
A Privacy-Preserving Health Data Aggregation Scheme

  • Liu, Yining (Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology) ;
  • Liu, Gao (School of Mathematics and Computational Science, Guilin University of Electronic Technology) ;
  • Cheng, Chi (School of Computer Science, China University of Geoscience) ;
  • Xia, Zhe (School of Computer Science and Technology, Wuhan University of Technology) ;
  • Shen, Jian (School of Computer and Software, Nanjing University of Information Science & Technology)
  • Received : 2016.05.16
  • Accepted : 2016.06.27
  • Published : 2016.08.31

Abstract

Patients' health data is very sensitive and access to an individual's health data should be strictly restricted. However, many data consumers may need to use the aggregated health data. For example, insurance companies need to use this data to set the premium level for health insurance. Therefore, privacy-preserving data aggregation solutions for health data have both theoretical importance and application potential. In this paper, we propose a privacy-preserving health data aggregation scheme using differential privacy. In our scheme, patients' health data are aggregated by the local healthcare center before being used by data consumers, and this prevents an individual's data from being leaked. Moreover, compared with the existing schemes in the literature, our work enjoys two additional benefits: 1) it not only resists many well-known attacks in open wireless networks, but also achieves resilience against the human-factor-aware differential aggregation attack; 2) no trusted third party is employed in our proposed scheme, hence it achieves the robustness property and does not suffer from the single point of failure problem.

1. Introduction

In the wireless body area network [1], the implanted or wearable biosensor can be used to measure the patients’ health data, such as the temperature, the blood pressure, etc. After the health data is collected, it is transmitted to the doctor in the local healthcare center (LHC) in an authenticated manner [2-7]. Therefore, the doctor can give a precise diagnosis and treatment. Moreover, the aggregated health data has many real-world applications. For example, the insurance company can analyze the aggregated result of the health data in a specific area, and then make a decision. However, if the health data of the patient is transmitted directly, the privacy will be violated, and this might have serious consequences, such as financial fines or even legal prosecution. For instance, with the knowledge of some people’s poor body condition, the insurance company might refuse to provide the insurance service for them. Therefore, it is necessary to design a privacy-preserving health data aggregation scheme, which allows LHC to aggregate the health data in a designated region without knowing any individual value.

In order to ensure the privacy property, the individual health data should be encrypted or processed anonymously. As shown in Fig. 1, the patient transmits the processed health data to LHC, and the doctor in LHC can make the diagnosis and give the treatment due to the patient’s data. Furthermore, LHC aggregates the received data, and sends the aggregated result to the healthcare cloud. Moreover, the data consumers can utilize the aggregated result which is stored in the healthcare cloud.

Fig. 1. Network model

Although there are many existing works on data aggregation in the literature, the majority of them may suffer the human-factor-aware differential aggregation (HDA) attack [8], which aims to break the privacy. Moreover, many data aggregation schemes rely on a trusted entity to ensure confidentiality for the sensitive data, so that the robustness requirement is not satisfied in a high level because of the potential single point failure problem. In [9-11], using trusted gateway and operating center, the single data is protected by the homomorphic encryption technique. However, the privacy will be violated if the gateway and the operating center are not trusted. In [12], a one-way virtual ring is used for the aggregation. However, the aggregation operation will fail if any smart device of the ring breaks down. In 2014, Fan et al. proposed a data aggregation scheme [13] based on the subgroup decision assumption. However, each user’s private key can be extracted from the public information in the registration phase, and this flaw has been resolved later [14]. Moreover, the privacy is preserved by the blind factor, which is distributed by an off-line trusted third party, and thus there exists the trust bottleneck in the proposed scheme. Therefore, many of the existing schemes need further improvement in order to suit the practical environment [15,16].

In this paper, we propose a health data aggregation scheme, which also allows LHC to aggregate the health data in a specific area without knowing any individual value. The security of the proposed scheme is mainly based on the differential privacy [8] and the subgroup decision assumption [13]. Compared with other data aggregation schemes, the proposed scheme has two contributions: 1) The proposed scheme not only resists many well-known attacks, such as the external attack, internal attack, replay attack, impersonation attack and modification attack, but is also robust against the new HDA attack. Therefore, our proposed scheme achieves a higher level of privacy. 2) The proposed scheme does not employ a trusted third party. Hence it achieves the robustness property and does not suffer from the single point of failure problem.

The remainder of the paper is organized as follows: The necessary preliminaries are introduced in Section 2. Afterwards, the health data aggregation scheme is presented in Section 3, and its security and efficiency are analyzed in Section 4. Finally, the paper is concluded in Section 5.

 

2. Preliminaries

In this section, we describe the related assumptions and techniques.

• Secure Hash Function

Assume h(x) is a secure hash function. It is computationally infeasible to extract a from a given value h(a) or to find a pair of values (a, b) such that h(a) = h(b) where a ≠ b [17].

• Subgroup Decision Assumption

Given an element $x$ that belongs to a group $G_0$ with a composite order $N = q_1 q_2$, where $q_1, q_2$ are large prime numbers, it is computationally infeasible to decide if $x \in G_0$ is in a subgroup with order $q_1$ [18].

• Discrete Logarithm Assumption

Suppose $g_2$ is the generator of a cyclic multiplicative group $G_1$ with order $q$. It is computationally infeasible to compute $x = \log_{g_2} y$ given $y = g_2^x$ [19].

• Bilinear Pairing

Suppose G1 and G2 are two cyclic multiplicative groups with order q, and g2 is a generator of G1. Furthermore, the discrete logarithm assumption holds both in G1 and G2. A bilinear map e : G1 × G1 → G2 satisfies the following properties [20]:

Bilinear: For any $P, Q \in G_1$ and $a, b \in Z_q^*$, $e(P^a, Q^b) = e(P, Q)^{ab}$ and $e(P, P) \neq 1_{G_2}$.

Non-degenerate: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1_{G_2}$.

Computable: For any P, Q ∈ G1, there exists an efficient algorithm to compute e(P, Q).

• Gap Diffie-Hellman Group

Assume that g2 is the generator of a cyclic multiplicative group G1 with the order q.

Computational Diffie-Hellman (CDH) problem: For any $a, b \in Z_q^*$, the CDH problem asks to derive $g_2^{ab}$ from the given $(g_2^a, g_2^b)$.

Decision Diffie-Hellman (DDH) problem: For any $a, b, c \in Z_q^*$, given $(g_2^a, g_2^b, g_2^c)$, the DDH problem asks to determine whether $g_2^{ab} = g_2^c$.

If the computational Diffie-Hellman problem is hard but the decision Diffie-Hellman problem is easy to solve in a cyclic multiplicative group G1, G1 is referred to as the gap Diffie-Hellman (GDH) group [21].

• HDA attack

Suppose that the health data of P1,P2,P3,P4,P5 are aggregated, and P5 is the target member. In addition, assume P5 does not use the device in the time slot T1 but uses it in the adjacent time slot T2, and the health data of P1,P2,P3,P4 are relatively stable in these two time slots. Therefore, LHC can derive the health data of P5 in the time slot T2 by comparing the two aggregated results [8].

• Assumption for Byzantine Agreement

The classical assumption for Byzantine agreement [22] is employed to resist the collusion attack. Under this assumption, the attacker might corrupt LHC and compromise no more than 1/3 of the patients. The attacker then colludes with the compromised LHC and patients, and launches the collusion attack (i.e., the HDA attack).

• Differential Privacy

In the query access, the differential privacy [22] is usually employed to achieve the privacy. By adding the proper Gaussian or exponentially distributed random noise, the administrator can obscure the true answer slightly before the query result is sent to the user. Furthermore, the similar inputs, which differ on a tiny entry, generate the indistinguishable outputs.

A randomized algorithm is ε-indistinguishability δ-approximation: Given two data sets D1 and D2, which differ on at most one element, and all S ⊆ Range(), where Range() consists of all possible values of .

If all computations are performed over a finite field, the unbiased binomial distribution B(w,1/2) [8] is employed to replace the Gaussian distribution. Afterwards, the following facts take the important roles in the proposed scheme.

Fact 1. Given the global sensitivity $\Delta$ (i.e., the interval of each patient’s health data), and in order to make $B(w, 1/2)$ ε-indistinguishability δ-approximation, $w$ should be at least $64\Delta^2 \log(2/\delta)/\varepsilon^2$ [8].

Fact 2. If Vi ~ B(wi,pr) and Vi, i = 1,2,⋯,n are independent and identically distributed,

 

3. Our Proposal

In this section, we present a novel aggregation scheme, in which only n patients and LHC exist in the specific area, and LHC can derive the summation of the patients’ health data without knowledge of any individual value. Some notations for the relevant parameters are defined in Table 1.

Table 1. Notation for related parameters

3.1 Initialization Phase

1. Given the pre-set security parameters $\varepsilon, \delta$, which are determined by LHC due to the tradeoff between the security and the usability, LHC computes $w_n = \lceil 3w/(2n) \rceil$, where $w = 64\Delta^2 \log(2/\delta)/\varepsilon^2$.

2. LHC chooses three large prime numbers q,q1,q2, and computes N = q1q2.

3. From a cyclic multiplicative group $G_0$ of order $N$, LHC determines a generator $g_0$ and a random number $u \in G_0$, and computes $h = u^{q_2}$, $g_1 = g_0^{q_1}$. Then LHC chooses a generator $g_2$ of a cyclic multiplicative group $G_1$ with order $q$. Moreover, the subgroup decision assumption holds in $G_0$, and the discrete logarithm assumption holds in the GDH group $G_1$.

4. LHC keeps q1,q2 secretly, chooses a secure hash function H(x) and a bilinear map e(G1,G1) → G2, and publishes

5. Each patient $P_i$ registers at LHC using the public key $y_i = g_2^{x_i} \in G_1$ with the identifier $ID_i$. Finally, LHC stores $\{ID_i, y_i\}$ in its database for the verification in the Aggregation Phase.

3.2 Aggregation Phase

1. $P_i$ collects the health data $m_i \in [0, 1, \cdots, \Delta]$ at time $t$, then chooses $v_i \sim B(w_n, 1/2)$ and $r_i' \in Z_N^*$ randomly. $P_i$ computes the ciphertext $CT_i = g_0^{m_i + v_i} h^{r_i'}$ and the corresponding signature $\sigma_i = H(t \| CT_i)^{x_i}$, and sends $\{ID_i, CT_i, \sigma_i\}$ to LHC.

2. With the received {IDi,CTi,σi}, LHC extracts Pi’s public key yi with IDi in the database, and verifies them by checking e(σi,g2) = e(H(t||CTi), yi), i = 1,2,⋯,n . With the selected n random numbers ki ∈ Zq∗,i = 1,2,⋯,n , LHC checks the equation to speed up the verification.

3. If all the verifications hold, LHC computes Furthermore, LHC derives from V with the base g1 using the Pollard’s lambda method, which costs the expected polynomial time [16,23] due to the non-cryptographic interval As a consequence, LHC outputs the approximate aggregated result where nwn/2 is the expectation of the added noise summation Each step is depicted in Fig. 2.

Fig. 2. Aggregation
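A toy run of the Initialization and Aggregation Phases, as an added example that is not the authors' code. It assumes an order-$N$ subgroup of $Z_p^*$ with tiny constructed primes in place of a pairing-friendly group, omits the signature check (which needs a pairing library), assumes $V$ is the product of the ciphertexts raised to $q_1$ as in Boneh-Goh-Nissim decryption [18], and uses a bounded linear search in place of Pollard's lambda method.

```python
import math
import random

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))

def setup(q1=1009, q2=1013, seed=1):
    """LHC initialization with constructed toy primes (insecure sizes)."""
    rng = random.Random(seed)
    N = q1 * q2
    k = 2
    while not is_prime(k * N + 1):      # p = kN + 1, so Z_p^* has a subgroup of order N
        k += 2
    p = k * N + 1
    while True:                         # g0: element of exact order N (generator of G0)
        g0 = pow(rng.randrange(2, p), k, p)
        if pow(g0, q1, p) != 1 and pow(g0, q2, p) != 1:
            break
    h = 1
    while h == 1:                       # h = u^{q2} for random u in G0; retry if trivial
        u = pow(g0, rng.randrange(1, N), p)
        h = pow(u, q2, p)
    g1 = pow(g0, q1, p)                 # g1 = g0^{q1}
    public = {"p": p, "N": N, "g0": g0, "h": h, "g1": g1}
    return public, q1                   # q1 stays secret at LHC

def encrypt(pub, m, w_n, rng):
    """Patient side: CT = g0^{m+v} * h^{r'} with v ~ B(w_n, 1/2)."""
    v = bin(rng.getrandbits(w_n)).count("1")
    r = rng.randrange(1, pub["N"])
    while math.gcd(r, pub["N"]) != 1:   # r' must lie in Z_N^*
        r = rng.randrange(1, pub["N"])
    p = pub["p"]
    ct = pow(pub["g0"], m + v, p) * pow(pub["h"], r, p) % p
    return ct, v                        # v is returned only so the demo can check the sum

def aggregate(pub, q1, cts, Delta, w_n):
    """LHC side: strip the blinding with q1, then solve a small discrete log."""
    p, n = pub["p"], len(cts)
    prod = 1
    for ct in cts:
        prod = prod * ct % p
    V = pow(prod, q1, p)                # h^{q1} = u^N = 1, leaving g1^{sum(m_i + v_i)}
    acc = 1
    for s in range(n * (Delta + w_n) + 1):   # the exponent lies in [0, n(Delta + w_n)]
        if acc == V:
            return s, s - n * w_n / 2   # noisy sum, and sum minus the expected noise
        acc = acc * pub["g1"] % p
    raise ValueError("aggregate outside the expected interval")

def demo():
    pub, q1 = setup()
    rng = random.Random(7)
    data = [3, 0, 5, 2, 4]              # constructed readings, Delta = 5
    pairs = [encrypt(pub, m, 8, rng) for m in data]
    noisy, approx = aggregate(pub, q1, [ct for ct, _ in pairs], 5, 8)
    return sum(data), noisy, approx

if __name__ == "__main__":
    print(demo())
```

LHC recovers only the noisy total; with toy parameters the interval bound must stay below $q_2$, the order of $g_1$, for the discrete log to be unique.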

3.3 Correctness of Health Data Aggregation

The parameter $g_0$ is the generator of the cyclic multiplicative group $G_0$ with order $N$, and thus $g_0^N = 1$. Furthermore, $u$ belongs to $G_0$, so there exists a number $\alpha \in Z_N^*$ satisfying $u = g_0^\alpha$. Therefore, $u^N = (g_0^\alpha)^N = (g_0^N)^\alpha = 1^\alpha = 1$. The correctness of the health data aggregation is shown as follows:

 

4. Analysis

In this section, we provide security and efficiency analysis of our proposed scheme. Moreover, we briefly discuss its usability in real world applications.

4.1 Security Analysis

In this subsection, we demonstrate that the proposed scheme resists against not only the well known attacks (i.e., the external attack, the internal attack, the impersonation attack, the modification attack, and the replay attack), but also the new HDA attack. Moreover, it is shown that the robustness is achieved in the proposed scheme.

• Privacy-preservation

Generally speaking, the attackers can be divided into two categories: the inside attacker and the outside attacker. The inside attacker includes LHC and the patients who attempt to violate the privacy of other patients, and the outside attacker is an illegal party who is not involved in the proposed scheme.

Scenario 1. The proposed scheme can resist against the external attack, i.e., it is computationally infeasible for an outside adversary to obtain mi from CTi.

Proof The ciphertext $CT_i = g_0^{m_i + v_i} h^{r_i'}$ can be eavesdropped by the outsider. If the adversary manages to derive $m_i$ from $CT_i$, he should know $v_i, r_i'$ or $v_i, q_1$. Unfortunately, $v_i, r_i'$ are secretly held by the patient $P_i$, and $q_1$ is privately held by LHC.

Scenario 2. The proposed scheme can resist against the internal attack, i.e., it is computationally infeasible for an internal adversary to extract mi from CTi.

Proof The inside adversary (other patient Pj, j ≠ i) cannot extract mi from CTi successfully, since he has no idea about vi,ri′ or vi,q1. Furthermore, if LHC succeeds in deriving mi, he should at least learn vi which is randomly selected by the patient Pi. Therefore, the proposed scheme can resist against the internal attack.

Scenario 3. The proposed scheme can resist against the HDA attack.

Suppose there exist 3 patients P1,P2,P3 in a specific area, and the health data m1,m2 of P1,P2 are relatively stable at two adjacent time slots T1 and T2. However, P3 uses the medical device at time slot T1, but does not use it at time slot T2. By comparing the aggregated results at the two time slots, it is impossible for the adversary to derive the health data m3 of P3 at time slot T1.

Proof The noise aggregated result at the time slots T1 and T2 are respectively, where V1,V2 ~ B(3w3,1/2). It is infeasible for the adversary to derive m3 by computing M1 − M2, since B(3w3,1/2) is ε-indistinguishability δ-approximation.

Therefore, the proposed scheme resists against not only the external attack and the internal attack, but also the new HDA attack. As a consequence, the privacy property has been enhanced to a higher level compared with existing schemes.

• Resilience against impersonation attack

Scenario 4. The proposed scheme can resist against the impersonation attack, i.e., it is infeasible for the adversary to impersonate the legal patient Pi to provide LHC with the valid message.

Proof To impersonate $P_i$, the adversary should have knowledge about the private key $x_i$ of $P_i$. Given the public key $y_i = g_2^{x_i}$ and signature $\sigma_i = H(t \| CT_i)^{x_i}$, it is infeasible in polynomial time to extract $x_i$ due to the discrete logarithm assumption in $G_1$. As a result, the adversary cannot launch the impersonation attack.

• Resilience against modification attack

Scenario 5. The proposed scheme can resist against the modification attack, i.e., if the adversary modifies a message being sent to LHC, and transmits the modified result to LHC, it can be detected by LHC.

Proof Suppose the adversary modifies {IDi,CTi,σi} into {IDi,CTi′,σi′}, and tries to enable the modified result to pass the verification e(σi′,g2) = e(H(t||CTi′), yi).

Except for guessing the correct σi′, it is impossible for the adversary to determine σi′ from e(σi′,g2) = e(H(t||CTi′), yi) for the given CTi′, since G1 is a GDH group [13]. Similarly, for the given σi′, it is also infeasible to obtain CTi′ from e(σi′,g2) = e(H(t||CTi′), yi) due to the GDH group G1 and the feature of the secure hash function.

As a consequence, if the adversary transmits a modified result, it can be detected by LHC. Therefore, the proposed scheme can resist against the modification attack.

• Resilience against replay attack

Scenario 6. The proposed scheme can resist against the replay attack, i.e., at time t2, the adversary sends a message {IDi,CTi1,σi1} which has been used at time t1 (t1

Proof To launch the replay attack, the adversary provides LHC with the used {IDi,CTi1,σi1} at t2. It can be detected by LHC, since e(σi1,g2) ≠ e(H(t2||CTi1), yi).

• Robustness

Scenario 7. The proposed scheme achieves the robustness.

Proof The proposed scheme does not rely on any trusted third party, and the duty of LHC is only to verify the patient’s message and aggregate the health data in a specific area. Therefore, anyone, who has the knowledge of q1, can verify the message from the patients, and extract the aggregated result. As a result, the trust bottleneck is eliminated, so that the robustness is achieved in the proposed scheme.

Moreover, the security features of the proposed scheme are compared with several works [10,13,14], and the comparison is demonstrated in Table 2.

Table 2. PPR: Privacy-Preservation; REX: Resilience against External Attack; RIN: Resilience against Internal Attack; RHD: Resilience against HDA Attack; RIM: Resilience against Impersonation Attack; RMO: Resilience against Modification Attack; RRE: Resilience against Replay Attack; ROU: Robustness; ✝: Relying on On-line Trusted Third Party; ✝✝: Relying on Off-line Trusted Third Party

4.2 Performance Evaluation

We mainly compare the aggregation performance of the proposed scheme with the related works in [10,13,14]. Assume there exist n patients in the specific area. We only count the expensive computations, such as modular multiplication, modular exponentiation, Pollard’s lambda method, Paillier cryptosystem decryption, and pairing operation. In addition, the time cost for the related computations is listed in Table 3, and $T_e \approx T_{pc} \approx 1.5\,T_{pl}$ [13].

Table 3. Notation for time cost

As for the aggregation efficiency, the comparison result is shown in Table 4. Obviously, the aggregation efficiency of the proposed scheme is comparable to that of Li et al.’s scheme [10] and He et al.’s scheme [14], and it is higher than that of Fan et al.’s scheme [13].

Table 4. Time cost comparison of aggregation

4.3 Utility Analysis

Suppose the aggregation operation involves n patients in the designated area, the approximate aggregated result is and the overall relative error is denoted as When the interval of the added noise is smaller, the relative error thus is also smaller. Moreover, E(γ) is regarded as a binary function of the security parameters ε and δ, and E(γ) is roughly reduced if ε and δ increase simultaneously. Therefore, we can choose the proper ε,δ and E(γ) to balance the security and the usability.

In order to achieve the tradeoff between security and usability, we can roughly determine ε and δ for a given relative error E(γ). For simplicity, when n = 3000, Δ = 5, and n = 6000, Δ = 5, the binary function E(γ) with respect to ε and δ is shown in Fig. 3 (a) and Fig. 3 (b), respectively. In Fig. 3 (a), if E(γ) = 0.05, the rough parameters are determined, i.e., ε = 0.3, δ = 0.03. Meanwhile, ε = 0.5, δ = 0.05 can also be determined when E(γ) = 0.01 in Fig. 3 (b). In Fig. 4, 200 experiments show that almost all the relative errors fall in the pre-determined interval [0,0.05] with n = 3000, ε = 0.3, δ = 0.03, Δ = 5, and [0,0.01] with n = 6000, ε = 0.5, δ = 0.05, Δ = 5. It suggests that the interval of is relatively stable and small for the aggregated expectation with the proper security parameters. As a result, before implementing the proposed scheme, we can determine the proper parameters ε, δ and E(γ) to balance the security and the utility.

Fig. 3. Relative error. (a) When n = 3000, Δ = 5 and (b) When n = 6000, Δ = 5 and

Fig. 4. Relative error. (a) 200 experiments when n = 3000, ε = 0.3, δ = 0.03, Δ = 5, and (b) 200 experiments when n = 6000, ε = 0.5, δ = 0.05, Δ = 5, and
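A simulation of the binomial noise behind Scenario 3 (HDA resistance) and the utility analysis of Section 4.3, as an added example that is not the authors' code. It assumes the natural logarithm in Fact 1, reads $w_n$ as $\lceil 3w/(2n) \rceil$, takes the relative error to be |published − true| / true because the page's formula is not shown, and uses constructed uniform readings in [0, Δ].

```python
import math
import random

def noise_width(eps, dlt, Delta, n):
    """w from Fact 1 and the per-patient share w_n = ceil(3w / (2n)).
    Natural log is an assumption; the page writes only 'log'."""
    w = 64 * Delta ** 2 * math.log(2 / dlt) / eps ** 2
    return w, math.ceil(3 * w / (2 * n))

def binomial_half(w, rng):
    """Exact draw from B(w, 1/2): count the 1-bits of w fair coin flips."""
    return bin(rng.getrandbits(w)).count("1") if w > 0 else 0

def published_aggregate(values, w_n, rng):
    """What LHC outputs: sum(m_i + v_i) minus the expected noise k * w_n / 2."""
    noisy = sum(m + binomial_half(w_n, rng) for m in values)
    return noisy - len(values) * w_n / 2

def hda_estimate(values, target, w_n, rng):
    """Differencing view of the HDA attack: the target is absent in slot T1,
    present in slot T2, and everyone else is stable. Returns the estimate an
    observer of both published aggregates gets for values[target]."""
    others = values[:target] + values[target + 1:]
    t1 = published_aggregate(others, w_n, rng)
    t2 = published_aggregate(values, w_n, rng)
    return t2 - t1

def relative_errors(n, Delta, w_n, trials, rng):
    """Assumed metric |published - true| / true over fresh constructed data."""
    errs = []
    for _ in range(trials):
        values = [rng.randint(0, Delta) for _ in range(n)]
        true_sum = sum(values)
        errs.append(abs(published_aggregate(values, w_n, rng) - true_sum) / true_sum)
    return errs

def demo(seed=2016, trials=50):
    rng = random.Random(seed)
    n, Delta, eps, dlt = 3000, 5, 0.3, 0.03     # parameters quoted for Fig. 4 (a)
    _, w_n = noise_width(eps, dlt, Delta, n)
    values = [rng.randint(0, Delta) for _ in range(n)]
    target = 7
    leak = hda_estimate(values, target, 0, rng)  # w_n = 0: no noise, exact recovery
    guesses = [hda_estimate(values, target, w_n, rng) for _ in range(trials)]
    hits = sum(round(g) == values[target] for g in guesses)
    errs = relative_errors(n, Delta, w_n, trials, rng)
    return {
        "w_n": w_n,
        "leak_without_noise": leak == values[target],
        "exact_hits_with_noise": hits,
        "guess_spread": max(guesses) - min(guesses),
        "share_within_0.05": sum(e <= 0.05 for e in errs) / trials,
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Without noise the difference of the two aggregates is the target's reading; with the noise width from Fact 1 the same difference is spread over a range far wider than Δ, while the published total stays close to the true sum.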

 

5. Conclusion

Based on the differential privacy and the subgroup decision assumption, we propose a privacy-preserving health data aggregation scheme. In the proposed scheme, the local healthcare center can aggregate the health data of the patients in a specific area without leaking the individual one. Moreover, the proposed scheme not only resists against the well known attacks, such as external attack, internal attack, impersonation attack, modification attack, and replay attack, but also overcomes the new HDA attack. Therefore, the privacy is preserved. Notably, no trusted third party is needed in the proposed scheme, such that there exists no trust bottleneck, and thus the robustness is achieved. Hence, the proposed scheme is more practical.

References

  1. C. Hu, X. Liao and D. Chen, "Securing communications between external users and wireless body area networks," in Proc. of the 2nd ACM Workshop on Hot Topics on Wireless Network Security and Privacy, pp. 31-36, 2013.
  2. D. He, C. Chen, S. Chan, J. Bu and P. Zhang, "Secure and lightweight network admission and transmission protocol for body sensor networks," IEEE Journal of Biomedical and Health Informatics, vol. 17, no. 3, pp. 664-674, 2013. https://doi.org/10.1109/JBHI.2012.2235180
  3. T. Cao and J. Zhai, "Improved dynamic ID-based authentication scheme for telecare medical information systems," Journal of Medical Systems, vol. 37, no. 2, pp. 1-7, 2013.
  4. H.Y. Lin, "On the security of a dynamic ID-based authentication scheme for telecare medical information systems," Journal of Medical Systems, vol. 37, no. 2, pp. 1-5, 2013. https://doi.org/10.1007/s10916-013-9929-4
  5. M. Raghavendra and K.B. Amit, "A privacy preserving secure and efficient authentication scheme for telecare medical information systems," Journal of Medical Systems, vol. 39, 2015.
  6. Zhangjie Fu, Xingming Sun, Qi Liu, Lu Zhou and Jiangang Shu, "Achieving Efficient Cloud Search Services: Multi-keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing," IEICE Transactions on Communications, vol. E98-B, no. 1, pp. 190-200, 2015. https://doi.org/10.1587/transcom.E98.B.190
  7. Zheng Yuhui, Jeon Byeungwoo, Xu Danhua, Wu Q.M. Jonathan and Zhang Hui, "Image segmentation by generalized hierarchical fuzzy C-means algorithm," Journal of Intelligent and Fuzzy Systems, vol. 28, no. 2, pp. 961-973, 2015.
  8. W. Jia, H. Zhu, Z. Cao, X. Dong and C. Xiao, "Human-factor-aware privacy-preserving aggregation in smart grid," IEEE Systems Journal, vol. 8, no. 2, pp. 598-607, 2014. https://doi.org/10.1109/JSYST.2013.2260937
  9. R. Lu, X. Liang, X. Li, X. Lin and X. Shen, "EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1621-1632, 2012. https://doi.org/10.1109/TPDS.2012.86
  10. H. Li, X. Lin, H. Yang, X. Liang, R. Lu and X. Shen, "EPPDR: An efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2053-2064, 2014. https://doi.org/10.1109/TPDS.2013.124
  11. K. Zhang, X. Liang, M. Baura, R. Lu and X. Shen, "PHDA: A priority based health data aggregation with privacy preservation for cloud assisted WBANs," Information Sciences, vol. 284, pp. 130-141, 2014. https://doi.org/10.1016/j.ins.2014.06.011
  12. M. Badra and S. Zeadally, "Design and performance analysis of a virtual ring architecture for smart grid privacy," IEEE Transactions on Information Forensics and Security, vol. 9, no. 2, pp. 321-329, 2014. https://doi.org/10.1109/TIFS.2013.2296441
  13. C.I. Fan, S.Y. Huang and Y.L. Lai, "Privacy-enhanced data aggregation scheme against internal attackers in smart grid," IEEE Transactions on Industrial Informatics, vol. 10, no. 1, pp. 666-675, 2014. https://doi.org/10.1109/TII.2013.2277938
  14. D. He, N. Kumar and J.H. Lee, "Privacy-preserving data aggregation scheme against internal attackers in smart grids," Wireless Networks, vol. 22, no. 2, pp. 491-502, 2016. https://doi.org/10.1007/s11276-015-0983-3
  15. Ping Guo, Jin Wang, Bing Li and Sungyoung Lee, "A Variable Threshold-value Authentication Architecture for Wireless Mesh Networks," Journal of Internet Technology, vol. 15, no. 6, pp. 929-936, 2014.
  16. J. Shen, H. Tan, S. Moh, I. Chung, Q. Liu and X. Sun, "Enhanced Secure Sensor Association and Key Management in Wireless Body Area Networks," Journal of Communications and Networks, vol. 17, no. 5, pp. 453-462, 2015. https://doi.org/10.1109/JCN.2015.000083
  17. J. Shao, "Efficient verifiable multi-secret sharing scheme based on hash function," Information Sciences, vol. 278, pp. 104-109, 2014. https://doi.org/10.1016/j.ins.2014.03.025
  18. D. Boneh, E. Goh and K. Nissim, "Evaluating 2-DNF formulas on ciphertexts," in Proc. of Theory of Cryptography (LNCS), pp. 325-341, 2005.
  19. C. Meshram, "An efficient ID-based cryptographic encryption based on discrete logarithm problem and integer factorization problem," Information Processing Letters, vol. 115, pp. 351-358, 2015. https://doi.org/10.1016/j.ipl.2014.10.007
  20. K.A. Shim, "An efficient ring signature scheme from pairings," Information Sciences, vol. 300, pp. 63-69, 2015. https://doi.org/10.1016/j.ins.2014.12.019
  21. D. Boneh, B. Lynn and H. Shacham, "Short signatures from the Weil pairing," Advances in Cryptology - ASIACRYPT, pp. 514-532, 2001.
  22. D. Cynthia, K. Kenthapadi, F. McSherry, I. Mironov and M. Naor, "Our data, ourselves: privacy via distributed noise generation," Advances in Cryptology - EUROCRYPT, pp. 486-503, 2006.
  23. J.M. Pollard, "Monte carlo methods for index computation (mod p)," Mathematics of Computation, vol. 32, no. 143, pp. 918-924, 1978. https://doi.org/10.1090/S0025-5718-1978-0491431-9
