Privacy Preservation for Outsourced Medical Data with ... - IEEE Xplore

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2810243, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. Digital Object Identifier 10.1109/ACCESS.2017.DOI

Privacy Preservation for Outsourced Medical Data with Flexible Access Control XINGGUANG ZHOU1 , JIANWEI LIU1 , QIANHONG WU1 , AND ZONGYANG ZHANG.1, 2 1

School of Cyber Science and Technology, Beihang University, Beijing, China (e-mail: {zhouxingguang, liujianwei, qianhong.wu, zongyangzhang}@buaa.edu.cn) 2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Corresponding author: Zongyang Zhang (e-mail: [email protected]). This work was supported in part by National Key R&D Program of China (2017YFB1400700), by Beijing Natural Science Foundation (4182033), by the fund of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (No. 2017-MS-02), by Natural Science Foundation of China through projects 61672083, 61370190, 61532021, 61472429, and 61402029.

ABSTRACT Electronic medical records (EMRs) play an important role in healthcare networks. Since these records always contain considerable sensitive information regarding patients, privacy preservation for the EMR system is critical. Current schemes usually authorize a user to read one’s EMR if and only if his/her role satisfies the defined access policy. However, these existing schemes allow an adversary to link patients’ identities to their doctors. Therefore, classifications of patients’ diseases are leaked without adversaries actually seeing patients’ EMRs. To address this problem, we present two anonymous schemes. They not only achieve data confidentiality but also realize anonymity for individuals. The first scheme achieves moderate security, where adversaries choose attack targets before obtaining information from the EMR system. The second scheme achieves full security, where adversaries adaptively choose attack targets after interaction with the EMR system. We provide rigorous proof showing the security and anonymity of our schemes. In addition, we propose an approach in which EMR owners can search for their EMRs in an anonymous system. For a better user experience, we apply the “online/offline” approach to speed up data processing. Experimental results show that the time complexity for key generation and EMR encapsulation can be reduced to milliseconds. INDEX TERMS privacy preservation, security, electronic medical record.

I. INTRODUCTION

Currently, electronic medical records (EMRs) are very prominent in healthcare networks. They enables users to share their health data in a flexible and convenient way. For example, to find one’s diagnostic report, a patient or his/her doctor needs only to retrieve the information from a database rather than having to search through numerous physical documents. Health data is very sensitive, and it is a major challenge to securely store and access EMRs in modern EMR systems. As most EMRs are outsourced to the cloud, they are easily exposed to potential threats and vulnerable to leakage, loss, and theft [1]. To prevent EMRs from unauthorized access, a standard solution is to perform an encryption before uploading them to the cloud. Specifically, an EMR owner encrypts an EMR using a symmetric key, and only authorized medical staff are auVOLUME 4, 2016

thorized to access and decrypt it. However, data sharing becomes inflexible in this case. Two potential issues are the complicated key management and repetitive encryption [2]: as patients usually do not know who is allowed to access their EMRs, they encrypt many pieces with distinct session keys and distribute the keys to different medical staff members. The approach to accessing users’ data needs to be flexible enough to address changes in users’ roles [3]. Several schemes adopting attribute-based encryption (ABE) have been presented for fine-grained access control [4], [5]. Users with attributes satisfying the access policy can decapsulate the EMR data. In addition, some advanced mechanisms, consisting of a multi-authority model in an outsourcing system [6] and a view-based access control [7] that allows patients to specify a list of authorized/unauthorized users, have recently been proposed. Role-based access control 1

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2810243, IEEE Access X.Zhou et al.: Preparation of Papers for IEEE ACCESS

schemes (RBACs) [8] also allow fine-grained access control. They define a role-based policy for a hierarchical organization with identity-based broadcast encryption (HIBBE). While the above proposals achieve data confidentiality in the EMR system, privacy preservation for patients is still an unresolved issue. For example, an EMR of the patient “Lucy” is uploaded to the cloud, and no attacker can read the encrypted EMR. If the doctor is an expert in the hepatitis disease, an attacker can infer that Lucy may carry hepatitis B without decrypting her EMR. This means that an attacker can obtain her disease-related information by linking Lucy to her doctor, even without seeing the detailed EMR. This means that adversaries possess the capacity that no matter if the EMRs are encrypted or not, adversaries can deduce the EMR owners’ diseases based on some experience, such as the acquired identity-related information. Therefore, if there is an anonymous scheme that obfuscates the identity of the patient during an examination, adversaries can only determine that “someone” carries hepatitis B without knowing who it is. Thus, the patient’s privacy is preserved. A. OUR CONTRIBUTIONS

We design two anonymous schemes, denoted as “RBACAnony” and “RBACAnony-F”, to preserve patients’ privacy in an EMR system with role-based access control. We present competing models and a high level demonstration of rigorous proof. In brief, our schemes have the advantage of data confidentiality, identity anonymity and access control flexibility. Technical details are highlighted as follows. RBACAnony. This scheme is built on a bilinear group with two subgroups [9], and a patient’s identity information is hidden in one of the subgroups. The identity-related element in this subgroup is indistinguishable from a random element chosen from the bilinear group. Therefore, an attacker cannot distinguish a patient’s identity from a random string. In addition, an attacker chooses the targeted identities he/she wishes to attack before the system is set up. This means that an attacker of the RBACAnony scheme cannot obtain any experience prior to attacking. RBACAnony-F. This scheme is built on a bilinear group with four subgroups [10], and a patient’s identity information is hidden in one of the composite-order subgroups. The identity-related element in this subgroup cannot be distinguished from an element randomly chosen from the same subgroup. Therefore, an attacker cannot distinguish the patient’s identity from a random string. In addition, an attacker adaptively gives out the targeted identities he/she wishes to attack after interacting with the EMR system. This means that an attacker of the RBACAnony-F scheme can accumulate experience before attacking and thus possesses a stronger ability to attack. Versatile access control. A user encapsulates the EMR using an on-demand access policy. This policy enables oneto-many encryption, where the EMR is encrypted once and different medical staff members are allowed to access it. 2

Scalable data sharing. Senior medical staff members are allowed to delegate access privileges to their subordinates. Anonymous search. A patient and his doctors can link themselves to the targeted EMR, but outsiders cannot. B. RELATED WORK

Access control [11] is widely adopted in the EMR system to protect patients’ health data. Access control policies are specified by some pieces of legislation, i.e., health insurance portability and accountability act (HIPAA) [12], electronic documents [13], and company rules or regulations. The legislation regulates who can access and how they can operate the stored EMRs. Two solutions are usually used to support flexible access control. One solution is to use attributebased encryption [14], [15]. As attributes can be applied to describe users’ privileges, data owners determine the access policies. The other solution is to use role-based access control schemes [8], where each user’s identity denotes a role and one is allowed to gain access permission if his role belongs to a defined policy. However, there is still a lack of consideration regarding the identity privacy of EMR owners. Anonymization techniques can be used to guarantee users’ identity privacy [16]. For example, some anonymous ABE schemes address not only data privacy but also identity privacy [17], [18]. These schemes provide an analysis of confidentiality, anonymity and flexibility. In practice, an unaddressed challenge to real-world deployment remains: healthcare organizations are usually structured hierarchically, with data being shared among many users. In a previous work, we achieved anonymous role-based access control in this kind of organization with a moderate security level, where an attacker must output the targeted identities before communication with the EMR system [19]. This scheme is denoted as RBACAnony in this paper. We additionally propose a new scheme in the current work, denoted as RBACAnony-F, where an attacker can adaptively output the targeted identities after interaction with the EMR system. Both schemes preserve patients’ privacy in a healthcare network. The anonymous algorithms in [10], [20] are used to achieve patient privacy for RBACAnony and RBACAnony-F, respectively. II. PRELIMINARIES A. NOTATIONS

We introduce several notations to simplify the illustration of our scheme. For ease of description, we borrow notations from [8], as summarized in Table 1. B. BILINEAR GROUPS

Let G be a group generation algorithm that takes a security parameter λ as its input and outputs the description of a bilinear group (N, G, GT , e). In the case where G outputs (N = p1 p2 p3 p4 , G, GT , e), where p1 , p2 , p3 , p4 are distinct prime factors, G and GT are cyclic groups of order N = p1 p2 p3 p4 , and e : G × G → GT is an efficient bilinear VOLUME 4, 2016



TABLE 1: Notations Description Security parameter Identity of a patient Atom role of medical staff member Role of medical staff member − → Atom role set for R Access policy Atom role set for P − → Prefix of R, defined as {(R1 , ..., Rd0 ) : d0 ≤ d} S − → − Prefix of P, defined as → P ref ( R) R∈P Master secret key − → Secret key for a role R Electronic medical record Header of an uploaded EMR Message encapsulation key Ciphertext for the encapsulated EMR Collision resistant hash function {0, 1}? → ZN Secure symmetric encryption algorithm Secure symmetric decryption algorithm Probabilistic polynomial time

map satisfying the following two properties: (i) bilinearity: for all g, h ∈ G and all a, b ∈ ZN , e(g a , hb ) = e(g, h)ab ; (ii) non-degeneracy: there exists at least a generator g in G such that e(g, g) generates GT . We respectively denote the subgroups of order p1 , p2 , p3 , p4 in G as Gp1 , Gp2 , Gp3 and Gp4 . We use Gpi pj (1 ≤ i, j ≤ 4) to denote the subgroup of order pi pj in G. These four subgroups additionally satisfy the orthogonality property, i.e., ∀hi ∈ Gpi and hj ∈ Gpj for i 6= j, e(hj , hj ) = 1. Composite-order bilinear groups were first introduced in [9] and are widely used as tools for constructing cryptographic primitives [21].

related information in the system such that adversaries cannot infer patients’ personal information. The adversaries include the dishonest internal staff and the malicious external attackers.

7UXVWHG $XWKRULW\

$GPLQLVWUDWH

2XW3DWLHQW1XUVH

&ORXG6HUYHU

EMR EMR

(OHFWULF0HGLFDO5HFRUG ,QTXLU\DQG'LDJQRVLV

ĞƉĂƌƚŵĞŶƚŽĨƐƵƌŐĞƌǇ

ĞƉĂƌƚŵĞŶƚŽĨĐŽƐŵĞƚŽůŽŐǇ

ŚŝĞĨ ŽĐƚŽƌ

ƐƐŽĐŝĂƚĞ ŽĐƚŽƌ ƵƚǇŽĐƚŽƌ ŽĐƚŽƌ

ŚŝĞĨ ŽĐƚŽƌ

,ĞĂĚ EƵƌƐĞ ƵƚǇEƵƌƐĞ

EƵƌƐĞ

ƐƐŽĐŝĂƚĞ ŽĐƚŽƌ ƵƚǇŽĐƚŽƌ ŽĐƚŽƌ

,ĞĂĚ EƵƌƐĞ ƵƚǇEƵƌƐĞ

EƵƌƐĞ

FIGURE 1: System architecture: a typical healthcare network

B. SECURITY REQUIREMENTS

In practice, all entities are likely to attack an EMR system. A dishonest party may try to obtain useful information from encrypted data that it is not authorized to access or to divert instructions from the system regarding benefits (e.g., with false information in medical disputes). Multiple dishonest parties may collude to achieve this goal. In the context of these attacks, the EMR system is expected to meet the following security requirements. •

VOLUME 4, 2016

3DWLHQW

3DWLHQW

2XW3DWLHQW'RFWRU

III. SYSTEM MODEL A. SYSTEM ARCHITECTURE

We describe a typical healthcare network in Figure. 1. It mainly includes three entities: the trusted keying authority (TKA), the patient and the medical staff. The TKA is trusted in the system and is responsible for generating and distributing system parameters, rooting master keys, and authorizing top-level medical staff and patients. The patient is identified by his/her name or identity. The patient and his/her responsible medical staff are the EMR owners. The top-level medical staff member delegates privileges to his subordinates, which forms a tree-like organization. Each staff member is identified by a role vector consisting of ordered atom roles. For instance, the role vector for an intern doctor, consisting of ordered atom roles “chief doctor, associate doctor, intern doctor”, is administrated by the associate doctor, whose atoms roles are “chief doctor, associate doctor”. We assign the chief doctor, the associate doctor and the intern doctor to one access policy for a certain patient. Each user can encapsulate the patient’s EMR, but only the one whose role satisfies the defined access policy or the patient himself can decapsulate it. We hide all the identity-

3DWLHQW

3DWLHQW

ĂĂ

Notation λ ID R − → R − S→ R P SP − → P ref ( R) P ref (P) M SK → − SK R EM R Hdr K CT H SymEnc SymDec PPT

•

Data Confidentiality. Personal data needs to be encrypted before being uploaded and securely stored on the cloud until an entitled recipient downloads and decrypts it. Specifically, only the users whose roles satisfy the associated access policy have the privilege to access the data, with all other unauthorized entities not able to obtain any useful information from the encrypted data, even if they collude with each other. Identity Anonymity. Identity-related information needs to be hidden, as individual privacy is vulnerable to loss, theft, and illegal transactions. When a user’s identity is hidden in an EMR system, it decreases the possibility of an adversary guessing that user’s identity such that hardly any third party can obtain useful patient information.

C. SECURITY MODELS

Our security models include the semantic security model, anonymity model and full anonymity model. The semantic security model is used to meet the requirement of data confidentiality, while the anonymity model and the full anonymity model are used to meet the requirement of identity anonymity. We define them according to the security games played between an adversary A and a challenger. 3



1) Semantic Security Model

We adopt the selective security notion [8], i.e., an adversary must present the set of medical staff roles and the identity of the patient it wishes to attack before the system is set up. Init. The adversary A outputs a challenge access policy set P ∗ and a challenge identity ID∗ . Setup. The challenger runs the Setup algorithm to obtain public key P K and gives it to the adversary A. Query Phase 1. The adversary A adaptively issues two kinds of queries: • Upon receiving a secret key query for a medical staff → − → − member associated with a role R such that R ∈ / → − P ref (P ? ), the challenger generates a secret key for R and gives it to A. • Upon receiving a secret key query for patients with an identity ID such that ID 6= ID? , the challenger generates a secret key for ID and gives it to A. Challenge. When the adversary A decides that it has obtained enough secret keys, it outputs two equal-length EMR files EM R0 , EM R1 that it wishes to challenge. The challenger picks a random bit β ∈ {0, 1} and encapsulates the EM Rβ under the challenge access policy set P ∗ and the challenge identity ID∗ . It gives A the challenge ciphertext (Hdr, En), where En is the output of the encapsulation of EM Rβ . Query Phase 2. Phase 1 is repeated adaptively. Guess. The adversary A outputs a guess β 0 ∈ {0, 1} and wins the game if β 0 = β. We require that no polynomial time adversary can distinguish a ciphertext of a challenge EMR from a ciphertext of a random message with the challenge access policy set P ∗ and the challenge patient’s identity ID∗ . 2) Anonymity model

The Init, Setup, and Query phases are the same as that in the semantic security model. Challenge. When an adversary A decides that it has obtained enough secret keys, it outputs two equal-length EMRs EM R0 , EM R1 regarding what it wishes to be challenged. The challenger picks a random bit β ∈ {0, 1}. If β = 0, it generates the header Hdr of the ciphertext under the challenge access policy set P ∗ and the challenge identity ID∗ and encapsulates EM R0 . If β = 1, it generates the header of the ciphertext under a random access policy set and a random patient’s identity and encapsulates EM R1 . It gives A the challenge ciphertext (Hdr, En), where En is the output of the encapsulation of EM Rβ . Guess. The adversary A outputs a guess β 0 and wins the game if β 0 = β. We require that no polynomial time adversary can distinguish a ciphertext of the challenge EMR with the challenge 4

access policy set P ∗ and the challenge patient’s identity ID∗ from a ciphertext of the challenge EMR with a random access policy set and a random patient’s identity. 3) Full Secure Anonymity Model

In the full secure anonymity model, instead of committing the challenge access policy P ∗ and the challenge identity ID∗ it wishes to attack before the system is set up, the adversary A can adaptively decide to output the challenge access policy set and identity during the system interaction. Clearly, this model achieves a stronger security level. Specifically, there is no Init phase in the full secure anonymity model. The adversary A outputs a challenge access policy set P ∗ and a challenge patient’s identity ID∗ that it wishes to attack after it issues sufficient key queries in the Query phase. The challenge access policy set P ∗ and the challenge identity ID∗ should satisfy the following: for all the secret key queries for → − → − roles R and identity ID in Query Phase 1, R ∈ / P ref (P ∗ ) ? and ID 6= ID . IV. RBACANONY CONSTRUCTION A. OUR PROPOSAL

Our RBACAnony scheme is based on the HIBE scheme proposed by Boneh et al. [22] and the RBAC scheme proposed by Liu et al. [8] and offers an efficient approach to supporting hierarchical access control. The property is motivated by Seo et al. [20] and is achieved by leveraging bilinear groups with composite order N = pq. Elements in the public parameters are utilized in two separate layers: “key generation layer" and “anonymity layer". Elements in the “key generation layer" are in the subgroup Gp . They provide the secret key and master secret key functionality. Elements in the “anonymity layer" are hidden by the elements in the subgroup Gq , which helps to ensure anonymity. In this way, we offer information regarding the subgroup Gp in the “key generation layer" while maintaining our scheme’s anonymity with the help of the "anonymity layer". Setup(λ, n). The setup algorithm is run by the TKA. We assume that patient identities and medical staff roles are elements in ZN . A secure symmetric encryption scheme with algorithms SymEnc(K, EM R) and SymDec(K, En) and a collision resistant hash H : {0, 1}∗ → ZN are employed in our scheme. The TKA picks a random exponent R α ← ZN , random elements ω, gp , g, f, u, gh , {hi }i∈[1,n] in Gp , and random elements gq , Rg , Rf , Ru , Rh , {Rhi }i∈[1,n] in Gq . Next, it computes E = e(g, ω), G = g · Rg , F = f · Rf , U = u · Ru , H = gh · Rh , {Hi = hi · Rhi }i∈[1,n] The public key P K includes the description of compositeorder bilinear groups (N, G, GT , e), and P K = gp , gq , G, F, U, H, {Hi }i∈[1,n] , E The master key is M SK = ω, p, q, g, f, u, gh , {hi }i∈[1,n] and is kept by the TKA. VOLUME 4, 2016



→ − KeyGenM(P K, M SK, R). For any medical staff member → − associated with role R = (R1 , ..., Rd ), denote I = {i : − }. When a medical staff member wants to join the Ri ∈ S→ R system, he should first be authenticated by the TKA. Next, if he is a top-level medical staff member, the TKA generates a → − secret key SK R for him. The TKA picks random exponents R r1 , r2 , s1 , s2 , t1 , t2 ← ZN satisfying s1 · t2 − s2 · t1 6= 0 mod p and s1 ·t2 −s2 ·t1 6= 0 mod q. If the equations do not hold, the TKA picks other random exponents and repeats the → − R procedure. It outputs the secret key SK , which consists of → − two subkeys: the subkey SKdR is used for decryption and del→ − egation, and the subkey SKrR is used for re-randomization. → − SKdR

Y r1 r1 r1 Ri r2 r1 r2 = ω u hi f , g , g , gh , {hj }

→ − SKrR

i∈I Y s 1 i = u hR f s2 , g s1 , g s2 , ghs1 , {hsj 1 }, i i∈I

Y t1 t1 t1 t2 t1 t2 i u hR f , g , g , g , {h } i j h i∈I

In the above equations, j ∈ o[1, n]\I. Finally, the TKA n → − → − → − outputs SK R = SKdR , SKrR for the medical staff. − →0

KeyDelegM(P K, SK R , R). The secret key for a low-level − → → − medical staff member associated with a role R = (R0 , R) is derived from a given secret key of his supervisor at a higher− → − → − → − → R0 R0 R0 level SK = (SKd , SKr ) associated with a role R0 , where − →0 SKdR = ad,0 , ad,1 , ad,2 , ad,3 , {bd,j }j∈[1,n]\I 0 n − →0 SKrR = ar,0 , ar,1 , ar,2 , ar,3 , {br,j }j∈[1,n]\I 0 , o a0r,0 , a0r,1 , a0r,2 , a0r,3 , {b0r,j }j∈[1,n]\I 0 and I 0 = {i : Ri ∈ S−→0 }. The high-level medical staff R

→ −

member generates a secret key SK R for the low-level one → − R that also consists of two parts: the decryption part SKd and → − the re-randomization part SKrR . → − For the decryption part SKdR , the high-level medical staff R member picks random exponents γ1 , δ1 ← ZN and delegates the secret key for the low-level one by using → − SKdR = d1 , d2 , d3 , d4 , {dj }j∈[1,n]\I =   γ1 δ1 R R 0 0 R   a (b ) · a (b ) · a (b )   d,0 d,i r,0 r,i r,0 r,i    i∈I\I 0  δ

δ

δ

1 1 1 1 1 1 ad,1 · aγr,1 · a0 r,1 , ad,2 · aγr,2 · a0 r,2 , ad,3 · aγr,3 · a0 r,3     δ1 {bd,j · bγr,j1 · b0 r,j }j∈[1,n]\I

   

− }. Finally, the delegated secret key where I = {i : Ri ∈ S→ R → −

SKdR can be attained in the form VOLUME 4, 2016

Y re1 → − r e1 r e1 r e2 r e1 r e2 i } , g , g , g , {h f SKdR = ω u · hR j i h i∈I

where j ∈ [1, n]\I and re1 r1 s1 = + re2 r2 s2

t1 t2

γ1 δ1

→ −

It follows that SKdR is well formed, appearing as if it was generated directly by the TKA using the KeyGenM algorithm. → − To delegate SKrR , the high-level medical staff member R picks random exponents γ2 , δ2 , γ3 , δ3 ← ZN satisfying gpγ2 ·δ3 −γ3 ·δ2 6= 1 and gqγ2 ·δ3 −γ3 ·δ2 6= 1. Then, he delegates the secret key by using ( ) → − dr,1 , dr,2 , dr,3 , dr,4 , {dr,j }j∈[1,n]\I , R = SKr = d0r,1 , d0r,2 , d0r,3 , d0r,4 , {d0r,j }j∈[1,n]\I   γ2 δ2  γ2 0 δ2  R 0 0 R  , ar,1 · a r,1 , · a r,0 (br,i )     ar,0 (br,i )   i∈I\I 0       γ2 γ2 γ2 0 δ2 0 δ2 0 δ2   ar,2 · a r,2 , ar,3 · a r,3 , {br,j · b r,j }j∈[1,n]\I , γ3  δ3  R δ3 3    , aγr,1 · a0 r,1 , ar,0 (bR ) · a0 r,0 (b0r,i ) r,i   0   i∈I\I       γ3 γ3 γ3   0 δ3 0 δ3 0 δ3 a · a , a · a , {b · b } r,2

r,2

r,3

r,3

r,j

Finally, the delegated secret key

→ −

SKrR

r,j j∈[1,n]\I

→ − SKrR

can be rewritten as

  Y se1  Ri s e1 s e1  s e2 s e1 s e2  u· hi f , g , g , gh , {hj },       i∈I = e Y t1   e e e e e  i   hR f t2 , g t1 , g t2 , ght1 , {htj1 }    i   u· i∈I

where j ∈ [1, n]\I and se1 e t1 s1 = e s2 se2 t2

t1 t2

γ2 δ2

γ3 δ3

In conclusion, by running KeyDelegM, the delegated secret key is well formed, appearing as if it was generated directly by the TKA using KeyGenM. KeyGenP(P K, M SK, ID). When a patient with identity ID wants to access his own EMR, the TKA first authorizes him and then assigns him a secret key. The TKA picks a R random exponent r10 , r20 ← ZN and outputs SK ID = d01 , d02 , d03 , {d0j }j∈[1,n] n o 0 0 0 0 r0 = ω(ughID )r1 f r2 , g r1 , g r2 , {hj 1 }j∈[1,n] EMREnc(P K, ID, P, EM R). For an access policy P, denote I = {i : Ri ∈ SP }. When an EMR needs to be encapsulated under a patient’s identity ID and an access policy P, the user (the patient or the medical staff member) R first picks a random exponent s ← ZN and random elements 5



R

Z1 , Z2 , Z3 ← Gq . Note that these random elements in Gq can be chosen by raising gq to random exponents from ZN . Next, the user computes the header Hdr as follows: Hdr = {C1 , C2 , C3 } s Y ={Gs · Z1 , F s · Z2 , U H ID HiRi Z3 } i∈I

Then, the user generates a session key K = E s and computes En = SymEnc(K, EM R). The encapsulated EMR is output as CT = (Hdr, En) = (C1 , C2 , C3 , En). → −

EMRDecM(P K, ID, (Hdr, En), SK R ). To retrieve the session key K, the medical staff member with a role satisfying the access policy P can use his secret key to compute Q i , C e d1 · dID dR 1 4 · i K=

i∈I\I

e (d2 , C3 ) · e (d3 , C2 )

Finally, EM R = SymDec(K, En) is run to obtain the EMR. Correctness. Assume that CT = ((C1 , C2 , C3 ), En) is a well-formed ciphertext. The medical staff decapsulation algorithm can → correctly recover the EMR file with a valid − → − secret key SK R , where R ∈ P ref (P) due to the following: Q Ri r1 r2 r1 ·ID Q s i r1 e w u hi f · gh · (hR i ) ,g K=

i∈I

e g r1 , u ·

ghID

·

Q i∈I

i∈I\I Ri s hi e (g r2 , f s )

=e(g, ω)s The second equation holds since e(hp , hq ) = 1 for hp ∈ Gp and hq ∈ Gq . EMRDecP(P K, ID, (Hdr, En), SK ID ). The patient with identity ID can decapsulate his own EMR using his secret key. We denote I = {i : Ri ∈ SP }. The patient computes the session key Q R e d01 · d0 j i , C1 i∈I K= e (d02 , C3 ) · e (d03 , C2 ) Finally, he runs SymDec(K, En) to recover his EMR. Correctness. Assume that CT = ((C1 , C2 , C3 ), En) is a well-formed ciphertext. A patient can recover his EMR according to the following equations. r0 1 r0 Q r01 Ri s e w · u · hID f 2 · (hi ) , g h i∈I K= = e(g, ω)s s Q 0 0 R ID i r r s 1 2 e g , u · gh · hi · e (g , f ) i∈I

6

B. SECURITY ANALYSIS

We showed that the RBACAnony scheme is selectively secure and anonymous in Sections III-C1 and III-C2, respectively. We now validate these characteristics via the following games between an adversary and a challenger. • CT1 of Game1 : ((C1 , C2 , C3 , ), En) • CT2 of Game2 : ((C1 , C2 , C3 , ), En · Rp ) • CT3 of Game3 : ((C1 , C2 , C3 , ), En · R = REn ) • CT4 of Game4 : ((R1 , C2 , C3 , ), REn ) • CT5 of Game5 : ((R1 , R2 , R3 , ), REn ) where Rp is randomly chosen from GT,p , R and REn are uniformly distributed in GT , and R1 , R2 , and R3 are uniformly distributed in G. Proof. We develop the proof via contradiction. Assume that a PPT adversary can break the RBACAnony scheme. We then solve a series of difficult-to-solve mathematical assumptions: l-BDHE assumption, BSD assumption, l-cDH assumption and l-cDHE assumption [19]. Since no PPT algorithm can be used to solve these assumptions, we reach a contradiction and conclude that RBACAnony is secure. If the group generator algorithm G satisfies the BDHE assumption and the BSD assumption, then no PPT adversary can distinguish Game1 and Game3 . The ciphertext of Game3 does not leak any information regarding the EMR data since the component corresponding to the EMR is a random group element. If G satisfies the cDH assumption and the cDHE assumption, then no PPT adversary can distinguish Game3 and Game5 . The ciphertext of Game5 does not leak any information regarding the roles of medical staff members and the identity of the patient, as the components related to the roles and identity are random group elements. Concrete proof of this is given in our previous work [19]. V. ACHIEVING FULL SECURE ANONYMITY A. OUR PROPOSAL

In this section, we show how to achieve full anonymity privilege control in RBACAnony-F. We apply the idea of an anonymous HIBE [10] to our RBAC. A user first chooses an access policy, which can be regarded as a broadcast group with all entitled identities. He only needs to encapsulate the EMR once and allows different medical staff members to decapsulate if their identities belong to this broadcast group. Note that the work in [23] also proposed an anonymous HIBBE scheme. The main difference lies in the fact that the patients are identified individually in our scheme, while they are allowed access to their own EMRs in [23]. Thus, we consider the patients’ identities in addition to the access policy group when we design the broadcast encryption algorithm. Setup(λ, n). The TKA chooses a bilinear group G of order N = p1 p2 p3 p4 . Then, it chooses random elements Y1 , X1 , u1 , ..., un , uP ∈ Gp1 , Y3 ∈ Gp3 , X4 , Y4 ∈ Gp4 , and α ∈ ZN and outputs the public key P K {N, Y1 , Y3 , Y4 , uP , {ui }i∈[1,n] , x = X1 X4 , A = e(Y1 , Y1 )α } and master secret key M SK = {X1 , α}. VOLUME 4, 2016



→ − KeyGenM(P K, M SK, R). For any medical staff member → − − }. with a role R = (R1 , ..., Rd ), I denotes {i : Ri ∈ S→ R When a top-level medical staff member wants to join the system, the TKA first authenticates him. It then chooses random elements r1 , r2 ∈ ZN , Rm,1 , Rm,2 , {Tm,j }j∈[1,n]\I ∈ Gp3 for m ∈ {1, 2} and RP1 , RP2 ∈ Gp3 and outputs the secret → − → − → − → − key SK R = (SKdR , SKrR ), where SKdR is used for de→ − cryption and SKrR is used for re-randomization delegation. → − SKdR = K1,1 , K1,2 , {K1,j }j∈[1,n]\I , KP1 Y   r i r1 uR  Y1 1 R1,1 , Y1α (X1 i ) R1,2 , = i∈I   {urj 1 T1,j }j∈[1,n]\I , urP1 RP1

i∈I − →0

  0 0 r e1 e   R , K (K ) 1,1   1,1 2,1   0 0 r e1 0 Ri 0 r e1 Ri e = K1,2 (K2,2 ) ((K1,i ) (K2,i ) )i∈I\I 0 · R1,2 ,      {K 0 (K 0 )re1 Te } 0 0 r e1 e 1,j j∈[1,n]\I , KP (KP ) RP 1,j 2,j 1

→ −

SKrR

2

2

2

− }. The delegated secret key can be where I = {i : Ri ∈ S→ R finally attained in the form   Y rˆ1 ˆ Ri rˆ1 ˆ α   Y R , Y (X u ) R ,   1,1 1 1,2 1 1 i → − i∈I SKdR =   rˆ1 ˆ  {urˆ1 Tˆ }  1,j j∈[1,n]\I , uP RP1 j   Y rˆ2 ˆ Ri rˆ2 ˆ   Y R , (X u ) R ,   2,1 1 2,2 1 i → − R i∈I SKr =   rˆ2 ˆ  {urˆ2 Tˆ }  2,j j∈[1,n]\I , u RP j

P

EMRDecM(P K, ID, (Hdr, En), SK R ). To retrieve session key K, the medical staff member with the role satisfying the access policy P can use his secret key to compute Q Ri e(K1,2 · KPID · i∈I\I K1,i , C2 ) 1 K= e(K1,1 , C1 ) Then, he runs EM R = SymDec(K, En) to recover the EMR. Correctness. Assume that CT = ((C1 , C2 ), En) is a wellformed ciphertext. EMRDecM can→ correctly recover the EM− → − R file using a valid secret key SK R , where R ∈ P ref (P) because

1

( ) 0 e2,1 , (K 0 )re2 ((K 0 )re2 Ri )i∈I\I 0 · R e2,2 , (K2,1 )re2 R 2,2 2,i = 0 eP {(K2,j )re2 Te2,j }j∈[1,n]\I , (KP0 )re2 R

2

The new secret key has the same distributions as if it was computed using KeyGenM with randomness rˆ1 = r1 + r2 re1 and rˆ2 = r2 re2 . KeyGenP(P K, M SK, ID). When a patient with identity ID wants to access his own EMR, the TKA authorizes him VOLUME 4, 2016

Then, the user generates session key K = As and computes En = SymEnc(K, EM R). Finally, the encapsulated EMR is output as CT = (Hdr, En) = (C1 , C2 , En). → −

KeyDelegM(P K, SK R , R). For the low-level medical − → → − staff member with the role R = (R0 , R), his secret key is derived from a given secret key of his supervisor, who → − is at a higher-level associated with the role R 0 . We −→ denote 0 0 R I = {i : Ri ∈ S−→0 }. Given a secret key SK , the R high-level medical staff member picks random components em,1 , R em,2 , {Tem,j }j∈[1,n]\I ∈ Gp for m ∈ re1 , re2 ∈ ZN , R 3 eP , R eP ∈ Gp and computes {1, 2}, and R 1 2 3

→ −

EMREnc(P K, ID, P, EM R). For an access policy P, denote I = {i : Ri ∈ SP }. When an EMR file needs to be encapsulated under the access policy P and the patient’s identity ID, the userrandomly picks s ∈ ZN and Z, Z 0 ∈ Gp4 and computes the header Hdr as follows: Y s s 0 i ID Hdr = {C1 , C2 } = {( uR i uP x) Z, Y1 Z } i∈I

→ − SKrR = K2,1 , K2,2 , {K2,j }j∈[1,n]\I , KP2 = Y r2 r2 i r2 Y1r2 R2,1 , (X1 uR i ) R2,2 , {uj T2,j }j∈[1,n]\I , uP RP2

SKdR

and randomly chooses r10 ∈ ZN , R10 , {Tj }j∈[1,n] ∈ Gp3 . The TKA then outputs SK ID = dp1 , dp2 , {dpj }j∈[1,n] n 0 o r r10 r10 0 = Y1 1 R10 , Y1α (uID P X1 ) R1 , {uj Tj }j∈[1,n]

K=

Q s i ID r1 e(Y1 , Y1 )αs · e((X1 i∈I uR i uP ) , Y1 ) = As Q r1 Ri ID e(Y1 , ( i∈I ui uP X1 )s )

EMRDecP(P K, P, (Hdr, En), SK ID ). The patient with identity ID can decapsulate his EMR using his secret key. We denote I = {i : Ri ∈ SP }. The patient computes a session key Q i e(dp2 · i∈I dR pi , C2 ) K= e(dp1 , C1 ) Then, he runs EM R = SymDec(K, En) to recover the EMR. Correctness. Assuming that CT = ((C1 , C2 ), En) is a well-formed ciphertext, a patient can correctly recover his EMR using the following equalities: Q r10 s i ID e(Y1 , Y1 )αs · e(( i∈I uR i uP X1 ) , Y1 ) K= = As 0 Q r i ID s) e(Y1 1 , ( i∈I uR u X ) 1 i P 7



B. SECURITY ANALYSIS

In this subsection, we provide a security analysis to demonstrate that RBACAnony-F is fully anonymous. We apply the dual system encryption technique introduced by Lewko [24], which has been used as a powerful tool for security analysis. In the proof, ciphertexts (CT s) and secret keys (SKs) can take one of two indistinguishable forms: normal form and semi-functional form, with the correlation shown in Table 2. Since the two kinds of ciphertexts and keys are indistinguishable, a simulator is able to replace the normal key and ciphertext with the semi-functional ones in security games. When both the ciphertext and key are semi-functional, an adversary can obtain no information regarding the challenge ciphertext since the given key is not able to decapsulate the challenge ciphertext. TABLE 2: Normal/semi-functional key and ciphertext Normal SK Semi SK

Normal CT decryption allowed decryption allowed

Semi CT decryption allowed decryption not allowed

Semi-functional Ciphertext. The users run the EMREnc algorithm to construct a normal ciphertext (C10 , C20 , En0 ). Then, they choose random exponents x, zc ∈ ZN and set C1 = C10 g2xzc , C2 = C20 g2x , En0 = En. Semi-functional Key for Medical Staff. For the medical → − staff member with→ role R, TKA runs KeyGenM to generate − R 0 0 0 , K1,2 , {K1,j }j∈[1,n]\I , KP0 1 } normal keys SK 0 d = {K1,1 → − R

0 0 0 , K2,2 , {K2,j }j∈[1,n]\I , KP0 2 }. Then, and SK 0 r = {K2,1 it chooses random exponents z, γ, zk , zP1 , zP2 ∈ ZN and {zm,j }j∈[1,n]\I ∈ ZN for m ∈ {1, 2}. The semi-functional key can be set as ( ) 0 0 → − K1,1 · g2γ , K1,2 · g2γ·zk , R SKd = γ·z γz 0 {K1,j · g2 1,j }j∈[1,n]\I , KP0 1 · g2 P1

→ − SKrR

( =

0 0 K2,1 · g2z·γ , K2,2 · g2z·γ·zk , z·γz2,j

0 · g2 {K1,j

) z·γ·zP2

}j∈[1,n]\I , KP0 2 · g2

It can be seen that the EMRDecM algorithm will correctly output the EM R when decrypting a semi-functional ciphertext using a semi-functional key since the added elements in Gp2 can be cleared due to the orthogonality property. However, the blinding factor will be P multiplied by an additional term e(g2 ,P g2 )γx(zk +zP1 ID+ i∈I\I z1,i Ri −zc ) . If zc = zk + zP1 ID + i∈I\I z1,i Ri , then decryption still works. Here, we regard the key for the medical staff as nominally semi-functional. Semi-functional Key for Patient. For the patient with the identity ID, the TKA runs the KeyGenP algorithm to generate the normal key SK ID = {d0p1 , d0p2 , {d0pj }l∈[1,n] }. Then, it chooses random exponents γ, zek , {e zj }j∈[1,n] ∈ ZN . The semi-functional key can be set as n o γe z SK ID = d0p1 · g2γ , d0p2 · g2γ·ezk , {d0pj · g2 j }j∈[1,n] 8

The EMRDecP algorithm will correctly output the EM R when decrypting a semi-functional ciphertext using a semifunctional key. The blinding factorPwill be multiplied by an additional term e(g2 , g2 )γx(ezk + i∈I zei Ri −zc ) . If zc = P zek + i∈I zei Ri , then decryption still works. In this case, we regard the key for the patient as nominally semi-functional. We can verify the security and anonymity via a series of games. Gamereal : This game is a real game for RBACAnony-F, which describes the real interaction between the adversary and the EMR system. Gamereal0 : This game is the same as Gamereal except that all the secret key queries are answered by the secret key generation algorithm, not by the secret key delegation algorithm. Gamerestrict : This game is the same as Gamereal0 except that the adversary cannot query secret keys for the roles that are prefixes of the challenge role modulo p2 . Namely, −→ → − for any queried role R = (R1 , R2 , · · · , Rd ), ∃ R∗ = (R∗1 , R∗2 , · · · , R∗d0 ) ∈ P ref (P ∗ ) with d0 ≤ d, s.t. ∀i ∈ [1, d0 ], Ri = R∗i mod p2 , where P ∗ is the challenge access policy, is not allowed. Gamek : This game is identical to Gamerestrict except that the challenge ciphertext given to the adversary is semifunctional and the first k keys are semi-functional (0 ≤ k ≤ q). We note that in Game0 , only the challenge ciphertext is semi-functional; in Gameq , all secret keys and ciphertext are semi-functional. Gamef inal0 : This game is identical to Gameq except that the challenge ciphertext is a semi-functional encapsulation, with the component corresponding to the EMR being a random message in GT . Thus, the ciphertext is independent from the messages provided by the adversary. Gamef inal : This game is identical to Gamef inal0 except that the challenge ciphertext is semi-functional, with the components related to the roles and identity being random group elements in the subgroup Gp1 p2 p4 . Thus, the ciphertext is independent from the roles and identity provided by the adversary. Proof. In the appendix, we show that no polynomial time adversary can distinguish Gamereal and Gamef inal . The ciphertext of Gamef inal0 does not leak any information regarding the EMR file. The ciphertext of Gamef inal does not leak any information regarding the roles of the medical staff and the identity of the patient. Thus, data confidentiality and identity anonymity are achieved. VI. ANONYMOUS SEARCH

The EMR system may receive queries from the patient or the medical staff to search for someone’s EMR. To respond to a search query, we set up an approach that links the EMR owners to their encapsulated EMR. We tag two labels, ID0 VOLUME 4, 2016



and P 0 , with each ciphertext CT , forming (CTi , IDi0 , Pi0 ). Assume that the total number of stored EMRs is m, i ∈ [1, m]. ID0 and P 0 represent the hidden identity of the patient and the hidden roles of the medical staff, respectively, such that outsiders cannot identify them. Regarding the patient and medical staff, the following operations show how they can determine their EMR. SearchInitial. In this phase, we generate some parameters necessary for the subsequent searching work. Let G0 be a bilinear group of prime order p and g be a generator of G0 . For a generated ciphertext CTi , the ith patient with identity IDi randomly chooses an element xIDi ← G0 , and the ith group of the medical staff in access policy Pi randomly chooses an element xRi ← G0 . Then, they compute a session key SKi : SKi ← g xIDi ·xRi mod n. n is a large prime number. The session key is owned only by the patient with identity IDi and his responsible medical staff in access policy Pi . SearchLabelCreate. In this phase, we create the search labels: IDi0 and Pi0 . IDi0 which can be obtained by applying a hash function to IDi : IDi0 ← H(IDi ). Pi0 can be obtained by applying the symmetric encryption algorithm SymEnc with the session key SKi to the atom roles {Rij } in Pi : {R0ij ← SymEnc(Rij , SKi )}, j ∈ {j : Rij ∈ SPi }. {R0ij } constitute the atom roles for Pi0 . Then, the labels IDi0 and Pi0 are tagged with CTi , yielding (CTi , IDi0 , Pi0 ). Search. When a patient with identity ID tries to search for his EMR (or when one of his doctors tries to do this), he first hashes the identity ID and obtains H(ID). Then, he searches through the various IDi0 in all patients’ labels and pinpoints the one whose value equals H(ID). When he obtains the index i, he uses his session key to decrypt the roles for the medical staff: {Rij ← SymDec(R0ij , SKi )}. {Rij } are the atom roles in access policy Pi . When the patient knows the access policy Pi of a medical staff member and his identity, he can decapsulate CTi using the corresponding secret key. VII. IMPROVING USER EXPERIENCE

To achieve the perfect user experience, we speed up the data processing in the key generation and EMR encapsulation procedures. We apply online/offline cryptography [25] to our scheme. The online/offline technique was initiated by Goldreich and Micali [26] for signature schemes. Guo et al. [27] extended the offline algorithm to the identity-based encryption system. Briefly, the online/offline technique splits the encryption or key generation process into two phases: the offline phase, in which most of the complex computations are first executed by assuming a set of random identities, and the online phase, in which only simple computations are performed to produce the ciphertext or secret key once the identities are available. In this way, we show how to move the computational work for key generation and EMR encapsulation offline. The following offline/online algorithms are VOLUME 4, 2016

based on the RBACAnony scheme, while the algorithm for the RBACAnony-F scheme is omitted due to it having similar procedures and results. Offline.KeyGenM(P K, M SK). The offline KeyGenM algorithm takes as its input the public parameters and master key, excluding the medical staff role. We assume a random −→ role RB with bound B on the maximum number of atom roles, which can be used to generate a secret key. Denote −→ − → }, where RB = (x1 , x2 , ..., xB ) and IB = {i : xi ∈ S− RB xi are randomly chosen from ZN and regarded as intermediate atom roles. The algorithm picks random exponents R r1 , r2 , s1 , s2 , t1 , t2 ← ZN satisfying s1 · t2 − s2 · t1 6= 0 mod p and mod q. Then, it generates the intermediate secret key − − → − − → − − → RB RB SK , which consists of two subkeys: SKd and SKrRB . − − → SKdRB can be written in the following form: ( !r1 ) Y r1 xi r1 r2 r1 r2 f , g , g , gh , {hj }j∈[1,n]\IB ω u hi i∈IB − − →

{hrj 1 }j∈[1,n] can be pre-computed here. SKrRB has a form − − →

similar to that of SKdRB , but it is not used for EMR encapsulation. We can view the procedure as key generation for the −→ intermediate role RB = (x1 , x2 , ..., xB ). The work done in the offline phase is roughly equivalent to the work carried out for the regular KeyGenM algorithm. − − → → − Online.KeyGenM(SK RB , R). The online KeyGenM algo− − → rithm takes as its input the intermediate secret key SK RB from the offline KeyGenM algorithm and the real role of → − a medical staff member R = (R1 , ..., Rd≤B ). Denote − }. The algorithm computes the “correction I = {i : Ri ∈ S→ R factors” Ki = r1 · (Ri − xi ) mod N for i ∈ I. The subkey → − SKdR for the medical staff is output in the following form: !r1 ) ( Y f r2 , g r1 , g r2 , ghr1 , {hrj 1 }j∈[1,n]\I , {Ki }i∈I ω u hxi i i∈I = d1 , d2 , d3 , d4 , {dj }j∈[1,n]\I , {Ki }i∈I → −

The subkey SKrR is output with a form similar to that of → − SKdR but without the elements {Ki }i∈I . The dominant cost → − in the online phase is || R|| multiplications for generating {Ki = r1 · (Ri − xi )}i∈I . Since the offline/online algorithm of key delegation follows the same procedure as that in the KeyGenM phase, we omit the details of that process. The dominant cost in the online key delegation procedure is only one multiplication. Offline.EMREnc(P K). The offline EMREnc algorithm takes as its input only the public parameters. We assume a random access policy PB with bound B on the maximum number of atom roles, which can be used to generate a ciphertext. Denote IB = {i : zi ∈ SPB }, where zi are randomly chosen from ZN and regarded as intermediate atom R roles. The algorithm selects y ← ZN , which is assumed 9



to be the intermediate patient identity. Then, the algorithm R picks a random element s ← ZN and random elements R Z1 , Z2 , Z3 ← Gq . Finally, it computes the intermediate header HdrIT as follows: HdrIT = {C1 , C2 , C3 } s o n Y = Gs · Z1 , F s · Z2 , U H y Hizi Z3 i∈IB

The header generated in the offline phase is roughly equivalent to the work of the regular EMREnc algorithm. Online.EMREnc(HdrIT , Id, P, EM R). The online EMREnc algorithm takes as its input the intermediate header HdrIT from the offline EMREnc algorithm, a patient identity ID, an access policy P and the EM R. Denote I = {i : Ri ∈ SP }, and note that I ⊆ IB since we have assumed the maximum bound B on the number of atom roles. The algorithm computes the “correction factors” C4,i = s · (Ri − zi ) and C5 = s · (Id − y) for i ∈ I. Then, it outputs the ciphertext header Hdr = {C1 , C2 , C3 , {C4,i }i∈I , C5 } n s o Y = Gs · Z 1 , F s · Z 2 , U H y Hizi Z3 , {C4,i }i∈I , C5 i∈I

As the symmetric encryption time En = SymEnc(K, EM R) is relatively fast, the cost of EMR encapsulation can be ignored. The dominant cost in the online phase is (||P|| + 1) multiplications in ZN for generating {C4,i = s·(Ri −zi )}i∈I and C5 = s · (Id − y). Finally, we should verify that the EMR can be correctly decapsulated after the online/offline algorithm is applied. The encapsulation key K is calculated using Q Ki Id Q Ri e d1 · di , C1 hi · d4 · i∈I

i∈I\I

K= Q C e d2 , C3 · Hi 4,i · H C5 · e (d3 , C2 ) i∈I

K can be extracted as K = e(g, ω)s from the above expression. Finally, an EMR can be exactly recovered by running EM R = SymDec(K, En).

Table 4 compares four schemes in terms of anonymity, order of the bilinear group and performance. We denote RBACAnony as “Ours & Scheme-I”, RBACAnony-F as “Ours & Scheme-II”, and our schemes with the user experience improvement as “Ours & Improved”. B. EXPERIMENTAL PERFORMANCE

We conduct the experiment using an Intel Core i7 processor with 8 GB of RAM and a 2.6 GHZ CPU clock. We use an elliptic curve type A1 with the expression y 2 = x3 + x for the Tate symmetric pairing. The group order of ZN is set to 512 bits, and the element size in G is also configured to 512 bits. The experiment is executed using the jPBC library (http://gas.dia.unisa.it/projects/jpbc/index.html). We test the operational time required for key generation, key delegation, EMR encapsulation and decapsulation for medical staff. We show the performance results in Figure. 2(a)-(e). Figure. 2(f) and Figure. 2(g) show the operational time after the user experience is improved. IX. CONCLUSION

In this paper, we propose two anonymous RBAC schemes for the EMR system. We achieve flexible access control such that the EMR data can be encapsulated according to an on-demand access policy, with only users whose roles satisfy the access policy being able to decapsulate it. Patients’ privacy is preserved using a bilinear group, where all the identity-related information is hidden in a subgroup. Based on the chosen bilinear group assumptions, we prove that our proposed models have the property of semantic security and anonymity. We apply the “online/ offline” approach to achieve a better user experience. . APPENDIX A PROOF OF SECURITY OF RBACANONY-F

The security proof is based on the following assumptions. Assumption1. Given group generator G, we define the following distribution: R

G =(N = p1 p2 p3 p4 , G, GT , e) ← G R

VIII. PERFORMANCE ANALYSIS A. THEORETICAL ANALYSIS

Table 3 shows the efficiency of our proposed scheme in detail. The system parameters, the master secret key and the other secret keys (for the medical staff and patients) are linearly proportional to the maximum number of atom roles. The header contains only three group elements in G, achieving ciphertext with a constant size and being independent of the maximal depth of the hierarchy for the access policy set kPk. In Table 3, we denote te as one exponent operation time in G, tm as one multiplication operation time in G and tp as one pairing operation time. In the procedures of KeyGenM, KeyDelegM, KeyGenP, and EMREnc, exponentiations can be pre-computed by choosing random exponents. 10

R

R

R

g1 , A1 ← Gp1 , A2 , B2 ← Gp2 , g3 ← Gp3 , g4 , B4 ← Gp4 D =(G, g1 , g3 , g4 , A1 A2 , B2 B4 ) Then, this assumption determines whether the given element R R T ← Gp1 p2 p4 or T ← Gp1 p4 . The advantage of an algorithm A that outputs β ∈ {0, 1} in breaking Assumption 1 is defined as i h R Pr A D, T ← G = 1 p1 p2 p4 1 h i − Adv1A (λ) = R − Pr A D, T ← G =1 2 p1 p4

Definition I. G satisfies Assumption 1 if Adv1A (λ) is negligible for any polynomial-time algorithm A. VOLUME 4, 2016


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2810243, IEEE Access X.Zhou et al.: Preparation of Papers for IEEE ACCESS 10

TABLE 3: Efficiency of the proposed schemes TABLERBACAnony III: The efficiency ofroles the proposed schemes scheme with n atom roles with n atom RBACAnony-F

M SK size

7 roles RBACAnony withnn+atom RBACAnony-F scheme with2 n atom roles − → − → ++ 7 4 − k Rk) 3 ·n(n 2 ·2(n + 3 − k Rk) → − Id − → − → R sizesize 3 +2 SKSK 3 · (n + 4 −nk+ Rk) 2 · (n + 3 − knRk) Id size SKHdr size n+3 3 n+2 2 − → HdrKeyGenM size 3e + (3k Rk + 4)tm time 3 · (n + 5)t (n + 26)te + (2n + 7)tm − → − → → KeyGenM time time 3 · (n +(31 5)te++6n (3k−Rk + 4)tm (n + 6)t + 7)t− e+ m KeyDelegM 6k Rk)t + (8 + (2n 2n e e+ − → − − →− 2k Rk)t → − → KeyDelegM time (31 + 6n+ −4n 6k Rk)t + m (8 + 2n(2−+2k3n Rk)t eRk)t e +Rk)tm (23 − 4k − 3k − → − → (23 + 4n Rk)t (2 + (n 3n + − 4)t 3k Rk)t m + 4)tm KeyGenP time (n − +4k 5)t 3tm e +m e + (n KeyGenP time (n + 5)t + 3t (n + 4)t + (n e e + (kPk m m EMREnc time (kPk + 5)t + 4)tm (kPke+ 3)te++4)t (kPk + 3)tm → − → + 3)tm EMREnc time (kPk + 5)te− + (kPk + 4)t (kPk + 3)te + (kPk EMRDecM time (1 + kPk− − k Rk)(te + tm )m+ 3tp + tm (1 + kPk → − → − k Rk)(te + tm ) + 2tp EMRDecM time − k Rk)(te++t tm) )++3t 3tp+ +ttm (1 + kPk − (kPk)(t k Rk)(te ++tm p EMRDecP time (1 + kPk (kPk)(t tm) )++2t2t e m p m e p EMRDecP time (kPk)(te + tm ) + 3tp + tm (kPk)(te + tm ) + 2tp → −

M SK R size size

TABLE 4: Comparison related TABLE IV: Comparison withwith related workwork Anonymity Anonymity

[8][8]

×× √√

[20] [20] Ours Ours&& Scheme-I Scheme-I Ours Ours&& Scheme-II Scheme-II Ours & Ours & Improved

√√ √√ √

Improved

Order Generation Order of of Key Key Generation Bilinear Group bilinear group TimeTime

Key Delegation Key Delegation Time Time

EMR Enc Number Number of EMR Enc of Time Time paring inpairings in EMR Dec EMR Dec 6)te + (n e++6)te + + 4)te + (n +(n 6)t+e + (n + 6)t (kPk +(kPk 4)te + → − → − prime order (k Rk (k+ Rk (n m + 5)tm (kPk +(kPk 2 prime order 1)t+m1)tm (n + 5)t 3)tm+ +3)t th m + th 2 − → − → 3 · (n 4)t+e + (25 +(25 6n + − 6n 6k Rk)t + e +(kPk +(kPk 4)te + 3 ·+(n 4)te + − 6keRk)t + 4)te + − → − − → → − → composite order 4)t+m4)tm(18 +(18 4n + − 4n 4k Rk)t 4)tm+ 4)tm 3 composite order(3k Rk (3k+ Rk − 4kmRk)tm (kPk +(kPk 3 − → − → 3 · (n 5)t+e + (31 +(31 6n + − 6n 6k Rk)t + e +(kPk +(kPk 5)te + 3 ·+(n 5)te + − 6keRk)t + 5)te + − → − − → →4)t − → composite order 4n + − 4n 4k Rk)t 4)tm+ 4)tm 3 m composite order(3k Rk (3k+ Rk +m4)tm(23 +(23 Rk)tm (kPk +(kPk 3 − →− 4k − → (n +(n 6)t+e + (8 + 2n − 2k Rk)t + (kPk + 3)t e e+ 6)te + (8 + 2n − − 2k Rk)te + (kPk + 3)te + → − → composite order + 7)t+m7)t (2 + 3n − 3n 3k Rk)t 3)tm+ 3)t 2 composite order (2n (2n (2 + − 3kmRk)t (kPk +(kPk 2 m

√

composite order

composite order

m

− → → || R|| − · tm

1 · tm

|| R|| · tm

m

(||P|| + 1)tm

1 · tm

(||P|| + 1)tm

2,000

3

3

1,500 Scheme-I Scheme-II

1,500

4,000 1,150

1,000

1,000

800

2,000

500

450 0

0 1

2

3

4

5

Scheme-I

6

7

8

0

9 10 0

Scheme-II

(a) Secret key generation time (ms)

2

3

4

5

6

7

8

9

EMRDecM1 EMRDecM2 EMRDecM3 EMRDecM4 EMRDecM5 EMRDecM6 EMRDecM7 EMRDecM8 EMRDecM9 EMRDecM10

5,000 4,000 3,000 2,000

10

15

20

25

30

25

30

35

Scheme-II

15

20

25

30

35

(d) Scheme-I: EMR decapsulation (ms)

2 1.8

1.15

1.6 1.1

1.4 1.2

1

(e) Scheme-II: EMR decapsulation (ms)

10

Number of Atom Roles in Access Policy (N )

35

Number of Atom Roles in Access Policy (N )

100

2.2 1.2

1.05 10

20

(c) EMR encapsulation time (ms)

1,000 200

15

Scheme-I

10

(b) Secret key delegation time (ms)

6,000

5

2

3

4

5

6

7

8

10 20 30 40 50 60 70 80 90 100 Number of Atom Roles in Access Policy

9 10

(f) Improved KeyGenM time (ms)

(g) Improved encapsulation time (ms)

Fig. 2: Experimental results results for the for proposed system system FIGURE 2: Experimental the proposed

VOLUME 4, 2016

11



Assumption2. Given group generator G, we define the following distribution: R

G = (N = p1 p2 p3 p4 , G, GT , e) ← G, R

R

R

R

g1 , A1 ← Gp1 , A2 , B2 ← Gp2 , g3 , B3 ← Gp3 , g4 ← Gp4 D = (G, g1 , g3 , g4 , A1 A2 , B2 B3 ) Then, this assumption determines whether the given element R R T ← Gp1 p2 p3 or T ← Gp1 p3 . The advantage of an algorithm A that outputs β ∈ {0, 1} in breaking Assumption 2 is defined as i h R Pr A D, T ← G = 1 p1 p2 p3 1 h i − Adv2A (λ) = R − Pr A D, T ← G =1 2 p1 p3

Definition II. G satisfies Assumption 2 if Adv2A (λ) is negligible for any polynomial-time algorithm A. Assumption3. Given group generator G, we define the following distribution: R

G = (N = p1 p2 p3 p4 , G, GT , e) ← G, R

R

R

R

α, s, r ← ZN , g1 ← Gp1 , g2 , A2 , B2 ← Gp2 , g3 ← Gp3 , R

g4 ← Gp4 , D = (G, g1 , g2 , g3 , g4 , g1α A2 , g1s B2 , g2r , Ar2 ) Then, this assumption determines whether the given element T ←e(g1 , g1 )αs or T ←GT . The advantage of an algorithm A that outputs β ∈ {0, 1} in breaking Assumption 3 is defined as Pr [A (D, T ←e(g , g )αs ) = 1] 1 1 1 Adv3A (λ) = − − Pr [A (D, T ←GT ) = 1] 2 Definition III. G satisfies Assumption 3 if Adv3A (λ) is negligible for any polynomial-time algorithm A. Assumption4. Given group generator G, we define the following distribution: R

G = (N = p1 p2 p3 p4 , G, GT , e) ← G, R

R

R

s, rˆ ← ZN , g1 , U, A1 ← Gp1 , g2 , A2 , B2 , D2 , F2 ← Gp2 , R

R

R

g3 ← Gp3 , g4 , A4 , B4 , D4 ← Gp4 , A24 , B24 , D24 ← Gp2 p4 D= (G, g1 , g2 , g3 , g4 , U, U s A24 , U rˆ, A1 A4 , Ar1Â2 , g1rˆB2 , g1s B24 ) Then, this assumption determines whether the given element T ←As1 D24 or T ←Gp1 p2 p4 . The advantage of an algorithm A that outputs β ∈ {0, 1} in breaking Assumption 4 is defined as Pr [A (D, T ←As D ) = 1] 1 24 1 Adv4A (λ) = − − Pr [A (D, T ←Gp1 p2 p4 ) = 1] 2 Definition IV. G satisfies Assumption 4 if Adv4A (λ) is negligible for any polynomial-time algorithm A. 12

Now, we provide the proof showing that Gamereal , Gamereal0 , Gamerestrict , Gamek , Gamef inal0 , and Gamef inal are indistinguishable from each other. Lemma 5.1. For any algorithm GameReal AdvA = GameReal0 AdvA .

A,

it

holds

that

Proof. We note that the secret keys are identically distributed whether they are generated by the key generation algorithm or by the key delegation algorithm. Therefore, there is no difference between GameReal AdvA and GameReal0 AdvA from the adversary’s perspective. Lemma 5.2. Suppose that there is a PPT algorithm A such that GameReal AdvA - GameRestricted AdvA = 1 . We can build a PPT algorithm B with the advantage 1 /3 in breaking Assumption 1. Proof. If there exists an adversary A who can distinguish GameRestricted from GameReal with advantage 1 , then based on the definition of GameRestricted , A knows that it submits its own secret key query for the role −→ → − R = (R1 , R2 , · · · , Rd ) from others satisfying ∃ R∗ = (R∗1 , R∗2 , · · · , R∗d0 ) ∈ P ref (P ∗ ) with d0 ≤ d, s.t. ∀i ∈ [1, d0 ], Ri = R∗i mod p2 . Then, the factor of N can be extracted by computing gcd(Ri − R∗i , N ), from which we can build an algorithm similar to that introduced in the proof of Lemma 3.3 in [10] that can break Assumption 1 with advantage 1 /3. We omit the details to avoid repetition. Lemma 5.3. Suppose that there is a PPT algorithm A such that GameRestricted AdvA - Game0 AdvA = 2 . We can build a PPT algorithm B with the advantage 2 in breaking Assumption 1. Proof. B receives (G, g1 , g3 , g4 , A1 A2 , B2 B4 , T ) of Assumption 1, and it needs to determine whether T is in Gp1 p4 or in Gp1 p2 p4 . B chooses random exponents α, {ai }i∈[1,n] , a, b, c ∈ ZN and sets Y1 = g1 , Y3 = g4 , Y4 = g3 , X4 = Y4c , X1 = Y1b , uP = Y1a and ui = Y1ai for i ∈ [1, n]. Then, B gives the public key P K = (N, Y1 , Y3 , Y4 , x = X1 X4 , {ui }i∈[1,n] , uP , A = e(Y1 , Y1 )α ) to adversary A. B knows the master key M SK = (X1 , α) and thus can answer all queries from A in the secret key query phase. In the challenge phase, A sends B two equal-length EMRs EM R0 , EM R1 with a challenge access policy P ∗ and a change identity ID∗ . B flips a random coin β ∈ {0, 1} and returns the challenge ciphertext {C1∗ , C2∗ , En∗ } = {T

P

i∈I∗

∗ ai R∗ i +aID +b

, T, SymEnc(e(T, Y1 )α , EM Rβ )}

R

If G ← Gp1 p4 , then T can be written as Y1s1 Y3s3 with random s1 , s3 ← ZN . In this case, (C1∗ , C2∗ , En∗ ) is a R normal ciphertext, and B simulates GameRestricted . If G ← s1 s s3 Gp1 p2 p4 , then T can be written as Y1 g2 Y3 . In this case, (C1∗ , C2∗ , En∗ ) is a semi-functional ciphertext according to its definition, and B simulates Game0 . VOLUME 4, 2016



Lemma 5.4. Suppose that there is a PPT algorithm A such that Gamek−1 AdvA - Gamek AdvA = 3 . We can build a PPT algorithm B with the advantage 3 in breaking Assumption 2. Setup. B receives (G, g1 , g3 , g4 , A1 A2 , B2 B3 , T ) of Assumption 2, and it needs to determine whether T is in Gp1 p3 or in Gp1 p2 p3 . B chooses random exponents α, {ai }i∈[1,n] , a, b, c ∈ ZN and sets Y1 = g1 , Y3 = g3 , Y4 = g4 , X4 = Y4c , X1 = Y1b , uP = Y1a and ui = Y1ai for i ∈ [1, n]. Then, B gives the public key P K = (N, Y1 , Y3 , Y4 , x = X1 X4 , {ui }i∈[1,n] , uP , A = e(Y1 , Y1 )α ) to adversary A. The master key M SK = (X1 , α) is kept by B.

( SK

• •

ID

=

r0

0

r1 w e l T Y1 1 (B2 B3 )f , Y1α (B2 B3 )w (uID P X1 ) Y3 , r0

{uj 1 (B2 B3 )wj }j∈[1,n]

We consider B2 as g2s for random s ← ZN . It can be seen that the generated secret key is semi-functional because γ = s·f , γ·e zk = s·w and {γ·e zj = s·wj }j∈[1,n] . When l > k, B creates a normal secret key by calling the KeyGenP algorithm. When l = k, B creates the kth secret key. B lets zek = a·ID, chooses random ∈ ZN , exponents w, {wj }j∈[1,n] w and sets SK ID = T, Y1α T zek Y3w , {T aj Y3 j }j∈[1,n] . R

If T ← Gp1 p3 , then all components in this secret Secret Key Query for Medical Staff. When A requests the key are in Gp1 p3 . Hence, it is a normal secret key. If th l secret key for the medical staff member with the role R r0 − → T ← Gp1 p2 p3 , then T can be written as Y1 1 g2s Y3r3 with − }, we Rl = (Rl,1 , ..., Rl,d ), where I = {i : Rl,i ∈ S→ R s, r3 ∈ ZN . Hence, it is a semi-functional secret key need to consider three cases: l < k, l > k and l = k. with γ = s, r10 = r10 . • When l < k, B creates a semi-functional secret key. It selects random exponents Challenge. A sends B two equal-length EMRs EM R0 , EM R1 r1 , r2 , f, z, w, w1 , w2 , wP1 , wP2 and {wm,j }j∈[1,n]\[I] with a challenge access policy P ∗ and a change identity for m ∈ {1, 2} from ZN . ID∗ . B flips a random coin β ∈ {0, 1} and returns to Y R A the challenge P ciphertext C ∗ = {C1∗ , C2∗ , En∗ }, where ( r1 l,j f α w r1 w1 ) ∗ ∗ 0 Y (B B ) , Y (B B ) ( u X ) Y ∗ 2 3 2 3 1 1 1 3 i → − C1 = (A1 A2 ) i∈I∗ ai Ri +aID +b Y4z , A1 A2 Y4z , C2∗ = SKdR = i∈I α ∗ SymEnc(e(A1 A2 , Y1 ) , C3 = EM Rβ ), and I∗ = {i : {urj 1 (B2 B3 )w1,j }j∈[1,n]\I , urP1 (B2 B3 )wP1 R∗i ∈ SP ∗ }. P Y R ( r2 l,j zf zw r2 w2 ) This ciphertext is semi-functional, with z = c Y (B B ) , (B B ) ( u X ) Y i∈I∗ ai Ri + 2 3 2 3 1 1 3 i → − ∗ R aID + b. Since the role associated with the kth secret key SKr = i∈I r2 r2 w2,j wP2 for the medical staff is not a prefix of the challenge role R∗ {uj (B2 B3 ) }j∈[1,n]\I , uP (B2 B3 ) modulo p2 and the identity associated with the kth secret We consider B2 as g2s for random s ← ZN . It can key for the patient is not the challenge identity ID∗ modulo be seen that the generated secret key is semi-functional p2 , zk + zek and zc will appear to be randomly distributed because γ = s · f , γ · zk = s · w and γ · zPm = s · wPm to adversary A. If B tries to test whether the kth key is for m ∈ {1, 2}. semi-functional or not via the above procedure by creating −→ • When l > k, B creates a normal secret key by calling a semi-functional ciphertext for Rk ∈ P P ref (P) and IDk , the KeyGenM algorithm. then we will have zc = zk + zek + i∈I\I ai Ri , where • When l = k, B creates the kth secret key. B lets − } and I = {i : Ri ∈ SP }; thus, the I = {i : Ri ∈ S→ P R zk = a R + b, chooses random exponents i k,i decryption also works. In other words, simulator B can create i∈I r20 , w1 , w2 , wP1 , wP2 ∈ ZN and {wm,j } ∈ ZN for only a nominally semi-functional key for the kth key query. j ∈ [1, n]\I,m ∈ {1, 2}, and sets R Guess. If T ← Gp1 p3 , all components in the kth secret key → − R α zk w1 aj w1,j a wP1 generated by B are in Gp1 p3 . Hence, it is a normal secret SKd = T, Y1 T Y3 , {T Y3 }, T Y3 R → − 0 0 0 0 w w key. In this case, B simulates Gamek−1 . Otherwise, T ← SKrR = T r2 , T r2 ·zk Y3w2 , {T r2 ·aj Y3 2,j }, T r2 ·a Y3 P2 Gp1 p2 p3 ; hence, the kth secret key is semi-functional. In this R case, B simulates Gamek . If A has the advantage 3 when If T ← Gp1 p3 , then all components in this secret R distinguishing the two games, B can distinguish T ← Gp1 p3 key are in Gp1 p3 . Hence, it is a normal secret key. If 0 R R r from T ← Gp1 p2 p3 with advantage 3 . T ← Gp1 p2 p3 , then T can be written as Y1 1 g2s Y3r3 with s, r3 ∈ ZN . Hence, it is a semi-functional secret key Lemma 5.5. Suppose that there is a PPT algorithm A such with γ = s, z = r20 , r1 = r10 , r2 = r10 r20 . 0 Adv = . We can build a PPthat Game Adv - Game q

Secret Key Query for Patient. When A requests the l secret key for the patient with identity IDl , we need to consider three cases: l < k, l > k and l = k. • When l < k, B creates a semi-functional secret key. It does this by selecting random exponents r10 , w, w, e {wj }j∈[1,n] from ZN . th

VOLUME 4, 2016

A

f inal

A

4

T algorithm B with the advantage 4 in breaking Assumption 3.

Setup. B receives (G, g1 , g2 , g3 , g4 , g1α A2 , g1s B2 , g2r , Ar2 , T ) of Assumption 3, and it determines whether T ←e(g1 , g1 )αs R or T ← GT . B chooses random exponents {ai }i∈[1,n] , a, b, c ∈ ZN and sets Y1 = g1 , Y3 = g3 , Y4 = g4 , X4 = 13


)


Y4c , X1 = Y1b , uP = Y1a and ui = Y1ai for i ∈ [1, n]. Then, B gives the public key P K = (N, Y1 , Y3 , Y4 , x = X1 X4 , {ui }i∈[1,n] , uP , A = e(g1α A2 , Y1 ) = e(Y1 , Y1 )α ) to adversary A. The master key M SK = (X1 , α) is kept by B. Secret Key Query for Medical Staff. When A requests a secret key for the medical staff member with the → − role R = (R1 , ..., Rd ), where I = {i : Ri ∈ − }, B creates a semi-functional key by choosing ranS→ R dom exponents r1 , r2 , z, z 0 , zP1 , zP2 , wP1 , wP2 ∈ ZN and wm,1 , wm,2 , {wm,j , zm,j }j∈[1,n]\I ∈ ZN for m ∈ {1, 2}.

→ − SKdR

→ −

SKrR

0 Y R w ) ( r1 z w1,1 α Y1 g2 Y3 , (g1 A2 )g2z ( ui l,j X1 )r1 Y3 1,2 i∈I = w z r1 z1,j w1,j {uj g2 Y3 }j∈[1,n]\I , urP1 g2P1 Y3 P1 w ) ( r2 r z w2,1 r r z0 Y Rl,j Y1 (g2 ) Y3 , A2 (g2 ) ( ui X1 )r2 Y3 2,2 i∈I = z w z w {urj 2 g22,j Y3 2,j }j∈[1,n]\I , urP2 g2P2 Y3 P2

We note that this secret key is semi-functional.

( SK

=

0

e2 r1 w Y1r1 g2z Y3we1 , (g1α A2 )g2z (uID P X1 ) Y3 , z

w1,j

{urj 1 g21,j Y3

Secret Key Query for Medical Staff. When A requests a secret key for the medical staff member with the role → − R = (Rl,1 , ..., Rl,d ), where I = {i : Ri ∈ − }, B creates a semi-functional key by choosing ranS→ R dom exponents r1 , r2 , wP1 , wP2 , zP1 , zP2 ∈ ZN and wm,1 , wm,2 , {wm,j , zm,j }j∈[1,n]\I ∈ ZN for m ∈ {1, 2}. → − SKdR

=

→ −

)

}j∈[1,n]

We note that this secret key is semi-functional. Challenge. A sends B two equal-length EMRs EM R0 , EM R1 with a challenge access policy P ∗ and a change identity ID∗ . B flips a random coin β ∈ {0, 1} and returns to A the semi-functional CT ∗ = {C1∗ , C2∗ , En∗ }, P ciphertext ∗ ∗ 0 ∗ s ∗ ai Ri +aID +b i∈I where C1 = (g1 B2 ) Y4z , C2∗ = g1s B2 Y4z , C3∗ = SymEnc(T,P EM Rβ ), and I∗ = {i : R∗i ∈ SP ∗ }. We implicitly set zc = i∈I∗ ai R∗i + aID∗ + b. Guess. If T ← e(g1 , g1 ) , then B simulates Gameq since CT ∗ is a semi-functional ciphertext of the EMR EM Rβ . R If T ← GT , CT ∗ is a semi-functional ciphertext of a random message that is independent of EM Rβ . In this case, B simulates Gamef inal0 . Hence, if A has the advantage 4 in distinguishing Gameq and Gamef inal0 , then B has the advantage 4 in distinguishing the distribution of T . αs

Lemma 5.6. Suppose that there exists a PPT algorithm A such that Gamef inal0 AdvA - Gamef inal AdvA = 5 . Then, we can build a polynomial-time algorithm B with the advantage 5 in breaking Assumption 4. Proof. Assume that we are simulating the games for an adversary who can distinguish a ciphertext of the challenge EMR with the challenge access policy set P ∗ and the challenge patient identity ID∗ from a ciphertext of the challenge 14

Setup. B receives (G, g1 , g2 , g3 , g4 , U, U s A24 , U rˆ, A1 A4 , Ar1Â2 , g1rˆB2 , g1s B24 , T ) of Assumption 4, and it needs to R determine whether T ← As1 D24 or T ← Gp1 p2 p4 . B chooses random exponents {ai }i∈[1,n] , a ∈ ZN and sets Y1 = g1 , Y3 = g3 , Y4 = g4 , x = A1 A4 , uP = U a and ui = U ai for i ∈ [1, n]. B gives public key P K = (N, Y1 , Y3 , x, {ui }i∈[1,n] , uP , A = e(Y1 , Y1 )α ) to A.

SKrR =

Secret Key Query for Patient. When A requests a secret key for the patient with identity ID, B creates a semi-functional key by choosing random exponents r1 , z, z 0 , w e1 , w e2 ∈ ZN and {wj , zj }j∈[1,n] ∈ ZN . ID

EMR with a random access policy set and a random patient’s identity.

( ) P w w (g1rˆB2 )r1 Y3 1,1 , Y1α ((U rˆ) i∈I ai Ri (Ar1Â2 ))r1 Y3 1,2 z

w

z

w2,j

z

w

z

wP2

{(U rˆ)r1 aj Y2 1,j Y3 1,j }j∈[1,n]\I , (U rˆ)r1 a Y2 P1 Y3 P1 ( ) P w w (g1rˆB2 )r2 Y3 2,1 , Y1α ((U rˆ) i∈I ai Ri (Ar1Â2 ))r2 Y3 2,2 {(U rˆ)r2 aj Y2 2,j Y3

}j∈[1,n]\I , (U rˆ)r2 a Y2 P2 Y3

We note that this secret key is semi-functional. Secret Key Query for Patient. When A requests a key for the patient with identity ID, B creates a semi-functional key by choosing exponents r1 , w e1 , w e2 and {wj , zj }j∈[1,n] ∈ ZN . SK

ID

=

( ) (g1rˆB2 )r1 Y3we1 , Y1α ((U rˆ)a·ID (Ar1Â2 ))r1 Y3we2 , z

w

{(U rˆ)r1 aj Y2 j Y3 j }j∈[1,n]

We note that this secret key is semi-functional. Challenge. A sends B two equal-length EMRs EM R0 , EM R1 with a challenge access policy P ∗ and a change identity ID∗ . B chooses a random En∗ ∈ GT , flips a random coin β ∈ {0, 1}, and returns to A the semi-functional ciphertext T ∗ = {C1∗ , C2∗ , En∗ } as P

{T (U s A24 )

i∈I∗

∗ ai R∗ i +aID

, g1s B24 , En∗ }

where I∗ = {i : R∗i ∈ SP ∗ }. Guess. If T ← As1 D24 , then the adversary A generates a semi-functional ciphertext of a random message En∗ and a header Hdr∗ under the challenge access policy P ∗ and the challenge identity ID∗ . In this case, B simulates Gamef inal0 . R If T ← Gp1 p2 p4 , the adversary A generates a semi-functional ciphertext of a random message En∗ and a header Hdr∗ under the implicit random access policy set and a random patient’s identity. In this case, B simulates Gamef inal . If G satisfies the four assumptions with advantages 01 , 02 , 03 , 04 , and 05 , then the above lemmas show that no PPT adversary can distinguish Gamereal and Gamef inal with advantage 301 +02 +03 +04 +05 . The ciphertext of Gamef inal0 does not leak any information regarding the EMR data since the component corresponding to the EMR in the ciphertext is VOLUME 4, 2016



a random group element. The ciphertext of Gamef inal does not leak any information regarding the roles of the medical staff and the identity of the patient since the components corresponding to the roles and identity in the ciphertext are random group elements. REFERENCES [1] M. J. Atallah, M. Blanton, and K. B. Frikken, “Dynamic and efficient key management for access hierarchies,” ACM Trans. Inf. Syst. Secur., vol. 12, no. 3, 2009. [2] J. Huang, M. Sharaf, and C. T. Huang, “A hierarchical framework for secure and scalable ehr sharing and access control in multi-cloud,” in ICPPW 2012. IEEE, 2012, pp. 279–287. [3] M. C. Mont, P. Bramhall, and K. Harrison, “A flexible role-based secure messaging service: Exploting ibe technology for privacy in health care,” IEEE Computer Society, vol. 432, 2003. [4] J. A. Akinyele, M. W. Pagano, M. D. Green, C. U. Lehmann, Z. N. Peterson, and A. D. Rubin, “Securing electronic medical records using attribute-based encryption on mobile devices,” in SPSM 2011. ACM, 2011, pp. 75–86. [5] S. Narayan and R. Safavi-Naini, “Privacy preserving ehr system using attribute-based infrastructure,” in CCSW’10. ACM, 2010, pp. 47–52. [6] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and secure sharing of personal health records in cloud computing using attributebased encryption,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 1, pp. 131–143, 2013. [7] M. Sicuranza, A. Esposito, and M. Ciampi, “A view-based acces control model for EHR systems,” in IDC 2014. Springer, 2014, pp. 443–452. [8] W. Liu, X. Liu, J. Liu, Q. Wu, J. Zhan, and Y. Li, “Auiting and revocation enabled role-based access contrl over outsourced private ehrs,” in HPCC 2015. IEEE, 2015, pp. 336–341. [9] D. Boneh, E. J. Goh, and K. Nissim, “Evaluating 2-dnf formulas on ciphertexts,” in TCC 2005. Springer, 2005, pp. 325–341. [10] A. D. Caro, V. Iovino, and G. Persiano, “Fully secure anonymous hibe and secret-key anonymous ibe with short ciphertexts,” in International Conference on Pairing-Based Cryptography. Springer, 2010, pp. 347– 366. [11] R. J. Anderson, “Technical perspective - A chilly sense of security,” Commun. ACM, vol. 52, no. 5, p. 90, 2009. [12] Centers for Medicare & Medicaid Services, “Health insurance portability and accountability act,” 1996. [13] C. I. of Health Research, Recommendations for the Interpretation and Application of the Personal Information Protection and Electronic Documents Act (S.C. 2000, C. 5) in the Health Research Context. Canadian Institutes of Health Research, 2001. [14] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in CCS 2006. ACM, 2006, pp. 89–98. [15] L. Guo, C. Zhang, J. Sun, and Y. Fang, “Paas: A privacy-preserving attribute-based authentication system for ehealth networks,” in ICDCS 2012. IEEE, 2012, pp. 224–233. [16] J. Sedayao, “Enhancing cloud security using data anonymization,” White Paper, Intel Coporation, 2012. [17] T. Jung, X. Li, Z. Wan, and M. Wan, “Control cloud data access privilege and anonymity with fully anonymous attribute-based encryption,” IEEE Trans. Inf. Forensics Security, vol. 10, no. 1, pp. 190–199, 2015. [18] S. Sabitha and M. Rajasree, “Anonymous-cpabe: Privacy preserved content disclosure for data sharing in cloud,” in ARCS 2015. Springer, 2015, pp. 146–157. [19] X. Zhou, J. Liu, W. Liu, and Q. Wu, “Anonymous role-based access control on e-health records,” in AsiaCCS 2016. ACM, 2016, pp. 559–570. [20] J. H. Seo, T. Kobayashi, M. Ohkubo, and K. Suzuki, “Anonymous hierarchical identity-based encryption with constant size ciphertexts,” in PKC 2009. Springer, 2009, pp. 215–234. [21] A. Lewko and B. Waters, “New proof methods for attribute-based encryption: Achieving full security through selective techniques,” in CRYPTO 2012. Springer, 2012, pp. 180–198. [22] D. B. X. Boyen and E. J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in EUROCRYPT 2005. Springer, 2005, pp. 440–456. VOLUME 4, 2016

[23] M. H. Ameri, J. Mohajeri, and M. Salmasizadeh, “Efficient and provable secure anonymous hierarchical identity-based broadcast encryption (hibbe) scheme without random oracle,” ia.cr/2016/780, 2016. [24] A. Lewko and B. Waters, “New techniques for dual system encryption and fully secure hibe with short ciphertexts,” in TCC 2010. Springer, 2010, pp. 455–479. [25] S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” in PKC 2014. Springer, 2014, pp. 293–310. [26] E. Shimon, O. Goldreich, and S. Micali, “On-line/off-line digital signatures,” Cryptology, vol. 9, no. 1, pp. 35–67, 1996. [27] Y. F. Wang, G. Yang, and Z. C. Z, “Identity-based online/offline encryption,” Computer Technology and Development, vol. 51, no. 43, pp. 247– 261, 2012.

XINGGUANG ZHOU is a Ph.D. candidate in the Department of Electronic and Information Engineering, Beihang University. Her research interests include information security and communication network security.

JIANWEI LIU is currently a full professor and party secretary in the Department of Electronic and Information Engineering, Beihang University. He received his Ph.D. from the Communication and Electronic System Department, Xidian University, in 1998. His research interests include wireless communication networks, cryptography, information security, communication network security, channel coding, and modulation technology.

QIANHONG WU is currently a full professor in the Department of Electronic and Information Engineering, Beihang University. He has served as a member of the ACISP committee and more than 10 international conference procedure committees. He received his Ph.D. degree in cryptography from Xidian University in 2005. His research interests include information security, security in big data and cloud computing, and blockchains.

ZONGYANG ZHANG is an assistant professor in the Department of Electronic and Information Engineering, Beihang University. He received his Ph.D. in computer software and theory from Shanghai Jiao Tong University in 2012. His research interests include public-key cryptography and blockchains.

15
