A searchable personal health records framework with fine-grained access control in cloud-fog computing

Fog computing can extend cloud computing to the edge of the network so as to reduce latency and network congestion. However, existing encryption schemes were rarely used in fog environment, resulting in high computational and storage overhead. Aiming at the demands of local information for terminal device and the shortcomings of cloud computing framework in supporting mobile applications, by taking the hospital scene as an example, a searchable personal health records framework with fine-grained access control in cloud-fog computing is proposed. The proposed framework combines the attribute-based encryption (ABE) technology and search encryption (SE) technology to implement keyword search function and fine-grained access control ability. When keyword index and trapdoor match are successful, the cloud server provider only returns relevant search results to the user, thus achieving a more accurate search. At the same time, the scheme is multi-authority, and the key leakage problem is solved by dividing the user secret key distribution task. Moreover, in the proposed scheme, we securely outsource part of the encryption and decryption operations to the fog node. It is effective both in local resources and in resource-constrained mobile devices. Based on the decisional q-parallel bilinear Diffie-Hellman exponent (q-DBDHE) assumption and decisional bilinear Diffie-Hellman (DBDH) assumption, our scheme is proven to be secure. Simulation experiments show that our scheme is efficient in the cloud-fog environment.


Introduction
With the promotion of new medical reform policies and the rapid development of medical information, the Electronic Medical Record (EMR) [1] has become an inevitable outcome of network information technology in the medical field. An EMR is an electronic patient record of a specific system that is created, stored and used electronically. The results of the patient's diagnosis and treatment can be transmitted through the hospital's computer network or the health card (optical card and IC card). The sharing of information resources brings great convenience to medical care. Unlike EMR, Personal Health Records (PHR) [2] are health information created and managed by patients themselves through the Internet. With the development of cloud computing, patients upload PHR files to cloud servers through mobile devices, which saves local storage space and expands information sharing. A large amount of data is stored in the cloud, making it difficult for traditional clouds to meet current needs. The massive increase in stored data would not only put great pressure on the cloud, but also lead to network congestion and transmission delays. For example, large enterprises need to pay for expensive bandwidth if they completely rely on the cloud for complex data processing; some requirements need a timely response, such as payment links and the car avoidance technologies involved in autonomous driving, and when providing emergency medical services, data delays or cloud network failures can have serious consequences that cannot be measured. In order to solve the above problems, Bonomi F et al. of the US company Cisco first proposed the concept of fog computing in 2012 [3]. Fog computing is an extension of cloud computing and is a service computing paradigm for paravirtualized frameworks [4,5]. The fog server is set between the cloud server and the IoT devices, so that the storage and calculation of data are transferred as much as possible to the fog servers.
So, fog computing helps to reduce the workload of the cloud server and improve the efficiency of the entire system. The fog computing service framework is shown in Fig 1. When sensitive data are outsourced to fog nodes, which are similar to a cloud platform, data security and privacy concerns still impede the adoption of fog computing, as data owners lose physical control over their data in fog nodes or the cloud. Semi-trusted cloud servers may leak and tamper with PHR information, or non-authorized users may steal sensitive patient information for commercial benefit. If sensitive information is used by unauthorized users or third parties, the doctor may obtain a wrong medical record, resulting in misdiagnosis. How to solve the security and privacy issues in the PHR system has become one of the most important challenges.
Encryption technology is the most critical technology to ensure information security. Goyal et al. [6] formulated the ABE into two types: the ciphertext-policy attribute-based encryption (CP-ABE) and the key-policy attribute-based encryption (KP-ABE). CP-ABE is considered one of the most appropriate encryption methods to achieve fine-grained access control. This approach allows the data owner to perform access control by setting the access structure. Due to the one-to-many communication characteristics of the ABE system, flexible access control encryption schemes are being proposed. In 2010, Ibraimi et al. [7] applied ABE to PHR security management to achieve flexible access control. However, this scheme did not give concrete proof of security. In 2013, Li et al. [8] used attribute-based encryption technology to encrypt PHR files of patients, achieving scalability and fine-grained access control for PHR. Unlike other solutions, this scheme supports multiple data owner application scenarios. Compared to the traditional single-authority CP-ABE schemes, the attributes come from different attribute authorities in the multi-authority CP-ABE schemes. In addition, it does not cause single point of failure and key leakage, which makes the multi-authority CP-ABE schemes more practical in cloud-fog computing.
In addition to data security issues, supporting outsourced partial computing operations and efficient searching of encrypted data are also important features in practical applications.

Related work
In this section, we discuss the related work of this article.

Multi-authority ABE.
A single-authority attribute encryption scheme manages a large number of user attribute sets with only one attribute authority, which easily causes network congestion and reduces system efficiency. This does not meet the actual work needs. In order to improve on the efficiency of the single attribute authority, multi-authority ABE schemes have been proposed. In 2007, Chase et al. [9] introduced the first multi-authority ABE scheme. Independent authorities supervise attributes and distribute keys to improve the security of the key. However, the encryption algorithm of the scheme is not flexible enough. In 2013, Yang et al. [10] proposed a multi-authority cloud storage data access control (DAC-MACS) scheme. The partial decryption calculation is outsourced to the server by a token-based decryption method, and the scheme also supports instant attribute revocation. However, the global certification authority has a huge amount of bilinear calculations. Subsequently, some multi-authority large-universe ABE schemes [11,12] have been proposed. In 2018, Zhang et al. [13] proposed a multi-authority CP-ABE scheme with white box tracking. The access policy can be expressed as any monotone access structure, and the ciphertext size grows linearly with the rows of the access matrix.

Keyword search over encrypted data.
Searchable encryption (SE) can be classified into two types: symmetric encryption with keyword search (SEKS) and public key encryption with keyword search (PEKS). There are some attempts to combine data encryption and searchable encryption to ensure the security of uploading to the cloud. In 2004, Boneh et al. [14] proposed the first concept of PEKS. However, the server has a large computational overhead during the matching process between the trapdoor and the index. Then, search schemes [15][16][17][18][19] with different characteristics have been proposed. In 2017, Cui et al. [20] proposed a keyword search encryption scheme that supports effective revocation in cloud computing. At the same time, it supports certifiable keyword search and effective user revocation to meet the application scenarios of multiple data owners and data users. To the best of our knowledge, there is currently no searchable encryption scheme designed for cloud-fog environments.

Outsourced ABE.
In ABE, outsourcing complex operations to a cloud server in order to reduce the local computation cost has become an important and popular problem. In 2011, Green et al. [21] constructed the outsourced decryption ABE scheme in order to save local computing time. The user did not require bilinear pairing operations during the decryption phase. But this scheme cannot guarantee the correctness of the transformed key. In 2016, Wang et al. [22] proposed a verifiable outsourced attribute encryption scheme based on dual-system encryption technology and composite order bilinear groups, but it is less efficient. In 2018, Jiang et al. [23] proposed a revocable outsourcing attribute-based encryption scheme. The storage service manager distributes the attribute key for the user through the binary status tree, thereby implementing user revocation and attribute revocation. There are several applications of outsourced ABE in [24][25][26].

Our contribution
In this article, we propose a searchable personal health records framework with fine-grained access control in cloud-fog computing. Roughly, the key points of our work are described below:
1. We designed a hybrid searchable encryption scheme based on cloud-fog computing. The fog node bridges between the intelligent terminal and the cloud, the data owner and data user can be directly connected to fog nodes, and each fog node is connected to the cloud, reducing unnecessary data transmission.
2. In order to serve resource-constrained terminal equipment, a novel multi-authority CP-ABE scheme is proposed that supports both outsourced encryption and outsourced decryption. Without divulging data privacy, most local calculations are outsourced to fog nodes, enabling data users to enjoy high-rate, low-latency, high-quality services.
3. This article proposes an attribute-based searchable encryption scheme, which realizes one-to-many communication. Data users can query relevant ciphertexts according to the keywords they specify, narrowing the scope of retrieval in massive document collections.
4. Formal security and performance analysis proves that our scheme is safe and feasible under cloud-fog computing. In addition, it achieves secure data sharing and effectively protects the confidentiality of data.

Organization
The remainder of this paper is organized as follows: In Section 2, we review the relevant background knowledge of this scheme. Section 3 presents the system model and security model used throughout the paper. In Section 4, we give a detailed description of the specific algorithm and the correctness analysis of the scheme. We analyze the security and discuss the performance of our scheme in comparison with several related works in Section 5 and Section 6. Finally, we conclude in Section 7.

Preliminaries
This section mainly gives the basic concept of access structure; then introduces bilinear maps and uses it as the main mathematical tool to construct the encryption algorithm proposed in this paper; the definition of the linear secret sharing scheme is given; and finally some difficult problems are introduced to prove the security of this scheme.

Access structure
In order to achieve fine-grained access control in an ABE scheme, the following access control structure is defined. Definition 1 (Access structure [21]). Let $P = \{P_1, P_2, \dots, P_n\}$ be a set of $n$ participants. A collection $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}}$ is called monotone if, for all $B, C$: $B \in \mathbb{A}$ and $B \subseteq C$ imply $C \in \mathbb{A}$. An access structure is a collection $\mathbb{A}$ of non-empty subsets of $P = \{P_1, P_2, \dots, P_n\}$, namely $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

Bilinear maps
Definition 2 (Bilinear Maps [21]). Let $G$ and $G_T$ be two groups of prime order $p$. Let $g$ be a generator of $G$. The map $e: G \times G \to G_T$ is called a bilinear pairing operation. The mapping $e$ satisfies the following properties: 3. Computability: For all $u, v \in G$, there is an efficient algorithm to calculate $e(u, v)$.

Linear secret sharing scheme
Definition 3 (Linear Secret Sharing Scheme (LSSS) [6]). Let $P = \{P_1, P_2, \dots, P_n\}$ be a set of participants. $(M, \rho)$ represents an access structure $\mathbb{A}$, where $M$ is the $l \times n$ share-generating matrix and $\rho$ is a mapping. For all $i = 1, 2, \dots, l$, the function $\rho$ maps the $i$-th row of $M$ to the corresponding attribute. A linear secret sharing scheme consists of the following two efficient algorithms:
1. Secret sharing algorithm: To share a secret $s \in Z_p$, the algorithm randomly chooses $v_2, \dots, v_n \in Z_p$ and forms the column vector $v = (s, v_2, \dots, v_n)$. It then calculates $\lambda_i = (M \cdot v)_i$, where $\lambda_i$ is the share of the secret held by the entity $\rho(i)$.
2. Secret reconstruction algorithm: Let $S \in \mathbb{A}$ be any authorized set, and define $I \subseteq \{1, 2, \dots, l\}$ as $I = \{i : \rho(i) \in S\}$. There exist constants $\{\omega_i \in Z_p\}_{i \in I}$ that satisfy $\sum_{i \in I} \omega_i M_i = (1, 0, \dots, 0)$. The recovered secret is $\sum_{i \in I} \omega_i \lambda_i = s$. The set of constants can be found in polynomial time.
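
The sharing and reconstruction algorithms of Definition 3, as an added example (not code from the paper). The prime `P`, the matrix `M`, the mapping `RHO` and the policy hospital A AND (dermatologist OR psychologist) are constructed for illustration, using attribute names from the paper's hospital scenario.

```python
import secrets

# Constructed prime standing in for the group order p (assumption for this example).
P = 2**127 - 1

# Constructed LSSS matrix for: hospital A AND (dermatologist OR psychologist).
# RHO maps row i of M to an attribute; (1, 0) is the reconstruction target.
M = [[1, 1], [0, -1], [0, -1]]
RHO = ["hospital A", "dermatologist", "psychologist"]


def share(M, s, p=P):
    """Secret sharing: v = (s, v_2, ..., v_n), lambda_i = (M . v)_i mod p."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def solve_omega(rows, p=P):
    """Return omega with sum_i omega_i * rows[i] = (1, 0, ..., 0) mod p, else None."""
    k, n = len(rows), len(rows[0])
    # Augmented system: one equation per column j of M, one unknown per row i.
    A = [[rows[i][j] % p for i in range(k)] + [1 if j == 0 else 0]
         for j in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if A[i][c]), None)
        if piv is None:
            continue  # free variable, left at 0
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)  # modular inverse (Python 3.8+)
        A[r] = [a * inv % p for a in A[r]]
        for i in range(n):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    # A row with all-zero coefficients but a non-zero right side means
    # (1, 0, ..., 0) is not in the span of the rows: the set is unauthorized.
    if any(not any(row[:k]) and row[k] for row in A):
        return None
    omega = [0] * k
    for row_idx, c in enumerate(pivots):
        omega[c] = A[row_idx][k]
    return omega


def reconstruct(M, rho, shares, attrs, p=P):
    """Secret reconstruction for attribute set S = attrs; None if unauthorized."""
    I = [i for i in range(len(M)) if rho[i] in attrs]
    if not I:
        return None
    omega = solve_omega([M[i] for i in I], p)
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, I)) % p


if __name__ == "__main__":
    s = secrets.randbelow(P)
    lam = share(M, s)
    # Authorized set recovers s; a set missing "hospital A" gets None.
    print(reconstruct(M, RHO, lam, {"hospital A", "dermatologist"}) == s)
    print(reconstruct(M, RHO, lam, {"dermatologist", "psychologist"}))
```

An unauthorized set fails because no coefficients $\omega_i$ exist for its rows, not because a check rejects it.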

Hardness assumptions
Decisional q-Parallel Bilinear Diffie-Hellman Exponent (q-parallel DBDHE) Assumption [27]. A group $G$ of prime order $p$ is selected according to the security parameter, and $g$ is a generator of $G$. Randomly choose $a, s, b_1, \dots, b_q \in Z_p$. Given

$$y = \big(g,\ g^{s},\ g^{a}, \dots, g^{a^{q}},\ g^{a^{q+2}}, \dots, g^{a^{2q}},\quad \forall_{1 \le j \le q}:\ g^{s \cdot b_j},\ g^{a/b_j}, \dots, g^{a^{q}/b_j},\ g^{a^{q+2}/b_j}, \dots, g^{a^{2q}/b_j},\quad \forall_{1 \le j,k \le q,\ k \ne j}:\ g^{a \cdot s \cdot b_k/b_j}, \dots, g^{a^{q} \cdot s \cdot b_k/b_j}\big),$$

it is hard to distinguish a valid tuple $e(g, g)^{a^{q+1} \cdot s} \in G_T$ from a random element $R$ in $G_T$. An algorithm $B$ that outputs $\upsilon \in \{0, 1\}$ has advantage $\varepsilon$ in solving q-parallel DBDHE in $G$ if

$$\big|\Pr[B(y, T = e(g, g)^{a^{q+1} \cdot s}) = 0] - \Pr[B(y, T = R) = 0]\big| \ge \varepsilon.$$

Definition 4. We say that the q-parallel DBDHE assumption holds if no polynomial time algorithm can solve the q-parallel DBDHE problem with non-negligible advantage.
Decisional Bilinear Diffie-Hellman (DBDH) Assumption [28,29]. Let $g$ be a generator of $G$ and let $\beta, \gamma, z \in Z_p$ be selected at random. If the challenger gives the adversary $(g, g^{\beta}, g^{\gamma}, g^{z})$, it must be difficult for the adversary to distinguish a valid tuple $e(g, g)^{\beta\gamma z} \in G_T$ from a random element. Definition 5. We say that the DBDH assumption holds if all polynomial time algorithms have at most a negligible advantage in solving the DBDH problem.

Definition of system model
The system model is shown in Fig 2. The labels (1)-(6) in the figure correspond to the 6 algorithms in our scheme, namely the system establishment, key generation, file encryption, trapdoor generation, ciphertext retrieval and file decryption algorithms. It contains the following 6 entities:
Central Authorities (CA): We assume that there are $K$ central authorities (CAs), for example, the health department, education department, state government, etc. The CA generates global public parameters for the PHR system and distributes secret keys based on the user's globally unique identifier id. Each CA works independently and does not need to communicate with the others, and at least one of the CAs is honest and not curious. Note that the CA does not participate in any attribute-related operations.
Attribute Authorities (AA): There are $D$ attribute authorities (AAs). Each AA manages a different attribute domain $S_d$, and $S = \bigcup_{d=1}^{D} S_d$ represents the set of all attributes in the entire system. The AA generates related secret keys based on the user's attributes. For example, a hospital can assign the Hospital A attribute to all employees. Health associations can assign different doctors or nurses attributes related to medical professional licenses, such as dermatologists and psychologists. The AAs are independent of each other; one attribute is managed by only one AA, but one AA can manage multiple attributes.
Cloud Server Provider (CSP): The Cloud Server Provider (CSP) is a semi-trusted entity that is mainly responsible for storing encrypted PHR files and keyword indexes, and providing access services for authorized users.
Fog Nodes (FN): A fog node is a trusted entity that sits at the edge of the network and provides computing, storage and network services. It is responsible for partial encryption and decryption operations. The fog node helps the DO to generate partial ciphertext and uploads all ciphertext to the CSP. It can also decrypt some ciphertext downloaded from the CSP.
Data Owner (DO): The data owner specifies an access policy, encrypts PHR files and keyword sets, and uploads ciphertext and indexes to the CSP.
Data User (DU): The data user downloads the encrypted PHR file from the CSP. The DU can decrypt successfully only if the attributes of the DU satisfy the access policy. For example, doctors and nurses must visit the patient's PHR file in order to properly diagnose the condition and care.
For a more intuitive description of the scheme, we use personal health records to illustrate. Consider the following scenario: Alice, who has a skin disease, wants to find an expert to examine her through an online medical facility. Alice's requirement is (hospital A ∧ dermatologist). In order to protect the confidentiality of personal health records, Alice needs to encrypt her medical health records under the hospital A ∧ dermatologist condition before uploading data to the CSP. The CSP then searches for a doctor who satisfies hospital A ∧ dermatologist in its own database and sends Alice's personal health record to the qualified doctor Bob. Bob can decrypt the record so that Alice can continue treatment.

Algorithm definition
This scheme consists of 6 algorithms: system setup, key generation, file encryption, trapdoor generation, search over ciphertext, and file decryption. Each algorithm is described as follows:
1. System Setup: The algorithm is executed by the authorities. It contains 3 sub-algorithms:
Global-Setup($1^{\lambda}$): The global-setup algorithm is run by a trusted third party. It takes no input other than the security parameter $\lambda$ and outputs the global public parameter GPK.

CA-Setup(GPK, k):
The CA-setup algorithm is run by each $CA_k$. It takes as inputs the GPK and the tag $k$ of the CA, and outputs the public parameters $(CPK_k, CAPK_k)$ and the master key $CASK_k$; $CAPK_k$ is used only by the $CA_k$.

AA-Setup(GPK, $d$, $S_d$):
The AA-setup algorithm is performed by each $AA_d$. It takes as inputs the GPK, the tag $d$ of the $AA_d$, and the attribute set $S_d$ managed by the $AA_d$. It outputs the public parameters $(APK_d, AAPK_d)$ and the master key $AASK_d$; $AAPK_d$ is used only by the $AA_d$.

Key Generation:
This algorithm is performed by the $CA_k$ and the $AA_d$. It contains 2 sub-algorithms: The CA-key generation algorithm is performed by the $CA_k$. It takes as inputs the global public parameter GPK, the master key $CMSK_k$ of the $CA_k$, part of the public parameters $AAPK_d$ of the $AA_d$, and the unique identifier id of the data user. It outputs the user-center-key $(ucsk_{id,k}, ucpk_{id,k})$, where $ucpk_{id,k}$ is called the user-center-public-key.
AA-KeyGen(att, $\{ucpk_{id,k} \mid k \in K\}$, $\{VerifyKey_k \mid k \in K\}$, $AMSK_d$, GPK): The AA-key generation algorithm is executed by the $AA_d$. It takes as inputs an attribute att, the user-center-public-key $ucpk_{id,k}$, the verification key $VerifyKey_k$, the master key $AMSK_d$, and the global public parameters GPK. It outputs the secret key $SK_{DU}$ of the DU and the public/secret key pair $(pk_O, sk_O)$ of the DO.

Definition of security model
In the fog-cloud storage system, the CSP is also curious about the contents of the encrypted data. We assume that the CSP will correctly perform the tasks assigned by the central authority and attribute authority. The AA and CA can be corrupted or attacked. To demonstrate the security of our scheme, we design two security games: the indistinguishability against selective ciphertext-policy and chosen ciphertext attack (IND-sCP-CCA) game and the trapdoor privacy game.
Game 1. Ciphertext indistinguishability. The security of this scheme is defined by the following game run between a challenger B and an adversary A. A can corrupt CAs and AAs by specifying $K'_c \subseteq K$ and $D'_c \subseteq D$ after seeing the public parameters, where $K \setminus K'_c \ne \emptyset$ and $D \setminus D'_c \ne \emptyset$. The security game is defined as follows:
Setup. B runs algorithms Global-Setup, CA-Setup and AA-Setup. The public parameters GPK, $(CPK_k, CAPK_k)$ and $(APK_d, AAPK_d)$ are sent to A. We allow A to corrupt authority

Guess.
A submits a guess $\upsilon' \in \{0, 1\}$. If $\upsilon' = \upsilon$, A wins this game; otherwise A fails. The advantage of A in breaking this game is $Adv_A = |\Pr[\upsilon = \upsilon'] - \frac{1}{2}|$. Definition 7. The proposed scheme is trapdoor privacy secure if all polynomial time adversaries A have at most a negligible advantage in the above security game.

Algorithm construction
In this part, we use the hospital scenario to construct a PHR sharing scheme based on cloud-fog computing. The patient encrypts personal medical data according to different access policies and stores it in the cloud. Doctors need to download the PHR file from the cloud if they want to view the case. As the transmission distance of encrypted data from the cloud to the mobile device increases, communication costs and delays increase. By deploying the fog server in the hospital, the total response time is reduced. In hospitals, it is difficult for a dermatologist to find dermatological data in a massive medical database. Keyword-based search technology makes it possible not only to access the data in the cloud, but also to perform keyword search directly in the cloud. The doctor only downloads the files he needs, effectively reducing communication costs.

Detailed description of our scheme
A. System setup. During the system setup phase, global public parameters are generated. The $CA_k$ and $AA_d$ generate their own public key and secret key, respectively. The phase contains 3 sub-algorithms: Global-Setup, CA-Setup and AA-Setup.
Global-Setup($1^{\lambda}$): Only trusted third parties run the algorithm. It takes no input other than the security parameter $\lambda$. This algorithm chooses a bilinear map $e: G \times G \to G_T$, where $G$ and $G_T$ are two multiplicative cyclic groups of prime order $p$ ($p > 2^{\lambda}$). Let $g$ be a generator of $G$, and randomly pick $h \in G$. $\Sigma_{sign}$ = (KeyGen, SignKey, VerifyKey) is a secure unforgeable signature scheme. It also chooses a hash function $H: \{0, 1\}^* \to G$. Return the global public parameters $GPK = (G, G_T, p, g, h, \Sigma_{sign}, H_1)$.
CA-Setup(GPK, $k$): Each $CA_k$ runs this algorithm. It takes as inputs the global public parameters GPK and the tag $k$ of the CA. $CA_k$ runs the key generation algorithm KeyGen → $(SignKey_k, VerifyKey_k)$ of the scheme $\Sigma_{sign}$ and selects a random exponent $\alpha_k \in Z_p$. Then the central authority publishes the public key $CPK_k = e(g, g)^{\alpha_k}$, $CAPK_k = VerifyKey_k$ and keeps the master key $CMSK_k = (\alpha_k, SignKey_k)$ secret.
B. Key generation. We assume that there are two central authorities (the health department and the education department) and two attribute authorities (hospitals and health associations). Because the keys and attribute sets are related in the CP-ABE scheme, the attribute authority $AA_d$ will generate a corresponding attribute key according to the user's attribute set. Consider the following scenario: generate a key for a dermatologist working in Hospital A. The key generation phase contains 2 sub-algorithms: CA-KeyGen and AA-KeyGen. The key generation process is shown in Fig 3.
CA-KeyGen(GPK, $CMSK_k$, $AAPK_d$, id): A data user sends its globally unique identifier id to the $CA_k$ to request the user-central-key. The $CA_k$ randomly picks an element $r_{id,k} \in Z_p$ and sets the user-center-key: $ucsk_{id,k} = g^{\alpha_k} h^{r_{id,k}}$, $\Gamma_{id,k} = g^{r_{id,k}}$. For $d \in [1, D]$, $CA_k$ calculates $L_{id,k,d} = V_{d,k}^{r_{id,k}}$ and generates the signature $sign_{id,k} = Sign(SignKey_k, id \| k \| \Gamma_{id,k} \| \{L_{id,k,d}\}_{d \in [1,D]})$.
Simultaneously, the user-central-public-key $ucpk_{id,k} = (id, k, \Gamma_{id,k}, \{L_{id,k,d} \mid d \in D\}, \delta_{id,k})$ is output.

AA-Setup
AA-KeyGen(att, $\{ucpk_{id,k} \mid k \in K\}$, $\{VerifyKey_k \mid k \in K\}$, $AMSK_d$, GPK): For attribute att $\in S_d$. The data user id sends its user-center-public-key $\{ucpk_{id,k} \mid k \in K\}$ to the $AA_d$ to request the user-attribute-key.
C. File encryption. Before uploading the PHR file to the CSP, the patient needs to encrypt the file based on the access policy (hospital A ∧ dermatologist) and sends the access policy to the FN. The encryption algorithm contains two sub-algorithms: Fog-Encrypt and Do-Encrypt.
Fog-Encrypt(GPK, $\{APK_d\}$, $(M, \rho)$): Here $(M, \rho)$ is an LSSS access structure. Assume that $M$ is an $l \times n$ matrix. The function $\rho(\cdot)$, which is an injective function, maps each row of $M$ to a different attribute. For all $i \in \{1, 2, \dots, l\}$, the fog node randomly selects $\lambda'_i, r_i \in Z_p^*$ and sets the ciphertext $CT_{Fog}$ as follows: Output part of the ciphertext $CT_{Fog} = ((M, \rho), \{C_{i,1}, C_{i,2}, \lambda'_i\}_{i \in [1,l]})$.
Do-Encrypt($m$, GPK, $CT_{Fog}$, $sk_O$, $pk_U$): $m$ is the PHR file to be shared by the patient. The DO first creates the vector $V = (s, v_2, \dots, v_n) \in Z_p^n$, where $s$ is the random secret to be shared. For $i = 1$ to $l$, it computes the sub-secret $\lambda_i = V \cdot M_i$, where $M_i$ is the $i$-th row of matrix $M$. The intact data ciphertext $CT_1$ can be created by the following calculation: All data ciphertext is published as Then, the DO extracts keywords from the PHR file to form a set of keywords $W_m$. For each keyword $w_i \in W_m$, the algorithm randomly selects $t_i \in Z_p^*$ to generate a keyword index $CT_2 = (\{I_i\}_{w_i \in W_m})$ and sends it to the FN.

Correctness analysis
In this part, we will prove the correctness of our scheme by the following equations: (1) In order to verify whether the user-central-public-key $ucpk_{id,k}$ is valid, the calculation process is as follows: The index and trapdoor matching process is verified as follows: $T_w \cdot e(I_{2,i}, g) = e(H(w)^{\beta}, g^{\gamma}) \cdot e(g^{\beta t_i}, g)$ (4) The Fog-Decryption process calculates:

Security analysis
Theorem 1. Our system is secure against IND-sCP-CCA in the standard model if the decisional q-parallel BDHE assumption holds and the signature scheme $\Sigma_{sign}$ is existentially unforgeable. Proof. Assume that there exists a polynomial time adversary A who can break the IND-sCP-CCA security of our construction with advantage $\varepsilon = Adv_A^{IND\text{-}sCP\text{-}CCA}$. In the following security game, given the decisional q-parallel BDHE problem instance $(p, G, G_T, \tilde{y}, T)$, we can build a simulator B to decide whether $T = e(g, g)^{a^{q+1} \cdot s}$ or not. A can ask for the master key of any corrupted central authority in $K'_c$ and attribute authority in $D'_c$. The interaction between B and A is as follows:
Init. B is given a decisional q-parallel BDHE problem instance $(p, G, G_T, \tilde{y}, T)$. A exposes the access structure $(M^*, \rho^*)$ to be challenged, where $M^*$ is an $l^* \times n^*$ matrix and $n^* \le q$.
Setup. To expose public parameters, B performs the following operations:
1. B selects $g, h \in G$ and sets $h = g^{a}$. B sets the global public parameter GPK and sends it to A.
2. For each non-corrupted $CA_k$ ($k \in K \setminus K'_c$), B randomly chooses $\hat{\alpha}_k \in Z_p$ and implicitly sets $\alpha_k = \hat{\alpha}_k + a^{q+1}$ by letting $CPK_k = e(g^{a}, g^{a^{q}}) \cdot e(g, g)^{\hat{\alpha}_k}$. B selects the unforgeable signature algorithm $\Sigma_{sign}$ and calls the algorithm KeyGen → $(SignKey_k, VerifyKey_k)$ to generate a signature key pair, and sets $CAPK_k = VerifyKey_k$.
3. Let $X$ denote the set of indices $i$ that satisfy $\rho^*(i) = x$. It means that all the rows in the set $X$ match the same attribute $x$. For any $x$ ($1 \le x \le S$), choose the random exponents $\hat{u}_x, v_{d,k} \in Z_p$. B calculates: Finally, B sends GPK, $(\{CPK_k, CAPK_k\} \mid k \in K)$ and $(\{APK_d, AAPK_d\} \mid d \in D)$ to A. Note that the simulated public parameters have the same distribution as the actual parameters.
Phase1. At this stage, B accepts secret key queries from A. The restriction is that B only receives secret key queries for a set $S$ which does not satisfy $M^*$.
CKQ(id, $k$): For each non-corrupted $CA_k$ ($k \in K \setminus K'_c$), A submits a tuple (id, $k$) to B. According to the definition of LSSS, there exists a vector $w = (w_{1,k}, w_{2,k}, \dots, w_{n^*,k}) \in Z_p^{n^*}$ such that $w_{1,k} = -1$. For any $i$ where $\rho^*(i) \in S$, we have $\sum_{j=1}^{n^*} w_{j,k} \cdot M^*_{i,j} = 0$. B chooses a random number $r'_{id,k} \in Z_p$, then implicitly defines $r_{id,k}$ as It performs this by setting $\Gamma_{id,k} = g^{r'_{id,k} + w_{1,k} a^{q} + \cdots + w_{n^*,k} a^{q-n^*+1}}$ = g The parameter $g^{a^{q+1}}$ is included when calculating $ucsk_{id,k}$. By the definition of $r_{id,k}$, we find that $g^{a r_{id,k}}$ contains a term $g^{-a^{q+1}}$. Therefore, the parameter $g^{a^{q+1}}$ included in $ucsk_{id,k}$ can be eliminated. B calculates $ucsk_{id,k}$, $L_{id,k,d}$ as follows: $g^{a^{q+2-i} \cdot w_{i,k}} = g^{\hat{\alpha}_k} g^{a r'_{id,k}} g^{a^{q+1}} g^{-a^{q+1}} g^{a^{q} w_{2,k}} \cdots g^{a^{q+2-n^*} \cdot w_{i,k}}$ B generates a signature $sign_{id,k}$ and returns $ucsk_{id,k}$, $ucpk_{id,k} = (id, k, \Gamma_{id,k}, \{L_{id,k,d} \mid d \in D\}, sign_{id,k})$ to A.
AKQ(att, $\{ucpk_{id,k} \mid k \in K\}$, $d$): For each non-corrupted $AA_d$ ($d \in D \setminus D'_c$), A submits a tuple (att, $\{ucpk_{id,k} \mid k \in K\}$, $d$) to B. Then B calls algorithm AA-KeyGen to verify the validity of the signature on the $ucpk_{id,k}$. If the validation is successful, B calculates $ucsk_{att,id}$ as follows; otherwise it outputs ⊥.
Challenge. After A has finished the query Phase1, it sends two equal length messages $m_0$ and $m_1$ to B. B then flips a random bit $\upsilon \in \{0, 1\}$ and encrypts $m_{\upsilon}$. It creates challenge ciphertext The most difficult thing for B is to simulate $C_{i,1}$, since it contains terms $g^{a^{j} s}$. However, B can do the secret splitting so that these items cancel out. B chooses random and implicitly sets the vector $V = (s, sa + w_2, sa^{2} + w_3, \dots, sa^{n^*-1} + w_{n^*}) \in Z_p^{n^*}$ to share the secret $s$. For vector $V$, the sharing of the secret $s$ can be constructed as Let $R_i$ be the collection of all $i \ne y$ ($i \in [1, l^*]$) such that $\rho^*(i) = \rho^*(y)$. Intuitively, B randomly chooses l @ i ;r 1 ; � � � ;r l � 2 Z � p . For each row of matrix $M^*$, set $\rho^*(i) = x^*$. By implicitly setting r i ¼ Àr i À sb i . We can simulate the challenge ciphertext as follows: B sends the challenge ciphertext $CT_1^* = \{C, C', \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i \in [1,l^*]}\}$ to A.
Phase2. A continues to perform secret key queries similar to Phase1.
Guess. A submits a guess $\upsilon' \in \{0, 1\}$. If $\upsilon' = \upsilon$, B outputs guess 0, which means $T = e(g, g)^{a^{q+1} \cdot s}$. Otherwise B outputs guess 1 and decides that $T$ is a random element $R$ in $G_T$. Therefore, the advantage of B in solving the decisional q-parallel BDHE problem in a security game is

No polynomial time adversary A can win the trapdoor privacy game with a non-negligible advantage if the DBDH assumption holds.
Proof. Suppose there is an adversary A which breaks the trapdoor privacy of our scheme with a non-negligible advantage $\varepsilon_T$; then we can construct an algorithm B to solve the DBDH problem. Let $G$ be a group of prime order $p$ with generator $g$ and let $e: G \times G \to G_T$ be a bilinear map. First, challenger C selects $\beta, \gamma, z \in Z_p$, $\upsilon \in \{0, 1\}$ and an element $R \in G_T$. We let $Z = e(g, g)^{\beta\gamma z}$ if $\upsilon = 0$. Otherwise, $Z = R$. Then C gives $(g, g^{\beta}, g^{\gamma}, g^{z}, Z)$ to B. Now let B play the role of challenger in the following security game.
Setup. B announces the public keys $pk_U = g^{\beta}$, $pk_O = g^{\gamma}$ with the implicit assumption that Index Queries $O_I$: A gives a tuple $(pk'_U, w_i)$ to ask about the index. B randomly chooses $t_i \in Z_p$ and retrieves $\langle (pk_{DO}, pk'_{DU}, w_i), h_i, e_i, c_i \rangle$ from list $L_H$. If $c_i = 0$, B claims failure and outputs ⊥. If $c_i = 1$, let $h_i = g^{e_i} \in G$. B computes the index $I_i$ as Finally, B sends trapdoor $T_{w_i}$ and index $I_i$ to A.

Challenge.
A gives two equal length keywords ðw � 0 ; w � 1 Þ, with the restriction that ðw � 0 ; w � 1 Þ have not been queried to O T nor O I . B selects a random bit υ 2 {0,1} and generates the challenge trapdoor T w � u of keyword w � b and returns it to the A. If c � 0 ¼ 1 and c � 1 ¼ 1, B claims the failure and output ?.
Phase2. Same as Phase1, with the restriction $w \neq w_0^*, w_1^*$.
Guess. A outputs a guess $\upsilon' \in \{0, 1\}$. If $\upsilon' = \upsilon$, A wins the game; otherwise A fails.
Probability Analysis. We denote by abort the event that B aborts during the game. $q_T$ and $q_I$ denote the number of queries to the trapdoor oracle $O_T$ and the index oracle $O_I$. There are two cases in which B aborts, as follows.
1. If $c_i = 0$ when simulating $O_T$ and $O_I$. Denote it by $abort_1$. The probability that $abort_1$ will not occur is $\Pr[\overline{abort_1}] = (1 - s)^{q_T + q_I}$.
2. If $c_0^* = 1$ and $c_1^* = 1$ in the challenge phase. Denote it by $abort_2$. The probability that $abort_2$ will not occur is $\Pr[\overline{abort_2}] = 1 - (1 - s)^2 = 2s - s^2$.
Thence, the probability that B does not terminate the game is
$\sqrt{(q_T + q_I)/(q_T + q_I + 2)}$, $\Pr[\overline{abort}]$ takes the maximum value which is approximately equal to 2 $(q_T + q_I)$, and thus non-negligible. Conditioned on B not aborting, if A succeeds in breaking the trapdoor privacy of our scheme, B also succeeds in telling whether $Z = e(g, g)^{\beta\gamma z}$ or a random element $R \in G_T$. Therefore, the probability that B succeeds in guessing the bit $\upsilon$ (and thus solves the DBDH problem) is
If $\varepsilon_T$ is non-negligible, so is $|\Pr[\upsilon = \upsilon'] - \frac{1}{2}|$.
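The abort analysis above can be checked numerically. The following Python sketch is an added example, not code from the paper: it assumes the two abort events are independent, so that the no-abort probability is the product of the two probabilities stated in items 1 and 2, and it compares the square-root expression from the analysis with a brute-force maximisation. All function names are hypothetical.

```python
import math

def no_abort_probability(s: float, q_t: int, q_i: int) -> float:
    """Pr[B does not abort] for coin bias s (assumption: independent events).

    (1 - s)^(q_T + q_I): no trapdoor/index query triggered abort_1.
    2s - s^2           : the challenge phase did not trigger abort_2.
    """
    q = q_t + q_i
    return (1.0 - s) ** q * (2.0 * s - s * s)

def optimal_s(q_t: int, q_i: int) -> float:
    """Closed-form maximiser s = 1 - sqrt(q / (q + 2)), with q = q_T + q_I.

    Substituting u = 1 - s gives u^q - u^(q+2); its derivative vanishes
    at u^2 = q / (q + 2).
    """
    q = q_t + q_i
    return 1.0 - math.sqrt(q / (q + 2))

def numeric_argmax(q_t: int, q_i: int, steps: int = 200_000) -> float:
    """Grid search over s in (0, 1), used to cross-check optimal_s."""
    best_s, best_p = 0.0, -1.0
    for k in range(1, steps):
        s = k / steps
        p = no_abort_probability(s, q_t, q_i)
        if p > best_p:
            best_s, best_p = s, p
    return best_s

def tightness_table(query_counts):
    """For each (q_T, q_I): total queries, best s, Pr[no abort], loss 1/Pr."""
    rows = []
    for q_t, q_i in query_counts:
        s = optimal_s(q_t, q_i)
        p = no_abort_probability(s, q_t, q_i)
        rows.append((q_t + q_i, s, p, 1.0 / p))
    return rows

if __name__ == "__main__":
    # Constructed query budgets, chosen only to show the trend.
    for q, s, p, loss in tightness_table([(10, 10), (500, 500), (2**19, 2**19)]):
        print(f"q={q:>8}  s*={s:.3e}  Pr[no abort]={p:.3e}  loss={loss:.3e}")
```

At the optimum the no-abort probability is roughly 2/(e(q_T + q_I)), so the security loss of the reduction grows linearly with the number of oracle queries the adversary makes.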

Performance analysis
In this part, we give theoretical and experimental analysis of the proposed scheme.

Theoretical analysis
(1) Capability. Here, we compare our scheme with several related works in terms of features (i.e. keyword search, fog computing, multi-authority, etc.) in Table 1. We can see that the schemes [10,22,29] do not have the function of keyword search. Only our scheme and scheme [29] are based on fog computing. With the exception of scheme [10] and our scheme, users' attributes in the other schemes are not distributed by multiple authorities. The multi-authority design improves the security of the key and reduces the computational pressure on a single authority. Moreover, our scheme and scheme [22] can provide an outsourced encryption algorithm, but scheme [22] outsources its computational tasks to the corresponding service providers and does not address the latency response problem. The schemes [16,29] adopt an AND-gate access policy and the schemes [18,24] use a less computationally efficient tree access structure. Our scheme adopts the efficient linear secret sharing scheme (LSSS). Only our scheme satisfies all of these properties, which makes it more suitable for a cloud-fog computing system.
(2) Efficiency. In Table 2, we compare the computation cost of our scheme with the schemes [10,16,18,22,24,29] for key generation, index encryption, trapdoor generation, search over ciphertext and DU-decryption. We mainly consider the time-consuming exponential operation e and the bilinear pairing operation p; the time consumption of the remaining operations is negligible in comparison. It can be seen from Table 2 that the schemes [10,22,29] do not support keyword search, so they have no computational cost in the index generation, trapdoor generation and search phases. Since our scheme is a multi-authority encryption scheme, it has lower efficiency in the key generation phase than the other schemes, but it protects the privacy of the user key and prevents the key from leaking. In the index generation phase, the scheme in [16] is clearly less efficient than our scheme. In addition, the computational complexity of the trapdoor generation and search algorithms is linear in the number of attributes. Our scheme is more efficient than the other schemes: it requires only 3 exponential operations and 3 pairing operations, independent of the number of attributes. In the decryption phase, the efficiency of scheme [10] and our scheme is much higher than that of schemes [18,22,24,29], and the decryption algorithm only needs 1 exponential operation. In general, our proposed scheme has higher search efficiency and lower decryption cost.

Experimental analysis
In order to evaluate the practical performance of our scheme, our experiments use the Pairing-Based Cryptography (PBC) library [30]. The hardware environment is an Intel Core i5-3470 CPU @ 3.20GHz with 4.00GB of RAM. The software environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10. In this section, we describe the efficiency comparison between our scheme and several related works [10,16,18,22,24,29]. For ease of description, we take the number of user attributes $|S| \in [10, 50]$ as the unified factor for the keygen, index, trapdoor and search algorithms. The time is given in milliseconds. Sub-figures Fig 4(A)~4(D) show that the number of attributes influences the efficiency of each of these four algorithms. In Fig 4(A), we show the runtime of the key generation algorithm under different schemes. It can be seen that our solution is better than all other solutions, and the running time of the schemes [16,18,24] is slightly higher. This is because the theoretical costs of the KeyGen algorithm in the aforementioned three schemes are (2|S| + 3)e, (2|S| + 4)e, (2|S| + 4)e, respectively. The scheme [29] has the longest running time and the fastest growth rate. For example, when setting |S| = n = 30, the time required for these seven programs is 138.934ms, 118.566ms, 120.448ms, 151.836, 120.448ms, 185.444ms and 63.988ms, respectively. The growth of scheme [22] is relatively flat, and at |S| = 10, its key generation time is the longest in all relevant literature.
Since the schemes in [10,22,29] do not have the function of keyword search, there are no index generation, trapdoor generation or ciphertext retrieval curves for them in Fig 4(B)~4(D). In Fig 4(B) we show the time of index generation in the encryption algorithm. By changing the value of n from 10 to 50, we notice that the computational burden of our scheme is slightly higher than that of schemes [16] and [18]. However, since the encryption algorithm is a one-time cost, it does not affect the user's search experience. Therefore, its communication cost is acceptable in practical applications.
In Fig 4(C), we present the time cost of the trapdoor generation algorithm in all schemes. Schemes [10], [18] and [24] have only subtle differences in the trapdoor generation phase, and the time spent increases linearly with the number of attributes. However, the cost of our scheme is a tiny constant: it only needs 3e + p operations, regardless of the number of attributes.
Focusing on the search algorithm, we also tested the time spent in the ciphertext retrieval phase. In this experiment, the calculation costs of the schemes [18] and [24] were the highest: the scheme [18] (or the scheme [24]) needs |S|e + (2|S| + 1)p (or (2|S| + 1)p) operations. The computational cost of the three schemes [16,18,24] grows linearly with the number of attributes. Our scheme is optimal among all schemes, because the time of ciphertext search is independent of the variable n; our scheme needs just 2p operations.
From Fig 4 we can see that the actual experimental simulation is completely consistent with the theoretical analysis. Therefore, our scheme is feasible and efficient in a practical environment.

Conclusions
In this paper, we have presented a searchable encryption scheme based on cloud-fog computing, in which end users can greatly reduce their computational and storage burden by outsourcing part of the operations to the fog node. Specifically, in the PHR application scenario, the scheme enables patients to safely store PHRs shared with their doctor or family on a cloud server, while the patient's personal information remains confidential. Furthermore, our solution supports keyword search and fine-grained access control to further narrow down the search scope and prevent access by unauthorized users. Finally, our scheme is proven IND-sCP-CCA secure and trapdoor privacy secure. As part of our future work, we will continue to explore expressive search, fuzzy keyword search, multi-dimensional scope query, a system with no central authority, and so on. Meanwhile, we also need to further improve the efficiency of our system so that it can be applied to various programs.