . If not, T has a component. From ’s point of view, the choice of i is independent, and has at least a chance to pick an i that works.

Compared with , the challenge encapsulation of a 0 bit is replaced with a semifunctional one in , meaning its components are multiplied by points in . As the adversary does not know the factor of , it cannot determine whether the components of the challenge encapsulation of a 0 are in or in . Hence, the adversary is not able to tell which form the given challenge encapsulation takes.

Lemma 3. Suppose there exists a PPT algorithm such that . We can build a polynomial-time algorithm with advantage in breaking Assumption 2.

Proof of Lemma 3. The input of algorithm is the challenge tuple of Assumption 2. has to decide whether T is in or in .

Setup: on inputs , picks random exponents from , and sets , , . It sends the public parameters to .

Query Phase 1: when the adversary issues a secret credential query for a medical staff with role , randomly chooses exponents where and sets

It has the same distribution as that of the normal secret credential.

Challenge: outputs two EMR files and and a challenge access policy . The challenge access policy must satisfy the property that no revealed role in Query Phase 1 was a prefix of its components. picks a random coin and gives the challenge EMR encapsulation as follows. We denote that .

(i) . lets and sets . If ’s challenge bit , . We write for random and get

This implicitly sets and . The challenge encapsulation is semifunctional, formed in . If ’s challenge bit , . We write for random , and get

This implicitly sets . The challenge EMR encapsulation is normal, formed in .

(ii) . sets .

Query Phase 2: Query Phase 1 is repeated adaptively except that .

Guess: the adversary outputs a guess that it is in or . The simulator guesses if decides it is in , and outputs if decides it is in . If has the advantage to distinguish and , can break Assumption 2 with advantage . and are two distinguishable games. The way to decide whether the kth queried credential is normal or semifunctional is to decide whether the credential components are in or in . This is computationally difficult without knowing the factor .

Lemma 4. Suppose there exists a PPT algorithm such that . Then, we can build a polynomial-time algorithm with advantage in breaking Assumption 3.

Proof of Lemma 4. The input of is the challenge tuple of Assumption 3. has to decide whether T is in or in .

Setup: receives . It picks random exponents from , and sets , and . It sends the public parameters to .

Query Phase 1: when requests the th credential for where , we consider three cases: , , and .
(i) When , creates a semifunctional credential by picking up random exponents from and setting Consider as for random , then This is a properly distributed semifunctional credential.
(ii) When , creates a normal credential by invoking the usual credential generation algorithm.
(iii) When , creates the kth credential. lets and sets If , for random , then It has the same distribution as the normal credential. If , we write for random , then It has the same distribution as the semifunctional credential.

Challenge: at some point, decides that it has obtained enough secret credentials; it outputs two EMR files EMR0 and EMR1 and a challenge access policy . This policy must satisfy that no revealed role in Query Phase 1 was a prefix of its components. picks up a random coin and gives the challenge EMR encapsulation as follows:
(i). picks up and sets . Consider as for random , and get This implicitly sets , and for .
(ii). The challenge encapsulation for is formed as the semifunctional form with . Since from , the role associated with the kth secret credential is not a prefix of the challenge receiver role modulo , the variables and are randomly distributed to the adversary . The relationship between and does not help to distinguish the two games.

Query Phase 2: Query Phase 1 is repeated except .

Guess: the adversary outputs a guess that it is in or . outputs if decides it is in , where all components in the kth secret credential by algorithm are in . Otherwise, outputs if decides it is in , where all components in the kth secret credential by algorithm are in . If has the advantage to distinguish and , can break Assumption 3 with advantage .

Lemma 5. Suppose there exists a PPT algorithm such that . Then we can build a polynomial-time algorithm with advantage in breaking Assumption 4.

Proof of Lemma 5. The input of algorithm is the challenge tuple of Assumption 4. Algorithm has to answer whether T is in or in .

Setup: first receives . It then picks random exponents from , and sets , . It sends these public parameters to .

Query Phase 1: when requests the secret credential for the medical staff with role , lets , randomly chooses exponents where , and sets Consider for random , and get This implicitly sets , , , , , and . The simulated key is distributed as the semifunctional credential.

Challenge: outputs two EMR files and , and a challenge access policy . This policy must satisfy that no revealed role in Query Phase 1 was a prefix of its components. picks a random coin and gives the challenge EMR encapsulation as follows. We denote that .
(i) randomly chooses and sets
(a) If ’s challenge bit is , then . Hence, the challenge ciphertexts and are random in as in .
(b) If ’s challenge bit is , then . We write for random and get
(c) This implicitly sets mod . The challenge encapsulation is formed as the semifunctional form in .
(ii). sets .

Query Phase 2: Query Phase 1 is repeated adaptively except .

Guess: the adversary outputs a guess that it is in or . The simulator guesses if decides it is in . Otherwise, outputs . If has an advantage to distinguish and , breaks Assumption 4 with advantage . Since all the credentials and EMR encapsulations are semifunctional in , cannot get any information about the challenge EMR encapsulation, because none of the given credentials is useful to decapsulate it. Hence, cannot find that the challenge EMR encapsulation has been replaced by a random component. This implies the indistinguishability between and .

Lemma 6. Suppose there exists a PPT algorithm such that . Then we construct a PPT algorithm with advantage in breaking Assumption 5.

Proof of Lemma 6. The input of is the challenge tuple of Assumption 5. has to answer whether T is in or in G.

Setup: first receives . It then picks up random exponents from , and sets , . It sends the public parameters to .

Query Phase 1: when requests a secret credential for a medical staff with role , lets , chooses exponents where , and sets We write for random and get This implicitly sets , , , , , and . The simulated credential is distributed as the semifunctional credential.

Challenge: outputs two EMR files and , and a challenge access policy . This policy must satisfy that no revealed role in Query Phase 1 was a prefix of its components. picks up a random exponent z and a random coin . It gives the challenge encapsulation: . If ’s challenge bit is , then . Hence, the challenge ciphertexts and are random components in as in . If ’s challenge bit is , then . Hence, the challenge ciphertexts and are random components in as in .

Query Phase 2: Query Phase 1 is repeated except .

Guess: the adversary outputs a guess whether it is in or in . The simulator guesses if decides it is in . Otherwise, outputs . If has the advantage to distinguish and , can break Assumption 5 with advantage . replaces the challenge encapsulation of 0 by a pair of random points in the full group. From the view of the adversary, it cannot tell whether the challenge EMR encapsulation has been replaced by a random component in the full group or in the subgroup. Hence, it implies the indistinguishability between and .

Proof of Theorem 1. If a group generator algorithm satisfies Assumption i with advantage , then Lemmas 0–5 show that there is no polynomial-time adversary to distinguish Gamereal and Gamefinal with advantage , which can be expanded as follows: All the components in are random elements in , and the messages are hidden from the adversary. Therefore, if the group with composite order satisfies Assumptions 1–5 with advantage respectively, then our one-bit RBAC is secure with advantage .

6.4. From One-Bit RBAC with 1SPL to Multibit RBAC-UL

We provide the security analysis for the RBAC-UL model. The key point is to reduce RBAC-UL security to that of a secure one-bit RBAC scheme with 1SPL functionality. We use a specific 1SPL algorithm “” which exposes randomness as if it had been chosen for bit 1, and fails with probability δ when it cannot find such randomness. In the security analysis, we assume that all the roles in the access policy set or its subset are ordered from high-level staff to lower-level staff.

Theorem 2. Let be a one-bit RBAC scheme, and be the -bit RBAC scheme built from it. Let k be the number of leaked EMRs and δ be the failing probability of . Suppose there exists an RBAC-UL adversary , RBAC-UL simulator , and RBAC adversary . If is secure with , then is secure with .

We prove it by a series of game transitions.
(i) : this is the real game.
(ii) : this game reselects the randomness for the “0” bit encapsulation at the Corrupt phase.
(iii) : this game runs algorithm for the “0” bit encapsulation at the Corrupt phase. If fails, it reselects the randomness as does.
(iv) : compared with , it does nothing if algorithm fails.
(v) : the first bits from the challenge EMRs are replaced by bit “0” and then encapsulated. The remaining bits are encapsulated normally. At the Corrupt phase, if it needs to open an encapsulation component to a “0” bit, it directly gives the randomness it used when creating the encapsulation. If it needs to open an encapsulation to a “1” bit, it runs to find the randomness.
(vi) : all the bits from the challenge EMRs are replaced by “0” and all the “0” bits are encapsulated.
(vii) : this game is run by the simulator .

In the next subsection, we show that no PPT algorithm can distinguish between and or between and . Then we demonstrate that, if any execution of fails with probability at most δ, no PPT algorithm has advantage to distinguish between and . Following that, if no adversary has the advantage to break the one-bit RBAC scheme, then no algorithm has the advantage to distinguish between and , so that no algorithm has the advantage to distinguish between and . From the above deductions, we get . We also show that the simulator runs identically to the , which means the is indistinguishable from the . Finally, we get , which is defined in Definition 6.

6.5. Proof of Theorem 2

Let be an RBAC-UL adversary against . We can construct a simulator that runs Setup to generate and . It runs to answer the following queries. (1) When outputs the set of EMRs on which it wishes to challenge, generates a set of EMR encapsulations, where each encapsulation is an encapsulation of the all-zero message, and returns them to . (2) When decides to corrupt some of these EMR encapsulations, the simulator queries its own Corrupt procedure, learns the EMRs it needs to corrupt, and opens them bit-by-bit. If it needs to open an encapsulation component to a 0, it directly gives the randomness it used when creating the encapsulation. Otherwise, when needs to open an encapsulation to a 1, it runs algorithm to find the randomness. (3) When issues a secret credential query, simply uses to answer correctly. In this way, the simulator can generate the same output as . We use and to describe the games that and run, respectively. Based on Definition 6, the target of Theorem 2 is to prove
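As an added example (not the paper's own code), the following Python models the simulator of steps (1)–(3) above and the bit-by-bit opening of corrupted EMRs. The one-bit primitive, the group parameters, the trapdoor-based opener and all names are constructed assumptions: the opener never fails, unlike the paper's public 1SPL algorithm with failure probability δ, and the scheme is not the paper's composite-order construction.

```python
"""Toy model of the RBAC-UL simulator of Section 6.5 (added example).

The simulator encapsulates all-zero EMRs, then "opens" each corrupted bit:
a 0 with the real randomness, a 1 with an opener that finds randomness
explaining the same encapsulation as a 1.  The one-bit primitive here is a
constructed stand-in (Pedersen-style equivocable bit encapsulation over a
small prime-order group), NOT the paper's composite-order scheme; its opener
uses a simulator trapdoor and never fails, unlike the paper's 1SPL opener.
"""
import secrets

# Constructed toy parameters: p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def setup():
    """Public key pk = (g, h = g^x) and the equivocation trapdoor x."""
    x = secrets.randbelow(Q - 1) + 1
    return {"g": G, "h": pow(G, x, P)}, x

def encap_bit(pk, bit, r):
    """One-bit encapsulation Enc(bit; r) = g^bit * h^r mod p."""
    return pow(pk["g"], bit, P) * pow(pk["h"], r, P) % P

def open_as_one(trapdoor, r0):
    """1SPL stand-in: randomness r1 with Enc(1; r1) == Enc(0; r0).
    g * h^r1 = h^r0 holds iff 1 + x*r1 = x*r0 (mod q), so r1 = r0 - x^{-1}."""
    return (r0 - pow(trapdoor, -1, Q)) % Q

def simulator_challenge(pk, num_emrs, bits_per_emr):
    """Step (1): every challenge EMR is encapsulated as the all-zero message,
    bit by bit, with fresh randomness stored for later opening."""
    rand = [[secrets.randbelow(Q) for _ in range(bits_per_emr)]
            for _ in range(num_emrs)]
    encs = [[encap_bit(pk, 0, r) for r in row] for row in rand]
    return encs, rand

def simulator_corrupt(trapdoor, rand, corrupt_set, real_emrs):
    """Step (2): open each corrupted EMR bit-by-bit to its real bits.
    A 0 bit gets the stored randomness; a 1 bit is opened with the opener."""
    return {i: [r if b == 0 else open_as_one(trapdoor, r)
                for b, r in zip(real_emrs[i], rand[i])]
            for i in corrupt_set}

def openings_consistent(pk, encs, opened, real_emrs):
    """Adversary-side check: re-encapsulating the real bits under the opened
    randomness must reproduce exactly the challenge encapsulations."""
    return all(encap_bit(pk, b, r) == c
               for i, rs in opened.items()
               for b, r, c in zip(real_emrs[i], rs, encs[i]))

def run_simulation(real_emrs, corrupt_set):
    """Full round: simulate the challenge, corrupt, and verify the openings."""
    pk, trapdoor = setup()
    encs, rand = simulator_challenge(pk, len(real_emrs), len(real_emrs[0]))
    opened = simulator_corrupt(trapdoor, rand, corrupt_set, real_emrs)
    return openings_consistent(pk, encs, opened, real_emrs)
```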

Lemma 7. For any PPT algorithm ,

Proof of Lemma 7. Since the randomness in and are uniformly and independently chosen from , they are identically distributed from the view of .

Lemma 8. For any PPT algorithm ,

Proof of Lemma 8. If does not fail, its output is identically distributed as that in from the view of ’s. If does fail, does the same operations as that in .

Lemma 9. Suppose that any execution of fails at most δ. For any PPT algorithm , the following holds:

Proof of Lemma 9. Since there are at most bits that have to be opened by algorithm in the Corrupt phase, the worst event is that all these bits fail to be opened and does not make any response to the failure. The probability of the worst event is .

Lemma 10. If a PPT adversary can break the one-bit RBAC-IND scheme with , then there exists a PPT algorithm so that

Proof of Lemma 10. Suppose is the event that in the execution of , the st bits sampled from the set of EMRs are 1. Let denote that is run in the condition that the event happens. is the complementary event for . Notice that in the event that the st bit sampled in is 0, the games and are identical, because ignores the actual bit and encapsulates it as a bit 0 based on its definition, and encapsulates the actual st bit, which is 0. Thus, . Next, we compute as follows (we use G to represent ): Since in the event both and are identical, the first item in the above formula is 0. It means that

Next, we consider the adversary against the one-bit RBAC scheme with 1SPL. runs while simulating its RBAC-IND environment as in either or . Note that Challenge is used to denote that the adversary runs the Challenge phase in the RBAC-IND experiment.

Setup: generates a public key by running the system setup algorithm, and it sends to .

Query Phase 1: issues a secret credential query for the medical staff associated with role . creates the secret credential by running the credential generation algorithm and returns the secret credential to .

Challenge: the adversary outputs a set of EMR files and a challenge access policy set to . Each challenge access policy in the set should satisfy that for all the secret credential queries for issued in Query Phase 1, . We note that each EMR file for consists of bits since we let be a -bit RBAC scheme. randomly chooses and . For each and , we consider three cases:
(i) When , is ignored and replaced by 0. randomly chooses , computes , and returns it to .
(ii) When , encrypts the st bit under two different conditions. If , runs the Challenge algorithm against the RBAC-IND scheme. Specifically, flips a random coin to decide whether it encapsulates 0 or 1 under the challenge access policy . Then returns the ciphertext to . If , is encapsulated normally. randomly chooses , executes and returns it to .
(iii) When , is encapsulated normally. randomly chooses , computes , and returns it to .

Corrupt: outputs a set and then learns . For each index and each , generates the randomness as follows:
(i) If , returns the actual randomness it used to generate .
(ii) If , runs algorithm to get randomness under which the EMREnc algorithm applied to 1 would produce , namely, Finally, returns to .

Query Phase 2: Query Phase 1 is repeated adaptively except that .

Output: when halts with out, halts and outputs

The adversary only runs Challenge in the event in the Challenge phase, such that all of its advantage comes from this case. It means that and . It is important to notice that in the event , if decides to encapsulate 1, it simulates its environment as in playing with . If decides to encapsulate 0, it simulates the environment as in . Therefore, the advantage of to distinguish and depends on the advantage of to distinguish whether the challenge EMR encapsulation is for 1 or 0. It is easy to see that Combined with equation (38), we get Furthermore, since we conclude

Lemma 11. For any PPT algorithm ,

Proof of Lemma 11. First, we compare two games and .

works as follows:

Setup: receives a public key from the challenger .

Query Phase 1: issues a secret credential query for the medical staff associated with role . The challenger creates the secret credential by running the credential generation algorithm and returns the secret credential to .

Challenge: the adversary outputs a set of EMR files and the challenge access policy set to the challenger . Each challenge access policy in the set should satisfy that for all the access credential queries for issued in Query Phase 1, . randomly chooses elements where . We denote . ignores the input EMRs and regards the components as all-0 messages. Then it encrypts each message as follows: returns the set of EMR encapsulations to .

Corrupt: outputs a set and then opens the corresponding ciphertexts to get . For each index and each , makes the randomness as follows:
(i) If , returns the actual randomness it used to generate .
(ii) If , runs to get the randomness used by EMREnc to compute when encrypting 1, namely, . Finally, returns to .

Query Phase 2: Query Phase 1 is repeated adaptively except that .

Output: when the adversary halts with out, halts and outputs

works as follows:

Setup: generates the public key by running the system setup algorithm and then sends the public key to .

Query Phase 1: requests the secret credential for the medical staff associated with role . creates the secret credential by running the credential generation algorithm and returns the secret credential to .

Challenge: outputs a set of EMRs and the challenge access policy set to . Each challenge access policy in the set should satisfy that for all the access credential queries for issued in Query Phase 1, . Note that each for consists of bits since we let be a -bit RBAC scheme. randomly chooses elements where . We denote . ignores the input EMRs and regards the components as all-0 messages. Then it encapsulates each message as . Finally, returns the EMR encapsulations to .

Corrupt: outputs a set and then learns . For each index and each , makes the randomness as follows:
(i) If , returns the actual randomness used to generate .
(ii) If , runs to get the randomness used by EMREnc to compute for the encapsulation of 1, namely, . Finally, returns to .

Query Phase 2: Query Phase 1 is repeated adaptively except that .

Output: when halts with output out, halts and outputs

queries its own Corrupt procedure on I and learns instead of getting them directly as in . From the view of the adversary , there is no difference in the corrupted EMRs and the sampled randomness. Therefore, runs identically with .

Proof of Theorem 2. From the above analysis, the simulator described in runs identically to . So we have . Combining all the above lemmas, we get According to Definition 6, we get , which proves Theorem 2.

7. Performance Analyses

7.1. Improve User Experience

To achieve a better user experience, we speed up credential generation and EMR encapsulation by applying online/offline cryptography [38]. The offline phase executes most of the heavy computation by assuming a set of random roles, while the online phase only performs light computation to produce the EMR encapsulation and the secret credential once the true roles are available. We denote the scheme with this efficiency improvement as “Ours&RBAC”.

7.2. Theoretical Analysis

Table 4 shows the efficiency of the proposed one-bit RBAC scheme. We denote as the time of one exponentiation, as the time of one multiplication, and as the time of one pairing operation. The maximal depth of the hierarchy for an access policy is . is the number of atom roles in a secret credential. In the procedures SCGen, SCDeleg, EMREnc, and EMRDec, exponentiations can be precomputed by choosing the random exponents in advance.

Table 5 compares several schemes from different perspectives. The properties of scalable sharing, flexible access, and leakage controllability, together with the efficiency improvement, bring our scheme closer to practice.

7.3. Performance Analysis

We conduct the experiment on an Intel Core i7 processor with 8 GB RAM and a 2.6 GHz CPU. We use elliptic curve type A1 for the Tate symmetric pairing. Both the group order of and the element size in are configured as 512 bits. The experiment is executed with the jPBC library. We test the single-operation execution times , , and for the prime-order bilinear group and the composite-order bilinear group, which are used in the related work and in our work, respectively. Table 6 shows the compared running times.

We also test the operational time for system setup, credential generation, delegation, EMR encapsulation, and decapsulation for our system, as Figure 2 illustrates. Figures 2(f) and 2(g) show the operational time when the user experience improvement is applied.

Figures 3(a) and 3(b) show the operational time for the compared related work, where prime-order bilinear groups are used. Its SC generation time and EHR encapsulation time show superior efficiency when compared with our work without the performance improvement. That is why we apply the performance improvement algorithm in our system, so as to ensure both efficiency and security. The Y-axis represents the operational time in milliseconds. The X-axis in Figures 2(b), 2(c), 2(f), and 3(a) is the number of related atom roles included in a role of medical staff. The X-axis in Figures 2(a), 2(d), 2(e), 2(g), and 3(b) is the number of atom roles in an access policy.

8. Conclusion

We consider a multiparty communication scenario in a medical cloud storage system. A lot of medical records are outsourced to the cloud and accessed by medical staff with hierarchical privileges. We summarize different adversarial behaviours and construct an RBAC-UL scheme against many kinds of leakage. Performance analyses show that our scheme has advantages in scalability, flexibility, and the controllability of privacy leakage.

Data Availability

No specific data are available.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Key R&D Program of China (2017YFB1400702), the National Natural Science Foundation of China (61972017, 61972018, 61932014), the Beijing Natural Science Foundation (4182033), the National Cryptography Development Fund (MMJJ20180215), and the Special Scientific Research for Civil Aircraft of Ministry of Industry and Information Technology.