MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT

Heng Pan

^1,2,3,*

Yaoyao Zhang

^1,2,3,*

Xueming Si

^1,2,4,

Zhongyuan Yao

^1,2,3 and

Liang Zhao

⁵

Research Institute of Advanced Information Technology, Zhongyuan University of Technology, Zhengzhou 450007, China

Henan International Joint Laboratory of Blockchain and Data Sharing, Zhengzhou 450007, China

Henan Key Laboratory of Network Cryptography Technology, Zhengzhou 450007, China

⁴

Department of Computer Science and Engineer, Shanghai Jiao Tong University, Shanghai 200240, China

⁵

Department of Computing and Mathematics, Faculty of Philosophy, Science and Letters at Ribeirao Preto (FFCLRP) Bandeirantes, University of Sao Paulo, 3900, Ribeirao Preto 14040-901, SP, Brazil

Authors to whom correspondence should be addressed.

Symmetry2022,14(12), 2479;https://doi.org/10.3390/sym14122479

Submission received: 24 October 2022 /Revised: 13 November 2022 /Accepted: 17 November 2022 /Published: 23 November 2022

(This article belongs to the Special IssueAdvances in Internet of Things with Symmetric/Asymmetric Structure, Computing and Interaction)

Downloadkeyboard_arrow_down

Browse Figures

Versions Notes

Abstract

The Internet of Things (IoT) and cloud technologies have significantly facilitated healthcare. In such a context, medical data are collected by the terminals from the patients, manipulated, and stored on the cloud by hospitals (doctors). This brings asymmetry problems in medical data access control, processing, and storage between doctors and patients, which results in medical data sharing face many challenges such as privacy leakage and malicious feedback from cloud servers on queries. To solve these asymmetry problems, this paper proposes a medical data sharing scheme with cloud-chain cooperation and policy fusion in the IoT. Regarding asymmetrical access control rights, a conflict resolution and fusion algorithm that enables co-authorization of medical data by the doctor and the patient is introduced. To balance the symmetry of medical data storage and processing, a cloud-chain cooperation ciphertext retrieval method is proposed by means of two-stage joint searching from cloud servers and the blockchain, which can not only detect malicious medical data feedback from cloud servers, but also improve the data search efficiency. The security analysis showed that this scheme satisfies the confidentiality and verifiability of the retrieved information, and the feasibility of the proposed scheme was demonstrated through experiments.

Keywords:

cooperation retrieval;co-authorization;policy conflict resolution;blockchain;IoMT

1. Introduction

The massive amount of data generated by the Internet of Medical Things (IoMT) serves as an important vehicle for recording patient information for treatment and needs to be shared to advance medical information [1,2]. Because of the limited computational power and storage capacity of the terminal, medical data based on the IoMT are generally stored and processed on the cloud, where the data access and usage rights are always in the hands of medical institutions. This brings asymmetries in medical data access control, processing, and storage between doctors and patients. Specifically, patients have little control over their records, which results in privacy disclosure. Furthermore, the unbalanced structure of the terminal collection, cloud storage, and processing may cause malicious tampering or false feedback on queries from the cloud server. These problems due to asymmetry seriously impede medical data sharing.

Current research on IoMT data sharing mainly focuses on the access control of medical data and secure retrieval methods. The common method is to use Attribute-Based Encryption (ABE) [3], especially Ciphertext Policy Attribute-Based Encryption (CP-ABE) [4], access control to encrypt medical data and store them on the cloud server. Most studies based on CP-ABE to solve medical data sharing consider the access control of medical data by hospitals or patients [5,6,7]. However, medical data come from both patients and doctors. Thus, their ownership should be shared between hospitals and patients. Therefore, it is worthwhile to further study the medical data access control method with the co-authorization of doctors and patients.

Furthermore, the ciphertext retrieval of medical data is a hot research topic that addresses the security risks of the cloud. While Searchable Encryption (SE) [8] can prevent the leakage and tampering of medical records by semi-trusted cloud servers, there still remains the risk of the cloud server’s malicious feedback errors or false medical data [9,10]. Since these solutions do not break the centralized imbalanced structure, it is difficult to fundamentally solve the secure storage and processing problems of medical data sharing. Blockchain is open, transparent, tamperproof, and traceable, which can provide a solution to this problem [11]. The existing methods mainly use blockchain to record the query information [12,13,14] or ensure the correctness of the retrieved results by performing ciphertext medical data searching on the blockchain [15]. However, due to blockchain’s special structure and storage limitations, the blockchain ciphertext retrieval efficiency is much lower than cloud services. Although blockchain breaks the asymmetric structure of cloud-based medical data’s centralized storage and processing, it raises efficiency problems and other issues.

To solve the above two asymmetric problems that impede medical data sharing, a Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in the IoT (

M D S^{2} - C^{3} P F

) is proposed. The scheme makes use of cloud-chain cooperation to effectively balance the medical data sharing access control between doctors and patients and resist some of the security risks such as malicious feedback and privacy disclosure caused by the centralized asymmetric structure of cloud data processing.

The main contributions of this article are as follows:

A multi-stage system model is proposed. The access control right of medical data between doctors and patients becomes symmetric through their co-authorization. A symmetric cloud-chain cooperation storage and retrieval method is designed to detect malicious feedback from the cloud and to improve the medical data retrieval efficiency.
An attribute-based access policy fusion method is proposed to develop an access control policy created by both doctors and patients. When the medical data access control policies made by doctors and patients conflict, the balance score matrix is calculated to solve this by using the mutual influence weight and intention score of doctors and patients.
Considering both medical records retrieval efficiency and detecting malicious feedback from cloud servers, a cloud-chain cooperation retrieval method is proposed. It can improve medical records retrieval efficiency by designing the off-chain search structure and performing an initial search on the cloud server with a secondary search on the blockchain.

The rest of this article is arranged as follows. Related work is first discussed inSection 2, followed bySection 3, which presents the background knowledge.Section 4 introduces the

M D S^{2} - C^{3} P F

model and the security model. The construction and details of the scheme are described inSection 5. Then,Section 6 discusses the security analysis. InSection 7, the experimental analysis of the scheme is carried out. Finally, the whole article is concluded.

2. Related Work

In order to ensure the security of medical data, many works encrypt medical records and store the ciphertext on the cloud. Many IoT-based medical data sharing researchers use ABE and SE to protect data security and privacy in cloud searching and access. In order to overcome the problems caused by the centralized nature of the cloud, recent studies have tried to use blockchain to make an improvement.

Since data sharing requires fine-grained access control methods, Sahai et al. [3] first presented an ABE scheme enabling one-to-many encryption. To improve the performance of ABE, Bethencourt et al. [4] provided a CP-ABE method, which was proven secure in the generic group model. Based on these fundamental works, the state-of-the-art studies on secure data sharing on the cloud, especially medical data sharing, often make use of CP-ABE. Han et al. [16] proposed an attribute-revocable CP-ABE scheme based on privacy protection, which can share data securely by the cloud. In IoT research, Li et al. [17] presented a white-box traceable CP-ABE scheme with accountability in the IoT to address the user key abuse problem. Hu et al. [18] proposed a strategy-hidden sharing method in the IoT to outsource data to the cloud, which can reduce the cost of the user and improve computational efficiency. K. et al. [19] introduced a lightweight key management mechanism based on the IoT to solve the key escrow problem. At the same time, the development of the cloud and the IoT have greatly promoted technological innovation in the medical scene and promoted the secure sharing of medical data. In particular, in order to prevent the disclosure of patients’ privacy, many existing ABE access control studies focus on how to strengthen patients’ control over medical data. Hwang et al. [20] believed that patients have ownership of medical data and used CP-ABE to encrypt medical data to protect the privacy of patient data. Liu et al. [21] proposed an approach based on consortium blockchain to make access control policies by patients. Wang et al. [22] provided a fast, secure patient-controlled access scheme for medical data, which can reduce the storage capacity on the mobile terminal. In fact, the medical data are produced by both the patient and the doctor. Therefore, access to medical data should be decided jointly by doctors and patients, but there are not many studies on co-authorization.

Searchable encryption based on ABE is crucial to achieving secure data sharing. Song et al. [8] first introduced the scheme of searchable encryption and solved the problem of ciphertext retrieval. Since this pioneering work, many security research workshave been proposed to improve the efficiency of ciphertext search and improve the search function. Li et al. [23] provided a secure and efficient dynamic searchable encryption scheme on medical cloud data, improving the ciphertext keyword search efficiency. Chen et al. [24] realized an efficient fuzzy search of keywords by encrypting the fuzzy association scores between data and query predicates. Chaudhari et al. [25] proposed a searchable encryption algorithm based on a single keyword that allows a user to access a subset of the documents. Tahir et al. [26] exploited the properties of the modular inverse to generate a probabilistic trapdoor that facilitates the search over the secure inverted index table. Sun et al. [27] proposed an attribute-based searchable encryption scheme that supports multiple data owners and data requesters. Zheng et al. [28] proposed a verifiable-attribute-based keyword search scheme that could prevent false feedback from the cloud. Yu et al. [29] retrieved the required ciphertext medical data in the IoT, reducing the computational load of outsourcing decryption and improving efficiency.

However, semi-trusted cloud servers are vulnerable to providing false feedback and the malicious forging of medical data. Blockchain’s immutable and decentralized characteristics provide new research ideas and solutions. Liu et al. [30] implemented an electronic medical record sharing scheme based on policy hiding, which uses blockchain to store electronic medical record ciphertext and ensure the correctness of data retrieval. Cao et al. [31] presented a cloud-assisted secure medical system that uses blockchain to record the data operation process and ensure the traceability of data. Zhang et al. [32] provided a decentralized personal health record sharing scheme, using blockchain for the keyword search to ensure the correctness of the queried results. Krishna et al. [33] used ciphertext indexing to search data and utilized blockchain to verify every transaction to make medical data transmission more reliable. Zhu et al. [34] proposed a shared electronic medical data system, which used the automatic execution of chain codes to ensure data access security. In addition, there are some literature works on smart contracts in blockchain, which realize secure sharing and retrieval. Saini et al. [35] designed an access control framework based on a smart contract to prevent a single point of failure and ensure data sharing among different entities. Chen et al. [36] ensured the security of medical data through smart authorization contracts. However, the retrieval efficiency of the above research schemes still needs to be improved.

In a word, it can be seen that the existing works mainly focus on the security data access and retrieval in the IoT and cloud environments, while the essential problem of asymmetry in medical data sharing is not discussed. Unlike the above methods,

M D S^{2} - C^{3} P F

solves the asymmetric access control right of the medical data between doctors and patients and the asymmetric collection and processing capability between the IoT and the cloud. Meanwhile, our scheme can detect false feedback from the cloud server and improve the sharing data retrieval efficiency.

3. Preliminaries

This section sorts out the preliminary knowledge, including the bilinear maps and access structure.

3.1. Bilinear Maps

Let

G_{1}

G_{2}

be a multiplicative cyclic group of prime orderp [37]; the generating element of

G_{1}

isg. The bilinear map

e : G_{1} \times G_{1} \to G_{2}

has the following characteristics:

Bilinear: $\forall u, v \in G_{1}$ and $a, b \in Z_{p}^{*}$ with $e (u^{a}, v^{b}) = e {(u, v)}^{a b}$ ;
Non-degeneracy: $e (g, g) \neq 1$ ;
Computability: $\forall u, v \in G_{1}$ with $e (u, v)$ computable.

3.2. Access Structure

LetT be an access control structure tree whose root node isr [38]. Each non-leaf node in the tree is a threshold, and the leaf nodes are attribute values. Let the number of child nodes of nodex be

n u m_{x}

and

k_{x}

be a threshold

(0 \leq k_{x} \leq n u m_{x})

. If and only if at least

k_{x}

child nodes meet the condition, the parent node can obtain the correct result. When

k_{x} < n u m_{x}

, the current threshold gate is OR; when

k_{x} = nu m_{x}

, the current threshold gate is AND.

Let

T_{x}

be a subtree of treeT, wherex is a child node ofT:

If there exists an attribute setS satisfying the access control treeT, then $T_{r} (S) = 1$ ;
Ifx is a leaf node, if and only if the attribute setS contains the attribute $a t t (x) \in S$ of the current leaf node, then $T_{x} (S) = 1$ ;
Ifx is a non-leaf node, for a child node $x^{'}$ of nodex, compute $T_{x^{'}} (S)$ ; if and only if at least $k_{x}$ children return $T_{x^{'}} (S) = 1$ , it can be denoted as $T_{x} (S) = 1$ .

4. System and Security Model

This section introduces the system model, algorithm definition, and security model.

4.1. System Model

Figure 1 shows the system model, which involves the following roles:

Trust Center (TC). The TC generates key pairs for all legitimate users and executes the policy fusion algorithm.
Blockchain (BC). The BC is a consortium blockchain that consists of multiple medical institutions to store index information.
Doctor (DOC). The DOC is the medical data owner responsible for encrypting medical data and uploading the encrypted data to the cloud.
Cloud Server (CS). The CS is responsible for storing the ciphertext of medical data and sending the file storage address to the DOC.
Patient (PA). The PA is the owner of the medical data, responsible for developing access policies for the medical data.
Data Requester (DR). The DR generates a search trapdoor to obtain the corresponding type of data from the cloud and decrypts the medical data.

Table 1 shows the meanings of the symbols in our scheme.

4.2. Scheme Definition

The proposed scheme consists of the following polynomial-time algorithms:

$P a r a S e t (λ) \to (p p, p k, m k)$ : Inputs security parameter $λ$ and outputs public parameter $p p$ and master key $m k$ .
$K e y G e n (S, m k, p p) \to s k$ : The TC inputs attribute setS, master key $m k$ , and public parameter $p p$ . Then, the TC outputs the attribute key $s k$ for all legitimate users.
$S t r a t e g y F u s (A, B) \to T$ : The TC inputs the access control policy treeA of the PA and the treeB of the DOC. The TC fusesA andB and expresses the result asT.
$E n c (k, M) \to C_{M}$ : The DOC inputs the encryption keyk and the medical data and outputs the ciphertext $C_{M}$ of the medical data.
$I n d e x G e n (W, T, v_{1}, k, m k, p k, p p, v_{2}) \to (I, C^{*})$ : The DOC inputs the keywordW, access control policy treeT, system public key $p k$ , master key $m k$ , and public parameter $p p$ . Then, the DOC outputs indexI and partial index ciphertext $C^{*}$ .
$T r a p G e n (W^{'}, m k, s k) \to T r a p$ : The DR runs the algorithm to generate trapdoors based on the keyword $W^{'}$ that needs to be queried and then uploads the trapdoors to the BC.
$C l o u d S e a r c h (D e p, T r a p, s k) \to D A T A^{*}$ : The CS inputs medical type $D e p$ , trapdoor $T r a p$ , and secret key $s k$ . Then, the CS outputs the dataset ${D A T A}^{*}$ .
$B l o c k S e a r c h (T r a p, D A T A^{*}, I) \to T x$ : The BC executes the algorithm and performs the blockchain keyword search operation based on the trapdoor $T r a p$ and the initial filtered dataset ${D A T A}^{*}$ and outputs the transactions $T x$ .
$V e r i f y (T x) \to l$ : The DR obtains the hash value $T x$ , verifies whether the ciphertext is modified, and outputs $l = 1$ if the hash value is consistent; otherwise, $l = 0$ .
$D e c r y p t (l, s k, I) \to k$ : If the medical data verification is passed, the DR will decrypt the keyk of the medical data according to its own attribute private key $s k$ andI.

4.3. Security Model

M D S^{2} - C^{3} P F

performs keyword retrieval on the blockchain to improve searching security and address the issue of false feedback from the cloud servers. Two security models are defined: the Indistinguishability of Ciphertext under the Selectively Chosen Keyword Attack (INDC-SCKA) and the Keyword Secrecy under the Selectively Chosen Secret Key Attack (KS-SCSKA).

4.3.1. The Definition of INDC-SCKA

Theorem 1.

To prove the INDC-SCKA of

M D S^{2} - C^{3} P F

, in this paper, let attacker

A_{1}

and challenger

B_{1}

play a secure game

G a m e_{1}

M D S^{2} - C^{3} P F

is said to be indistinguishable with keywords if the probability of attacker

A_{1}

winning the game is negligible in polynomial time.

Initialization:

B_{1}

inputs the security parameter

λ

and runs

P a r a S e t (λ)

. Finally, the initialized algorithm returns the system parameter

p p

and the master key

m k

Phase 1:

A_{1}

initiates a trapdoor query on the keyword set

W_{1}, \dots, W_{t}

T r a p G e n (W, m k, s k)

B_{1}

runs the trapdoor generation algorithm

T r a p (W_{m}, m k, s k)

to return the trapdoor

T_{W_{m}}

and then returns it to

A_{1}

Challenge:

A_{1}

sends the keyword set

(W_{0}, W_{1})

B_{1}

, where

W_{0}, W_{1}

is of equal length.

B_{1}

selects a bit

c \in {0, 1}

B_{1}

generates

I_{c} = I n d e x G e n (W_{c}, T^{'}, v_{1}, k, m k, p k, p p, v_{2})

and sends

I_{c}

A_{1}

Phase 2:

A_{1}

issues a trapdoor query for the keyword set

W_{m + 1}, \dots, W_{τ}

T r a p (W_{i} \neq W_{0}, W_{1}, m k, s k)

B_{1}

runs

T r a p (W_{i}, m k, s k)

to obtain the trapdoor

T_{W_{i}}

, which is sent to

A_{1}

Guess:

A_{1}

outputs guess

c^{'} \in {0, 1}

. If

c = c^{'}

A_{1}

wins the game.

The probability of success of

A_{1}

attacking the model is

A d v_{A_{1}} (1^{k}) = | P r [c = c^{'}] - \frac{1}{2} |

4.3.2. The Definition of KS-SCSKA

Theorem 2.

To prove the KS-SCSKA, a secure game

G a m e_{2}

is defined between attacker

A_{1}

and challenger

B_{1}

. If the probability of

A_{1}

completing the keyword secrecy game in polynomial time is negligible, then

M D S^{2} - C^{3} P F

can achieve the keyword security.

Initialization:

B_{1}

inputs the security parameter

λ

and runs

P a r a S e t (λ)

. Finally, the initialized algorithm returns the system parameter

p p

and the master key

m k

Phase 1:

A_{1}

interrogates the following algorithm in polynomial time.

K e y G e n (S, m k, p p)

B_{1}

first gives the key

s k

A_{1}

and adds the key set to

l_{K e y G e n}

T r a p G e n (W, m k, s k)

: Given

s k

andW,

B_{1}

executes the trapdoor generation algorithm to generate the trapdoor.

B_{1}

sends the result to

A_{1}

Challenge:

A_{1}

selects the challenge key

s k

and gives it to

B_{1}

B_{1}

selects the key set

W^{'}

from the information space and executes the

I n d e x G e n

algorithm, and then,

B_{1}

gives the index to

A_{1}

Guess: After

A_{1}

obtains a different set of keywords

τ

, the adversary outputs

W^{'}

. If

W^{'} = W

, then

A_{1}

wins.

M D S^{2} - C^{3} P F

can achieve keyword security if the probability of

A_{1}

winning the game is no more than for

{(| W | - τ)}^{- 1} + ϵ

τ

denotes the number of keyword sets;

ϵ

is the negligible probability in the security parameterk;

W

is the keyword space.

5. Scheme Construction

Our scheme includes five stages, shown inFigure 2. In the first stage, the system initializes the parameters. Then, the TC sends private keys to the users. In order to form one consistent access policy, in Stage 2, a policy fusion algorithm is presented to merge and resolve conflicts between the access control policies proposed by the patient and the doctor, respectively. In the data generation and storage stage, a doctor uses the fused policy to encrypt and upload the medical data. The original ciphertexts are stored on the cloud, and the index information is stored on the blockchain. The following two stages leverage cloud-chain cooperation mapping and searching to implement controlled secure access to the medical data. The following subsections will thoroughly discuss the access control policy fusion algorithm and the detailed working process of the five stages.

5.1. Access Control Policy Fusion Algorithm

The first step of our scheme is to create one authorization policy that considers User A and B’s access control over medical data. UserA generates policy set

S t r a_{A}

, which containsn policies, where

a_{i}

is the policy of

S t r a_{A}

. Similarly, UserB produces a policy set

S t r a_{B}

that containsm policies, where

b_{j}

is a policy of

S t r a_{B}

. The TC takes charge of generating a co-authorization policy set

S t r a_{T}

by comparing

S t r a_{A}

and

S t r a_{B}

. Firstly, the TC puts the same policies from setting

S t r a_{A}

and

S t r a_{B}

into the new policy set

S t r a_{T}

. Then, different and non-conflicting policies from

S t r a_{A}

and

S t r a_{B}

are also added to

S t r a_{T}

. The most critical work is to call the policy conflict resolution algorithm when there are conflicting policies in

S t r a_{A}

and

S t r a_{B}

Figure 3 shows the flowchart of the algorithm.

5.1.1. Policy Conflict Resolution Algorithm

The strategy conflict resolution is an improved algorithm presented by Tan et al. [28]. They indicated a peer-aware collaborative access control based on identity, which achieves policy equilibrium through peer influence. Differently, our method achieves attribute-based policy equilibrium, referring to players’ influence and using the strategy to update the rules. In this paper, the intention score is defined as the user’s willingness intensity score for policy

a_{i}

. The impact score is the intensity of user interaction. The balance score is the user’s final willingness value for a policy after being influenced by others:

Initialize the matrix:
Let it containn users (resource owners) andf conflicting attributes, then initialize useri’s intention score for conflicting attribute $a_{k}$ as $x_{i} (a_{k})$ , where $i \in (1, \dots, n), k \in (1, \dots, f)$ . The value range of the intention score is 0 to 5. Intention score matrixX is denoted as
$X = [\begin{matrix} x_{1} (a_{1}) & \dots & x_{1} (a_{f}) \\ ⋮ & ⋱ & ⋮ \\ x_{n} (a_{1}) & \dots & x_{n} (a_{f}) \end{matrix}] = [\begin{matrix} I_{1} & \dots & I_{f} \end{matrix}]$
(1)
Suppose the initialized useri is influenced by userj’s influence score $w_{i j}$ , taking values in the range of 0–1. Impact score matrixY is denoted as
$Y = [\begin{matrix} w_{11} & \dots & w_{1 n} \\ ⋮ & ⋱ & ⋮ \\ w_{n 1} & \dots & w_{n n} \end{matrix}]$
(2)
Generate the balance score matrix:
Let the sentiment gain of user $i \in U$ for an attribute $a_{k}$ be
$p a y_{i} = x_{i} (a_{k}) p_{i} (a_{k}) - \frac{1}{2} {(p_{i} (a_{k}))}^{2} + \sum_{j \neq i} w_{i j} p_{i} (a_{k}) x_{j} (a_{k})$
(3)
where $x_{i} (a_{k})$ is the initial willingness value set by the user and $p_{i} (a_{k})$ is the final willingness value influenced by other users.
$\frac{d p a y_{i}}{d p_{i} (a_{k})} = x_{i} (a_{k}) - p_{i} (a_{k}) + \sum_{j \neq i} w_{i j} x_{j} (a_{k})$
(4)
Let $\frac{d p a y_{i}}{d p_{i} (a_{k})} = 0$ , which gives
$p_{i} (a_{k}) = x_{i} (a_{k}) + \sum_{j \neq i} w_{i j} x_{j} (a_{k})$
(5)
That is, when $p_{i} (a_{k}) = x_{i} (a_{k}) + \sum_{j \neq i} w_{i j} x_{j} (a_{k})$ , the user has the highest gain. From Equation (5), the final user’s intention is the sum of his/her own and the player’s influence score. If there is no player influence, then $p_{i} (a_{k}) = x_{i} (a_{k})$ . The final willingness value of each player is calculated by computing the user’s initial settings.
Therefore, the column vectorP of the balance score matrix $p_{k}$ is denoted as
$\begin{matrix} p_{k} = Y \cdot I_{k} = [\begin{matrix} w_{11} & \dots & w_{1 n} \\ ⋮ & ⋱ & ⋮ \\ w_{n 1} & \dots & w_{n n} \end{matrix}] \cdot [\begin{matrix} x_{1} (a_{k}) \\ ⋮ \\ x_{n} (a_{k}) \end{matrix}] \\ = [\begin{matrix} w_{11} \cdot x_{1} (a_{k}) + \dots + w_{1 n} \cdot x_{n} (a_{k}) \\ ⋮ \\ w_{n 1} \cdot x_{1} (a_{k}) + \dots + w_{n n} \cdot x_{n} (a_{k}) \end{matrix}] \end{matrix}$
(6)
Let $p_{i} (a_{k}) = w_{i 1} \cdot x_{i} (a_{k}) + \dots + w_{i n} \cdot x_{i} (a_{k})$ , and thus, P is denoted as
$\begin{matrix} P = [\begin{matrix} p_{1} & \dots & p_{f} \end{matrix}] = [\begin{matrix} q_{1} \\ ⋮ \\ q_{n} \end{matrix}] \\ = [\begin{matrix} p_{1} (a_{1}) & \dots & p_{1} (a_{f}) \\ ⋮ & ⋱ & ⋮ \\ p_{n} (a_{1}) & \dots & p_{n} (a_{f}) \end{matrix}] \end{matrix}$
(7)
Judge rule:
This rule determines whether the policy is successfully merged. Firstly, it compares the size of each value of $q_{i}$ in the row vector, selects the attribute $a_{k}$ corresponding to the largest value, and stores it in the attribute selection set $γ$ . Next, the rule judges whether the attribute $a_{k}$ in the set $γ$ is the same attribute and outputs the result.
Modify the intention matrix:
Calculate the probability that userj is referenced by other users.
$P r {o_{i \to}}_{j} (a_{k}) = 1 / (1 + e^{(p_{i} (a_{k})) - p_{j} (a_{k}) / w_{i j}})$
(8)
where $P r {o_{i \to}}_{j} (a_{k})$ denotes the probability thati imitatesj’s strategy under attribute $a_{k}$ and $w_{i j}$ denotes the fraction ofi influenced byj. $p_{i} (a_{k})$ and $p_{j} (a_{k})$ denote the equilibrium fraction of usersi andj choosing attribute $a_{k}$ . For each userj, the average probability:
$P_{j} (a_{k}) = \frac{\sum_{i = 1, i \neq j}^{n} {P_{i \to}}_{j}}{(n - 1)}$
(9)
where the userj with the highest probability is selected and all other users modify the intention score referring to the policy ofj. The balance matrixP is recalculated to determine whether the users’ choices are consistent.

5.1.2. Policy Conflict Resolution Algorithm Process

Compared with the mechanism proposed by Tan et al. [39], the policy conflict resolution algorithm can achieve finer-grained conflict resolution and is suitable for co-authorization scenarios such as the IoMT. Algorithm 1 shows the detailed policy fusion algorithm.

Algorithm 1Policy conflict resolution algorithm.

Input:

X, Y, S^{*}, γ = []

Output:

γ [i]

1.while

S^{*} \neq null

S^{*} = S^{*} - {a_{k}}

3. compute

p_{i} = Y \cdot I_{k}

4.end while

5.while truedo

6. let

P = [\begin{matrix} p_{1} & \dots & p_{f} \end{matrix}]

r e s u l t = J u d g e R u l e (P)

8. if

r e s u l t = Y

9. break

10. end if

11. if

r e s u l t = N

12. for

i = 1; i < f; i + +

13.

u s e r = g e t M a x U s e r (Y, P, f)

14. for

j = 1; j < n; j + +

15. if

j \neq u s e r

16. update

x_{j} (a_{f})

according to

x_{user} (a_{f})

17. end if

18. end for

19. end for

20. Compute

p_{i} = Y \cdot I_{k}

21. end if

22.end while

23. return

γ [i]

Firstly, the TC initializes intention matrix

X = [I_{1}, \dots, I_{f}]

, impact matrixY, and conflicting attribute set

S^{*}

. It initializes attribute selection set

γ

, which here is represented as an array

γ = []

. The TC calculates the balanced matrixP for the conflicting attributes and checks if all users select the same conflicting attribute. If yes, the algorithm ends. Otherwise, the TC calculates the probability of the user being imitated and selects the user with the highest probability. Other users follow the highest-probability user to modify the intention matrix. After that, the balanced matrixP is recalculated.Figure 4 shows the specific process of the algorithm.

5.2. Details of Five Stages

The project consists of five stages: system initialization, access control policy fusion, data generation and storage, cloud-chain cooperation retrieval, and data verification and decryption.

Stage 1. System initialization:

The TC initializes the parameter and generates the private key for the PA, DOC, and DR, respectively.

System parameter setting:
Given security parameter $λ$ and mapping parameter $(G_{1}, G_{2}, q, g, e)$ , the TC executes $P a r a S e t (λ)$ to generate parameter $p p$ , system public key $p k$ , and master key $m k$ . Then, it selects two hash functions $H_{1} {0, 1}^{*} \to G_{1}, H_{2} {0, 1}^{*} \to Z_{q}$ . Besides, the TC chooses $α, β, γ \in Z_{q}$ and computes $t_{1} = g^{α}$ , $t_{2} = g^{β}$ , $t_{3} = g^{γ}$ . Finally, the TC generates public parameter $p p = (G_{1}, G_{2}, q, g, e, H_{1}, H_{2})$ , system public key $p k = (t_{1}, t_{2}, t_{3})$ , and master key $m k = (α, β, γ)$ .
Key generation:
The TC executes $K e y G e n (S, m k, p p)$ and generates key $s k$ for the user who owns attribute setS. Firstly, the TC selects random $r \in Z_{q}$ and chooses $r_{s} \in Z_{q}$ for every attribute $s \in S$ . Then, it computes $D_{1} = g^{(α γ - r) / β}$ , $D_{2} = g^{(α + r) / β}$ and calculates $A_{s} = g^{r} H_{1} {(s)}^{r_{s}}$ , $B_{s} = g^{r_{s}}$ . Finally, it generates the user’s attribute key $s k = (D_{1}, D_{2}, {A_{s}, B_{s}}_{s \in S})$ .

Stage 2. Access control policy fusion:

In this stage, the TC is responsible for executing the access policy fusion algorithm to create a new policy set

{s t r a}_{T}

. Here, an example is given to show how the conflict of a policy is fused.

For the conflicting attributes

a_{1}

and

a_{2}

, the TC obtains the intention scores of the conflicting attributes of the DOC and PA, as shown inTable 2. Besides, the TC obtains the impact scores of the attributes, as expressed inTable 3. Then, the balance score matrix

P = [\begin{matrix} p_{1} & p_{2} \end{matrix}]

is calculated, where

p_{1} = Y \cdot {(\begin{matrix} x_{1} (a_{1}) & x_{2} (a_{1}) \end{matrix})}^{T}

p_{2} = Y \cdot {(\begin{matrix} x_{1} (a 2) & x_{2} (a_{2}) \end{matrix})}^{T}

, as shown inTable 4.

The current user’s choice is the highest score in the row vector ofP. If the attributes corresponding to the highest scores of the DOC and PA are the same, this attribute is the final result. If there is no agreement on the attribute, the TC calculates the probability

{P_{1 \to}}_{2} (a_{1}) = 1 / (1 + e^{(p_{1} (a_{1}) - p_{2} (a_{1})) / w_{12}})

of the PA imitating the DOC’s strategy under attribute

a_{1}

. Similarly, the TC calculates the probability

{P_{2 \to}}_{1} (a_{1})

of the PA being imitated. Under attribute

a_{1}

, the average probability of the PA being imitated is

P_{1} (a_{1}) = {P_{2 \to}}_{1} (a_{1})

, and the average probability of the DOC being imitated is

P_{2} (a_{1}) = {P_{1 \to}}_{2} (a_{1})

. If

P_{1} (a_{1}) > P_{2} (a_{1})

, the DOC modifies the intention score to attribute

a_{1}

according to the PA. Furthermore, the TC calculates

P_{1} (a_{2})

and

P_{2} (a_{2})

. If

P_{1} (a_{2}) < P_{2} (a_{2})

, the PA modified the intention score to attribute

a_{2}

according to the DOC. Finally, the balance score matrixP is recalculated, and the algorithm ends when the highest score of row vectors inP is the same attribute.

Stage 3. Data generation and storage:

The DOC first encrypts the medical data with a symmetric encryption algorithm to obtain the ciphertext of the medical data and sends it to the CS for storage. Next, he/she encrypts the keyword set with policy treeT to generate the keyword index. Finally, he/she uploads the index information to the blockchain and stores the transaction information table on the cloud:

Encryption of medical data:
The DOC inputs the medical dataM and randomly selects a symmetric keyk from the key space, then outputs $C_{M}$ . The DOC stores $C_{M}$ to the CS and obtains the storage address $a d d$ . Moreover, the DOC performs a hash operation for ciphertext $C_{M}$ to obtain the result $h_{1} = h (C_{M})$ , which ensures that the medical data on the cloud are neither tampered with nor forged.
Index generation:
The DOC selects random $v_{1}, v_{2} \in Z_{q}$ and generates an access control policy tree T with $v_{2}$ as the secret value. Then, the DOC encrypts the keyword setW. The specific algorithm is shown below:
(1) The DOC computes $C_{^{_{0}}} = {t_{1}}^{v_{2}}$ , $C_{1} = {t_{2}}^{v_{2}}$ , $C_{2} = {t_{3}}^{v_{1}}$ , and $K = k e {(g, g)}^{α v_{2}}$ .
(2) For each keyword $m \in {1, \dots, t}$ , the DOC computes ${ρ_{m} = {t_{1}}^{v_{1} H_{2} (ω_{m})}}_{m \in {1, \dots, t}}$ .
(3) For each leaf node $z \in Z$ , the DOC computes $ρ_{z} = g^{q_{z} (0)}$ , $ζ_{z} = H_{1} {(a t t (z))}^{q_{z} (0)}$ .
(4) Finally, $I = (C_{0}, C_{1}, C_{2}, K)$ , $C^{*} = {ρ_{m}}_{m \in {1, \dots, t}}, {ρ_{z}, ζ_{z}}_{z \in Z}$ .
Data storage:
The DOC putsn ${I, a d d, H}$ in a transaction sheet $T X = {I, a d d, h_{1}}_{n}$ . If the number of correct node verification results is more than 2/3, the transaction is uploaded to the blockchain. The system obtains the transaction information from the blockchain, constructs the cloud-chain cooperation mapping table according to Dep, and stores it on the cloud, as shown inTable 5.

Stage 4. Cloud-chain cooperation retrieval:

When the DR wants to obtain medical data, he/she generates a trapdoor by

s k

and sends it to the cloud server for retrieval. Then, the DR uploads the matching dataset to the consortium blockchain for secondary retrieval and performs a ciphertext keyword search operation. The specific process is as follows:

Trapdoor generation:
(1) The DR selects random $p \in Z_{q}$ and chooses the keyword set $W^{'} = {{w_{1}}^{'}, \dots, {w_{m}}^{'}} (m \in {1, \dots, t})$ .
(2) The DR calculates $R_{1} = \prod_{m = 1}^{t} g^{p α H_{2} (w {^{'}}_{m})}$ , $R_{2} = g^{p γ}$ , $R_{3} = {D_{1}}^{p}$ , ${A_{s}}^{'} = {A_{s}}^{p}$ , and ${B_{s}}^{'} = {B_{s}}^{p}$ , where $s \in S$ .
(3) The DR generates the trapdoor $T r a p = (S, R_{1}, R_{2}, R_{3}, {{A_{s}}^{'}, {B_{s}}^{'}}_{i \in S})$ .
Cloud search:
The CS runs $C l o u d S e a r c h (D e p, T r a p, s k)$ . According to the medical data type $D e p$ , the CS finds the corresponding medical dataset $D A T A$ from the cloud-chain cooperation mapping table and then performs access control policy matching to select the dataset $D A T A^{*}$ that satisfies the conditions.
(1) Ifx is a leaf node, let $i^{'} = a t t (x)$ , then the CS calculates $D_{x} = \frac{e ({A_{i^{'}}}^{'}, ρ_{x})}{e ({B_{i^{'}}}^{'}, ζ_{x})} = e {(g, g)}^{r p q_{x} (0)}$ .
(2) Ifx is a non-leaf node, let $x^{'}$ be a child node ofx. The CS computes if $D_{x} = \prod_{x^{'} \in ω_{x}} D_{x^{'}}^{Δ_{i, {ω_{x}}^{'}} (0)}$ $= e {(g, g)}^{r p q_{x} (0)}$ holds, where $i = i n d e x (x^{'})$ . If not, $D_{x^{'}} = ⊥$ .
(3) Let $d a t a = (id, B l o c k n u m, T x H a s h)$ , $D_{r} = e {(g, g)}^{r p q_{r} (0)} = e {(g, g)}^{r p v_{2}}$ .
(4) Finally, the CS outputs the dataset $D A T A^{*} = {d a t a, D_{r}}_{d}, d \in D$ .
Blockchain search:
The BC executes $B l o c k S e a r c h (T r a p, D A T A^{*}, I)$ . According to the trapdoor uploaded by the DR, the nodes on the blockchain carry out keyword matching by Equation (10).
$e (\prod_{m = 1}^{t} ρ_{m} C_{0}, R_{2}) = e (C_{2}, R_{1}) D_{r} e (C_{1}, R_{3})$
(10)
If Equation (10) holds, it means that the relevant data are queried and indexI is returned; otherwise, ⊥ is returned. The correctness of Equation (10) is verified as follows:
$\begin{matrix} e (C_{2}, R_{1}) D_{r} e (C_{1}, R_{3}) \\ = e ({t_{3}}^{v_{1}}, \prod_{i = 1}^{t} g^{p α H_{2} ({w^{^{'}}}_{m^{'}})}) e {(g, g)}^{r p v_{2}} e ({t_{1}}^{v_{2}}, D^{p}) \\ = e (g^{y v_{1}}, \prod_{i = 1}^{t} g^{p α H_{2} ({w^{^{'}}}_{m^{'}})}) e {(g, g)}^{r p v_{2}} e (g^{β v_{2}}, g^{(α γ - r) \cdot p / β}) \\ = e {(g, g)}^{y v_{1} p α \sum_{i = 1}^{t} H_{2} ({w^{^{'}}}_{m^{'}})} \cdot e {(g, g)}^{r p v_{2}} \cdot e {(g, g)}^{v_{2} p (α γ - r)} \\ = e {(g, g)}^{p α γ (v_{2} + v_{1} \sum_{i = 1}^{t} H_{2} ({ω^{'}}_{m^{'}}))} \\ = e (\prod_{m = 1}^{t} ρ_{m} C_{0}, R_{2}) \end{matrix}$
(11)

Stage 5. Data verification and decryption:

Medical data validation:
After successful retrieval, the DR obtains the medical data ciphertext $C T_{M}$ from the CS. The DR executes $V e r i f y (T x)$ to verify the hash value. The DR calculates $h_{2} = h (C T_{M})$ . If $h_{2} = h_{1}$ , it outputs $l = 1$ ; otherwise, it returns $l = 0$ .
Ciphertext decryption:
If $l = 1$ , the DR calculates
$k = \frac{K}{({(e (C_{1}, D_{2}))}^{p} / D_{x})^{\frac{1}{p}}}$
(12)
If Equation (12) holds, the DR can recoverk by $D e c r y p t (l, s k, I)$ and further recover plaintext dataM.
The correctness of Equation (12) is verified as follows:
$\begin{matrix} \frac{K}{({(e (C_{1}, D_{2}))}^{p} / D_{x})^{\frac{1}{p}}} \\ = \frac{k e {(g, g)}^{α v_{2}}}{\frac{e {(g, g)}^{(α + r) v_{2} p}}{e {(g, g)}^{r p v_{2}}}} \\ = \frac{k e {(g, g)}^{α v_{2}}}{{(\frac{e {(g, g)}^{α v_{2} p} e {(g, g)}^{r v_{2} p}}{e {(g, g)}^{r p v_{2}}})}^{\frac{1}{p}}} \\ = \frac{k e {(g, g)}^{α v_{2}}}{e {(g, g)}^{α v_{2}}} \\ = k \end{matrix}$
(13)

6. Security Analysis

We provide two detailed safety analyses of the proposed scheme, including the indistinguishability of ciphertext under the selectively chosen keywords attack and the keyword secrecy under the selectively chosen secret key attack.

6.1. The Security Analysis of Our Scheme under the INDC-SCKA

Theorem 3.

This scheme is selection-safe under the adaptive selection keyword attack based on the general bilinear group model.

Proof.

The challenger first establishes the general bilinear group model assumption. Let the hash functions

H_{1}, H_{2}

be one-way hash functions, and the specific challenge process is as follows.

Initialization:

B_{1}

selects

α, β, γ \in Z_{q}

and generates public parameter

p p

for

A_{1}

and system public key

p k = (t_{1}, t_{2}, t_{3})

A_{1}

selects policy tree

T^{'}

and returns it to

B_{1}

H_{1} (i)

simulates: If the attributes has been queried, then challenger

B_{1}

selects

{r^{'}}_{s} \in Z_{q}

, inputs

(s, {r^{'}}_{s})

into

O_{H_{1}}

, and returns

g^{{r^{'}}_{s}}

. Otherwise, challenger

B_{1}

retrieves

{r^{'}}_{s}

from

O_{H_{1}}

and returns

g^{{r^{'}}_{s}}

Phase 1: Adversary

A_{1}

asked

O_{K e y G e n}

and

O_{T r a p}

as follows:

O_{K e y G e n} (S, m k, p p)

: Challenger

B_{1}

chooses

r^{*} \in Z_{q}

and calculates

D_{1} = g^{(α γ - r^{*}) / β}

, then randomly selects

r_{s}^{*} \in Z_{q}

and calculates

A_{s} = g^{r^{*}} H_{1} {(i)}^{r_{s}^{*}}

B_{s} = g^{r_{s}^{*}}

for the attribute

s \in S

. Finally,

B_{1}

returns

(D_{1}, D_{2}, {A_{s}, B_{s}}_{s \in S})

O_{T r a p d o o r} (s k, W^{*}, m k)

: Challenger

B_{1}

interrogates

K e y G e n (S, m k, p p)

to obtain

s k = (S, D_{1}, D_{2}, {A_{s}, B_{s}}_{s \in S})

. After that,

B_{1}

randomly selects

s \in Z_{q}

and computes

R_{1} = Π_{i = 1}^{t} g^{s α H_{2} (ω_{s})}, R_{2} = g^{s γ}, R_{3} = D_{1}^{s}

. IfS satisfies

T^{'}

W^{*}

is added to the keyword set list

L_{W}

Challenge phase: Letting

W_{0}, W_{1}

that does not belong to

L_{W}

B_{1}

chooses

v_{1}, v_{2} \in Z_{q}

v \in Z_{q}

and calculates the secret value for each leaf node in

T^{'}

. After that,

B_{1}

selects random element

b^{*} \in {0, 1}

. If

b^{*} = 0

B_{1}

outputs

{ρ_{i} = g^{v H_{2} (w_{m})}}_{m \in {1, . . ., t}}

C_{0} = {t_{1}}^{v_{2}}

C_{1} = {t_{2}}^{v_{2}}

{ρ_{y} = g^{q_{z} (0)}, ζ_{y} = H_{1} (a t t {(z)}^{q_{z} (0)})}_{z \in ln}

C_{2} = {t_{3}}^{v_{1}}

; otherwise,

B_{1}

returns

{ρ_{m} = {t_{1}}^{v_{2} H_{2} (w_{m})}}_{m \in {1, . . ., t}}

{ρ_{z} = g^{q_{z} (0)}, ζ_{z} = H_{1} (a t t {(z)}^{q_{z} (0)})}_{z \in ln}

C_{0} = {t_{1}}^{v_{2}}

C_{1} = {t_{2}}^{v_{2}}

C_{2} = {t_{3}}^{v_{1}}

Phase 2: Generate queries on the key generation algorithm and trapdoor algorithm as in Phase 1.

Guess:

A_{1}

outputs guess

c^{'} \in {0, 1}

. If

c = c^{'}

A_{1}

will succeed in the challenge and outputs 1; otherwise,

A_{1}

fails in this challenge.

Analysis: If

A_{1}

can construct

{t_{t}}^{ψ v_{1} H_{2} (w_{i})}

for

g^{ψ}

contained in the output of the data that have been queried,

A_{1}

is able to distinguish between

{t_{t}}^{v_{1} H_{2} (w_{i})}

and

g^{v}

. Therefore, it is necessary to prove that

A_{1}

can construct

e {(g, g)}^{ψ α v_{1} H_{2} (ω_{i})}

from

g^{ψ}

with negligible probability. Because

v_{1}

is only in

γ v_{1}

, let

ψ = ψ^{'} γ

A_{1}

only needs to construct

e {(g, g)}^{ψ^{'} γ α v_{1}}

through the term

γ v_{1}

. When

^{β v_{2} (α γ - r^{*})} /_{β} = v_{2} (α γ - r^{*})

A_{1}

needs to eliminate

v_{2} r^{*}

r^{*}

and

q_{r} (0)

. However, it is difficult to construct

v_{2} r^{*}

. Therefore,

A_{1}

needs to have properties that satisfy the access control tree

T^{'}

to return the correct indexed result. Therefore,

A_{1}

can win with negligible probability. Finally, the INDC-SCKA is implemented, which can effectively detect malicious feedback from the cloud server. □

6.2. The Security Analysis of Our Scheme under the KS-SCSKA

Theorem 4.

When a one-way hash function

H_{2}

is given, this method is the keyword secrecy under selectively chosen secret key attack.

Proof.

B_{1}

plays the following KS-SCSKA game.

Initialization:

B_{1}

chooses

α, β, γ \in Z_{q}

, selects hash function

H_{1} : {0, 1}^{*} \to Z_{q}

, and finally, generates public keys

p k = (g^{α}, g^{β})

p p = (e, g, q)

m k = (α, β, γ)

B_{1}

simulates

O_{H_{1}} (s)

as follows: If the attributes has not been queried before,

B_{1}

randomly selects element

r_{s} \in Z_{q}

, adds

(s, r_{s})

O_{H_{1}}

, and outputs

g^{r_{s}}

. Otherwise,

B_{1}

retrieves

r_{s}

from

O_{H_{1}}

and returns

g^{r_{s}}

Phase 1:

A_{1}

adaptively interrogates

O_{K e y G e n}

and

O_{T r a p d o o r}

in polynomial time:

O_{K e y G e n} (S, m k, p p)

B_{1}

interrogates the key generation algorithm and returns

s k

A_{1}

, then adds the access policyT to the list

l_{K e y G e n}

O_{T r a p d o o r} (s k, W^{*}, m k)

: Challenger

B_{1}

first interrogates the trapdoor generation algorithm to obtain

s k = (T, {A_{z}, B_{z} | z \in ln (T)})

and then interrogates the trapdoor algorithm to return the trapdoor to adversary

A_{1}

Challenge phase:

A_{1}

selects the attribute set

S^{'}

B_{1}

, then selects

T^{'}

to interrogate

K e y G e n

to obtain

s k

. Given

S^{'}

and

s k^{'}

A_{1}

randomly selects

W^{'}

to compute the ciphertexts

C T^{'}_{M}

and trapdoor.

Guess:

A_{1}

outputs keyword

W^{'}

and sends it to

B_{1}

, then

B_{1}

asks the IndexGen algorithm to obtain index

I^{'}

. If the keywords ciphertext is searched,

A_{1}

wins the game.

Analysis: Since

| W | - τ

is the space size of the remaining keyword set, the probability of

A_{1}

computing

W^{'}

from

H_{2} (W^{'})

is negligible. If

A_{1}

queries

τ

different keywords, the maximum probability of winning the game is

{(| W | - τ)}^{- 1} + ϵ

. Therefore, it is proven that this scheme can achieve keyword secrecy. □

7. Experiments and Performance Analysis

The experiment was implemented on the Ubuntu operating system and Intel Core i5 processor 2.3GHz. Fabric was used to set up a 4-node blockchain and Caliper to perform the stress test.

7.1. Blockchain Performance Analysis

As shown inFigure 5, the blockchain throughput was tested by increasing the transaction number from 1000 to 12,000 and using medical data index information to form a transaction. From the figure, it can be seen that the throughput is proportional to the number of transactions, and the change is relatively smooth. This indicates that the system performance improves steadily with the increase of transactions and has good scalability. Since upload indicates writing data to the blockchain, the uploading throughput is lower than downloading. The experiment shows that the proposed scheme in this paper can support data transactions in large quantities.

Figure 6 shows the time comparison between the blockchain search and the cloud-chain combined search. As shown in the figure, a medical data requester should first obtain the dataset that satisfies the access policy from the cloud and then perform a secondary search on the blockchain. During access policy matching, the number of attributes in the user’s private key affects the policy execution time, eventually affecting the search time. As illustrated, the cloud-chain searching scheme is better than blockchain searching. Because centralized cloud searching is more efficient than on-chain searching, our solution combines them together to ensure search efficiency while preventing centralized cloud false feedback.

7.2. Experimental Analysis

The functional analysis and complexity analysis of the

M D S^{2} - C^{3} P F

scheme are analyzed in this section.

7.2.1. Function Comparison

Table 6 lists the functional benefits of the

M D S^{2} - C^{3} P F

scheme. As mentioned in the related work, the works [27,28,29,30,31] showed a good performance on data sharing. Reference [29] and the

M D S^{2} - C^{3} P F

scheme implement policy hiding. The works [27,29,31] and our scheme all realize multi-keyword search operations. However, the

M D S^{2} - C^{3} P F

scheme implements co-authorization to further ensure the balance of access control among data owners.

7.2.2. Complexity Analysis

Table 7 shows the comparison of the computational algorithm complexity in different operation stages. The works [27,28] are similar to the relevant algorithm proposed in this paper, which adopt CP-ABE and SE to solve the problem of data sharing. Therefore, they were compared with the algorithms in the

M D S^{2} - C^{3} P F

scheme. Compared with [27,28], the overhead of the proposed method in the setup is lower than [27]. It also has advantages over [27,28] in terms of the exponential operational overhead of the search phase. The bilinear matching time is denoted by

T_{p}

, and

T_{e}

is the exponential time. The hash operation time is represented by

T_{h}

. Letn denote the number of attributes of the authorized user, andl is the number of attributes in the policy.m denotes the keyword count, andt denotes the number of keywords that the authorized user wants to find.

In order to make further comparisons and analysis, the runtimes of

K e y g e n

I n d e x G e n

, and

T r a p G e n

were tested through experiments. Attribute numbers were used as a variable because they can significantly affect the runtime.

The time comparison of the

K e y G e n

algorithm is shown inFigure 7. From the figure, it can be seen that the key generation time rises as the number of attributes increases.Figure 8 shows the time comparison of trapdoor generation. As can be seen from the figure, the trapdoor generation time increases with the number of attributes. The key generation time and trapdoor generation time of the scheme are basically the same as those of the schemes in [27,28].

Figure 9 shows the comparison of the index generation time. From the figure, the time of the index generation algorithm rises with increasing attribute number. Compared with [27,28], the

M D S^{2} - C^{3} P F

scheme implements an index generation algorithm with policy hiding to improve its security. Therefore, our

I n d e x G e n

algorithm’s time consumption is a little higher. However, the scheme in this paper can realize multiple times of searching following one generated index, which further ensures the feasibility of our solution.

8. Conclusions

In view of the asymmetric access control right of the medical data between doctors and patients and the asymmetric collection and processing capability of IoT terminals and the cloud, medical data sharing is faces the problems of privacy leakage, malicious tampering, and false feedback by the cloud.

M D S^{2} - C^{3} P F

was proposed to address these asymmetries. For data privacy, a conflict access policy fusion algorithm is used to achieve co-authorization, ensuring that doctors and patients have equal rights to control the medical data. To improve retrieval efficiency and detect spurious feedback from cloud servers, a cloud-chain cooperation retrieval scheme was proposed to balance the asymmetry structure of medical data storage and processing under IoT. Experimental results showed that our scheme can improve search efficiency and is suitable for the secure sharing of medical data with a symmetry structure. In fact, some weaknesses still exist in our work. Policy fusion and conflict resolution need to be completed by a trust center. Such a centralized approach may have some security risks. In future work, the access control policy fusion will be manipulated in a more symmetric way by using blockchain. Inter-domain dynamic access control for medical data sharing will also be further discussed.

Author Contributions

Conceptualization, H.P., Y.Z., Z.Y., and X.S.; software, Y.Z.; validation, Y.Z. and Z.Y.; formal analysis, H.P., Z.Y., and L.Z.; investigation, H.P. and Y.Z.; writing—original draft preparation, Y.Z.; writing—review and editing, H.P., Y.Z., Z.Y., and L.Z.; supervision, H.P., L.Z., Y.Z., and X.S; project administration, H.P. and X.S.; funding acquisition, H.P. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the Henan Key Laboratory of Network Cryptography Technology under Grant LNCT2022-A12 and in part by the Major Science and Technology Project of Henan Province under Grant 201300210300.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no potential conflict of interest with respect to the research, authorship, or publication of this article.

References

Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions.Future Gener. Comput. Syst.2013,29, 1645–1660. [Google Scholar] [CrossRef] [Green Version]
Zhou, J.; Cao, Z.; Dong, X.; Vasilakos, A.V. Security and Privacy for Cloud-Based IoT: Challenges, Countermeasures, and Future Directions.IEEE Commun. Mag.2017,55, 26–33. [Google Scholar] [CrossRef]
Sahai, A.; Waters, B.Fuzzy Identity-Based Encryption; Springer: Berlin, Germany, 2005; pp. 457–473. [Google Scholar]
Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-Policy Attribute-Based Encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP ’07), Oakland, CA, USA, 20–23 May 2007; pp. 321–334. [Google Scholar]
Yin, C.; Wang, H.; Zhou, L.; Fang, L. Ciphertext-policy attribute-based encryption with multi-keyword search over medical cloud data. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 9 February 2021. [Google Scholar]
Hsieh, G.; Chen, R.J. Design for a secure interoperable cloud-based Personal Health Record service. In Proceedings of the 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings, Taipei, Taiwan, 3–6 December 2012; pp. 472–479. [Google Scholar]
Sangeetha, D.; Chakkaravarthy, S.S.; Satapathy, S.C.; Vaidehi, V.; Cruz, M.V. Multi keyword searchable attribute based encryption for efficient retrieval of health Records in Cloud.Multimed. Tools Appl.2022,81, 22065–22085. [Google Scholar] [CrossRef]
Boneh, D.; Crescenzo, G.D.; Ostrovsky, R.; Persiano, G.Public Key Encryption with Keyword Search; Springer: Berlin, Germany, 2004; pp. 506–522. [Google Scholar]
Ding, Y.; Xu, H.; Wang, Y.; Yuan, F.; Liang, H. Secure Multi-Keyword Search and Access Control over Electronic Health Records in Wireless Body Area Networks.Secur. Commun. Netw.2021. [Google Scholar] [CrossRef]
Ramu, G.; Reddy, B.E.; Jayanthi, A.; Prasad, L.V. Fine-grained access control of EHRs in cloud using CP-ABE with user revocation.Health Technol.2019,9, 487–496. [Google Scholar] [CrossRef]
Zheng, Z.B.; Xie, S.A.; Dai, H.N.; Wang, H. Blockchain challenges and opportunities: A survey. Blockchain challenges and opportunities: A survey.Int. J. Web Grid Serv.2018,14, 352–375. [Google Scholar] [CrossRef]
Xu, C.; Fulong, C.; Dong, X.; Sun, H.; Huang, C. Design of a Secure Medical Data Sharing Scheme Based on Blockchain.J. Med. Syst.2020,44, 52. [Google Scholar]
Gai, K.; Guo, J.; Zhu, L.; Yu, S. Blockchain Meets Cloud Computing: A Survey.IEEE Commun. Surv. Tutorials2020,22, 2009–2030. [Google Scholar] [CrossRef]
Chen, L.; Lee, W.K.; Chang, C.C.; Choo, K.K.R.; Zhang, N. Blockchain based searchable encryption for electronic health record sharing.Future Gener. Comput. Syst.2019,95, 420–429. [Google Scholar] [CrossRef]
Gupta, B.B.; Li, K.C.; Leung, V.C.; Psannis, K.E.; Yamaguchi, S. Blockchain-Assisted Secure Fine-Grained Searchable Encryption for a Cloud-Based Healthcare Cyber-Physical System.IEEE/CAA J. Autom. Sin.2021,8, 1877–1890. [Google Scholar]
Han, D.; Pan, N.; Li, K. A Traceable and Revocable Ciphertext-Policy Attribute-based Encryption Scheme Based on Privacy Protection.IEEE Trans. Dependable Secur. Comput.2022,19, 316–327. [Google Scholar] [CrossRef]
Li, Q.; Xia, B.; Huang, H.; Zhang, Y.; Zhang, T. TRAC: Traceable and revocable access control scheme for mHealth in 5G-enabled IIoT.IEEE Trans. Ind. Inform.2021,18, 3437–3448. [Google Scholar] [CrossRef]
Hu, G.; Zhang, L.; Mu, Y.; Gao, X. An Expressive “Test-Decrypt-Verify” Attribute-Based Encryption Scheme with Hidden Policy for Smart Medical Cloud.IEEE Syst. J.2020,15, 365–376. [Google Scholar] [CrossRef]
Sowjanya, K.; Dasgupta, M.; Ray, S. A lightweight key management scheme for key-escrow-free ECC-based CP-ABE for IoT healthcare systems.J. Syst. Archit.2021,117, 102108. [Google Scholar] [CrossRef]
Hwang, Y.W.; Lee, I.Y. A Study on CP-ABE-Based Medical Data Sharing System with Key Abuse Prevention and Verifiable Outsourcing in the IoMT Environment.Sensors2020,20, 4934. [Google Scholar] [CrossRef]
Liu, J.; Wu, M.; Sun, R.; Du, X.; Guizani, M. BMDS: A Blockchain-based Medical Data Sharing Scheme with Attribute-Based Searchable Encryption. In Proceedings of the ICC 2021-IEEE International Conference on Communications, Montreal, QC, Canada, 14–23 June 2021; pp. 1–6. [Google Scholar]
Wang, S.; Wang, H.; Li, J.; Wang, H.; Chaudhry, J.; Alazab, M.; Song, H. A fast CP-ABE system for cyber-physical security and privacy in mobile healthcare network.IEEE Trans. Ind. Appl.2022,56, 4467–4477. [Google Scholar] [CrossRef]
Li, H.; Yang, Y.; Dai, Y.; Yu, S.; Xiang, Y. Achieving Secure and Efficient Dynamic Searchable Symmetric Encryption over Medical Cloud Data.IEEE Trans. Cloud Comput.2020,8, 484–494. [Google Scholar] [CrossRef]
Mingwu, Z.; Yu, C.; Jiajun, H. SE-PPFM: A Searchable Encryption Scheme Supporting Privacy-Preserving Fuzzy Multikeyword in Cloud Systems.IEEE Syst. J.2021,15, 2980–2988. [Google Scholar]
Payal, C.; Manik, L.D. Privacy Preserving Searchable Encryption with Fine-Grained Access Control.IEEE Trans. Cloud Comput.2021,9, 753–762. [Google Scholar]
Shahzaib, T.; Sushmita, R.; Yogachandran, R.; Rajarajan, M.; Glackin, C. A New Secure and Lightweight Searchable Encryption Scheme over Encrypted Cloud Data.IEEE Trans. Emerg. Top. Comput.2019,7, 530–544. [Google Scholar]
Sun, W.; Yu, S.; Lou, W.; Hou, Y.T.; Li, H. Protecting your right: Verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud.IEEE Trans. Parallel Distrib. Syst.2014,27, 1187–1198. [Google Scholar] [CrossRef]
Zheng, Q.; Xu, S.; Ateniese, G. VABKS: Verifiable attribute-based keyword search over outsourced encrypted data. In Proceedings of the IEEE INFOCOM 2014-IEEE Conference on Computer Communications, Toronto, ON, Canada, 27 April 2014; pp. 522–530. [Google Scholar]
Liu, S.; Yu, J.; Xiao, Y.; Wan, Z.; Wang, S.; Yan, B. BC-SABE: Blockchain-Aided Searchable Attribute-Based Encryption for Cloud-IoT.IEEE Internet Things J.2020,7, 7851–7867. [Google Scholar] [CrossRef]
Liu, J.; Li, X.; Ye, L.; Zhang, H.; Du, X.; Guizani, M. BPDS: A blockchain based privacy-preserving data sharing for electronic medical records. In Proceedings of the 2018 IEEE Global Communications Conference (GLOBECOM), Abu Dhabi, United Arab Emirates, 9–13 December 2018; pp. 1–6. [Google Scholar]
Cao, S.; Zhang, G.; Liu, P.; Zhang, X.; Neri, F. Cloud-assisted secure eHealth systems for tamper-proofing EHR via blockchain.Inf. Sci.2019,485, 427–440. [Google Scholar] [CrossRef]
Zhang, L.; Zhang, T.; Wu, Q.; Mu, Y.; Rezaeibagha, F. Secure Decentralized Attribute-Based Sharing of Personal Health Records with Blockchain.IEEE Internet Things J.2021. [Google Scholar] [CrossRef]
Munagala, N.V.L.M.; Rani, A.; Reddy, D.V. Blockchain-Based Internet-of-Things for Secure Transmission of Medical Data in Rural Areas.Comput. J.2022. [Google Scholar] [CrossRef]
Chen, W.; Zhu, S.; Li, J.; Wu, J.; Chen, C.L.; Deng, Y.Y. Authorized Shared Electronic Medical Record System with Proxy Re-Encryption and Blockchain Technology.Sensors2021,21, 7765. [Google Scholar] [CrossRef] [PubMed]
Saini, A.; Zhu, Q.; Singh, N.; Xiang, Y.; Gao, L.; Zhang, Y. A Smart-Contract-Based Access Control Framework for Cloud Smart Healthcare System.IEEE Internet Things J.2021,8, 5914–5925. [Google Scholar] [CrossRef]
Chen, C.L.; Deng, Y.Y.; Weng, W.; Sun, H.; Zhou, M. A blockchain-based secure inter-hospital EMR sharing system.Appl. Sci.2020,10, 4958. [Google Scholar] [CrossRef]
Yang, L.; Jiguo, L. Efficient searchable public key encryption against keyword guessing attacks for cloud-based EMR systems.Clust. Comput.2018,22, 285–299. [Google Scholar]
Chen, N.; Li, J.; Zhang, Y.; Guo, Y. Efficient CP-ABE scheme with shared decryption in cloud storage.IEEE Trans. Comput.2020,71, 175–184. [Google Scholar] [CrossRef]
Xiao, Q.; Tan, K.L. Peer-aware collaborative access control in social networks. In Proceedings of the 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), Pittsburgh, PA, USA, 14–17 October 2012; pp. 30–39. [Google Scholar]

Figure 1. System model.

Figure 2. Scheme working process.

Figure 3. Policy fusion algorithm.

Figure 4. Policy conflict resolution algorithm.

Figure 5. Consortium blockchain throughput testing.

Figure 6. Search algorithm time comparison.

Figure 7. KeyGen algorithm time comparison.

Figure 8. TrapGen algorithm time comparison.

Figure 9. IndexGen algorithm time comparison.

Table 1. Symbols’ description.

Symbols	Description
$p p$	Public parameter
$p k$	System public key
$m k$	Master key
M	Medical data
$C_{M}$	Medical data ciphertext
$s k$	Private key
H	Medical data ciphertext hash
k	Encryption key for medical data
P	Balance score matrix
Y	Impact score matrix
X	Intention score matrix
W	Keyword set
T	Access control policy tree
$a d d$	Storage Address

Table 2. Intention score matrixX.

	$a_{1}$	$a_{2}$
PA	$x_{1} (a_{1})$	$x_{1} (a_{2})$
DOC	$x_{2} (a_{1})$	$x_{2} (a_{2})$

Table 3. Impact score matrixY.

	PA	DOC
PA	1	$w_{12}$
DOC	$w_{21}$	1

Table 4. Balance score matrixP.

	$a_{1}$	$a_{2}$
PA	$x_{1} (a_{1}) + x_{2} (a_{1}) \cdot w_{12}$	$x_{1} (a_{2}) + x_{2} (a_{2}) \cdot w_{12}$
DOC	$x_{1} (a_{1}) \cdot w_{21} + x_{2} (a_{1})$	$x_{1} (a_{2}) \cdot w_{21} + x_{1} (a_{2})$

Table 5. Cloud-chain cooperation mapping table.

Department	Ledger ID	Block Number	Transaction Hash	Partial Ciphertext Index
$D e p$	$i d$	$B l o c k n u m$	$T x H a s h$	$C^{*}$

Table 6. Function comparison.

Scheme	[27]	[28]	[29]	[30]	[31]	${MDS}^{2} - C^{3} PF$
Multi-keyword search	√	×	√	×	√	√
Co-authorization	×	×	×	×	×	√
Policy hiding	×	×	×	√	×	√
Data sharing	√	√	√	√	√	√

Table 7. Comparison computational overhead of our scheme.

Scheme	[27]	[28]	${MDS}^{2} - C^{3} PF$
Setup	$(3 n + 1) T_{e} + T_{p}$	$3 T_{e}$	$3 T_{e}$
KeyGen	$(3 n + 1) T_{e}$	$(2 n + 2) T_{e} + n T_{h}$	$(2 n + 3) T_{e} + n T_{h}$
IndexGen	$(3 l + 3) T_{e} + m T_{h}$	$(2 l + 4) T_{e} + (l + 1) T_{h}$	$T_{p} + (2 l + 4) T_{e} + (m + l) T_{h}$
TrapGen	$(3 l + 1) T_{e} + T_{h}$	$(2 n + 4) T_{e} + T_{h}$	$(t + 2) T_{e} + t T_{h}$
Search	$(3 l + 1) T_{p} + T_{e}$	$(2 n + 3) T_{p} + T_{e}$	$(t + 2) T_{p}$

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Pan, H.; Zhang, Y.; Si, X.; Yao, Z.; Zhao, L.MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT.Symmetry2022,14, 2479. https://doi.org/10.3390/sym14122479

AMA Style

Pan H, Zhang Y, Si X, Yao Z, Zhao L.MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT.Symmetry. 2022; 14(12):2479. https://doi.org/10.3390/sym14122479

Chicago/Turabian Style

Pan, Heng, Yaoyao Zhang, Xueming Si, Zhongyuan Yao, and Liang Zhao. 2022. "MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT"Symmetry 14, no. 12: 2479. https://doi.org/10.3390/sym14122479

APA Style

Pan, H., Zhang, Y., Si, X., Yao, Z., & Zhao, L. (2022).MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT.Symmetry,14(12), 2479. https://doi.org/10.3390/sym14122479

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further detailshere.

Article Metrics

Article Access Statistics

For more information on the journal statistics, clickhere.

Multiple requests from the same IP address are counted as one view.

Movatterモバイル変換

Article Menu

MDS2-C3PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT

Abstract

1. Introduction

2. Related Work

3. Preliminaries

3.1. Bilinear Maps

3.2. Access Structure

4. System and Security Model

4.1. System Model

4.2. Scheme Definition

4.3. Security Model

4.3.1. The Definition of INDC-SCKA

4.3.2. The Definition of KS-SCSKA

5. Scheme Construction

5.1. Access Control Policy Fusion Algorithm

5.1.1. Policy Conflict Resolution Algorithm

5.1.2. Policy Conflict Resolution Algorithm Process

5.2. Details of Five Stages

6. Security Analysis

6.1. The Security Analysis of Our Scheme under the INDC-SCKA

6.2. The Security Analysis of Our Scheme under the KS-SCSKA

7. Experiments and Performance Analysis

7.1. Blockchain Performance Analysis

7.2. Experimental Analysis

7.2.1. Function Comparison

7.2.2. Complexity Analysis

8. Conclusions

Author Contributions

Funding

Data Availability Statement

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

MDS²-C³PF: A Medical Data Sharing Scheme with Cloud-Chain Cooperation and Policy Fusion in IoT