Research Article Efficient Attribute-Based Secure Data ...downloads.hindawi.com/journals/misy/2016/6545873.pdf · Research Article Efficient Attribute-Based Secure Data ... the secret

Research ArticleEfficient Attribute-Based Secure Data Sharing with HiddenPolicies and Traceability in Mobile Health Networks

Changhee Hahn Hyunsoo Kwon and Junbeom Hur

Department of Computer Science and Engineering Korea University Seoul 136-701 Republic of Korea

Correspondence should be addressed to Junbeom Hur jbhurkoreaackr

Received 26 November 2015 Accepted 12 June 2016

Academic Editor Wenyao Xu

Copyright copy 2016 Changhee Hahn et alThis is an open access article distributed under theCreativeCommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices mHealth systems letpatients and healthcare providers collect and share sensitive information such as electronic and personal health records (EHRs)at any time allowing more rapid convergence to optimal treatment Key to achieving this is securely sharing data by providingenhanced access control and reliability Typically such sharing follows policies that depend on patient and physician preferencesdefined by a set of attributes In mHealth systems not only the data but also the policies for sharing it may be sensitive sincethey directly contain sensitive information which can reveal the underlying data protected by the policy Also since the policiesusually incur linearly increasing communication costs mHealth is inapplicable to resource-constrained environments Lastlyaccess privileges may be publicly known to users so a malicious user could illegally share his access privileges without the riskof being traced In this paper we propose an efficient attribute-based secure data sharing scheme in mHealth The proposedscheme guarantees a hidden policy constant-sized ciphertexts and traces with security analyses The computation cost to theuser is reduced by delegating approximately 50 of the decryption operations to the more powerful storage systems

1 Introduction

mHealth is an abbreviation for mobile health which canencompass a wide range of healthcare technologies suchas mobile computing medical sensors and communicationtechnologies [1] Rapid growth in wireless communicationsavailability and miniaturization of mobile devices and com-puting resources in parallel withmobile andwearable systemscan boost the wide adoption of mHealth Such develop-ments can greatly impact on and reshape the processes ofexisting healthcare services For instance semiconductor-implanted smart intelligent sensors will allow drugs to bedelivered in real time to a personal server when they sensea patient who needs a dose of drugs Personal servers suchas mobile devices supply global connectivity to the storagecenter which can thereby serve clinical healthcare from adistance [2] The storage center holds the information thatforms the electronic health record (EHR) a digital versionof a patientrsquos paper chart Physicians intermittently uploaddiagnostic reports based on their observations of the EHRs

stored in the storage center Figure 1 shows an example ofanmHealthmonitoring and data transfer system Reportedlya growing number of healthcare-specific mobile applicationsare available and it has been estimated that about 500millionpatients around the globe will be in the reach of such apps asof 2015 [3]

EHRs contain sensitive information such as patientsrsquomedical history diagnoses immunization dates allergiesand medications which are bound to the real identities ofpatients That is whoever can freely access the storage centeris able to learn both the identity and clinical information of aspecific patient which clearly threatens the patientrsquos privacyThus privacy concerns are arguably amajor issue and relatedrequirements are enacted nationwide For example in theUnited States compliance to HIPPA (Health InformationTechnology for Economic and Clinical Health Act) encour-ages healthcare providers to not only adopt EHRs but alsokeep them confidential [4] This clearly indicates that EHRsmust be kept under strict conditions and be accessible onlyby the authorized user

Hindawi Publishing CorporationMobile Information SystemsVolume 2016 Article ID 6545873 13 pageshttpdxdoiorg10115520166545873

2 Mobile Information Systems

EEG EOGsensors

ECGrespirationmovement

sensors

SPO2 bloodpressuresensors

Temperaturenoise sensors

Internet

Figure 1 Typical system architecture of mHealth monitoringsystems

Unfortunately standard encryption schemes are not suit-able for mHealth systems for the following reasons [5]

(i) Absence of ProperAccess ControlWell-known encryp-tion schemes such as AES guarantee the confiden-tiality of data if security parameters are well-chosenHowever such schemes are not designed to supportfine-grained access control

(ii) Expensive Key Management Public key encryptionschemes do not support one-to-many relationshipsbetween the ciphertext and decryption key necessi-tating the burdensome distribution and managementof public keys

Since healthcare delivery is a decentralized process tak-ing place across many institutional boundaries standardapproaches to securing health records include role-basedaccess control because the flexible assignment of permissionsto a wide range of user is possible only with fine-grainedaccess control At the same time the confidentiality ofEHRs must be maintained without hindering clinical careby denying legitimate access requests of authorized userssuch as doctors nurses lab technicians researchers andreceptionists [6 7]Thus a variety of policy-based encryptionschemes have been proposed to share data securely andprovide reliable access control [8ndash11] These schemes arepromising in that the accessibility of shared data is dependenton the userrsquos capacity to satisfy a given policy Furthermoreencryptors do not require a priori knowledge of the recip-ients such as identities or certificates Specifically cipher-text policy attribute-based encryption (CP-ABE) allows theconstruction of policies by utilizing attributes as public keysthereby protecting shared data against unauthorized users[12ndash16] As access to EHRs varies across the space of unevendistributions of healthcare providers and consumers andamong population groups with different socioeconomic anddemographic characteristics [17] CP-ABE is a convincingalternative to the conventional cryptographic primitive formHealth CP-ABE can provide fine-grained and flexibleaccess control to the shared data in mHealth systems

It is notable that not only the data but also the policies forsharing that data are sensitive Typically the access policiesmay reveal sensitive information such as the underlyingdata the identity of a patient or symptoms indicating whatdiseases a patient is suffering from To some extent patientsare reluctant to expose such private information preferringinstead to keep their privacy intact through securing both theEHRs and their access policies Although CP-ABE providesa desirable access policy it has one drawback the accesspolicies attached to ciphertexts are public From these accesspolicies unauthorized users can learn information about theunderlying data itself This weakness is known as the policyprivacy problem

To overcome the policy privacy problem several CP-ABEschemes with hidden access policies were proposed [9 18]In these schemes the encryptor-chosen access policies areassociated with each ciphertext in a way hidden such thateven an authorized user learns no information about theunderlying policy other than that he is authorized to decryptAlthough these schemes feature hidden policies they sufferfrom being inefficient that is the ciphertext size is linear withrespect to the number of attributes in the access policy

To limit ciphertext size Zhou et al introduced a CP-ABEscheme which provides both a hidden access policy and aconstant-sized ciphertext [19] However their scheme lacksuser traceability In general most CP-ABE schemes support-ing constant-sized ciphertext or hidden access policies cannottrace malicious users who illegally share their decryptionkeys Specifically the secret keys of policy-based encryptionconsist of sharable attributes so that the decryption keys haveno uniquely identifiable informationThus if amalicious userleaks his decryption key to others then there is no clearevidence indicating that the key belongs to him Although Liet al proposed a CP-ABE scheme featuring a hidden accesspolicy and traceability [20] it lacks constant-sized ciphertextresulting in increased communication and storage costs

Contribution In this paper we propose an efficient attribute-based secure data sharing scheme for mHealth with hiddenpolicies and traceability The proposed scheme enforceshidden access policies with wildcards and supports constant-sized ciphertext regardless of the number of attributesAlso we embed a uniquely identifiable point into eachdecryption key in order to prevent the user from intentionallydistributing the decryption key to others thereby achievingtraceability Additionally the proposed scheme allows usersto outsource part of the decryption process to the morepowerful storage center to minimize computation cost at theuser side Our performance results show that the storagecenter computes almost 50 of the decryption processon behalf of users To the best of our knowledge this isthe first construction that achieves all these functionalitiessimultaneously

Organization The rest of this paper is organized as followsWe begin with a discussion of related work in Section 2 InSection 3 we describe the cryptographic background anddefine a general CP-ABE with a hidden policy constant-sizedciphertext and traceability Section 4 describes the mHealth

Mobile Information Systems 3

architecture and security model In Section 5 we present theconstruction of the proposed scheme in detail followed by aperformance analysis in Section 6 We analyze its security inSection 7 and conclude the paper in Section 8

2 Related Work

The idea of Identity-Based Encryption (IBE) was first intro-duced by Shamir [21] In IBE the encryptor makes an accesspolicy based on an identity and only a user with thematchingidentity obtains the decryption privilege Encryption byidentity however leads to the following limitations lackof one-to-many relationship between the ciphertext anddecryption key and the need for the encryptor to know eachuserrsquos identity in advance Later Sahai andWaters introducedFuzzy Identity-Based Encryption which is the first prototypeof attribute-based encryption (ABE) [22] While the IBEscheme views an identity as a string of characters in ABEan identity is viewed as a set of descriptive attributes (akaidentity set) such as name and affiliation The ABE schemeallows the encryption of a message based on some identityset 120596

1015840 and the decryption ability is given if and only ifa userrsquos set 120596 is close enough to 120596

1015840 to satisfy a system-defined threshold This property enables fine-grained accesscontrol and a one-to-many relationship between a ciphertextand its receivers since anyone whose identity set satisfies agiven threshold can obtain the decryption privilegeHoweverthe threshold semantics are not very expressive and cannotsupport fine-grained access control This drawback meansthat the threshold-based ABE scheme cannot be applied tomore general systems

In CP-ABE [12ndash16] a ciphertext is associated with anaccess policy and decryption keys are labeled with an arbi-trary number of attributes The encryptor specifies an accesspolicy over encryptor-chosen attributes The access right isgiven if and only if the attributes in the decryption keysatisfy the access policy in the ciphertext In these schemeshowever the size of a ciphertext has a linear relationship withthe number of attributes in the access policies resulting ininapplicability for resource-constrained environments

To limit the size of ciphertexts Zhou andHuang proposedconstant-sized CP-ABE (C-CP-ABE) with a logical ANDaccess policy with wildcards [23] This scheme limits thesize of each ciphertext to up to 300 bytes in total where aciphertext consists of encrypted data an access policy and2 bilinear group elements Chen et al further improved theC-CP-ABE scheme in terms of security [24] making it CPA-secure under a well-established assumption in the standardmodel without loss of efficiency Overall these schemessuccessfully make the size of ciphertexts constant Howeverthey reveal the underlying access policy publicly

While previous works feature open access policiesHur introduced a CP-ABE scheme with hidden accesspolicy in smart grid [9] To preserve policy privacy aone-way anonymous key agreement scheme is used as abuilding block in order to replace identity hashes withuser-generated pseudonyms However this scheme does notsupport constant-sized ciphertext Interestingly an efficientCP-ABE scheme with a hidden policy was proposed [19] In

this scheme AND-gate access policies with wildcards areused and each ciphertext header requires 2 bilinear groupelements each of which is limited to 100 bytes in total Alsoaccess policies are obfuscated by computing the intersectionbetween a given access policy and an all-wildcard attributeset This technique however partially leaks the access policybecause unauthorized users can guess at a minimum whichattributes are treated as do not care In addition the user mustrun the decryption algorithm at least once to determinewhether he satisfies the access policy since only decryptionfailure notifies whether the decryption key satisfies theunderlying access policy

The ability to resist illegal key sharing is a highly desirablecharacteristic for ABE To achieve this Li et al introduceda user-accountable CP-ABE scheme that binds user identityin the private key thereby allowing illegally-shared keys tobe traced [25] Although this methodology has also beenadopted by other traceable CP-ABE schemes [26 27] none ofthem fully support either constant-sized ciphertext or hiddenaccess policies In addition to supporting these featuresin this paper we also insert a unique identifier into eachprivate key such that any key can be traced in constant timeregardless of the number of attributes

3 Preliminaries

31 Bilinear Map Let G0be a multiplicative cyclic group of

large prime order 119901 The bilinear map 119890 is defined as follows119890 G

0timesG

0rarr G

1 whereG

1is the codomain of 119890The bilinear

map 119890 has the following properties

(i) Bilinearty 119890(119875119886 119876

119887) = 119890(119875 119876)

119886119887 where forall119875119876 isin

G0 forall119886 119887 isin Zlowast

119901

(ii) Symmetry One has forall119875119876 isin G0 119890(119875 119876) = 119890(119876 119875)

(iii) Nondegeneracy 119890(119892 119892) = 1 where 119892 is the generatorof G

0

(iv) Computability There exists an efficient algorithm tocompute the bilinear map 119890

32 Security Assumption The security of the proposedscheme is based on the Bilinear Diffie-Hellman Exponentassumption (BDHE) [28] Let G

0be a bilinear group of large

prime order 119901 and let 119892 be a generator of G0 The 119870-BDHE

problem inG0is defined as follows Given the vector of 2119870+1

elements

(ℎ 119892 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

) isin G2119870+1

0(1)

as the input where 119892120572119870+1

is not in the vector the goal of thecomputational 119870-BDHE problem is to compute 119890(119892 ℎ)

120572119870+1

Define the set 119884

119892120572119870as

119884119892120572119870

= 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

(2)

Then we have the following definition


Definition 1 (Decisional 119870-BDHE) The decisional 119870-BDHEassumption is said to be hold inG

0if there is no probabilistic

polynomial time adversary who is able to distinguish

⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)120572(119870+1)

⟩

⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)119877

⟩

(3)

with nonnegligible advantage where 120572 119877 isin Z119901and 119892 ℎ isin G

0

are chosen independently and uniformly at random

We exploit Boneh et alrsquos 119897-StrongDiffie-Hellman assump-tion (119897-SDH) to prove traceability [29] Given a (119897 + 1)-tuple (119892 119892

119909 119892

1199092

119892119909119897

) as input where 119909 isin Zlowast

119901is chosen

uniformly at random the 119897-SDH assumption is stated asfollows there is no probabilistic polynomial time adversarywho is able to output (119888 1198921(119909+119888)) isin Zlowast

119901timesG

0with nonnegligible

probability where 119888 is not allowed to be zeroFormally we have the following 119897-SDH assumption

Assumption 2 (119897-SDH) The 119897-Strong Diffie-Hellman prob-lem in G

0is defined as follows given a (119897 + 1)-tuple

(119892 119892119909 119892

1199092

119892119909119897

) as input output (119888 1198921(119909+119888)) isin Zlowast

119901times G

0

An algorithmA has advantage 120598 in solving 119897-SDH inG0if the

following holds

Pr [A (119892 119892119909 119892

1199092

119892119909119897

) = (119888 1198921(119909+119888)

)] ge 120598 (4)

where the probability is over the random choice of 119909 in Zlowast

119901

Definition 3 The 119897-SDH assumption is (119905 120598)-secure if no 119905-time algorithm has advantage at least 120598 in solving the 119897-SDHproblem in G

0

33 Access Policy Given an attribute universe 119880 = 1198601

1198602 119860

119896 each 119860

119894has one of three values 119860

+

119894 119860

minus

119894 119860

lowast

119894

where 119860+

119894denotes that the user has 119860

119894 119860minus

119894denotes that the

user does not have 119860119894or 119860

119894is not a proper attribute of this

user and 119860lowast

119894denotes a wildcard specifying do not care We

define the userrsquos attribute set as follows

Definition 4 Let 119871 = 119860+minus

1 119860

+minus

2 119860

+minus

119896 be a userrsquos

attribute set where 119860+minus

119894isin 119860

+

119894 119860

minus

119894 and 119896 is the order of the

attribute universe Then 119871 = 119871+cup 119871

minus where 119871+

= 119860+

119894|

forall119894 isin 1 119896 and 119871minus

= 119860minus

119894| forall119894 isin 1 119896 One has

119871+cap 119871

minus= 0

Next we define the AND-gate access policy as follows

Definition 5 Let 119882 = 1198601 119860

119896 be an AND-gate access

policy where119860119894isin 119860

+

119894 119860

minus

119894 119860

lowast

119894 Denote 119871 ⊨ 119882 that the userrsquos

attribute set 119871 satisfies119882 Then

119871 ⊨ 119882 lArrrArr 119882 sub 119871 cup 119860lowast

1 119860

lowast

119896 (5)

34 One-Way Anonymous Key Agreement In this paper thekey idea used to obfuscate attributes in the policy starts

from Boneh-Franklin Identity-Based Encryption [30] Intheir scheme a private key generator (PKG) takes the role ofissuing private keys It generates a private key 119889

119894= 119867(ID

119894)119904isin

G0for each user ID

119894using a master secret 119904 where 119867

0 1lowastrarr G

0is a cryptographic hash function

Based on [30] Kate et al proposed a one-way anony-mous key agreement scheme by replacing 119867(ID

119894) with a

pseudonym chosen by each user [31]This scheme guaranteesanonymity for just one receiver when two users engage in itWe give a specific example as follows Suppose Alice and Bobhold identity ID

119860and identity ID

119861 respectively and they are

clients of the same key authority which holds a master secret119904 Given the private key 119889

119860= 119876

119904

119860= 119867(ID

119860)119904 Alice wants to

communicate with Bob without disclosing her identityTo achieve this the key agreement protocol runs as

follows(1) Alice computes119876

119861= 119867(ID

119861) chooses a random 119903

119860isin

Zlowast

119901 sets a pseudonym 119875

119860= 119876

119903119860

119860 and computes the

session key 119870119860119861

= 119890(119889119860 119876

119861)119903119860

= 119890(119876119860 119876

119861)119904119903119860 She

sends the pseudonym 119875119860to Bob

(2) Given his private key 119889119861 Bob computes the session

key 119870119860119861

= 119890(119875119860 119889

119861) = 119890(119876

119860 119876

119861)119904119903119860

In this noninteractive manner the session key is implicitlyauthenticated such that Alice is assured that the no onecan derive the key other than Bob Based on the BDHassumption this protocol is proved to be secure in therandomoraclemodel satisfying unconditional anonymity noimpersonation and session key secrecy To hide the policy weexploit the technique used in [9] as a building block instead ofbuilding a new method for policy obfuscation from scratch

35 Definitions In this section we define a general CP-ABE with hidden policy constant-sized ciphertexts andtraceability capabilities for secure data sharing The schemeconsists of the following seven algorithms

(i) 119878119890119905119906119901 (119896) rarr (119872119870 119875119870) The Setup algorithm takesas input the number of attributes 119896 It outputs apublic key PK and a master key MK and initializes anidentity table 119879 = 0

(ii) 119870119890119910119866119890119899 (119872119870 119875119870 119871 119894119889) rarr (119878119870) The key generationalgorithm takes as input the master key MK thepublic key PK and the userrsquos attribute set 119871 withidentity id It outputs a decryption key SK and insertsid into 119879

(iii) 119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) The encryption algo-rithm takes as input the public key PK an accesspolicy 119882 and a message 119872 It outputs a ciphertextCT such that only the users whose decryption keyssatisfying 119882 should be able to extract 119872 CT isassociated with the obfuscated policy119882

(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870

Λ119906) The token generation

algorithm takes as input the user 119906rsquos secret key SK119906

and a set of attributesΛ ⊨ 119882 It outputs a tokenTKΛ119906

(v) 119875119863119890119888119903119910119901119905 (119879119870

Λ119906 119862119879) rarr (119862119879

1015840) The partial decryp-

tion algorithm takes as input the token and outputs apartially decrypted ciphertext CT1015840 for a user 119906


(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-

tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption

(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process

In the proposed scheme each public key component ismapped to an attribute value 119860

119894 When encrypting data the

encryptor specifies an access policy 119882 where 119860119894isin + minus lowast

The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882

4 mHealth Architecture

41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows

(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]

(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible

(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably

(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or

receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext

42 Security Model

CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game

(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger

(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK

(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭

119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively

(iv) Challenge The challenger obtains ⟨1198620 119862

1⟩Key by

running the Encrypt algorithm The challenger setsKey

0= Key and picks a random Key

1of the same

length as Key0 It then flips a random coin 120573 isin 0 1

and gives ⟨1198620 119862

1⟩Key

120573 to the adversary

(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1

The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game

The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816

Pr [1205731015840 = 120573] minus

1

2

1003816100381610038161003816100381610038161003816

(6)

Traceability The traceability definition for the proposedscheme is described by the following security game

(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary

(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id

1 119871

1) (id

119902 119871

119902) correspond to

decryption keys(iii) KeyForgery The adversary outputs a decryption key

SKlowast

The adversary wins the game if the following holds

(1) Trace (PK SKlowast 119879) = perp

(2) Trace (PK SKlowast 119879) notin id

1 id

119902


Storage center User

(1) Encrypt(2) Token

(3) Partially decrypt(4) Decrypt

Encryptor

Figure 2 Overview of the proposed data sharing process

Then the advantage of the adversary in this game is

Pr [Trace (PK SKlowast 119879) notin perp cup id

1 id

119902] (7)

Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game

Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data

5 Proposed Scheme

51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2

52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows

119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860

2 119860

119896

as the attribute universe the proposed scheme has 119870 = 3119896

attribute values such that 119860119894isin 119860

+

119894 119860

minus

119894 119860

lowast

119894 Specifically we

map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896

Let G0be a bilinear group of prime order 119901 The Setup

algorithm chooses a random generator 119892 isin G0and random

120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes

119892119894

= 119892(120572119894) Then it computes V = 119892

120574 and ℎ = 119892120573 The

master and public keys are set to MK = (120572 120573 120574) PK =

(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10

The algorithminitializes an identity table 119879 = 0

119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905

) Assume that eachuser 119906

119905is tagged with an attribute set 119871

119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen

algorithm randomly chooses 119886 119888 isin Zlowast

119901 119903

1 1199032 119903

119896 isin Z

119901

Then it computes 119903 = sum119896

119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)

120573 where 119867 is a hashfunction119867 0 1

lowastrarr G

0

Next the algorithm computes the following

(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894

(ii) For every 119894 isin 119871minus

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896

(iii) For every 119894 isin 119871lowast

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896

The decryption key for user 119906119905is set to

SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)

Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =

1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast

119901 Then it puts a tuple (119888 id

119906119905

) into 119879

and uploads (id119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) to the storage center

119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906

119887 where

each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast

119901and computes 119904

119895=

119890(ℎ119887 119867(119895))119867

1(119904119895) for all 119895 isin 119882 where119867

1is a hash function

119867 G1rarr 0 1

log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867

1(119904119895)

Next the algorithm picks a random 119905 isin Z119901and computes

a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the

message 119872 as 119872Key and computes 119892119905 Then it computes

(Vprod119895isin119882

119892119870+1minus119895

)119905 The ciphertext CT is set to

CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)

The encryptor uploads CT to the storage center

119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905

) When a user 119906119905needs to

access the ciphertext of 119906119887in the storage center with a set

of attributes Λ ⊨ 119882 119906119905receives 119892

119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904

119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it

constructs the token TKΛ119906119905

= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)

Each 119868119895will be used as an index for the obfuscated attribute

119895 The user 119906119905sends TK

Λ119906119905

to the storage center

119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905

from the user119906119905 the storage center checks if each 119868

119895in the token satisfies


Table 1 Comparison of different schemes

Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G

0| + |G

1| 119899-DBDH

Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G

1| DBDH

Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G

1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE

the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id

119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)

for all 119894 isin 119882 Then it computes a production of all 119860119894as

CT1015840 = prod119894isin119882

119860119894 The storage center sends CT1015840 to 119906

119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905

1198621198791015840 119862119879) rarr 119872 or perp On receipt of the

partially decrypted ciphertext CT1015840 from the storage centerthe user 119906

119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)

Then it computes 119861 = prod119894isin119882

119861119894and divides CT1015840 by 119861 Using

the quotient term CT1015840119861 the user concludes decryption asfollows

CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)

The user decrypts 119872Key

119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK

119906is called well-formed if

it passes the following conditions hold

1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)

If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is

in 119879 the algorithm outputs the corresponding id119906 and if not

the algorithm outputs the corresponding id0indicating that

the corresponding identity never appears in 119879 If SK119906is not

well-formed the algorithm outputs ⊤

6 Performance Analysis

In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K

Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901

the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z

119901are ignored

In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations

Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according


0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500

Number of attributes

Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time

0 10 20 30 40 50Number of attributes

KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)

(b) Key generation time


Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)

(d) Token generation time


Decrypt timePDecrypt time

0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)

(e) Decryption and partial decryption time


Trace (1000)Trace (10000)

Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)

(f) Trace time with different number of users

Figure 3 Time costs of different algorithms

to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows

encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token


Table 2 jPBC and PBC benchmark comparison results [33]

Operation jPBC PBCPairing 14654 2688Exponentiation in G

118592 4122

Exponentiation in G119879

2112 0529Exponentiation in Z

1199030068 0087

generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users

Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910

2= 119909

3+ 119909 over the field F

119902for

some prime 119902 = 3mod 4 The order of F119902is some prime

factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G

1and G

119879are reduced by 1447 and

1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749

7 Security Analysis

71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896

decryption proxies Intuitively this attack works successfullyif 119871 cup 119894

1 119894

119909 ⊨ 119882 Based on the CPA security game in

Section 42 we have the following

Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage

Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884

119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1

or a random element in G0

Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884

119892120572119870 119885⟩ as input where 119885 is either

119885 = 119890(119892 ℎ)120572119870+1

or a random valueNext B runs the following CPA game with the role of

challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and

chooses a random 119889 isin Z119901 ThenB computes

V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)

B outputs the public key PK = (119892 119884119892120572119870

V) isin G2119870+10

Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896

For 119894 = 1 119896 B picks 119896 random 119903119894isin Z

119901and sets 119903 =

1199031+sdot sdot sdot+119903

119896 NextB randomly chooses 119886 119888 isin Zlowast

119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)

where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882

for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871

minus and (3) 119894 notin 119882 for all119894 isin 119871

lowastThen each119863

119894is valid such that

119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)

ChallengeB sets 1198620= ℎ and 119862

1= ℎ

119889 and gives the challenge⟨119862

0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892

119905 for some 119905 such that

ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)


Phase 2 Repeat Phase 1

Guess The adversary A outputs a guess 1198871015840 where 119887

1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1

If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884

119892120572119870 119885) = 0] =

12 Note that each decryption proxy 119901119894(119903) simulates a legal

decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903

1198941015840 which is embedded in

119863119894 where 119894 isin 119882 We further define a decryption proxy to

model collusion attacks

Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901

119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896

Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901

119894(119903) The probability that none of

the queries returns a legal decryption key component of any 119902

is (1 minus 119902119901)119897

Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903

1198941015840] = (1minus119902119901)

119897 where 119903 isa randomnumber in the decryption proxy and 119903

1198941015840 is a random

number in the decryption key

Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901

1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898

(119903119898) The probability that none of


is (1 minus (1 minus 119902119901)119897)119898

Proof The probability that one decryption proxy fails isPr [119903 = 119903

1198941015840] = (1 minus 119902119901)

119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)

119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)

we have 3 collusion scenariosas follows

0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem

1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)

1-Collusion If one decryption proxy 119901119894(119903) is used then we

have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)

119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)

1198971205982 advantage in breaking the 119870-BDHE

problem

119898-Collusion If 119898 decryption proxies 1199011198941

(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895

exist119895 le 119898] = (1 minus (1 minus

119902

119901

)

119897

)

119898

(21)

Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem

(1 minus (1 minus (1 minus

119902

119901

)

119897

)

119898

) sdot

120598

2

(22)

72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption

Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897

Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage

B is given an instance of the 119897-SDH problem as followsLet G

0be a bilinear group of prime order 119901 let 119892 isin G

0 let

119890 G0timesG

0rarr G

1be a bilinearmap and let 119886 isin Z

119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897

) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888

119903 119908

119903) isin Zlowast

119901times G

0

satisfying 119908119903

= 1198921(119886+119888

119903) for solving the 119897-SDH problem B

sets 119860119894= 119892

119886119894

for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows

SetupB randomly picks 119902 distinct values 1198881 119888

119902isin Zlowast

119901 Let

119891(119910) be the polynomial 119891(119910) = prod119902

119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the

coefficients of the polynomial 119891(119910)B computes

119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)

B randomly chooses 120572 120574 isin Z119901and computes V = 119892

120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where

119870 = 3119896 = 119897B then givesA the public parameter

PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)

KeyQuery A submits (id119909 119871) to B to request a decryption

key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the

polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)

B randomly chooses 1199031 1199032 119903

119896 isin Z

119901 Then it computes

119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909


FinallyB computes the following

(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896

B responds toA with SKid119909119871119909

as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)

B puts tuple (119888119909 id

119909) into 119879

KeyForgeryA submits toB a decryption key SKlowast

Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK

lowastis well-formed and

119888119903notin 119888

1 1198882 119888

119902 The adversaryrsquos advantage over the game

is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888

119903 119908


119901timesG

0

as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863

1015840) + 120574

minus1for some polynomial

120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902

Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of

gcd(120574minus1 119901)

Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908

119903) is a

solution to the 119897-SDH problem Note that when B chooses(119888119903 119908

119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-

ability say zeroB solves the 119897-SDH problemwith probability

Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]

sdot Pr [ΥA and gcd (120574minus1 119901) = 1]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598

(27)

Thus B can break the 119897-SDH assumption with advantage le

120598

73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867

1(119890(ℎ

119887 119867(119895))) with a random 119887 using the

one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867

1(119890(ℎ

119887 119867(119895))) without having the corresponding

attributes due to 119887 which is chosen uniformly at random by

the encryptor Specifically the storage center does not have119863101584010158401015840

= 119867(119895)120573 which is a secret key component owned by

users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)

120573)

In token generation phase a user computes indices 119868119895=

1198671(119890(119892

119887 119867(119895)

120573)) for each (obfuscated) attribute 119895 Due to

the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users

8 Conclusion

In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea

References

[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for


e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005

[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003

[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013

[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml

[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012

[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011

[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011

[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009

[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013

[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012

[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007

[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007

[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011

[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008

[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009

[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013

[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005

[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004

[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015

[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009

[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985

[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005

[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010

[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011

[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009

[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013

[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013

[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005

[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004

[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001

[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P


Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007

[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006

[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011

[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



EEG EOGsensors

ECGrespirationmovement

sensors

SPO2 bloodpressuresensors

Temperaturenoise sensors

Internet

Figure 1 Typical system architecture of mHealth monitoringsystems

Unfortunately standard encryption schemes are not suit-able for mHealth systems for the following reasons [5]

(i) Absence of ProperAccess ControlWell-known encryp-tion schemes such as AES guarantee the confiden-tiality of data if security parameters are well-chosenHowever such schemes are not designed to supportfine-grained access control

(ii) Expensive Key Management Public key encryptionschemes do not support one-to-many relationshipsbetween the ciphertext and decryption key necessi-tating the burdensome distribution and managementof public keys

Since healthcare delivery is a decentralized process tak-ing place across many institutional boundaries standardapproaches to securing health records include role-basedaccess control because the flexible assignment of permissionsto a wide range of user is possible only with fine-grainedaccess control At the same time the confidentiality ofEHRs must be maintained without hindering clinical careby denying legitimate access requests of authorized userssuch as doctors nurses lab technicians researchers andreceptionists [6 7]Thus a variety of policy-based encryptionschemes have been proposed to share data securely andprovide reliable access control [8ndash11] These schemes arepromising in that the accessibility of shared data is dependenton the userrsquos capacity to satisfy a given policy Furthermoreencryptors do not require a priori knowledge of the recip-ients such as identities or certificates Specifically cipher-text policy attribute-based encryption (CP-ABE) allows theconstruction of policies by utilizing attributes as public keysthereby protecting shared data against unauthorized users[12ndash16] As access to EHRs varies across the space of unevendistributions of healthcare providers and consumers andamong population groups with different socioeconomic anddemographic characteristics [17] CP-ABE is a convincingalternative to the conventional cryptographic primitive formHealth CP-ABE can provide fine-grained and flexibleaccess control to the shared data in mHealth systems

It is notable that not only the data but also the policies forsharing that data are sensitive Typically the access policiesmay reveal sensitive information such as the underlyingdata the identity of a patient or symptoms indicating whatdiseases a patient is suffering from To some extent patientsare reluctant to expose such private information preferringinstead to keep their privacy intact through securing both theEHRs and their access policies Although CP-ABE providesa desirable access policy it has one drawback the accesspolicies attached to ciphertexts are public From these accesspolicies unauthorized users can learn information about theunderlying data itself This weakness is known as the policyprivacy problem

To overcome the policy privacy problem several CP-ABEschemes with hidden access policies were proposed [9 18]In these schemes the encryptor-chosen access policies areassociated with each ciphertext in a way hidden such thateven an authorized user learns no information about theunderlying policy other than that he is authorized to decryptAlthough these schemes feature hidden policies they sufferfrom being inefficient that is the ciphertext size is linear withrespect to the number of attributes in the access policy

To limit ciphertext size Zhou et al introduced a CP-ABEscheme which provides both a hidden access policy and aconstant-sized ciphertext [19] However their scheme lacksuser traceability In general most CP-ABE schemes support-ing constant-sized ciphertext or hidden access policies cannottrace malicious users who illegally share their decryptionkeys Specifically the secret keys of policy-based encryptionconsist of sharable attributes so that the decryption keys haveno uniquely identifiable informationThus if amalicious userleaks his decryption key to others then there is no clearevidence indicating that the key belongs to him Although Liet al proposed a CP-ABE scheme featuring a hidden accesspolicy and traceability [20] it lacks constant-sized ciphertextresulting in increased communication and storage costs

Contribution In this paper we propose an efficient attribute-based secure data sharing scheme for mHealth with hiddenpolicies and traceability The proposed scheme enforceshidden access policies with wildcards and supports constant-sized ciphertext regardless of the number of attributesAlso we embed a uniquely identifiable point into eachdecryption key in order to prevent the user from intentionallydistributing the decryption key to others thereby achievingtraceability Additionally the proposed scheme allows usersto outsource part of the decryption process to the morepowerful storage center to minimize computation cost at theuser side Our performance results show that the storagecenter computes almost 50 of the decryption processon behalf of users To the best of our knowledge this isthe first construction that achieves all these functionalitiessimultaneously

Organization The rest of this paper is organized as followsWe begin with a discussion of related work in Section 2 InSection 3 we describe the cryptographic background anddefine a general CP-ABE with a hidden policy constant-sizedciphertext and traceability Section 4 describes the mHealth



2 Related Work









3 Preliminaries



0timesG

0rarr G

1 whereG



(i) Bilinearty 119890(119875119886 119876

119887) = 119890(119875 119876)



119901



0






elements

(ℎ 119892 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

) isin G2119870+1

0(1)



120572119870+1


119892120572119870as

119884119892120572119870

= 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

(2)






⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)120572(119870+1)

⟩

⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)119877

⟩

(3)


0



119909 119892

1199092

119892119909119897


119901is chosen


119901timesG

0with nonnegligible




(119892 119892119909 119892

1199092

119892119909119897


119901times G

0


following holds

Pr [A (119892 119892119909 119892

1199092

119892119909119897

) = (119888 1198921(119909+119888)

)] ge 120598 (4)


119901


0


1198602 119860

119896 each 119860


+

119894 119860

minus

119894 119860

lowast

119894

where 119860+


119894 119860minus








1 119860

+minus

2 119860

+minus



119894isin 119860

+

119894 119860

minus



minus where 119871+

= 119860+

119894|


= 119860minus


119871+cap 119871

minus= 0


Definition 5 Let 119882 = 1198601 119860



+

119894 119860

minus

119894 119860

lowast




1 119860

lowast

119896 (5)



119894= 119867(ID

119894)119904isin

G0for each user ID


0 1lowastrarr G



119894) with a





119860= 119876

119904

119860= 119867(ID




119861= 119867(ID


119860isin

Zlowast


119860= 119876

119903119860


session key 119870119860119861

= 119890(119889119860 119876

119861)119903119860

= 119890(119876119860 119876

119861)119904119903119860 She



key 119870119860119861

= 119890(119875119860 119889

119861) = 119890(119876

119860 119876

119861)119904119903119860






(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870




(v) 119875119863119890119888119903119910119901119905 (119879119870

Λ119906 119862119879) rarr (119862119879


















42 Security Model







1⟩Key by



1of the same


and gives ⟨1198620 119862

1⟩Key





Pr [1205731015840 = 120573] minus

1

2

1003816100381610038161003816100381610038161003816

(6)




1 119871

1) (id

119902 119871



SKlowast




1 id

119902


Storage center User



Encryptor




1 id

119902] (7)



5 Proposed Scheme




2 119860

119896



+

119894 119860

minus

119894 119860

lowast


map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896




119892119894


120574 and ℎ = 119892120573 The


(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10


119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905



119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen


119901 119903

1 1199032 119903

119896 isin Z

119901


119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)


lowastrarr G

0


(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896


SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)




119906119905

) into 119879


1198921198631015840

119894| forall119894 isin 119871

119906119905



119887 where



119895=

119890(ℎ119887 119867(119895))119867


1is a hash function

119867 G1rarr 0 1


1(119904119895)





119892119870+1minus119895


CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)


119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905





119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it


= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)


119895 The user 119906119905sends TK

Λ119906119905


119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





2 Related Work









3 Preliminaries



0timesG

0rarr G

1 whereG



(i) Bilinearty 119890(119875119886 119876

119887) = 119890(119875 119876)



119901



0






elements

(ℎ 119892 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

) isin G2119870+1

0(1)



120572119870+1


119892120572119870as

119884119892120572119870

= 119892120572 119892

1205722

119892120572119870

119892120572119870+2

1198921205722119870

(2)






⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)120572(119870+1)

⟩

⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)119877

⟩

(3)


0



119909 119892

1199092

119892119909119897


119901is chosen


119901timesG

0with nonnegligible




(119892 119892119909 119892

1199092

119892119909119897


119901times G

0


following holds

Pr [A (119892 119892119909 119892

1199092

119892119909119897

) = (119888 1198921(119909+119888)

)] ge 120598 (4)


119901


0


1198602 119860

119896 each 119860


+

119894 119860

minus

119894 119860

lowast

119894

where 119860+


119894 119860minus








1 119860

+minus

2 119860

+minus



119894isin 119860

+

119894 119860

minus



minus where 119871+

= 119860+

119894|


= 119860minus


119871+cap 119871

minus= 0


Definition 5 Let 119882 = 1198601 119860



+

119894 119860

minus

119894 119860

lowast




1 119860

lowast

119896 (5)



119894= 119867(ID

119894)119904isin

G0for each user ID


0 1lowastrarr G



119894) with a





119860= 119876

119904

119860= 119867(ID




119861= 119867(ID


119860isin

Zlowast


119860= 119876

119903119860


session key 119870119860119861

= 119890(119889119860 119876

119861)119903119860

= 119890(119876119860 119876

119861)119904119903119860 She



key 119870119860119861

= 119890(119875119860 119889

119861) = 119890(119876

119860 119876

119861)119904119903119860






(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870




(v) 119875119863119890119888119903119910119901119905 (119879119870

Λ119906 119862119879) rarr (119862119879


















42 Security Model







1⟩Key by



1of the same


and gives ⟨1198620 119862

1⟩Key





Pr [1205731015840 = 120573] minus

1

2

1003816100381610038161003816100381610038161003816

(6)




1 119871

1) (id

119902 119871



SKlowast




1 id

119902


Storage center User



Encryptor




1 id

119902] (7)



5 Proposed Scheme




2 119860

119896



+

119894 119860

minus

119894 119860

lowast


map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896




119892119894


120574 and ℎ = 119892120573 The


(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10


119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905



119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen


119901 119903

1 1199032 119903

119896 isin Z

119901


119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)


lowastrarr G

0


(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896


SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)




119906119905

) into 119879


1198921198631015840

119894| forall119894 isin 119871

119906119905



119887 where



119895=

119890(ℎ119887 119867(119895))119867


1is a hash function

119867 G1rarr 0 1


1(119904119895)





119892119870+1minus119895


CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)


119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905





119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it


= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)


119895 The user 119906119905sends TK

Λ119906119905


119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)120572(119870+1)

⟩

⟨ℎ 119892 119884119892120572119870

119890 (119892 ℎ)119877

⟩

(3)


0



119909 119892

1199092

119892119909119897


119901is chosen


119901timesG

0with nonnegligible




(119892 119892119909 119892

1199092

119892119909119897


119901times G

0


following holds

Pr [A (119892 119892119909 119892

1199092

119892119909119897

) = (119888 1198921(119909+119888)

)] ge 120598 (4)


119901


0


1198602 119860

119896 each 119860


+

119894 119860

minus

119894 119860

lowast

119894

where 119860+


119894 119860minus








1 119860

+minus

2 119860

+minus



119894isin 119860

+

119894 119860

minus



minus where 119871+

= 119860+

119894|


= 119860minus


119871+cap 119871

minus= 0


Definition 5 Let 119882 = 1198601 119860



+

119894 119860

minus

119894 119860

lowast




1 119860

lowast

119896 (5)



119894= 119867(ID

119894)119904isin

G0for each user ID


0 1lowastrarr G



119894) with a





119860= 119876

119904

119860= 119867(ID




119861= 119867(ID


119860isin

Zlowast


119860= 119876

119903119860


session key 119870119860119861

= 119890(119889119860 119876

119861)119903119860

= 119890(119876119860 119876

119861)119904119903119860 She



key 119870119860119861

= 119890(119875119860 119889

119861) = 119890(119876

119860 119876

119861)119904119903119860






(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870




(v) 119875119863119890119888119903119910119901119905 (119879119870

Λ119906 119862119879) rarr (119862119879


















42 Security Model







1⟩Key by



1of the same


and gives ⟨1198620 119862

1⟩Key





Pr [1205731015840 = 120573] minus

1

2

1003816100381610038161003816100381610038161003816

(6)




1 119871

1) (id

119902 119871



SKlowast




1 id

119902


Storage center User



Encryptor




1 id

119902] (7)



5 Proposed Scheme




2 119860

119896



+

119894 119860

minus

119894 119860

lowast


map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896




119892119894


120574 and ℎ = 119892120573 The


(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10


119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905



119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen


119901 119903

1 1199032 119903

119896 isin Z

119901


119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)


lowastrarr G

0


(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896


SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)




119906119905

) into 119879


1198921198631015840

119894| forall119894 isin 119871

119906119905



119887 where



119895=

119890(ℎ119887 119867(119895))119867


1is a hash function

119867 G1rarr 0 1


1(119904119895)





119892119870+1minus119895


CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)


119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905





119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it


= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)


119895 The user 119906119905sends TK

Λ119906119905


119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in


















42 Security Model







1⟩Key by



1of the same


and gives ⟨1198620 119862

1⟩Key





Pr [1205731015840 = 120573] minus

1

2

1003816100381610038161003816100381610038161003816

(6)




1 119871

1) (id

119902 119871



SKlowast




1 id

119902


Storage center User



Encryptor




1 id

119902] (7)



5 Proposed Scheme




2 119860

119896



+

119894 119860

minus

119894 119860

lowast


map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896




119892119894


120574 and ℎ = 119892120573 The


(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10


119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905



119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen


119901 119903

1 1199032 119903

119896 isin Z

119901


119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)


lowastrarr G

0


(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896


SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)




119906119905

) into 119879


1198921198631015840

119894| forall119894 isin 119871

119906119905



119887 where



119895=

119890(ℎ119887 119867(119895))119867


1is a hash function

119867 G1rarr 0 1


1(119904119895)





119892119870+1minus119895


CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)


119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905





119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it


= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)


119895 The user 119906119905sends TK

Λ119906119905


119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Storage center User



Encryptor




1 id

119902] (7)



5 Proposed Scheme




2 119860

119896



+

119894 119860

minus

119894 119860

lowast


map 119860+

1 119860

+

2 119860

+

119896 to 1 2 119896 119860minus

1 119860

minus

2 119860

minus

119896 to 119896+

1 119896+2 2119896 and 119860lowast

1 119860

lowast

2 119860

lowast

119896 to 2119896+1 2119896+2 3119896




119892119894


120574 and ℎ = 119892120573 The


(119892 1198921 119892

119870 119892119870+2

1198922119870

V ℎ) isin G2119870+10


119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905

119894119889119906119905

) rarr (119878119870119906119905



119906119905

= 119871+

119906119905

cup 119871minus

119906119905

where119871+

119906119905

sub 1 2 119896 and 119871minus

119906119905

sub 119896+1 119896+2 2119896TheKeyGen


119901 119903

1 1199032 119903

119896 isin Z

119901


119894=1119903119894 11986310158401015840

= 119892119903 and 119863 = 119892

119903120574(119886+119888)For all 119895 isin 119871

119906119905

it computes 119863101584010158401015840= 119867(119895)


lowastrarr G

0


(i) For every 119894 isin 119871+

119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 119896


119906119905

compute119863119894= 119892

120574(119888120572119894+1199031198941015840 (119886+119888)) where

1198941015840= 119894 minus 2119896


SK119906119905

= (119863 = 119892119903120574(119886+119888)

119863119894| 119894 isin 119871

+

119906119905

119871minus

119906119905

119871lowast

119906119905

1198631015840

= 11988811986310158401015840= 119892

119903 119863

101584010158401015840= 119867 (119895)

120573

119863119886= 119892

119886)

(8)




119906119905

) into 119879


1198921198631015840

119894| forall119894 isin 119871

119906119905



119887 where



119895=

119890(ℎ119887 119867(119895))119867


1is a hash function

119867 G1rarr 0 1


1(119904119895)





119892119870+1minus119895


CT = (119882 119872Key 1198620 = 119892119905 119862

1

= (Vprod119895isin119882

119892119870+1minus119895

)

119905

id119906119905

119892119887)

(9)


119866119890119899119879119900119896119890119899 (119878119870119906119905

Λ) rarr (119879119870Λ119906119905





119895= 119890(119892

119887 119863

101584010158401015840

119895) = 119890(119892

119887 119867(119895)

120573) Then it


= 119868119895| forall119895 isin Λ 119868

119895= 119867

1(119904119895)


119895 The user 119906119905sends TK

Λ119906119905


119875119863119890119888119903119910119901119905 (119879119870Λ119906119905

119862119879) rarr (1198621198791015840) Given TK

Λ119906119905






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






0| + |G

1| 119899-DBDH


1| DBDH


1| 119897-BDHI

Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G

1| 119899-BDHE


119906119905

1198921198631015840

119894| forall119894 isin 119871

119906119905

) as

119860119894= 119890 (119892

1198631015840

119894 119862

1) = 119890(119892 Vprod

119895isin119882

119892119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892120574+sum119895isin119882

120572119870+1minus119895

)

1205721198941199051198631015840

= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882

120572119870+1minus119895+119894

(10)


CT1015840 = prod119894isin119882


119905

119863119890119888119903119910119901119905 (119875119870 119878119870119906119905



119905computes 119861

119894for all 119894 isin 119882 as

119861119894= 119890(119862

0 ( prod

119895isin119882119895 =119894

119892119870+1minus119895+119894

)

1198631015840

sdot 119863119894)

= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894

120572119870+1minus119895+119894

+119905120574(1198631015840120572119894+119903119894(119886+119888))

(11)




CT1015840

119861

sdot 119890 (119863 1198620) =

CT1015840

119861

sdot 119890 (119892120574119903(119886+119888)

119892119905)

= 119890 (119892 119892)1198631015840119896119905120572119870+1

(12)

Then

(

CT1015840

119861

sdot 119890 (119863 1198620))

11198631015840

= 119890 (119892 119892)119896119905120572119870+1

= 119890 (119892120572119870

119892120572)

119896119905

= 119890 (119892119870 1198921)119896119905

= Key

(13)


119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889

119906or ⊤ SK



1198631015840isin Z

lowast

119901

119863119863119894 119863

10158401015840isin G

2119870+1

0

119890 (119863119886sdot 119892

1198631015840

119863) = 119890 (V 11986310158401015840) = 1

(14)










119901are ignored




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




0 10 20 30 40 500

500

1000

1500

2000

2500

3000

3500

4000

4500


Setu

p tim

e (m

illise

cond

s)

Setup time

(a) Setup time


KeyGen time

0

200

400

600

800

1000

1200

1400

KeyG

en ti

me (

mill

iseco

nds)



Encrypt time

0

200

400

600

800

1000

1200

Encr

ypt t

ime (

mill

iseco

nds)

(c) Encryption time


GenToken time

0100200300400500600700800900

10001100

Gen

Toke

n tim

e (m

illise

cond

s)




0100200300400500600700800900

10001100

Dec

rypt

tim

e (m

illise

cond

s)




Trace (50000)Trace (100000)

0

5

10

15

20

25

30

35

40

Trac

e tim

e (m

illise

cond

s)








118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






118592 4122



1199030068 0087



2= 119909


119902for



1and G



7 Security Analysis



1 119894





119892120572119870 119885)

where 119885 is either 119890(119892 ℎ)120572119870+1




119885 = 119890(119892 ℎ)120572119870+1




V = 119892119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

= 119892120574 (15)


V) isin G2119870+10



119901and sets 119903 =



119901and computes

119863 = (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

)

119903(119886+119888)

= 119892120574119903(119886+119888)

(16)

NextB computes

119863119894= 119892

119889

119894prod

119895isin119882

(119892119870+1minus119895+119894

)

minus119888

sdot prod

119895isin119882

(119892119870+1minus119895

)

minus1199031198941015840 (119886+119888)

(17)






119863119894= (119892

119889(prod

119895isin119882

119892119870+1minus119895

)

minus1

)

119888120572119894+1199031198941015840 (119886+119888)

= 119892120574(119888120572119894+1199031198941015840 (119886+119888))

(18)


1= ℎ


0 119862

1 119885

119896⟩ toA Note that 119862

0= ℎ = 119892


ℎ119889= (119892

119889)

119905

= (119892119889prod

119895isin119882

(119892119870+1minus119895

)

minus1

sdot prod

119895isin119882

(119892119870+1minus119895

))

119905

= (Vprod119895isin119882

(119892119870+1minus119895

))

119905

(19)

and 119885119896= Key if 119885 = 119890(119892 ℎ)

120572(119870+1)




1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






1015840= 0

implies that 119885 = 119890(119892 ℎ)120572119870+1


119892120572119870 119885) = 0] =







119894(119903) = 119892

120574(119888120572119894+119903(119886+119888)) where

119903 isin Z119901and 119894 isin 1 2119896




is (1 minus 119902119901)119897


1198941015840] = (1minus119902119901)


1198941015840 is a random



1198941

(1199031) 119901

1198942

(1199032) 119901

119894119898



is (1 minus (1 minus 119902119901)119897)119898


1198941015840] = (1 minus 119902119901)


119897)119898

In case of 119885 = 119890(119892 ℎ)120572(119870+1)



1003816100381610038161003816100381610038161003816

Pr [B (ℎ 119892 119884119892120572119870

119885) = 0] minus

1

2

1003816100381610038161003816100381610038161003816

ge

120598

2

(20)


have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)



problem


(1199031) 119901

119894119898

(119903119898) are

used then we have

Pr [119903119894119895

= 1199031198941015840

119895


119902

119901

)

119897

)

119898

(21)



119902

119901

)

119897

)

119898

) sdot

120598

2

(22)






0 let

119890 G0timesG

0rarr G


119901B is given

INSDH = (119901G0G

1 119890 119892 119892

119886 119892

119886119897


119903 119908


119901times G

0


= 1198921(119886+119888


sets 119860119894= 119892

119886119894



119902isin Zlowast

119901 Let


119894=1(119910 + 119888

119894) Expand 119891(119910)

and write 119891(119910) = sum119902

119894=0120572119894119910119894 where 120572

0 1205721 120572

119902isin Z

119901are the


119892 larr997888

119902

prod

119894=0

(119860119894)120572119894

= 119892119891(119886)

119892119886larr997888

119902+1

prod

119894=1

(119860119894)120572119894minus1

= 119892119891(119886)sdot119886

(23)


120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892

119894= 119892

(120572119894) where


PK = (119892 1198921 119892

119870 119892119870+2

1198922119870

V) isin G2119870+1

0 (24)



polynomial 119891119909(119910) = 119891(119910)(119910+119888

119909) = prod

119902

119895=1119895 =119909(119910+119888

119895) Expand

119891119909(119910) and write 119891

119909(119910) = sum

119902minus1

119895=0120573119895119910119895 where 120573

0 120573

1 120573

119902minus1isin

Z119901B computes

120590119909larr997888

119902minus1

prod

119895=0

(119860119895)

120573119895

= 119892119891119909(119886)

= 119892119891(119886)(119886+119888

119909)= 119892

1(119886+119888119909) (25)


119896 isin Z


119903 = sum119896

119894=1119903119894 119863

10158401015840= 119892

119903 and119863 = 120590119903120574

119909



(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





(i) For every 119894 isin 119871+

119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 119896


119906 compute 119863

119894= 119892

120574119888119909120572119894

120590

1205741199031198941015840

119909 where1198941015840= 119894 minus 2119896


as

SKid119909119871119909

= (119863 = 120590119903120574

119909 119863

119894| 119894 isin 119871

+

119906 119871

minus

119906 119871

lowast

119906 119863

1015840

= 119888119909 119863

10158401015840= 119892

119903)

(26)


119909) into 119879




119888119903notin 119888

1 1198882 119888



119903 119908


119901timesG

0


1015840) + 120574


120574(119910) = sum119902minus1

119894=0(120574119894119910119894) and some 120574

minus1isin Z

119901 Then 120574

minus1= 0 since

119891(119910) = prod119902

119894=1(119910 + 119888

119894) where 119888

119894isin Zlowast

119901and 119863

1015840notin 119888

1 1198882 119888

119902


gcd(120574minus1 119901)


119903) is a




Pr [ΩSDH (119888119903 119908

119903)]

= Pr [ΩSDH (119888119903 119908

119903) | ΥA] sdot Pr [ΥA]

+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]


+ Pr [ΩSDH (119888119903 119908

119903) | ΥA and gcd (120574

minus1 119901) = 1]



(27)


120598


1(119890(ℎ



1(119890(ℎ






120573)


1198671(119890(119892

119887 119867(119895)



8 Conclusion


Competing Interests


Acknowledgments


References














































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in















Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



Documents

Research Article Efficient Attribute-Based Secure Data ...downloads.hindawi.com/journals/misy/2016/6545873.pdf · Research Article Efficient Attribute-Based Secure Data ... the secret