
Privacy-Preserving Authentication for Tree-Structured Data with Designated Verification in Outsourced Environments

  • Conference paper
  • Provable and Practical Security (ProvSec 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12505)

Abstract

Nowadays, the use of database outsourcing is on the rise. Since the service provider may not be fully trusted, a crucial requirement in outsourced data sharing is to ensure that users can verify the integrity and authenticity of their query results. In outsourced healthcare data sharing, because the data contains sensitive information, an equally significant issue is to guarantee that the sharing process does not lead to any information leakage. Though some privacy-preserving authentication solutions have been presented to address these issues, unfortunately, none of them consider the risk of privacy leakage during the dissemination of authenticated healthcare data. That is, the queried data may be leaked by the user, since any third party getting hold of signed data would be convinced of its validity. In other words, for privacy reasons, we need a secure mechanism to ensure that only a specific receiver can check the integrity and authenticity of shared outsourced data.

To address these concerns, we propose a privacy-preserving authentication scheme with designated verification for tree-structured data (i.e., XML-based healthcare records). We provide the formal definition and related security properties of our scheme. We further put forward our concrete construction and prove its security under a standard cryptographic assumption in the random oracle model. The comparative analysis, both theoretical and experimental, shows that our scheme provides stronger privacy protection than existing schemes while having the shortest key length and signature size. Therefore, our construction is efficient and practical for outsourced environments.


References

  1. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
  2. Brzuska, C., et al.: Redactable signatures for tree-structured data: definitions and constructions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 87–104. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_6
  3. Chatterjee, S., Hankerson, D., Knapp, E., Menezes, A.: Comparing two pairing-based aggregate signature schemes. Des. Codes Crypt. 55(2–3), 141–167 (2010)
  4. Chatterjee, S., Menezes, A.: On cryptographic protocols employing asymmetric pairings - the role of \(\Psi \) revisited. Discret. Appl. Math. 159(13), 1311–1322 (2011)
  5. Derler, D., Krenn, S., Slamanig, D.: Signer-anonymous designated-verifier redactable signatures for cloud-based data sharing. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 211–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_13
  6. Ferrara, A.L., Green, M., Hohenberger, S., Pedersen, M.Ø.: Practical short signature batch verification. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 309–324. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_21
  7. Goodrich, M.T., Tamassia, R., Triandopoulos, N.: Efficient authenticated data structures for graph connectivity and geometric search problems. Algorithmica 60(3), 505–552 (2011)
  8. Groß, T.: Efficient certification and zero-knowledge proofs of knowledge on infrastructure topology graphs. In: CCSW 2014, pp. 69–80. ACM (2014)
  9. Hachicha, M., Darmont, J.: A survey of XML tree patterns. IEEE Trans. Knowl. Data Eng. 25(1), 29–46 (2013)
  10. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_17
  11. Kundu, A., Atallah, M.J., Bertino, E.: Efficient leakage-free authentication of trees, graphs and forests. IACR Cryptology ePrint Archive 2012, 36 (2012)
  12. Kundu, A., Atallah, M.J., Bertino, E.: Leakage-free redactable signatures. In: CODASPY 2012, pp. 307–316. ACM (2012)
  13. Kundu, A., Bertino, E.: Structural signatures for tree data structures. Proc. VLDB Endow. 1(1), 138–150 (2008)
  14. Kundu, A., Bertino, E.: How to authenticate graphs without leaking. In: EDBT 2010, pp. 609–620. ACM (2010)
  15. Kundu, A., Bertino, E.: Privacy-preserving authentication of trees and graphs. Int. J. Inf. Secur. 12(6), 467–494 (2013). https://doi.org/10.1007/s10207-013-0198-5
  16. Liu, J., Ma, J., Zhou, W., Xiang, Y., Huang, X.: Dissemination of authenticated tree-structured data with privacy protection and fine-grained control in outsourced databases. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 167–186. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_9
  17. de Meer, H., Pöhls, H.C., Posegga, J., Samelin, K.: Redactable signature schemes for trees with signer-controlled non-leaf-redactions. In: Obaidat, M.S., Filipe, J. (eds.) ICETE 2012. CCIS, vol. 455, pp. 155–171. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44791-8_10
  18. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
  19. Mihara, A., Tanaka, K.: Universal designated-verifier signature with aggregation. In: ICITA 2005, pp. 514–519. IEEE (2005)
  20. Mykletun, E., Narasimha, M., Tsudik, G.: Signature bouquets: immutability for aggregated/condensed signatures. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 160–176. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30108-0_10
  21. Samelin, K., Pöhls, H.C., Bilzhause, A., Posegga, J., de Meer, H.: On structural signatures for tree data structures. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 171–187. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_11
  22. Samelin, K., Pöhls, H.C., Bilzhause, A., Posegga, J., de Meer, H.: Redactable signatures for independent removal of structure and content. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 17–33. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29101-2_2
  23. Steinfeld, R., Bull, L., Wang, H., Pieprzyk, J.: Universal designated-verifier signatures. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 523–542. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_33
  24. Uzunkol, O., Kiraz, M.S.: Still wrong use of pairings in cryptography. Appl. Math. Comput. 333, 467–479 (2018)
  25. Wang, J., Chen, X., Huang, X., You, I., Xiang, Y.: Verifiable auditing for outsourced database in cloud computing. IEEE Trans. Comput. 64(11), 3293–3303 (2015)
  26. Zhu, F., Wu, W., Zhang, Y., Chen, X.: Privacy-preserving authentication for general directed graphs in industrial IoT. Inf. Sci. 502, 218–228 (2019)
  27. Zhu, F., Zhang, Y., Lin, C., Wu, W., Meng, R.: A universal designated multi-verifier transitive signature scheme. In: Chen, X., Lin, D., Yung, M. (eds.) Inscrypt 2017. LNCS, vol. 10726, pp. 180–195. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75160-3_12


Acknowledgment

We have no conflicts of interest regarding this work. We would like to thank the anonymous reviewers for their valuable comments.

Author information

Correspondence to Fei Zhu or Xinyi Huang.

Appendix A

Proof of Theorem 1. The proof is similar to [16, 19]. Given \(w\in \mathbb {G}_1\) and \(g_2, u, v \in \mathbb {G}_2\), where \(u={g_2}^{a}, v={g_2}^{b}\) and \(w={g_1}^{c}\) for some unknown \(a,b,c \in \mathbb {Z}_q\), we show how the adversary \(\mathcal {B}\) can use the forger \(\mathcal {A}\) to obtain the value \(\hat{e}(g_1,g_2)^{abc}\).

  • Setup Phase: \(\mathcal {B}\) randomly chooses \(r_1, r_2 {\mathop {\longleftarrow }\limits ^{\$}} \mathbb {Z}_q\), and sets \(y_s =u \cdot {g_2}^{r_1} \in \mathbb {G}_2 \) and \(y_v =v \cdot {g_2}^{r_2} \in \mathbb {G}_2 \) as the signer’s public key and the DV’s public key respectively. \(\mathcal {B}\) returns \((g_2, y_s , y_v)\) to \(\mathcal {A}\).

  • Hash Queries: In this process, \(\mathcal {A}\) has access to a hash oracle \(H(\cdot )\) at any time. Note that \(\mathcal {B}\) acts as the oracle in our proof. To respond to \(\mathcal {A}\)’s queries, \(\mathcal {B}\) maintains a list of tuples L(m, h, d, c) (initially, \(L(\cdot ,\cdot ,\cdot ,\cdot )=\phi \)) as explained below. Each time \(\mathcal {A}\) queries the hash oracle \(H(\cdot )\) at a point \(m\in \{0,1\}^*\), \(\mathcal {B}\) responds as follows:

    1. If m already exists in the L-list in some tuple \((m_i,h_i,d_i,c_i)\), then \(\mathcal {B}\) looks it up in the list and responds with \(H(m_i) = h_i \in \mathbb {G}_1\).

    2. Otherwise, \(\mathcal {B}\) randomly flips a coin \(c_i \in \{0,1\}\), so that \(\text {Pr}[c=0]=1/(n q_S+n) \).

    3. \(\mathcal {B}\) randomly chooses \(d_i {\mathop {\longleftarrow }\limits ^{\$}} \mathbb {Z}_q\). If \( c_i =0\) holds, he computes \(h_i \leftarrow w_i \cdot \psi (g_2)^{d_i} \in \mathbb {G}_1\); otherwise, he computes \(h_i \leftarrow \psi (g_2)^{d_i} \in \mathbb {G}_1\).

    4. \(\mathcal {B}\) adds the item \((m_i,h_i,d_i,c_i)\) to the L-list and answers \(\mathcal {A}\)’s query with \(H(m_i)=h_i\).

    Note that each time, from the perspective of \(\mathcal {A}\), \(h_i\) is uniform in \(\mathbb {G}_1\) and hence its distribution is identical to the real construction.

  • Signature Queries: Let a tree \(T=(V,E )\) be a signing query requested by \(\mathcal {A}\) under the signer’s public key \(y_s\). To respond to the query, \(\mathcal {B}\) proceeds as follows:

    1. As in our Sign algorithm, \(\mathcal {B}\) carries out a traversal on T and generates secure names \(\theta _{{u_i}}\) and \(\theta _{p_{u_i}} \) for each node \({u_i} \in V\) and its parent respectively.

    2. \(\mathcal {B}\) operates as in Hash Queries to obtain an \(h_i \in \mathbb {G}_1\) such that \(H(m_i)=h_i\). Let \((m_i,h_i,d_i,c_i)\) be the item in the L-list corresponding to each node \({u_i}\). If \(c_i=0 \) holds, \(\mathcal {B}\) returns \(\bot \) to indicate failure and terminates.

    3. If \(c_i=1 \) holds for all \({u_i} \in V\), and hence \(h_i \leftarrow \psi (g_2)^{d_i} \in \mathbb {G}_1\), \(\mathcal {B}\) defines \(\sigma _{i}= \psi (u)^{d_i} \cdot \psi (g_2)^{r_1 d_i} \in \mathbb {G}_1\). Observe that \(\sigma _{i}={h_i}^{a+r_1} \) and hence that \(\sigma _{i}\) is a valid signature on \(m_i\) under the public key \(y_s= {g_2}^{a+r_1} \).

    4. \(\mathcal {B}\) computes \(\sigma _T'= \prod _{i=1}^n \sigma _{i}\) and returns \(\sigma _{T}\leftarrow ( \sigma _{T}', \varTheta _{T})\) to \(\mathcal {A}\), where \(\varTheta _{T} \leftarrow \{( \theta _{{u_i}} , \theta _{p_{u_i}} )| {u_i} \in V \} \).

  • Output Phase: Eventually, \(\mathcal {A}\) halts. \(\mathcal {A}\) either outputs \(\bot \) to indicate failure or forges a valid DV signature \({\sigma _{T_{\delta }}^{ds'}}^*\) for a tree \(T_{\delta }^*=(V_{\delta }^*,E_{\delta }^* )\) such that no node \(u_i \in V_{\delta }^*\) (\(1\le i\le k\)) has been queried during the Signature Queries phase. Note that if there is no item \((m_i,h_i,d_i,c_i)\) in the L-list for some node in \(V_{\delta }^*\), then \(\mathcal {B}\) can easily operate as in the Hash Queries phase to obtain the corresponding items by himself. Again, we stress that \({\sigma _{T_{\delta }}^{ds'}}^*\) must be a valid signature; otherwise, \(\mathcal {B}\) returns \(\bot \) to indicate failure and terminates. \(\mathcal {B}\) will not abort when \(c_1 =0\) and \(c_i=1\) \((2\le i\le k)\). If \(c_1=0\), we have \(h_1 =w \cdot {\psi (g_2)}^{d_1} \). For \(2\le i\le k\), since \(c_i=1\), we have \(h_i = {\psi (g_2)}^{d_i}\). Note that the signature \({\sigma _{T_{\delta }}^{ds'}}^* \) must be successfully verified by DeVerify. That is, the equation \({\sigma _{T_{\delta }}^{ds'}}^* = \hat{e}({y_s}^{x_v}, \prod _{i=1}^k h_{i})\) holds. \(\mathcal {B}\), therefore, computes

    $$\begin{aligned}\begin{aligned} {\sigma _{T_{\delta }}^{ds'}}^*&= \hat{e}({y_s}^{x_v}, h_1) \cdot \hat{e}({y_s}^{x_v}, \prod _{i=2}^k h_{i}) = \hat{e}({y_s}^{x_v}, w \cdot {\psi (g_2)}^{d_1} ) \cdot \hat{e}({y_s}^{x_v}, \prod _{i=2}^k {\psi (g_2)}^{d_i}) \\&= \hat{e}({y_s}^{x_v}, w \cdot {g_1}^{d_1} ) \cdot \hat{e}({y_s}^{x_v}, \prod _{i=2}^k {g_1}^{d_i}). \end{aligned}\end{aligned}$$

    \(\mathcal {B}\) now constructs a value \(\varDelta = \{ \hat{e}({y_s}^{x_v}, \prod _{i=2}^k {g_1}^{d_i}) \cdot \hat{e}(w, u^{r_2}\cdot v^{r_1}\cdot {g_2}^{r_1 r_2}) \cdot \hat{e}(u^{d_1}, \psi (y_v)) \cdot \hat{e}(v\cdot {g_2}^{ r_2}, {\psi (g_2)}^{d_1 r_1}) \}^{-1}\) and computes the required value \(\hat{e}(g_1,g_2)^{abc}\) as \({\sigma _{T_{\delta }}^{ds'}}^* \cdot \varDelta \). This can be easily verified because:

    $$\begin{aligned}\begin{aligned} {\sigma _{T_{\delta }}^{ds'}}^* \cdot \varDelta =&\hat{e}({y_s}^{x_v}, w \cdot {g_1}^{d_1} ) \cdot \hat{e}({y_s}^{x_v}, \prod _{i=2}^k {g_1}^{d_i}) \cdot \varDelta \\ =&\hat{e}({y_s}^{x_v}, w \cdot {g_1}^{d_1} ) \cdot \{ \hat{e}(w, u^{r_2}\cdot v^{r_1}\cdot {g_2}^{r_1 r_2}) \cdot \hat{e}(u^{d_1}, \\&\psi (y_v)) \cdot \hat{e}(v\cdot {g_2}^{ r_2}, {\psi (g_2)}^{d_1 r_1}) \}^{-1} \\ =&\hat{e}(g_1,g_2)^{abc}. \end{aligned}\end{aligned}$$
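    Writing out the exponents makes the cancellation explicit (added working, not part of the original proof). It assumes, as the reduction does, that \(\hat{e}\) is bilinear with \(\psi (g_2)=g_1\), and that the DV's secret key corresponding to \(y_v = v \cdot {g_2}^{r_2}\) is \(x_v = b + r_2\) (made explicit here as an assumption), so that \({y_s}^{x_v}\) has exponent \((a+r_1)(b+r_2)\):

    $$\begin{aligned} \hat{e}({y_s}^{x_v}, w \cdot {g_1}^{d_1}) &= \hat{e}(g_1,g_2)^{(c+d_1)(a+r_1)(b+r_2)} \\ &= \hat{e}(g_1,g_2)^{abc \;+\; c(a r_2 + b r_1 + r_1 r_2) \;+\; a d_1 (b + r_2) \;+\; (b + r_2) d_1 r_1}, \\ \hat{e}(w, u^{r_2}\cdot v^{r_1}\cdot {g_2}^{r_1 r_2}) &= \hat{e}(g_1,g_2)^{c(a r_2 + b r_1 + r_1 r_2)}, \\ \hat{e}(u^{d_1}, \psi (y_v)) &= \hat{e}(g_1,g_2)^{a d_1 (b + r_2)}, \\ \hat{e}(v\cdot {g_2}^{r_2}, {\psi (g_2)}^{d_1 r_1}) &= \hat{e}(g_1,g_2)^{(b + r_2) d_1 r_1}. \end{aligned}$$

    The three exponents in the last three lines sum to exactly the non-\(abc\) part of the first, so dividing by them (which is what the corresponding factors of \(\varDelta \) do, while the \(\prod _{i=2}^k\) factor of \(\varDelta \) cancels the second factor of \({\sigma _{T_{\delta }}^{ds'}}^*\)) leaves \(\hat{e}(g_1,g_2)^{abc}\). Note also that \(\mathcal {B}\) can compute every factor of \(\varDelta \) without knowing \(x_v\): by bilinearity, \(\hat{e}({y_s}^{x_v}, \prod _{i=2}^k {g_1}^{d_i}) = \hat{e}(y_s, \psi (y_v))^{\sum _{i=2}^k d_i}\), and the remaining factors use only \(w, u, v, r_1, r_2, d_1\) and the public keys.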

This completes the description of \(\mathcal {B}\). The running time of \(\mathcal {B}\) consists of three parts, i.e., the running time of \(\mathcal {A}\), the time for \(\mathcal {B}\)’s responses to Hash Queries and Signature Queries, and the time for computing the final \(\mathsf{BDH}\) solution.

We now analyze \(\mathcal {B}\)’s probability of solving the given instance of the \(\mathsf{BDH}\) problem in \((\mathbb {G}_1, \mathbb {G}_2)\), with success probability \(\mathsf{Adv}^{BDH }_{\mathcal {B}}(1^ \lambda )\). \(\mathcal {B}\) succeeds if the following three events occur: (1) \(\mathcal {B}\) does not abort in the Signature Queries phase (denoted \(Ev _1\)), (2) \(\mathcal {A}\) successfully forges a valid DV signature \({\sigma _{T_{\delta }}^{ds'}}^*\) for tree \(T_{\delta }^*=(V_{\delta }^*,E_{\delta }^* )\) (denoted \(Ev _2\)), and (3) event \(Ev _2\) occurs, and \(c_1=0\) and \(c_i=1\) \((2\le i\le k)\), where \(c_i\) is the c-component of the item containing \(m_i\) in the L-list (denoted \(Ev _3\)). Consequently, the success probability of \(\mathcal {B}\) is \(\mathsf{Adv}^{BDH }_{\mathcal {B}}(1^ \lambda ) = Pr [Ev _1 \wedge Ev _3]\). It can further be decomposed as \(Pr [Ev _1 \wedge Ev _3]=Pr [Ev _1]\cdot Pr [Ev _2 |Ev _1] \cdot Pr [Ev _3| Ev _1 \wedge Ev _2] \).

W.l.o.g., we assume that \(\mathcal {A}\) queries the hash oracle \(H(\cdot )\) and the signature of each message only once. Because the c-component of each item in the L-list is independent of \(\mathcal {A}\)’s view, when \(\mathcal {A}\) makes \(q_S\) signature queries, the probability that \(Ev _1\) occurs is \(Pr [Ev _1] \ge 1-1/(n q_S+n)^{n q_S}\). Recall that in \(\mathcal {A}\)’s view, all the settings in our simulation are identical to the real construction. Since \(\mathcal {B}\) does not abort in the simulation, all his responses to \(\mathcal {A}\)’s queries are valid. That is, the probability that \(\mathcal {A}\) outputs a forgery in our RO model is at least \(\mathsf{Adv}^{uf-cma}_{\mathcal {A},\mathsf{DV}-\mathsf{PPAT}}(1^ \lambda ) = \xi \). Therefore, we have \( Pr [Ev _2 |Ev _1] \ge \xi \). Note that the \(c_i\) \((1\le i\le k)\) are all independent of each other. If the events \(Ev _1\) and \(Ev _2\) happen, and \(\mathcal {A}\) generates his forgery in the case that \(c_1=0\) and \(c_i=1\) \((2\le i\le k)\), then the probability \(Pr [Ev _3| Ev _1 \wedge Ev _2] \ge (1-1/(n q_S+n))^{n -1}\cdot 1/(n q_S+n)\). Clearly, we have

$$\begin{aligned}\begin{aligned} \mathsf{Adv}^{BDH }_{\mathcal {B}}(1^ \lambda ) =&Pr [Ev _1 \wedge Ev _3] = Pr [Ev _1]\cdot Pr [Ev _2 |Ev _1] \cdot Pr [Ev _3| Ev _1 \wedge Ev _2] \\ \ge&(1-1/(n q_S+n)^{n q_S}) \cdot \xi \cdot (1-1/(n q_S+n))^{n -1}\cdot \\&1/(n q_S+n) \ge 1/e(n q_S+n) \cdot \xi \\ =&1/e(n q_S+n) \cdot \mathsf{Adv}^{uf-cma}_{\mathcal {A},\mathsf{DV}-\mathsf{PPAT}}(1^ \lambda ), \end{aligned}\end{aligned}$$

as required, which completes the proof.   \(\square \)

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Zhu, F. et al. (2020). Privacy-Preserving Authentication for Tree-Structured Data with Designated Verification in Outsourced Environments. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science, vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_8

  • DOI: https://doi.org/10.1007/978-3-030-62576-4_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-62575-7
  • Online ISBN: 978-3-030-62576-4