A privacy-preserving and efficient data sharing scheme with trust authentication based on blockchain for mHealth

Abstract

The mobile healthcare (mHealth) is a promising and fascinating paradigm, which can dramatically improve the quality of healthcare delivery by providing remote diagnosis and medical record sharing. Now, the mHealth faces serious challenges such as data leakage and unauthorised access currently. Attribute-based encryption (ABE) which has been employed for mHealth is an excellent cryptographic primitive of securing data sharing. However, there are still some security and efficiency issues in the ABE-based data sharing scheme for mHealth. Firstly, the explicit storage of access policy may expose the privacy of users. Secondly, the computation cost is high, especially in the mHealth with IoT devices. Thirdly, the authentication of access rights to shared data is usually performed by the centralised third parties or IoT devices with limited resources. To handle the above issues, this paper presents a privacy-preserving and efficient data sharing scheme. The scheme partially hides access policy to protect user's privacy, and introduces an offline mechanism in key generation and encryption phase to improve efficiency of mHealth. Furthermore, it also provides decentralised and trusted authentication of data access right based on blockchain. The security proofs and the experiment results demonstrate that the presented scheme has better security and efficiency.

Keywords:

• Attribute-based encryption
• blockchain
• privacy-preserving
• mobile healthcare
• outsourced decryption
• access authentication

1. Introduction

In the technological epoch of the Internet of Everything, the Internet of Things (IoT) (Sicari et al., 2015) and 5G (S. Zhang et al., 2019) technology came into being. As a typical application of the IoT and 5G technology, mobile health (mHealth) system (J. Hu et al., 2022) provides more efficient and convenient services for patients. The mHealth collects medical records (MRs) of patients through wearable devices, then storage it in cloud service provider (CSP). Since the online medical records contain patients' privacy, data owners in the mHealth system want to keep their data confidential, and only allow some specific users to access their data. Therefore, mHealth systems urgently need a solution that can achieve fine-grained access control.

The attribute-based encryption (ABE) scheme presented by Sahai and Waters (Sahai & Waters, 2005) can achieve data encryption and one-to-many fine-grained access control simultaneously. So it is one of the effective technical means to the above issue. ABE can be classified into key-policy ABE (KP-ABE) (Goyal et al., 2006) and ciphertext-policy ABE (CP-ABE) (Bethencourt et al., 2007) by the different objects associated with access policy. In CP-ABE, data owner formulates an access policy with a specific set of attributes to protect the data, and only users who have all the attributes in the access policy have decryption rights. The feature just meets the requirement of mHealth system (Akinyele et al., 2011; Ibraimi et al., 2009) to protect the data confidentiality.

However, the traditional CP-ABE schemes only encrypt the data at a fine-grained level, and the access policy in it still exists in the form of plaintext. In the mHealth system, the access policy also contains sensitive information of the data owner. Figure 1 illustrates a simplified mHealth system with conventional CP-ABE, where data owner (DO) encrypts his/her MRs with the access policy (“Hospital: Provincial Hospital” AND “Department: Neurology”) OR (“Disease: Neurology” AND “Gender: Female”). Since the access policy is stored explicitly, anyone can see that the data requester (DR) is a neurologist in a provincial hospital or a female patient who suffering from neurologic diseases. It also can be inferred that the data owner suffers from neurologic diseases and is receiving treatment in a provincial hospital. This will expose the privacy of both the data owner and the data receiver. Therefore, there is an urgent need to hide the explicit access policy.

Figure 1. Data-sharing mHealth system with conventional CP-ABE.

If the explicit attribute values in the access policy are hidden, data receiver can only determine whether he/she is authorised by decrypting the ciphertext instead of directly comparing the attribute values. It undoubtedly increases the meaningless computing cost of unauthorised users. To overcome the defect, some schemes add an authentication phase to authenticate the access right of an user before complete decryption. However, the authentication phase of the schemes is performed by the mobile receiver with limited computing resources, or by centralised third parties (Kim et al., 2020; Ren et al., 2018; Xu et al., 2019) that are not completely trusted. The issues of centralisation and opacity exists the authentication phase.

In addition, CP-ABE schemes utilise many expensive modular exponentiation and pairing operations which require computing devices to have sufficient battery capacity and computing resources. However, there are many mobile devices in mHealth with limited computing resources and storage resources, which do not have the capability to frequently perform necessary operations, such as generating or decrypting ciphertext. Moreover, concurrent registration of users in the system will reduce the efficiency of registration phase. Therefore, how to improve the efficiency in each phase is a key problem in mHealth system.

The paper proposes a privacy-preserving and efficient data sharing scheme with trust authentication based on block-chain to solve the mentioned issues, such as user privacy leakage in access policy, low computing efficiency of mobile users, centralised and untrusted authentication of access rights. The following is our specific contributions in this paper.

• We design a method to transform an explicit access policy into an implicit access policy, which partially hides the access policy by embedding the attribute values in the access policy into the ciphertext. By this means, we can achieve user privacy protection to a greater extent.

• A method for authentication of access rights is proposed. Only one bilinear pairing operation is needed in the method before full decryption to determine whether the user has the decryption permission, and the authentication phase is executed by the smart contract in the blockchain. The authentication method has high execution efficiency and a transparent process.

• We introduce an online/offline mechanism in the key generation phase and the encryption phase. Most operations are completed in the offline phase, while only some low-cost operations are required in the online phase, so as to improve the efficiency of user registration and encryption.

• A verifiable outsourced decryption mechanism is employed in the decryption phase. Most of the operations in the decryption phase are migrated to CSP, while only some low-cost operations are left to users. The verification component in the ciphertext allows the user to verify the results returned by a CSP that is not fully trusted.

The rest sections and contents of this work are arranged as follows. We briefly review related literature in Section 2 and explain the preliminaries involved in Section 3, while the system architecture and security model are exhibited in Section 4. We provide the details of the presented scheme and the security proof in Sections 5 and 6 respectively. The analysis of the experiment is presented in Section 7. Finally, this work is simply summarised in Section 8.

2. Related works

2.1. Attribute-based encryption

The conception of attribute-based encryption (ABE) was initiated by the fuzzy identity-based encryption (IBE) scheme (Sahai & Waters, 2005), which achieved one-to-many access control for the first time by hiding the identity of receivers. Goyal et al. (2006) evolved the FIBE to ABE, and proposed the first KP-ABE scheme with the specific structure. Subsequently, Bethencourt et al. (2007) proposed the first CP-ABE scheme with the specific structure. Cheung and Newport (2007) proposed a CP-ABE scheme based on standard mathematical assumption, and provides the security proofs of the scheme under the corresponding model. Waters (2011) also presented a CP-ABE scheme based on standard mathematical assumptions, and the scheme employs Linear Secret Sharing Scheme (LSSS) to achieve any expression formula. In 2013, Rouselakis and Waters (2013) presented a CP-ABE scheme which supports large attribute universe, the attribute universe can be polynomial unbounded. Based on the above basic ABE schemes, many excellent schemes (Ahamad & Khan Pathan, 2021; Ji et al., 2021) for industrial scenarios have been proposed. However, the above conventional ABE schemes only consider user privacy related to data, but ignore user privacy leakage in access policy and high computational cost.

2.2. Partially hidden-policy CP-ABE

To solve the issue that the explicit access policy may leaking the privacy of users, many relevant policy-hiding schemes have been proposed. According to the granularity of hiding, policy hiding comes in two flavours known Fully-Hidden Policy CP-ABE (FHP-CP-ABE) and Partially-Hidden Policy CP-ABE (PHP-CP-ABE). In the FHP-CP-ABE schemes (Belguith et al., 2018; Chen et al., 2019; Phuong et al., 2015) based on Inner-product Predicate Encryption (IPE) directly or indirectly, there may exists “superpolynomial blowup” problem. To balance the security of access policy and the efficiency of decryption, PHP-CP-ABE is more popular among researchers. In 2008, Nishide et al. (2008) presented a PHP-CP-ABE scheme based on multi-valued AND gates and wildcards, in which each attribute name in the access policy has sets of candidate values, an attribute name corresponds to an attribute value and wildcards match any candidate value. PHP-CP-ABE schemes were presented in L. Zhang et al. (2016) and Y. Zhang et al. (2013) with AND gate, but these schemes do not authenticate access right of user before decryption, which increase meaningless decryption overhead for unauthorised users. To solve the issue, some PHP-CP-ABE schemes (J. Li et al., 2016; S. Qiu et al., 2017) which based on AND gate and supporting access authentication was proposed. However, the above schemes are all on the basis of the AND gate access structure, which has weak expression ability and reduces the flexibility of the schemes.

In 2012, Lai et al. (2012) presented a PHP-CP-ABE scheme which achieves full security and supported access authentication. The scheme applied PHP-CP-ABE scheme which can only be constructed in AND gate to linear secret sharing structure for the first time. However, the scheme does not achieves large universe. Moreover, the computational overhead of the authentication phase is close to that of the complete decryption phase, thus losing the significance of authentication. The same issue exists in the scheme (L. Liu et al., 2016). In 2018, Y. Zhang (2018) achieved the large universe by eliminating attribute-related components in the public parameters. The scheme also reduces the number of pairing operations which is linearly related to the scale of access policy in Lai et al. (2012) to a constant level, it can greatly decrease the computational cost of the authentication phase. However, due to the complexity of composite order groups, the computational efficiency of the above schemes is much lower than that of the schemes based on prime-order groups with the same length. The PHP-CP-ABE schemes (Q. Li et al., 2020; Zeng et al., 2021; L. Zhang et al., 2019) utilising same group type also have the same issue of low efficiency.

To achieve the same correctness and security as the scheme which utilises composite-order groups, Cui et al. (2018, 2016) presented the first PHP-CP-ABE scheme based on LSSS and bilinear groups of prime-order. However, the scheme selects many random numbers and contains many exponentiation and pairing operations, which increases the storage and computing cost of the scheme. Some PHP-CP-ABE schemes (Ba et al., 2021; Gan et al., 2021; J. Zhang et al., 2021) are proposed based on prime groups and LSSS for some specific scenarios. However, these schemes lack an authentication phase before decryption, which increases meaningless computational overhead for unauthorised users. G. Hu et al. (2020) presented a PHP-CP-ABE scheme with the authentication in prime bilinear groups, but the authentication in the scheme may leak the privacy of users. W. Zhang et al. (2022) introduced a PHP-CP-ABE scheme which can achieves privacy protection in authentication, it can avoid the privacy disclosure issue in G. Hu et al. (2020). However, the authentication phase of the above scheme is performed by data requesters with limited computing resources. Z. Zhang et al. (2021) migrates the authentication phase to the CSP. However, centralised CSP is neither entirely trusted nor immune to single point of failure. It is worth noting that the above schemes only consider the privacy leakage of users, but ignore the high encryption computation overhead of users, which is not suitable for CA-IoMT systems with many lightweight devices.

2.3. Efficient computing

To accomplish more computing tasks in limited battery and computing capacity, online/offline mechanism is employed. The online/offline encryption mechanism is adopted for the first time to design an online/offline signature scheme by Even et al. (1989), which divided the signature into offline and online phases. Most operations of the scheme are pre-calculated in the offline phase, and the signature are quickly completed in the online phase. To improve the efficiency of ABE scheme, Hohenberger and Waters (2014) employed the online/offline conception in ABE scheme, and presented the concrete structures of offline KP-ABE and offline CP-ABE. In 2018, Y. Liu et al. (2018) presented a more efficient online/offline CP-ABE scheme for the mHealth system. However, because of the explicit storage of access policy, all above schemes have the issue of privacy disclosure. Subsequently, Y. Zhang et al. (2018) and Yan et al. (2020) presented online/offline CP-ABE schemes supporting policy hiding respectively. In the schemes, both the key generation and the ciphertext generation phase employ the online/offline conception. The entities accomplish most of the pre-calculations in the offline phase, and quickly assemble the required components in the online phase. However, these schemes have low efficiency because of the bilinear groups of composite order. Moreover, the access policy in their scheme is completely transparent to users and CSP in system, it is easy to reveal privacy of users.

The decryption outsourcing mechanism is utilised in some schemes to migrate the computational burden of the users to CSP. In 2011, Green et al. (2011) presented the first CP-ABE scheme for decryption outsourcing. In the scheme, all the intensive calculations in the decryption phase are handed to the CSP, and users only need one exponentiation to recover the message. But the CSP is not always trusted. In 2013, Lai et al. (2013) added a redundancy verification component to the ciphertext, which enable users to verify whether the decryption result of the CSP is correct. However, the ciphertext length of this scheme is twice that of Green et al. (2011), and the storage and computing overhead of this scheme are doubled. Some efficient outsourcing decryption CP-ABE schemes that supports verifying the decryption results are presented in Lin et al. (2015), Mao et al. (2015) and B. Qin et al. (2015). All the above schemes only focus on improving the efficiency of decryption phase, but neglect the efficiency of encryption phase. Moreover, their scheme as well as ignore the importance of user privacy.

3. Preliminaries

3.1. Access structure

Let $\mathcal{U}$ be a set of attribute parties. A collection $\mathbb{A}\subseteq 2^{\mathcal{U}}$ is considered monotones if $\mathrm{\forall }B,C$ when $B\in \mathbb{A}$ and $C\subseteq 2^{\mathcal{U}}$ then $C\in \mathbb{A}$. A monotone access structure of $\mathcal{U}$ is a monotone collection $\mathbb{A}$ without the empty set, which can be represented as $\mathbb{A}\subseteq 2^{\mathcal{U}}\mathrm{\setminus }\left\{\mathrm{\varnothing }\right\}$.

3.2. Bilinear pairings

Let both G and $G_T$ represent two cyclic multiplicative groups with the prime order p. An operation $e:G\times G⟶G_T$ is known as bilinear mapping if it owns the properties as follows:

• Bilinear: $e(g^a,w^b)={e(g,w)}^{ab}$ for any $g,w\in G$ and $a,b\in Z_p^{\ast }$.

• Nondegenerate: There exists $w\in G$, has $e(w,w)\ne 1$.

• Computable: The operations in G and $G_T$ and e : $G\times G⟶G_T$ are all computable in polynomial time.

3.3. Linear secret sharing scheme (LSSS)

Let $\mathcal{U}$ represents the attribute universe of the system. Each attribute in $\mathcal{U}$ can be described together by the attribute name and the corresponding value. Any monotone access formula on $\mathcal{U}$ can be converted into LSSS access structure with the unchanged meaning. There exists a matrix $A_{l\times n}$ and a function ρ, where $A_{l\times n}$ represents the shared generation matrix of l rows and n columns generated by the access formula, ρ maps a row in the matrix to an attribute name index in the system: ${\rho \left(i\right)}_{i\in [1,l]}⟶{att}_i({att}_i\in [1,n\left]\right)$. A LSSS scheme comprises two algorithms as below.

• Sharing: In the algorithm, a secret value $s\in Z_p^{\ast }$ is shared by the shared generation matrix A. The algorithm $\{v_2,v_3,\dots ,v_n\}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$ to forms a n-dimensional column vector $\overrightarrow{v}={(s,v_2,v_3,\dots ,v_n)}^{⊺}$ together with the secret value s. Then, the algorithm calculates the shared component ${\lambda }_i=A_i\bullet \overrightarrow{v}$ which is held by each row vector in the matrix A.

• Reconstruction: In the algorithm, the secret value s can be recovered from the shared components that satisfy the requirement. Assuming that P is an authorised attribute set satisfying the access structure, define an index set $I=\left\{i\right|\rho \left(i\right)\in P\}\subseteq \{1,2,\dots ,l\}$ of attribute name indexs. The constant set $\overrightarrow{w}=\{w_i\in Z_p^{\ast }{\}}_{i\in I}$ can be found by the equation $\sum _{i\in I}{w}_i{A}_i=(1,0,\dots ,0)$ in polynomial time. Finally, the secret value s is calculated by the equation $\sum _{i\in I}{w}_i{\lambda }_i=s$.

If I satisfies the access structure $(A,\rho )$, and there is no set satisfies this condition for any $I_{sub}\subset I$, we called $I=\left\{i\right|\rho \left(i\right)\in P\}\subseteq \{1,2,\dots ,l\}$ is the minimum authorised attribute set of $(A,\rho )$. We represent the specified access structure as $\mathbb{A}=(A,\rho ,\tau )$, where $\tau =(t_{\rho \left(1\right)},\dots ,t_{\rho \left(l\right)})$ indicates a set of attribute values corresponding to $(A,\rho )$. Let $S=(I_S,L_S)$ be an attribute set of a user, where $I_S$ indicates the set of attribute name index and $L_S$ indicates the set of corresponding attribute value. If and only if $I=\left\{i\right|\rho \left(i\right)\in P\}\subseteq I_S$ and $s_{\rho \left(i\right)}=t_{\rho \left(i\right)}(\mathrm{\forall }i\in I)$, we can say that the attribute set matches the specified access structure $\mathbb{A}$.

3.4. Decisional linear assumption

The Decisional Linear assumption is constructed by the algorithm as below.

• Initialisation: The algorithm chooses $\{g,g_1,g_2\}\stackrel{R}{\leftarrow }G$ and $\{a_1,a_2\}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$, where $g,g_1,g_2$ are the generators of cyclic multiplicative group G.

• Calculate: The algorithm calculates and outputs the tuple $\overrightarrow{p}=(g,g_1,g_2,g^{a_1},g_1^{a_2})$ by the selected parameters.

• Challenge: The challenger throws a random coin $\psi \stackrel{R}{\leftarrow }\{0,1\}$, and selects the item sent to the adversary. By the value of the random coin, the adversary can get item $(\overrightarrow{p},T=g_2^{a_1+a_2})$ or $(\overrightarrow{p},T=R)$, where R is an element chosen from $G_T$ randomly. Then, any adversary with probabilistic polynomial-time (PPT) can give the guess ${\psi }^{\mathrm{\prime }}\in \{0,1\}$ to distinguish $T=g_2^{a_1+a_2}$ or T = R.

3.5. Blockchain

The conception of blockchain originates from Bitcoin. The block structure comprises block header and block body. As shown in Figure 2, the header of each block records the hash value of the previous block and the feature information of the current block such as the root of the Merkle tree, and the block body stores the real transaction information, in which the merkle tree can prevent the transactions in blocks are tampered with. Blocks are linked in one direction according to the time sequence, and form a distributed ledger.

Figure 2. Blockchain structure.

Smart contract is a digitised protocol, the rules and data defined in the protocol are open and transparent. Blockchain provides a distributed and trusted execution environment for smart contract. When creating a contract, someone can predefine the conditions for the contract to be automatically executed. After the contract is created, the contract creator submits the contract to the blockchain network in the form of a transaction for broadcasting to reach a consensus, and then the block where the contract is located is added to the blockchain network. Once the contract is triggered, it will automatically self-validate and execute automatically without human intervention (Delmolino et al., 2016), and the execution results of the smart contract are recorded in the blockchain.

4. System model and threat model

4.1. System model

As illustrated in Figure 3, this subsection presented the system model which comprises five entities trust authority (TA), cloud service provider (CSP), consortium blockchain (CB), data owner (DO) and data requester (DR).

• TA: TA is a trust authority that is fully trusted by all entities in the system. TA is in charge of the registration for users.

• CSP: CSP are some semi-trusted cloud servers, which are comprised of many storage servers and computing servers. Among them, the storage server is utilised to store ciphertext for data owner, and the computing server is employed to partially decrypting for data requester who has limited computing resources.

• CB: CB is a distributed trusted platform that allows users to create and query transactions on it. In this paper, the blockchain is utilised to store authentication ciphertext and access policy. Furthermore, as the carrier of smart contract, it can conduct distributed and trusted authentication for data requester.

• DO: DO is an entity who is in charge of generating ciphertext and uploading ciphertext to CSP. DO first generates the offline ciphertext in spare time, then generates the final ciphertext after the message and access policy is specified. To achieve secure and trust data sharing, DO sends the ciphertext address, authentication ciphertext and access policy to the blockchain in the form of storage transaction ${Tx}_{storage}$.

• DR: DR is an entity who has a specific set of attributes and wants access to the shared data. Before decryption, the DR invokes the smart contract to authenticate whether it is authorised.

Figure 3. System model.

4.2. Overview of proposed scheme

There are ten algorithms in the proposed scheme.

• $\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}\left(1^{\lambda }\right)\to (PK,MSK)$: Given a security parameter λ as the unique input, TA generates the system public parameter PK and the master secret key MSK as the outputs.

• $\mathit{O}\mathit{f}\mathit{f}\mathit{l}\mathit{i}\mathit{n}\mathit{e}\mathbf{.}\mathit{K}\mathit{e}\mathit{y}\mathit{G}\mathit{e}\mathit{n}(PK,MSK)\to {SK}_{off}$: Given the PK and the MSK as the inputs, TA generates the offline key ${SK}_{off}$ as the output.

• $\mathit{O}\mathit{n}\mathit{l}\mathit{i}\mathit{n}\mathit{e}\mathbf{.}\mathit{K}\mathit{e}\mathit{y}\mathit{G}\mathit{e}\mathit{n}(PK,{SK}_{off},S=(I_S,L_S\left)\right)\to ({SK}_S,{SK}_{Auth})$: Given the PK, the ${SK}_{off}$ and the attribute set $S=(I_S,L_S)$ as the inputs, TA returns the secret key tuple $({SK}_S,{SK}_{Auth})$ as the outputs, where ${SK}_S$ is the decryption key and ${SK}_{Auth}$ is the authentication key.

• $\mathit{O}\mathit{f}\mathit{f}\mathit{l}\mathit{i}\mathit{n}\mathit{e}\mathbf{.}\mathit{E}\mathit{n}\mathit{c}\mathbf{\left(}\mathit{P}\mathit{K}\mathbf{\right)}\to {CT}_{off}$: Given the PK as the input, DO generates the offline ciphertext ${CT}_{off}$ as the output.

• $\mathit{O}\mathit{n}\mathit{l}\mathit{i}\mathit{n}\mathit{e}\mathbf{.}\mathit{E}\mathit{n}\mathit{c}({CT}_{off},M,\mathbb{A}=(A,\rho ,\tau \left)\right)\to ({\mathrm{C}\mathrm{T}}_{\mathbb{A}},{CT}_{Auth})$: Given a message M, the access structure $\mathbb{A}=(A,\rho ,\tau )$ and the ${CT}_{off}$ as inputs, DO returns the ciphertext tuple $({\mathrm{C}\mathrm{T}}_{\mathbb{A}},{CT}_{Auth})$ as the outputs, where ${\mathrm{C}\mathrm{T}}_{\mathbb{A}}$ is the ciphertext and ${CT}_{Auth}$ is the authentication ciphertext.

• $\mathit{A}\mathit{u}\mathit{t}\mathit{h}\mathit{e}\mathit{n}\left(\right(A,\rho ),S=(I_S,L_S),{\mathrm{C}\mathrm{T}}_{\mathbb{A}},{CT}_{Auth},{SK}_{Auth})\to True$ or False: This phase authenticates the access rights of user. If the algorithm outputs Flase, it indicates that the attribute set S does not match the specified access structure A. Otherwise, it indicates that the user can continues the decryption phase.

• ${\mathit{T}\mathit{K}\mathit{G}\mathit{e}\mathit{n}}_{\mathit{o}\mathit{u}\mathit{t}}(PK,{SK}_S)\to ({TK}_{out}^s,UK)$: Given the PK and the ${SK}_S$ as the inputs, DR generates the outsourced transformation key ${TK}_{out}^s$ and the user decryption key UK as the outputs.

• ${\mathit{T}\mathit{r}\mathit{a}\mathit{n}\mathit{s}\mathit{f}\mathit{o}\mathit{r}\mathit{m}}_{\mathit{o}\mathit{u}\mathit{t}}(PK,{\mathrm{C}\mathrm{T}}_{\mathbb{A}},{TK}_{out}^s)\to {\mathrm{C}\mathrm{T}}_{out}$: Given the PK, the ${\mathrm{C}\mathrm{T}}_{\mathbb{A}}$ and the ${TK}_{out}^s$ as the inputs, CSP returns the transformed ciphertext ${\mathrm{C}\mathrm{T}}_{out}$ as the output.

• ${\mathit{D}\mathit{e}\mathit{c}\mathit{r}\mathit{y}\mathit{p}\mathit{t}}_{\mathit{D}\mathit{R}}(PK,{\mathrm{C}\mathrm{T}}_{out},UK)\to M^{\mathrm{\prime }}or\mathrm{\perp }$: Given the PK, the ${\mathrm{C}\mathrm{T}}_{out}$ and the UK, DR recovers the message $M^{\mathrm{\prime }}$ or ⊥ as the output.

• ${\mathit{M}}_{\mathit{V}\mathit{e}\mathit{r}\mathit{i}\mathit{f}\mathit{y}}(PK,{\mathrm{C}\mathrm{T}}_{\mathbb{A}},M^{\mathrm{\prime }})\to \mathrm{T}\mathrm{o}\mathrm{r}\mathrm{F}$: Given the PK, the ${\mathrm{C}\mathrm{T}}_{\mathbb{A}}$ and the $M^{\mathrm{\prime }}$ as the inputs, if the commitment value of $M^{\mathrm{\prime }}$ is equal to the commitment value of M in ${\mathrm{C}\mathrm{T}}_{\mathbb{A}}$, the algorithm outputs T. Otherwise, the algorithm outputs F.

4.3. Security model

The presented scheme ought to satisfy selective indistinguishability under chosen-plaintext attacks (IND-CPA) and anonymity. The selective CPA security model is formalised for the presented scheme through security games between the adversary A and challenger C as follows.

• Initialisation: Adversary A commits two challenge access structure ${\mathbb{A}}_0=(A,\rho ,{\tau }_0)$ and ${\mathbb{A}}_1=(A,\rho ,{\tau }_1)$ to challenger C.

• Setup: Challenger C obtains the master secret key MSK that requires to be kept secretly and the public parameter PK that requires to be sent to the adversary A from run the setup algorithm.

• Key query phase 1 and phase 2: In phase 1, challenger C makes responses to the key query of users by the KeyGen algorithm. The phase 2 is the same as the phase 1. The two phases requires that all the attributes set submitted by the user cannot match the challenge access policy ${\mathbb{A}}_0=(A,\rho ,{\tau }_0)$ and ${\mathbb{A}}_1=(A,\rho ,{\tau }_1)$.

• Challenge: Adversary A sends two specified messages $m_0$ and $m_1$ of equal length to challenger C. Challenger C throws a random coin $\psi \in \{0,1\}$, and encrypts $m_{\psi }$ with encryption algorithm to acquire the ciphertext ${CT}_{\psi }$, then sends the ciphertext to adversary A.

• Guess: Adversary A generates a guess of $\psi \mathrm{\prime }\in \{0,1\}$. Adversary A wins the game with a negligible advantage, if and only ${\psi }^{\mathrm{\prime }}=\psi$.

Definition

Define a negligible advantage as $ϵ=|Pr[{\psi }^{\mathrm{\prime }}=\psi ]-\frac{1}{2}|$. The presented scheme is selective IND-CPA security, if for any PPT adversary can only break the mentioned security game with the most advantages ϵ

5. Design details of proposed system and scheme

This section describes the presented scheme in detail. There are five phases in the mHealth system: (1) System initialisation; (2) User registration; (3) Privacy-preserving MRs Sharing; (4) Privacy-preserving Data Access and (5) Decryption outsourcing. We will covers the details of the algorithms involved in the above five phases.

5.1. System initialisation

TA derives the terms $T=(G,G_T,p,g,e(g,g\left)\right)$ from the security parameter λ, and sets the attribute universe as $U=Z_p^{\ast }$. It then performs the setup algorithm as below.

• $\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}$: TA chooses $\alpha ,\eta ,c\stackrel{R}{\leftarrow }{Z}_p^{\ast },g,g_1,g_2,u,w,h,v\stackrel{R}{\leftarrow }G$, and sets a collision-resistant hash function H, which maps an attribute value or element in group $G_T$ to element in $Z_p^{\ast }$. Then TA calculates $u=g^c,Y={e(g,g)}^{\alpha },Q=e(g_1,g_2)$, and publishes the system public parameters and master secret key as: $PK=(g,g_2,g_2^{\eta },c,u,w,h,v,Y,Q,H),MSK=(\alpha ,\eta ,g_1).$

5.2. User registration

Before obtaining an attribute set of users, TA executes the first algorithm as below to generate the offline secret key. After obtaining an attribute set $S=(I_S,L_S)$ submitted by users, TA executes the second algorithm as below to generate the final secret key.

• $\mathit{O}\mathit{f}\mathit{f}\mathit{l}\mathit{i}\mathit{n}\mathit{e}.\mathit{K}\mathit{e}\mathit{y}\mathit{G}\mathit{e}\mathit{n}$: TA chooses random elements $ϵ,{ϵ}_i,{\hat{L}}_i\stackrel{R}{\leftarrow }{Z}_p^{\ast }$, where $i\in [1,U]$, and generates the offline key for all users in the system as ${SK}_{off}=(K_0,K_1,{\{K_{2,i},K_{3,i},K_{4,i},K_{5,i}\}}_{i\in [1,U]}),$where $K_0=g_1^{\alpha }{w}^{ϵ},K_1=g^{ϵ}$, $K_{2,i}=g^{{ϵ}_i}$, $K_{3,i}=g^{{ϵ}_i/\eta }$, $K_{4,i}=(u^{{\hat{L}}_i}h{)}^{{ϵ}_i/\eta }\cdot v^{-ϵ}$, $K_{5,i}=(u^{{\hat{L}}_i}h{)}^{-{ϵ}_i}\cdot (v^{ϵ}{)}^{\eta }$.

• $\mathit{O}\mathit{n}\mathit{l}\mathit{i}\mathit{n}\mathit{e}.\mathit{K}\mathit{e}\mathit{y}\mathit{G}\mathit{e}\mathit{n}$: After obtaining offline key ${SK}_{off}$ and attribute set $S=(I_S,L_S)$ submitted by a user, where $I_S\in Z_N$ and $L_S=\{L_i{\}}_{i\in \left|I_S\right|}$, TA generates the final secret key as $\begin{array}{rl}{SK}_S& =(K_0,K_1,{\left\{K_{2,i},K_{3,i},K_{4,i},K_{5,i},K_{6,i}\right\}}_{i\in I_S}),\\ {SK}_{Auth}& =\left({\left\{K_i^{\mathrm{\prime }}\right\}}_{i\in I_S}\right),\end{array}$where $K_{6,i}=H\left(L_i\right)-\widehat{L_i},K_i^{\mathrm{\prime }}=g_1^{1/H\left(L_i\right)}$. The ${SK}_{Auth}$ is used for authentication of user access rights.

5.3. Privacy-preserving MRs sharing

Before specifying the access policy and the message, DO carries out the first algorithm as below to generate the offline ciphertext. After obtaining the relevant components, DO carries out the second algorithm as below to generate the final ciphertext.

• $\mathit{O}\mathit{f}\mathit{f}\mathit{l}\mathit{i}\mathit{n}\mathit{e}.\mathit{E}\mathit{n}\mathit{c}$: DO chooses random elements $s,s^{\mathrm{\prime }}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$ and $d_j,k_j,\widehat{{\lambda }_j},\widehat{t_j}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$, where $j\in [1,U]$. DO sets the offline ciphertext as ${CT}_{off}=(\widehat{C_0},C_0^{\mathrm{\prime }},C_1,{\{C_{2,j},C_{3,j},C_{4,j},C_{5,j}\}}_{j\in [1,l]}),$where $\widehat{C_0}=Y^s,C_0^{\mathrm{\prime }}=Q^{ds\mathrm{\prime }},C_1=g^s,C_{2,j}=g_2^{d_j},C_{3,j}=({g_2^{\eta })}^{d_j}{g}^{k_j},C_{4,j}=w^{\widehat{{\lambda }_j}}{v}^{k_j},C_{5,j}={\left(u^{\widehat{t_j}}h\right)}^{{-k}_j}.$

• $\mathit{O}\mathit{n}\mathit{l}\mathit{i}\mathit{n}\mathit{e}.\mathit{E}\mathit{n}\mathit{c}$: DO firstly specifies the access structure $\mathbb{A}=(A,\rho ,\tau )$ and the message $M\in G_T$, then DO chooses random elements $d,\delta ,v_2,v_3,\dots ,v_n,v_2^{\mathrm{\prime }},v_3^{\mathrm{\prime }},\dots ,v_n^{\mathrm{\prime }}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$ and constructs two n-dimensional column vectors represent as $\overrightarrow{v}={(s,v_2,v_3,\dots ,v_n)}^{⊺},$ $\overrightarrow{v^{\mathrm{\prime }}}={(s\mathrm{\prime },v_2^{\mathrm{\prime }},v_3^{\mathrm{\prime }},\dots ,v_n^{\mathrm{\prime }})}^{⊺}$, then computes ${\lambda }_j=A_j\cdot \overrightarrow{v},{\lambda }_j^{\mathrm{\prime }}=A_j\cdot \overrightarrow{v^{\mathrm{\prime }}}$ and sets the final ciphertext as $\begin{array}{rl}{\mathrm{C}\mathrm{T}}_{\mathbb{A}}& =(\mathrm{\Phi },C_0,C_0^{\mathrm{\prime }},C_1,{\{C_{2,j},C_{3,j},C_{4,j},C_{5,j},C_{6,j},C_{7,j}\}}_{j\in [1,l]}),\\ {CT}_{Auth}& =\left({\left\{C_j^{\mathrm{\prime }}\right\}}_{j\in [1,l]}\right),\end{array}$where $C_0=M\cdot \widehat{C_0},C_{6,j}={\lambda }_j-{\hat{\lambda }}_j,C_{7,j}=k_j(\widehat{t_j}-H(t_{\rho \left(j\right)}\left)\right)$, $C_j^{\mathrm{\prime }}={\left(g_2^{{\lambda }_j^{\mathrm{\prime }}H\left(t_{\rho \left(j\right)}\right)}\right)}^d$, $\mathrm{\Phi }=g^{H\left(M\right)}{g}_2^{H\left(\delta \right)}$. The ${CT}_{Auth}$ is used for authentication of user access rights.

After the phase, DO stores the ciphertext ${\mathrm{C}\mathrm{T}}_{\mathbb{A}}$ in CSP, and the CSP returns the storage address ctAddress. Then, DO sends the address and the ciphertext containing the hidden access policy to the blockchain through a storage transaction ${TX}_{storage}$ as shown in algorithm 1. Afterwards, the transaction is broadcasted to other nodes in the blockchain for verification of its validity with Algorithm 2. If the verification is passed, the transaction can be packaged into a consensus block.

5.4. Privacy-preserving data access

The authentication phase is utilised to determine whether a user is authorised. Only authorised users need to continue the decryption phase.

• Authen: Before decryption, the data requester calls the authentication contract to authenticate whether he/she has the right to access the data as shown in the Algorithm 3. If the user is authorised, the algorithm outputs True, it means the user can continue the decryption phase. Otherwise, the algorithm outputs Flase.

5.5. Decryption outsourcing

The decryption phase is comprises three steps. First, DR generates transformation key and user decryption key. Then CSP transforms the ciphertext with the transformation key. Finally, the DR obtains the message from the ciphertext and verifies the transformation result returned by the CSP.

• ${\mathbf{\text{{TKGen}}}}_{\mathbf{\text{{out}}}}$: The algorithm is performed by the data requester. DR $r\stackrel{R}{\leftarrow }{Z}_p^{\ast }$, and sets the user decryption key as UK = r, and transformation key as $T{K}_{out}^S=(T{K}_0,T{K}_1,{\{T{K}_{2,i},T{K}_{3,i},T{K}_{4,i}\}}_{i\in [1,\left|I_S\right|]}),$where ${TK}_0=K_0^{1/r},{TK}_1=K_1^{1/r},{TK}_{2,i}=K_{2,i}^{1/r},$ ${TK}_{3,i}=K_{3,i}^{1/r},{TK}_{4,i}=K_{4,i}^{1/r},{TK}_{5,i}=K_{5,i}^{1/r}$.

• ${\mathbf{\text{{Transform}}}}_{\mathbf{\text{{out}}}}$: The algorithm is performed by the CSP as below. $\begin{array}{rl}D& =\frac{e(C_1,T{K}_0)}{\prod _{i\in I}{(e(C_{4,i}\cdot w^{C_{6,j}},T{K}_1)\cdot e(C_{5,i}\cdot u^{C_{7,i}},T{K}_{3,i}))}^{w_i}}\\ & \cdot \frac{1}{\prod _{i\in I}{(e(C_{3,i},T{K}_{4,i}\cdot T{K}_{3,i}{}^{c\cdot T{K}_{6,i}})\cdot e(C_{2,i},T{K}_{5,i}\cdot T{K}_{2,i}{}^{-c\cdot T{K}_{6,i}}))}^{w_i}}\end{array}$

• ${\mathbf{\text{{Decrypt}}}}_{\mathbf{\text{{DR}}}}$: The algorithm is executed by the data requester who calculates as below $M^{\mathrm{\prime }}=\frac{C_0}{D^{UK}}=\frac{M^{\mathrm{\prime }}\cdot {e(g,g_1)}^{\alpha s}}{{e(g,g_1)}^{\alpha s/r\cdot r}}.\text{■}$

6. Proof of security

Theorem 6.1

If the DL assumption holds, then any PPT adversary can selectively break the presented scheme with negligible advantages at most in terms of selective indistinguishability and anonymity.

Proof.

We describe the proving process through many related IND games. First, we sets the challenge ciphertext as $C{T}^{\ast }=(C_0^{\ast },C_0^{\mathrm{\prime }\ast },C_1^{\ast },\{C_{2,j}^{\ast },C_{3,j}^{\ast },C_{4,j}^{\ast },C_{5,j}^{\ast },C_{6,j}^{\ast },C_{7,j}^{\ast },C_j^{\mathrm{\prime }\ast }{\}}_{j\in [1,l]}).$Let R is an element which is chosen randomly from the group G, and $\{R_{j,0},R_{j,1},R_{j,2}{\}}_{j\in [1,l]}$ are elements chosen randomly from the group $G_T$. Define a groups of games $Gam{e}_0,\dots ,Gam{e}_l,\dots ,Gam{e}_{l+1},\dots ,Gam{e}_{2l}$ to distinguish the challenge ciphertext sent by the challenger to the adversary. The details are given as below:

• ${Game}_0$: In the real game, the challenge ciphertext is obtained by carrying out the encryption algorithm of the presented scheme.

• ${Game}_x$: We utilise the set ${Gamex}_{x\in [1,l]}$ to represents ${Game}_1,\dots ,{Game}_l$. For any game in ${Gamex}_{x\in [1,l]}$, we replaces the $\{C_{2,j}^{\ast },C_{3,j}^{\ast }{\}}_{j\in [1,l]}$ in the challenge ciphertext with $\{R_{x,0},R_{x,1}{\}}_{j\in [1,l]}$. The rest of the ciphertext components remains unchanged.

• ${Game}_{x\mathrm{\prime }}$: We utilise the $\{Gam{e}_{x^{\prime }+l}{\}}_{x^{\prime }\in [1,l]}$ to represents the ${Game}_{l+1},\dots ,{Game}_{2l}$. For any interact game in $\{Gam{e}_{x^{\prime }+l}{\}}_{x^{\prime }\in [1,l]}$, the sets $\{C_{3,j}^{\ast },C_{4,j}^{\ast }{\}}_{j\in [1,l]}$ in the challenge ciphertext are replaced by the specified sets $\{R_{x^{\prime },1},R_{x^{\prime },2}{\}}_{x^{\prime }\in [1,l]}$, and the rest of the ciphertext components remains unchanged.

Lemma 6.1

If the D-Linear assumption holds, then any PPT adversary can differentiate ${Game}_x$ from ${Game}_{x+1}$ with a negligible advantage at most, where $x\in [1,l]$.

Proof.

Assume there exists a PPT adversary A who can differentiate ${Game}_x$ from ${Game}_{x+1}$ with a non-negligible advantage $ϵ={Adv}_A$ in the selective security interactive game. We can employ the decisional D-Linear assumption to construct a challenger C who has the same advantage as adversary A. Then we can prove that the challenger C can break the decisional D-Linear assumption with a non-negligible advantage $ϵ={Adv}_A$.

Initialisation: Before the interactive game, the adversary sends an access policy ${\mathbb{A}}^{\ast }=(A^{\ast },{\rho }^{\ast },{\tau }^{\ast })$ to the challenger C, where $A^{\ast }$ is a matrix of $l\times n(l,n\le q)$.

Setup: Challenger C $\{t_1^{\mathrm{\prime }},t_2^{\mathrm{\prime }},\tilde{w},\tilde{\alpha },\tilde{\eta },\tilde{h},\tilde{v}\}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$, $g,g_1\stackrel{R}{\leftarrow }G$, and implicitly sets some public key components as: $g=g,g_2=g^{t_2^{\mathrm{\prime }}},w=g^{\tilde{w}},u=g^{t_1^{\mathrm{\prime }}\tilde{\alpha }},v=g^{\tilde{v}},h=g^{-t_1^{\mathrm{\prime }}\alpha H\left(L_i\right)}{g}^{\tilde{h}}.$Then public parameters can be set as $PK=(g,g_2,g_2^{\tilde{\eta }},w,u,h,v,{e(g,g_1)}^{\alpha }).$Key challenge phase 1 and 2: These two phases serve the same purpose. Adversary A submits a series of attribute sets $S=S_1,S_2,\dots ,S_m$ to the challenger C for key querying. These two phases both require that all attribute sets in S cannot satisfy the challenge access policy ${\mathbb{A}}^{\ast }=(A^{\ast },{\rho }^{\ast },{\tau }^{\ast })$. Challenger C $\{ϵ,{ϵ}_1,{ϵ}_2,\dots {ϵ}_{\left|I_L\right|}\}\stackrel{R}{\leftarrow }{Z}_p^{\ast }$and implicitly sets: $\begin{array}{rl}\widetilde{ϵ}& =ϵ\alpha /(t_1^{\mathrm{\prime }}+\tilde{h}),\\ {ϵ}_i& =\frac{\widetilde{{ϵ}_i}\left(\alpha t_1^{\mathrm{\prime }}\right(H\left(L_{\rho \ast \left(i\right)}\right)-H\left(L_{\rho \ast \left(l^{\mathrm{\prime }}\right)}\right))+\tilde{h})+\tilde{v}\widetilde{ϵ}}{\alpha \left(H\right(L_{\rho \ast \left(i\right)})-H(L_{\rho \ast \left(l^{\mathrm{\prime }}\right)}\left)\right)}.\end{array}$The challenger computes challenge key as below: $\begin{array}{rl}{K}_0& =g_1^{\alpha }{K}_1^{\tilde{w}}=g_1^{\alpha }{\left(g^{\widetilde{ϵ}}\right)}^{\tilde{w}}=g_1^{\alpha }{w}^{\widetilde{ϵ}},\\ K_1& =(g^{ϵ}{)}^{\alpha /(t_1^{\mathrm{\prime }}+\tilde{h})}=g^{\widetilde{ϵ}},\\ K_i& =g_1^{\alpha /H\left(L_i\right)},K_{1,i}=g_1^{\widetilde{{ϵ}_i}/\tilde{\eta }},\\ K_{2,i}& =g^{\alpha {ϵ}_i\left(H\right(L_{\rho \ast \left(i\right)})-H(L_{\rho \ast \left(l^{\mathrm{\prime }}\right)}\left)\right)}\\ & ={\left(u^{H\left(L_{\rho \ast \left(i\right)}\right)}h\right)}^{\widetilde{{ϵ}_i}/\tilde{\eta }}\cdot v^{\widetilde{ϵ}},\\ K_{3,i}& =K_{2,i}^{\tilde{\eta }}={\left(u^{H\left(L_{\rho \ast \left(i\right)}\right)}h\right)}^{\widetilde{{ϵ}_i}}\cdot {{(v}^{\widetilde{ϵ}})}^{\eta }.\end{array}$Challenge phase: Adversary A submits two challenge messages $M_0,M_1\in G_T$ with equal bit length to challenger C. Challenger C responds to the action by throwing a random coin $\psi \stackrel{R}{\leftarrow }\{0,1\}$, then chooses a message $M_{\psi }$ and sends ciphertext $C{T}_{\psi }$ to adversary A. Challenger C implicitly sets two column vectors $\overrightarrow{v}=(s,v_2,v_3,\dots ,v_n{)}^{⊺}$ and $\overrightarrow{v^{\mathrm{\prime }}}=(s^{\mathrm{\prime }},v_2^{\mathrm{\prime }},v_3^{\mathrm{\prime }},\dots ,v_n^{\mathrm{\prime }}{)}^{⊺}$, and computes ${\lambda }_i=\sum _{j\in \left[n\right]}{A}_j^{\ast }\widetilde{v_j}$, ${\lambda }_i^{\mathrm{\prime }}=\sum _{j\in \left[n\right]}{A}_j^{\ast }\widetilde{v_j^{\mathrm{\prime }}}$. Challenger C $\{t^{\mathrm{\prime }},k_1,\dots ,k_l,z_1,\dots ,z_l\}\stackrel{R}{\leftarrow }{Z}_p$. If y = l, Challenger C implicitly sets $z_l=a_1/t_2^{\mathrm{\prime }},k_l=t_2^{\mathrm{\prime }}(a_1+a_2),$

and computes challenge ciphertext as below.

When y = l: $\begin{array}{rl}{C}_0^{\ast }& =m_b\cdot {e(g,g_1)}^{\alpha s},C_0^{{\ast }^{\mathrm{\prime }}}={e(g,g_1)}^{t^{\mathrm{\prime }}\alpha s^{\mathrm{\prime }}},\\ C_1^{\ast }& =g^s,C_{0,y}^{\ast }=\left(g^{a_1}\right)=(g^{t_2^{\mathrm{\prime }}}{)}^{z_l}=g_2^{z_l},\\ C_{1,j}^{\ast }& =(g^{a_1}{)}^{\eta }\cdot R=(g_2^{\eta }{)}^{z_l}\cdot g^{k_l},\\ C_{2,j}^{\ast }& =w^{{\lambda }_l}{R}^{\tilde{v}}=w^{{\lambda }_l}\cdot R^{\tilde{v}}=w^{{\lambda }_l}\cdot v^{k_l}\\ C_{2,j}^{\ast \mathrm{\prime }}& ={\left(g^{{\lambda }_y^{\mathrm{\prime }}H\left(L_{\rho \ast \left(i\right)}\right)}\right)}^{t^{\mathrm{\prime }}},\\ C_{3,j}^{\ast }& =R^{\tilde{h}}={\left(g^{\tilde{h}}\right)}^{t_2^{\mathrm{\prime }}(a_1+a_2)}={\left(u^{H\left(L_{\rho \left(l\right)}\right)}h\right)}^{k_l}.\end{array}$When $y\ne l$: $\begin{array}{r}{C}_{0,y}^{\ast }=g_2^{z_i},C_{1,j}^{\ast }=(g_2^{\eta }{)}^{z_i}{g}^{k_i},C_{2,j}^{\ast }=w^{{\lambda }_i}{f}^{k_i},C_{2,j}^{\ast \mathrm{\prime }}={\left(g^{{\lambda }_j^{\mathrm{\prime }}H\left(L_{\rho \ast \left(i\right)}\right)}\right)}^{t^{\mathrm{\prime }}},C_{3,j}^{\ast }={\left(u^{H\left(L_{\rho \ast \left(i\right)}\right)}h\right)}^{k_i}.\end{array}$Guess phase: After interactive game of the above four phases, adversary A outputs a guess ${\psi }^{\mathrm{\prime }}$ on the random coin value ψ. If ${\psi }^{\mathrm{\prime }}=\psi$, it outputs 0 and guesses $T=g_2^{(a_1+a_2)}=g^{t_2^{\mathrm{\prime }}(a_1+a_2)}$. Otherwise, it outputs 1 and guesses T=R, where $R\stackrel{R}{\leftarrow }{G}_T$. If $T=g_2^{(a_1+a_2)}$, the adversary considers that the interactive game he participated is the real game for the presented scheme. Then the adversary can break the scheme with a non-negligible advantage according the supposition, and the challenger can also break the DL assumption by utilise the same advantage. $\begin{array}{rl}Pr[b^{\mathrm{\prime }}=b]& =\frac{1}{2}+{Adv}_A,\\ Pr\left[C\right(\overrightarrow{p},T=g_2^{(a_1+a_2)})=0]& =\frac{1}{2}+{Adv}_A.\end{array}$From above, it has: $\begin{array}{r}Pr\left[C\right(\overrightarrow{p},T=g_2^{a_1+a_2})=0]-Pr\left[C\right(\overrightarrow{p},T=R)=0]={Adv}_A.\end{array}$

Therefore, if A can differentiate game ${Game}_x$ from game ${Game}_{x+1}$ by a non-negligible advantage ${Adv}_A$, then A can break the assumptions made in Lemma 6.1 by the same advantage.

Lemma 6.2

If the D-Linear assumption holds, then any PPT adversary can differentiate ${Game}_{x^{\mathrm{\prime }}}$ from ${Game}_{x^{\mathrm{\prime }}+1}$ by utilise a negligible advantage at most, where $x^{\mathrm{\prime }}\in [l,2l-1]$.

Proof.

The proof of this lemma is similar to the proof of Lemma 6.1, except that the term changed in the simulation is A.

Theorem 6.2

If the verifiable outsourcing scheme of Lai et al. (2013) can achieve CPA security, then the verifiable outsourcing part in presented scheme also achieves CPA security.

Proof.

The proving process of the theorem is the similar to that of Lai et al. (2013).

7. Performance evaluation

In this section, we provide the performance analysis of the presented scheme and some existing PHP-CP-ABE schemes in functions and computing overhead.

7.1. Functional comparison

Firstly, we provide the comparison of the presented scheme with some other PHP-CP-ABE schemes based on LSSS structure in terms of functions. As illustrated in Table 1, the presented scheme is compared with seven other PHP-CP-ABE schemes in large universe, online/offline key generation and encryption, access authentication, outsourced decryption and group order. From Table 1, we can see that schemes (Lai et al., 2012; L. Liu et al., 2016; Y. Zhang et al., 2018) do not achieve large universe, and the schemes (Cui et al., 2016; L. Liu et al., 2016; Y. Zhang et al., 2018) have no access authentication phase. Additionally, the authentication phase of schemes (G. Hu et al., 2020; Lai et al., 2012; Y. Zhang, 2018) is performed by the mobile users with limited resources, while that of the scheme (Z. Zhang et al., 2021) is performed by a centralised and incompletely trusted third party. Only the presented scheme supports blockchain-based distributed and trusted access authentication, the blockchain nodes that perform the authentication phase have certain computing power, and the results recorded in blockchain cannot be tamper. We can also see that only (Y. Zhang et al., 2018) as well as the presented scheme can achieve online/offline key generation and encryption, and only (G. Hu et al., 2020) and the presented scheme provide outsourcing decryption. Furthermore, schemes (Cui et al., 2016; G. Hu et al., 2020; Z. Zhang et al., 2021) and the presented scheme is utilise prime bilinear groups, while schemes (Lai et al., 2012; Y. Zhang, 2018; Y. Zhang et al., 2018) utilise composite bilinear group. By the above comparison, it can be concluded that the presented scheme is the only PHP-CP-ABE scheme which employs prime bilinear group construction with the following five properties: large universe, online/offline key generation and encryption, trusted access authentication based on blockchain and decryption outsourcing.

Table 1. Function comparison.

		On/offline	On/offline	Access	Outsourced
Scheme	Large universe	KeyGen	encryption	authen	decryption	Blockchain	Group order
Lai et al. (2012)	✗	✗	✗	✓	✗	✗	Composite
L. Liu et al. (2016)	✗	✗	✗	✗	✗	✗	Composite
Y. Zhang (2018)	✓	✗	✗	✓	✗	✗	Composite
Cui et al. (2016)	✓	✗	✗	✗	✗	✗	Prime
G. Hu et al. (2020)	✓	✗	✗	✓	✓	✗	Prime
Z. Zhang et al. (2021)	✓	✗	✗	✓	✗	✗	Prime
Y. Zhang et al. (2018)	✗	✓	✓	✗	✗	✗	Composite
Ours	✓	✓	✓	✓	✓	✓	Prime

7.2. Comparison of computing overhead

Secondly, we provide the comparison of computing overhead of the mentioned schemes, Table 2 gives the definitions of the notations, Table 3 give the comparison result in computing cost. As illustrated in Table 3, the overhead of key generation, encryption, access authentication and decryption in all the above schemes linearly positive correlate with the scale of attributes in user or access matrix. The presented scheme moves most of the precomputation to the offline phase, so the overhead of online key generation and online encryption is much lower than schemes (Cui et al., 2016; G. Hu et al., 2020; Y. Zhang, 2018). We can also see that the scheme (G. Hu et al., 2020) and this one have constant decryption overhead since they outsource most decryption operations to CSP. Moreover, the authentication phase of the presented scheme has no computational overhead on the user side because the authentication phase of the presented scheme is performed by blockchain nodes with computing power. While that of the schemes (G. Hu et al., 2020; Y. Zhang, 2018) are linearly positive correlate with the scale of access matrix.

Table 2. Notations and Meaning.

Notations	Meaning
$T_P$	Time for pairing operation
${G^{\xi },G_T^{\xi }}_{\xi =1,2,\dots }$	A multiplication cyclic group of composite order with ξ subgroups
${T_e^{\xi },T_E^{\xi }}_{\xi =1,2\dots }$	Time cost of exponentiation operation in $G^{\xi }$ and $G_T^{\xi }$
$\left|Z_p^{\ast }\right|,\left|G^{\xi }\right|,\left|G_T^{\xi }\right|$	Bit length of element in $Z_p^{\ast }/G^{\xi }/G_T^{\xi }|$
n	The scale of attributes in the system
l	The scale of rows in an access matrix
ϖ	The scale of attributes in user attribute list

Table 3. A comparative result in computing overhead.

	KeyGen	Encryption	Decryption	Authentication
Scheme	offline/online	offline/online	cloud/user	blockchain/user
Y. Zhang (2018)	✗	✗	✗	✗
	/$(\varpi +4)T_e^4$	/$(6l+3)T_e^4+{2T}_E^4$	/$(2\varpi +1)T_P+\varpi T_E^4$	✗
Cui et al. (2016)	✗	✗	✗	✗
	/$(9\varpi +7)T_e^1$	/$(8l+3)T_e^1+T_E^1$	/$(6\varpi +1)T_P+\varpi T_E^1$	/$2T_P+2\varpi T_E^4$
G. Hu et al. (2020)	✗	✗	$(4\varpi +1)T_P+\varpi T_E^1$	✗
	/$(6\varpi +5)T_e^1$	/$(8l+3)T_e^1+{2T}_E^1$	/$T_P+T_E^1$	/$\varpi T_P+\varpi T_E^1$
Ours	$(6\varpi +5)T_e^1$	$(6l+3)T_e^1+{2T}_E^1$	$(4\varpi +1)T_P+\varpi T_E^1+4\varpi T_e^1$	$\varpi T_P+\varpi T_E^1$
	/$\varpi T_e^1$	/$(l+2)T_e^1$	/$T_E^1$	/✗

7.3. The experiment results

The efficiency of the proposed scheme is mainly affected by the performance of the relevant ABE algorithms and the blockchain. We evaluate the proposed scheme through experiments, including the evaluation of the ABE algorithm and the performance of the blockchain.

(1) ABE algorithms: To evaluate the actual performance of the proposed scheme and other excellent PHP-CP-ABE schemes on PCs and mobile IoT devices, we first deploy the Java pairing-based cryptography library version 2.0.0, which is a dual Linearly paired cryptographic library with good portability. Considering the entities in the system perform different computing tasks, we adopt two types of devices with different computing power to do simulation. We utilise a personal computer (Windows 11 with AMD Ryzen r7-5800H CPU @3.20 GHz, 16-GB RAM) to simulate trust authority, and utilise an Android Smartphone (Android 11 with 8-core CPU, 12-GB RAM) to replace a user. And we employ the Type A pairing established on the elliptic curve $E\left(F_q\right):y^2=x^3+xmodq$. Next, we implement the online key generation algorithm on the PC, and implement the online encryption, authentication of access rights, and user decryption algorithms on the IoT device. Table 4 gives the computation cost of a single operation in PC and IoT devices. For each access policy and user attribute list, we simulate the trials 30 times and take the average as the experimental result.

Table 4. Running time for each operation (MS).

Operations	Smartphone	PC
Exponentiation on Group G	12.3	5.68
Exponentiation on Group $G_T$	3.56	0.47
Bilinear pairing	23.2	4.06

Figure 4(a–d) visually show the experimental results of involved schemes in terms of computation overhead. From Figure 4(a,b), the cost of online key generation and online encryption in schemes (Cui et al., 2016; G. Hu et al., 2020) increase dramatically with the scale of attributes in user or access matrix, while that in the presented scheme increases very slowly, and this gap increases significantly with the scale of attributes. From Figure 4(c), we can see that the overhead of authentication in scheme (Y. Zhang, 2018) is evidently higher than that in scheme (G. Hu et al., 2020) and the presented scheme, and the overhead of authentication in scheme (G. Hu et al., 2020) linearly positive correlate with the scale of attributes, while it in the presented scheme is always constant. From Figure 4(d), the overhead of decryption in scheme (Cui et al., 2016) is linearly positive correlate with the scale of user attributes, while the presented scheme has the smallest computation cost under the same conditions. In conclusion, the presented scheme is evidently superior to Cui et al. (2016) and G. Hu et al. (2020) in every respect, which means that the presented scheme is more practical for mHealth system with many mobile devices.

(2) Blockchain: The experimental environment is 64-bit Ubuntu18.04 operating system with AMD Ryzen r7-5800H CPU @3.20 GHz processor, and Hyperledger Fabric 2.4 version which is deployed based on Docker 20.10.7 version. In Fabric, client nodes generate transactions through smart contracts, peer nodes execute contracts and achieve consensus with other peer nodes on the blockchain by a consensus mechanism. What we need to measure is the time required for a transaction to be confirmed on the blockchain, that is, the consensus time of the nodes on the transaction. We set the number of transactions to 0–1000 in the above environment, and test the response time of the blockchain at different numbers of transactions. We simulate each stage 10 times and take the average value as the experimental result. As shown in Figure 5, the response time of the blockchain is positively correlated with the number of transactions.

Figure 4. The average time cost of: (a) Computation overhead in Online keyGen; (b) Computation overhead in Online encryption; (c) Computation overhead in authentication and (d) Computation overhead in user decryption.

Figure 5. The response time of transaction.

8. Conclusion

The proposed scheme can not only provide fine-grained access control for mHealth scenarios, but also hide attributes in access policy to further protect user privacy. Blockchain-based authentication of access rights also provides undeniable authentication results. In addition, the efficient encryption and decryption algorithms are also very friendly to IoT device users in mHealth. Furthermore, we present concreted proofs that the scheme is selectively secure under the given assumptions. The results of theory and experiment analysis certificate that the scheme has better practicality and efficiency. In a word, this scheme has broad application prospects in mHealth scenarios.

In real application scenarios, there may be malicious users abusing keys in user groups with the same attributes. Therefore, how to trace and revoke malicious users in the mHealth system is the potential future research direction.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by Shandong Provincial Key Research and Development Program [grant numbers 2021CXGC010107,2020CXGC010107] and the Shandong Provincial Natural Science Foundation of China [grant number ZR2020KF035] and National Natural Science Foundation of China [grant number 62102209] and National Key Research.