Black box-assisted fine-grained hierarchical access control scheme for epidemiological survey data

Abstract

Epidemiological survey is an important means for the prevention and control of infectious diseases. Due to the particularity of the epidemic survey, 1) epidemiological survey in epidemic prevention and control has a wide range of people involved, a large number of data collected, strong requirements for information disclosure and high timeliness of data processing; 2) the epidemiological survey data need to be disclosed at different institutions and the use of data has different permission requirements. As a result, it easily causes personal privacy disclosure. Therefore, traditional access control technologies are unsuitable for the privacy protection of epidemiological survey data. In view of these situations, we propose a black box-assisted fine-grained hierarchical access control scheme for epidemiological survey data. Firstly, a black box-assisted multi-attribute authority management mechanism without a trusted center is established to avoid authority deception. Meanwhile, the establishment of a master key-free system not only reduces the storage load but also prevents the risk of master key disclosure. Secondly, a sensitivity classification method is proposed according to the confidentiality degree of the institution to which the data belong and the importance of the data properties to set fine-grained access permission. Thirdly, a hierarchical authorization algorithm combined with data sensitivity and hierarchical attribute-based encryption (ABE) technology is proposed to achieve hierarchical access control of epidemiological survey data. Efficiency analysis and experiments show that the scheme meets the security requirements of privacy protection and key management in epidemiological survey.

1. Introduction

In recent years, the COVID-2019 has received widespread attention, and the overall epidemic situation is characterized by strong infectivity, rapid spread and high risk. Epidemiological survey is one of the main means of epidemic prevention and control. Epidemic risk points can be effectively identified through epidemiological survey, which can facilitate precise identification of the close contacts. And then they can take isolation measures, delimit disinfection scope and timely interrupt virus transmission channels. It plays a decisive role in analyzing epidemic transmission mode, determining transmission generations, calculating incubation period and studying and judging the transmission of asymptomatic infections.

In the process of epidemiological survey, the disease control and other epidemiological staff collected relevant information by investigating the case’s personal information, social relations, action trajectory, exposure and medical treatment. The epidemiological survey information shall be sorted and analyzed to form an epidemiological survey report for subsequent sharing by multiple parties. However, on the one hand, epidemiological survey data includes personal basic information, disease and health information, social relationship information and other relevant private information. The risk of disclosure is increased due to the high openness of these private information. Disclosure will directly lead to secondary injury to epidemiological survey objects and hinder the smooth implementation of epidemic prevention and control. On the other hand, epidemiological survey data will be applied to different institutions such as disease control and community and each department will pay different attention to epidemiological survey data. This situation is prone to ultra vires access and privacy disclosure. Therefore, authorization management of hierarchical access control should be conducted for users according to the sensitivity of the data to more timely control the epidemic and slow down its spread.

Attribute-based encryption (ABE) [1] can embed access policies in ciphertext or keys, support data sharing and implement fine-grained access control. It has been applied in various fields such as cloud computing, enabling access control and authorization and reducing the communication and computing burden in data sharing. There are two types of ABE: ciphertext-policy ABE (CP-ABE) [2] and key-policy ABE (KP-ABE) [3]. CP-ABE schemes [4, 5] allow data owners to precisely control access to data for only authorized users, which is more suitable for data security sharing of epidemiological survey. However, due to the large number of institutions involved in epidemiological survey process, different access permissions, there are some shortcomings when using the existing CP-ABE [6] for epidemiological survey data sharing and privacy protection. Firstly, attributes and keys management depend on a central authority in a single authority CP-ABE scheme [7]. Although this method is convenient for managing keys, as the number of users increases, it can easily cause bottleneck problems, and the single authority scheme will be affected by centralized attacks, leading to system paralysis [8]. However, epidemiological survey involves multiple institutions in charge of different data, and a single authority cannot meet their needs. Secondly, in the general CP-ABE schemes [9, 10], only access control of a single type of permission is considered. In the epidemiological survey, the data sensitivity is different due to the different confidentiality degree of the institutions to which the data belong and the importance of data properties. Thus, it needs to grant different permissions to different users according to the data sensitivity, so as to conduct fine-grained hierarchical access control, avoid unauthorized access, prevent access without relevant permission and protect the privacy of epidemiological survey data. In addition, many existing CP-ABE schemes have a positive correlation between the size of ciphertext and access policy. Storage and computing cost will also increase as access policies increase, which will lead to excessive communication burden and reduced the sharing efficiency. Therefore, the current access control technology cannot meet the requirements of decentralized management of multiple institutions, multi-user and hierarchical access control.

To solve these problems, we propose a black box-assisted hierarchical access control scheme for epidemiological survey data. Our scheme uses hierarchical ABE technology to realize hierarchical access control of epidemiological survey data, thereby improving the efficiency of encryption and decryption. Besides, according to the confidentiality degree of the data institution and the importance of data properties, a sensitivity classification method is proposed. With the help of black box, a multi-attribute authority management mechanism without a master key and a trusted center is established to solve the bottleneck problem, avoid the authority deception of trusted center, reduce the storage load and prevent the disclosure of the master key.

1.1 Motivation and contribution

In the context of epidemiological survey, the security of its data and the privacy of its objects have become increasingly prominent. Therefore, privacy protection of epidemiological survey data based on access control has become a new research need. Data owners prevent unauthorized users from obtaining epidemiological survey data to protect these data’s privacy. They want to set different permissions for different users of different institutions involved in epidemiological survey according to the sensitivity of the data. Many attribute authorities, namely, the institutions to which the epidemiological data belong, also participate in epidemiological survey. The collusion between dishonest attribute authorities will also cause the disclosure of private information. Thus, the collusion attack of multiple attribute authorities needs to be resisted. Accordingly, an access control scheme without trusted authority based on hierarchical ABE should be designed. This scheme supports multi-permission management for the smooth implementation of epidemiological survey and the security of epidemiological survey data.

Our main work is to propose a hierarchical ABE access control scheme with multiple attribute authorities. Firstly, a special threshold key generation method is designed on the basis of Zhang’s scheme [11] and the characteristics of matrix eigenvalue [12]. The difference from Zhang’s scheme [11] is that our scheme does not directly recover the secret value. That is to say, the system public key is generated without obtaining the master key to prevent the leakage of the master key and resist collusion from multi-attribute authorities in our scheme. They jointly manage and distribute of the key and each authority only knows its own sub-secret and cannot obtain the sub-secret information of other authorities. Thus, the attribute authority can generate key without obtaining the master key. Secondly, our scheme proposes a sensitivity classification method due to the different confidentiality degree of the institution to which epidemiological survey data belongs and the importance of the data properties and then divides the multiple access permissions. Furthermore, the access structure of hierarchical access tree is adopted in our scheme to encrypt data at one time for providing multiple permissions. When the data user gives out an access request, the user can obtain the data information within the corresponding permission range when his attribute set meets access structure.

The following are our main contributions:

1) Our scheme supports multi-attribute authority management and multi-permission data sharing. Additionally, we have designed a sensitivity division method based on the confidentiality of data institutions and the importance of data properties, which allows user to assign different permissions to different institutions, enabling multi-permission access control. When users from different institutions access the data, they must obtain the corresponding permissions while satisfying the access policy based on their attribute sets. It effectively addresses privacy protection and access control challenges.

2) It is based on a secret sharing mechanism and utilizes a special threshold of eigenvalues in our scheme to enable multi-attribute authority management. We propose a key generation method. In this method, each attribute authority has its own initial sub-secret, which is assisted by the black box to generate its own sub-key. They jointly generate the key without obtaining the master key and having the trusted center. It avoids the deception of the central authority, solves the bottleneck problem in the single-authority scheme and resists the collusion attack between multi-attribute authorities.

3) We use hierarchical attribute-based encryption technology and hierarchical access tree structure, which only stores the lowest level ciphertext without establishing multiple access structures, saving storage space. At the same time, multiple permissions can be encrypted with one-time encryption, and the cost of encryption time can be reduced without multiple encryptions.

1.2 Related Work

• Multi-attribute authority ABE

In most existing ABE schemes, single center authority (CA) distributes and manages user keys, but that will lead to many security problems [13]. In 2007, Chase [14] proposed the first ABE scheme where multiple attribute authorities are jointly responsible for distributing keys and managing attributes to avoid single point attack, but it needs to a CA. Lin et al. [15]’s scheme support multiple attribute authorities to jointly participate in key generation to resist the single point attack. In the multi-attribute authority scheme proposed by Lewko and Water [16], to prevent user collusion, a global user identity is introduced. Although the scheme can resist user collusion attacks, multiple malicious authorities can obtain user attributes when they track user’s GID collaboration, which damages user’s privacy. For effective privacy protection, a decentralized attribute-based encryption scheme is designed by Tao et al. [17] based on medical blockchain, which can provide effective privacy protection and avoid single point failure. Li et al. [18]’s scheme can make encryption faster and more efficient through the offline encryption. The user will generate the transformed key and hand it over to the honest but curious cloud service provider. So the ciphertext can be decrypted quickly and safely.

• Hierarchical ABE

Generally, if data owners want to share much data, they need define different access policies, which may be intricate. With the increase of shared data, it is very easy to cause problems such as heavier ciphertext storage burden and computing overload. In view of this, Gentry et al. [19] first put forward the concept of hierarchical encryption. Wan et al. [20] use hierarchical ABE to encrypt data stored on the cloud. Later, many scholars have proposed hierarchical ABE schemes. Shen et al. [21] proposed a hierarchical scheme but a trusted center is required. Yang et al. [22] applied attribute-based encryption method with Computer-aided Design (CAD) of assembly model, which can protect the content privacy of CAD model and realize hierarchical access control of collaborative design scenes in cloud manufacturing. Sammy et al. [23]’s scheme uses the elliptic curve cryptography, which can help reduce complexity. Besides, they provide dynamic attributes and a user-centric access policy, allowing multiple authorities to manage the attributes and realize data and user authentication. Ying et al. [24] designed a distributed CP-ABE scheme to realize data sharing. They set multiple blockchain nodes to jointly manage the user nodes’ attribute keys and effectively protect the privacy of users.

At present, multi-attribute authority ABE schemes and hierarchical ABE schemes are mostly used in medical, cloud computing and other fields, but there is less research on access control in epidemiological survey. Due to the requirement to realize decentralized management of multiple institutions and provide multi-user and hierarchical access control in the process of epidemiological survey, the combination of multi-attribute authority ABE scheme and hierarchical ABE scheme is crucial for data sharing and privacy protection in epidemiological survey.

2. Preliminaries

2.1 Bilinear Maps

Let G₁ and G_T be two multiplicative cyclic group, p be their prime order and g₁ be a generator of G₁, a bilinear mapping e : G₁×G₁ → G_T satisfies the following properties:

(1) Bilinearity: For ∀g₁ ∈ G₁, ∀u, x ∈ Z*_p, it has e(g^u₁, g^x₁) = e(g^x₁. g^u₁) = e(g₁, g₁)^ux.

(2) Non-degeneracy: There ∃g₁ ∈ G₁ such that e(g₁, g₁) ≠ 1.

(3) Computability: For ∀g₁ ∈ G₁, there is an efficient computation e(g₁, g₁).

2.2 Decisional Bilinear Diffie Hellman (DBDH) Assumption

Let G₁ and G_T be two groups with prime order p, the generator g₁ ∈ G₁ and x, y, z, w ∈ Z*_p. A bilinear mapping e : G₁×G₁ → G_T. If not one adversary can distinguish between (g^x₁, g^y₁, g^z₁, e(g₁, g₁)^xyz) and (g^x₁, g^y₁, g^z₁, e(g₁, g₁)^w) with a negligible advantage in the polynomial time, then the DBDH assumption holds.

2.3 Access Structure

Let the set of all participants in the system be F = {F₁, F₂,…, F_n}, the collection is said to be monotonous. For ∀K₁, K₂ , if K₁ ∈ ℕ and K₁ ⊆ K₂ , then K₂ ∈ ℕ . If ℕ ≠ ∅ is the monotonous collection and is a subset of F, then the sets in ℕ is the authorized set. Otherwise, it is the unauthorized set.

2.4 Lagrange Interpolation Theorem

Let there be polynomial f(x) of degree m of x, give its m+1 different points(x_i, f(x_i)), then we can determine that the unique f(x) value of x is as shown in (1):

\(\begin{aligned}f(x)=\sum_{1 \leq h \neq i<n}^{n} f(x)\left(\prod_{1 \leq h \neq i \leq n} \frac{x-x_{h}}{x_{j}-x_{h}}\right)\end{aligned}\).       (1)

The Lagrange coefficient [25] is in (2):

\(\begin{aligned}\Delta_{i, s_{x}^{\prime}}(x)=\prod_{i \in s, i \neq j}^{n} \frac{x-j}{i-j}, \text {where}: i, s \in Z_{p}^{*}\end{aligned}\).       (2)

2.5 Hierarchical Access Tree

Hierarchical access tree [13] is composed of many access structures enabling to realize Hierarchical access control through dividing different permissions.

Suppose Γ is a hierarchical tree with l access levels. Its root node is (x, y) , x represents the node level in Γ, y represents the order of the grade where the nodes in Γ are located. As shown in Fig. 1, the nodes are described as: R = (1,1) , A = (2,2) , B = (2,3) , C = (3,2) , D = (3,3) , E = (4,1) , F = (4,2) , G = (4,3).

Fig. 1. Hierarchical access tree node

In order to describe Γ, the following formula is defined:

(1) (x, y) : It denotes a node in the access tree Γ. If (x, y) is a leaf node, it denotes an attribute. Otherwise, it denotes a threshold gate. In Fig. 1, A, C, E, F and G are the leaf nodes, which denote the attributes. R , B and D are non-leaf nodes, which denote the threshold gates.

(2) attr(x, y) : It denotes an attitude associated with the leaf node (x, y) in Γ.

(3) k_(x,y) : It denotes the threshold value of (x, y).

(4) index(x, y) : It denotes a unique value associated with (x, y) in Γ.

(5) (x_h, y_h) : It denotes level nodes of Γ, there are l levels of nodes in Γ, which denote l hierarchy. In Fig. 1, (x₁, y₁) is the highest, (x₄, y₄) is the lowest.

(6) parent(x, y) : It denotes the parent node of (x, y) in Γ.

3. System Framework

3.1 System Model

Our system includes four entities: Attribute Authorities (AA_j) (j = 1,2,…,n) , Cloud Server Provider (CSP), Data Owner (DO) and Data User (DU), as shown in Fig. 2.

Fig. 2. System model

(1) Attribute Authority (AA_j) : Each AA_j is not completely trusted and their work is separated from each other. In our scheme, each institution involved in epidemiological survey acts as the attribute authority, jointly managing attributes and keys. Each AA_j mainly implements AAsetup algorithms and keygen algorithms.

(2) Data Owner (DO): The DO is responsible to collect epidemiological survey data, define access structure and upload ciphertext to the CSP.

(3) Cloud Server Provider (CSP): In the system, CSP can provide encrypted storage and transportation functions. CSP is not fully trusted. Although it will execute the assignments and return the correct results, CSP also wants to know more sensitive information.

(4) Data user (DU): Only When DU’s attribute set meets access structure, DU can obtain the data within permissions, then get corresponding the data.

3.2 Hierarchical ABE Scheme

The details of the hierarchical ABE scheme is shown as below:

(1) Globalsetup(κ) → GP . The system returns global public parameter GP through the input security parameter κ.

(2) AAsetup(GP) → PK . Each AA_j inputs GP to return system public key PK .

(3) keygen(PK, GP, S) → SK . AA_j inputs public key PK , system parameter GP , user attribute set S and gets user’s private key SK .

(4) Encrypt(GP, M, PK, Γ) → CT . DO inputs GP , the l level data M = {m₁, m₂,…, m_l}, PK and hierarchical access structure Γ to return the ciphertext CT .

(5) Decrypt(CT, GP, SK) → M . DU inputs CT , GP , SK . If S meets the entire access policy, it can obtain all data in M . If it only meets the partial access policy, only gets partial access permission of M .

3.3 Security Model

The security model is described under the DBDH assumption which is the choice between adversary A and challenger B in our scheme. It is a chosen-plaintext-attack (CPA) secure symmetric encryption algorithm based on the model in literature [13], the analysis is as follows:

Init: A submits the challenge access structure Γ₀ and the corrupted authorities C_A to algorithm Η.

GlobalSetup: B runs Globalsetup algorithm, obtains GP and sends it to A.

AASetup: For the corrupted authorities, B sends system public and secret keys (PK, SK) to A. Otherwise, B sends system public keys PK.

Phase 1: A sends an attribute set T to B for q times secret keys queries, where T ≠ Γ₀.

Challenge: A submits the two messages m₀, m₁ ,which are equal length. B randomly chooses µ∈{0,1} through Encrypt algorithm to obtain ciphertext CT_µ . B returns CT_µ to A.

Phase 2: Repeated Phase 1 adaptively.

Guess: Finally, A outputs the guess \(\begin{aligned}\hat{\mu} \in\{0,1\}\end{aligned}\), If \(\begin{aligned}\hat{\mu}=\mu\end{aligned}\), A wins the security game. So A can win the game which is defined as shown in (3):

\(\begin{aligned}A d v_{I N D-C P A}(A)=\left|\operatorname{Pr}[\hat{\mu}=\mu]-\frac{1}{2}\right|\end{aligned}\).       (3)

4. Scheme Construction

In this section, we will present the concrete construction of our access control scheme. We design a black box-aided key generation method based on matrix eigenvalue to resist collusion attack. Multiple attribute authorities jointly manage and distribute keys without obtaining the master key. Furthermore, a sensitivity classification method that provides multiple permissions is proposed to ensure that different data users from different institutions have different permissions, protect the user privacy and avoid unauthorized access. Finally, the access structure of hierarchical access tree is adopted in our scheme to encrypt different permissions to realize hierarchical access control of epidemiological survey data.

4.1 A black box-aided special threshold key generation method based on matrix eigenvalue

Suppose there are n attribute authorities, and each AA_j(j = 1, 2,…, n) randomly chooses the initial secret information a_j ∈ Z*_p (1 ≤ j ≤ n) . The details are as follows:

(1) Sub-secret generation: AA_j sends a_j to the black box. Black box calculates:

1) λ_j = h^a_j(mod p), h is automatically generated by the black box h ∈ Z_p . Then, take λ_j as the element to generate a diagonal matrix \(\begin{aligned}\Lambda=\left(\begin{array}{lll}\lambda_{1} & & \\ & \ddots & \\ & & \lambda_{n}\end{array}\right)\end{aligned}\).

2) AA_j randomly generate an n dimensional column vector \(\begin{aligned}\overrightarrow{p_{j}}\end{aligned}\) and sends it to the black box. The black box verifies the linear correlation of n column vectors. If they are uncorrelated, the n order invertible matrix P can be generated, the similarity matrix M = PΛP^-1 can be calculated and its standard ortho-normalization can be performed to obtain the eigenvector vector group \(\begin{aligned}\vec{Q}: \overrightarrow{q_{1}}, \overrightarrow{q_{2}}, \ldots, \overrightarrow{q_{n}}, \overrightarrow{q_{j}}\end{aligned}\) is the sub-secret.

(2) Sub-key distribution: Black box randomly selects n different numbers x₁, x₂,…, x_n less than p, sends the sub-key(x_j, \(\begin{aligned}\overrightarrow{q_{j}}\end{aligned}\)) to AA_j and sets the polynomial of order t .

(3) Reconstruct secret share: Each AA_j sends their respective sub-key (x_j, \(\begin{aligned}\overrightarrow{q_{j}}\end{aligned}\)) to the black box, which calculates the corresponding characteristic value λ_j and sends the secret share (x_j, λ_j) to each AA_j.

(4) Calculate the corresponding key: t AAj calculate and broadcast e(g1, g1)λj, gλj1 using Lagrange interpolation to obtain:

\(\begin{aligned} e\left(g_{1}, g_{1}\right)^{\lambda} & =\prod_{j=1}^{t}\left(e\left(g_{1}, g_{1}\right)^{\lambda_{j}}\right)^{s(j)} \\ & =e\left(g_{1}, g_{1} \sum^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)}\right. \\ g_{1}^{\lambda} & =\prod_{j=1}^{t}\left(g_{1}^{\lambda_{j}}\right)^{s(j)}=g_{1}^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)}\end{aligned}\)

Where \(\begin{aligned}s(j)=\prod_{\substack{l=1 \\ l \neq j}}^{n} \frac{-x_{l}}{x_{j}-x_{l}}\end{aligned}\).

4.2 A data sensitivity classification method with multiple permissions

In the process of epidemiological survey, to achieve hierarchical access control, it is necessary to set different permissions for the users with different attribute set. Before DO encrypts the data, a sensitivity hierarchy model is established for epidemiological survey data. The hierarchical model is divided into two layers: at the first level, the confidentiality degree of the institution to which the data belongs is different, which is set according to national laws and regulations. Second, the confidentiality of different data varies according to the importance of the attribute. The division details are as follows:

(1) First level sensitivity factor: There are l data institutions I₁, I₂,⋯, I_l , and the corresponding sensitivity factors are f₁, f₂,⋯, f_l, then the sensitivity factors satisfy \(\begin{aligned}\sum_{i=1}^{l} f_{i}=1\end{aligned}\), 0 < f_i < 1, and the higher the privacy, the smaller the f_i.

(2) Second level sensitivity factor: There is a group of data D(Att₁, Att₂,⋯, Att_k) , Att_i represents the attributes of the i - th kind data and the corresponding sensitivity factor is e_j = Info(w₁, w₂,⋯, w_k) , where Info is a weighting function, w₁, w₂,⋯, w_k represent the weight of various influencing factors that form data sensitivity, such as legal definition, application scenarios, impact, etc. Similarly, the higher the privacy, the smaller the e_j .

Integrate (1) and (2) to obtain data sensitivity: Im_ij = f_i · e_j .

(3) Permission setting: Each sensitivity is assigned a corresponding permission flag P_i → Im_ij , which meets partial order relation P₁ > P₂ > ⋯ > P_l. When the user gets P_i, he also obtains smaller permissions P_i, P_i+1,⋯, P_l.

Hierarchical access structure is designed according to data sensitivity and permission marks to realize the function of encrypting multiple permissions at one time. As shown in Fig. 3, if the user obtains permission P₁ , he can obtain A, B, C, D, E, F. If he obtains permission P₄, only D, E and F can be obtained.

Fig. 3. Example of four permissions

4.3 Black box-assisted fine-grained hierarchical access control scheme for epidemiological survey data

Our scheme’s overview is shown in Fig. 4. It has the following five algorithms: Globalsetup , AAsetup , keygen , Encrypt , Decrypt . The details are as follows:

Fig. 4. The overview of our scheme

(1) Globalsetup(κ)→GP . The algorithm inputs a security parameter κ , returns the system parameter GP:{e, g, p, G₀, G_T, H}, where, G₀ and G_T are the multiplication cycle groups with prime order p . A bilinear mapping e : G₀ × G₀ → G_T and the generator of g∈G₀ . Suppose our system has n attribute authorities AA = {AA_j | j = 1, 2,…, n} . The hash function H : {0,1}* → G₀.

(2) AAsetup(GP) → PK . Each AA_j executes the algorithm and ouputs the system public key PK . Each AA_j randomly selects a_j ∈ Z_p , uses the special threshold key generation method based on eigenvalues proposed in Section 4.1, AA_j share λ∈Z_p , and cooperate to publish the following system public key:

PK = {e(g, g)^λ ,g^λ}

(3) keygen(PK, GP, S) → SK .

1) AA_j randomly selects v_i, r_i ∈ Z*_p (i ∈ S), where S represents the user’s attribute set. In combination with the method proposed in Section 4.1, each AA_j selects r_ij ∈ Z*_p (i∈S) and broadcasts g^r_ij . At least t AA_j jointly calculate:

\(\begin{aligned} D_{1, i} & =\prod_{j=1}^{t}\left(g^{\lambda_{j}} \cdot g^{r_{i j}}\right)^{s(j)} \\ & =g^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)+} \sum_{j=1}^{t} r_{i j} \cdot s(j) \\ & =g^{\lambda+r_{i}} \\ D_{2, i} & =\prod_{j=1}^{t}\left(g^{r_{i j}} H(i)^{r_{i}}\right)^{s(j)} \\ & =g^{\sum_{j=1}^{r_{i j}} \cdot s(j)} H(i)^{v_{i}} \\ & =g^{r_{i}} H(i)^{v_{i}} \\ D_{3, i} & =g^{v_{i}}\end{aligned}\)

2) So DU’s private key is:

SK = {D_1,i = g^λ+r_i, D_2,i = g^r_i H(i)^v_i, D_3,i = g^v_i}.

(4) Encrypt(GP, M, PK, Γ) → CT . The DO shares l kinds of data M = {m₁, m₂,…, m_l}, sets permission P = {P₁, P₂,…, P_l} according to the data sensitivity classification method with multiple permissions in Section 4.2, then builds a hierarchical access structure Γ. Firstly, DO encrypts M through symmetric encryption algorithm as following: CT_P = {E_P1(m₁), E_P2 (m₂),…, E_Pl(m_l)}. Then, encrypts the permissions P according to the access structure Γ .

1) DO sets the level node (x_h, y_h) (h = 1, 2,…, l) in the access control tree, select l random numbers b₁, b₂,…, b_l ∈ Z_p . Then, he calculates the ciphertext at the level nodes as follows:

\(\begin{aligned}\bar{C}_{h}=P_{h} e(g, g)^{\lambda b_{h}}, \bar{C}_{h}^{\prime}=g^{b_{h}}\end{aligned}\)

2) DO randomly selects polynomials q_{(x, y)} from root node R to each node in Γ . The order of the polynomials is d_{(x, y)} = t_{(x, y)} - 1 and t_{(x, y)} is the threshold value. DO sets polynomial q_R(0) = q_{(x, y)}(0) = b₁ of the root node R . For ∀(x, y) ≠ R , if it is a leaf node, then q_{(x, y)}(0) = q_{(xk, yk)} (0) = b_k. Otherwise, q_{(x, y)}(0) = q_{parent(x, y)} (index(x, y) .

3) The leaf nodes ciphertext: Y is the set of leaf nodes in Γ . For ∀(x, y) ∈ Y , ciphertext is:

\(\begin{aligned}C_{(x, y)}=g^{q_{(x, y)}(0)}, \bar{C}_{(x, y)}=H(\operatorname{attr}(x, y))^{q_{(x, y)}(0)}\end{aligned}\)

4) Transport nodes ciphertext: X is transport nodes set in Γ . For ∀(x, y) ∈ X , ciphertext is:

\(\begin{aligned}\widehat{C}_{(x, y), h^{\prime}}=e(g, g)^{\lambda\left(q_{(x, y)}(0)+q_{(x, y), h^{\prime}}(0)\right.}\end{aligned}\)

5) DO output complete ciphertext:

\(\begin{aligned}C T=\left\{\Gamma, C T_{P}, \bar{C}_{h}=P_{h} e(g, g)^{\lambda b_{h}}, \bar{C}_{h}{ }^{\prime}=g^{b_{h}}, \forall(x, y) \in Y: C_{(x, y)}=g^{q_{(x, y)}(0)}\right.\end{aligned}\),

\(\begin{aligned}\left.\bar{C}_{(x, y)}=H(\operatorname{attr}(x, y))^{q_{(x, y)}(0)}, \forall(x, y) \in X: \widehat{C}_{(x, y), h^{\prime}}=e(g, g)^{\lambda\left(q_{(x, y)}(0)+q_{(x, y), h^{\prime}}(0)\right.}\right\}\end{aligned}\)

(5) Decrypt(CT, GP, SK) → M .

1) If (x, y)∈Y , we let i = attr(x, y). If i ∉ S , define DecNode(CT, SK, (x, y)) = null .

Otherwise, we can compute:

\(\begin{aligned} \operatorname{DecNode}(C T, S K,(x, y)) & =\frac{e\left(D_{2, i}, C_{(x, y)}\right)}{e\left(D_{3, i}, \bar{C}_{(x, y)}\right)} \\ & =\frac{e\left(g^{r_{i}} H(i)^{v_{i}}, g^{q_{(x, y)}(0)}\right)}{e\left(g^{v_{i}}, H(a t t r(x, y))^{q_{(x, y)}(0)}\right)} \\ & =\frac{e(H(i), g)^{v_{i} q_{(x, y)}(0)} \cdot e(g, g)^{r_{i(x, y)}(0)}}{e(H(i), g)^{v_{q}(x, y)}(0)} \\ & =e(g, g)^{r_{(x, y)}(0)}\end{aligned}\)

2) If (x, y) ∉ Y , set chi as the child node and let F_chi = DecNode(CT, SK, (x, y)), then, we can compute as follows:

\(\begin{aligned}\begin{array}{l}F_{c h i}=\prod_{c h i \in s_{(x, y)}}\left(e(g, g)^{r_{i} q_{(x, y)}(0)}\right)^{\Delta_{i, s(x, y)^{\prime}(0)}} \\ =\prod_{c h i \in S_{(x, y)}}\left(e(g, g)^{r_{i} q_{p a r e n t}(\operatorname{chi})(\operatorname{index}(\operatorname{chi}))}\right)^{\Delta_{i, S_{(x, y)^{\prime}}(0)}} \\ =\prod_{c h i \in S_{(x, y)}} e(g, g)^{r_{i} q_{(x, y)}(i) \Delta_{i, s(x, y)^{\prime}(0)}} \\ =e(g, g)^{r_{i} q_{(x, y)}(0)} . \\\end{array}\end{aligned}\)

i = index(chi), s_{(x, y)}' = {index(chi) : chi∈s_{(x, y)}} , Where ∆_{i, s(x, y)′} is the Lagrange coefficient. Then performs the following decryption operation:

a) If S satisfies part or the whole access structure Γ , we can obtain as follows:

\(\begin{aligned} B_{h} & =\operatorname{DecNode}\left(C T, S K,\left(x_{h}, y_{h}\right)\right) \\ & =e(g, g)^{\left.r_{i} q_{\left(x_{h}, y_{h}\right.}\right)}(0) \\ & =e(g, g)^{r_{i} b_{h}} \\ F_{h} & =\frac{e\left(\bar{C}_{h}{ }^{\prime}, D_{1, i}\right)}{B_{h}} \\ & =\frac{e\left(g^{b_{h}}, g^{\lambda+r_{i}}\right)}{e(g, g)^{r_{i} b_{h}}} \\ & =e(g, g)^{\lambda b_{h}}\end{aligned}\)

b) If S contains lower authorization nodes, calculate through transport node \(\begin{aligned}\widehat{C}_{(x, y), h^{\prime}}\left(h^{\prime}=1,2, \ldots\right)\end{aligned}\) as follows:

\(\begin{aligned} F_{h+1, h^{\prime}} & =\frac{\hat{C}_{(x, y), h^{\prime}}}{F_{h}} \\ & =\frac{e(g, g)^{\lambda\left(b_{h}+q_{(x, y), h^{\prime}}(0)\right)}}{e(g, g)^{\lambda b_{h}}} \\ & =e(g, g)^{\lambda q_{(x, y), h^{\prime}}(0)}\end{aligned}\)

c) Calculate corresponding permissions P_h:

\(\begin{aligned}\frac{\bar{C}_{h}}{F_{h}}=\frac{P_{h} e(g, g)^{\lambda b_{h}}}{e(g, g)^{\lambda b_{h}}}=P_{h}\end{aligned}\)

d) According to the obtained permission P_h , the data m_h = D_Ph(CT_h) within the permission range in the shared data M is obtained.

5. Security analysis

5.1 Security proof

Theorem 1: If the DBDH assumption is valid, no adversary can break our proposed scheme in a certain probability polynomial time, then our scheme is IND-CPA secure.

Proof: Suppose that an adversary A will attack our scheme with a non-negligible advantage ε in polynomial time, a polynomial time algorithm Η can attack the DBDH assumption with a non-negligible advantage \(\begin{aligned}\frac{\varepsilon}{2}\end{aligned}\).

The challenger B randomly selects x, y, z∈Z*_p , η∈{0,1}, e(g, g)^xyz∈G_T . Let a bilinear mapping e: G₀×G₀ → G_T, the generator g ∈ G₀ . If η = 0 is established, B sends (X, Y, Z, W) = (g^x, g^y, g^z, e(g, g)^xyz) to Η . Otherwise, sends (X, Y, Z, W) = (g^x, g^y, g^z, e(g, g)^w) to Η . After receiving (X, Y, Z, W) , Η plays the following security games with A:

Initialization: A submits the challenge access structure Γ₀ and a list of corrupted authorities C_A to Η .

GlobalSetup: Η randomly chooses AA*_j∈ {AA₁, AA₂, …, AA_n}

(1) If AA_j ∈ C_A , Η randomly chooses a number w_j ∈ Z_p , uses the key generation method based on eigenvalue to calculate f_j = h^w_j . Then, he uses Lagrange interpolation to calculate e(g, g)^f and g^f , simulator Η sends < f_j, e(g, g)^f, g^f, w_j > to the adversary.

(2) If AA_j ∉ C_A , Η randomly chooses w_j ∈ Z_p , calculates f_j = g^w_j = g^b . Simulator Η randomly chooses jp w'_j ∈ Z_p and calculates f_j = g^{w'_j + a} . If AA_j = AA*_j, e(g, g)^λ = e(g, g)^f+ab . If AA_j is honest, Η sends PK to A.

Phase 1: A sends B attribute set T to ask for the key, where \(\begin{aligned}T=\{\varpi \in \Gamma\} \notin \Gamma_{0}\end{aligned}\).

(1) For AA_j ∈ C_A , Η chooses the random number r_i ∈ Z_p , v_i ∈ Z_p and uses the key generation method based on eigenvalues to calculate SK.

(2) For AA_j ∉ C_A , Η randomly chooses r_i ∈ Z_p , v'_i ∈ Z_p and calculate D_1,i = g^f+r_i, D_2,i = g^r_i H(i)^v_i', D_3,i = g^v_i' . Simulator Η randomly chooses v"_i ∈ Z_p , if AA_j = AA*_j , D_1,i = g^f+r_i , D_2,i = g^r_i H(i)^v"_i+a , D_3,i = g^v"_i+a . If AA_j ≠ AA*_j , simulator Η randomly chooses r'_i ∈ Z_p , sets r_i = r'_i - a , f = f' + ab , calculates D_1,i = g^f'+ab+r'_i-a = g^f'+ab+r'_i-a . For \(\begin{aligned}\varpi \in T\end{aligned}\) , D_2,i = g^r'_i-a H(i)^v"₁+a = g^r'_i / A·H(i)^v"_i+a , Η sends SK to A.

Challenge: B receives m₀, m₁ from A and randomly chooses \(\begin{aligned}\hat{\mu} \in\{0,1\}\end{aligned}\) to obtain ciphertext \(\begin{aligned}C T_{\mu}=\left\{C_{k}{ }^{\prime}=g^{s_{k}}=g^{c}=C, \tilde{C}_{k}=m_{\mu} \cdot e(g, g)^{f \cdot s_{k}}=m_{\mu} \cdot e(g, g)^{f \cdot c}=m_{\mu} \cdot W e(g, g)^{f^{\prime} \cdot c}\right\}\end{aligned}\). B sends CT_µ to A.

Phase 2: Repeated Phase 1.

Guess: Finally, A outputs his guess \(\begin{aligned}\hat{\mu} \in\{0,1\}\end{aligned}\) If \(\begin{aligned}\hat{\mu} = {}\mu\end{aligned}\) simulator Η outputs 0, so W = e(g, g)^xyz . Otherwise, outputs 1, W ∈ G_T .

Probability Analysis: The correct ciphertext can be decrypted if W = e(g, g)^xyz , so \(\begin{aligned}\operatorname{Pr}\left[B\left(g, g^{x}, g^{y}, g^{z}, W=e(g, g)^{x y z}\right)=0\right]=\varepsilon+\frac{1}{2}\end{aligned}\) If W ∈ G_T , the information of µ cannot be learned, so, \(\begin{aligned}\operatorname{Pr}\left[C\left(g, g^{x}, g^{y}, g^{z}, W=e(g, g)^{w}\right)=0\right]=\frac{1}{2}\end{aligned}\). Finally, B’s advantage in solving DBDH problems is \(\begin{aligned}A d v_{I N D-C P A}(A)=\frac{\varepsilon}{2}\end{aligned}\), where, ε is a non-negligible advantage, so its advantages cannot be ignored.

Theorem 2: Our scheme can resist multiple authority collusion attacks.

Proof: We propose a special threshold key generation method based on eigenvalue based on the secret sharing scheme of Zhang et al. [11]. In keygenphase, there is no master key, and each AA_j can only obtain part of its own information, so that AA_j cannot get the complete SK to resist multiple authority collusion.

Theorem 3: Our scheme can resist user collusion attacks.

Proof: Only when S meets access structure, DU can get P_h . When users with different permissions conspire, because different users randomly choose different v_i , part of the user’s key D_2,i = g^r_iH(i)^v_i is different, so user collusion cannot obtain the user’s key. Therefore, the scheme can resist collusion attacks from users.

5.2 System robustness

In our system, attribute authority is not fully trusted, and there are some malicious attribute authorities that will prevent from running the system normally. Since our scheme uses the (t,n) special threshold key generation method to manage and generate user keys, the robustness of the system depends on (t,n). Suppose the attacker can crash some AAs. The probability of the system being attacked satisfies the Bernoulli distribution \(\begin{aligned}\sum_{n-t+1}^{n}\left(\begin{array}{l}i \\ n\end{array}\right) p^{i}(1-p)^{n-i}\end{aligned}\) when the probability of the single AA crash is p . In Fig. 5, when n is taken as 7 and 14 respectively, the probability of the system being attacked is different with p .

In addition, the attacker can control the system if he can control t attribute authorities. Suppose the probability that the attacker can control a single attribute authority is q , the probability of the system crash being attacked meets the Bernoulli distribution \(\begin{aligned}\sum_{t}^{n}\left(\begin{array}{l}i \\ n\end{array}\right) q^{i}(1-q)^{n-i}\end{aligned}\). As shown in Fig. 6, the probability of the system being attacked changes with q and n is 7 and 14 respectively.

In Fig. 5 and Fig. 6, the robustness of our scheme is more significant. The probability of the system being attacked is lower as t gets closer to n .

Fig. 5. The probability of system being attacked changes with p

Fig. 6. The probability of system being attacked changes with q

6. Performance Analysis

This section presents a comparison between our scheme with related schemes [2], [13], [20], [26] and [27] in term of the functions, computational overhead and storage costs. The relevant notations are described in Table 1.

Table 1. Notations

6.1 Functional comparison

The functions of our scheme and schemes [2], [13], [20], [26] and [27] are analyzed and compared in Table 2. Amongst them, schemes [2] and [26] are of CP-ABE type. The access structure increases linearly with data types, while ciphertext storage cost also increases, which will result in greater storage burden. Compared with scheme [20], a sensitivity classification method is designed to set different access permissions in our scheme. Meanwhile, we propose a special threshold key generation method based on matrix eigenvalue to establish a multi-attribute authority management mechanism without a master key. This way avoids the collusion of dishonest attribute authorities, which is not found in other schemes. Moreover, our scheme and scheme [13] are of H-CP-ABE type and both use hierarchical access tree access structure, which can reduce storage burden and improves the efficiency of the scheme. The other feature is to design a data sensitivity classification method with multiple permissions, which enables it to realize hierarchical access control. In summary, our scheme can meet privacy protection and access control requirements in epidemiological survey and is feasible.

Table 2. Functional comparison

6.2 Computational cost

Suppose our system need to share l hierarchical data M = {m₁, m₂,…, m_l}. The access order decreases gradually with the number of levels. According to the characteristics of hierarchical access tree, each level of ciphertext attribute set is expressed as {A_C1, A_C2,…, A_C1} , where A_C1 ⊇ A_C2 ⊇⋯⊇ A_Cl.

As shown in Table 3, the size of ciphertext in scheme [2], [26] and [27] is positively correlated to the number of attributes and data types Different access structures need to be established according to different levels of data. which will result in higher computational costs. We use the hierarchical access tree structure to encrypt data and designs an authorization algorithm for multiple permissions. This algorithm can encrypt multiple permissions at a time. Thus, it does not need to establish an access structure for each level. Compared with schemes [2], [26] and [27], our scheme greatly saves the computational cost.

Table 3. Computational cost

6.3 Storage cost

Table 4 presents a comparison in term of the PK, MSK, SK and CT sizes of our scheme with those of schemes [2], [26] and [27]. In our scheme, we design a special threshold key generation method based on matrix eigenvalue with the help of black box, which can establish a multi-attribute authority management mechanism without trusted center and master key and take up less storage space. However, the schemes [2], [26] and [27] requires layered encryption of data at multiple levels, which aggravates the burden of ciphertext storage. Our scheme encrypts the data by using the hierarchical ABE, it only needs to store attribute ciphertext. When the data types and user attributes increase, our storage cost is lower than that in schemes [2], [26] and [27].

Table 4. Storage cost

6.4 Experiment simulation

We carried out some experimental simulations to evaluate our scheme. Our scheme is implemented on Windows 10 operating system, 8.00 GB RAM laptop and 2.60 GHz CPU. The Java language and the Pairing-Based Cryptography (PBC) library [28] are applied to implement cryptographic algorithm. The operations on prime-order groups are implemented by Type A pairing, which is provided by Java Pairing-Based Cryptography Library (JPBC). The access policy what we use in the experiments is the access tree. The experimental results are as follows.

The encryption and decryption times are shown in Fig. 7 in our scheme and schemes [2], [26] and [27]. We use the hierarchical access tree to encrypt data and does not need to establish different access structures according to different levels of permission that reduces computational cost. The encryption and decryption times increase slowly when the number of attributes increases, but they increase rapidly in other schemes with l = 4. Our scheme is more efficient than other three schemes.

Fig. 7. The comparison of encryption/decryption time(l = 4)

A similar phenomenon can be observed from Fig. 8. We fix user attributes A_u = 30 and we observe the encryption and decryption times vary as l changes. With the increase of l, its exponential operation rises. Then, computational cost increases slowly in our scheme, on the contrary, they rise rapidly in schemes [2], [26] and [27]. Thus, the time efficiency of our scheme is more prominent.

Fig. 8. The comparison of encryption/decryption time(| A_u |= 30).

In our scheme, the access structure of hierarchical access tree is used for encryption and decryption. It does not need to establish multi-level access structure and store multi-level ciphertext. The establishment of a master key-free system in our scheme can reduce the storage cost. According to the analysis of (a) and (b) in Fig. 9, as data types and attributes increase, our scheme has less storage burden.

Fig. 9. The comparison of storage cost of ciphertext

According to the abovementioned conclusions, our scheme has more significant advantages in computing and storage costs than schemes [2], [26] and [27]. Our scheme fully utilizes the characteristics of hierarchical access tree to provide a finer division of different permissions and more efficient services for the smooth process of epidemiological survey.

7. Conclusion

Data privacy protection in epidemiological survey is explored based on the hierarchical access tree structure to ensure smooth operation of this survey. A data sensitivity classification method with multiple permissions is designed according to the confidentiality degree of the institution to which the data belongs and the importance of the data properties. Different permissions are set using hierarchical access tree structure to improve encryption efficiency and realize privacy protection. Combined with the characteristics of matrix eigenvalue, multi-attribute authority management mechanism is established without a trusted center to prevent fraud of a single authority center. Public and private keys are distributed without obtaining the master key by using secret sharing mechanism to avoid key disclosure. Our scheme is proven to be secure under the DBDH assumption. In the future work, more comprehensive access control methods will be considered, such as access structure change and access structure hiding, to better protect the privacy of epidemiological survey data.