
A searchable personal health records framework with fine-grained access control in cloud-fog computing

Abstract

Fog computing extends cloud computing to the edge of the network so as to reduce latency and network congestion. However, existing encryption schemes are rarely designed for the fog environment, and applying them there results in high computational and storage overhead. To address the demand of terminal devices for local information and the shortcomings of the cloud computing framework in supporting mobile applications, we take the hospital scenario as an example and propose a searchable personal health records framework with fine-grained access control in cloud-fog computing. The proposed framework combines attribute-based encryption (ABE) and searchable encryption (SE) to provide keyword search and fine-grained access control. When the keyword index and the trapdoor match, the cloud server provider returns only the relevant search results to the user, giving a more precise search. At the same time, the scheme is multi-authority: the task of distributing user secret keys is split among authorities, which addresses the key leakage problem. Moreover, in the proposed scheme, we securely outsource part of the encryption and decryption operations to the fog node, which saves local resources and suits resource-constrained mobile devices. Our scheme is proven secure under the decisional q-parallel bilinear Diffie-Hellman exponent (q-DBDHE) assumption and the decisional bilinear Diffie-Hellman (DBDH) assumption. Simulation experiments show that our scheme is efficient in the cloud-fog environment.

1 Introduction

With the promotion of new medical reform policies and the rapid development of medical informatization, the Electronic Medical Record (EMR) [1] has become an inevitable outcome of network information technology in the medical field. An EMR is an electronic patient record of a specific system that is created, stored and used electronically. The results of the patient’s diagnosis and treatment can be transmitted through the hospital’s computer network or a health card (optical card or IC card). Sharing these information resources brings great convenience to medical care. Unlike an EMR, a Personal Health Record (PHR) [2] is health information created and managed by the patient through the Internet. With the development of cloud computing, patients upload PHR files to cloud servers through mobile devices, which saves local storage space and expands information sharing.

A large amount of data is stored in the cloud, making it difficult for traditional clouds to meet current needs. The massive increase in stored data not only puts great pressure on the cloud, but also leads to network congestion and transmission delays. For example, large enterprises have to pay for expensive bandwidth if they rely completely on the cloud for complex data processing; some applications require a timely response, such as payment, collision avoidance in autonomous driving and emergency medical services, where data delays or cloud network failures can have serious consequences that cannot be measured. To solve the above problems, Bonomi et al. of Cisco first proposed the concept of fog computing in 2012 [3]. Fog computing is an extension of cloud computing and a service computing paradigm for paravirtualized frameworks [4,5]. Fog servers are placed between the cloud server and the IoT devices, so that as much data storage and computation as possible is moved to the fog servers. Fog computing therefore reduces the workload of the cloud server and improves the efficiency of the entire system. The fog computing service framework is shown in Fig 1.

When sensitive data are outsourced to fog nodes, which are similar to the cloud platform, data security and privacy concerns still impede the adoption of fog computing, because data owners lose physical control over their data in the fog nodes or the cloud. Semi-trusted cloud servers may leak or tamper with PHR information, and unauthorized users may steal sensitive patient information for commercial benefit. If sensitive information is used or tampered with by unauthorized users or third parties, the doctor may obtain a wrong medical record, resulting in misdiagnosis. Solving the security and privacy issues of the PHR system has therefore become one of the most important challenges.

Encryption is the most critical technology for ensuring information security. Goyal et al. [6] divided ABE into two types: ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). CP-ABE is considered one of the most appropriate encryption methods for achieving fine-grained access control, since it lets the data owner enforce access control by choosing the access structure. Thanks to the one-to-many communication property of ABE, flexible access control encryption schemes keep being proposed. In 2010, Ibraimi et al. [7] applied ABE to PHR security management to achieve flexible access control; however, this scheme gave no concrete security proof. In 2013, Li et al. [8] used attribute-based encryption to encrypt patients’ PHR files, achieving scalability and fine-grained access control for PHR. Unlike other solutions, this scheme supports application scenarios with multiple data owners. Compared with traditional single-authority CP-ABE schemes, in multi-authority CP-ABE schemes the attributes come from different attribute authorities. Such schemes avoid a single point of failure and limit the damage of key leakage, which makes multi-authority CP-ABE more practical in cloud-fog computing.

Besides data security, support for outsourcing part of the computation and efficient search over encrypted data are also important features in practical applications.

1.1 Related work

In this section, we discuss the related work of this article.

1.1.1 Multi-authority ABE.

A single-authority ABE scheme manages a large number of user attribute sets through only one attribute authority, which easily causes network congestion and reduces system efficiency; this does not meet practical needs. To overcome the inefficiency of a single attribute authority, multi-authority ABE schemes have been proposed. In 2007, Chase et al. [9] introduced the first multi-authority ABE scheme, in which independent authorities manage attributes and distribute keys, improving key security. However, the encryption algorithm of that scheme is not flexible enough. In 2013, Yang et al. [10] proposed a data access control scheme for multi-authority cloud storage (DAC-MACS). Part of the decryption computation is outsourced to the server through a token-based decryption method, and the scheme also supports immediate attribute revocation. However, the global certificate authority must perform a large number of bilinear pairing computations. Subsequently, several multi-authority large-universe ABE schemes [11,12] were proposed. In 2018, Zhang et al. [13] proposed a multi-authority CP-ABE scheme with white-box traceability. The access policy can be any monotone access structure, and the ciphertext size grows linearly with the number of rows of the access matrix.

1.1.2 Keyword search over encrypted data.

Searchable encryption (SE) can be classified into two types: symmetric encryption with keyword search (SEKS) and public key encryption with keyword search (PEKS). There have been several attempts to combine data encryption with searchable encryption to secure data uploaded to the cloud. In 2004, Boneh et al. [14] proposed the concept of PEKS. However, the server has a large computational overhead during the matching of trapdoor and index. Since then, search schemes with various characteristics [15–19] have been proposed. In 2017, Cui et al. [20] proposed a keyword search encryption scheme that supports efficient revocation in cloud computing; it supports verifiable keyword search and efficient user revocation to serve application scenarios with multiple data owners and data users. To the best of our knowledge, no searchable encryption scheme has yet been designed for the cloud-fog environment.

1.1.3 Outsourced ABE.

In ABE, outsourcing complex operations to a cloud server in order to reduce the local computation cost has become an important and popular problem. In 2011, Green et al. [21] constructed an ABE scheme with outsourced decryption to save local computing time: the user performs no bilinear pairing operations during decryption. But that scheme cannot guarantee the correctness of the transformed result. In 2016, Wang et al. [22] proposed a verifiable outsourced attribute-based encryption scheme based on dual-system encryption and composite-order bilinear groups, which is less efficient. In 2018, Jiang et al. [23] proposed a revocable outsourced attribute-based encryption scheme, in which the storage service manager distributes attribute keys to users through a binary state tree, thereby implementing user revocation and attribute revocation. Several further applications of outsourced ABE appear in [24–26].

1.2 Our contribution

In this article, we propose a searchable personal health records framework with fine-grained access control in cloud-fog computing. Roughly, the key points of our work are described below:

  1. We design a hybrid searchable encryption scheme based on cloud-fog computing. The fog node bridges the intelligent terminal and the cloud: the data owner and data user connect directly to fog nodes, and each fog node connects to the cloud, which reduces unnecessary data transmission.
  2. To accommodate resource-constrained terminal equipment, we propose a novel multi-authority CP-ABE scheme that supports both outsourced encryption and outsourced decryption. Without divulging data privacy, most local computation is outsourced to fog nodes, so that data users enjoy high-rate, low-latency, high-quality services.
  3. We propose an attribute-based searchable encryption scheme that realizes one-to-many communication. Data users can query the relevant ciphertexts by the keywords they specify, narrowing the scope of retrieval in a massive document collection.
  4. Formal security and performance analysis shows that our scheme is secure and feasible in cloud-fog computing. In addition, it achieves secure data sharing and effectively protects the confidentiality of data.

1.3 Organization

The rest of this paper is organized as follows. In Section 2, we review the relevant background of this scheme. Section 3 presents the system model and the security model used throughout the paper. In Section 4, we give a detailed description of the algorithms and the correctness analysis of the scheme. We analyze the security in Section 5 and discuss the performance of our scheme in comparison with several related works in Section 6. Finally, we conclude in Section 7.

2 Preliminaries

This section first gives the basic concept of an access structure; then introduces bilinear maps, the main mathematical tool used to construct the encryption algorithm proposed in this paper; gives the definition of a linear secret sharing scheme; and finally introduces the hardness assumptions used to prove the security of this scheme.

2.1 Access structure

In order to achieve fine-grained access control in an ABE scheme, the following access control structure is defined.

Definition 1 (Access structure [21]). Let P = {P1, P2, ⋯, Pn} be a set of n participants. A collection of subsets of P is called monotone if, for all B, C: whenever B is in the collection and B is a subset of C, C is also in the collection. An access structure is a (monotone) collection of non-empty subsets of P = {P1, P2, ⋯, Pn}, namely . The sets in are called the authorized sets, and the sets not in are called the unauthorized sets.

2.2 Bilinear maps

Definition 2 (Bilinear Maps [21]). Let and be two groups of prime order p. Let g be a generator of . The map is called a bilinear pairing. The mapping e satisfies the following properties:

  1. Bilinearity: For all and , we have e(ua, vb) = e(u, v)ab.
  2. Non-degenerate: , where is the unit of .
  3. Computability: For all , there is an efficient algorithm to compute e(u, v).

2.3 Linear secret sharing scheme

Definition 3 (Linear Secret Sharing Scheme (LSSS) [6]). Let P = {P1, P2, ⋯, Pn} be a set of participants. (M, ρ) represents an access structure , where M is an l × n share-generating matrix and ρ is a mapping: for all i = 1, 2, ⋯, l, ρ maps the i-th row of M to the corresponding attribute. A linear secret sharing scheme consists of the following two efficient algorithms:

  1. Secret sharing algorithm: To share a secret , the algorithm randomly chooses and forms the column vector v = (s, v2, ⋯, vn). It then computes λi = (M · v)i, where λi is the share that belongs to the entity ρ(i).
  2. Secret reconstruction algorithm: Let S be any authorized set and define I ⊂ {1, 2, ⋯, l} as I = {i : ρ(i) ∈ S}. There exist constants {ωi}i∈I that satisfy ∑i∈I ωiMi = (1, 0, ⋯, 0), where Mi is the i-th row of M, and the secret is recovered as ∑i∈I ωiλi = s. The set of constants can be found in polynomial time.
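The following Python program is added here as a worked illustration of Definition 3 and is not code from the paper. It runs the two LSSS algorithms on the paper's own policy (hospital A ∧ dermatologist) and, to show the general case, on a policy with an OR gate. Two assumptions are made: the matrix (M, ρ) is built from the Boolean policy with the Lewko-Waters conversion (the paper does not say how its access matrices are derived), and the group order p is a fixed example prime P. share() computes λi = (M · v)i; reconstruct() finds the constants ωi over the rows selected by an authorized set S by solving ∑i∈I ωiMi = (1, 0, ⋯, 0) modulo p, and returns None when no such constants exist, i.e. when S is unauthorized. This is the same reconstruction, with constants ci, that the fog node performs in Fog—Decrypt (Section 4.1.F).

```python
"""LSSS secret sharing and reconstruction (Definition 3) on a Boolean policy.

Added worked example, not code from the paper.  Assumptions: (M, rho) is built
with the Lewko-Waters conversion of an AND/OR formula, and the prime group
order p is the fixed example prime P below.
"""
import secrets

P = 2**127 - 1  # stands in for the prime group order p (example assumption)


def lsss_matrix(policy):
    """Return (M, rho) for a policy given as an attribute string or a nested
    tuple ('AND', left, right) / ('OR', left, right).  Lewko-Waters rule:
    an AND node holding vector v gives its children (v|1) and (0,...,0,-1);
    an OR node passes v unchanged to both children.  rho[i] is the attribute
    labelling row i of M."""
    rows = []
    width = 1  # current vector length; grows by one for every AND gate

    def walk(node, vec):
        nonlocal width
        if isinstance(node, str):
            rows.append((node, vec))
            return
        op, left, right = node
        if op == "AND":
            padded = vec + [0] * (width - len(vec))
            width += 1
            left_vec = padded + [1]
            right_vec = [0] * (width - 1) + [-1]  # fix now, before width grows again
            walk(left, left_vec)
            walk(right, right_vec)
        elif op == "OR":
            walk(left, vec)
            walk(right, vec)
        else:
            raise ValueError("unknown gate %r" % (op,))

    walk(policy, [1])
    M = [vec + [0] * (width - len(vec)) for _, vec in rows]
    rho = [attr for attr, _ in rows]
    return M, rho


def share(M, s, p=P):
    """Secret sharing: v = (s, v2, ..., vn) with random v2..vn, lambda_i = (M.v)_i mod p."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def solve_mod_p(A, b, p):
    """Gaussian elimination over Z_p: return some x with A.x = b, or None if none exists."""
    m, n = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for col in range(n):
        if r == m:
            break
        pr = next((i for i in range(r, m) if aug[i][col]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][n] for i in range(r, m)):
        return None  # inconsistent system: the rows cannot combine to (1,0,...,0)
    x = [0] * n  # free variables are set to 0
    for i, col in enumerate(pivots):
        x[col] = aug[i][n]
    return x


def reconstruction_constants(M, rho, S, p=P):
    """Find {omega_i : i in I}, I = {i : rho(i) in S}, with sum_i omega_i M_i = (1,0,...,0)."""
    I = [i for i, attr in enumerate(rho) if attr in S]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][j] for i in I] for j in range(n)]  # one linear equation per column of M
    omega = solve_mod_p(A, [1] + [0] * (n - 1), p)
    return None if omega is None else dict(zip(I, omega))


def reconstruct(M, rho, shares, S, p=P):
    """Secret reconstruction: sum_i omega_i lambda_i = s, or None when S is unauthorized."""
    consts = reconstruction_constants(M, rho, S, p)
    if consts is None:
        return None
    return sum(w * shares[i] for i, w in consts.items()) % p


if __name__ == "__main__":
    policy = ("AND", "hospital A", ("OR", "dermatologist", "psychologist"))
    M, rho = lsss_matrix(policy)
    s = secrets.randbelow(P)
    shares = share(M, s)
    assert reconstruct(M, rho, shares, {"hospital A", "dermatologist"}) == s
    assert reconstruct(M, rho, shares, {"dermatologist", "psychologist"}) is None
    print("M =", M, "rho =", rho)
```

For (hospital A ∧ dermatologist) the conversion yields M = [[1, 1], [0, −1]] with ρ = (hospital A, dermatologist), so the shares are λ1 = s + v2 and λ2 = −v2 and the constants are ω1 = ω2 = 1; a user holding only one of the two attributes selects a single row, and solve_mod_p reports the system as inconsistent, which is exactly the ⊥ case of Fog—Decrypt.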

2.4 Hardness assumptions

Decisional q-Parallel Bilinear Diffie-Hellman Exponent (q-parallel DBDHE) Assumption [27]. A group of prime order p is selected according to the security parameter, and g is a generator of . Randomly choose , and given

it is hard to distinguish a valid tuple from a random element R in . An algorithm that outputs υ ∈ {0,1} has advantage ε in solving q-parallel DBDHE in if

Definition 4. We say that the q-parallel DBDHE assumption holds if no polynomial-time algorithm solves the q-parallel DBDHE problem with non-negligible advantage.

Decisional Bilinear Diffie-Hellman (DBDH) Assumption [28,29]. Let g be a generator of and be selected at random. Given (g, gβ, gγ, gz), it must be difficult for the adversary to distinguish a valid tuple from a random element .

An algorithm that outputs υ ∈ {0,1} has advantage ε in solving DBDH in if

Definition 5. We say that the DBDH assumption holds if all polynomial-time algorithms have at most a negligible advantage in solving the DBDH problem.

3 System overview

3.1 Definition of system model

The system model is shown in Fig 2. The labels (1)-(6) in the figure correspond to the 6 algorithms of our scheme, namely system setup, key generation, file encryption, trapdoor generation, ciphertext retrieval and file decryption. The model contains the following 6 entities:

Central Authorities (CA): We assume that there are K central authorities, for example the health department, the education department, the state government, etc. A CA generates global public parameters for the PHR system and distributes secret keys based on the user’s globally unique identifier id. Each CA works independently without communicating with the others, and at least one CA is assumed to be honest and not curious. Note that the CAs do not take part in any attribute-related operations.

Attribute Authorities (AA): There are D attribute authorities. Each AAd manages a distinct attribute domain Sd, and the union of all Sd is the set of all attributes in the system; for all i ≠ j ∈ {1, 2, ⋯, D}, Si ∩ Sj = ∅. An AA generates the related secret keys based on the user’s attributes. For example, a hospital can assign the Hospital A attribute to all of its employees, and a health association can assign doctors or nurses attributes related to their medical licenses, such as dermatologist and psychologist. The AAs are independent of each other: one attribute is managed by only one AA, but one AA can manage multiple attributes.

Cloud Server Provider (CSP): The Cloud Server Provider (CSP) is a semi-trusted entity that is mainly responsible for storing encrypted PHR files and keyword indexes, and providing access services for authorized users.

Fog Nodes (FN): A fog node is a trusted entity at the edge of the network that provides computing, storage and network services. It is responsible for part of the encryption and decryption work: it helps the DO generate the partial ciphertext and uploads the complete ciphertext to the CSP, and it partially decrypts ciphertext downloaded from the CSP.

Data Owner (DO): The data owner specifies an access policy, encrypts PHR files and keyword sets, and uploads ciphertext and indexes to the CSP.

Data User (DU): The data user downloads the encrypted PHR file from the CSP. The DU can decrypt successfully only if the attributes of the DU satisfy the access policy. For example, doctors and nurses need access to the patient’s PHR file in order to diagnose and care for the patient properly.

To describe the scheme more intuitively, we use personal health records as the running example. Consider the following scenario: Alice, who has a skin disease, wants to find an expert for an examination through an online medical facility. Alice’s requirement is (hospital A ∧ dermatologist). To protect the confidentiality of her personal health records, Alice encrypts them under the condition hospital A ∧ dermatologist before uploading the data to the CSP. The CSP then searches its own database for a doctor who satisfies hospital A ∧ dermatologist and sends Alice’s personal health record to the qualified doctor Bob. Bob can decrypt the record and continue Alice’s treatment.

3.2 Algorithm definition

This scheme consists of 6 algorithms: system setup, key generation, file encryption, trapdoor generation, search over ciphertext, and file decryption. Each algorithm is described as follows:

  1. System Setup: This algorithm is executed by the authorities. It contains 3 sub-algorithms:
    1. Global—Setup(1λ): The global-setup algorithm is run by a trusted third party. It takes no input other than the security parameter λ and outputs the global public parameter GPK.
    2. CA—Setup(GPK, k): The CA-setup algorithm is run by each CAk. It takes as inputs the GPK and the tag k of the CA and outputs the public parameters (CPKk, CAPKk) and the master key CMSKk; CAPKk is used only by CAk.
    3. AA—Setup(GPK, d, Sd): The AA-setup algorithm is run by each AAd. It takes as inputs the GPK, the tag d of AAd and the attribute set Sd managed by AAd. It outputs the public parameters (APKd, AAPKd) and the master key AMSKd; AAPKd is used only by AAd.
  2. Key Generation: This algorithm is performed by CAk and AAd. It contains 2 sub-algorithms:
    1. CA—KeyGen(GPK, CMSKk, AAPKd, id): The CA key generation algorithm is performed by CAk. It takes as inputs the global public parameter GPK, the master key CMSKk of CAk, the public parameters AAPKd of AAd and the unique identifier id of the data user. It outputs the user-center-key (ucskid,k, ucpkid,k), where ucpkid,k is called the user-center-public-key.
    2. AA—KeyGen: The AA key generation algorithm is executed by AAd. It takes as inputs an attribute att, the user-center-public-key ucpkid,k, the verification key VerifyKeyk, the master key AMSKd and the global public parameters GPK. It outputs the secret key SKDU of the DU and the public/secret key pair (pkO, skO) of the DO.
  3. File Encryption: This algorithm is executed by the FN and the DO. It contains 2 sub-algorithms:
    1. Fog—Encrypt(GPK, {APKd}, (M, ρ)): The outsourced encryption algorithm is performed by the FN. It takes as inputs the global public parameter GPK, the public parameters APKd of the AAs and an access structure (M, ρ). It outputs the intermediate ciphertext CTFog.
    2. Do—Encrypt(m, GPK, CTFog, skO, pkU): The local encryption algorithm is performed by the DO. It takes as inputs the plaintext message m, the global public parameter GPK, the DO’s secret key skO, the DU’s public key pkU and the intermediate ciphertext CTFog. It outputs the ciphertexts CT1 and CT2 and delivers them to the FN. Finally, the FN uploads the ciphertext CT = (CT1, CT2) to the CSP.
  4. Trapdoor Generation: The trapdoor generation algorithm is performed by the DU. It takes as inputs the desired keyword , the secret key SKDU and the public key pkO. It outputs the trapdoor and the pre-decryption key .
  5. Search over Ciphertext: This algorithm is executed by the CSP to determine whether the keywords in the ciphertext match the keyword of the trapdoor.
    1. Search: The search algorithm is performed by the CSP. It takes as inputs the index CT2, the trapdoor and the public keys pkO, pkU. If the trapdoor and index match, it returns the search result to the FN.
  6. File Decryption: This algorithm is executed by the FN and the DU. It contains 2 sub-algorithms:
    1. Fog—Decrypt: The outsourced decryption algorithm is performed by the FN. It takes as inputs the ciphertext CT and the pre-decryption key . It outputs the partially decrypted ciphertext (C, Ω) to the DU.
    2. Do—Decrypt(C, Ω, RK): The final decryption algorithm is performed by the DU. It takes as inputs the partially decrypted ciphertext (C, Ω) and the retrieval key RK. It outputs the plaintext message m.

3.3 Definition of security model

In the cloud-fog storage system, the CSP is also curious about the contents of the encrypted data. We assume that the CSP correctly performs the tasks assigned by the central authorities and attribute authorities, while the AAs and CAs can be corrupted or attacked. To demonstrate the security of our scheme, we define two security games: the indistinguishability under selective ciphertext-policy and chosen-ciphertext attack (IND-sCP-CCA) game and the trapdoor privacy game. Note that Game 1 as stated below gives the adversary secret key queries only; no decryption oracle is provided.

Game 1. Ciphertext indistinguishability.

The security of this scheme is defined by the following game between a challenger and an adversary . can corrupt CAs and AAs by specifying and after seeing the public parameters, where and . The game proceeds as follows:

Init. exposes a challenge access structure (M*, ρ*), where M* is an l* × n* matrix with n* ≤ q.

Setup. runs the algorithms Global—Setup, CA—Setup and AA—Setup and sends the public parameters GPK, (CPKk, CAPKk) and (APKd, AAPKd) to . We allow to corrupt the authorities in and (where , ). submits an access policy (M*, ρ*) to , where M* is an l* × n* matrix with n* ≤ q and ρ* maps the rows of M* to attributes. For the uncorrupted authorities in and , sends only the public keys to . For the corrupted authorities and , sends both the master keys and to .

Phase 1. may issue the following secret key queries many times, under the restriction that no queried attribute set satisfies the challenge access policy (M*, ρ*). In other words, cannot ask for a key that could decrypt the challenge ciphertext in combination with any keys obtained from the corrupted CAs and AAs:

CKQ(id, k): For each uncorrupted , submits a tuple (id, k) to , where id is the user’s global identifier and k is the tag of an uncorrupted CA. runs the algorithm CA—KeyGen and returns the corresponding user-center-key (ucskid,k, ucpkid,k) to .

: For each uncorrupted , submits a tuple to , where att is an attribute of the attribute set , are the user-center-public-keys of the user id, and d is the tag of an uncorrupted AA. runs the algorithm AA—KeyGen and outputs ⊥ if ucpkid,k is invalid. Otherwise, the user-attribute-key uaskatt,id is returned to .

Challenge. sends two equal-length messages m0 and m1. selects a random bit υ ∈ {0, 1} and encrypts mυ under (M*, ρ*), then returns the challenge ciphertext to .

Phase 2. conducts more secret key queries similar to Phase 1.

Guess. submits a guess υ′ ∈ {0, 1}. If υ′ = υ, wins the security game; otherwise it fails.

The advantage of the in breaking this game is .

Definition 6. The proposed scheme is IND-sCP-CCA secure if every polynomial-time adversary has at most a negligible advantage in the above security game.

Game 2. Trapdoor privacy.

Setup. Given a security parameter λ, generates the DU’s public key pkU and the DO’s public key pkO.

Phase 1. adaptively issues polynomially many of the following queries.

Trapdoor Queries: may ask for the trapdoor of any keyword.

Index Queries: may ask for the index of any keyword.

Challenge. sends two equal-length keywords , with the restriction that neither has been queried for a trapdoor or an index. selects a random bit υ ∈ {0, 1}, generates the trapdoor of keyword and returns it to .

Phase 2. Same as Phase 1, with the restriction .

Guess. submits a guess υ′ ∈ {0, 1}. If υ′ = υ, wins this game; otherwise it fails.

The advantage of the in breaking this game is .

Definition 7. The proposed scheme is trapdoor-private if every polynomial-time adversary has at most a negligible advantage in the above security game.

4 Algorithm construction

In this section, we take the hospital scenario to construct a PHR sharing scheme based on cloud-fog computing. The patient encrypts personal medical data according to the chosen access policies and stores it in the cloud. A doctor who wants to view the case needs to download the PHR file from the cloud. As the transmission distance of the encrypted data from the cloud to the mobile device grows, communication cost and delay grow with it; deploying a fog server in the hospital reduces the total response time. In a hospital, it is hard for a dermatologist to locate dermatological data in a massive medical database. With keyword search, the doctor can not only access data in the cloud but also search it by keyword directly in the cloud, and then download only the files needed, which effectively reduces communication cost.

4.1 Detailed description of our scheme

A. System setup.

During the system setup phase, global public parameters are generated. The CAk and AAd generate their own public key and secret key, respectively. The phase contains 3 sub-algorithms: Global—Setup, CA—Setup and AA—Setup.

Global—Setup(1λ): A trusted third party runs this algorithm. It takes no input other than the security parameter λ. The algorithm chooses a bilinear map , where and are two multiplicative cyclic groups of prime order p (p > 2λ). Let g be a generator of , and randomly pick . Σsign = (KeyGen, SignKey, VerifyKey) is a secure unforgeable signature scheme. It also chooses a hash function . It returns the global public parameters .

CA—Setup(GPK, k): Each CAk runs this algorithm. It takes as inputs the global public parameters GPK and the tag k of the CA. CAk runs the key generation algorithm KeyGen → (SignKeyk, VerifyKeyk) of the scheme Σsign and selects a random exponent . The central authority then publishes the public key , CAPKk = VerifyKeyk and keeps the master key CMSKk = (αk, SignKeyk) secret.

AA—Setup(GPK, d, Sd): Each AAd runs this algorithm. It takes as inputs the global public parameter GPK, the tag d of the AA and the set Sd of attributes managed by AAd. For each attribute att ∈ Sd, it selects and computes . For each k ∈ K, AAd randomly chooses and computes . It then publishes APKd = {Tatt | att ∈ Sd}, AAPKd = {Vd,k | k ∈ K} as its public key and keeps the master key AMSKd = ({satt | att ∈ Sd}, {Vd,k | k ∈ K}).

B. Key generation.

We assume that there are two central authorities, the health department and the education department, and two attribute authorities, hospitals and health associations. Because in a CP-ABE scheme keys are tied to attribute sets, the attribute authority AAd generates the corresponding attribute key according to the user’s attribute set. Consider the following scenario: generating a key for a dermatologist working in Hospital A. The key generation phase contains 2 sub-algorithms: CA—KeyGen and AA—KeyGen. The key generation process is shown in Fig 3.

CA—KeyGen(GPK, CMSKk, AAPKd, id): A data user sends its globally unique identifier id to CAk to request the user-center-key. CAk randomly picks the element and sets the user-center-key , . For d ∈ [1, D], CAk computes and generates the signature signid,k = Sign(SignKeyk, idk‖Γid,k‖{Lid,k,d}d∈[1,D]). It also outputs the user-center-public-key .

AA—KeyGen: For an attribute att ∈ Sd, the data user id sends its user-center-public-key to AAd to request the user-attribute-key.

① For any k ∈ [1, K], the AAd verifies the following equation:

If the above equation holds, step ② is performed. Otherwise, AAd outputs ⊥, indicating that the user-center-public-key ucpkid,k submitted by the user is invalid.

② For any k ∈ [1, K], AAd generates the user-attribute-key uaskatt,id for the user:

After that, the algorithm randomly picks and computes gβ, gγ. It returns the public/secret key pairs of the DO and the DU as (pkO, skO) = (gγ, γ) and (pkU, skU) = (gβ, β), respectively. The DU’s secret key is therefore SKDU = ({ucskid,k, Γid,k | k ∈ K}, {uaskatt,id | att ∈ Sd}, β).

C. File encryption.

Before uploading the PHR file to the CSP, the patient needs to encrypt the file under the access policy (hospital A ∧ dermatologist), and sends the access policy to the FN. The encryption algorithm contains two sub-algorithms: Fog—Encrypt and Do—Encrypt.

Fog—Encrypt(GPK, {APKd}, (M, ρ)): Here (M, ρ) is an LSSS access structure, where M is an l × n matrix and ρ(·) is an injective function mapping each row of M to a distinct attribute. For all i ∈ {1, 2, ⋯, l}, the fog node randomly selects and sets the ciphertext CTFog as follows:

It outputs the partial ciphertext .

Do—Encrypt(m, GPK, CTFog, skO, pkU): m is the PHR file to be shared by the patient. The DO first creates the vector , where s is the random secret to be shared. For i = 1 to l, it computes the share λi = V · Mi, where Mi is the i-th row of the matrix M. The complete data ciphertext CT1 is then created by the following computation:

All data ciphertext is published as CT1 = {(M, ρ), C, C′, {Ci,1, Ci,2, Ci,3}i∈[1,l]}.

Then, the DO extracts keywords from the PHR file to form a keyword set Wm. For each keyword wi ∈ Wm, the algorithm randomly selects to generate a keyword index and sends it to the FN.

Finally, the FN uploads the ciphertext CT = (CT1, CT2) to the CSP.

D. Trapdoor generation.

To issue a search request to the CSP, the doctor generates a trapdoor for the keyword to be searched. The trapdoor generation process is as follows:

: It takes the search query for the keyword as input and creates the trapdoor as . The DU delivers the trapdoor to the CSP. The DU then chooses a random number to blind its secret key and computes , , . The DU keeps the retrieval key RK = δ for itself. Finally, the DU outputs the pre-decryption key and sends it to the FN.

E. Search over ciphertext.

When the CSP receives the user’s search request, it runs the following algorithm to find the matching health records:

: On receiving the DU’s search query, the CSP first checks whether the DU’s attribute set satisfies the access structure (M, ρ). If so, the CSP uses the following equation to check whether the trapdoor and the index CT2 match:

If the equation does not hold, ⊥ is returned. Otherwise, the match is successful and the CSP returns the corresponding search result CT to the FN.

F. File decryption.

If the doctor’s attributes satisfy the access policy, the doctor can use the retrieval key to decrypt the partially decrypted ciphertext and obtain the patient’s PHR file. The decryption algorithm includes 2 sub-algorithms: Fog—Decrypt and Do—Decrypt.

: The FN obtains the ciphertext CT from the CSP and the pre-decryption key from the DU. If the attribute set of the DU does not satisfy the access policy, the FN outputs ⊥. Otherwise, there exists a set of constants {ci}i∈I that satisfies ∑i∈I ciMi = (1, 0, ⋯, 0), and if {λi} is a valid sharing of the secret s then ∑i∈I ciλi = s. The FN uses the pre-decryption key to compute the intermediate ciphertext Ω as follows:

Finally, the FN sends the partial decryption result (C, Ω) to the DU.

DU-Decrypt(C, Ω, RK): After receiving the partially decrypted ciphertext (C, Ω), the DU decrypts it with the retrieval key RK = δ. The plaintext m is recovered by the following equation.

4.2 Correctness analysis

In this part, we prove the correctness of our scheme by the following equations:

  (1) In order to verify whether the user-central-public-key ucpkid,k is valid, the calculation process is as follows:
  (3) The index and trapdoor matching process is verified as follows:
  (4) The Fog-Decryption process calculates:

5 Security analysis

Theorem 1. Our system is IND-sCP-CCA secure in the standard model if the decisional q-parallel BDHE assumption holds and the signature scheme ∑sign is existentially unforgeable.

Proof. Assume that there exists a polynomial time adversary who can break the IND-sCP-CCA security of our construction with advantage . In the following security game, given the decisional q-parallel BDHE problem instance , we build a simulator to decide whether or not. can ask for the master key of any buying center authority and attribute authority . The interaction between and is as follows:

Init. is given a decisional q-parallel BDHE problem instance . exposes the access structure (M*, ρ*) to be challenged, where M* is an l* × n* matrix with n* ≤ q.

Setup. To generate the public parameters, performs the following operations:

selects , sets h = ga, sets the global public parameter GPK and sends it to .
For each non-purchased , randomly chooses and implicitly sets by letting . selects the unforgeable signature algorithm ∑sign, calls the algorithm KeyGen → (SignKeyk, VerifyKeyk) to generate a signature key pair, and sets CAPKk = VerifyKeyk.
Let X denote the set of indices i satisfying ρ*(i) = x, i.e., all rows in the set X are labelled with the same attribute x. For any x (1 ≤ x ≤ S), choose a random exponent . calculates:

Finally, sends GPK, and to . Note that the simulated public parameters have the same distribution as the actual parameters.

Phase 1. In this phase, answers secret key queries from . The restriction is that only receives secret key queries for attribute sets S that do not satisfy M*.

CKQ(id, k): For each non-purchased , submits a tuple (id, k) to . According to the definition of LSSS, it is not hard to see that there exists a vector such that w1,k = −1. For any i where ρ*(i) ∈ S, we have . chooses a random number and then implicitly defines rid,k as

It performs this by setting

The parameter appears in the computation of ucskid,k. With rid,k defined this way, contains a term , so the parameter in ucskid,k can be cancelled. computes ucskid,k and Lid,k,d as follows:

generates a signature signid,k, returns ucskid,k and gives .

: For each non-purchased , submits a tuple to . Then calls the algorithm AA-KeyGen to verify the validity of the signature on ucpkid,k. If the validation succeeds, computes ucskatt,id as follows; otherwise it outputs ⊥.

Finally, returns SKDU = ({ucskid,k, Γid,k | k ∈ K}, {uaskatt,id | att ∈ Sd}) to .

Challenge. After finishing the Phase 1 queries, the adversary sends two equal-length messages m0 and m1 to . then flips a random bit υ ∈ {0, 1} and encrypts mυ, creating the challenge ciphertext

The most difficult part for is to simulate Ci,1, since it contains the terms . However, can split the secret so that these terms cancel out. chooses random and implicitly sets the vector to share the secret s. For the vector V, the sharing of the secret s can be constructed as .

Let Ri be the collection of indices y ≠ i (i ∈ [1, l*]) such that ρ*(i) = ρ*(y). Intuitively, randomly chooses . For each row i of the matrix M*, set ρ*(i) = x*. By implicitly setting , we can simulate the challenge ciphertext as follows: and

sends the challenge ciphertext to .

Phase 2. continues to issue secret key queries as in Phase 1.

Guess. submits a guess υ′ ∈ {0, 1}. If υ′ = υ, outputs 0, meaning that . Otherwise, outputs 1, deciding that T is a random element R in .

Therefore, the advantage of in solving the decisional q-parallel BDHE problem in the security game is

Theorem 2. No polynomial-time adversary can win the trapdoor privacy game with non-negligible advantage if the DBDH assumption holds.

Proof. Suppose there is an adversary that breaks the trapdoor privacy of our scheme with non-negligible advantage εT; then we can construct an algorithm to solve the DBDH problem. Let be a group of prime order p with generator g and be a bilinear map. First, the challenger selects , υ ∈ {0,1} and an element . We let Z = e(g, g)βγz if υ = 0, and Z = R otherwise. Then gives (g, gβ, gγ, gz, Z) to . Now plays the role of the challenger in the following security game.

Setup. announces the public keys pkU = gβ and pkO = gγ, implicitly setting skU = β and skO = γ.

Phase 1. can query the following oracles polynomially many times:

Hash Oracle : can query the random oracle. maintains a hash list denoted LH. When a keyword wi is queried:

  1. If the keyword wi already appears in LH in a tuple , then responds with .
  2. If the keyword wi does not exist in the list LH, flips a random coin ci ∈ {0,1} with Pr[ci = 0] = σ, where σ will be determined later.

If ci = 0, computes ;

If ci = 1, computes , where is randomly selected.

Then adds the tuple to the list LH and returns to .

Trapdoor Queries : gives a tuple to query the trapdoor. retrieves from the list LH.

If ci = 0, declares failure and outputs ⊥.

If ci = 1, then and hence . computes the trapdoor as

Index Queries : gives a tuple to query the index. randomly chooses and retrieves from the list LH.

If ci = 0, declares failure and outputs ⊥.

If ci = 1, let . computes the index Ii as

Finally, sends trapdoor and index Ii to .

Challenge. gives two equal-length keywords , with the restriction that have not been queried to or . selects a random bit υ ∈ {0,1}, generates the challenge trapdoor of the keyword , and returns it to .

If and , declares failure and outputs ⊥.

If or , selects a random bit υ ∈ {0,1} such that . computes the trapdoor . If Z = e(g, g)βγz, then . Otherwise, T* is a random group element in .

Phase 2. Same as Phase 1, with the restriction .

Guess. outputs a guess υ′ ∈ {0,1}. If υ′ = υ, wins the game; otherwise it fails.

Probability Analysis. We denote by abort the event that aborts during the game. Let qT and qI denote the number of queries to the trapdoor oracle and the index oracle , respectively. There are two cases in which aborts:

  1. ci = 0 when simulating and . Denote this event by abort1. The probability that abort1 does not occur is .
  2. and in the challenge phase. Denote this event by abort2. The probability that abort2 does not occur is . Hence, the probability that does not abort the game is

When , attains its maximum value, which is approximately , and thus non-negligible. Conditioned on not aborting, if succeeds in breaking the trapdoor privacy of our scheme, then also succeeds in distinguishing Z = e(g, g)βγz from a random element of . Therefore, the probability that guesses the bit υ correctly (and thus solves the DBDH problem) is

If εT is non-negligible, so is .

6 Performance analysis

In this part, we give theoretical and experimental analysis of the proposed scheme.

6.1 Theoretical analysis

(1) Capability.

Table 1 compares our scheme with several related works in terms of features (keyword search, fog computing, multi-authority, etc.). We can see that the schemes [10,22,29] do not support keyword search. Only our scheme and scheme [29] are based on fog computing. Except for scheme [10] and our scheme, the users’ attributes in the other schemes are not distributed by multiple authorities; a multi-authority design improves the security of the key and reduces the computational pressure on a single authority. Moreover, our scheme and scheme [22] provide an outsourced encryption algorithm, but scheme [22] outsources its computational tasks to the corresponding service providers and does not address the response latency problem. The schemes [16,29] adopt an AND-gate access policy and the schemes [18,24] use a less computationally efficient tree access structure, whereas our scheme adopts the efficient linear secret sharing scheme (LSSS). In summary, only our scheme satisfies all of these properties, which makes it more suitable for a cloud-fog computing system.

(2) Efficiency.

In Table 2, we compare the computation cost of our scheme with the schemes [10,16,18,22,24,29] for key generation, index encryption, trapdoor generation, search over ciphertext and DU-decryption. We mainly count the time-consuming exponentiation operation e and the bilinear pairing operation p; the time consumed by the remaining operations is negligible by comparison. As Table 2 shows, the schemes [10,22,29] do not support keyword search, so they have no computational cost in the index generation, trapdoor generation and search phases. Since our scheme is a multi-authority encryption scheme, it is less efficient in the key generation phase than the other schemes, but it protects the privacy of the user key and prevents key leakage. In the index generation phase, the scheme in [16] is clearly less efficient than ours. In addition, the computational complexity of the trapdoor generation and search algorithms of the other schemes is linear in the number of attributes, whereas our scheme is more efficient: it requires only 3 exponentiations and 3 pairings, independent of the number of attributes. In the decryption phase, scheme [10] and our scheme are much more efficient than the schemes [18,22,24,29], and the decryption algorithm needs only 1 exponentiation. In general, our scheme has higher search efficiency and lower decryption cost.

6.2 Experimental analysis

In order to evaluate the practical performance of our scheme, our experiments use the Pairing-Based Cryptography (PBC) library [30]. The hardware environment is an Intel Core i5-3470 CPU @ 3.20GHz with 4.00GB of RAM. The software environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10. In this section, we compare the efficiency of our scheme with that of several related schemes [10,16,18,22,24,29]. For the sake of description, we assume the number of user attributes |S| ∈ [10, 50] for the keygen, index, trapdoor and search algorithms, so that the number of attributes is the common factor. Times are given in milliseconds. The sub-figures Fig 4(A)~4(D) show the influence of the number of attributes on the efficiency of these four algorithms, respectively.

Fig 4. Performance comparison.

(A) key generation time (B) index generation time (C) trapdoor generation time (D) search time.

https://doi.org/10.1371/journal.pone.0207543.g004

In Fig 4(A), we show the runtime of the key generation algorithm under the different schemes. It can be seen that our solution is better than all other solutions, and the running times of the schemes [16,18,24] are slightly higher. This is because the theoretical costs of the KeyGen algorithm in these three schemes are (2|S| + 3)e, (2|S| + 4)e and (2|S| + 4)e, respectively. The scheme [29] requires the longest run time and has the fastest growth rate. For example, when |S| = n = 30, the times required by the seven schemes are 138.934ms, 118.566ms, 120.448ms, 151.836ms, 120.448ms, 185.444ms and 63.988ms, respectively. The growth of scheme [22] is relatively flat, but at |S| = 10 its key generation time is the longest among all related schemes.

Since the schemes in [10,22,29] do not support keyword search, there are no index generation, trapdoor generation or ciphertext retrieval curves for them in Fig 4(B)~4(D). In Fig 4(B) we show the time of index generation in the encryption algorithm. Varying n from 10 to 50, we observe that the computational burden of our scheme is slightly higher than that of schemes [16] and [18]. However, since encryption is a one-time cost, it does not affect the user’s search experience. Therefore, its communication cost is acceptable in practical applications.

In Fig 4(C), we present the time cost of the trapdoor generation algorithm in all schemes. Schemes [10], [18] and [24] differ only subtly in the trapdoor generation phase, and their time increases linearly with the number of attributes. Our scheme, by contrast, has a tiny constant cost of only 3e + p operations, regardless of the number of attributes.

Focusing on the search algorithm, we also measured the time spent in the ciphertext retrieval phase. In this experiment, the computational costs of the schemes [18] and [24] were the highest: scheme [18] (resp. scheme [24]) needs |S|e + (2|S| + 1)p (resp. (2|S| + 1)p) operations. The computational cost of the three schemes [16,18,24] grows linearly with the number of attributes, while our scheme is optimal among all schemes, because the ciphertext search time is independent of the variable n; our scheme needs just 2p operations.

From Fig 4 we can see that the experimental results are fully consistent with the theoretical analysis. Therefore, our scheme is feasible and efficient in a practical environment.

7 Conclusions

In this paper, we have presented a searchable encryption scheme based on cloud-fog computing, in which end users can greatly reduce their computational and storage burden by outsourcing part of the operations to the fog node. Specifically, in the PHR application scenario, the scheme enables patients to safely store PHRs shared with their doctor or family on a cloud server, while the patient’s personal information remains confidential. Furthermore, our solution supports keyword search and fine-grained access control to further narrow down the search scope and prevent unauthorized users’ access. Finally, our scheme is proven IND-sCP-CCA secure and trapdoor-privacy secure. As part of our future work, we will continue to explore expressive search, fuzzy keyword search, multi-dimensional range queries and systems with no central authority. Meanwhile, we also need to further improve the efficiency of our system so that it can be applied to various applications.

Supporting information

S1 File. The runtime of cryptographic operations.

https://doi.org/10.1371/journal.pone.0207543.s001

(DOC)

S2 File. The summary of the new notations.

https://doi.org/10.1371/journal.pone.0207543.s002

(DOC)

Acknowledgments

This work was funded by the National Natural Science Youth Fund No. 61303223 and the National Natural Science Foundation of China No. 61572019. In addition, we would like to thank all anonymous experts for their valuable opinions and suggestions.

References

  1. Dubarry E (2007) The Economic Interest of EMR (Electronic Medical Record). American Chiropractor 10: 70–78.
  2. Endsley S, Kibbe DC, Linares A, Colorafi K (2006) An introduction to personal health records. Fam Pract Manag 13: 57–62.
  3. Bonomi F, Milito R, Zhu J, Addepalli S (2012) Fog computing and its role in the internet of things. pp. 13–16.
  4. Stojmenovic I, Wen S (2014) The Fog computing paradigm: Scenarios and security issues. pp. 1–8.
  5. Khakimov A, Muthanna A, Muthanna MSA (2018) Study of fog computing structure. pp. 51–54.
  6. Goyal V, Pandey O, Sahai A, Waters B (2006) Attribute-based encryption for fine-grained access control of encrypted data. pp. 89–98.
  7. Ibraimi L, Asim M, Petkovic M (2009) Secure management of personal health records by applying attribute-based encryption. pp. 71–74.
  8. Li M, Yu S, Zheng Y, Ren K, Lou W (2013) Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-Based Encryption. IEEE Transactions on Parallel & Distributed Systems 24: 131–143.
  9. Chase M (2007) Multi-authority Attribute Based Encryption. Theory of Cryptography. Berlin, Heidelberg: Springer. pp. 515–534.
  10. Yang K, Jia X, Ren K, Zhang B (2013) DAC-MACS: Effective data access control for multi-authority cloud storage systems. pp. 2895–2903.
  11. Rouselakis Y, Waters B (2015) Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption. Financial Cryptography and Data Security. Berlin, Heidelberg: Springer. pp. 315–332.
  12. Li D, Chen J, Liu J, Wu Q, Liu W (2017) Efficient CCA2 Secure Revocable Multi-authority Large-Universe Attribute-Based Encryption. Cyberspace Safety and Security. Cham: Springer International Publishing. pp. 103–118.
  13. Zhang K, Li H, Ma J, Liu X (2017) Efficient large-universe multi-authority ciphertext-policy attribute-based encryption with white-box traceability. Science China Information Sciences 61: 032102.
  14. Boneh D, Di Crescenzo G, Ostrovsky R, Persiano G (2004) Public Key Encryption with Keyword Search. Advances in Cryptology, EUROCRYPT 2004. Berlin, Heidelberg: Springer. pp. 506–522.
  15. Zhao F, Nishide T, Sakurai K (2012) Multi-User Keyword Search Scheme for Secure Data Sharing with Fine-Grained Access Control. Information Security and Cryptology, ICISC 2011. Berlin, Heidelberg: Springer. pp. 406–418.
  16. Sun W, Yu S, Lou W, Hou T (2016) Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud. IEEE Transactions on Parallel & Distributed Systems 27: 1187–1198.
  17. Cui H, Wan Z, Deng R, Wang G, Li Y (2016) Efficient and Expressive Keyword Search Over Encrypted Data in the Cloud. IEEE Transactions on Dependable & Secure Computing PP: 1–1.
  18. Miao Y, Ma J, Jiang Q, Li X, Sangaiah AK (2017) Verifiable keyword search over encrypted cloud data in smart city. Computers & Electrical Engineering 65: 1–12.
  19. Sun L, Su H, Zhu Z, Li Z (2017) A Novel Attribute Based Keyword Search Scheme for Mobile Cloud Storage. pp. 229–234.
  20. Cui J, Zhou H, Zhong H, Xu Y (2017) AKSER: Attribute-based Keyword Search with Efficient Revocation in Cloud Computing. Information Sciences 423.
  21. Green M, Hohenberger S, Waters B (2011) Outsourcing the decryption of ABE ciphertexts. Proceedings of the 20th USENIX conference on Security. San Francisco, CA: USENIX Association. pp. 34–34.
  22. Wang H, He D, Shen J, Zheng Z, Zhao C, Zhao M (2017) Verifiable outsourced ciphertext-policy attribute-based encryption in cloud computing. Soft Computing 21: 7325–7335.
  23. Jiang ZL, Zhang R, Liu Z, Yiu SM, Hui LCK, Wang X, Fang J (2018) A Revocable Outsourcing Attribute-Based Encryption Scheme. Cloud Computing, Security, Privacy in New Computing Environments. Cham: Springer International Publishing. pp. 145–161.
  24. Li J, Lin X, Zhang Y, Han J (2017) KSF-OABE: Outsourced Attribute-Based Encryption with Keyword Search Function for Cloud Storage. IEEE Transactions on Services Computing 10: 715–725.
  25. Sha FJ, Wei Y, Lin XN, Zhang QL, Wang HP (2017) Verifiable outsourced decryption of attribute-based encryption with constant ciphertext length. Information Technology 2017: 1–11.
  26. Zhao Z, Wan J (2017) Verifiable Outsourced Ciphertext-Policy Attribute-Based Encryption for Mobile Cloud Computing. KSII Transactions on Internet & Information Systems 11: 3254–3272.
  27. Waters B (2011) Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Proceedings of the 14th international conference on Practice and theory in public key cryptography. Taormina, Italy: Springer-Verlag. pp. 53–70.
  28. Zhang P, Chen Z, Liang K, Wang S, Wang T (2016) A Cloud-Based Access Control Scheme with User Revocation and Attribute Update. Springer International Publishing. pp. 525–540.
  29. Zuo C, Shao J, Wei G, Xie M, Ji M (2016) CCA-secure ABE with outsourced decryption for fog computing. Future Generation Computer Systems 78: 730–738.
  30. Duquesne S, Lange T (2005) Pairing-based cryptography. Mathiiscernetin volume 22: 573–590.