Table of Contents Author Guidelines Submit a Manuscript
Wireless Communications and Mobile Computing
Volume 2019, Article ID 9340808, 12 pages
Research Article

A Lightweight Fine-Grained Search Scheme over Encrypted Data in Cloud-Assisted Wireless Body Area Networks

1School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
2University of Electronic Science and Technology of China, Chengdu 611731, China

Correspondence should be addressed to Zhiguang Qin; nc.ude.ctseu@gzniq

Received 3 October 2018; Revised 20 November 2018; Accepted 4 December 2018; Published 1 January 2019

Guest Editor: Feng Ye

Copyright © 2019 Mingsheng Cao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


The wireless body area networks (WBANs) have emerged as a highly promising technology that allows patients’ demographics to be collected by tiny wearable and implantable sensors. These data can be used to analyze and diagnose to improve the healthcare quality of patients. However, security and privacy preserving of the collected data is a major challenge on resource-limited WBANs devices and the urgent need for fine-grained search and lightweight access. To resolve these issues, in this paper, we propose a lightweight fine-grained search over encrypted data in WBANs by employing ciphertext policy attribute based encryption and searchable encryption technologies, of which the proposed scheme can provide resource-constraint end users with fine-grained keyword search and lightweight access simultaneously. We also formally define its security and prove that it is secure against both chosen plaintext attack and chosen keyword attack. Finally, we make a performance evaluation to demonstrate that our scheme is much more efficient and practical than the other related schemes, which makes the scheme more suitable for the real-world applications.

1. Introduction

With the rapid advancement of wireless communication technology and wearable medical sensors, medical area will be largely revolutionized by the emergence of wireless body area networks (WBANs) as a highly innovative technique [1, 2]. A typical WBAN consists of a controller and a number of wearable and implantable medical sensors. These sensors are exploited to place on human body for continuously monitoring physiological symptoms or collecting related body parameters. The aggregated data via wireless networks (like Bluetooth, Zigbee, Wifi, or GPRS) are finally transferred from one mobile terminal (such as a smart phone or a PAD) to cloud servers for remotely storing and accessing. With WBANs, two great benefits can be rendered for patients and healthcare providers. One hand is that medical patient’s conditions can be remotely diagnosed instead of being measured in the traditional face-to-face way. For another one, healthcare provider can access medical records remotely to provide medical treatment in real time. Although great potential in improving healthcare quality has been shown, security and privacy protection of data collected from WBANs remains to be a major concern [3, 4], which hampers the far-ranging application of WBANs since the data stored on servers are no longer out of physical control by data owners.

To protect the data privacy, a frequently adopted method is to encrypt the medical data prior to transmitting them to servers; however, data encryption makes information retrieval over the encrypted data greatly difficult. In addition, a naive solution for data users is to download-then-decipher all the ciphertexts locally since it incurs too much computational overhead and wastes considerable bandwidth resources. Accordingly, preserving the confidentiality of medical data and achieving efficient data retrieval simultaneously are of significant importance in cloud-assisted WBANs scenarios. To resolve the issue of efficient searching over the encrypted medical data, the searchable encryption (SE) technique [5, 6], which allows users to delegate their searchability to cloud server for securely and selectively retrieving the encrypted medical data of interest, has been extensively researched. At present, a lot of work focusing on SE has been explored to gain various searching functionalities like single keyword search [7, 8], multikeyword search [9, 10], fuzzy keyword search [11, 12], and so on. Although much attention in SE technology has been attracted in both academical and industrial fields, it is still unsuitable for WBANs as patients commonly desire that their medical data could be shareable and accessible by different data users (e.g., government agencies, healthcare providers, medical researchers, and insurance underwriters). To furnish access control with fine-granularity over medical data in SE solutions, ciphertext policy attribute based keyword search (CP-ABKS) is proposed [13, 14]. In a CP-ABKS scheme, data users can decipher the ciphertexts of interest on the premise that the attributes match the access policy attached to the ciphertexts and meanwhile the submitted trapdoors satisfy the keyword indexes.

Despite the fact that both fine-grained access control and search functionalities can be implemented in CP-ABKS, the computational and storage costs of much of existing CP-ABKS schemes increase linearly with the complexity of access policies, which severely impedes the use of resource-limited mobile devices. Consequently, in practice, it is greatly essential to provide lightweight operations for data users.

In this paper, we devise a novelly lightweight fine-grained keyword search over encrypted medical data in WBANs. With our proposed scheme, flexible and fine-grained access control in multiple data user setting and lightweight keyword search over the encrypted medical data can be achieved. Furthermore, lightweight computational and storage overhead on end users throughout our scheme can also be gained as our primary design objective. To sum up, the main contributions are provided below:(i)Fine-grained keyword search. Our proposed scheme can achieve one-to-many encryption instead of one-to-one encryption and enforce fine-grained access control over the medical data such that the medical data can only be searched and accessed if the attributes of data user match the access policy.(ii)Lightweight search algorithm. Our proposed scheme can support data user in retrieving the ciphertexts of interest according to the queried keyword. To be specific, after receiving the trapdoor from the data user, the cloud server performs a search algorithm to search the encrypted medical data. During the searching process, only three pairing computations are needed for the cloud server to compete a searching operation.(iii)Lightweight decryption and verification. In our proposed scheme, the great majority of decryption operations are offloaded to the cloud server such that considerable decryption overhead of an end user is relieved and only an exponentiation is required by the end user. Further, the end user can validate that the transformed ciphertext completed by the cloud server is correct.(iv)Security and practicability. The detailed security proof is presented to indicate that not only the chosen plaintext attack but also chosen keyword attack can be resisted in our scheme. Besides, the performance evaluation to be shown indeed depicts its practicability of our scheme for the WBANs.

2. Related Work

In cloud-assisted WBANs, SE [5, 6] can furnish a fundamental solution for data users to issue search queries over the encrypted medical data of a patient generated by WBANs according to his/her interested keywords. Song et al. [5] proposed the first SE scheme, which takes little communication but the computational overhead is proportional to the size of search query. To address this issue, public key encryption with keyword search was proposed [6]. Since then, many different SE schemes were proposed to enrich distinct features such as single keyword search [7, 8], multiple keyword search [9, 10] and fuzzy keyword search [11, 12]. However, the above-mentioned SE schemes with different features do not support data owner to grant the search capability to multiple data users.

To enforce flexible access control over the data, attribute based encryption (ABE) [1821], including key policy ABE and ciphertext policy ABE, was proposed. Nevertheless, the keyword search functionality is not provided in existing ABE schemes. Motivated by the idea of providing the flexible data search and data share, Zheng et al. [13] introduced two attribute based keyword search (ABKS) schemes, i.e., key policy ABKS (KP-ABKS) and ciphertext policy ABKS (CP-ABKS), by combining the conceptions of SE and ABE together. For the WBANs, CP-ABKS is more suitable than KP-ABKS since data owners are permitted to independently designate access policies themselves to determine who can flexibly search and access the encrypted medical data. Subsequently, several CP-ABKS schemes were also proposed [1416], whereas these schemes still are inappropriate for the WBANs due to their large computation, communication, and storage costs. To be more specific, in Liang et al.’s scheme [14], the number of pairing and exponentiation operations in both search and decryption phases increases linearly with the complexity of access policy hidden in the ciphertext and the ciphertext size also follows the linear relationship with the complexity of access policy. Although the scheme [15] improves the search efficiency compared to [14], it does not solve the prohibitive computation and communication cost problem like [14, 22]. Besides, this scheme only provides data users with search function but does not support data sharing. In Li et al.’s schemes [16], the computation and storage overhead in both search and decryption phases also follows the linear relationship with the complexity of access policy.

Very recently, although the CP-ABKS [17] that achieves fine-grained access control and search functionality is proposed, its computational and storage overhead is still much more larger. In addition, the reliability of the converted ciphertext returned from the cloud server is not verified. To achieve practicability, feasibility, and verifiability in WBANs, we build a lightweight fine-grained keyword search system based on the scheme [23], which supports flexible access control and single keyword with lightweight and verifiable decryption.

Organization. The rest of organization is introduced as follows. Specifically, Section 3 reviews some basic knowledge including bilinear pairing, hardness assumption, linear secret sharing scheme matrices, etc. Section 4 introduces our system model involving system architecture and threat model. Our proposed system containing system overview and its concrete construction is presented in Section 5. Then, the security analysis and performance analysis are shown in Sections 6 and 7, respectively. Finally, a summary is concluded in the Section 8.

3. Preliminaries

The prime knowledge, including bilinear pairing, hardness assumption, linear secret sharing scheme matrices, and so on, is presented in this part.

3.1. Bilinear Pairing

An algorithm based on input a security parameter can create a group tuple , where of same prime order denote multiplicative cyclic groups, and a computable bilinear map is represented as with the properties below: (1) Bilinearity: for all , and . Nondegeneracy:

Denote as two -tuples of -variate polynomials over , where are integers. That is to say, are two lists that contain multivariate polynomials. Here, we redenote , with setting . For vector and function , we denote as . We employ the similar notion for -tuple . We say that is based on , where . We denote when there is a linear decomposition , where . Then, the definition of -GDHE assumption is shown as follows.

Definition 1 (-GDHE assumption [23]). Given the tuple , the goal is to compute .

Definition 2 (-GDDHE assumption [23]). Given the tuple , the goal is to decide whether .

3.2. Linear Secret Sharing Scheme (LSSS) Matrices

Denote and as a prime order and a universe of attributes. If a collection is an access structure on , then an LSSS matrix and a function can be found, in which the attribute can be mapped with the function to the rows of matrix . In this way, an LSSS access policy can be expressed as . Consider the column vector , where is the shared secret, and . There exist constants in for any shares of a sharing secret , , where and denotes the authorized set.

3.3. Conversion from a Boolean Formula to an LSSS Matrix

The elaborated working principle of the algorithm in conversion from a Boolean formula to an LSSS matrix can be found in [24]. Here, we briefly introduce its works below: the Boolean formula can be easily converted into an access tree, where AND or OR gates are interior nodes and user attributes acted as the leaf nodes. Here we specify the sharing vector of LSSS matrix as . As a starting point, the vector is first availed for labelling the root node of the tree and then the levels of the tree are gone down. In this manner, a vector decided by the assigned vector from its parent node is labelled to each node. Besides, an initially global counter variable to be maintained is set . If the parent node is an OR gate with its vector , then its children are also marked by . If the parent node is an AND gate with its vector , 0’s at the end are appended after to make it of length . Then, vector is distributed to remark one of its children and the vector is used for labelling another node. It is noteworthy that the summation of these two vectors is . The value of is incremented with . Once the whole tree is finished labelling, the rows of LSSS matrix can be built by the vectors. Finally, if the vectors have various lengths, we pad with 0’s at the end on the shorter ones to achieve the same length vectors.

3.4. Definition and Security Model of Lightweight Fine-Grained Keyword Search over Encrypted Data

The following algorithms are involved in our lightweight fine-grained keyword search system.(i). Inputting the security parameter and the attribute universe description, produce the master secret key and the public parameter .(ii). Upon input , , and an attribute set of a user, create the secret key for users.(iii). Upon input , a keyword , an access Boolean formula , and the message , generate the ciphertext with encrypted keyword.(iv). On input , , the picked keyword , and , produce a search token for keyword search and a retrieval key for message recovery.(v). On input , , , and , retrieve the intended keyword and then generate the simpler transformed ciphertext .(vi). On input , , , and , determine the correctness of the decrypted plaintext message and then recover if the determined result is true.

Security Model. The security model for our scheme comprises two following probabilistic games between an adversary and a challenger . These two games are used to prove that not only chosen plaintext attack (CPA) but also chosen keyword attack (CKA) can be resisted by our scheme.

CPA-security:(i) Init. The challenge access policy is picked-then-committed to the challenge by the adversary .(ii) Setup. algorithm is done by to gain public parameter and master secret key . After that, is sent to .(iii) Phase 1&2. oracle is adaptively queried by to obtain secret key by submitting a user attribute where .(iv) Challenge. Two messages satisfying picked by are provided to . Then, a coin is first randomly flipped by and then the partially generated ciphertext by running is transmitted to .(v) Guess. A guess upon is returned by .

CKA-Security:(i) Init. The challenge access policy is picked-then-committed to the challenge by the adversary .(ii) Setup. algorithm is done by to gain public parameter and master secret key . After that, is sent to .(iii) Phase 1&2. oracle is adaptively queried by to gain keyword trapdoor by submitting a user attribute where .(iv) Challenge. Two keywords meeting picked by are provided to . Then, a coin is first randomly flipped by and then the partially generated ciphertext by running is transmitted to .(v) Guess. A guess upon is returned by .

4. System Model

The system architecture and threat model are presented in the following.

4.1. System Architecture

Figure 1 expressively illustrates the architecture of our proposed scheme, mainly comprising three kinds of entities: the cloud server, the wireless body area networks (WBANs) and the healthcare providers, in which the last two entities are correspondingly regarded as data owners and data users. The function of each entity is described in detail below.(i)WBANs (Data Owner). Tiny wireless sensors commonly surface-attached on patients’ body are comprised in a WBAN. These wireless sensors are employed to monitor the vital physiology parameters such as diabetes, heart rate, and asthma. The collected health data are first aggregated and then delivered to a smart device. After that, keyword to elucidate the information of health data is extracted. Subsequently, the health data with its keyword information are together encrypted into a ciphertext under a self-chosen access policy. Lastly, the encrypted health data are outsourced to the cloud server for remotely sharing data.(ii)Healthcare provider (Data User). Healthcare providers in our architecture are viewed as data users. Every user owns a list of attributes and red should be allowed to retrieve the encrypted health data relied upon his/her possessed attributes. To search and access the encrypted health data, the data user first creates the keyword trapdoor according to his/her private key and delegates it via wireless channel (e.g., Wifi, Zigbee, and GPRS) to the cloud server for data retrieval. After receiving the returned ciphertex of health data, the data user then decrypts it and verifies the correctness of decryption.(iii)Cloud Server. The cloud server has almost unlimited storage and computing resources to perform remote storage tasks and respond on data search requests. Besides, in our architecture, the cloud server can also help data user to transform the complex ciphertext of health data into a simple one such that the encrypted health data can be deciphered by the data user in a lightweight way.

Figure 1: The architecture of our proposed system.

Here, note that a fully trusted entity that is called the key generation centre takes charges of authenticating the attributes of users and distributing secret key to data users, which is not provided in our system architecture.

4.2. Threat Model

We suppose that key generation centre is a completely reliable entity and the server is considered as semitrusted and curious. In detail, cloud server is deemed to follow the predefined operations to implement the retrieval task over the encrypted health data but is still curious to gain some sensitive information from the trapdoor or the encrypted health data. Besides, the cloud server may give the incorrectly transformed ciphertext back to the delegated data user for saving its computation resources or bandwidth. In our threat model, all malicious hackers are supposed to own polynomial time bounded computation ability such that they cannot solve the hardness problems.

5. Proposed System

In this section, we first give our system overview and afterward present the detailed construction.

5.1. System Overview

The highlight of our proposed system is to ease the computation overburdens on the user’s smart device. The desirable way for data retrieval and data access is to migrate much of the computation-heavy tasks to the cloud server such that data users with the smart device only require to perform certain marginal operations.

The system workflow is in detail described below (shown in Figure 2):(1)The patient P first asks to join the proposed system. As a response, the healthcare authority (HA) first authenticates the attributes of P and generates the key pair (private key and public key) by implementing Setup & KeyGen algorithm.(2)The health data of P are collected and aggregated to a smart device via a WBAN. The P extracts a keyword to describe the health data. Then, both the keyword and health data are created in the form of ciphertext by performing Encrypt algorithm. Then P connects via patient’s gateway to the cloud server and transmits the encrypted health data with its keyword information. During this process, the access policy picked by the P is also attached to the encrypted health data.(3)When an authorized health provider (HP) intends to issue data retrieval and data access request, HP first produces a keyword trapdoor by using Trapdoor algorithm and delivers it to the cloud server via a monitoring application.(4)Once gaining the request of search and access, the cloud server uses Search algorithm to discover the matched health data and transform the complex ciphertext into a simpler ciphertext, which is then delivered to the HP.(5)After downloading the simpler ciphertext about health data of the P, HP recovers the health data and checks the correctness of decryption by performing Decrypt algorithm.

Figure 2: The workflow of our system architecture.
5.2. Concrete Construction

. Master secret key and public system parameter are produced below according to input security parameter and attribute universe description. Let denote the maximal number of attributes in the system and = express the bilinear group system. This algorithm first chooses integers and one generator of in random manners. As well, it selects group elements from and two hash functions , . Finally, it publishes and keeps secretly.

. On input an attribute set of a user, the public parameter , and the system master key , this algorithm creates the secret key for the user as follows: This algorithm first picks and then computes the secret key for the user as , . Note that user just requires to keep secret and the rest of other secret key could be published to the public domain [23].

. Upon input the public parameter , a keyword , an access Boolean formula , and the message , this algorithm performs the following procedures: The DNF access policy is described as , where is an attribute set, and denotes the size of .(1)For the certain keyword , this algorithm first chooses , this algorithm computes , , .(2)For the plaintext message, it first selects and sets . After that, is selected and -bit string is concatenated after the plaintext message , which will be exploited to proceed decryption verification. Besides, it computes and , . Then, it compares between and . If , it computes , , . Else, it reverts to the encryption of the scheme [25]. This algorithm first sets up an LSSS matrix that denotes a map and a Boolean formula . Next, it picks a vector . For to , is calculated, where the vector is equivalent to -th row of matrix . Subsequently, it calculates , where .(3)It finally outputs the ciphertext with a description of . Or, it returns the ciphertext with a description of .

. When a user intends to access the data containing the queried keyword, the search token can be created as follows: it randomly selects and subsequently calculates the search token as , and sets retrieval key , where , , , , , , .

. On input the attribute set of the user, the search token , the public parameter , and the ciphertext , this algorithm first checks the number elements of in and whether or not the set of user attributes contents the access policy.(1)If and the set of user attributes meets the access policy, it computes If the attribute set matches the access policy and , let denote a collect of constants satisfying if the shares of are valid. It computes Otherwise, it aborts and returns .(2)It checks whether . If it holds, it returns the outsourced ciphertext . Otherwise, it also aborts and returns .

. This algorithm executes the following process to recover the encrypted value . After that, it computes and . Then, it judges whether a redundancy is affixed after the decrypted message. If holds, could be gained in the way of truncating -bit string. Otherwise, it indicates the returned result from the cloud server is incorrect and outputs the symbol .

6. Security Analysis

The elaborated security analysis to be presented in this part proves that our scheme is secure. Specifically, not only CPA-security but also CKA-security can be reached. The following two theorems are utilized to prove its security of the formulated scheme.

Theorem 3. Our scheme is said to reach the CPA-security under the modified BDHE problem.

Proof. Provided that the adversary can breach our scheme, then there exists another algorithm that could be built to address the modified BDHE problem by exploiting the interaction chance with . Given the modified BDHE-assumption instance , , . avails of and simulates the process of the game to determine if , or is an element randomly chosen from .

Setup. A challenge access policy is picked by and sent to . Here suppose that denotes the size of the challenge access policy , where are disjoint sets. Then creates by considering the cases below.(i)Case 1. If , the process of the public system parameter generation in our scheme is almost the same as that in the scheme [25]. Here we refer readers to the proof in [25]. It is worth noting that the modified BDHE assumption is an extension of the BDHE assumption.(ii)Case 2. If , the challenger first builds LSSS matrix . Next, picks and sets . Next, discovers disjoint sets of rows of , where . is described as . Then, the vector is implicitly defined by such that . Specifically, for . In addition, also discovers set satisfying . For each , if , where there exists an index , then picks and computes . Otherwise, picks and computes . Finally, is published by .

Phase 1&2. The challenger generates the secret key as follows: first issues the set of indices of attributes to ; here (this means that the set of indices of attributes does not match the matrix ). A vector , satisfying and the inner product , is first picked by . Then, picks and computes where

For if there exists no matching , computes . For such that there exists an index matching ; computes . Note that . Thus, the partial secret key can be created as .

Challenge. Two plaintext messages and with equal length are picked-then-delivered to . Then, selects and subsequently computes as follows: Note that here we use instead of the selected symmetry key to simulate the whole game.

Guess. A guess with upon is responded by , then gives to guess if holding . Otherwise, guesses that is an element randomly picked from

Theorem 4. The proposed scheme is said to achieve the CKA-security in the general bilinear group model, where is regarded as a random oracle.

Proof. In this game, the adversary will intend to distinguish from . Given , the probability of distinguishing from is the same as that of differentiating from . If has an advantage in breaching this game, then has the same advantage in differentiating from . In this way, we can modify the above game as that can distinguish from . The elaborated proof of the modified game is explained below.(i)Setup. The challenger randomly picks , transmits the produced tuple to . Subsequently, chooses an access policy and sends it to . Lastly, proceeds the following simulation. Concretely, if submits the attribute that has not been issued before, picks , then added to the list and returns . Otherwise, directly returns by picking out from .(ii)Phase 1&2. will query and to gain secret key and search token below.(a): After receiving the attribute set from , first chooses and computes , , , , . Then, returns the secret key .(b): queries the oracle to get . Then, chooses and produces the search token , , where , , , , , , and also embeds the keyword into the keyword list .(iii)Challenge. On giving two challenge keywords with equal length, where , first chooses . Next, picks a random bit . If , then computes and returns , , , and . Otherwise, sets and returns , , , and . Finally, sends the challenge ciphertext to . We can gain that if can build for some which is comprised by the outputs in 1&2, then can differentiate from . Here, we still require to demonstrate that for some could be built by with a negligible advantage. That is to say, cannot breach the CKA game with a nonnegligible advantage.

In the general group, given the two groups and , where and are two random injective maps from into a set of elements, can guess the image of and with a negligible advantage. So let us consider how to construct for . Since only the term contains the element , so in order to build the , must include the factor . In other words, and desires to build . Here, can use and to get . Although can get , still needs to cancel by using , , , and . However, cannot build these items since can only be built on the condition that the attributes content the access policy . Therefore, we cannot derive that can breach the CKA game.

7. Performance Analysis

With respect to function, storage cost, and computation overhead, this part presents comparisons among other existing attribute based keyword search schemes and our proposed scheme.

7.1. Qualitative Analysis

Table 1 shows the function comparison with other schemes [1317]. From the Table 1, we can learn that all schemes provide fine-grained keyword search. Data sharing is achieved in our scheme and [14, 16, 17]. Verifiable decryption among [14, 16, 17] and ours is only dealt with in our scheme. In summary, our scheme is only one that can achieve all functionalities including fine-grained keyword search and data sharing and verifiable decryption.

Table 1: Function comparison with other schemes.

Table 2 presents performance comparisons with other schemes with regard to the storage and computation overhead. In this table, , , and denote the sizes of public parameter, secret key, ciphertext and trapdoor. Let and in turn represent the sizes of attribute set and universe attribute set. Denote as the number of rows in the matrix. In addition, an element bit length in corresponding group , , and is denoted as , , and . Let , stand for the time consuming in modular exponentiations on group , , and be time cost in a bilinear pairing, respectively.

Table 2: Storage and computation overhead comparison with other schemes.

Table 2 shows that our proposed scheme has optimal sizes no matter what the sizes are secret key size, ciphertext size, and even trapdoor size. Besides, it has higher computation efficiency on encryption, search, and decryption algorithm. The detailed analyzing is presented as follows: It is easy to see that our scheme consists of an element size on group and element sizes on group . Obviously, it is much more smaller than that in [14, 15, 17]. For the secret key size, our scheme only has an element in group , which is the smallest compared to the other schemes. For user’s resource-limited mobile device, smaller secret key size commonly implies smaller storage cost. Our scheme also has a smaller size in both the ciphertext size and trapdoor size. For the computation overhead for encryption, search, and decryption, our scheme could use exponentiation operations on group and an exponentiation on group for encryption. which has a little higher than that in other schemes. For the computation overhead of search, our scheme has three bilinear pairing operations and exponentiation operations on group , which reaches the best efficiency compared to other schemes, since the time consuming of other schemes follows linear relationship with the number of bilinear pairing operations whereas it in ours is growing linearly with the amount of exponentiation operations on group . For the computation overhead on decryption, only our scheme can achieve constant computation while other schemes cannot achieve it. This signifies that our scheme is still stable even though the number of involved attributes are too lager, which makes our scheme practical for the mobile device.

7.2. Experimental Result

The type A elliptic curve of 160-bit group order in pbc library [26], as the best curve to produce the fast bilinear pairing, is picked for experimental test, which is commonly deemed to have 80-bit security level. The curve expression is denoted as over finite field. Both group and with same prime order are subgroup of . Then, we can get bytes, bytes. In our experiment test, data owners equipped with personal computers (PC) are commonly considered to have abundant resources to perform encryption to produce the data ciphertext, which will be remotely shared on the cloud server, which has powerful computing capabilities to perform the search and outsourcing decryption tasks. Due to the capacity limited mobile devices, end users (data users) require to delegate the computation-intensive operation of search and decryption to cloud server for releasing their burdens such that few lightweight operations are only done by themselves. Here, we proceed our experimental simulation according to the data from Yang et al.’s scheme [27]. More concretely, the computation times on PC for a bilinear pairing operation, an exponentiation on group , and an exponentiation on group are 18.02ms, 9.17ms, and 2.78ms, respectively. The computation times on smart phone for those are 195.11ms, 90.12ms, and 33.40ms. Note that PC and smart phone act as cloud server and data user, respectively. Here, the schemes [14, 16, 17] achieving keyword search and data access simultaneously are compared to our scheme in terms of the storage and computation overhead in Figure 3. In detail, the secret key size comparison, ciphertext size comparison, and trapdoor size comparison are given in Figures 3(a), 3(b), and 3(c), respectively. The encryption time comparison, search time comparison, and decryption time comparison are given, respectively, in Figures 3(d), 3(e), and 3(f). It is explicit to see that our scheme has a satisfactory performance in smaller secret key size, trapdoor size, and decryption cost.

Figure 3: Storage and computation overhead comparison.

In summary, our proposed scheme is almost superior to the existing related schemes since it has an extremely lightweight data access, which proves that our scheme is more feasible if being applied in IoT applications.

8. Conclusion

In this paper, a lightweight search with fine-granularity over encrypted data in WBANs is proposed. With our proposed scheme, the healthcare provider can achieve fast keyword search and lightweight verifiable decryption in the manner of fine-granularity. In addition, this paper also formally defines the security of the proposed scheme and proves its security in the random oracle. Finally, the qualitative analysis and practical simulations to be presented in this paper confirm that our proposed scheme is indeed of high efficiency and good feasibility for WBANs. Constructing a scheme that achieves conjunctive keyword search, attribute update, or the verifiability for both decryption and search would be our main future focus.

Data Availability

The data used to support the findings of this study are included within the article. In detail, please refer to the detailed descriptions in experimental result part.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work is supported by NSFC (no. 61472064).


  1. S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, “Wireless body area networks: a survey,” IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014. View at Publisher · View at Google Scholar · View at Scopus
  2. M. Li, W. J. Lou, and K. Ren, “Data security and privacy in wireless body area networks,” IEEE Wireless Communications Magazine, vol. 17, no. 1, pp. 51–58, 2010. View at Publisher · View at Google Scholar · View at Scopus
  3. D. Chen, N. Zhang, R. Lu, N. Cheng, K. Zhang, and Z. Qin, “Channel Precoding Based Message Authentication in Wireless Networks: Challenges and Solutions,” IEEE Network, pp. 1–7. View at Publisher · View at Google Scholar
  4. Q. Wang, D. Chen, and N. Zhang, “LACS: A Lightweight Label-Based Access Control Scheme in IoT-Based 5G Caching Context,” IEEE Access, 4027 pages, 2017. View at Publisher · View at Google Scholar
  5. D. X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proceedings of the IEEE Symposium on Security and Privacy (S&P '00), pp. 44–55, IEEE, Berkeley, Calif, USA, May 2000. View at Publisher · View at Google Scholar · View at Scopus
  6. D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 506–522, Springer, Berlin, Germany, 2004. View at Publisher · View at Google Scholar
  7. H. Li, D. Liu, Y. Dai, T. H. Luan, and S. Yu, “Personalized search over encrypted data with efficient and secure updates in mobile clouds,” IEEE Transactions on Emerging Topics in Computing, vol. 6, no. 1, pp. 97–109, 2018. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. Miao, J. Ma, and Z. Liu, “Revocable and anonymous searchable encryption in multi-user setting,” Concurrency Computation, vol. 28, no. 4, pp. 1204–1218, 2016. View at Publisher · View at Google Scholar · View at Scopus
  9. Y. Yang and M. Ma, “Conjunctive keyword search with designated tester and timing enabled proxy re-encryption function for e-health clouds,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 4, pp. 746–759, 2016. View at Publisher · View at Google Scholar · View at Scopus
  10. N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving multi-keyword ranked search over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 1, pp. 222–233, 2014. View at Publisher · View at Google Scholar
  11. C. Liu, L. Zhu, L. Li, and Y. Tan, “Fuzzy keyword search on encrypted cloud storage data with small index,” in Proceedings of the 2011 IEEE International Conference on Cloud Computing and Intelligence Systems, CCIS2011, pp. 269–273, China, September 2011. View at Scopus
  12. J. Wang, H. Ma, Q. Tang et al., “Efficient verifiable fuzzy keyword search over encrypted data in cloud computing,” Computer Science and Information Systems, vol. 10, no. 2, pp. 667–684, 2013. View at Publisher · View at Google Scholar · View at Scopus
  13. S. Hu, Q. Wang, J. Wang, Z. Qin, and K. Ren, “Securing SIFT: privacy-preserving outsourcing computation of feature extractions over encrypted image data,” IEEE Transactions on Image Processing, vol. 25, no. 7, pp. 3411–3425, 2016. View at Publisher · View at Google Scholar · View at Scopus
  14. K. Liang and W. Susilo, “Searchable Attribute-Based Mechanism With Efficient Data Sharing for Secure Cloud Storage,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1981–1992, 2015. View at Publisher · View at Google Scholar · View at Scopus
  15. W. Sun, S. Yu, W. Lou, Y. T. Hou, and H. Li, “Protecting Your Right: Verifiable Attribute-Based Keyword Search with Fine-Grained Owner-Enforced Search Authorization in the Cloud,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 4, pp. 1187–1198, 2016. View at Publisher · View at Google Scholar · View at Scopus
  16. J. G. Li, X. N. Lin, Y. C. Zhang, and J. G. Han, “KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 715–725, 2017. View at Publisher · View at Google Scholar
  17. Y. Miao, J. Ma, X. Liu, J. Weng, H. Li, and H. Li, “Lightweight Fine-Grained Search over Encrypted Data in Fog Computing,” IEEE Transactions on Services Computing, 2018. View at Publisher · View at Google Scholar
  18. V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006. View at Publisher · View at Google Scholar · View at Scopus
  19. J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, May 2007. View at Publisher · View at Google Scholar · View at Scopus
  20. B. Waters, “Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization,” in Public Key Cryptography (PKC '11), pp. 53–70, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  21. X. Fu, X. Nie, T. Wu, and F. Li, “Large universe attribute based access control with efficient decryption in cloud storage system,” The Journal of Systems and Software, vol. 135, pp. 157–164, 2018. View at Publisher · View at Google Scholar · View at Scopus
  22. Q. Wang, D. Chen, N. Zhang, Z. Ding, and Z. Qin, “PCP: A Privacy-Preserving Content-Based Publish-Subscribe Scheme with Differential Privacy in Fog Computing,” IEEE Access, vol. 5, pp. 17962–17974, 2017. View at Publisher · View at Google Scholar · View at Scopus
  23. Q. M. Malluhi, A. Shikfa, and V. C. Trinh, “A ciphertext-policy attribute-based encryption scheme with optimized ciphertext size and fast decryption,” in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (ASIA CCS '17), pp. 230–240, New York, NY, USA, April 2017. View at Publisher · View at Google Scholar · View at Scopus
  24. A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” in Proceedings of the Annual international conference on the theory and applications of cryptographic techniques, pp. 568–588, Springer, Berlin, Heidelberg, 2011. View at Publisher · View at Google Scholar · View at MathSciNet
  25. S. Hohenberger and B. Waters, “Attribute-Based Encryption with Fast Decryption,” in Public-Key Cryptography – PKC 2013, vol. 7778 of Lecture Notes in Computer Science, pp. 162–179, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013. View at Publisher · View at Google Scholar
  26. B. Lynn, Pbc library, 2006,
  27. Y. Yang, X. Liu, R. H. Deng, and Y. Li, “Lightweight Sharable and Traceable Secure Mobile Health System,” IEEE Transactions on Dependable and Secure Computing, 2017. View at Publisher · View at Google Scholar