Efficient Mediated Ciphertext-Policy Attribute-Based Encryption for Personal Health Records Systems
Zhiwei Wang1,2, Zhuanzhuan Chu1
1 College of Computer, Nanjing University of Posts and Telecommunications, China
2 School of Computer and Software, Nanjing University of Information Science and Technology, China
Abstract

A Personal Health Record (PHR) system is a patient-centered system through which patients and health care providers can securely access the patient’s health information over the internet. Security is an important issue for PHR systems, especially when they are accessible through the open internet. In this paper, we propose an efficient mediated ciphertext-policy attribute-based encryption (m-CP-ABE) scheme which realizes attribute revocation instantaneously and supports monotonic access structures by using Linear Secret-Sharing Schemes (LSSS). These security measures greatly reduce the risk that an unauthorized person could access a patient’s health information contained within a PHR system. At the same time, most of the computational overhead in decryption is outsourced to the mediator side, leaving only a small computational workload on the user side. With the development of the mobile internet, many users may use mobile devices to access PHR systems, so this measure makes our scheme well suited to the mobile internet application scenario.

Keywords: Mediated CP-ABE, LSSS, Personal health record, Mobile internet.
*Corresponding author: Zhiwei Wang. DOI: 10.6138/JIT.2015.16.5.20150310b

1 Introduction

A Personal Health Record (PHR) system is a patient-centered system of health information access, storage and exchange. Key potential benefits for patients and health care providers in PHR systems [1] can be listed as follows.

Patient:
(1) Strengthen the access control to personal health information.
(2) Strengthen communication with providers.
(3) Support home monitoring for chronic diseases.
(4) Support continual care by providers.
(5) Increase the accessibility of providers through the internet.

Healthcare Providers:
(1) Support patients in accessing specific information or services conveniently.
(2) Increase patients’ knowledge of drug interactions and allergies.
(3) Improve documentation of communication with patients.

To improve the level of health care by using PHR systems, important steps must be taken in the areas of security, privacy, and interoperability. Appropriate cryptographic techniques must be employed to reduce the risk that an unauthorized person could access a patient’s health information contained within a PHR system. Earlier surveys and research [2][18-19] indicate that PHR systems can be used widely only once users have confidence in the security protections. This confidence seems to depend mainly on the ability to control access to personal health information. In an internet-based PHR system, many individuals, such as family members and care providers, may view and improve patient health records. Ensuring the security of access control thus represents an important challenge. A further question is whether users are willing to accept the costs of cryptographic technologies in a PHR system.

Attribute-based encryption (ABE) was developed from fuzzy identity-based encryption (FIBE) [3][22-23]; it offers a fine-grained decryption policy under which users can decrypt if their attributes satisfy the policy [20-21][24]. Research on ABE has two directions: the first is ciphertext-policy ABE (CP-ABE) [6-10], and the second is key-policy ABE (KP-ABE) [4-5][14]. In CP-ABE, ciphertexts are associated with access policies, while keys are associated with attribute sets; in KP-ABE, keys are associated with access policies, while ciphertexts are associated with attribute sets. In PHR systems, users may be associated with some attributes, so CP-ABE is more suitable than KP-ABE. However, before CP-ABE is employed in a PHR system, one important issue still has to be solved, namely user revocation. That is to say, after an attribute is revoked, the corresponding user may lose the decryption privilege for the ciphertexts.
There are three security concerns in user revocation:

Protecting Previous Encrypted Data: Once an attribute is revoked from a user, the user cannot use this revoked attribute to decrypt previous ciphertexts.
Protecting Newly Encrypted Data: Once an attribute is revoked from a user, the user cannot use this revoked attribute to decrypt new ciphertexts.
Guaranteeing Newly Joined Users: Newly joined users should still be able to decrypt previous ciphertexts if they have sufficient attributes.

Mediated CP-ABE is a better solution to the problem of “user revocation.” The basic idea is to introduce an online mediator into the deployed ABE system to check each user’s validity [11-12]. The mediator is semi-trusted, and it cannot learn the plaintext of the encrypted data. Once the mediator is notified that a user is to be revoked, it can stop that user’s decryption instantaneously. At the same time, the mediator maintains a real-time revocation list. When a ciphertext is sent to the mediator, it first checks the validity of the corresponding user against the revocation list. The mediator then executes the semi-decryption if and only if the user is authorized, and sends the partially decrypted token to the user for complete decryption.

Ibraimi et al. [13] proposed a mediated CP-ABE scheme and discussed its application to PHR systems. However, Ibraimi et al.’s scheme only supports “AND” and “OR” gates. The simplest access structure is “Threshold.” “AND” and “OR” gates can be represented by an access tree using 2-of-2 and 1-of-2 “Threshold” gates as root nodes, respectively. For fine-grained access control in PHR systems, mediated CP-ABE supporting more complex access structures should be researched.

Our Contribution. In this work, we propose a new mediated CP-ABE scheme based on Waters’ efficient CP-ABE scheme, which supports monotonic access structures by using Linear Secret-Sharing Schemes (LSSS). According to [5][7], a monotonic access structure can be further extended into a non-monotonic access structure. On the other hand, decryption in an ABE scheme involves many expensive pairing operations, which is not suitable for mobile devices: if decryption is executed on a mobile device, the device may not be able to bear the cost. For example, decryption with 100 policy leaves on an iPhone 3G (412 MHz ARM) takes 30 s. In our scheme, the semi-trusted mediator not only realizes user revocation but also bears most of the heavy computation of decryption. Thus, the user only needs to do lightweight decryption.

Organization. In Section 2, we present some preliminaries related to our construction and proof. In Section 3, we define m-CP-ABE and provide a security model. In Section 4, we devise a concrete m-CP-ABE scheme based on Waters’ CP-ABE scheme. In Section 5, we give a proof of our scheme, which is secure under the security of Waters’ scheme. In Section 6, we describe the application in PHR systems. In Section 7, we conclude our paper.
2 Preliminaries

In this section, we first present the formal definition of bilinear maps, then provide the definitions of monotone access structures and the usage of Linear Secret Sharing Schemes (LSSS).

2.1 Bilinear Maps

Let $G$ and $G_T$ be two groups of prime order $p$, and let $g$ be a generator of $G$. A map $e: G \times G \to G_T$ is said to be a bilinear map if the following three conditions are satisfied:
• $e(g^a, g^b) = e(g, g)^{ab}$ for each $a, b \in \mathbb{Z}_p$ (bilinear).
• $e(g, g) \neq 1_{G_T}$ (non-degenerate).
• $e$ can be efficiently computed.

2.2 Monotone Access Structure and Linear Secret Sharing Scheme

We adapt the definitions given in [15]. However, in our definitions the role of the parties is taken by the attributes.

Definition 1: Monotone Access Structure. Let $\{S_1, \dots, S_n\}$ be a set of attributes. We say an authorized collection $A \subset 2^{\{S_1, \dots, S_n\}}$ is monotonic if, for all $X, Y$, $X \in A$ and $X \subseteq Y$ imply $Y \in A$. A monotone access structure is essentially a monotone collection $A$ of non-empty subsets of $\{S_1, \dots, S_n\}$. If a set is not in $A$, we call it an unauthorized set.

Definition 2: Linear Secret Sharing Scheme (LSSS). A secret sharing scheme $\Pi$ over a set of attributes $S$ is linear if the following two conditions are satisfied.
(1) The shares for each attribute form a vector over $\mathbb{Z}_p$.
(2) There is an $m \times n$ matrix $\Gamma$, the share-generating matrix for $\Pi$. For all $i = 1, \dots, m$, the function $\rho$ maps the $i$-th row of $\Gamma$ to an attribute, labeled $\rho(i)$. A random column vector $v = (\mu, r_2, \dots, r_n)$ is selected, where $\mu \in \mathbb{Z}_N$ is the secret to be shared, and $\Gamma v$ is the vector of $m$ shares of the secret $\mu$. The share $(\Gamma v)_i$ belongs to the attribute $\rho(i)$.

As discussed in [15], every LSSS $\Pi$ for an access structure $A$ has a vital property called linear reconstruction. Let $C \in A$ be an authorized set, and define $I \subset \{1, \dots, m\}$ as $I = \{i : \rho(i) \in C\}$. Then we can compute constants $\{\omega_i \in \mathbb{Z}_N\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = \mu$ whenever $\{\lambda_i\}$ are valid shares. These $\{\omega_i\}$ can be computed in time polynomial in the size of the matrix $\Gamma$.
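Share generation and linear reconstruction from Definition 2, as an added example that is not code from the paper. The matrix GAMMA, the labelling RHO, the policy, the prime P and the helper names are constructed for illustration; `mediator_coeffs` applies the rule that Section 4 states for m-Decrypt (stop if any attribute in S is revoked) before solving for the constants ω_i.

```python
import secrets

P = 2**127 - 1  # a Mersenne prime standing in for the group order p (assumption)

# Constructed LSSS (GAMMA, RHO) for the policy
# (doctor AND cardiology) OR (nurse AND ward_7 AND on_duty).
GAMMA = [
    [1,  1,  0,  0],   # doctor
    [0, -1,  0,  0],   # cardiology
    [1,  0,  1,  0],   # nurse
    [0,  0, -1,  1],   # ward_7
    [0,  0,  0, -1],   # on_duty
]
RHO = ["doctor", "cardiology", "nurse", "ward_7", "on_duty"]


def make_shares(secret):
    """Return lambda = GAMMA * v for v = (secret, r_2, ..., r_n), r_j random in Z_p."""
    v = [secret % P] + [secrets.randbelow(P) for _ in GAMMA[0][1:]]
    return [sum(g * x for g, x in zip(row, v)) % P for row in GAMMA]


def reconstruction_coeffs(attrs):
    """Solve sum_{i in I} w_i * GAMMA_i = (1, 0, ..., 0) mod P.

    I = {i : RHO[i] in attrs}. Returns {i: w_i}, or None when attrs is
    not an authorized set (the linear system has no solution).
    """
    I = [i for i, a in enumerate(RHO) if a in attrs]
    n = len(GAMMA[0])
    # One equation per matrix column j; unknowns are the w_i; last entry is the RHS.
    A = [[GAMMA[i][j] % P for i in I] + [int(j == 0)] for j in range(n)]
    pivots, r = [], 0
    for c in range(len(I)):                       # Gauss-Jordan elimination mod P
        pr = next((k for k in range(r, n) if A[k][c]), None)
        if pr is None:
            continue                              # free variable, stays 0
        A[r], A[pr] = A[pr], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for k in range(n):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    if any(A[k][-1] for k in range(r, n)):        # a row reads 0 = nonzero: unauthorized
        return None
    w = {i: 0 for i in I}
    for row, c in enumerate(pivots):
        w[I[c]] = A[row][-1]
    return w


def mediator_coeffs(user_attrs, revoked):
    """Gate described for m-Decrypt: stop (None) if any attribute of S is revoked."""
    if set(user_attrs) & set(revoked):
        return None
    return reconstruction_coeffs(user_attrs)


def combine(shares, w):
    """Linear reconstruction: sum_i w_i * lambda_i mod P."""
    return sum(wi * shares[i] for i, wi in w.items()) % P


if __name__ == "__main__":
    s = secrets.randbelow(P)
    lam = make_shares(s)
    w = mediator_coeffs({"nurse", "ward_7", "on_duty"}, revoked=set())
    print("reconstructed:", combine(lam, w) == s)
    print("partial set:", reconstruction_coeffs({"nurse", "ward_7"}))
    print("revoked:", mediator_coeffs({"doctor", "cardiology"}, {"cardiology"}))
```

In the scheme itself the shares λ_i never appear in the clear; the same constants ω_i are applied in the exponent of pairing values.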
3 Mediated CP-ABE

3.1 Definition

A mediated CP-ABE (m-CP-ABE) scheme involves a trusted third party (TTP), which is used to generate users’ secret keys. The secret key consists of two parts: the first part is sent to the mediator, while the second part is given to the user. The TTP can go offline after it has generated the secret key, while the mediator must be online all the time. An m-CP-ABE scheme for a general monotone access structure $A$ over the monotone attribute universe space $\Sigma$ is composed of five probabilistic polynomial time (PPT) algorithms:

Setup($1^\lambda$, $\Sigma$): On input a security parameter $\lambda$ and an attribute set $\Sigma$, the algorithm outputs the system public key $MPK$ and the master key $MSK$.

KeyGen($MSK$, $S$): This algorithm is run by the TTP. It takes as input the user’s attribute set $S$ and the master secret key $MSK$, and outputs two private key shares $SK_{S,1}$ and $SK_{S,2}$. The first share is delivered to the mediator secretly, while the second share is delivered to the user secretly.

Encrypt($M$, $A$): On input a monotone access structure $A$ and a message $M$ to encrypt, the algorithm outputs a ciphertext $CT$.

m-Decrypt($CT$, $SK_{S,1}$): This algorithm is executed by the mediator. It takes as input a ciphertext $CT$ for an access structure $A$ and the first private key share $SK_{S,1}$ for a set $S$, and outputs a token $T$, or a stop symbol $\perp$ if and only if the non-revoked attributes in set $S$ do not satisfy the monotone access structure $A$.

Decrypt($T$, $SK_{S,2}$): This algorithm is run by the user. It takes as input a token $T$ and the second private key share $SK_{S,2}$ for a set $S$, and outputs a plaintext $M$, or a stop symbol $\perp$ if and only if the non-revoked attributes in set $S$ do not satisfy the monotone access structure $A$.

3.2 Security Model

In this section, we provide the security model of m-CP-ABE for semantic security. The adversary has one of the following two targets:
(1) The adversary can obtain a partially decrypted token $T$ for the second secret key share $SK_{S,2}$ to decrypt, although it has no knowledge of the corresponding $SK_{S,1}$. In particular, if the user $u$ has been revoked, then the mediator will not help to partially decrypt for the user $u$. The adversary tries to compute the token $T$ successfully without knowing $SK_{S,1}$.
(2) The adversary can get a plaintext $M$ from a partially decrypted token $T$, although it has no knowledge of the corresponding $SK_{S,2}$. In particular, if the user $u$ is valid, then the mediator will help it to partially decrypt $CT$. The adversary tries to compute the plaintext $M$ from $T$ successfully without knowing $SK_{S,2}$.

We define the security model by an indistinguishability game between a challenger and an adversary. In order to record the queried keys, we set two empty lists: list 1, holding tuples $\langle S, SK_{S,1} \rangle$, and list 2, holding tuples $\langle S, SK_{S,2} \rangle$, where $S$ is an attribute set.

Setup. The challenger runs the Setup algorithm to obtain the master public/secret key $MPK$/$MSK$, and sends $MPK$ to the adversary.

Query 1. The adversary can perform the following queries a polynomially bounded number of times:
• Key extraction query 1 (E1): When the adversary makes the first secret key share query on an attribute set $S$, the challenger checks list 1 for a tuple of the form $\langle S, SK_{S,1} \rangle$. If there is no such tuple, the challenger answers $SK_{S,1} \leftarrow$ KeyGen($MSK$, $S$). At the same time, the challenger also gets $SK_{S,2}$ from the KeyGen algorithm. Then the challenger puts $\langle S, SK_{S,1} \rangle$ into list 1 and $\langle S, SK_{S,2} \rangle$ into list 2. Otherwise, the challenger returns $SK_{S,1}$ from the tuple $\langle S, SK_{S,1} \rangle$.
• Key extraction query 2 (E2): When the adversary makes the second secret key share query on an attribute set $S$, the challenger checks list 2 for a tuple of the form $\langle S, SK_{S,2} \rangle$. If there is no such tuple, the challenger answers $SK_{S,2} \leftarrow$ KeyGen($MSK$, $S$). At the same time, the challenger also gets $SK_{S,1}$ from the KeyGen algorithm. Then the challenger puts $\langle S, SK_{S,1} \rangle$ into list 1 and $\langle S, SK_{S,2} \rangle$ into list 2. Otherwise, the challenger returns $SK_{S,2}$ from the tuple $\langle S, SK_{S,2} \rangle$.

Challenge. The adversary outputs two plaintexts $M_0, M_1$ and a monotone access structure $A^*$ such that no full key $SK_S$ (both $SK_{S,1}$ and $SK_{S,2}$) generated from the above key extraction queries satisfies $A^*$. The challenger randomly chooses a bit $b \in \{0,1\}$ and returns the ciphertext $CT^* \leftarrow$ Encrypt($M_b$, $A^*$).

Query 2. The adversary can make queries as in Query 1.

Response. Finally, the adversary outputs a guess $b'$ of $b$. The adversary’s advantage in this game is defined as $ADV = |2\Pr[b = b'] - 1|$. We say that an m-CP-ABE scheme is CPA (chosen plaintext attack) secure if $ADV$ is negligible for any PPT adversary in the above game.

Definition 3: CPA-m-CP-ABE. An m-CP-ABE scheme is said to be CPA secure if no PPT adversary can win the above game with non-negligible advantage.
4 Construction of m-CP-ABE

Our construction is based on Waters’ most efficient CP-ABE scheme [16].

Setup($1^\lambda$, $\Sigma$): The setup algorithm takes as input a security parameter $\lambda$ and a monotone universal attribute space $\Sigma$. It generates a group $G$ of prime order $p$, where $p$ is a $\lambda$-bit prime. Then it selects random generators $g, h_1, \dots, h_U$ of $G$ that are related to the attributes in $\Sigma$, and picks $a, \alpha \in \mathbb{Z}_p$. Finally, the master public key is computed as $MPK: \langle G, g, e(g, g)^{\alpha}, g^{\alpha}, h_1, \dots, h_U \rangle$, and the master secret key is computed as $MSK = g^{\alpha}$.

KeyGen($MSK$, $S$): This algorithm is run by the TTP. It takes as input an attribute set $S$ and the master secret key $MSK$. It first chooses a random $t \in \mathbb{Z}_p$, and randomly chooses two numbers $uid_1$ and $uid_2$ that differ by exactly 1, such that $1 = uid_1 - uid_2$. Then the algorithm generates two private key shares as follows:
(1) $SK_{S,1}: \langle K = g^{\alpha\, uid_1} g^{\alpha t},\ L = g^{t},\ \forall x \in S:\ K_x = h_x^{t} \rangle$
(2) $SK_{S,2}: \langle K' = g^{\alpha\, uid_2} \rangle$
Finally, the first share $SK_{S,1}$ is dispatched to the mediator secretly, and the second share $SK_{S,2}$ is delivered to the user securely.

Encrypt($M$, $\Pi$): The encryption algorithm takes as input an LSSS scheme $\Pi = (\Gamma, \rho)$ for a monotone access structure $A$ and a plaintext $M$ to encrypt. Here, $\Gamma$ is an $m \times n$ matrix. The function $\rho$ maps rows of $\Gamma$ to attributes (see footnote 1). The algorithm first selects a random $s \in \mathbb{Z}_p$ and a random vector $v = (s, v_2, \dots, v_n) \in \mathbb{Z}_p^n$. For $i = 1$ to $m$, it computes $\lambda_i = v \cdot \Gamma_i$ (see footnote 2). Furthermore, the algorithm chooses random $r_1, \dots, r_m \in \mathbb{Z}_p$. The generated ciphertext CT is

m-Decrypt($CT$, $SK_{S,1}$): This algorithm is run by the mediator. It takes as input a ciphertext $CT$ for an LSSS scheme $\Pi = (\Gamma, \rho)$ on the monotone access structure $A$, and the first private key share $SK_{S,1}$ for a set $S$. The mediator first searches the attribute revocation list; if any $s_j \in S$ is revoked, the mediator returns $\perp$ and stops. If no attribute is revoked and $S \in A$ is an authorized set, let $I \subset [m]$ be defined as $I = \{i : \rho(i) \in S\}$. Then the algorithm computes a set $\{\omega_i \in \mathbb{Z}_N\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$ if $\{\lambda_i\}$ are valid shares according to $\Gamma$. Finally, the mediator computes the partially decrypted token T as:
The mediator sends $T$ to the user.

Decrypt($T$, $SK_{S,2}$): This algorithm is run by the user. It computes $T / e(C', K') = e(g, g)^{\alpha s (uid_1 - uid_2)} = e(g, g)^{\alpha s}$. Then the user can get the plaintext $M$ from $C$.

Performance Analysis: In order to evaluate the decryption cost of the user in our scheme, we test the pairing and prod pairing time based on the Stanford Pairing-Based Crypto library [17]. We choose the type A elliptic curve, where the order r of the group is 160 bits long and the base field order q is 512 bits long. We compile our test code on the following hardware platform: a 2.5 GHz Intel Core i5 CPU with 4 GB 1,600 MHz DDR3 RAM running OS X 10.9.3. In our scheme, most of the computational cost in decryption is outsourced to the mediator, since the mediator is in general a powerful server. No matter how many policy attributes there are, the user in our scheme only needs to do one pairing operation, whereas the original Waters scheme needs to execute n + 1 pairings and 1 prod pairing, where n is the number of policy attributes. The efficiency comparison can be seen in Figure 1.

Figure 1 Comparison of Decryption Cost

From Figure 1, we can see that the decryption cost in our scheme is reduced greatly, since most of it has been outsourced to the mediator, and the advantage grows as the number of policy attributes increases.

Footnote 1: Since each attribute is mapped to a random number in $\mathbb{Z}_p$, $\rho$ can be defined as $\rho: \mathbb{Z}_p^l \to \Sigma$.
Footnote 2: Here $\Gamma_i$ is the vector related to the $i$-th row of $\Gamma$.

5 Security Proof
Theorem 1. Our m-CP-ABE scheme is selectively CPA-secure under the selective CPA-security of Waters’ CP-ABE scheme.

Proof: To prove this theorem, we show that if a PPT adversary can win the game in Section 3.2 with significant probability, then a PPT simulator can break the selective CPA-security of Waters’ CP-ABE scheme with the same probability. The simulator acts as the challenger and interacts with the adversary in the game in Section 3.2.

Initialization. The adversary sends a challenge access structure $A^*$ to the simulator. Then the simulator gives it to the challenger of Waters’ scheme.

Setup. The simulator receives the master public key $MPK$ from the challenger, and sends it to the adversary.

Query 1. The adversary makes the following two kinds of extraction queries a polynomially bounded number of times.
• Key extraction query 1 (E1): When the adversary makes the first secret key share query on an attribute set $S$, the simulator checks list 1 for a tuple of the form $\langle S, SK_{S,1} \rangle$. If there is no such tuple, the simulator passes this query to the challenger. The challenger returns $\langle K = g^{\alpha} g^{\alpha t},\ L = g^{t},\ \forall x \in S:\ K_x = h_x^{t} \rangle$ to the simulator. Following that, the simulator chooses two random numbers $uid_1$ and $uid_2$ such that $1 = uid_1 - uid_2$. Then the simulator returns $SK_{S,1}: \langle K = g^{\alpha\, uid_1} g^{\alpha t},\ L = g^{t},\ \forall x \in S:\ K_x = h_x^{t} \rangle$ to the adversary. At the same time, the simulator gets $SK_{S,2}$. Then the simulator puts $\langle S, SK_{S,1} \rangle$ into list 1 and $\langle S, SK_{S,2} \rangle$ into list 2. Otherwise, the simulator returns $SK_{S,1}$ from the tuple $\langle S, SK_{S,1} \rangle$.
• Key extraction query 2 (E2): When the adversary makes the second secret key share query on an attribute set $S$, the simulator checks list 2 for a tuple of the form $\langle S, SK_{S,2} \rangle$. If there is no such tuple, the simulator passes this query to the challenger. The challenger returns $\langle K = g^{\alpha} g^{\alpha t},\ L = g^{t},\ \forall x \in S:\ K_x = h_x^{t} \rangle$ to the simulator. Following that, the simulator chooses two random numbers $uid_1$ and $uid_2$ such that $1 = uid_1 - uid_2$. Then the simulator returns $SK_{S,2}: \langle K = g^{\alpha\, uid_2} g^{\alpha t},\ L = g^{t},\ \forall x \in S:\ K_x = h_x^{t} \rangle$ to the adversary. At the same time, the simulator gets $SK_{S,1}$. Then the simulator puts $\langle S, SK_{S,1} \rangle$ into list 1 and $\langle S, SK_{S,2} \rangle$ into list 2. Otherwise, the simulator returns $SK_{S,2}$ from the tuple $\langle S, SK_{S,2} \rangle$.

Challenge. The adversary selects two distinct random messages $M_b$, $b \in \{0,1\}$, which are sent to the challenger. Then the simulator receives the response $CT^* = \langle C = M_b \cdot e(g, g)^{\alpha s},\ C' = h^{s},\ (C_i = g_1^{\alpha \lambda_i} h_{\rho(i)}^{-r_i},\ D_i = g_1^{r_i})_{i \in [l]} \rangle$. Finally, the simulator sends $CT^*$ to the adversary as the challenge ciphertext.

Query 2. This phase is the same as Query 1.

Guess. Finally, the adversary sends a bit $b'$ to the simulator, and the simulator also outputs $b'$. The distribution for the adversary is perfect. If the adversary has a non-negligible probability of winning the game in Section 3.2, then the simulator can also break Waters’ scheme with the same probability.
6 Application Scenario in PHR Systems

A PHR system is a patient-centered system for health information exchange. Patients can create, modify, control and share their health records with other users and health care providers. When our mediated CP-ABE scheme is deployed in a PHR system, patients can maintain full control over access to their PHR files through the mediator. Patients can encrypt their PHRs and store them on semi-trusted cloud servers such that the cloud servers do not have access to sensitive PHR contents. However, three important issues should be solved when m-CP-ABE is used in a PHR system (Figure 2).

(1) A PHR file may be operated on by multiple users whom the data owner may not know. A proper attribute universe U should be chosen which can distinctly define each user.
(2) A trusted third party (TTP) must be fully trusted to protect the master key and generate private keys (including two shares) for the users and the mediator.
(3) Secure key share distribution may lead to potential communication overhead.

Figure 2 m-CP-ABE Scheme Deployed in PHR System

If anyone (e.g., a health care provider) wants to access a user’s PHR file, the request must pass the verification of the mediator. The mediator can prevent anyone from accessing the PHR file once he has been revoked.
7 Conclusions

In this work, we propose an efficient m-CP-ABE scheme, in which the semi-trusted mediator can execute attribute revocation instantaneously. Compared with the former schemes, our scheme supports monotonic access structures by using LSSS. In a PHR system, patients can use this scheme to protect their valuable healthcare information against unauthorized access. Furthermore, most of the decryption overhead is outsourced to the mediator, and the user only does a little computation, which makes the scheme more suitable for the mobile internet.
Acknowledgements

This research is partially supported by the National Natural Science Foundation of China under Grant No. 61373006, 61232016, U1405254, and the PAPD fund.
References

[1] U.S. Department of Health and Human Services, Personal Health Records and Personal Health Record Systems, National Committee on Vital and Health Statistics Report 0602, February, 2006.
[2] U.S. Department of Health and Human Services, Summary of the HIPAA Privacy Rule, National Committee on Vital and Health Statistics Report 0302, June, 2003.
[3] A. Sahai and B. Waters, Fuzzy Identity-Based Encryption, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 2005, pp. 457-473.
[4] V. Goyal, O. Pandey, A. Sahai and B. Waters, Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data, 13th ACM Conference on Computer and Communications Security, Alexandria, VA, 2006, pp. 89-98.
[5] R. Ostrovsky, A. Sahai and B. Waters, Attribute-Based Encryption with Non-monotonic Access Structures, 14th ACM Conference on Computer and Communications Security, Alexandria, VA, 2007, pp. 195-203.
[6] J. Bethencourt, A. Sahai and B. Waters, Ciphertext-Policy Attribute-Based Encryption, 2007 IEEE Symposium on Security and Privacy, Oakland, CA, 2007, pp. 321-334.
[7] L. Cheung and C. Newport, Provably Secure Ciphertext Policy ABE, 14th ACM Conference on Computer and Communications Security, Alexandria, VA, 2007, pp. 456-465.
[8] V. Goyal, A. Jain, O. Pandey and A. Sahai, Bounded Ciphertext Policy Attribute Based Encryption, 35th International Colloquium on Automata, Languages and Programming, Reykjavik, Iceland, 2008, pp. 579-591.
[9] A. Kapadia, P. P. Tsang and S. W. Smith, Attribute-Based Publishing with Hidden Credentials and Hidden Policies, 14th Annual Network & Distributed System Security Symposium, San Diego, CA, 2007, pp. 179-192.
[10] T. Nishide, K. Yoneyama and K. Ohta, ABE with Partially Hidden Encryptor-Specified Access Structure, 6th International Conference on Applied Cryptography and Network Security, New York, 2008, pp. 111-129.
[11] S. Yu, C. Wang, K. Ren and W. Lou, Attribute Based Data Sharing with Attribute Revocation, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China, 2010, pp. 261-270.
[12] K. Yang, X. Jia and K. Ren, Attribute-Based Fine-Grained Access Control with Efficient Revocation in Cloud Storage Systems, 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, Hangzhou, China, 2013, pp. 523-528.
[13] L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel and W. Jonker, Mediated Ciphertext-Policy Attribute-Based Encryption and Its Application, 10th International Workshop on Information Security Applications, Busan, Korea, 2009, pp. 309-323.
[14] T. Okamoto and K. Takashima, Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption, 30th Annual Conference on Advances in Cryptology, Santa Barbara, CA, 2010, pp. 191-208.
[15] A. Beimel, Secure Schemes for Secret Sharing and Key Distribution, Ph. D. Thesis, Technion-Israel Institute of Technology, Haifa, Israel, 1996.
[16] B. Waters, Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization, 14th International Conference on Practice and Theory in Public Key Cryptography Conference on Public Key Cryptography, Taormina, Italy, 2011, pp. 53-70.
[17] B. Lynn, The Pairing-Based Cryptography (PBC) Library, http://crypto.stanford.edu/pbc
[18] L. Zhou and H.-C. Chao, Multimedia Traffic Security Architecture for Internet of Things, IEEE Network, Vol. 25, No. 3, pp. 29-34, May, 2011.
[19] P. Guo, J. Wang, B. Li and S. Lee, A Variable Threshold-Value Authentication Architecture for Wireless Mesh Networks, Journal of Internet Technology, Vol. 15, No. 6, pp. 929-936, November, 2014.
[20] Y. Ren, J. Shen, J. Wang, J. Han and S. Lee, Mutual Verifiable Provable Data Auditing in Public Cloud Storage, Journal of Internet Technology, Vol. 16, No. 2, pp. 317-323, March, 2015.
[21] Z. Wang, G. Sun and D. Chen, A New Definition Of Homomorphic Signature for Identity Management In Mobile Cloud Computing, Journal of Computer and System Sciences, Vol. 80, No. 3, pp. 546-553, May, 2014.
[22] Z. Wang and W. Chen, An Id-Based Online/Offline Signature Scheme without Random Oracles for Wireless Sensor Networks, Personal and Ubiquitous Computing, Vol. 17, No. 5, pp. 837-841, June, 2013.
[23] Z. Wang and A. Xia, ID-Based Proxy Re-signature with Aggregate Property, Journal of Information Science and Engineering, Vol. 31, No. 4, pp. 1199-1211, July, 2015.
[24] Z. Wang, K. Sha and W. Lv, Slight Homomorphic Signature for Access Controlling in Cloud Computing, Wireless Personal Communications, Vol. 73, No. 1, pp. 51-61, January, 2013.
Biographies

Zhiwei Wang received his PhD degree in cryptography from the Beijing University of Posts and Telecommunications in 2009. Currently, he is an associate professor in the department of information security at Nanjing University of Posts and Telecommunications. His research interests include digital signatures, provable security, cryptographic protocols, and network and cloud security.

Zhuanzhuan Chu is a master’s student at Nanjing University of Posts and Telecommunications. Her research direction is cryptography and information security.