STEAC: Towards secure, traceable, and efficient cryptographic access control scheme in smart healthcare

Abstract

Smart Healthcare (SHC) plays an increasingly greater role in improving the quality of health care, which has been widely concerned by researchers, hospitals and governments. In SHC, it is crucial that a patient’s health data is readily accessible to authorized nurses, doctors, and emergency services. To realize the easy access while protecting the privacy of patients’ data, ciphertext-policy attribute-based encryption (CP-ABE) has been widely used to achieve secure data sharing and support fine-grained access control. However, the existing CP-ABE schemes have three flaws for SHC. First, CP-ABE with partially hidden of access policies may also leak user’s attribute privacy. Second, malicious user may disclose patient’s health records and these records can not be traced. Third, it is less efficient that the data user, who does not have right to access data, downloads the whole ciphertext. In this paper, we design STEAC to address the above problems. To solve the first problem, we introduce the garbled Bloom filter method to realize fully hidden of access policies. For solving the second problem, we use the transaction-based blockchain scheme to trace the ciphertext storage and access. And before the real decryption, a decryption test operation is added to overcome the third flaw. Finally, security analysis and comprehensive performance evaluation also demonstrate STEAC is secure in standard model and is also more efficient than the previous schemes.

Appendix: Decryption Test Correctness Proof

In the decryption test phase, we use Test algorithm to test whether data user’s attribute set satisfies the access policy created by data owner. First, we compute the row index set S_RI by running RIGBFQuery algorithm and get a sub-matrix \(\mathbb {M}_{S}\). If the data user’s attribute set satisfies the access policy, there exists a vector ω satisfies

$$ \mathbb{M}_{S}^{T}\cdot \mathbf{\omega} = \mathbf{b}, $$

(1)

where \(\mathbf {b}=\left (1,0,...,0\right )^{T}\) and \(\mathbf {\omega }=\left (\omega _{1},\omega _{2},...,\omega _{I}\right )^{T}\). It is a sufficient but unnecessary condition. Next, we compute

$$ \begin{array}{ll} A=\hat{e}\left( K,C_{t}^{\prime}\right)=\hat{e}\left( g^{\alpha}g^{at},g^{s^{\prime}}\right)=\hat{e}\left( g,g\right)^{s^{\prime}\left( \alpha+at\right)}, \end{array} $$

and

$$ \begin{array}{@{}rcl@{}} D&=&{\prod}_{1\leq j \leq I}{\hat{e}\left( L,Ct_{i_{j}}\right)}^{\omega_{j}} ={\prod}_{1\leq j \leq I}{\hat{e}\left( g^{t},g^{a\gamma_{i_{j}}}\right)}^{\omega_{j}}\\ &=&{\prod}_{1\leq j \leq I}{\hat{e}\left( g,g\right)}^{at\gamma_{i_{j}} \omega_{j}}=\hat{e}(g,g)^{at{\sum}_{1\leq j \leq I}{\gamma_{i_{j}} \omega_{j}}}, \end{array} $$

(2)

where K, L are secret keys of the data user and i_j ∈ S_RI = {r₁,r₂,...r_I}. Let \(\mathbf {\gamma }^{\prime }=\left (\gamma _{i_1},\gamma _{i_2},...,\gamma _{i_I}\right )\). And since \(\mathbb {M}\cdot \mathbf {v}=\mathbf {\gamma }\), we have \(\mathbb {M}_S\cdot \mathbf {v}=\mathbf {\gamma }^{\prime }\). Moreover, we can get \(\mathbf {v}^T\cdot \mathbb {M}_S^T=\mathbf {\gamma }^{{\prime }T}\) by transposing both sides of the equation. Next, by (1), we get \(\mathbf {v}^T\cdot \mathbb {M}_S^T\cdot \mathbf {\omega }=\mathbf {\gamma }^{{\prime }T}\cdot \mathbf {\omega }\), that is \(\mathbf {v}^T\cdot \mathbf {b}=\mathbf {\gamma }^{{\prime }T}\cdot \mathbf {\omega } = s^{\prime }\). Therefore, one has \(D=\hat {e}\left (g,g\right )^{s^{\prime }at}\) based on (2).

Finally, if the data user is valid, \({C}_{t}={Y}^{{s}^{\prime }}=\hat {e}\left (g,g\right )^{\alpha {s}^{\prime }}\) must be equal to

$$ A/D=\hat{e}\left( g,g\right)^{{s}^{\prime}\left( \alpha + at \right)}/\hat{e}\left( g,g\right)^{{s}^{\prime} at}=\hat{e}\left( g,g\right)^{\alpha{s}^{\prime}}. $$

Otherwise, data user doesn’t have access right to this ciphertexts. Thus, the proof of the decryption test is completed.

1.1 Decryption Correctness Proof

According to the equation in the real decryption, we have

$$ B=\frac{\hat{e}\left( {C}^{\prime},K\right)}{{\prod}_{1\leq {j} \leq {I}}\left( \hat{e}({C}_{{i}_{j}},L)\cdot \hat{e}({D}_{{i}_{j}},{K}_{{x}_{j}})\right)^{\omega_{j}}} =\frac{\hat{e}\left( g,g\right){\!}^{s(\alpha+at)}}{{\prod}_{1\leq {j} \leq {I}}{\left( \hat{e}\left( {g}^{a{\lambda}_{{i}_{j}}},{g}^{t}\right)\hat{e}\left( {h}_{\rho({i}_{j})}^{-{r}_{{i}_{j}}},{g}^{t}\right)\hat{e}\left( {h}_{{x}_{j}}^{t},{g}^{{r}_{{i}_{j}}}\right)\right){\!}^{\omega_{j}}}}. $$

Since RIGBFQuery(x_j) = i_j and we use the RIGBF to remove the function ρ(⋅), we have ρ(i_j) = x_j. Then

$$ B=\frac{\hat{e}\left( g,g\right)^{s(\alpha+at)}}{{\prod}_{1\leq j \leq I}\hat{e}\left( g,g\right)^{at\lambda_{i_{j}}\omega_{j}}}=\frac{\hat{e}\left( g,g\right)^{s(\alpha+at)}}{\hat{e}\left( g,g\right)^{at{\sum}_{1\leq j \leq I}{\lambda_{i_{j}}\omega_{j}}}}. $$

We have \(\mathbb {M}_{S}\cdot \mathbf {u}=\mathbf {\lambda }^{\prime }\) since \(\mathbb {M}\cdot \mathbf {u}=\mathbf {\lambda }\), where \(\mathbf {\lambda }^{\prime }=\left (\lambda _{i_{1}},\lambda _{i_{2}},...,\lambda _{i_{I}}\right )^{T}\). Further, we get \({\sum }_{1\leq j \leq I}{\lambda _{i_{j}}\omega _{j}}=s\), this is due to

$$ \mathbf{u}^{T}\cdot\mathbb{M}_{S}^{T}\cdot \mathbf{\omega}=\mathbf{\lambda}^{{\prime}T}\cdot \mathbf{\omega}=s. $$

Then we have \(B=\hat {e}\left (g,g\right )^{\alpha s}\) and get the plaintext by \(C/B={\mathscr{M}}\). The correctness proof of the decryption is completed.