Sharing and Privacy in PHRs: Efficient Policy Hiding and Update Attribute-based Encryption

  • Liu, Zhenhua (School of Mathematics and Statistics, Xidian University) ;
  • Ji, Jiaqi (School of Mathematics and Statistics, Xidian University) ;
  • Yin, Fangfang (School of Mathematics and Statistics, Xidian University) ;
  • Wang, Baocang (State Key Laboratory of Integrated Services Networks, Xidian University)
  • Received : 2020.09.17
  • Accepted : 2021.01.14
  • Published : 2021.01.31

Abstract

A personal health records (PHRs) system is an electronic medical system that enables patients to acquire, manage and share their health data. Nevertheless, data confidentiality and user privacy in PHRs have not been fully addressed. As a fine-grained access control mechanism for health data, ciphertext-policy attribute-based encryption (CP-ABE) can guarantee data confidentiality. However, existing CP-ABE solutions for PHRs face new challenges in access control, such as policy privacy disclosure and dynamic policy update. To address these problems, we propose a privacy protection and dynamic share system (PPADS) based on CP-ABE for PHRs, which supports full policy hiding and flexible access control. In the system, the attribute information of the access policy is fully hidden by an attribute Bloom filter. Moreover, the data user produces a transforming key that lets the PHRs Cloud change the access policy dynamically. Furthermore, the security analysis shows that PPADS is selectively secure in the standard model. Finally, performance comparisons and simulation results demonstrate that PPADS is suitable for PHRs.

Keywords

1. Introduction

A personal health records (PHRs) system [1] allows medical staff and patients to retrieve PHR information in a timely way via any smart wearable devices (SWDs) [2]. As a major fundamental service, cloud storage [3], with its powerful computation and data storage capabilities, is very suitable for PHRs. In PHRs based on cloud storage, a patient only needs to upload her/his electronic health records to PHRs rather than submitting paper medical records. However, PHRs still involve many practical application concerns that have not been addressed.

Attribute-based encryption (ABE) [4], which realizes fine-grained access control, is classified into CP-ABE [5] and key-policy attribute-based encryption (KP-ABE) [6]. Using CP-ABE, which meets the security requirements of PHRs well, patients can share their encrypted electronic health records, embedded with an access policy, with others. A medical staff member can decrypt correctly when her/his attribute set satisfies the access policy. Generally, a CP-ABE ciphertext carries its access structure, which involves user attributes, in plaintext form and can be accessed by anyone. Therefore, it is not suitable for PHRs. For example, a patient needs to consult with medical staff about medical records of a Psychiatry Department of Medical Institution 1 or 2. The patient can encrypt medical information with an access structure {[Department: (“Psychiatry”)] AND [Medical Institution: (“1” OR “2”)]} and upload it to PHRs Cloud (PHRC). In this case, anyone can access the ciphertext, and even someone who cannot decrypt it can infer that the patient might suffer from a mental illness. Therefore, the privacy of the patient is violated, and policy hiding plays a crucial role in CP-ABE. Policy hiding can be divided into two types: full hiding and partial hiding. In a full hiding CP-ABE, the attributes in the access structure are concealed entirely. In a partial hiding access policy, only part of the attribute information is hidden. Specifically, an attribute consists of two portions, the attribute name and the attribute value, and partial hiding conceals only the attribute value. Note that full hiding CP-ABE provides stronger protection of attribute privacy. In the previous example, under a partial hiding scheme an attacker can use the captured ciphertext to learn that the patient sought medical advice in a particular department of the hospital, while it is impossible to acquire any such information in a full hiding scheme.

To our knowledge, most ABE schemes encrypt a message under a static access policy, but in PHRs the patient’s medical record information may need to be modified at any time. Traditionally, the patient has to decrypt the original ciphertext to obtain the plaintext, encrypt the plaintext with a new structure, and upload the new ciphertext to PHRC, which undoubtedly increases the computation cost and communication consumption. Therefore, it is meaningful to study policy update that outsources the ciphertext update to PHRC.

2. Related Work

Nowadays, a growing number of people hope their health care data will be protected prudently. The combination of IoT and cloud computing with PHRs is widely used and generates massive medical data. Since the data scale of medical IoT is huge, some traditional encryption technologies have difficulty managing and processing it effectively. PHRs involving IoT and cloud computing were proposed in Xu et al. [7] and Namani et al. [8].

Nevertheless, the above work does not address data confidentiality or privacy issues in PHRs. ABE, as a primitive, gives a positive solution for data confidentiality in PHRs. Sahai and Waters [4] first introduced the ABE concept. With the further development of ABE, two basic types emerged: KP-ABE [9] and CP-ABE [10]. Furthermore, according to the form of expression, access policies can be classified into three types: AND-based [11], tree-based [9] and LSSS-based [12]. Additionally, many other efficient and functional ABE solutions have been put forward [13-15]. But these schemes do not address user privacy and dynamic update, and thus cannot be applied directly to PHRs.

To protect user attribute privacy, a series of privacy protection schemes have been presented [16,17]. Generally, policy hiding consists of two types: partial hiding and full hiding. The concept of partial hiding, where the attribute value is hidden, was presented by Nishide et al. [11]. To improve Nishide et al.’s scheme [11], Lai et al. [18] proposed a concrete construction supporting multi-valued attributes with wildcards. But their schemes only support AND-gate policies. Subsequently, an improved composite-order scheme with expressive LSSS was presented by Lai et al. [19]. Nonetheless, the above schemes are limited by their use of composite-order groups, since a composite-order group must be larger than a prime-order group that guarantees an equivalent level of security. Later, Cui et al. [20] constructed an efficient scheme with a partially hidden access policy based on a linear secret sharing scheme (LSSS) in prime-order groups. Furthermore, the attribute value can be hidden by wildcards [21] and inner product encryption (IPE) [22]. To some extent, hiding the attribute value can protect privacy, but the attribute name can still reveal user information. Afterwards, Michalevsky et al. [23] utilized IPE and Khan et al. [24] took advantage of hidden vector encryption to guarantee stronger privacy protection, but some shortcomings in efficiency and expressiveness still existed. Hao et al. [25] constructed a CP-ABE scheme with fully hidden attributes, but their scheme only provided the single functionality of policy hiding.

To decrease the computation burden and communication overhead, Sahai et al. [26] presented a method utilizing ciphertext authorization to update the access structure, with the restriction that the new policy must be more restrictive than the previous structure. Later on, Yang et al. [27] presented a variety of policy update mechanisms for various access structures, where these structures could be converted into an LSSS matrix. Then Zhang et al. [28] came up with a new policy update method, which was proved secure in the standard model. However, they utilized composite-order groups. Later, Ying et al. [29] put forward a modified policy update for PHRs, where the data owner needed to generate the update component and outsource it to PHRC. However, this can increase the amount of computation for the data owner to some extent. Yuan [30] showed a fresh LSS matrix update algorithm, which was a novel way to update the policy, but had low efficiency.

2.1 Our Contributions

In this paper, we propose PPADS to resolve both data confidentiality and user privacy in PHRs. In PPADS, we present a solution focused on policy hiding and policy update. The policy is fully hidden by hiding the whole attribute, and the attribute is hidden by an attribute Bloom filter, which serves to locate the row number of the attribute in the LSSS matrix and to restore the corresponding attribute mapping function. As far as policy update is concerned, the patient generates a transforming key and uploads it to PHRC, then PHRC updates the corresponding ciphertext with the transforming key. Our rigorous security proofs and performance comparisons indicate that PPADS is selectively secure. Our contributions are as follows:

• In PPADS, the whole attribute in the access policy is hidden rather than only the attribute value, so the ciphertext does not disclose any user privacy information. The attribute can then be located and recovered by a fuzzy attribute location mechanism.

• Furthermore, to support a flexible data sharing mechanism, the patient needs to update an old policy to a new one. Considering three scenarios, the patient produces a transforming key and sends it to PHRC, and then PHRC can update the old corresponding ciphertext to the new ciphertext.

• A comparison of efficiency and functionality shows that PPADS can achieve stronger privacy protection and smaller computing storage.

2.2 Organization

Our paper is organized as follows. We describe the preliminary knowledge in Section 3. The detailed procedure of our system is proposed in Section 4. Finally, we provide a security proof and performance analysis comparisons in Section 5 and Section 6, then make a summary in Section 7.

3. Preliminaries

The definitions of bilinear pairing, decisional q -parallel bilinear Diffie-Hellman exponent (BDHE) problem, linear secret sharing scheme (LSSS), and Bloom filter are given in this part.

3.1 Bilinear Pairing

Let \(\mathrm{G}\) and \(\mathrm{G}_{T}\) be two cyclic multiplicative groups of prime order p, and let g be a generator of \(\mathrm{G}\). A bilinear pairing is a map [12] \(e: \mathrm{G} \times \mathrm{G} \rightarrow \mathrm{G}_{T}\), which satisfies the following properties:

1) Bilinearity : \(\forall u, v \in \mathrm{G}, \) and \( x, y \in Z_{p}^{*}, e\left(u^{x}, v^{y}\right)=e(u, v)^{x y}\) holds.

2) Non-degeneracy : \(e(g, g) \neq 1\).

3) Computability: For all \(u, v \in G\), \(e(u, v)\) can be calculated.

3.2 Decisional q-BDHE Assumption

The decisional q -parallel BDHE problem is described as follows. Let G be a group of prime order p, where g is a generator of G . An adversary 𝒜 is given \(\vec{y}=\left\{g, g^{s}, g^{a}, \cdots, g^{a^{q}}, g^{a^{q+2}}, \cdots, g^{a^{2 q}}\right\}\), where \(a, s \in Z_{p}^{*}\), and must distinguish the value \(e(g, g)^{a^{q+1} s} \in G_{T}\) from a random element \(Z \in G_{T}\). An adversary 𝒜 has advantage \(\varepsilon\) in attacking decisional q -BDHE [12] if

\(\left|\operatorname{Pr}\left[\mathcal{A}\left(\vec{y}, e(g, g)^{a^{q+1} s}\right)=0\right]-\operatorname{Pr}[\mathcal{A}(\vec{y}, Z)=0]\right| \geq \varepsilon\)       (1)

Definition 1. The decisional q -BDHE hardness assumption holds if no polynomial time adversary 𝒜 has a non-negligible advantage in resolving the decisional q -BDHE problem.

3.3 Linear Secret Sharing Scheme

A linear secret sharing scheme [12] is applied to a structure \((M, \rho)\), where \(M\) is an access matrix of size \(l \times n\) and \(\rho\) is an injective function which maps each row of M to an attribute. Specifically, there are two algorithms:

• Share \(((M, \rho), s)\) : The subalgorithm is applied to distribute a secret value \(s \in Z_{p}\) to attributes. Given a vector \(\vec{v}=\left(s, z_{2}, \cdots, z_{n}\right)^{\mathrm{T}}\), where s is the secret value and \(z_{2}, \cdots, z_{n} \in Z_{p}\) are selected at random, set \(M_{i}\) as the i -th row of M and calculate \(\lambda_{i}=M_{i} \cdot \vec{v}\), which is one of the l sharing values of the secret s .

• Reconstruction \(\left(\left(\lambda_{1}, \cdots, \lambda_{l}\right),(M, \rho)\right)\) : The subalgorithm is utilized to recover the secret value s according to \(\left(\lambda_{1}, \cdots, \lambda_{l}\right)\) . For any authorized attribute set S , define \(I=\{i \mid \rho(i) \in S\} \subset\{1,2, \cdots, l\}\). A series of coefficients \(\left\{\omega_{i} \in Z_{p} \mid i \in I\right\}\) will satisfy \(\sum_{i \in I} \omega_{i} \cdot M_{i}=(1,0, \cdots, 0)\). Therefore, \(s=\sum_{i \in I} \omega_{i} \lambda_{i}\) can be reconstructed.

3.4 Bloom Filter

In 1970, Bloom [31] presented the concept of the Bloom filter, a data structure that permits membership queries and can be applied to judge whether a value belongs to a collection. For convenience, \(BF_{A}\) denotes a Bloom filter encoding of a set A. Subsequently, in 2013, Dong et al. [32] proposed the garbled Bloom filter by introducing the XOR operation. To add an element \(x \in A\), x is divided into k shares utilizing the XOR -based secret sharing scheme, which are placed at the locations \(\left\{h_{i}(x)\right\}_{i \in[k]}\). To query x, the values at these positions are combined by the XOR operation. If the value recovered from them is equal to x , then \(x \in A\), otherwise \(x \notin A\).

Furthermore, the garbled Bloom filter is employed as a building block for the attribute Bloom filter (ABF), parameterized by \((m, l, k, H, \eta)\). Specifically, l represents the number of inserted attributes, \(H=\left\{h_{j}\right\}_{j \in[k]}\) are k independent hash functions, and \(\eta\) denotes the bit length of the inserted values. To insert an element \(\rho(i)\) into the filter, \(v_{i}=\xi_{i} l+i\) is calculated, where \(\xi_{i}\) is a random value. Then \(v_{i}\) is divided into k \(\eta\)-bit shares \(\left\{v_{i}^{j}\right\}_{j \in[k]}\) utilizing the XOR -based secret sharing scheme, and the shares are placed at the corresponding positions \(pos=h_{j}(\rho(i))\). It can happen that a position \(pos=h_{j}(\rho(i))\) is already occupied by an existing value. As shown in Fig. 1, the existing value is then reused, which sets \(v_{2}^{1}=v_{1}^{2}\). The k shares of \(v_{i}\) are calculated as follows: choose k −1 random numbers \(v_{i}^{1}, v_{i}^{2}, \cdots, v_{i}^{k-1}\) with \(\eta\) bits and calculate \(v_{i}^{k}=v_{i}^{1} \oplus v_{i}^{2} \oplus \cdots \oplus v_{i}^{k-1} \oplus v_{i}\). Algorithm 1 shows the detailed process of ABFBuild .

Fig. 1. Example for Inserting Values to ABF

3.5 Formal Definition

Fig. 2 shows the personal health record system structure, containing following participants: PHRs Authority (PHRA), PHRs Cloud (PHRC), Data Owner (DO), and Data User (DU).

Fig. 2. Architecture of the Privacy-Aware and Data Sharing PHRs

• Setup \((\lambda, U) \rightarrow(P P, M S K)\) : This step is executed by PHRA. It takes a security parameter \(\lambda\) and an attribute universe U as input. PHRA generates public parameters PP and a master secret key MSK.

• KeyGen \((P P, M S K, S) \rightarrow S K_{S}\) : This step is operated by PHRA. Taking PP , MSK , and an attribute set S as input, PHRA generates the corresponding attribute private key \(S K_{S}\).

• Encrypt \((P P, m,(M, \rho)) \rightarrow C T\) : DO performs the step. Taking PP , a message m and a policy \((M, \rho)\) as input, DO generates a ciphertext CT.

• Decrypt \(\left(C T, S K_{S}\right) \rightarrow m / \perp\) : DU performs the step. Taking the ciphertext CT and the corresponding secret key \(S K_{S}\) as input, DU recovers m if the user attribute set satisfies the structure used in the Encrypt algorithm. Otherwise, the algorithm outputs \(\perp\).

• PolUpdate \(\left(P P, \operatorname{EnInfo}(m),(M, \rho),\left(M^{\prime}, \rho^{\prime}\right)\right) \rightarrow T K_{m}\) : This step is managed by DO. Taking as input PP , encryption information EnInfo(m) derived from a part of the generated ciphertext, an old policy \((M, \rho)\) and a new policy \(\left(M^{\prime}, \rho^{\prime}\right)\), DO outputs a transforming key \(T K_{m}\).

• CTUpdate \(\left(C T, T K_{m}\right) \rightarrow C T^{\prime}\) : This step is carried out by PHRC. Taking the ciphertext CT and the transforming key \(T K_{m}\) as input, PHRC calculates an updated ciphertext CT'.

3.6 IND-CPA Security Model

To ensure the security of PPADS, our security model is built on Sahai and Waters’s model [4]. The concrete selective security model is an interactive game between a simulator ℬ and an adversary 𝒜. In addition, since the ciphertexts before and after updating are indistinguishable, we only consider the security before policy update.

1) Initialization: 𝒜 specifies an access structure \(\mathbb{A}^{*}=\left(M^{*}, \rho^{*}\right)\), where M* represents an \(l^{*} \times n^{*}\) access matrix and \(\rho^{*}\) is a mapping function which maps each row of the matrix to an attribute, then transmits it to ℬ.

2) Setup: ℬ executes the algorithm after obtaining \(\mathbb{A}^{*}\), and then returns PP to 𝒜.

3) Phase 1: 𝒜 queries the attribute secret key connected to S.

Case 1: If the attribute set satisfies \(\left(M^{*}, \rho^{*}\right)\), then abort.

Case 2: ℬ produces a private key related to S for 𝒜.

4) Challenge: 𝒜 picks two messages \(m_{0}, m_{1}\) of equal length and sends them to ℬ. Then ℬ randomly chooses a bit \(\beta \in\{0,1\}\), executes the Encryption algorithm to produce a challenge ciphertext CT* and returns it to 𝒜.

5) Phase 2: Phase 2 is identical to Phase 1.

6) Guess: 𝒜 returns a guess \(\beta^{\prime}\) of \(\beta\) . Define the advantage of 𝒜 in the security game as: \(A d v_{\mathcal{A}}=\left|\operatorname{Pr}\left[\beta^{\prime}=\beta\right]-\frac{1}{2}\right|\)

Definition 2. If any polynomial-time adversary has only a negligible advantage in the interactive game, PPADS is IND-CPA secure under the framework of the selective access structure attacks.

4. Design Details of PPADS

Enlightened by Hao et al.’s scheme [25] and Li et al.’s scheme [33], PPADS is described as shown below.

• Setup. PHRA first carries out the Setup algorithm by taking as input \(\lambda\) and \(U=\left\{att_{1}, \cdots, att_{|U|}\right\}\). The algorithm randomly selects \(\alpha, \beta \in Z_{p}\), values \(\lambda_{1}^{\prime}, \cdots, \lambda_{l}^{\prime} \in Z_{p}\) serving as attribute masks, and group elements \(h_{att_{1}}, \cdots, h_{att_{|U|}} \in \mathrm{G}\) for all the attributes in U . The public parameter PP is issued as \(PP=\left\langle e(g, g)^{\alpha}, g, g^{\beta}, \lambda_{1}^{\prime}, \cdots, \lambda_{l}^{\prime}, h_{att_{1}}, \cdots, h_{att_{|U|}}\right\rangle\). The master secret key \(MSK=g^{\alpha}\) is held by PHRA.

• KeyGen. When DU joins the system, she or he should register and authenticate to PHRA to obtain the related secret key. Given the attribute set S , PHRA generates a corresponding secret key. Select a value \(t \in Z_{p}\) randomly and calculate \(D^{\prime}=g^{t}, D=g^{\alpha} \cdot\left(g^{\beta}\right)^{t}, \forall att_{x} \in S, D_{att_{x}}=h_{att_{x}}^{t}\). Then, a secret key \(S K_{S}=\left\langle D, D^{\prime},\left\{D_{att_{x}}\right\}_{att_{x} \in S}\right\rangle\) is distributed to DU through a secure channel.

• Encrypt. Taking PP , m and \((M, \rho)\) as input, DO produces a ciphertext CT and then uploads it to PHRC. In order to hide the policy, the generated ciphertext is different from the common ciphertext in basic CP-ABE such as [14]. Specifically, the Encrypt phase of PPADS contains two steps: CTGen and ABFBuild . The CTGen step generates the common ciphertext and the ABFBuild step helps DU determine their attribute positions in the access matrix M. It is crucial for the second step that \(\rho\) can be recovered from the attribute Bloom filter.

1) Step 1. CTGen \((PP, m,(M, \rho)) \rightarrow C T_{0}\). The step is regarded as a normal encryption algorithm. According to the LSSS, DO selects a vector \(\vec{z}=\left(s, z_{2}, \cdots, z_{n}\right)\), where s is a secret value and \(z_{2}, \cdots, z_{n} \in Z_{p}\) are chosen randomly, calculates \(\lambda_{i}=M_{i} \cdot \vec{z}\) for each \(i \in[l]\), and picks random values \(r_{1}, \cdots, r_{l} \in Z_{p}\). Then DO produces the corresponding ciphertext \(C T_{0}\) as below.

\(C T_{0}=\left\langle C=m \cdot e(g, g)^{\alpha s}, C_{0}=g^{s},\left\{C_{i, 1}=g^{\beta \lambda_{i}^{\prime}} h_{\rho(i)}^{-r_{i}}, C_{i, 2}=g^{r_{i}}, C_{i, 3}=g^{\beta\left(\lambda_{i}-\lambda_{i}^{\prime}\right)}\right\}_{i \in[l]}\right\rangle\),

where \(C_{i, 3}\) will be used to update the ciphertext in the CTUpdate algorithm. That is to say, the difference between the generated ciphertext and the common ciphertext in CP-ABE is the component \(C_{i, 3}\).

2) Step 2. ABFBuild \(((M, \rho)) \rightarrow T\). The step calls Algorithm 1 to generate T that hides \(\rho\). At last, DO uploads the ciphertext \(C T_{0}\) and (M,T) , instead of \((M, \rho)\), that is \(C T=\left\langle C T_{0}, M, T\right\rangle\), to PHRC.

• Decrypt. After DU receives the ciphertext \(C T=\left\langle C T_{0}, M, T\right\rangle\), she or he can decrypt successfully if her or his attribute set meets the access policy contained in the ciphertext. The Decrypt algorithm in PPADS includes three steps: ABFQuery , MapRecover , and DecTest . The ABFQuery algorithm looks up the row value for each user attribute, the MapRecover algorithm restores the mapping functions corresponding to the row numbers, and the DecTest step tests whether the decryption can pass or not.

1) Step 1. ABFQuery (S,T) \(\rightarrow \Theta\)

The step is executed by calling Algorithm 2. It takes the attribute set S and the attribute Bloom filter T as input and outputs a mapping function \(\Theta: S \rightarrow J\). For each attribute \(att_{x} \in S\), the relevant value \(r_{x}=\xi_{x} l+x\) was inserted. Following the algorithm, calculate the k locations \(\left\{h_{j}\left(att_{x}\right)\right\}_{j \in[k]}\) and get the corresponding values \(\left\{r_{x}^{j}=T\left[h_{j}\left(att_{x}\right)\right]\right\}_{j \in[k]}\). Therefore, \(r_{x}=r_{x}^{1} \oplus r_{x}^{2} \oplus \cdots \oplus r_{x}^{k}\). Furthermore, the row number of the inserted attribute \(att_{x}\) can be represented as \(rownum_{x}=r_{x} \bmod l=\left(r_{x}^{1} \oplus r_{x}^{2} \oplus \cdots \oplus r_{x}^{k}\right) \bmod l\). Hence, the row numbers are generated and the following algorithm is then performed.

Remarks. Notice that the returned row numbers are valid only for user attributes that lie in the structure; the row numbers of the remaining attributes are merely random values. Besides, it is worth noting that different attributes may obtain an identical row number. How often this happens generally depends on the number of attributes belonging to S and the size of the access structure.

2) Step 2. MapRecover\((\Theta) \rightarrow P\)

The step is executed by Algorithm 3. It takes \(\Theta\) as input and outputs a set P filled with \(\overline{\rho_{i}}\) by choosing all the attributes in S . As shown in Algorithm 3, for each row number, the algorithm selects all attributes in J to form an attribute set \(\overline{S_{i}}\) while satisfying the property of injective functions \(i \neq j \Rightarrow \bar{S}_{i} \neq \bar{S}_{j}\). Later, the set P is composed of all \(\overline{\rho_{i}}, i \in[l]\). Then, for each \(\overline{\rho_{i}} \in P\) and the relative secret key \(S K_{\bar{S}} \subseteq S K_{S}\), the following algorithm can be performed.

3) Step 3. DecTest \(\left(C T_{0},\left(M_{J}, \overline{\rho_{i}}\right), S K_{\bar{S}}\right) \rightarrow m / \perp\).

This step is a normal decryption algorithm. The algorithm extracts a set \(I=\{i \mid \rho(i) \in S\} \subseteq\{1, \cdots, l\}\) derived from \(M_{J}\), where \(M_{J}\) represents the specific matrix formed by the row numbers attached to J , and computes the coefficients \(\left\{\omega_{i} \in Z_{p}\right\}_{i \in I}\) such that \(\sum_{i \in I} \omega_{i} \cdot M_{i}=(1,0, \cdots, 0)\) and \(\sum_{i \in I} \omega_{i} \cdot \lambda_{i}=s\). Then for each \(i \in I\), the algorithm calculates formula (2). If \(\overline{S_{i}}\) does not satisfy \(\left(M_{J}, \overline{\rho_{i}}\right)\), then output \(\perp\).

\(\begin{aligned} B &=\frac{e\left(C_{0}, D\right)}{\prod_{i \in I}\left(e\left(C_{i, 2}, D_{\bar{\rho}_{i}}\right) \cdot e\left(C_{i, 1}, D^{\prime}\right)\right)^{\omega_{i}}} \cdot \frac{1}{e\left(\prod_{i \in I} C_{i, 3}^{\omega_{i}}, D^{\prime}\right)} \\ &=\frac{e(g, g)^{\alpha s} \cdot e(g, g)^{\beta t s}}{\prod_{i \in I} e(g, g)^{\beta t \omega_{i} \lambda_{i}}}=e(g, g)^{\alpha s} \\ \frac{C}{B} &=\frac{m \cdot e(g, g)^{\alpha s}}{e(g, g)^{\alpha s}}=m \end{aligned}\)       (2)
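ABFBuild (Section 3.4) and the ABFQuery step above can be exercised together. The following Python is an added example, not the paper's Algorithm 1 or 2: it assumes SHA-256-derived hash functions, \(\eta = 32\), 0-based row indices (so that `v % l` is the row directly), and constructed attribute strings based on the introduction's example policy.

```python
import hashlib
import secrets

ETA = 32  # bit length eta of each stored share (assumed value)

# Constructed mapping rho: row index i -> attribute, for the policy
# Psychiatry AND (Institution 1 OR Institution 2) from the introduction.
POLICY_RHO = ["Department:Psychiatry", "Institution:1", "Institution:2"]


def positions(attr, m, k):
    """Positions h_j(attr) in [0, m) for j in [k]; repeated positions are
    collapsed so that build and query XOR over the same cells."""
    pos = []
    for j in range(k):
        digest = hashlib.sha256(f"{j}|{attr}".encode()).digest()
        p = int.from_bytes(digest, "big") % m
        if p not in pos:
            pos.append(p)
    return pos


def abf_build(rho, m, k):
    """Build T from rho. Only XOR shares of v_i = xi_i * l + i are stored;
    no attribute name or value appears in the table."""
    l = len(rho)
    table = [None] * m
    for i, attr in enumerate(rho):
        xi = secrets.randbelow((1 << ETA) // l - 1)  # keeps v_i below 2**ETA
        acc = xi * l + i
        free = None
        for p in positions(attr, m, k):
            if table[p] is None:
                if free is None:
                    free = p              # reserved for the final share
                    continue
                table[p] = secrets.randbits(ETA)
            acc ^= table[p]               # fresh share, or an existing one reused
        if free is None:
            # Every cell of this attribute is already occupied: its value
            # cannot be encoded, so m must be larger for this policy.
            raise ValueError("ABF too small for this policy")
        table[free] = acc
    # Unused cells get random values so they look like real shares.
    return [secrets.randbits(ETA) if c is None else c for c in table]


def abf_query(table, attrs, l, k):
    """Return Theta: attribute -> candidate row number (XOR of its cells mod l)."""
    theta = {}
    for attr in attrs:
        r = 0
        for p in positions(attr, len(table), k):
            r ^= table[p]
        theta[attr] = r % l
    return theta


if __name__ == "__main__":
    T = abf_build(POLICY_RHO, m=256, k=3)
    user_attrs = ["Department:Psychiatry", "Institution:2", "Role:Nurse"]
    print(abf_query(T, user_attrs, l=len(POLICY_RHO), k=3))
```

The attribute outside the policy (`Role:Nurse`, constructed) still receives a row number in range, which is the behaviour the Remarks describe; the later DecTest step is what rejects such candidates.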

• PolUpdate. DO performs the policy update and generates a transforming key, which PHRC uses to update the ciphertext. The inputs are the old structure \((M, \rho)\), the new structure \(\left(M^{\prime}, \rho^{\prime}\right)\), and EnInfo(m), which is defined as \(C_{i, 3}\). Define \(num_{\rho(i), M}\) as the quantity of attribute \(\rho(i)\) in M and \(num_{\rho(i), M^{\prime}}\) as the quantity of attribute \(\rho(i)\) in M' , respectively. Concretely, the update algorithm consists of two steps.

1) Step 1. This step is used to pick the secret value s , EnInfo(m) and the attribute mask \(\lambda_{i}^{\prime}\). Policy update is classified into three cases according to the distribution of attribute locations:

Case 1: Let \(I_{1, M^{\prime}}\) be a set of attributes which existed in the original structure if \(num_{\rho(i), M^{\prime}} \geq num_{\rho(i), M}\).

Case 2: Let \(I_{2, M^{\prime}}\) be a set of attributes which existed in the original structure and appear more than once only if \(num_{\rho(i), M^{\prime}} \leq num_{\rho(i), M}\).

Case 3: Let \(I_{3, M^{\prime}}\) be a set of attributes which did not exist in the original structure.

2) Step 2. This step is used to generate a transforming key. Specifically, on the basis of the new access structure \(\left(M^{\prime}, \rho^{\prime}\right)\), the patient generates the random vector \(\vec{z}^{\prime}=\left(s, z_{2}^{\prime}, \cdots, z_{n}^{\prime}\right) \in Z_{p}\) with the secret value s . Compute \(\lambda_{j}=M_{j}^{\prime} \cdot \vec{z}^{\prime}\), where \(M_{j}^{\prime}\) is the j-th row of M'. The attribute parameter \(\lambda_{i}\) and mask \(\lambda_{i}^{\prime}\) are retained from the original encryption. According to the above three cases, the transforming key is generated as follows:

Case 1: If \((j, i) \in I_{1, M^{\prime}}\), select a random number \(\lambda_{j}^{\prime} \in Z_{p}\) and generate the transforming key as:

\(T K_{j, i, m}=\left(T K_{j, i, m}^{(1)}, T K_{j, i, m}^{(2)}\right)=\left(g^{\beta\left(\lambda_{j}^{\prime}-\lambda_{i}^{\prime}\right)}, g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right)\)

Case 2: If \((j, i) \in I_{2, M^{\prime}}\), select \(\lambda_{j}^{\prime}, a_{j} \in Z_{p}\) and compute the transforming key as:

\(T K_{j, i, m}=\left(T K_{j, i, m}^{(1)}, T K_{j, i, m}^{(2)}, T K_{j, i, m}^{(3)}\right)=\left(a_{j}, g^{\beta\left(\lambda_{j}^{\prime}-a_{j} \lambda_{i}^{\prime}\right)}, g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right)\)

Case 3: If \((j, i) \in I_{3, M^{\prime}}\), select a random number \(\lambda_{j}^{\prime} \in Z_{p}\) and generate the transforming key as:

\(T K_{j, i, m}=\left(T K_{j, i, m}^{(1)}, T K_{j, i, m}^{(2)}, T K_{j, i, m}^{(3)}\right)=\left(g^{\beta \lambda_{j}^{\prime}} h_{\rho(i)}^{-r_{j}}, g^{r_{j}}, g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right)\)

• CTUpdate. After receiving the transforming key, PHRC generates a new ciphertext. The final ciphertext is composed of the new ciphertext and an updated attribute Bloom filter. Therefore, there are two steps as follows.

1) Step 1. CTUpdate \(\left(C T, T K_{m}\right) \rightarrow C T^{\prime}\). The ciphertext update algorithm takes the transforming key \(T K_{m}\) and the old ciphertext CT as input, and then outputs an updated ciphertext CT' according to the following three cases.

a. If \((j, i) \in I_{1, M^{\prime}}\) in Case 1 holds, the updated ciphertext \(C_{j}^{\prime}\) is described as:

\(C_{j}^{\prime}=\left(C_{j, 1}^{\prime}=C_{i, 1} \cdot T K_{j, i, m}^{(1)}=g^{\beta \lambda_{j}^{\prime}} \cdot h_{\rho(i)}^{-r_{j}}, C_{j, 2}^{\prime}=C_{i, 2}=g^{r_{j}}, C_{j, 3}^{\prime}=T K_{j, i, m}^{(2)}=g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right)\)

In this formula, \(r_{j}=r_{i}\) is consistent with the original ciphertext.

b. If \((j, i) \in I_{2, M^{\prime}}\) in Case 2 holds, the updated ciphertext \(C_{j}^{\prime}\) is described as:

\(\begin{array}{l} C_{j}^{\prime}=\left(C_{j, 1}^{\prime}=C_{i, 1}^{a_{j}} \cdot T K_{j, i, m}^{(2)}=g^{\beta \lambda_{j}^{\prime}} \cdot h_{\rho(i)}^{-r_{j}}, C_{j, 2}^{\prime}=C_{i, 2}^{a_{j}}=g^{r_{j}}, C_{j, 3}^{\prime}=T K_{j, i, m}^{(3)}=g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right), \\ \text { where } r_{j}=a_{j} r_{i} . \end{array}\)

c. If \((j, i) \in I_{3, M^{\prime}}\) in Case 3 holds, the updated ciphertext \(C_{j}^{\prime}\) is described as:

\(C_{j}^{\prime}=\left(C_{j, 1}^{\prime}=T K_{j, i, m}^{(1)}=g^{\beta \lambda_{j}^{\prime}} \cdot h_{\rho(i)}^{-r_{j}}, C_{j, 2}^{\prime}=T K_{j, i, m}^{(2)}=g^{r_{j}}, C_{j, 3}^{\prime}=T K_{j, i, m}^{(3)}=g^{\beta\left(\lambda_{j}-\lambda_{j}^{\prime}\right)}\right)\)

2) Step 2. UpdateABFBuild \(\left(M^{\prime}, \rho^{\prime}\right) \rightarrow T^{\prime}\). The ABFBuild algorithm is run again. The algorithm takes the new policy as input, then outputs a new attribute Bloom filter. Since DO has a new access policy, we can run the ABFBuild algorithm to get a new T' as a part of the updated ciphertext.

In conclusion, the final ciphertext is \(C T^{\prime}=\left(C T_{0}^{\prime}, M^{\prime}, T^{\prime}\right)\), where \(C T_{0}^{\prime}\) is defined as \(C T_{0}^{\prime}=\left(C, C_{0},\left\{C_{j}^{\prime}\right\}_{j \in[l]}\right)\).

5. Security Analysis

5.1 Analysis of Ciphertext Indistinguishability

Theorem 1. Assume the q -parallel BDHE assumption holds in groups \(\left(\mathrm{G}, \mathrm{G}_{\mathrm{T}}\right)\), then PPADS is IND-CPA secure under the framework of the selective access policy attacks in the standard model.

Proof: Suppose that an attacker 𝒜 could breach our system in polynomial time with a non-negligible advantage of \(\varepsilon\) in the CPA security game; then a challenger ℬ would have an advantage of \(\frac{\varepsilon}{2}\) in resolving the difficult problem.

Pick s, \(\beta \in Z_{p}\) randomly. The decisional q - parallel BDHE problem used in PPADS is defined by \(\vec{y}=\left(g, g^{s}, g^{\beta}, \cdots, g^{\beta^{q}}, g^{\beta^{q+2}}, \cdots, g^{\beta^{2 q}}\right)\) and Z . Given a coin flip u, if u =1 , then \(Z=e(g, g)^{\beta^{q+1} s}\); otherwise, Z is selected from \(G_{T}\) randomly. Then ℬ is given a guess value.

Initialization. 𝒜 chooses the challenging policy \(\left(M^{*}, \rho^{*}\right)\) and transmits it to ℬ.

Setup. ℬ simulates PP as below:

• Pick a random number \(\alpha^{\prime} \in Z_{p}\) and figure up \(e(g, g)^{\alpha}=e\left(g^{\beta}, g^{\beta^{q}}\right) \cdot e(g, g)^{\alpha^{\prime}}\), denoted \(\alpha=\alpha^{\prime}+\beta^{q+1} .\)

• Select \(\beta \in Z_{p}\) randomly, then compute \(g^{\beta}\).

\(\forall x \in U\) , pick a corresponding number \(z_{x}\) randomly, then calculate \(h_{x}\) :

1) While \(\rho^{*}\) maps an index i\(\in\left\{1,2, \cdots, l^{*}\right\}\) to an element x , put

\(h_{x}=g^{z_{x}}\left(g^{\beta}\right)^{M_{i, 1}^{*}}\left(g^{\beta^{2}}\right)^{M_{i, 2}^{*}} \cdots\left(g^{\beta^{n^{*}}}\right)^{M_{i, n}^{*}}\)       (3)

2) Otherwise, put \(h_{x}=g^{z_{x}}\)

Phase 1. In this phase, 𝒜 can obtain secret keys for attribute sets \(S\), except those that satisfy the access matrix \(M^{*}\). ℬ picks a value \(r \in Z_{p}\) randomly and a vector \(\vec{w}=\left(w_{1}, w_{2}, \cdots, w_{n^{*}}\right) \in Z_{p}^{n^{*}}\) with first element \(w_{1}=-1\) such that \(\vec{w} \cdot M_{i}^{*}=0\) for all \(i\) with \(\rho(i)^{*} \in S\). By the property of an LSSS, such a vector necessarily exists. Then the simulator ℬ implicitly defines \(t\) as follows (with \(N^{\prime}=\left\{2, \cdots, n^{*}\right\}\)):

\(t=r+w_{1} \beta^{q}+w_{2} \beta^{q-1}+\cdots+w_{n^{*}} \beta^{q-n^{*}+1}\)       (4)

Generate \(D\), \(D^{\prime}\), \(D_{att_{x}}\) as follows:

\(D=g^{\alpha^{\prime}} g^{\beta r} \prod\left(g^{\beta^{q+2-i}}\right)^{w_{i}}, \quad D^{\prime}=g^{r+w_{1} \beta^{q}+w_{2} \beta^{q-1}+\cdots+w_{n^{*}} \beta^{q-n^{*}+1}}\)       (5)

If no index \(i \in\left\{1,2, \cdots, l^{*}\right\}\) is mapped to \(x\), put \(D_{att_{x}}=\left(D^{\prime}\right)^{z_{x}}\). Otherwise, put (with \(N=\left\{1, \cdots, n^{*}\right\}\))

\(D_{att_{x}}=\left(D^{\prime}\right)^{z_{x}} \cdot \prod_{j \in N}\left(g^{\beta^{j} r} \cdot \prod_{k \in N, k \neq j}\left(g^{\beta^{q+1+j-k}}\right)^{w_{k}}\right)^{M_{i, j}^{*}}\)       (6)

Challenge. 𝒜 returns two plaintexts \(m_{0}\) and \(m_{1}\). Then ℬ chooses a random value \(\beta \in\{0,1\}\) and calculates \(C=m_{\beta} Z \cdot e\left(g^{s}, g^{\alpha^{\prime}}\right)\) and \(C_{0}=g^{s}\). Next, ℬ picks \(y_{2}^{\prime}, \cdots, y_{n}^{\prime}\) randomly and forms the vector \(\vec{v}=\left(s, s \beta+y_{2}^{\prime}, s \beta^{2}+y_{3}^{\prime}, \cdots, s \beta^{n-1}+y_{n}^{\prime}\right) \in Z_{p}^{n^{*}}\). Furthermore, ℬ selects random numbers \(r_{1}^{\prime}, \cdots, r_{l}^{\prime} \in Z_{p}\). The challenge ciphertext is produced as:

\(C_{i, 1}=\left(g^{s}\right)^{-z_{\rho(i)}} \cdot g^{z_{\rho(i)} r_{i}^{\prime}} \cdot \prod_{j \in N}\left(g^{\beta^{j}}\right)^{M_{i, j}^{*} \cdot r_{i}^{\prime}} \cdot g^{\beta \lambda_{i}^{\prime \prime}}\)       (7)

\(C_{i, 2}=g^{s} \cdot g^{-r_{i}^{\prime}}, \quad C_{i, 3}=\prod_{j \in N^{\prime}}\left(g^{\beta}\right)^{y_{j} M_{i, j}^{*}} \cdot g^{-\lambda_{i}^{\prime \prime}}\)       (8)

Set \(r_{i}=s-r_{i}^{\prime}, \lambda_{i}^{\prime}=s M_{i, 1}^{*}+s \beta M_{i, 2}^{*}+\cdots+s \beta^{n-1} M_{i, n}^{*}+\lambda_{i}^{\prime \prime}, i \in\left\{1,2, \cdots, l^{*}\right\}\)

Phase 2. Phase 2 is identical to Phase 1.

Guess. 𝒜 outputs a guess \(\beta^{\prime}\). If \(\beta=\beta^{\prime}\), ℬ returns 1 to indicate that \(Z=e(g, g)^{\beta^{q+1} s}\). Otherwise, ℬ returns 0, signifying that \(Z\) is a random element. From the above interactive game, it can be seen that the simulation of the key queries and of the challenge ciphertext generation is identical to the real system.

1) If \(u=0\), then \(Z \in \mathrm{G}_{T}\) and 𝒜 wins with probability \(\operatorname{Pr}\left[\beta^{\prime}=\beta \mid \mathrm{u}=0\right]=\frac{1}{2}\).

Then ℬ outputs \(u^{\prime}=0\) when \(\beta^{\prime} \neq \beta\), and \(\operatorname{Pr}\left[\mathrm{u}^{\prime}=\mathrm{u} \mid \mathrm{u}=0\right]=\frac{1}{2}\).

2) If \(u=1\), ℬ successfully simulates the challenge ciphertext. Suppose 𝒜 breaks the system with advantage \(\varepsilon\); then ℬ outputs \(u^{\prime}=1\) when \(\beta^{\prime}=\beta\), and \(\operatorname{Pr}\left[\mathrm{u}^{\prime}=\mathrm{u} \mid \mathrm{u}=1\right]=\frac{1}{2}+\varepsilon\).

In summary, the advantage of ℬ can be described as:

\(\begin{aligned} \operatorname{Adv}_{\mathrm{B}} &=\left|\operatorname{Pr}\left[\mathrm{u}^{\prime}=\mathrm{u} \mid \mathrm{u}=0\right] \cdot \operatorname{Pr}[\mathrm{u}=0]+\operatorname{Pr}\left[\mathrm{u}^{\prime}=\mathrm{u} \mid \mathrm{u}=1\right] \cdot \operatorname{Pr}[\mathrm{u}=1]-\frac{1}{2}\right| \\ &=\left|\frac{1}{2} \cdot \frac{1}{2}+\frac{1}{2} \cdot\left(\frac{1}{2}+\varepsilon\right)-\frac{1}{2}\right|=\frac{1}{2} \varepsilon \end{aligned}\)

Hence, we have proved that PPADS is IND-CPA secure under the (decisional) q-parallel BDHE assumption.

5.2 Security Comparison

Security level. Table 1 presents an intuitive functionality comparison. PPADS and Hao et al.’s scheme [25] provide stronger privacy protection. In particular, disclosing the access structure can lead to the theft of private information when the access structure exists in plaintext form. With the full policy hiding in PPADS, however, no sensitive information can be obtained from the access policy, which guarantees higher security. In addition, Theorem 1 indicates that PPADS is selectively secure. Dynamic update can be realized in PPADS and in [29,33]; the difference is that these schemes adopt different ways of classifying updates. However, all of them implement only a single functionality. Based on the above comparisons, PPADS possesses more powerful functionality.

Table 1. Functionality Comparisons

Privacy protection and policy update. In PPADS, attributes are hidden by concealing the attribute mapping function \(\rho\). Data users are allowed to query the mapping function for the attributes they own. However, users who can pass the decryption test are authorized medical staff. The ABFQuery oracle then returns a random value to 𝒜. Consequently, the ABFQuery algorithm cannot reveal any user privacy. Furthermore, transforming key queries still cannot improve the advantage of the adversary. Assume that \(\left(M_{i}^{*}, \rho_{i}^{*}\right)\) and \(\left(M_{j}^{*}, \rho_{j}^{*}\right)\) are the old and new access structures, respectively. Then, considering the transforming key queries \(T K\left(m_{0}, M_{i}^{*}, \rho_{i}^{*}\right)\) and \(T K\left(m_{1}, M_{j}^{*}, \rho_{j}^{*}\right)\), the transforming key oracle returns the same transforming key, while the adversary 𝒜 cannot distinguish between the encryptions of \(m_{0}\) and \(m_{1}\). Thus, PPADS protects the policy privacy.

6. Performance Analysis

In this section, we compare our system with other related works [11, 19, 25, 29, 33]. Table 2 lists the symbol notations, and Table 3 gives the storage cost. Note that the length of an element in each of the groups \(\mathrm{G}, \mathrm{G}_{T}\) is set to 512 bits. From Table 3, owing to the characteristics of the bloom filter, the ciphertext in PPADS is smaller than in Lai et al.’s scheme [19]. Furthermore, since the classification of ciphertext updates differs from that of Ying et al.’s scheme [29], the transforming key and update ciphertext in PPADS are shorter. Table 4 shows the time complexity comparisons of each algorithm among these schemes. Since the time complexity of updating the ciphertext is almost the same, we only compare the computation time of updating the transforming key.

Table 2. Notations

Table 3. Comparisons of Storage Overhead

Table 4. Comparisons of Computation Cost

We can draw an intuitive efficiency comparison based on Table 4, where M, E, P, and H denote a multiplication operation, an exponentiation operation, a pairing operation, and a hash operation, respectively. To evaluate the feasibility of PPADS for a PHR system, experiments are conducted to measure the running time of its operations. These experiments are carried out on a laptop with an Intel i5-7500 CPU @ 3.40 GHz and 4 GB RAM. We measure the efficiency of PPADS using the Pairing-based Cryptography (PBC) library [34]. Since encryption and decryption time are the main factors in assessing the efficiency of the system, we compare the computational time of PPADS with that of Lai et al.’s scheme [19]. Fig. 3 and Fig. 4 illustrate the comparison of encryption time and decryption time for policy hiding, respectively. Though the encryption and decryption time of both our system and Lai et al.’s scheme [19] increase with the number of attributes, PPADS is more efficient since fewer pairing operations are required.

Fig. 3. Encryption Time for Policy Hiding

Fig. 4. Decryption Time for Policy Hiding

In addition, focusing on policy update, Fig. 5 compares the concrete computational time of PPADS and Ying et al.’s scheme [29]. In [29], since the time complexity of each type of transforming key is the same, we present only one curve for it. Table 4 shows that in PPADS the time complexity of the Type 1 and Type 2 transforming keys does not increase with the number of attributes, whereas that of Type 3 in PPADS and of all types in Ying et al.’s scheme [29] does. Generally, PPADS can achieve higher efficiency than Ying et al.’s scheme [29].

Fig. 5. Computation Time of \(T K_{m}\)

In summary, PPADS has the advantage of supporting expressive access structures, full policy hiding, and flexible policy update over the existing schemes. Therefore, PPADS is more applicable for data confidentiality and user privacy in PHRs. Since the experimental results coincide with the theoretical analysis, PPADS is feasible.

7. Conclusions

In this paper, we have addressed data confidentiality and user privacy in PHRs by proposing PPADS, which helps patients to obtain medical assistance conveniently. The core building block of PPADS is a basic CP-ABE scheme that realizes full policy hiding and dynamic update simultaneously. In PPADS, the whole attribute can be hidden by an attribute bloom filter and the ciphertext can be updated by PHRC with a transforming key. Moreover, the system provides a specific security proof under the decisional q-BDHE assumption. Theoretical analysis and extensive experimental results demonstrate that PPADS has advantages over other schemes. However, PPADS can only support a small universe. Thus, our future work will pay more attention to how to set up a system with a large universe effectively. Furthermore, the proposed system, being based on bilinear pairings, cannot resist quantum computation, and thus a post-quantum secure PPADS over lattices is on the list of things worth studying.

References

  1. M. L. Braunstein, "Health care in the age of interoperability part 5: the personal health record," IEEE Pulse, vol. 10, no. 3, pp. 19-23, May 2019. https://doi.org/10.1109/mpuls.2019.2911804
  2. J. Li, N. Zhang, J. Ni, J. Chen, and R. Du, "Secure and lightweight authentication with key agreement for smart wearable systems," IEEE Internet Things Journal, vol. 7, no. 8, pp. 7334-7344, 2020. https://doi.org/10.1109/JIOT.2020.2984618
  3. S. Namani and B. Gonen, "Smart agriculture based on IoT and cloud computing," in Proc. of the 3rd International Conference on Information and Computer Technologies, pp. 553-556, Mar. 2020.
  4. A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457-473, 2005.
  5. J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of IEEE Symposium on Security and Privacy, pp. 321-334, May 2007.
  6. R. Ostrovsky, A. Sahai, and B. Waters, "Attribute-based encryption with non-monotonic access structures," in Proc. of the 14th ACM Conference on Computer and Communications Security, pp. 195-203, Oct. 2007.
  7. B. Xu, L. D. Xu, H. Cai, C. Xie, J. Hu, and F. Bu, "Ubiquitous data accessing method in IoT-based information system for emergency medical services," IEEE Transactions Industrial Informatics, vol. 10, no. 2, pp. 1578-1586, Feb. 2014. https://doi.org/10.1109/TII.2014.2306382
  8. S. Namani and B. Gonen, "Smart agriculture based on IoT and cloud computing," in Proc. of the 3rd International Conference on Information and Computer Technologies, pp. 553-556, Mar. 2020.
  9. V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM Conference on Computer and Communications Security, pp. 89-98, Oct. 2006.
  10. L. Cheung and C. Newport, "Provably secure ciphertext policy abe," in Proc. of the 14th ACM Conference on Computer and Communications Security, pp. 456-465, 2007.
  11. N. Takashi, Y. Kazuki, and O. Kazuo, "Attribute-based encryption with partially hidden encryptor-specified access structures," in Proc. of the 6th International Conference on Applied Cryptography and Network Security, pp. 111-129, 2008.
  12. B. Waters, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization," in Proc. of the 14th International Workshop on Public Key Cryptography, pp. 53-70, 2011.
  13. Z. Liu, J. Xu, Y. Liu, and B. Wang, "Updatable ciphertext-policy attribute-based encryption scheme with traceability and revocability," IEEE Access, vol. 7, pp. 66832-66844, May 2019. https://doi.org/10.1109/access.2019.2918434
  14. X. Yan, X. He, J. Yu, and Y. Tang, "White-box traceable ciphertext-policy attribute-based encryption in multi-domain environment," IEEE Access, vol. 7, pp. 128298-128312, Sep. 2019. https://doi.org/10.1109/access.2019.2939413
  15. Y. Miao, J. Ma, X. Liu, and H. Li, "Practical attribute-based multi-keyword search scheme in mobile crowdsourcing," IEEE Internet Things Journal, vol. 5, no. 4, pp. 3008-3018, Dec. 2018. https://doi.org/10.1109/JIOT.2017.2779124
  16. F. O. Catak and A. F. Mustacoglu, "CPP-ELM: Cryptographically Privacy-Preserving Extreme Learning Machine for Cloud Systems," International Journal of Computational Intelligence Systems, vol. 11, no. 1, pp. 33-44, Jan. 2018. https://doi.org/10.2991/ijcis.11.1.3
  17. T. T. Thwin and S. Vasupongayya, "Performance Analysis of Blockchain-based Access Control Model for Personal Health Record System with Architectural Modelling and Simulation," International Journal of Networked and Distributed Computing, vol. 8, no. 3, pp. 139-151, May 2020. https://doi.org/10.2991/ijndc.k.200515.002
  18. J. Lai, R. H. Deng, and Y. Li, "Fully secure ciphertext-policy hiding cp-abe," in Proc. of the 7th International Conference on Information Security Practice and Experience, pp. 24-39, 2011.
  19. J. Lai, Y. Li, R. H. Deng, and Y. Li, "Expressive cp-abe with partially hidden access structures," in Proc. of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 18-19, May 2012.
  20. H. Cui, R. H. Deng, G. Wu, and J. Lai, "An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures," in Proc. of the 10th International Conference on Provable Security, pp. 19-38, 2016.
  21. Z. Wang, J. Han, M. Wang, Y. Shi, and H. Dong, "Public key encryption with wildcards keyword search," in Proc. of the 8th International Conference on Instrumentation & Measurement, Computer, Communication and Control, pp. 538-541, Mar. 2018.
  22. H. Yang, Y. Su, J. Qin, and H. Wang, "Privacy-preserving outsourced inner product computation on encrypted database," IEEE Transactions on Dependable and Secure Computing, 2020.
  23. Y. Michalevsky and M. Joye, "Decentralized policy-hiding attribute-based encryption with receiver privacy," in Proc. of European Symposium on Research in Computer Security, pp. 548-567, Sep. 2018.
  24. F. Khan, H. Li, L. Zhang, and J. Shen, "An expressive hidden access policy cp-abe," in Proc. of IEEE 2nd International Conference Data Science in Cyberspace, pp. 178-186, June 2017.
  25. J. Hao, C. Huang, J. Ni, H. Rong, M. Xian, and X. S. Shen, "Fine-grained data access control with attribute-hiding policy for cloud-based iot," Computer Networks, vol. 153, pp. 1-10, Apr. 2019. https://doi.org/10.1016/j.comnet.2019.02.008
  26. A. Sahai, H. Seyalioglu, and B. Waters, "Dynamic credentials and ciphertext delegation for attribute-based encryption," in Proc. of Annual Cryptology Conference on Advances in Cryptology, vol. 7414, pp. 199-217, 2012.
  27. K. Yang, X. Jia, and K. Ren, "Secure and verifiable policy update outsourcing for big data access control in the cloud," IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 12, pp. 3461-3470, Dec. 2015. https://doi.org/10.1109/TPDS.2014.2380373
  28. Y. Zhang, H. Li, J. Zhang, and J. Cui, "Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating," Science China Information Sciences, vol. 59, no. 4, pp. 1-16, Apr. 2016.
  29. Z. Ying, W. Jang, S. Cao, X. Liu, and J. Cui, "A lightweight cloud sharing phr system with access policy updating," IEEE Access, vol. 6, pp. 64611-64621, Oct. 2018. https://doi.org/10.1109/access.2018.2877981
  30. W. Yuan, "Dynamic policy update for ciphertext-policy attribute-based encryption," IACR Cryptol. ePrint Arch, 2016.
  31. B. H. Bloom, "Space/time trade-offs in hash coding with allowable errors," Communications of the ACM, vol. 13, no. 7, pp. 422-426, July 1970. https://doi.org/10.1145/362686.362692
  32. C. Dong, L. Chen, and Z. Wen, "When private set intersection meets big data: an efficient and scalable protocol," in Proc. of 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 789-800, Nov. 2013.
  33. J. Li, S. Wang, Y. Li, H. Wang, H. Wang, H. Wang, J. Chen, and Z. You, "An efficient attribute-based encryption scheme with policy update and file update in cloud computing," IEEE Transactions on Industrial Informatics, vol. 15, no. 12, pp. 6500-6509, Dec. 2019. https://doi.org/10.1109/tii.2019.2931156
  34. A. De Caro and V. Iovino, "jPBC: Java pairing based cryptography," in Proc. of 2011 IEEE Symposium on Computers and Communications, pp. 850-855, Aug. 2011.