An Efficient Encryption Scheme with Fully Hidden Access Policy for Medical Data
Round 1
Reviewer 1 Report
In this paper, the authors propose a safe and efficient data sharing scheme, which combine CP-ABE scheme and symmetric encryption scheme to encrypt integrated medical data. They use Attribute Bloom Filter (ABF) to implement access policy hiding in CP-ABE scheme. Meanwhile, they use an outsourced decryption scheme to improve computational efficiency in CP-ABE scheme. The obtained analysis results prove that the performance of the proposed scheme. In addition, the structure of this paper is well organized and explanation of key part is clear, thus the paper is easy to understand. However, the reviewer has some comments, as are listed below.
Main concerns
1- The Related Work must be updated. The most of paper cited in section 2 are published before 2018. There are new references that allow to better establish the position within the state of the art of the proposed work.
2- In section 6, the authors present the proof of three theorems to prove the efficiency of their model. However, the authors should make more efforts to explain the proof of theorem 3 to prove that the outsourced decryption algorithm is also selectively CPA-secure in our CP-ABE scheme.
Minor details:
1- I suggest the authors add their paper's structure at the end of “Introduction”.
2- In line 382, In this section→ In this subsection
Author Response
Thank you very much for your valuable comments that have helped us significantly improve this manuscript. We have carefully revised the manuscript and the following is our response to your comments.
Comment 1: - The Related Work must be updated. The most of paper cited in section 2 are published before 2018. There are new references that allow to better establish the position within the state of the art of the proposed work.
Response: Thanks for your review and valuable comment. We have revised some new references and shown them in orange with ids R1.2 - R1.5.. The details are given as follows. Imam et al. [1] gave a comprehensive study of ABE works associated with E-Health data sharing. Jiang et al. [2] proposed an attributed based encryption protection combined with a blockchain to protect electronic health records in edge cloud environments. In order to solve the issue of data forgery and tampering in medical data sharing, Zhang et al. [3] proposed a block-based attribute-based keyword searchable encryption scheme for health cloud systems. Li et al. [4] used multikey searchable encryption with attribute-based access control to search all the encrypted electronic health records on the cloud. Saravanan et al.[5] proposed a novel enhanced attribute based encryption for secured access in cloud storage for personal health records. Yang et al. [6] considered the centralized power caused by the single attribute authority in current CP-ABE schemes, and proposed a revocable attribute-based encryption electronic health records sharing with multiple authorities in blockchain. Pussewalage et al. [7] introduced a novel attribute-based encryption to share securely outsourced electronic health records of patients, which can enforce multi-level, controlled access delegation.
Su et al.[8] proposed a new attribute-based encryption which supports the hiding policy during the electronic medical data share. Kim et al.[9] introduced a novel conception called authenticable ABE which is used to resolve an attack that incorrectly sets the access policy of the ciphertext against the system rules.
[1] Raza Imam, Kaushal Kumar, Syed Mehran Raza, Rumi Sadaf, Faisal Anwer, Noor Fatima, Mohammad Nadeem, Mohamed Abbas, Obaidur Rahman: A systematic literature review of attribute based encryption in health services. J. King Saud Univ. Comput. Inf. Sci. 34(9): 6743-6774 (2022)
[2] Yu Jiang, Xiaolong Xu, Fu Xiao:Attribute-Based Encryption With Blockchain Protection Scheme for Electronic Health Records. IEEE Trans. Netw. Serv. Manag. 19(4): 3884-3895 (2022)
[3] Fan Zhang, Yinghui Zhang, Gang Han:Blockchain-based attribute-based keyword searchable encryption for health cloud system. Int. J. Embed. Syst. 15(6): 493-504 (2022)
[4] Wanhua Li, Lingling Xu, Yamin Wen, Fangguo Zhang:
Conjunctive multi-key searchable encryption with attribute-based access control for EHR systems. Comput. Stand. Interfaces 82: 103606 (2022)
[5] N. Saravanan, Umamakeswari Arumugam:
Enhanced attribute based encryption technique for secured access in cloud storage for personal health records. Concurr. Comput. Pract. Exp. 34(11) (2022)
[6] Xiaohui Yang, Wenjie Li, Kai Fan: A revocable attribute-based encryption EHR sharing scheme with multiple authorities in blockchain. Peer Peer Netw. Appl. 16(1): 107-125
[7] Harsha Sandaruwan Gardiyawasam Pussewalage, Vladimir A. Oleshchuk: A Delegatable Attribute Based Encryption Scheme for a Collaborative E-Health Cloud. IEEE Trans. Serv. Comput. 16(2): 787-801 (2023)
[8] Jian Su, Leyou Zhang, Yi Mu: BA-RMKABSE: Blockchain-aided Ranked Multi-keyword Attribute-based Searchable Encryption with Hiding Policy for Smart Health System. Future Gener. Comput. Syst. 132: 299-309 (2022)
[9] Intae Kim, Willy Susilo, Joonsang Baek, Jongkil Kim:Harnessing Policy Authenticity for Hidden Ciphertext Policy Attribute-Based Encryption. IEEE Trans. Dependable Secur. Comput. 19(3): 1856-1870 (2022)
Comment 2: In section 6, the authors present the proof of three theorems to prove the efficiency of their model. However, the authors should make more efforts to explain the proof of theorem 3 to prove that the outsourced decryption algorithm is also selectively CPA-secure in our CP-ABE scheme.
Response: Thanks for your review and valuable comment. We rewrite the proof of theorem 3. Because the previous content only briefly describes the outsourcing decryption security process, did not focus on the successful attack on Green to achieve selectively-CPA secure. After modification, we emphasize that in the process of implementing simulated attacks, the secret key generation phase of Phase 1 and Phase 2 is the same. We shown them in orange with ids R1.10. The details are given as follows. The outsourced decryption scheme in our CP-ABE algorithm is same as Green's scheme expect that the generated values are different during the transform phase. In Green's outsourced decryption scheme, it needs a fixed component secret key to generate the transformation key in transformation phase. In our outsourced decryption scheme, OCS generates a intermediate value $\tilde{E}=e(m,g)^{\frac{-rs}{z}}$, which is unrelated with $e(g,g)^{\sigma s}$. Although the method of transformation key is different, the method of secret key is the same. Therefore, the response method of secret query in Phase 1 and Phase 2 is same as Green. If there is an adversary $\mathcal{A}$ can break our CP-ABE scheme of outsourced decryption with non-negligible advantage, then another adversary $\mathcal{B}$ can be constructed to break Green scheme with non-negligible advantage.
Comment 3: I suggest the authors add their paper's structure at the end of “Introduction”.
Response: Thanks for your review and valuable comment. We add the paper structure at the end of “Introduction”. And we shown them in orange with ids R1.1. “Specifically, this work is organized as follows. In Section 2, we introduce the literature related to the research content of this paper. In Section 3, we briefly reviewed the concepts and definitions relevant to this paper. In Section 4, after describing an efficient encryption and decryption framework with a fully hidden access policy, we present the relevant security model. In Section 5, we give a specific encryption and decryption scheme with a completely hidden access policy. In Section 6, its security is analyzed. In Section 7, the performance is analyzed through experiments. We conclude this paper in Section 8.”
Comment 4: In line 382, In this section→ In this subsection
Response: Thanks for your review and valuable comment. We modify all inappropriate content about “In this section” in the paper. We shown them in orange from ids R1.6 to R1.8.
Author Response File: 
Author Response.pdf
Reviewer 2 Report
Review of paper 2393790
Realizing ”An Efficient Encryption Scheme with Fully Hidden Access Policy for Medical Data” and controlling of data owner access to medical records, in one scientific paper, is contributing to the development of patient-hospital relation.
|
Introduction |
|
|
Does the introduction provide sufficient background information for readers not in the immediate field to understand the problem / hypotheses? |
Yes. The chapter 1 of the paper presents the introduction of cloud storage technology in the last decade or so. It underlines that the medical data is the foundation of hospital development, because medical data can be used as materials to promote the development of medical research in teaching and scientific research |
|
Are the reasons for performing the study clearly defined? |
Yes, the reasons for making an efficient encryption scheme with fully hidden access policy for medical data are quite clear. |
|
Are the study objectives clearly defined? |
The main objective is to develop a safe and efficient data sharing scheme, which combine CP-ABE scheme and symmetric encryption scheme to encrypt integrated medical data. |
|
2. Literature Review and Model Development |
|
|
Is the literature cited balanced or are there important studies not cited, or other studies disproportionately cited? |
The cited literature in this work is related to the topics of Cryptographic Solutions for Cloud Storage, Big data security and privacy, homomorphic encryption, Fuzzy Identity-Based Encryption, as well as Secure Access for Healthcare Data in the Cloud. |
|
Please identify statements that are missing any citations, or that have an insufficient number of citations, given the strength of the claim made. |
Found none. |
|
3. Methodology and Data |
|
|
Are the methodology and data used appropriate to the purpose of the research? |
Yes. |
|
Is sufficient information provided for a capable researcher to reproduce the experiments described? |
Yes. |
|
Are any additional experiments required to validate the results of those that were performed? |
Maybe more testing. |
|
Are there any additional experiments that would greatly improve the quality of this paper? |
Experience would support the development. |
|
Are appropriate references cited where previously established methods are used? |
Yes |
|
4. Results |
|
|
Are the results clearly explained and presented in an appropriate format? |
Yes. |
|
Do the figures and tables show essential data or are there any that could easily be summarized in the text? |
Yes. |
|
Are any of the data duplicated in the graphics and/or text? |
Didn’t find any. |
|
Are the figures and tables easy to interpret? |
Yes. |
|
Are there any additional graphics that would add clarity to the text? |
The multitude of data collected and operated would give better resolution upon it. |
|
Have appropriate statistical methods been used to determine the significance of the results? |
Can be improved. |
|
5. Conclusions and Implications |
|
|
Are all possible interpretations of the data considered or are there alternative hypotheses that are consistent with the available data? |
The Analysis of the data is made in the chapter 7. |
|
Are the findings properly described in the context of the published literature? |
Yes. |
|
Are the limitations of the study discussed? If not, what are the major limitations that should be discussed? |
May be presented a little bit more. |
|
Are the conclusions of the study supported by appropriate evidence or are the claims exaggerated? |
Conclusions are shortly summarized, outlining the data security sharing solution in Internet hospitals, and the fact that CP-ABE scheme is used to achieve fine-grained access control for symmetric keys and solves the problem of low computational efficiency. |
|
Significance and Novelty |
|
|
Are the claims in the paper sufficiently novel to warrant publication? |
Yes. |
|
Does the study represent a conceptual advance over previously published work? |
Yes, it does, by achieving a fully hidden access policy by using Attribute Bloom Filter in the improved CP-ABE scheme. |
|
Journal Selection |
|
|
Is the target journal (if known) appropriate? If not, why not? |
Yes |
|
What is the likely target audience of this paper? |
This scientific paper is useful mainly to hospital digital system staff, digital technicians and cloud development engineers. |
|
Minor comments |
|
|
Please refer to the comments in the edited manuscript file for minor comments. |
Minor revisions: The conclusion chapter should be enhanced and provided with statistical appreciation of the differences between the results achieved by this paper and other research. |
|
Major comments |
|
|
To publish this paper in your target journal, the following revisions are strongly advised: |
- |
Comments for author File: Comments.pdf
Author Response
Thank you very much for your valuable comments that have helped us significantly improve this manuscript. We have carefully revised the manuscript and the following is our response to your comments.
Comment 1: The conclusion chapter should be enhanced and provided with statistical appreciation of the differences between the results achieved by this paper and other research.
Response: Thanks for your review and valuable comment. We have modified the conclusion. The details are given as follows. “We adopt the method of outsourcing decryption to solve the problem of low computing efficiency. Through the experimental comparison analysis, the outsourcing decryption efficiency of this scheme is higher than that of other schemes.” It explains that this paper is different from other contents, which is marked in blue in the paper with the id of R2.1.
Comment 2: Question about the limitations of the study discussed.
Response: Thanks for your review and valuable comment. In the last sentence of the conclusion, we add the contents that are not implemented in this paper and the limitations of this study. It is marked in blue in the paper, and the marked id is R2.2. The details are given as follows. However, the paper uses attribute Bloom filters and hybrid encryption methods to enhance security while prolong encryption time.
Comment 3: Question about the multitude of data collected and operated.
Response: Thanks for your review and valuable comment. In terms of data collected and operated, our team has collected over 30000 annotated TCM medical records, including over 3000 TCM syndrome types, over 1000 Chinese herbal medicines, and over 4000 prescriptions. The collection includes 9765 clinical photos of tongue surface with diagnostic markers, 29482 transthoracic echocardiography, and 29186 skin lesion images. It has formed one set of knowledge association rules and 9 sets of physique identification plans for "symptom syndrome formula solution" based on disease formation, which can be continuously supplemented and optimized with the development and operation of the platform. In our experimental analysis, we only utilized a portion of data for verifying the performance of our construction.
Author Response File: Author Response.pdf
Round 2
Reviewer 1 Report
Authors have addressed all my comments.
