Upload
doliem
View
225
Download
2
Embed Size (px)
Citation preview
Research ArticleEfficient Attribute-Based Secure Data Sharing with HiddenPolicies and Traceability in Mobile Health Networks
Changhee Hahn Hyunsoo Kwon and Junbeom Hur
Department of Computer Science and Engineering Korea University Seoul 136-701 Republic of Korea
Correspondence should be addressed to Junbeom Hur jbhurkoreaackr
Received 26 November 2015 Accepted 12 June 2016
Academic Editor Wenyao Xu
Copyright copy 2016 Changhee Hahn et alThis is an open access article distributed under theCreativeCommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices mHealth systems letpatients and healthcare providers collect and share sensitive information such as electronic and personal health records (EHRs)at any time allowing more rapid convergence to optimal treatment Key to achieving this is securely sharing data by providingenhanced access control and reliability Typically such sharing follows policies that depend on patient and physician preferencesdefined by a set of attributes In mHealth systems not only the data but also the policies for sharing it may be sensitive sincethey directly contain sensitive information which can reveal the underlying data protected by the policy Also since the policiesusually incur linearly increasing communication costs mHealth is inapplicable to resource-constrained environments Lastlyaccess privileges may be publicly known to users so a malicious user could illegally share his access privileges without the riskof being traced In this paper we propose an efficient attribute-based secure data sharing scheme in mHealth The proposedscheme guarantees a hidden policy constant-sized ciphertexts and traces with security analyses The computation cost to theuser is reduced by delegating approximately 50 of the decryption operations to the more powerful storage systems
1 Introduction
mHealth is an abbreviation for mobile health which canencompass a wide range of healthcare technologies suchas mobile computing medical sensors and communicationtechnologies [1] Rapid growth in wireless communicationsavailability and miniaturization of mobile devices and com-puting resources in parallel withmobile andwearable systemscan boost the wide adoption of mHealth Such develop-ments can greatly impact on and reshape the processes ofexisting healthcare services For instance semiconductor-implanted smart intelligent sensors will allow drugs to bedelivered in real time to a personal server when they sensea patient who needs a dose of drugs Personal servers suchas mobile devices supply global connectivity to the storagecenter which can thereby serve clinical healthcare from adistance [2] The storage center holds the information thatforms the electronic health record (EHR) a digital versionof a patientrsquos paper chart Physicians intermittently uploaddiagnostic reports based on their observations of the EHRs
stored in the storage center Figure 1 shows an example ofanmHealthmonitoring and data transfer system Reportedlya growing number of healthcare-specific mobile applicationsare available and it has been estimated that about 500millionpatients around the globe will be in the reach of such apps asof 2015 [3]
EHRs contain sensitive information such as patientsrsquomedical history diagnoses immunization dates allergiesand medications which are bound to the real identities ofpatients That is whoever can freely access the storage centeris able to learn both the identity and clinical information of aspecific patient which clearly threatens the patientrsquos privacyThus privacy concerns are arguably amajor issue and relatedrequirements are enacted nationwide For example in theUnited States compliance to HIPPA (Health InformationTechnology for Economic and Clinical Health Act) encour-ages healthcare providers to not only adopt EHRs but alsokeep them confidential [4] This clearly indicates that EHRsmust be kept under strict conditions and be accessible onlyby the authorized user
Hindawi Publishing CorporationMobile Information SystemsVolume 2016 Article ID 6545873 13 pageshttpdxdoiorg10115520166545873
2 Mobile Information Systems
EEG EOGsensors
ECGrespirationmovement
sensors
SPO2 bloodpressuresensors
Temperaturenoise sensors
Internet
Figure 1 Typical system architecture of mHealth monitoringsystems
Unfortunately standard encryption schemes are not suit-able for mHealth systems for the following reasons [5]
(i) Absence of ProperAccess ControlWell-known encryp-tion schemes such as AES guarantee the confiden-tiality of data if security parameters are well-chosenHowever such schemes are not designed to supportfine-grained access control
(ii) Expensive Key Management Public key encryptionschemes do not support one-to-many relationshipsbetween the ciphertext and decryption key necessi-tating the burdensome distribution and managementof public keys
Since healthcare delivery is a decentralized process tak-ing place across many institutional boundaries standardapproaches to securing health records include role-basedaccess control because the flexible assignment of permissionsto a wide range of user is possible only with fine-grainedaccess control At the same time the confidentiality ofEHRs must be maintained without hindering clinical careby denying legitimate access requests of authorized userssuch as doctors nurses lab technicians researchers andreceptionists [6 7]Thus a variety of policy-based encryptionschemes have been proposed to share data securely andprovide reliable access control [8ndash11] These schemes arepromising in that the accessibility of shared data is dependenton the userrsquos capacity to satisfy a given policy Furthermoreencryptors do not require a priori knowledge of the recip-ients such as identities or certificates Specifically cipher-text policy attribute-based encryption (CP-ABE) allows theconstruction of policies by utilizing attributes as public keysthereby protecting shared data against unauthorized users[12ndash16] As access to EHRs varies across the space of unevendistributions of healthcare providers and consumers andamong population groups with different socioeconomic anddemographic characteristics [17] CP-ABE is a convincingalternative to the conventional cryptographic primitive formHealth CP-ABE can provide fine-grained and flexibleaccess control to the shared data in mHealth systems
It is notable that not only the data but also the policies forsharing that data are sensitive Typically the access policiesmay reveal sensitive information such as the underlyingdata the identity of a patient or symptoms indicating whatdiseases a patient is suffering from To some extent patientsare reluctant to expose such private information preferringinstead to keep their privacy intact through securing both theEHRs and their access policies Although CP-ABE providesa desirable access policy it has one drawback the accesspolicies attached to ciphertexts are public From these accesspolicies unauthorized users can learn information about theunderlying data itself This weakness is known as the policyprivacy problem
To overcome the policy privacy problem several CP-ABEschemes with hidden access policies were proposed [9 18]In these schemes the encryptor-chosen access policies areassociated with each ciphertext in a way hidden such thateven an authorized user learns no information about theunderlying policy other than that he is authorized to decryptAlthough these schemes feature hidden policies they sufferfrom being inefficient that is the ciphertext size is linear withrespect to the number of attributes in the access policy
To limit ciphertext size Zhou et al introduced a CP-ABEscheme which provides both a hidden access policy and aconstant-sized ciphertext [19] However their scheme lacksuser traceability In general most CP-ABE schemes support-ing constant-sized ciphertext or hidden access policies cannottrace malicious users who illegally share their decryptionkeys Specifically the secret keys of policy-based encryptionconsist of sharable attributes so that the decryption keys haveno uniquely identifiable informationThus if amalicious userleaks his decryption key to others then there is no clearevidence indicating that the key belongs to him Although Liet al proposed a CP-ABE scheme featuring a hidden accesspolicy and traceability [20] it lacks constant-sized ciphertextresulting in increased communication and storage costs
Contribution In this paper we propose an efficient attribute-based secure data sharing scheme for mHealth with hiddenpolicies and traceability The proposed scheme enforceshidden access policies with wildcards and supports constant-sized ciphertext regardless of the number of attributesAlso we embed a uniquely identifiable point into eachdecryption key in order to prevent the user from intentionallydistributing the decryption key to others thereby achievingtraceability Additionally the proposed scheme allows usersto outsource part of the decryption process to the morepowerful storage center to minimize computation cost at theuser side Our performance results show that the storagecenter computes almost 50 of the decryption processon behalf of users To the best of our knowledge this isthe first construction that achieves all these functionalitiessimultaneously
Organization The rest of this paper is organized as followsWe begin with a discussion of related work in Section 2 InSection 3 we describe the cryptographic background anddefine a general CP-ABE with a hidden policy constant-sizedciphertext and traceability Section 4 describes the mHealth
Mobile Information Systems 3
architecture and security model In Section 5 we present theconstruction of the proposed scheme in detail followed by aperformance analysis in Section 6 We analyze its security inSection 7 and conclude the paper in Section 8
2 Related Work
The idea of Identity-Based Encryption (IBE) was first intro-duced by Shamir [21] In IBE the encryptor makes an accesspolicy based on an identity and only a user with thematchingidentity obtains the decryption privilege Encryption byidentity however leads to the following limitations lackof one-to-many relationship between the ciphertext anddecryption key and the need for the encryptor to know eachuserrsquos identity in advance Later Sahai andWaters introducedFuzzy Identity-Based Encryption which is the first prototypeof attribute-based encryption (ABE) [22] While the IBEscheme views an identity as a string of characters in ABEan identity is viewed as a set of descriptive attributes (akaidentity set) such as name and affiliation The ABE schemeallows the encryption of a message based on some identityset 120596
1015840 and the decryption ability is given if and only ifa userrsquos set 120596 is close enough to 120596
1015840 to satisfy a system-defined threshold This property enables fine-grained accesscontrol and a one-to-many relationship between a ciphertextand its receivers since anyone whose identity set satisfies agiven threshold can obtain the decryption privilegeHoweverthe threshold semantics are not very expressive and cannotsupport fine-grained access control This drawback meansthat the threshold-based ABE scheme cannot be applied tomore general systems
In CP-ABE [12ndash16] a ciphertext is associated with anaccess policy and decryption keys are labeled with an arbi-trary number of attributes The encryptor specifies an accesspolicy over encryptor-chosen attributes The access right isgiven if and only if the attributes in the decryption keysatisfy the access policy in the ciphertext In these schemeshowever the size of a ciphertext has a linear relationship withthe number of attributes in the access policies resulting ininapplicability for resource-constrained environments
To limit the size of ciphertexts Zhou andHuang proposedconstant-sized CP-ABE (C-CP-ABE) with a logical ANDaccess policy with wildcards [23] This scheme limits thesize of each ciphertext to up to 300 bytes in total where aciphertext consists of encrypted data an access policy and2 bilinear group elements Chen et al further improved theC-CP-ABE scheme in terms of security [24] making it CPA-secure under a well-established assumption in the standardmodel without loss of efficiency Overall these schemessuccessfully make the size of ciphertexts constant Howeverthey reveal the underlying access policy publicly
While previous works feature open access policiesHur introduced a CP-ABE scheme with hidden accesspolicy in smart grid [9] To preserve policy privacy aone-way anonymous key agreement scheme is used as abuilding block in order to replace identity hashes withuser-generated pseudonyms However this scheme does notsupport constant-sized ciphertext Interestingly an efficientCP-ABE scheme with a hidden policy was proposed [19] In
this scheme AND-gate access policies with wildcards areused and each ciphertext header requires 2 bilinear groupelements each of which is limited to 100 bytes in total Alsoaccess policies are obfuscated by computing the intersectionbetween a given access policy and an all-wildcard attributeset This technique however partially leaks the access policybecause unauthorized users can guess at a minimum whichattributes are treated as do not care In addition the user mustrun the decryption algorithm at least once to determinewhether he satisfies the access policy since only decryptionfailure notifies whether the decryption key satisfies theunderlying access policy
The ability to resist illegal key sharing is a highly desirablecharacteristic for ABE To achieve this Li et al introduceda user-accountable CP-ABE scheme that binds user identityin the private key thereby allowing illegally-shared keys tobe traced [25] Although this methodology has also beenadopted by other traceable CP-ABE schemes [26 27] none ofthem fully support either constant-sized ciphertext or hiddenaccess policies In addition to supporting these featuresin this paper we also insert a unique identifier into eachprivate key such that any key can be traced in constant timeregardless of the number of attributes
3 Preliminaries
31 Bilinear Map Let G0be a multiplicative cyclic group of
large prime order 119901 The bilinear map 119890 is defined as follows119890 G
0timesG
0rarr G
1 whereG
1is the codomain of 119890The bilinear
map 119890 has the following properties
(i) Bilinearty 119890(119875119886 119876
119887) = 119890(119875 119876)
119886119887 where forall119875119876 isin
G0 forall119886 119887 isin Zlowast
119901
(ii) Symmetry One has forall119875119876 isin G0 119890(119875 119876) = 119890(119876 119875)
(iii) Nondegeneracy 119890(119892 119892) = 1 where 119892 is the generatorof G
0
(iv) Computability There exists an efficient algorithm tocompute the bilinear map 119890
32 Security Assumption The security of the proposedscheme is based on the Bilinear Diffie-Hellman Exponentassumption (BDHE) [28] Let G
0be a bilinear group of large
prime order 119901 and let 119892 be a generator of G0 The 119870-BDHE
problem inG0is defined as follows Given the vector of 2119870+1
elements
(ℎ 119892 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
) isin G2119870+1
0(1)
as the input where 119892120572119870+1
is not in the vector the goal of thecomputational 119870-BDHE problem is to compute 119890(119892 ℎ)
120572119870+1
Define the set 119884
119892120572119870as
119884119892120572119870
= 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
(2)
Then we have the following definition
4 Mobile Information Systems
Definition 1 (Decisional 119870-BDHE) The decisional 119870-BDHEassumption is said to be hold inG
0if there is no probabilistic
polynomial time adversary who is able to distinguish
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)120572(119870+1)
⟩
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)119877
⟩
(3)
with nonnegligible advantage where 120572 119877 isin Z119901and 119892 ℎ isin G
0
are chosen independently and uniformly at random
We exploit Boneh et alrsquos 119897-StrongDiffie-Hellman assump-tion (119897-SDH) to prove traceability [29] Given a (119897 + 1)-tuple (119892 119892
119909 119892
1199092
119892119909119897
) as input where 119909 isin Zlowast
119901is chosen
uniformly at random the 119897-SDH assumption is stated asfollows there is no probabilistic polynomial time adversarywho is able to output (119888 1198921(119909+119888)) isin Zlowast
119901timesG
0with nonnegligible
probability where 119888 is not allowed to be zeroFormally we have the following 119897-SDH assumption
Assumption 2 (119897-SDH) The 119897-Strong Diffie-Hellman prob-lem in G
0is defined as follows given a (119897 + 1)-tuple
(119892 119892119909 119892
1199092
119892119909119897
) as input output (119888 1198921(119909+119888)) isin Zlowast
119901times G
0
An algorithmA has advantage 120598 in solving 119897-SDH inG0if the
following holds
Pr [A (119892 119892119909 119892
1199092
119892119909119897
) = (119888 1198921(119909+119888)
)] ge 120598 (4)
where the probability is over the random choice of 119909 in Zlowast
119901
Definition 3 The 119897-SDH assumption is (119905 120598)-secure if no 119905-time algorithm has advantage at least 120598 in solving the 119897-SDHproblem in G
0
33 Access Policy Given an attribute universe 119880 = 1198601
1198602 119860
119896 each 119860
119894has one of three values 119860
+
119894 119860
minus
119894 119860
lowast
119894
where 119860+
119894denotes that the user has 119860
119894 119860minus
119894denotes that the
user does not have 119860119894or 119860
119894is not a proper attribute of this
user and 119860lowast
119894denotes a wildcard specifying do not care We
define the userrsquos attribute set as follows
Definition 4 Let 119871 = 119860+minus
1 119860
+minus
2 119860
+minus
119896 be a userrsquos
attribute set where 119860+minus
119894isin 119860
+
119894 119860
minus
119894 and 119896 is the order of the
attribute universe Then 119871 = 119871+cup 119871
minus where 119871+
= 119860+
119894|
forall119894 isin 1 119896 and 119871minus
= 119860minus
119894| forall119894 isin 1 119896 One has
119871+cap 119871
minus= 0
Next we define the AND-gate access policy as follows
Definition 5 Let 119882 = 1198601 119860
119896 be an AND-gate access
policy where119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Denote 119871 ⊨ 119882 that the userrsquos
attribute set 119871 satisfies119882 Then
119871 ⊨ 119882 lArrrArr 119882 sub 119871 cup 119860lowast
1 119860
lowast
119896 (5)
34 One-Way Anonymous Key Agreement In this paper thekey idea used to obfuscate attributes in the policy starts
from Boneh-Franklin Identity-Based Encryption [30] Intheir scheme a private key generator (PKG) takes the role ofissuing private keys It generates a private key 119889
119894= 119867(ID
119894)119904isin
G0for each user ID
119894using a master secret 119904 where 119867
0 1lowastrarr G
0is a cryptographic hash function
Based on [30] Kate et al proposed a one-way anony-mous key agreement scheme by replacing 119867(ID
119894) with a
pseudonym chosen by each user [31]This scheme guaranteesanonymity for just one receiver when two users engage in itWe give a specific example as follows Suppose Alice and Bobhold identity ID
119860and identity ID
119861 respectively and they are
clients of the same key authority which holds a master secret119904 Given the private key 119889
119860= 119876
119904
119860= 119867(ID
119860)119904 Alice wants to
communicate with Bob without disclosing her identityTo achieve this the key agreement protocol runs as
follows(1) Alice computes119876
119861= 119867(ID
119861) chooses a random 119903
119860isin
Zlowast
119901 sets a pseudonym 119875
119860= 119876
119903119860
119860 and computes the
session key 119870119860119861
= 119890(119889119860 119876
119861)119903119860
= 119890(119876119860 119876
119861)119904119903119860 She
sends the pseudonym 119875119860to Bob
(2) Given his private key 119889119861 Bob computes the session
key 119870119860119861
= 119890(119875119860 119889
119861) = 119890(119876
119860 119876
119861)119904119903119860
In this noninteractive manner the session key is implicitlyauthenticated such that Alice is assured that the no onecan derive the key other than Bob Based on the BDHassumption this protocol is proved to be secure in therandomoraclemodel satisfying unconditional anonymity noimpersonation and session key secrecy To hide the policy weexploit the technique used in [9] as a building block instead ofbuilding a new method for policy obfuscation from scratch
35 Definitions In this section we define a general CP-ABE with hidden policy constant-sized ciphertexts andtraceability capabilities for secure data sharing The schemeconsists of the following seven algorithms
(i) 119878119890119905119906119901 (119896) rarr (119872119870 119875119870) The Setup algorithm takesas input the number of attributes 119896 It outputs apublic key PK and a master key MK and initializes anidentity table 119879 = 0
(ii) 119870119890119910119866119890119899 (119872119870 119875119870 119871 119894119889) rarr (119878119870) The key generationalgorithm takes as input the master key MK thepublic key PK and the userrsquos attribute set 119871 withidentity id It outputs a decryption key SK and insertsid into 119879
(iii) 119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) The encryption algo-rithm takes as input the public key PK an accesspolicy 119882 and a message 119872 It outputs a ciphertextCT such that only the users whose decryption keyssatisfying 119882 should be able to extract 119872 CT isassociated with the obfuscated policy119882
(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870
Λ119906) The token generation
algorithm takes as input the user 119906rsquos secret key SK119906
and a set of attributesΛ ⊨ 119882 It outputs a tokenTKΛ119906
(v) 119875119863119890119888119903119910119901119905 (119879119870
Λ119906 119862119879) rarr (119862119879
1015840) The partial decryp-
tion algorithm takes as input the token and outputs apartially decrypted ciphertext CT1015840 for a user 119906
Mobile Information Systems 5
(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-
tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption
(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process
In the proposed scheme each public key component ismapped to an attribute value 119860
119894 When encrypting data the
encryptor specifies an access policy 119882 where 119860119894isin + minus lowast
The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882
4 mHealth Architecture
41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows
(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]
(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible
(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably
(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or
receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext
42 Security Model
CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game
(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger
(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK
(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭
119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively
(iv) Challenge The challenger obtains ⟨1198620 119862
1⟩Key by
running the Encrypt algorithm The challenger setsKey
0= Key and picks a random Key
1of the same
length as Key0 It then flips a random coin 120573 isin 0 1
and gives ⟨1198620 119862
1⟩Key
120573 to the adversary
(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1
The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game
The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816
Pr [1205731015840 = 120573] minus
1
2
1003816100381610038161003816100381610038161003816
(6)
Traceability The traceability definition for the proposedscheme is described by the following security game
(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary
(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id
1 119871
1) (id
119902 119871
119902) correspond to
decryption keys(iii) KeyForgery The adversary outputs a decryption key
SKlowast
The adversary wins the game if the following holds
(1) Trace (PK SKlowast 119879) = perp
(2) Trace (PK SKlowast 119879) notin id
1 id
119902
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
2 Mobile Information Systems
EEG EOGsensors
ECGrespirationmovement
sensors
SPO2 bloodpressuresensors
Temperaturenoise sensors
Internet
Figure 1 Typical system architecture of mHealth monitoringsystems
Unfortunately standard encryption schemes are not suit-able for mHealth systems for the following reasons [5]
(i) Absence of ProperAccess ControlWell-known encryp-tion schemes such as AES guarantee the confiden-tiality of data if security parameters are well-chosenHowever such schemes are not designed to supportfine-grained access control
(ii) Expensive Key Management Public key encryptionschemes do not support one-to-many relationshipsbetween the ciphertext and decryption key necessi-tating the burdensome distribution and managementof public keys
Since healthcare delivery is a decentralized process tak-ing place across many institutional boundaries standardapproaches to securing health records include role-basedaccess control because the flexible assignment of permissionsto a wide range of user is possible only with fine-grainedaccess control At the same time the confidentiality ofEHRs must be maintained without hindering clinical careby denying legitimate access requests of authorized userssuch as doctors nurses lab technicians researchers andreceptionists [6 7]Thus a variety of policy-based encryptionschemes have been proposed to share data securely andprovide reliable access control [8ndash11] These schemes arepromising in that the accessibility of shared data is dependenton the userrsquos capacity to satisfy a given policy Furthermoreencryptors do not require a priori knowledge of the recip-ients such as identities or certificates Specifically cipher-text policy attribute-based encryption (CP-ABE) allows theconstruction of policies by utilizing attributes as public keysthereby protecting shared data against unauthorized users[12ndash16] As access to EHRs varies across the space of unevendistributions of healthcare providers and consumers andamong population groups with different socioeconomic anddemographic characteristics [17] CP-ABE is a convincingalternative to the conventional cryptographic primitive formHealth CP-ABE can provide fine-grained and flexibleaccess control to the shared data in mHealth systems
It is notable that not only the data but also the policies forsharing that data are sensitive Typically the access policiesmay reveal sensitive information such as the underlyingdata the identity of a patient or symptoms indicating whatdiseases a patient is suffering from To some extent patientsare reluctant to expose such private information preferringinstead to keep their privacy intact through securing both theEHRs and their access policies Although CP-ABE providesa desirable access policy it has one drawback the accesspolicies attached to ciphertexts are public From these accesspolicies unauthorized users can learn information about theunderlying data itself This weakness is known as the policyprivacy problem
To overcome the policy privacy problem several CP-ABEschemes with hidden access policies were proposed [9 18]In these schemes the encryptor-chosen access policies areassociated with each ciphertext in a way hidden such thateven an authorized user learns no information about theunderlying policy other than that he is authorized to decryptAlthough these schemes feature hidden policies they sufferfrom being inefficient that is the ciphertext size is linear withrespect to the number of attributes in the access policy
To limit ciphertext size Zhou et al introduced a CP-ABEscheme which provides both a hidden access policy and aconstant-sized ciphertext [19] However their scheme lacksuser traceability In general most CP-ABE schemes support-ing constant-sized ciphertext or hidden access policies cannottrace malicious users who illegally share their decryptionkeys Specifically the secret keys of policy-based encryptionconsist of sharable attributes so that the decryption keys haveno uniquely identifiable informationThus if amalicious userleaks his decryption key to others then there is no clearevidence indicating that the key belongs to him Although Liet al proposed a CP-ABE scheme featuring a hidden accesspolicy and traceability [20] it lacks constant-sized ciphertextresulting in increased communication and storage costs
Contribution In this paper we propose an efficient attribute-based secure data sharing scheme for mHealth with hiddenpolicies and traceability The proposed scheme enforceshidden access policies with wildcards and supports constant-sized ciphertext regardless of the number of attributesAlso we embed a uniquely identifiable point into eachdecryption key in order to prevent the user from intentionallydistributing the decryption key to others thereby achievingtraceability Additionally the proposed scheme allows usersto outsource part of the decryption process to the morepowerful storage center to minimize computation cost at theuser side Our performance results show that the storagecenter computes almost 50 of the decryption processon behalf of users To the best of our knowledge this isthe first construction that achieves all these functionalitiessimultaneously
Organization The rest of this paper is organized as followsWe begin with a discussion of related work in Section 2 InSection 3 we describe the cryptographic background anddefine a general CP-ABE with a hidden policy constant-sizedciphertext and traceability Section 4 describes the mHealth
Mobile Information Systems 3
architecture and security model In Section 5 we present theconstruction of the proposed scheme in detail followed by aperformance analysis in Section 6 We analyze its security inSection 7 and conclude the paper in Section 8
2 Related Work
The idea of Identity-Based Encryption (IBE) was first intro-duced by Shamir [21] In IBE the encryptor makes an accesspolicy based on an identity and only a user with thematchingidentity obtains the decryption privilege Encryption byidentity however leads to the following limitations lackof one-to-many relationship between the ciphertext anddecryption key and the need for the encryptor to know eachuserrsquos identity in advance Later Sahai andWaters introducedFuzzy Identity-Based Encryption which is the first prototypeof attribute-based encryption (ABE) [22] While the IBEscheme views an identity as a string of characters in ABEan identity is viewed as a set of descriptive attributes (akaidentity set) such as name and affiliation The ABE schemeallows the encryption of a message based on some identityset 120596
1015840 and the decryption ability is given if and only ifa userrsquos set 120596 is close enough to 120596
1015840 to satisfy a system-defined threshold This property enables fine-grained accesscontrol and a one-to-many relationship between a ciphertextand its receivers since anyone whose identity set satisfies agiven threshold can obtain the decryption privilegeHoweverthe threshold semantics are not very expressive and cannotsupport fine-grained access control This drawback meansthat the threshold-based ABE scheme cannot be applied tomore general systems
In CP-ABE [12ndash16] a ciphertext is associated with anaccess policy and decryption keys are labeled with an arbi-trary number of attributes The encryptor specifies an accesspolicy over encryptor-chosen attributes The access right isgiven if and only if the attributes in the decryption keysatisfy the access policy in the ciphertext In these schemeshowever the size of a ciphertext has a linear relationship withthe number of attributes in the access policies resulting ininapplicability for resource-constrained environments
To limit the size of ciphertexts Zhou andHuang proposedconstant-sized CP-ABE (C-CP-ABE) with a logical ANDaccess policy with wildcards [23] This scheme limits thesize of each ciphertext to up to 300 bytes in total where aciphertext consists of encrypted data an access policy and2 bilinear group elements Chen et al further improved theC-CP-ABE scheme in terms of security [24] making it CPA-secure under a well-established assumption in the standardmodel without loss of efficiency Overall these schemessuccessfully make the size of ciphertexts constant Howeverthey reveal the underlying access policy publicly
While previous works feature open access policiesHur introduced a CP-ABE scheme with hidden accesspolicy in smart grid [9] To preserve policy privacy aone-way anonymous key agreement scheme is used as abuilding block in order to replace identity hashes withuser-generated pseudonyms However this scheme does notsupport constant-sized ciphertext Interestingly an efficientCP-ABE scheme with a hidden policy was proposed [19] In
this scheme AND-gate access policies with wildcards areused and each ciphertext header requires 2 bilinear groupelements each of which is limited to 100 bytes in total Alsoaccess policies are obfuscated by computing the intersectionbetween a given access policy and an all-wildcard attributeset This technique however partially leaks the access policybecause unauthorized users can guess at a minimum whichattributes are treated as do not care In addition the user mustrun the decryption algorithm at least once to determinewhether he satisfies the access policy since only decryptionfailure notifies whether the decryption key satisfies theunderlying access policy
The ability to resist illegal key sharing is a highly desirablecharacteristic for ABE To achieve this Li et al introduceda user-accountable CP-ABE scheme that binds user identityin the private key thereby allowing illegally-shared keys tobe traced [25] Although this methodology has also beenadopted by other traceable CP-ABE schemes [26 27] none ofthem fully support either constant-sized ciphertext or hiddenaccess policies In addition to supporting these featuresin this paper we also insert a unique identifier into eachprivate key such that any key can be traced in constant timeregardless of the number of attributes
3 Preliminaries
31 Bilinear Map Let G0be a multiplicative cyclic group of
large prime order 119901 The bilinear map 119890 is defined as follows119890 G
0timesG
0rarr G
1 whereG
1is the codomain of 119890The bilinear
map 119890 has the following properties
(i) Bilinearty 119890(119875119886 119876
119887) = 119890(119875 119876)
119886119887 where forall119875119876 isin
G0 forall119886 119887 isin Zlowast
119901
(ii) Symmetry One has forall119875119876 isin G0 119890(119875 119876) = 119890(119876 119875)
(iii) Nondegeneracy 119890(119892 119892) = 1 where 119892 is the generatorof G
0
(iv) Computability There exists an efficient algorithm tocompute the bilinear map 119890
32 Security Assumption The security of the proposedscheme is based on the Bilinear Diffie-Hellman Exponentassumption (BDHE) [28] Let G
0be a bilinear group of large
prime order 119901 and let 119892 be a generator of G0 The 119870-BDHE
problem inG0is defined as follows Given the vector of 2119870+1
elements
(ℎ 119892 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
) isin G2119870+1
0(1)
as the input where 119892120572119870+1
is not in the vector the goal of thecomputational 119870-BDHE problem is to compute 119890(119892 ℎ)
120572119870+1
Define the set 119884
119892120572119870as
119884119892120572119870
= 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
(2)
Then we have the following definition
4 Mobile Information Systems
Definition 1 (Decisional 119870-BDHE) The decisional 119870-BDHEassumption is said to be hold inG
0if there is no probabilistic
polynomial time adversary who is able to distinguish
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)120572(119870+1)
⟩
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)119877
⟩
(3)
with nonnegligible advantage where 120572 119877 isin Z119901and 119892 ℎ isin G
0
are chosen independently and uniformly at random
We exploit Boneh et alrsquos 119897-StrongDiffie-Hellman assump-tion (119897-SDH) to prove traceability [29] Given a (119897 + 1)-tuple (119892 119892
119909 119892
1199092
119892119909119897
) as input where 119909 isin Zlowast
119901is chosen
uniformly at random the 119897-SDH assumption is stated asfollows there is no probabilistic polynomial time adversarywho is able to output (119888 1198921(119909+119888)) isin Zlowast
119901timesG
0with nonnegligible
probability where 119888 is not allowed to be zeroFormally we have the following 119897-SDH assumption
Assumption 2 (119897-SDH) The 119897-Strong Diffie-Hellman prob-lem in G
0is defined as follows given a (119897 + 1)-tuple
(119892 119892119909 119892
1199092
119892119909119897
) as input output (119888 1198921(119909+119888)) isin Zlowast
119901times G
0
An algorithmA has advantage 120598 in solving 119897-SDH inG0if the
following holds
Pr [A (119892 119892119909 119892
1199092
119892119909119897
) = (119888 1198921(119909+119888)
)] ge 120598 (4)
where the probability is over the random choice of 119909 in Zlowast
119901
Definition 3 The 119897-SDH assumption is (119905 120598)-secure if no 119905-time algorithm has advantage at least 120598 in solving the 119897-SDHproblem in G
0
33 Access Policy Given an attribute universe 119880 = 1198601
1198602 119860
119896 each 119860
119894has one of three values 119860
+
119894 119860
minus
119894 119860
lowast
119894
where 119860+
119894denotes that the user has 119860
119894 119860minus
119894denotes that the
user does not have 119860119894or 119860
119894is not a proper attribute of this
user and 119860lowast
119894denotes a wildcard specifying do not care We
define the userrsquos attribute set as follows
Definition 4 Let 119871 = 119860+minus
1 119860
+minus
2 119860
+minus
119896 be a userrsquos
attribute set where 119860+minus
119894isin 119860
+
119894 119860
minus
119894 and 119896 is the order of the
attribute universe Then 119871 = 119871+cup 119871
minus where 119871+
= 119860+
119894|
forall119894 isin 1 119896 and 119871minus
= 119860minus
119894| forall119894 isin 1 119896 One has
119871+cap 119871
minus= 0
Next we define the AND-gate access policy as follows
Definition 5 Let 119882 = 1198601 119860
119896 be an AND-gate access
policy where119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Denote 119871 ⊨ 119882 that the userrsquos
attribute set 119871 satisfies119882 Then
119871 ⊨ 119882 lArrrArr 119882 sub 119871 cup 119860lowast
1 119860
lowast
119896 (5)
34 One-Way Anonymous Key Agreement In this paper thekey idea used to obfuscate attributes in the policy starts
from Boneh-Franklin Identity-Based Encryption [30] Intheir scheme a private key generator (PKG) takes the role ofissuing private keys It generates a private key 119889
119894= 119867(ID
119894)119904isin
G0for each user ID
119894using a master secret 119904 where 119867
0 1lowastrarr G
0is a cryptographic hash function
Based on [30] Kate et al proposed a one-way anony-mous key agreement scheme by replacing 119867(ID
119894) with a
pseudonym chosen by each user [31]This scheme guaranteesanonymity for just one receiver when two users engage in itWe give a specific example as follows Suppose Alice and Bobhold identity ID
119860and identity ID
119861 respectively and they are
clients of the same key authority which holds a master secret119904 Given the private key 119889
119860= 119876
119904
119860= 119867(ID
119860)119904 Alice wants to
communicate with Bob without disclosing her identityTo achieve this the key agreement protocol runs as
follows(1) Alice computes119876
119861= 119867(ID
119861) chooses a random 119903
119860isin
Zlowast
119901 sets a pseudonym 119875
119860= 119876
119903119860
119860 and computes the
session key 119870119860119861
= 119890(119889119860 119876
119861)119903119860
= 119890(119876119860 119876
119861)119904119903119860 She
sends the pseudonym 119875119860to Bob
(2) Given his private key 119889119861 Bob computes the session
key 119870119860119861
= 119890(119875119860 119889
119861) = 119890(119876
119860 119876
119861)119904119903119860
In this noninteractive manner the session key is implicitlyauthenticated such that Alice is assured that the no onecan derive the key other than Bob Based on the BDHassumption this protocol is proved to be secure in therandomoraclemodel satisfying unconditional anonymity noimpersonation and session key secrecy To hide the policy weexploit the technique used in [9] as a building block instead ofbuilding a new method for policy obfuscation from scratch
35 Definitions In this section we define a general CP-ABE with hidden policy constant-sized ciphertexts andtraceability capabilities for secure data sharing The schemeconsists of the following seven algorithms
(i) 119878119890119905119906119901 (119896) rarr (119872119870 119875119870) The Setup algorithm takesas input the number of attributes 119896 It outputs apublic key PK and a master key MK and initializes anidentity table 119879 = 0
(ii) 119870119890119910119866119890119899 (119872119870 119875119870 119871 119894119889) rarr (119878119870) The key generationalgorithm takes as input the master key MK thepublic key PK and the userrsquos attribute set 119871 withidentity id It outputs a decryption key SK and insertsid into 119879
(iii) 119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) The encryption algo-rithm takes as input the public key PK an accesspolicy 119882 and a message 119872 It outputs a ciphertextCT such that only the users whose decryption keyssatisfying 119882 should be able to extract 119872 CT isassociated with the obfuscated policy119882
(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870
Λ119906) The token generation
algorithm takes as input the user 119906rsquos secret key SK119906
and a set of attributesΛ ⊨ 119882 It outputs a tokenTKΛ119906
(v) 119875119863119890119888119903119910119901119905 (119879119870
Λ119906 119862119879) rarr (119862119879
1015840) The partial decryp-
tion algorithm takes as input the token and outputs apartially decrypted ciphertext CT1015840 for a user 119906
Mobile Information Systems 5
(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-
tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption
(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process
In the proposed scheme each public key component ismapped to an attribute value 119860
119894 When encrypting data the
encryptor specifies an access policy 119882 where 119860119894isin + minus lowast
The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882
4 mHealth Architecture
41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows
(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]
(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible
(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably
(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or
receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext
42 Security Model
CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game
(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger
(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK
(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭
119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively
(iv) Challenge The challenger obtains ⟨1198620 119862
1⟩Key by
running the Encrypt algorithm The challenger setsKey
0= Key and picks a random Key
1of the same
length as Key0 It then flips a random coin 120573 isin 0 1
and gives ⟨1198620 119862
1⟩Key
120573 to the adversary
(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1
The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game
The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816
Pr [1205731015840 = 120573] minus
1
2
1003816100381610038161003816100381610038161003816
(6)
Traceability The traceability definition for the proposedscheme is described by the following security game
(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary
(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id
1 119871
1) (id
119902 119871
119902) correspond to
decryption keys(iii) KeyForgery The adversary outputs a decryption key
SKlowast
The adversary wins the game if the following holds
(1) Trace (PK SKlowast 119879) = perp
(2) Trace (PK SKlowast 119879) notin id
1 id
119902
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 3
architecture and security model In Section 5 we present theconstruction of the proposed scheme in detail followed by aperformance analysis in Section 6 We analyze its security inSection 7 and conclude the paper in Section 8
2 Related Work
The idea of Identity-Based Encryption (IBE) was first intro-duced by Shamir [21] In IBE the encryptor makes an accesspolicy based on an identity and only a user with thematchingidentity obtains the decryption privilege Encryption byidentity however leads to the following limitations lackof one-to-many relationship between the ciphertext anddecryption key and the need for the encryptor to know eachuserrsquos identity in advance Later Sahai andWaters introducedFuzzy Identity-Based Encryption which is the first prototypeof attribute-based encryption (ABE) [22] While the IBEscheme views an identity as a string of characters in ABEan identity is viewed as a set of descriptive attributes (akaidentity set) such as name and affiliation The ABE schemeallows the encryption of a message based on some identityset 120596
1015840 and the decryption ability is given if and only ifa userrsquos set 120596 is close enough to 120596
1015840 to satisfy a system-defined threshold This property enables fine-grained accesscontrol and a one-to-many relationship between a ciphertextand its receivers since anyone whose identity set satisfies agiven threshold can obtain the decryption privilegeHoweverthe threshold semantics are not very expressive and cannotsupport fine-grained access control This drawback meansthat the threshold-based ABE scheme cannot be applied tomore general systems
In CP-ABE [12ndash16] a ciphertext is associated with anaccess policy and decryption keys are labeled with an arbi-trary number of attributes The encryptor specifies an accesspolicy over encryptor-chosen attributes The access right isgiven if and only if the attributes in the decryption keysatisfy the access policy in the ciphertext In these schemeshowever the size of a ciphertext has a linear relationship withthe number of attributes in the access policies resulting ininapplicability for resource-constrained environments
To limit the size of ciphertexts Zhou andHuang proposedconstant-sized CP-ABE (C-CP-ABE) with a logical ANDaccess policy with wildcards [23] This scheme limits thesize of each ciphertext to up to 300 bytes in total where aciphertext consists of encrypted data an access policy and2 bilinear group elements Chen et al further improved theC-CP-ABE scheme in terms of security [24] making it CPA-secure under a well-established assumption in the standardmodel without loss of efficiency Overall these schemessuccessfully make the size of ciphertexts constant Howeverthey reveal the underlying access policy publicly
While previous works feature open access policiesHur introduced a CP-ABE scheme with hidden accesspolicy in smart grid [9] To preserve policy privacy aone-way anonymous key agreement scheme is used as abuilding block in order to replace identity hashes withuser-generated pseudonyms However this scheme does notsupport constant-sized ciphertext Interestingly an efficientCP-ABE scheme with a hidden policy was proposed [19] In
this scheme AND-gate access policies with wildcards areused and each ciphertext header requires 2 bilinear groupelements each of which is limited to 100 bytes in total Alsoaccess policies are obfuscated by computing the intersectionbetween a given access policy and an all-wildcard attributeset This technique however partially leaks the access policybecause unauthorized users can guess at a minimum whichattributes are treated as do not care In addition the user mustrun the decryption algorithm at least once to determinewhether he satisfies the access policy since only decryptionfailure notifies whether the decryption key satisfies theunderlying access policy
The ability to resist illegal key sharing is a highly desirablecharacteristic for ABE To achieve this Li et al introduceda user-accountable CP-ABE scheme that binds user identityin the private key thereby allowing illegally-shared keys tobe traced [25] Although this methodology has also beenadopted by other traceable CP-ABE schemes [26 27] none ofthem fully support either constant-sized ciphertext or hiddenaccess policies In addition to supporting these featuresin this paper we also insert a unique identifier into eachprivate key such that any key can be traced in constant timeregardless of the number of attributes
3 Preliminaries
31 Bilinear Map Let G0be a multiplicative cyclic group of
large prime order 119901 The bilinear map 119890 is defined as follows119890 G
0timesG
0rarr G
1 whereG
1is the codomain of 119890The bilinear
map 119890 has the following properties
(i) Bilinearty 119890(119875119886 119876
119887) = 119890(119875 119876)
119886119887 where forall119875119876 isin
G0 forall119886 119887 isin Zlowast
119901
(ii) Symmetry One has forall119875119876 isin G0 119890(119875 119876) = 119890(119876 119875)
(iii) Nondegeneracy 119890(119892 119892) = 1 where 119892 is the generatorof G
0
(iv) Computability There exists an efficient algorithm tocompute the bilinear map 119890
32 Security Assumption The security of the proposedscheme is based on the Bilinear Diffie-Hellman Exponentassumption (BDHE) [28] Let G
0be a bilinear group of large
prime order 119901 and let 119892 be a generator of G0 The 119870-BDHE
problem inG0is defined as follows Given the vector of 2119870+1
elements
(ℎ 119892 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
) isin G2119870+1
0(1)
as the input where 119892120572119870+1
is not in the vector the goal of thecomputational 119870-BDHE problem is to compute 119890(119892 ℎ)
120572119870+1
Define the set 119884
119892120572119870as
119884119892120572119870
= 119892120572 119892
1205722
119892120572119870
119892120572119870+2
1198921205722119870
(2)
Then we have the following definition
4 Mobile Information Systems
Definition 1 (Decisional 119870-BDHE) The decisional 119870-BDHEassumption is said to be hold inG
0if there is no probabilistic
polynomial time adversary who is able to distinguish
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)120572(119870+1)
⟩
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)119877
⟩
(3)
with nonnegligible advantage where 120572 119877 isin Z119901and 119892 ℎ isin G
0
are chosen independently and uniformly at random
We exploit Boneh et alrsquos 119897-StrongDiffie-Hellman assump-tion (119897-SDH) to prove traceability [29] Given a (119897 + 1)-tuple (119892 119892
119909 119892
1199092
119892119909119897
) as input where 119909 isin Zlowast
119901is chosen
uniformly at random the 119897-SDH assumption is stated asfollows there is no probabilistic polynomial time adversarywho is able to output (119888 1198921(119909+119888)) isin Zlowast
119901timesG
0with nonnegligible
probability where 119888 is not allowed to be zeroFormally we have the following 119897-SDH assumption
Assumption 2 (119897-SDH) The 119897-Strong Diffie-Hellman prob-lem in G
0is defined as follows given a (119897 + 1)-tuple
(119892 119892119909 119892
1199092
119892119909119897
) as input output (119888 1198921(119909+119888)) isin Zlowast
119901times G
0
An algorithmA has advantage 120598 in solving 119897-SDH inG0if the
following holds
Pr [A (119892 119892119909 119892
1199092
119892119909119897
) = (119888 1198921(119909+119888)
)] ge 120598 (4)
where the probability is over the random choice of 119909 in Zlowast
119901
Definition 3 The 119897-SDH assumption is (119905 120598)-secure if no 119905-time algorithm has advantage at least 120598 in solving the 119897-SDHproblem in G
0
33 Access Policy Given an attribute universe 119880 = 1198601
1198602 119860
119896 each 119860
119894has one of three values 119860
+
119894 119860
minus
119894 119860
lowast
119894
where 119860+
119894denotes that the user has 119860
119894 119860minus
119894denotes that the
user does not have 119860119894or 119860
119894is not a proper attribute of this
user and 119860lowast
119894denotes a wildcard specifying do not care We
define the userrsquos attribute set as follows
Definition 4 Let 119871 = 119860+minus
1 119860
+minus
2 119860
+minus
119896 be a userrsquos
attribute set where 119860+minus
119894isin 119860
+
119894 119860
minus
119894 and 119896 is the order of the
attribute universe Then 119871 = 119871+cup 119871
minus where 119871+
= 119860+
119894|
forall119894 isin 1 119896 and 119871minus
= 119860minus
119894| forall119894 isin 1 119896 One has
119871+cap 119871
minus= 0
Next we define the AND-gate access policy as follows
Definition 5 Let 119882 = 1198601 119860
119896 be an AND-gate access
policy where119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Denote 119871 ⊨ 119882 that the userrsquos
attribute set 119871 satisfies119882 Then
119871 ⊨ 119882 lArrrArr 119882 sub 119871 cup 119860lowast
1 119860
lowast
119896 (5)
34 One-Way Anonymous Key Agreement In this paper thekey idea used to obfuscate attributes in the policy starts
from Boneh-Franklin Identity-Based Encryption [30] Intheir scheme a private key generator (PKG) takes the role ofissuing private keys It generates a private key 119889
119894= 119867(ID
119894)119904isin
G0for each user ID
119894using a master secret 119904 where 119867
0 1lowastrarr G
0is a cryptographic hash function
Based on [30] Kate et al proposed a one-way anony-mous key agreement scheme by replacing 119867(ID
119894) with a
pseudonym chosen by each user [31]This scheme guaranteesanonymity for just one receiver when two users engage in itWe give a specific example as follows Suppose Alice and Bobhold identity ID
119860and identity ID
119861 respectively and they are
clients of the same key authority which holds a master secret119904 Given the private key 119889
119860= 119876
119904
119860= 119867(ID
119860)119904 Alice wants to
communicate with Bob without disclosing her identityTo achieve this the key agreement protocol runs as
follows(1) Alice computes119876
119861= 119867(ID
119861) chooses a random 119903
119860isin
Zlowast
119901 sets a pseudonym 119875
119860= 119876
119903119860
119860 and computes the
session key 119870119860119861
= 119890(119889119860 119876
119861)119903119860
= 119890(119876119860 119876
119861)119904119903119860 She
sends the pseudonym 119875119860to Bob
(2) Given his private key 119889119861 Bob computes the session
key 119870119860119861
= 119890(119875119860 119889
119861) = 119890(119876
119860 119876
119861)119904119903119860
In this noninteractive manner the session key is implicitlyauthenticated such that Alice is assured that the no onecan derive the key other than Bob Based on the BDHassumption this protocol is proved to be secure in therandomoraclemodel satisfying unconditional anonymity noimpersonation and session key secrecy To hide the policy weexploit the technique used in [9] as a building block instead ofbuilding a new method for policy obfuscation from scratch
35 Definitions In this section we define a general CP-ABE with hidden policy constant-sized ciphertexts andtraceability capabilities for secure data sharing The schemeconsists of the following seven algorithms
(i) 119878119890119905119906119901 (119896) rarr (119872119870 119875119870) The Setup algorithm takesas input the number of attributes 119896 It outputs apublic key PK and a master key MK and initializes anidentity table 119879 = 0
(ii) 119870119890119910119866119890119899 (119872119870 119875119870 119871 119894119889) rarr (119878119870) The key generationalgorithm takes as input the master key MK thepublic key PK and the userrsquos attribute set 119871 withidentity id It outputs a decryption key SK and insertsid into 119879
(iii) 119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) The encryption algo-rithm takes as input the public key PK an accesspolicy 119882 and a message 119872 It outputs a ciphertextCT such that only the users whose decryption keyssatisfying 119882 should be able to extract 119872 CT isassociated with the obfuscated policy119882
(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870
Λ119906) The token generation
algorithm takes as input the user 119906rsquos secret key SK119906
and a set of attributesΛ ⊨ 119882 It outputs a tokenTKΛ119906
(v) 119875119863119890119888119903119910119901119905 (119879119870
Λ119906 119862119879) rarr (119862119879
1015840) The partial decryp-
tion algorithm takes as input the token and outputs apartially decrypted ciphertext CT1015840 for a user 119906
Mobile Information Systems 5
(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-
tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption
(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process
In the proposed scheme each public key component ismapped to an attribute value 119860
119894 When encrypting data the
encryptor specifies an access policy 119882 where 119860119894isin + minus lowast
The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882
4 mHealth Architecture
41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows
(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]
(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible
(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably
(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or
receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext
42 Security Model
CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game
(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger
(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK
(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭
119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively
(iv) Challenge The challenger obtains ⟨1198620 119862
1⟩Key by
running the Encrypt algorithm The challenger setsKey
0= Key and picks a random Key
1of the same
length as Key0 It then flips a random coin 120573 isin 0 1
and gives ⟨1198620 119862
1⟩Key
120573 to the adversary
(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1
The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game
The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816
Pr [1205731015840 = 120573] minus
1
2
1003816100381610038161003816100381610038161003816
(6)
Traceability The traceability definition for the proposedscheme is described by the following security game
(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary
(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id
1 119871
1) (id
119902 119871
119902) correspond to
decryption keys(iii) KeyForgery The adversary outputs a decryption key
SKlowast
The adversary wins the game if the following holds
(1) Trace (PK SKlowast 119879) = perp
(2) Trace (PK SKlowast 119879) notin id
1 id
119902
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
4 Mobile Information Systems
Definition 1 (Decisional 119870-BDHE) The decisional 119870-BDHEassumption is said to be hold inG
0if there is no probabilistic
polynomial time adversary who is able to distinguish
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)120572(119870+1)
⟩
⟨ℎ 119892 119884119892120572119870
119890 (119892 ℎ)119877
⟩
(3)
with nonnegligible advantage where 120572 119877 isin Z119901and 119892 ℎ isin G
0
are chosen independently and uniformly at random
We exploit Boneh et alrsquos 119897-StrongDiffie-Hellman assump-tion (119897-SDH) to prove traceability [29] Given a (119897 + 1)-tuple (119892 119892
119909 119892
1199092
119892119909119897
) as input where 119909 isin Zlowast
119901is chosen
uniformly at random the 119897-SDH assumption is stated asfollows there is no probabilistic polynomial time adversarywho is able to output (119888 1198921(119909+119888)) isin Zlowast
119901timesG
0with nonnegligible
probability where 119888 is not allowed to be zeroFormally we have the following 119897-SDH assumption
Assumption 2 (119897-SDH) The 119897-Strong Diffie-Hellman prob-lem in G
0is defined as follows given a (119897 + 1)-tuple
(119892 119892119909 119892
1199092
119892119909119897
) as input output (119888 1198921(119909+119888)) isin Zlowast
119901times G
0
An algorithmA has advantage 120598 in solving 119897-SDH inG0if the
following holds
Pr [A (119892 119892119909 119892
1199092
119892119909119897
) = (119888 1198921(119909+119888)
)] ge 120598 (4)
where the probability is over the random choice of 119909 in Zlowast
119901
Definition 3 The 119897-SDH assumption is (119905 120598)-secure if no 119905-time algorithm has advantage at least 120598 in solving the 119897-SDHproblem in G
0
33 Access Policy Given an attribute universe 119880 = 1198601
1198602 119860
119896 each 119860
119894has one of three values 119860
+
119894 119860
minus
119894 119860
lowast
119894
where 119860+
119894denotes that the user has 119860
119894 119860minus
119894denotes that the
user does not have 119860119894or 119860
119894is not a proper attribute of this
user and 119860lowast
119894denotes a wildcard specifying do not care We
define the userrsquos attribute set as follows
Definition 4 Let 119871 = 119860+minus
1 119860
+minus
2 119860
+minus
119896 be a userrsquos
attribute set where 119860+minus
119894isin 119860
+
119894 119860
minus
119894 and 119896 is the order of the
attribute universe Then 119871 = 119871+cup 119871
minus where 119871+
= 119860+
119894|
forall119894 isin 1 119896 and 119871minus
= 119860minus
119894| forall119894 isin 1 119896 One has
119871+cap 119871
minus= 0
Next we define the AND-gate access policy as follows
Definition 5 Let 119882 = 1198601 119860
119896 be an AND-gate access
policy where119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Denote 119871 ⊨ 119882 that the userrsquos
attribute set 119871 satisfies119882 Then
119871 ⊨ 119882 lArrrArr 119882 sub 119871 cup 119860lowast
1 119860
lowast
119896 (5)
34 One-Way Anonymous Key Agreement In this paper thekey idea used to obfuscate attributes in the policy starts
from Boneh-Franklin Identity-Based Encryption [30] Intheir scheme a private key generator (PKG) takes the role ofissuing private keys It generates a private key 119889
119894= 119867(ID
119894)119904isin
G0for each user ID
119894using a master secret 119904 where 119867
0 1lowastrarr G
0is a cryptographic hash function
Based on [30] Kate et al proposed a one-way anony-mous key agreement scheme by replacing 119867(ID
119894) with a
pseudonym chosen by each user [31]This scheme guaranteesanonymity for just one receiver when two users engage in itWe give a specific example as follows Suppose Alice and Bobhold identity ID
119860and identity ID
119861 respectively and they are
clients of the same key authority which holds a master secret119904 Given the private key 119889
119860= 119876
119904
119860= 119867(ID
119860)119904 Alice wants to
communicate with Bob without disclosing her identityTo achieve this the key agreement protocol runs as
follows(1) Alice computes119876
119861= 119867(ID
119861) chooses a random 119903
119860isin
Zlowast
119901 sets a pseudonym 119875
119860= 119876
119903119860
119860 and computes the
session key 119870119860119861
= 119890(119889119860 119876
119861)119903119860
= 119890(119876119860 119876
119861)119904119903119860 She
sends the pseudonym 119875119860to Bob
(2) Given his private key 119889119861 Bob computes the session
key 119870119860119861
= 119890(119875119860 119889
119861) = 119890(119876
119860 119876
119861)119904119903119860
In this noninteractive manner the session key is implicitlyauthenticated such that Alice is assured that the no onecan derive the key other than Bob Based on the BDHassumption this protocol is proved to be secure in therandomoraclemodel satisfying unconditional anonymity noimpersonation and session key secrecy To hide the policy weexploit the technique used in [9] as a building block instead ofbuilding a new method for policy obfuscation from scratch
35 Definitions In this section we define a general CP-ABE with hidden policy constant-sized ciphertexts andtraceability capabilities for secure data sharing The schemeconsists of the following seven algorithms
(i) 119878119890119905119906119901 (119896) rarr (119872119870 119875119870) The Setup algorithm takesas input the number of attributes 119896 It outputs apublic key PK and a master key MK and initializes anidentity table 119879 = 0
(ii) 119870119890119910119866119890119899 (119872119870 119875119870 119871 119894119889) rarr (119878119870) The key generationalgorithm takes as input the master key MK thepublic key PK and the userrsquos attribute set 119871 withidentity id It outputs a decryption key SK and insertsid into 119879
(iii) 119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) The encryption algo-rithm takes as input the public key PK an accesspolicy 119882 and a message 119872 It outputs a ciphertextCT such that only the users whose decryption keyssatisfying 119882 should be able to extract 119872 CT isassociated with the obfuscated policy119882
(iv) 119866119890119899119879119900119896119890119899 (119878119870119906 Λ) rarr (119879119870
Λ119906) The token generation
algorithm takes as input the user 119906rsquos secret key SK119906
and a set of attributesΛ ⊨ 119882 It outputs a tokenTKΛ119906
(v) 119875119863119890119888119903119910119901119905 (119879119870
Λ119906 119862119879) rarr (119862119879
1015840) The partial decryp-
tion algorithm takes as input the token and outputs apartially decrypted ciphertext CT1015840 for a user 119906
Mobile Information Systems 5
(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-
tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption
(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process
In the proposed scheme each public key component ismapped to an attribute value 119860
119894 When encrypting data the
encryptor specifies an access policy 119882 where 119860119894isin + minus lowast
The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882
4 mHealth Architecture
41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows
(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]
(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible
(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably
(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or
receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext
42 Security Model
CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game
(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger
(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK
(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭
119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively
(iv) Challenge The challenger obtains ⟨1198620 119862
1⟩Key by
running the Encrypt algorithm The challenger setsKey
0= Key and picks a random Key
1of the same
length as Key0 It then flips a random coin 120573 isin 0 1
and gives ⟨1198620 119862
1⟩Key
120573 to the adversary
(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1
The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game
The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816
Pr [1205731015840 = 120573] minus
1
2
1003816100381610038161003816100381610038161003816
(6)
Traceability The traceability definition for the proposedscheme is described by the following security game
(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary
(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id
1 119871
1) (id
119902 119871
119902) correspond to
decryption keys(iii) KeyForgery The adversary outputs a decryption key
SKlowast
The adversary wins the game if the following holds
(1) Trace (PK SKlowast 119879) = perp
(2) Trace (PK SKlowast 119879) notin id
1 id
119902
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 5
(vi) 119863119890119888119903119910119901119905 (119875119870 119878119870 1198621198791015840 119862119879) rarr 119872 or perp The decryp-
tion algorithm takes as input the public key PK adecryption key SK and ciphertexts CT1015840 CT If119871 ⊨ 119882then it outputs a message 119872 where 119871 is the userrsquosattribute set and 119882 is the access policy Otherwise itoutputs perp which indicates the failure of decryption
(vii) 119879119903119886119888119890 (119875119870 119878119870 119879) rarr 119894119889 or ⊤ The tracing algorithmtakes as input the public key PK a decryption keySK and the table 119879 It determines whether SK iswell-formed indicating that SK is the real output ofKeyGen If SK is well-formed the algorithm outputsan identity id which corresponds to SK Otherwiseit outputs ⊤ implying that SK is not well-formedThewell-formed decryption key is guaranteed to workcorrectly in the well-formed decryption process
In the proposed scheme each public key component ismapped to an attribute value 119860
119894 When encrypting data the
encryptor specifies an access policy 119882 where 119860119894isin + minus lowast
The decryption succeeds only when the userrsquos attribute set 119871satisfies the (obfuscated) policy119882
4 mHealth Architecture
41 System Model In mHealth systems intelligent wire-less sensors perform data acquisition and processing [32]Individual sensors monitor certain physiological signals andcommunicate with each other and the personal server suchas a tablet PC as shown in Figure 1 Then the personal serverintegrates the data received from the different sensors andplays the role of a gateway by sending data to the upper layerof the mHealth system From a security point of view themHealth system components are categorized as follows
(1) Trust Authority This is a key entity that issues thepublic and secret parameters for the mHealth systemIt publishes diverse access privileges to individualentities based on their attributes The trust authorityis assumed to be fully trusted in the mHealth system[10]
(2) Storage Center This is a data repository center thatstores EHRs In mHealth systems hospitals or clin-ics with certain qualifications certified by the trustauthority can be employed as a storage center It isassumed to be honest-but-curious [10] Thus it willhonestly execute the assigned tasks and like to learnas much information from the encrypted data aspossible
(3) Encryptor This is a patient who generates dataand sends it to the storage center It uses mobiledevices to interact with the storage center Encryptorsare responsible for defining access policy based onattributes obfuscating the policy associating it withthe data and encrypting the data according to the pol-icy Hereafter we will use ldquoencryptorrdquo and ldquopatientrdquointerchangeably
(4) User This includes entities such as the patientphysicians nurses lab technicians researchers or
receptionists who want to access EHRs contained inthe storage center Auserwill be authorized to decrypta ciphertext given by the storage center if and only ifhis key satisfies the access policy of that ciphertext
42 Security Model
CPA Security The security model of the proposed scheme issimilar to that of the CP-ABE scheme with constant-sizedciphertexts [23] except that each key query is labeled withan explicit identity and attributes are obfuscated We firstintroduce the semantic security game A CP-ABE scheme isconsidered to be CPA-secure if no probabilistic polynomialtime adversaries have nonnegligible advantages in the follow-ing CPA security game
(i) Init The adversary chooses a challenge access policy119882 and gives it to the challenger
(ii) Setup The challenger runs the Setup algorithm andgives the adversary the public parameter PK
(iii) Phase 1 The adversary queries the challenger fordecryption keys corresponding to (id 119871) where 119871 ⊭
119882 The challenger answers with a decryption key SKfor 119871 The adversary repeats this phase adaptively
(iv) Challenge The challenger obtains ⟨1198620 119862
1⟩Key by
running the Encrypt algorithm The challenger setsKey
0= Key and picks a random Key
1of the same
length as Key0 It then flips a random coin 120573 isin 0 1
and gives ⟨1198620 119862
1⟩Key
120573 to the adversary
(v) Phase 2 It is the same as Phase 1(vi) Guess The adversary outputs a guess 1205731015840 isin 0 1
The adversary wins the game if 1205731015840 = 120573 under the restrictionthat 119871 cannot satisfy the access policy119882 The adversary mayrun Phase 2 to make multiple key queries in the midst of thechallenge Note that the adversary declares the access policyat the start of the game
The advantage of an adversary in this game is defined as1003816100381610038161003816100381610038161003816
Pr [1205731015840 = 120573] minus
1
2
1003816100381610038161003816100381610038161003816
(6)
Traceability The traceability definition for the proposedscheme is described by the following security game
(i) Setup The challenger runs the Setup algorithm toobtain the public parameter PK Then the challengergives PK to the adversary
(ii) KeyQuery The adversary makes decryption keyqueries 119902-times to the challenger where sets ofattributes (id
1 119871
1) (id
119902 119871
119902) correspond to
decryption keys(iii) KeyForgery The adversary outputs a decryption key
SKlowast
The adversary wins the game if the following holds
(1) Trace (PK SKlowast 119879) = perp
(2) Trace (PK SKlowast 119879) notin id
1 id
119902
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
6 Mobile Information Systems
Storage center User
(1) Encrypt(2) Token
(3) Partially decrypt(4) Decrypt
Encryptor
Figure 2 Overview of the proposed data sharing process
Then the advantage of the adversary in this game is
Pr [Trace (PK SKlowast 119879) notin perp cup id
1 id
119902] (7)
Definition 6 A traceable ciphertext policy attribute-basedencryption scheme is fully traceable if all polynomial timeadversaries have at most negligible advantage in this game
Policy Privacy While sharing data in the mHealth systemthe storage center or unauthorized users must learn noinformation about the attributes associated with the accesspolicy of the encrypted data Also even authorized usersshould not obtain any information about these attributesother than the fact that they are authorized to access the data
5 Proposed Scheme
51 System Architecture The proposed data sharing processin the mHealth system runs as follows An encryptor definesthe access policy with a set of attributes encrypts the EHRsassociated with clinical reports under the policy and uploadsthe ciphertext and the obfuscated policy to the storagecenter When a user wants to access the uploaded data hefirst generates a token using his attributes and sends it tothe storage center If the attributes in the token satisfy theaccess policy then the storage center partially decrypts theciphertext and sends the result to the user Then the userfinishes the decryption of the ciphertext using his secret keyand the partially decrypted ciphertext as inputs The outlineof data sharing process is depicted in Figure 2
52 Scheme Construction The proposed scheme is con-structed on the basis of the following seven algorithms asfollows
119878119890119905119906119901 (119896) rarr (119872119870 119875119870) Given 119896 attributes 1198601 119860
2 119860
119896
as the attribute universe the proposed scheme has 119870 = 3119896
attribute values such that 119860119894isin 119860
+
119894 119860
minus
119894 119860
lowast
119894 Specifically we
map 119860+
1 119860
+
2 119860
+
119896 to 1 2 119896 119860minus
1 119860
minus
2 119860
minus
119896 to 119896+
1 119896+2 2119896 and 119860lowast
1 119860
lowast
2 119860
lowast
119896 to 2119896+1 2119896+2 3119896
Let G0be a bilinear group of prime order 119901 The Setup
algorithm chooses a random generator 119892 isin G0and random
120572 120573 120574 isin Z119901 For 119894 = 1 2 119870119870 + 2 2119870 it computes
119892119894
= 119892(120572119894) Then it computes V = 119892
120574 and ℎ = 119892120573 The
master and public keys are set to MK = (120572 120573 120574) PK =
(119892 1198921 119892
119870 119892119870+2
1198922119870
V ℎ) isin G2119870+10
The algorithminitializes an identity table 119879 = 0
119870119890119910119866119890119899 (119872119870 119875119870 119871119906119905
119894119889119906119905
) rarr (119878119870119906119905
) Assume that eachuser 119906
119905is tagged with an attribute set 119871
119906119905
= 119871+
119906119905
cup 119871minus
119906119905
where119871+
119906119905
sub 1 2 119896 and 119871minus
119906119905
sub 119896+1 119896+2 2119896TheKeyGen
algorithm randomly chooses 119886 119888 isin Zlowast
119901 119903
1 1199032 119903
119896 isin Z
119901
Then it computes 119903 = sum119896
119894=1119903119894 11986310158401015840
= 119892119903 and 119863 = 119892
119903120574(119886+119888)For all 119895 isin 119871
119906119905
it computes 119863101584010158401015840= 119867(119895)
120573 where 119867 is a hashfunction119867 0 1
lowastrarr G
0
Next the algorithm computes the following
(i) For every 119894 isin 119871+
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906119905
compute119863119894= 119892
120574(119888120572119894+1199031198941015840 (119886+119888)) where
1198941015840= 119894 minus 2119896
The decryption key for user 119906119905is set to
SK119906119905
= (119863 = 119892119903120574(119886+119888)
119863119894| 119894 isin 119871
+
119906119905
119871minus
119906119905
119871lowast
119906119905
1198631015840
= 11988811986310158401015840= 119892
119903 119863
101584010158401015840= 119867 (119895)
120573
119863119886= 119892
119886)
(8)
Note that 1(119886 + 119888) is computed modulo 119901 If gcd (119886 + 119888 119901) =
1 or 119888 is already in 119879 the algorithm is run repeatedly withanother random 119888 isin Zlowast
119901 Then it puts a tuple (119888 id
119906119905
) into 119879
and uploads (id119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) to the storage center
119864119899119888119903119910119901119905 (119875119870119882119872) rarr (119862119879) 119882 is an AND-gate accesspolicy with 119896 attributes specified by an encryptor 119906
119887 where
each attribute is either positivenegative or wildcard Thealgorithm chooses a random 119887 isin Zlowast
119901and computes 119904
119895=
119890(ℎ119887 119867(119895))119867
1(119904119895) for all 119895 isin 119882 where119867
1is a hash function
119867 G1rarr 0 1
log119901 Then the access policy 119882 is obfuscatedby replacing each attribute with119867
1(119904119895)
Next the algorithm picks a random 119905 isin Z119901and computes
a one-time symmetric key Key = 119890(119892119870 1198921)119896119905 It encrypts the
message 119872 as 119872Key and computes 119892119905 Then it computes
(Vprod119895isin119882
119892119870+1minus119895
)119905 The ciphertext CT is set to
CT = (119882 119872Key 1198620 = 119892119905 119862
1
= (Vprod119895isin119882
119892119870+1minus119895
)
119905
id119906119905
119892119887)
(9)
The encryptor uploads CT to the storage center
119866119890119899119879119900119896119890119899 (119878119870119906119905
Λ) rarr (119879119870Λ119906119905
) When a user 119906119905needs to
access the ciphertext of 119906119887in the storage center with a set
of attributes Λ ⊨ 119882 119906119905receives 119892
119887 from the storage centerand generates the token for Λ as follows For all 119895 isin Λ thealgorithm computes 119904
119895= 119890(119892
119887 119863
101584010158401015840
119895) = 119890(119892
119887 119867(119895)
120573) Then it
constructs the token TKΛ119906119905
= 119868119895| forall119895 isin Λ 119868
119895= 119867
1(119904119895)
Each 119868119895will be used as an index for the obfuscated attribute
119895 The user 119906119905sends TK
Λ119906119905
to the storage center
119875119863119890119888119903119910119901119905 (119879119870Λ119906119905
119862119879) rarr (1198621198791015840) Given TK
Λ119906119905
from the user119906119905 the storage center checks if each 119868
119895in the token satisfies
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 7
Table 1 Comparison of different schemes
Enc Dec Ciphertext length AssumptionConstant-sized ciphertexts [23] 2ex 2119905119901 + ex 2|G
0| + |G
1| 119899-DBDH
Hidden policy [25] (119905 + 2)ex (2119905 + 1)119901 + 119905ex (119905 + 1)|G0| + |G
1| DBDH
Traceability [26] (2119905 + 3)ex (2119905 + 1)119901 + 119905ex 2(119905 + 1)|G0| + |G
1| 119897-BDHI
Proposed 2ex + 119905119901 (2119905 + 1)(119901 + ex) 3|G0| + |G
1| 119899-BDHE
the access policy associated with CT If satisfied the storagecenter partially decrypts CT using (id
119906119905
1198921198631015840
119894| forall119894 isin 119871
119906119905
) as
119860119894= 119890 (119892
1198631015840
119894 119862
1) = 119890(119892 Vprod
119895isin119882
119892119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892120574+sum119895isin119882
120572119870+1minus119895
)
1205721198941199051198631015840
= 119890 (119892 119892)1205721198941199051198631015840120574+1199051198631015840sum119895isin119882
120572119870+1minus119895+119894
(10)
for all 119894 isin 119882 Then it computes a production of all 119860119894as
CT1015840 = prod119894isin119882
119860119894 The storage center sends CT1015840 to 119906
119905
119863119890119888119903119910119901119905 (119875119870 119878119870119906119905
1198621198791015840 119862119879) rarr 119872 or perp On receipt of the
partially decrypted ciphertext CT1015840 from the storage centerthe user 119906
119905computes 119861
119894for all 119894 isin 119882 as
119861119894= 119890(119862
0 ( prod
119895isin119882119895 =119894
119892119870+1minus119895+119894
)
1198631015840
sdot 119863119894)
= 119890 (119892 119892)1199051198631015840sum119895isin119882119895 =119894
120572119870+1minus119895+119894
+119905120574(1198631015840120572119894+119903119894(119886+119888))
(11)
Then it computes 119861 = prod119894isin119882
119861119894and divides CT1015840 by 119861 Using
the quotient term CT1015840119861 the user concludes decryption asfollows
CT1015840
119861
sdot 119890 (119863 1198620) =
CT1015840
119861
sdot 119890 (119892120574119903(119886+119888)
119892119905)
= 119890 (119892 119892)1198631015840119896119905120572119870+1
(12)
Then
(
CT1015840
119861
sdot 119890 (119863 1198620))
11198631015840
= 119890 (119892 119892)119896119905120572119870+1
= 119890 (119892120572119870
119892120572)
119896119905
= 119890 (119892119870 1198921)119896119905
= Key
(13)
The user decrypts 119872Key
119879119903119886119888119890 (119875119870 119878119870119906 119879) rarr 119894119889
119906or ⊤ SK
119906is called well-formed if
it passes the following conditions hold
1198631015840isin Z
lowast
119901
119863119863119894 119863
10158401015840isin G
2119870+1
0
119890 (119863119886sdot 119892
1198631015840
119863) = 119890 (V 11986310158401015840) = 1
(14)
If SK119906is well-formed the algorithm searches1198631015840 in 119879 If1198631015840 is
in 119879 the algorithm outputs the corresponding id119906 and if not
the algorithm outputs the corresponding id0indicating that
the corresponding identity never appears in 119879 If SK119906is not
well-formed the algorithm outputs ⊤
6 Performance Analysis
In this section we analyze the performance of the proposedscheme compared with the previous schemes including aconstant-sized ciphertexts scheme [23] a hidden policyscheme [25] and a traceability scheme [26]We compare eachscheme in several ways such as the computational cost ofencryption and decryption and the ciphertext length and interms of the complexity assumption Also we implementedthe proposed scheme to evaluate its actual performance Weprogrammed our system using the Java-based pairing basedcryptography (jPBC) library [33] on a GIGABYTE desktopwith 4 Intel Core i5-3570 340GHz CPUs 4GB RAM andrunning Windows 7 Ultimate K
Table 1 shows the results of comparing the differentschemes The notations we use in the table are as follows 119905denotes the number of attributes involved in the access policy119899 denotes the number of attributes in the attribute universeex denotes the exponentiation operation and denotes 119901
the paring operation Note that following convention thebit-length of the expression of the access policy and itscomputational costs over Z
119901are ignored
In terms of computational cost the constant-sized cipher-text scheme [23] shows the best encryption phase efficiencyrequiring a constant number of exponentiations The pro-posed scheme also needs two exponentiations in data encryp-tion but an additional 119905119901 operations are required to obfuscatethe access policy In the decryption phase the proposedscheme requires more computations than [23] since the useridentity is exponentiated to every attribute value to supporttraceability In contrast to [25 26] the proposed schemerequires approximately 119905 number of exponentiations Withregard to the ciphertext length the proposed scheme and [23]guarantee constant-sized ciphertext On the other hand thehidden policy scheme [25] and the traceability scheme [26]incur linearly increasing ciphertexts as the attribute number119905 increases Overall the proposed scheme is efficient in termsof the ciphertext size and provides hidden policy traceabilityat the cost of more exponentiation operations
Figure 3 shows the computation overhead incurred inthe core algorithms Setup KeyGen Encrypt GenTokenDecrypt PDecrypt and Trace under various conditions Fig-ure 3(a) shows how system-wide setup time varies according
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
8 Mobile Information Systems
0 10 20 30 40 500
500
1000
1500
2000
2500
3000
3500
4000
4500
Number of attributes
Setu
p tim
e (m
illise
cond
s)
Setup time
(a) Setup time
0 10 20 30 40 50Number of attributes
KeyGen time
0
200
400
600
800
1000
1200
1400
KeyG
en ti
me (
mill
iseco
nds)
(b) Key generation time
0 10 20 30 40 50Number of attributes
Encrypt time
0
200
400
600
800
1000
1200
Encr
ypt t
ime (
mill
iseco
nds)
(c) Encryption time
0 10 20 30 40 50Number of attributes
GenToken time
0100200300400500600700800900
10001100
Gen
Toke
n tim
e (m
illise
cond
s)
(d) Token generation time
0 10 20 30 40 50Number of attributes
Decrypt timePDecrypt time
0100200300400500600700800900
10001100
Dec
rypt
tim
e (m
illise
cond
s)
(e) Decryption and partial decryption time
0 10 20 30 40 50Number of attributes
Trace (1000)Trace (10000)
Trace (50000)Trace (100000)
0
5
10
15
20
25
30
35
40
Trac
e tim
e (m
illise
cond
s)
(f) Trace time with different number of users
Figure 3 Time costs of different algorithms
to the number of attributes Figure 3(b) shows the total keygeneration time against different numbers of attributes Thesetup occurs only once at the start of the system and key gen-eration occurs every time a new user joins Figure 3(c) shows
encryption time against different numbers of attributes Itincreases linearly due to the time taken to obfuscate thepolicy attached to the data Figure 3(d) shows the tokengeneration time against the number of attributes The token
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 9
Table 2 jPBC and PBC benchmark comparison results [33]
Operation jPBC PBCPairing 14654 2688Exponentiation in G
118592 4122
Exponentiation in G119879
2112 0529Exponentiation in Z
1199030068 0087
generation process requires a pairing operation time linearto the number of attributes Figure 3(e) shows the partialdecryption time at the storage center and decryption time atthe user against the number of attributes Interestingly thestorage center can undertake nearly 50 of whole decryptionprocess on behalf of users This property can be most usefulfor relatively resource-constrained user side devices LastlyFigure 3(f) shows the trace time with different numbers ofattributes and users The trace time depends only but notstrongly on the number of users
Further Efficiency Improvement jPBC is a complete Javaport of the PBC library which was originally written in C[34] Java is widely considered to be slower than C becauseJava programs run on the Java Virtual Machine rather thandirectly on the computerrsquos processor Based on this weadditionally provide benchmark comparison results betweenjPBC and PBC in order to demonstrate how fast the proposedscheme can be when it is implemented in C language [33]Table 2 shows the performance comparison between Javaand C with respect to pairing and exponentiation operationsconducted on the same machine The two libraries wereapplied to the curve 119910
2= 119909
3+ 119909 over the field F
119902for
some prime 119902 = 3mod 4 The order of F119902is some prime
factor of 119902 + 1 [33] Since the cost of the pairing operationin PBC is approximately 12 seconds less than in jPBC PBC isexpected to improve the performance of pairing-dependentalgorithms such as GenToken and policy obfuscation processin Encrypt by up to 81 Similarly the cost of the exponen-tiation operations in G
1and G
119879are reduced by 1447 and
1583 seconds respectively Such a difference between the twolibraries implies that moving from Java to C implementationof the proposed scheme can speed up the Setup and KeyGenalgorithms by approximately 778 and the PDecrypt andDecrypt algorithms by approximately 749
7 Security Analysis
71 Data Confidentiality In this section we reduce the cho-sen plaintext attack (CPA) security of the proposed schemeto a decisional119870-BDHE problem Given an access policy119882a user with an attribute set 119871 ⊭ 119882 colludes with 119909 le 119896
decryption proxies Intuitively this attack works successfullyif 119871 cup 119894
1 119894
119909 ⊨ 119882 Based on the CPA security game in
Section 42 we have the following
Theorem 7 If a probabilistic polynomial time adversary winsthe CPA security game with a nonnegligible advantage thenone can construct a simulator that distinguishes a 119870-DBHEtuple with a nonnegligible advantage
Proof Suppose that an adversary Arsquos advantage for winningthe game is 120598 Then we can construct a simulator B whichsolves the decisional 119870-BDHE problem with the advantage1205982 The simulator B takes an input vector (ℎ 119892 119884
119892120572119870 119885)
where 119885 is either 119890(119892 ℎ)120572119870+1
or a random element in G0
Then B breaks the decisional 119870-BDHE problem with theadvantage 1205982 Specifically B takes a random decisional 119870-BDHE challenge ⟨ℎ 119892 119884
119892120572119870 119885⟩ as input where 119885 is either
119885 = 119890(119892 ℎ)120572119870+1
or a random valueNext B runs the following CPA game with the role of
challenger(i) InitA sends an access policy119882 toB(ii) Setup B runs the Setup algorithm to obtain PK and
chooses a random 119889 isin Z119901 ThenB computes
V = 119892119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
= 119892120574 (15)
B outputs the public key PK = (119892 119884119892120572119870
V) isin G2119870+10
Phase 1 The adversary A submits 119871 where 119871 ⊭ 119882 Thenthere exists 119895 isin 119871 such that 119895 + 119896 isin 119882 where 119895 isin 1 119896or 119895 minus 119896 isin 119882 where 119895 isin 119896 + 1 2119896
For 119894 = 1 119896 B picks 119896 random 119903119894isin Z
119901and sets 119903 =
1199031+sdot sdot sdot+119903
119896 NextB randomly chooses 119886 119888 isin Zlowast
119901and computes
119863 = (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
)
119903(119886+119888)
= 119892120574119903(119886+119888)
(16)
NextB computes
119863119894= 119892
119889
119894prod
119895isin119882
(119892119870+1minus119895+119894
)
minus119888
sdot prod
119895isin119882
(119892119870+1minus119895
)
minus1199031198941015840 (119886+119888)
(17)
where 119894 falls into one of the following conditions (1) 119894 + 119896 isin 119882
for all 119894 isin 119871+ (2) 119894 minus 119896 isin 119882 for all 119894 isin 119871
minus and (3) 119894 notin 119882 for all119894 isin 119871
lowastThen each119863
119894is valid such that
119863119894= (119892
119889(prod
119895isin119882
119892119870+1minus119895
)
minus1
)
119888120572119894+1199031198941015840 (119886+119888)
= 119892120574(119888120572119894+1199031198941015840 (119886+119888))
(18)
ChallengeB sets 1198620= ℎ and 119862
1= ℎ
119889 and gives the challenge⟨119862
0 119862
1 119885
119896⟩ toA Note that 119862
0= ℎ = 119892
119905 for some 119905 such that
ℎ119889= (119892
119889)
119905
= (119892119889prod
119895isin119882
(119892119870+1minus119895
)
minus1
sdot prod
119895isin119882
(119892119870+1minus119895
))
119905
= (Vprod119895isin119882
(119892119870+1minus119895
))
119905
(19)
and 119885119896= Key if 119885 = 119890(119892 ℎ)
120572(119870+1)
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
10 Mobile Information Systems
Phase 2 Repeat Phase 1
Guess The adversary A outputs a guess 1198871015840 where 119887
1015840= 0
implies that 119885 = 119890(119892 ℎ)120572119870+1
If 1198871015840 = 1 then 119885 is a randomelement which indicates that Pr [B(ℎ 119892 119884
119892120572119870 119885) = 0] =
12 Note that each decryption proxy 119901119894(119903) simulates a legal
decryption key component with a random 119903 Specifically theadversary A passes 119903 as a guess of 119903
1198941015840 which is embedded in
119863119894 where 119894 isin 119882 We further define a decryption proxy to
model collusion attacks
Definition 8 Given 2119896 decryption proxies in the securitygame each decryption proxy 119901
119894(119903) = 119892
120574(119888120572119894+119903(119886+119888)) where
119903 isin Z119901and 119894 isin 1 2119896
Lemma 9 (collision with 1 decryption proxy) Suppose thatA has issued 119902 queries and there is only 1 attribute 119894 notin 119882whereA makes 119897 queries to 119901
119894(119903) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus 119902119901)119897
Proof Theprobability that at least one query returns an illegaldecryption key component of any 119902 is 1minus119902119901Thus if none ofthe 119897 queries succeeds then Pr [119903 = 119903
1198941015840] = (1minus119902119901)
119897 where 119903 isa randomnumber in the decryption proxy and 119903
1198941015840 is a random
number in the decryption key
Lemma 10 (collision with multiple decryption proxies)Suppose A has issued 119902 queries and there are 119898 attributesdissatisfying 119882 where A makes 119897 queries to each decryptionproxy 119901
1198941
(1199031) 119901
1198942
(1199032) 119901
119894119898
(119903119898) The probability that none of
the queries returns a legal decryption key component of any 119902
is (1 minus (1 minus 119902119901)119897)119898
Proof The probability that one decryption proxy fails isPr [119903 = 119903
1198941015840] = (1 minus 119902119901)
119897 Thus the probability that all 119898decryption proxies succeed is (1 minus (1 minus 119902119901)
119897)119898
In case of 119885 = 119890(119892 ℎ)120572(119870+1)
we have 3 collusion scenariosas follows
0-Collusion If no decryption proxy is used then A has atleast 1205982 advantage in breaking the proposed scheme ThusB has at least the following advantage in breaking 119870-BDHEproblem
1003816100381610038161003816100381610038161003816
Pr [B (ℎ 119892 119884119892120572119870
119885) = 0] minus
1
2
1003816100381610038161003816100381610038161003816
ge
120598
2
(20)
1-Collusion If one decryption proxy 119901119894(119903) is used then we
have Pr [119903 = 1199031198941015840] = (1 minus 119902119901)
119897 Thus if A has at least120598 advantage in breaking the proposed scheme then B hasat least (1 minus 119902119901)
1198971205982 advantage in breaking the 119870-BDHE
problem
119898-Collusion If 119898 decryption proxies 1199011198941
(1199031) 119901
119894119898
(119903119898) are
used then we have
Pr [119903119894119895
= 1199031198941015840
119895
exist119895 le 119898] = (1 minus (1 minus
119902
119901
)
119897
)
119898
(21)
Thus if A has at least 120598 advantage in breaking the proposedscheme then B has at least the following advantage inbreaking the119870-BDHE problem
(1 minus (1 minus (1 minus
119902
119901
)
119897
)
119898
) sdot
120598
2
(22)
72 Traceability In this section we prove the traceability ofthe proposed scheme based on the 119897-SDH assumption
Theorem 11 If 119897-SDH assumption holds then the proposedscheme is fully traceable provided that 119902 lt 119897
Proof Suppose that there is a PPT adversaryAwho wins thetraceability game with nonnegligible advantage 120598 after 119902 keyqueries Without loss of generality assume that 119897 = 119902 + 1Then we can construct a PPT simulatorB that breaks 119897-SDHassumption with nonnegligible advantage
B is given an instance of the 119897-SDH problem as followsLet G
0be a bilinear group of prime order 119901 let 119892 isin G
0 let
119890 G0timesG
0rarr G
1be a bilinearmap and let 119886 isin Z
119901B is given
INSDH = (119901G0G
1 119890 119892 119892
119886 119892
119886119897
) as in instance of the 119897-SDH problemBrsquos goal is to output a pair (119888
119903 119908
119903) isin Zlowast
119901times G
0
satisfying 119908119903
= 1198921(119886+119888
119903) for solving the 119897-SDH problem B
sets 119860119894= 119892
119886119894
for 119894 = 0 1 119897 and interacts with A in thetraceability game as follows
SetupB randomly picks 119902 distinct values 1198881 119888
119902isin Zlowast
119901 Let
119891(119910) be the polynomial 119891(119910) = prod119902
119894=1(119910 + 119888
119894) Expand 119891(119910)
and write 119891(119910) = sum119902
119894=0120572119894119910119894 where 120572
0 1205721 120572
119902isin Z
119901are the
coefficients of the polynomial 119891(119910)B computes
119892 larr997888
119902
prod
119894=0
(119860119894)120572119894
= 119892119891(119886)
119892119886larr997888
119902+1
prod
119894=1
(119860119894)120572119894minus1
= 119892119891(119886)sdot119886
(23)
B randomly chooses 120572 120574 isin Z119901and computes V = 119892
120574For 119894 = 1 2 119870 119870 + 2 2119870 B sets 119892
119894= 119892
(120572119894) where
119870 = 3119896 = 119897B then givesA the public parameter
PK = (119892 1198921 119892
119870 119892119870+2
1198922119870
V) isin G2119870+1
0 (24)
KeyQuery A submits (id119909 119871) to B to request a decryption
key Assume that it is the 119909th query For 119909 le 119902 let119891119909(119910) be the
polynomial 119891119909(119910) = 119891(119910)(119910+119888
119909) = prod
119902
119895=1119895 =119909(119910+119888
119895) Expand
119891119909(119910) and write 119891
119909(119910) = sum
119902minus1
119895=0120573119895119910119895 where 120573
0 120573
1 120573
119902minus1isin
Z119901B computes
120590119909larr997888
119902minus1
prod
119895=0
(119860119895)
120573119895
= 119892119891119909(119886)
= 119892119891(119886)(119886+119888
119909)= 119892
1(119886+119888119909) (25)
B randomly chooses 1199031 1199032 119903
119896 isin Z
119901 Then it computes
119903 = sum119896
119894=1119903119894 119863
10158401015840= 119892
119903 and119863 = 120590119903120574
119909
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 11
FinallyB computes the following
(i) For every 119894 isin 119871+
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894
(ii) For every 119894 isin 119871minus
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 119896
(iii) For every 119894 isin 119871lowast
119906 compute 119863
119894= 119892
120574119888119909120572119894
120590
1205741199031198941015840
119909 where1198941015840= 119894 minus 2119896
B responds toA with SKid119909119871119909
as
SKid119909119871119909
= (119863 = 120590119903120574
119909 119863
119894| 119894 isin 119871
+
119906 119871
minus
119906 119871
lowast
119906 119863
1015840
= 119888119909 119863
10158401015840= 119892
119903)
(26)
B puts tuple (119888119909 id
119909) into 119879
KeyForgeryA submits toB a decryption key SKlowast
Note that the distributions of PK and SK in the abovegame are the same as in the real game Let ΥA denote theevent thatA wins the game that is SK
lowastis well-formed and
119888119903notin 119888
1 1198882 119888
119902 The adversaryrsquos advantage over the game
is 1205982 since there is no decryption proxy used If ΥA does nothappenB chooses a randoma randompair (119888
119903 119908
119903) isin Zlowast
119901timesG
0
as its solution for 119897-SDHproblem IfΥA happensBwrites thepolynomial 119891(119910) = 120574(119910)(119910 + 119863
1015840) + 120574
minus1for some polynomial
120574(119910) = sum119902minus1
119894=0(120574119894119910119894) and some 120574
minus1isin Z
119901 Then 120574
minus1= 0 since
119891(119910) = prod119902
119894=1(119910 + 119888
119894) where 119888
119894isin Zlowast
119901and 119863
1015840notin 119888
1 1198882 119888
119902
Thus 119910 + 1198631015840 does not divide 119891(119910) B computes the value of
gcd(120574minus1 119901)
Next let ΩSDH(119888119903 119908119903) denote the event that (119888119903 119908
119903) is a
solution to the 119897-SDH problem Note that when B chooses(119888119903 119908
119903) randomlyΩSDH(119888119903 119908119903) happens with negligible prob-
ability say zeroB solves the 119897-SDH problemwith probability
Pr [ΩSDH (119888119903 119908
119903)]
= Pr [ΩSDH (119888119903 119908
119903) | ΥA] sdot Pr [ΥA]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
+ Pr [ΩSDH (119888119903 119908
119903) | ΥA and gcd (120574
minus1 119901) = 1]
sdot Pr [ΥA and gcd (120574minus1 119901) = 1]
= 0 + 0 + 1 sdot Pr [ΥA and gcd (120574minus1 119901) = 1] le 120598
(27)
Thus B can break the 119897-SDH assumption with advantage le
120598
73 Policy Privacy When an encryptor uploads its ciphertextto the storage center every attribute 119895 in the access policyis obfuscated as 119867
1(119890(ℎ
119887 119867(119895))) with a random 119887 using the
one-way anonymous key agreement protocol [31] such thatonly users in possession of valid corresponding attributesare able to compute the same value It is infeasible to guess119895 from 119867
1(119890(ℎ
119887 119867(119895))) without having the corresponding
attributes due to 119887 which is chosen uniformly at random by
the encryptor Specifically the storage center does not have119863101584010158401015840
= 119867(119895)120573 which is a secret key component owned by
users whose attribute sets satisfy the access policy Due tothe secrecy property of the key agreement protocol [31] thestorage center cannot compute 119890(119892119887 119867(119895)
120573)
In token generation phase a user computes indices 119868119895=
1198671(119890(119892
119887 119867(119895)
120573)) for each (obfuscated) attribute 119895 Due to
the secrecy property of the key agreement protocol only theauthorized users are able to construct indices correspondingto 119895 Thus the storage center cannot generate correct indicesfor the attributes in the access policy Also even thoughthe storage center conducts partial decryptions the userlearns nothing about the underlying access policy exceptthat he can decrypt the ciphertext since he receives onlythe partially decrypted value and no more Therefore theproposed scheme guarantees the policy privacy against thestorage center and authorized users
8 Conclusion
In this paper we proposed an efficient attribute-based securemHealth data sharing schemewith hidden policies and trace-ability The proposed scheme significantly reduces storageand communication costs The access policies are obfuscatedsuch that not only data privacy but also policy privacy ispreserved The computational costs of users are reduced bydelegating approximately 50 of the decryption operationto the more powerful storage systems Lastly the proposedscheme is able to tracemalicious users who illegally leak theirkeys Our security analysis shows that the proposed schemeis secure against chosen-ciphertext and key forgery attacksunder the decisional 119870-BDHE and 119897-SDE assumptions Wealso prove that the policy privacy of the proposed scheme ispreserved against the storage center and authorized users
Competing Interests
The authors declare that they have no competing interests
Acknowledgments
This work was supported by the National Research Founda-tion of Korea (NRF) grant funded by the Korea government(MSIP) (no 2016R1A2A2A05005402) This work was alsosupported by Institute for Information amp CommunicationsTechnology Promotion (IITP) grant funded by the Koreagovernment (MSIP) (no B0190-15-2028) This work wasalso supported by the research fund of Signal IntelligenceResearch Center supervised by the Defense Acquisition Pro-gram Administration and Agency for Defense Developmentof Korea
References
[1] P Germanakos C Mourlas and G Samaras ldquoA mobile agentapproach for ubiquitous and personalized eHealth informationsystemsrdquo in Proceedings of the Workshop on lsquoPersonalization for
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
12 Mobile Information Systems
e-Healthrsquo of the 10th International Conference on User Modelingpp 67ndash70 Edinburgh UK July 2005
[2] E Jovanov A OrsquoDonnell Lords D Raskovic P G Cox RAdhami and F Andrasik ldquoStress monitoring using a dis-tributed wireless intelligent sensor systemrdquo IEEE Engineering inMedicine and Biology Magazine vol 22 no 3 pp 49ndash55 2003
[3] J A Wolf J F Moreau O Akilov et al ldquoDiagnostic inaccuracyof smartphone applications for melanoma detectionrdquo JAMADermatology vol 149 no 4 pp 422ndash426 2013
[4] United States Department of Health amp Human ServicesHealthInformation Privacy 2011 httpwwwhhsgovocrprivacyindexhtml
[5] S Alshehri S P Radziszowski and R K Raj ldquoSecure access forhealthcare data in the cloud using Ciphertext-policy attribute-based encryptionrdquo in Proceedings of the IEEE 28th InternationalConference on Data Engineering Workshops (ICDEW rsquo12) pp143ndash146 IEEE Arlington Va USA April 2012
[6] M Poulymenopoulou F Malamateniou and G Vassilacopou-los ldquoE-EPR a cloud-based architecture of an electronic emer-gency patient recordrdquo in Proceedings of the 4th ACM Interna-tional Conference on PErvasive Technologies Related to AssistiveEnvironments (PETRA rsquo11) article 35 Crete Greece May 2011
[7] H A J Narayanan and M H Gunes ldquoEnsuring access controlin cloud provisioned healthcare systemsrdquo in Proceedings of theIEEE Consumer Communications and Networking Conference(CCNC rsquo11) pp 247ndash251 Las Vegas Nev USA January 2011
[8] R Bobba H Khurana M Alturki and F Ashraf ldquoPBES apolicy based encryption systemwith application to data sharingin the power gridrdquo in Proceedings of the 4th InternationalSymposium on ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo09) pp 262ndash275 March2009
[9] J Hur ldquoAttribute-based secure data sharingwith hidden policiesin smart gridrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 11 pp 2171ndash2180 2013
[10] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attribute-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE International Con-ference on Distributed Computing Systems (ICDCS rsquo12) pp 224ndash233 IEEE Macau June 2012
[11] A Kapadia P P Tsang and S W Smith ldquoAttribute-basedpublishing with hidden credentials and hidden policiesrdquo Pro-ceedings of the 14th Annual Network and Distributed SystemSecurity Symposium (NDSS rsquo07) vol 7 pp 179ndash192 2007
[12] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattributebased encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy pp 321ndash334 Berkeley Calif USAMay 2007
[13] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography-PKC pp 53ndash70 2011
[14] V Goyal A Jain O Pandey and A Sahai ldquoBounded ciphertextpolicy attribute based encryptionrdquo in Automata Languagesand Programming 35th International Colloquium ICALP 2008Reykjavik Iceland July 7ndash11 2008 Proceedings Part II vol 5126of Lecture Notes in Computer Science pp 579ndash591 SpringerBerlin Germany 2008
[15] L Ibraimi M Petkovic S Nikova P Hartel and W JonkerldquoMediated ciphertext-policy attribute-based encryption and itsapplicationrdquo in Information Security Applications H Y Youmand M Yung Eds vol 5932 of Lecture Notes in ComputerScience pp 309ndash323 2009
[16] T Jung X-Y Li ZWan andMWan ldquoPrivacy preserving clouddata access with multi-authoritiesrdquo in Proceedings of the IEEEINFOCOM pp 2625ndash2633 Turin Italy April 2013
[17] FWang andWLuo ldquoAssessing spatial andnonspatial factors forhealthcare access towards an integrated approach to defininghealth professional shortage areasrdquo Health amp Place vol 11 no2 pp 131ndash146 2005
[18] R W Bradshaw J E Holt and K E Seamons ldquoConcealingcomplex policies with hidden credentialsrdquo in Proceedings ofthe 11th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo04) pp 146ndash157 October 2004
[19] Z Zhou D Huang and Z Wang ldquoEfficient privacy-preservingciphertext-policy attribute based-encryption and broadcastencryptionrdquo IEEE Transactions on Computers vol 64 no 1 pp126ndash138 2015
[20] J Li K Ren B Zhu andZWan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[21] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology G R Blakley and DChaum Eds vol 196 of Lecture Notes in Computer Science pp47ndash53 1985
[22] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in CryptologymdashEUROCRYPT 2005 vol 3494 ofLecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005
[23] Z Zhou and D Huang ldquoOn efficient ciphertext-policy attributebased encryption and broadcast encryptionrdquo in Proceedings ofthe 17th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo10) pp 753ndash755 ACM Chicago Ill USAOctober 2010
[24] C Chen Z Zhang and D Feng ldquoEfficient ciphertext policyattributebased encryption with constant-size ciphertext andconstant computationcostrdquo in Provable Security 5th Interna-tional Conference ProvSec 2011 Xirsquoan China October 16ndash182011 Proceedings vol 6980 of Lecture Notes in ComputerScience pp 84ndash101 Springer Berlin Germany 2011
[25] J Li K Ren and Z Wan ldquoPrivacy-aware attribute-basedencryption with user accountabilityrdquo in Information Securitypp 347ndash362 Springer Berlin Germany 2009
[26] Z Liu Z Cao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013
[27] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEHow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the 2013 ACM SIGSACConference on Computer amp Communications Security (CCS rsquo13)pp 475ndash486 ACM November 2013
[28] D Boneh X Boyen and E J Goh ldquoHierarchical identitybased encryption with constant size ciphertextrdquo in Advances inCryptologymdashEUROCRYPT 2005 pp 440ndash456 Springer BerlinGermany 2005
[29] D Boneh and X Boyen ldquoShort signatures without randomoraclesrdquo in Advances in Cryptology-EUROCRYPT 2004 vol3027 of Lecture Notes in Computer Science pp 56ndash73 SpringerBerlin Germany 2004
[30] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 pp213ndash229 Springer Berlin Germany 2001
[31] A Kate G Zaverucha and I Goldberg ldquoPairing-based onionroutingrdquo in Privacy Enhancing Technologies N Borisov and P
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mobile Information Systems 13
Golle Eds vol 4776 of Lecture Notes in Computer Science pp95ndash112 Springer Berlin Germany 2007
[32] E Jovanov andD Raskovic ldquoWireless intelligent sensorsrdquo inM-Health pp 33ndash49 Springer New York NY USA 2006
[33] A De Caro and V Iovino ldquojPBC java pairing based cryptogra-phyrdquo in Proceedings of the IEEE Symposium on Computers andCommunications (ISCC rsquo11) pp 850ndash855 June-July 2011
[34] B Lynn The Pairing-Based Cryptography (PBC) Library 2010httpcryptostanfordedupbc
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014