1. Introduction
In recent years, COVID-19 has received widespread attention; the epidemic is characterized by strong infectivity, rapid spread and high risk. The epidemiological survey is one of the main means of epidemic prevention and control. Through it, epidemic risk points can be effectively identified and close contacts precisely identified, so that isolation measures can be taken, the scope of disinfection delimited and virus transmission channels interrupted in time. It plays a decisive role in analyzing the epidemic transmission mode, determining transmission generations, calculating the incubation period and studying the transmission of asymptomatic infections.
During an epidemiological survey, disease control staff and other epidemiological workers collect information on a case's personal details, social relations, movement trajectory, exposure history and medical treatment. This information is sorted and analyzed into an epidemiological survey report that is later shared among multiple parties. However, on the one hand, epidemiological survey data include personal basic information, disease and health information, social relationship information and other private information, and the high degree of openness of this information increases the risk of disclosure. Disclosure directly causes secondary harm to the survey subjects and hinders the smooth implementation of epidemic prevention and control. On the other hand, the data are used by different institutions, such as disease control agencies and communities, each of which needs a different part of the data; this situation is prone to unauthorized (ultra vires) access and privacy disclosure. Therefore, hierarchical access control with authorization management should be applied to users according to the sensitivity of the data, so as to control the epidemic more promptly and slow its spread.
Attribute-based encryption (ABE) [1] embeds access policies in ciphertexts or keys, supports data sharing and implements fine-grained access control. It has been applied in fields such as cloud computing, enabling access control and authorization while reducing the communication and computing burden of data sharing. There are two types of ABE: ciphertext-policy ABE (CP-ABE) [2] and key-policy ABE (KP-ABE) [3]. CP-ABE schemes [4, 5] allow data owners to precisely restrict access to authorized users, which makes them better suited to secure sharing of epidemiological survey data. However, because the epidemiological survey process involves many institutions with different access permissions, the existing CP-ABE schemes [6] fall short for its data sharing and privacy protection. Firstly, in a single-authority CP-ABE scheme [7], attribute and key management depend on a central authority. Although this is convenient for key management, as the number of users grows it easily becomes a bottleneck, and a single authority is exposed to centralized attacks that can paralyze the whole system [8]. Moreover, an epidemiological survey involves multiple institutions in charge of different data, whose needs a single authority cannot meet. Secondly, general CP-ABE schemes [9, 10] consider access control with only a single type of permission. In an epidemiological survey, data sensitivity differs with the confidentiality degree of the institution to which the data belong and with the importance of the data properties. Different permissions therefore need to be granted to different users according to data sensitivity, so as to implement fine-grained hierarchical access control, avoid unauthorized access, prevent access without the relevant permission and protect the privacy of the data.
In addition, in many existing CP-ABE schemes the size of the ciphertext grows with the access policy. Storage and computing costs also increase as access policies grow, which leads to an excessive communication burden and reduced sharing efficiency. Therefore, current access control technology cannot meet the requirements of decentralized management across multiple institutions, multiple users and hierarchical access control.
To solve these problems, we propose a black box-assisted hierarchical access control scheme for epidemiological survey data. Our scheme uses hierarchical ABE to realize hierarchical access control of epidemiological survey data, thereby improving the efficiency of encryption and decryption. Besides, a sensitivity classification method is proposed according to the confidentiality degree of the data's institution and the importance of the data properties. With the help of a black box, a multi-attribute-authority management mechanism without a master key or a trusted center is established, which solves the bottleneck problem, avoids deception by a trusted center, reduces the storage load and prevents disclosure of the master key.
1.1 Motivation and contribution
In the context of epidemiological surveys, the security of the data and the privacy of the survey subjects have become increasingly prominent concerns. Privacy protection of epidemiological survey data based on access control has therefore become a new research need. Data owners want to prevent unauthorized users from obtaining epidemiological survey data, and to set different permissions for users from the different institutions involved in the survey according to the sensitivity of the data. Many attribute authorities, namely the institutions to which the epidemiological data belong, also take part in the survey, and collusion between dishonest attribute authorities can also disclose private information. Thus, collusion attacks by multiple attribute authorities need to be resisted. Accordingly, an access control scheme without a trusted authority, based on hierarchical ABE, should be designed. This scheme supports multi-permission management for the smooth implementation of the epidemiological survey and the security of its data.
Our main work is to propose a hierarchical ABE access control scheme with multiple attribute authorities. Firstly, a special threshold key generation method is designed on the basis of Zhang's scheme [11] and the properties of matrix eigenvalues [12]. The difference from Zhang's scheme [11] is that our scheme never directly recovers the secret value: the system public key is generated without obtaining the master key, which prevents leakage of the master key and resists collusion among the attribute authorities. The authorities jointly manage and distribute the key, and each authority knows only its own sub-secret and cannot obtain the sub-secrets of the others. Thus, an attribute authority can generate keys without obtaining the master key. Secondly, our scheme proposes a sensitivity classification method based on the confidentiality degree of the institution to which the data belong and the importance of the data properties, and then divides the data into multiple access permissions. Furthermore, the hierarchical access tree is adopted as the access structure so that the data are encrypted once while providing multiple permissions. When a data user issues an access request, the user obtains the data within the corresponding permission range if the user's attribute set satisfies the access structure.
The following are our main contributions:
1) Our scheme supports multi-attribute-authority management and multi-permission data sharing. Additionally, we design a sensitivity division method based on the confidentiality of data institutions and the importance of data properties, which allows different permissions to be assigned to different institutions and so enables multi-permission access control. When users from different institutions access the data, they must hold the corresponding permission and their attribute set must satisfy the access policy. This effectively addresses the privacy protection and access control challenges.
2) Our scheme builds on a secret sharing mechanism and uses a special threshold based on eigenvalues to enable multi-attribute-authority management. We propose a key generation method in which each attribute authority holds its own initial sub-secret and is assisted by the black box to generate its own sub-key. The authorities jointly generate the key without obtaining the master key and without a trusted center. This avoids deception by a central authority, solves the bottleneck problem of single-authority schemes and resists collusion attacks among attribute authorities.
3) We use hierarchical attribute-based encryption with a hierarchical access tree, which stores only the lowest-level ciphertext without building multiple access structures, saving storage space. At the same time, multiple permissions are encrypted in one encryption operation, so the encryption time cost is reduced because no repeated encryption is needed.
1.2 Related Work
• Multi-attribute authority ABE
In most existing ABE schemes a single central authority (CA) distributes and manages user keys, which leads to many security problems [13]. In 2007, Chase [14] proposed the first ABE scheme in which multiple attribute authorities jointly distribute keys and manage attributes to avoid single-point attacks, but it still needs a CA. The scheme of Lin et al. [15] supports multiple attribute authorities jointly participating in key generation to resist single-point attacks. In the multi-attribute-authority scheme proposed by Lewko and Waters [16], a global user identity (GID) is introduced to prevent user collusion. Although the scheme resists user collusion attacks, multiple malicious authorities can collaborate to track a user's GID and obtain the user's attributes, which damages user privacy. For effective privacy protection, Tao et al. [17] designed a decentralized attribute-based encryption scheme based on a medical blockchain, which provides effective privacy protection and avoids single points of failure. The scheme of Li et al. [18] makes encryption faster and more efficient through offline encryption: the user generates a transformed key and hands it to the honest-but-curious cloud service provider, so the ciphertext can be decrypted quickly and safely.
• Hierarchical ABE
Generally, if data owners want to share a large amount of data, they need to define different access policies, which may be intricate. As the amount of shared data increases, this easily leads to problems such as a heavier ciphertext storage burden and computing overload. In view of this, Gentry et al. [19] first put forward the concept of hierarchical encryption. Wan et al. [20] used hierarchical ABE to encrypt data stored in the cloud. Later, many scholars proposed hierarchical ABE schemes. Shen et al. [21] proposed a hierarchical scheme, but a trusted center is required. Yang et al. [22] applied attribute-based encryption to Computer-aided Design (CAD) assembly models, which protects the content privacy of CAD models and realizes hierarchical access control of collaborative design scenes in cloud manufacturing. The scheme of Sammy et al. [23] uses elliptic curve cryptography, which helps reduce complexity; besides, they provide dynamic attributes and a user-centric access policy, allowing multiple authorities to manage the attributes and realizing data and user authentication. Ying et al. [24] designed a distributed CP-ABE scheme for data sharing in which multiple blockchain nodes jointly manage the attribute keys of user nodes and effectively protect user privacy.
At present, multi-attribute-authority ABE schemes and hierarchical ABE schemes are mostly used in medical, cloud computing and other fields, and there is little research on access control in epidemiological surveys. Because the epidemiological survey process requires decentralized management across multiple institutions together with multi-user and hierarchical access control, combining a multi-attribute-authority ABE scheme with a hierarchical ABE scheme is crucial for data sharing and privacy protection in epidemiological surveys.
2. Preliminaries
2.1 Bilinear Maps
Let \(G_1\) and \(G_T\) be two multiplicative cyclic groups of prime order p and \(g_1\) a generator of \(G_1\). A bilinear map \(e: G_1 \times G_1 \to G_T\) satisfies the following properties:
(1) Bilinearity: For all \(g_1 \in G_1\) and \(u, x \in Z_p^{*}\), \(e(g_1^{u}, g_1^{x}) = e(g_1^{x}, g_1^{u}) = e(g_1, g_1)^{ux}\).
(2) Non-degeneracy: There exists \(g_1 \in G_1\) such that \(e(g_1, g_1) \neq 1\).
(3) Computability: For all \(g_1 \in G_1\), \(e(g_1, g_1)\) can be computed efficiently.
2.2 Decisional Bilinear Diffie Hellman (DBDH) Assumption
Let \(G_1\) and \(G_T\) be two groups of prime order p, \(g_1 \in G_1\) a generator, \(e: G_1 \times G_1 \to G_T\) a bilinear map and \(x, y, z, w \in Z_p^{*}\) chosen at random. If no probabilistic polynomial-time adversary can distinguish \((g_1^{x}, g_1^{y}, g_1^{z}, e(g_1, g_1)^{xyz})\) from \((g_1^{x}, g_1^{y}, g_1^{z}, e(g_1, g_1)^{w})\) with non-negligible advantage, then the DBDH assumption holds.
2.3 Access Structure
Let F = {F1, F2, …, Fn} be the set of all participants in the system. A collection ℕ of subsets of F is monotone if for all K1, K2: K1 ∈ ℕ and K1 ⊆ K2 imply K2 ∈ ℕ. An access structure is a non-empty monotone collection ℕ of subsets of F; the sets in ℕ are the authorized sets, and the other subsets of F are unauthorized sets.
2.4 Lagrange Interpolation Theorem
Let f(x) be a polynomial of degree m in x. Given m+1 distinct points \((x_i, f(x_i))\), f(x) is uniquely determined, as shown in (1):
\(\begin{aligned}f(x)=\sum_{i=1}^{m+1} f\left(x_{i}\right)\left(\prod_{\substack{1 \leq h \leq m+1 \\ h \neq i}} \frac{x-x_{h}}{x_{i}-x_{h}}\right)\end{aligned}\). (1)
The Lagrange coefficient [25] is in (2):
\(\begin{aligned}\Delta_{i, S}(x)=\prod_{j \in S,\ j \neq i} \frac{x-j}{i-j}, \text { where } i \in Z_{p}^{*},\ S \subseteq Z_{p}^{*}\end{aligned}\). (2)
2.5 Hierarchical Access Tree
A hierarchical access tree [13] is composed of many access structures and realizes hierarchical access control by dividing different permissions.
Suppose Γ is a hierarchical tree with l access levels. Each node is written (x, y), where x is the level of the node in Γ and y is its order within that level. As shown in Fig. 1, the nodes are: R = (1,1), A = (2,2), B = (2,3), C = (3,2), D = (3,3), E = (4,1), F = (4,2), G = (4,3).
Fig. 1. Hierarchical access tree node
In order to describe Γ, the following formula is defined:
(1) (x, y): It denotes a node in the access tree Γ. If (x, y) is a leaf node, it denotes an attribute; otherwise it denotes a threshold gate. In Fig. 1, A, C, E, F and G are leaf nodes denoting attributes, and R, B and D are non-leaf nodes denoting threshold gates.
(2) attr(x, y): It denotes the attribute associated with the leaf node (x, y) in Γ.
(3) k(x,y) : It denotes the threshold value of (x, y).
(4) index(x, y) : It denotes a unique value associated with (x, y) in Γ.
(5) (xh, yh): It denotes the level nodes of Γ. There are l levels of nodes in Γ, corresponding to l hierarchy levels. In Fig. 1, (x1, y1) is the highest level and (x4, y4) the lowest.
(6) parent(x, y) : It denotes the parent node of (x, y) in Γ.
3. System Framework
3.1 System Model
Our system includes four entities: Attribute Authorities (AAj) (j = 1,2,…,n) , Cloud Server Provider (CSP), Data Owner (DO) and Data User (DU), as shown in Fig. 2.
Fig. 2. System model
(1) Attribute Authority (AAj): Each AAj is not fully trusted, and the authorities work independently of each other. In our scheme, each institution involved in the epidemiological survey acts as an attribute authority, and the authorities jointly manage attributes and keys. Each AAj mainly runs the AAsetup and keygen algorithms.
(2) Data Owner (DO): The DO collects the epidemiological survey data, defines the access structure and uploads the ciphertext to the CSP.
(3) Cloud Server Provider (CSP): The CSP provides encrypted storage and transport. The CSP is not fully trusted: although it executes its assignments and returns correct results, it also wants to learn sensitive information (honest but curious).
(4) Data User (DU): Only when the DU's attribute set satisfies the access structure can the DU obtain the permission, and with it the corresponding data within that permission.
3.2 Hierarchical ABE Scheme
The hierarchical ABE scheme consists of the following algorithms:
(1) Globalsetup(κ) → GP. Given the security parameter κ, the system returns the global public parameters GP.
(2) AAsetup(GP) → PK. Each AAj takes GP as input and returns the system public key PK.
(3) keygen(PK, GP, S) → SK. AAj takes the public key PK, the system parameters GP and the user attribute set S, and outputs the user's private key SK.
(4) Encrypt(GP, M, PK, Γ) → CT. DO takes GP, the l-level data M = {m1, m2,…, ml}, PK and the hierarchical access structure Γ, and returns the ciphertext CT.
(5) Decrypt(CT, GP, SK) → M. DU takes CT, GP and SK. If S satisfies the entire access policy, DU obtains all data in M; if S satisfies only part of the access policy, DU obtains only partial access permission to M.
3.3 Security Model
The security model is defined under the DBDH assumption as a game between an adversary A and a challenger B. It follows the chosen-plaintext-attack (CPA) security model for symmetric encryption in [13] and proceeds as follows:
Init: A submits the challenge access structure Γ0 and the corrupted authorities CA to algorithm Η.
GlobalSetup: B runs Globalsetup algorithm, obtains GP and sends it to A.
AASetup: For the corrupted authorities, B sends system public and secret keys (PK, SK) to A. Otherwise, B sends system public keys PK.
Phase 1: A sends an attribute set T to B and makes q secret key queries, where T does not satisfy Γ0.
Challenge: A submits two messages m0, m1 of equal length. B randomly chooses µ ∈ {0,1}, runs the Encrypt algorithm to obtain the ciphertext CTµ and returns CTµ to A.
Phase 2: Repeated Phase 1 adaptively.
Guess: Finally, A outputs a guess \(\hat{\mu} \in \{0,1\}\). If \(\hat{\mu} = \mu\), A wins the security game. The advantage of A in winning the game is defined in (3):
\(\begin{aligned}A d v_{I N D-C P A}(A)=\left|\operatorname{Pr}[\hat{\mu}=\mu]-\frac{1}{2}\right|\end{aligned}\). (3)
4. Scheme Construction
In this section, we present the concrete construction of our access control scheme. We design a black box-aided key generation method based on matrix eigenvalues to resist collusion attacks: multiple attribute authorities jointly manage and distribute keys without ever obtaining the master key. Furthermore, a sensitivity classification method providing multiple permissions ensures that data users from different institutions receive different permissions, which protects user privacy and avoids unauthorized access. Finally, the hierarchical access tree is adopted as the access structure to encrypt the different permissions and so realize hierarchical access control of the epidemiological survey data.
4.1 A black box-aided special threshold key generation method based on matrix eigenvalue
Suppose there are n attribute authorities, and each AAj (j = 1, 2,…, n) randomly chooses initial secret information \(a_j \in Z_p^{*}\) (1 ≤ j ≤ n). The details are as follows:
(1) Sub-secret generation: AAj sends \(a_j\) to the black box. The black box computes:
1) \(\lambda_j = h^{a_j} \bmod p\), where \(h \in Z_p\) is generated automatically by the black box. The \(\lambda_j\) are then taken as the diagonal entries of the matrix \(\begin{aligned}\Lambda=\left(\begin{array}{lll}\lambda_{1} & & \\ & \ddots & \\ & & \lambda_{n}\end{array}\right)\end{aligned}\).
2) Each AAj randomly generates an n-dimensional column vector \(\overrightarrow{p_{j}}\) and sends it to the black box. The black box checks whether the n column vectors are linearly independent. If they are, the invertible n×n matrix P is formed from them, the similar matrix \(M = P\Lambda P^{-1}\) is computed and orthonormalized to obtain the eigenvector group \(\vec{Q}: \overrightarrow{q_{1}}, \overrightarrow{q_{2}}, \ldots, \overrightarrow{q_{n}}\), where \(\overrightarrow{q_{j}}\) is the sub-secret of AAj.
(2) Sub-key distribution: The black box randomly selects n distinct numbers \(x_1, x_2, \ldots, x_n\) less than p, sends the sub-key \((x_j, \overrightarrow{q_{j}})\) to AAj and sets a polynomial of order t.
(3) Secret share reconstruction: Each AAj sends its sub-key \((x_j, \overrightarrow{q_{j}})\) to the black box, which computes the corresponding eigenvalue \(\lambda_j\) and sends the secret share \((x_j, \lambda_j)\) to AAj.
(4) Key computation: t authorities AAj compute and broadcast \(e(g_1, g_1)^{\lambda_j}\) and \(g_1^{\lambda_j}\); Lagrange interpolation in the exponent then gives:
\(\begin{aligned} e\left(g_{1}, g_{1}\right)^{\lambda} & =\prod_{j=1}^{t}\left(e\left(g_{1}, g_{1}\right)^{\lambda_{j}}\right)^{s(j)} =e\left(g_{1}, g_{1}\right)^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)} \\ g_{1}^{\lambda} & =\prod_{j=1}^{t}\left(g_{1}^{\lambda_{j}}\right)^{s(j)}=g_{1}^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)}\end{aligned}\)
Where \(\begin{aligned}s(j)=\prod_{\substack{l=1 \\ l \neq j}}^{n} \frac{-x_{l}}{x_{j}-x_{l}}\end{aligned}\).
4.2 A data sensitivity classification method with multiple permissions
To achieve hierarchical access control in an epidemiological survey, different permissions must be set for users with different attribute sets. Before DO encrypts the data, a sensitivity hierarchy model is established for the epidemiological survey data. The model has two layers: at the first level, the institutions to which the data belong have different confidentiality degrees, set according to national laws and regulations; at the second level, the confidentiality of different data varies with the importance of the attribute. The division is as follows:
(1) First-level sensitivity factor: There are l data institutions \(I_1, I_2, \ldots, I_l\) with corresponding sensitivity factors \(f_1, f_2, \ldots, f_l\). The factors satisfy \(\begin{aligned}\sum_{i=1}^{l} f_{i}=1\end{aligned}\) and \(0 < f_i < 1\), and the higher the privacy, the smaller \(f_i\).
(2) Second-level sensitivity factor: For a group of data \(D(Att_1, Att_2, \ldots, Att_k)\), \(Att_i\) represents the attribute of the i-th kind of data and the corresponding sensitivity factor is \(e_j = Info(w_1, w_2, \ldots, w_k)\), where Info is a weighting function and \(w_1, w_2, \ldots, w_k\) are the weights of the factors that shape data sensitivity, such as legal definition, application scenario and impact. Similarly, the higher the privacy, the smaller \(e_j\).
Combining (1) and (2) gives the data sensitivity \(Im_{ij} = f_i \cdot e_j\).
(3) Permission setting: Each sensitivity value is assigned a corresponding permission flag \(P_i \to Im_{ij}\), and the flags satisfy the partial order \(P_1 > P_2 > \cdots > P_l\). A user who obtains \(P_i\) also obtains the lower permissions \(P_i, P_{i+1}, \ldots, P_l\).
The hierarchical access structure is designed from the data sensitivities and permission flags so that multiple permissions are encrypted at one time. As shown in Fig. 3, a user who obtains permission P1 can obtain A, B, C, D, E and F, while a user who obtains permission P4 can obtain only D, E and F.
Fig. 3. Example of four permissions
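The following Python code is an added worked example of the classification and permission assignment of Section 4.2; it is not code from the paper. The paper leaves the weighting function Info abstract, so a weighted sum of per-factor scores is assumed here, and the institutions, weights and data items are constructed sample values chosen so that the result reproduces the layout of Fig. 3 (P1 reaches A to F, P4 only D, E and F).

```python
"""Data sensitivity classification with multiple permissions (Section 4.2).

Added example, not code from the paper. Info() is assumed to be a weighted
sum of per-factor scores in (0, 1]; institutions, weights and items below
are constructed sample values.
"""
from typing import Dict, List

# Constructed raw confidentiality scores per institution; a lower raw score
# means a more confidential institution and therefore a smaller f_i.
INSTITUTIONS = {"CDC": 1.0, "Hospital": 2.0, "Community": 3.0}

# Constructed weights w_1..w_k of the influencing factors
# (legal definition, application scenario, impact); they sum to 1.
WEIGHTS = [0.5, 0.3, 0.2]

# Constructed data items: name -> (owning institution, per-factor scores).
# A lower score means the factor marks the item as more private.
ITEMS = {
    "A": ("CDC", [0.2, 0.3, 0.2]),
    "B": ("CDC", [0.6, 0.5, 0.5]),
    "C": ("Hospital", [0.4, 0.4, 0.4]),
    "D": ("Community", [0.6, 0.6, 0.6]),
    "E": ("Community", [0.6, 0.6, 0.6]),
    "F": ("Community", [0.6, 0.6, 0.6]),
}


def first_level_factors(raw: Dict[str, float]) -> Dict[str, float]:
    """First-level factors f_i, normalised so that sum f_i = 1 and 0 < f_i < 1."""
    total = sum(raw.values())
    return {inst: score / total for inst, score in raw.items()}


def info(weights: List[float], scores: List[float]) -> float:
    """Assumed Info(): weighted sum giving the second-level factor e_j."""
    assert abs(sum(weights) - 1.0) < 1e-9, "weights must sum to 1"
    return sum(w * s for w, s in zip(weights, scores))


def sensitivities(items, institutions, weights) -> Dict[str, float]:
    """Im_ij = f_i * e_j for every data item (f_i of the owning institution)."""
    f = first_level_factors(institutions)
    return {name: f[inst] * info(weights, scores)
            for name, (inst, scores) in items.items()}


def assign_permissions(items, institutions, weights) -> Dict[str, int]:
    """Map each item to a permission flag index (1 = P_1, the most privileged).

    Items with equal sensitivity share a flag; a smaller Im_ij (more private)
    gets a smaller index, giving the partial order P_1 > P_2 > ... > P_l.
    """
    im = sensitivities(items, institutions, weights)
    levels = sorted({round(v, 9) for v in im.values()})
    return {name: levels.index(round(v, 9)) + 1 for name, v in im.items()}


def accessible(perms: Dict[str, int], held: int) -> List[str]:
    """Holding P_held also grants P_held..P_l: every item whose flag index >= held."""
    return sorted(name for name, level in perms.items() if level >= held)


if __name__ == "__main__":
    perms = assign_permissions(ITEMS, INSTITUTIONS, WEIGHTS)
    for held in range(1, max(perms.values()) + 1):
        print(f"P{held}: {accessible(perms, held)}")
```

Rounding before grouping keeps items whose sensitivities differ only by floating-point noise in the same permission level; with real data the number of distinct levels l is whatever the classification produces, not a fixed constant.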
4.3 Black box-assisted fine-grained hierarchical access control scheme for epidemiological survey data
An overview of our scheme is shown in Fig. 4. It consists of five algorithms: Globalsetup, AAsetup, keygen, Encrypt and Decrypt. The details are as follows:
Fig. 4. The overview of our scheme
(1) Globalsetup(κ) → GP. The algorithm takes a security parameter κ and returns the system parameters GP = {e, g, p, G0, GT, H}, where G0 and GT are multiplicative cyclic groups of prime order p, e : G0 × G0 → GT is a bilinear map and g ∈ G0 is a generator. Suppose the system has n attribute authorities AA = {AAj | j = 1, 2,…, n}. The hash function is H : {0,1}* → G0.
(2) AAsetup(GP) → PK. Each AAj executes the algorithm and outputs the system public key PK. Each AAj randomly selects \(a_j \in Z_p\); using the special threshold key generation method based on eigenvalues of Section 4.1, the authorities share \(\lambda \in Z_p\) and cooperate to publish the system public key:
PK = \(\{e(g, g)^{\lambda}, g^{\lambda}\}\)
(3) keygen(PK, GP, S) → SK .
1) AAj randomly selects \(v_i, r_i \in Z_p^{*}\) (i ∈ S), where S is the user's attribute set. Following the method of Section 4.1, each AAj selects \(r_{ij} \in Z_p^{*}\) (i ∈ S) and broadcasts \(g^{r_{ij}}\). At least t authorities then jointly compute:
\(\begin{aligned} D_{1, i} & =\prod_{j=1}^{t}\left(g^{\lambda_{j}} \cdot g^{r_{i j}}\right)^{s(j)} =g^{\sum_{j=1}^{t} \lambda_{j} \cdot s(j)+\sum_{j=1}^{t} r_{i j} \cdot s(j)} =g^{\lambda+r_{i}} \\ D_{2, i} & =\prod_{j=1}^{t}\left(g^{r_{i j}} H(i)^{v_{i}}\right)^{s(j)} =g^{\sum_{j=1}^{t} r_{i j} \cdot s(j)} H(i)^{v_{i}} =g^{r_{i}} H(i)^{v_{i}} \\ D_{3, i} & =g^{v_{i}}\end{aligned}\)
where \(r_i = \sum_{j=1}^{t} r_{ij} \cdot s(j)\) and the Lagrange coefficients satisfy \(\sum_{j=1}^{t} s(j) = 1\).
2) So DU's private key is:
SK = \(\{D_{1,i} = g^{\lambda + r_i},\ D_{2,i} = g^{r_i} H(i)^{v_i},\ D_{3,i} = g^{v_i}\}_{i \in S}\).
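The following Python code is an added worked example, not code from the paper, of the threshold reconstruction in the exponent used in Section 2.4, in step (4) of Section 4.1 and in the keygen component \(D_{1,i}\) above. It replaces the pairing group with the order-P subgroup of \(Z_Q^{*}\) for the constructed primes P = 1019 and Q = 2P + 1 = 2039, so \(g^{\lambda}\) and \(D_{1,i} = g^{\lambda + r_i}\) are modelled while \(e(g,g)^{\lambda}\) is not. The black box is modelled as Shamir sharing of λ with a polynomial of degree t-1; the matrix-eigenvalue step of Section 4.1 is not modelled. The functions, parameter names and sample shares are assumptions of this example.

```python
"""Threshold reconstruction of g^lambda in the exponent (Sections 2.4, 4.1
step (4) and the keygen step of Section 4.3).

Added example, not code from the paper. The pairing group is replaced by the
order-P subgroup of Z_Q^* with Q = 2P + 1 (constructed toy parameters). The
black box is modelled as Shamir sharing of lambda; the eigenvalue step is not.
"""
import random

P = 1019  # prime order of the exponent space Z_p (constructed)
Q = 2039  # Q = 2P + 1 is prime, so Z_Q^* has a subgroup of order P
G = 4     # 4 = 2^2 is a quadratic residue mod Q and generates that subgroup


def lagrange_at_zero(i: int, idx, p: int = P) -> int:
    """s(j) = Delta_{i,S}(0) = prod_{j in S, j != i} (-j)/(i - j) mod p (eq. (2) at x = 0)."""
    num, den = 1, 1
    for j in idx:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def black_box_share(secret: int, n: int, t: int, rng: random.Random):
    """Model of the black box: n points (x_j, lambda_j) on a random degree t-1
    polynomial with constant term `secret`; the polynomial is then discarded."""
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(t - 1)]
    xs = rng.sample(range(1, P), n)  # distinct non-zero evaluation points
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in xs]


def reconstruct_in_exponent(broadcasts) -> int:
    """Combine the broadcast values (x_j, g^{lambda_j}) of the participating
    authorities into g^lambda; lambda itself never appears anywhere."""
    idx = [x for x, _ in broadcasts]
    result = 1
    for x, g_lambda_j in broadcasts:
        result = result * pow(g_lambda_j, lagrange_at_zero(x, idx), Q) % Q
    return result


def keygen_d1(shares, r_ij):
    """D_{1,i} = prod_j (g^{lambda_j} g^{r_ij})^{s(j)} = g^{lambda + r_i} with
    r_i = sum_j r_ij s(j). Returns (D_{1,i}, r_i); r_i is returned only so the
    caller can check the result, the authorities never need lambda."""
    idx = [x for x, _ in shares]
    d1, r_i = 1, 0
    for (x, lam_j), r in zip(shares, r_ij):
        s = lagrange_at_zero(x, idx)
        # g^{lambda_j} g^{r_ij}: the only value AA_j contributes
        contribution = pow(G, lam_j, Q) * pow(G, r, Q) % Q
        d1 = d1 * pow(contribution, s, Q) % Q
        r_i = (r_i + r * s) % P
    return d1, r_i


def demo(n: int = 5, t: int = 3, seed: int = 7):
    """Run the flow with a random master secret; returns (pk_ok, d1_ok)."""
    rng = random.Random(seed)
    lam = rng.randrange(1, P)                     # master secret held by nobody
    quorum = black_box_share(lam, n, t, rng)[:t]  # any t of the n authorities
    broadcasts = [(x, pow(G, lam_j, Q)) for x, lam_j in quorum]
    pk_ok = reconstruct_in_exponent(broadcasts) == pow(G, lam, Q)
    d1, r_i = keygen_d1(quorum, [rng.randrange(1, P) for _ in quorum])
    d1_ok = d1 == pow(G, (lam + r_i) % P, Q)
    return pk_ok, d1_ok


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Because G has order P, every exponent is implicitly reduced mod P, which is why the coefficients s(j) can be computed in \(Z_P\) and applied as group exponentiations. Fewer than t broadcasts interpolate a different polynomial and yield a group element unrelated to \(g^{\lambda}\).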
(4) Encrypt(GP, M, PK, Γ) → CT. The DO shares l kinds of data M = {m1, m2,…, ml}, sets the permissions P = {P1, P2,…, Pl} according to the data sensitivity classification method of Section 4.2 and builds the hierarchical access structure Γ. Firstly, DO encrypts M with a symmetric encryption algorithm: \(CT_P = \{E_{P_1}(m_1), E_{P_2}(m_2), \ldots, E_{P_l}(m_l)\}\). Then the permissions P are encrypted according to the access structure Γ.
1) DO sets the level nodes \((x_h, y_h)\) (h = 1, 2,…, l) in the access control tree and selects l random numbers \(b_1, b_2, \ldots, b_l \in Z_p\). Then the ciphertext at the level nodes is computed as follows:
\(\begin{aligned}\bar{C}_{h}=P_{h} e(g, g)^{\lambda b_{h}}, \bar{C}_{h}^{\prime}=g^{b_{h}}\end{aligned}\)
2) DO chooses a random polynomial \(q_{(x,y)}\) for each node, from the root R down through Γ. The degree of the polynomial is \(d_{(x,y)} = t_{(x,y)} - 1\), where \(t_{(x,y)}\) is the threshold value of the node. DO sets \(q_R(0) = q_{(x,y)}(0) = b_1\) for the root R. For every \((x, y) \neq R\), if it is a leaf node then \(q_{(x,y)}(0) = q_{(x_k, y_k)}(0) = b_k\); otherwise \(q_{(x,y)}(0) = q_{parent(x,y)}(index(x,y))\).
3) Leaf node ciphertext: let Y be the set of leaf nodes in Γ. For every (x, y) ∈ Y, the ciphertext is:
\(\begin{aligned}C_{(x, y)}=g^{q_{(x, y)}(0)}, \bar{C}_{(x, y)}=H(\operatorname{attr}(x, y))^{q_{(x, y)}(0)}\end{aligned}\)
4) Transport node ciphertext: let X be the set of transport nodes in Γ. For every (x, y) ∈ X, the ciphertext is:
\(\begin{aligned}\widehat{C}_{(x, y), h^{\prime}}=e(g, g)^{\lambda\left(q_{(x, y)}(0)+q_{(x, y), h^{\prime}}(0)\right)}\end{aligned}\)
5) DO outputs the complete ciphertext:
\(\begin{aligned}C T=\Big\{\Gamma,\ C T_{P},\ \bar{C}_{h}=P_{h} e(g, g)^{\lambda b_{h}},\ \bar{C}_{h}^{\prime}=g^{b_{h}},\ \forall(x, y) \in Y: C_{(x, y)}=g^{q_{(x, y)}(0)},\ \bar{C}_{(x, y)}=H(\operatorname{attr}(x, y))^{q_{(x, y)}(0)},\ \forall(x, y) \in X: \widehat{C}_{(x, y), h^{\prime}}=e(g, g)^{\lambda\left(q_{(x, y)}(0)+q_{(x, y), h^{\prime}}(0)\right)}\Big\}\end{aligned}\)
(5) Decrypt(CT, GP, SK) → M .
1) If (x, y) ∈ Y, let i = attr(x, y). If i ∉ S, define DecNode(CT, SK, (x, y)) = null. Otherwise, compute:
\(\begin{aligned} \operatorname{DecNode}(C T, S K,(x, y)) & =\frac{e\left(D_{2, i}, C_{(x, y)}\right)}{e\left(D_{3, i}, \bar{C}_{(x, y)}\right)} =\frac{e\left(g^{r_{i}} H(i)^{v_{i}}, g^{q_{(x, y)}(0)}\right)}{e\left(g^{v_{i}}, H(\operatorname{attr}(x, y))^{q_{(x, y)}(0)}\right)} \\ & =\frac{e(H(i), g)^{v_{i} q_{(x, y)}(0)} \cdot e(g, g)^{r_{i} q_{(x, y)}(0)}}{e(H(i), g)^{v_{i} q_{(x, y)}(0)}} =e(g, g)^{r_{i} q_{(x, y)}(0)}\end{aligned}\)
2) If (x, y) ∉ Y, for each child node chi of (x, y) let \(F_{chi} = \operatorname{DecNode}(CT, SK, chi)\); then compute:
\(\begin{aligned} F_{(x, y)} & =\prod_{chi \in S_{(x, y)}} F_{chi}^{\Delta_{i, S_{(x, y)}^{\prime}}(0)} =\prod_{chi \in S_{(x, y)}}\left(e(g, g)^{r_{i} q_{chi}(0)}\right)^{\Delta_{i, S_{(x, y)}^{\prime}}(0)} \\ & =\prod_{chi \in S_{(x, y)}}\left(e(g, g)^{r_{i} q_{parent(chi)}(index(chi))}\right)^{\Delta_{i, S_{(x, y)}^{\prime}}(0)} =\prod_{chi \in S_{(x, y)}} e(g, g)^{r_{i} q_{(x, y)}(i) \Delta_{i, S_{(x, y)}^{\prime}}(0)} =e(g, g)^{r_{i} q_{(x, y)}(0)}\end{aligned}\)
where i = index(chi), \(S_{(x,y)}^{\prime} = \{index(chi) : chi \in S_{(x,y)}\}\) and \(\Delta_{i, S_{(x,y)}^{\prime}}\) is the Lagrange coefficient. The following decryption operations are then performed:
a) If S satisfies part or all of the access structure Γ, we obtain:
\(\begin{aligned} B_{h} & =\operatorname{DecNode}\left(C T, S K,\left(x_{h}, y_{h}\right)\right) =e(g, g)^{r_{i} q_{\left(x_{h}, y_{h}\right)}(0)} =e(g, g)^{r_{i} b_{h}} \\ F_{h} & =\frac{e\left(\bar{C}_{h}^{\prime}, D_{1, i}\right)}{B_{h}} =\frac{e\left(g^{b_{h}}, g^{\lambda+r_{i}}\right)}{e(g, g)^{r_{i} b_{h}}} =e(g, g)^{\lambda b_{h}}\end{aligned}\)
b) If S also contains lower authorization nodes, compute through the transport node \(\widehat{C}_{(x, y), h^{\prime}}\) (h' = 1, 2, …) as follows:
\(\begin{aligned} F_{h+1, h^{\prime}} & =\frac{\widehat{C}_{(x, y), h^{\prime}}}{F_{h}} =\frac{e(g, g)^{\lambda\left(b_{h}+q_{(x, y), h^{\prime}}(0)\right)}}{e(g, g)^{\lambda b_{h}}} =e(g, g)^{\lambda q_{(x, y), h^{\prime}}(0)}\end{aligned}\)
c) Compute the corresponding permission \(P_h\):
\(\begin{aligned}\frac{\bar{C}_{h}}{F_{h}}=\frac{P_{h} e(g, g)^{\lambda b_{h}}}{e(g, g)^{\lambda b_{h}}}=P_{h}\end{aligned}\)
d) With the obtained permission \(P_h\), the data \(m_h = D_{P_h}(CT_h)\) within the permission range of the shared data M is recovered.
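The following Python code is an added worked example, not code from the paper, of the part of Encrypt step 2) and Decrypt steps 1) and 2) that does not need a pairing: the secret \(q_{(x,y)}(0)\) is shared down the access tree through random polynomials, and DecNode recovers it recursively with the Lagrange coefficients of (2), returning null at any threshold gate that the attribute set fails to satisfy. A leaf simply returns its share when the attribute is held, standing in for the \(e(g,g)^{r_i q(0)}\) that the real DecNode obtains with a pairing; level nodes, transport nodes and the \(\bar{C}_h\) ciphertexts are not modelled. The tree has the shape of Fig. 1, but its gate thresholds are constructed for this example, since Fig. 1 fixes only the shape.

```python
"""Threshold access tree: share distribution (Encrypt step 2) and recursive
recovery (Decrypt steps 1 and 2), worked in Z_p without pairings.

Added example, not code from the paper. Gate thresholds are constructed;
level nodes, transport nodes and the pairing-based ciphertexts are not
modelled.
"""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set

P = 1019  # constructed small prime; the paper's p is a large prime


@dataclass
class Node:
    """A node (x, y): a k-of-n threshold gate, or a leaf carrying attr(x, y)."""
    k: int = 1                                 # threshold k(x, y); leaves use 1
    attr: Optional[str] = None                 # attr(x, y) for leaf nodes
    children: List["Node"] = field(default_factory=list)
    share: int = 0                             # q_{(x,y)}(0), set by distribute()


def lagrange_at_zero(i: int, idx, p: int = P) -> int:
    """Delta_{i,S}(0) = prod_{j in S, j != i} (-j)/(i - j) mod p (eq. (2) at x = 0)."""
    num, den = 1, 1
    for j in idx:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def distribute(node: Node, secret: int, rng: random.Random) -> None:
    """Set q_{(x,y)}(0) = secret, pick a random polynomial of degree k-1 with
    that constant term and give child number index(child) the value q(index)."""
    node.share = secret % P
    if not node.children:
        return
    coeffs = [node.share] + [rng.randrange(P) for _ in range(node.k - 1)]
    for index, child in enumerate(node.children, start=1):
        q_index = sum(c * pow(index, e, P) for e, c in enumerate(coeffs)) % P
        distribute(child, q_index, rng)


def dec_node(node: Node, attrs: Set[str]) -> Optional[int]:
    """DecNode: q_{(x,y)}(0) if attrs satisfy the subtree rooted here, else None."""
    if not node.children:
        return node.share if node.attr in attrs else None
    results = [(i, dec_node(c, attrs)) for i, c in enumerate(node.children, start=1)]
    usable = [(i, v) for i, v in results if v is not None]
    if len(usable) < node.k:
        return None                            # threshold gate not satisfied
    usable = usable[:node.k]                   # any k satisfied children suffice
    idx = [i for i, _ in usable]
    return sum(v * lagrange_at_zero(i, idx) for i, v in usable) % P


def build_example_tree(secret: int, seed: int = 0) -> Node:
    """Shape of Fig. 1; constructed thresholds: R and B are 2-of-2, D is 2-of-3."""
    d = Node(k=2, children=[Node(attr="E"), Node(attr="F"), Node(attr="G")])
    b = Node(k=2, children=[Node(attr="C"), d])
    root = Node(k=2, children=[Node(attr="A"), b])
    distribute(root, secret, random.Random(seed))
    return root


if __name__ == "__main__":
    root = build_example_tree(secret=123)
    for attrs in ({"A", "C", "E", "F"}, {"A", "C", "F", "G"},
                  {"A", "C", "E"}, {"C", "E", "F", "G"}):
        print(sorted(attrs), "->", dec_node(root, attrs))
```

The recovered value is exact for any k satisfied children because the children hold points of one polynomial of degree k-1; with fewer than k satisfied children the gate returns null, and nothing about the parent's secret leaks to the caller.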
5. Security analysis
5.1 Security proof
Theorem 1: If the DBDH assumption holds, no probabilistic polynomial-time adversary can break our scheme with non-negligible probability; that is, our scheme is IND-CPA secure.
Proof: Suppose an adversary A attacks our scheme with non-negligible advantage ε in polynomial time. Then a polynomial-time algorithm Η can break the DBDH assumption with non-negligible advantage \(\begin{aligned}\frac{\varepsilon}{2}\end{aligned}\).
The challenger B randomly selects \(x, y, z \in Z_p^{*}\), η ∈ {0,1} and \(e(g, g)^{xyz} \in G_T\). Let \(e: G_0 \times G_0 \to G_T\) be a bilinear map and \(g \in G_0\) a generator. If η = 0, B sends \((X, Y, Z, W) = (g^{x}, g^{y}, g^{z}, e(g, g)^{xyz})\) to Η; otherwise it sends \((X, Y, Z, W) = (g^{x}, g^{y}, g^{z}, e(g, g)^{w})\). After receiving (X, Y, Z, W), Η plays the following security game with A:
Initialization: A submits the challenge access structure Γ0 and a list of corrupted authorities CA to Η .
GlobalSetup: Η randomly chooses \(AA_j^{*} \in \{AA_1, AA_2, \ldots, AA_n\}\).
(1) If \(AA_j \in CA\), Η randomly chooses \(w_j \in Z_p\) and uses the eigenvalue-based key generation method to compute \(f_j = h^{w_j}\). Then it uses Lagrange interpolation to compute \(e(g, g)^{f}\) and \(g^{f}\), and the simulator Η sends \(\langle f_j, e(g, g)^{f}, g^{f}, w_j \rangle\) to the adversary.
(2) If \(AA_j \notin CA\), Η randomly chooses \(w_j \in Z_p\) and computes \(f_j = g^{w_j} = g^{b}\). The simulator Η randomly chooses \(w_j^{\prime} \in Z_p\) and computes \(f_j = g^{w_j^{\prime} + a}\). If \(AA_j = AA_j^{*}\), \(e(g, g)^{\lambda} = e(g, g)^{f + ab}\). If \(AA_j\) is honest, Η sends PK to A.
Phase 1: A sends B attribute set T to ask for the key, where \(\begin{aligned}T=\{\varpi \in \Gamma\} \notin \Gamma_{0}\end{aligned}\).
(1) For \(AA_j \in CA\), Η chooses random \(r_i \in Z_p\), \(v_i \in Z_p\) and uses the eigenvalue-based key generation method to compute SK.
(2) For \(AA_j \notin CA\), Η randomly chooses \(r_i \in Z_p\), \(v_i^{\prime} \in Z_p\) and computes \(D_{1,i} = g^{f + r_i}\), \(D_{2,i} = g^{r_i} H(i)^{v_i^{\prime}}\), \(D_{3,i} = g^{v_i^{\prime}}\). The simulator Η randomly chooses \(v_i^{\prime\prime} \in Z_p\); if \(AA_j = AA_j^{*}\), \(D_{1,i} = g^{f + r_i}\), \(D_{2,i} = g^{r_i} H(i)^{v_i^{\prime\prime} + a}\), \(D_{3,i} = g^{v_i^{\prime\prime} + a}\). If \(AA_j \neq AA_j^{*}\), the simulator Η randomly chooses \(r_i^{\prime} \in Z_p\), sets \(r_i = r_i^{\prime} - a\) and \(f = f^{\prime} + ab\), and computes \(D_{1,i} = g^{f^{\prime} + ab + r_i^{\prime} - a}\). For \(\varpi \in T\), \(D_{2,i} = g^{r_i^{\prime} - a} H(i)^{v_i^{\prime\prime} + a} = g^{r_i^{\prime}} / A \cdot H(i)^{v_i^{\prime\prime} + a}\), and Η sends SK to A.
Challenge: B receives \(m_0, m_1\) from A, randomly chooses \(\mu \in \{0,1\}\) and forms the ciphertext \(\begin{aligned}C T_{\mu}=\left\{C_{k}^{\prime}=g^{s_{k}}=g^{c}=C,\ \tilde{C}_{k}=m_{\mu} \cdot e(g, g)^{f \cdot s_{k}}=m_{\mu} \cdot e(g, g)^{f \cdot c}=m_{\mu} \cdot W e(g, g)^{f^{\prime} \cdot c}\right\}\end{aligned}\). B sends \(CT_{\mu}\) to A.
Phase 2: Repeated Phase 1.
Guess: Finally, A outputs his guess \(\begin{aligned}\hat{\mu} \in\{0,1\}\end{aligned}\) If \(\begin{aligned}\hat{\mu} = {}\mu\end{aligned}\) simulator Η outputs 0, so W = e(g, g)xyz . Otherwise, outputs 1, W ∈ GT .
Probability Analysis: The correct ciphertext can be decrypted if W = e(g, g)xyz , so \(\begin{aligned}\operatorname{Pr}\left[B\left(g, g^{x}, g^{y}, g^{z}, W=e(g, g)^{x y z}\right)=0\right]=\varepsilon+\frac{1}{2}\end{aligned}\) If W ∈ GT , the information of µ cannot be learned, so, \(\begin{aligned}\operatorname{Pr}\left[C\left(g, g^{x}, g^{y}, g^{z}, W=e(g, g)^{w}\right)=0\right]=\frac{1}{2}\end{aligned}\). Finally, B’s advantage in solving DBDH problems is \(\begin{aligned}A d v_{I N D-C P A}(A)=\frac{\varepsilon}{2}\end{aligned}\), where, ε is a non-negligible advantage, so its advantages cannot be ignored.
Theorem 2: Our scheme can resist multiple authority collusion attacks.
Proof: We propose a special threshold key generation method based on eigenvalues, built on the secret sharing scheme of Zhang et al. [11]. In the KeyGen phase there is no master key, and each \(AA_j\) can only obtain its own part of the information, so no \(AA_j\) can get the complete SK; this resists collusion among multiple authorities.
Theorem 3: Our scheme can resist user collusion attacks.
Proof: Only when S satisfies the access structure can DU obtain Ph. When users with different permissions collude, because different users randomly choose different \(v_i\), the key component \(D_{2,i} = g^{r_i} H(i)^{v_i}\) differs between users, so colluding users cannot combine their key parts into another user's key. Therefore, the scheme resists user collusion attacks.
5.2 System robustness
In our system, the attribute authorities are not fully trusted, and some malicious attribute authorities may prevent the system from running normally. Since our scheme uses the (t, n) special threshold key generation method to manage and generate user keys, the robustness of the system depends on (t, n). Suppose the attacker can crash some AAs. When the probability of a single AA crashing is p, the probability of the system being attacked satisfies the Bernoulli distribution \(\sum_{i=n-t+1}^{n} \binom{n}{i} p^{i}(1-p)^{n-i}\). In Fig. 5, the probability of the system being attacked is plotted against p for n = 7 and n = 14.
In addition, the attacker can control the system if he controls t attribute authorities. Suppose the probability that the attacker can control a single attribute authority is q; then the probability of the system being attacked satisfies the Bernoulli distribution \(\sum_{i=t}^{n} \binom{n}{i} q^{i}(1-q)^{n-i}\). Fig. 6 shows how the probability of the system being attacked changes with q for n = 7 and n = 14.
Fig. 5 and Fig. 6 show the robustness of our scheme: the probability of the system being attacked is lower as t gets closer to n.
Fig. 5. The probability of system being attacked changes with p
Fig. 6. The probability of system being attacked changes with q
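As an added example, not from the paper, the following Python evaluates the two tail probabilities above for a (t, n) threshold, so the availability/control trade-off in choosing t can be checked numerically before the parameters are fixed; the values n = 7 and p = q = 0.1 in the driver are constructed for illustration.

```python
from math import comb


def binomial_tail(n, k, prob):
    """P[X >= k] for X ~ Binomial(n, prob): sum_{i=k}^{n} C(n, i) prob^i (1-prob)^(n-i).
    k > n gives 0.0; k <= 0 sums the whole distribution."""
    if k > n:
        return 0.0
    k = max(k, 0)
    return sum(comb(n, i) * prob ** i * (1.0 - prob) ** (n - i) for i in range(k, n + 1))


def crash_probability(t, n, p):
    """Availability failure (Section 5.2, Fig. 5): a (t, n) threshold scheme can no longer
    reconstruct keys once more than n - t authorities have crashed, i.e. at least n - t + 1
    of them, each crashing independently with probability p."""
    return binomial_tail(n, n - t + 1, p)


def control_probability(t, n, q):
    """Confidentiality failure (Section 5.2, Fig. 6): the attacker holds enough shares once
    it controls at least t authorities, each compromised independently with probability q."""
    return binomial_tail(n, t, q)


def threshold_table(n, p, q):
    """One row per candidate threshold t: (t, crash probability, control probability).
    Crash probability grows with t while control probability shrinks, which is the
    trade-off a deployer settles when fixing (t, n)."""
    return [(t, crash_probability(t, n, p), control_probability(t, n, q))
            for t in range(1, n + 1)]


def choose_threshold(n, p, q, max_control):
    """Smallest t whose control probability stays within max_control (control probability
    is non-increasing in t, so the first hit is the minimum), returned together with the
    crash probability that choice costs. Returns None when no t in 1..n meets the bound."""
    for t, crash, control in threshold_table(n, p, q):
        if control <= max_control:
            return t, crash, control
    return None


if __name__ == "__main__":
    # Constructed illustration: n = 7 as in Fig. 5/6; p = q = 0.1 chosen for this example.
    for t, crash, control in threshold_table(7, 0.1, 0.1):
        print(f"t={t}: P[crash]={crash:.7f}  P[control]={control:.7f}")
    print("smallest t with P[control] <= 1e-3:", choose_threshold(7, 0.1, 0.1, 1e-3))
```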
6. Performance Analysis
This section compares our scheme with the related schemes [2], [13], [20], [26] and [27] in terms of functions, computational overhead and storage cost. The relevant notations are described in Table 1.
Table 1. Notations
6.1 Functional comparison
The functions of our scheme and schemes [2], [13], [20], [26] and [27] are analyzed and compared in Table 2. Amongst them, schemes [2] and [26] are of the CP-ABE type. Their access structure grows linearly with the number of data types, and the ciphertext storage cost grows with it, which results in a greater storage burden. Compared with scheme [20], our scheme designs a sensitivity classification method to set different access permissions. Meanwhile, we propose a special threshold key generation method based on matrix eigenvalues to establish a multi-attribute-authority management mechanism without a master key. This avoids collusion among dishonest attribute authorities, which is not addressed in the other schemes. Moreover, our scheme and scheme [13] are of the H-CP-ABE type and both use a hierarchical access tree as the access structure, which reduces the storage burden and improves the efficiency of the scheme. The other feature is a data sensitivity classification method with multiple permissions, which realizes hierarchical access control. In summary, our scheme meets the privacy protection and access control requirements of epidemiological survey and is feasible.
Table 2. Functional comparison
6.2 Computational cost
Suppose our system needs to share l hierarchical data items \(M = \{m_1, m_2, \dots, m_l\}\). The access order decreases gradually with the number of levels. According to the characteristics of the hierarchical access tree, the ciphertext attribute set of each level is expressed as \(\{AC_1, AC_2, \dots, AC_l\}\), where \(AC_1 \supseteq AC_2 \supseteq \dots \supseteq AC_l\).
As shown in Table 3, the ciphertext size in schemes [2], [26] and [27] is positively correlated with the number of attributes and data types, and different access structures need to be established for different levels of data, which results in higher computational cost. We use the hierarchical access tree structure to encrypt data and design an authorization algorithm for multiple permissions. This algorithm encrypts multiple permissions at a time, so it does not need to establish an access structure for each level. Compared with schemes [2], [26] and [27], our scheme greatly saves computational cost.
Table 3. Computational cost
6.3 Storage cost
Table 4 compares the PK, MSK, SK and CT sizes of our scheme with those of schemes [2], [26] and [27]. In our scheme, we design a special threshold key generation method based on matrix eigenvalues with the help of a black box, which establishes a multi-attribute-authority management mechanism without a trusted center or master key and takes up less storage space. However, schemes [2], [26] and [27] require layered encryption of data at multiple levels, which aggravates the burden of ciphertext storage. Our scheme encrypts the data using hierarchical ABE and only needs to store the attribute ciphertext. As data types and user attributes increase, our storage cost is lower than that of schemes [2], [26] and [27].
Table 4. Storage cost
6.4 Experiment simulation
We carried out experimental simulations to evaluate our scheme. Our scheme is implemented on a laptop with the Windows 10 operating system, 8.00 GB RAM and a 2.60 GHz CPU. The Java language and the Pairing-Based Cryptography (PBC) library [28] are used to implement the cryptographic algorithms. Operations on prime-order groups are implemented with the Type A pairing provided by the Java Pairing-Based Cryptography Library (JPBC). The access policy used in the experiments is the access tree. The experimental results are as follows.
Fig. 7 shows the encryption and decryption times of our scheme and schemes [2], [26] and [27]. We use the hierarchical access tree to encrypt data and do not need to establish different access structures for different levels of permission, which reduces computational cost. Our encryption and decryption times increase slowly as the number of attributes increases, while they increase rapidly in the other schemes with l = 4. Our scheme is more efficient than the other three schemes.
Fig. 7. The comparison of encryption/decryption time (l = 4)
A similar phenomenon can be observed in Fig. 8. We fix the number of user attributes \(|A_u| = 30\) and observe how the encryption and decryption times vary as l changes. As l increases, the number of exponentiation operations rises. The computational cost increases slowly in our scheme, while it rises rapidly in schemes [2], [26] and [27]. Thus, the time efficiency of our scheme is more prominent.
Fig. 8. The comparison of encryption/decryption time (\(|A_u| = 30\)).
In our scheme, the hierarchical access tree is used as the access structure for encryption and decryption, so it does not need to establish multi-level access structures or store multi-level ciphertexts. Building the system without a master key further reduces the storage cost. According to the analysis of (a) and (b) in Fig. 9, as data types and attributes increase, our scheme has a smaller storage burden.
Fig. 9. The comparison of storage cost of ciphertext
According to the conclusions above, our scheme has significant advantages in computation and storage cost over schemes [2], [26] and [27]. Our scheme fully utilizes the characteristics of the hierarchical access tree to provide a finer division of permissions and more efficient services for the smooth running of epidemiological survey.
7. Conclusion
Data privacy protection in epidemiological survey is explored based on the hierarchical access tree structure to ensure the smooth operation of the survey. A data sensitivity classification method with multiple permissions is designed according to the confidentiality degree of the institution to which the data belongs and the importance of the data properties. Different permissions are set using the hierarchical access tree structure to improve encryption efficiency and realize privacy protection. Combined with the characteristics of matrix eigenvalues, a multi-attribute-authority management mechanism is established without a trusted center to prevent fraud by a single authority center. Public and private keys are distributed without obtaining the master key by using a secret sharing mechanism, which avoids key disclosure. Our scheme is proven secure under the DBDH assumption. In future work, more comprehensive access control methods will be considered, such as access structure change and access structure hiding, to better protect the privacy of epidemiological survey data.
References
- [1] A. Sahai, B. Waters, "Fuzzy identity-based encryption," in Proc. of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques, pp. 457-473, 2005.
- [2] J. Bethencourt, A. Sahai, B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of 2007 IEEE Symposium on Security and Privacy, pp. 321-334, 2007.
- [3] V. Goyal, O. Pandey, A. Sahai, W. Brent, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM Conference on Computer and Communications Security, pp. 89-98, 2006.
- [4] Ba, X. Hu, Y. Chen, Z. Hao, X. Li, X. Yan, "A blockchain-based CP-ABE scheme with partially hidden access structures," Security and Communication Networks, vol. 2021, pp. 1-16, Nov. 2021. https://doi.org/10.1155/2021/4132597
- [5] Z. Zhang, X. Ren, "Data security sharing method based on CP-ABE and blockchain," Journal of Intelligent & Fuzzy Systems, vol. 40, no. 2, pp. 2193-2203, Jan. 2021. https://doi.org/10.3233/JIFS-189318
- [6] X. Liu, Y. Xia, W. Yang, F. Yang, "Secure and efficient querying over personal health records in cloud computing," Neurocomputing, vol. 274, pp. 99-105, Jan. 2018. https://doi.org/10.1016/j.neucom.2016.06.100
- [7] S. Wang, J. Zhou, J. K. Liu, J. Yu, J. Chen, W. Xie, "An efficient file hierarchy attribute-based encryption scheme in cloud computing," IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1265-1277, Jun. 2016. https://doi.org/10.1109/TIFS.2016.2523941
- [8] J. Tao, L. Ling, "Practical medical files sharing scheme based on blockchain and decentralized attribute-based encryption," IEEE Access, vol. 9, pp. 118771-118781, 2021. https://doi.org/10.1109/ACCESS.2021.3107591
- [9] Y. He, H. Wang, Y. Li, K. Huang, V. C. M. Leung, F. Yu, Z. Ming, "An efficient ciphertext-policy attribute-based encryption scheme supporting collaborative decryption with blockchain," IEEE Internet of Things Journal, vol. 9, no. 4, pp. 2722-2733, Feb. 2022. https://doi.org/10.1109/JIOT.2021.3099171
- [10] H. Wang, J. Liang, Y. Ding, S. Tang, Y. Wang, "Ciphertext-policy attribute-based encryption supporting policy-hiding and cloud auditing in smart health," Computer Standards & Interfaces, vol. 84, p. 103696, 2023.
- [11] Y. Zhang, W. Li, G. Zhao, et al., "Research on secret sharing scheme without trusted center based on eigenvalue," Journal of Electronics & Information Technology, vol. 40, no. 11, pp. 2752-2757, 2018.
- [12] Y. Zhang, W. Li, L. Chen, W. Bi, T. Yang, "Verifiable special threshold secret sharing scheme based on eigenvalue," Journal on Communications, vol. 39, pp. 169-175, 2018.
- [13] X. Liu, X. Yang, Y. Luo, L. Wang, Q. Zhang, "Anonymous electronic health record sharing scheme based on decentralized hierarchical attribute-based encryption in cloud environment," IEEE Access, vol. 8, pp. 200180-200193, 2020. https://doi.org/10.1109/ACCESS.2020.3035468
- [14] M. Chase, "Multi-authority attribute-based encryption," in Proc. of TCC 2007: Theory of Cryptography, pp. 515-534, 2007.
- [15] H. Lin, Z. Cao, X. Liang, J. Shao, "Secure threshold multi authority attribute-based encryption without a central authority," Information Sciences, vol. 180, pp. 2618-2635, 2010. https://doi.org/10.1016/j.ins.2010.03.004
- [16] A. Lewko, B. Waters, "Decentralizing attribute-based encryption," in Proc. of Advances in Cryptology - EUROCRYPT 2011, pp. 568-588, 2011.
- [17] J. Tao, L. Ling, "Practical medical files sharing scheme based on blockchain and decentralized attribute-based encryption," IEEE Access, vol. 9, pp. 118771-118781, 2021. https://doi.org/10.1109/ACCESS.2021.3107591
- [18] S. Li, H. Zhang, "Online/offline attribute-based encryption with multi-authority access control," in Proc. of International Computer Conference on Wavelet Active Media Technology and Information Processing, pp. 426-433, 2021.
- [19] C. Gentry, A. Silverberg, "Hierarchical ID-based cryptography," in Proc. of Advances in Cryptology - ASIACRYPT 2002, pp. 548-566, 2002.
- [20] Z. Wan, R. H. Deng, "HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 743-754, Apr. 2012. https://doi.org/10.1109/TIFS.2011.2172209
- [21] J. Shen, D. Liu, Q. Liu, X. Sun, Y. Zhang, "Secure authentication in cloud big data with hierarchical attribute authorization structure," IEEE Transactions on Big Data, vol. 7, no. 4, pp. 668-677, Oct. 2021.
- [22] Y. Yang, F. He, S. Han, Y. Liang, Y. Cheng, "A novel attribute-based encryption approach with integrity verification for CAD assembly models," Engineering, vol. 7, pp. 787-797, 2021. https://doi.org/10.1016/j.eng.2021.03.011
- [23] F. Sammy, S. Maria Celestin Vigila, "An efficient blockchain based data access with modified hierarchical attribute access structure with CP-ABE using ECC scheme for patient health record," Security and Communication Networks, vol. 2022, pp. 1-11, Mar. 2022.
- [24] Z. Ying, Y. Si, J. Ma, X. Liu, "Blockchain-based distributed EHR fine-grained traceability scheme," Journal on Communications, vol. 42, pp. 205-215, 2021.
- [25] A. Saidi, O. Nouali, A. Amira, "SHARE-ABE: an efficient and secure data sharing framework based on ciphertext-policy attribute-based encryption and Fog computing," Cluster Computing, vol. 25, pp. 167-185, 2022. https://doi.org/10.1007/s10586-021-03382-5
- [26] X. Yan, X. He, T. Liu, Q. Ye, J. Yu, Y. Tang, "Traceable attribute-based encryption scheme with key-delegation abuse resistance," Journal on Communications, vol. 41, pp. 150-161, 2020.
- [27] X. Yan, X. Yuan, Q. Zhang, Y. Tang, "Traceable and weighted attribute-based encryption scheme in the cloud environment," IEEE Access, vol. 8, pp. 38285-38295, 2020. https://doi.org/10.1109/ACCESS.2020.2975813
- [28] V. Lynn, "PBC Library," 2016. [Online]. Available: https://crypto.stanford.edu/pbc.