Abstract
In recent years, many countries have been trying to integrate the electronic health data managed by each hospital in order to offer more efficient healthcare services. Since health data contain sensitive information about patients, there has been much research presenting privacy-preserving mechanisms. However, existing studies either require a patient to perform various steps to secure the data or restrict the patient from exerting control over the data. In this paper, we propose patient-controlled attribute-based encryption, which enables a patient (a data owner) to control access to the health data while reducing the operational burden on the patient. With our method, the patient has powerful control over his/her own health data in that he/she has the final say on access, with a time limitation. In addition, our scheme provides emergency medical services, which allow emergency staff to access the health data without the patient’s permission only in the case of an emergency. We prove that our scheme is secure under cryptographic assumptions and analyze its efficiency from the patient’s perspective.
References
1. 104th United States Congress, Health Insurance Portability and Accountability Act (HIPAA), 1996. http://aspe.hhs.gov/admnsimp/pl104191.htm
2. Abbas, A., and Khan, S. U., A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J. Biomed. Health Inf. 18(4):1431–1441, 2014.
3. AbuKhousa, E., Mohamed, N., and Al-Jaroodi, J., e-health cloud: opportunities and challenges. Futur. Internet 4(3):621–645, 2012.
4. Akinyele, J. A., Garman, C., Miers, I., Pagano, M. W., Rushanan, M., Green, M., and Rubin, A. D., Charm: a framework for rapidly prototyping cryptosystems. J. Cryptograph. Eng. 3(2):111–128, 2013.
5. Akinyele, J. A., Pagano, M. W., Green, M. D., Lehmann, C. U., Peterson, Z. N. J., and Rubin, A. D., Securing electronic medical records using attribute-based encryption on mobile devices. In: SPSM’11, pp. 75–86. ACM, 2011.
6. Fernández Alemán, J. L., Carrión Señor, I., Lozoya, P. Á. O., and Toval, A., Security and privacy in electronic health records: a systematic literature review. J. Biomed. Inf. 46(3):541–562, 2013.
7. Benaloh, J., Chase, M., Horvitz, E., and Lauter, K. E., Patient controlled encryption: ensuring privacy of electronic medical records. In: CCSW 2009, pp. 103–114. ACM, 2009.
8. Boneh, D., and Boyen, X., Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., and Camenisch, J. (Eds.) Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pp. 223–238. Springer, 2004.
9. Chen, T.-S., Liu, C.-H., Chen, T.-L., Chen, C.-S., Bau, J.-G., and Lin, T.-C., Secure dynamic access control scheme of PHR in cloud computing. J. Med. Syst. 36(6):4005–4020, 2012.
10. Dong, N., Jonker, H., and Pang, J., Challenges in e-health: From enabling to enforcing privacy. In: Foundations of Health Informatics Engineering and Systems, pp. 195–206. Springer, 2011.
11. European Commission, Directive 95/46/EC on Data Protection – data protection in the area of public health, 2011. http://ec.europa.eu/health/data_collection/data_protection/
12. Fabian, B., Ermakova, T., and Junghanns, P., Collaborative and secure sharing of healthcare data in multi-clouds. Inf. Syst. 48:132–150, 2015.
13. Zhangjie, F., Ren, K., Shu, J., Sun, X., and Huang, F., Enabling personalized search over encrypted outsourced data with efficiency improvement. IEEE Trans. Parallel Distrib. Syst. 27(9):2546–2559, 2015.
14. Zhangjie, F., Sun, X., Qi, L., Zhou, L., and Shu, J., Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans. Commun. E98-B(1):190–200, 2015.
15. Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N., and Müller, G., Aspects of privacy for electronic health records. I. J. Med. Inf. 80(2):e26–e31, 2011.
16. Jiankun, H., Chen, H.-H., and Hou, T.-W., A hybrid public key infrastructure solution (HPKI) for HIPAA privacy/security regulations. Comput. Standards Interf. 32(5–6):274–280, 2010.
17. Lee, K., Self-updatable encryption with short public parameters and its extensions. Des. Codes Cryptograph. 79(1):121–161, 2016.
18. Lee, K., Choi, S. G., Lee, D. H., Park, J. H., and Yung, M., Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: Sako, K., and Sarkar, P. (Eds.) Advances in Cryptology – ASIACRYPT 2013, volume 8269 of Lecture Notes in Computer Science, pp. 235–254. Springer, 2013.
19. Lee, W.-B., and Lee, C.-D., A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Trans. Inf. Technol. Biomed. 12(1):34–41, 2008.
20. Li, M., Shucheng, Y., Cao, N., and Lou, W., Authorized private keyword search over encrypted data in cloud computing. In: International Conference on Distributed Computing Systems, pp. 383–392. IEEE, 2011.
21. Li, M., Shucheng, Y., Ren, K., and Lou, W., Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings. In: SecureComm 2010, pp. 89–106. Springer, 2010.
22. Li, M., Shucheng, Y., Zheng, Y., Ren, K., and Lou, W., Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE Trans. Parallel Distrib. Syst. 24(1):131–143, 2013.
23. Liu, J., Huang, X., and Liu, J. K., Secure sharing of personal health records in cloud computing: Ciphertext-policy attribute-based signcryption. Futur. Gen. Comp. Syst. 52:67–76, 2015.
24. Mandl, K. D., Simons, W. W., Crawford, W. C. R., and Abbett, J. M., Indivo: a personally controlled health record for health information exchange and communication. BMC Med. Inf. Decis. Making 7:25, 2007.
25. Narayan, S., Gagné, M., and Safavi-Naini, R., Privacy preserving EHR system using attribute-based infrastructure. In: CCSW 2010, pp. 47–52. ACM, 2010.
26. Neubauer, T., and Heurix, J., A methodology for the pseudonymization of medical data. I. J. Med. Inf. 80(3):190–204, 2011.
27. Prince, P. B., Krishnamoorthy, K., Anandaraj, R., and Jeno Lovesum, S. P., Rsadabe: A novel approach for secure health data sharing in ubiquitous computing environment. Indian J. Sci. Technol. 8(17), 2015.
28. Bo, Q., Deng, H., Qianhong, W., Domingo-Ferrer, J., Naccache, D., and Zhou, Y., Flexible attribute-based encryption applicable to secure e-healthcare records. Int. J. Inf. Sec. 14(6):499–511, 2015.
29. Rosenthal, A., Mork, P., Li, M.-H., Stanford, J., Koester, D., and Reynolds, P., Cloud computing: A new business paradigm for biomedical information sharing. J. Biomed. Inf. 43(2):342–353, 2010.
30. Rouselakis, Y., Waters, B., and Gligor, V. D., Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A.-R., and Yung, M. (Eds.) CCS 2013, pp. 463–474. ACM, 2013.
31. Shi, J., Lai, J., Li, Y., Deng, R. H., and Weng, J., Authorized keyword search on encrypted data. In: ESORICS 2014, vol. 8712, pp. 419–435. Springer, 2014.
32. Sunyaev, A., Chornyi, D., Mauro, C., and Krcmar, H., Evaluation framework for personal health records: Microsoft HealthVault vs. Google Health. In: HICSS-43 2010, pp. 1–10. IEEE, 2010.
33. Szolovits, P., Doyle, J., Long, W. J., Kohane, I., and Pauker, S. G., Guardian angel: Patient-centered health information systems. Technical report, Cambridge, MA, USA, 1994.
34. Tang, P. C., Ash, J. S., Bates, D. W., Marc Overhage, J., and Sands, D. Z., Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption. JAMIA 13(2):121–126, 2006.
35. U.S. Department of Health and Human Services, Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009. http://www.hhs.gov/hipaa/forprofessionals/specialtopics/HITECHactenforcementinterimfinalrule/
36. Wan, Z., Liu, J., and Deng, R. H., HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Trans. Inf. Forens. Secur. 7(2):743–754, 2012.
37. Wang, C., Xu, X.-L., Shi, D.-Y., and Fang, J., Privacy-preserving cloud-based personal health record system using attribute-based encryption and anonymous multi-receiver identity-based encryption. Informatica 39(4), 2015.
38. Xia, Z., Wang, X., Sun, X., and Wang, Q., A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans. Parallel Distrib. Syst. 27(2):340–352, 2015.
39. Yang, J.-J., Li, J., and Niu, Y., A hybrid solution for privacy preserving medical data sharing in the cloud environment. Future Gen. Comp. Syst. 43–44:74–86, 2015.
Acknowledgments
This research was supported by the Samsung Research Funding Center of Samsung Electronics under Project Number SRFCTB140303 and by the Global Ph.D. Fellowship Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2013H1A2A1033834).
Additional information
This article is part of the Topical Collection on Systems-Level Quality Improvement.
Appendices
Appendix A: Building Blocks
A.1 IBE scheme
The IBE scheme of Boneh and Boyen [8] is described as follows:
IBE.Setup(\(GDS\)): Let \(GDS = ((p, \mathbb{G}, \mathbb{G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(u_{I}, h_{I} \in \mathbb{G}\) and \(\alpha \in \mathbb{Z}_{p}\). It outputs a master key \(MK_{IBE} = \alpha\) and public parameters \(PP_{IBE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, u_{I}, h_{I}, \Omega = e(g, g)^{\alpha}\big)\).
IBE.GenKey(\(ID, MK_{IBE}, PP_{IBE}\)): It chooses a random exponent \(r \in \mathbb{Z}_{p}\) and outputs a private key \(SK_{ID} = \big(D_{0} = g^{\alpha} (u_{I}^{ID} h_{I})^{r}, D_{1} = g^{r}\big)\).
IBE.RandKey(\(SK_{ID}, \delta, PP_{IBE}\)): Let \(SK_{ID} = (D_{0}, D_{1})\). It chooses a random exponent \(r' \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{ID} = \big(D'_{0} = D_{0} \cdot g^{\delta} (u_{I}^{ID} h_{I})^{r'}, D'_{1} = D_{1} \cdot g^{r'}\big)\). Note that \(\delta\) can be zero.
IBE.Enc(\(ID, t, PP_{IBE}\)): It outputs a ciphertext header \(CH_{ID} = \big(C_{0} = g^{t}, C_{1} = (u_{I}^{ID} h_{I})^{t}\big)\) and a session key \(EK_{IBE} = \Omega^{t}\).
IBE.Dec(\(CH_{ID}, SK_{ID'}, PP_{IBE}\)): If \(ID \neq ID'\), then it outputs \(\perp\). Otherwise, it outputs a session key \(EK'_{IBE} = e(C_{0}, D_{0}) \cdot e(C_{1}, D_{1})\).
Theorem 3 ([8])
The above IBE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds.
A.2 CP-ABE scheme
We first review the definitions of an access structure and a linear secret-sharing scheme.
Let \(\mathcal{U}\) be the attribute universe. An access structure on \(\mathcal{U}\) is a collection \(\mathbb{A}\) of non-empty sets of attributes, i.e. \(\mathbb{A} \subseteq 2^{\mathcal{U}} \setminus \{\emptyset\}\). The sets in \(\mathbb{A}\) are called the authorized sets and the sets not in \(\mathbb{A}\) are called the unauthorized sets. In addition, an access structure is called monotone if for all sets \(B, C\) of attributes: if \(B \in \mathbb{A}\) and \(B \subseteq C\), then \(C \in \mathbb{A}\).
Let \(p\) be a prime and \(\mathcal{U}\) be the attribute universe. A secret-sharing scheme \(\pi\) with domain of secrets \(\mathbb{Z}_{p}\) realizing an access structure on \(\mathcal{U}\) is linear over \(\mathbb{Z}_{p}\) if
1. The shares of a secret \(s \in \mathbb{Z}_{p}\) for each attribute form a vector over \(\mathbb{Z}_{p}\).
2. For each access structure \(\mathbb{A}\) on \(\mathcal{U}\), there exists a matrix \(M \in \mathbb{Z}_{p}^{l \times n}\), called the share-generating matrix, and a function \(\rho\) that labels the rows of \(M\) with attributes from \(\mathcal{U}\), i.e. \(\rho : [l] \to \mathcal{U}\), which satisfy the following: during the generation of the shares, we consider the column vector \(\vec{v} = (s, r_{2}, \ldots, r_{n})^{\top}\), where \(r_{2}, \ldots, r_{n} \gets \mathbb{Z}_{p}\). Then the vector of \(l\) shares of the secret \(s\) according to \(\pi\) is equal to \(M \vec{v} \in \mathbb{Z}_{p}^{l \times 1}\). The share \((M \vec{v})_{j}\), where \(j \in [l]\), "belongs" to attribute \(\rho(j)\).
Each secret-sharing scheme should satisfy the reconstruction and the security requirements.
We describe the CP-ABE scheme of Rouselakis and Waters [30] as follows:
ABE.Setup(\(GDS\)): Let \(GDS = ((p, \mathbb{G}, \mathbb{G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(w_{A}, v_{A}, u_{A}, h_{A}, v_{S} \in \mathbb{G}\) and \(\beta \in \mathbb{Z}_{p}\). It outputs a master key \(MK_{ABE} = \beta\) and public parameters \(PP_{ABE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, w_{A}, v_{A}, u_{A}, h_{A}, v_{S}, \Lambda = e(g, g)^{\beta}\big)\).
ABE.GenKey(\(S, MK_{ABE}, PP_{ABE}\)): Let \(S = \{a_{1}, a_{2}, \ldots, a_{k}\}\) be a set of attributes. It chooses random exponents \(r, r_{1}, \ldots, r_{k} \in \mathbb{Z}_{p}\) and outputs \(SK_{S} = \big(K_{0} = g^{\beta} w_{A}^{r}, K_{1} = g^{r}, \big\{K_{i,2} = g^{r_{i}}, K_{i,3} = v_{A}^{r} (u_{A}^{a_{i}} h_{A})^{r_{i}}\big\}_{i=1}^{k}\big)\).
ABE.RandKey(\(SK_{S}, \delta, PP_{ABE}\)): Let \(SK_{S} = (K_{0}, K_{1}, \{K_{i,2}, K_{i,3}\}_{i=1}^{k})\) for an attribute set \(S = \{a_{1}, \ldots, a_{k}\}\). It chooses random \(r', r'_{1}, \ldots, r'_{k} \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{S} = \big(K'_{0} = K_{0} \cdot g^{\delta} w_{A}^{r'}, K'_{1} = K_{1} \cdot g^{r'}, \big\{K'_{i,2} = K_{i,2} \cdot g^{r'_{i}}, K'_{i,3} = K_{i,3} \cdot v_{A}^{r'} (u_{A}^{a_{i}} h_{A})^{r'_{i}}\big\}_{i=1}^{k}\big)\). Note that \(\delta\) can be zero.
ABE.BlindKey(\(SK_{S}, PP_{ABE}\)): Let \(SK_{S} = (K_{0}, K_{1}, \{K_{i,2}, K_{i,3}\}_{i=1}^{k})\). It chooses a random exponent \(r_{S} \in \mathbb{Z}_{p}\) and outputs a blinded private key \(BSK_{S} = \big(K'_{0} = K_{0} \cdot v_{S}^{r_{S}}, K'_{1} = K_{1}, \big\{K'_{i,2} = K_{i,2}, K'_{i,3} = K_{i,3}\big\}_{i=1}^{k}, K'_{4} = g^{r_{S}}\big)\) and a blinding key \(BK = r_{S}\).
ABE.VerifyBKey(\(BSK_{S}, PP_{ABE}\)): Let \(BSK_{S} = (K_{0}, K_{1}, \{K_{i,2}, K_{i,3}\}_{i=1}^{k}, K_{4})\) for an attribute set \(S = \{a_{1}, \ldots, a_{k}\}\). It checks \(e(g, K_{0}) \overset{?}{=} \Lambda \cdot e(w_{A}, K_{1}) \cdot e(v_{S}, K_{4})\) and \(e(g, K_{i,3}) \overset{?}{=} e(v_{A}, K_{1}) \cdot e(u_{A}^{a_{i}} h_{A}, K_{i,2})\) for all \(i \in [k]\); these are exactly the relations a key output by ABE.GenKey and blinded by ABE.BlindKey satisfies. If all equations hold, it outputs 1. Otherwise, it outputs 0.
ABE.UnblindKey(\(BSK_{S}, BK, PP_{ABE}\)): Let \(BSK_{S} = (K_{0}, K_{1}, \{K_{i,2}, K_{i,3}\}_{i=1}^{k}, K_{4})\) and \(BK = r_{S}\). It removes the blinding factor \(v_{S}^{r_{S}}\) introduced by ABE.BlindKey and outputs an unblinded private key \(SK_{S} = \big(K'_{0} = K_{0} \cdot v_{S}^{-r_{S}}, K'_{1} = K_{1}, \big\{K'_{i,2} = K_{i,2}, K'_{i,3} = K_{i,3}\big\}_{i=1}^{k}\big)\).
ABE.Enc(\(\mathbb{A}, t, PP_{ABE}\)): Let \(\mathbb{A} = (A, \rho)\) be an LSSS access structure, where \(A\) is an \(l \times n\) matrix and \(\rho\) is a map that associates rows of \(A\) with attributes. It first sets a random vector \(\vec{v} = (t, v_{2}, \ldots, v_{n}) \in \mathbb{Z}_{p}^{n}\) by selecting random exponents \(v_{2}, \ldots, v_{n} \in \mathbb{Z}_{p}\) and obtains \(\lambda_{i} = A_{i} \vec{v}\) for all \(i\), where \(A_{i}\) is the \(i\)-th row of \(A\). It selects random exponents \(s_{1}, \ldots, s_{l} \in \mathbb{Z}_{p}\) and outputs a ciphertext header \(CH_{\mathbb{A}} = \big(C_{0} = g^{t}, \big\{C_{i,1} = w_{A}^{\lambda_{i}} v_{A}^{s_{i}}, C_{i,2} = (u_{A}^{\rho(i)} h_{A})^{s_{i}}, C_{i,3} = g^{s_{i}}\big\}_{i=1}^{l}\big)\) and a session key \(EK_{ABE} = \Lambda^{t}\).
ABE.Dec(\(CH_{\mathbb{A}}, SK_{S}, PP_{ABE}\)): It computes a set of constants \(\{w_{i} \in \mathbb{Z}_{p}\}_{i \in I}\), where \(I = \{i : \rho(i) \in S\}\), such that \(\sum_{i \in I} w_{i} A_{i} = (1, 0, \ldots, 0)\), and outputs a session key \(EK'_{ABE} = e(K_{0}, C_{0}) \cdot \prod_{i \in I} \big(e(K_{1}, C_{i,1}) \cdot e(K_{i,2}, C_{i,2}) \cdot e(K_{i,3}, C_{i,3})\big)^{w_{i}}\).
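The LSSS share generation from A.2 and the reconstruction constants \(\{w_{i}\}\) that ABE.Dec needs, as an added Python example that is not code from the paper or from [30]: the prime, the policy (A AND B) OR C, its share-generating matrix and the attribute names are all constructed for illustration.

```python
# Added example (not from the paper): linear secret sharing over Z_p, the
# building block CP-ABE applies to the exponent t in ABE.Enc / ABE.Dec.
# The prime P, the policy matrix M and the row labels RHO are constructed.
import random
from typing import Dict, List, Optional, Set

P = 2**127 - 1  # constructed modulus; a pairing group order is used in practice

# Share-generating matrix for the constructed policy (A AND B) OR C, built
# with the usual OR/AND labelling: row i "belongs" to attribute RHO[i].
M = [[1, 1],    # A
     [0, -1],   # B
     [1, 0]]    # C
RHO = ["A", "B", "C"]


def lsss_shares(M: List[List[int]], secret: int, p: int = P) -> List[int]:
    """Shares lambda = M * v with v = (s, r_2, ..., r_n)^T and random r_j."""
    n = len(M[0])
    v = [secret % p] + [random.randrange(p) for _ in range(n - 1)]
    return [sum(M[i][c] * v[c] for c in range(n)) % p for i in range(len(M))]


def reconstruction_coeffs(M: List[List[int]], rho: List[str], attrs: Set[str],
                          p: int = P) -> Optional[Dict[int, int]]:
    """Constants {w_i} over rows I = {i : rho(i) in attrs} with
    sum_i w_i * M_i = (1, 0, ..., 0). Returns None when attrs is unauthorized,
    i.e. e_1 does not lie in the span of those rows."""
    rows = [i for i in range(len(M)) if rho[i] in attrs]
    if not rows:
        return None
    n, m = len(M[0]), len(rows)
    # Unknowns w_1..w_m; one equation per column c: sum_j w_j*M[rows[j]][c] = e_1[c].
    aug = [[M[i][c] % p for i in rows] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for c in range(m):                      # Gauss-Jordan elimination mod p
        piv = next((k for k in range(r, n) if aug[k][c]), None)
        if piv is None:
            continue                        # free unknown, fixed to 0 below
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(x * inv) % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(a - f * b) % p for a, b in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    if any(aug[k][m] for k in range(r, n)):  # a row reads 0 = nonzero: no solution
        return None
    w = [0] * m
    for k, c in enumerate(pivots):
        w[c] = aug[k][m]
    return {rows[j]: w[j] for j in range(m)}


def reconstruct(shares: List[int], coeffs: Dict[int, int], p: int = P) -> int:
    """sum_i w_i * lambda_i = sum_i w_i * (M_i . v) = e_1 . v = s."""
    return sum(coeffs[i] * shares[i] for i in coeffs) % p


def demo(secret: int) -> Dict[str, Optional[int]]:
    """Secret recovered per attribute set; None where the set is unauthorized."""
    shares = lsss_shares(M, secret)
    out: Dict[str, Optional[int]] = {}
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}, {"A", "B", "C"}):
        w = reconstruction_coeffs(M, RHO, attrs)
        out["".join(sorted(attrs))] = None if w is None else reconstruct(shares, w)
    return out


if __name__ == "__main__":
    print(demo(424242))
```

With pairings in place, ABE.Dec raises the pairing products to these same \(w_{i}\), so an unauthorized set (for which no coefficients exist) cannot recover \(\Lambda^{t}\).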
Theorem 4 ([30])
The above CP-ABE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.
A.3 CDE scheme
The CDE scheme of Lee [17] is described as follows:
CDE.Setup(\(GDS, t_{max}\)): Let \(GDS = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g\big)\) be a description of a bilinear group and \(t_{max}\) be a maximum time. It first chooses random \(w_{T}, v_{T}, u_{T}, h_{T} \in \mathbb{G}\) and \(\gamma \in \mathbb{Z}_{p}\). It outputs \(MK_{CDE} = \gamma\) and \(PP_{CDE} = \big((p, \mathbb{G}, \mathbb{G}_{T}, e), g, w_{T}, v_{T}, u_{T}, h_{T}, \Delta = e(g, g)^{\gamma}\big)\).
CDE.GenKey(\(T, MK_{CDE}, PP_{CDE}\)): Let \(L_{n} = (t_{1}, \ldots, t_{n}) \in \mathbb{Z}_{p}^{n}\) be a label of time \(T\). It chooses random exponents \(r, r_{1}, \ldots, r_{n} \in \mathbb{Z}_{p}\) and outputs a private key \(SK_{T} = \big(T_{0} = g^{\gamma} w_{T}^{r}, T_{1} = g^{r}, \big\{T_{i,2} = v_{T}^{r} (u_{T}^{t_{i}} h_{T})^{r_{i}}, T_{i,3} = g^{r_{i}}\big\}_{i=1}^{n}\big)\).
CDE.RandKey(\(SK_{T}, \delta, PP_{CDE}\)): Let \(SK_{T} = (T_{0}, T_{1}, \{T_{i,2}, T_{i,3}\}_{i=1}^{n})\) be a private key for time \(T\). It chooses random exponents \(r', r'_{1}, \ldots, r'_{n} \in \mathbb{Z}_{p}\) and outputs a randomized private key \(SK_{T} = \big(T'_{0} = T_{0} \cdot g^{\delta} w_{T}^{r'}, T'_{1} = T_{1} \cdot g^{r'}, \big\{T'_{i,2} = T_{i,2} \cdot v_{T}^{r'} (u_{T}^{t_{i}} h_{T})^{r'_{i}}, T'_{i,3} = T_{i,3} \cdot g^{r'_{i}}\big\}_{i=1}^{n}\big)\).
CDE.Enc(\(T, t, PP_{CDE}\)): Let \(L_{n} = (t_{1}, \ldots, t_{n}) \in \mathbb{Z}_{p}^{n}\) be a label of time \(T\). It chooses a random exponent vector \(\vec{s} = (s_{1}, \ldots, s_{n}) \in \mathbb{Z}_{p}^{n}\) and outputs a ciphertext header \(CH_{T} = \big(C_{0} = g^{t}, C_{1} = w_{T}^{t} \prod_{i=1}^{n} v_{T}^{s_{i}}, \{C_{i,2} = g^{s_{i}}, C_{i,3} = (u_{T}^{t_{i}} h_{T})^{s_{i}}\}_{i=1}^{n}\big)\) and a session key \(EK_{CDE} = \Delta^{t}\).
CDE.DelegCT(\(CH_{T}, T', PP_{CDE}\)): Let \(CH_{T} = \big(C_{0}, C_{1}, \{C_{i,2}, C_{i,3}\}_{i=1}^{n}\big)\) be a ciphertext header for time \(T\) with label \(L_{n} = (t_{1}, \ldots, t_{n})\), and let \(T'\) be a time with label \(L_{n+1} = (t_{1}, \ldots, t_{n}, t_{n+1})\). It chooses random \(s_{n+1} \in \mathbb{Z}_{p}\) and outputs the delegated header \(CH_{T'} = \big(C'_{0} = C_{0}, C'_{1} = C_{1} \cdot v_{T}^{s_{n+1}}, \{C'_{i,2} = C_{i,2}, C'_{i,3} = C_{i,3}\}_{i=1}^{n}, C'_{n+1,2} = g^{s_{n+1}}, C'_{n+1,3} = (u_{T}^{t_{n+1}} h_{T})^{s_{n+1}}\big)\).
CDE.Dec(\(CH_{T}, SK_{T'}, PP_{CDE}\)): Let \(CH_{T} = \big(C_{0}, C_{1}, \{C_{i,2}, C_{i,3}\}_{i=1}^{k}\big)\) and \(SK_{T'} = \big(T_{0}, T_{1}, \{T_{i,2}, T_{i,3}\}_{i=1}^{n}\big)\). If \(k \le n\), then it outputs a session key \(EK'_{CDE} = e(T_{0}, C_{0}) \cdot e(T_{1}, C_{1}) \cdot \prod_{i=1}^{k} \big(e(T_{i,2}, C_{i,2}) \cdot e(T_{i,3}, C_{i,3})\big)\).
Theorem 5 ([17])
The above CDE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.
Appendix B: Security Proofs of PCABE
To prove the security of our PCABE scheme, we construct a meta-simulator that runs the simulators of IBE, CP-ABE, and CDE as sub-simulators. Each sub-simulator operates identically to the corresponding simulator in [17]. The detailed security proof is given as follows:
B.1 The Proofs of Theorem 1
Lemma 1
The PCABE scheme is selectively IND-CPA secure against an outside adversary if the n-RW1 assumption holds.
Proof
Suppose there exists an adversary \(\mathcal{A}_{O}\), defined in Section “Definitions”, that attacks PCABE with a non-negligible advantage \(\textbf{Adv}_{\mathcal{A}}\), and a meta-simulator \(\mathcal{B}\) that solves the n-RW1 problem by using \(\mathcal{A}_{O}\). Let \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) be the simulators described in [17]. \(\mathcal{B}_{IBE}\) aims to solve the DBDH problem; \(\mathcal{B}_{ABE}\) and \(\mathcal{B}_{CDE}\) aim to solve the n-RW1 problem. Since the challenge tuple \((D_{DBDH}, Z)\) of the DBDH assumption can be derived from the challenge tuple \((D_{nRW1}, Z)\) of the n-RW1 assumption, \(\mathcal{B}\) can run \(\mathcal{B}_{IBE}\) by giving it \((D_{DBDH}, Z)\). We build the meta-simulator \(\mathcal{B}\), which interacts with \(\mathcal{A}_{O}\) in the following security game:
Init: \(\mathcal{A}_{O}\) initially submits a challenge identity \(ID^{*}\), a challenge access structure \(\mathbb{A}^{*} = (A^{*}, \rho^{*})\), and a challenge time \(T^{*}\). \(\mathcal{B}\) runs \(\mathcal{B}_{IBE}\) by giving it \(D_{DBDH}\) and \(Z\), and it also runs \(\mathcal{B}_{ABE}\) and \(\mathcal{B}_{CDE}\) by giving them \(D_{nRW1}\) and \(Z\).
Setup: \(\mathcal{B}\) first submits \((GDS, ID^{*})\) to \(\mathcal{B}_{IBE}\) and receives \(PP_{IBE}\), and it submits \((GDS, \mathbb{A}^{*})\) to \(\mathcal{B}_{ABE}\) and receives \(PP_{ABE}\). In addition, it submits \((GDS, T^{*})\) to \(\mathcal{B}_{CDE}\) and receives \(PP_{CDE}\). \(\mathcal{B}\) chooses a random exponent \(\theta \in \mathbb{Z}_{p}\) and computes \(\Omega' = \Omega \cdot e(g, g)^{-\theta}\) and \(\Lambda' = e(g, g)^{\theta}\). It replaces \(\Omega\) with \(\Omega'\) in \(PP_{IBE}\) and \(\Lambda\) with \(\Lambda'\) in \(PP_{ABE}\), respectively. Then it sets \(PP_{IA} = (PP_{IBE}, PP_{CDE})\) and \(PP_{AA} = PP_{ABE}\), and gives \(PP = (GDS, PP_{IA}, PP_{AA})\) to \(\mathcal{A}_{O}\).
Query 1: \(\mathcal{A}_{O}\) adaptively requests a polynomial number of private key, attribute key, and decryption key queries, and \(\mathcal{B}\) answers as follows:
\(SK_{ID}\) query: If \(\mathcal{A}_{O}\) requests a private key for \(ID \neq ID^{*}\), then \(\mathcal{B}\) uses \(\mathcal{B}_{IBE}\) to obtain \(SK_{IBE,ID}\) and generates the private key \(SK_{ID}\) by running IBE.RandKey(\(SK_{IBE,ID}, -\theta, PP_{IBE}\)). \(\mathcal{B}\) provides it to \(\mathcal{A}_{O}\).
\(AK_{S}\) query: For every set \(S\), \(\mathcal{B}\) creates \(AK_{S}\) by running ABE.GenKey(\(S, \theta, PP_{ABE}\)) and provides it to \(\mathcal{A}_{O}\).
\(DK_{ID,S,T}\) query: If \(\mathcal{A}_{O}\) requests a decryption key for a tuple \((ID, S, T)\), then \(\mathcal{B}\) creates \(DK_{ID,S,T}\) and provides it to \(\mathcal{A}_{O}\) under the following restrictions.
Case \((ID \neq ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T \ge T^{*})\): Since the requested \(ID\) is not equal to the challenge \(ID^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{IBE}\) to obtain the IBE private key for \(ID\). It first queries \(\mathcal{B}_{IBE}\) for the private key and receives \(SK_{IBE,ID}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(SK_{ID}\) by running IBE.RandKey(\(SK_{IBE,ID}, -\delta-\sigma, PP_{IBE}\)). \(\mathcal{B}\) then generates \(AK_{S}\) and \(SK_{T}\) by running ABE.GenKey(\(S, \delta, PP_{ABE}\)) and CDE.GenKey(\(T, \sigma, PP_{CDE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).
Case \((ID = ID^{*}) \wedge (S \notin \mathbb{A}^{*}) \wedge (T \ge T^{*})\): Since the requested \(S\) does not satisfy the challenge \(\mathbb{A}^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{ABE}\) to obtain the ABE private key for \(S\). \(\mathcal{B}\) first queries \(\mathcal{B}_{ABE}\) for the private key of the set \(S\) and receives \(SK_{ABE,S}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(AK_{S}\) by running ABE.RandKey(\(SK_{ABE,S}, -\delta-\sigma, PP_{ABE}\)). Then it generates \(SK_{ID}\) and \(SK_{T}\) by running IBE.GenKey(\(ID, \delta, PP_{IBE}\)) and CDE.GenKey(\(T, \sigma, PP_{CDE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).
Case \((ID = ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T < T^{*})\): Since the requested \(T\) is less than the challenge \(T^{*}\), \(\mathcal{B}\) can use \(\mathcal{B}_{CDE}\) to obtain the CDE private key for \(T\). \(\mathcal{B}\) first queries \(\mathcal{B}_{CDE}\) for the private key for \(T\) and receives \(SK_{CDE,T}\). Next, it chooses random exponents \(\delta, \sigma \in \mathbb{Z}_{p}\) and generates \(SK_{T}\) by running CDE.RandKey(\(SK_{CDE,T}, -\delta-\sigma, PP_{CDE}\)). Then it generates \(SK_{ID}\) and \(AK_{S}\) by running IBE.GenKey(\(ID, \delta, PP_{IBE}\)) and ABE.GenKey(\(S, \sigma, PP_{ABE}\)). Finally, it obtains \(DK_{ID,S,T} = (SK_{ID}, AK_{S}, SK_{T})\).
Challenge: \(\mathcal{A}_{O}\) submits two pairs of symmetric keys and messages \((K_{0}^{*}, M_{0}^{*}), (K_{1}^{*}, M_{1}^{*})\) of equal length. \(\mathcal{B}\) queries challenge ciphertext headers from \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) and receives \((CH^{*}_{IBE,ID^{*}}, EK_{IBE})\), \((CH^{*}_{ABE,\mathbb{A}^{*}}, EK_{ABE})\), and \((CH^{*}_{CDE,T^{*}}, EK_{CDE})\), respectively. It then computes \(EK = e(g^{-\theta}, g^{c})\), where \(g^{c}\) is given in the challenge tuple. Finally, \(\mathcal{B}\) chooses a random bit \(b \in \{0, 1\}\) and generates \(C\) by running SKE.Enc(\(K_{b}^{*}, M_{b}^{*}\)). \(\mathcal{B}\) provides the challenge ciphertext \(CT^{*}_{ID^{*},\mathbb{A}^{*},T^{*}} = \big(CH^{*}_{IBE,ID^{*}}, CH^{*}_{ABE,\mathbb{A}^{*}}, CH^{*}_{CDE,T^{*}}, E_{1}^{*} = K_{b}^{*} \cdot Z \cdot EK, E_{2}^{*} = K_{b}^{*} \cdot Z, C\big)\) to \(\mathcal{A}_{O}\).
Query 2: Same as Query 1.
Guess: Finally, \(\mathcal{A}_{O}\) outputs a guess \(b'\). If \(b = b'\), then \(\mathcal{B}\) outputs 0. Otherwise, it outputs 1.
We now show that the security game is correctly simulated. Since \(\mathcal{B}_{IBE}\), \(\mathcal{B}_{ABE}\), and \(\mathcal{B}_{CDE}\) set \(PP_{IBE}\), \(PP_{ABE}\), and \(PP_{CDE}\) with the same generator \(g\) given in the assumption, and they all internally set the master key as \(g^{a^{q+1}}\), the public parameters are correctly generated. The private key is also correct since it can be transformed from the private key of IBE with the random \(\theta\). Moreover, the attribute key is easily simulated with \(\theta\) as the master key. Furthermore, we show that the decryption key is correctly generated. The real form of the master key in the decryption key is \(g^{\alpha+\beta}\), and we set it as \(g^{a^{q+1}}\). We consider the cases in which two out of the three conditions are satisfied. In each case, \(\mathcal{B}\) uses only one sub-simulator to obtain the private key and computes the remaining parts itself. Consequently, the decryption key is generated with the master key \(g^{a^{q+1}}\). Finally, we show that the challenge ciphertext is correct. Each challenge ciphertext header is generated with the same element \(g^{c}\) given in the assumption, so they are correctly generated.
If \(Z = Z_{0} = e(g,g)^{a^{q+1}c}\), then \(\mathcal{A}_{O}\) plays the proper security game since \(CT^{*}_{ID^{*},\mathbb{A}^{*},T^{*}}\) is correctly distributed. Then we have \(\Pr[\mathcal{B}(D, Z_{0}) = 0] = \frac{1}{2} + \textbf{Adv}_{\mathcal{A}}\). If \(Z = Z_{1}\) is a random element in \(\mathbb{G}_{T}\), then \(CT^{*}_{ID^{*},\mathbb{A}^{*},T^{*}}\) is independent of the chosen symmetric key and message, and therefore the advantage of \(\mathcal{A}_{O}\) is exactly 0. That is, we have \(\Pr[\mathcal{B}(D, Z_{1}) = 0] = \frac{1}{2}\). Thus the advantage of \(\mathcal{B}\) is obtained as
Therefore, \(\mathcal{B}\) has a non-negligible advantage in solving the n-RW1 problem. □
Lemma 2
The PCABE scheme is selectively IND-CPA secure against an inside adversary if the n-RW1 assumption holds.
Proof
Suppose there exists an inside adversary \(\mathcal{A}_{I}\), defined in Section “Definitions”, that breaks our PCABE scheme with non-negligible advantage, and a meta-simulator \(\mathcal{B}\) that solves the n-RW1 problem by using \(\mathcal{A}_{I}\). We build \(\mathcal{B}\) identically to the meta-simulator in the proof of Lemma 1 except for the Setup and Query phases. The differing procedures are as follows:
Setup: \(PP\) is generated as in the proof of Lemma 1, and \(\mathcal{B}\) gives \(PP = (GDS, PP_{IA}, PP_{AA})\) and \(MK_{AA} = \theta\) to \(\mathcal{A}_{I}\).
Query 1: \(\mathcal{A}_{I}\) adaptively requests a polynomial number of private key and decryption key queries. Since \(\mathcal{A}_{I}\) can create \(AK_{S}\) for every \(S\) of its choice, it cannot request any attribute keys, nor decryption keys for \((ID \neq ID^{*}) \wedge (S \in \mathbb{A}^{*}) \wedge (T \ge T^{*})\). The remaining queries are simulated identically to the proof of Lemma 1.
The correctness of the simulation and advantages are as in the proof of Lemma 1. □
B.2 The Proof of Theorem 2
To prove that the GenDecKey protocol is secure, we show that the VBK is EUF-CAA. The VBK is generated from an attribute key, and the attribute key is a private key of the CP-ABE scheme of Rouselakis and Waters [30]. Therefore, the security of the VBK depends on the security of the underlying CP-ABE scheme.
Proof
Suppose there exists an adversary \(\mathcal{F}\) that forges a VBK with a non-negligible advantage, and a simulator \(\mathcal{B}\) that attacks CP-ABE using \(\mathcal{F}\). In addition, there is a CP-ABE simulator \(\mathcal{S}_{ABE}\) for \(\mathcal{B}\). \(\mathcal{B}\) interacts with \(\mathcal{F}\) in the following security game:
Setup: Given \(PP_{ABE}\), \(\mathcal{B}\) generates \(\tilde{v} = g^{\eta}\) for a random exponent \(\eta \in \mathbb{Z}_{p}\) and sets \(PP_{AA} = (PP_{ABE}, \tilde{v})\). Then it sends \(PP_{AA}\) to \(\mathcal{F}\).
Query: \(\mathcal{F}\) adaptively requests a polynomial number of private keys and verifiably blinded keys for any set \(S\) of attributes. For the private key queries, \(\mathcal{B}\) obtains the attribute key \(AK_{S}\) of the set \(S\) from \(\mathcal{S}_{ABE}\) and gives it to \(\mathcal{F}\). For the verifiably blinded key queries, \(\mathcal{B}\) first obtains the attribute key \(AK_{S}\) from \(\mathcal{S}_{ABE}\) and computes \(VBK_{S}\) by using \(\tilde{v}\). Then it provides \(\mathcal{F}\) with \(VBK_{S}\) as the response.
Output: Finally, \(\mathcal{F}\) outputs a forged \(VBK_{S^{*}} = \big(BK_{0}, BK_{1}, \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k}, BK_{4}\big)\) on the challenge set of attributes \(S^{*}\). \(\mathcal{F}\) must never have requested a blinded key query for \(S^{*}\). \(\mathcal{B}\) checks the validity of \(VBK_{S^{*}}\), and if it is invalid, then \(\mathcal{B}\) aborts the game. Otherwise, \(\mathcal{B}\) computes \(K_{0} = BK_{0} \cdot (BK_{4})^{-\eta}\) and derives the attribute key \(AK_{S^{*}} = (K_{0}, BK_{1}, \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k})\). It submits two challenge messages \(M_{0}^{*}, M_{1}^{*}\) and a challenge access structure \(\mathbb{A}^{*}\) such that \(S^{*} \in \mathbb{A}^{*}\) to \(\mathcal{S}_{ABE}\). \(\mathcal{B}\) receives the challenge ciphertext \(CT_{b}^{*}\) and decrypts it with \(AK_{S^{*}}\). Finally, it outputs the guess \(b'\).
\(AK_{S^{*}}\) is a valid attribute key if the forged \(VBK_{S^{*}}\) is valid. Therefore, \(\mathcal{B}\) is able to decrypt the challenge ciphertext, and its guess is correct whenever \(\mathcal{F}\) wins the game. □
Cite this article
Eom, J., Lee, D. H., and Lee, K., Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System. J. Med. Syst. 40, 253 (2016). https://doi.org/10.1007/s1091601606213
Keywords
 Electronic health records
 Patient control
 Data privacy
 Cloud computing