EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy

Haobin Ma

Dehua Zhou

Peng Li

and

Xiaoming Wang

College of Information Science and Technology, Jinan University, Guangzhou 510632, China

Author to whom correspondence should be addressed.

Sensors2023,23(9), 4384;https://doi.org/10.3390/s23094384

Submission received: 20 March 2023 /Revised: 25 April 2023 /Accepted: 27 April 2023 /Published: 28 April 2023

(This article belongs to the SectionSensor Networks)

Downloadkeyboard_arrow_down

Browse Figures

Versions Notes

Abstract

As medical data become increasingly important in healthcare, it is crucial to have proper access control mechanisms, ensuring that sensitive data are only accessible to authorized users while maintaining privacy and security. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is an attractive access control solution that can offer effective, fine-grained and secure medical data sharing, but it has two major drawbacks: Firstly, decryption is computationally expensive for resource-limited data users, especially when the access policy has many attributes, limiting its use in large-scale data-sharing scenarios. Secondly, existing schemes are based on data users’ attributes, which can potentially reveal sensitive information about the users, especially in healthcare data sharing, where strong privacy and security are essential. To address these issues, we designed an improved CP-ABE scheme that provides efficient and verifiable outsourced access control with fully hidden policy named EVOAC-HP. In this paper, we utilize the attribute bloom filter to achieve policy hiding without revealing user privacy. For the purpose of alleviating the decryption burden for data users, we also adopt the technique of outsourced decryption to outsource the heavy computation overhead to the cloud service provider (CSP) with strong computing and storage capabilities, while the transformed ciphertext results can be verified by the data user. Finally, with rigorous security and reliable performance analysis, we demonstrate that EVOAC-HP is both practical and effective with robust privacy protection.

Keywords:

access control;data sharing;Attribute-Based Encryption;hidden policy;outsourced decryption

1. Introduction

The rapid advancement of medical technology has revolutionized the healthcare industry, and one of its most significant impacts is the increasing prevalence of electronic health record (EHR) systems, replacing traditional paper-based medical records [1,2]. The adoption of EHRs has facilitated the real-time management and sharing of medical records for both doctors and patients. Additionally, healthcare practitioners can now access data more easily, enabling them to make more comprehensive diagnoses. With the emergence of 5G, cloud computing and big data, cloud-assisted EHR systems have become popular for outsourcing medical record management to the CSP and reducing management overhead. However, concerns about security and privacy arise when storing sensitive medical record data on cloud servers. Additionally, traditional encryption methods cannot achieve fine-grained data sharing and access. Access to such data without authorization can result in serious consequences, including identity theft, insurance fraud, and even the endangering of patient lives. Therefore, it is crucial to design robust security mechanisms for protecting medical data stored in the cloud [3]. To ensure data confidentiality and fine-grained access control to sensitive EHR data, Attribute-Based Encryption (ABE) was introduced as an appropriate encryption solution [4].

CP-ABE, proposed by Bethencourt et al. [5], provides a flexible way for data owners to specify their own access control policies. This is achieved by linking a ciphertext to an access policy defined by the user and associating a user’s secret key with a set of attributes. As a result, only users whose attributes satisfy the access policy can decrypt the ciphertext and access the data. However, existing CP-ABE schemes [5,6,7] may not meet security and privacy requirements. Firstly, the access policy that is associated with the ciphertext can be viewed publicly, which means that anyone can obtain useful sensitive private data and expose confidential details regarding the encrypted EHR data, which can result in the exposure of the identity and attributes of medical practitioners or patients, thus compromising their privacy [8]. In addition, those existing schemes have the disadvantage of having a linear increase in ciphertext size and decryption overhead with the number of attributes in the access policy, which can be a significant limitation for resource-limited users [9]. As more attributes are added to the policy, both the ciphertext size and decryption overhead grow proportionally. This can make it difficult or even impossible for users with limited resources to decrypt and access the data that they need in a timely manner. Furthermore, this linear growth in ciphertext size can increase the cost of storing and transmitting the encrypted data, as well as the computational overhead associated with performing encryption and decryption operations. Thus, these CP-ABE schemes may not be suitable for applications that require efficient access control and low computational overhead.

Some existing works have been proposed to address these issues, such as outsourcing decryption technology [9,10,11,12] to reduce computation overhead for data users or proposing fully or partially hidden access structure schemes [8,13,14] to protect the privacy of user attributes embedded in the access policy. However, these solutions fail to offer a large universe and reliable mechanism with adaptive security, or they lack flexibility and have low efficiency. To tackle these issues, we propose an efficient access control scheme with robust privacy protection and outsourced decryption with verifiability, which builds upon the work [15] with further optimizations. Our main contributions are outlined as follows:

We designed an efficient and secure fine-grained access control scheme named EVOAC-HP for privacy preserving in the medical data scenario, which supports a large universe, adaptive security and flexible access control structure. This scheme uses the attribute bloom filter to achieve policy hiding, which effectively protects data users’ attribute information.
We adopted outsourcing decryption technology to outsource complex computation to the CSP and support the verification of the outsourcing results, which largely reduces the computation overhead of data users.
According to security analysis and performance analysis, EVOAC-HP demonstrated enhanced security and efficiency, which is appropriate for medical data-sharing application scenarios with high privacy requirements.

2. Related Work

Traditional identity-based encryption (IBE) schemes associate encryption keys with specific identities, and decryption is only possible for ciphertexts encrypted under the matching identities [16]. In contrast, fuzzy IBE allows partial matches between the encryption key and the access policy to be performed, which means that ciphertexts can be decrypted by users whose identities only partially match the policy. In order to achieve more fine-grained access control, the notion of ABE, which enables secure encryption and decryption to be achieved without the need for exact identity matching, was first conceived by Sahai and Waters [4]. According to different application scenarios, ABE is divided into Key-Policy Attribute-Based Encryption (KP-ABE) and CP-ABE. In 2006, Goyal et al. [17] proposed the first construction of a scheme that associates attributes with the private keys of the users, mainly used in paid video sites and broadcast encryption. The first CP-ABE scheme proposed by the work [5] allows complex access policies in which attributes are associated with the ciphertext to be used, which is suitable for data sharing. Although this scheme is very expressive, it was proved to be safe under the general group model, and the security of this model is relatively weak. Afterwards, a significant amount of research has been conducted on CP-ABE and KP-ABE in recent years, with various constructions and optimizations proposed to enhance their efficiency and security. Waters [18] proposed an improvement to CP-ABE schemes by introducing a linear secret sharing scheme (LSSS) based on the previous work [5], which results in enhanced efficiency and expressiveness of the encryption scheme while maintaining stronger security. Many CP-ABE schemes have since emerged, including some classic works [6,7,15]. However, as the access policy becomes more complex and the number of user attributes increases, the size of the ciphertext and the computational overhead required for decryption also increase. Since the decryption process can be expensive due to the large size of the ciphertext and the required pairing operations, resource-limited devices may experience significant delay or even have to abort the decryption process.

To address this inefficiency issue, Green et al. [9] introduced the innovative notion of ABE with outsourced decryption (ABE-OD), which allows a CSP to transform any ABE ciphertext of any size into an ElGamal-type ciphertext with a constant size, so that the user only needs to obtain the decrypted message with one exponentiation. One limitation of outsourcing decryption to the CSP is that they may not perform the transformation operations honestly. To address this concern, the work [10] proposed the concept of ABE verifiable outsourced decryption (ABE-VOD), which enables data users to check whether the transformation results are correct. However, this scheme needs to encrypt additional random messages, which doubles the computing overhead of the data user, resulting in twice the size of the ciphertext. This undoubtedly increases the user’s bandwidth requirements and computing costs. Afterward, several efficient and generic ABE-VOD schemes have been proposed [11,19,20,21,22,23,24]. Some works [19,20] also considered performing outsourced key issuing and outsourced decryption operations by introducing two cloud service providers. Mao et al. [11] and Lin et al. [21] proposed an efficient construction using a commitment scheme and an encapsulation mechanism. These ABE schemes have shown great promise in enabling the secure and verifiable outsourced decryption of ciphertexts to be performed in cloud-based environments. While these ABE schemes are well suited to flexible and fine-grained data-sharing systems, they may not be suitable for applications with high privacy requirements, such as EHR systems. This is because the access policy, which typically includes sensitive attribute information, such as the patient’s medical condition and medical history, is directly exposed in the ciphertext. Anyone can obtain some sensitive information with the ciphertext. As a result, malicious adversaries are likely to infer sensitive information about the patient’s health status, potentially leading to privacy breaches and other security risks.

In order to improve the above privacy protection issues, CP-ABE with policy hiding has been researched to address sensitive attribute information exposure in the access policy of traditional CP-ABE schemes. The concept of partially hidden access structures was proposed by Nishide et al. [8] and splits the attribute into an attribute name exposed to the ciphertext and sensitive attribute values hidden within the ciphertext. Nevertheless, this solution only supports the less expressive “AND gates” access structure. Lai et al. [25] proposed a CP-ABE scheme with adaptive security and policy hiding under the standard model, but this scheme is constructed based on bilinear groups of composite order, resulting in low efficiency. Subsequently, several works based on [8,25] have since been proposed to enhance the security, efficiency, flexibility and availability of partially hidden access structure CP-ABE [14,26,27,28,29,30]. However, all these existing schemes can only hide the attribute value but cannot hide the attribute name, and the attribute name itself still leaks some useful information. Therefore, CP-ABE schemes with fully hidden policy are also available, where the access policy is invisible to the data user, ensuring that their attribute sets are not revealed in plaintext. Recently, most of the solutions hide the whole attribute by employing the specified garbled bloom filter [31] to eliminate the attribute mapping function embedded in the access structure and achieve full policy hiding [32,33,34,35,36]. This strategy of policy hiding is well suited to applications with strong privacy requirements. However, these schemes either do not support verifiable outsourced decryption or do not support flexible access structures under the standard model.

Inspired by the works [11,15,32], we propose EVOAC-HP to be applied in EHR systems. Consider a healthcare scenario where a data owner, such as a patient, wants to share their medical records with a data user, such as a doctor, but does not want to allow other doctors or unauthorized users to access the records. To protect privacy, the patient first establishes an access policy for who is allowed to access the records and encrypts the records using CP-ABE before uploading them to a CSP. Then, doctors who meet the defined access policy can successfully decrypt the ciphertext. Note that the private attributes embedded in the access policy do not reveal the identity of the doctors. Since the doctor’s device may be resource-limited, they can request the CSP to transform the ciphertext and obtain the transformed ciphertext for decryption. Finally, the doctor can locally confirm whether the transformed ciphertext is correct to ensure the integrity of the decryption result.

3. Preliminary

In this section, we mainly review the fundamental knowledge about the CP-ABE definition, the security model for the CP-ABE, the commitment scheme, the attribute bloom filter and the decisional linear assumption.

3.1. CP-ABE Definition

A classic CP-ABE scheme is given by the following four algorithms:

$S e t u p (1^{λ}, U)$ : This algorithm takes the security parameter $λ$ and attribute universe descriptionU as input, and it outputs a master public key $m p k$ and a master key $m s k$ .
$K e y G e n (m s k, S)$ : This algorithm takes the master key $m s k$ and a set of attributesS, and it outputs a secret decryption key $s k$ .
$E n c r y p t (m p k, (M, ρ), M)$ : This algorithm takes the master public key $m p k$ , an access structure $(M, ρ)$ over the universe of attributes and a messageM, and it outputs a ciphertext $c t$ .
$D e c r y p t (m p k, c t, s k)$ : This algorithm takes the master public key $m p k$ , a ciphertext $c t$ and a secret decryption key $s k$ , and it outputs a messageM or a special symbol ⊥.

3.2. Security Model for CP-ABE

We introduce the security model for the CP-ABE scheme. The security between adversary

A

and challenger

C

is given as follows:

$I n i t i a l i z a t i o n$ : $A$ defines the challenge access structure $A^{*}$ and gives it to $C$ .
$S e t u p$ : $C$ runs $S e t u p$ to obtain the master public key $m p k$ and returns it to $A$ .
$P h a s e 1$ : $A$ has the ability to request secret keys corresponding to collections of user attributes $S_{1}, S_{2}$ , $\dots, S_{Q_{1}}$ . For each $S_{i}$ , $C$ runs $K e y G e n$ and returns $s k_{i}$ to $A$ . The queried sets must not meet the access structure requirements of the challenge phase above each query, i.e., $\forall i \in [Q_{1}] : S_{i} \notin$ $A^{*}$ .
$C h a l l e n g e$ : $A$ submits two messages, $m_{0}$ and $m_{1}$ , with equal length and returns them to $C$ . $C$ chooses random number $b \in {0, 1}$ and invokes $E n c r y p t$ to obtain $c t$ , which is given to $A$ .
$P h a s e 2$ : Phase 1 is reiterated under the same constraint. $A$ can continue to query the secret keys for the sets $S_{Q_{1} + 1}, S_{Q_{1} + 2}$ , $\dots, S_{Q}$ .
$G u e s s$ : $A$ outputs his guess value $b^{'} \in {0, 1}$ forb.

Definition 1.

A CP-ABE scheme Πis secure if all polynomial-time attackers

A

have at most a negligible advantage in the above security game. The advantage of an attacker

A

for breaking this confidentiality game is defined as

A d v_{Π}^{A} (λ) = | P r [b^{'} = b] - 1 / 2 |

3.3. Commitment

A commitment scheme has three algorithms:

I n i t C o m

C o m m i t

and

R e v e a l

$S e t u p (1^{λ})$ : This algorithm takes a security parameter $λ$ as input and outputs the public commitment key $p k$ .
$C o m m i t (M, r)$ : This algorithm takes a messageM and an additional random numberr as input and outputs a commitment $c m$ .
$R e v e a l (M, r, c m)$ : This algorithm takes a messageM, an additional random numberr and a commitment $c m$ as input and outputs a bit value $b \in {0, 1}$ . If $b = 1$ , it indicates that $c m$ is a valid commitment toM; otherwise, it indicates that $c m$ is not a commitment toM.

A correct commitment scheme satisfies

R e v e a l (M, r, C o m m i t (M, r)) = 1

for all

p k

output by the algorithm

S e t u p

and for any messageM and an additional random numberr. If a commitment scheme satisfies the hiding property and the binding property, it is considered secure. The commitment

c m

toM satisfies the hiding property, which ensures that no information aboutM can be inferred from

c m

. The binding property ensures that it is computationally infeasible to reveal a commitment

c m

to a value

M_{E H R}^{'}

other than the original valueM.

3.4. Attribute Bloom Filter

The attribute bloom filter (ABF) is a data structure that can efficiently query a large dataset [32]. It is a variant of the bloom filter, where each element is assigned one or more attributes so that it can be filtered and queried by the attribute. During the search stage, one or more attributes can be specified, and only elements with the specified attributes are returned. Unlike traditional bloom filters, the ABF stores an additional attribute vector, where each element corresponds to an attribute vector. Each position in the attribute vector corresponds to an attribute, and if the element has that attribute, the position is set to 1; otherwise, 0. The element is returned during the query stage if all specified attribute positions are 1.

To construct the ABF, a sequence of

λ

bits in length is joined with two constant strings: one that includes the row number with

L_{r o w n u m}

bits and another that contains the attribute with

L_{a t t}

bits, where the security parameter

λ = L_{r o w n u m} + L_{a t t r}

. The ABF can be divided into two components:

A B F B u i l d

and

A B F Q u e r y

. These two components are detailed below:

$A B F B u l i d (M, ρ)$ : This algorithm takes as input an access policy $(M, ρ)$ . The attributes $a t t_{e}$ and their corresponding row numberi involved in access matrix $M$ are concatenated, where each rowi maps to attribute $a t t_{e}$ according to the mapping function $ρ (i)$ , and they are left-padded with zeros to achieve a maximum bit length. The resulting set of elements $S_{e t} = {\{i | | a t t_{e t}\}}_{i \in [1, \dots, l]}$ is used as input in the garbled BF building algorithm to create $A B F_{S}$ , as described in [31].
When an element $e t$ needs to be inserted into $A B F_{S}$ , this algorithm randomly produces $x - 1 λ$ -bit strings $r_{1}, r_{2}, \dots, r_{x - 1}$ and adopts the XOR-based secret sharing scheme $(x, x)$ to distribute element $e t$ . It then assigns $r_{x} = r_{1} \oplus r_{2} \oplus \dots \oplus r_{x - 1} \oplus e t$ . Afterward,x independent and uniform hash functions $H_{i}$ are used to hash attribute $a t t_{e}$ to obtain $H_{i} (a t t_{e t})$ for $i \in [1, \dots, x]$ , where $H_{i} (a t t_{e t})$ represents the specific index position in $A B F_{S}$ . The i-th share $r_{i}$ of the element is then stored in $A B F_{S}$ at the position indicated by the hash function $H_{i} (a t t_{e t})$ . When adding more elements to $A B F_{S}$ , it is possible that a location $j = H_{i} (e t)$ has already been filled by an element added earlier. In this case, we can repurpose the existing share assigned as a share for the new element.
$A B F Q u e r y (m p k, S, A B F_{S})$ : This algorithm takes as input the master public key $m p k$ , an attribute setS and the attribute bloom filter $A B F_{S}$ . For each attribute $a t t$ within the attribute setS, the algorithm calculates the position index $H_{i} (a t t_{e t})$ in $A B F_{S}$ withx hash functions. The value $r_{i}$ stored in the corresponding position $H_{i} (a t t)$ can then be retrieved.
Once the element shares the $r_{i}$ that have been stored in $A B F_{S}$ , element $e t$ can be reconstructed using the formula $e t = r_{1} \oplus r_{2} \oplus \dots \oplus r_{x - 1} \oplus r_{k} = r_{1} \oplus r_{2} \oplus \dots \oplus r_{x - 1} \oplus r_{k} \oplus e t$ , where $e t$ is represented as $i | | a t t_{e}$ and attribute $a t t_{e}$ is derived from the rightmost $L_{a t t}$ bits of element $e t$ . If there are redundant zeros in $a t t_{e}$ , they are removed. When $a t t_{e}$ matches the attribute $a t t$ specified in the access policy, this implies that attribute $a t t$ exists in the access control policy. Otherwise, attribute $a t t$ is not present in the access policy. Similarly, the row numberi is derived from the leftmostL bits of element $e t$ , and redundant zeros are removed if present. Once $a t t_{e}$ andi have been obtained, the attribute mapping can be rebuilt as $ρ^{'} = {(r o w n u m, a t t)}_{a t t \in S}$ .

Above all, the

A B F B u i l d

algorithm hides the attribute mapping, while the

A B F Q u e r y

algorithm reconstructs it. This access control structure can allow full policy hiding to be achieved.

3.5. Decisional Linear Assumption

Suppose we have two multiplicative groups,

G

and

H

, of prime number orderq and two generators,

g \in G

and

h \in H

. We randomly select

x, y, m, n \in Z_{p}

and define a tuple

T_{1} = (g, h, g^{x}, g^{y}, h^{x}, h^{y}, g^{m x}, g^{n y}, h^{m x}, h^{n y}, g^{m + n}, h^{m + n})

. We randomly choose a random number

μ \in Z_{p}

and define another tuple

T_{2} = (g, h, g^{x}, g^{y}, h^{x}, h^{y}, g^{m x}, g^{n y}, h^{m x}, h^{n y}, g^{μ}, h^{μ})

. The assumption then is that no polynomial-time adversary can distinguish tuple

T_{1}

from tuple

T_{2}

with negligible advantage.

4. Access Control System

In this section, we introduce our system model and the concrete EVOAC-HP, which is composed of five stages, including system parameter initialization, key generation, EHR data encryption, ciphertext transformation, and EHR data decryption and verification.

4.1. System Model

As shown inFigure 1, the system model of EVOAC-HP comprises four entities: a certificate authority (CA), many data owners (DOs), many data users (DUs) and a cloud service provider (CSP). The following provides the definition and functions of each participant:

Certificate authority (CA): The central component of the entire system is the CA, which is in charge of the initialization of the system. The CA is responsible for creating the master private key and public parameters. Additionally, the CA generates transformation keys for users based on their attribute set when requested. It is assumed that the CA is a trusted entity.
Data owners (DOs): DOs are the producers of medical data. When they need to share their data, they first establish a custom access policy that allows users to access and encrypt the data using our proposed encryption scheme. The resulting ciphertext is then uploaded to the CSP. It is worth noting that the access policy in the ciphertext does not reveal the sensitive attributes of the data owner. In a medical scenario, the data owners are the patients.
Data users (DUs): In the healthcare scenario, the DUs play the role of a doctor or a nurse. They need to retrieve the corresponding ciphertext from the CSP and request it to assist in the transformation of the ciphertext. When obtaining the transformed decrypted ciphertext from the CSP, the data user locally decrypts it to access the EHR data and checks whether the transformation result is correct. Considering that the data user is likely to use resource-limited devices such as conventional desktop computers, the decryption operation is delegated to simplify the computation.
Cloud service provider (CSP): The CSP is a powerful server with storage and computing services. Its main responsibilities include storing ciphertext corresponding to medical data and providing ciphertext transformation service. It should be noted that the CSP is honest but curious, which means that it may attempt to extract useful information from the ciphertext.

4.2. The Proposed Scheme

System parameter initialization. The entire process of system initialization is performed by the CA. It runs

S e t u p (1^{λ}, U)

to generate

(m p k, m s k)

. This process is shown in Algorithm 1. This algorithm takes as input the security parameter

λ

and a large attribute universe descriptionU, and it outputs the master public key

m p k

and the master key

m s k

. In this process, the CA executes the initialization stage of the FAME scheme [15] and the commitment scheme. In addition, the attribute bloom filter is parameterized. Finally, the master public key is

m p k

, and the master key is

m s k

Algorithm 1 Setup (Invoked by CA).

Input Security parameter

λ

, attribute universe descriptionU
Output: The master public key

m p k

, the master key

m s k

1:: Suppose $L_{a t t}$ and $L_{r o w n u m}$ denote the maximum bit length of attributes in the whole system and the row numbers in the access matrix. The ABF has a bit array of size $L_{A B F}$ and is associated withx hash functions;
2:: Generatex hash functions $H_{i}$ for $i \in [1, \dots, x]$ : $H_{i} : {\{0, 1\}}^{*} \to [1, L_{A B F}]$ and a hash function $H : {\{0, 1\}}^{*} \to G;$
3:: Randomly pick three groups $G$ , $H$ and $G_{T}$ of prime orderp and defines a bilinear map $\hat{e} : G \times H \to G_{T}$ and generators $g_{0}, g, h_{0} \in G, h \in H$ and random number $a_{1}, a_{2}, b_{1}, b_{2} \in Z_{p}^{*}$ and $d_{1}, d_{2}, d_{3} \in Z_{p};$
4:: Calculate $A_{1} = h^{a_{1}}, A_{2} = h^{a_{2}}, E_{1} = e {(g, h)}^{d_{1} a_{1} + d_{3}}, E_{2} = e {(g, h)}^{d_{2} a_{2} + d_{3}};$
5:: Set the master public key $m p k = {g_{0}, h_{0}, h, A_{1}, A_{2}, E_{1}, E_{2}, H_{i \in [1, \dots, x]}, H};$
6:: Set the master key $m s k = {g, h, a_{1}, a_{2}, b_{1}, b_{2}, g^{d_{1}}, g^{d_{2}}, g^{d_{3}}} .$

Key generation. This stage has two steps: Firstly, the data user randomly selects

z \in Z_{p}

as a secret decryption key

d k = z

and produces a shared public key

s p k = g^{\frac{1}{z}}

. When the data user needs to apply for the transformation key, the data user sends the shared public key

s p k

to the CA responsible for issuing transformation keys. The CA runs

T k G e n (m s k, S, s p k)

to generate the transformation key

t k

, and this process is shown in Algorithm 2. This algorithm takes as input the master key

m s k

, a set of the data user attributesS and a shared public key

s p k

, and it outputs the transformation key

t k = (t k_{0}, {\{t k_{y}\}}_{y \in S}, t k^{'}) .

Algorithm 2 TkGen (Invoked by CA).

Input The master key

m s k

, attribute setS, a shared public key

s p k

Output: Transformation key

t k

1:: Randomly chooses two random number $r_{1}, r_{2} \in Z_{p}$ and calculate $t k_{0, 1} = h^{b_{1} r_{1}}, t k_{0, 2} = h^{b_{2} r_{2}}, t k_{0, 3} = h^{r_{1} + r_{2}};$
2:: Set $t k_{0} = (t k_{0, 1}, t k_{0, 2}, t k_{0, 3});$
3:: for each $y \in S$ do
4:: for $k \in {1, 2}$ do
5:: Randomly chooses a random number $σ_{y} \in Z_{p}$ and calculates $t k_{y, k} = H {(y 1 k)}^{\frac{b_{1} r_{1}}{a_{k}}} \cdot H {(y 2 k)}^{\frac{b_{2} r_{2}}{a_{k}}} \cdot$ $H {(y 3 k)}^{\frac{r_{1} + r_{2}}{a_{k}}} \cdot g^{\frac{σ_{y}}{a_{k}}}$ ;
6:: end for
7:: end for
8:: Set $t k_{y} = (t k_{y, 1}, t k_{y, 2}, g^{- σ_{y}});$
9:: for $k \in {1, 2}$ do
10:: Randomly chooses $σ^{'} \in Z_{p}$ and calculates $t k_{k}^{'} = g^{\frac{d_{k}}{z}} \cdot H {(011 t)}^{\frac{b_{1} r_{1}}{a_{k}}} . H {(012 t)}^{\frac{b_{2} r_{2}}{a_{k}}} \cdot H {(013 t)}^{\frac{r_{1} + r_{2}}{a_{k}}} \cdot g^{\frac{σ^{'}}{a_{k}}};$
11:: end for
12:: Set $t k^{'} = (t k_{1}^{'}, t k_{2}^{'}, g^{\frac{d_{3}}{z}} \cdot g^{- σ^{'}});$
13:: Set $t k = (t k_{0}, {\{t k_{y}\}}_{y \in S}, t k^{'}) .$

EHR data encryption. When encrypting sensitive EHR data

M_{E H R}

under the defined access structure

(M, ρ)

, the data owner first randomly picks a valuer and uses a concatenation operation represented by “

| |

” to encrypt the combination of EHR data and the random number

M_{E H R} | | r

. This means that the encrypted result contains both the original EHR data and the random value. That is, it runs

E n c r y p t (m p k, M_{E H R} | | r, (M, ρ)) \to c t

. This algorithm takes the master public key

m p k

, the EHR data

M_{E H R}

, the random numberr and the access structure

(M, ρ)

as input, and it outputs the encrypted EHR data

c t

. This process is shown in Algorithm 3. To hide the access structure

(M, ρ)

, we adopt the attribute bloom filter to achieve this property. It invokes

A B F B u l i d (M, ρ) \to A B F_{S}

to obtain

A B F_{S}

. This algorithm takes as input the access structure

(M, ρ)

, and it outputs the attribute bloom filter

A B F_{S}

. The concrete process is detailed inSection 3.5. In order to commit to

M_{E H R}

using the valuer, it runs

C o m m i t (M_{E H R}, r) \to c m

. The data owner calculates a commitment of the EHR data

c m = g_{0}^{M_{E H R}} h_{0}^{r}

. The final ciphertext

c t^{'}

(c t, c m, M, A B F_{S})

Algorithm 3 Encrypt (Invoked by DO).

Input Master public key

m p k

, the combination of the message and random number

(M_{E H R} | | r)

, access structure

(M, ρ)

, attribute setS
Output: Encrypted message

c t

1:: Randomly chooses two random number $s_{1}, s_{2} \in Z_{p}$ and calculates $c t_{0, 1} = A_{1}^{s_{1}}, c t_{0, 2} = A_{2}^{s_{2}}, c t_{0, 3} = h^{s_{1} + s_{2}};$
2:: Set $c t_{0} = (c t_{0, 1}, c t_{0, 2}, c t_{0, 3});$
3:: for each $i \in (1, n_{1})$ do
4:: for $l \in {1, 2, 3}$ do
5:: Calculate $c t_{i, l} = H {(ρ (i) l 1)}^{s_{1}} \cdot H {(ρ (i) l 2)}^{s_{2}} \cdot \prod_{j = 1}^{n_{2}} {[H {(0 j l 1)}^{s_{1}} \cdot H {(0 j l 2)}^{s_{2}}]}^{{(M)}_{i, j}};$
6:: end for
7:: end for
8:: Set $c t_{i} = (c t_{i, 1}, c t_{i, 2}, c t_{i, 3});$
9:: Calculate $c t_{M_{E H R}} = E_{1}^{s_{1}} \cdot E_{2}^{s_{2}} \cdot (M_{E H R} | | r);$
10:: Set $c t = (c t_{0}, c t_{1}, \dots, c t_{n_{1}}, c t_{M_{E H R}}) .$

Ciphertext transformation. In this stage, the CSP invokes

T r a n s f o r m (c t, t k) \to p c t

. This algorithm takes as input the encrypted EHR data

c t

and the transformation key

t k

and outputs the partially decrypted ciphertext

p c t

. This process is shown in Algorithm 4. Notice that the CSP might be malicious or lazy, so the transformation result is not necessarily true.

Algorithm 4 Transform (Invoked by CSP).

Input Ciphertext

c t

, transformation key

t k

Output: Partially-decrypted ciphertext

p c t

1:: Calculate $n u m = e (\prod_{i \in I}^{γ_{i}} c t_{i, 1}^{γ_{i}}, t k_{0, 1}) \cdot e (\prod_{i \in I}^{γ_{i}} c t_{i, 2}^{γ_{i}}, t k_{0, 2}) \cdot e (\prod_{i \in I}^{γ_{i}} c t_{i, 3}^{γ_{i}}, t k_{0, 3});$
2:: Calculate $d e n = e (t k_{1}^{'} \cdot \prod_{i \in I} t k_{ρ (i), 1}^{γ_{i}}, c t_{0, 1}) \cdot e (t k_{2}^{'} \cdot \prod_{i \in I} t k_{ρ (i), 2}^{γ_{i}}, c t_{0, 2}) \cdot e (t k_{3}^{'} \cdot \prod_{i \in I} t k_{ρ (i), 3}^{γ_{i}}, c t_{0, 3});$
3:: Calculate $p c t = n u m / d e n .$

EHR data decryption and verification. When the data user requests the full ciphertext from the CSP, it firstly decomposes the ciphertext

c t^{'}

into

(c t, c m, M, A B F_{S})

and runs

A B F Q u e r y (m p k, S, A B F_{S}) \to ρ^{'}

. The concrete process is detailed inSection 3.5. This algorithm takes as input the master public key

m p k

, a set of data user attributesS and attribute bloom filter

A B F_{S}

and outputs the rebuilt attribute mapping

ρ^{'}

. When recovering the corresponding access structure

(M, ρ^{'})

, the resource-constrained data user is able to delegate the ciphertext

c t

to the CSP for decryption; the CSP transforms the ciphertext

c t

into partially decrypted ciphertext

p c t

and gives it to the data user. Then, the data user runs

D e c r p t (c t^{'}, p c t, d k)

. This algorithm takes as input the full ciphertext

c t^{'}

, the partially decrypted ciphertext

p c t

and decryption key

d k = z

and outputs the final result

r e s u l t = c t_{M_{E H R}} \cdot p c t^{z}

. The result is the combination of the message and the random number

(M_{E H R} | | r)

. Aiming to check the correctness of the transformation result, the data user runs

R e v e a l (M_{E H R}, r, c m)

. This process checks whether

c m \overset{?}{=} g_{0}^{M_{E H R}} h_{0}^{r}

. If it passes verification, the data user finally obtains the true message,

M_{E H R}

. Otherwise, the transformation result is wrong.

5. Security Analysis

Theorem 1.

EVOAC-HP can guarantee the confidentiality of data under the random oracle model.

Lemma 1.

If FAME [15] can guarantee the confidentiality of data, the proposed scheme can also guarantee the confidentiality of data.

Proof.

Suppose that there is an adversary that solves the difficult decisional linear problem in probabilistic polynomial time, whose advantage

ε

cannot be ignored. With the help of adversary

A

, an algorithm

A l g

can be constructed so that the algorithm can break the confidentiality of FAME in probabilistic polynomial time, and the advantages are not negligible.

Let

C

be the challenger of a safe game in the FAME scheme, and let

A

be the adversary of the game. Algorithm

A l g

can break FAME’s confidentiality by performing the following:

System initialization: Adversary $A$ sends the access structure $A^{*}$ that needs to be challenged to algorithm $A l g$ . Algorithm $A l g$ gives $A^{*}$ to challenger $C$ . Challenger $C$ generates public parameter $m p k = {h, A_{1}, A_{2}, E_{1}, E_{2}, H}$ with the $S e t u p$ algorithm in FAME and sends $m p k$ to algorithm $A l g$ . Algorithm $A l g$ calls the $S e t u p$ algorithm in EVOAC-HP to complete public parameter $m p k = {g_{0}, h_{0}, h, A_{1}, A_{2}, E_{1}, E_{2}, H_{i \in [1, \dots, x]}, H}$ and send it to adversary $A$ .
Query phase 1: Algorithm $A l g$ receives the decryption key query request submitted by adversary $A$ . Let adversary $A$ ask for the decryption key of the attribute set $S_{e}$ , and let algorithm $A l g$ forward this query request to challenger $C$ . Challenger $C$ calls the $K e y G e n$ algorithm in the FAME scheme to output the decryption key given to algorithm $A l g$ , and algorithm $A l g$ forwards its key to adversary $A$ .
Challenge phase: Adversary $A$ submits two equal-length plaintexts, $m_{0}^{*}$ and $m_{1}^{*}$ , to algorithm $A l g$ . Algorithm $A l g$ sends them to challenger $C$ and asks for the challenge ciphertext. Challenger $C$ randomly selects $b \in {0, 1}$ and calls the $E n c r y p t$ algorithm in the FAME scheme to encrypt the message $m_{b}^{*}$ . Finally, challenger $C$ sends the ciphertext $c t$ to algorithm $A l g$ . After receiving the challenge ciphertext $c t$ , algorithm $A l g$ completes $c t$ according to the ciphertext form of EVOAC-HP and then sends it to adversary $A$ .
Query phase 2: This phase is the same as Query phase 1.
Guess phase: If adversary $A$ outputs a bit $b^{'}$ , then algorithm $A l g$ also outputs $b^{'}$ .

If adversary

A

can break the FAME scheme, it means that adversary

A

can calculate the ciphertext

e {(g, h)}^{- E_{1}^{s_{1}} \cdot E_{2}^{s_{2}}}

according to algorithm

A l g

. With the help of adversary

A

, algorithm

A l g

can calculate

m_{b}^{*}

in the FAME algorithm, thereby breaking the FAME scheme. □

Theorem 2.

If the decisional linear assumption is correct, FAME is adaptively secure under the random oracle model.

Lemma 2.

FAME [15] has proved that the decisional linear assumption is adaptively secure under the random oracle model. EVOAC-HP is constructed based on FAME, so EVOAC-HP can guarantee the confidentiality of data under the random oracle model.

Theorem 3.

EVOAC-HP can guarantee the confidentiality of ciphertext transformation.

Proof.

The proposed scheme guarantees transformation result confidentiality with the discrete logarithm problem. Specifically, EVOAC-HP generates a transformation key using a shared public key

s p k = g^{\frac{1}{z}}

provided by the data user. Even if an adversary gains access to the transformation key

t k

and the intermediate ciphertext

c t

from the CSP, they cannot compute

c t_{M_{E H R}} \cdot p c t^{z}

without the user’s secret decryption keyz. Thus, the adversary does not have the ability to decrypt the combination of the EHR data and the random number (

M_{E H R} | | r

) and gain access to sensitive data

M_{E H R}

. This adds an extra layer of security to the scheme, ensuring that confidential information remains protected even if the adversary gains access to some of the intermediate data. □

Theorem. 4

EVOAC-HP can guarantee the privacy of the access policy.

Proof.

To prevent the potential leakage of attribute information, EVOAC-HP eliminates the attribute mapping function

ρ

embedded in the access policy using the

A B F B u l i d

and

A B F Q u e r y

procedures. Adversaries without knowledge of the attribute string cannot carry out a successful brute-force attack within polynomial time, so they are incapable of accessing and inferring confidential information from the access policy. Furthermore, data users are only able to check whether they possess the required attributes for accessing the data. It is impossible for a single data user to verify all the attributes from the attribute universe descriptionU unless they possess all of the attributes or multiple data users work together to achieve it. Therefore, EVOAC-HP provides protection for policy privacy by concealing attribute information in the access policy. □

6. Performance Analysis

In this section, the performance of EVOAC-HP is analyzed from functional, theoretical and experimental perspectives.

6.1. Functional Analysis

When it comes to the comparisons of functional analysis, we compare related works in terms of five functionalities: security model, large universe, hidden policy, outsourced decryption and verifiability. Note that in the security model, adaptive security provides stronger security guarantees than selective security. As shown inTable 1, most schemes support only two or three of these features, while the work [18] only supports large universe, and the work [8] only achieves hidden policy. For better security, only schemes [15,25] and EVOAC-HP achieve adaptive security. The schemes [10,11] both support large universe, outsourced decryption and verifiability. According to the above comparison, EVOAC-HP simultaneously achieves large universe, adaptive security, hidden policy, outsourced decryption and verifiability, thus showing functional advantages.

6.2. Theoretical Analysis

Here, we only consider some expensive operations and use the symbols

E x p

P a i r

and

H a s h

to denote exponentiation, pairing and hashing operation, respectively. As shown inTable 2, we evaluate EVOAC-HP and compare it with other similar schemes based on the computational complexity of their encryption and decryption algorithms. Regarding the encryption process, although the scheme [32] and EVOAC-HP incur high computational overhead, most of the computational overhead is attributed to the construction of the attribute bloom filter, which requires additional hashing operations to achieve policy hiding. On the other hand, it is obvious that in the decryption stage, existing schemes [15,18,32] need to perform pairing operations, which is expensive for data users, while EVOAC-HP only requires

2 E x p + x H a s h

operations. Due to outsourced decryption, EVOAC-HP outperforms other existing schemes that require pairing operations in the decryption stage with regard to performance.

6.3. Experimental Analysis

We implemented similar schemes in Python 3.8 in the same experimental environment (Ubuntu-20.04 with Intel Core i7 and 16 G RAM) on top of the Charm framework [37] and MNT224 curve for pairing. The double-hash technique [38] based on 128-bit MurmurHash and SpookyHash was used to constructx hash functions for the attribute bloom filter. We compared the computational time of data encryption and data decryption with schemes [15,32] and EVOAC-HP. We evaluated all the schemes using access policies and attribute sets of sizes ranging from 5 to 50, and the number of hash functions for the ABF was 10. Those schemes were tested in 10 trials, so that the experimental results were averaged. As shown inFigure 2, as the number of attributes increases, the encryption overhead of all three schemes shows a linear growth trend. However, our scheme, EVOAC-HP, has significantly smaller encryption overhead than the scheme proposed in [32], while it has time overhead similar to that of the scheme proposed in [15]. It is worth noting that the scheme proposed in [15] does not consider policy privacy, while our scheme requires the construction of the ABF during the encryption phase to achieve fully hidden policy, resulting in additional computational overhead depending on the number of hash functions used. As shown inFigure 3, the data decryption overhead of scheme [32] shows a linear growth trend as the number of attributes increases, which leads to an increased computational burden for data users. In contrast, EVOAC-HP and scheme [15] maintain constant data decryption overhead. Moreover, EVOAC-HP adopts outsourcing decryption techniques, which further reduces decryption overhead to 2 ms.

In order to evaluate the time cost of five algorithms in EVOAC-HP, we conducted experiments under three curves, MNT159, MNT201 and MNT224.Figure 4 shows the computational time of each algorithm in our proposed scheme with the number of attributes. Obviously, the MNT224 curve had the highest overhead among all algorithms, while MNT159 had the lowest. The

S e t u p

algorithm maintained constant computational overhead, and system initialization was only required once. Except for the

D e c r y p t

algorithm, the computation overhead of all algorithms was proportional to the number of attributes. Due to outsourced decryption, the

D e c r y p t

algorithm only spent a constant time of around 2 ms.

7. Conclusions and Future Work

In this paper, we introduce a practical and reliable scheme for fine-grained privacy protection and outsourced computation access control for sharing medical data, named EVOAC-HP. We employ CP-ABE as a fundamental building block to encrypt the medical data and outsource the decryption operation to alleviate the computation overhead for data users, which reduces the decryption computation overhead to a constant. Additionally, we achieve policy hiding by utilizing the attribute bloom filter, which prevents any individual from accessing sensitive attribute information from the access policy. The user’s attributes are not disclosed in the access policy, which effectively guarantees the security of our scheme. The proposed scheme is proved to be adaptively secure under the random oracle model under the decisional linear assumption. As demonstrated with performance analysis and comparative analysis, EVOAC-HP has functional advantages, better performance and stronger security, which are suitable for EHR data sharing and complex access control in medical scenarios.

Our scheme also has some limitations. First of all, with our scheme, it is difficult to efficiently deal with the policy update problem. When the access policy needs to be updated, the data owner can complete the update with a small computational cost. In this scheme, the data owner needs to re-encrypt according to the new access policy, which is obviously inefficient. Secondly, in most medical scenarios, users’ identities may often change, which requires a new solution that supports user attribute update and revocation to meet this requirement. Finally, our scheme has the problem of offline dictionary attack, that is, the user can continuously query whether the attribute is in the access policy with the attribute bloom filter, which may expose user attributes. In the future, we plan to focus on incorporating features such as CP-ABE with policy update and user attribute revocation while preventing dictionary attacks to better meet practical application scenarios.

Author Contributions

Formal analysis, D.Z., H.M. and P.L.; Methodology, H.M. and P.L.; Supervision, D.Z. and X.W.; Writing—original draft preparation, H.M.; Writing—review and editing, P.L., D.Z. and X.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the National Natural Science Foundation of China under grant number 61932010 and Guangdong Provincial Key Laboratory of Power System Network Security under grant number GPKLPSNS-2022-KF-05.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflict of interest.

References

Wang, M.; Guo, Y.; Zhang, C.; Wang, C.; Huang, H.; Jia, X. MedShare: A privacy-preserving medical data sharing system by using blockchain.IEEE Trans. Serv. Comput.2021,16, 438–451. [Google Scholar] [CrossRef]
Li, F.; Liu, K.; Zhang, L.; Huang, S.; Wu, Q. EHRChain: A blockchain-based ehr system using attribute-based and homomorphic cryptosystem.IEEE Trans. Serv. Comput.2021,15, 2755–2765. [Google Scholar] [CrossRef]
Huang, J.; Kong, L.; Cheng, L.; Dai, H.N.; Qiu, M.; Chen, G.; Liu, X.; Huang, G. BlockSense: Towards Trustworthy Mobile Crowdsensing via Proof-of-Data Blockchain.IEEE Trans. Mob. Comput.2022, 1–17. [Google Scholar] [CrossRef]
Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 457–473. [Google Scholar] [CrossRef]
Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP’07), Berkeley, CA, USA, 20–23 May 2007; pp. 321–334. [Google Scholar] [CrossRef]
Lewko, A.; Waters, B. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Proceedings of the Advances in Cryptology–CRYPTO 2012: 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; pp. 180–198. [Google Scholar] [CrossRef]
Rouselakis, Y.; Waters, B. Practical constructions and new proof methods for large universe attribute-based encryption. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 4–8 November 2013; pp. 463–474. [Google Scholar] [CrossRef]
Nishide, T.; Yoneyama, K.; Ohta, K. Attribute-based encryption with partially hidden encryptor-specified access structures. In Proceedings of the International Conference on Applied Cryptography and Network Security, New York, NY, USA, 3–6 June 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 111–129. [Google Scholar] [CrossRef]
Green, M.; Hohenberger, S.; Waters, B. Outsourcing the Decryption of ABE Ciphertexts. In Proceedings of the 20th USENIX Security Symposium (USENIX Security 11), San Francisco, CA, USA, 8–12 August 2011. [Google Scholar]
Lai, J.; Deng, R.H.; Guan, C.; Weng, J. Attribute-based encryption with verifiable outsourced decryption.IEEE Trans. Inf. Forensics Secur.2013,8, 1343–1354. [Google Scholar] [CrossRef]
Mao, X.; Lai, J.; Mei, Q.; Chen, K.; Weng, J. Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption.IEEE Trans. Dependable Secur. Comput.2015,13, 533–546. [Google Scholar] [CrossRef]
Liu, X.; Wang, H.; Zhang, B.; Zhang, B. An efficient fine-grained data access control system with a bounded service number.Inf. Sci.2022,584, 536–563. [Google Scholar] [CrossRef]
Lai, J.; Deng, R.H.; Li, Y. Fully secure cipertext-policy hiding CP-ABE. In Proceedings of the Information Security Practice and Experience: 7th International Conference, ISPEC 2011, Guangzhou, China, 30 May–1 June 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 24–39. [Google Scholar] [CrossRef]
Hur, J. Attribute-based secure data sharing with hidden policies in smart grid.IEEE Trans. Parallel Distrib. Syst.2013,24, 2171–2180. [Google Scholar] [CrossRef]
Agrawal, S.; Chase, M. FAME: Fast attribute-based message encryption. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 665–682. [Google Scholar] [CrossRef]
Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Advances in Cryptology: Proceedings of CRYPTO ’84, Santa Barbara, California, USA, 19–22 August 1984; Springer: Berlin/Heidelberg, Germany, 1985; pp. 47–53. [Google Scholar] [CrossRef]
Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98. [Google Scholar] [CrossRef]
Waters, B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. InInternational Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2011; pp. 53–70. [Google Scholar] [CrossRef]
Li, J.; Chen, X.; Li, J.; Jia, C.; Ma, J.; Lou, W. Fine-grained access control system based on outsourced attribute-based encryption. In Proceedings of the European Symposium on Research in Computer Security, Egham, UK, 9–13 September 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 592–609. [Google Scholar] [CrossRef]
Li, J.; Huang, X.; Li, J.; Chen, X.; Xiang, Y. Securely outsourcing attribute-based encryption with checkability.IEEE Trans. Parallel Distrib. Syst.2013,25, 2201–2210. [Google Scholar] [CrossRef]
Lin, S.; Zhang, R.; Ma, H.; Wang, M. Revisiting attribute-based encryption with verifiable outsourced decryption.IEEE Trans. Inf. Forensics Secur.2015,10, 2119–2130. [Google Scholar] [CrossRef]
Cui, H.; Wan, Z.; Wei, X.; Nepal, S.; Yi, X. Pay as you decrypt: Decryption outsourcing for functional encryption using blockchain.IEEE Trans. Inf. Forensics Secur.2020,15, 3227–3238. [Google Scholar] [CrossRef]
Qin, X.; Huang, Y.; Yang, Z.; Li, X. LBAC: A lightweight blockchain-based access control scheme for the internet of things.Inf. Sci.2021,554, 222–235. [Google Scholar] [CrossRef]
Qin, X.; Yang, Z.; Li, Q.; Pan, H.; Yang, Z.; Huang, Y. Attribute-based encryption with outsourced computation for access control in IoTs. In Proceedings of the 2022 3rd Asia Service Sciences and Software Engineering Conference, Macao, 24–26 February 2022; pp. 66–73. [Google Scholar] [CrossRef]
Lai, J.; Deng, R.H.; Li, Y. Expressive CP-ABE with partially hidden access structures. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Republic of Korea, 2–4 May 2012; pp. 18–19. [Google Scholar] [CrossRef]
Cui, H.; Deng, R.H.; Wu, G.; Lai, J. An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures. In Proceedings of the International Conference on Provable Security, Nanjing, China, 10–11 November 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 19–38. [Google Scholar] [CrossRef]
Zhang, Y.; Zheng, D.; Deng, R.H. Security and privacy in smart health: Efficient policy-hiding attribute-based access control.IEEE Internet Things J.2018,5, 2130–2145. [Google Scholar] [CrossRef]
Cui, H.; Deng, R.H.; Lai, J.; Yi, X.; Nepal, S. An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures, revisited.Comput. Netw.2018,133, 157–165. [Google Scholar] [CrossRef]
Zhang, L.; Hu, G.; Mu, Y.; Rezaeibagha, F. Hidden ciphertext policy attribute-based encryption with fast decryption for personal health record system.IEEE Access2019,7, 33202–33213. [Google Scholar] [CrossRef]
Saidi, A.; Nouali, O.; Amira, A. SHARE-ABE: An efficient and secure data sharing framework based on ciphertext-policy attribute-based encryption and Fog computing.Clust. Comput.2022,25, 167–185. [Google Scholar] [CrossRef]
Dong, C.; Chen, L.; Wen, Z. When private set intersection meets big data: An efficient and scalable protocol. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 4–8 November 2013; pp. 789–800. [Google Scholar] [CrossRef]
Yang, K.; Han, Q.; Li, H.; Zheng, K.; Su, Z.; Shen, X. An efficient and fine-grained big data access control scheme with privacy-preserving policy.IEEE Internet Things J.2016,4, 563–571. [Google Scholar] [CrossRef]
Han, Q.; Zhang, Y.; Li, H. Efficient and robust attribute-based encryption supporting access policy hiding in Internet of Things.Future Gener. Comput. Syst.2018,83, 269–277. [Google Scholar] [CrossRef]
Hao, J.; Huang, C.; Ni, J.; Rong, H.; Xian, M.; Shen, X.S. Fine-grained data access control with attribute-hiding policy for cloud-based IoT.Comput. Netw.2019,153, 1–10. [Google Scholar] [CrossRef]
Zhang, L.; Wang, J.; Mu, Y. Privacy-Preserving Flexible Access Control for Encrypted Data in Internet of Things.IEEE Internet Things J.2021,8, 14731–14745. [Google Scholar] [CrossRef]
Deng, W.; Xiang, T.; Liao, X. STEAC: Towards secure, traceable, and efficient cryptographic access control scheme in smart healthcare.Multimed. Tools Appl.2022,81, 30069–30092. [Google Scholar] [CrossRef]
Akinyele, J.A.; Garman, C.; Miers, I.; Pagano, M.W.; Rushanan, M.; Green, M.; Rubin, A.D. Charm: A framework for rapidly prototyping cryptosystems.J. Cryptogr. Eng.2013,3, 111–128. [Google Scholar] [CrossRef]
Bradford, P.G.; Katehakis, M.N. A probabilistic study on combinatorial expanders and hashing.SIAM J. Comput.2007,37, 83–111. [Google Scholar] [CrossRef]

Figure 1. The system model of EVOAC-HP.

Figure 2. Computation time comparison of data encryption among FAME [15], Yang et al.’s scheme [32] and our scheme.

Figure 3. Computation time comparison of data decryption among FAME [15], Yang et al.’s scheme [32] and our scheme.

Figure 4. Computational overhead with the number of attributes.

Table 1. Comparisons of functionality¹.

Scheme	Security Model	Large Universe	Hidden Policy	Outsourced Decryption	Verifiability
[8]	Selective security	✘	✔	✘	✘
[18]	Selective security	✔	✘	✘	✘
[9]	Selective security	✔	✘	✔	✘
[25]	Adaptive security	✘	✔	✘	✘
[10]	Selective security	✔	✘	✔	✔
[11]	Selective security	✔	✘	✔	✔
[32]	Selective security	✔	✔	✘	✘
[15]	Adaptive security	✔	✘	✘	✘
EVOAC-HP	Adaptive security	✔	✔	✔	✔

¹ Here, ✔ denotes support; ✘ denotes no support.

Table 2. Comparisons of computation cost¹.

Scheme	Encryption	Decryption
[18]	$(2 n_{1} + 2) E x p$	$I E x p + (2 I + 1) P a i r$
[32]	$(2 n_{1} + 2) E x p + x H a s h$	$I E x p + (2 I + 1) P a i r + x H a s h$
[15]	$(6 n_{1} + 3) E x p + 6 (n_{1} + n_{2}) H a s h$	$6 P a i r$
EVOAC-HP	$(6 n_{1} + 3) E x p + (6 n_{1} + 6 n_{2} + x) H a s h$	$2 E x p + x H a s h$

¹ Here,I denotes the number of attributes used in the final successful decryption;

n_{1}

and

n_{2}

are the dimensions of the access matrix in the access policy; andx is the number of hash functions for the attribute bloom filter.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Ma, H.; Zhou, D.; Li, P.; Wang, X. EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy.Sensors2023,23, 4384. https://doi.org/10.3390/s23094384

AMA Style

Ma H, Zhou D, Li P, Wang X. EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy.Sensors. 2023; 23(9):4384. https://doi.org/10.3390/s23094384

Chicago/Turabian Style

Ma, Haobin, Dehua Zhou, Peng Li, and Xiaoming Wang. 2023. "EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy"Sensors 23, no. 9: 4384. https://doi.org/10.3390/s23094384

APA Style

Ma, H., Zhou, D., Li, P., & Wang, X. (2023). EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy.Sensors,23(9), 4384. https://doi.org/10.3390/s23094384

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further detailshere.

Article Metrics

Article Access Statistics

For more information on the journal statistics, clickhere.

Multiple requests from the same IP address are counted as one view.

Movatterモバイル変換

Article Menu

EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy

Abstract

1. Introduction

2. Related Work

3. Preliminary

3.1. CP-ABE Definition

3.2. Security Model for CP-ABE

3.3. Commitment

3.4. Attribute Bloom Filter

3.5. Decisional Linear Assumption

4. Access Control System

4.1. System Model

4.2. The Proposed Scheme

5. Security Analysis

6. Performance Analysis

6.1. Functional Analysis

6.2. Theoretical Analysis

6.3. Experimental Analysis

7. Conclusions and Future Work

Author Contributions

Funding

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI