Traceable Ciphertext-Policy Attribute-Based Encryption ...

Research ArticleTraceable Ciphertext-Policy Attribute-Based Encryption withVerifiable Outsourced Decryption in eHealth Cloud

Qi Li 123 Hongbo Zhu3 Zuobin Ying4 and Tao Zhang5

1 School of Computer Science Nanjing University of Posts and Telecommunications Nanjing 210023 China2Jiangsu Key Laboratory of Big Data Security amp Intelligent Processing Nanjing University of Posts and TelecommunicationsNanjing 210023 China

3Jiangsu Innovative Coordination Center of Internet of Things Nanjing University of Posts and TelecommunicationsNanjing 210003 China

4School of Computer Science and Technology Anhui University Hefei 230601 China5School of Computer Science and Technology Xidian University Xian 710071 China

Correspondence should be addressed to Qi Li liqicsnjupteducn

Received 8 March 2018 Revised 19 April 2018 Accepted 7 May 2018 Published 6 June 2018

Academic Editor Kim-Kwang Raymond Choo

Copyright copy 2018 Qi Li et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

In cloud-assisted electronic health care (eHealth) systems a patient can enforce access control on hisher personal healthinformation (PHI) in a cryptographic way by employing ciphertext-policy attribute-based encryption (CP-ABE)mechanismThereare two features worthy of consideration in real eHealth applications On the one hand although the outsourced decryptiontechnique can significantly reduce the decryption cost of a physician the correctness of the returned result should be guaranteedOn the other hand the malicious physician who leaks the private key intentionally should be caught Existing systems mostly aimto provide only one of the above properties In this work we present a verifiable and traceable CP-ABE scheme (VTCP-ABE) ineHealth cloud which simultaneously supports the properties of verifiable outsourced decryption andwhite-box traceabilitywithoutcompromising the physicianrsquos identity privacy An authorized physician can obtain an ElGamal-type partial decrypted ciphertext(PDC) element of original ciphertext from the eHealth cloud decryption server (CDS) and then verify the correctness of returnedPDC Moreover the illegal behaviour of malicious physician can be precisely (white-box) traced We further exploit a delegationmethod to help the resource-limited physician authorize someone else to interact with the CDS The formal security proof andextensive simulations illustrate that our VTCP-ABE scheme is secure efficient and practical

1 Introduction

Electronic health care (eHealth) system is regarded as anoutstanding approach to provide well health care servicethrough various emerging technologies including Internetof Things cloud computing mobile computing and wirelesssensor networks In cloud-assisted eHealth systems an indi-vidual patient integrates hisher personal health information(PHI) collected via various wearable and embedded sensorsstores the PHI in the cloud and receives real-time and high-quality medical treatment Unfortunately when the patientenjoys convenient storage services provided by cloud serverthe risk of privacy exposure also raises The sensitive PHImay be exposed to the cloud server which can not be fully

trusted Even worse the PHI may be widely propagated tounauthorized parties for commerce benefit or other purposesThus the PHImust be encrypted before hosted to the eHealthcloudMeanwhile an access policy must be specified to pointout who are authorized to access the PHI

Aiming to realize access control on encrypted messageattribute-based encryption (ABE) [1] was presented to pro-vide an efficient solution to this kind of applications Accord-ing to the place where the access policy is embedded the ABEschemes are divided into two forms key-policy ABE (KP-ABE) [2] and another type of ABE named ciphertext-policyABE (CP-ABE) [3] In the former framework every userrsquoskey is labeled with an access policy while the ciphertexts areannotated with chosen sets of attributes On the contrary the

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 1701675 12 pageshttpsdoiorg10115520181701675

2 Wireless Communications and Mobile Computing

userrsquos key in CP-ABE is issued according to hisher attributeswhile the ciphertext is encrypted under an access policy SincethatABE is a feasiblemechanismwhich preserves the securityand privacy of patientsrsquo PHI a series of attribute-basedaccess control systems [4ndash8] have been proposed aiming atexpressive policies security or efficiency In particular thereremain two significant features to be considered in utilizingABE technique in eHealth systems

The first feature is verifiability of outsourced decryptionIn most ABE systems [1ndash3 9ndash12] the decryption overheadis linear to the scale of involved attributes and expensivefor energy-constrained terminals The decryption outsourc-ing technique [13] is proposed to reduce the number ofexponential operations and bilinear pairing operations onuser side by offloading the heavy decryption computationto a third-party server eg the cloud server The user thenrecovers the plaintext by executing only one exponentialoperation over ElGamal-style partial decrypted ciphertextelement generated by the third-party server However suchoutsourced scheme can not guarantee the correctness ofreturned ElGamal-style element Lai et al [14] presentedthe verifiable approach in ABE to check whether the third-party server has honestly executed the decryption serviceThey also bring redundant overhead in both encryptioncomputation and ciphertext size Qin et al [15] provided anefficient verifiable ABE scheme which significantly reducesthe computation cost in encryption and the decryptionoverhead for users

Another considerable feature is traceability We take CP-ABE as an instance the private key is generated from somedescriptive attributes rather than froma unique identity Eachattribute may be possessed by multiple users It could beimpossible to distinguish who is the original owner of agiven private key Imagine two physicians in eHealth systemsTomas and Jack They have the attribute set lsquoorthopedicsdepartment chief physicianrsquo which is not possessed by anyother users By the key delegate technique [3] both Tomasand Jack can regenerate a private key responding to theset lsquoorthopedics department chief physicianrsquo if there is athird user who can decrypt the ciphertext labeled by accesspolicy lsquo lsquoorthopedics departmentrsquo AND lsquochief physicianrsquo rsquoWhere did the key come from Tomas or Jack To solve theproblem above Liu et al [16] extended an adaptively secureCP-ABE scheme [9] to support lsquowhite-boxrsquo traceability wherethe malicious user directly leaks hisher private key Subse-quently Ning et al [17] constructed a large attribute universeand traceable CP-ABE scheme On the contrary to the lsquosmalluniversersquo in [3 10 14ndash16] the lsquolarge universersquo means that thescale of attribute universe is unbounded [18]

However existing works mostly aimed to support theproperty of verifiable outsourced decryption or traceabilityseparately There is no CP-ABE scheme with both verifiableoutsourced decryption and white-box traceability in practice(1) the CP-ABE schemes [16 17] support the traceability wellbut the userrsquos decryption cost growwith the attribute number(2) these CP-ABE schemes [14 15 19 20] provide decryptionassistance for users and the correctness of returned PDCelement is guaranteed however the traceability property isnot addressed

In this work we propose a novel verifiable and traceableCP-ABE scheme named VTCP-ABE for eHealth cloud appli-cations The VTCP-ABE scheme is the first scheme whichsimultaneously achieves white-box traceability and verifiableoutsourced decryptionwithout exposing the physicianrsquos iden-tity information Since we take the lsquolarge universersquo scheme[18] as the basis the attribute universe in our scheme isinherently unbounded We further extend the VTCP-ABEto support another delegation property We also provide theformal proof of the selective CPA security verifiability andtraceability for VTCP-ABE The comparison and simulationresults show that our VTCP-ABE is applicable for practicaleHealth cloud applications In particularly we make thefollowing contributions

(1) We propose a new VTCP-ABE scheme which simul-taneously achieves the properties of verifiable outsourceddecryption white-box traceability and large universe Anauthorized physician can check the correctness of partialdecrypted ciphertext (PDC) which is requested from theeHealth CDS Given a private key the original owner can beprecisely trackedThe attribute universe can be exponentiallylarge and the number of public parameter elements is con-stant no matter how many attributes are chosen

(2) We present an efficient approach to prevent theCDS from knowing the fixed identification information ofphysician during offering decryption service The originalciphertext and the transmission private key will be pre-processed before being sent to the CDS This method isacceptable since only two additional exponential operationsfor each decryption request are added

(3)We exploit an additional property of delegation for ourVTCP-ABE with which a resource-constrained physiciancan delegate someone to obtain a PDC element withoutcompromising the privacy of PHI

11 Related Works ABE was first introduced in [1] Thefirst KP-ABE scheme with threshold tree access structureswas presented in [2] The first CP-ABE scheme with thesame structures was presented in [3] Waters [21] presentedseveral CP-ABE schemes to support the access policy definedas Linear Secret Sharing Schemes (LSSS) Yu et al [22]demonstrated the deployment of ABE technique in cloudcomputing In [4] Li et al presented a personal healthrecord (PHR) secure sharing scheme in cloud computingSubsequently various constructions of ABE schemes werepresented in [9 23ndash29]

Green et al [13] constructed the first decryption out-sourcing ABE where the most decryption overhead is hostedto a third party With the returned partial decrypted cipher-text a user could recover the plaintext message by executingonly one exponential operation Based on the outsourcedmethod [13] Li et al [7] presented a PHR data sharingscheme for cloud storage applications in the multi-authoritysettings In both [7 13] the correctness of returned PDC isnot guaranteed Lai et al [14] presented an approach to checkwhether the partial decrypted ciphertext element (trans-formed ciphertext element) is correctly calculated Theirtechnique incurred noticeable overhead in both decryptionand encryption Based on key encapsulation mechanism Lin

Wireless Communications and Mobile Computing 3

Table 1 Comparison between ours and some related works

Systems CPKP AU1 OD2 Verifiability Traceability DelegationRouselakis et al [18] CPKP Large No No No NoGreen et al [13] CPKP Small Yes No No NoLai et al [14] CP Small Yes Yes No NoQin et al [15] CP Small Yes Yes No NoLiu et al [16] CP Small No No Yes NoNing et al [17] CP Large No No Yes NoOur VTCP-ABE CP Large Yes Yes Yes Yes1AU is the abbreviation of attribute universe2OD is the abbreviation of outsourced decryption

et al [19] and Qin et al [15] separately proposed a fascinatingmethod to support verifiable outsourced decryption in ABEThe difference between [19] and [15] is that in [19] the hashvalue of a random group element 119877 is set as the symmetrickey to encrypt the original data then 119877 is encrypted by aABE scheme to obtain a ABE-type ciphertext which willbe used to generate the verification key In [15] the originaldata119872 is encrypted along with a randomly chosen bit string119903 while the verification key is set by executing exponentialoperations in the group by taking the hash values of119872 and 119903as exponents

Liu et al presented the first adaptively secure and white-box traceable CP-ABE scheme in [16] where any monotonicLSSS access structure is supported They further constructedanother CP-ABE scheme with black-box traceability in [30]Based on the scheme [31] Ning et al [17] exploited the white-box traceability for CP-ABE in large universe settings Fromthen on many traceable ABE constructions are proposed in[6 32 33] However in these traceable schemes [6 16 1730 32 33] the decryption overhead grows with the scale ofattribute set adopted in decryption

Table 1 compares the characteristics between some relatedworks and our VTCP-ABE From Table 1 our VTCP-ABEscheme is the only practical scheme to simultaneously sup-port the properties of large universe verifiable outsourceddecryption white-box traceability and delegation in CP-ABE

2 Preliminaries

21 Bilinear Maps Denote G and G1 as two multiplicativecyclic groups with prime order 119901 119892 is a generator of groupGThe bilinear map 119890 GtimesGrarr G1 has the following properties

(1) Bilinearity forall120589 120578 isin G and 120580 120592 isin Z119901 119890(120589120580 120578120592) =119890(120589 120578)120580120592

(2) Non-degeneracy 119890(119892 119892) = 1(3) Computability for all 120589 120578 isin G 119890(120589 120578) are efficiently

computable

Since that 119890(119892120580 119892120592) = 119890(119892 119892)120580120592 = 119890(119892120592 119892120580) 119890 is symmetric

22 Linear Secret Sharing Schemes (LSSS)

Definition 1 Linear Secret Sharing Schemes [21 34] let Pdenote a set of attributes and let 119901 be a chosen prime Let119879 isin Z119898times119899

119901 be a matrix For all 119894 = 1 119898 a function 120588 labelsthe 119894-th row of 119879 with an attribute (ie 120588 isin F([119898] rarr P)) Asecret sharing schemeΠ over the attribute universeP is linearif one has the following

(1) The shares for each attribute make a vector over Z119901(2) In order to generate the shares of a secret 119904 isin Z119901 we

select the column vector 997888rarr984858 = (119904 9848582 984858119899)⊤ where 9848582 984858119899

are randomly selected from Z119901 then 119879997888rarr984858 is the shares of 119904according toΠ The share (119879997888rarr984858 )119894 belongs to the attribute 120588(119894)

As demonstrated in [34] the linear reconstruction prop-erty of LSSS is defined as follows Suppose (119879 120588) is the accessstructure T and 119878 is an authorized set Let 119868 = 119894 120588(119894) isin 119878be the index set of rows which are linked with the attributesin 119878 There exist constants 120595119894 isin Z119901119894isin119868 which satisfy that if120582119894 = (119879997888rarr984858 )119894 are valid then we have sum119894isin119868 120595119894120582119894 = 119904

23 120593-Type Assumption The security of VTCP-ABE is re-duced to a 120593-type assumption [18]

Suppose G is a cyclic group and prime 119901 is the grouporder Randomly pick 119892 isin G and choose 120580 119904 1205921 1205922 120592120593 isinZ119901 If an adversary A is given the group description(119901GG1 119890) and Ξ including all of the following terms

Ξ =119892 119892119904

119892120580119894 119892120592119895 119892119904120592119895 119892120580119894120592119895 1198921205801198941205922119895 forall(119894 119895) isin [120593 120593]

119892120580119894120592119895 forall(119894 119895) isin [2120593 120593] with 119894 = 120593 + 1

1198921205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [2120593 120593 120593] with 119895 = 1198951015840

1198921199041205801198941205921198951205921198951015840 1198921199041205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [120593 120593 120593] with 119895 = 1198951015840

It must be hard for A to distinguish the element119890(119892 119892)120580120593+1119904 isin G1 from a randomly chosen element 119865 isin G1


Physician Patient

AuthorityPK TKDK

VKCTPHI

PDC

eHealth Cloud

CSS

CDS

IOT

BAN

PHI

PTKPCTPHI

VKCTPHI

CSS

Figure 1 Architecture of VTCP-ABE in eHealth cloud

The advantage of an algorithm A which solves the above119902-type problem is

119860119889VA(120582) =1003816100381610038161003816100381610038161003816Pr [A (Ξ119882 = 119890 (119892 119892)120580

120593+1119904) = 0]

minus Pr [A (Ξ119882 = 119865) = 0]1003816100381610038161003816100381610038161003816

(1)

Definition 2 We claim that the 120593-type assumption holds ifthe advantage of all polynomial time adversaries is negligiblein the above 120593-type game

24 120599-Strong Diffie-Hellman Assumption (120599-SDH) The 120599-SDH problem [35 36] supposeG is a cyclic group Let prime119901 be the group order 119892 is randomly selected fromG Given a(120599+1)-tuple (119892 119892120603 1198921206032 119892120603120599 ) output a pair (120575 1198921(120603+120575)) isinZ119901 times G An algorithm A has advantage 120598 in solving 120599-SDHproblem if Pr[A(119892 119892120603 1198921206032 119892120603120599 ) = (120575 1198921(120603+120575))] ge 120598where the probability is over the random bits consumed byA and the randomness of 120603 isin Z119901

Definition 3 We claim that the (120599 119905 120598)-SDH assumptionholds if the advantage of all 119905-time adversaries is at most 120598in solving the above 120599-SDH problem

3 System Architecture and Security Model

31 System Description As shown in Figure 1 our VTCP-ABE framework in the eHealth cloud mainly consists of thefollowing components

The authority the authority produces the system param-eters and generates private keys for the legal physiciansdepending on their attributes It is also in charge of tracingthe malicious physicians

The patient with the help of IOT techniques the patientintegrates and then encrypts hisher PHI under appropriateaccess policy and further uploads the ciphertext to theeHealth cloud storage server

The eHealth cloud storage server (CSS) the eHealth CSSprovides storage service for the patient If necessary thepatient can call CSS to delete hisher PHI data

The eHealth cloud decryption server (CDS) the eHealthCDS provides pre-decryption service of the encrypted PHI

and returns the partial decrypted ciphertext to the authorizedphysician

The physician the physician takes responsibility of med-ical treatment for the patient whose access policy acceptshisher attributes The physician is also enabled to checkthe correctness of returned pre-decryption results from theCDS The malicious physician may leak his private key foreconomic benefit or some malignant purpose

We note that the eHealth CSS and CDS are assumedto be semi-trusted as in [22] That is the CSS and CDShonestly execute the pre-set algorithms But they attemptsto get useful information of the encrypted PHI as much aspossible In addition the eHealth CDS may want to obtainthe identification information of physician

As one of the important applications in IOT environ-ments the eHealth cloud system enables the patient tocollect his PHI via wearable devices physiologic sensornodes and body area networks etc Before uploading thePHI to the cloud sever to get real-time health care servicesthe patient can define expressive access policy of his PHIover descriptive attributes by VTCP-ABE According to theassigned attributes the individual physicians have differentialflexible access rights They can provide various (free orpaid) health care services by smart devices on conditionthat their attributes match the access policy of patientrsquos PHIOur VTCP-ABE also offers the traceability to prevent thekey abuse problem and the verifiable outsourced decryptiontechnique to offload most decryption cost to the cloud serverand guarantee the returned results

32 Definition of VTCP-ABE Our VTCP-ABE is comprisedby the following seven algorithms

Setup(120581 119880) rarr (119875119870119872119878119870) this algorithm takes in asecurity parameter 120581 and the system attribute universe 119880It then outputs the system public parameters 119875119870 and themaster secret key119872119878119870 Besides it initializes an identity table119868119879 =

Encrypt (119872119875119870 T) rarr (119862119879 119881119870) This algorithm takesin amessage119872119875119870 and an access structure T It then outputsa ciphertext 119862119879 and a verification key 119881119870

KeyGen (119875119870119872119878119870 119894119889 119878) rarr (119879119870119863119870) This algorithmtakes in119875119870119872119878119870 an identity information 119894119889 and an attributeset 119878 It then outputs a transmission private key 119879119870 and a userdecryption key119863119870

Pre-Process (119875119870119862119879 119879119870) rarr (119875119862119879 119875119879119870) This algo-rithm takes in 119862119879 and 119879119870 It then outputs a pre-processedciphertext 119875119862119879 and a pre-processed private key 119875119879119870

Pre-Decrypt (119875119862119879 119875119879119870) rarr (119875119863119862) This algorithmtakes in 119875119862119879 and 119875119879119870 If 119878matches T the algorithm outputsa partial decrypted ciphertext 119875119863119862 Otherwise it outputs perp

Decrypt (119875119863119862119863119870119881119870) rarr (119872) This algorithm takesin 119875119863119862 119863119870 and 119881119870 If 119875119863119862 is not valid it outputs perpOtherwise it outputs a message119872

Trace (119868119879 119875119870 119879119870119863119870) rarr 119894119889 or ⊤ This algorithm takesin 119868119879 119875119870 119879119870 and 119863119870 It first verifies whether 119879119870 and 119863119870are well-formed If so this algorithm outputs the 119894119889 annotatedwith 119879119870 and 119863119870 Otherwise it outputs ⊤ implying that 119879119870and119863119870 are not required to be traced If 119879119870 and119863119870 can pass


a rdquokey sanity checkrdquo whichmeans that they can be used in thenormal decryption phase they are called well-formed [16]

33 CPA Security Model Similar to [17 18] the definitionof selective security model of VTCP-ABE against chosenplaintext attack (CPA) is given as follows

InitThe adversaryA gives the simulatorB the challengeaccess policy Tlowast

Setup B runs Setup to produce (119875119870119872119878119870) and passes119875119870 toA

Phase 1 A can ask B to produce the private keysfor ((1198941198891 1198781) (1198941198892 1198782) (1198941198891198761

1198781198761)) For each (119894119889119894 119878119894) B

returns by the corresponding private key pairs (119879119870119894 119863119870119894)Note that for each 119894 isin [1198761] 119878119894 can not match Tlowast

Challenge Phase A submits two messages 1198720 and 1198721

of equal length B encrypts119872120583 under Tlowast to obtain 119862119879lowast and

119881119870lowast where 120583 is randomly chosen from 0 1 It then gives119862119879lowast and 119881119870lowast toA

Phase 2 As in Phase 1B is asked to produce the privatekeys of ((1198941198891198761+1 1198781198761+1) (119894119889119876 119878119876))

Guess A guesses 1205831015840 for 120583 Arsquos advantage is defined asPr[1205831015840 = 120583] minus 12

Definition 4 We claim that a VTCP-ABE scheme is selec-tively CPA secure if the advantage is negligible for all PPTadversaries in the above selective security game

34 Security Game for Verifiability Based on the replayablechosen ciphertext attack (RCCA) security model [13 15] webriefly introduce the verifiability game as follows

Setup The challengerB generates (119875119870119872119878119870) and sends119875119870 to the attacker A

Phase 1B queries the results from the 119862119903119890119886119905119890 119862119900119903119903119906119901119905and 119863119890119888119903119910119901119905 oracles as in [15]

ChallengePhaseThe attackerA submits an access policyTlowast and a message 119872lowast B encrypts 119872lowast under Tlowast to obtain(119862119879lowast 119881119870lowast) and sends them toA

Phase 2A repeats the key queries as in Phase 1Output A gives B 119875119863119862lowast and an attribute set 119878lowast which

satisfies TlowastThe attacker A wins the above game if

Decrypt (119875119863119862lowast 119863119870lowast 119881119870lowast) notin 119872perp Arsquos advantage inthis game is defined as 119860119863119881119881119879119862119875minus119860119861119864A

Definition 5 We claim that a VTCP-ABE scheme is verifiableif 119860119863119881119881119879119862119875minus119860119861119864A is negligible for all PPT attackers in theabove game

35 Security Game for Traceability The traceability game ofour VTCP-ABE is defined as follows

Setup The challengerB generates (119875119870119872119878119870) and sends119875119870 to the attacker A It keeps119872119878119870 as a secret key

Key Query A submits the tuples (1198941198891 1198781) (11989411988921198782) (119894119889119902 119878119902) to B where 119902 refers to the query numberthatA can make

Key Forgery A outputs 119863119870⋆ and 119879119870⋆ A winsif Trace (119868119879119875119870119863119870⋆ 119879119870⋆) = ⊤ and Trace(119868119879 119875119870119863119870⋆ 119879119870⋆) notin 1198941198891 1198941198892 119894119889119902 Arsquos advantage is defined asPr[Trace(119868119879 119875119870119863119870⋆ 119879119870⋆) = ⊤ cup 1198941198891 1198941198892 119894119889119902]

Definition 6 We claim that a VTCP-ABE scheme is fullytraceable if the advantage is negligible for all PPT attackersin the above game

4 The Proposed VTCP-ABE

In this section we first briefly introduce the techniques ofconstructing a verifiable and traceable CP-ABE scheme andthen give the details of VTCP-ABE construction

41 Technical Overview To achieve the traceability in [17]each private key is associated with a unique fixed number 120575so that the key owner cannot re-randomize his own privatekey to get a completely new key In the verifiable CP-ABEscheme with outsourced decryption [15] the private keyis composed of a transmission key and a user decryptionkey The transmission key is sent to a third party to getthe partial decryption result and the user decryption key isused to decrypt the partial decryption result and check itscorrectness

Our goal is to achieve the efficient user decryption andtraceability without compromising the security and privacyHowever if we combine the traceable CP-ABE [17] and theverifiable outsourced decryption approach [15] in a naivewaythe fixed identifier number 120575 will be exposed to the eHealthCDS Even worse the CDS may use 120575 and the transmissionprivate key to fabricate a key which could pass the checkin the traceable algorithm of [17] That is a legal physicianmay be framed to be malicious and further revoked from thesystem To prevent the CDS from knowing 120575 we process thetransmission private key and original ciphertext before sub-mitting them to the eHealthCDSMeanwhile we add the userdecryption key as input of the traceable algorithm Finallywe add the property of verifiable outsourced decryption intothe traceable CP-ABE scheme [17] at a very low cost on thephysician side (one additional element in private key twoadditional exponential operations in pre-processing)

42 Detailed Construction We now give the detailed con-struction of the VTCP-ABE

Setup Given a group description119866 = (119901GG1 119890) whereprime order 119901 is the order of groups (GG1) and 119890 denotes amap 119890 G times G rarr G1 The system attribute universe is set as119880 = Z119901 Then randomly pick 119892 119906 ℏ 119908 ] isin G and 120572 119886 isin Z119901

Select two collision-resistant hash functions 1198671198601 G1 rarr 0 1ℓ1198671198601 and 1198671198602 0 1lowast rarr 0 1ℓ1198671198602 119878119864 =(SE-Keygen SE-Encrypt SE-Decrypt) refers to a one-timesymmetric encryption scheme and the key space is defined as0 1ℓ119878119864 Select1198671198603 G1 rarr 0 1ℓ119878119864 fromH which denotesa party of pairwise independent hash functions

It sets (119866 119892 119906 ℏ 119908 ] 119890(119892 119892)120572 119892119886 11987811986411986711986011198671198602 1198671198603)as 119875119870 and (120572 119886) as119872119878119870 It also initializes 119868119879 =

Encrypt Given the PHI data 119872 isin alefsym and a LSSS policyT = (119879 120588) isin (Z119898times119899

119901 120588 [119898] rarr Z119901) the encryption algorithmacts as follows

Randomly select 120594 isin G1 and997888rarr984858 = (119904 9848582 984858119899)⊤ isin Z119899times1

119901

Calculate997888rarr120582 = 119879 sdot 997888rarr984858 = (1205821 1205822 120582119899)⊤ Choose 1199051 1199052 119905119898

randomly from Z119901 and compute


119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904

For each 119894 isin [119898] compute 1198621198941 = 119908120582119894]119905119894 1198621198942 = (119906120588(119894)ℏ)minus119905119894

and 1198621198943 = 119892119905119894 The ciphertext of 120594 is 119862119879120594 = (T 119862 1198621 1198622 1198621198941 1198621198942

1198621198943119894isin[119898])After that this algorithm sets 1198791198601198661 = 1198671198601(120594) and

computes a symmetric key 119878119864119870 = 1198671198603(120594) Then it calls 119878119864to create a ciphertext 119862119879119872 = SE-Encrypt(119872 119878119864119870) and theverification key 119881119870 = 1198791198601198662 = 1198671198602(1198791198601198661 119862119879119872)

Finally the ciphertext of PHI data 119862119879 = (119862119879120594 119862119879119872) isuploaded to the eHealth CSS as well as 119881119870

KeyGen Given a tuple (119894119889 119878 = 1198601198791 1198601198792 119860119879119896 subeZ119901) this algorithm randomly selects 119887 120575 120573 1205731 120573119896 isin Z119901

and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573

For each 120591 isin [119896] it computes 1198701198701205911 = 119892120573120591 and 1198701198701205912 =(119906119860119879120591ℏ)120573120591]minus(119886+120575)120573

Finally it outputs the private key for (119894119889 119878) as 119879119870 =(1198781198701198701198701198701 1198711 1198712 1198701198701205911 1198701198701205912120591isin[119896]) and119863119870 = 119887 Simul-taneously the tuple (119894119889 120575) is added to 119868119879

Pre-Process The physician can request the PHI cipher-text 119862119879 = (119862119879120594 119862119879119872) and 119881119870 from the eHealth CSS whichwill response by the elements 1198621 1198622 119862119879119872 and 119881119870 while theother elements will be sent to the eHealth CDS

Before calling the pre-decryption service heshe pro-cesses the 1198621 1198622 and 119879119870 by calculating 1198623 = 1198621198701198701

1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911

1198701198701205912120591isin[119896]) are sent to the eHealth CDSPre-Decrypt Once receiving 119875119862119879120594 and 119875119879119870 this algo-

rithm works as followsIf 119878 does not match T this algorithm aborts Otherwise

it sets 119868 = 119894 120588(119894) isin 119878 and calculates constants 120595119894 isin Z119901119894isin119868

such that sum119894isin119868 120595119894119879119894 = (1 0 0) where 119879119894 refers to the 119894-throw of 119879 Then it calculates

1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868 (119890 (119892 119908)(119886+120575)120573120582119894 119890 (119892 ])(119886+120575)120573119905119894 119890 (119892 119906)minus119905119894120588(119894)120573120591 119890 (119892 ℏ)minus119905119894120573120591 119890 (119906 119892)119905119894119860119879120591120573120591 119890 (ℏ 119892)119905119894120573120591 119890 (] 119892)minus(119886+120575)120573119905119894)120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)

Finally it outputs 119875119863119862 = 1198621015840Decrypt This algorithm first computes 120594 = 119862(1198621015840)119887

Then it calculates 1198791198601198661 = 1198671198601(120594) If1198671198602(1198791198601198661 119862119879119872) =119881119870 it aborts immediately Otherwise it calculates 119878119864119870 =1198671198603(120594) and recovers119872 fl SE-Decrypt(119862119879119872 119878119864119870)

Trace This algorithm first verifies whether 119879119870 and 119863119870are well-formed by the following checks

(1) 119879119870 is expressed as (119878 1198701198701198701198701 1198711 1198712 11987011987012059111198701198701205912120591isin[119896]) where 1198701198701 isin Z119901 and 119870119870 1198711 1198712 11987011987012059111198701198701205912 isin G

(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591

If 119879119870 and119863119870 fail to pass the above five checks it outputs⊤ Otherwise it searches 1198701198701 in 119868119879 if 1198701198701 exists it outputsthe corresponding 119894119889 If1198701198701 does not exist it aborts

5 Security Proof

51 CPA Security For simplicity the security of the presentedVTCP-ABE scheme is reduced to that of the traceablescheme [17] which is proved under the 120593-type assump-tion We let sum119879119862119875minus119860119861119864 and sum119881119879119862119875minus119860119861119864 denote the trace-able scheme [17] and our VTCP-ABE scheme respec-tively

Theorem 7 Suppose that sum119879119862119875minus119860119861119864 is selectively secure theone-time symmetric encryption scheme 119878119864 is semanticallysecure 1198671198603 is chosen from a party of pairwise independenthash functions and the parameters satisfy 0 lt ℓ119878119864 le(log |alefsym|minusℓ1198671198601

)minus2 log(11205981198671198602)Then the proposedsum119881119879119862119875minus119860119861119864

is selectively secure

Proof Similar to the proof in [15] we define a series of hybridargument of games as in [37]

Game0 Identical to the original security game as definedin Section 33


Game1 Identical to Game0 except that 119879119860119866lowast1 and 119878119864119870lowast

are computed by selecting another randomkey119877lowast rather than120594lowast in 119862119879120594

Game2 Identical to Game1 except that we replace 119878119864119870lowast

by a randomly selected string 119878119864119870lowast119877 isin 0 1ℓ119878119864

Let 119878119875119861119894 be the success probability of the attacker inGame119894

Lemma 8 If sum119879119862119875minus119860119861119864 is selectively secure then the attackercan not distinguish Game0 from Game1 with a non-negligibleadvantage

Proof Suppose that an attacker A can distinguish Game0

fromGame1 then we can build a PPT algorithm B to breaksum119879119862119875minus119860119861119864

Init The attacker A submits the challenge access policyTlowast toBB then sends Tlowast tosum119879119862119875minus119860119861119864

Setup Based on Tlowast sum119879119862119875minus119860119861119864 gives B the parameter119875119870119879119862119875minus119860119861119864 = (119866 119892 119906 ℏ 119908 ] 119890(119892 119892)120572 119892119886) as in [17] Afterthat B chooses 119878119864lowast and sets 119867119860lowast

1 119867119860lowast2 and 119867119860lowast

3 asrandom oracles It also sets 119868119879lowast Finally it sends 119875119870lowast =(119875119870119879119862119875minus119860119861119864 119878119864lowast 119867119860lowast

1119867119860lowast2 119867119860lowast

3) toAPhase 1 To reply the key query of (119894119889 119878) from A B

transmits (119894119889 119878) to sum119879119862119875minus119860119861119864 and obtains 119878119870119879119862119875minus119860119861119864 =(1198781198701198701198701198701 1198711 1198712 1198701198701205911 1198701198701205912120591isin[119896]) where

119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573

forall120591 isin [119896]1198701198701205911 = 119892120573120591 and 1198701198701205912 = (119906119860119879120591ℏ)120573120591]minus(119886+120575)120573

B randomly picks 119887 isin Z119901 and sets

119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573

For each 120591 isin [119896] it computes 1198701198701205911 = (1198701198701205911)1119887 = 119892120573120591

and 1198701198701205912 = (1198701198701205912)1119887 = (119906119860119879120591ℏ)120573120591]minus(119886+120575)120573B implicitly sets 120573 = (120573)1119887 and 120573120591 = (120573120591)1119887Finally B sends 119879119870 = (119878 1198701198701198701198701 1198711 1198712 1198701198701205911

1198701198701205912120591isin[119896]) and 119863119870 = 119887 toA Simultaneously it adds (119894119889 120575)to 119868119879lowast

Challenge A submits two equal-length messages 1198720

and 1198721 and B first picks two independent random keys120594lowast and 119877lowast from G1 It sends ((119872lowast

0 = 120594lowast119872lowast1 = 119877lowast)Tlowast)

to sum119879119862119875minus119860119861119864 sum119879119862119875minus119860119861119864 responds by a challenge cipher-text 119862119879119872lowast120583

= (Tlowast 119862 1198621 1198622 1198621198941 1198621198942 1198621198943119894isin[119898]) Then Bcomputes 119878119864119870lowast = 1198671198603(119877lowast) and 119879119860119866lowast

1 = 119867119860lowast1(119877lowast)

It randomly picks 120583 isin 0 1 and calculates 119862119879119872120583=

SE-Encrypt(119872120583 119878119864119870lowast) It also computes 119881119870lowast = 119879119860119866lowast2 =

119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)

Finally it sends 119862119879lowast = (119862119879119872lowast120583 119862119879119872120583

) and 119881119870lowast to theattacker

Note that if the key encrypted under Tlowast in 119862119879119872lowast120583is

119877lowast 119862119879lowast is regarded as a challenge ciphertext in Game0Otherwise 119862119879lowast can be regarded as a challenge ciphertext inGame1

Phase 2 Similar to Phase 1Finally A gives B a 1205831015840 B then sends 1205831015840 to sum119879119862Pminus119860119861119864

From the above game we have |Pr[1198781198751198610] minus Pr[1198781198751198611]| le2119860119863119881Bsum119879119862119875minus119860119861119864

Lemma9 Suppose thatH is a family of pairwise independenthash functions then Game1 can not be distinguished fromGame2 with a non-negligible advantage

Proof The key 119877lowast is completely independent of 119875119870 119862119879119872lowast120583

and119867119860lowast3 in both Game1 and Game2 Moreover the number

of possible values of 119879119860119866lowast1 = 119867119860lowast

1(119877lowast) is at most 2ℓ1198671198601 According to the analysis in [15] and 0 lt ℓ119878119864 le (log |alefsym| minusℓ1198671198601

) minus 2 log(11205981198671198602) the 119878119864119870lowast = 1198671198603(119877lowast) is 1205981198671198602

-statistically indistinguishable from the randomly selected119877lowast

119878119864 isin 0 1ℓ119878119864 Hence we have | Pr[1198781198751198611] minus Pr[1198781198751198612]| le1205981198671198602

Lemma 10 Suppose that 119878119864 is a semantically secure symmet-ric encryption scheme then the attacker can not win Game2with a non-negligible advantage

Proof InGame2 119877lowast119878119864 isin 0 1ℓ119878119864 is a truly random symmetric

key An algorithm B can be directly constructed from Ato break the semantic security of 119878119864lowast Therefore we have|Pr[1198781198751198611] minus 12| le 119860119863119881B119878119864lowast

Remark that Game0 is identical to the selective securitygame for our proposed VTCP-ABE schemeThe advantage is|Pr[1198781198751198610]minus12|Thus the security of oursum119881119879119862119875minus119860119861119864 follows

52 Verifiability

Theorem 11 Suppose that these two hash functions 1198671198601 and1198671198602 are collision-resistant our proposed VTCP-ABE schemeis privately verifiable

Proof Suppose that an attacker A can win the verifiabilitygame we can employ A to build an algorithm B to breakthe collision-resistance of1198671198601 and1198671198602

Given the challenge hash functions 119867119860lowast1 and 119867119860lowast

2 Bprocesses as follows

B runs Setup to generate 119875119870 and119872119878119870 except for119867119860lowast1

and119867119860lowast2 To answer the key queriesB acts as in Phase 1 and

Phase 2In theChallenge phaseB invokes the Encrypt to obtain

the 119862119879120594lowast Then it computes 119879119860119866lowast1 = 119867119860lowast

1(120594lowast) and 119878119864119870lowast =119867119860lowast

3(120594lowast) It also calculates 119862119879119872lowast = SE-Encrypt(119872lowast 119878119864119870lowast)and 119881119870lowast = 119879119860119866lowast

2 = 119867119860lowast2(119879119860119866lowast

1 119862119879119872lowast) It sends 119862119879lowast =(119862119879120594lowast 119862119879119872lowast) and 119881119870lowast toA


A outputs an attribute set 119878lowast which satisfies Tlowast and apartially decrypted ciphertext 119875119863119862lowast = 1198621015840 and 119862119879119872

If A wins the verifiability game B will get a message119872 notin 119872lowast perp Note that the Decrypt algorithm outputs perpif119867119860lowast

2(1198791198601198661 119862119879119872) = 119879119860119866lowast2 where 1198791198601198661 = 119867119860lowast

1(120594) and120594 is recovered from 119875119863119862lowast and 119862119879119872

We now analyze the success probability ofA by consider-ing the following cases

(1) (1198791198601198661 119862119879119872) = (119879119860119866lowast1 119862119879119872lowast) If this case happens

B gets a collision of119867119860lowast2 immediately

(2) (1198791198601198661 119862119879119872) = (119879119860119866lowast1 119862119879119872lowast) but 120594 = 120594lowast Note

that 119867119860lowast1(120594lowast) = 119879119860119866lowast

1 = 1198791198601198661 = 119867119860lowast1(120594) Thus B gets

a collision of119867119860lowast1

53 Traceability

Theorem 12 If the 120599-SDH assumption holds then our pro-posed VTCP-ABE scheme is fully traceable on condition that119902 lt 120599 where 119902 is the number of key queries made by theattackerA

Proof We here briefly introduce the traceability proof Given(119866 = (119901GG1 119890) 119892 119892120603 1198921206032 119892120603120599) the simulator B hasto generate a pair (120575 1198921(120603+120575)) isin Z119901 times G to solve the 120599-SDHproblem

Setup Assuming 120599 = 119902 + 1 B sets 119863119894 = 119892120603119894 foreach 119894 isin [120599] and randomly selects 119902 distinct numbers1205751 120575119902 from Zlowast

119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =

sum119902119894=0 119886119894119911119894 where 119886119894 are the coefficients of 119891(119911) The sim-

ulator computes 119892 larr prod119902119894=0(119863119894)119886119894 = 119892119891(120603) and 119892120603 larr

prod119902+1119894=1 (119863119894)120603119894minus1 = 119892120603sdot119891(120603) It then randomly picks 119906 ℏ isin G

and 120572 1205791 1205792 isin Z119901 Finally B sets (119866 119892 119906 ℏ 119908 = 1198921205791 ] =1198921205792 119890(119892 119892)120572 119892120603 1198781198641198671198601 1198671198602 1198671198603 119868119879) as 119875119870 where 119878119864119867119860111986711986021198671198603 and 119868119879 are set as in the CPA game It gives119875119870 toA

Key Query B answers the 119894-th query of (119894119889119894 119878119894) asfollows

B sets119891119894(119911) = 119891(119911)(119911+120575119894) = prod119902119895=1119895 =119894(119911+120575119895) = sum119902minus1

119895=0 119887119895119911119895

and computes 120577119894 larr prod119902minus1119895=0(119863119895)119887119895 = 119892119891119894(120603) = 119892119891(120603)(120603+120575119894) =

1198921(120603+120575119894) Then B randomly selects 119887 120573 1205731 120573119896 isin Z119901 andcalculates 119879119870 by computing

119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573

For each 120591 isin [119896] it computes 1198701198701205911 = 119892120573120591 and 1198701198701205912 =(119906119860119879120591ℏ)120573120591 ((119892120603)1205792 sdot ]120575119894)minus120573 = (119906119860119879120591ℏ)120573120591]minus(120603+120575119894)120573

It gives 119879119870 and 119863119870 = 119887 toA and add (119894119889119894 120575119894) to 119868119879Key Forgery A submits 119879119870⋆ = (119878 1198701198701198701198701 1198711 1198712

1198701198701205911 1198701198701205912120591isin[119896]) and 119863119870⋆ = 119887 to B ΨA refers to theevent that A wins ie 119879119870⋆ and 119863119870⋆ = 119887 are well-formedand 1198701198701 notin 1205751 1205752 120575119902

If ΨA happensB writes 119891(119911) as 119891(119911) = 120601(119911)(119911 + 1198701198701) +120601minus1 for some polynomial 120601(119911) = sum119902minus1

119894=0 120601119894119911119894 and some 120601minus1 =

0 isin Z119901 Note that 120573 in 119879119870⋆ is unknown to B B thencomputes

120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)

119908119904 larr (120590 sdot prod119902minus1119894=0119863

minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901

Since 119890(119892120603 sdot 119892120575119904 119908119904) = 119890(119892 119892) (120575119904 119908119904) is the solution forthe 120599-SDH problem

IfΨA does not happenB randomly picks (120575119904 119908119904) isin Z119901timesG as the solution

As analyzed in [17] Brsquos advantage is non-negligible insolving the 120599-SDH problem

6 Performance Comparison

Wehere compare the performance of the VTCP-ABE schemewith the TCP-ABE scheme [17] and the VCP-ABE scheme[15] in the setting of key encapsulation where the PHI datais encrypted by a symmetric encryption key 120594 which will beencrypted under an access policy in ABE

61 Numeric Result Tables 2 and 3 show the numeric com-parison between our scheme and other two schemes [15 17]Let 119875 119864 and 1198641 be the overhead in executing a bilinearpairing an exponential operation in G and G1 respectively119880 denotes the system attribute universe 119878119862 119878119870 and 119868 refer tothe set of attributes used in encryption key generation anddecryption respectively Let ℓ1198672 be the output length of1198672

In Table 2 we calculate the computation cost incurredin the following phases encryption key generation pre-decryption and user decryption The user in VCP-ABEand our VTCP-ABE expends constant size computation costof exponential operation in G1 Note that our VTCP-ABErequires two additional exponential operations in the userside since that the ciphertext and transmission key need tobe processed before being transmitted to the eHealth CDS

In Table 3 the length of system public parameter privatekey and ciphertext is calculated by the number of groupelementsTheVCP-ABE scheme requiresmore public param-eters which are linear with the scale of system attributeuniverse due to the fact that all the possible attributes needto be listed during the system initialization phase Comparedwith the non-outsourced TCP-ABE scheme our VTCP-ABErequires an additional element as the user decryption key andan output of1198672 as the verification key

62 Implementation We implement VCP-ABE scheme [15]TCP-ABE scheme [17] and the proposed VTCP-ABE on awindows 7 platform of an Intel(R) Core(TM) i5-3450 CPUat 310GHz with 800GB Memory A Type A elliptic curvegroup is chosen from the JPBC library [38] and the orderis a 512-bit prime We mainly count the computation costincurred by ABE relevant operations The computation timeof each algorithm is the average of 20 trials

Figure 2 illustrates the computation cost comparisonamong VCP-ABE scheme TCP-ABE scheme and our pro-posed VTCP-ABE scheme


Table 2 Computation cost comparison

Encryption KeyGen Pre-Decrypt User DecryptVCP-ABE [15] (3|119878119862| + 1)119864 + 11198641 (|119878119870| + 3)119864 |119868|1198641 + (2|119868| + 1)119875 11198641

TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641

Table 3 The parameter length comparison

Public Parameter Private Key CiphertextVCP-ABE [15] (|119880| + 2)|G| + 1|G1| (|119878119870| + 2)|G| + 1|Z119901| (2|119878119862| + 1)|G| + 1|G1| + ℓ1198672TCP-ABE [17] 6|G| + 1|G1| (2|119878119870| + 3)|G| + 1|Z119901| (3|119878119862| + 2)|G| + 1|G1|VTCP-ABE 6|G| + 1|G1| (2|119878119870| + 3)|G| + 2|Z119901| (3|119878119862| + 2)|G| + 1|G1| + ℓ1198672

Figure 2(a) shows the computation time in the initial-ization phase In the three schemes the computation cost ismainly incurred by computing the parameters 119890(119892 119892)120572 and119892119886

Figures 2(b) and 2(c) show the computation time in thekey generation phase and the encryption phase respectivelyIt is observed that the key generation cost and encryptionoverhead in three schemes are linearly with the number ofused attributes More precisely TCP-ABE and ours requiremore computation operation than VCP-ABE since that thecombination of parameters 119906 and ℏ is employed to indicatean attribute

Figure 2(d) shows the computation cost in the pre-processphase of our VTCP-ABE Two exponential and multiplicativeoperations in group G are required in computing 1198623 and 1198713

no matter how many attributes are involvedFigure 2(e) illustrates the computation cost comparison

in the user decryption phase among three schemes Wecan find that the user decryption cost in TCP-ABE schemeincreases with the number of attributes Thanks to the effi-cient outsourced decryption approach the final decryptioncosts on the user side in VCP-ABE scheme and ours aresignificantly lower than that in TCP-ABE and independentof the attribute number

Figure 2(f) gives the computation cost comparison intracing the malicious users between TCP-ABE and ours Wecan observe that the computation cost in both scheme growswith the number of attributes and our scheme only requiresone additional exponential operation in group G1

7 Delegate Extension

If a physician is in trouble to connect to the eHealth CSSand CDS heshe can delegate someone to download the PHIciphertext from the CSS and request the partial decryptedciphertext from the CDS However the access privilege ofdelegated user has to be restricted Inspired by [20 39 40]we employ a verifiable random function to limit the access ofdelegated users to maximum 120585 times and propose a verifiableand traceable CP-ABE scheme with key delegation (VTDCP-ABE)

Setup Besides generating119875119870 and119872119878119870 as inVTCP-ABEthis algorithm calculates Ω = 119890(119892 119892) and chooses a hash

function 1198671198604 0 1lowast rarr Z119901 The public parameter is119875119870119863 = (119875119870Ω1198671198604)

The Encrypt KeyGen Pre-Process Pre-Decrypt andTrace algorithms are as well as that in VTCP-ABE

Delegate KeyGen Given a transmission key 119879119870 =(1198781198701198701198701198701 1198711 1198712 1198701198701205911 1198701198701205912120591isin[119896]) of an 119894119889 for a set 119878an identity information 119894119889119863 and a set 119878119863 = 1198601198791 1198601198792 119860119879 sube 119878 This algorithm generates a delegated transmis-sion key 119879119870119863 as follows

Randomly select 119889 isin Z119901 and compute Γ1199011199041198901 =Ω1(119889+1198671198604(119901119904119890)) Γ1199011199041198902 = 1198921(119889+1198671198604(119901119904119890)) and Γ1199011199041198903 = 119892119889where 119901119904119890 refers to the unique and random pseudonym ofa delegated user Set 120585 as the maximum number of pre-decryption request that a delegated user can make

Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889

For each 120591 isin [] compute 1198701198701199011199041198901205911 = (1198701198701205911)1119889 = 119892120573120591119889

and 1198701198701199011199041198901205912 = (1198701198701205912)1119889 = (119906119860120591ℏ)120573120591119889]minus(119886+120575)120573119889The 120585-times delegated transmission key is set as

119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)

Delegate Pre-Process The same as Pre-Process thedelegated user requests 119862119879 = (119862119879120594 119862119879119872) from eHealth CSSand computes 1198621199011199041198903 = 1198621198701198701199011199041198901

1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889

The delegated user then sends 119875119862119879119863 and 119875119879119870119863 to theeHealth CDS where

119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs

10 20 30 40 50 60 70 80 90 1000Number of Attributes

0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace

Figure 2 Comparisons of computation cost


Delegate Pre-Decrypt The eHealth CDS first initializesa counter 119888119900119906 = 0 and a set 119878119901119904119890 = Γ1199011199041198901 for each delegateduser and stores the tuple (119888119900119906 119878119901119904119890) in a delegation list 119863119871Once receiving the Pre-Decrypt request from a delegateduser the CDS responds by the following way

If 119878 does not match T it outputs perpOtherwise it searches (119888119900119906 119878119901119904119890) in 119863119871 related to 119875119879119870119863

and checks(1) 119890(1198921198671198604(119901119904119890) sdot Γ1199011199041198903 Γ1199011199041198902) = Ω and Γ1199011199041198901 = 119890(119892 Γ1199011199041198902)(2) 119888119900119906 + 1 le 120585(3) Γ1199011199041198901 isin 119878119901119904119890If the above three conditions do not hold it aborts

Otherwise it updates 119888119900119906 larr 119888119900119906+1 and computes the partialdecryption ciphertext as

1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)

Finally the CDS responds the delegated user by 119875119863119862119863 =1198621015840

119863 Then the delegated user gives 119875119863119862119863 and 119862119879119872 to thephysician

Decrypt If the physician interacts with the CSS and CDSdirectly this algorithm acts exactly as in the Decrypt algo-rithm of VTCP-ABE If the physician asks a delegated userto get the ciphertext and request the outsourced decryptionservice 120594 is recovered by 120594 = 119862(1198621015840

119863)119887119889 The verificationand PHI decryption operations are identical to that of VTCP-ABE

Since that the 119863119870 of physician and 119889 are kept secretlythe delegated user can not obtain any content of the PHIciphertext except a partial decrypted ciphertext

8 Conclusion

In this paper we have constructed a verifiable and traceableCP-ABE (VTCP-ABE) scheme for eHealth cloud applica-tions which also achieves the properties of large universe anddelegation With VTCP-ABE the patient can enforce fine-grained access control over hisher PHI in a cryptographicalway Before submitting the encrypted PHI to the eHealthcloud decryption server a pre-process on the ciphertext andtransmission key is employed to preserve the identity privacyof the physician The correctness of returned ciphertext canbe efficiently verified Moreover the malicious physicianwho leaks the private key can be precisely tracked Besideswe extend the proposed VTCP-ABE to support the del-egation property with which a resource-limited physiciancan authorize someone else to obtain a partial decryptedciphertext without exposing the PHI content The security ofVTCP-ABE is proved in the selective model The extensiveexperiments illustrate that our VTCP-ABE scheme efficientlyachieves verifiability traceability and large attribute universe

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This research is supported by the National Natural ScienceFoundation of China under Grants nos 61502248 61427801u1405255 and 61602365 China Postdoctoral Science Foun-dation (Grant no 2018M632350) and NUPTSF (Grant noNY215008)

References

[1] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in CryptologymdashEUROCRYPT 2005 R Cramer Edvol 3494 of Lecture Notes in Computer Science pp 457ndash473Springer Berlin Heidelberg 2005

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-basedencryption for fine-grained access control of encrypted datardquoin Proceedings of the 13th ACM Conference on Computer andCommunications Security (CCS rsquo06) pp 89ndash98 New York NYUSA November 2006

[3] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[4] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[5] J Zhou Z Cao X Dong and X Lin ldquoTR-MABE white-box traceable and revocable multi-authority attribute-basedencryption and its applications to multi-level privacy-pre-serving e-healthcare cloud computing systemsrdquo in Proceedingsof the 34th IEEE Annual Conference on Computer Communica-tions and Networks (IEEE INFOCOM rsquo15) pp 2398ndash2406 April2015

[6] C Hahn H Kwon and J Hur ldquoEfficient attribute-based securedata sharing with hidden policies and traceability in mobilehealth networksrdquoMobile Information Systems vol 2016 ArticleID 6545873 13 pages 2016

[7] Q Li JMa R Li X Liu J Xiong andDChen ldquoSecure efficientand revocable multi-authority access control system in cloudstoragerdquo Computers amp Security vol 59 pp 45ndash59 2016

[8] Y Zhang X Chen J Li D SWong H Li and I You ldquoEnsuringattribute privacy protection and fast decryption for outsourceddata security in mobile cloud computingrdquo Information Sciencesvol 379 pp 42ndash61 2017

[9] A Lewko T Okamoto A Sahai K Takashima and B WatersldquoFully secure functional encryption Attribute-based encryp-tion and (hierarchical) inner product encryptionrdquo in Advancesin CryptologymdashEUROCRYPT 2010 H Gilbert Ed vol 6110 ofLecture Notes in Computer Science pp 62ndash91 Springer BerlinHeidelberg 2010

[10] K Xue Y Xue J Hong et al ldquoRAAC Robust and AuditableAccess Control with Multiple Attribute Authorities for Public


Cloud Storagerdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 4 pp 953ndash967 2017

[11] W Li K Xue Y Xue and J Hong ldquoTMACS a robustand verifiable threshold multi-authority access control systemin public cloud storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[12] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-based data sharing scheme revisited in cloud computingrdquo IEEETransactions on Information Forensics and Security vol 11 no8 pp 1661ndash1673 2016

[13] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of abe ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) pp 34-34 USENIXAssociation Berkeley CA USA 2011

[14] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[15] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEETransactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[16] Z Liu ZCao andD SWong ldquoWhite-box traceable ciphertext-policy attribute-based encryption supporting any monotoneaccess structuresrdquo IEEE Transactions on Information Forensicsand Security vol 8 no 1 pp 76ndash88 2013

[17] J Ning X Dong Z Cao L Wei and X Lin ldquoWhite-box trace-able ciphertext-policy attribute-based encryption supportingflexible attributesrdquo IEEE Transactions on Information Forensicsand Security vol 10 no 6 pp 1274ndash1288 2015

[18] Y Rouselakis and B Waters ldquoPractical constructions and newproofmethods for large universe attribute-based encryptionrdquo inProceedings of the 2013 ACM SIGSAC Conference on ComputerandCommunications Security (CCS rsquo13) pp 463ndash474NewYorkNY USA November 2013

[19] S Lin R Zhang H Ma and M Wang ldquoRevisiting attribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 10 no10 pp 2119ndash2130 2015

[20] J Ning Z Cao XDong K LiangHMa andLWei ldquoAuditablesigma-time outsourced attribute-based encryption for accesscontrol in cloud computingrdquo IEEE Transactions on InformationForensics and Security vol 13 no 1 pp 94ndash105 2018

[21] B Waters Ciphertext-Policy Attribute-Based Encryption AnExpressive Efficient and Provably Secure Realization vol 6571 ofLecture Notes in Computer Science Springer Berlin Heidelberg2011

[22] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[23] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 NewYork NY USA November 2007

[24] J Li Q Huang X Chen S S M Chow D S Wong and D XieldquoMulti-authority ciphertext-policy attribute-based encryptionwith accountabilityrdquo in Proceedings of the 6th InternationalSymposium on Information Computer and CommunicationsSecurity (ASIACCS rsquo11) pp 386ndash390 New York NY USAMarch 2011

[25] F Guo Y Mu W Susilo D S Wong and V VaradharajanldquoCP-ABE with constant-size keys for lightweight devicesrdquo IEEE

Transactions on Information Forensics and Security vol 9 no 5pp 763ndash771 2014

[26] Q Li J Ma R Li J Xiong and X Liu ldquoLarge universedecentralized key-policy attribute-based encryptionrdquo Securityand Communication Networks vol 8 no 3 pp 501ndash509 2015

[27] Q Li J Ma R Li J Xiong and X Liu ldquoProvably secureunbounded multi-authority ciphertext-policy attribute-basedencryptionrdquo Security and Communication Networks vol 8 no18 pp 4098ndash4109 2015

[28] Q M Malluhi A Shikfa and V C Trinh ldquoA ciphertext-policyattribute-based encryption scheme with optimized ciphertextsize and fast decryptionrdquo in Proceedings of the 2017 ACM AsiaConference on Computer and Communications Security (ASIACCS rsquo17) pp 230ndash240 New York NY USA April 2017

[29] J Ning Z Cao X Dong K Liang L Wei and K R ChooldquoCryptCloud+ secure and expressive data access control forcloud storagerdquo IEEE Transactions on Services Computing vol99 2018

[30] Z Liu Z Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 New York NY USA November 2013

[31] Y Rouselakis and B Waters ldquoEfficient statically-secure large-universe multi-authority attribute-based encryptionrdquo in Finan-cial Cryptography andData Security R Bohme andTOkamotoEds vol 8975 ofLectureNotes in Computer Science pp 315ndash332Springer Berlin Heidelberg 2015

[32] J Ning Z Cao X Dong J Gong and J Chen ldquoTrace-able CP-ABE with short ciphertexts How to catch peopleselling decryption devices on ebay efficientlyrdquo in ComputerSecuritymdashESORICS 2016 I Askoxylakis S Ioannidis S Kat-sikas and C Meadows Eds vol 9879 pp 551ndash569 SpringerInternational Publishing 2016

[33] G Yu Z Cao G Zeng and W Han ldquoAccountable ciphertext-policy attribute-based encryption scheme supporting publicverifiability and nonrepudiationrdquo in Provable Security vol10005 of Lecture Notes in Computer Science pp 3ndash18 SpringerInternational Publishing Cham Switzerland 2016

[34] A Beimel Secure Schemes for Secret Sharing and Key Distribu-tion [Mater Thesis] 1996

[35] D Boneh and X Boyen Short Signatures Without RandomOracles vol 3027 of Lecture Notes in Computer Science SpringerBerlin Heidelberg 2004

[36] V Goyal Reducing Trust in the PKG in Identity Based Cryptosys-tems vol 4622 of Lecture Notes in Computer Science SpringerBerlin Heidelberg 2007

[37] V Shoup ldquoSequences of games a tool for taming complexity insecurity proofs 2004rdquo shoupcsnyuedu 13166 received 30Nov2004 last revised 18 Jan 2006

[38] A de Caro and V Iovino ldquojPBC Java pairing based cryptogra-phyrdquo in Proceedings of the 16th IEEE Symposium on Computersand Communications (ISCC rsquo11) pp 850ndash855 Kerkyra CorfuGreece July 2011

[39] D Yevgeniy and A Yampolskiy ldquoA verifiable random functionwith short proofs and keysrdquo in Public Key CryptographymdashPKC2005 S Vaudenay Ed pp 416ndash431 Springer BerlinHeidelberg2005

[40] TH Yuen J K LiuMH Au X HuangW Susilo and J Zhouldquok-times attribute-based anonymous access control for cloudcomputingrdquo Institute of Electrical and Electronics EngineersTransactions on Computers vol 64 no 9 pp 2595ndash2608 2015

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


userrsquos key in CP-ABE is issued according to hisher attributeswhile the ciphertext is encrypted under an access policy SincethatABE is a feasiblemechanismwhich preserves the securityand privacy of patientsrsquo PHI a series of attribute-basedaccess control systems [4ndash8] have been proposed aiming atexpressive policies security or efficiency In particular thereremain two significant features to be considered in utilizingABE technique in eHealth systems

The first feature is verifiability of outsourced decryptionIn most ABE systems [1ndash3 9ndash12] the decryption overheadis linear to the scale of involved attributes and expensivefor energy-constrained terminals The decryption outsourc-ing technique [13] is proposed to reduce the number ofexponential operations and bilinear pairing operations onuser side by offloading the heavy decryption computationto a third-party server eg the cloud server The user thenrecovers the plaintext by executing only one exponentialoperation over ElGamal-style partial decrypted ciphertextelement generated by the third-party server However suchoutsourced scheme can not guarantee the correctness ofreturned ElGamal-style element Lai et al [14] presentedthe verifiable approach in ABE to check whether the third-party server has honestly executed the decryption serviceThey also bring redundant overhead in both encryptioncomputation and ciphertext size Qin et al [15] provided anefficient verifiable ABE scheme which significantly reducesthe computation cost in encryption and the decryptionoverhead for users

Another considerable feature is traceability We take CP-ABE as an instance the private key is generated from somedescriptive attributes rather than froma unique identity Eachattribute may be possessed by multiple users It could beimpossible to distinguish who is the original owner of agiven private key Imagine two physicians in eHealth systemsTomas and Jack They have the attribute set lsquoorthopedicsdepartment chief physicianrsquo which is not possessed by anyother users By the key delegate technique [3] both Tomasand Jack can regenerate a private key responding to theset lsquoorthopedics department chief physicianrsquo if there is athird user who can decrypt the ciphertext labeled by accesspolicy lsquo lsquoorthopedics departmentrsquo AND lsquochief physicianrsquo rsquoWhere did the key come from Tomas or Jack To solve theproblem above Liu et al [16] extended an adaptively secureCP-ABE scheme [9] to support lsquowhite-boxrsquo traceability wherethe malicious user directly leaks hisher private key Subse-quently Ning et al [17] constructed a large attribute universeand traceable CP-ABE scheme On the contrary to the lsquosmalluniversersquo in [3 10 14ndash16] the lsquolarge universersquo means that thescale of attribute universe is unbounded [18]

However existing works mostly aimed to support theproperty of verifiable outsourced decryption or traceabilityseparately There is no CP-ABE scheme with both verifiableoutsourced decryption and white-box traceability in practice(1) the CP-ABE schemes [16 17] support the traceability wellbut the userrsquos decryption cost growwith the attribute number(2) these CP-ABE schemes [14 15 19 20] provide decryptionassistance for users and the correctness of returned PDCelement is guaranteed however the traceability property isnot addressed

In this work we propose a novel verifiable and traceableCP-ABE scheme named VTCP-ABE for eHealth cloud appli-cations The VTCP-ABE scheme is the first scheme whichsimultaneously achieves white-box traceability and verifiableoutsourced decryptionwithout exposing the physicianrsquos iden-tity information Since we take the lsquolarge universersquo scheme[18] as the basis the attribute universe in our scheme isinherently unbounded We further extend the VTCP-ABEto support another delegation property We also provide theformal proof of the selective CPA security verifiability andtraceability for VTCP-ABE The comparison and simulationresults show that our VTCP-ABE is applicable for practicaleHealth cloud applications In particularly we make thefollowing contributions

(1) We propose a new VTCP-ABE scheme which simul-taneously achieves the properties of verifiable outsourceddecryption white-box traceability and large universe Anauthorized physician can check the correctness of partialdecrypted ciphertext (PDC) which is requested from theeHealth CDS Given a private key the original owner can beprecisely trackedThe attribute universe can be exponentiallylarge and the number of public parameter elements is con-stant no matter how many attributes are chosen

(2) We present an efficient approach to prevent theCDS from knowing the fixed identification information ofphysician during offering decryption service The originalciphertext and the transmission private key will be pre-processed before being sent to the CDS This method isacceptable since only two additional exponential operationsfor each decryption request are added

(3)We exploit an additional property of delegation for ourVTCP-ABE with which a resource-constrained physiciancan delegate someone to obtain a PDC element withoutcompromising the privacy of PHI

11 Related Works ABE was first introduced in [1] Thefirst KP-ABE scheme with threshold tree access structureswas presented in [2] The first CP-ABE scheme with thesame structures was presented in [3] Waters [21] presentedseveral CP-ABE schemes to support the access policy definedas Linear Secret Sharing Schemes (LSSS) Yu et al [22]demonstrated the deployment of ABE technique in cloudcomputing In [4] Li et al presented a personal healthrecord (PHR) secure sharing scheme in cloud computingSubsequently various constructions of ABE schemes werepresented in [9 23ndash29]

Green et al [13] constructed the first decryption out-sourcing ABE where the most decryption overhead is hostedto a third party With the returned partial decrypted cipher-text a user could recover the plaintext message by executingonly one exponential operation Based on the outsourcedmethod [13] Li et al [7] presented a PHR data sharingscheme for cloud storage applications in the multi-authoritysettings In both [7 13] the correctness of returned PDC isnot guaranteed Lai et al [14] presented an approach to checkwhether the partial decrypted ciphertext element (trans-formed ciphertext element) is correctly calculated Theirtechnique incurred noticeable overhead in both decryptionand encryption Based on key encapsulation mechanism Lin







2 Preliminaries




computable











Ξ =119892 119892119904

119892120580119894 119892120592119895 119892119904120592119895 119892120580119894120592119895 1198921205801198941205922119895 forall(119894 119895) isin [120593 120593]

119892120580119894120592119895 forall(119894 119895) isin [2120593 120593] with 119894 = 120593 + 1

1198921205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [2120593 120593 120593] with 119895 = 1198951015840

1198921199041205801198941205921198951205921198951015840 1198921199041205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [120593 120593 120593] with 119895 = 1198951015840



Physician Patient

AuthorityPK TKDK

VKCTPHI

PDC

eHealth Cloud

CSS

CDS

IOT

BAN

PHI

PTKPCTPHI

VKCTPHI

CSS



119860119889VA(120582) =1003816100381610038161003816100381610038161003816Pr [A (Ξ119882 = 119890 (119892 119892)120580

120593+1119904) = 0]

minus Pr [A (Ξ119882 = 119865) = 0]1003816100381610038161003816100381610038161003816

(1)




























1198781198761)) For each (119894119889119894 119878119894) B
































119901




119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904







and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573





1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911





1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904


= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)





(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591


5 Security Proof




















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








2 Preliminaries




computable











Ξ =119892 119892119904

119892120580119894 119892120592119895 119892119904120592119895 119892120580119894120592119895 1198921205801198941205922119895 forall(119894 119895) isin [120593 120593]

119892120580119894120592119895 forall(119894 119895) isin [2120593 120593] with 119894 = 120593 + 1

1198921205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [2120593 120593 120593] with 119895 = 1198951015840

1198921199041205801198941205921198951205921198951015840 1198921199041205801198941205921198951205922

1198951015840 forall(119894 119895 1198951015840) isin [120593 120593 120593] with 119895 = 1198951015840



Physician Patient

AuthorityPK TKDK

VKCTPHI

PDC

eHealth Cloud

CSS

CDS

IOT

BAN

PHI

PTKPCTPHI

VKCTPHI

CSS



119860119889VA(120582) =1003816100381610038161003816100381610038161003816Pr [A (Ξ119882 = 119890 (119892 119892)120580

120593+1119904) = 0]

minus Pr [A (Ξ119882 = 119865) = 0]1003816100381610038161003816100381610038161003816

(1)




























1198781198761)) For each (119894119889119894 119878119894) B
































119901




119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904







and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573





1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911





1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904


= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)





(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591


5 Security Proof




















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Physician Patient

AuthorityPK TKDK

VKCTPHI

PDC

eHealth Cloud

CSS

CDS

IOT

BAN

PHI

PTKPCTPHI

VKCTPHI

CSS



119860119889VA(120582) =1003816100381610038161003816100381610038161003816Pr [A (Ξ119882 = 119890 (119892 119892)120580

120593+1119904) = 0]

minus Pr [A (Ξ119882 = 119865) = 0]1003816100381610038161003816100381610038161003816

(1)




























1198781198761)) For each (119894119889119894 119878119894) B
































119901




119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904







and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573





1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911





1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904


= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)





(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591


5 Security Proof




















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








1198781198761)) For each (119894119889119894 119878119894) B
































119901




119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904







and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573





1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911





1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904


= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)





(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591


5 Security Proof




















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



119862 = 120594 sdot 119890(119892 119892)120572119904

1198621 = 119892119904

1198622 = 119892119886119904







and then calculates

119870119870 = 119892120572119887(119886+120575)119908120573

1198701198701 = 120575

1198711 = 119892120573

1198712 = 119892119886120573





1 1198622 =119892(119886+120575)119904 and 1198713 = 1198711198701198701

1 1198712 = 119892(119886+120575)120573Then 119875119862119879120594 = 1198623 and 119875119879119870 = (119870119870 1198713 1198701198701205911





1198621015840 = 119890 (119870119870 1198623)prod119894isin119868 (119890 (1198713 1198621198941) 119890 (1198701198701205911 1198621198942) 119890 (1198701198701205912 1198621198943))120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904


= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

prod119894isin119868119890 (119892 119908)(119886+120575)120573120582119894120595119894

= 119890 (119892 119892)120572119904119887 119890 (119908 119892)(119886+120575)120573119904

119890 (119892 119908)(119886+120575)120573119904= 119890 (119892 119892)120572119904119887

(2)





(2)119863119870 = 119887 isin Z119901(3) 119890(119892 1198712) = 119890(119892119886 1198711)(4) 119890(119870119870 119892119886 sdot 1198921198701198701 ) = 119890(119892 119892)120572119887119890(1198711198701198701

1 1198712 119908)(5) exist120591 isin [119896] st 119890(1198701198701205912 119892)119890(1198711198701198701

1 1198712 ]) = 119890(1198701198701205911ℏ)119890(1198701198701205911 119906)119860119879120591


5 Security Proof




















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia















1119867119860lowast2 119867119860lowast



119870119870 = 119892120572(119886+120575)119908120573

1198701198701 = 1205751198711 = 119892120573

1198712 = 119892119886120573



119870119870 = (119870119870)1119887 = 119892120572119887(119886+120575)1199081205731198701198701 = 1198701198701 = 1205751198711 = (1198711)1119887 = 119892120573

1198712 = (1198712)1119887 = 119892119886120573









1 = 119867119860lowast1(119877lowast)



119867119860lowast2(119879119860119866lowast

1 119862119879119872120583)



















52 Verifiability











2 = 119867119860lowast2(119879119860119866lowast














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia














53 Traceability




119901 It then sets 119891(119911) = prod119902119894=1(119911 + 120575119894) =







119895=0 119887119895119911119895



119870119870 = (120577119894)120572119887 = 119892120572119887(120603+120575119894)1199081205731198701198701 = 1205751198941198711 = 1198921205731198712 = 119892120603120573





119894=0 120601119894119911119894 and some 120601minus1 =


120590 larr (11987011987011987112057911 )119887120572 = 119892120601(120603)119892120601minus1(120603+1198701198701)


minus120601119894119894 )1120601minus1 = 1198921(120603+1198701198701)

120575119904 larr 1198701198701 mod119901 isin Z119901














TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





TCP-ABE [17] (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 2119864 + |119868|1198641

VTCP-ABE (5|119878119862| + 2)119864 + 11198641 (4|119878119870| + 4)119864 |119868|1198641 + (3|119868| + 1)119875+(3|119868| + 1)119875

31198641
















Then compute

119870119870119901s119890 = 1198701198701119889 = 119892120572119887119889(119886+120575)1199081205731198891198701198701199011199041198901 = 1198701198701 = 1205751198711199011199041198901 = (1198711)1119889 = 119892120573119889

1198711199011199041198902 = (1198712)1119889 = 119892119886120573119889



119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198701198701199011199041198901

1198711199011199041198901 1198711199011199041198902 1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(3)


1 1198622 = 119892(119886+120575)119904 and 1198711199011199041198903 =(1198711199011199041198901)11987011987011990111990411989011198711199011199041198902 = 119892(119886+120575)119903119889


119875119862119879119863 = (T 1198621199011199041198903 1198621198941 1198621198942 1198621198943119894isin[119898])

and 119875119879119870119863 = (120585 119901119904119890 119878119863 Γ1199011199041198901 Γ1199011199041198902 Γ1199011199041198903 119870119870119901119904119890 1198711199011199041198903

1198701198701199011199041198901205911 1198701198701199011199041198901205912120591isin[])

(4)


VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



VCP-ABETCP-ABEOurs


0102030405060708090

100

Com

puta

tion

Cos

t (m

s)

(a) Setup

VCP-ABETCP-ABEOurs


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

(b) KeyGen

1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)


VCP-ABETCP-ABEOurs

(c) Encryption

Ours


05

101520253035404550

Com

puta

tion

Cos

t (m

s)

(d) Pre-process


1000

2000

3000

4000

5000

6000

7000

Com

puta

tion

Cos

t (m

s)

VCP-ABETCP-ABEOurs

(e) User-decrypt


100020003000400050006000700080009000

10000

Com

puta

tion

Cos

t (m

s)

TCP-ABEOurs

(f) Trace







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







1198621015840119863

=119890 (119870119870119901119904119890 1198621199011199041198903)

prod119894isin119868 (119890 (1198711199011199041198903 1198621198941) 119890 (1198701198701199011199041198901205911 1198621198942) 119890 (119870119870119901119904119890120591119902 1198621198943))120595119894

= 119890 (119892 g)120572119904119887119889

(5)






8 Conclusion


Data Availability




Acknowledgments


References














































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Traceable Ciphertext-Policy Attribute-Based Encryption ...

Documents

Transcript of Traceable Ciphertext-Policy Attribute-Based Encryption ...