Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System

Abstract

In recent years, many countries have been trying to integrate the electronic health data managed by each hospital in order to offer more efficient healthcare services. Since health data contain sensitive information about patients, there has been much research presenting privacy-preserving mechanisms. However, existing studies either require a patient to perform various steps to secure the data or restrict the patient's control over the data. In this paper, we propose patient-controlled attribute-based encryption, which enables a patient (a data owner) to control access to the health data and simultaneously reduces the operational burden for the patient. With our method, the patient has powerful control over his/her own health data in that he/she has the final say on access, with a time limitation. In addition, our scheme provides emergency medical services which allow emergency staff to access the health data without the patient's permission, only in the case of an emergency. We prove that our scheme is secure under cryptographic assumptions and analyze its efficiency from the patient's perspective.


Fig. 1, Fig. 2, Fig. 3 (figures referenced in the article; images not included in this extraction)

References

  1. 104th United States Congress, Health Insurance Portability and Accountability Act (HIPAA), 1996. http://aspe.hhs.gov/admnsimp/pl104191.htm
  2. Abbas, A., and Khan, S. U., A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J. Biomed. Health Inf. 18(4):1431–1441, 2014.
  3. AbuKhousa, E., Mohamed, N., and Al-Jaroodi, J., e-health cloud: opportunities and challenges. Futur. Internet 4(3):621–645, 2012.
  4. Akinyele, J. A., Garman, C., Miers, I., Pagano, M. W., Rushanan, M., Green, M., and Rubin, A. D., Charm: a framework for rapidly prototyping cryptosystems. J. Cryptograph. Eng. 3(2):111–128, 2013.
  5. Akinyele, J. A., Pagano, M. W., Green, M. D., Lehmann, C. U., Peterson, Z. N. J., and Rubin, A. D., Securing electronic medical records using attribute-based encryption on mobile devices. In: SPSM'11, pp. 75–86. ACM, 2011.
  6. Fernández Alemán, J. L., Carrión Señor, I., Lozoya, P. Á. O., and Toval, A., Security and privacy in electronic health records: a systematic literature review. J. Biomed. Inf. 46(3):541–562, 2013.
  7. Benaloh, J., Chase, M., Horvitz, E., and Lauter, K. E., Patient controlled encryption: ensuring privacy of electronic medical records. In: CCSW 2009, pp. 103–114. ACM, 2009.
  8. Boneh, D., and Boyen, X., Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., and Camenisch, J. (Eds.) Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pp. 223–238. Springer, 2004.
  9. Chen, T.-S., Liu, C.-H., Chen, T.-L., Chen, C.-S., Bau, J.-G., and Lin, T.-C., Secure dynamic access control scheme of PHR in cloud computing. J. Med. Syst. 36(6):4005–4020, 2012.
  10. Dong, N., Jonker, H., and Pang, J., Challenges in eHealth: from enabling to enforcing privacy. In: Foundations of Health Informatics Engineering and Systems, pp. 195–206. Springer, 2011.
  11. European Commission, Directive 95/46/EC on Data Protection - data protection in the area of public health, 2011. http://ec.europa.eu/health/data_collection/data_protection/
  12. Fabian, B., Ermakova, T., and Junghanns, P., Collaborative and secure sharing of healthcare data in multi-clouds. Inf. Syst. 48:132–150, 2015.
  13. Zhangjie, F., Ren, K., Shu, J., Sun, X., and Huang, F., Enabling personalized search over encrypted outsourced data with efficiency improvement. IEEE Trans. Parallel Distrib. Syst. 27(9):2546–2559, 2015.
  14. Zhangjie, F., Sun, X., Qi, L., Zhou, L., and Shu, J., Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans. Commun. E98-B(1):190–200, 2015.
  15. Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., Aspects of privacy for electronic health records. I. J. Med. Inf. 80(2):e26–e31, 2011.
  16. Jiankun, H., Chen, H.-H., and Hou, T.-W., A hybrid public key infrastructure solution (HPKI) for HIPAA privacy/security regulations. Comput. Standards Interf. 32(5–6):274–280, 2010.
  17. Lee, K., Self-updatable encryption with short public parameters and its extensions. Des. Codes Cryptograph. 79(1):121–161, 2016.
  18. Lee, K., Choi, S. G., Lee, D. H., Park, J. H., and Yung, M., Self-updatable encryption: time constrained access control with hidden attributes and better efficiency. In: Sako, K., and Sarkar, P. (Eds.) Advances in Cryptology - ASIACRYPT 2013, volume 8269 of Lecture Notes in Computer Science, pp. 235–254. Springer, 2013.
  19. Lee, W.-B., and Lee, C.-D., A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Trans. Inf. Technol. Biomed. 12(1):34–41, 2008.
  20. Li, M., Shucheng, Y., Cao, N., and Lou, W., Authorized private keyword search over encrypted data in cloud computing. In: International Conference on Distributed Computing Systems, pp. 383–392. IEEE, 2011.
  21. Li, M., Shucheng, Y., Ren, K., and Lou, W., Securing personal health records in cloud computing: patient-centric and fine-grained data access control in multi-owner settings. In: SecureComm 2010, pp. 89–106. Springer, 2010.
  22. Li, M., Shucheng, Y., Zheng, Y., Ren, K., and Lou, W., Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE Trans. Parallel Distrib. Syst. 24(1):131–143, 2013.
  23. Liu, J., Huang, X., and Liu, J. K., Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Future Gen. Comp. Syst. 52:67–76, 2015.
  24. Mandl, K. D., Simons, W. W., Crawford, W. C. R., and Abbett, J. M., Indivo: a personally controlled health record for health information exchange and communication. BMC Med. Inf. Decis. Making 7:25, 2007.
  25. Narayan, S., Gagné, M., and Safavi-Naini, R., Privacy preserving EHR system using attribute-based infrastructure. In: CCSW 2010, pp. 47–52. ACM, 2010.
  26. Neubauer, T., and Heurix, J., A methodology for the pseudonymization of medical data. I. J. Med. Inf. 80(3):190–204, 2011.
  27. Prince, P. B., Krishnamoorthy, K., Anandaraj, R., and Jeno Lovesum, S. P., RSA-DABE: a novel approach for secure health data sharing in ubiquitous computing environment. Indian J. Sci. Technol. 8(17), 2015.
  28. Bo, Q., Deng, H., Qianhong, W., Domingo-Ferrer, J., Naccache, D., and Zhou, Y., Flexible attribute-based encryption applicable to secure e-healthcare records. Int. J. Inf. Sec. 14(6):499–511, 2015.
  29. Rosenthal, A., Mork, P., Li, M. H., Stanford, J., Koester, D., and Reynolds, P., Cloud computing: a new business paradigm for biomedical information sharing. J. Biomed. Inf. 43(2):342–353, 2010.
  30. Rouselakis, Y., Waters, B., and Gligor, V. D., Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A.-R., and Yung, M. (Eds.) CCS 2013, pp. 463–474. ACM, 2013.
  31. Shi, J., Lai, J., Li, Y., Deng, R. H., and Weng, J., Authorized keyword search on encrypted data. In: ESORICS 2014, vol. 8712, pp. 419–435. Springer, 2014.
  32. Sunyaev, A., Chornyi, D., Mauro, C., and Krcmar, H., Evaluation framework for personal health records: Microsoft HealthVault vs. Google Health. In: HICSS-43 2010, pp. 1–10. IEEE, 2010.
  33. Szolovits, P., Doyle, J., Long, W. J., Kohane, I., and Pauker, S. G., Guardian Angel: patient-centered health information systems. Technical report, Cambridge, MA, USA, 1994.
  34. Tang, P. C., Ash, J. S., Bates, D. W., Marc Overhage, J., and Sands, D. Z., Personal health records: definitions, benefits, and strategies for overcoming barriers to adoption. JAMIA 13(2):121–126, 2006.
  35. U.S. Department of Health and Human Services, Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009. http://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/
  36. Wan, Z., Liu, J., and Deng, R. H., HASBE: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Trans. Inf. Forens. Secur. 7(2):743–754, 2012.
  37. Wang, C., Xu, X.-L., Shi, D.-Y., and Fang, J., Privacy-preserving cloud-based personal health record system using attribute-based encryption and anonymous multi-receiver identity-based encryption. Informatica 39(4), 2015.
  38. Xia, Z., Wang, X., Sun, X., and Wang, Q., A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans. Parallel Distrib. Syst. 27(2):340–352, 2015.
  39. Yang, J.-J., Li, J., and Niu, Y., A hybrid solution for privacy preserving medical data sharing in the cloud environment. Future Gen. Comp. Syst. 43–44:74–86, 2015.

Acknowledgments

This research was supported by the Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-03 and by the Global Ph.D. Fellowship Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2013H1A2A1033834).

Author information

Correspondence to Dong Hoon Lee or Kwangsu Lee.

Additional information

This article is part of the Topical Collection on Systems-Level Quality Improvement

Appendices

Appendix A: Building Blocks

A.1 IBE scheme

The IBE scheme of Boneh and Boyen [8] is described as follows:

IBE.Setup(GDS):

Let \(GDS = ((p, \mathbb{G}, \mathbb{G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(u_{I}, h_{I} \in \mathbb{G}\) and \(\alpha \in \mathbb{Z}_{p}\). It outputs a master key \(MK_{IBE} = \alpha\) and public parameters \(PP_{IBE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, u_{I}, h_{I}, \Omega = e(g, g)^{\alpha}\big)\).

IBE.GenKey(\(ID, MK_{IBE}, PP_{IBE}\)):

It chooses a random exponent \(r \in \mathbb{Z}_{p}\) and outputs a private key \(SK_{ID} = \big(D_{0} = g^{\alpha} (u_{I}^{ID} h_{I})^{r}, D_{1} = g^{-r}\big)\).

IBE.RandKey(\(SK_{ID}, \delta, PP_{IBE}\)):

Let \(SK_{ID} = (D_{0}, D_{1})\). It chooses a random exponent \(r' \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{ID} = \big(D'_{0} = D_{0} \cdot g^{\delta} (u_{I}^{ID} h_{I})^{r'}, D'_{1} = D_{1} \cdot g^{-r'}\big)\). Note that \(\delta\) can be zero.

IBE.Enc(\(ID, t, PP_{IBE}\)):

It outputs a ciphertext header \(CH_{ID} = \big(C_{0} = g^{t}, C_{1} = (u_{I}^{ID} h_{I})^{t}\big)\) and a session key \(EK_{IBE} = \Omega^{t}\).

IBE.Dec(\(CH_{ID}, SK_{ID'}, PP_{IBE}\)):

If \(ID \neq ID'\), then it outputs \(\perp\). Otherwise, it outputs a session key \(EK'_{IBE} = e(C_{0}, D_{0}) \cdot e(C_{1}, D_{1})\).

Theorem 3 ([8])

The above IBE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds.

A.2 CP-ABE scheme

We first review the definitions of access structure and a linear secret-sharing scheme.

Let \(\mathcal{U}\) be the attribute universe. An access structure on \(\mathcal{U}\) is a collection \(\mathbb{A}\) of non-empty sets of attributes, i.e. \(\mathbb{A} \subseteq 2^{\mathcal{U}} \setminus \{\emptyset\}\). The sets in \(\mathbb{A}\) are called the authorized sets and the sets not in \(\mathbb{A}\) are called the unauthorized sets. In addition, an access structure is called monotone if for all \(B, C \subseteq \mathcal{U}\): if \(B \in \mathbb{A}\) and \(B \subseteq C\), then \(C \in \mathbb{A}\).

Let p be a prime and \(\mathcal{U}\) be the attribute universe. A secret sharing scheme \(\pi\) with domain of secrets \(\mathbb{Z}_{p}\) realizing an access structure on \(\mathcal{U}\) is linear over \(\mathbb{Z}_{p}\) if

  1. The shares of a secret \(s \in \mathbb{Z}_{p}\) for each attribute form a vector over \(\mathbb{Z}_{p}\).

  2. For each access structure \(\mathbb{A}\) on \(\mathcal{U}\), there exists a matrix \(M \in \mathbb{Z}_{p}^{l \times n}\), called the share-generating matrix, and a function \(\rho\) that labels the rows of M with attributes from \(\mathcal{U}\), i.e. \(\rho : [l] \to \mathcal{U}\), which satisfy the following: during the generation of the shares, we consider the column vector \(\vec{v} = (s, r_{2}, \ldots, r_{n})^{\top}\), where \(r_{2}, \ldots, r_{n} \gets \mathbb{Z}_{p}\). Then the vector of l shares of the secret s according to \(\pi\) is equal to \(M \vec{v} \in \mathbb{Z}_{p}^{l \times 1}\). The share \((M\vec{v})_{j}\), where \(j \in [l]\), "belongs" to attribute \(\rho(j)\).

Each secret-sharing scheme should satisfy the reconstruction and the security requirements.

We describe the CP-ABE scheme of Rouselakis and Waters [30] as follows:

ABE.Setup(GDS):

Let \(GDS = ((p, \mathbb{G}, \mathbb{G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(w_{A}, v_{A}, u_{A}, h_{A}, v_{S} \in \mathbb{G}\) and \(\beta \in \mathbb{Z}_{p}\). It outputs a master key \(MK_{ABE} = \beta\) and public parameters \(PP_{ABE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, w_{A}, v_{A}, u_{A}, h_{A}, v_{S}, \Lambda = e(g, g)^{\beta}\big)\).

ABE.GenKey(\(S, MK_{ABE}, PP_{ABE}\)):

Let \(S = \{a_{1}, a_{2}, \ldots, a_{k}\}\) be a set of attributes. It chooses random exponents \(r, r_{1}, \ldots, r_{k} \in \mathbb{Z}_{p}\) and outputs \(SK_{S} = \big(K_{0} = g^{\beta} w_{A}^{r}, K_{1} = g^{-r}, \big\{ K_{i,2} = g^{r_{i}}, K_{i,3} = v_{A}^{r} (u_{A}^{a_{i}} h_{A})^{r_{i}} \big\}_{i=1}^{k} \big)\).

ABE.RandKey(\(SK_{S}, \delta, PP_{ABE}\)):

Let \(SK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k})\) for an attribute set \(S = \{a_{1}, \ldots, a_{k}\}\). It chooses random \(r', r'_{1}, \ldots, r'_{k} \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{S} = \big(K'_{0} = K_{0} \cdot g^{\delta} w_{A}^{r'}, K'_{1} = K_{1} \cdot g^{-r'}, \big\{ K'_{i,2} = K_{i,2} \cdot g^{r'_{i}}, K'_{i,3} = K_{i,3} \cdot v_{A}^{r'} (u_{A}^{a_{i}} h_{A})^{r'_{i}} \big\}_{i=1}^{k} \big)\). Note that \(\delta\) can be zero.

ABE.BlindKey(\(SK_{S}, PP_{ABE}\)):

Let \(SK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k})\). It chooses a random exponent \(r_{S} \in \mathbb{Z}_{p}\) and outputs a blinded private key \(BSK_{S} = \big(K'_{0} = K_{0} \cdot v_{S}^{r_{S}}, K'_{1} = K_{1}, \big\{ K'_{i,2} = K_{i,2}, K'_{i,3} = K_{i,3} \big\}_{i=1}^{k}, K'_{4} = g^{-r_{S}} \big)\) and a blinding key \(BK = r_{S}\).

ABE.VerifyBKey(\(BSK_{S}, PP_{ABE}\)):

Let \(BSK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k}, K_{4})\) for an attribute set \(S = \{a_{1}, \ldots, a_{k}\}\). It checks \(\Lambda \overset{?}{=} e(g, K_{0}) \cdot e(w_{A}, K_{1}) \cdot e(v_{S}, K_{4})\) and \(e(g, K_{i,3}) \cdot e(v_{A}, K_{1}^{-1}) \overset{?}{=} e(u_{A}^{a_{i}} h_{A}, K_{i,3})\) for all \(i \in [k]\). If the equations hold, it outputs 1. Otherwise, it outputs 0.

ABE.UnblindKey(\(BSK_{S}, BK, PP_{ABE}\)):

Let \(BSK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k}, K_{4})\) and \(BK = r_{S}\). It outputs an unblinded private key \(SK_{S} = \big(K'_{0} = K_{0} \cdot v_{S}^{-r_{S}}, K'_{1} = K_{1}, \big\{ K'_{i,2} = K_{i,2}, K'_{i,3} = K_{i,3} \big\}_{i=1}^{k} \big)\).

ABE.Enc(\(\mathbb{A}, t, PP_{ABE}\)):

Let \(\mathbb{A} = (A, \rho)\) be an LSSS access structure, where A is an \(l \times n\) matrix and \(\rho\) is a map that associates rows of A with attributes. It first sets a random vector \(\vec{v} = (t, v_{2}, \ldots, v_{n}) \in \mathbb{Z}_{p}^{n}\) by selecting random exponents \(v_{2}, \ldots, v_{n} \in \mathbb{Z}_{p}\) and obtains \(\lambda_{i} = A_{i} \vec{v}\) for all i, where \(A_{i}\) is the i-th row of A. It selects random exponents \(s_{1}, \ldots, s_{l} \in \mathbb{Z}_{p}\) and outputs a ciphertext header \(CH_{\mathbb{A}} = \big(C_{0} = g^{t}, \big\{ C_{i,1} = w_{A}^{\lambda_{i}} v_{A}^{s_{i}}, C_{i,2} = (u_{A}^{\rho(i)} h_{A})^{-s_{i}}, C_{i,3} = g^{s_{i}} \big\}_{i=1}^{l} \big)\) and a session key \(EK_{ABE} = \Lambda^{t}\).

ABE.Dec(\(CH_{\mathbb{A}}, SK_{S}, PP_{ABE}\)):

It computes a set of constants \(\{w_{i} \in \mathbb{Z}_{p}\}_{i \in I}\), where \(I = \{i : \rho(i) \in S\}\), such that \(\sum_{i \in I} w_{i} A_{i} = (1, 0, \ldots, 0)\), and outputs a session key \(EK'_{ABE} = e(K_{0}, C_{0}) \cdot \prod_{i \in I} \big(e(K_{1}, C_{i,1}) \cdot e(K_{i,2}, C_{i,2}) \cdot e(K_{i,3}, C_{i,3})\big)^{w_{i}}\).
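As an added illustration (this is not code from the paper), the following Python builds a share-generating matrix and row labelling for a small monotone policy, generates the shares \(\lambda_{i} = A_{i}\vec{v}\) over \(\mathbb{Z}_{p}\), and computes the reconstruction constants \(w_{i}\) with \(\sum_{i \in I} w_{i} A_{i} = (1, 0, \ldots, 0)\) that ABE.Dec needs; for an unauthorized set no such constants exist. The matrix is built with the standard Lewko-Waters formula-to-LSSS conversion (an assumption: the paper only states that M and \(\rho\) exist), and the prime and the policy are constructed for the demo.

```python
import random

# Constructed toy field modulus for the demo; a real deployment uses the order p of the bilinear group.
P = 2**61 - 1

# Constructed sample policy: a doctor who is also in cardiology or on the emergency staff.
POLICY = ('AND', 'doctor', ('OR', 'cardiology', 'emergency'))


def lsss_matrix(policy):
    """Convert a monotone boolean formula into an LSSS (share-generating matrix M, row labels rho).

    Standard Lewko-Waters conversion (assumed here; the paper does not fix how M is built).
    A leaf is an attribute string; inner nodes are ('AND', left, right) or ('OR', left, right).
    """
    rows, counter = [], [1]

    def walk(node, vec):
        if isinstance(node, str):            # leaf: this row "belongs" to attribute `node`
            rows.append((node, list(vec)))
            return
        op, left, right = node
        if op == 'OR':                       # both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        elif op == 'AND':                    # parent = left + right, using a fresh column
            c = counter[0]
            counter[0] = c + 1
            walk(left, list(vec) + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError('unknown gate %r' % (op,))

    walk(policy, [1])
    n = counter[0]
    M = [row + [0] * (n - len(row)) for _, row in rows]   # pad every row to n columns
    rho = [attr for attr, _ in rows]
    return M, rho


def share(M, secret, rng=random):
    """Shares of `secret`: pick v = (s, r_2, ..., r_n) at random and return M v over Z_p."""
    n = len(M[0])
    v = [secret % P] + [rng.randrange(P) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def _solve_mod_p(aug, m):
    """Gauss-Jordan elimination over Z_p on an augmented matrix (rows = equations, m unknowns,
    last column = right-hand side). Returns one solution, or None if the system is inconsistent."""
    A = [[x % P for x in row] for row in aug]
    pivots, r = [], 0
    for c in range(m):
        piv = next((k for k in range(r, len(A)) if A[k][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)                      # Fermat inverse, P is prime
        A[r] = [x * inv % P for x in A[r]]
        for k in range(len(A)):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
        if r == len(A):
            break
    if any(A[k][m] for k in range(r, len(A))):            # a row reading 0 = nonzero: unsolvable
        return None
    x = [0] * m                                           # free unknowns are set to 0
    for k, c in enumerate(pivots):
        x[c] = A[k][m]
    return x


def reconstruction_coeffs(M, rho, attrs):
    """Constants {i: w_i} over rows i with rho(i) in attrs such that sum_i w_i * M_i = (1,0,...,0),
    i.e. exactly what ABE.Dec needs; None when attrs is an unauthorized set."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    # Unknowns w_i; equation j: sum_i w_i * M[i][j] = (1 if j == 0 else 0).
    aug = [[M[i][j] for i in I] + [1 if j == 0 else 0] for j in range(n)]
    w = _solve_mod_p(aug, len(I))
    return None if w is None else dict(zip(I, w))


def reconstruct(M, rho, shares, attrs):
    """Recover the secret from the shares of an authorized set, or None for an unauthorized one."""
    w = reconstruction_coeffs(M, rho, attrs)
    if w is None:
        return None
    return sum(w_i * shares[i] for i, w_i in w.items()) % P


def demo(secret=123456789, seed=7):
    """Run the whole flow on the constructed policy; returns (authorized result, unauthorized result)."""
    M, rho = lsss_matrix(POLICY)
    shares = share(M, secret, random.Random(seed))
    ok = reconstruct(M, rho, shares, {'doctor', 'cardiology'})      # satisfies the policy
    bad = reconstruct(M, rho, shares, {'cardiology', 'emergency'})  # no 'doctor': unauthorized
    return ok, bad


if __name__ == '__main__':
    M, rho = lsss_matrix(POLICY)
    print('M =', M, 'rho =', rho)
    print('authorized -> %s, unauthorized -> %s' % demo())
```

In the real scheme the \(w_{i}\) are applied as exponents to the pairing products in ABE.Dec rather than to the bare shares, but they are the same constants.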

Theorem 4 ([30])

The above CP-ABE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.

A.3 CDE scheme

The CDE scheme of Lee [17] is described as follows:

CDE.Setup(\(GDS, t_{max}\)):

Let \(GDS = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g\big)\) be a description of a bilinear group and \(t_{max}\) be a maximum time. It first chooses random \(w_{T}, v_{T}, u_{T}, h_{T} \in \mathbb{G}\) and \(\gamma \in \mathbb{Z}_{p}\). It outputs \(MK_{CDE} = \gamma\) and \(PP_{CDE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, w_{T}, v_{T}, u_{T}, h_{T}, \Delta = e(g, g)^{\gamma}\big)\).

CDE.GenKey(\(T, MK_{CDE}, PP_{CDE}\)):

Let \(L_{n} = (t_{1}, \ldots, t_{n}) \in \mathbb{Z}_{p}^{n}\) be a label of time T. It chooses random exponents \(r, r_{1}, \ldots, r_{n} \in \mathbb{Z}_{p}\) and outputs a private key \(SK_{T} = \big(T_{0} = g^{\gamma} w_{T}^{r}, T_{1} = g^{-r}, \big\{ T_{i,2} = v_{T}^{r} (u_{T}^{t_{i}} h_{T})^{r_{i}}, T_{i,3} = g^{-r_{i}} \big\}_{i=1}^{n} \big)\).

CDE.RandKey(\(SK_{T}, \delta, PP_{CDE}\)):

Let \(SK_{T} = (T_{0}, T_{1}, \{T_{i,2}, T_{i,3}\}_{i=1}^{n})\) be a private key for time T. It chooses random exponents \(r', r'_{1}, \ldots, r'_{n} \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{T} = \big(T'_{0} = T_{0} \cdot g^{\delta} w_{T}^{r'}, T'_{1} = T_{1} \cdot g^{-r'}, \big\{ T'_{i,2} = T_{i,2} \cdot v_{T}^{r'} (u_{T}^{t_{i}} h_{T})^{r'_{i}}, T'_{i,3} = T_{i,3} \cdot g^{-r'_{i}} \big\}_{i=1}^{n} \big)\).

CDE.Enc(\(T, t, PP_{CDE}\)):

Let \(L_{n} = (t_{1}, \ldots, t_{n}) \in \mathbb{Z}_{p}^{n}\) be a label of time T. It chooses a random exponent vector \(\vec{s} = (s_{1}, \ldots, s_{n}) \in \mathbb{Z}_{p}^{n}\) and outputs a ciphertext header \(CH_{T} = \big(C_{0} = g^{t}, C_{1} = w_{T}^{t} \prod_{i=1}^{n} v_{T}^{s_{i}}, \{ C_{i,2} = g^{s_{i}}, C_{i,3} = (u_{T}^{t_{i}} h_{T})^{s_{i}} \}_{i=1}^{n} \big)\) and a session key \(EK_{CDE} = \Delta^{t}\).

CDE.DelegCT(\(CH_{T}, T', PP_{CDE}\)):

Let \(CH_{T} = \big(C_{0}, C_{1}, \{ C_{i,2}, C_{i,3} \}_{i=1}^{n} \big)\) be a ciphertext header for time T with label \(L_{n} = (t_{1}, \ldots, t_{n})\), and let \(T'\) have label \(L_{n+1} = (t_{1}, \ldots, t_{n}, t_{n+1})\). It chooses random \(s_{n+1} \in \mathbb{Z}_{p}\) and outputs the delegated header \(CH_{T'} = \big(C'_{0} = C_{0}, C'_{1} = C_{1} \cdot v_{T}^{s_{n+1}}, \{ C'_{i,2} = C_{i,2}, C'_{i,3} = C_{i,3} \}_{i=1}^{n}, C'_{n+1,2} = g^{s_{n+1}}, C'_{n+1,3} = (u_{T}^{t_{n+1}} h_{T})^{s_{n+1}} \big)\).

CDE.Dec(\(CH_{T}, SK_{T'}, PP_{CDE}\)):

Let \(CH_{T} = \big(C_{0}, C_{1}, \{C_{i,2}, C_{i,3}\}_{i=1}^{k} \big)\) and \(SK_{T'} = \big(T_{0}, T_{1}, \{T_{i,2}, T_{i,3}\}_{i=1}^{n} \big)\). If \(k \le n\), then it outputs a session key \(EK'_{CDE} = e(T_{0}, C_{0}) \cdot e(T_{1}, C_{1}) \cdot \prod_{i=1}^{k} \big(e(T_{i,2}, C_{i,2}) \cdot e(T_{i,3}, C_{i,3})\big)\).

Theorem 5 ([17])

The above CDE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.

Appendix B: Security Proofs of PC-ABE

To prove the security of our PC-ABE scheme, we construct a meta-simulator that runs the simulators of IBE, CP-ABE, and CDE as sub-simulators. Each sub-simulator operates identically to the simulators in [17]. The detailed description of the security proof is given as follows:

B.1 The Proofs of Theorem 1

Lemma 1

The PC-ABE scheme is selectively IND-CPA secure against an outside adversary if the n-RW1 assumption holds.

Proof

Suppose there exists an adversary \(\mathcal{A}_{O}\) defined in Section "Definitions" that attacks PC-ABE with a non-negligible advantage \(\textbf{Adv}_{\mathcal{A}}\), and a meta-simulator \(\mathcal{B}\) that solves the n-RW1 problem by using \(\mathcal{A}_{O}\). Let \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) be the simulators described in [17]. \(\mathcal{B}_{IBE}\) aims to solve the DBDH problem; \(\mathcal{B}_{ABE}\) and \(\mathcal{B}_{CDE}\) aim to solve the n-RW1 problem. Since the challenge tuple \((D_{DBDH}, Z)\) of the DBDH assumption can be derived from the challenge tuple \((D_{n\text{-}RW1}, Z)\) of the n-RW1 assumption, \(\mathcal{B}\) can run \(\mathcal{B}_{IBE}\) by giving it \((D_{DBDH}, Z)\). We build the meta-simulator \(\mathcal{B}\), which interacts with \(\mathcal{A}_{O}\) in the following security game:

Init:

\(\mathcal{A}_{O}\) initially submits a challenge identity \(ID^{*}\), a challenge access structure \(\mathbb{A}^{*} = (A^{*}, \rho^{*})\), and a challenge time \(T^{*}\). \(\mathcal{B}\) runs \(\mathcal{B}_{IBE}\) by giving it \(D_{DBDH}\) and Z, and it also runs \(\mathcal{B}_{ABE}\) and \(\mathcal{B}_{CDE}\) by giving them \(D_{n\text{-}RW1}\) and Z.

Setup:

\(\mathcal{B}\) first submits \((GDS, ID^{*})\) to \(\mathcal{B}_{IBE}\) and receives \(PP_{IBE}\), and it submits \((GDS, \mathbb{A}^{*})\) to \(\mathcal{B}_{ABE}\) and receives \(PP_{ABE}\). In addition, it submits \((GDS, T^{*})\) to \(\mathcal{B}_{CDE}\) and receives \(PP_{CDE}\). \(\mathcal{B}\) chooses a random exponent \(\theta \in \mathbb{Z}_{p}\) and computes \(\Omega' = \Omega \cdot e(g, g)^{\theta}\) and \(\Lambda' = e(g, g)^{\theta}\). It replaces \(\Omega\) with \(\Omega'\) in \(PP_{IBE}\) and \(\Lambda\) with \(\Lambda'\) in \(PP_{ABE}\), respectively. Then it sets \(PP_{IA} = (PP_{IBE}, PP_{CDE})\) and \(PP_{AA} = PP_{ABE}\), and gives \(PP = (GDS, PP_{IA}, PP_{AA})\) to \(\mathcal{A}_{O}\).

Query 1:

\(\mathcal{A}_{O}\) adaptively requests a polynomial number of private key, attribute key, and decryption key queries, and \(\mathcal{B}\) answers as follows:

\(SK_{ID}\) query:

If \(\mathcal{A}_{O}\) requests a private key for \(ID \neq ID^{*}\), then \(\mathcal{B}\) uses \(\mathcal{B}_{IBE}\) to obtain \(SK_{IBE,ID}\) and generates the private key \(SK_{ID}\) by running IBE.RandKey(\(SK_{IBE,ID}, -\theta, PP_{IBE}\)). \(\mathcal{B}\) provides it to \(\mathcal{A}_{O}\).

\(AK_{S}\) query:

For every set S, \(\mathcal{B}\) creates \(AK_{S}\) by running ABE.GenKey(\(S, \theta, PP_{ABE}\)) and provides it to \(\mathcal{A}_{O}\).

\(DK_{ID,S,T}\) query:

If \(\mathcal{A}_{O}\) requests a decryption key for a tuple \((ID, S, T)\), then \(\mathcal{B}\) creates \(DK_{ID,S,T}\) and provides it to \(\mathcal{A}_{O}\), subject to the following restrictions.

  • \((ID \neq ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T \ge T^{*})\): Since the requested ID is not equal to the challenge \(ID^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{IBE}\) to obtain the IBE private key for ID. It first queries the private key from \(\mathcal{B}_{IBE}\) and receives \(SK_{IBE,ID}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(SK_{ID}\) by running IBE.RandKey(\(SK_{IBE,ID}, -\delta-\sigma, PP_{IBE}\)). \(\mathcal{B}\) then generates \(AK_{S}\) and \(SK_{T}\) by running ABE.GenKey(\(S, \delta, PP_{ABE}\)) and CDE.GenKey(\(T, \sigma, PP_{CDE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).

  • \((ID = ID^{*}) \wedge (S \notin \mathbb{A}^{*}) \wedge (T \ge T^{*})\): Since the requested S does not satisfy the challenge \(\mathbb{A}^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{ABE}\) to obtain the ABE private key for S. \(\mathcal{B}\) first queries the private key for the set S from \(\mathcal{B}_{ABE}\) and receives \(SK_{ABE,S}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(AK_{S}\) by running ABE.RandKey(\(SK_{ABE,S}, -\delta-\sigma, PP_{ABE}\)). Then it generates \(SK_{ID}\) and \(SK_{T}\) by running IBE.GenKey(\(ID, \delta, PP_{IBE}\)) and CDE.GenKey(\(T, \sigma, PP_{CDE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).

  • \((ID = ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T < T^{*})\): Since the requested T is less than the challenge \(T^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{CDE}\) to obtain the CDE private key for T. \(\mathcal{B}\) first queries the private key for T from \(\mathcal{B}_{CDE}\) and receives \(SK_{CDE,T}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(SK_{T}\) by running CDE.RandKey(\(SK_{CDE,T}, -\delta-\sigma, PP_{CDE}\)). Then it generates \(SK_{ID}\) and \(AK_{S}\) by running IBE.GenKey(\(ID, \delta, PP_{IBE}\)) and ABE.GenKey(\(S, \sigma, PP_{ABE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).

Challenge:

\(\mathcal{A}_{O}\) submits two pairs of symmetric keys and messages \((K_{0}^{*}, M_{0}^{*}), (K_{1}^{*}, M_{1}^{*})\) of equal length. \(\mathcal{B}\) queries challenge ciphertext headers from \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) and receives \((CH^{*}_{IBE,ID^{*}}, EK_{IBE})\), \((CH^{*}_{ABE,\mathbb{A}^{*}}, EK_{ABE})\), and \((CH^{*}_{CDE,T^{*}}, EK_{CDE})\), respectively. It then computes \(EK = e(g^{\theta}, g^{c})\), where \(g^{c}\) is given in the challenge tuple. Finally, \(\mathcal{B}\) chooses a random bit \(b \in \{0, 1\}\) and generates C by running SKE.Enc(\(K_{b}^{*}, M_{b}^{*}\)). \(\mathcal{B}\) provides the challenge ciphertext \(CT_{ID^{*},\mathbb{A}^{*},T^{*}}^{*} = \big(CH^{*}_{IBE,ID^{*}}, CH^{*}_{ABE,\mathbb{A}^{*}}, CH^{*}_{CDE,T^{*}}, E_{1}^{*} = K_{b}^{*} \cdot Z \cdot EK, E_{2}^{*} = K_{b}^{*} \cdot Z, C\big)\) to \(\mathcal{A}_{O}\).

Query 2:

Same as Query 1.

Guess:

Finally, \(\mathcal{A}_{O}\) outputs a guess \(b'\). If \(b = b'\), then \(\mathcal{B}\) outputs 0. Otherwise, it outputs 1.

We now show that the security game is correctly simulated. Since \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) set \(PP_{IBE}\), \(PP_{ABE}\), and \(PP_{CDE}\) with the same generator g given in the assumption, and they all internally set the master key as \(g^{a^{q+1}}\), the public parameters are correctly generated. The private key is also correct, since it can be transformed from the private key of IBE with the random \(\theta\). Moreover, the attribute key is easily simulated with \(\theta\) as a master key. Furthermore, we show that the decryption key is correctly generated. The real form of the master key in the decryption key is \(g^{\alpha+\beta}\), and we set it as \(g^{a^{q+1}}\). We consider the cases in which two out of the three conditions are satisfied. In each case, \(\mathcal{B}\) uses only one sub-simulator to obtain the private key and computes the remaining parts itself. Consequently, the decryption key is generated with the master key \(g^{a^{q+1}}\). Finally, we show that the challenge ciphertext is correct. Each challenge ciphertext header is generated with the same element \(g^{c}\) given in the assumption, so they are correctly generated.

If \(Z = Z_{0} = e(g,g)^{a^{q+1}c}\), then \(\mathcal{A}_{O}\) plays the proper security game, since \(CT_{ID^{*},\mathbb{A}^{*},T^{*}}^{*}\) is correctly distributed. Then we have \(\Pr[\mathcal{B}(D, Z_{0}) = 0] = \frac{1}{2} + \textbf{Adv}_{\mathcal{A}}\). If \(Z = Z_{1}\) is a random element in \(\mathbb{G}_{T}\), then \(CT_{ID^{*},\mathbb{A}^{*},T^{*}}^{*}\) is independent of the chosen symmetric key and message, and therefore the advantage of \(\mathcal{A}_{O}\) is exactly 0. That is, we have \(\Pr[\mathcal{B}(D, Z_{1}) = 0] = \frac{1}{2}\). Thus the advantage of \(\mathcal{B}\) is obtained as

$$\begin{array}{@{}rcl@{}} \mathbf{Adv}_{\mathcal{B}} &=&\Big| \Pr \big[\mathcal{B}(D, Z_{0}) = 0 \big] - \Pr \big[ \mathcal{B}(D, Z_{1}) = 0 \big] \Big| \\ &=& \Big| \frac{1}{2} + \mathbf{Adv}_{\mathcal{A}} - \frac{1}{2} \Big| = \mathbf{Adv}_{\mathcal{A}}. \end{array} $$

Therefore, \(\mathcal {B}\) has a non-negligible advantage to solve the n-RW1 problem. □

Lemma 2

The PC-ABE scheme is selectively IND-CPA secure against an inside adversary if the n-RW1 assumption holds.

Proof

Suppose there exists an inside adversary \(\mathcal{A}_{I}\) defined in Section "Definitions" that breaks our PC-ABE scheme with non-negligible advantage, and a meta-simulator \(\mathcal{B}\) that solves the n-RW1 problem by using \(\mathcal{A}_{I}\). We build \(\mathcal{B}\) identically to the meta-simulator in the proof of Lemma 1, except for the Setup and Query phases. The differing procedures are as follows:

Setup::

PP is generated as in the proof of Lemma 1, and \(\mathcal{B}\) gives \(PP = (GDS, PP_{IA}, PP_{AA})\) and \(MK_{AA} = \theta\) to \(\mathcal{A}_{I}\).

Query 1::

\(\mathcal{A}_{I}\) adaptively requests a polynomial number of private key and decryption key queries. Since \(\mathcal{A}_{I}\) can create \(AK_{S}\) for every S of its choice, it cannot request any attribute keys, nor any decryption keys for \((ID \neq ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T \ge T^{*})\). The remaining queries are simulated identically to the proof of Lemma 1.

The correctness of the simulation and advantages are as in the proof of Lemma 1. □

B.2 The Proof of Theorem 2

To prove that the GenDecKey protocol is secure, we show that the VBK is EUF-CAA. The VBK is generated from an attribute key and the attribute key is a private key of the CP-ABE scheme of Rouselakis and Waters [30]. Therefore, the security of VBK depends on the security of the underlying CP-ABE scheme.

Proof

Suppose there exists an adversary \(\mathcal {F}\) that forges a VBK with a non-negligible advantage and a simulator \(\mathcal {B}\) that attacks CP-ABE using \(\mathcal {F}\). In addition, there is a CP-ABE simulator \(\mathcal {S}_{ABE}\) for \(\mathcal {B}\). \(\mathcal {B}\) interacts with \(\mathcal {F}\) in the following security game:

Setup::

Given \(PP_{ABE}\), \(\mathcal{B}\) generates \(\tilde{v} = g^{\eta}\) for a random exponent \(\eta \in \mathbb{Z}_{p}\) and sets \(PP_{AA} = (PP_{ABE}, \tilde{v})\). Then it sends \(PP_{AA}\) to \(\mathcal{F}\).

Query::

\(\mathcal{F}\) adaptively requests a polynomial number of private keys and verifiably blinded keys for any set S of attributes. For the private key queries, \(\mathcal{B}\) obtains the attribute key \(AK_{S}\) of the set S from \(\mathcal{S}_{ABE}\) and gives it to \(\mathcal{F}\). For the verifiably blinded key queries, \(\mathcal{B}\) first obtains the attribute key \(AK_{S}\) from \(\mathcal{S}_{ABE}\) and computes \(VBK_{S}\) by using \(\tilde{v}\). Then it provides \(\mathcal{F}\) with \(VBK_{S}\) as the response.

Output::

Finally, \(\mathcal{F}\) outputs a forged \(VBK_{S^{*}} = \big(BK_{0}, BK_{1}, \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k}, BK_{4}\big)\) on the challenge set of attributes \(S^{*}\). \(\mathcal{F}\) must never have requested a blinded key query at \(S^{*}\). \(\mathcal{B}\) checks the validity of \(VBK_{S^{*}}\), and if it is invalid, then \(\mathcal{B}\) aborts the game. Otherwise, \(\mathcal{B}\) computes \(K_{0} = BK_{0} \cdot (BK_{4})^{\eta}\) and derives the attribute key \(AK_{S^{*}} = (K_{0}, BK_{1}, \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k})\). It submits two challenge messages \(M_{0}^{*}, M_{1}^{*}\) and a challenge access structure \(\mathbb{A}^{*}\) such that \(S^{*} \in \mathbb{A}^{*}\) to \(\mathcal{S}_{ABE}\). \(\mathcal{B}\) receives the challenge ciphertext \(CT_{b}^{*}\) and decrypts it with \(AK_{S^{*}}\). Finally, it outputs the guess \(b'\).

\(AK_{S^{*}}\) is a valid attribute key if the forged \(VBK_{S^{*}}\) is valid. Therefore, \(\mathcal{B}\) is able to decrypt the challenge ciphertext, and its guess is correct whenever \(\mathcal{F}\) wins the game. □

Cite this article

Eom, J., Lee, D.H. & Lee, K. Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System. J Med Syst 40, 253 (2016). https://doi.org/10.1007/s10916-016-0621-3

Keywords

  • Electronic health records
  • Patient control
  • Data privacy
  • Cloud computing