
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2810243, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.DOI

Privacy Preservation for Outsourced Medical Data with Flexible Access Control

XINGGUANG ZHOU1, JIANWEI LIU1, QIANHONG WU1, AND ZONGYANG ZHANG1,2
1 School of Cyber Science and Technology, Beihang University, Beijing, China (e-mail: {zhouxingguang, liujianwei, qianhong.wu, zongyangzhang}@buaa.edu.cn)
2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Corresponding author: Zongyang Zhang (e-mail: zongyangzhang@buaa.edu.cn).
This work was supported in part by National Key R&D Program of China (2017YFB1400700), by Beijing Natural Science Foundation (4182033), by the fund of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (No. 2017-MS-02), by Natural Science Foundation of China through projects 61672083, 61370190, 61532021, 61472429, and 61402029.

ABSTRACT Electronic medical records (EMRs) play an important role in healthcare networks. Since
these records always contain considerable sensitive information regarding patients, privacy preservation
for the EMR system is critical. Current schemes usually authorize a user to read one’s EMR if and only
if his/her role satisfies the defined access policy. However, these existing schemes allow an adversary to
link patients’ identities to their doctors. Therefore, classifications of patients’ diseases are leaked without
adversaries actually seeing patients’ EMRs. To address this problem, we present two anonymous schemes.
They not only achieve data confidentiality but also realize anonymity for individuals. The first scheme
achieves moderate security, where adversaries choose attack targets before obtaining information from the
EMR system. The second scheme achieves full security, where adversaries adaptively choose attack targets
after interaction with the EMR system. We provide rigorous proof showing the security and anonymity of
our schemes. In addition, we propose an approach in which EMR owners can search for their EMRs in an
anonymous system. For a better user experience, we apply the “online/offline” approach to speed up data
processing. Experimental results show that the time complexity for key generation and EMR encapsulation
can be reduced to milliseconds.

INDEX TERMS privacy preservation, security, electronic medical record.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
X.Zhou et al.: Preparation of Papers for IEEE ACCESS

I. INTRODUCTION
Currently, electronic medical records (EMRs) are very prominent in healthcare networks. They enable users to share their health data in a flexible and convenient way. For example, to find one's diagnostic report, a patient or his/her doctor needs only to retrieve the information from a database rather than having to search through numerous physical documents. Health data is very sensitive, and it is a major challenge to securely store and access EMRs in modern EMR systems. As most EMRs are outsourced to the cloud, they are easily exposed to potential threats and vulnerable to leakage, loss, and theft [1]. To prevent EMRs from unauthorized access, a standard solution is to encrypt them before uploading them to the cloud. Specifically, an EMR owner encrypts an EMR using a symmetric key, and only authorized medical staff can access and decrypt it. However, data sharing becomes inflexible in this case. Two potential issues are the complicated key management and repetitive encryption [2]: as patients usually do not know who is allowed to access their EMRs, they encrypt many pieces with distinct session keys and distribute the keys to different medical staff members.
The approach to accessing users' data needs to be flexible enough to address changes in users' roles [3]. Several schemes adopting attribute-based encryption (ABE) have been presented for fine-grained access control [4], [5]. Users with attributes satisfying the access policy can decapsulate the EMR data. In addition, some advanced mechanisms, consisting of a multi-authority model in an outsourcing system [6] and a view-based access control [7] that allows patients to specify a list of authorized/unauthorized users, have recently been proposed. Role-based access control

schemes (RBACs) [8] also allow fine-grained access control. They define a role-based policy for a hierarchical organization with hierarchical identity-based broadcast encryption (HIBBE).
While the above proposals achieve data confidentiality in the EMR system, privacy preservation for patients is still an unresolved issue. For example, suppose an EMR of the patient "Lucy" is uploaded to the cloud, and no attacker can read the encrypted EMR. If her doctor is an expert in hepatitis, an attacker can infer that Lucy may carry hepatitis B without decrypting her EMR. That is, an attacker can obtain her disease-related information by linking Lucy to her doctor, even without seeing the detailed EMR. In other words, regardless of whether the EMRs are encrypted, adversaries can deduce the EMR owners' diseases from side information such as acquired identity-related information. Therefore, if an anonymous scheme obfuscates the identity of the patient during an examination, adversaries can only determine that "someone" carries hepatitis B without knowing who it is. Thus, the patient's privacy is preserved.

A. OUR CONTRIBUTIONS
We design two anonymous schemes, denoted "RBACAnony" and "RBACAnony-F", to preserve patients' privacy in an EMR system with role-based access control. We present the security models and a high-level demonstration of the rigorous proof. In brief, our schemes offer data confidentiality, identity anonymity and access control flexibility. Technical details are highlighted as follows.

RBACAnony. This scheme is built on a bilinear group with two subgroups [9], and a patient's identity information is hidden in one of the subgroups. The identity-related element in this subgroup is indistinguishable from a random element chosen from the bilinear group. Therefore, an attacker cannot distinguish a patient's identity from a random string. In addition, an attacker chooses the targeted identities he/she wishes to attack before the system is set up. This means that an attacker of the RBACAnony scheme cannot obtain any experience prior to attacking.

RBACAnony-F. This scheme is built on a bilinear group with four subgroups [10], and a patient's identity information is hidden in one of the composite-order subgroups. The identity-related element in this subgroup cannot be distinguished from an element randomly chosen from the same subgroup. Therefore, an attacker cannot distinguish the patient's identity from a random string. In addition, an attacker adaptively gives out the targeted identities he/she wishes to attack after interacting with the EMR system. This means that an attacker of the RBACAnony-F scheme can accumulate experience before attacking and thus possesses a stronger ability to attack.

Versatile access control. A user encapsulates the EMR using an on-demand access policy. This policy enables one-to-many encryption, where the EMR is encrypted once and different medical staff members are allowed to access it.

Scalable data sharing. Senior medical staff members are allowed to delegate access privileges to their subordinates.

Anonymous search. A patient and his doctors can link themselves to the targeted EMR, but outsiders cannot.

B. RELATED WORK
Access control [11] is widely adopted in EMR systems to protect patients' health data. Access control policies are specified by legislation, e.g., the Health Insurance Portability and Accountability Act (HIPAA) [12], electronic documents [13], and company rules or regulations. The legislation regulates who can access the stored EMRs and how they can operate on them. Two solutions are usually used to support flexible access control. One solution is to use attribute-based encryption [14], [15]. As attributes can be applied to describe users' privileges, data owners determine the access policies. The other solution is to use role-based access control schemes [8], where each user's identity denotes a role and one is allowed to gain access permission if his role belongs to a defined policy. However, there is still a lack of consideration regarding the identity privacy of EMR owners. Anonymization techniques can be used to guarantee users' identity privacy [16]. For example, some anonymous ABE schemes address not only data privacy but also identity privacy [17], [18]. These schemes provide an analysis of confidentiality, anonymity and flexibility.
In practice, an unaddressed challenge to real-world deployment remains: healthcare organizations are usually structured hierarchically, with data being shared among many users. In a previous work, we achieved anonymous role-based access control in this kind of organization with a moderate security level, where an attacker must output the targeted identities before communication with the EMR system [19]. This scheme is denoted as RBACAnony in this paper. We additionally propose a new scheme in the current work, denoted as RBACAnony-F, where an attacker can adaptively output the targeted identities after interaction with the EMR system. Both schemes preserve patients' privacy in a healthcare network. The anonymous algorithms in [10], [20] are used to achieve patient privacy for RBACAnony and RBACAnony-F, respectively.

II. PRELIMINARIES
A. NOTATIONS
We introduce several notations to simplify the illustration of our scheme. For ease of description, we borrow notations from [8], as summarized in Table 1.

B. BILINEAR GROUPS
Let 𝒢 be a group generation algorithm that takes a security parameter λ as its input and outputs the description of a bilinear group (N, G, G_T, e). In the case where 𝒢 outputs (N = p_1 p_2 p_3 p_4, G, G_T, e), where p_1, p_2, p_3, p_4 are distinct primes, G and G_T are cyclic groups of order N = p_1 p_2 p_3 p_4, and e : G × G → G_T is an efficient bilinear

map satisfying the following two properties: (i) bilinearity: for all g, h ∈ G and all a, b ∈ Z_N, e(g^a, h^b) = e(g, h)^{ab}; (ii) non-degeneracy: there exists at least one generator g of G such that e(g, g) generates G_T. We respectively denote the subgroups of order p_1, p_2, p_3, p_4 in G as G_{p_1}, G_{p_2}, G_{p_3} and G_{p_4}. We use G_{p_i p_j} (1 ≤ i, j ≤ 4) to denote the subgroup of order p_i p_j in G. These four subgroups additionally satisfy the orthogonality property, i.e., for all h_i ∈ G_{p_i} and h_j ∈ G_{p_j} with i ≠ j, e(h_i, h_j) = 1.
Composite-order bilinear groups were first introduced in [9] and are widely used as tools for constructing cryptographic primitives [21].

III. SYSTEM MODEL
A. SYSTEM ARCHITECTURE
We describe a typical healthcare network in Figure 1. It mainly includes three entities: the trusted keying authority (TKA), the patient and the medical staff.
The TKA is trusted in the system and is responsible for generating and distributing system parameters, rooting master keys, and authorizing top-level medical staff and patients. The patient is identified by his/her name or identity. The patient and his/her responsible medical staff are the EMR owners.
The top-level medical staff member delegates privileges to his subordinates, which forms a tree-like organization. Each staff member is identified by a role vector consisting of ordered atom roles. For instance, the role vector for an intern doctor, consisting of the ordered atom roles "chief doctor, associate doctor, intern doctor", is administrated by the associate doctor, whose atom roles are "chief doctor, associate doctor". We assign the chief doctor, the associate doctor and the intern doctor to one access policy for a certain patient. Each user can encapsulate the patient's EMR, but only the one whose role satisfies the defined access policy or the patient himself can decapsulate it. We hide all the identity-related information in the system such that adversaries cannot infer patients' personal information. The adversaries include the dishonest internal staff and the malicious external attackers.

TABLE 1: Notations
Notation    Description
λ           Security parameter
ID          Identity of a patient
R           Atom role of a medical staff member
R⃗           Role (vector of atom roles) of a medical staff member
S_R⃗         Atom role set for R⃗
P           Access policy
S_P         Atom role set for P
Pref(R⃗)     Prefix of R⃗, defined as {(R_1, ..., R_{d'}) : d' ≤ d}
Pref(P)     Prefix of P, defined as ∪_{R⃗ ∈ P} Pref(R⃗)
MSK         Master secret key
SK_R⃗        Secret key for a role R⃗
EMR         Electronic medical record
Hdr         Header of an uploaded EMR
K           Message encapsulation key
CT          Ciphertext for the encapsulated EMR
H           Collision resistant hash function {0,1}* → Z_N
SymEnc      Secure symmetric encryption algorithm
SymDec      Secure symmetric decryption algorithm
PPT         Probabilistic polynomial time

FIGURE 1: System architecture: a typical healthcare network (figure omitted; its labelled entities are Patient, Outpatient Doctor, Outpatient Nurse, Cloud Server, Trusted Administrate Authority, Electric Medical Record, Inquiry and Diagnosis, Department of surgery, Department of cosmetology, Chief Doctor, Associate Doctor, Head Nurse, Duty Doctor and Duty Nurse).

B. SECURITY REQUIREMENTS
In practice, all entities are likely to attack an EMR system. A dishonest party may try to obtain useful information from encrypted data that it is not authorized to access, or to divert instructions from the system for its own benefit (e.g., with false information in medical disputes). Multiple dishonest parties may collude to achieve this goal. In the context of these attacks, the EMR system is expected to meet the following security requirements.
• Data Confidentiality. Personal data needs to be encrypted before being uploaded and securely stored on the cloud until an entitled recipient downloads and decrypts it. Specifically, only the users whose roles satisfy the associated access policy have the privilege to access the data; all other unauthorized entities must be unable to obtain any useful information from the encrypted data, even if they collude with each other.
• Identity Anonymity. Identity-related information needs to be hidden, as individual privacy is vulnerable to loss, theft, and illegal transactions. When a user's identity is hidden in an EMR system, the possibility of an adversary guessing that user's identity decreases, such that hardly any third party can obtain useful patient information.

C. SECURITY MODELS
Our security models include the semantic security model, the anonymity model and the full anonymity model. The semantic security model is used to meet the requirement of data confidentiality, while the anonymity model and the full anonymity model are used to meet the requirement of identity anonymity. We define them according to the security games played between an adversary A and a challenger.

1) Semantic Security Model
We adopt the selective security notion [8], i.e., an adversary must present the set of medical staff roles and the identity of the patient it wishes to attack before the system is set up.

Init. The adversary A outputs a challenge access policy set P* and a challenge identity ID*.

Setup. The challenger runs the Setup algorithm to obtain the public key PK and gives it to the adversary A.

Query Phase 1. The adversary A adaptively issues two kinds of queries:
• Upon receiving a secret key query for a medical staff member associated with a role R⃗ such that R⃗ ∉ Pref(P*), the challenger generates a secret key for R⃗ and gives it to A.
• Upon receiving a secret key query for a patient with an identity ID such that ID ≠ ID*, the challenger generates a secret key for ID and gives it to A.

Challenge. When the adversary A decides that it has obtained enough secret keys, it outputs two equal-length EMR files EMR_0, EMR_1 that it wishes to be challenged on. The challenger picks a random bit β ∈ {0, 1} and encapsulates EMR_β under the challenge access policy set P* and the challenge identity ID*. It gives A the challenge ciphertext (Hdr, En), where En is the output of the encapsulation of EMR_β.

Query Phase 2. Phase 1 is repeated adaptively.

Guess. The adversary A outputs a guess β' ∈ {0, 1} and wins the game if β' = β.

We require that no polynomial time adversary can distinguish a ciphertext of a challenge EMR from a ciphertext of a random message with the challenge access policy set P* and the challenge patient's identity ID*.

2) Anonymity Model
The Init, Setup, and Query phases are the same as those in the semantic security model.

Challenge. When an adversary A decides that it has obtained enough secret keys, it outputs two equal-length EMRs EMR_0, EMR_1 that it wishes to be challenged on. The challenger picks a random bit β ∈ {0, 1}. If β = 0, it generates the header Hdr of the ciphertext under the challenge access policy set P* and the challenge identity ID* and encapsulates EMR_0. If β = 1, it generates the header of the ciphertext under a random access policy set and a random patient's identity and encapsulates EMR_1. It gives A the challenge ciphertext (Hdr, En), where En is the output of the encapsulation of EMR_β.

Guess. The adversary A outputs a guess β' and wins the game if β' = β.

We require that no polynomial time adversary can distinguish a ciphertext of the challenge EMR with the challenge access policy set P* and the challenge patient's identity ID* from a ciphertext of the challenge EMR with a random access policy set and a random patient's identity.

3) Full Secure Anonymity Model
In the full secure anonymity model, instead of committing to the challenge access policy P* and the challenge identity ID* it wishes to attack before the system is set up, the adversary A can adaptively decide to output the challenge access policy set and identity during the interaction with the system. Clearly, this model achieves a stronger security level. Specifically, there is no Init phase in the full secure anonymity model. The adversary A outputs a challenge access policy set P* and a challenge patient's identity ID* that it wishes to attack after it has issued sufficient key queries in the Query phase. The challenge access policy set P* and the challenge identity ID* should satisfy the following: for all the secret key queries for roles R⃗ and identities ID in Query Phase 1, R⃗ ∉ Pref(P*) and ID ≠ ID*.

IV. RBACANONY CONSTRUCTION
A. OUR PROPOSAL
Our RBACAnony scheme is based on the HIBE scheme proposed by Boneh et al. [22] and the RBAC scheme proposed by Liu et al. [8] and offers an efficient approach to supporting hierarchical access control. The anonymity property is motivated by Seo et al. [20] and is achieved by leveraging bilinear groups with composite order N = pq. Elements in the public parameters are utilized in two separate layers: the "key generation layer" and the "anonymity layer". Elements in the "key generation layer" are in the subgroup G_p. They provide the secret key and master secret key functionality. Elements in the "anonymity layer" are hidden by the elements in the subgroup G_q, which helps to ensure anonymity. In this way, we offer information regarding the subgroup G_p in the "key generation layer" while maintaining our scheme's anonymity with the help of the "anonymity layer".

Setup(λ, n). The setup algorithm is run by the TKA. We assume that patient identities and medical staff roles are elements in Z_N. A secure symmetric encryption scheme with algorithms SymEnc(K, EMR) and SymDec(K, En) and a collision resistant hash H : {0,1}* → Z_N are employed in our scheme. The TKA picks a random exponent α ← Z_N, random elements ω, g_p, g, f, u, g_h, {h_i}_{i∈[1,n]} in G_p, and random elements g_q, R_g, R_f, R_u, R_h, {R_{h_i}}_{i∈[1,n]} in G_q. Next, it computes

$$E = e(g, \omega),\quad G = g \cdot R_g,\quad F = f \cdot R_f,\quad U = u \cdot R_u,\quad H = g_h \cdot R_h,\quad \{H_i = h_i \cdot R_{h_i}\}_{i \in [1,n]}$$

The public key PK includes the description of the composite-order bilinear groups (N, G, G_T, e), and

$$PK = \big(g_p,\ g_q,\ G,\ F,\ U,\ H,\ \{H_i\}_{i\in[1,n]},\ E\big)$$

The master key is

$$MSK = \big(\omega,\ p,\ q,\ g,\ f,\ u,\ g_h,\ \{h_i\}_{i\in[1,n]}\big)$$

and is kept by the TKA.
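The role-vector notation of Table 1 (S_R⃗, Pref(R⃗), Pref(P)), the delegation tree of Section III-A and the key-query restriction of the security games in Section III-C, worked as an added Python example. This is not code from the paper: the role names, the sample policy and every function name are constructed for the demonstration, and the check "R⃗ ∈ Pref(P)" is used as the decision rule for who can decapsulate, mirroring the rule the games use to forbid trivial key queries.

```python
"""Role vectors, prefix sets and key-query admissibility for the RBAC model.

Added example, not code from the paper: it models the notation of Table 1
(S_R, Pref(R), Pref(P)) and the query restriction of the security games in
Section III-C.  Role names, the sample policy and every function name here
are constructed for the demonstration.
"""
from typing import FrozenSet, Optional, Set, Tuple

RoleVector = Tuple[str, ...]           # ordered atom roles, e.g. ("chief doctor", "associate doctor")
Policy = FrozenSet[Tuple[str, ...]]    # an access policy P is a set of role vectors


def atom_role_set(role: RoleVector) -> Set[str]:
    """S_R: the set of atom roles occurring in the role vector R."""
    return set(role)


def prefix(role: RoleVector) -> Set[RoleVector]:
    """Pref(R) = {(R_1, ..., R_d') : d' <= d}: R itself and every supervisor
    above it.  Assumes d' >= 1, i.e. the empty vector is not a role."""
    return {role[:d] for d in range(1, len(role) + 1)}


def policy_prefix(policy: Policy) -> Set[RoleVector]:
    """Pref(P): the union of Pref(R) over all role vectors R in the policy."""
    out: Set[RoleVector] = set()
    for role in policy:
        out |= prefix(role)
    return out


def policy_atom_role_set(policy: Policy) -> Set[str]:
    """S_P: the atom roles that appear anywhere in the policy."""
    return set().union(*(atom_role_set(r) for r in policy))


def role_satisfies(role: RoleVector, policy: Policy) -> bool:
    """A staff key for R decapsulates an EMR encapsulated under P iff R is in
    Pref(P): R is one of the policy's role vectors or sits on the supervisor
    chain above one of them (the game's key-query rule mirrors this)."""
    return role in policy_prefix(policy)


def can_delegate(supervisor: RoleVector, subordinate: RoleVector) -> bool:
    """KeyDelegM derives SK for R = (R', R_d) from SK for R', so the
    supervisor's vector must be a proper prefix of the subordinate's."""
    return (len(supervisor) < len(subordinate)
            and subordinate[:len(supervisor)] == supervisor)


def admissible_key_query(role: Optional[RoleVector], identity: Optional[str],
                         challenge_policy: Policy, challenge_identity: str) -> bool:
    """Query-phase restriction of Section III-C: a staff-key query for R is
    answered only if R is not in Pref(P*), a patient-key query for ID only if
    ID != ID*.  Exactly one of role / identity is given per query."""
    if (role is None) == (identity is None):
        raise ValueError("a query names either a staff role or a patient identity")
    if role is not None:
        return role not in policy_prefix(challenge_policy)
    return identity != challenge_identity


# Constructed sample hierarchy following the paper's Section III-A example.
CHIEF: RoleVector = ("chief doctor",)
ASSOCIATE: RoleVector = ("chief doctor", "associate doctor")
INTERN: RoleVector = ("chief doctor", "associate doctor", "intern doctor")
HEAD_NURSE: RoleVector = ("chief doctor", "head nurse")   # constructed sibling branch

# Constructed policy for one patient: the intern and the chain above may read.
POLICY: Policy = frozenset({INTERN})


def demo() -> dict:
    """Collect the checks a practitioner would run against the sample data."""
    return {
        "intern_reads": role_satisfies(INTERN, POLICY),
        "associate_reads": role_satisfies(ASSOCIATE, POLICY),
        "head_nurse_reads": role_satisfies(HEAD_NURSE, POLICY),
        "associate_delegates_to_intern": can_delegate(ASSOCIATE, INTERN),
        "query_head_nurse_allowed": admissible_key_query(HEAD_NURSE, None, POLICY, "ID*"),
        "query_intern_allowed": admissible_key_query(INTERN, None, POLICY, "ID*"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the policy {("chief doctor", "associate doctor", "intern doctor")}, Pref(P) contains the chief, the associate and the intern, so all three decapsulate while the head nurse on a sibling branch does not; the same membership test decides which staff-key queries the challenger may answer in the games.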



KeyGenM(PK, MSK, R⃗). For any medical staff member associated with a role R⃗ = (R_1, ..., R_d), denote I = {i : R_i ∈ S_R⃗}. When a medical staff member wants to join the system, he should first be authenticated by the TKA. Next, if he is a top-level medical staff member, the TKA generates a secret key SK_R⃗ for him. The TKA picks random exponents r_1, r_2, s_1, s_2, t_1, t_2 ← Z_N satisfying s_1·t_2 − s_2·t_1 ≠ 0 mod p and s_1·t_2 − s_2·t_1 ≠ 0 mod q. If these conditions do not hold, the TKA picks other random exponents and repeats the procedure. It outputs the secret key SK_R⃗, which consists of two subkeys: the subkey SK_d^R⃗ is used for decryption and delegation, and the subkey SK_r^R⃗ is used for re-randomization.

$$SK_d^{\vec R} = \Big( \omega \big(u \prod_{i \in I} h_i^{R_i}\big)^{r_1} f^{r_2},\ g^{r_1},\ g^{r_2},\ g_h^{r_1},\ \{h_j^{r_1}\} \Big)$$

$$SK_r^{\vec R} = \Big( \big\{ \big(u \prod_{i \in I} h_i^{R_i}\big)^{s_1} f^{s_2},\ g^{s_1},\ g^{s_2},\ g_h^{s_1},\ \{h_j^{s_1}\} \big\},\ \big\{ \big(u \prod_{i \in I} h_i^{R_i}\big)^{t_1} f^{t_2},\ g^{t_1},\ g^{t_2},\ g_h^{t_1},\ \{h_j^{t_1}\} \big\} \Big)$$

In the above equations, j ∈ [1, n] \ I. Finally, the TKA outputs SK_R⃗ = (SK_d^R⃗, SK_r^R⃗) for the medical staff.

KeyDelegM(PK, SK_R⃗', R⃗). The secret key for a low-level medical staff member associated with a role R⃗ = (R⃗', R) is derived from a given secret key of his supervisor at a higher level, SK_R⃗' = (SK_d^R⃗', SK_r^R⃗'), associated with a role R⃗', where

$$SK_d^{\vec R'} = \big( a_{d,0},\ a_{d,1},\ a_{d,2},\ a_{d,3},\ \{b_{d,j}\}_{j \in [1,n] \setminus I'} \big)$$

$$SK_r^{\vec R'} = \Big( \{ a_{r,0},\ a_{r,1},\ a_{r,2},\ a_{r,3},\ \{b_{r,j}\}_{j \in [1,n] \setminus I'} \},\ \{ a'_{r,0},\ a'_{r,1},\ a'_{r,2},\ a'_{r,3},\ \{b'_{r,j}\}_{j \in [1,n] \setminus I'} \} \Big)$$

and I' = {i : R_i ∈ S_R⃗'}. The high-level medical staff member generates a secret key SK_R⃗ for the low-level one that also consists of two parts: the decryption part SK_d^R⃗ and the re-randomization part SK_r^R⃗.

For the decryption part SK_d^R⃗, the high-level medical staff member picks random exponents γ_1, δ_1 ← Z_N and delegates the secret key for the low-level one by using

$$\begin{aligned}
SK_d^{\vec R} = (d_1, d_2, d_3, d_4, \{d_j\}_{j \in [1,n] \setminus I}) = \Big( &a_{d,0} \prod_{i \in I \setminus I'} (b_{d,i})^{R_i} \cdot \Big(a_{r,0} \prod_{i \in I \setminus I'} (b_{r,i})^{R_i}\Big)^{\gamma_1} \cdot \Big(a'_{r,0} \prod_{i \in I \setminus I'} (b'_{r,i})^{R_i}\Big)^{\delta_1}, \\
&a_{d,1} \cdot a_{r,1}^{\gamma_1} \cdot (a'_{r,1})^{\delta_1},\ a_{d,2} \cdot a_{r,2}^{\gamma_1} \cdot (a'_{r,2})^{\delta_1},\ a_{d,3} \cdot a_{r,3}^{\gamma_1} \cdot (a'_{r,3})^{\delta_1}, \\
&\{ b_{d,j} \cdot b_{r,j}^{\gamma_1} \cdot (b'_{r,j})^{\delta_1} \}_{j \in [1,n] \setminus I} \Big)
\end{aligned}$$

where I = {i : R_i ∈ S_R⃗}. Finally, the delegated secret key SK_d^R⃗ can be attained in the form

$$SK_d^{\vec R} = \Big( \omega \big(u \prod_{i \in I} h_i^{R_i}\big)^{\tilde r_1} f^{\tilde r_2},\ g^{\tilde r_1},\ g^{\tilde r_2},\ g_h^{\tilde r_1},\ \{h_j^{\tilde r_1}\} \Big)$$

where j ∈ [1, n] \ I and

$$\begin{pmatrix} \tilde r_1 \\ \tilde r_2 \end{pmatrix} = \begin{pmatrix} r_1 \\ r_2 \end{pmatrix} + \begin{pmatrix} s_1 & t_1 \\ s_2 & t_2 \end{pmatrix} \begin{pmatrix} \gamma_1 \\ \delta_1 \end{pmatrix}$$

It follows that SK_d^R⃗ is well formed, appearing as if it was generated directly by the TKA using the KeyGenM algorithm.

To delegate SK_r^R⃗, the high-level medical staff member picks random exponents γ_2, δ_2, γ_3, δ_3 ← Z_N satisfying g_p^{γ_2·δ_3 − γ_3·δ_2} ≠ 1 and g_q^{γ_2·δ_3 − γ_3·δ_2} ≠ 1. Then, he delegates the secret key by using

$$\begin{aligned}
SK_r^{\vec R} &= \Big( \{ d_{r,1}, d_{r,2}, d_{r,3}, d_{r,4}, \{d_{r,j}\}_{j \in [1,n] \setminus I} \},\ \{ d'_{r,1}, d'_{r,2}, d'_{r,3}, d'_{r,4}, \{d'_{r,j}\}_{j \in [1,n] \setminus I} \} \Big) \\
&= \Big( \Big\{ \Big(a_{r,0} \prod_{i \in I \setminus I'} (b_{r,i})^{R_i}\Big)^{\gamma_2} \cdot \Big(a'_{r,0} \prod_{i \in I \setminus I'} (b'_{r,i})^{R_i}\Big)^{\delta_2},\ a_{r,1}^{\gamma_2} (a'_{r,1})^{\delta_2},\ a_{r,2}^{\gamma_2} (a'_{r,2})^{\delta_2},\ a_{r,3}^{\gamma_2} (a'_{r,3})^{\delta_2},\ \{ b_{r,j}^{\gamma_2} (b'_{r,j})^{\delta_2} \}_{j \in [1,n] \setminus I} \Big\}, \\
&\qquad \Big\{ \Big(a_{r,0} \prod_{i \in I \setminus I'} (b_{r,i})^{R_i}\Big)^{\gamma_3} \cdot \Big(a'_{r,0} \prod_{i \in I \setminus I'} (b'_{r,i})^{R_i}\Big)^{\delta_3},\ a_{r,1}^{\gamma_3} (a'_{r,1})^{\delta_3},\ a_{r,2}^{\gamma_3} (a'_{r,2})^{\delta_3},\ a_{r,3}^{\gamma_3} (a'_{r,3})^{\delta_3},\ \{ b_{r,j}^{\gamma_3} (b'_{r,j})^{\delta_3} \}_{j \in [1,n] \setminus I} \Big\} \Big)
\end{aligned}$$

Finally, the delegated secret key SK_r^R⃗ can be rewritten as

$$SK_r^{\vec R} = \Big( \big\{ \big(u \prod_{i \in I} h_i^{R_i}\big)^{\tilde s_1} f^{\tilde s_2},\ g^{\tilde s_1},\ g^{\tilde s_2},\ g_h^{\tilde s_1},\ \{h_j^{\tilde s_1}\} \big\},\ \big\{ \big(u \prod_{i \in I} h_i^{R_i}\big)^{\tilde t_1} f^{\tilde t_2},\ g^{\tilde t_1},\ g^{\tilde t_2},\ g_h^{\tilde t_1},\ \{h_j^{\tilde t_1}\} \big\} \Big)$$

where j ∈ [1, n] \ I and

$$\begin{pmatrix} \tilde s_1 & \tilde t_1 \\ \tilde s_2 & \tilde t_2 \end{pmatrix} = \begin{pmatrix} s_1 & t_1 \\ s_2 & t_2 \end{pmatrix} \begin{pmatrix} \gamma_2 & \gamma_3 \\ \delta_2 & \delta_3 \end{pmatrix}$$

In conclusion, by running KeyDelegM, the delegated secret key is well formed, appearing as if it was generated directly by the TKA using KeyGenM.

KeyGenP(PK, MSK, ID). When a patient with identity ID wants to access his own EMR, the TKA first authorizes him and then assigns him a secret key. The TKA picks random exponents r'_1, r'_2 ← Z_N and outputs

$$SK_{ID} = \big( d'_1, d'_2, d'_3, \{d'_j\}_{j \in [1,n]} \big) = \Big( \omega \big(u\, g_h^{ID}\big)^{r'_1} f^{r'_2},\ g^{r'_1},\ g^{r'_2},\ \{h_j^{r'_1}\}_{j \in [1,n]} \Big)$$

EMREnc(PK, ID, P, EMR). For an access policy P, denote I = {i : R_i ∈ S_P}. When an EMR needs to be encapsulated under a patient's identity ID and an access policy P, the user (the patient or the medical staff member) first picks a random exponent s ← Z_N and random elements

Z_1, Z_2, Z_3 ← G_q. Note that these random elements in G_q can be chosen by raising g_q to random exponents from Z_N. Next, the user computes the header Hdr as follows:

$$Hdr = \{C_1, C_2, C_3\} = \Big\{ G^s \cdot Z_1,\ F^s \cdot Z_2,\ \big(U\, H^{ID} \prod_{i \in I} H_i^{R_i}\big)^s Z_3 \Big\}$$

Then, the user generates a session key K = E^s and computes En = SymEnc(K, EMR). The encapsulated EMR is output as CT = (Hdr, En) = (C_1, C_2, C_3, En).

EMRDecM(PK, ID, (Hdr, En), SK_R⃗). To retrieve the session key K, the medical staff member with a role satisfying the access policy P can use his secret key to compute

$$K = \frac{ e\Big( d_1 \cdot d_4^{ID} \cdot \prod_{i \in I_{\mathcal P} \setminus I_{\vec R}} d_i^{R_i},\ C_1 \Big) }{ e(d_2, C_3) \cdot e(d_3, C_2) }$$

where I_P = {i : R_i ∈ S_P} is the index set of the policy and I_R⃗ = {i : R_i ∈ S_R⃗} that of the decrypting role. Finally, EMR = SymDec(K, En) is run to obtain the EMR.

Correctness. Assume that CT = ((C_1, C_2, C_3), En) is a well-formed ciphertext. The medical staff decapsulation algorithm can correctly recover the EMR file with a valid secret key SK_R⃗, where R⃗ ∈ Pref(P), due to the following:

$$K = \frac{ e\Big( \omega \big(u \prod_{i \in I_{\vec R}} h_i^{R_i}\big)^{r_1} f^{r_2} \cdot g_h^{r_1 \cdot ID} \cdot \prod_{i \in I_{\mathcal P} \setminus I_{\vec R}} (h_i^{R_i})^{r_1},\ g^s \Big) }{ e\Big( g^{r_1},\ \big(u \cdot g_h^{ID} \cdot \prod_{i \in I_{\mathcal P}} h_i^{R_i}\big)^s \Big) \cdot e\big(g^{r_2}, f^s\big) } = e(g, \omega)^s$$

The second equation holds since e(h_p, h_q) = 1 for h_p ∈ G_p and h_q ∈ G_q.

EMRDecP(PK, ID, (Hdr, En), SK_ID). The patient with identity ID can decapsulate his own EMR using his secret key. We denote I = {i : R_i ∈ S_P}. The patient computes the session key

$$K = \frac{ e\Big( d'_1 \cdot \prod_{i \in I} (d'_i)^{R_i},\ C_1 \Big) }{ e(d'_2, C_3) \cdot e(d'_3, C_2) }$$

Finally, he runs SymDec(K, En) to recover his EMR.

Correctness. Assume that CT = ((C_1, C_2, C_3), En) is a well-formed ciphertext. A patient can recover his EMR according to the following equations.

$$K = \frac{ e\Big( \omega \cdot \big(u \cdot g_h^{ID}\big)^{r'_1} f^{r'_2} \cdot \prod_{i \in I} (h_i^{R_i})^{r'_1},\ g^s \Big) }{ e\Big( g^{r'_1},\ \big(u \cdot g_h^{ID} \cdot \prod_{i \in I} h_i^{R_i}\big)^s \Big) \cdot e\big(g^{r'_2}, f^s\big) } = e(g, \omega)^s$$

B. SECURITY ANALYSIS
We showed that the RBACAnony scheme is selectively secure and anonymous in Sections III-C1 and III-C2, respectively. We now validate these characteristics via the following games between an adversary and a challenger.
• CT_1 of Game_1: ((C_1, C_2, C_3), En)
• CT_2 of Game_2: ((C_1, C_2, C_3), En · R_p)
• CT_3 of Game_3: ((C_1, C_2, C_3), En · R = R_En)
• CT_4 of Game_4: ((R_1, C_2, C_3), R_En)
• CT_5 of Game_5: ((R_1, R_2, R_3), R_En)
where R_p is randomly chosen from G_{T,p}, R and R_En are uniformly distributed in G_T, and R_1, R_2, and R_3 are uniformly distributed in G.

Proof. We develop the proof via contradiction. Assume that a PPT adversary can break the RBACAnony scheme. We then solve a series of hard mathematical problems: the l-BDHE assumption, the BSD assumption, the l-cDH assumption and the l-cDHE assumption [19]. Since no PPT algorithm can be used to solve these assumptions, we reach a contradiction and conclude that RBACAnony is secure. If the group generator algorithm 𝒢 satisfies the BDHE assumption and the BSD assumption, then no PPT adversary can distinguish Game_1 and Game_3. The ciphertext of Game_3 does not leak any information regarding the EMR data since the component corresponding to the EMR is a random group element. If 𝒢 satisfies the cDH assumption and the cDHE assumption, then no PPT adversary can distinguish Game_3 and Game_5. The ciphertext of Game_5 does not leak any information regarding the roles of medical staff members and the identity of the patient, as the components related to the roles and identity are random group elements. A concrete proof of this is given in our previous work [19].

V. ACHIEVING FULL SECURE ANONYMITY
A. OUR PROPOSAL
In this section, we show how to achieve full anonymity with privilege control in RBACAnony-F. We apply the idea of an anonymous HIBE [10] to our RBAC. A user first chooses an access policy, which can be regarded as a broadcast group with all entitled identities. He only needs to encapsulate the EMR once and allows different medical staff members to decapsulate if their identities belong to this broadcast group. Note that the work in [23] also proposed an anonymous HIBBE scheme. The main difference lies in the fact that the patients are identified individually in our scheme, while they are allowed access to their own EMRs in [23]. Thus, we consider the patients' identities in addition to the access policy group when we design the broadcast encryption algorithm.

Setup(λ, n). The TKA chooses a bilinear group G of order N = p_1 p_2 p_3 p_4. Then, it chooses random elements Y_1, X_1, u_1, ..., u_n, u_P ∈ G_{p_1}, Y_3 ∈ G_{p_3}, X_4, Y_4 ∈ G_{p_4}, and α ∈ Z_N and outputs the public key PK

$$PK = \big\{ N,\ Y_1,\ Y_3,\ Y_4,\ u_P,\ \{u_i\}_{i \in [1,n]},\ x = X_1 X_4,\ A = e(Y_1, Y_1)^{\alpha} \big\}$$

and master secret key MSK = {X_1, α}.


6 VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.



KeyGenM$(PK, MSK, \vec R)$. For any medical staff member with a role $\vec R = (R_1, \ldots, R_d)$, $I$ denotes $\{i : R_i \in S_{\vec R}\}$. When a top-level medical staff member wants to join the system, the TKA first authenticates him. It then chooses random elements $r_1, r_2 \in Z_N$, $R_{m,1}, R_{m,2}, \{T_{m,j}\}_{j\in[1,n]\setminus I} \in G_{p_3}$ for $m \in \{1, 2\}$ and $R_{P_1}, R_{P_2} \in G_{p_3}$ and outputs the secret key $SK_{\vec R} = (SKd_{\vec R}, SKr_{\vec R})$, where $SKd_{\vec R}$ is used for decryption and $SKr_{\vec R}$ is used for re-randomization delegation.

$$SKd_{\vec R} = \big(K_{1,1}, K_{1,2}, \{K_{1,j}\}_{j\in[1,n]\setminus I}, K_{P_1}\big) = \Big(Y_1^{r_1} R_{1,1},\ Y_1^{\alpha}\Big(X_1\prod_{i\in I} u_i^{R_i}\Big)^{r_1} R_{1,2},\ \{u_j^{r_1} T_{1,j}\}_{j\in[1,n]\setminus I},\ u_P^{r_1} R_{P_1}\Big)$$

$$SKr_{\vec R} = \big(K_{2,1}, K_{2,2}, \{K_{2,j}\}_{j\in[1,n]\setminus I}, K_{P_2}\big) = \Big(Y_1^{r_2} R_{2,1},\ \Big(X_1\prod_{i\in I} u_i^{R_i}\Big)^{r_2} R_{2,2},\ \{u_j^{r_2} T_{2,j}\}_{j\in[1,n]\setminus I},\ u_P^{r_2} R_{P_2}\Big)$$

KeyDelegM$(PK, SK_{\vec R'}, \vec R)$. For the low-level medical staff member with the role $\vec R = (\vec R', R)$, his secret key is derived from a given secret key of his supervisor, who is at a higher level associated with the role $\vec R'$. We denote $I' = \{i : R_i \in S_{\vec R'}\}$. Given a secret key $SK_{\vec R'}$, the high-level medical staff member picks random components $\tilde r_1, \tilde r_2 \in Z_N$, $\tilde R_{m,1}, \tilde R_{m,2}, \{\tilde T_{m,j}\}_{j\in[1,n]\setminus I} \in G_{p_3}$ for $m \in \{1, 2\}$, and $\tilde R_{P_1}, \tilde R_{P_2} \in G_{p_3}$ and computes

$$SKd_{\vec R} = \Big(K'_{1,1}(K'_{2,1})^{\tilde r_1}\tilde R_{1,1},\ K'_{1,2}(K'_{2,2})^{\tilde r_1}\prod_{i\in I\setminus I'}\big(K'_{1,i}(K'_{2,i})^{\tilde r_1}\big)^{R_i}\cdot\tilde R_{1,2},\ \{K'_{1,j}(K'_{2,j})^{\tilde r_1}\tilde T_{1,j}\}_{j\in[1,n]\setminus I},\ K'_{P_1}(K'_{P_2})^{\tilde r_1}\tilde R_{P_1}\Big)$$

$$SKr_{\vec R} = \Big((K'_{2,1})^{\tilde r_2}\tilde R_{2,1},\ (K'_{2,2})^{\tilde r_2}\prod_{i\in I\setminus I'}\big((K'_{2,i})^{\tilde r_2}\big)^{R_i}\cdot\tilde R_{2,2},\ \{(K'_{2,j})^{\tilde r_2}\tilde T_{2,j}\}_{j\in[1,n]\setminus I},\ (K'_{P_2})^{\tilde r_2}\tilde R_{P_2}\Big)$$

where $I = \{i : R_i \in S_{\vec R}\}$. The delegated secret key can be finally attained in the form

$$SKd_{\vec R} = \Big(Y_1^{\hat r_1}\hat R_{1,1},\ Y_1^{\alpha}\Big(X_1\prod_{i\in I} u_i^{R_i}\Big)^{\hat r_1}\hat R_{1,2},\ \{u_j^{\hat r_1}\hat T_{1,j}\}_{j\in[1,n]\setminus I},\ u_P^{\hat r_1}\hat R_{P_1}\Big)$$

$$SKr_{\vec R} = \Big(Y_1^{\hat r_2}\hat R_{2,1},\ \Big(X_1\prod_{i\in I} u_i^{R_i}\Big)^{\hat r_2}\hat R_{2,2},\ \{u_j^{\hat r_2}\hat T_{2,j}\}_{j\in[1,n]\setminus I},\ u_P^{\hat r_2}\hat R_{P_2}\Big)$$

The new secret key has the same distributions as if it was computed using KeyGenM with randomness $\hat r_1 = r_1 + r_2\tilde r_1$ and $\hat r_2 = r_2\tilde r_2$.

KeyGenP$(PK, MSK, ID)$. When a patient with identity $ID$ wants to access his own EMR, the TKA authorizes him and randomly chooses $r'_1 \in Z_N$, $R'_1, \{T_j\}_{j\in[1,n]} \in G_{p_3}$. The TKA then outputs

$$SK^{ID} = \big(d_{p_1}, d_{p_2}, \{d_{p_j}\}_{j\in[1,n]}\big) = \Big(Y_1^{r'_1} R'_1,\ Y_1^{\alpha}\big(u_P^{ID} X_1\big)^{r'_1} R'_1,\ \{u_j^{r'_1} T_j\}_{j\in[1,n]}\Big)$$

EMREnc$(PK, ID, \mathcal P, EMR)$. For an access policy $\mathcal P$, denote $I = \{i : R_i \in S_{\mathcal P}\}$. When an EMR file needs to be encapsulated under the access policy $\mathcal P$ and the patient's identity $ID$, the user randomly picks $s \in Z_N$ and $Z, Z' \in G_{p_4}$ and computes the header $Hdr$ as follows:

$$Hdr = \{C_1, C_2\} = \Big\{\Big(\prod_{i\in I} u_i^{R_i}\, u_P^{ID}\, x\Big)^s Z,\ Y_1^s Z'\Big\}$$

Then, the user generates session key $K = A^s$ and computes $En = $ SymEnc$(K, EMR)$. Finally, the encapsulated EMR is output as $CT = (Hdr, En) = (C_1, C_2, En)$.

EMRDecM$(PK, ID, (Hdr, En), SK_{\vec R})$. To retrieve session key $K$, the medical staff member with the role satisfying the access policy $\mathcal P$ can use his secret key to compute (with $I'$ the index set of the atom roles in $\vec R$)

$$K = \frac{e\!\Big(K_{1,2}\cdot K_{P_1}^{ID}\cdot\prod_{i\in I\setminus I'} K_{1,i}^{R_i},\ C_2\Big)}{e(K_{1,1}, C_1)}$$

Then, he runs $EMR = $ SymDec$(K, En)$ to recover the EMR.

Correctness. Assume that $CT = ((C_1, C_2), En)$ is a well-formed ciphertext. EMRDecM can correctly recover the EMR file using a valid secret key $SK_{\vec R}$, where $\vec R \in Pref(\mathcal P)$, because

$$K = \frac{e(Y_1, Y_1)^{\alpha s}\cdot e\!\Big(\big(X_1\prod_{i\in I} u_i^{R_i} u_P^{ID}\big)^{r_1},\ Y_1^s\Big)}{e\!\Big(Y_1^{r_1},\ \big(\prod_{i\in I} u_i^{R_i} u_P^{ID} X_1\big)^s\Big)} = A^s$$

EMRDecP$(PK, \mathcal P, (Hdr, En), SK^{ID})$. The patient with identity $ID$ can decapsulate his EMR using his secret key. We denote $I = \{i : R_i \in S_{\mathcal P}\}$. The patient computes a session key

$$K = \frac{e\!\Big(d_{p_2}\cdot\prod_{i\in I} d_{p_i}^{R_i},\ C_2\Big)}{e(d_{p_1}, C_1)}$$

Then, he runs $EMR = $ SymDec$(K, En)$ to recover the EMR.

Correctness. Assuming that $CT = ((C_1, C_2), En)$ is a well-formed ciphertext, a patient can correctly recover his EMR using the following equalities:

$$K = \frac{e(Y_1, Y_1)^{\alpha s}\cdot e\!\Big(\big(\prod_{i\in I} u_i^{R_i} u_P^{ID} X_1\big)^{r'_1},\ Y_1^s\Big)}{e\!\Big(Y_1^{r'_1},\ \big(\prod_{i\in I} u_i^{R_i} u_P^{ID} X_1\big)^s\Big)} = A^s$$

B. SECURITY ANALYSIS

In this subsection, we provide a security analysis to demonstrate that RBACAnony-F is fully anonymous. We apply the dual system encryption technique introduced by Lewko [24], which has been used as a powerful tool for security analysis. In the proof, ciphertexts ($CT$s) and secret keys ($SK$s) can take one of two indistinguishable forms: normal form and semi-functional form, with the correlation shown in Table 2. Since the two kinds of ciphertexts and keys are indistinguishable, a simulator is able to replace the normal key and ciphertext with the semi-functional ones in security games. When both the ciphertext and key are semi-functional, an adversary can obtain no information regarding the challenge ciphertext since the given key is not able to decapsulate the challenge ciphertext.

TABLE 2: Normal/semi-functional key and ciphertext

            Normal CT              Semi CT
Normal SK   decryption allowed     decryption allowed
Semi SK     decryption allowed     decryption not allowed

Semi-functional Ciphertext. The users run the EMREnc algorithm to construct a normal ciphertext $(C'_1, C'_2, En')$. Then, they choose random exponents $x, z_c \in Z_N$ and set $C_1 = C'_1 g_2^{x z_c}$, $C_2 = C'_2 g_2^{x}$, $En' = En$.

Semi-functional Key for Medical Staff. For the medical staff member with role $\vec R$, TKA runs KeyGenM to generate normal keys $SKd'_{\vec R} = \{K'_{1,1}, K'_{1,2}, \{K'_{1,j}\}_{j\in[1,n]\setminus I}, K'_{P_1}\}$ and $SKr'_{\vec R} = \{K'_{2,1}, K'_{2,2}, \{K'_{2,j}\}_{j\in[1,n]\setminus I}, K'_{P_2}\}$. Then, it chooses random exponents $z, \gamma, z_k, z_{P_1}, z_{P_2} \in Z_N$ and $\{z_{m,j}\}_{j\in[1,n]\setminus I} \in Z_N$ for $m \in \{1, 2\}$. The semi-functional key can be set as

$$SKd_{\vec R} = \Big(K'_{1,1}\cdot g_2^{\gamma},\ K'_{1,2}\cdot g_2^{\gamma\cdot z_k},\ \{K'_{1,j}\cdot g_2^{\gamma z_{1,j}}\}_{j\in[1,n]\setminus I},\ K'_{P_1}\cdot g_2^{\gamma\cdot z_{P_1}}\Big)$$

$$SKr_{\vec R} = \Big(K'_{2,1}\cdot g_2^{z\cdot\gamma},\ K'_{2,2}\cdot g_2^{z\cdot\gamma\cdot z_k},\ \{K'_{2,j}\cdot g_2^{z\cdot\gamma z_{2,j}}\}_{j\in[1,n]\setminus I},\ K'_{P_2}\cdot g_2^{z\cdot\gamma\cdot z_{P_2}}\Big)$$

It can be seen that the EMRDecM algorithm will correctly output the $EMR$ when decrypting a semi-functional ciphertext using a semi-functional key since the added elements in $G_{p_2}$ can be cleared due to the orthogonality property. However, the blinding factor will be multiplied by an additional term $e(g_2, g_2)^{\gamma x (z_k + z_{P_1} ID + \sum_{i\in I\setminus I'} z_{1,i} R_i - z_c)}$. If $z_c = z_k + z_{P_1} ID + \sum_{i\in I\setminus I'} z_{1,i} R_i$, then decryption still works. Here, we regard the key for the medical staff as nominally semi-functional.

Semi-functional Key for Patient. For the patient with the identity $ID$, the TKA runs the KeyGenP algorithm to generate the normal key $SK^{ID} = \{d'_{p_1}, d'_{p_2}, \{d'_{p_j}\}_{j\in[1,n]}\}$. Then, it chooses random exponents $\gamma, \tilde z_k, \{\tilde z_j\}_{j\in[1,n]} \in Z_N$. The semi-functional key can be set as

$$SK^{ID} = \Big\{d'_{p_1}\cdot g_2^{\gamma},\ d'_{p_2}\cdot g_2^{\gamma\cdot\tilde z_k},\ \{d'_{p_j}\cdot g_2^{\gamma\tilde z_j}\}_{j\in[1,n]}\Big\}$$

The EMRDecP algorithm will correctly output the $EMR$ when decrypting a semi-functional ciphertext using a semi-functional key. The blinding factor will be multiplied by an additional term $e(g_2, g_2)^{\gamma x (\tilde z_k + \sum_{i\in I}\tilde z_i R_i - z_c)}$. If $z_c = \tilde z_k + \sum_{i\in I}\tilde z_i R_i$, then decryption still works. In this case, we can regard the key for the patient as nominally semi-functional.

We can verify the security and anonymity via a series of games.

$Game_{real}$: This game is a real game for RBACAnony-F, which describes the real interaction between the adversary and the EMR system.

$Game_{real'}$: This game is the same as $Game_{real}$ except that all the secret key queries are answered by the secret key generation algorithm, not by the secret key delegation algorithm.

$Game_{restrict}$: This game is the same as $Game_{real'}$ except that the adversary cannot query secret keys for the roles that are prefixes of the challenge role modulo $p_2$. Namely, for any queried role $\vec R = (R_1, R_2, \cdots, R_d)$, the existence of $\vec R^* = (R^*_1, R^*_2, \cdots, R^*_{d'}) \in Pref(\mathcal P^*)$ with $d' \le d$ such that $\forall i \in [1, d']$, $R_i = R^*_i \bmod p_2$, where $\mathcal P^*$ is the challenge access policy, is not allowed.

$Game_k$: This game is identical to $Game_{restrict}$ except that the challenge ciphertext given to the adversary is semi-functional and the first $k$ keys are semi-functional ($0 \le k \le q$). We note that in $Game_0$, only the challenge ciphertext is semi-functional; in $Game_q$, all secret keys and ciphertext are semi-functional.

$Game_{final'}$: This game is identical to $Game_q$ except that the challenge ciphertext is a semi-functional encapsulation, with the component corresponding to the EMR being a random message in $G_T$. Thus, the ciphertext is independent from the messages provided by the adversary.

$Game_{final}$: This game is identical to $Game_{final'}$ except that the challenge ciphertext is semi-functional, with the components related to the roles and identity being random group elements in the subgroup $G_{p_1 p_2 p_4}$. Thus, the ciphertext is independent from the roles and identity provided by the adversary.

Proof. In the appendix, we show that no polynomial time adversary can distinguish $Game_{real}$ and $Game_{final}$. The ciphertext of $Game_{final'}$ does not leak any information regarding the EMR file. The ciphertext of $Game_{final}$ does not leak any information regarding the roles of the medical staff and the identity of the patient. Thus, data confidentiality and identity anonymity are achieved.

VI. ANONYMOUS SEARCH

The EMR system may receive queries from the patient or the medical staff to search for someone's EMR. To respond to a search query, we set up an approach that links the EMR owners to their encapsulated EMR. We tag two labels, $ID'$

and $\mathcal P'$, with each ciphertext $CT$, forming $(CT_i, ID'_i, \mathcal P'_i)$. Assume that the total number of stored EMRs is $m$, $i \in [1, m]$. $ID'$ and $\mathcal P'$ represent the hidden identity of the patient and the hidden roles of the medical staff, respectively, such that outsiders cannot identify them. Regarding the patient and medical staff, the following operations show how they can determine their EMR.

SearchInitial. In this phase, we generate some parameters necessary for the subsequent searching work. Let $G'$ be a bilinear group of prime order $p$ and $g$ be a generator of $G'$. For a generated ciphertext $CT_i$, the $i$th patient with identity $ID_i$ randomly chooses an element $x_{ID_i} \leftarrow G'$, and the $i$th group of the medical staff in access policy $\mathcal P_i$ randomly chooses an element $x_{\mathcal R_i} \leftarrow G'$. Then, they compute a session key $SK_i$: $SK_i \leftarrow g^{x_{ID_i}\cdot x_{\mathcal R_i}} \bmod n$, where $n$ is a large prime number. The session key is owned only by the patient with identity $ID_i$ and his responsible medical staff in access policy $\mathcal P_i$.

SearchLabelCreate. In this phase, we create the search labels $ID'_i$ and $\mathcal P'_i$. $ID'_i$ can be obtained by applying a hash function to $ID_i$: $ID'_i \leftarrow H(ID_i)$. $\mathcal P'_i$ can be obtained by applying the symmetric encryption algorithm SymEnc with the session key $SK_i$ to the atom roles $\{R_{ij}\}$ in $\mathcal P_i$: $\{R'_{ij} \leftarrow$ SymEnc$(R_{ij}, SK_i)\}$, $j \in \{j : R_{ij} \in S_{\mathcal P_i}\}$. $\{R'_{ij}\}$ constitute the atom roles for $\mathcal P'_i$. Then, the labels $ID'_i$ and $\mathcal P'_i$ are tagged with $CT_i$, yielding $(CT_i, ID'_i, \mathcal P'_i)$.

Search. When a patient with identity $ID$ tries to search for his EMR (or when one of his doctors tries to do this), he first hashes the identity $ID$ and obtains $H(ID)$. Then, he searches through the various $ID'_i$ in all patients' labels and pinpoints the one whose value equals $H(ID)$. When he obtains the index $i$, he uses his session key to decrypt the roles for the medical staff: $\{R_{ij} \leftarrow$ SymDec$(R'_{ij}, SK_i)\}$. $\{R_{ij}\}$ are the atom roles in access policy $\mathcal P_i$. When the patient knows the access policy $\mathcal P_i$ of a medical staff member and his identity, he can decapsulate $CT_i$ using the corresponding secret key.
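The SearchInitial, SearchLabelCreate and Search steps above, as an added Python example that is not part of the paper: the session key $SK_i = g^{x_{ID_i}\cdot x_{\mathcal R_i}}$ is computed in a constructed toy group (the order-1019 subgroup of $Z^*_{2039}$, standing in for the paper's prime-order $G'$), $H$ is SHA-256, and because the paper only names SymEnc/SymDec, a keystream cipher built from HMAC-SHA256 with one nonce per encrypted role plays that part. The records, identities, roles and random shares are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed toy group for the session key: order-q subgroup of Z_p^*, p = 2q + 1.
# Only exponentiation is needed here; the paper's G' is a prime-order bilinear group.
P_TOY, Q_TOY, G_TOY = 2039, 1019, 4


def session_key(x_id: int, x_r: int) -> bytes:
    """SK_i = g^{x_ID * x_R} mod n, reduced to a 32-byte symmetric key.

    x_id is the patient's random share, x_r the share chosen by the medical
    staff group of access policy P_i. Either side can compute the same value
    (toy Diffie-Hellman style, shares used as exponents)."""
    shared = pow(G_TOY, (x_id * x_r) % Q_TOY, P_TOY)
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def H(identity: str) -> str:
    """ID' = H(ID): SHA-256 of the identity string, hex encoded."""
    return hashlib.sha256(identity.encode()).hexdigest()


def _keystream(key: bytes, nonce: int, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for the keystream of SymEnc.
    out = b""
    ctr = 0
    while len(out) < length:
        block = nonce.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def sym_enc(key: bytes, nonce: int, msg: bytes) -> bytes:
    """SymEnc stand-in: XOR with a per-nonce keystream (confidentiality only,
    no integrity check, so a wrong key yields garbage rather than an error)."""
    return bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))


def sym_dec(key: bytes, nonce: int, ct: bytes) -> bytes:
    return sym_enc(key, nonce, ct)  # XOR is its own inverse


def create_labels(records, session_keys):
    """SearchLabelCreate: tag each CT_i with (ID'_i, P'_i).

    records: list of (ct_i, ID_i, [atom roles R_ij]); session_keys[i] is SK_i.
    The role's position j is the nonce, so no two roles share a keystream."""
    labels = []
    for i, (ct, ident, roles) in enumerate(records):
        hidden_roles = [sym_enc(session_keys[i], j, r.encode())
                        for j, r in enumerate(roles)]
        labels.append((ct, H(ident), hidden_roles))
    return labels


def search(labels, identity: str, sk: bytes):
    """Search: hash the identity, find the label with that ID', decrypt P'.

    Returns (index i, [R_ij]) or None when no label matches H(identity)."""
    target = H(identity)
    for i, (_ct, id_label, hidden_roles) in enumerate(labels):
        if hmac.compare_digest(id_label, target):
            roles = [sym_dec(sk, j, c).decode("utf-8", "replace")
                     for j, c in enumerate(hidden_roles)]
            return i, roles
    return None


# Constructed sample: two encapsulated EMRs (placeholder CT bytes) and session keys
# derived from constructed shares (x_ID, x_R) for each record.
RECORDS = [
    (b"<CT_1 bytes>", "patient-0001", ["Cardiologist", "Nurse"]),
    (b"<CT_2 bytes>", "patient-0002", ["Oncologist"]),
]
SESSION_KEYS = [session_key(17, 523), session_key(901, 44)]
LABELS = create_labels(RECORDS, SESSION_KEYS)

if __name__ == "__main__":
    print(search(LABELS, "patient-0002", SESSION_KEYS[1]))  # (1, ['Oncologist'])
    print(search(LABELS, "patient-9999", SESSION_KEYS[1]))  # None
```

The stored labels carry only $H(ID_i)$ and ciphertexts of the role names, so an outsider holding the label table sees neither identity nor roles in the clear, while a holder of $SK_i$ recovers the access policy after matching the hash. One practical caveat (my note, not the paper's): $H(ID)$ is deterministic, so the identity is hidden only to the extent that identifiers are unguessable; if patient identifiers are low-entropy, a keyed hash under a secret shared with the EMR system is the natural hardening.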
VII. IMPROVING USER EXPERIENCE

To achieve the perfect user experience, we speed up the data processing in the key generation and EMR encapsulation procedures. We apply online/offline cryptography [25] to our scheme. The online/offline technique was initiated by Goldreich and Micali [26] for signature schemes. Guo et al. [27] extended the offline algorithm to the identity-based encryption system. Briefly, the online/offline technique splits the encryption or key generation process into two phases: the offline phase, in which most of the complex computations are first executed by assuming a set of random identities, and the online phase, in which only simple computations are performed to produce the ciphertext or secret key once the identities are available. In this way, we show how to move the computational work for key generation and EMR encapsulation offline. The following offline/online algorithms are based on the RBACAnony scheme, while the algorithm for the RBACAnony-F scheme is omitted due to it having similar procedures and results.

Offline.KeyGenM$(PK, MSK)$. The offline KeyGenM algorithm takes as its input the public parameters and master key, excluding the medical staff role. We assume a random role $\vec R_B$ with bound $B$ on the maximum number of atom roles, which can be used to generate a secret key. Denote $\vec R_B = (x_1, x_2, \ldots, x_B)$ and $I_B = \{i : x_i \in S_{\vec R_B}\}$, where $x_i$ are randomly chosen from $Z_N$ and regarded as intermediate atom roles. The algorithm picks random exponents $r_1, r_2, s_1, s_2, t_1, t_2 \leftarrow Z_N$ satisfying $s_1\cdot t_2 - s_2\cdot t_1 \ne 0 \bmod p$ and $\bmod q$. Then, it generates the intermediate secret key $SK_{\vec R_B}$, which consists of two subkeys: $SKd_{\vec R_B}$ and $SKr_{\vec R_B}$. $SKd_{\vec R_B}$ can be written in the following form:

$$\Big\{\omega\Big(u\prod_{i\in I_B} h_i^{x_i}\Big)^{r_1} f^{r_2},\ g^{r_1},\ g^{r_2},\ g_h^{r_1},\ \{h_j^{r_1}\}_{j\in[1,n]\setminus I_B}\Big\}$$

$\{h_j^{r_1}\}_{j\in[1,n]}$ can be pre-computed here. $SKr_{\vec R_B}$ has a form similar to that of $SKd_{\vec R_B}$, but it is not used for EMR encapsulation. We can view the procedure as key generation for the intermediate role $\vec R_B = (x_1, x_2, \ldots, x_B)$. The work done in the offline phase is roughly equivalent to the work carried out for the regular KeyGenM algorithm.

Online.KeyGenM$(SK_{\vec R_B}, \vec R)$. The online KeyGenM algorithm takes as its input the intermediate secret key $SK_{\vec R_B}$ from the offline KeyGenM algorithm and the real role of a medical staff member $\vec R = (R_1, \ldots, R_{d \le B})$. Denote $I = \{i : R_i \in S_{\vec R}\}$. The algorithm computes the "correction factors" $K_i = r_1\cdot(R_i - x_i) \bmod N$ for $i \in I$. The subkey $SKd_{\vec R}$ for the medical staff is output in the following form:

$$\Big\{\omega\Big(u\prod_{i\in I} h_i^{x_i}\Big)^{r_1} f^{r_2},\ g^{r_1},\ g^{r_2},\ g_h^{r_1},\ \{h_j^{r_1}\}_{j\in[1,n]\setminus I},\ \{K_i\}_{i\in I}\Big\} = \big(d_1, d_2, d_3, d_4, \{d_j\}_{j\in[1,n]\setminus I}, \{K_i\}_{i\in I}\big)$$

The subkey $SKr_{\vec R}$ is output with a form similar to that of $SKd_{\vec R}$ but without the elements $\{K_i\}_{i\in I}$. The dominant cost in the online phase is $\|\vec R\|$ multiplications for generating $\{K_i = r_1\cdot(R_i - x_i)\}_{i\in I}$.

Since the offline/online algorithm of key delegation follows the same procedure as that in the KeyGenM phase, we omit the details of that process. The dominant cost in the online key delegation procedure is only one multiplication.

Offline.EMREnc$(PK)$. The offline EMREnc algorithm takes as its input only the public parameters. We assume a random access policy $\mathcal P_B$ with bound $B$ on the maximum number of atom roles, which can be used to generate a ciphertext. Denote $I_B = \{i : z_i \in S_{\mathcal P_B}\}$, where $z_i$ are randomly chosen from $Z_N$ and regarded as intermediate atom roles. The algorithm selects $y \leftarrow Z_N$, which is assumed

to be the intermediate patient identity. Then, the algorithm picks a random element $s \leftarrow Z_N$ and random elements $Z_1, Z_2, Z_3 \leftarrow G_q$. Finally, it computes the intermediate header $Hdr_{IT}$ as follows:

$$Hdr_{IT} = \{C_1, C_2, C_3\} = \Big\{G^s\cdot Z_1,\ F^s\cdot Z_2,\ \Big(U H^{y}\prod_{i\in I_B} H_i^{z_i}\Big)^s Z_3\Big\}$$

The header generated in the offline phase is roughly equivalent to the work of the regular EMREnc algorithm.

Online.EMREnc$(Hdr_{IT}, Id, \mathcal P, EMR)$. The online EMREnc algorithm takes as its input the intermediate header $Hdr_{IT}$ from the offline EMREnc algorithm, a patient identity $ID$, an access policy $\mathcal P$ and the $EMR$. Denote $I = \{i : R_i \in S_{\mathcal P}\}$, and note that $I \subseteq I_B$ since we have assumed the maximum bound $B$ on the number of atom roles. The algorithm computes the "correction factors" $C_{4,i} = s\cdot(R_i - z_i)$ for $i \in I$ and $C_5 = s\cdot(Id - y)$. Then, it outputs the ciphertext header

$$Hdr = \{C_1, C_2, C_3, \{C_{4,i}\}_{i\in I}, C_5\} = \Big\{G^s\cdot Z_1,\ F^s\cdot Z_2,\ \Big(U H^{y}\prod_{i\in I} H_i^{z_i}\Big)^s Z_3,\ \{C_{4,i}\}_{i\in I},\ C_5\Big\}$$

As the symmetric encryption time $En = $ SymEnc$(K, EMR)$ is relatively fast, the cost of EMR encapsulation can be ignored. The dominant cost in the online phase is $(\|\mathcal P\| + 1)$ multiplications in $Z_N$ for generating $\{C_{4,i} = s\cdot(R_i - z_i)\}_{i\in I}$ and $C_5 = s\cdot(Id - y)$.

Finally, we should verify that the EMR can be correctly decapsulated after the online/offline algorithm is applied. The encapsulation key $K$ is calculated using (with $I'$ the index set of the atom roles in the decryptor's role $\vec R$ and $I$ that of $\mathcal P$)

$$K = \frac{e\!\Big(d_1\cdot\prod_{i\in I'} h_i^{K_i}\cdot d_4^{Id}\cdot\prod_{i\in I\setminus I'} d_i^{R_i},\ C_1\Big)}{e\!\Big(d_2,\ C_3\cdot\prod_{i\in I} H_i^{C_{4,i}}\cdot H^{C_5}\Big)\cdot e(d_3, C_2)}$$

$K$ can be extracted as $K = e(g, \omega)^s$ from the above expression. Finally, an EMR can be exactly recovered by running $EMR = $ SymDec$(K, En)$.
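As an added Python check that is not part of the paper, the following reproduces the correction-factor algebra of Online.KeyGenM and Online.EMREnc from Section VII: the offline phase works on random intermediate atoms $x_i$ (key side) or $z_i$ and $y$ (header side), the online phase only computes $K_i = r_1(R_i - x_i)$, $C_{4,i} = s(R_i - z_i)$ and $C_5 = s(Id - y)$, and the decryptor's products $d_1\prod_i h_i^{K_i}$ and $C_3\prod_i H_i^{C_{4,i}} H^{C_5}$ come out equal to what a direct KeyGenM or EMREnc would have produced. The arithmetic runs in a constructed toy group (the order-1019 subgroup of $Z^*_{2039}$, exponents in $Z_{1019}$ playing the role of $Z_N$); the paper's composite-order pairing group, the $G_q$ blinding elements $Z_j$ and the remaining key components are omitted. It assumes the real role fills the whole bound $B$, so every intermediate atom receives a correction factor, and uses constructed bases in place of $\omega, u, f, h_i$ and $U, H, H_i$.

```python
import random

# Constructed toy group: order-q subgroup of Z_p^*, p = 2q + 1, generated by 4.
P, Q, G = 2039, 1019, 4


def gexp(base: int, e: int) -> int:
    """base^e in the toy group (exponents live in Z_q, the paper's Z_N)."""
    return pow(base, e % Q, P)


def gmul(*xs: int) -> int:
    out = 1
    for x in xs:
        out = out * x % P
    return out


def random_bases(names, n, rng):
    """Constructed public bases: one element per name plus an indexed family of n."""
    pk = {name: gexp(G, rng.randrange(1, Q)) for name in names}
    pk["fam"] = [gexp(G, rng.randrange(1, Q)) for _ in range(n)]
    return pk


# ---- KeyGenM side: d1 = omega * (u * prod_i h_i^{R_i})^{r1} * f^{r2} ----

def d1_direct(pk, role, r1, r2):
    """d1 of the regular KeyGenM for a role given as {index: R_i}."""
    inner = gmul(pk["u"], *[gexp(pk["fam"][i], R) for i, R in role.items()])
    return gmul(pk["omega"], gexp(inner, r1), gexp(pk["f"], r2))


def offline_keygen(pk, bound, rng):
    """Offline.KeyGenM: the same work as KeyGenM, but for random atoms x_1..x_B."""
    r1, r2 = rng.randrange(1, Q), rng.randrange(1, Q)
    x = {i: rng.randrange(1, Q) for i in range(bound)}
    return {"r1": r1, "r2": r2, "x": x, "d1": d1_direct(pk, x, r1, r2)}


def online_keygen(sk_int, role):
    """Online.KeyGenM: only |R| multiplications, K_i = r1 * (R_i - x_i) mod q."""
    return {i: sk_int["r1"] * (R - sk_int["x"][i]) % Q for i, R in role.items()}


def d1_corrected(pk, sk_int, K):
    """What the decryptor uses: d1 * prod_i h_i^{K_i}."""
    return gmul(sk_int["d1"], *[gexp(pk["fam"][i], k) for i, k in K.items()])


# ---- EMREnc side: C3 = (U * H^{Id} * prod_i H_i^{R_i})^s ----

def c3_direct(ek, role, ident, s):
    """C3 of the regular EMREnc (blinding element Z3 omitted in the toy)."""
    inner = gmul(ek["U"], gexp(ek["H"], ident),
                 *[gexp(ek["fam"][i], R) for i, R in role.items()])
    return gexp(inner, s)


def offline_enc(ek, bound, rng):
    """Offline.EMREnc: header for random atoms z_1..z_B and random identity y."""
    s, y = rng.randrange(1, Q), rng.randrange(1, Q)
    z = {i: rng.randrange(1, Q) for i in range(bound)}
    return {"s": s, "y": y, "z": z, "C3": c3_direct(ek, z, y, s)}


def online_enc(hdr_int, role, ident):
    """Online.EMREnc: C4_i = s * (R_i - z_i) and C5 = s * (Id - y), all mod q."""
    s = hdr_int["s"]
    C4 = {i: s * (R - hdr_int["z"][i]) % Q for i, R in role.items()}
    C5 = s * (ident - hdr_int["y"]) % Q
    return C4, C5


def c3_corrected(ek, hdr_int, C4, C5):
    """Decryptor's view of the header: C3 * prod_i H_i^{C4_i} * H^{C5}."""
    return gmul(hdr_int["C3"], gexp(ek["H"], C5),
                *[gexp(ek["fam"][i], c) for i, c in C4.items()])


def demo(seed=7, bound=4):
    """Returns (key_ok, header_ok): both True when the corrections line up."""
    rng = random.Random(seed)
    pk = random_bases(["omega", "u", "f"], bound, rng)
    ek = random_bases(["U", "H"], bound, rng)
    role = {i: rng.randrange(1, Q) for i in range(bound)}  # constructed real role
    ident = rng.randrange(1, Q)                             # constructed patient Id
    sk_int = offline_keygen(pk, bound, rng)
    K = online_keygen(sk_int, role)
    key_ok = d1_corrected(pk, sk_int, K) == d1_direct(pk, role, sk_int["r1"], sk_int["r2"])
    hdr_int = offline_enc(ek, bound, rng)
    C4, C5 = online_enc(hdr_int, role, ident)
    header_ok = c3_corrected(ek, hdr_int, C4, C5) == c3_direct(ek, role, ident, hdr_int["s"])
    return key_ok, header_ok


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check passes because $h_i^{x_i r_1}\cdot h_i^{r_1(R_i - x_i)} = h_i^{r_1 R_i}$, so the exponent of every intermediate atom is swapped for the real one without any group exponentiation in the online phase. A tampered or mismatched correction factor changes the product by a non-identity element, which is what the inequality in the test exercises.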
VIII. PERFORMANCE ANALYSIS

A. THEORETICAL ANALYSIS

Table 3 shows the efficiency of our proposed scheme in detail. The system parameters, the master secret key and the other secret keys (for the medical staff and patients) are linearly proportional to the maximum number of atom roles. The header contains only three group elements in $G$, achieving ciphertext with a constant size and being independent of the maximal depth of the hierarchy for the access policy set $\|\mathcal P\|$. In Table 3, we denote $t_e$ as one exponent operation time in $G$, $t_m$ as one multiplication operation time in $G$ and $t_p$ as one pairing operation time. In the procedures of KeyGenM, KeyDelegM, KeyGenP, and EMREnc, exponentiations can be pre-computed by choosing random exponents.

Table 4 compares four schemes in terms of anonymity, order of the bilinear group and performance. We denote RBACAnony as "Ours & Scheme-I", RBACAnony-F as "Ours & Scheme-II", and our schemes with the user experience improvement as "Ours & Improved".

B. EXPERIMENTAL PERFORMANCE

We conduct the experiment using an Intel Core i7 processor with 8 GB of RAM and a 2.6 GHz CPU clock. We use an elliptic curve type A1 with the expression $y^2 = x^3 + x$ for the Tate symmetric pairing. The group order of $Z_N$ is set to 512 bits, and the element size in $G$ is also configured to 512 bits. The experiment is executed using the jPBC library (http://gas.dia.unisa.it/projects/jpbc/index.html). We test the operational time required for key generation, key delegation, EMR encapsulation and decapsulation for medical staff. We show the performance results in Figure 2(a)-(e). Figure 2(f) and Figure 2(g) show the operational time after the user experience is improved.

IX. CONCLUSION

In this paper, we propose two anonymous RBAC schemes for the EMR system. We achieve flexible access control such that the EMR data can be encapsulated according to an on-demand access policy, with only users whose roles satisfy the access policy being able to decapsulate it. Patients' privacy is preserved using a bilinear group, where all the identity-related information is hidden in a subgroup. Based on the chosen bilinear group assumptions, we prove that our proposed models have the property of semantic security and anonymity. We apply the "online/offline" approach to achieve a better user experience.

APPENDIX A PROOF OF SECURITY OF RBACANONY-F

The security proof is based on the following assumptions.

Assumption 1. Given group generator $\mathcal G$, we define the following distribution:

$$\mathbb G = (N = p_1 p_2 p_3 p_4, G, G_T, e) \xleftarrow{R} \mathcal G,\quad g_1, A_1 \xleftarrow{R} G_{p_1},\ A_2, B_2 \xleftarrow{R} G_{p_2},\ g_3 \xleftarrow{R} G_{p_3},\ g_4, B_4 \xleftarrow{R} G_{p_4}$$

$$D = (\mathbb G, g_1, g_3, g_4, A_1 A_2, B_2 B_4)$$

Then, this assumption determines whether the given element $T \xleftarrow{R} G_{p_1 p_2 p_4}$ or $T \xleftarrow{R} G_{p_1 p_4}$. The advantage of an algorithm $\mathcal A$ that outputs $\beta \in \{0, 1\}$ in breaking Assumption 1 is defined as

$$Adv1_{\mathcal A}(\lambda) = \Big|\Pr\big[\mathcal A(D, T \xleftarrow{R} G_{p_1 p_2 p_4}) = 1\big] - \Pr\big[\mathcal A(D, T \xleftarrow{R} G_{p_1 p_4}) = 1\big]\Big|$$

Definition I. $\mathcal G$ satisfies Assumption 1 if $Adv1_{\mathcal A}(\lambda)$ is negligible for any polynomial-time algorithm $\mathcal A$.

TABLE 3: Efficiency of the proposed schemes

                  RBACAnony with n atom roles                        RBACAnony-F scheme with n atom roles
MSK size          n + 7                                              2
SK_R size         3 · (n + 4 − ||R||)                                2 · (n + 3 − ||R||)
SK_Id size        n + 3                                              n + 2
Hdr size          3                                                  2
KeyGenM time      3 · (n + 5) te + (3||R|| + 4) tm                   (n + 6) te + (2n + 7) tm
KeyDelegM time    (31 + 6n − 6||R||) te + (23 + 4n − 4||R||) tm      (8 + 2n − 2||R||) te + (2 + 3n − 3||R||) tm
KeyGenP time      (n + 5) te + 3 tm                                  (n + 4) te + (n + 4) tm
EMREnc time       (||P|| + 5) te + (||P|| + 4) tm                    (||P|| + 3) te + (||P|| + 3) tm
EMRDecM time      (1 + ||P|| − ||R||)(te + tm) + 3 tp + tm           (1 + ||P|| − ||R||)(te + tm) + 2 tp
EMRDecP time      ||P|| (te + tm) + 3 tp + tm                        ||P|| (te + tm) + 2 tp

TABLE 4: Comparison with related work

Scheme            Anonymity  Order of bilinear group  Key Generation Time               Key Delegation Time                            EMR Enc Time                            Number of pairings in EMR Dec
[8]               ×          prime order              (n + 6) te + (||R|| + 1) tm       (n + 6) te + (n + 5) tm                        (||P|| + 4) te + (||P|| + 3) tm + th    2
[20]              √          composite order          3 · (n + 4) te + (3||R|| + 4) tm  (25 + 6n − 6||R||) te + (18 + 4n − 4||R||) tm  (||P|| + 4) te + (||P|| + 4) tm         3
Ours & Scheme-I   √          composite order          3 · (n + 5) te + (3||R|| + 4) tm  (31 + 6n − 6||R||) te + (23 + 4n − 4||R||) tm  (||P|| + 5) te + (||P|| + 4) tm         3
Ours & Scheme-II  √          composite order          (n + 6) te + (2n + 7) tm          (8 + 2n − 2||R||) te + (2 + 3n − 3||R||) tm    (||P|| + 3) te + (||P|| + 3) tm         2
Ours & Improved   √          composite order          ||R|| · tm                        1 · tm                                         (||P|| + 1) tm                          3

Fig. 2: Experimental results for the proposed system. Panels: (a) Secret key generation time (ms); (b) Secret key delegation time (ms); (c) EMR encapsulation time (ms); (d) Scheme-I: EMR decapsulation (ms); (e) Scheme-II: EMR decapsulation (ms); (f) Improved KeyGenM time (ms); (g) Improved encapsulation time (ms). Horizontal axis: Number of Atom Roles in Access Policy (N); series: Scheme-I, Scheme-II, and EMRDecM1 to EMRDecM10 in panel (e).


Assumption 2. Given group generator $\mathcal G$, we define the following distribution:

$$\mathbb G = (N = p_1 p_2 p_3 p_4, G, G_T, e) \xleftarrow{R} \mathcal G,\quad g_1, A_1 \xleftarrow{R} G_{p_1},\ A_2, B_2 \xleftarrow{R} G_{p_2},\ g_3, B_3 \xleftarrow{R} G_{p_3},\ g_4 \xleftarrow{R} G_{p_4}$$

$$D = (\mathbb G, g_1, g_3, g_4, A_1 A_2, B_2 B_3)$$

Then, this assumption determines whether the given element $T \xleftarrow{R} G_{p_1 p_2 p_3}$ or $T \xleftarrow{R} G_{p_1 p_3}$. The advantage of an algorithm $\mathcal A$ that outputs $\beta \in \{0, 1\}$ in breaking Assumption 2 is defined as

$$Adv2_{\mathcal A}(\lambda) = \Big|\Pr\big[\mathcal A(D, T \xleftarrow{R} G_{p_1 p_2 p_3}) = 1\big] - \Pr\big[\mathcal A(D, T \xleftarrow{R} G_{p_1 p_3}) = 1\big]\Big|$$

Definition II. $\mathcal G$ satisfies Assumption 2 if $Adv2_{\mathcal A}(\lambda)$ is negligible for any polynomial-time algorithm $\mathcal A$.

Assumption 3. Given group generator $\mathcal G$, we define the following distribution:

$$\mathbb G = (N = p_1 p_2 p_3 p_4, G, G_T, e) \xleftarrow{R} \mathcal G,\quad \alpha, s, r \xleftarrow{R} Z_N,\ g_1 \xleftarrow{R} G_{p_1},\ g_2, A_2, B_2 \xleftarrow{R} G_{p_2},\ g_3 \xleftarrow{R} G_{p_3},\ g_4 \xleftarrow{R} G_{p_4}$$

$$D = (\mathbb G, g_1, g_2, g_3, g_4, g_1^{\alpha} A_2, g_1^{s} B_2, g_2^{r}, A_2^{r})$$

Then, this assumption determines whether the given element $T \leftarrow e(g_1, g_1)^{\alpha s}$ or $T \leftarrow G_T$. The advantage of an algorithm $\mathcal A$ that outputs $\beta \in \{0, 1\}$ in breaking Assumption 3 is defined as

$$Adv3_{\mathcal A}(\lambda) = \Big|\Pr\big[\mathcal A(D, T \leftarrow e(g_1, g_1)^{\alpha s}) = 1\big] - \Pr\big[\mathcal A(D, T \leftarrow G_T) = 1\big]\Big|$$

Definition III. $\mathcal G$ satisfies Assumption 3 if $Adv3_{\mathcal A}(\lambda)$ is negligible for any polynomial-time algorithm $\mathcal A$.

Assumption 4. Given group generator $\mathcal G$, we define the following distribution:

$$\mathbb G = (N = p_1 p_2 p_3 p_4, G, G_T, e) \xleftarrow{R} \mathcal G,\quad s, \hat r \xleftarrow{R} Z_N,\ g_1, U, A_1 \xleftarrow{R} G_{p_1},\ g_2, A_2, B_2, D_2, F_2 \xleftarrow{R} G_{p_2},\ g_3 \xleftarrow{R} G_{p_3},\ g_4, A_4, B_4, D_4 \xleftarrow{R} G_{p_4},\ A_{24}, B_{24}, D_{24} \xleftarrow{R} G_{p_2 p_4}$$

$$D = (\mathbb G, g_1, g_2, g_3, g_4, U, U^{s} A_{24}, U^{\hat r}, A_1 A_4, A_1^{\hat r} A_2, g_1^{\hat r} B_2, g_1^{s} B_{24})$$

Then, this assumption determines whether the given element $T \leftarrow A_1^{s} D_{24}$ or $T \leftarrow G_{p_1 p_2 p_4}$. The advantage of an algorithm $\mathcal A$ that outputs $\beta \in \{0, 1\}$ in breaking Assumption 4 is defined as

$$Adv4_{\mathcal A}(\lambda) = \Big|\Pr\big[\mathcal A(D, T \leftarrow A_1^{s} D_{24}) = 1\big] - \Pr\big[\mathcal A(D, T \leftarrow G_{p_1 p_2 p_4}) = 1\big]\Big|$$

Definition IV. $\mathcal G$ satisfies Assumption 4 if $Adv4_{\mathcal A}(\lambda)$ is negligible for any polynomial-time algorithm $\mathcal A$.

Now, we provide the proof showing that $Game_{real}$, $Game_{real'}$, $Game_{restrict}$, $Game_k$, $Game_{final'}$, and $Game_{final}$ are indistinguishable from each other.

Lemma 5.1. For any algorithm $\mathcal A$, it holds that $Game_{Real}Adv_{\mathcal A} = Game_{Real'}Adv_{\mathcal A}$.

Proof. We note that the secret keys are identically distributed whether they are generated by the key generation algorithm or by the key delegation algorithm. Therefore, there is no difference between $Game_{Real}Adv_{\mathcal A}$ and $Game_{Real'}Adv_{\mathcal A}$ from the adversary's perspective.

Lemma 5.2. Suppose that there is a PPT algorithm $\mathcal A$ such that $Game_{Real}Adv_{\mathcal A} - Game_{Restricted}Adv_{\mathcal A} = \epsilon_1$. We can build a PPT algorithm $\mathcal B$ with the advantage $\epsilon_1/3$ in breaking Assumption 1.

Proof. If there exists an adversary $\mathcal A$ who can distinguish $Game_{Restricted}$ from $Game_{Real}$ with advantage $\epsilon_1$, then based on the definition of $Game_{Restricted}$, $\mathcal A$ must submit a secret key query for a role $\vec R = (R_1, R_2, \cdots, R_d)$ for which there exists $\vec R^* = (R^*_1, R^*_2, \cdots, R^*_{d'}) \in Pref(\mathcal P^*)$ with $d' \le d$ such that $\forall i \in [1, d']$, $R_i = R^*_i \bmod p_2$. Then, a factor of $N$ can be extracted by computing $\gcd(R_i - R^*_i, N)$, from which we can build an algorithm similar to that introduced in the proof of Lemma 3.3 in [10] that can break Assumption 1 with advantage $\epsilon_1/3$. We omit the details to avoid repetition.

Lemma 5.3. Suppose that there is a PPT algorithm $\mathcal A$ such that $Game_{Restricted}Adv_{\mathcal A} - Game_0 Adv_{\mathcal A} = \epsilon_2$. We can build a PPT algorithm $\mathcal B$ with the advantage $\epsilon_2$ in breaking Assumption 1.

Proof. $\mathcal B$ receives $(\mathbb G, g_1, g_3, g_4, A_1 A_2, B_2 B_4, T)$ of Assumption 1, and it needs to determine whether $T$ is in $G_{p_1 p_4}$ or in $G_{p_1 p_2 p_4}$. $\mathcal B$ chooses random exponents $\alpha, \{a_i\}_{i\in[1,n]}, a, b, c \in Z_N$ and sets $Y_1 = g_1$, $Y_3 = g_4$, $Y_4 = g_3$, $X_4 = Y_4^{c}$, $X_1 = Y_1^{b}$, $u_P = Y_1^{a}$ and $u_i = Y_1^{a_i}$ for $i \in [1, n]$. Then, $\mathcal B$ gives the public key $PK = (N, Y_1, Y_3, Y_4, x = X_1 X_4, \{u_i\}_{i\in[1,n]}, u_P, A = e(Y_1, Y_1)^{\alpha})$ to adversary $\mathcal A$. $\mathcal B$ knows the master key $MSK = (X_1, \alpha)$ and thus can answer all queries from $\mathcal A$ in the secret key query phase.

In the challenge phase, $\mathcal A$ sends $\mathcal B$ two equal-length EMRs $EMR_0, EMR_1$ with a challenge access policy $\mathcal P^*$ and a challenge identity $ID^*$. $\mathcal B$ flips a random coin $\beta \in \{0, 1\}$ and returns the challenge ciphertext

$$\{C^*_1, C^*_2, En^*\} = \Big\{T^{\sum_{i\in I^*} a_i R^*_i + a\,ID^* + b},\ T,\ \mathrm{SymEnc}\big(e(T, Y_1)^{\alpha}, EMR_{\beta}\big)\Big\}$$

If $T \xleftarrow{R} G_{p_1 p_4}$, then $T$ can be written as $Y_1^{s_1} Y_3^{s_3}$ with random $s_1, s_3 \leftarrow Z_N$. In this case, $(C^*_1, C^*_2, En^*)$ is a normal ciphertext, and $\mathcal B$ simulates $Game_{Restricted}$. If $T \xleftarrow{R} G_{p_1 p_2 p_4}$, then $T$ can be written as $Y_1^{s_1} g_2^{s} Y_3^{s_3}$. In this case, $(C^*_1, C^*_2, En^*)$ is a semi-functional ciphertext according to its definition, and $\mathcal B$ simulates $Game_0$.

Lemma 5.4. Suppose that there is a PPT algorithm $\mathcal{A}$ such that $Game_{k-1}Adv_{\mathcal{A}} - Game_{k}Adv_{\mathcal{A}} = \epsilon_3$. We can build a PPT algorithm $\mathcal{B}$ with the advantage $\epsilon_3$ in breaking Assumption 2.

Setup. $\mathcal{B}$ receives $(\mathbb{G}, g_1, g_3, g_4, A_1A_2, B_2B_3, T)$ of Assumption 2, and it needs to determine whether $T$ is in $G_{p_1p_3}$ or in $G_{p_1p_2p_3}$. $\mathcal{B}$ chooses random exponents $\alpha, \{a_i\}_{i\in[1,n]}, a, b, c \in \mathbb{Z}_N$ and sets $Y_1 = g_1$, $Y_3 = g_3$, $Y_4 = g_4$, $X_4 = Y_4^{c}$, $X_1 = Y_1^{b}$, $u_P = Y_1^{a}$ and $u_i = Y_1^{a_i}$ for $i \in [1,n]$. Then, $\mathcal{B}$ gives the public key $PK = (N, Y_1, Y_3, Y_4, x = X_1X_4, \{u_i\}_{i\in[1,n]}, u_P, A = e(Y_1,Y_1)^{\alpha})$ to adversary $\mathcal{A}$. The master key $MSK = (X_1, \alpha)$ is kept by $\mathcal{B}$.

Secret Key Query for Medical Staff. When $\mathcal{A}$ requests the $l$-th secret key for the medical staff member with the role $\vec{R}_l = (R_{l,1}, \ldots, R_{l,d})$, where $I = \{i : R_{l,i} \in S_{\vec{R}}\}$, we need to consider three cases: $l < k$, $l > k$ and $l = k$.

• When $l < k$, $\mathcal{B}$ creates a semi-functional secret key. It selects random exponents $r_1, r_2, f, z, w, w_1, w_2, w_{P_1}, w_{P_2}$ and $\{w_{m,j}\}_{j\in[1,n]\setminus I}$ for $m \in \{1,2\}$ from $\mathbb{Z}_N$.
\[
SK_d^{\vec{R}} = \Big( Y_1^{r_1}(B_2B_3)^{f},\;
Y_1^{\alpha}(B_2B_3)^{w}\Big(\prod_{i\in I} u_i^{R_{l,i}}\,X_1\Big)^{r_1} Y_3^{w_1},\;
\{u_j^{r_1}(B_2B_3)^{w_{1,j}}\}_{j\in[1,n]\setminus I},\;
u_P^{r_1}(B_2B_3)^{w_{P_1}} \Big)
\]
\[
SK_r^{\vec{R}} = \Big( Y_1^{r_2}(B_2B_3)^{zf},\;
(B_2B_3)^{zw}\Big(\prod_{i\in I} u_i^{R_{l,i}}\,X_1\Big)^{r_2} Y_3^{w_2},\;
\{u_j^{r_2}(B_2B_3)^{w_{2,j}}\}_{j\in[1,n]\setminus I},\;
u_P^{r_2}(B_2B_3)^{w_{P_2}} \Big)
\]
We consider $B_2$ as $g_2^{s}$ for random $s \leftarrow \mathbb{Z}_N$. It can be seen that the generated secret key is semi-functional because $\gamma = s\cdot f$, $\gamma\cdot z_k = s\cdot w$ and $\gamma\cdot z_{P_m} = s\cdot w_{P_m}$ for $m \in \{1,2\}$.

• When $l > k$, $\mathcal{B}$ creates a normal secret key by calling the KeyGenM algorithm.

• When $l = k$, $\mathcal{B}$ creates the $k$-th secret key. $\mathcal{B}$ lets $z_k = \sum_{i\in I} a_i R_{k,i} + b$, chooses random exponents $r_2', w_1, w_2, w_{P_1}, w_{P_2} \in \mathbb{Z}_N$ and $\{w_{m,j}\} \in \mathbb{Z}_N$ for $j \in [1,n]\setminus I$, $m \in \{1,2\}$, and sets
\[
SK_d^{\vec{R}} = \Big( T,\; Y_1^{\alpha}\,T^{z_k}\,Y_3^{w_1},\; \{T^{a_j} Y_3^{w_{1,j}}\}_{j\in[1,n]\setminus I},\; T^{a} Y_3^{w_{P_1}} \Big)
\]
\[
SK_r^{\vec{R}} = \Big( T^{r_2'},\; T^{r_2'\cdot z_k}\,Y_3^{w_2},\; \{T^{r_2'\cdot a_j} Y_3^{w_{2,j}}\}_{j\in[1,n]\setminus I},\; T^{r_2'\cdot a} Y_3^{w_{P_2}} \Big)
\]
If $T \xleftarrow{R} G_{p_1p_3}$, then all components in this secret key are in $G_{p_1p_3}$. Hence, it is a normal secret key. If $T \xleftarrow{R} G_{p_1p_2p_3}$, then $T$ can be written as $Y_1^{r_1'} g_2^{s} Y_3^{r_3}$ with $s, r_3 \in \mathbb{Z}_N$. Hence, it is a semi-functional secret key with $\gamma = s$, $z = r_2'$, $r_1 = r_1'$, $r_2 = r_1'r_2'$.

Secret Key Query for Patient. When $\mathcal{A}$ requests the $l$-th secret key for the patient with identity $ID_l$, we need to consider three cases: $l < k$, $l > k$ and $l = k$.

• When $l < k$, $\mathcal{B}$ creates a semi-functional secret key. It does this by selecting random exponents $r_1', f, w, \tilde{w}, \{w_j\}_{j\in[1,n]}$ from $\mathbb{Z}_N$.
\[
SK^{ID} = \Big( Y_1^{r_1'}(B_2B_3)^{f},\;
Y_1^{\alpha}(B_2B_3)^{w}\,(u_P^{ID} X_1)^{r_1'}\,Y_3^{\tilde{w}},\;
\{u_j^{r_1'}(B_2B_3)^{w_j}\}_{j\in[1,n]} \Big)
\]
We consider $B_2$ as $g_2^{s}$ for random $s \leftarrow \mathbb{Z}_N$. It can be seen that the generated secret key is semi-functional because $\gamma = s\cdot f$, $\gamma\cdot\tilde{z}_k = s\cdot w$ and $\{\gamma\cdot\tilde{z}_j = s\cdot w_j\}_{j\in[1,n]}$.

• When $l > k$, $\mathcal{B}$ creates a normal secret key by calling the KeyGenP algorithm.

• When $l = k$, $\mathcal{B}$ creates the $k$-th secret key. $\mathcal{B}$ lets $\tilde{z}_k = a\cdot ID$, chooses random exponents $w, \{w_j\}_{j\in[1,n]} \in \mathbb{Z}_N$, and sets
\[
SK^{ID} = \Big( T,\; Y_1^{\alpha}\,T^{\tilde{z}_k}\,Y_3^{w},\; \{T^{a_j} Y_3^{w_j}\}_{j\in[1,n]} \Big).
\]
If $T \xleftarrow{R} G_{p_1p_3}$, then all components in this secret key are in $G_{p_1p_3}$. Hence, it is a normal secret key. If $T \xleftarrow{R} G_{p_1p_2p_3}$, then $T$ can be written as $Y_1^{r_1'} g_2^{s} Y_3^{r_3}$ with $s, r_3 \in \mathbb{Z}_N$. Hence, it is a semi-functional secret key with $\gamma = s$, $r_1 = r_1'$.

Challenge. $\mathcal{A}$ sends $\mathcal{B}$ two equal-length EMRs $EMR_0, EMR_1$ with a challenge access policy $P^*$ and a challenge identity $ID^*$. $\mathcal{B}$ flips a random coin $\beta \in \{0,1\}$ and returns to $\mathcal{A}$ the challenge ciphertext $C^* = \{C_1^*, C_2^*, En^*\}$, where
\[
C_1^* = (A_1A_2)^{\sum_{i\in I^*} a_i R_i^* + a\,ID^* + b}\,Y_4^{z'},\quad
C_2^* = A_1A_2\,Y_4^{z},\quad
En^* = SymEnc\big(e(A_1A_2, Y_1)^{\alpha}, EMR_\beta\big),
\]
and $I^* = \{i : R_i^* \in S_{P^*}\}$. This ciphertext is semi-functional, with $z_c = \sum_{i\in I^*} a_i R_i^* + a\,ID^* + b$. Since the role associated with the $k$-th secret key for the medical staff is not a prefix of the challenge role $\vec{R}^*$ modulo $p_2$ and the identity associated with the $k$-th secret key for the patient is not the challenge identity $ID^*$ modulo $p_2$, $z_k + \tilde{z}_k$ and $z_c$ will appear to be randomly distributed to adversary $\mathcal{A}$. If $\mathcal{B}$ tries to test whether the $k$-th key is semi-functional or not via the above procedure by creating a semi-functional ciphertext for $\vec{R}_k \in Pref(P)$ and $ID_k$, then we will have $z_c = z_k + \tilde{z}_k + \sum_{i\in I'\setminus I} a_i R_i$, where $I = \{i : R_i \in S_{\vec{R}}\}$ and $I' = \{i : R_i \in S_P\}$; thus, the decryption also works. In other words, simulator $\mathcal{B}$ can create only a nominally semi-functional key for the $k$-th key query.

Guess. If $T \xleftarrow{R} G_{p_1p_3}$, all components in the $k$-th secret key generated by $\mathcal{B}$ are in $G_{p_1p_3}$. Hence, it is a normal secret key. In this case, $\mathcal{B}$ simulates $Game_{k-1}$. Otherwise, $T \xleftarrow{R} G_{p_1p_2p_3}$; hence, the $k$-th secret key is semi-functional. In this case, $\mathcal{B}$ simulates $Game_k$. If $\mathcal{A}$ has the advantage $\epsilon_3$ when distinguishing the two games, $\mathcal{B}$ can distinguish $T \xleftarrow{R} G_{p_1p_3}$ from $T \xleftarrow{R} G_{p_1p_2p_3}$ with advantage $\epsilon_3$.

Lemma 5.5. Suppose that there is a PPT algorithm $\mathcal{A}$ such that $Game_{q}Adv_{\mathcal{A}} - Game_{final_0}Adv_{\mathcal{A}} = \epsilon_4$. We can build a PPT algorithm $\mathcal{B}$ with the advantage $\epsilon_4$ in breaking Assumption 3.

Setup. $\mathcal{B}$ receives $(\mathbb{G}, g_1, g_2, g_3, g_4, g_1^{\alpha}A_2, g_1^{s}B_2, g_2^{r}, A_2^{r}, T)$ of Assumption 3, and it determines whether $T \leftarrow e(g_1,g_1)^{\alpha s}$ or $T \xleftarrow{R} G_T$. $\mathcal{B}$ chooses random exponents $\{a_i\}_{i\in[1,n]}, a, b, c \in \mathbb{Z}_N$ and sets $Y_1 = g_1$, $Y_3 = g_3$, $Y_4 = g_4$, $X_4 =$
$Y_4^{c}$, $X_1 = Y_1^{b}$, $u_P = Y_1^{a}$ and $u_i = Y_1^{a_i}$ for $i \in [1,n]$. Then, $\mathcal{B}$ gives the public key $PK = (N, Y_1, Y_3, Y_4, x = X_1X_4, \{u_i\}_{i\in[1,n]}, u_P, A = e(g_1^{\alpha}A_2, Y_1) = e(Y_1,Y_1)^{\alpha})$ to adversary $\mathcal{A}$. The master key $MSK = (X_1, \alpha)$ is kept by $\mathcal{B}$.

Secret Key Query for Medical Staff. When $\mathcal{A}$ requests a secret key for the medical staff member with the role $\vec{R} = (R_1, \ldots, R_d)$, where $I = \{i : R_i \in S_{\vec{R}}\}$, $\mathcal{B}$ creates a semi-functional key by choosing random exponents $r_1, r_2, z, z', z_{P_1}, z_{P_2}, w_{P_1}, w_{P_2} \in \mathbb{Z}_N$ and $w_{m,1}, w_{m,2}, \{w_{m,j}, z_{m,j}\}_{j\in[1,n]\setminus I} \in \mathbb{Z}_N$ for $m \in \{1,2\}$.
\[
SK_d^{\vec{R}} = \Big( Y_1^{r_1} g_2^{z} Y_3^{w_{1,1}},\;
(g_1^{\alpha}A_2)\,g_2^{z'}\Big(\prod_{i\in I} u_i^{R_i}\,X_1\Big)^{r_1} Y_3^{w_{1,2}},\;
\{u_j^{r_1} g_2^{z_{1,j}} Y_3^{w_{1,j}}\}_{j\in[1,n]\setminus I},\;
u_P^{r_1} g_2^{z_{P_1}} Y_3^{w_{P_1}} \Big)
\]
\[
SK_r^{\vec{R}} = \Big( Y_1^{r_2} (g_2^{r})^{z} Y_3^{w_{2,1}},\;
A_2^{r}(g_2^{r})^{z'}\Big(\prod_{i\in I} u_i^{R_i}\,X_1\Big)^{r_2} Y_3^{w_{2,2}},\;
\{u_j^{r_2} g_2^{z_{2,j}} Y_3^{w_{2,j}}\}_{j\in[1,n]\setminus I},\;
u_P^{r_2} g_2^{z_{P_2}} Y_3^{w_{P_2}} \Big)
\]
We note that this secret key is semi-functional.

Secret Key Query for Patient. When $\mathcal{A}$ requests a secret key for the patient with identity $ID$, $\mathcal{B}$ creates a semi-functional key by choosing random exponents $r_1, z, z', \tilde{w}_1, \tilde{w}_2 \in \mathbb{Z}_N$ and $\{w_j, z_j\}_{j\in[1,n]} \in \mathbb{Z}_N$.
\[
SK^{ID} = \Big( Y_1^{r_1} g_2^{z} Y_3^{\tilde{w}_1},\;
(g_1^{\alpha}A_2)\,g_2^{z'}\,(u_P^{ID} X_1)^{r_1}\,Y_3^{\tilde{w}_2},\;
\{u_j^{r_1} g_2^{z_j} Y_3^{w_j}\}_{j\in[1,n]} \Big)
\]
We note that this secret key is semi-functional.

Challenge. $\mathcal{A}$ sends $\mathcal{B}$ two equal-length EMRs $EMR_0, EMR_1$ with a challenge access policy $P^*$ and a challenge identity $ID^*$. $\mathcal{B}$ flips a random coin $\beta \in \{0,1\}$ and returns to $\mathcal{A}$ the semi-functional ciphertext $CT^* = \{C_1^*, C_2^*, En^*\}$, where
\[
C_1^* = (g_1^{s}B_2)^{\sum_{i\in I^*} a_i R_i^* + a\,ID^* + b}\,Y_4^{z'},\quad
C_2^* = g_1^{s}B_2\,Y_4^{z},\quad
En^* = SymEnc(T, EMR_\beta),
\]
and $I^* = \{i : R_i^* \in S_{P^*}\}$. We implicitly set $z_c = \sum_{i\in I^*} a_i R_i^* + a\,ID^* + b$.

Guess. If $T \leftarrow e(g_1,g_1)^{\alpha s}$, then $\mathcal{B}$ simulates $Game_q$ since $CT^*$ is a semi-functional ciphertext of the EMR $EMR_\beta$. If $T \xleftarrow{R} G_T$, $CT^*$ is a semi-functional ciphertext of a random message that is independent of $EMR_\beta$. In this case, $\mathcal{B}$ simulates $Game_{final_0}$. Hence, if $\mathcal{A}$ has the advantage $\epsilon_4$ in distinguishing $Game_q$ and $Game_{final_0}$, then $\mathcal{B}$ has the advantage $\epsilon_4$ in distinguishing the distribution of $T$.

Lemma 5.6. Suppose that there exists a PPT algorithm $\mathcal{A}$ such that $Game_{final_0}Adv_{\mathcal{A}} - Game_{final}Adv_{\mathcal{A}} = \epsilon_5$. Then, we can build a polynomial-time algorithm $\mathcal{B}$ with the advantage $\epsilon_5$ in breaking Assumption 4.

Proof. Assume that we are simulating the games for an adversary who can distinguish a ciphertext of the challenge EMR with the challenge access policy set $P^*$ and the challenge patient identity $ID^*$ from a ciphertext of the challenge EMR with a random access policy set and a random patient's identity.

Setup. $\mathcal{B}$ receives $(\mathbb{G}, g_1, g_2, g_3, g_4, U, U^{s}A_{24}, U^{\hat{r}}, A_1A_4, A_1^{\hat{r}}A_2, g_1^{\hat{r}}B_2, g_1^{s}B_{24}, T)$ of Assumption 4, and it needs to determine whether $T \xleftarrow{R} A_1^{s}D_{24}$ or $T \xleftarrow{R} G_{p_1p_2p_4}$. $\mathcal{B}$ chooses random exponents $\alpha, \{a_i\}_{i\in[1,n]}, a \in \mathbb{Z}_N$ and sets $Y_1 = g_1$, $Y_3 = g_3$, $Y_4 = g_4$, $x = A_1A_4$, $u_P = U^{a}$ and $u_i = U^{a_i}$ for $i \in [1,n]$. $\mathcal{B}$ gives the public key $PK = (N, Y_1, Y_3, x, \{u_i\}_{i\in[1,n]}, u_P, A = e(Y_1,Y_1)^{\alpha})$ to $\mathcal{A}$.

Secret Key Query for Medical Staff. When $\mathcal{A}$ requests a secret key for the medical staff member with the role $\vec{R} = (R_1, \ldots, R_d)$, where $I = \{i : R_i \in S_{\vec{R}}\}$, $\mathcal{B}$ creates a semi-functional key by choosing random exponents $r_1, r_2, w_{P_1}, w_{P_2}, z_{P_1}, z_{P_2} \in \mathbb{Z}_N$ and $w_{m,1}, w_{m,2}, \{w_{m,j}, z_{m,j}\}_{j\in[1,n]\setminus I} \in \mathbb{Z}_N$ for $m \in \{1,2\}$.
\[
SK_d^{\vec{R}} = \Big( (g_1^{\hat{r}}B_2)^{r_1} Y_3^{w_{1,1}},\;
Y_1^{\alpha}\Big((U^{\hat{r}})^{\sum_{i\in I} a_i R_i}(A_1^{\hat{r}}A_2)\Big)^{r_1} Y_3^{w_{1,2}},\;
\{(U^{\hat{r}})^{r_1 a_j} Y_2^{z_{1,j}} Y_3^{w_{1,j}}\}_{j\in[1,n]\setminus I},\;
(U^{\hat{r}})^{r_1 a} Y_2^{z_{P_1}} Y_3^{w_{P_1}} \Big)
\]
\[
SK_r^{\vec{R}} = \Big( (g_1^{\hat{r}}B_2)^{r_2} Y_3^{w_{2,1}},\;
Y_1^{\alpha}\Big((U^{\hat{r}})^{\sum_{i\in I} a_i R_i}(A_1^{\hat{r}}A_2)\Big)^{r_2} Y_3^{w_{2,2}},\;
\{(U^{\hat{r}})^{r_2 a_j} Y_2^{z_{2,j}} Y_3^{w_{2,j}}\}_{j\in[1,n]\setminus I},\;
(U^{\hat{r}})^{r_2 a} Y_2^{z_{P_2}} Y_3^{w_{P_2}} \Big)
\]
We note that this secret key is semi-functional.

Secret Key Query for Patient. When $\mathcal{A}$ requests a key for the patient with identity $ID$, $\mathcal{B}$ creates a semi-functional key by choosing random exponents $r_1, \tilde{w}_1, \tilde{w}_2$ and $\{w_j, z_j\}_{j\in[1,n]} \in \mathbb{Z}_N$.
\[
SK^{ID} = \Big( (g_1^{\hat{r}}B_2)^{r_1} Y_3^{\tilde{w}_1},\;
Y_1^{\alpha}\Big((U^{\hat{r}})^{a\cdot ID}(A_1^{\hat{r}}A_2)\Big)^{r_1} Y_3^{\tilde{w}_2},\;
\{(U^{\hat{r}})^{r_1 a_j} Y_2^{z_j} Y_3^{w_j}\}_{j\in[1,n]} \Big)
\]
We note that this secret key is semi-functional.

Challenge. $\mathcal{A}$ sends $\mathcal{B}$ two equal-length EMRs $EMR_0, EMR_1$ with a challenge access policy $P^*$ and a challenge identity $ID^*$. $\mathcal{B}$ chooses a random $En^* \in G_T$, flips a random coin $\beta \in \{0,1\}$, and returns to $\mathcal{A}$ the semi-functional ciphertext $CT^* = \{C_1^*, C_2^*, En^*\}$ as
\[
\Big\{ T\,(U^{s}A_{24})^{\sum_{i\in I^*} a_i R_i^* + a\,ID^*},\; g_1^{s}B_{24},\; En^* \Big\},
\]
where $I^* = \{i : R_i^* \in S_{P^*}\}$.

Guess. If $T \xleftarrow{R} A_1^{s}D_{24}$, then $\mathcal{A}$ receives a semi-functional ciphertext of a random message $En^*$ and a header $Hdr^*$ under the challenge access policy $P^*$ and the challenge identity $ID^*$. In this case, $\mathcal{B}$ simulates $Game_{final_0}$. If $T \xleftarrow{R} G_{p_1p_2p_4}$, $\mathcal{A}$ receives a semi-functional ciphertext of a random message $En^*$ and a header $Hdr^*$ under an implicit random access policy set and a random patient's identity. In this case, $\mathcal{B}$ simulates $Game_{final}$.

If $\mathcal{G}$ satisfies the four assumptions with advantages $\epsilon_1', \epsilon_2', \epsilon_3', \epsilon_4'$, and $\epsilon_5'$, then the above lemmas show that no PPT adversary can distinguish $Game_{real}$ and $Game_{final}$ with advantage $3\epsilon_1' + \epsilon_2' + \epsilon_3' + \epsilon_4' + \epsilon_5'$. The ciphertext of $Game_{final_0}$ does not leak any information regarding the EMR data since the component corresponding to the EMR in the ciphertext is
a random group element. The ciphertext of $Game_{final}$ does not leak any information regarding the roles of the medical staff and the identity of the patient since the components corresponding to the roles and identity in the ciphertext are random group elements.
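The following derivation is added to this edition and is not part of the original paper. It writes out, with the symbols used in the proofs of Lemma 5.4 and Lemma 5.6 above, the two exponent identities those proofs rely on: why the simulator of Lemma 5.4 cannot test its own $k$-th key, and why the challenge ciphertext of Lemma 5.6 hides the policy and identity. The only notation not taken from the proofs is the index set $I' = \{i : R_i \in S_P\}$ and the CRT decomposition $T = Y_1^{t}\,T_{24}$ of a random element of $G_{p_1p_2p_4}$; both are assumptions of this check, not of the paper.

(1) Nominal semi-functionality in Lemma 5.4. The simulator sets $z_k = \sum_{i\in I} a_i R_{k,i} + b$ for the $k$-th medical-staff key and $\tilde{z}_k = a\cdot ID_k$ for the $k$-th patient key. Suppose $\mathcal{B}$ builds a semi-functional ciphertext for a policy $P$ with $\vec{R}_k \in Pref(P)$ and identity $ID^* = ID_k$, so that $I \subseteq I'$ and $R_i = R_{k,i}$ for $i \in I$. Then
\[
z_k + \tilde{z}_k + \sum_{i\in I'\setminus I} a_i R_i
= \Big(\sum_{i\in I} a_i R_{k,i} + b\Big) + a\cdot ID_k + \sum_{i\in I'\setminus I} a_i R_i
= \sum_{i\in I'} a_i R_i + a\cdot ID^* + b
= z_c .
\]
The $G_{p_2}$ exponents of the key and of the ciphertext therefore satisfy the same relation as the $G_{p_1}$ exponents of a normal key and ciphertext, so the $G_{p_2}$ parts cancel in the pairing and decryption succeeds whether or not $T$ has a $G_{p_2}$ component. This is exactly why $\mathcal{B}$ learns nothing by decrypting with its own $k$-th key: the key is nominally semi-functional. For the real challenge, $\vec{R}_k \notin Pref(P^*)$ or $ID_k \neq ID^*$ modulo $p_2$, so $z_c - (z_k + \tilde{z}_k)$ is a non-zero combination of the $a_i$ and $a$ modulo $p_2$. The public key fixes $a_i$ and $a$ only modulo $p_1$ (through $u_i = Y_1^{a_i}$, $u_P = Y_1^{a}$), so their residues modulo $p_2$ are uniform in $\mathcal{A}$'s view and $z_c$ is independent of $z_k + \tilde{z}_k$.

(2) Hiding of $(P^*, ID^*)$ in Lemma 5.6. The simulator sets $u_i = U^{a_i}$, $u_P = U^{a}$ and $x = A_1A_4$, so $A_1$ takes the place of $X_1$ in the public key. The $G_{p_1}$ component of $C_1^*$ in a ciphertext for $(P^*, ID^*)$ with randomness $s$ is
\[
\Big(\prod_{i\in I^*} u_i^{R_i^*}\cdot u_P^{ID^*}\cdot X_1\Big)^{s}
= U^{s\left(\sum_{i\in I^*} a_i R_i^* + a\,ID^*\right)}\, A_1^{s}.
\]
If $T = A_1^{s}D_{24}$, the simulator's first component expands to
\[
T\,(U^{s}A_{24})^{\sum_{i\in I^*} a_i R_i^* + a\,ID^*}
= \underbrace{U^{s\left(\sum_{i\in I^*} a_i R_i^* + a\,ID^*\right)}\, A_1^{s}}_{G_{p_1}\text{ part}}
\cdot \underbrace{D_{24}\,A_{24}^{\sum_{i\in I^*} a_i R_i^* + a\,ID^*}}_{G_{p_2p_4}\text{ part}},
\]
whose $G_{p_1}$ part is the honest one and whose $G_{p_2p_4}$ part is the semi-functional blinding; with $C_2^* = g_1^{s}B_{24}$ this is the $Game_{final_0}$ ciphertext. If instead $T \xleftarrow{R} G_{p_1p_2p_4}$, write $T = Y_1^{t}\,T_{24}$ with $t$ uniform in $\mathbb{Z}_N$ and $T_{24} \in G_{p_2p_4}$. The $G_{p_1}$ part of $C_1^*$ becomes
\[
Y_1^{t}\; U^{s\left(\sum_{i\in I^*} a_i R_i^* + a\,ID^*\right)},
\]
and because $t$ is independent of $s$, $P^*$ and $ID^*$, this is a uniformly random element of $G_{p_1}$ whatever policy and identity $\mathcal{A}$ submitted. That is the $Game_{final}$ ciphertext: the components tied to the roles and the identity carry no information about $(P^*, ID^*)$, which is the anonymity property the scheme claims.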
XINGGUANG ZHOU is a Ph.D. candidate in the Department of Electronic and Information Engineering, Beihang University. Her research interests include information security and communication network security.

JIANWEI LIU is currently a full professor and party secretary in the Department of Electronic and Information Engineering, Beihang University. He received his Ph.D. from the Communication and Electronic System Department, Xidian University, in 1998. His research interests include wireless communication networks, cryptography, information security, communication network security, channel coding, and modulation technology.

QIANHONG WU is currently a full professor in the Department of Electronic and Information Engineering, Beihang University. He has served as a member of the ACISP committee and of more than 10 international conference program committees. He received his Ph.D. degree in cryptography from Xidian University in 2005. His research interests include information security, security in big data and cloud computing, and blockchains.

ZONGYANG ZHANG is an assistant professor in the Department of Electronic and Information Engineering, Beihang University. He received his Ph.D. in computer software and theory from Shanghai Jiao Tong University in 2012. His research interests include public-key cryptography and blockchains.