Table of Contents Author Guidelines Submit a Manuscript
Wireless Communications and Mobile Computing
Volume 2018, Article ID 1701675, 12 pages
https://doi.org/10.1155/2018/1701675
Research Article

Traceable Ciphertext-Policy Attribute-Based Encryption with Verifiable Outsourced Decryption in eHealth Cloud

1School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
2Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
3Jiangsu Innovative Coordination Center of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
4School of Computer Science and Technology, Anhui University, Hefei 230601, China
5School of Computer Science and Technology, Xidian University, Xian 710071, China

Correspondence should be addressed to Qi Li; nc.ude.tpujn@sciqil

Received 8 March 2018; Revised 19 April 2018; Accepted 7 May 2018; Published 6 June 2018

Academic Editor: Kim-Kwang Raymond Choo

Copyright © 2018 Qi Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

In cloud-assisted electronic health care (eHealth) systems, a patient can enforce access control on his/her personal health information (PHI) in a cryptographic way by employing ciphertext-policy attribute-based encryption (CP-ABE) mechanism. There are two features worthy of consideration in real eHealth applications. On the one hand, although the outsourced decryption technique can significantly reduce the decryption cost of a physician, the correctness of the returned result should be guaranteed. On the other hand, the malicious physician who leaks the private key intentionally should be caught. Existing systems mostly aim to provide only one of the above properties. In this work, we present a verifiable and traceable CP-ABE scheme (VTCP-ABE) in eHealth cloud, which simultaneously supports the properties of verifiable outsourced decryption and white-box traceability without compromising the physician’s identity privacy. An authorized physician can obtain an ElGamal-type partial decrypted ciphertext (PDC) element of original ciphertext from the eHealth cloud decryption server (CDS) and then verify the correctness of returned PDC. Moreover, the illegal behaviour of malicious physician can be precisely (white-box) traced. We further exploit a delegation method to help the resource-limited physician authorize someone else to interact with the CDS. The formal security proof and extensive simulations illustrate that our VTCP-ABE scheme is secure, efficient, and practical.

1. Introduction

Electronic health care (eHealth) system is regarded as an outstanding approach to provide well health care service through various emerging technologies, including Internet of Things, cloud computing, mobile computing, and wireless sensor networks. In cloud-assisted eHealth systems, an individual patient integrates his/her personal health information (PHI) collected via various wearable and embedded sensors, stores the PHI in the cloud, and receives real-time and high-quality medical treatment. Unfortunately, when the patient enjoys convenient storage services provided by cloud server, the risk of privacy exposure also raises. The sensitive PHI may be exposed to the cloud server which can not be fully trusted. Even worse, the PHI may be widely propagated to unauthorized parties for commerce benefit or other purposes. Thus, the PHI must be encrypted before hosted to the eHealth cloud. Meanwhile, an access policy must be specified to point out who are authorized to access the PHI.

Aiming to realize access control on encrypted message, attribute-based encryption (ABE) [1] was presented to provide an efficient solution to this kind of applications. According to the place where the access policy is embedded, the ABE schemes are divided into two forms, key-policy ABE (KP-ABE) [2] and another type of ABE named ciphertext-policy ABE (CP-ABE) [3]. In the former framework, every user’s key is labeled with an access policy while the ciphertexts are annotated with chosen sets of attributes. On the contrary, the user’s key in CP-ABE is issued according to his/her attributes while the ciphertext is encrypted under an access policy. Since that ABE is a feasible mechanism which preserves the security and privacy of patients’ PHI, a series of attribute-based access control systems [48] have been proposed, aiming at expressive policies, security, or efficiency. In particular, there remain two significant features to be considered in utilizing ABE technique in eHealth systems.

The first feature is verifiability of outsourced decryption. In most ABE systems [13, 912], the decryption overhead is linear to the scale of involved attributes and expensive for energy-constrained terminals. The decryption outsourcing technique [13] is proposed to reduce the number of exponential operations and bilinear pairing operations on user side by offloading the heavy decryption computation to a third-party server, e.g., the cloud server. The user then recovers the plaintext by executing only one exponential operation over ElGamal-style partial decrypted ciphertext element generated by the third-party server. However, such outsourced scheme can not guarantee the correctness of returned ElGamal-style element. Lai et al. [14] presented the verifiable approach in ABE to check whether the third-party server has honestly executed the decryption service. They also bring redundant overhead in both encryption computation and ciphertext size. Qin et al. [15] provided an efficient verifiable ABE scheme which significantly reduces the computation cost in encryption and the decryption overhead for users.

Another considerable feature is traceability. We take CP-ABE as an instance; the private key is generated from some descriptive attributes rather than from a unique identity. Each attribute may be possessed by multiple users. It could be impossible to distinguish who is the original owner of a given private key. Imagine two physicians in eHealth systems, Tomas and Jack. They have the attribute set ‘ department, chief ’ which is not possessed by any other users. By the key delegate technique [3], both Tomas and Jack can regenerate a private key responding to the set ‘ department, chief ’, if there is a third user who can decrypt the ciphertext labeled by access policy ‘‘orthopedics department’ AND ‘chief physician’’. Where did the key come from? Tomas or Jack? To solve the problem above, Liu et al. [16] extended an adaptively secure CP-ABE scheme [9] to support ‘white-box’ traceability, where the malicious user directly leaks his/her private key. Subsequently, Ning et al. [17] constructed a large attribute universe and traceable CP-ABE scheme. On the contrary to the ‘small universe’ in [3, 10, 1416], the ‘large universe’ means that the scale of attribute universe is unbounded [18].

However, existing works mostly aimed to support the property of verifiable outsourced decryption or traceability separately. There is no CP-ABE scheme with both verifiable outsourced decryption and white-box traceability in practice: (1) the CP-ABE schemes [16, 17] support the traceability well, but the user’s decryption cost grow with the attribute number; (2) these CP-ABE schemes [14, 15, 19, 20] provide decryption assistance for users, and the correctness of returned PDC element is guaranteed; however, the traceability property is not addressed.

In this work, we propose a novel verifiable and traceable CP-ABE scheme named VTCP-ABE for eHealth cloud applications. The VTCP-ABE scheme is the first scheme which simultaneously achieves white-box traceability and verifiable outsourced decryption without exposing the physician’s identity information. Since we take the ‘large universe’ scheme [18] as the basis, the attribute universe in our scheme is inherently unbounded. We further extend the VTCP-ABE to support another delegation property. We also provide the formal proof of the selective CPA security, verifiability, and traceability for VTCP-ABE. The comparison and simulation results show that our VTCP-ABE is applicable for practical eHealth cloud applications. In particularly, we make the following contributions:

(1) We propose a new VTCP-ABE scheme which simultaneously achieves the properties of verifiable outsourced decryption, white-box traceability, and large universe. An authorized physician can check the correctness of partial decrypted ciphertext (PDC) which is requested from the eHealth CDS. Given a private key, the original owner can be precisely tracked. The attribute universe can be exponentially large and the number of public parameter elements is constant no matter how many attributes are chosen.

(2) We present an efficient approach to prevent the CDS from knowing the fixed identification information of physician during offering decryption service. The original ciphertext and the transmission private key will be pre-processed before being sent to the CDS. This method is acceptable since only two additional exponential operations for each decryption request are added.

(3) We exploit an additional property of delegation for our VTCP-ABE, with which a resource-constrained physician can delegate someone to obtain a PDC element without compromising the privacy of PHI.

1.1. Related Works

ABE was first introduced in [1]. The first KP-ABE scheme with threshold tree access structures was presented in [2]. The first CP-ABE scheme with the same structures was presented in [3]. Waters [21] presented several CP-ABE schemes to support the access policy defined as Linear Secret Sharing Schemes (LSSS). Yu et al. [22] demonstrated the deployment of ABE technique in cloud computing. In [4], Li et al. presented a personal health record (PHR) secure sharing scheme in cloud computing. Subsequently, various constructions of ABE schemes were presented in [9, 2329].

Green et al. [13] constructed the first decryption outsourcing ABE, where the most decryption overhead is hosted to a third party. With the returned partial decrypted ciphertext, a user could recover the plaintext message by executing only one exponential operation. Based on the outsourced method [13], Li et al. [7] presented a PHR data sharing scheme for cloud storage applications in the multi-authority settings. In both [7, 13], the correctness of returned PDC is not guaranteed. Lai et al. [14] presented an approach to check whether the partial decrypted ciphertext element (transformed ciphertext element) is correctly calculated. Their technique incurred noticeable overhead in both decryption and encryption. Based on key encapsulation mechanism, Lin et al. [19] and Qin et al. [15] separately proposed a fascinating method to support verifiable outsourced decryption in ABE. The difference between [19] and [15] is that, in [19], the hash value of a random group element is set as the symmetric key to encrypt the original data, then is encrypted by a ABE scheme to obtain a ABE-type ciphertext, which will be used to generate the verification key. In [15], the original data is encrypted along with a randomly chosen bit string , while the verification key is set by executing exponential operations in the group by taking the hash values of and as exponents.

Liu et al. presented the first adaptively secure and white-box traceable CP-ABE scheme in [16], where any monotonic LSSS access structure is supported. They further constructed another CP-ABE scheme with black-box traceability in [30]. Based on the scheme [31], Ning et al. [17] exploited the white-box traceability for CP-ABE in large universe settings. From then on, many traceable ABE constructions are proposed in [6, 32, 33]. However, in these traceable schemes [6, 16, 17, 30, 32, 33], the decryption overhead grows with the scale of attribute set adopted in decryption.

Table 1 compares the characteristics between some related works and our VTCP-ABE. From Table 1, our VTCP-ABE scheme is the only practical scheme to simultaneously support the properties of large universe, verifiable outsourced decryption, white-box traceability, and delegation in CP-ABE.

Table 1: Comparison between ours and some related works.

2. Preliminaries

2.1. Bilinear Maps

Denote and as two multiplicative cyclic groups with prime order . is a generator of group . The bilinear map has the following properties:(1)Bilinearity: and , .(2)Non-degeneracy: .(3)Computability: for all , are efficiently computable.

Since that , is symmetric.

2.2. Linear Secret Sharing Schemes (LSSS)

Definition 1. Linear Secret Sharing Schemes [21, 34]: let denote a set of attributes, and let be a chosen prime. Let be a matrix. For all , a function labels the -th row of with an attribute (i.e.,). A secret sharing scheme over the attribute universe is linear if one has the following:
(1) The shares for each attribute make a vector over .
(2) In order to generate the shares of a secret , we select the column vector , where are randomly selected from , then is the shares of according to . The share belongs to the attribute .

As demonstrated in [34], the linear reconstruction property of LSSS is defined as follows: Suppose is the access structure and is an authorized set. Let be the index set of rows which are linked with the attributes in . There exist constants which satisfy that if are valid, then we have .

2.3. -Type Assumption

The security of VTCP-ABE is reduced to a -type assumption [18].

Suppose is a cyclic group and prime is the group order. Randomly pick and choose . If an adversary is given the group description and including all of the following terms:, , with , with with

It must be hard for to distinguish the element from a randomly chosen element .

The advantage of an algorithm which solves the above -type problem is

Definition 2. We claim that the -type assumption holds if the advantage of all polynomial time adversaries is negligible in the above -type game.

2.4. -Strong Diffie-Hellman Assumption (-SDH)

The -SDH problem [35, 36]: suppose is a cyclic group. Let prime be the group order. is randomly selected from . Given a -tuple , output a pair . An algorithm has advantage in solving -SDH problem if , where the probability is over the random bits consumed by and the randomness of .

Definition 3. We claim that the -SDH assumption holds if the advantage of all -time adversaries is at most in solving the above -SDH problem.

3. System Architecture and Security Model

3.1. System Description

As shown in Figure 1, our VTCP-ABE framework in the eHealth cloud mainly consists of the following components.

Figure 1: Architecture of VTCP-ABE in eHealth cloud.

The authority: the authority produces the system parameters and generates private keys for the legal physicians depending on their attributes. It is also in charge of tracing the malicious physicians.

The patient: with the help of IOT techniques, the patient integrates and then encrypts his/her PHI under appropriate access policy and further uploads the ciphertext to the eHealth cloud storage server.

The eHealth cloud storage server (CSS): the eHealth CSS provides storage service for the patient. If necessary, the patient can call CSS to delete his/her PHI data.

The eHealth cloud decryption server (CDS): the eHealth CDS provides pre-decryption service of the encrypted PHI and returns the partial decrypted ciphertext to the authorized physician.

The physician: the physician takes responsibility of medical treatment for the patient whose access policy accepts his/her attributes. The physician is also enabled to check the correctness of returned pre-decryption results from the CDS. The malicious physician may leak his private key for economic benefit or some malignant purpose.

We note that the eHealth CSS and CDS are assumed to be semi-trusted as in [22]. That is, the CSS and CDS honestly execute the pre-set algorithms. But they attempts to get useful information of the encrypted PHI as much as possible. In addition, the eHealth CDS may want to obtain the identification information of physician.

As one of the important applications in IOT environments, the eHealth cloud system enables the patient to collect his PHI via wearable devices, physiologic sensor nodes and body area networks, etc. Before uploading the PHI to the cloud sever to get real-time health care services, the patient can define expressive access policy of his PHI over descriptive attributes by VTCP-ABE. According to the assigned attributes, the individual physicians have differential flexible access rights. They can provide various (free or paid) health care services by smart devices on condition that their attributes match the access policy of patient’s PHI. Our VTCP-ABE also offers the traceability to prevent the key abuse problem and the verifiable outsourced decryption technique to offload most decryption cost to the cloud server and guarantee the returned results.

3.2. Definition of VTCP-ABE

Our VTCP-ABE is comprised by the following seven algorithms.

Setup: this algorithm takes in a security parameter and the system attribute universe . It then outputs the system public parameters and the master secret key . Besides, it initializes an identity table .

Encrypt. This algorithm takes in a message , , and an access structure . It then outputs a ciphertext and a verification key .

KeyGen. This algorithm takes in , , an identity information and an attribute set . It then outputs a transmission private key and a user decryption key .

Pre-Process. This algorithm takes in and . It then outputs a pre-processed ciphertext and a pre-processed private key .

Pre-Decrypt. This algorithm takes in and . If matches , the algorithm outputs a partial decrypted ciphertext . Otherwise, it outputs .

Decrypt. This algorithm takes in , , and . If is not valid, it outputs . Otherwise, it outputs a message .

Trace or . This algorithm takes in , , , and . It first verifies whether and are well-formed. If so, this algorithm outputs the annotated with and . Otherwise, it outputs implying that and are not required to be traced. If and can pass a "key sanity check" which means that they can be used in the normal decryption phase, they are called well-formed [16].

3.3. CPA Security Model

Similar to [17, 18], the definition of selective security model of VTCP-ABE against chosen plaintext attack (CPA) is given as follows:

Init. The adversary gives the simulator the challenge access policy .

Setup. runs Setup to produce and passes to .

Phase 1. can ask to produce the private keys for . For each , returns by the corresponding private key pairs . Note that, for each , can not match .

Challenge Phase. submits two messages and of equal length. encrypts under to obtain and , where is randomly chosen from . It then gives and to .

Phase 2. As in Phase 1, is asked to produce the private keys of .

Guess. guesses for . ’s advantage is defined as .

Definition 4. We claim that a VTCP-ABE scheme is selectively CPA secure if the advantage is negligible for all PPT adversaries in the above selective security game.

3.4. Security Game for Verifiability

Based on the replayable chosen ciphertext attack (RCCA) security model [13, 15], we briefly introduce the verifiability game as follows.

Setup. The challenger generates and sends to the attacker .

Phase 1. queries the results from the , , and oracles as in [15].

Challenge Phase. The attacker submits an access policy and a message . encrypts under to obtain and sends them to .

Phase 2. repeats the key queries as in Phase 1.

Output. gives    and an attribute set which satisfies .

The attacker wins the above game if Decrypt  . ’s advantage in this game is defined as .

Definition 5. We claim that a VTCP-ABE scheme is verifiable if is negligible for all PPT attackers in the above game.

3.5. Security Game for Traceability

The traceability game of our VTCP-ABE is defined as follows.

Setup. The challenger generates and sends to the attacker . It keeps as a secret key.

Key Query. submits the tuples to , where refers to the query number that can make.

Key Forgery. outputs and . wins if Trace   and Trace. ’s advantage is defined as .

Definition 6. We claim that a VTCP-ABE scheme is fully traceable if the advantage is negligible for all PPT attackers in the above game.

4. The Proposed VTCP-ABE

In this section, we first briefly introduce the techniques of constructing a verifiable and traceable CP-ABE scheme and then give the details of VTCP-ABE construction.

4.1. Technical Overview

To achieve the traceability in [17], each private key is associated with a unique fixed number so that the key owner cannot re-randomize his own private key to get a completely new key. In the verifiable CP-ABE scheme with outsourced decryption [15], the private key is composed of a transmission key and a user decryption key. The transmission key is sent to a third party to get the partial decryption result and the user decryption key is used to decrypt the partial decryption result and check its correctness.

Our goal is to achieve the efficient user decryption and traceability without compromising the security and privacy. However, if we combine the traceable CP-ABE [17] and the verifiable outsourced decryption approach [15] in a naive way, the fixed identifier number will be exposed to the eHealth CDS. Even worse, the CDS may use and the transmission private key to fabricate a key which could pass the check in the traceable algorithm of [17]. That is, a legal physician may be framed to be malicious and further revoked from the system. To prevent the CDS from knowing , we process the transmission private key and original ciphertext before submitting them to the eHealth CDS. Meanwhile, we add the user decryption key as input of the traceable algorithm. Finally, we add the property of verifiable outsourced decryption into the traceable CP-ABE scheme [17] at a very low cost on the physician side (one additional element in private key, two additional exponential operations in pre-processing)

4.2. Detailed Construction

We now give the detailed construction of the VTCP-ABE.

Setup. Given a group description , where prime order is the order of groups and denotes a map . The system attribute universe is set as . Then randomly pick and .

Select two collision-resistant hash functions and . refers to a one-time symmetric encryption scheme and the key space is defined as . Select from , which denotes a party of pairwise independent hash functions.

It sets as and as . It also initializes .

Encrypt. Given the PHI data and a LSSS policy , the encryption algorithm acts as follows.

Randomly select and . Calculate . Choose randomly from and compute,,.

For each , compute , and .

The ciphertext of is .

After that, this algorithm sets and computes a symmetric key . Then it calls to create a ciphertext and the verification key .

Finally, the ciphertext of PHI data is uploaded to the eHealth CSS as well as .

KeyGen. Given a tuple , this algorithm randomly selects and then calculates,,,.

For each , it computes and .

Finally, it outputs the private key for as and . Simultaneously, the tuple is added to .

Pre-Process. The physician can request the PHI ciphertext and from the eHealth CSS, which will response by the elements , , , and while the other elements will be sent to the eHealth CDS.

Before calling the pre-decryption service, he/she processes the , , and by calculating and .

Then and are sent to the eHealth CDS.

Pre-Decrypt. Once receiving and , this algorithm works as follows.

If does not match , this algorithm aborts. Otherwise, it sets and calculates constants such that , where refers to the -th row of . Then it calculates

Finally, it outputs .

Decrypt. This algorithm first computes . Then it calculates . If , it aborts immediately. Otherwise, it calculates and recovers .

Trace. This algorithm first verifies whether and are well-formed by the following checks:

(1) is expressed as , where and .

(2) .

(3) .

(4) .

(5) , s.t..

If and fail to pass the above five checks, it outputs . Otherwise, it searches in : if exists, it outputs the corresponding . If does not exist, it aborts.

5. Security Proof

5.1. CPA Security

For simplicity, the security of the presented VTCP-ABE scheme is reduced to that of the traceable scheme [17] which is proved under the -type assumption. We let and denote the traceable scheme [17] and our VTCP-ABE scheme, respectively.

Theorem 7. Suppose that is selectively secure, the one-time symmetric encryption scheme is semantically secure, is chosen from a party of pairwise independent hash functions, and the parameters satisfy . Then, the proposed is selectively secure.

Proof. Similar to the proof in [15], we define a series of hybrid argument of games as in [37].
. Identical to the original security game as defined in Section 3.3.
. Identical to , except that and are computed by selecting another random key rather than in .
. Identical to , except that we replace by a randomly selected string .
Let be the success probability of the attacker in .

Lemma 8. If is selectively secure, then the attacker can not distinguish from with a non-negligible advantage.

Proof. Suppose that an attacker can distinguish from , then we can build a PPT algorithm to break .
Init. The attacker submits the challenge access policy to . then sends to .
Setup. Based on , gives the parameter as in [17]. After that, chooses and sets , and as random oracles. It also sets . Finally, it sends to .
Phase 1. To reply the key query of from , transmits to and obtains , where,,,., and . randomly picks and sets,,,.

For each , it computes and .

implicitly sets and .

Finally, sends and to . Simultaneously, it adds to .

Challenge. submits two equal-length messages and , and first picks two independent random keys and from . It sends to . responds by a challenge ciphertext . Then, computes and . It randomly picks and calculates . It also computes .

Finally, it sends and to the attacker.

Note that, if the key encrypted under in is , is regarded as a challenge ciphertext in . Otherwise, can be regarded as a challenge ciphertext in .

Phase 2. Similar to Phase 1.

Finally, gives a . then sends to . From the above game, we have .

Lemma 9. Suppose that is a family of pairwise independent hash functions, then can not be distinguished from with a non-negligible advantage.

Proof. The key is completely independent of , , and in both and . Moreover, the number of possible values of is at most . According to the analysis in [15] and , the is -statistically indistinguishable from the randomly selected . Hence, we have .

Lemma 10. Suppose that is a semantically secure symmetric encryption scheme, then the attacker can not win with a non-negligible advantage.

Proof. In , is a truly random symmetric key. An algorithm can be directly constructed from to break the semantic security of . Therefore, we have .

Remark that is identical to the selective security game for our proposed VTCP-ABE scheme. The advantage is . Thus, the security of our follows.

5.2. Verifiability

Theorem 11. Suppose that these two hash functions and are collision-resistant, our proposed VTCP-ABE scheme is privately verifiable.

Proof. Suppose that an attacker can win the verifiability game, we can employ to build an algorithm to break the collision-resistance of and .
Given the challenge hash functions and , processes as follows.
runs Setup to generate and , except for and . To answer the key queries, acts as in Phase 1 and Phase 2.
In the Challenge phase, invokes the Encrypt to obtain the . Then, it computes and . It also calculates and . It sends and to .
outputs an attribute set which satisfies and a partially decrypted ciphertext and .
If wins the verifiability game, will get a message . Note that the Decrypt algorithm outputs if , where and is recovered from and .
We now analyze the success probability of by considering the following cases:
(1) . If this case happens, gets a collision of immediately.
(2) , but . Note that . Thus, gets a collision of .

5.3. Traceability

Theorem 12. If the -SDH assumption holds, then our proposed VTCP-ABE scheme is fully traceable on condition that , where is the number of key queries made by the attacker .

Proof. We here briefly introduce the traceability proof. Given , the simulator has to generate a pair to solve the -SDH problem.
Setup. Assuming , sets for each and randomly selects distinct numbers from . It then sets , where are the coefficients of . The simulator computes and . It then randomly picks and . Finally, sets () as , where , , , , and are set as in the CPA game. It gives to .
Key Query. answers the -th query of as follows.
sets and computes . Then randomly selects and calculates by computing:,,,.For each , it computes and .
It gives and to and add to .
Key Forgery. submits and to . refers to the event that wins, i.e., and are well-formed and .
If happens, writes as for some polynomial and some . Note that in is unknown to . then computes,,.Since , is the solution for the -SDH problem.
If does not happen, randomly picks as the solution.
As analyzed in [17], ’s advantage is non-negligible in solving the -SDH problem.

6. Performance Comparison

We here compare the performance of the VTCP-ABE scheme with the TCP-ABE scheme [17] and the VCP-ABE scheme [15] in the setting of key encapsulation, where the PHI data is encrypted by a symmetric encryption key which will be encrypted under an access policy in ABE.

6.1. Numeric Result

Tables 2 and 3 show the numeric comparison between our scheme and other two schemes [15, 17]. Let , , and be the overhead in executing a bilinear pairing, an exponential operation in and , respectively. denotes the system attribute universe. , , and refer to the set of attributes used in encryption, key generation, and decryption, respectively. Let be the output length of .

Table 2: Computation cost comparison.
Table 3: The parameter length comparison.

In Table 2, we calculate the computation cost incurred in the following phases: encryption, key generation, pre-decryption, and user decryption. The user in VCP-ABE and our VTCP-ABE expends constant size computation cost of exponential operation in . Note that our VTCP-ABE requires two additional exponential operations in the user side since that the ciphertext and transmission key need to be processed before being transmitted to the eHealth CDS.

In Table 3, the length of system public parameter, private key, and ciphertext is calculated by the number of group elements. The VCP-ABE scheme requires more public parameters which are linear with the scale of system attribute universe due to the fact that all the possible attributes need to be listed during the system initialization phase. Compared with the non-outsourced TCP-ABE scheme, our VTCP-ABE requires an additional element as the user decryption key and an output of as the verification key.

6.2. Implementation

We implement VCP-ABE scheme [15], TCP-ABE scheme [17], and the proposed VTCP-ABE on a windows 7 platform of an Intel(R) Core(TM) i5-3450 CPU at 3.10 GHz with 8.00 GB Memory. A Type A elliptic curve group is chosen from the JPBC library [38] and the order is a 512-bit prime. We mainly count the computation cost incurred by ABE relevant operations. The computation time of each algorithm is the average of 20 trials.

Figure 2 illustrates the computation cost comparison among VCP-ABE scheme, TCP-ABE scheme, and our proposed VTCP-ABE scheme.

Figure 2: Comparisons of computation cost.

Figure 2(a) shows the computation time in the initialization phase. In the three schemes, the computation cost is mainly incurred by computing the parameters and .

Figures 2(b) and 2(c) show the computation time in the key generation phase and the encryption phase, respectively. It is observed that the key generation cost and encryption overhead in three schemes are linearly with the number of used attributes. More precisely, TCP-ABE and ours require more computation operation than VCP-ABE since that the combination of parameters and is employed to indicate an attribute.

Figure 2(d) shows the computation cost in the pre-process phase of our VTCP-ABE. Two exponential and multiplicative operations in group are required in computing and no matter how many attributes are involved.

Figure 2(e) illustrates the computation cost comparison in the user decryption phase among three schemes. We can find that the user decryption cost in TCP-ABE scheme increases with the number of attributes. Thanks to the efficient outsourced decryption approach, the final decryption costs on the user side in VCP-ABE scheme and ours are significantly lower than that in TCP-ABE and independent of the attribute number.

Figure 2(f) gives the computation cost comparison in tracing the malicious users between TCP-ABE and ours. We can observe that the computation cost in both scheme grows with the number of attributes and our scheme only requires one additional exponential operation in group .

7. Delegate Extension

If a physician is in trouble to connect to the eHealth CSS and CDS, he/she can delegate someone to download the PHI ciphertext from the CSS and request the partial decrypted ciphertext from the CDS. However, the access privilege of delegated user has to be restricted. Inspired by [20, 39, 40], we employ a verifiable random function to limit the access of delegated users to maximum times and propose a verifiable and traceable CP-ABE scheme with key delegation (VTDCP-ABE).

Setup. Besides generating and as in VTCP-ABE, this algorithm calculates and chooses a hash function . The public parameter is .

The Encrypt, KeyGen, Pre-Process, Pre-Decrypt, and Trace algorithms are as well as that in VTCP-ABE.

Delegate KeyGen. Given a transmission key of an for a set , an identity information and a set . This algorithm generates a delegated transmission key as follows.

Randomly select and compute , and , where refers to the unique and random pseudonym of a delegated user. Set as the maximum number of pre-decryption request that a delegated user can make.

Then compute,,,.

For each , compute and .

The -times delegated transmission key is set as

Delegate Pre-Process. The same as Pre-Process, the delegated user requests from eHealth CSS and computes and .

The delegated user then sends and to the eHealth CDS, where

Delegate Pre-Decrypt. The eHealth CDS first initializes a counter and a set for each delegated user and stores the tuple in a delegation list . Once receiving the Pre-Decrypt request from a delegated user, the CDS responds by the following way.

If does not match , it outputs .

Otherwise, it searches in related to and checks

(1) and ;

(2) ;

(3) .

If the above three conditions do not hold, it aborts. Otherwise, it updates and computes the partial decryption ciphertext as

Finally, the CDS responds the delegated user by . Then the delegated user gives and to the physician.

Decrypt. If the physician interacts with the CSS and CDS directly, this algorithm acts exactly as in the Decrypt algorithm of VTCP-ABE. If the physician asks a delegated user to get the ciphertext and request the outsourced decryption service, is recovered by . The verification and PHI decryption operations are identical to that of VTCP-ABE.

Since that the of physician and are kept secretly, the delegated user can not obtain any content of the PHI ciphertext except a partial decrypted ciphertext.

8. Conclusion

In this paper, we have constructed a verifiable and traceable CP-ABE (VTCP-ABE) scheme for eHealth cloud applications, which also achieves the properties of large universe and delegation. With VTCP-ABE, the patient can enforce fine-grained access control over his/her PHI in a cryptographical way. Before submitting the encrypted PHI to the eHealth cloud decryption server, a pre-process on the ciphertext and transmission key is employed to preserve the identity privacy of the physician. The correctness of returned ciphertext can be efficiently verified. Moreover, the malicious physician who leaks the private key can be precisely tracked. Besides, we extend the proposed VTCP-ABE to support the delegation property, with which a resource-limited physician can authorize someone else to obtain a partial decrypted ciphertext without exposing the PHI content. The security of VTCP-ABE is proved in the selective model. The extensive experiments illustrate that our VTCP-ABE scheme efficiently achieves verifiability, traceability, and large attribute universe.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research is supported by the National Natural Science Foundation of China under Grants nos. 61502248, 61427801, u1405255, and 61602365, China Postdoctoral Science Foundation (Grant no. 2018M632350), and NUPTSF (Grant no. NY215008).

References

  1. A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 457–473, Springer Berlin Heidelberg, 2005. View at Publisher · View at Google Scholar · View at MathSciNet
  2. V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, New York, NY, USA, November 2006. View at Publisher · View at Google Scholar · View at Scopus
  3. J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, May 2007. View at Publisher · View at Google Scholar · View at Scopus
  4. M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131–143, 2013. View at Publisher · View at Google Scholar · View at Scopus
  5. J. Zhou, Z. Cao, X. Dong, and X. Lin, “TR-MABE: white-box traceable and revocable multi-authority attribute-based encryption and its applications to multi-level privacy-preserving e-healthcare cloud computing systems,” in Proceedings of the 34th IEEE Annual Conference on Computer Communications and Networks (IEEE INFOCOM '15), pp. 2398–2406, April 2015. View at Publisher · View at Google Scholar · View at Scopus
  6. C. Hahn, H. Kwon, and J. Hur, “Efficient attribute-based secure data sharing with hidden policies and traceability in mobile health networks,” Mobile Information Systems, vol. 2016, Article ID 6545873, 13 pages, 2016. View at Publisher · View at Google Scholar · View at Scopus
  7. Q. Li, J. Ma, R. Li, X. Liu, J. Xiong, and D. Chen, “Secure, efficient and revocable multi-authority access control system in cloud storage,” Computers & Security, vol. 59, pp. 45–59, 2016. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. Zhang, X. Chen, J. Li, D. S. Wong, H. Li, and I. You, “Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing,” Information Sciences, vol. 379, pp. 42–61, 2017. View at Publisher · View at Google Scholar · View at Scopus
  9. A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption,” in Advances in Cryptology—EUROCRYPT 2010, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 62–91, Springer Berlin Heidelberg, 2010. View at Publisher · View at Google Scholar · View at MathSciNet
  10. K. Xue, Y. Xue, J. Hong et al., “RAAC: Robust and Auditable Access Control with Multiple Attribute Authorities for Public Cloud Storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 953–967, 2017. View at Publisher · View at Google Scholar · View at Scopus
  11. W. Li, K. Xue, Y. Xue, and J. Hong, “TMACS: a robust and verifiable threshold multi-authority access control system in public cloud storage,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 5, pp. 1484–1496, 2016. View at Publisher · View at Google Scholar · View at Scopus
  12. S. Wang, K. Liang, J. K. Liu, J. Chen, J. Yu, and W. Xie, “Attribute-based data sharing scheme revisited in cloud computing,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 8, pp. 1661–1673, 2016. View at Publisher · View at Google Scholar · View at Scopus
  13. M. Green, S Hohenberger, and B. Waters, “Outsourcing the decryption of abe ciphertexts,” in Proceedings of the 20th USENIX Conference on Security (SEC '11), pp. 34–34, USENIX Association, Berkeley, CA, USA, 2011.
  14. J.-Z. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343–1354, 2013. View at Publisher · View at Google Scholar · View at Scopus
  15. B. Qin, R. H. Deng, S. Liu, and S. Ma, “Attribute-based encryption with efficient verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1384–1393, 2015. View at Publisher · View at Google Scholar · View at Scopus
  16. Z. Liu, Z. Cao, and D. S. Wong, “White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 76–88, 2013. View at Publisher · View at Google Scholar · View at Scopus
  17. J. Ning, X. Dong, Z. Cao, L. Wei, and X. Lin, “White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1274–1288, 2015. View at Publisher · View at Google Scholar · View at Scopus
  18. Y. Rouselakis and B. Waters, “Practical constructions and new proof methods for large universe attribute-based encryption,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 463–474, New York, NY, USA, November 2013. View at Publisher · View at Google Scholar · View at Scopus
  19. S. Lin, R. Zhang, H. Ma, and M. Wang, “Revisiting attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 10, pp. 2119–2130, 2015. View at Publisher · View at Google Scholar · View at Scopus
  20. J. Ning, Z. Cao, X. Dong, K. Liang, H. Ma, and L. Wei, “Auditable sigma-time outsourced attribute-based encryption for access control in cloud computing,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 1, pp. 94–105, 2018. View at Publisher · View at Google Scholar
  21. B. Waters, Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization, vol. 6571 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2011. View at Publisher · View at Google Scholar · View at MathSciNet
  22. S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in Proceedings of the IEEE INFOCOM, pp. 1–9, March 2010. View at Publisher · View at Google Scholar · View at Scopus
  23. L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 456–465, New York, NY, USA, November 2007. View at Publisher · View at Google Scholar · View at Scopus
  24. J. Li, Q. Huang, X. Chen, S. S. M. Chow, D. S. Wong, and D. Xie, “Multi-authority ciphertext-policy attribute-based encryption with accountability,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 386–390, New York, NY, USA, March 2011. View at Publisher · View at Google Scholar · View at Scopus
  25. F. Guo, Y. Mu, W. Susilo, D. S. Wong, and V. Varadharajan, “CP-ABE with constant-size keys for lightweight devices,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 5, pp. 763–771, 2014. View at Publisher · View at Google Scholar · View at Scopus
  26. Q. Li, J. Ma, R. Li, J. Xiong, and X. Liu, “Large universe decentralized key-policy attribute-based encryption,” Security and Communication Networks, vol. 8, no. 3, pp. 501–509, 2015. View at Publisher · View at Google Scholar · View at Scopus
  27. Q. Li, J. Ma, R. Li, J. Xiong, and X. Liu, “Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption,” Security and Communication Networks, vol. 8, no. 18, pp. 4098–4109, 2015. View at Publisher · View at Google Scholar · View at Scopus
  28. Q. M. Malluhi, A. Shikfa, and V. C. Trinh, “A ciphertext-policy attribute-based encryption scheme with optimized ciphertext size and fast decryption,” in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (ASIA CCS '17), pp. 230–240, New York, NY, USA, April 2017. View at Publisher · View at Google Scholar · View at Scopus
  29. J. Ning, Z. Cao, X. Dong, K. Liang, L. Wei, and K. R. Choo, “CryptCloud+: secure and expressive data access control for cloud storage,” IEEE Transactions on Services Computing, vol. 99, 2018. View at Publisher · View at Google Scholar
  30. Z. Liu, Z. Cao, and D. S. Wong, “Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on eBay,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 475–486, New York, NY, USA, November 2013. View at Publisher · View at Google Scholar · View at Scopus
  31. Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority attribute-based encryption,” in Financial Cryptography and Data Security, R. Böhme and T. Okamoto, Eds., vol. 8975 of Lecture Notes in Computer Science, pp. 315–332, Springer Berlin Heidelberg, 2015. View at Publisher · View at Google Scholar · View at MathSciNet
  32. J. Ning, Z. Cao, X. Dong, J. Gong, and J. Chen, “Traceable CP-ABE with short ciphertexts: How to catch people selling decryption devices on ebay efficiently,” in Computer Security—ESORICS 2016, I. Askoxylakis, S. Ioannidis, S. Katsikas, and C. Meadows, Eds., vol. 9879, pp. 551–569, Springer International Publishing, 2016. View at Publisher · View at Google Scholar · View at Scopus
  33. G. Yu, Z. Cao, G. Zeng, and W. Han, “Accountable ciphertext-policy attribute-based encryption scheme supporting public verifiability and nonrepudiation,” in Provable Security, vol. 10005 of Lecture Notes in Computer Science, pp. 3–18, Springer International Publishing, Cham, Switzerland, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  34. A. Beimel, Secure Schemes for Secret Sharing and Key Distribution [Mater Thesis], 1996.
  35. D. Boneh and X. Boyen, Short Signatures Without Random Oracles, vol. 3027 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2004. View at Publisher · View at Google Scholar · View at MathSciNet
  36. V. Goyal, Reducing Trust in the PKG in Identity Based Cryptosystems, vol. 4622 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2007. View at Publisher · View at Google Scholar · View at MathSciNet
  37. V. Shoup, “Sequences of games: a tool for taming complexity in security proofs, 2004,” shoup@cs.nyu.edu 13166 received 30 Nov 2004, last revised 18 Jan 2006.
  38. A. de Caro and V. Iovino, “jPBC: Java pairing based cryptography,” in Proceedings of the 16th IEEE Symposium on Computers and Communications (ISCC '11), pp. 850–855, Kerkyra, Corfu, Greece, July 2011. View at Publisher · View at Google Scholar · View at Scopus
  39. D. Yevgeniy and A. Yampolskiy, “A verifiable random function with short proofs and keys,” in Public Key Cryptography—PKC 2005, S. Vaudenay, Ed., pp. 416–431, Springer Berlin Heidelberg, 2005. View at Google Scholar
  40. T. H. Yuen, J. K. Liu, M. H. Au, X. Huang, W. Susilo, and J. Zhou, “k-times attribute-based anonymous access control for cloud computing,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 64, no. 9, pp. 2595–2608, 2015. View at Publisher · View at Google Scholar · View at MathSciNet