Secured and Privacy-Preserving Multi-Authority Access Control System for Cloud-Based Healthcare Data Sharing

Abstract

With continuous advancements in Internet technology and the increased use of cryptographic techniques, the cloud has become the obvious choice for data sharing. Generally, the data are outsourced to cloud storage servers in encrypted form. Access control methods can be used on encrypted outsourced data to facilitate and regulate access. Multi-authority attribute-based encryption is a propitious technique to control who can access encrypted data in inter-domain applications such as sharing data between organizations, sharing data in healthcare, etc. The data owner may require the flexibility to share the data with known and unknown users. The known or closed-domain users may be internal employees of the organization, and unknown or open-domain users may be outside agencies, third-party users, etc. In the case of closed-domain users, the data owner becomes the key issuing authority, and in the case of open-domain users, various established attribute authorities perform the task of key issuance. Privacy preservation is also a crucial requirement in cloud-based data-sharing systems. This work proposes the SP-MAACS scheme, a secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Both open and closed domain users are considered, and policy privacy is ensured by only disclosing the names of policy attributes. The values of the attributes are kept hidden. Characteristic comparison with similar existing schemes shows that our scheme simultaneously provides features such as multi-authority setting, expressive and flexible access policy structure, privacy preservation, and scalability. The performance analysis carried out by us shows that the decryption cost is reasonable enough. Furthermore, the scheme is demonstrated to be adaptively secure under the standard model.

1. Introduction

The modern health industry is adopting Internet of Things (IoT) technology for providing advanced healthcare services [1]. A wide range of IoT devices and applications are designed for healthcare needs, e.g., sensors, remote healthcare monitoring applications, telemedicine consultation applications, etc. Healthcare organizations can collect, record, and monitor patient data regularly, providing them with adequate treatment in every situation. Patients can be treated well in emergencies by making use of their electronic health records (EHRs). For example, let us assume that a patient is suffering from chronic heart disease and they use body sensors to record their blood pressure. As patient monitoring services make their EHR available online, their doctors can treat them efficiently. In addition, in some unfavorable conditions when they may need medical attention, any treating doctor can access their data to make the right diagnosis. The availability of their EHRs can save their life.

Patients can maintain their EHR data on cloud storage servers and receive various advantages such as 24/7 access, easy management, and tracking and sharing of the EHR data for treatment as well as beneficiary purposes. However, cloud-based data outsourcing is not trusted because the data owners lose physical control of their data. Performing data encryption before uploading to the cloud is one solution to the above problem. This limits accessibility for legitimate users, as they will need decryption keys for accessing the data. Data owners can only issue the keys to known users. Other legitimate users cannot access the encrypted data in this case. Therefore, there is a need for a secure data-sharing system allowing the data owner to provide access control to data in a fine-grained manner. The system should have proper attributes and key management facilities to serve all legitimate users. To accomplish this outsourcing paradigm, the cloud-based EHR approach is motivated by the concepts of “Availability, Scalability, Cost efficiency, and Convenience” [2]. Dissemination of patient data through cloud-based EHRs is advantageous, but it must be performed with such care that the privacy of patients is protected.

Various cryptographic access control models have been defined to provide data security and control unauthorized data access. For this need, attribute-based encryption, also known as ABE [3], seems to be a suitable option. It allows for fine-grained and flexible access control. One type of ABE called ciphertext-policy attribute-based encryption [4] or CP-ABE is a technique in which the user’s secret key is generated for their attributes and an access policy is coupled with ciphertext. Access policies are typically expressed by threshold gates or AND-OR gates over the attributes. Users receive their attribute keys in terms of secret keys issued by the attribute authorities. CP-ABE is a kind of public key encryption (PKE) technique. It provides access control for a large group of users because it allows decryption only when the user carries the attribute set that matches the policy. Credentials or attributes are issued to the users by various attribute authorities, which may be from single or multiple domains. Several ABE techniques for cloud-based data sharing are given [5,6,7,8]. However, these schemes consider a single domain authority that manages all the attributes. In practical scenarios, users from multiple domains may request a download of the shared data and different administrating authorities may issue the attributes. Additionally, normal cipher-policy ABE schemes [4,9] store the access policy with outsourced encrypted data, but in plain text. This may result in the disclosure of sensitive information regarding the encrypted data. Let us understand cloud-based data sharing with the help of a healthcare use case.

1.1. Use-Case

In the healthcare system, various users such as doctors, nurses, research scholars, insurance agents, etc., may need to access the data. In this case, various authorities, e.g., hospitals, clinical research centers, insurance companies, and pharmaceutical companies, may issue various attribute keys to the concerned users (as shown in Figure 1). The shared EHRs of the patients may be protected by instituting access policies, such as any user who possesses the “Research Assistant” attribute in the domain of renowned “Research Organization” or “Insurance agent” attribute in the domain of “Insurance Company” from where the patient is receiving services being permitted to access the data. Therefore, in healthcare industries, where the user fraternity is a large group, multi-authority CP-ABE schemes are a suitable option for facilitating efficient and secure EHR sharing. All the above-stated users in the healthcare system come from the open domain, i.e., they are not known to the data owner.

To control access to shared data, attributes issued by various open-domain attribute authorities are used in access policies. Another important issue that must be considered in EHR data sharing is to give access to closed-domain users, i.e., the users known to the data owner, e.g., family friends, relatives, etc. Flexibility in handling the access requirements of both closed- and open-domain users makes the sharing of health data more practical and effective [10]. In emergencies, family friends or relatives may access the data. The privacy of the patient is also crucial in this kind of data sharing. In the above instance, if a patient outsources their medical data with policy “[(Profession = “Doctor” and Specialization = “Cardiology” and Affiliation = “AIIMS”) or (Profession = “Doctor” and Specialization = “Cardiology” and Research Associate = “University Hospital”) or (Relation = “Friend”)]”, then everyone including adversaries and the cloud service provider (CSP) can look at the policy formulation and figure out that the shared data are of a patient who is suffering from heart disease. This results in privacy leakage even though the ciphertext of EHR data is protected well. Therefore, it is essential to keep the access policy a secret to protect sensitive data.

1.2. Related Works

Numerous researchers have discussed data outsourcing in the cloud environment. Attribute-based encryption introduced by Sahai-Waters [11] is considered as most prominent scheme to institute access control for encrypted data. Although ABE and similar systems [4,9,11,12] employ one-to-many encryption concepts, there are some concerns with these techniques. The single authority managing the key issuance process for all the eligible users may decrypt every ciphertext by using issued secret keys. This is called the key escrow problem. Another problem in these schemes is low system performance due to over-reliance on a single authority for handling all of the system’s keys. This motivated the concept of establishing multiple authorities for key management tasks in a distributed manner. Several multi-authority ABE schemes and schemes supporting policy privacy have been presented in the literature.

1.2.1. Multi-Authority ABE Schemes

Multi-authority ABE was first discussed in the work [13], where only one CA, also known as the central authority, and numerous AAs, also known as attribute authorities, controlled key management. The CA and AAs were responsible for issuing keys for identity and keys for attributes, respectively. The use of the global identifier GID prevented user collusion problems. However, the CA was capable of decrypting any ciphertext. Chase and Chow [14] improved their scheme (CC-MA-ABE) by removing the CA and introducing an anonymous key distribution mechanism with the help of pseudo-random functions. Both schemes in [13,14] had the limitation that they supported an AND policy architecture only. Liu et al. [15] presented the MACP-ABE scheme, a fully secure scheme in the standard model where multiple central and attribute authorities collaborate to work together. The central authorities are responsible for issuing keys related to the user’s identity, and the attribute authorities control the issuance of the attribute-related keys. Lewko and Waters [16] designed a decentralized CP-ABE and demonstrated security under the random oracle model. The linear secret sharing scheme, also known as LSSS, was used for specifying the access policy. At setup and key generation, no coordination between authorities was necessary, nor was there a central authority. Li et al. [17] proposed a scheme where the user’s community can be divided into public and personal domains (PUD and PSD, respectively) depending upon their role in the system. Their scheme was based on scheme [14] and policy was specified using a conjunctive normal form (CNF) structure. Ibraimi et al. [18] suggested a scheme for patient health record sharing in a multi-authority (two authorities) setting. They introduced social domains and professional domains for different authorized users. Several pieces were proposed to cater to different issues regarding MA-ABE. Ruj et al. [19] addressed the revocation function in a multi-authority setting. However, their method had heavy communication overhead and key update computation overhead. The authors of [20] proposed cipher policy ABE schemes for supporting multi-authority scenarios and handling user revocation features. To improve efficiency, the decryption process was outsourced. AA became a bottleneck in the scheme, as it had to calculate update keys for each unrevoked user. The scheme presented in [21] improved the CP-ABE scheme for secure PHR sharing [22] for the multi-authority scenario. The authors also defined public and private domains for their PHR-sharing scheme. Li et al. [23] introduced an access control scheme for cloud storage supporting decryption outsourcing. The scheme was also a multi-authority scheme and was evidenced to be adaptive and secure. In order to eliminate key escrow and minimize computation and communication costs, Hu et al. [24] provided an MA-ABE scheme that resisted key escrow and had a ciphertext of constant size. Furthermore, in the MA-KPABE scheme presented in [25], verifiability of partial decryption ciphertext (PDC) and delegation features were added. Ma et al. [26] presented two decentralized CP-ABE techniques for the standard model. The CAs and AAs operated independently of one another. The first technique was constructed using a group of composite orders. The second technique produced ciphertexts of constant size in the groups of prime order. The first technique worked for any monotonic structure, while the second worked for AND-gate policies.

1.2.2. Policy Preservation in Attribute-Based Encryption

Because encrypted data on cloud storage servers remained in plaintext form when outsourced, access policies were shared with different users in all of the above schemes. This may cause potential exposure of sensitive information about the data owner as well as the consumers of the data. Several works [27,28] introduced CP-ABE schemes with partially hidden access control policies to protect the disclosure of this sensitive information. The access policies in these schemes divide attributes into two parts, i.e., attribute name and attribute value. In a partially hidden access policy, the attribute value that reveals sensitive information is made hidden, e.g., ([(Profession = “*” and Specialization = “*” and Affiliation = “*”) or (Profession = “*” and Specialization = “*” and Research Associate = “*”) or (Relation = “*”))). Li et al. [29] used the anonymous key issuing protocol used in CC-MA-ABE [14] and proposed an accountable multi-authority CP-ABE. Han et al. [30] developed a decentralized CP-ABE (PPDCP-ABE) scheme to eliminate dependency on and trust in central authorities while maintaining the privacy of users. In their scheme, multiple authorities may operate autonomously. The Pedersen commitment protocol [31] and zero-knowledge-proof protocol [32] were used to protect the attributes’ privacy. In [32], a policy-hiding CP-ABE scheme was proposed to improve decryption efficiency. The authors pioneered the “match-then-decrypt” method, in which ciphertext components were routed to the decryption test. Without performing the actual decryption, it checked the satisfiability of the hidden attributes policy for the attribute private key. Chen et al. [33] designed a privacy-preserving decentralized CP-ABE where the secret key was taken out with privacy. Their proposal required no central AA or multi-authority collaboration. They used the scheme [31] proposed by Pederson and oblivious attribute certificates [34]. The users receive secret keys for legitimate identity attributes, but AAs cannot find any useful information. Zhong et al. [35] proposed an access control scheme with a hidden policy on multi-authority architecture. To hide policy, attributes were obfuscated using a one-way anonymous key agreement protocol. Yang et al. [36] proposed a method for controlling Big Data access. Instead of hiding the attribute values, they hid the whole attribute for privacy purposes. They utilized an attribute bloom filter, which detects an attribute and its precise location in the access policy. Ying et al. [37] presented a lightweight policy-preserving CP-ABE scheme for EHR sharing on the cloud. The access policy was fully hidden by use of the attribute cuckoo filter (ACF). PASH, proposed in [38], was designed to provide access control for smart health. The CP-ABE scheme supported a large universe and used partially hidden policies. It also handled decryption tests efficiently and provided full security. Yan et al. [39] introduced a multi-authority ABE with privacy preservation and dynamic policy updating. This scheme was suggested for a multi-authority scenario, but it could not prevent malicious users from sharing their private keys. Belguith et al. [40] proposed PHOABE for cloud-assisted IoT, where multiple authorities were considered and a fully hidden policy was maintained by obfuscating the attributes. Their scheme was based on the scheme in [16]. It introduced a semi-trusted cloud server for outsourcing the heavy decryption process. This minimized computation overhead on resource-constrained devices. Zhang et al. [41] developed a hidden ciphertext-policy scheme for a large universe and proposed an efficient decryption procedure. Chinnasamy et al. [42] proposed a policy-hidden CP-ABE scheme for providing access control in an IoT environment. The SHA1 hashing algorithm was used for policy anonymization. Research works in [43,44] presented challenges related to cloud storage resources and applications in IoT. Najafi et al. [45] introduced a system with attribute privacy and search capabilities over encrypted data. In order to keep medical records safe and accessible, they created a storage and retrieval system. The approach was safe against keyword guess attacks in the standard model.

Analysis of the aforementioned schemes elucidated some comparative notes and observations. The following is a brief outline of issues with prominent MA-ABE schemes.

(1)

Several attribute-based access control schemes [13,14,15,16,17,18,19,20,21,22,23,26] in the multi-authority domain have been proposed, but these methods lack the policy preservation aspect;

(2)

There are schemes supporting privacy preservation approaches [27,28,29,30,32,33,35,36,37,38,39,40,41,46], but some of them are single-authority [27,38] and some of them use fully hidden access policies [35,40], which are more rigid in nature;

(3)

The security of most of the multi-authority schemes was validated in weaker security models, i.e., selective security [35,39], where adversaries need to declare a challenged access policy structure before obtaining the public parameters. There is a requirement for higher security in the above scenario.

1.3. Our Contributions

To resolve the aforementioned problems, SP-MAACS, a secure and privacy-preserving multi-authority access control system for cloud-based data sharing is proposed. Our SP-MAACS is a secure MA-CP-ABE scheme with a partial policy hiding feature. Two components make up an attribute: the name and the value. Concrete attribute values are used in the access policy. They are encoded in the ciphertext components. The access policy in plaintext is also saved with the encrypted data. It includes attribute names, not values. In our scheme, we used the access policy in DNF form, also called “alternative routes to authorization” [47]. A set of satisfiable sub-policies can be derived from the main policy. For example, a policy for the data D represented as an arbitrary logical formula such as [a1 ∧ (a2 ∨ a3)] can be written as [(a1 ∧ a2) ∨ (a1 ∧ a3)]. Here the set of sub-policies is [(a1 ∧ a2), (a1 ∧ a3)]. Generally, when a data owner decides on an access policy, he starts framing it using a combination of alternatives. This standard method of specifying access policy corresponds to the DNF structure employed by our approach. The following is a concise summary of the primary features of our system:

→

The proposed scheme incorporates the important aspect of privacy preservation in a multi-authority setting. Along with this added-on feature of privacy preservation, our multi-authority access control scheme also achieves better decryption efficiency;

→

The scheme is designed to support open- and closed-domain users and allows for employing fine-grained access control. The access policy formulated using DNF makes the policy specification more flexible and expressive. As our system is scalable, it allows users from varied domains and makes it better suited for real-world applications;

→

The scheme is adaptively secure. It achieves resistance to collusion attacks, as the users cannot integrate their attributes to access shared data. The scheme is demonstrated as secure in the standard model.

1.4. Organization

The rest of the paper is organized into the following sections: Section 2 compares the traits of prominent schemes studied in the previous section and our scheme. In Section 3, we outline some standard cryptographic definitions and access structure definitions. In Section 4, we propose the system model, the definitions of algorithms, and the security model. The SP-MAACS system construction is illustrated in Section 5. Section 6 discusses the scheme’s security, performance analysis, and implementation results. Section 7 concludes the research work.

2. Characteristics Comparison

Table 1. Prominent ABE schemes vs. SP-MAACS scheme.

Scheme	CP/KP	Multi- Authority	Privacy-Aware	Expressiveness	Security	Group Order	Security Model
Single-Authority Privacy Preserving Schemes with Adaptive Security in Standard Model
[28]	CP	×	√ (Partially hidden policy)	LSSS	Adaptive	Composite	Standard
[38]	CP	×	√ (Partially hidden policy)	LSSS	Adaptive	Composite	Standard
[48]	CP	×	√ (Partially hidden policy)	LSSS	Adaptive	Composite	Standard
Multi-Authority Schemes
[16]	CP	√	×	LSSS	Adaptive	Composite	Random oracle
[23]	CP	√	×	LSSS	Adaptive	Composite	Standard
[26]	CP	√	×	LSSS	Adaptive	Composite	Standard
[25]	KP	√	×	LSSS	Adaptive	Composite	Standard
Multi-Authority Privacy Preserving Schemes
[35]	CP	√	√ (Fully hidden policy)	LSSS	Selective	Prime	Random oracle
[39]	CP	√	√ (Partially hidden policy)	LSSS	Selective	Prime	Standard
Multi-Authority Privacy Preserving (Partially Hidden policy) Scheme with Adaptive Security in Standard Model
Ours	CP	√	√ (Partially hidden policy)	LSSS	Adaptive	Composite	Standard

provides a comprehensive comparison of some major characteristics of prominent CP-ABE schemes and SP-MAACS. The comparison involves important features such as multi-authority setting, access policy structure and its expressiveness, privacy preservation, and the security settings of the schemes. The schemes [25,38,39,48] were designed for healthcare systems. From this comparison, we can see that the adaptively secure privacy-preserving schemes [28,38,48] are single-authority schemes. The multi-authority CP-ABE schemes [16,23,25,26] are adaptively secure but do not offer privacy preservation of the access policy. The schemes [35,39] are multi-authority and privacy-preserving schemes, but their security is only evidenced in weaker selective models. As far as our survey goes, the SP-MAACS scheme is the only one that preserves privacy while also offering adaptive security in a multi-authority setting.

3. Mathematical Preliminaries

This section introduces the formal definitions and notations of the proposed scheme:

3.1. Composite Order Bilinear Groups

The authors defined composite order bilinear groups in [49].

Definition 1.

The order$O$of a bilinear group is defined as$O=p_1{p}_2{p}_3$, i.e., the product of three different primes (here$p_1$, $p_2$and$p_3).$Let$G$and$G_T$be cyclic groups of the order$O$. Let the subgroup in$G$with the order$p_i$be denoted as$G_{p_i}$.$g_{p_1},g_{p_2}$and$g_{p_3}$are generators of$G_{p_1}$,$G_{p_2}$and$G_{p_3}$, respectively. Let$e:G X G\to G_T$be the mapping and the following be the required properties:

1. 

Bilinear property:$\forall c,d\in G$and a, b ∈ ZN.$e\left(c^a, d^b\right)=e{\left(c, d\right)}^{ab}.$

2. 

Property of non-degeneracy:$\exists ℊ \in G,$where$e\left(g, g\right)$in$G_T$is of the order$O$.

3. 

Computability:$\exists$ an algorithm to compute $e\left(c,d\right) \forall c,d\in G$efficiently.

4. 

Orthogonality:$e\left(g_{p_1},g_{p_2}\right)$= 1 for any$g_{p_1}$∈$G_{p_1}$and any$g_{p_2}$∈$G_{p_2}$.

3.2. Access Structure for Privacy Preservation

Here we first define normal access structure.

Definition 2.

Let us name the universe of attributes AU. An access structure$\phi$on AU is a collection of non-empty attribute sets, i.e.,$\phi \subseteq 2^{AU}\backslash \varnothing$. The collection of attribute sets, which is present in$\phi$, is called the authorized set; all the other attributes lie in an unauthorized set. In addition, an access structure is called monotonic if ∀C, D: if C ∈$\phi$and C ⊆ D, then D ∈$\phi$.

Now let us define linear secret sharing scheme (LSSS).

Definition 3.

Let Π be a secret-sharing scheme in which:

(1) 

The generated share for each participant is a vector over$Z_p$.

(2) 

$\exists$A matrix W of m rows and n columns, where ∀rows ∈ W, the j^th row is marked with the function ρ(j); then it is called a linear scheme. Secret s is randomly chosen such that s ∈$Z_p$and a vector is formed so that$v=\left(s, v_2 \dots v_n\right)\in Z_p^n$. Now let us take λ=$W v^T$such that share${\lambda }_{j }$is for participant ρ(j) so we can write${\lambda }_j=W_j· v$.

(3) 

Linear reconstruction property: Let us denote S as an authorized set and take I = {j: ρ(j)∈ S}. For an LSSS scheme, there exists a constant set${\left({\mu }_j\in Z_p\right)}_{j\in I}$, used to compute the secret s:${\displaystyle \sum }_{j\in I}{\mu }_j{\lambda }_j=s$.

Access Structure for privacy preservation:

Definition 4.

Let us take an access structure$\phi$= ($W$, ρ, Z) for describing an access policy.$W$is a share-generating matrix with the dimensions l by n that is connected with a secret sharing scheme, ρ is a map function and Z = ${\left(Z_{\rho \left(j\right)}\right)}_{1\le j\le l}$is a set of corresponding possible values of the respective attribute. Function ρ maps each row of$W$to the name of the attribute present in the access policy. We are keeping Z hidden in our scheme and the share-generating matrix$W$and function ρ are attached to the ciphertext.

Disjunctive Normal Form

Definition 5.

In discrete mathematics, a canonical normal form of a Boolean formula can be written as OR of ANDs. It is termed the sum of products (SOP). This normal form is called a disjunctive normal form (DNF). It can be written as$A=A_{1 }V A_{2 } V \dots V{A}_{n } \left(n\ge 1\right)$, where$A_{1 }, A_{2 },\dots , A_{n }$are called sub-formulas and they are all conjunctions of the terms.

4. System Model, Algorithms, and Security Model

This section discusses the system model, various algorithms designed for the scheme, and the security model of the SP-MAACS scheme.

4.1. System Model

Figure 2 shows the major entities in our SP-MAACS system for cloud-based data sharing. The entities are:

(1)

Data Owner (DO): The data owner decides on an access policy and formulates it using the attributes present in the attribute universe. Then they encrypt the data under this policy. These encrypted data are stored on the cloud servers, but the access policy is kept partially hidden (Steps 1 and 2 in Figure 2);

(2)

Central Authority (CA): The responsibilities of a CA can be defined as: (1) Generate global public parameters for the system. (2) Service the user’s request for registration and issue identity keys based on their global identifier (gid) (Step 3 in Figure 2);

(3)

Attribute Authorities (AAs): The responsibilities of an AA can be defined as: (1) Generate public keys for the attributes they manage. Each AA may have the authority to issue any number of attributes, but a single AA is authorized to issue each attribute. (2) Verify the user’s possession of the attribute and issue a secret key for the user’s attributes;

(4)

Cloud Service Provider (CSP): The CSP essentially acts as a resource provider in place of the cloud, replicating that role for the cloud. The data owners use its data storage service and the users send a query for required data to access it. Furthermore, there is an assumption that the CSP is curious about obtaining the knowledge of data, but at the same time, it is honest;

(5)

User: A unique global identity is allotted to every user. They receive a secret key issued for numerous attributes from the responsible AA. The user sends the request for data access to the CSP along with their acquired secret keys, and if the attributes possessed by them are required in satisfying the access policy, they can obtain the data (Steps 5 and 6 in Figure 2).

In the SP-MAACS scheme, attribute authorities in the open domain can be hospitals, clinical research centers, etc. These authorities issue attributes to users such as doctors, nurses, etc. The EHR data owner plays the role of an AA for issuing secret keys to the users in a closed domain, e.g., friends, relatives, etc. (Step 4 in Figure 2).

4.2. Algorithms

The SP-MAACS scheme uses the following four algorithms in its construction.

4.2.1. System Initialization

GlobalSetup(λ) → GPP: The algorithm uses the input λ which is also called the security parameter. After the setup executes, global public parameters GPP are generated.

CASetup(GPP) → (MPK, MSK): The central authority(CA) executes the CASetup algorithm. It outputs public key MPK and secret key MSK. All the authorities use MPK for verification purposes.

AASetup(GPP, k, U_k) → (APK_k, ASK_k): Every authority AA_k present in the system executes this algorithm, where the inputs are GPP and its attribute domain is called $U_k$. No two authorities have a common attribute domain, which means for i ≠ j, $U_i\cap U_j=\varnothing$. This algorithm produces public key APK_k and secret key ASK_k.

4.2.2. Encryption

Encrypt(K, ψ, GPP, $\cup$ APK_k) → (CT): This algorithm takes as input the GPPs, a symmetric key K by which data are encrypted, an access policy structure ψ, and a collection of public keys of applicable authorities. It generates the ciphertext.

4.2.3. User Key Generation

CAKeyGen(GPP,gid) → (CAPK_gid, CASK_gid): The user submits their gid as input to this algorithm. Taking GPP as another input, it produces the gid-related identity-key CASK_gid, which is held by the user. The public key CAPK_gid is given to the AAs for generating attribute-related keys.

AAKeyGen(${\mathrm{S}}_{\mathrm{gid},\mathrm{k}},$)GPP, MPK, CAPK_gid, ASK_k) → (ASK_S,gid,k): When a user requests k^th authority for generating keys for an attribute set ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$, AA_k runs this algorithm with inputs as ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}},$ GPP, MPK, CAPK_gid, and ASK_k. If CAPK_gid is invalid, then it returns ﬩, else it returns corresponding attribute-related keys ASK_S,gid,k for attribute set ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$.

4.2.4. Decryption

Decrypt(CT, GPP, FK_gid) → (K): The decryption algorithm uses a global public parameter, the ciphertext denoted as CT, and the final secret keys’ set FK_gid as the inputs. The decryption is complete when the user’s attributes satisfy the policy.

4.3. Security Model

We define the security model for SP-MAACS through a security game between adversary A and challenger C. We assumed that A can corrupt at most K-1 AAs. Let K_c denote the index set of corrupted AAs and K_uc denote the index set of uncorrupted AAs, where K_uc = K\K_c. The steps of the game are as follows:

Setup: C executes the algorithms GlobalSetup, CASetup, and AASetup and transfers the GPP, MPK, and ${{\displaystyle \cup }}_{k=1}^{K}AP{K}_k$ to the adversary A. Assume the adversary corrupts K_c AAs such that K\K_c ≠ Φ. The challenger C passes the secret key {ASK_k $|k\in$ K_c to A.

Phase 1: Adversary A can obtain the secret keys for the AAs who have been corrupted.

CAKey queries: For these queries, challenger C responds by CAPK_gid and CASK_gid.

AAKey queries: For the attribute set, the adversary submits ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$ and CAPK_gid to C, where$k\in$ K_uc. C returns the ${\left\{{\mathrm{ASK}}_{\mathrm{S},\mathrm{gid},\mathrm{k}}\right\}}_{k\in K_{uc}}\}.$

Challenge: If adversary A finds that phase 1 is complete, it sends to C two messages M₀, M₁, which are equal in length, and two challenge access structures ${\psi }_1^{*}=\left(W_1,{\rho }_1,Z_1\right)$ and ${\psi }_2^{*}=\left(W_2,{\rho }_2,Z_2\right)$. Here the condition is that ${\psi }_1^{*}$ and ${\psi }_2^{*}$ cannot be satisfied by any attribute key query performed in phase 1. A random coin c$\in$ {0, 1} is flipped by C; then, it sets $C{T}_{{\psi }_c}^{*}\leftarrow Encrypt(K_c,{\psi }_c,GPP,\cup AP{K}_k)$ and passes this challenged ciphertext to A.

Phase 2: As in phase 1, adversary A can again obtain adaptive secret key queries.

Guess: Adversary A gives its guess c′ of c as output and wins the game if ${\mathrm{c}}^{\prime }=\mathrm{c}$. Probability$Pr$ of being ${\mathrm{c}}^{\prime }=\mathrm{c}$, i.e., $\left|Pr\left[{\mathrm{c}}^{\prime }=\mathrm{c}\right]=\frac{1}{2}\right|$ is called the advantage of adversary A. To compute $Pr$, A and C choose random bits.

Definition 6.

Our SP-MAACS scheme with a privacy-preserving feature is fully secure since no probabilistic polynomial-time (PPT) adversary has a non-negligible advantage in the above game.

5. Scheme Construction

The following is the detailed construction of SP-MAACS:

5.1. System Initialization

The following three algorithms are used for system setup:

GlobalSetup(λ) → GPP: The algorithm is called to initialize the system. It uses the input λ and generates GPP (global public parameters). Then, it chooses two bilinear groups $G$ and $G_T$ of order $O=p_1{p}_2{p}_3$ and mapping $e:GXG\to G_T$. Let the subgroup in $G$ with the order $p_{i}b$be denoted as $G_{p_i}.g$ is a randomly chosen element from $G_{p_1}$. $I_3$ is a generator of $G_{p_3}$. The GPP are made available as =$\left(O,e,g,I_3,{\Omega }_{Sign}\right)$, where ${\Omega }_{Sign}$= (GenKey,Sign,Verify) is a secure signature scheme and will be used to counter any collusion attempts.

CASetup(GPP) → (MPK, MSK): The CA runs the GenKey algorithm of ${\Omega }_{Sign}$ to obtain signature key MSK and verification key MPK. All the AAs use MPK.

AASetup(GPP, k, Uk) → (APK_k, ASK_k): The attribute authority AA_k runs the algorithm. Let us assume attribute universe AU_k consists of n attribute names e.g., (a₁, a₂, …, a_n), and each attribute a_i has n_i attribute values, e.g., $(a_{i,1},a_{i,2}$, …, $a_{i,n_i})$. Each AA_k chooses a random exponent $t_{k,n_i}\in Z_N$ and computes $T_{k,n_i}=g^{t_{k,n_i}}$. It also chooses two random exponents ${\alpha }_k,{\beta }_k\in Z_N$ and computes the public keys of AA_k as:

$$P{K}_{k,1}=e{\left(g,g\right)}^{{\alpha }_k}$$

(1)

$$P{K}_{k,2}=g^{{\beta }_k}$$

(2)

Hence, the cumulative public key of AA_k is:

$$AP{K}_k=\left\{e{\left(g,g\right)}^{{\alpha }_k},g^{{\beta }_k},g^{t_{k,n_i}}\forall a_{k,n_i}\in U_k\right\}$$

(3)

And the cumulative secret key of AA_k is:

$$AS{K}_k=\left\{{\alpha }_k,{\beta }_k,t_{k,n_i},\forall a_{k,n_i}\in U_k\right\}$$

(4)

5.2. Encryption

When the data owner outsources EHR data, they use a symmetric encryption algorithm and a key K to encrypt the data. Then, they encrypt key K using the following encrypt algorithm with the access policy ψ. Encryption is performed as follows:

Encrypt(K, ψ, GPP,$\mathbf{\cup }\mathit{A}\mathit{P}{\mathit{K}}_{\mathit{k}}$) → (CT): As we mentioned to choose the DNF of a set of sub-policies, let us assume there are q sub-policies, i.e., {ψ_i}_i=1,2..,q. For simplicity, let us call each of them $W.$The sub-policy $W$is the LSSS matrix. Let us take some rows and columns in the LSSS matrix as land n. The function $\rho$ associates each row $W_j$ of $W$ to attribute $\rho \left(j\right)$. To make the policy hidden, a set of attribute values is denoted as $Z=(Z_{\rho \left(1\right)},\dots Z_{\rho \left(l\right)})$ and is attached to the access policy. Thus, the sub-policy can be expressed by $\left(W,\rho ,Z\right).$For each sub-policy, the following steps are run:

Step 1. The data owner chooses $s\in Z_p$ and a random vector

$$v={\left(s,v_2\dots v_n\right)}^T\in Z_N^n$$

Step 2. For each row of the matrix, the following is calculated:

$$\mathsf{\lambda }\mathrm{x}=W_x·v$$

Step 3. Then, for every $xϵ\left[l\right]$, it selects a random exponent $r_xϵZ_p$ and calculates:

$$C=K·\left({{\displaystyle \prod }}_{k\in SAA}e{\left(g,g\right)}^{{\alpha }_k}\right)\mathrm{s}=K·e{\left(g,g\right)}^s{}^{{\displaystyle \sum }_{k\in SAA}{\alpha }_k}$$

(5)

$$C_0=g^s$$

(6)

$$C_{1,x}=g^{{{\displaystyle \sum }}_{k\in SAA}{\beta }_k\mathsf{\lambda }\mathrm{x}}·{\left(T_{\rho \left(x\right)}^{Z_{\rho \left(x\right)}}\right)}^{-r_x}$$

(7)

$$C_{2,x}=g^{r_x}$$

(8)

Here, SAA is defined as the index set of AA_k. This set consists of an index of AAs whose attributes are present in the policy.

Step 4. Finally, the data owner sends the ciphertext data to a cloud E(K) = {{ψ_i}_{i=1,2,3,…,q,} {E_i}_{i=1,2,3,…, q}}, where, $E_i=\left\{C,C_0,{\left(C_{1,x},C_{2,x}\right)}_{x\in \left\{1,\dots ,l\right\}}\right\}$.

The decryption of the data by the user is possible when their attribute set matches any of the sub-policy $\left(W,\rho ,Z\right).$The matching process is successful when for all $x\in \left\{1,\dots ,l\right\},a_{\rho \left(x\right)}=Z_{\rho \left(x\right)}$ and constants ${\mu }_x\in Z_N$ such that ${\displaystyle \sum }_{x\in l}{\mu }_x{\mathsf{\lambda }}_x=s$.

5.3. User Key Generation

Every new user receives a unique gid after he registers himself in the system. For obtaining identity-related keys, he requests CA. The CA runs the CAKeyGen algorithm. After that, the user applies attribute-related keys, and different AAs run the AAKeyGen algorithm for this.

CAKeyGen(GPP,gid) → ($CAP{K}_{gid}$,${\mathrm{CASK}}_{\mathrm{gid}}$): The CA demands the user’s gid for issuing identity keys. CA randomly chooses $r_{gid}\in Z_N$ and ${\mathrm{R}}_{\mathrm{gid}}\in G_{p_3},$then sets ${\mathrm{CASK}}_{\mathrm{gid}}=g^{r_{gid}}{\mathrm{R}}_{\mathrm{gid}}$. Then, it uses MSK to compute ${\gamma }_{gid}=Sign\left(MSK,gid\parallel {\mathrm{CASK}}_{\mathrm{gid}}\right)$. Finally, it sends $CAP{K}_{gid}=\left(gid,{\mathrm{CASK}}_{\mathrm{gid}},{\gamma }_{gid}\right)$ and ${\mathrm{CASK}}_{\mathrm{gid}}$ to the user.

AAKeyGen($S_{gid,k}GPP,MPK,CAP{K}_{gid},AS{K}_k$) → (ASK_S,gid,k): To obtain the attribute-related keys issued, a user passes their attribute set ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$ to the AA_k, which belongs to their domain. Then, the AA_k uses the MPK to verify whether the ${\mathrm{CAPK}}_{\mathrm{gid}}$ is valid. If valid, for issuing keys related to ${\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$, AA_k randomly selects ${\mathrm{R}}_{\mathrm{gid},\mathrm{k}}\in G_{p_3}$ and computes ${\mathrm{SK}}_{\mathrm{gid},\mathrm{k}}=g^{{\alpha }_k}{\mathrm{CASK}}_{\mathrm{gid}}{}^{{\beta }_k}{\mathrm{R}}_{\mathrm{gid},\mathrm{k}}=g^{{\alpha }_k}{g}^{r_{gid}{\beta }_k}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k}}$, where ${{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k}}={\mathrm{R}}_{\mathrm{gid}}{}^{{\beta }_k}{\mathrm{R}}_{\mathrm{gid},\mathrm{k}}$, else it aborts.

For each attribute $\mathrm{i}\in {\mathrm{S}}_{\mathrm{gid},\mathrm{k}}$, it randomly selects ${\mathrm{R}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}\in G_{p_3}$ and computes ${\mathrm{SK}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}={\mathrm{CASK}}_{\mathrm{gid}}{}^{t_{k,ni}}{\mathrm{R}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}=T_{k,ni}{}^{r_{gid}}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k},\mathrm{i}}$, where ${{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k},\mathrm{i}}={\mathrm{R}}_{\mathrm{gid}}{}^{t_{k,ni}}{\mathrm{R}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}$. Finally, ASK_S,gid,k = $({\mathrm{SK}}_{\mathrm{gid},\mathrm{k}},{\left\{{\mathrm{SK}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}\right\}}_{\mathrm{i}\in {\mathrm{S}}_{\mathrm{gid},\mathrm{k}}})$ is given to the user.

Therefore, the final set of user keys FK_gid contains:

$$\mathrm{K}1=g^{r_{gid}}{\mathrm{R}}_{\mathrm{gid}}$$

(9)

$$\mathrm{K}2=\text{{}{\mathrm{SK}}_{\mathrm{gid},\mathrm{k}}\}$$

(10)

$${\mathrm{K}}_3=\text{{}\left({\mathrm{SK}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}{}_{\mathrm{i}\in {\mathrm{S}}_{\mathrm{gid},\mathrm{k}}}\right)\}$$

(11)

5.4. Decryption

When a user submits their data access request to the cloud server along with their secret keys, the decrypt algorithm is executed as follows:

Decrypt(CT, GPP, FK_gid)→(K): When the set of attribute keys of the user (S_gid) matches any of the conjunction or sub-policy $\left(W,\rho ,Z\right)$, then the symmetric key K can be retrieved by the following steps:

Step 1: Compute $CK={\displaystyle \prod }_{i\in SAA}{\mathrm{K}}_{2,\mathrm{i}},$ and choose constants ${\mu }_x\in Z_N$, such that ${\displaystyle \sum }_{\rho \left(x\right)\in {\mathrm{S}}_{\mathrm{gid}}}{\mu }_x{W}_x=\left(1,0,\dots ,0\right)$. Then compute

$$e\left(CK,C_0\right)=e\left({{\displaystyle \prod }}_{k=1}^l{g}^{{\alpha }_k}{g}^{r_{gid}{\beta }_k}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k}},g^s\right)=e{\left(g,g\right)}^{s{\displaystyle \sum }_{k=1}^l{\alpha }_k}e{\left(g,g\right)}^{r_{gid}s{\displaystyle \sum }_{k=1}^l{\beta }_k}$$

(12)

Step 2: For all attribute-related keys for which $\rho \left(x\right)\in {\mathrm{S}}_{\mathrm{gid}}$, compute

$$\begin{gathered} {{\displaystyle \prod }}_{\rho \left(x\right)\in {\mathrm{S}}_{\mathrm{gid}}}{[e\left(C_{1,x},K_1\right)e\left(C_{2,x},K_{3,i}\right)]}^{{\mu }_x}= \\ {{\displaystyle \prod }}_{\rho \left(x\right)\in {\mathrm{S}}_{\mathrm{gid}}}{\left[e\left(g^{{{\displaystyle \sum }}_{k\in SAA}{\beta }_k\mathsf{\lambda }\mathrm{x}}·{\left(g^{t_{\rho \left(x\right)}{Z}_{\rho \left(x\right)}}\right)}^{-r_x}, g^{r_{gid}}{\mathrm{R}}_{\mathrm{gid}}\right)e\left(g^{r_x},T_{\rho \left(x\right)}^{Z_{\rho \left(x\right)}}{}^{r_{gid}}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k},\mathrm{i}}\right)\right]}^{{\mu }_x} \\ ={{\displaystyle \prod }}_{\rho \left(x\right)\in {\mathrm{S}}_{\mathrm{gid}}}{\left[e\left(g^{{{\displaystyle \sum }}_{k\in SAA}{\beta }_k\mathsf{\lambda }\mathrm{x}},g^{r_{gid}}\right)\right]}^{{\mu }_x}=e{\left(g,g\right)}^{r_{gid}s{{\displaystyle \sum }}_{kϵSAA}{\beta }_k} \end{gathered}$$

(13)

Step 3: After dividing the result of step 1 by step 2, we obtain $e{\left(g,g\right)}^{s{\displaystyle \sum }_{k=1}^l{\alpha }_k}$.

Step 4:

$$C/e{\left(g,g\right)}^{s{\displaystyle \sum }_{k=1}^l{\alpha }_k}=K·e{\left(g,g\right)}^s{}^{{\displaystyle \sum }_{k\in SAA}{\alpha }_k}/e{\left(g,g\right)}^{s{\displaystyle \sum }_{k=1}^l{\alpha }_k}=K$$

(14)

The user can recover the data by using the symmetric key K.

6. Security and Performance Analysis

6.1. Security Analysis

The following complexity assumptions serve as the foundation for our security proofs:

Subgroup Decision Problem for Three Primes [38,50]

Three assumptions are contained in this SDP assumption. Here Pr denotes the probability function.

Assumption 1:

Let us take a group generator$\stackrel{\text{-}}{\mathrm{g}}$and consider the distribution:$\mathbb{G}$=($O=p_1{p}_2{p}_3,G,G_T,e$)$\stackrel{R}{\leftarrow } \stackrel{\text{-}}{\mathrm{g}}, g\stackrel{R}{\leftarrow }{G}_{p_1},X_3\stackrel{R}{\leftarrow }{G}_{p_3},$D = ($\mathbb{G},g,X_3$),$T_1\stackrel{R}{\leftarrow }{G}_{p_1{P}_2},T_2\stackrel{R}{\leftarrow }{G}_{p_1}.$The advantage of an algorithm$A$in breaking the mentioned assumption is:

$$SDP\_Adv{1}_{\mathcal{G},\mathsf{A}}\left(\lambda \right)=|Pr\left[\mathsf{A}\left(D,T_1\right)=1\left]-\mathrm{Pr}\right[\mathsf{A}\left(D,T_2\right)=1\right]$$

(15)

Definition 7.

If for any polynomial time (PT) algorithm$A$,$SDP\_Adv{1}_{\mathcal{G},\mathcal{A}}$($\lambda$) is a negligible function of$\lambda$, then$\stackrel{\text{-}}{\mathrm{g}}$is said to satisfy the above-mentioned assumption 1.

Assumption 2:

Let us take a group generator$\stackrel{\text{-}}{\mathrm{g}}$and consider the distribution:$\mathbb{G}$= ($O=p_1{p}_2{p}_3,G,G_T,e$)$\stackrel{R}{\leftarrow } \stackrel{\text{-}}{\mathrm{g}},g,X_1\stackrel{R}{\leftarrow }{G}_{p_1},X_2,Y_2\stackrel{R}{\leftarrow }{G}_{p_2},X_3,Y_3\stackrel{R}{\leftarrow }{G}_{p_3},$D = ($\mathbb{G},g,X_1{X}_2,X_3,Y_2{Y}_3$),$T_1\stackrel{R}{\leftarrow }G,T_2\stackrel{R}{\leftarrow }{G}_{p_2{P}_3}$. The advantage of an algorithm$A$in breaking the mentioned assumption is:

$$SDP\_Adv{2}_{\mathcal{G},\mathsf{A}}\left(\lambda \right)=\left|Pr\left[\mathsf{A}\left(D,T_1\right)=1\left]-Pr\right[\mathsf{A}\left(D,T_2\right)=1\right]\right|$$

(16)

Definition 8.

If for any polynomial-time (PT) algorithm$A,SDP\_Adv{2}_{\mathcal{G},\mathcal{A}}$($\lambda$) is a negligible function of$\lambda$, then$\stackrel{\text{-}}{\mathrm{g}}$is said to satisfy the above-mentioned assumption 2.

Assumption 3:

Let us take a group generator$\stackrel{\text{-}}{\mathrm{g}}$and consider the distribution:$\mathbb{G}$=($O=p_1{p}_2{p}_3,G,G_T,e$)$\stackrel{R}{\leftarrow }\mathcal{G},\alpha ,s\stackrel{R}{\leftarrow }{\mathbb{Z}}_N,g\stackrel{R}{\leftarrow }{G}_{p_1},X_2,Y_2,Z_2\stackrel{R}{\leftarrow }{G}_{p_2},X_3\stackrel{R}{\leftarrow }{G}_{p_3},$D=($\mathbb{G},g,g^{\alpha }{X}_2,X_3,g^s{Y}_2,Z_2$),$T_1=e{(g,g)}^{\alpha }s,T_2\stackrel{R}{\leftarrow }{G}_T$. The advantage of an algorithm$A$in breaking the mentioned assumption is:

$$SDP\_Adv{3}_{\mathcal{G},\mathsf{A}}\left(\lambda \right)=\left|Pr\left[\mathsf{A}\left(D,T_1\right)=1\left]-Pr\right[\mathsf{A}\left(D,T_2\right)=1\right]\right|$$

(17)

Definition 9.

If for any polynomial-time (PT) algorithm$A, SDP\_Adv{3}_{\mathcal{G},\mathcal{A}}$($\lambda$) is a negligible function of$\lambda ,$then$\stackrel{\text{-}}{\mathrm{g}}$is said to satisfy the above-mentioned Assumption 3.

Theorem 1.

If the above three assumptions are true, then the proposed SP-MAACS scheme is fully secure according to the model presented inSection 4.3—Definition 6.

Proof. 

We will use two terms here: ciphertext in semi-functional form (SF-CT) and key in semi-functional form (SF-Key). The terms are used in proof [16] and are not used in the construction of the scheme. We chose a random exponent ${\mathrm{z}}_{\mathrm{k},\mathrm{i}}\in {\mathrm{Z}}_{\mathrm{N}}$ for each attribute i $\in {\mathrm{U}}_{\mathrm{k}}$. □

Semi-functional ciphertext. To make an SF-CT, perform the following:

Let $g_2$ be a generator of$G_{p_2}$, $d\stackrel{R}{\leftarrow }{Z}_N$. ∀row$xϵ\left[l\right]$, let us randomly select ξx$\in {\mathrm{Z}}_{\mathrm{N}}$. In addition, choose a random vector$\overrightarrow{y}\in Z_N^n$. Then, set

$$C_0=g^s·g_2{}^d$$

For each row$xϵ\left[l\right]$,

$$C_{1,x}=g^{{{\displaystyle \sum }}_{k\in SAA}{\beta }_k\mathsf{\lambda }\mathrm{x}}·{\left(T_{\rho \left(x\right)}^{Z_{\rho \left(x\right)}}\right)}^{-r_x}·g_2{}^{W_x.\overrightarrow{y}+\mathsf{\xi }\mathrm{x}{z}_{\rho \left(x\right)}}$$

$$C_{2,x}=g^{r_x}·g_2{}^{-\mathsf{\xi }\mathrm{x}}$$

Semi-functional key: There can be two types:

Type 1 SF-Key: Choose random exponents r, δ_k$\in {\mathrm{Z}}_{\mathrm{N}}$and set:

$${\mathrm{CASK}}_{\mathrm{gid}}=g^{r_{gid}}{\mathrm{R}}_{\mathrm{gid}}·g_2{}^r$$

$$CAP{K}_{gid}=\left(gid,{\mathrm{CASK}}_{\mathrm{gid}},{\gamma }_{gid}\right)$$

$${\mathrm{SK}}_{\mathrm{gid},\mathrm{k}}=g^{{\alpha }_k}{g}^{r_{gid}{\beta }_k}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k}}·g_2{}^{{\mathsf{\delta }}_k}$$

$${\mathrm{SK}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}=T_{k,ni}{}^{r_{gid}}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k},\mathrm{i}}·g_2{}^{r{\mathrm{z}}_{\mathrm{k},\mathrm{i}}}$$

Type 2 SF-Key:

$${\mathrm{CASK}}_{\mathrm{gid}}=g^{r_{gid}}{\mathrm{R}}_{\mathrm{gid}}$$

$$CAP{K}_{gid}=\left(gid,{\mathrm{CASK}}_{\mathrm{gid}},{\gamma }_{gid}\right)$$

$${\mathrm{SK}}_{\mathrm{gid},\mathrm{k}}=g^{{\alpha }_k}{g}^{r_{gid}{\beta }_k}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k}}·g_2{}^{{\mathsf{\delta }}_k}$$

$${\mathrm{SK}}_{\mathrm{gid},\mathrm{k},\mathrm{i}}=T_{k,ni}{}^{r_{gid}}{{\mathrm{R}}^{\prime }}_{\mathrm{gid},\mathrm{k},\mathrm{i}}$$

If we use a regular key to decipher an SF-CT or an SF-Key to decipher a regular ciphertext, we can correctly calculate $\left({\displaystyle \prod }_{k\in SAA}e{\left(g,g\right)}^{{\alpha }_k}{}^s\right)$. However, if we try to use an SF-Key to decipher a semi-functional CT, it will give us an extra thing:$e{\left(g_2,g_2\right)}^c{}^{{\displaystyle \sum }_{k\in SAA}{\mathsf{\delta }}_k-r{y}_1},$where y₁ is the first coordinate of the vector $\overrightarrow{y}$.

The adaptive security of the scheme from three assumptions (Assumption no. 1, 2, 3), can be confirmed using a sequence of games shown in the appendix of [38].

6.2. Performance Analysis

As shown in Table 1, our scheme is compared with prominent multi-authority schemes, single-authority privacy-preserving schemes, and some privacy-preserving multi-authority schemes. The salient features of our scheme are also highlighted in Section 1 and Section 2.

Table 2. Storage and computation cost comparison.

Scheme	Storage Overhead			Computation Cost
	Public Key	User’s Secret Key	Ciphertext	Encryption	Decryption
[28]	$\left|{\mathrm{G}}_{\mathrm{T}}\right|+\left(\mathrm{n}+4\right)\left|\mathrm{G}\right|$	$\left(\left|{\mathrm{A}}_{\mathrm{U}}\right|+2\right)\left|\mathrm{G}\right|$	$\left(4\left|{\mathrm{A}}_{\mathrm{C}}\right|+2\right)\left|\mathrm{G}\right|+2\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(7\left|{\mathrm{A}}_{\mathrm{C}}\right|+4\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|+4\right)\mathrm{P}+\left(4\left|\mathrm{I}\right|\right)\mathrm{E}$
[38]	$\left|{\mathrm{G}}_{\mathrm{T}}\right|+4\left|\mathrm{G}\right|$	$\left(\left|{\mathrm{A}}_{\mathrm{U}}\right|+2\right)\left|\mathrm{G}\right|$	$\left(3\left|{\mathrm{A}}_{\mathrm{C}}\right|+2\right)\left|\mathrm{G}\right|+2\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(7\left|{\mathrm{A}}_{\mathrm{C}}\right|+4\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|+3\right)\mathrm{P}+\left(3\left|\mathrm{I}\right|\right)\mathrm{E}$
[16]	$\mathrm{n}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\mathrm{n}\left|\mathrm{G}\right|$	$\left(\left|{\mathrm{A}}_{\mathrm{U}}\right|\right)\left|\mathrm{G}\right|$	$\left(2\left|{\mathrm{A}}_{\mathrm{C}}\right|\right)\left|\mathrm{G}\right|+\left(\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(5\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|\right)\mathrm{P}+\left(\left|\mathrm{I}\right|\right)\mathrm{E}$
[23]	${\mathrm{n}}_{\mathrm{a}}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\left(\mathrm{n}+{\mathrm{n}}_{\mathrm{a}}+1\right) \left|\mathrm{G}\right|$	$\left({\mathrm{n}}_{\mathrm{a}}+\left|{\mathrm{A}}_{\mathrm{U}}\right|+2\right)\left|\mathrm{G}\right|$	(2$\left|{\mathrm{A}}_{\mathrm{C}}\right|+1)\left|\mathrm{G}\right|$ +$\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(3\left|{\mathrm{A}}_{\mathrm{C}}\right|+2\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|+1\right)\mathrm{P}+\left(\left|\mathrm{I}\right|+1\right)\mathrm{E}$
[26]	$\mathrm{n}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\left(\mathrm{n}+1\right)\left|\mathrm{G}\right|$	$\left(\left|{\mathrm{A}}_{\mathrm{U}}\right|+1\right)\left|\mathrm{G}\right|$	$\left(2\left|{\mathrm{A}}_{\mathrm{C}}\right|\right)\left|\mathrm{G}\right|+\left(\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(5\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|\right)\mathrm{P}+\left(3\left|\mathrm{I}\right|\right)\mathrm{E}$
[35]	$\mathrm{n}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\mathrm{n}\left|\mathrm{G}\right|$	$\left(2\left|{\mathrm{A}}_{\mathrm{U}}\right|\right)\left|\mathrm{G}\right|$	$\left(2\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\left|\mathrm{G}\right|+\left(\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(5\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|+1\right)\mathrm{P}+\left|\mathrm{I}\right|\mathrm{E}$
[39]	${\mathrm{n}}_{\mathrm{a}}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\left(\mathrm{n}+{\mathrm{n}}_{\mathrm{v}}\right)\left|\mathrm{G}\right|$	$\left({\mathrm{n}}_{\mathrm{a}}+\left|{\mathrm{A}}_{\mathrm{U}}\right|\right)\left|\mathrm{G}\right|$	(2$\left|{\mathrm{A}}_{\mathrm{C}}\right|+1)\left|\mathrm{G}\right|+\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(5\left|{\mathrm{A}}_{\mathrm{C}}\right|+1\right)\mathrm{E}$	$\left(3\left|\mathrm{I}\right|\right)\mathrm{P}+\left|\mathrm{I}\right|\mathrm{E}$
[Ours]	${\mathrm{n}}_{\mathrm{a}}\left|{\mathrm{G}}_{\mathrm{T}}\right|+\left(\mathrm{n}+{\mathrm{n}}_{\mathrm{v}}+1\right)\left|\mathrm{G}\right|$	$({\mathrm{n}}_{\mathrm{a}}+\left|{\mathrm{A}}_{\mathrm{U}}\right|+2)\left|\mathrm{G}\right|$	(2$\left|{\mathrm{A}}_{\mathrm{C}}\right|+1)\left|\mathrm{G}\right|$ +$\left|{\mathrm{G}}_{\mathrm{T}}\right|$	$\left(3\left|{\mathrm{A}}_{\mathrm{C}}\right|+2\right)\mathrm{E}$	$\left(2\left|\mathrm{I}\right|+1\right)\mathrm{P}+\left|\mathrm{I}\right|\mathrm{E}$

shows the comparison of storage overhead and encryption and decryption computation costs.

Table 3. Summary of notations.

Notation	Description
$\left|G\right|$	No. of bits needed to represent an element in group $G$
$\left|G_T\right|$	No. of bits needed to represent an element in group$G_T$
$\left|I\right|$	No. of attributes of satisfying set
$n$	The size of universe of attributes
$A_C$	Attribute set used in encryption
$A_U$	User’s attribute set
$E$	One exponential operation
$P$	One pairing operation
$n_a$	Count of AAs in the system
$n_v$	Number of values all the attributes in the system may have (an attribute may have multiple values)

presents a summary of the notations that are used in the comparison.

From the above numerical performance analysis, it can be observed that the key generation time of our scheme and schemes [23,39] are comparable, while other schemes have shorter key generation times. The reason for this is that either they are single-authority or not provide privacy preservation features. The numerical decryption time of our scheme is less than that of the others, as the number of exponentiation operations performed is less.

6.3. Implementation Result

Through the characteristic comparison presented in Table 1, our scheme SP-MAACS has been shown to be better than other schemes in terms of features attained. We implemented our scheme and the fully secure decentralized CP-ABE scheme [26] and assessed the performance. The authors of fully secure decentralized CP-ABE presented two constructions [26] and demonstrated them to be secure under the standard model. Their first construction used a composite-order bilinear group and was confirmed to be fully secure by taking static assumptions. The scheme applies to any monotone access structure.

6.3.1. Implementation Environment

The SP-MAACS scheme and the fully secure decentralized CP-ABE scheme [26] were implemented using the well-developed and robust JPBC library [51]. We used the Eclipse IDE to implement the simulation code and the code was written in Java. The tests were conducted on a laptop running Windows 10 (64-bit) and equipped with a 2.50 GHz Intel (R) i5-3210M processor and 4 gigabytes of RAM.

6.3.2. Implementation Setup

ABE schemes can be implemented using pairing-based cryptography. The Java Pairing Based Cryptography JPBC library [51] is extensively used in developing cryptographic solutions. While configuring JPBC, the following .jar files are included: jpbc-pbc-v2.0.0-m.jar, jpbc-plaf-v2.0.0-m.jar, jpbc-api-v2.0.0-m.jar, jpbc-crypto-v2.0.0-m.jar, and bcprov-jdk16-1.46.jar. JPBC includes various packages such as api, util, pairing, field, etc. Some interfaces for pairing functions, finite fields, and elliptic curves are provided by package api. Package util offers support for mathematical operations and other functions. Package pairing and field are the concrete realizations of the interfaces offered by package api. JPBC supports a variety of elliptic curve types. Type A, Type A1, Type D, Type E, Type F, and Type G are included. This experiment was conducted on the group of elliptic curves of Type A1. Their order is the product of three primes of length 517 bits. In the global setup method, while performing setup for the central authority, the Boneh–Lynn–Shacham signature scheme, called the BLS signature, was implemented. A BLS signature enables a user to validate the authenticity of a signer. Signatures are created as elements in elliptic curve groups and verified using a pairing function. The Junit testing framework was used for testing the implemented classes.

6.3.3. System Setup

Exponentiations and pairing operations in the above algorithms for the encryption and decryption process account for a large portion of the computational overhead of CP-ABE systems; thus, we analyzed the encryption and decryption cost of our scheme. For the analysis purpose, we assumed that in our system, five attribute authorities are responsible for attribute management. In addition, it was assumed that each authority manages five attributes. Each attribute may have any one of the possible attribute values. We also implemented a secure signature scheme, which was used by CA to sign the user key, and AA use verified the algorithm to perform the verification of the key.

6.3.4. Result Analysis

Figure 3 illustrates the computation time of the encryption, key generation, and decryption algorithms. Each algorithm’s experimental outcome was the mean of 10 independent runs. Figure 3a presents a graph between the encryption time and the attribute count in the access control policy. We took several attributes on the X-axis in the range of 5 attributes to 25 attributes. We have already mentioned that our scheme considers the DNF access structure and the scheme [26] uses a traditional AND-OR access structure. Typically, when a data owner decides on an access policy, they start to build it by combining many possibilities using the “OR” gate. This standard method of specifying access policy corresponds to the DNF structure used by our approach. The time taken for encryption in our scheme is higher because we perform encryption for every access sub-structure clause. This, in turn, increases the number of ciphertext components. It can be observed that the encryption activity is less frequent. Due to the vast computational power and storage capacities of the cloud, increased encryption time and storage needs are acceptable.

Figure 3b shows the key generation time versus attribute count in the satisfying set. In SP-MAACS, the key generation time is higher, as the user secret key contains the identity and attribute-value-related key components in addition to the authority-related keys. We use identity and attribute-value-related keys to provide collision resistance and privacy preservation features. The central authority CA of the system registers the user and issues them identity-related keys, and are the keys are issued to the user by the CA (shown in the construction of the scheme). The user may have multiple values for their attributes. The attribute authority AA issues both authority-related and attribute-value-specific keys to the user. Scheme [26], on the other hand, only considers keys provided by the attribute authority. Therefore, we compromise key generation time to deliver more functionality. Figure 3c shows a graph between the decryption times and attribute count. In Figure 3c, attributes present in policy and attribute count in the satisfying sets are shown on the dual X-axis. While performing decryption, the user can determine the smallest satisfying set out of the policy defined by the owner of the data. In general, we can assume that on average 50% of the attributes make a satisfying subset out of the total attributes present in the policy. For example, if an access control policy contains 20 attributes in it, then in general the AND-OR combination requires that the user should carry on average 10 attributes for satisfying it or the policy require only 10 attributes to fulfill it. The DNF clause, which matches the attribute and its value in the user-supplied keys, is only utilized during the decryption process. Since there is no requirement for attribute matching with the whole access structure, our scheme takes less decryption time and improves decryption efficiency in comparison to the scheme [26]. This improvement in decryption time satisfies the major requirement of healthcare data sharing, where a doctor wants to access a patient’s EHR data quickly in a life-critical situation.

In summary, our scheme simultaneously provides features of multi-authority, privacy preservation, efficient decryption, and adaptive security. The increase in storage cost and encryption time is affordable, as cloud storage is available at a very nominal cost and encryption activity is performed less frequently. The users may ask for the download and decryption of the ciphertext randomly as per their requirement, so it is a frequent process. Thus, reducing the decryption cost is beneficial.

7. Conclusions

Today, the cloud is the most obvious data-sharing platform for the healthcare sector, and ABE schemes can be used to provide access control on outsourced EHR data in encrypted form. In order to share data on cloud storage servers, this article suggests the SP-MAACS scheme, a completely secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Data owners may now freely share their data with all users in both open and closed domains. This makes the system scalable and adaptable. The partially hidden access policy protects user as well as data owner privacy. Our implementation results demonstrate that the scheme achieves an improvement in decryption cost despite the scheme being privacy-preserving and providing adaptive security under the standard model. The efficiency of decryption can be further increased by outsourcing the decryption to proxy servers in the future. Healthcare data management and privacy protection are currently one of the most active blockchain research areas. Combining the proposed control scheme with blockchain technology could improve security, privacy, and audibility.