An Efficient Encryption Scheme with Fully Hidden Access Policy for Medical Data

Abstract

With the development of informatization, patient medical data are generally stored in the form of electronic medical records. Hospitals store a large amount of medical data on cloud servers, which can ensure the integrity and sharing of medical data. There are many problems when sharing medical data, the most important of which is the security of private data. The ciphertext-policy attribute-based encryption (CP-ABE) algorithm not only supports data encryption, but also supports data access control. The CP-ABE algorithm is applied to medical databases. Through the encryption of medical data and the fine-grained control of data owner access to medical data, the privacy security and sharing security of medical data are realized. However, the traditional CP-ABE algorithm also has problems for the data user regarding access policy privacy leakage and the low efficiency of medical data encryption and decryption. This paper proposes a secure and efficient encryption technique. Medical data are encrypted using a symmetric encryption algorithm, and the CP-ABE algorithm with a fully hidden access policy encrypts the symmetric key. To implement access policy hiding, it uses an attribute bloom filter (ABF) for all access structures. The solution also supports the outsourced decryption of medical data, which can improve the encryption and decryption efficiency of the technique. Finally, in this paper, it is demonstrated that the scheme is selectively chosen-plaintext attack secure (CPA-secure). The experimental results show that users have less computational consumption to obtain medical data.

1. Introduction

Cloud storage technology has become an important part of people’s lives, and users can share data without space constraints [1]. With this advantage, it is possible to apply cloud storage to hospitals to achieve efficient storage and sharing. Since the prevention and control of the COVID-19 epidemic in 2020, many doctors have been conducting research on COVID-19 through clinical medical data. After accumulating a large amount of medical data, efficiently storing and sharing a large amount of medical data is an urgent problem to be solved. In order to solve this problem, cloud storage is combined with medical data so that the medical data of patients in the form of electronic information can be stored and shared in the cloud server. In addition, medical data can be used as materials to promote the development of medical research in teaching and scientific research. In terms of management, they can be used as management information to promote the development of the hospital. Therefore, medical data are the foundation of hospital development. However, medical data contain private patient information. Malicious users may obtain patient medical data through illegal means. The privacy and security of patient medical data are an important issue in data storage and sharing [2].

In order to solve the problem of privacy, a common solution is to encrypt medical data [3]. This solution [4,5] can protect the security of medical data. However, traditional encryption schemes do not support access control in data sharing, which greatly limits the development of Internet hospitals [6]. The proposed attribute-based encryption (ABE) scheme [7] solves this problem, especially cipertext-policy attribute-based encryption (CP-ABE) [8]. In the CP-ABE scheme, the data owner uses the access policy to encrypt data. Only when the data user’s own attributes satisfy the access policy in ciphertext can it decrypt the ciphertext to obtain plaintext data. Hospitals use the CP-ABE algorithm in their medical databases. Doctors or nurses inside the hospital formulate access policies to encrypt medical data, and other doctors or nurses outside the hospital can decrypt ciphertext only if the attributes satisfy the access policies [9]. In general, hospital administrators load the encrypted medical data and access policy to the cloud server. The traditional CP-ABE scheme stores data in the form of ciphertext, and it stores the access policy in the form of plaintext. The cloud server may not be trusted. Therefore, the public access policy may leak user privacy. This means that a malicious user may discover what disease a patient has through access policy in Internet hospitals. A malicious user can combine other public information to obtain private patient information. Access policy leakage is a crucial problem in Internet hospitals. In order to solve the problem of privacy leakage, it is necessary to hide the access policy from unauthorized users and authorized users in the CP-ABE scheme [10,11].

In addition, the data decryption time grows as the access policy increases in the CP-ABE scheme. There are many pairing operations in the CP-ABE scheme that reduce computational efficiency. After the hospital integrates patient medical data, the amount of data is relatively large. When using the CP-ABE scheme to encrypt a large amount of medical data, it has low computational efficiency. It is suitable for encrypting a large amount of data using the symmetric encryption scheme [12]. This scheme has high computational efficiency, but the security of the encryption scheme is low.

In this paper, we propose a safe and efficient data-sharing scheme, which combines the CP-ABE scheme and the symmetric encryption scheme to encrypt integrated medical data. We use the attribute bloom filter (ABF) to implement access policy hiding in the CP-ABE scheme. Meanwhile, we use an outsourced decryption scheme to improve computational efficiency in the CP-ABE scheme. Our scheme is suitable for any complex access structure. Our contributions mainly include the following:

(1) Safe and Efficient Data Sharing: Hospital administrators use the CP-ABE algorithm to encrypt medical data, which enables the safe sharing of medical data. Considering the large volume of medical data, we use symmetric encryption to encrypt medical data and use the CP-ABE algorithm with a fully hidden access policy and an outsourced decryption scheme to encrypt the symmetric key.

(2) Fully Hidden Access Policy: Since the access policy is public, this paper fully hides the access policy. It uses the attribute bloom filter (ABF) to hide sensitive information about the access policy during the encryption phase. The ABF can achieve a fully hidden access policy for any access structure. It uses the attribute location to determine whether the user attributes satisfy the access policy.

(3) Outsourced Decryption: Our scheme uses an outsourced decryption scheme. The algorithm generates values that are not associated with the plaintext of the medical data and the symmetric key. It outsources a number of computational pairings to the cloud server and ensures the privacy security of the medical data.

This work is organized as follows. In Section 2, we introduce the literature related to the research content of this paper. In Section 3, we briefly review the concepts and definitions relevant to this paper. In Section 4, after describing an efficient encryption and decryption framework with a fully hidden access policy, we present the relevant security model. In Section 5, we give a specific encryption and decryption scheme with a completely hidden access policy. In Section 6, its security is analyzed. In Section 7, its performance is analyzed through experiments. We conclude this paper in Section 8.

2. Related Work

In this section, we focus on improving CP-ABE. Sahai et al. [7] proposed attribute-based encryption (ABE). The proposal of ABE solves the problem of one-to-many secret data sharing. ABE can be divided into two categories: key-policy attribute-based encryption (KP-ABE) [13] and ciphertext-policy attribute-based encryption (CP-ABE) [8]. In CP-ABE, the data user’s secret key is related to the user attribute. In contrast, the secret key of the data user is related to the access policy in KP-ABE. Since then, many researchers have proposed improved CP-ABE and KP-ABE programs. In Internet hospitals, the data owner can set the access policy to encrypt medical data. CP-ABE is essential in Internet hospitals. The traditional CP-ABE scheme has low computational efficiency since there are some pairing operations. To solve this problem, Green et al. [14] proposed an ABE scheme with outsourced decryption, which greatly reduces the decryption cost of users. It outsources part of the pairings to the cloud. The data user only needs to compute a few pairings when decrypting.

Imam et al. [15] conducted a comprehensive study of ABE works associated with e-health data sharing. Jiang et al. [16] proposed attributed-based encryption protection combined with a blockchain to protect electronic health records in edge cloud environments. In order to solve the issue of data forgery and tampering in medical data sharing, Zhang et al. [17] proposed a block-based attribute-based keyword searchable encryption scheme for health cloud systems. Li et al. [18] used multikey searchable encryption with attribute-based access control to search all encrypted electronic health records in the cloud. Saravanan et al. [19] proposed a novel enhanced attribute-based encryption for secure access in cloud storage for personal health records. Yang et al. [20] considered the centralized power caused by the single-attribute authority in current CP-ABE schemes, and proposed revocable attribute-based encryption of electronic health records sharing with multiple authorities in the blockchain. Pussewalage et al. [21] introduced a novel attribute-based encryption to share the securely outsourced electronic health records of patients, which can enforce multi-level, controlled-access delegation.

In addition, the access policy is embedded in ciphertext and stored on the cloud server in CP-ABE. However, the access policy in ciphertext is public to the user. The CP-ABE scheme still has the security problem of user attribute information leakage. To solve this problem, some schemes propose hidden access policies. Nishide et al. [22] proposed the partially hidden access policy in CP-ABE. In their paper, the data owner needs to know possible values of attributes in advance and hide subsets of possible attribute values. However, the scheme only supports the AND gate access policy. Later, Lai et al. [23] proposed the partially hidden attribute value. It uses complex-order bilinear mapping, which is computationally expensive. The authors of [24] realized the partially hidden access policy of the prime order and applied the method to a specific scene. In order to solve the problem of large calculations, Cui [25] added outsourcing decryption on the basis of the partially hidden access policy. Later, Hu et al. [26] proposed a “test-decryption-verification” CP-ABE with an outsourced scheme. The scheme adds a test phase to determine whether the user attributes meet the access policy to reduce the number of decryption calculations. Gan et al. [27] implemented the CP-ABE scheme for vehicular fog computing. The scheme separates attributes to achieve a partially hidden access policy.

After that, Phuong et al. [28] proposed a fully hidden access policy for the CP-ABE scheme. It uses an element that represents a user attribute to construct the access structure. It hides the access policy by using the inner product encryption (IPE) scheme. Yang et al. [29] realized the fully hiding access policy by constructing the attribute bloom filter (ABF). It adds the user attribute to the garbled bloom filter. Ramu [30] used the ABF method proposed by Yang to achieve the full hiding of user attributes in CP-ABE, and applied the method to electronic health records to improve the security of patient attribute privacy in a secure cloud framework. Hao et al. [31] proposed a fully hidden access policy scheme that supports all types of access policies in cloud-based IoT. It is also based on the garbled bloom filter. Zhang et al. [32] proposed a fully hidden access policy with multi-authority attribute-based encryption. It converts the access policies and attributes into vectors. It achieves access policy hiding by using IPE. This fully hidden access policy scheme protects data users’ and data owners’ private information while increasing the computation cost of encryption and decryption. Su et al. [33] proposed a new method of attribute-based encryption that supports the hiding policy during electronic medical data sharing. Kim et al. [34] introduced a novel concept called authenticable ABE, which is used to resolve an attack that incorrectly sets the access policy of the ciphertext against the system rules.

Belguith et al. [35] implemented the access policy hiding of CP-ABE while outsourcing most of the decryption computation to semi-trusted cloud servers. In [36], Zhang et al. implemented hidden access policies while using outsourced authentication mechanisms to enhance efficiency. Although they solved the problem of low computational efficiency and the large volume of medical data in our model, the decryption efficiency for users to obtain the data is still low. In

Table 1. Comparison with other schemes.

Performance/Scheme	Luan [9]	Liu [10]	Hu [26]	Zhang [32]	Belguith [35]	Ours
Encrypt Algorithm	CP-ABE	CP-ABE	CP-ABE	CP-ABE	CP-ABE	Symmetric Encryption and CP-ABE
Hidden Access Policy	no	partially	partially	fully	fully	fully
Testing	no	no	yes	no	no	yes
Outsourced Decrypt	no	no	yes	no	yes	yes

, we give a comparison with other schemes.

3. Preliminaries

3.1. Bilinear Map

Definition 1

([37]). Let G and $G_1$ be two multiplication cyclic groups and p the prime order of the multiplication cyclic group. $Z_p$ is a prime field. g is a generator of G. $e:G\times G\to G_1$ is an effective bilinear mapping. e satisfies the following properties: (1) Non-Degeneracy: $\exists g\in G$ and meets $e(g,g)\ne 1_{G_1}$. It is said that $e(g,g)$ is not equal to the unit of $G_1$. (2) Bilinear: For $\forall g\in G$ and $\forall a,b\in Z_p$, it holds $e(g^a,g^b)=e{(g,g)}^{ab}$. (3) Computability: There is polynomial time to calculate for any bilinear mapping.

3.2. Bloom Filter

Definition 2

([38]). A bloom filter is a data structure that is used to test whether an element exists in a set. A bloom filter consists of t hash functions to form an m-bit array defined as follows: $H_i:{\{0,1\}}^{*}\to [1,m]$, where.

Firstly, all bits are set to 0 in the m-bit array. To insert the element e into the array, it calculates the hash function value $\left\{H_i\left(e\right)\right\},1\le i\le t$ of all positions and sets the value of the corresponding position array to 1 in the m-bit array. In order to check whether the element x exists in the array, the bloom filter calculates the hash function value $\left\{H_i\left(x\right)\right\},1\le i\le t$ at all positions. If the values of the corresponding position array are all 1, x exists in the array; otherwise, x does not exist in the array.

3.3. (q − 1)-BDHE Assumption

Definition 3

([39]). The challenger first takes the security parameter as input. It sets g as the generator of G and randomly chooses $q+2$ numbers $a,s,b_1,b_2,\dots ,b_q$ in $Z_p$. Then, the challenger outputs the group $(p,G,G_1,e)$ and the following tuples:

$$\begin{array}{cc}\hfill & g,g^s,\hfill \\ \hfill & g^{a_i},g^{b_j},g^{s{b}_j},g^{a^i{b}_j},g^{\frac{a^i}{b_j^2}},\forall [i,j]\in [q,q]\hfill \\ \hfill & g^{\frac{a^i}{b_j}},\forall [i,j]\in [2q,q]i\ne q+1\hfill \\ \hfill & g^{\frac{a^i{b}_j}{b_{i^{\prime }}^2}},\forall [i,j,i^{\prime }]\in [2q,q,q]j\ne i^{\prime }\hfill \\ \hfill & g^{\frac{s{a}^i{b}_j}{b_{i^{\prime }}}},g^{\frac{s{a}^i{b}_j}{b_{i^{\prime }}^2}}.\forall [i,j,i^{\prime }]\in [q,q,q]j\ne i^{\prime }\hfill \end{array}$$

The challenger sends them to the adversary. The adversary randomly chooses $b\in \{0,1\}$. If $b=0$, the assumption holds. The adversary obtains the challenge part $e{(g,g)}^{s{a}^{q+1}}$; otherwise, the adversary returns the random challenge part.

4. System Model

4.1. The Entity of the Model

As shown in Figure 1, there are six entities in the proposed system model, including data owner (DO), data user (DU), local service provider (LSP), semi-trust authority (STA), cloud storage server (CSS), and outsourced cloud server (OCS). The following is a detailed task design for entities:

DO: The DO firstly sets the access policy and then uploads the medical data and access policy to the hospital’s local server.

DU: If the DU meets the access policy, the DU is an authorized user. The authorized DU can decrypt ciphertext; otherwise, it is an unauthorized user.

LSP: The LSP is a trusted entity in the hospital’s local network. The task of the LSP mainly includes two parts. On the one hand, the LSP encrypts the medical data. On the other hand, the LSP encrypts the secret key.

STA: The STA mainly generates partial public parameters and user secret keys, which are used to encrypt and decrypt the secret key, respectively.

CSS: The CSS is not trusted in the system model. The CSS only provides a platform for the DO to store and share encrypted medical data.

OCS: The OCS in the system model is a semi-trusted entity. The OCS can not only execute partially outsourced decryption operations for the authorized DU, but also generate partial public parameters and user secret keys as an authority.

4.2. The Definition of the Model

In this subsection, we define an efficient encryption scheme for a medical database system model. The following is a description of the system model definition:

(1) Setup Phase

$STA.Setup\left(1^{\kappa }\right)\to \{p{p}_1,ms{k}_1\}.$ The algorithm is executed by The STA. It inputs the security parameter $\kappa$. It returns the public parameter $p{p}_1$ and the master secret key $ms{k}_1$.

$OCS.Setup\left(p{p}_1\right)\to \{p{p}_2,ms{k}_2\}.$ The OCS runs the algorithm, which takes the public parameter $p{p}_1$ as input. It generates the public parameter $p{p}_2$ and the master secret key $ms{k}_2$.

The STA and the OCS successively send public parameters to the LSP. It forms the system public parameter $pp=\{p{p}_1,p{p}_2\}$. The master key $msk=\{ms{k}_1,ms{k}_2\}$ are stored by the STA and the OCS, respectively.

(2) KeyGen Phase

$KeyGen(pp,msk,R)\to \left\{sk\right\}.$ In this phase, the STA and the OCS, respectively, input the public parameters $p{p}_1$ and $p{p}_2$ and the master secret keys $ms{k}_1$ and $ms{k}_2$. The STA and the OCS generate the user attribute key $sk$ with the attribute set R by the key issuing protocol.

(3) Encrypt Phase

$Encrypt(pp,MD,(P,\rho \left)\right)\to \left\{c\right\}.$ The LSP takes the public parameter $pp$, the medical data $MD$, and the access policy $(P,\rho )$ as inputs. It generates the ciphertext of the medical data c.

$ABFBuild\left(\right(P,\rho \left)\right)\to \left\{ABF\right\}.$ The LSP inputs the access policy $(P,\rho )$. It outputs the attribute bloom filter $ABF$.

In the Encrypt phase, the LSP takes the ciphertext $C=\{c,ABF\}$ as output. It sends the ciphertext C to the CSS.

(4) Decrypt Phase

$Decrypt(pp,sk,C)\to \left\{MD\right\}.$ The algorithm inputs the public parameters $pp$, the user secret key $sk$, and the ciphertext C. There are two steps in the decryption phase:

• $ABFQuery(ABF,R)\to \left\{a\right\}.$ The algorithm inputs the user attribute R and the attribute bloom filter $ABF$. If the attribute R meets the access policy, it outputs $a=1$. It then executes the following decryption phase; otherwise, it outputs $a=0$. It terminates the decryption operations.
• Outsourced decryption phase. It continues to perform the decryption operation as follows:
  $GenT{K}_{out}\left(sk\right)\to \{s{k}^{\prime },tsk\}.$ The transformation key generation algorithm takes the user secret key $sk$ as input. It generates the transformation secret key $s{k}^{\prime }$ and the outsourced decryption key $tsk$.
  $Transfor{m}_{out}(s{k}^{\prime },c^{\prime })\to \left\{\tilde{E}\right\}.$ It inputs the transformation secret key $s{k}^{\prime }$ and the partial ciphertext $c^{\prime }$. The CSS generates the intermediate value $\tilde{E}$, which is irrelevant to the medical data.
  $Decryp{t}_{out}(\tilde{E},tsk,c)\to \left\{MD\right\}.$ The outsourced decryption algorithm takes as input the intermediate value $\tilde{E}$, the outsourced decryption key $tsk$, and the ciphertext c. The DU generates medical data $MD$ by the algorithm.

4.3. The Security Definition of the Model

4.3.1. Data Privacy Security of the Model

In this subsection, we define data security by a secure game between the adversary $\mathcal{A}$ and the challenger $\mathcal{B}$. The following defines a selectively chosen-plaintext attack secure (CPA-secure) for model:

• Init: In this phase, the adversary $\mathcal{A}$ gives the challenge access structure $(P^{*},{\rho }^{*})$ to the challenger $\mathcal{B}$.
• Setup: First of all, $\mathcal{B}$ executes the $STA.Setup$ and $OCS.Setup$ phase. The STA generates the key pair $(p{p}_1,ms{k}_1)$. The OCS generates the key pair $(p{p}_2,ms{k}_2)$. $\mathcal{B}$ transmits the public parameter $pp=(p{p}_1,p{p}_2)$ to $\mathcal{A}$. The STA and the OCS, respectively, store the master secret keys $ms{k}_1$ and $ms{k}_2$.
• Phase 1: $\mathcal{A}$ makes a secret key query, where the secret key is related to attributes the R. However, R is not satisfied with the challenge access structure $(P^{*},{\rho }^{*})$. $\mathcal{B}$ generates $sk$ by executing $KeyGen$ and sends it to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ sends two equal-size challenge plaintext messages $M{D}_0$ and $M{D}_1$ to $\mathcal{B}$, as well as the challenge access policy $(P^{*},{\rho }^{*})$. $\mathcal{B}$ firstly uses the two symmetric keys $s{k}_s^0$ and $s{k}_s^1$ to, respectively, encrypt medical data $M{D}_0$ and $M{D}_1$. Then, $\mathcal{B}$ encrypts $s{k}_s^f$ by using CP-ABE, where $f\in \{0,1\}$. The challenge ciphertext $C^{*}$ is obtained by running the $Encrypt$ and $ABFBulid$ algorithm and sending $C^{*}$ to $\mathcal{A}$.
• Phase 2: The query is the same as the secret key query in Phase 1. However, $\mathcal{A}$ obtains $sk$, which is different from Phase 1. They also do not satisfy the challenge access policy $(P^{*},{\rho }^{*})$.
• Guess: The adversary $\mathcal{A}$ outputs the guess $f^{\prime }\in \{0,1\}$. If $f^{\prime }=f$, $\mathcal{A}$ wins the game.

The adversary $\mathcal{A}$ wins the security game by a non-negligible advantage $|Pr[f^{\prime }=f]-\frac{1}{2}|$ in probabilistic polynomial-time (PPT). This model is selectively chosen-plaintext attack secure (CPA-secure).

4.3.2. Hiding the Access Policy Security of the Model

In this subsection, we define the fully hidden access policy security by a secure game between the adversary $\mathcal{A}$ and the challenger $\mathcal{B}$. The following defines a selectively secure for a model with a fully hiding access policy:

• Init: In this phase, the adversary $\mathcal{A}$ gives the challenge access policies $(P_0^{*},{\rho }_0^{*})$ and $\left(P_1^{*}{\rho }_1^{*}\right)$ to the challenger $\mathcal{B}$.
• Setup: First of all, $\mathcal{B}$ executes the $STA.Setup$ and $OCS.Setup$ phase. The STA generates the key pair $(p{p}_1,ms{k}_1)$. The OCS generates the key pair $(p{p}_2,ms{k}_2)$. $\mathcal{B}$ transmits the public parameter $pp=(p{p}_1,p{p}_2)$ to $\mathcal{A}$. The STA and the OCS save the master secret keys $ms{k}_1$ and $ms{k}_2$ by themselves.
• Phase 1: $\mathcal{A}$ makes a secret key query, where the secret key is related to the attributes R. However, the attribute R is not satisfied with the challenge access structure $(P_b^{*},{\rho }_b^{*})$. $\mathcal{B}$ generates $sk$ by executing $KeyGen$ and sends it to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ sends the medical data $MD$ to $\mathcal{B}$. It uses the symmetric key $s{k}_s$ to encrypt $MD$. $\mathcal{B}$ randomly chooses the value $b\in \{0,1\}$. It embeds $(P_b^{*},{\rho }_b^{*})$ into the CP-ABE ciphertext. Finally, $\mathcal{B}$ obtains the challenge ciphertext $C^{*}$ and sends it to $\mathcal{A}$.
• Phase 2: The query is the same as the secret key query in Phase 1. However, $\mathcal{A}$ obtains $sk$, which is different from Phase 1. They also do not satisfy the challenge access policy $(P_b^{*},{\rho }_b^{*})$.
• Guess: $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$ about b. If $b^{\prime }=b$, $\mathcal{A}$ wins the game.

The adversary $\mathcal{A}$ wins the security game in probabilistic polynomial-time (PPT). This model achieves fully hidden access policy security.

4.3.3. Outsourced Decryption Security of the Model

We describe outsourced decryption security for the CP-ABE scheme. It is implemented by a security game between the adversary $\mathcal{A}$ and the challenger $\mathcal{B}$.

• Init: In this phase, the adversary $\mathcal{A}$ gives the challenge access structure $(P^{*},{\rho }^{*})$ to the challenger $\mathcal{B}$.
• Setup: First of all, $\mathcal{B}$ sets a tuple $T=(R,sk,s{k}^{\prime })$. $\mathcal{B}$ executes the $STA.Setup$ and $OCS.Setup$ phase. The STA generates the key pair $(p{p}_1,ms{k}_1)$. the OCS generates the key pair $(p{p}_2,ms{k}_2)$. Then, $\mathcal{B}$ transmits the public parameter $pp=(p{p}_1,p{p}_2)$ to $\mathcal{A}$. The STA and the OCS conserve the master secret keys $ms{k}_1$ and $ms{k}_2$ by themselves.
• Phase 1: $\mathcal{A}$ makes a secret key query and transformation key query, where the secret key is related to the attributes R. However, R is not satisfied with challenge access structure $(P^{*},{\rho }^{*})$. $\mathcal{B}$ generates $sk$ by executing $KeyGen$. $\mathcal{B}$ executes $GenT{K}_{out}$ to generate the transformation secret key $s{k}^{\prime }$ and the outsourced decryption key $tsk$. It stores $tsk$ by itself. $\mathcal{B}$ saves $sk$ and $s{k}^{\prime }$ to T and sends T to $\mathcal{A}$. If T exists, $\mathcal{A}$ performs the $Decrypt$ phase; otherwise, it cannot perform the decryption operations.
• Challenge: $\mathcal{A}$ sends two equal-size challenge plaintext messages $M{D}_0$ and $M{D}_1$ to $\mathcal{B}$. $\mathcal{B}$, respectively, encrypts $M{D}_0$ and $M{D}_1$ with the two symmetric keys $s{k}_s^0$ and $s{k}_s^1$. $\mathcal{B}$ uses the challenge access policy $(P^{*},{\rho }^{*})$ to encrypt the symmetric key $s{k}_s^f$, where $f\in \{0,1\}$. The challenge ciphertext $C^{*}$ is obtained by running the $Encrypt$ and $ABFBulid$ algorithms and sending $C^{*}$ to $\mathcal{A}$.
• Phase 2: The query is the same as the secret key query and the transformation key query in Phase 1. However, $\mathcal{A}$ obtains T, which is different from Phase 1. They also do not satisfy the challenge access policy $(P^{*},{\rho }^{*})$.
• Guess: $\mathcal{A}$ outputs a guess value $f^{\prime }\in \{0,1\}$. If $f^{\prime }=f$, $\mathcal{A}$ wins the game.

The adversary $\mathcal{A}$ wins the security game in probabilistic polynomial-time (PPT). The challenge $\mathcal{B}$ also breaks the security game with a non-negligible advantage. It is said that the outsourced decryption of the model is selectively CPA-secure.

5. Construction

Our scheme uses the symmetric encryption algorithm and the improved CP-ABE algorithm to implement the security sharing of medical data. The improved CP-ABE algorithm can realize the fully hidden access policy, outsourced decryption, and escrow-free key issuing.

(1) Setup Phase

Firstly, the STA inputs the security parameters $\kappa$ into the group generator $\mathcal{G}$. It generates the public key $pk=(p,G,G_1,e)$, where G and $G_1$ are a cyclic group with a prime number p, and e is a bilinear map.

$STA.Setup\left(1^{\kappa }\right)\to \{p{p}_1,ms{k}_1\}.$ The STA inputs the security parameter $\kappa$ to execute the algorithm. It randomly selects $g,m,n,h,v\in G$ and ${\sigma }_1\in Z_p$, where $Z_p$ is prime a field. The STA computes $y_1=e{(g,g)}^{{\sigma }_1}$. Then, the algorithm generates some public parameters and the master secret key as follows:

$$\begin{array}{cc}\hfill & p{p}_1=\{g,m,n,h,v,pk,y_1\},\hfill \\ \hfill & ms{k}_1=\left\{{\sigma }_1\right\}.\hfill \end{array}$$

$OCS.Setup\left(p{p}_1\right)\to \{p{p}_2,ms{k}_2\}.$ The OCS runs the algorithm. It randomly selects $\beta \in Z_p$. It assumes that ${\sigma }_1=\frac{\sigma }{\beta }$. The OCS obtains the public parameter, which is $p{p}_2={\left(e{(g,g)}^{{\sigma }_1}\right)}^{\beta }=e{(g,g)}^{\sigma }$. The master secret key is $ms{k}_2=\left\{\beta \right\}$.

The STA and the OCS, respectively, transmit the public parameters to the LSP and obtain the public parameter $pp=\{p{p}_1,p{p}_2\}=$$\{p,g,m,n,h,v,e{(g,g)}^{\sigma }\}$. The master secret keys are saved by the STA and the OCS separately.

(2) KeyGen Phase

This phase includes the $STA.KeyGen$ and $OCS.KeyGen$ algorithms. In this phase, the OCS and the STA communicate with each other to generate the user attribute keys. However, the STA can not collude with the OCS.

$STA.KeyGen(ms{k}_1,R)\to \left\{s{k}_1\right\}.$ The STA randomly picks $r^{\prime },r_1^{\prime },r_2^{\prime },\dots ,r_x^{\prime }\in Z_p$, where x is the number of attributes R. To prevent the OCS from obtaining the user attribute key, it randomly selects $\alpha \in Z_p$ and sends it to the DU. Then, the STA computes the secret key $s{k}_1=\{m^{\frac{1}{\alpha }},k^{\prime },k_0^{\prime },{(k_{1,x}^{\prime },k_{2,x}^{\prime })}_{x\in [1,|R\left|\right]}\}$ associated with the user attribute and sends it to the OCS, where

$$\begin{array}{cc}\hfill & k^{\prime }=g^{\frac{{\sigma }_1}{\alpha }}{m}^{\frac{r^{\prime }}{\alpha }},\hfill \\ \hfill & k_0^{\prime }=g^{r^{\prime }},\hfill \\ \hfill & k_{1,x}^{\prime }=g^{r_x^{\prime }},\hfill \\ \hfill & k_{2,x}^{\prime }={\left(n^{R_x}h\right)}^{r_x^{\prime }}{v}^{r^{\prime }}.\hfill \end{array}$$

$OCS.KeyGen(ms{k}_2,R)\to \left\{s{k}_2\right\}.$ In this phase, the OCS stochastically obtains $r^{″},r_1^{″},r_2^{″},$$\dots ,r_x^{″}\in Z_p$. Then, the OCS computes the user secret key $s{k}_2=\{k^{″},k_0^{″},{(k_{1,x}^{″},k_{2,x}^{″})}_{x\in [1,|R\left|\right]}\}$ and sends it to the DU, where

$$\begin{array}{cc}\hfill & k^{″}={\left(k^{\prime }\right)}^{\beta }{\left(m^{\frac{1}{\alpha }}\right)}^{r^{″}},\hfill \\ \hfill & k_0^{″}={\left(k_0^{\prime }\right)}^{\beta }{g}^{r^{″}},\hfill \\ \hfill & k_{1,x}^{″}={\left(k_{1,x}^{\prime }\right)}^{\beta }{g}^{r_x^{″}},\hfill \\ \hfill & k_{2,x}^{″}={\left(k_{2,x}^{\prime }\right)}^{\beta }{\left(n^{R_x}h\right)}^{r_x^{″}}{v}^{r^{″}}.\hfill \end{array}$$

Finally, let $r=r^{\prime }\beta +r^{″}$ and $r_x=r_x^{\prime }\beta +r_x^{″}$. The DU obtains the complete secret key $sk=\{R,\alpha ,k,k_0,{(k_{1,x},k_{2,x})}_{x\in [1,|R\left|\right]}\}$, where

$$\begin{array}{cc}\hfill & k=k^{″}=g^{\frac{\sigma }{\alpha }}{m}^{\frac{r}{\alpha }},\hfill \\ \hfill & k_0=k_0^{″}=g^r,\hfill \\ \hfill & k_{1,x}=k_{1,x}^{″}=g^{r_x},\hfill \\ \hfill & k_{2,x}=k_{2,x}^{″}={\left(n^{R_x}h\right)}^{r_x}{v}^r.\hfill \end{array}$$

(3) Encrypt Phase

Before the medical data $MD$ are saved to the CSS, the LSP performs the following operations: (1) The LSP uses the symmetric key $s{k}_s$ to symmetrically encrypt the medical data $MD$. To ensure that the medical data securely exist in the CSS, the medical data are stored by the ciphertext $C_1=En{c}_{s{k}_s}\left(MD\right)$. (2) It realizes the encryption of the symmetric key $s{k}_s$ by running the improved CP-ABE algorithm.

$Encrypt(pp,s{k}_s,(P,\rho ))\to \left\{c\right\}.$ The LSP firstly defines an LSSS access structure $(P,\rho )$, where P is a $u\times t$ access matrix and $\rho$ is a map from row $P_i$ in P to attribute $\rho \left(i\right)$. It chooses a vector $\overrightarrow{l}={(s,l_2,l_3,\dots ,l_t)}^{\top }$ and can calculate ${\eta }_i=P_i\overrightarrow{l},i\in [1,u]$. It encrypts the symmetric key $s{k}_s$ to obtain the ciphertext $C_2=\{c_0,c_1,{(c_{1,i},c_{2,i},c_{3,i})}_{i\in [1,u]}\}$, where

$$\begin{array}{cc}\hfill & c_0=s{k}_{s}e{(g,g)}^{\sigma s},\hfill \\ \hfill & c_1=g^s,\hfill \\ \hfill & c_{1,i}=g^{k_i},\hfill \\ \hfill & c_{2,i}=m^{{\eta }_i}{v}^{k_i},\hfill \\ \hfill & c_{3,i}={\left(n^{\rho \left(i\right)}h\right)}^{k_i}.\hfill \end{array}$$

$ABFBuild\left(\right(P,\rho \left)\right)\to \left\{ABF\right\}.$ In this scheme, when the LSP decrypts the ciphertext, it is necessary to judge whether the user attribute complies with the access policy. We also need to locate the attribute row number in the access matrix. The fully hiding access policy scheme needs to hide the attribute and the row number of the attribute at the same time. Like the garbled bloom filter [29], we construct a m-bit fixed-length string as the element of the attribute bloom filter that consists of two parts. One part is the row number of the attribute in the access matrix, where the fixed length is $m_{rownum}$-bit. The other part is the $m_{att}$-bit length attribute, where $m_{rownum}+m_{att}=m$. For empty positions, we fill in zeros to achieve a fixed length. So, it uses an attribute bloom filter (ABF) to implement the fully hiding access policy. The LSP defines a set $F_e=\{i\parallel R_e\}$ as the element of the ABF, where $R_e$ is the access attribute of the row i-th mapping $\rho \left(i\right)$ in the access matrix P. It uses the $(t,t)$ secret share sharing scheme to add the new element e in the set $F_e$ position to the ABF like the garbled bloom filter. It randomly picks $t-1$ strings with the same length bits and sets $s_{t,e}=s_{1,e}⨁s_{2,e}\cdots ⨁s_{t-1,e}⨁e$. It uses the hash function $H_k{\left(\right)}_{k\in [1,t]}$ to compute the hash value of the attribute $R_e$ and obtains

$$\begin{array}{c}\hfill H_1\left(R_e\right),H_2\left(R_e\right),\dots ,H_t\left(R_e\right).\end{array}$$

The hash values represent the index value of the ABF. It stores the strings $s_{k,e}$ in the ABF, where the index value of $s_{k,e}$ is the hash value $H_k\left(R_e\right)$:

$$\begin{array}{c}\hfill s_{1,e}\to H_1\left(R_e\right),s_{2,e}\to H_2\left(R_e\right),\dots ,s_{t,e}\to H_t\left(R_e\right).\end{array}$$

An example of the ABF construction algorithm is shown in Figure 2.

Then, the LSP sends the ciphertext $C=\{C_1,C_2,ABF\}$ to the CSS. The security of the medical data in the storage and transmission process is realized by the ABF.

(4) Decrypt Phase

$Decrypt(pp,sk,C)\to \left\{MD\right\}.$ If the DU wants to obtain medical data, the DU sends the ciphertext request to the CSS. The DU needs to decrypt the symmetric key $s{k}_s$ firstly. Then, it uses the symmetric key $s{k}_s$ to decrypt the medical data. When decrypting the symmetric key $s{k}_s$, the decryption algorithm consists of two steps:

• $ABFQuery(ABF,R)\to \{a,{\rho }^{\prime }\}.$ In the ABF, the DU firstly uses the hash function $H_k\left(\right)$ to compute the index value of the user attribute R. The DU obtains the string location, which is $H_1\left(R\right)\to s_{1,R},H_2\left(R\right)\to s_{2,R},\dots ,H_t\left(R\right)\to s_{t,R}$. If the attribute R is not in the ABF, the attribute does not meet the access policy. So, it outputs $a=0$ and terminates the decryption operation. If it outputs $a=1$, it continues to execute the outsourced decryption algorithm. It also takes ${\rho }^{\prime }=(i,R)$ as outputs, where i is the attribute row number in the access matrix P.
• Outsourced Decryption Phase: During the outsourced decryption phase, we always ensure that medical data are securely transmitted and stored in ciphertext. The DU generates the transformation key $s{k}^{\prime }$ and the outsourced decryption key $tsk$ based on the $sk$ generated by the STA. When outsourced decryption is performed, the OCS generates an intermediate value $e{(m,g)}^{\frac{-rs}{z}}$ unrelated to the plaintext based on $s{k}^{\prime }$ and the ciphertext C, which does not reveal the medical data information and the symmetric key information during transmission. The DU generates the symmetric key $s{k}_s$ based on the intermediate value $e{(m,g)}^{\frac{-rs}{z}}$ and $tsk$. The DU continues to perform the following decryption operation to obtain the symmetric key $s{k}_s$:
  $GenT{K}_{out}\left(sk\right)\to \{s{k}^{\prime },tsk\}.$ The DU executes the algorithm to generate the transformation key pair $(s{k}^{\prime },tsk)$. It randomly selects $z\in Z_p$. It calculates the transformation key $s{k}^{\prime }=\{k_0^{\prime },{(k_{1,x}^{\prime },k_{2,x}^{\prime })}_{x\in [1,|R\left|\right]}\}$ and the outsourced decryption key $tsk=\left\{z\right\}$, where

  $$\begin{array}{cc}\hfill & k_0^{\prime }=k_0^{\frac{1}{z}},\hfill \\ \hfill & k_{1,x}^{\prime }=k_{1,x}^{\frac{1}{z}},\hfill \\ \hfill & k_{2,x}^{\prime }=k_{2,x}^{\frac{1}{z}}.\hfill \end{array}$$
  $Transfor{m}_{out}(s{k}^{\prime },C_2^{\prime },(P,{\rho }^{\prime }))\to \left\{\tilde{E}\right\}.$ The DU sends the transformation key $s{k}^{\prime }$ to OCS. It randomly picks the constants ${\lambda }_i\in Z_p$ and ${\sum }_{i\in [1,u]}{\lambda }_i{\eta }_i=s$. It runs the algorithm and finally generates an intermediate value $\tilde{E}$, where the intermediate value is not associated with the symmetric key $s{k}_s$. It computes:

  $$\begin{array}{cc}\hfill \tilde{E}& =\prod _{i\in [1,u]}{\left(\frac{e(c_{1,i},k_{2,\rho \left(i\right)}^{\prime })}{e(c_{2,i},k_0^{\prime })e(c_{3,y},k_{1,\rho \left(i\right)}^{\prime })}\right)}^{{\lambda }_i}\hfill \\ \hfill & =e{(m,g)}^{\frac{-rs}{z}}.\hfill \end{array}$$
  Finally, it sends the obtained intermediate value $\tilde{E}$ to the DU.
  $Decryp{t}_{out}(\tilde{E},tsk,C)\to \left\{s{k}_s\right\}.$ It inputs the outsourced decryption keys $tsk$, $\tilde{E}$, and $c_2$ on the decryptor of the DU. Finally, it obtains $s{k}_s$ by calculating

  $$\begin{array}{cc}\hfill s{k}_s& =\frac{c_0}{{\left(e{(c_1,k)}^{\frac{\alpha }{z}}\tilde{E}\right)}^{tsk}}.\hfill \end{array}$$
  The DU obtains the symmetric key $s{k}_s$ to decrypt the medical data $MD=De{c}_{s{k}_s}\left(C_1\right)$.

6. Performance Analysis

6.1. Data Security Analysis

In this subsection, we detailedly prove the data security of the model.

Theorem 1.

If the $(q-1)$-BDHE assumption [26] in our model is true, the adversary A with PPT has a negligible advantage to attack the model. The model in our paper is selectively chosen-plaintext attack secure (CPA-secure).

Proof. 

Suppose there is a PPT adversary $\mathcal{A}$ that has a non-negligible advantage to attack our scheme. The challenger $\mathcal{B}$ constructed by the adversary $\mathcal{A}$ has a non-negligible advantage in solving the $q-1$ assumption.

Init: In this phase, the adversary $\mathcal{A}$ gives the challenge access structure $(P^{*},{\rho }^{*})$ to the challenge $\mathcal{B}$, where $P^{*}$ is a $u\times t$ challenge access matrix and ${\rho }^{*}$ is a map from row $P_i^{*}$ in $P^{*}$ to attribute ${\rho }^{*}\left(i\right)$.

Setup: $\mathcal{B}$ provides system public parameters to $\mathcal{A}$. Firstly, $\mathcal{B}$ runs $STA.Setup\left(1^{\kappa }\right)\to \{p{p}_1,ms{k}_1\}$. $\mathcal{B}$ randomly picks $\tilde{n},\tilde{p},\tilde{v},{\tilde{\sigma }}_1\in Z_p$. Then, it sets the master secret key ${\sigma }_1={\tilde{\sigma }}_1+d^{q+1}$ in $STA.Setup$, where d and q are set in the $(q-1)$-BDHE assumption. In the $STA.Setup$ phase, the public parameters are as follows:

$$\begin{array}{cc}\hfill & m=g^d,\hfill \\ \hfill & n=g^{\tilde{n}}\prod _{(i,k)\in [u,t]}{\left(g^{\frac{d^k}{b_i^2}}\right)}^{P_{i,k}^{*}},\hfill \\ \hfill & h=g^{\tilde{h}}\prod _{(i,k)\in [u,t]}{\left(g^{\frac{d^k}{b_i^2}}\right)}^{P_{i,k}^{*}{\rho }^{*}\left(i\right)},\hfill \\ \hfill & v=g^{\tilde{v}}\prod _{(i,k)\in [u,t]}{\left(g^{\frac{d^k}{b_i}}\right)}^{P_{i,k}^{*}},\hfill \\ \hfill & e{(g,g)}^{{\sigma }_1}=e{(g,g)}^{d^{q+1}}e{(g,g)}^{\widetilde{{\sigma }_1}}.\hfill \end{array}$$

$\mathcal{B}$ sends the above public parameters to $\mathcal{A}$. Next, $\mathcal{B}$ runs $OCS.Setup\left(p{p}_1\right)\to \{p{p}_2,ms{k}_2\}$. It sets the master secret key $\beta =\tilde{\beta }$. Since it assumes ${\sigma }_1=\frac{\sigma }{\beta }$, it sets

$$\begin{array}{cc}\hfill \sigma & ={\tilde{\sigma }}_1\tilde{\beta }+d^{q+1}\tilde{\beta }\hfill \\ \hfill & =\tilde{\sigma }+a^{q+1}.\hfill \end{array}$$

In the $OCS.KeyGen$ phase, the public parameter is $e{(g,g)}^{\sigma }=$$e{(g,g)}^{a^{q+1}}e{(g,g)}^{\tilde{\sigma }}$.

Phase 1: In this phase, $\mathcal{B}$ generates user attribute key to $\mathcal{A}$, where the user attribute does not satisfy the challenge access structure $(P^{*},{\rho }^{*})$. Firstly, $\mathcal{B}$ runs $STA.KeyGen(ms{k}_1,R)\to \left\{s{k}_1\right\}$, where $R=\{R_1,R_2,\dots ,R_{\left|R\right|}\}$ and $R\notin (P^{*},{\rho }^{*})$. $\mathcal{B}$ randomly picks ${\tilde{r}}^{\prime }\in Z_p$ and sets

$$\begin{array}{cc}\hfill r^{\prime }& ={\tilde{r}}^{\prime }+m_1{d}^q+m_2{d}^{q-1}+\dots +m_j{d}^{q+1-j}\hfill \\ \hfill & ={\tilde{r}}^{\prime }+\sum _{j\in \left[t\right]}{m}_j{d}^{q+1-j}.\hfill \end{array}$$

Then, $\mathcal{B}$ obtains the partially secret key by $STA.KeyGen$, where the partially secret key is as follows:

$$\begin{array}{cc}\hfill k^{\prime }& =g^{\frac{{\sigma }_1}{\alpha }}{m}^{\frac{r^{\prime }}{\alpha }}\hfill \\ \hfill & =g^{\frac{{\tilde{\sigma }}_1}{\alpha }}{\left(g^d\right)}^{\frac{{\tilde{r}}^{\prime }}{\alpha }}\prod _{j\in \left[t\right]}{\left(g^{d^{q+2-j}}\right)}^{\frac{m_j}{\alpha }},\hfill \end{array}$$

$$\begin{array}{c}\hfill {k_0}^{\prime }=g^{r^{\prime }}=g^{\widetilde{r^{\prime }}}\prod _{j\in \left[t\right]}{\left(g^{d^{q+1-j}}\right)}^{m_j}.\end{array}$$

For all attribute values $x\in [1,|R\left|\right]$, $\mathcal{B}$ randomly chooses ${\tilde{r}}_x^{\prime }\in Z_p$ and sets

$$\begin{array}{cc}\hfill r_x^{\prime }& ={\tilde{r}}_x^{\prime }+r^{\prime }\sum _{i^{\prime }\in \left[u\right]}\frac{b_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}\hfill \\ \hfill & ={\tilde{r}}_x^{\prime }+\sum _{i^{\prime }\in \left[u\right]}\frac{{\tilde{r}}^{\prime }{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}+\sum _{(i^{\prime },j)\in [u,t]}\frac{m_j{b}_{i^{\prime }}{d}^{q+1-j}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}.\hfill \end{array}$$

Then, the remain secret key is as follows:

$$\begin{array}{cc}\hfill k_{1,x}^{\prime }=g^{r_x^{\prime }}& =g^{{\tilde{r}}_x^{\prime }}\prod _{i^{\prime }\in \left[u\right]}{g}^{\frac{{\tilde{r}}^{\prime }{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}}\prod _{(i^{\prime },j)\in [u,t]}{g}^{\frac{m_j{b}_{i^{\prime }}{d}^{q+1-j}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}}.\hfill \end{array}$$

$\mathcal{B}$ needs to set two parts ${\left(n^{R_x}h\right)}^{r_x^{\prime }}$ and $v^{r^{\prime }}$ for $k_{2,x}^{\prime }$, where

$$\begin{array}{cc}\hfill {\left(n^{R_x}h\right)}^{{r_x}^{\prime }}& ={\left(n^{R_x}h\right)}^{{\tilde{r}}_x^{\prime }}{\left(\frac{g^{r_x^{\prime }}}{g^{{\tilde{r}}_x^{\prime }}}\right)}^{\tilde{n}{R}_x+\tilde{h}}\hfill \\ \hfill & ·\prod _{(i^{\prime },i,k)\in [u,u,t]}{g}^{\frac{{\tilde{r}}^{\prime }(R_x-{\rho }^{*}\left(i\right))P_{i,k}^{*}{b}_{i^{\prime }}{d}^k}{(R_x-{\rho }^{*}\left(i^{\prime }\right))b_i^2}}\hfill \\ \hfill & ·\prod _{(i^{\prime },j,i,k)\in [u,t,u,t]}{g}^{\frac{(R_x-{\rho }^{*}\left(i\right))m_j{P}_{i,k}^{*}{d}^{q+1+k-j}}{(R_x-{\rho }^{*}\left(i^{\prime }\right))b_i^2}}\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill v^{r^{\prime }}& =v^{{\tilde{r}}^{\prime }}\prod _{j\in \left[t\right]}{\left(g^{d^{q+1-j}}\right)}^{\tilde{v}{m}_j}\hfill \\ \hfill & ·\prod _{(j,i,k)\in [t,u,t]}{\left(g^{\frac{d^{q+1+k-j}}{b_i}}\right)}^{P_{i,k}^{*}{m}_j}.\hfill \end{array}$$

$\mathcal{B}$ sends the secret key $s{k}_1=\{m^{\frac{1}{\alpha }},k^{\prime },k_0^{\prime },{(k_{1,x}^{\prime },k_{2,x}^{\prime })}_{x\in [1,|R\left|\right]}\}$ associated with the user attribute R to the OCS. The OCS sets

$$\begin{array}{cc}\hfill r^{″}& ={\tilde{r}}^{″}+m_1{a}^q+m_2{a}^{q-1}+\dots +m_j{a}^{q+1-j}\hfill \\ \hfill & ={\tilde{r}}^{″}+\sum _{j\in \left[t\right]}{m}_j{a}^{q+1-t}.\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill r_x^{″}& ={\tilde{r}}_x^{″}+r^{″}\sum _{i^{\prime }\in \left[u\right]}\frac{b_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}\hfill \\ \hfill & ={\tilde{r}}_x^{″}+\sum _{i^{\prime }\in \left[u\right]}\frac{{\tilde{r}}^{″}{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}+\sum _{(i^{\prime },j)\in [u,t]}\frac{m_j{b}_{i^{\prime }}{a}^{q+1-j}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}.\hfill \end{array}$$

According to the $OCS.KeyGen$ phase protocol, $\mathcal{B}$ generates $s{k}_2=\{k^{″},k_0^{″},{(k_{1,x}^{″},k_{2,x}^{″})}_{x\in [1,|R\left|\right]}\}$ and sends it to $\mathcal{A}$. Finally, let

$$\begin{array}{cc}\hfill r& ={\tilde{r}}^{\prime }\beta +{\tilde{r}}^{″}+2\sum _{j\in \left[t\right]}{m}_j{a}^{q+1-j}\hfill \\ \hfill & =\tilde{r}+2\sum _{j\in \left[t\right]}{m}_j{a}^{q+1-j}\hfill \end{array}$$

and

$$\begin{array}{c}\hfill r_x={\tilde{r}}_x+2\sum _{(i^{\prime },j)\in [u,t]}\frac{b_{i^{\prime }}{m}_j{a}^{q+1-j}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}+\sum _{i^{\prime }\in \left[u\right]}\frac{\tilde{r}{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}.\end{array}$$

$\mathcal{A}$ obtains the secret key $sk=\{R,\alpha ,k,k_0,{(k_{1,x},k_{2,x})}_{x\in [1,|R\left|\right]}\}$, where

$$\begin{array}{cc}\hfill k& =k^{″}={\left(k^{\prime }\right)}^{\beta }{\left(m^{\frac{1}{\alpha }}\right)}^{r^{″}}={\left(g^{\frac{d}{\alpha }}\right)}^r{g}^{\frac{\tilde{\sigma }}{\alpha }}\hfill \\ \hfill & =m^{\frac{\tilde{r}}{\alpha }}\prod _{j\in \left[t\right]}{\left(m^{\frac{2m_j}{\alpha }}\right)}^{a^{q+1-j}}{g}^{\frac{\tilde{\sigma }}{\alpha }},\hfill \end{array}$$

$$\begin{array}{cc}\hfill k_0& =k_0^{″}={\left(k_0^{\prime }\right)}^{\beta }{g}^{r^{″}}=g^r\hfill \\ \hfill & =g^{\tilde{r}}\prod _{j\in \left[t\right]}{g}^{2m_j{a}^{q+1-j}},\hfill \end{array}$$

$$\begin{array}{cc}\hfill k_{1,x}& =k_{1,x}^{″}={\left(k_{1,x}^{\prime }\right)}^{\beta }{g}^{r_x^{″}}=g^{r_x}\hfill \\ \hfill & =g^{{\tilde{r}}_x}\prod _{(i^{\prime },j)\in [u,t]}{g}^{\frac{2b_{i^{\prime }}{m}_j{a}^{q+1-j}+\tilde{r}{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}}.\hfill \end{array}$$

$\mathcal{B}$ needs to set two parts ${\left(n^{R_x}h\right)}^{r_x^{\prime }\beta +{r_x}^{″}}$ and $v^{r^{\prime }\beta +r^{″}}$ for $k_{2,x}$, where

$$\begin{array}{cc}\hfill & {\left(n^{R_x}h\right)}^{r_x^{\prime }\beta +r_x^{″}}={\left(n^{R_x}h\right)}^{r_x}\hfill \\ \hfill & ={\left(n^{R_x}h\right)}^{{\tilde{r}}_x}\prod _{(i^{\prime },j)\in [u,t]}{\left(n^{R_x}h\right)}^{\frac{b_{i^{\prime }}{m}_j{a}^{q+1-j}+\tilde{r}{b}_{i^{\prime }}}{R_x-{\rho }^{*}\left(i^{\prime }\right)}}\hfill \end{array}$$

and

$$\begin{array}{c}\hfill v^{r^{\prime }\beta +r^{″}}=v^r=v^{\tilde{r}}\prod _{j\in \left[t\right]}{v}^{2m_j{a}^{q+1-j}}.\end{array}$$

Challenge: In this phase, $\mathcal{A}$ sends two equal-size challenge messages $M{D}_0$ and $M{D}_1$ to $\mathcal{B}$. $\mathcal{B}$ uses the two challenge symmetric keys $s{k}_s^0$ and $s{k}_s^1$ to, respectively, encrypt $M{D}_0$ and $M{D}_1$. $\mathcal{B}$ randomly flips $b\in \{0,1\}$ and $f\in \{0,1\}$. It obtains the challenge ciphertext $C_1^{*}=En{c}_{s{k}_s^f}\left(M{D}_b\right)$. $\mathcal{B}$ encrypts the challenge symmetric key $s{k}_s^f$ by the following algorithm, where the partially structures are as follows:

$$\begin{array}{cc}\hfill & c_0=s{k}_s^{f}De{(g,g)}^{\tilde{\sigma }s},\hfill \\ \hfill & c_1=g^s.\hfill \end{array}$$

$\mathcal{B}$ continues to perform the rest of the ciphertext structure. $\mathcal{B}$ sets the vector $\overrightarrow{l}=(s,sd+\widetilde{l_2},s{d}^2+\widetilde{l_3},\cdots ,s{d}^{t-1}+\widetilde{l_t})$. Since ${\eta }_i=P_i\overrightarrow{l}$, $\mathcal{B}$ can obtain

$$\begin{array}{cc}\hfill {\eta }_i& =\sum _{j\in \left[t\right]}{P}_{i,j}^{*}s{d}^{j-1}+\sum _{j=2}^t{P}_{i,j}^{*}{\tilde{m}}_j\hfill \\ \hfill & =\sum _{j\in \left[t\right]}{P}_{i,j}^{*}s{d}^{j-1}+{\tilde{\eta }}_i.\hfill \end{array}$$

$\mathcal{B}$ sets $k_i=s{t}_i$ for each $i\in [1,u]$. Then, $\mathcal{B}$ obtains

$$\begin{array}{cc}\hfill c_{1,i}& =g^{k_i}=g^{s{t}_i},\hfill \\ \hfill c_{2,i}& =m^{{\eta }_i}{v}^{k_i}=m^{{\tilde{\eta }}_i}{\left(g^{s{t}_i}\right)}^{\tilde{v}}\hfill \\ \hfill & ·\prod _{(i,k)\in [u,t],k\ne j}{\left(g^{\frac{d^{k}s{t}_i}{b_i}}\right)}^{P_{i,k}^{*}}\prod _{(i,j)\in [u,t]}{\left(g^{P_{i,j}^{*}s{d}^j}\right)}^2\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill & c_{3,i}={\left(n^{\rho \left(i\right)}h\right)}^{k_i}\hfill \\ \hfill & ={\left(g^{s{t}_i}\right)}^{\tilde{n}{\rho }^{*}\left(i\right)+\tilde{h}}\prod _{(i,k)\in [u,t]}{\left(g^{\frac{d^{k}s{t}_i}{b_i^2}}\right)}^{P_{i,k}^{*}({\rho }^{*}\left(i\right)+{\rho }^{*}\left(i\right))}.\hfill \end{array}$$

$\mathcal{B}$ submits the challenge ciphertext $C^{*}=(C_1^{*},C_2^{*},AB{F}^{*})$ to $\mathcal{A}$, where $C_1^{*}=En{c}_{s{k}_s^f}\left(M{D}_b\right)$ and $C_2^{*}=\{c_0,c_1,{(c_{1,i},c_{2,i},c_{3,i})}_{i\in [1,u]}\}$. Phase 2: The query in this phase is the same as the query in Phase 1. However, $\mathcal{A}$ obtains a user secret key that is different from Phase 1. They also do not satisfy the challenge access policy $(P^{*},{\rho }^{*})$. Guess: After the above security game, the adversary $\mathcal{A}$ outputs the challenge values $f^{\prime }$. If $f^{\prime }=f$, it can obtain the challenge value $b^{\prime }=b$. The challenger $\mathcal{B}$ finally outputs 0. It is said that $\mathcal{A}$ wins the security game and obtains the challenge part $D=e{(g,g)}^{s{a}^{q+1}}$; otherwise, the challenger $\mathcal{B}$ outputs 1 and D, which is a random value from G. If $\mathcal{A}$ wins the security game with a non-negligible advantage, $\mathcal{B}$ can break the $(q-1)$-BDHE assumption with the advantage. Therefore, the model is selectively CPA-secure. □

6.2. Hiding Access Policy Security Analysis

Theorem 2.

The CP-ABE scheme is a fully hidden access policy. The scheme is privacy-preserving for polynomial-time adversaries with the security parameter κ.

Proof. 

In this solution, the DU obtains an individual attribute string from the attribute authorization center. If the attribute string of the DU matches the access matrix, the DU is determined to be an authorized user; otherwise, the DU is an unauthorized user and cannot obtain medical data.

It combines the user attributes and the attribute positions in the matrix into a string. It embeds the string into the garbled bloom filter. Therefore, malicious users cannot obtain private information from access policies. In our scheme, the mapping function $\rho$ in the access structure $(P,\rho )$ is embedded in the ABF to achieve full hiding. Firstly, it adds the authorized user attribute to the ABF. It performs t times hash operations on the attribute $R_y$, which is associated with the authorized user. $H_i\left(R_y\right),i\in [1,t]$ represents the position of the authorized user attribute in the ABF. When an unauthorized user $R_x$ executes $ABFQuery\left(\right)$, it is possible that there are some hash values that are the same. It is said that the bloom filter is a false positive. The probability of the false positive is $\frac{1}{2^{\kappa }}$. The security of the ABF depends on the probability of the hash function collision and string matching. The probability of ABF collision is $\frac{1}{2^{\kappa }}{p}_1\le \frac{1}{2^{\kappa }}$, which $p_1$ is the probability of string matching. □

6.3. Outsourced Decryption Security Analysis

Theorem 3.

Suppose that Green’s [14] CP-ABE scheme is selectively CPA-secure and the outsourced decryption algorithm is also selectively CPA-secure in our CP-ABE scheme.

Proof. 

The outsourced decryption scheme in our CP-ABE algorithm is the same as Green’s scheme [14], except that the generated values are different during the transform phase. Green’s outsourced decryption scheme needs a fixed component secret key to generate the transformation key in the transformation phase. In our outsourced decryption scheme, the OCS generates an intermediate value $\tilde{E}=e{(m,g)}^{\frac{-rs}{z}}$, which is unrelated to $e{(g,g)}^{\sigma s}$. Although the method of the transformation key is different, the method of the secret key is the same. Therefore, the response method of the secret query in Phase 1 and Phase 2 is the same as Green’s. If there is an adversary $\mathcal{A}$ that can break our CP-ABE scheme of outsourced decryption with a non-negligible advantage, then another adversary $\mathcal{B}$ can be constructed to break Green’s scheme with a non-negligible advantage. □

7. Experimental Analysis

In this section, we analyze and compare our scheme with [9,26,32]. Our simulation experiment is run on a desktop computer with the Windows 10 64-bit operating system, which uses an i5-4460 CPU and 8 GB of RAM. The software is Eclipse, and the development language is Java with the jpbc 2.0.0 open-source code library. The medical data are from public data sets [40]. We run all experiments 50 times and take the average value as the comparison result.

In Figure 3, we compare the storage consumption. According to the theoretical analysis, these schemes all use a prime-order bilinear group. Let $G^1$ denote the prime-order bilinear group and l denote the length of the user attribute list. The decryption key storage overhead is $(4l+2)G^1$ in [26,32]. In [9], the decryption key storage cost is $(2l+1)G^1$, but it generates two secret keys for patients’ families and doctors. Our scheme decryption key storage consumption is $(3l+1)G^1$. According to the results of the simulation experiments, the storage capacity of the decryption key in our scheme is smaller than [26].

In Figure 4 and Figure 5, we compare the computational efficiency. Our plaintext is 100 KB of medical data in Figure 4. It is obvious that the encryption time of these schemes increases linearly with the increase in the number of user attributes. Our scheme has disadvantages in encryption since it encrypts medical data by symmetric encryption and the CP-ABE algorithm with the fully hidden access policy. The symmetric key plaintext size is constant in the improved CP-ABE algorithm, so the pairing operations are fixed. We decrypt the medical data with the sizes of 100 KB and 3000 KB, respectively, in Figure 5. Our scheme uses outsourced partial pairing to decrypt, and the size of ciphertext in the improved CP-ABE algorithm is less than [9,32]. The improved CP-ABE scheme decrypts the data, which is only a symmetric key. The time consumption of the symmetric decryption is less than that of CP-ABE because there is no bilinear calculation in the symmetric decryption.

8. Conclusions

In this article, we introduced a data security sharing solution in Internet hospitals. In this scheme, data users use a symmetric encryption scheme to encrypt medical data. This only guarantees the efficiency of data encryption and decryption. Due to the low-security performance of symmetric keys, the improved CP-ABE scheme is used to achieve fine-grained access control for symmetric keys. On the one hand, it achieves a fully hidden access policy by using the attribute bloom filter in the improved CP-ABE scheme. It protects privacy information security for the data owner and realizes privacy information security for the data user. On the other hand, we adopted the method of outsourcing decryption to solve the problem of low computing efficiency. Through the experimental comparison analysis, the outsourcing decryption efficiency of this scheme is higher than that of other schemes. In addition, we also prove that the improved CP-ABE scheme is selectively CPA-secure. However, the paper uses attribute bloom filters and hybrid encryption methods to enhance security while prolonging encryption time.