https://orcid.org/0000-0001-5723-9512
Figures
Abstract
In the environment of big data of the Internet of Things, smart healthcare is developed in combination with cloud computing. However, with the generation of massive data in smart healthcare systems and the need for real-time data processing, traditional cloud computing is no longer suitable for resources-constrained devices in the Internet of Things. In order to address this issue, we combine the advantages of fog computing and propose a cloud-fog assisted attribute-based signcryption for smart healthcare. In the constructed “cloud-fog-terminal” three-layer model, before the patient (data owner)signcryption, it first offloads some heavy computation burden to fog nodes and the doctor (data user) also outsources some complicated operations to fog nodes before unsigncryption by providing a blinded private key, which greatly reduces the calculation overhead of resource-constrained devices of patient and doctor, improves the calculation efficiency. Thus it implements a lightweight signcryption algorithm. Security analysis confirms that the proposed scheme achieves indistinguishability under chosen ciphertext attack and existential unforgeability under chosen message attack if the computational bilinear Diffie-Hellman problem and the decisional bilinear Diffie-Hellman problem holds. Furthermore, performance analysis demonstrates that our new scheme has less computational overhead for both doctors and patients, so it offers higher computational efficiency and is well-suited for application scenarios of smart healthcare.
Citation: Sun Y, Du X, Niu S, Zhou S (2024) A lightweight attribute-based signcryption scheme based on cloud-fog assisted in smart healthcare. PLoS ONE 19(1): e0297002. https://doi.org/10.1371/journal.pone.0297002
Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA
Received: September 6, 2023; Accepted: December 22, 2023; Published: January 30, 2024
Copyright: © 2024 Sun et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the experimental analysis section of the manuscript. We clarify that the study can be fully replicated based on the information provided in our manuscript file. The reason we claim that our data are not available is because our data depend on a specific computer configuration, in the manuscript, we have given the computer configuration that our data depend on (C language and executed on a PC with a 2.60 GHz CPU and 8 GB RAM, Lenovo), but this does not affect the results of our experimental analysis results. That is, although our data may differ numerically on computers with different configurations, our experimental findings remain unaffected and do not impact any conclusions presented in the manuscript.
Funding: This work was supported by the National Natural Science Foundation of China (No. 62172337, 62241207) and Key Project of Gansu Natural Science Foundation (NO.23JRRA685). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
Introduction
Smart healthcare has emerged from the rapid advancement of the Internet of Things (IoT) [1]. By leveraging advanced techniques such as big data, artificial intelligence, cloud computing and IoT, smart healthcare has facilitated the automation, informatization, and intelligence of medical services [2], it achieves the intelligence of healthcare capabilities, improves healthcare efficiency, and optimises patient experience services. Traditional paper-based Personal Health Records (PHR) have been replaced by electronic PHR [3], resulting in a massive influx of data and increased demands for device mobility and real-time processing. These challenges have posed significant limitations to traditional cloud computing.
Owing to the above problems, fog computing has been introduced [4]. Fog computing provides a solution that is better suited to mobile IoT and a wide range of mobile applications by extending cloud computing to the network edge, closer to the end-user. With the exponential growth of IoT devices, cloud computing has faced the challenge of processing hundreds of millions of massive data. Fog computing, with its powerful computing capabilities, offers low latency and support for end user mobility, enabling the processing of data with low computing requirements. As a result, certain computing tasks is delegated to fog nodes by nearby end-users, reducing the computational burden for users, significantly improving the efficiency, and satisfies the requirements for real-time processing of mobile applications [5].
In the context of the smart health system, fog computing is positioned closer to the end-user, handling a significant amount of sensitive patient data that ultimately gets uploaded to the medical cloud for storage. Given the semi-trusted nature of the medical cloud, data processing is necessary prior to uploading to safeguard the integrity and privacy of the patient. To address this, the attribute-based cryptosystem offers enhanced privacy and security for patient data. It enables one-to-many access control with fine-grained, distinguishing itself from the traditional identity-based cryptosystem. The attribute-based cryptosystem was originated by the fuzzy identity-based cryptosystem proposed by Sahai et al. [6], which introduces the concept of attributes into the cryptosystem. This idea has found widespread application in smart health scenarios. Li et al. [7] presented an online/offline attribute-based encryption algorithm, offloading a portion of the decryption computation to ensure computational efficiency of IoT terminal devices. Similarly, Zhang et al. [8] provided a lightweight attribute-based encryption algorithm based on the smart health system, leveraging the concept of outsourcing. While traditional attribute-based cryptographic technology achieves fine-grained access control, it incurs a relatively high computational overhead. To mitigate this, Zhong et al. [9] introduced an edge-assisted attribute-based encryption algorithm that offloads part of encryption operations as well as decryption operations to edge nodes, reducing the computational burden on resource-constrained IoT devices. Drawing parallels to edge computing, fog computing also extends computational capabilities and data analysis functions to the network edge, forming a three-layer model known as “cloud-fog-devices”. This model effectively addresses the latency issue associated with cloud computing. Several studies [10–14] have explored the application of fog computing to attribute-based encryption algorithms, outsourcing a majority of the decryption operations to fog nodes, thereby significantly easing the computational load on end users. In addition, in order to ensure the integrity of the data or the legitimacy of the identity of the receiver, the message to be encrypted is usually signed and the identity is authenticated by data owner [15–17].
The traditional idea of “encrypt first and then sign” has high computational overhead and communication cost. In view of this problem, the concept and scheme of signcryption are proposed for the first time in [18], which guarantees the confidentiality and unforgerability of messages. Attribute-based signcryption has been extensively researched in recent years by various scholars [19–22], enhancing the suitability and computational efficiency of attribute-based signcryption algorithms in real-world cloud storage environments. In the context of accessing Personal Health Records (PHR), references [23, 24] propose two efficient attribute-based signcryption for multi-authority. Similarly, Liu et al. [25] present an attribute-based signcryption algorithm based on PHR, facilitating fine-grained data access control. For resource-constrained terminal devices in the IoT [26, 27], adopt a strategy of outsourcing the decryption process to edge servers, effectively reducing user-end computing overhead. Additionally [26], supports the update of access policies.
Motivation and contributions
Combine the advantages of cloud-fog assistance, we present a lightweight attribute-based signcryption scheme for smart healthcare. Our approach leverages the three-layer model structure known as “cloud-fog-terminal” (illustrated in Fig 1) to establish a connection between the smart health system and the medical cloud. By employing fog computing as an intermediary bridge, we exploit its low latency, location-awareness, and powerful computing capabilities to ensure secure data transmission in terms of confidentiality. Additionally, some complicated operations in the signcryption and unsigncryption processes are offloaded to the nearby fog nodes, thereby reducing the computational overhead on data users, which proves particularly advantageous for resource-constrained terminal devices in smart healthcare.
In comparison to existing schemes, our work makes noteworthy contributions in the following:
- Fog computing is structured as an intermediary link between the smart healthcare system and the medical cloud, making it easier for the fog nodes to collect and process data as they are spread around the data users. For the smart health system there are a huge number of IoT devices need to access the Internet through wireless, and have high requirements for mobility. Therefore, fog computing is more suitable for smart medical scenarios.
- In the scheme, the patient (data owner) delegates the computationally intensive tasks to the fog nodes during signcryption. Similarly, the doctor (data user) also offloads some heavy computing burden to the fog nodes by providing a blinded private key before performing unsigncryption. Specifically, in the signcryption and unsigncryption phase, the fog nodes are responsible for undertaking most of the complicated computations, such as the pairing operation. As a result, the client only needs to perform a simple multiplication operation in the process of user unsigncryption, which significantly reduces the computation burden for all client.
- The newly proposed scheme provides several advantages in terms of computational and communication overheads, as demonstrated through theoretical analysis and numerical simulation. The incorporation of fog computing significantly enhances the computational efficiency of data owner signcryption and data receiver unsigncryption in comparison to other schemes. This discrepancy becomes more pronounced as the number of attributes increases. Consequently, the proposed scheme is not only effective and practical, but also highly suitable for resource-constrained devices in the practical application of smart healthcare.
Organization
The subsequent sections are structured as follows. Section 2 presents various fundamental concepts such as the access tree and hardness assumption. Subsequently, Section 3 is an overview of the system model, algorithm formal definition, and the system security model. Following that, Section 4 presents the construction of the scheme in detail. Section 5 is dedicated to a detailed security analysis of our scheme, while Section 6 concentrates on analysing the efficiency of the system. Lastly, Section 7 proposes the conclusion of the article.
Preliminaries
Access tree [7]
Let be an access structure tree and x be a node in
.
(1). If x is a non-leaf node, then it stands for a threshold (“AND” or “OR”) gate, which can be described by (kx, numx), where numx is the number of child nodes of x and kx is its threshold value, 1 ≤ kx ≤ numx. When kx = 1, x is an “OR” gate; when kx = numx, it is an “AND” gate.
(2). If x is a leaf node, then it stands for a attribute and described by a threshold value kx = 1.
Denote the parent node of x in as parent(x), and the attributes associated with the leaf node x in
as att(x). Each children of node x are numbered in a sequence from 1 to numx, the function index(x) denotes the index of x among its siblings.
Let be a access tree with root node r,
be the subtree of
rooted at x. If the attribute set S satisfies the subtree
, we denote it as
. Furthermore,
can be calculated recursively by: if x is a non-leaf node, then
iff at least kx child nodes return 1 and if x is a leaf node,
iff att(x) ∈ S.
Bilinear pairing map [28, 29]
Let G0 and G1 be two cyclic groups with the prime order p, and g is a generator of G0. Then the bilinear map e: G0 × G0 → G1 can be defined as follows:
Bilinearity: For all , e(ga, gb) = e(g, g)ab.
Non-degeneracy: e(g, g)≠1.
Computability: For all a, b ∈ G0, there is an efficient algorithm to compute the map e(a, b).
Hardness assumption
DBDH assumption [22].
Given an cyclic group G0 with order p, a generator g of G0, a bilinear mapping e: G0 × G0 → G1 and . The Decisional Bilinear Diffie-Hellman (CBDH) hardness assumption states that any Probabilistic Polynomial-Time (PPT) algorithm cannot decision e(g, g)abc ∈ G1 and a random Z ∈ G1 from a given triple
with a non-negligible probability.
CBDH assumption [19].
Given an cyclic group G0 with order p, a generator g of G0, a bilinear mapping e: G0 × G0 → G1 and . The Computational Bilinear Diffie-Hellman (CBDH) hardness assumption states that any PPT algorithm cannot compute e(g, g)abc ∈ G1 from a given triple
with a non-negligible probability.
System and security model
This section mainly includes an overview of the construction of system model, the formal definition of the proposed scheme and the elaboration of the system security model.
System model
Based on fog computing, we construct the lightweight attribute-based signcryption scheme in smart healthcare. As illustrated in Fig 2, this system involves five entities, namely Private Key Generator (PKG), Medical Cloud (MC), Fog Nodes (FN), Data user (DU) and Data Owner (DO).
Private Key Generator: PKG initializes the system, then generates and distributes private keys to both the data owners (patients) and the data users (doctors).
Medical Cloud: MC refers to the server of the hospital. As a semi-trusted third party due to its powerful storage capacity, MC is mainly responsible for storing a huge number of electronic health records in the form of ciphertext provided by DO.
Fog Nodes: As small medical centers deployed at the network edge, FN has enough storage space and computing power to help data users with local data processing. The data owner outsources some signcryption operations to the fog node, and the data user outsources some decryption operations to the fog node, so as to reduce the computational burden of the terminal devices.
Data Owner: DO refers to the patients. A enormous number of patients, as the source of data in the smart health system, have ownership and control over the data. The patient defines an access structure for the data that needs to be signcrypted, specifies the scope of authorized users, and their terminal devices signcrypt the data and store the final ciphertext to the medical cloud.
Data User: DU refers to doctors, medical researchers, or insurance company employees who need access to patient information. When DU accesses the data, it downloads the ciphertext from the medical cloud and performs the final unsigncryption. Only the users who satisfy the access policy can decrypt the ciphertext and access the data, which realizes the fine-grained access control.
Firstly, PKG initializes the system, then generates and distributes private keys to both the data owners (patients) and the data users (doctors). The health status and personal information of the patients are collected in real time by the wearable device. The collected data is signcrypted by the fog node, producing a part of the ciphertext. Subsequently, the patients perform the final signcryption and upload the final ciphertext to the medical cloud (hospital). When data users (such as doctors, medical researchers, insurance companies, etc.) request data, the ciphertext is retrieved from the medical cloud for preliminary unsigncryption. The fog node then assists the data users in performing partial operations, ultimately allowing the users to get the required data.
Formal definition
Now, we formalize the definition of the proposed schemes. This scheme is composed of the following six algorithms in PPT.
- Setup(λ, S)→(pp, msk): PKG executes the setup algorithm. Input system security parameter λ, output system public parameter pp, master key msk.
- KeyGen(pp, S, msk)→SK: PKG runs the key generation algorithm, taking as input public parameter pp, a attributes set S and master key msk, it generates and hands out private keys SK for DU.
-
: After receiving the access structure
enacted by DO, FN takes this access policy as input and performs partial signcryption operations, and finally outputs part of the ciphertext CT′.
-
: After FN performs part of the operation, DO executes this algorithm, it takes the message m, the enacted access structure
and the partial ciphertext CT′ as the input of the algorithm, and finally generates the signature σ and the final ciphertext CT.
-
: When FN receives the blinded private key
of DU, it performs a partial unsigncryption operation, calculates some parameters (B, T, F) according to the recursive formula of the access tree, then sends the parameters to DU for final unsigncryption.
- DU.Unsign(CT, SK, S)→m: DU executes this algorithm, using ciphertext CT, private key SK and attribute set S as the input, if DU satisfies the access structure, it will get the plaintext m.
Security model
This section provides a formalization of the security of the scheme encompassing confidentiality and unforgeability, which are simulated as the following two games which are interactions between a challenger and an adversary
within PPT.
Game 1. Confidentiality
Definition 1. The proposed attributed-based signcryption scheme is indistinguishable under chosen ciphertext attack (IND-CCA) against any adversary possessing polynomial time capability, if the advantages of
in the following interaction are negligible:
Initialization: Firstly, generates a challenge attribute set denoted as S. To proceed,
executes the Setup to returns pp to
. Simultaneously, it retains msk secretly.
Query Phase 1: When initiates a series of prophecy inquiry,
responds the inquiry as described below.
- Key extraction query: in the query, when
requests a private key SK with the attribute set S*,
executes KeyGen according to S* and returns the corresponding SK to
.
- Signcryption query: in the query, when
queries a ciphertext for any message m,
proceeds by selecting an attribute set S from T* firstly, it then runs the key extraction query and obtain SK, followed by executing the signcryption algorithm to encrypt and send the corresponding ciphertext CT to the adversary
.
- Unsigncryption query: For any attribute set S and the corresponding ciphertext CT queried by the adversary
, The first step performed by the challenger
is to execute the key extraction query and get SK, it then proceeds the unsigncryption algorithm to decrypts CT and returns the resulting output to
.
Challenge: In this phase, selects two different messages m0 ≠ m1 with equal length as the challenge message, and presents them to
to request the corresponding ciphertext. And
randomly chooses a bit b ∈ {0, 1}, runs the DO.Sign algorithms and FN.Sign algorithms to gnerate and return the challenge ciphertext CT* of
to
.
Query Phase 2:
can continue issue a similar inquiry as in Query Phase 1. Any adversary can initiate a signcryption challenge on any ciphertext apart from the challenged one.
Guess: If can output a bit b′, and b′ = b, then
wins the above game. The probablity advantage of
in the game can be defined as
.
Game 2. Unforgeability
Definition 2. The proposed attributed-based signcryption scheme is existential unforgeability under chosen message attack (EUF-CMA) against any adversary possessing polynomial time capability, if the advantages of adversary
in the following interaction are negligible:
Initialization: in this phase, sends a attributes set S to
forge the ciphertext. To proceed,
executes the Setup to returns pp to
. Simultaneously, it retains msk secretly.
Query Phase:
initiates a prophecy inquiry, and
responds to the inquiry as described below.
- Key extraction query: in the query,
asks the user for the private key SK. After receiving attribute set S*,
runs the key generation algorithm and return the corresponding private key according to the attribute set S*.
- Signcryption query: if
wants to signcrypt message m*,
select an attribute set S, and S ∈ T*, then executes the key extraction algorithm to obtain SK and runs the DO.Sign algorithms and FN.Sign algorithms to obtain and return the ciphertext CT* to
.
- Unsigncryption query: let CT be the ciphertext with respect to attribute set S queried by
,
first performs the key generation algorithm to obtain SK, then executes the DO.Unsign algorithms and FN.Unsign algorithms, and finally sends the result to
.
Forge: In the phase, outputs the forged ciphertext CT of the message m*, and finally if
outputs Unsigncryption(CT, SK, S*) = m* ≠ ⊥, then the game is won. The probablity advantage of
in winning the game can be defined as
The concrete scheme
As illustrated in Fig 3, The scheme is essentially made up of four phases, system initialization, private key generation, signcryption and unsigncryption, which are described in more detail below.
Phase 1: System initialization
PKG performs the Setup algorithm. In the initialization phase, give security parameter λ,
- PKG selects two cyclic multiplicative groups G0 and G1 with order p, a generator g ∈ G0. Let e: G0 × G0 → G1 be bilinear mapping and H: {0, 1}* → G0 be a cryptographic hash function.
- Random selection
, PKG calculation h = gβ. Finally, PKG publishes system parameter pp = (G0, G1, g, e(g, g)α, h = gβ) and keep system master key msk = (gα, β) secretly.
Phase 2: Private key generation
PKG executes this algorithm, generates and issues private keys for DU.
- Randomly select
, generate private key
.
- For all attribute j ∈ S, it selects random number
, and computes
,
. The private key
is eventually distributed to the requested clients.
Phase 3: Signcryption
The signcryption algorithm includes two parts: data owner signcryption and fog node signcryption. Firstly, DO defines an access tree and sends it to FN, it then run FN.Sign algorithm.
- FN signcryption. Fog nodes execute FN.Sign algorithm for outsource computing.
- Let x be a node in
, FN chooses a polynomial qx and sets the degree dx of qx as dx = kx − 1, where kx is the threshold value of x. Now, if x = r is the root node of
, then FN assigns a random number
and sets qr(0) = s, if x ≠ r, then FN sets qx(0) = qparent(x)(index(x)).
- Let Y be the leaf node set in
, for ∀y ∈ Y, FN calculates C = hs = gβs, Cy = gqy(0),
, and sends part of the ciphertext
to DO for the next signcryption.
- DO signcryption. After receiving CT′ = (
, the data owner runs the DO.Sign algorithm.
- DO first computes C* = m ⋅ e(g, g)αs, then selects a number
randomly, and computes σ = e(C, g)μ = e(g, g)βsμ, π = H(σ|m), and
. Eventually, it sends the ciphertext
to the medical cloud for storage.
Phase 4: Unsigncryption
The unsigncryption algorithm mainly includes two parts: data user unsigncryption and fog node unsigncryption. The data user selects the random number , then blinds the private key SK, computes
,
, and
, and finally sends the blinded private key
to the fog node.
- FN unsigncryption. When DU downloads the ciphertext CT from the medical cloud, FN first runs the FN.Unsign algorithm, which is a recursive algorithm that takes node
, blinded private key
and ciphertext CT as input.
- If y ∈ Y is a leaf node, and att(y) ∈ S, compute
if att(y)∉S, it outputs φy = ⊥.
- If y is a non-leaf node, FN recursively calculates φy′ of node y’s child node y′, let Sy′ be a set of any φy-sized child node {y′}, if Sy′ = ∅, then φy′ = Null; otherwise
where
denotes Lagrange coefficient and
.
- If y = r is a root node, FN computes φr = e(g, g)r1ds.
- Finally, FN calculates
then sends (B, T, F) to DU for the next unsigncryption.
- DU unsigncryption. DU performs the final unsigncryption by receiving the parameters sent by FN.
- Firstly, DU computes
- Then decrypt message:
- Finally verify the correctness of the signature by the equation:
Security analysis
Based on the DBDH and CBDH hardness assumption, this section provides a thorough security analysis process of the scheme. Specifically, our primary focus is on ensuring confidentiality and unforgeability.
Theorem 1. The proposed attribute-based signcryption scheme satisfies IND-CCA security if the DBDH hardness assumption holds.
Proof. If there exists an adversary who can win in Game 1 with a non-negligible probability advantage ε within PPT t, which means there is an algorithm can effectively break the confidentiality of the scheme with probability ε within PPT. With the help of the adversary
, we construct an algorithm
to decision DBDH problem associated Challenger
.
Given a tuple (A = ga, B = gb, C = gc), as an example of the DBDH assumption,
tries to decision e(g, g)abc ∈ G1 and Z ∈ G1. Let CT be a challenge ciphertext, C* be part of the ciphertext randomly selected from m0e(g, g)αs or m1e(g, g)αs. Let θ = αs,
, CT be e(g, g)αs or e(g, g)θ.
must distinguish m0e(g, g)αs and m1e(g, g)αs, and needs to make a distinction between e(g, g)αs and e(g, g)θ.
Initialization: Adversary first selects and sends attribute set S* to
as a target attribute set,
randomly selecting
. If β = 0, then the Setup algorithm terminates, otherwise
runs the Setup algorithm and generate the public parameter pp. And then
sends (h = gβ, e(g, g)α) to
. If
queries the value of H, then
randomly selects
and answers
.
Query phase 1: During this phase, adversary makes several inquiries.
- Key extraction query: For target attribute set S*, if
multiple requests the private key SK,
randomly chooses
, let
. For attributes j ∈ S,
chooses
randomly and computes
,
. Eventually, it returns the private key as
to the adversary
. When
queries the i-th key extraction challenge with attribute set Si, algorithm
chooses another random number
, computes
, and for ∀j ∈ Si, it computes
,
, and sends this result to adversary
.
- Signcryption query: Signcryption query: Adversary
requests to signcrypt message m*. For each message,
runs the key generation algorithm to obtain the private key, then executes the signcryption algorithm to obtain the ciphertext CT*, and returns to
.
- Unsigncryption query: At this stage, adversary
issues a unsigncryption request for ciphertext CT. First,
verifies whether C = C* is true, because C = gθ is random in the eyes of adversary
, and the probability of this ciphertext is at most 1/p. If the equation holds,
terminates the algorithm, otherwise the following steps are performed:
- If S* = 0, the access control tree
for unsigncrypting is not satisfied.
execute the key generation algorithm to get the private key, then run the unsigncryption algorithm, and return the result to
.
- If S* = 1, it satisfies the access control tree
for unsigncryption.
first verify signature σ′ = e(C, Ψ)/B′π, if incorrect, output ⊥. Otherwise, it uses
to determine
.
- If the access structure satisfies the attribute set, let
. Then calculate
Finally, the recovered message m is sent to.
Challenge: In this phase, selects two different messages m0 ≠ m1 with equal length,
randomly chooses b ∈ {0, 1}, and signcrypts message
based on challenge attribute set S*. The process for generating challenge ciphertext CT* is the following: first,
randomly chooses
, and uses fj to recover the secret s or attribute j; calculates
, Cj = gab, and
; randomly selects
, and calculates
,
, and
. Finally
sends
to
.
Query phase 2: For the second challenge initiated by adversary , the reply process of
is similar to that of challenge phase 1. There is no unsigncryption challenge during this challenge phase.
Guess: Adversary finally outputs a bit b′ and if b′ = b, then we claim that
wins the game. If Z = e(g, g)abc, then CT* is valid with an advantage of ε. So
, and the probability advantage of
is
.
Theorem 2. The proposed attribute-based signcryption scheme satisfies EUF-CMA security based the CBDH hardness assumption.
Proof. Suppose there is an adversary that can win game 2 with a non-negligible advantage ε in the probability polynomial time t, then an algorithm
can be constructed with the help of adversary
. Challenger
is given (A = ga, B = gb, C = gc),
as an instance in the CBDH problem, and adversary
tries to guess e(g, g)abc. Let θ = αs and
.
Initialization: Adversary sends target attribute set S* to
,
chooses
randomly. If β = 0, then the system Setup algorithm terminates, otherwise
run the system Setup algorithm to obtain public parameters pp. Then
sends h = gβ and e(g, g)α to
. When
asks for the value of H,
randomly chooses
, and answers
.
Query Phase: Adversary initiates queries in each of the following phases.
- Key extraction query: if
requests private key SK based on attribute set S* multiple times,
randomly selects
, let
. For attribute j ∈ S, select
at random and compute
and
. So the private key is:
, and then
returns SK to adversary
. When
sends the i-th key extraction to ask for the attribute set Si,
selects
randomly, computs
, and for ∀j ∈ Si, computs
,
, and sends
to
.
- Signcryption query:
sets access control policy
for authorized attribute set S*. If the challenged attribute set S* does not satisfy access control policy
, then
can obtain the private key through the key generation algorithm. Then run the signcryption algorithm to send ciphertext CT to
. Assuming that attribute set S* satisfies access control policy
,
selects
randomly, and then use b to recover secret s or attribute j.
randomly selects
, run the signcryption algorithm, and calculate
, Cj = gab,
. Select
at random, calculate σ = e(C, g)c, π = H(σ|m),
. Finally,
sends ciphertext
to
.
- Unsigncryption query: Adversary
initiates a unsigncryption query for ciphertext CT based on attribute set S*.
run the key generation algorithm to obtain private key SK, perform the unsigncryption algorithm, and send result m or ⊥ to
.
Forgery: After outputs a valid forged ciphertext
. The challenger
solves the CBDH assumption as follows. Since CT* is a valid ciphertext for m*, which means it can pass the verification equation, then there are Cj = gab, π = H(σ|m),
, σ = e(C, g)c. Adversary
outputs a fake verification
and
using attribute set S*. If S* ≠ 0, then
terminates the algorithm, verifying that equation σ* holds. If the algorithm Unsigncrypt(CT, SK, S) = m* ≠ ⊥ then
wins the game. The advantages of solving the CBDH problem are:
Performance comparison
This section analyzes the advantages and disadvantages of our new scheme in relation to communication and computational capabilities. Compared with some existing attribute-based signcryption schemes [22–25, 27], the capabilities of our new scheme is improved significantly. For convenience, the symbols used in this section are first summarised in Table 1.
Communication overhead
The viability of a scheme, particularly for resource-constrained IoT devices, heavily relies on communication overhead. The comparison between our new scheme and the schemes of [22–25, 27] regarding communication overhead is presented in Table 2. The communication overhead of various stages, namely system initialization, key generation, signcryption, and unsigncryption, is primarily taken into consideration. When it comes to the key generation stage, the communication overhead of each scheme varies based on the number of attributes. However, our scheme stands out with the smallest overhead. By employing outsourcing techniques, the communication overhead of data users in the signcryption phase becomes independent of the number of attributes. This reduction in storage burden on the local side is of utmost importance for resource-constrained IoT devices.
Computational overhead
For the computational overhead, we will compare it from the aspects of theoretical analysis and numerical experiments.
Theoretical analysis.
We primarily consider the computational burden of various stages, including system initialization, key generation, signcryption and unsigncryption. To provide a clear comparison, Table 3 provides a comparison of the computational cost between our proposed scheme and the schemes referenced in [22–25, 27]. This comparison is based on the fact that addition and multiplication operations are significantly less computationally expensive than exponentiation, bilinear pairing, and hash operations. Thus, our main point of comparison revolves around the number of exponential operations, bilinear pairing operations, and hash operations across different schemes.
Table 3 reveals that the computational cost of the proposed scheme remains constant during the system initialization, DO signcryption and DU unsigncryption phases, regardless of the number of attributes. However, in [22], the key generation stage involves pairing operations, resulting in higher computational costs compared to other schemes. Furthermore, the schemes in [22–25] do not utilize outsourcing computing, which means that the computational cost for users varies depending on the complexity of the access policy. On the other hand, our approach ensures a stable computational overhead for data user signcryption, with most calculations outsourced to fog nodes during the signcryption phase. This includes the high-overhead pairing operation, allowing end users to decrypt messages without engaging in pairing operations. By employing outsourcing technology, the computation burden for data owners and users is minimized, further emphasizing the lightweight nature of this scheme.
Numerical simulation.
The numerical simulation comparison was conducted on a Linux operating system, utilizing a pairing-based cryptography library with Type-A bilinear pairing parameters [30]. The programming was implemented in C language and executed on a PC with a 2.60 GHz CPU and 8 GB RAM. Our focus was primarily on observing the time variations during the system initialization stage, key generation stage, signcryption stage, and unsigncryption stage. We performed tests by altering the number of attributes, simulating attribute values from 20 to 140.
Fig 4 illustrates the initialization stage, where the setup algorithm is independent of attributes and follows a nearly straight line. However, the initialization stages except for [23, 27] and our scheme are attribute-dependent, resulting in an increase in setup time as the number of attributes changes. In the key generation phase (Fig 5), both the proposed scheme and the comparison scheme experience an increase in time as the number of attributes increases, but the proposed scheme performs the fastest. From Figs 6 and 7, it is evident that the running time of our new scheme in the DO signcryption and DU unsigncryption stages are optimal and attribute-independent, and thus their efficiency in terminal devices are the highest. This is due to we offload some heavy computation from the original client to the fog node, which means the scheme effectively reduces the computation of the resource-constrained devices, and improves the overall efficiency of the scheme, making it more suitable for smart healthcare scenarios. In the signcryption and unsigncryption stages, [24] demonstrates higher efficiency, but this is based on the assumption of a single attribute authority, whereas the actual scheme involves multiple attribute authorities. Therefore, if multiple attribute authorities are present, the efficiency of [24] will decrease. Through comprehensive analysis, we claim that the proposed scheme significantly enhances algorithm efficiency by partially outsourcing signcryption and unsigncryption operations to the fog node, aligning it more suitable for real-world application environments.
Conclusion
Aiming at the generation of massive data in smart health system and the attention of patients to privacy of personal health information. We proposes a lightweight attribute-based signcryption scheme based on cloud-fog assist. In smart healthcare system, we should not only consider the basic security requirements of medical data sharing, patient privacy and confidentiality, but also consider the computing and storage capabilities of resource-constrained devices in the IoT. Therefore, fog nodes are introduced in this paper, and a three-layer model structure of “cloud-fog-terminal” is constructed, and part of the operations in the signcryption stage and the unsigncryption stage are outsourced to the fog nodes, so that the end user’s calculation cost in the signcryption stage is reduced. None pairing operation is involved, which significantly improves the computational efficiency of the scheme. Finally, under the random oracle model, the feasibility and security of the scheme are proved. Compared with the previous attribute-based signcryption scheme, our proposed scheme has better advantages in computing efficiency and is more suitable for practical smart medical application scenarios. As future work, we plan to conduct a series of simulated real-world experiences to evaluate the performance and practicality of our signcryption scheme, and design efficient a post-quantum based attribute-based signcryption scheme applicable to smart healthcare.
References
- 1. Feng Y, Zhang Q, Wu H, et al. PRISC: privacy-preserved pandemic infection risk computation through cellular-enabled IoT devices. IEEE Internet of Things Journal. 2023; 10(17): 15074–15086.
- 2. Kar P, Chen K, Shi J. DMACN: A dynamic multi-attribute caching mechanism for NDN-based remote health monitoring system. IEEE Transactions on Computers. 2023; 72(5): 1301–1313.
- 3. Sarosh P, Parah SA, Malik BA, et al. Real-time medical data security solution for smart healthcare. IEEE Transactions on Industrial Informatics. 2023; 19(7): 8137–8147.
- 4.
Bonomi F, Milito R, Zhu J, et al. Fog computing and its role in the internet of things. Proceedings of the first edition of the MCC workshop on Mobile cloud computing (MCC’12). ACM, 2012.
- 5. Huang FM, Tu SS, Meng Y. Attribute-based encryption scheme supporting outsourcing and revocation in fog computing. Computer Engineering. 2020; 46(5): 34–40.
- 6.
Sahai A, Waters B. Fuzzy identity-based encryption. Advances in Cryptology—EUROCRYPT 2005. Springer, Berlin, Heidelberg, 457–473, 2005.
- 7. Li H, Yu K, Liu B, et al. An efficient ciphertext-policy weighted attribute-based encryption for the internet of health things. IEEE Journal of Biomedical and Health Informatics, 2021; 26(5): 1949–1960.
- 8. Zhang L, You W, Mu Y. Secure outsourced attribute-based sharing framework for lightweight devices in smart health systems. IEEE Transactions on Services Computing, 2021; 15(5): 3019–3030.
- 9. Zhong H, Zhou Y, Zhang Q, et al. An efficient and outsourcing-supported attribute-based access control scheme for edge-enabled smart healthcare. Future Generation Computer Systems, 2021; 115: 486–496.
- 10. Nkenyereye L, Riazul Islam SM, Hossain M, et al. Fog based Secure Framework for Personal Health Records Systems. Computers, Materials & Continua, 2021; 66(2): 1937–1948.
- 11. Saidi A, Nouali O, Amira A. SHARE-ABE: an efficient and secure data sharing framework based on ciphertext-policy attribute-based encryption and Fog computing. Cluster Computing, 2022; 25(1): 167–185.
- 12. Guo R, Zhuang C, Shi H, et al. A lightweight verifiable outsourced decryption of attribute-based encryption scheme for blockchain-enabled wireless body area network in fog computing. International Journal of Distributed Sensor Networks, 2020; 16(2): 1550147720906796.
- 13. Dong JT, Yan PW, Du RZ. Verifiable access control scheme based on unpaired CP-ABE in fog computing. Journal on Communications, 2021; 42(8): 139–150.
- 14. Du RZ, Yan PW, Liu Y. Fine-grained attribute update and outsourcing computing access control scheme in fog computing. Journal on Communications, 2021; 42(3): 160–170.
- 15. Vijayakumar P, Obaidat MS, Azees M, Islam SKH, Kumar N. Efficient and secure anonymous authentication with location privacy for IoT-based WBANs. IEEE Transactions on Industrial Informatics, 2020; 16(4): 2603–2611.
- 16. Azees M, Vijayakumar P, Karuppiah M, Nayyar A. An efficient anonymous authentication and confidentiality preservation schemes for secure communications in wireless body area networks. Wireless Networks, 2021; 27: 2119–2130.
- 17. Jegadeesan S, Azees M, Arun SR, and Fadi AT. Lightweight privacy and confidentiality preserving anonymous authentication scheme for WBANs. IEEE Transactions on Industrial Informatics, 2022; 18(5): 3484–3491.
- 18.
Zheng Y. Digital signcryption or how to achieve cost (signature & encryption)≪ cost (signature)+ cost (encryption). Advances in Cryptology—CRYPTO’97. Springer, Berlin, Heidelberg, 165–179, 1997.
- 19. Eltayieb N, Elhabob R, Hassan A, et al. A blockchain-based attribute-based signcryption scheme to secure data sharing in the cloud. Journal of Systems Architecture, 2020; 102: 101653.
- 20. Xu Q, Tan C, Fan Z, et al. Secure data access control for fog computing based on multi-authority attribute-based signcryption with computation outsourcing and attribute revocation. Sensors, 2018; 18(5): 1609. pmid:29772840
- 21. Rao YS. Attribute-based online/offline signcryption scheme. International Journal of Communication Systems, 2017; 30(16): e3322.
- 22. Hong HS, Sun ZX. An efficient and secure attribute based signcryption scheme with LSSS access structure. SpringerPlus, 2016; 5: 644. pmid:27330910
- 23.
Ruan AK. Research of multi-authority attribute-based signcryption. MA thesis, University of Electronic Science and Technology of China, 2021.
- 24.
Zhao Y, Ruan A, Dan G, et al. Efficient multi-authority attribute-based signcryption with constant-size ciphertext. 2021 IEEE Conference on Dependable and Secure Computing (DSC). IEEE, 1–8, 2021.
- 25. Liu JH, Huang XY, Liu JK. Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Future Generation Computer Systems, 2015; 52: 67–76.
- 26. Belguith S, Kaaniche N, Hammoudeh M, et al. PROUD: Verifiable privacy-preserving outsourced attribute based signcryption supporting access policy update for cloud assisted iot applications. Future Generation Computer Systems, 2020; 111: 899–918.
- 27. Yu J, Liu S, Wang S, et al. LH-ABSC: a lightweight hybrid attribute-based signcryption scheme for cloud-fog-assisted IoT. IEEE Internet of Things Journal, 2020; 7(9): 7949–7966.
- 28. Boneh D, Franklin M. Identity-based encryption from the weil pairing. SIAM Journal on Computing, 2003; 32(3): 586–615.
- 29.
Joux A. The weil and tate pairing as building blocks for public key cryptosystems. Proceedings of Algorithmic Number Theory, Springer, Berlin, Heidelberg, 20–32, 2002.
- 30.
PBC Library. The pairing-based cryptography library. http://crypto.stanford.edu/pbc/.