Attribute-Based Encryption Scheme
this chapter we will discuss our proposed solution for electronic
medical records system. After obtaining the data and access policy
provided by the patients, a healthcare organization can gain access
to their data, which is encrypted by a healthcare provider. This is
achieved by cryptographic primitive. The stored patient’s data is
protected against any access from unauthorized parties. This includes
the data centers where the information is stored.
CP-ABE access control mechanism emerges in integrating the
fine-grained access control of data in attribute-based cryptography
terminology and the efficient advantage of signcryption technology,
which provides confidentiality, unforgeability and public
verifiability simultaneously. Therefore, it is more efficient to
design a privacy-preserving scheme for EHR system using the ABSC
healthcare providers are migrating towards electronic medical
records. This provides healthcare organizations a convenient and
reliable way to share and access health information. However, due to
the nature of healthcare information as a highly sensitive data,
securing patient’s medical data is challenging. One such challenge
is the problem of the patient’s privacy and access control to the
stored data. However, due to the sensitivity of the data, the owner
retains a right to grant and revoke access to requesting parties
where the patients have a fully control of giving the access only to
the authorized parties as well as revoking the access. Furthermore, a
patient has the right to retroactively withdraw or revoke access at
any time. However, EHR brings some serious concerns, such as the
security of the sensitive data and the privacy of the EHR owners and
users. If a malicious or unauthorized adversary breaks the EHR system
and conducts a series of malicious actions, for example the leakage
of the EHR owner identity and malicious tampering with medical
records, it will not only result in disclosure of patient personal
privacy, but also lead to misdiagnosis by the doctors and brings
serious consequences. Unfortunately, developing a new access control
scheme to manage access to the healthcare sensitive information poses
providers and other entities must be able to request access to some
of patient’s data. Before any entity receive records, patient first
should check the request submitted by the entities and decide whether
to give access or not. The patient can allow a partial access to a
subset of the requested records or full record. A data requester must
be able to verify the received information by applying some
cryptographic primitives. Finally, patients should be able to
retroactively deny access to their records anytime they want to.
on the above observations, we propose a Ciphertext-policy
Attribute-Based Encryption Scheme for personal health record systems.
After user submitting health information, the data providers encrypt
the data and transmit it to a data center to store it. Other entities
can request access to user’s data if and only if they satisfy the
access policy defined by the data owner in the encryption phase. The
user sends an access notification with a re-encryption key to the
data center re-encrypts the requested encrypted data with the
re-encryption key sent by the user without accessing the plaintext
and sends the ciphertext to the data requester. The data requester
uses his private key to decrypt the cipher text and the access token
from the user. In this way, a user’s health records are exchanged
among the data provider, data center and data requester without
leaking his data.
4.1: A traditional framework for an PHR system.
this section, we introduce the design of the electronic health
records model and specify the role of each entity in our proposed
scheme. Then, we define the design goals.
typical structure of electronic health care records comprises four
entities: Attribute authority (AA), electronic health care records
owner, user and cloud servers.
is a trusted party that is responsible for generating and
distributing the public parameters and private keys for the users, AA
selects attributes from the attribute space and assigns them to the
users with different access permissions.
is the PHR data provider (such as a patient) who formulates the
access policy, signcrypts his/her own PHR data and uploads the
ciphertext to cloud servers.
is the PHR data receiver (such as a doctor, nurse or researcher) who
can download the cyphertext from cloud servers and unsigncrypt it.
are the storage location for the ciphertext that uploaded by the PHR
owner and in the same time the cloud servers grant the access rights
to PHR users.
in account the above PHR system model, our paper proposes a new
scheme for the PHR sharing system, which includes the following
AA generates the master key and the public parameters for PHR system,
and then publishes the system parameters to all users including the
the users submit a registration application to AA. AA has right to
accept or reject the user application by verifying the legitimacy of
identity of the user. After the user is accepted the AA distributes
the corresponding private key to the user.
an PHR owner signcrypts the PHR data (such as user’s identity and
its medical records) under the access policy and uploads the
generated cyphertext to the cloud servers for data sharing.
an PHR user submits the data access request to the cloud servers, who
can download ciphertext from cloud servers and unsigncrypt data to
obtain original messages if and only if the attribute set of PHR user
that satisfies access policy.
on the above system model, the design goals of the scheme are as
cannot be accessed by other entities without user authorization.
Additionally, the data should be protected from any modifications.
the proposed scheme, the receiver should be able to verify that
whether the ciphertext is tampered or not at the time of
recipient should be able to authenticate the identity of the sender
by verifying sender authentication.
ensures that, the attacker cannot create a valid ciphertext.
the proposed scheme the recipient can know whether the original
message is sent by the sender or not.
proposed scheme ensures that the attacker cannot recover the original
message from a ciphertext even though he has the private key of the
this section, we provide an overview and describe the proposed ABSC
protocol in details.
An overview of the proposed CP-ABE protocol
a user with identity IDu arrives at a healthcare provider (data
provider), for treatment, they will consent for records to be
created. Interactions between them will generate an original health
record for the user. The data provider will store the user’s health
information m. then the data provider sends the data to the data
center, where IDu’ is the record ID and M’ is the encryption of
M. Upon receiving the record from the data provider, the data center
stores the message in the cloud.
stored EHRs can be accessed through a web portal by multiple owners
and users. Owners, who create EHRs, are responsible for generating
access policies based on the attribute of authorized healthcare
providers, encrypting EHRs based on the generated policies and
uploading encrypted EHRs into the data center. EHRs are organized
into a labeled hierarchical data structure, which makes it possible
to share different parts of the EHR, thus making the scheme more
an agreement is achieved between a user and a data requester, the
user will send a consent token to the data requester for accessing
parts of their health record from the data center. Meanwhile, the
user should send a consent * to the data center to inform the data
center about the authorized or permission. Afterwards, the requester
will request for the patient’s medical data from the center. The
data center checks the validity of the request by checking the
consent sent by the data owner. If the verification outputs valid,
the data center re-encrypts the data ** with the re-encryption key
provided by the user and sends the ciphertext ** to the data
requester. During this phase the ciphertext **, under the public key
of the user, is transformed into the ciphertext */* under the public
key of the data requester. As a result, the requester is able to
access the original data *** by decrypting */* with their private
the re-encryption key was to be generated via traditional algorithms,
it would be vulnerable to collusion attacks. Traditional
re-encryption keys are only related to the user’s private key and
the data requester’s public key. The user’s other health
information may be accessed if the data requester re-encrypts it and
the data requester decrypts it. As a result, we propose a shared
secret ** between the user and the data provider for each record.
Thus, the health information */* is encrypted by the user’s public
key as well as the secret**, M’=(Xu,M,k1). Meanwhile the user also
introduces a shared secret ** with data requesters for each
individual consent token. The secret ** is included in the
re-encryption key such that only the intended data requester is able
to access the specific data.
this section we give a detailed construction of our pairing free
CP-ABE based ECC. In our scheme we consider that cloud server
providers (CSP) are not trustworthy in the sense that they will try
to access the content of the PHR data files. Moreover, in some cases
the CSP will also try to collide with malicious users to get access
to the content of the PHR files. Also, the malicious or unauthorized
users can work independently or together to gain access to these
sensitive PHRs. The figure ** illustrate the main proposed framework
for PHR system.
the proposed framework for the EHR system.
propose a CP-ABE scheme to gain fine-grained access control for PHR
system as well as providing data confidentiality and efficient
revocation mechanism. In the proposed scheme the users are divided
into two domains, the public domain (PUD) and personal domain (PSD).
The PUDs consist of users who make access based on their professional
roles such as doctors, nurses and researchers. PSDs are user that
personally attached to the data owner such as family members
friends, the owner assign the access right for the PSDs. The data
owner first defines an access policy and publish the PHR data, the
data owner has right to revoke the access of one or all of her PHR
files anytime she/he wants. Our revocation mechanism is based on the
All-Or-Nothing Transform , where the data owner first sends a
revoke access request to the revocation server, the server process
the request and revoke the access to the specified PHR file, we will
cover the revocation phase in details later in this section. The
figure ** illustrate the overall framework.
proposed CP-ABE scheme is based on the elliptic curve cryptography
where we replaced the complicated bilinear pairing with simple scalar
multiplication on the elliptic curves. Our proposed scheme consists
of three parts, namely Attribute Authority data owner (patients) and
data consumer (doctors, nurses, researchers). The Attribute Authority
provides private and public key of all parties in the network.
proposed protocol is composed of four phases, namely Setup phase,
Authority Setup phase, Key Generation phase, Encryption phase,
Decryption phase and finally Revocation phase. They are described as
this phase, the system chooses and publishes all the parameter of
elliptic curves and authority generates private key and related
public key of each user in the network based on the generated
Global public parameters
for the elliptic curve
q: is a large prime number.
(a,b): two elliptic curve
element which is smaller than q satisfying the equation
the elliptic curve over finite field which satisfying the equation
a base point of elliptic curve
with order .
a point of at
the order of point ,
where is a prime, .
one-way hash function.
authority setup phase is secure because it is only possible to be
done by authorized stuff of the hospital and can be only done within
the hospital network.
an elliptic curve group
is a base point on the elliptic curve .
attribute authority chooses a random number
as its master secret key and publishes
as its public key. For each attribute
in the system, the attribute authority randomly selects a
as its public key. For each data user in the system, the authority
maintains an attribute list corresponding to its global identity
(GID). Then choose four one-way collision-resistance hash functions
which are defined as follows:
where is the length of a sufficiently large random string, the length of plaintext message , a binary string of an arbitrary length.
the algorithm out put the master key MSK=r and the public parameters
this phase the attribute authority generates keys for an attribute
of a user with identity GID as following:
record this attribute
in the user’s attribute list corresponding to the user GID.
encryption algorithm is run by data owner, output the ciphertext CT
by taking the Plaintext .
The encryption algorithm consists of the following steps:
plaintext first is mapped to a point
on the elliptic curve
by choosing a random value
and computes: .
will use the ECIES to encrypt the message
see figure 3, and encrypt the secret sharing using the CP-ABE.
receiver receives ciphertext (c, h, S, Z), and computes,
obtaining the plaintext, the receiver verifies if
then the receiver accepts the plaintext.
this phase the sender chooses a random number
where m is the plaintext
cipher text sent by the sender is (c, h, S, Z)
Upload and Access
data owner who wants to encrypt PHR data using a particular access
policy, first she/he checks for all the valid attributes from the
universal set u and creates access policy based on those valid
attributes. The owner then encrypts her/his PHR data with the chosen
access policy and stores it in the cloud server storage.
5: PHR upload process.
the decryption phase, only the authorized users that satisfies the
access policy has the right to decrypt it. An authorized user (PUDs,
PSDs), first have to download the encrypted PHRs from the cloud
server storage. In order to access the PHR, the data user should
first decrypt the PHR file only and only if, she/he has a key that
satisfies the access policy defined by the data owner in the
to the overall system demonstrated in figure*, we can easily figure
out the PHR upload and PHR access procedures. Specifically, once a
data owner needs to upload his PHR files to the cloud storage, she/he
should process the following steps: (1) splits the data into contents
segments based on the AONT method, after that she/he defines the
dynamic and static data (the dynamic and static data are already
encrypted by the AONT encryption). (2) picks a random key k and over
encrypt the chosen dynamic data. (3) use the CP-ABE algorithm to
encrypt the chosen key k. (4) upload the over encrypted dynamic data,
the static data and the encrypted chosen secret key k to the cloud
storage. The data owner can go offline and attribute authorities can
perform other key distribution workflows.
a user (PUDs, PSDs) wants to access a specific PHR file on the cloud
storage, she/he should process the following steps: (1) get the
ciphertext from the cloud storage. (2) read the access policy and
check if her/his keys satisfy the access policy. (3) if the user’
secret key satisfies the access policy she/he can decrypt the
ciphertext by calling the Decrypt algorithm of the CP-ABE scheme, and
finally obtain the original PHR file.
6: PHR Access process.
mechanism is a property to change the access rights of users when
unexpected events occur, such as malicious behavior from a user or a
requested access revocation from a data owner. The revocation system
can be used in many situations in the PHR systems, for example a data
owner has right to grant and refuse the access to its own data. Also,
another scenario when a doctor is no more a part of the system so the
attribute authorities should revoke all of the given access rights to
the PHR files to that special entity so that the user is no longer
able to access the system and decrypt any stored data on it. Based on
these scenarios an access revocation mechanism should be integrated
in the CP-ABE scheme for the PHR systems.
Attribute-based encryption schemes, the attribute revocation is
severe problem and very costly to apply, because the same attribute
set may be associated with different users’ secret keys, resulting
a significant computational overhead throughout the revocation
process. This happens due to the need for updating all relevant keys
for the non-revoked users and re-encrypting the related ciphertext.
the data owners do not have high computation power on their devices
to do extra tasks related to data access through the network.
Therefore, revocation server will partially handle some tasks on
behalf of the data owner. Moreover, the data owners are not online
all time, so to make the system practical in real-world application
it is more efficient to have a revocation server that is online all
time to take the revocation process in behalf of the data owner.
revocation mechanism is based on [*]. The authors proposed an
efficient revocation scheme, where the original data splits into a
number of slices. The scheme divides the splitting data into dynamic
and static data. The dynamic data refers to the special slice which
is chosen for the over-encryption, and the rest of these slices are
referred to as static data. The figure 10 illustrates the model of
the revocation mechanism. The revocation model consists of two
stages: the data publication stage and revocation stage. In the data
publication stage, the data owner first splits the original data M
into n slices via special (n, n) threshold scheme. second, data owner
selects random slice as the dynamic data DF, and binds the remaining
slices as a static data SF. The dynamic data Df are then over
encrypted by a secret key k and the key k is encrypted by the CP-ABE
algorithm. Finally, the dynamic data and static data are uploaded to
the cloud storage. In the other hand when a data owner request a
revocation, firstly the data owner should retrieve the dynamic data
and the encrypted secret key k from the cloud storage and decrypts
them; the data owner chooses another key k’ and encrypt the dynamic
data with it, and then encrypts k’ with CP-ABE algorithm. Finally,
the new ciphertext is uploaded to the cloud storage and replacing the
old one. During the whole process the static data are not affected by
the revocation operation.
the (n, n) threshold scheme usually consumes more time and CPU
resources than the symmetric encryption algorithms, thus this model
will increase the overhead of the data publication. Intuitively, this
model is very beneficial when the revocation occurs frequently. In
the proposed model, all the revocation operations are performed on
the same slice after it is selected as the dynamic data. This
restriction may lead to a security issue where an authorized user
stores the dynamic data in its local machine, then the data owner
will be unable to revoke this user from accessing her/his PHR file.
To solve this problem the data owner should randomly select a slice
as the dynamic data for every revocation.
our proposed scheme we will adopt the above-mentioned revocation
mechanism and integrate into our CP-ABE scheme for PHR systems only
when there is a revocation requested by the data owner. In another
word, whenever the data owner requests a revocation for a specified
PHR file, the revocation server will verify the requested revocation
by checking the data owner identity then the revocation server
replace the PHR file with the new access policy defined by the data
owner. the data owner first upload data to the cloud without
splitting it into slices to reduce the computational overhead made by
using the splitting, reconstructing algorithms. The figure **
illustrate the process for the r…
revocation mechanism scheme consists of five algorithms: namely, data
splitting algorithm, data reconstructing algorithm, data publishing
algorithm, data retrieving algorithm and finally data revocation
algorithm. The data splitting algorithm is an information dispersal
algorithm (Robin 1989), the core of this algorithm is taking an input
and broke it into
blocks with the same length, also creating a matrix
with the same length as the blocks of
columns. the matrix
is multiplied by the data
to result a
-element is a result slice. The data
can be reconstructed by multiplying vector
with the inverted matrix .
information dispersal algorithm.
data splitting algorithm
original data M are first processed by the AONT scheme, then the
result data are splits into n slices by the (n, n) IDA. Algorithm 1
present the data splitting algorithm.
1: data splitting
the original data ,
the number of slices
the key ,
let be the hash of the
original data: ;
choose a random key
/* use the ECC or CP-ABE */ ;
compute the shares by
letting , where ;
compute the key ,
where the ;
package together as
input to an (n, n) IDA;
run the (n, n) IDA and generate n shares
the above process, the outputted shares will
be published to the cloud storage, but first we have to choose the
dynamic data and encrypt them before the publishing.
algorithm takes the original data as input and the number of slices,
then it calls the Algorithm 1 and pass the original with the number
of slices to split into slices. The algorithm 2 illustrate how the
data publishing working.
2: data publishing
the original data ,
the number of slices
URL of the
run algorithm1 to split the original data and obtain ;
choose a random slice ,
select a random key ;
compute , where E’
is a CP-ABE algorithm and T is the access structure;
and shares to the
return the URLs of the published data;
URLs are no longer sensitive because the published data have already
been encrypted, thus they can be delivered through unsafe channels.
3: data reconstructing
the key and the
the original data
take the shares and
run the (n, n) IDA to reconstruct the packaged data;
un-package the IDA’s result to obtain
compute the key ,
where the ;
compute the blocks by
letting , where ;
let be the hash of the
other reconstructed data ;
data reconstruction success else
algorithm takes the key and shares as input and output the original
data. The data can be reconstructed by using the algorithm 3:
data retrieving process demonstrated as follow:
4: data retrieving
data user’s or data owner private key, URLs
the original data
and shares using the
S does not satisfy the access policy T then
decrypt to obtain the
keys and ;
decrypt to obtain the
dynamic data ;
call the algorithm3 and pass ,
the algorithm3 will reconstruct data and return the original data;
Let’s block ads! (Why?)