a cheating detectable privacy-preserving data sharing scheme for cloud...

Research ArticleA Cheating Detectable Privacy-Preserving Data SharingScheme for Cloud Computing

Xin Wang123 Bo Yang 13 Zhe Xia4 Yanqi Zhao1 and Huifang Yu 5

1 School of Computer Science Shaanxi Normal University Xirsquoan 710119 China2College of Electrical and Information Engineering Shaanxi University of Science and Technology Xirsquoan 710021 China3State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy of SciencesBeijing 100093 China

4School of Computer Science and Technology Wuhan University of Technology Wuhan 430070 China5School of Communication and Information Engineering Xirsquoan University of Posts amp Telecommunications Xirsquoan 710121 China

Correspondence should be addressed to Bo Yang byangsnnueducn

Received 6 February 2018 Revised 2 July 2018 Accepted 7 August 2018 Published 16 October 2018

Academic Editor Jun Zhou

Copyright copy 2018 XinWang et alThis is an open access article distributed under theCreativeCommons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Cloud computing provides a new attractive paradigm for the effective sharing of storage and computing resources among globalconsumers More and more enterprises have begun to enter the field of cloud computing and storing data in the cloud to facilitatethe sharing data among users However in many cases users may be concerned about data privacy trust and integrity It ischallenging to provide data sharing services without sacrificing these security requirements In this paper a data sharing scheme ofreliable secure and privacy protection based on general access structure is introducedThe proposed scheme is not only effectiveand flexible but also is capable of protecting privacy for the cloud owner supporting data sharing under supervision enablingaccountability of usersrsquo decryption keys and identifying cheaters if some users behave dishonestly Security analysis and efficiencyanalysis demonstrate that our proposed scheme has better performance in computational costs compared with most related worksThe scheme is versatile to be used in various environments For example it is particularly suitable to be employed to protect personalhealth data and medical diagnostic data in information medical environment

1 Introduction

At present new technologies and new industries emerge inan endless stream based on big data and cloud comput-ing Data production management and emerging businessmodels based on big data are springing up In recent yearswith the transformation of large number of businesses intodigitalization and informatization mass data is constantlybeing manufactured and consumed which promotes therapid development of big data technology in research devel-opment and application In the context of this industry thequantity and quality of data become extremely importantCloud computing provides a new and appealing paradigmto share the resources of storage and computation efficientlyamong the global consumers Compared with the traditionaldata storage methods cloud users can more convenientlyaccess the data without considering the arrangement of the

hardware or infrastructure by data storing and sharing oncloud However the cloud presents the value attraction forits huge functionality and convenience and it brings a lotof new challenge One reason is that the data owner haslost the physical control on the data when he stored thedata on the cloud and meanwhile the cloud server is facedto the public Hence the ownerrsquos data may be subjected tovarious kinds of threats and malicious attacks For instancethe datarsquos confidentiality requirement may be disobeyed bysome clouds for financial purposes or they may even selltheir business competitors confidential information Thusalthough cloud computing is very attractive to enterprisesand consumers by economically sharing massive data amongthe users it may fail to guarantee data storage securityand privacy to individual of the data owner Furthermorein some uses after the data possessor has put out hisencrypted data to the cloud he may yet wish to keep the

HindawiSecurity and Communication NetworksVolume 2018 Article ID 6174830 13 pageshttpsdoiorg10115520186174830

2 Security and Communication Networks

datarsquos some controls for example update the data or revokethe access rights for some other users [1] In consequencemany recent works have devoted to guarantee security andprivacy using remotely storing the shared data and in themeantime assuring the desirable security characteristics In2010 the first scheme achieving secure data access controlwith provable security in cloud storage has been proposed byYu et al [2] using key-policy attribute-based encryption andsymmetric encryption (KP-ABE) [3] The scheme can reachfine-grained data access by combing KP-ABE with proxyreencryption (PRE) and lazy reencryption The schemersquosperformance still needs to be improved though a part ofthe private key update calculation can be put out to thecloud Dong et al subsequently give a scheme [4] employingsymmetric encryption with ciphertext-policy attribute-basedencryption [5 6] (CP-ABE) To sum up regarding theemployed technologies KP-ABE or CP-ABE has either beenused by these above schemes under the symmetric encryptionto design data security secure access control Some otherdesign methods are based on hierarchical identity-basedencryption (HIBE) [7] but they have appealed to less atten-tion These schemes have simply considered how to supplydata privacy against the cloud but they do not have thepreservation of private information of owner and the possibledishonest behaviors by some authorized users when storingthe data in cloud For instance some authorized users mayprovide fake share deliberately to cause decryption failureIn the personal health medical information surroundingssome extra security demands are required Since in certainspecial circumstances such as medical accidents abnormaldeaths and traffic accidents medical disputes claim shouldbe considered In these situations while medical evidence isneeded electronic medical records of the patient should beable to be right decrypted by the authorized users Assumingsomeone has had an accident or been killed in seriousincidents In case supposing that there are disputes historicrecords of the users will be the crucial evidences and theyneed to be recovered for expert testimony These existingschemes however focus on the confidentiality and privacy ofthe data itself and the cost of performancemainly but they arenot suitable for medical records scenariosrsquo needs To realizean effectual scalable and privacy-preserving data sharingservice in the cloud the following requirements should beconsequently satisfied

(1) the data owner can authorize who can access the dataand the authorized users should be able to get to shared datain the cloud under the constraints that are defined by the dataowner

(2) the cloud needs to be able to give support to dynamicrequirements so that data owners can update the data file andadd or revoke users

(3) when data owner stores his information on the cloudwithout suitable protection the data are readable by anyonesince the cloud is publicly accessible The personal privateinformation for example their medical information andusersrsquo telephone number consequently needs to be protectedagainst the cloud and it should not be made public

(4) the data decryption operation should be carried outunder mutual supervision and the dishonest users need to

be identified if they submit false shares How to settle theabove important issues has not been considered in cloudthat computes yet although a number of schemes have beenproposed in the literature

In this paper we propose an effective scalable and flexibleprivacy-preserving data sharing scheme to ensure semanticsecurity and effective utilization of ownerrsquos data In orderto preserve the privacy of ownerrsquos sensitive information thatmay be unrelated to the data itself Bloom filter hash functionis used to hide data storage in cloud The scheme employssecret sharing based on general access structure to preserveconfidentiality of the ownerrsquos data against the cloud Inaddition Reed-Solomon (RS) encoding technique has beenadopted to identify the dishonest user who presents a falseshare In the proposed scheme all authorized users aredivided into groups by their identity when they registerthemselves with the protocol Each data file is describedby a set of group secrets and for every group such as 119880119896has been assigned one master key 120572119896 so that the data filecan be successfully decrypted when these group secrets arecorrectly recovered In addition each cloud user is assignedinto a group and every group secret is shared among thegroup users by utilizing secret sharing of general access struc-ture

To ensure correct sharing of the secret this schemedefines a public-private key pair for each user By combingsecret sharing access structure and userrsquos public key the shareor secret key is sent to user in every group Therefore eachuser could get a different key and he can check this sharekey by his private key 119889119868119863119894997888rarr119895 The secret keys of group usersare defined to reflect their group access privileges so thatall of the users should present their correctly shared keyswithout cheating RS encoding technique is used to enable theidentification of the cheater when he provided a fake share

In the proposed protocol the secret is shared amongmultiple participants and only a quorum of these partici-pants work together can recover the secret In an ideal secretsharing the secret share held by each participant has exactlythe same size as the secret and the size of all secret sharestogether is proportional to the number of the participantsTherefore when considering the protocol as a whole moreinformation needs to be dealt with but each participantrsquostask remains the same The benefit is that the secrecy andavailability of the secret key are enhanced Suppose theadversary wants to learn the secret key or destroy it She needsto compromise multiple participants to achieve her objectiveinstead of compromising a single one in the traditionalprotocols

Compared with the existing schemes our analysis showsthat the proposed scheme provides the following benefitsregarding both security and efficiency

(1) The cloud server can assist search record by data filetag and it can learn nothing about ownerrsquos data in plaintextand ownerrsquos personal sensitive information

(2) The user who can access the data file is authorized bythe data owner and he can verify the secret key sent by theowner

(3) The dishonest cloud users who present fake decryp-tion keys can be identified so that the ciphertext can be

Security and Communication Networks 3

11 00 11 00 00 00 11

AttValueowner =(Alice1minus626minus780minus755211Ｈ＞３ＮＬＮＬＩＩＥＦＳＨＱ９ＩＬＥ)

ℎ1(x) = 1 ℎ2(x) = 3 ℎ3(x) = 7

Figure 1 Bloom filter of personal privacy information

safely and correctly decrypted under the supervision of theseusers

The rest of this paper is organized as followsThe prelimi-naries are briefly described in Section 2 Section 3 discussessystem models and security requirement Our proposedscheme is introduced in Section 4 and its security is analyzedin Section 5 Efficiency analysis as well as its comparison withthe related existing schemes is presented in Section 6 Finallywe present an example of the practical impact of ourwork andconclude this paper in Sections 7 and 8 respectively

2 Preliminaries

21 BilinearMaps Let1198661 and 1198662 be twomultiplicative cyclicgroups with prime order 119901 and 119892 be a generator of group 1198661Moreover let 119890 1198661 times 1198661 997888rarr 1198662 be the bilinear map thatsatisfies the following properties

(1) Bilinearity for all 119886 and 119887 there must be 119890(119892119886 119892119887) =119890(119892 119892)119886119887(2) Nondegeneracy there must be 119890(119892 119892) = 1

22 Secret Sharing Schemes Secret sharing schemes (SSS) [8]are used to divide a secret among a number of parties Thevalue given to a party is called the share (of the secret) for thatparty Every SSS realizes some access structure that definesthe sets of parties who should be able to reconstruct the secretusing their shares

23 Access Structure and Monotone Span Programs

Definition 1 (access structure [9 10]) Let 1198751 1198752 sdot sdot sdot 119875119899 bea set of parties A collection A sube 211987511198752 sdotsdotsdot 119875119899 is monotonefor forall119861 119862 if 119861 isin A and 119861 sube 119862 then 119862 isin A Anaccess structure (respectively monotone access structure) is acollection (respectivelymonotone collection)A of nonemptysubsets of 1198751 1198752 sdot sdot sdot 119875119899 ieA sube 211987511198752 sdotsdotsdot 119875119899 The setsin A are called the authorized sets otherwise they are calledthe unauthorized sets

In a linear secret sharing scheme [9] to realize an accessstructure A the dealer who possesses the secret 119910 candistribute these shares of 119910 to a number of parties such that119910 can be reconstructed by a linear combination of theseshares of any authorized set However an unauthorized setcan obtain no information about the secret 119910

There is a close relationship between linear secret sharingscheme and a linear algebraic model called monotone spanprograms (MSP) [11] It has been shown that the existenceof a linear secret sharing scheme for some access structure isequivalent to the existence of a monotone span program forthat access structure

Definition 2 (monotone span program) LetK be a field and1199091 sdot sdot sdot 119909119899 be a set of variables A monotone span programover K is a labeled matrix 119872(119872120588) where 119872 is a matrixover K and 120588 is a labeling of the rows of 119872 by literals from1199091 sdot sdot sdot 119909119899 (every row is labeled by one literal)

A monotone span program accepts or rejects an input bythe following criteria For every input set 120574 of literals let119872120574

be the submatrix composing of those rows whose labels arein 120574 The monotone span program accepts 120574 if and only if997888rarr1 isin 119904119901119886119899(119872120574)24 Bloom Filter Bloom filter (BF) [12] is a simple and effec-tive random data storage structure It is constructed by a setof hash functions 119861119865(119909) = (ℎ1(119909) sdot sdot sdot ℎ119896(119909)) and it has twooperations 119886119889119889(119909) and 119902119906119890119903119910(119909) where 119909 indicates 119879119886119892119900119908119899119890119903in the proposed scheme The 119886119889119889(119909) operation handles anelement with multiple hash functions ℎ1(sdot) sdot sdot sdot ℎ119896(sdot) so thatthe element is uniformly mapped to a number for exampleℎ119894(119909) = 119910119894 isin [1119898] and sets the 119910119894-th bit in the array to beone (the array is initialized to zeroes)The 119902119906119890119903119910(119909) operationrepeats the same hashing procedure and then checks if theappropriate bits are set as 1 In 2012 the partially hiddenaccess structure inABEwas proposed [13 14] In addition theBloom filter was employed to hide the value of the attributein partially hidden access structures in [15] In this proposedscheme we use the Bloom filter to protect the privacy of thedata owner as Figure 1

In order to prevent the cloud server from learning infor-mation that may invade personal privacy like name mobilenumber and home address each attribute information is splitinto two parts an attribute name and its value The generalattribute name is made public while the personal privacyinformationrsquos specific attribute values are kept secret whenthe data file is stored in the cloud server For example let thedata ownerrsquos name be Alice the phone number be 1-626-780-7552 and home address be 11ndStreet BrooklynNew YorkThen let the general attribute name of personal


information to be protected be 119860119905119905119873119886119898119890119900119908119899119890119903 =(119873119886119898119890119874119888119888119906119901119886119905119894119900119899119879119890119897119890119901ℎ119900119899119890119873119906119898119887119890119903119860119889119889119903119890119904119904) then theownerrsquos specific values is119860119905119905119881119886119897119906119890119900119908119899119890119903 = (119860119897119894119888119890119871awyer1 minus626minus 780minus 755211ndStreet BrooklynNew York)The dataowner builds the data file label 119879119886119892119900119908119899119890119903 = 119867(119860119905119905119881119886119897119906119890119900119908119899119890119903)and then constructs a Bloom filter 119861119865119889119886119905119886119891119894119897119890 = 119861119865(119879119886119892119900119908119899119890119903)using 119879119886119892119900119908119899119890119903 In Figure 1 let 119909 = 119867(119860119905119905119881119886119897119906119890119900119908119899119890119903)

To check whether a Tag is in set 119878 that is stored inthe cloud we should firstly compute the values ℎ1(119879119886119892)ℎ2(119879119886119892) sdot sdot sdot ℎ119896(119879119886119892) and verify if each ℎ119894(119879119886119892) is 1 where119894 isin [1 sim 119896] If the check fails we can insure that Tag is not in119878 Otherwise we say that Tag is in 119878 with a high probabilitybecause the bloom filter has always a false positive rate Thefalse positive rate will be analyzed in detail in Section 6 TheBloom filter has an attractive feature of convenient query andconcise spaceWhen applying standard Bloomfilter there is anecessity to do 119896 hash operations where the time complexityto insert one element is119874(119896) When determining whether anelement is in the set the 119896 hash calculation is also neededIn addition it needs the time complexity 119874(119896) to finish anelement query For a set with 119899 elements it just needs a bitarray with size 119898 so the space complexity is 119874(119898) It isthen very concise to use only 119898119899 bits to save each elementThe storage space of the traditional tree query algorithm andhash query algorithm is directly associated with the size ofthe element itself and the size of the set while the Bloomfilter query algorithm is independent of the number of theelements and it is simply connected the number of the vectorrsquosbits where the mapping comes from the element to thevector

25 Reed-Solomon Code In coding theory RS code coulddetect and correct a number of random information errorsMcEliece and Sarwate [16] pointed out that Shamirrsquos SecretSharing Scheme (SSS) is closely related to the RS errorcorrection They observed that a list of shares of Shamirrsquos(119896 119899) threshold SSS forms a codeword of RS code Thus if119896 + 2119905 shares containing 119905 invalid shares are provided inthe reconstruction phase the secret reconstruction algorithmcan identify all 119905 cheaters with certain probability In addi-tion it is obvious by using Lagrange interpolation that apolynomial 119891(119909) of degree 119896 minus 1 is uniquely determinedby 119891(1) sdot sdot sdot 119891(119899) if and only if 119899 ge 119896 + 2119905 where 119905 isthe number of the cheaters In 2011 using a single keyedmessage authentication code Obana designed an efficient(119896 119899) threshold SSS with unconditional security which iscapable of identifying up to 119905 cheaters under the condition(119896 minus 1)3 ge 119905 [17 18]3 System Model and Security Goals

31 SystemModel In our systemmodel there are four partic-ipants data owner data consumers cloud server and publickey generator (PKG) The data owner eg the patient storeshis medical data in the cloud In this way he can outsourcethe data maintenance to the cloud The data consumersdownload the data file shared by the data owner and decryptit using their decryption keys For the sake of simplicity thedata consumers are referred to as users in this paper When

decrypting data file these users are collaborating with eachother The cloud server offers a high-quality service utilizinga large number of servers It has considerable storage spaceand computation powerThe data owner can interact with thecloud server dynamically to update or delete his data filesThepublic key generator maintains the public key infrastructureIt is a trusted third party with responsibility to deliver thedecryption key safely from the data owner to the users Thisframework for privacy-preserving data sharing in the cloudis shown as in Figure 2

Note that the communication channels between usersand cloud server are secured under existing protocols in thesystem model

32 AdversaryModel Theadversarymodel definesmaliciousbehaviors based on whether they intimidate the confidential-ity of the cloud data In contrast the cloud server in ourmodelis semitrusted (also known as honest-but-curious or passiveIn other words it will follow the protocol most of the time)The cloud server is assumed not to collude with the clouduser Note that although the semitrusted adversary model isweaker than the malicious model it is a realistic model thatis widely used in similar protocols

We have made it clear that the cloud server is semitrustedin our adversary model This implies that the cloud serverwill not violate from the protocol but may try to learn moreinformation that she is not authorized to access Phishingattack is an important issue that needs to be considered inpractice but we will not address this issue since it is anactively attack We will further consider this issue in ourfuture works

Hence the following three types of attackers are consid-ered (1) data exposure data ownerrsquos personal sensitive infor-mation might be leaked (2) inner threats some authorizedusersmight present fake decryption key causing failure whendecrypting the data file (3) outer threats the channel thatused to transmit the secret keys might be insecure

Different from publicly verifiability [19] the user couldverify by himself about the decryption key delivered by theowner and this property is called secret verifiability

33 Design Goals With the purpose of secure data sharingand data access control in the cloud our main goal is tominimize the leakage of the data ownerrsquos privacy informationand prevent the malicious users from accessing the clouddata including the deceptive users and collusive users Thenthe main design goals of our system can be summarized asfollows

(1) Personal Privacy ProtectionWe use bloomfilter to design asecuremechanism so that the data owner and the cloud servercan share data through the cloudThe operation only involvessome hash operations so the computational cost is very low

(2) Data Access Control and Confidentiality The proposedscheme employs secret sharing method to share data Thedata owner has the authority to specify policy how thesecloud users can access the data and those unauthorized userscannot obtain the information of the data file


Figure 2 The framework for privacy-preserving data sharing service in the cloud

(3) Secret Verifiability of the Decryption Key In order toensure secure communications over insecure channels thedecryption key can be verified by the user himself that it hasbeen correctly delivered by the owner This property is calledsecret verifiability while in publicly verifiability the key canbe verified by anyone who is interesting to

(4) Recognition of the Dishonest User If some cloud usersmisbehave they could be efficiently identified using the RSencoding method

4 The Proposed Scheme

41 System Initialization The public key generator choosestwo groups 1198661 and 1198662 of prime order 119901 two independentgenerators 119892 119892 a bilinear map 1198901198661 times 1198661 997888rarr 1198662 andan injective function 120583GF(119901) times 1 sdot sdot sdot 119899 997888rarr GF(119902) (forexample 120583(119909 119910) = (119910minus 1)119901+119909 [18]) and a collision-resistanthash function 119867(sdot)

(1) User registration the user registers to the public keygenerator He first randomly chooses 119889119868119863 isin 119885lowast

119901 asthe private key and then computes ℎ119868119863 = 119892119889119868119863 as thepublic key

(2) Here 119880 denotes the set of users who want to sharean ownerrsquos data file Firstly the public key generatortakes a grouping function 120593(sdot) and divides these users119880 into119873 different groups such as doctors and nursesrelatives and friends legal officers and so on by userrsquosidentity which are denoted as 1198801 sdot sdot sdot 119880119873 that satisfy119880 = 1198801 cup sdot sdot sdot cup119880119873 Suppose the user 119868119863 is partitioned

into 119880120593(119868119863) where 120593(sdot) is defined as 120593(119868119863)119868119863 997891997888rarr1 sdot sdot sdot 119873 If 120593(119868119863) = 119896 where 119896 isin 1 sdot sdot sdot 119873 thenthe user group 119880120593(119868119863) is also denoted as 119880119896 for shortnamely the group ID

(3) PKG takes random exponents 119886119896 120572119896 isin 119885119901 for group119880119896

(4) The system public key is published as

119875119870 = 119892 119902 120583119867 (sdot) 119890 (119892 119892)1205721 sdot sdot sdot 119890 (119892 119892)120572119873 1198921198861 sdot sdot sdot 119892119886119873 (1)

119872119878119870 = 1205721 sdot sdot sdot 120572119873 is denoted as the system master key

42 Data File Generation (Data File Sharing)

(1) 119880119896 is a partitioned group and the number of the usersin the group 119880119896 is 119897119896 The data owner chooses a linearsecret sharing access structure and an exponent forevery group For group 119880119896 the data owner choosesa random secret sharing access structure (119872119896 120588119896)where 120588119896 associates rows of the matrix 119872119896 and 120588119896119895corresponding to the 119895th row of 119872119896 Then it takesrandom exponents 119904119896 | 119896 isin 1 sdot sdot sdot 119873 M is thedata to be encrypted the data file is published as

119862 = 1198620 = M sdot 119890 (119892 119892)sum119896 120572119896sdot119904119896 1198621 = 1198921199041 sdot sdot sdot 119862119873

= 119892119904119873 (2)

(2) In order to protect the private information of thedata owner the data owner computes the data file tag


Table 1 Data file format on the cloud server

Document number 119861119865119889119886119905119886119891119894119897119890 1198620 = M sdot 119890 (119892 119892) sum119896 120572119896sdot119904119896 1198621 = 1198921199041 sdot sdot sdot 119862119873 = 119892119904119873119879119886119892119900119908119899119890119903 = 119867(119860119905119905119881119886119897119906119890119900119908119899119890119903) and then constructsa Bloom filter 119861119865119889119886119905119886119891119894119897119890 = 119861119865(119879119886119892119900119908119899119890119903) by using119879119886119892119900119908119899119890119903

(3) The data owner selects a unique ID for this datafile and uploads the anonymous data file ⟨119861119865119889119886119905119886119891119894119897119890(119872119896 120588119896) 1198620 119862119896⟩119896=1sim119873 to the cloud server

Finally each data file is stored on the cloud in the formatas shown in Table 1

43 Key Generation User 119868119863119894 is a user of the universal userset which is partitioned into group 119880119896 by grouping function120593(sdot) To sign the user 119868119863119894 in group119880119896 if user 119868119863119894 is the 119895th ingroup 119880119896 then it is denoted as 119868119863119894997888rarr119895|119880119896

for short 119868119863119894997888rarr119895

(1) As mentioned earlier the user 119868119863119894 takes random119889119868119863119894 isin 119885lowast119901 as private key and computes ℎ119868119863119894 = 119892119889119868119863119894

as his public key(2) The data owner distributes the shared key to user 119868119863119894

in group 119880119896

(a) (119872119896 120588119896) is the secret sharing access structurefor group 119880119896 where 119872119896 = [119898119896119894119895

]119899119896times119897119896 Thenthe data owner chooses a random vector 997888rarrV119896 =(119904119896 1199102 sdot sdot sdot 119910119897119896) isin 119885119899

119901 as secret vector where119904119896 is the encryption exponent to share in thegroup 119880119896 Then the share vector is computed as(1205821198961 sdot sdot sdot 120582119896119895 sdot sdot sdot 120582119896119897119896 )119879 = 997888997888997888997888997888997888rarr(119872119896)120588119896119894 sdot 997888997888rarrV120593(119894)119879 where997888997888997888997888997888997888rarr(119872119896)120588119896119894 is the 119894-th row vector of the matrix 119872119896

(b) The data owner chooses random 119905119896 isin 119885lowast119901 and

computes the share key 119878ℎ119868119863119894997888rarr119895 = ℎ119886119896 sdot120582119896119895119868119863119894 1198701015840

119896 =119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 and the share verificationΩ119868119863119894997888rarr119895

= (120590119868119863119894997888rarr119895 )1 = 119892119886119896 sdot1199101 sdot sdot sdot (120590119868119863119894997888rarr119895 )119897119896 =119892119886119896 sdot119910119897119896 of the key for user 119868119863119894997888rarr119895 where 1199101 = 119904119896(c) The data owner takes a random degree 119905

polynomial 119877119896(119909) isin 119866119865119902(119909) and com-putes 119877119896(120583(119878ℎ119868119863119894997888rarr119895 119868119863119894997888rarr119895)) denoted as V119877119895|119880119896 in short V119877119868119863119894997888rarr119895 with the injective function120583GF(119901) times 1 sdot sdot sdot 119899 997888rarr GF(119902)

(d) 119878119870119894997888rarr119895 = 119878ℎ119868119863119894997888rarr119895 1198701015840119896 11987010158401015840

119896 Ω119868119863119894997888rarr119895 V119877119868119863119894997888rarr119895 is

encrypted by the userrsquos public key so that onlythe user can decrypt it by his private key Inother words the data owner sends the share key119878119870119894997888rarr119895 safely to the user 119868119863119894997888rarr119895 by the public keyinfrastructure

(3) The user receives the 119878119870119894997888rarr119895 and computes the de-cryption key by his private key 119889119868119863119894 as follows

(a) The user first verifies 119890(prod119897119896119895=1(120590119868119863119894997888rarr119895)119898119896119894119895119895 119892) =119890(119892 (119878ℎ119868119863119894997888rarr119895 )119889minus1119868119863119894997888rarr119895 ) with share verification in-

formation Ω119868119863119894997888rarr119895 share key 119878ℎ119868119863119894997888rarr119895 and the

userrsquos private key 119889119868119863119894 The effective of thisverification can be proved in Claim 2

(b) The user then recovers 119870119868119863119894997888rarr119895= 119878ℎ119889minus1119868119863119894119868119863119894997888rarr119895

=ℎ119886119896 sdot120582119896119895 sdot119889minus1119868119863119894119868119863119894

= 119892119886119896 sdot120582119896119895 from 119878119870119894997888rarr119895 by his privatekey 119889119868119863119894

(c) Finally the user computes the decryption key119863119870119894997888rarr119895 = 119870119868119863119894997888rarr119895= 119892119886119896 sdot120582119896119895 1198701015840

119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 Ω119868119863119894997888rarr119895

V119877119868119863119894997888rarr119895 44 Decryption of Data File 119860119896 is an authority set of thegroup 119880119896 and 119860119896 | 119860119896 sube 119880119896 119896 isin 1 sdot sdot sdot 119873 are the unionof the119873 authority sets for119873 groups

(1) These authorized users of the 119873 sets 119860119896 compute thetag 119879119886119892119900119908119899119890119903 = 119867(119860119905119905119881119886119897119906119890119900119908119899119890119903) of data file that theywant to decrypt and then send it to cloud server

(2) The cloud server receives the tag 119879119886119892119900119908119899119890119903The cloud server verifies

119861119865 [ℎ1 (119879119886119892119900119908119899119890119903)] = 119861119865 [ℎ2 (119879119886119892119900119908119899119890119903)] = sdot sdot sdot= 119861119865 [ℎ119900 (119879119886119892119900119908119899119890119903)] = 1 (3)

using 119879119886119892119900119908119899119890119903 provided by these users If it is satisfied twodecryption approaches can be adopted to get the plaintext (a)decrypting by these authorized users and (b) outsourcing thedecryption to the cloud We describe them as follows

(a) Decrypting by these authorized usersAfter the authorized users 119860119896 receive the corresponding

data file ⟨119861119865119889119886119905119886119891119894119897119890 (119872119896 120588119896) 1198620 119862119896⟩119896=1sim119873 sent by the cloudserver one has the following

(1) All the authority users from those authority sets119860119896 use their decryption keys (119878ℎ119868119863119894997888rarr1 V119877119868119863119894997888rarr1) sdot sdot sdot (119878ℎ119868119863119894997888rarr119897119896 V119877119868119863119894997888rarr119897119896 ) to verify the correctness of these de-cryption keys

Firstly it is recovered 119896(119909) from (V119877119868119863119894997888rarr1 sdot sdot sdot V119877119868119863119894997888rarr119897119896 )using Berlekamp algorithm Then the users of the group 119880119896

verify 119896(120583(119878ℎ119868119863119894997888rarr119895 119868119863119894997888rarr119895)) = V119877119894997888rarr119895 for every decryptionkey 119863119870119894997888rarr119895 If it is unequal then 119878ℎ119868119863119894997888rarr119895 is a fake share keyThe user 119868119863119894997888rarr119895 is added to the list of cheaters 119871119896 Moreoverevery group can identify the cheaters of the group in this way

(2) If there are no cheaters in all of the authority usersthen these authority users recover the blind factor of dataMas follows


Firstly for every authority set there exists constant 120573119896 isin119885119899119901 satisfying sum119897119896

119895=1 120582119896119895 sdot 120573119896 = 119904119896 where 119896 = 1 sdot sdot sdot 119873 Then theblind factor of dataM is computed as

prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)= 119890 (119892 119892)sum119873119896=1 120572119896sdot119904119896

(4)

FinallyM = 1198620119890(119892 119892)sum119873119896=1 120572119896sdot119904119896 (b) Outsourcing the decryption to the cloudIn this situation these authorized users first gener-

ate the transformation key 119879119870119862119897119900119906119889119896 in groups for thecloud before they are outsourcing the decryption and thenobtaining group decryption 119866119870119896 where 119896 isin 1 sdot sdot sdot 119873To generate 119879119870119862119897119900119906119889119896 and 119866119870119896 the authorized usergroup 119860119896 chooses a random value 119911119896 isin 119885119901 and com-putes the transformation key 119879119870119862119897119900119906119889119896 as 119879119870119862119897119900119906119889119896 =(119878ℎ119868119863119894997888rarr1)1119911119896 sdot sdot sdot (119878ℎ119868119863119894997888rarr119897119896 )1119911119896 (1198701015840)11199112119896 (11987010158401015840)1119911119896 and out-puts the group decryption key 119866119870119896 = 119911119896 for 119896 isin 1 sdot sdot sdot 119873We allow these authorized users themselves to generate thetransformation key in group which is more flexible Thenthey send transformation key ⟨119879119870119862119897119900119906119889119896⟩119896=1sdotsdotsdot119873 to the cloudserver for outsourced decryption

The cloud computes the following equation using⟨119879119870119862119897119900119906119889119896⟩119896=1sim1198731198620 = 119890 (119862119896 (1198701015840

119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896sdot(11199112119896))

= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)

and then it sends1198620 to the user groups119860119896 for 119896 isin 1 sdot sdot sdot 119873After receiving 1198620 all the user groups 119860119896 compute messageM as 1198620prod119899

119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis

51 Provable Security In the proposed scheme we utilize asymmetric encryption to hide themessage data and use secretsharing based on general access structure to share the sessionkey with users in every group Since the security of secretsharing based on general access structure does not rely on anycomputational complexity assumption it is unconditionallysecure Therefore the modification does not disclose anyinformation and the proposed scheme is chosen plaintextsecure

52 Privacy of the Data Ownerrsquos Personal Information Inorder to protect privacy of the data owner the data owner firstcomputes the tag of the data file119879119886119892119900119908119899119890119903 = 119867(119860119905119905119881119886119897119906119890119900119908119899119890119903)with public hash function 119867 and constructs the bloom filter119861119865119889119886119905119886119891119894119897119890 = 119861119865(119879119886119892119900119908119899119890119903) of the tag119879119886119892119900119908119899119890119903Then the bloomfilter 119861119865119889119886119905119886119891119894119897119890 with the ciphertext is constructed as data fileand uploaded to cloud server To decrypt the ciphertext theywant to access the cloud users firstly compute the 119879119886119892119900119908119899119890119903of the data file with public hash function 119867 Then theypresent the 119879119886119892119900119908119899119890119903 to the cloud server the cloud finds theitem of the data file by verifying the bloom filter 119861119865119889119886119905119886119891119894119897119890If it passes the verification the ciphertext of the data file⟨119861119865119889119886119905119886119891119894119897119890 (119872119896 120588119896) 1198620 119862119896⟩119896=1sim119873 is sent to users Then theusers decrypt the ciphertext to recover the plaintextwith theirdecryption key It is easy to see that the personal privacy of theowner can be protected from the cloud

Claim 1 The correctness of the search result can be ensuredif the rate of false search result is acceptable

A false positive probability 119875119900119904119894119875119903119900 exists when deter-mining whether an element 119909 belongs to a set because of thepossible collisions in the hash functions We can compute119875119900119904119894119875119903119900 as follows [15]

119875119900119904119894119875119903119900 = (1 minus (1 minus 1119898)119896119899 sdot 119896) asymp (1 minus 119890minus119896119899119898)119896 (6)

where 119899 is the number of elements in set 119878 and 119898 is the sizeof the bit array Obviously when 119896 = (log 2)(119898119899) the falsepositive probability 119875119900119904119894119875119903119900 can beminimized to a negligiblevalue ie (12)11989653 Verifiability of the Share Key Distribution In the follow-ing we prove that the user can verify the correctness of sharekey distributed by the data owner

Claim 2 Suppose a user is 119868119863119894 if he accepts the shareverification Ω119868119863119894997888rarr119895

from the owner then there exists a

unique value 119878ℎ119868119863119894997888rarr119895 such that 119890(prod119897119896119895=1(120590119868119863119894997888rarr119895 )119898119896119894119895119895 119892) = 119890(119892(119878ℎ119868119863119894997888rarr119895)119889minus1119868119863119894997888rarr119895 )


Table 2 Comparison of security properties

Scheme Collusion-resistant Anonymous storage Having verification property Identifiable cheater[2] YES NO YES NO[4] YES NO NO NOOurs YES YES YES YES

Suppose the owner distributes a share verificationΩ1015840119868119863119894997888rarr119895

= 119892119886119896 sdot1199111 sdot sdot sdot 119892119886119896 sdot119911119897119896 to the user 119868119863119894 if the user ac-

cepts the value Ω1015840119868119863119894997888rarr119895

then 119890(prod119897119896119895=1119892119886119896 sdot1199111 sdot sdot sdot 119892119886119896 sdot119911119897119896 119892) = 119890(119892

(119878ℎ119868119863119894997888rarr119895 )119889minus1119868119863119894997888rarr119895 ) 119890(prod119897119896119895=1119892119886119896 sdot1199111 sdot sdot sdot 119892119886119896 sdot119911119897119896 119892) = 119890((119892)119886119896sdotsum119897119896119895=1 119911119895sdot119898119896119894119895 119892) = 119890(119892 119892sum119897119896119895=1 119886119896 sdot119911119895sdot119898119896119894119895 ) = 119890(119892 (119878ℎ119868119863119894997888rarr119895)119889minus1119868119863119894997888rarr119895 ) which leads

to 119878ℎ119868119863119894997888rarr119895 = ℎsum119897119896119895=1 119886119896 sdot119911119895sdot119898119896119894119895119868119863119894997888rarr119895= ℎ119886119896sdot120582119896119895119868119863119894997888rarr119895

that is to say 120582119896119895 =119911119895 sdot 119898119896119894119895

Therefore the share key can be verified by the user

54 Identification of the Cheater The RS code is employedhere to prevent the cheaters from changing the polynomial119877(119909) which is used to test the validity of the shares due to thefact that RS code has the ability to perform error correctionIn other words a polynomial 119877(119909) of 119905 degree is uniquelydetermined by 1198771198941 sdot sdot sdot 119877119894119896 if and only if 119896 ge 3119905 + 1 evenif there are some fake shares 119877119894119895 they cannot prevent thecorrect reconstruction of 119877(119909) Thus we have the followingconclusion

Claim 3 If 119905 le (119896 minus 1)3 in every group 119880120593(119894) then theproposed scheme is a (119905 120576) cheater identifiable data sharingscheme that no cheater can succeed in cheating without beingidentified with probability better than 1119902 where 119905 is thenumber of the cheaters and 119896 is the threshold for everygroup

55 Mutual Supervision between Groups

Claim 4 The proposed scheme is collision-resistant andmutual supervision between different groups

The proposed scheme not only identifies the cheaterin group but also can achieve mutual supervision betweengroups because the secret is distributed to each group ifand only if all of the 119873 groups present the correct secretshare then the plaintext is recovered correctly If some userspresent a fake share in any authorized user set it would causethe group share error which leads the decryption process tofailure

6 Performance Analyses

In this section we briefly compare our scheme with someother classical data sharing schemes like Yu scheme [2] andDong scheme [4] Yu scheme is relaying on KP-ABE whileDong scheme is based on CP-ABE In our scheme 119905119896 can alsobe seen as the attribute that involved in the group 119880119896 Theseschemes have applications in healthcare or library scenarios

to share data Besides our scheme ismore suitable formedicalsupervision scenario especially when evidence is needed likeEMR in medical disputes or accident Data confidentiality isachieved in all these schemes since the data owner stores theciphertext of data file into cloud server and the cloud serversare not able to learn the plaintext of any data file The datadecryption keys are not known by the cloud server in anyone of these schemes [2 4] as well as in our scheme althoughthe proxy reencryption key is given to the cloud server in [2]The comparison of our scheme with the schemes in [2 4]regarding the security properties is summarized in Table 2

In order to make the comparison fair and meaningfulwhen comparing the computational cost in the decryptionphase we consider the general situation that all users haveparticipated In case when the decryption is partially out-sourced to the cloud this will further reduce the computa-tional cost for the users obviously

61 Dynamic Operation The dynamic operations such asuser additionrevocation and file creationdeletion are pro-cessed in a similar way as in all these schemes then theoperation are introduced briefly

(1) File Operation There are three operations for file oper-ation file creation file deletion and file updating In theseoperations the data owner has the right to delete the newfile in [2 4] and ours He makes a unique tag and definesthe access policy or attributes set for file creation For fileupdating the data owner ought to rearrange the access policyin our scheme and in [4] while updating the filersquos attribute119894 in ciphertext and the proxy reencryption key in scheme[2]

(2) User Operation There are two operations for user oper-ations new user grant and user revocation Similarly thedata owner assigns the corresponding secret key to the newuser according the type of the scheme KP-ABE or CP-ABEThe data owner may revoke the access privileges from someusers It has been a great challenge to achieve an effective userrevocation

In most existing schemes it can take a direct manner inwhich the data owner reupdates the access policy reencryptsthe relevant files and distributes the renewed keys to the non-revoked users via the cloud server This method is applicablein [2 4] and our scheme Based on the above reasons the dataowner needs to guarantee that all the operations are processedfaithfully by the cloud servers

62 Computation Complexity In this section we analyze andcompare the computation overhead of the proposed schemewith [2 4] considering the encryption and decryption


Table 3 Comparison of computation complexity

Scheme Encryption Decryption Key Generation(Data owner) (User)

[2] 119874 (10038161003816100381610038161198681199061003816100381610038161003816) 119874 (max (10038161003816100381610038161198681198721003816100381610038161003816 10038161003816100381610038161198681199061003816100381610038161003816)) 119874 (10038161003816100381610038161198681198721003816100381610038161003816)[4] 119874 (10038161003816100381610038161198681198721003816100381610038161003816) 119874 (10038161003816100381610038161198681198721003816100381610038161003816) 119874 (10038161003816100381610038161198681199061003816100381610038161003816)Ours 119874 (119873) 119874 (|119880|) 119874 (1)operation In the proposed scheme the main computationalcost involved in encryption and decryption algorithms arepairing 119890(119892 119892) and scalar multiplication The ciphertext ofthe proposed scheme is 119862 = 1198620 = 119890(119892 119892)sum119896 120572119896sdot119904119896 1198621 =1198921199041 sdot sdot sdot 119862119873 = 119892119904119873 Pairing is the most expensive operationFor each different file data owner only needs to calculate119890(119892 119892) once at the beginning Thus we do not considerthe overhead of pairing operation in the computationalcomplexity when comparing the proposed schemewith thosein [2 4] In the computational complexity analysis we onlytake into account scalar multiplication operation Duringencrypting all encryption operations are at the data ownerrsquosside The data owner needs to do 119873 scalar multiplicationfor 1198620 and 119873 scalar multiplications for 119862119896 thus the ownershould take 2119873 scalar multiplication in total for encryp-tion Then the computation complexity of encryption is119874(119873)

In the decryption stage to recover ciphertext the userneeds at most (2|119873| + |119880|) scalar multiplications to calculate

119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)

Thus the computation complexity of decryption is at mostabout 119874(|119880|)

In the key generation stage it needs one scalar multipli-cation to calculate 119878ℎ119868119863119894997888rarr119895 = ℎ119886119896sdot120582119896119895119868119863119894

for each user 119868119863119894 andtwo scalar multiplications to calculate 1198701015840

119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 and11987010158401015840119896 = 119892119905119896 for each group 119880119896 Therefore the computational

complexity of key generation is at most 119874(1)For the cloud server the main computational overhead

is caused by the execution of tag testing algorithm by Bloomfilter hash function So the computation complexity for cloudserver is 119874(1)

In [4] the data owner needs to do two scalar multi-plications to calculate 1198621119909 = 119890(1198921 1198921)120582119909119890(1198921 1198921)120572120588(119909) 119903119909 onescalar multiplication for 1198622119909 = 1198921199031199091 and two for 1198623119909 =119892120573120588(119909)1199031199091 1198921205961199091 Therefore the data owner needs at most 5|119868119872|scalar multiplications Thus the computation complexity ofencryption is 119874(|119868119872|) To recover the ciphertext the userneeds another 2|119868119872| scalarmultiplications atmost to calculateprod119909119890(1198921 1198921)120582119909119890(119867(119868119863) 1198921)120596119909 so the time complexity is alsoat most 119874(|119868119872|) The time complexity for key generation is119874(|119868119906|)

1 2 3 4 5 6 7 8 9 10Number of Attributes

Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our

Figure 3 Comparison of encryption performance with 10attributes

While in [2] the data owner needs to do one scalarmultiplications to calculate 119864 = 119872 sdot 119890(119892 119892)119910119904 and one scalarmultiplication for 119864119894 = 119892119905119894sdot119904 Therefore the computationcomplexity of the data owner for encryption is 119874(|119868119906|) Torecover the ciphertext one has to compute 119890(119864119894 119904119896119894) =119890(119892 119892)119901119894(0)119904 for each leaf node firstly Then it aggregatesthese pairing results in the bottom-up manner using thepolynomial interpolation technique Finally it recovers theblind factor 119884119904 = 119890(119892 119892)119910119904 and outputs the message119872 if onlyif attributes 119868 satisfy access tree 119879 So the time complexityfor decryption is about 119874(max(|119868119872| |119868119906|)) And the timecomplexity for generation of the key 119878119870 = 119904119896119894 | 119904119896119894 =119892119901119894(0)119905119894119894isin119868119872 is 119874(|119868119872|)

The computational complexity of our scheme as well as[2 4] is given in Table 3 where 119868119906 denotes the attributes ofthe user 119868119872 denotes the attributes of access structure set 119880represents the universal users and 119873 is the number of thepartitioned groups in our scheme

63 ExperimentResults Theevaluation is conducted throughexperiment evaluating the time cost of the proposed schemeon a computer withWindows7 Intel i5-4590S -300GHzCPUand 4-GB RAM All results presented here are the averagevalue in 100 different trials

631 The Overhead of Encryption Algorithm In our schemethe encryption is to calculate 1198621 sdot sdot sdot 119862119873 In [2] the cal-culation of ciphertext 119862 is based on 119864 and 119864119894119894isin119868 Andthe calculation of ciphertext 119862 in scheme [4] is based on1198621119909 1198622119909 1198623119909 Let the number of attributes |119868119906| equals thenumber of users 119873 and then the encryption speed ofour scheme and other schemes with the number of theattribute is to 10 and to 50 is given respectively in Figures3 and 4


1 10 20 30 40 50Number of Attributes

Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)


Number of attributes Groups

108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652

Figure 5 The decryption performance of our scheme

From Figures 3 and 4 we can see that the encryption costincreases linearlywith the attributes in the three schemes andour scheme has almost the same cost as [2] and it is muchlower than [4]

632 The Overhead of Decryption Algorithm In ourscheme the decryption is to compute prod119873

119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890(119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896)) As we see the cost of

decryption depends on the number of groups and the usernumber in each group The decryption overload about 10groups and 10 users in every group of our scheme is showedin Figure 5

The decryption overload of [2] is to compute the pairingoperation which is not only due to the number of theattributes but also due to intermediate node the size of theconcrete tree structure If the structure of the tree is a largenumber then the overload will be very large Here we onlygive the comparison of decryption overload between ourscheme and [4] where the number of users in our schemeis the same as the number of attributes in [4] Every star inFigure 6 is denoted as a number of the groups in bracketsunder the same number of the attributes in our scheme FromFigure 6 we can see that the more groups the greater theconsumption

When all users are in one group in our scheme theoverhead of decryption are showed in Figures 7 and 8 where

(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)

Figure 6 Decryption performance of the proposed scheme and [4]


Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur

Figure 7 Comparison of decryption performance with 10attributes


Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur


attributes of access structure are up to 10 and 50 respectivelyThen it can be seen that our scheme overhead is less than[4]

633 The Overhead of Key Generation Algorithm The keygeneration algorithm is to compute the power exponent inall of three schemes In order to simplify the comparison wetake all users in one group then key generation overloads ofthree schemes are showed in Figure 9 From the Figure 9 itcan be seen that the overload in our scheme is much less than[4] and a little more than [2]


Table 4 Comparison of communication costs

Scheme Communication costs[2] |119868| + 2 log |119868| + (|119868| + 1) log 1003816100381610038161003816G1

1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2

1003816100381610038161003816 + 119873 sdot log 1003816100381610038161003816G11003816100381610038161003816 + 3119873 sdot log 1003816100381610038161003816G2

1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)

Figure 9 Comparison of key generation performance with 10attributes

64 Communication Cost In our scheme the communica-tion cost is mainly attributed to the encrypted data and keydistribution transmission The encrypted data is sent by thedata owner to the cloud the value of 1198620 = 119890(119892 119892)sum119896 120572119896sdot119904119896 and1198621 = 1198921199041 sdot sdot sdot 119862119873 = 119892119904119873 requires (log |G2| + 119873 sdot log |G1|) bitsThe share keys are sent by the data owner to the users thevalue 119878ℎ119868119863119894997888rarr119895 1198701015840

119896 11987010158401015840119896 for every 119894 requires 3119873sdotlog |G2|Ω119868119863119894997888rarr119895

at most requires1198732 sdot log |G2| and V119877119868119863119894997888rarr119895 requires log |119902| bitsThus the communication cost of the share key from ownerto users is given by 3119873 sdot log |G2| + 1198732 sdot log |G2| + log |119902|The private key is usually a few hundred bits and in generalit does not need to be compressed We need to assume thatbefore the cloud environment is established the private keyis initialized in advance and each participant can securelystore and use the private keyThus the whole communicationcost of the protocol is given by log |G2| + 119873 sdot log |G1| + 3119873 sdotlog |G2| + 1198732 sdot log |G2| + log |119902| + data The communicationexpenses comparison between our scheme KP-ABE-basedschemes andCP-ABE-based schemes is shown asTable 4Wecan see that the communication cost of our scheme is nearlythe same as CP-ABE-based schemes and our scheme and [4]is slightly more than KP-ABE-based schemes However inpractice the file is described by just a limited attributes orshared with limited users In addition even though the orderof cyclic group119866 is large log |119866| bits is far less than the file size(data) In other words the extra communication cost can beignored

7 Application to Secure MedicalInformation Sharing Scene

In personal health medical information environment likepersonal medical information medical record informationof a person is cumulated consistently during his life hewill have a lot of contact with nurses and doctors over hislife From perspective of the patient he is the data owner

When his health medical record is stored in the cloud serverhe also wishes to control his medical data and he needsto specify who can to access his information those usersare called authorized users As shown in Figure 10 theseauthorized users might be some friends specialists nursesand public security investigators To ensure impartiality andfairness to prevent tampering forgery and other illegal actsthe access of medical record data of the owner should becarried out under the above different groupsrsquo supervisionAnd scheme should have the properties of data confiden-tiality and privacy protection and cheater identification Toachieve this goal a privacy protection approach is taken touse bloom filter to hide some personal information thatis not closely related to health conditions of the patientsuch as name gender telephone number ID card num-ber family address and property when medical record ofowner is stored on cloud Moreover since each group has agroup secret datarsquos access is carried out under an effectivesupervision mechanism according to the portioned groupsBesides it can be made sure that the participants conspiringor deceive can be found and identified applying an errorcorrection function of RS encoding technique In summarythe proposed scheme is helpful for patient to achieve flexibleand supervised control on his case file stored on cloudserver

8 Conclusion

In this paper a personal medical information privacy protec-tion scheme in the cloud was proposed which can be usedto set the electronic medical records system up for patientsefficiently The proposed scheme has flexible data accesscontrol through combing the techniques of the secret sharingmethods and symmetric encryption The performance anal-ysis shows that the proposed scheme has low overhead andhigh efficiency In this proposed scheme we use RS encodingmethod to identify the dishonest user It means there arenot too much misbehave users in every group As indicatein Section 25 this scheme has the capability of identifyingup to 119905 cheaters under the condition (119896 minus 1)3 ge 119905 Hencein the future works we will investigate how to remove thiscondition and to achieve more efficiency of recognition of thedishonest user Moreover we will investigate how to achieveefficient data file updated flexibly and how to processmultifileconvergence in batches

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request


Cloud server verifies

BF[ℎ1 (Tagowner)] = middot middot middot = BF [ℎo (Tagowner)] = 1

Ciphertext

Patient

Decryption key

Users

Group of relativesand friends

Group of doctors Group of publicand nurses security

investigators

Tagowner = H (AttValue

owner )

Figure 10 The system model for personal medical information privacy protection system

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by National Key RampD Programof China (no 2017YFB0802000) the National NaturalScience Foundation of China (61572303 6177232661802241 61802242 and 61872289) National CryptographyDevelopment Fund during the 13th Five-year Plan Period(MMJJ20180217) the Foundation of State Key Laboratoryof Information Security (2017-MS-03) the ProvincialNatural Science Foundation Research Project of Shaanxi(no 2017JQ6029) the Shaanxi Provincial Department ofEducation Special Scientific Research Project (no 16JK1109)and the Doctoral Scientific Fund Project of ShaanxiUniversity of Science and Technology (BJ11-12)

References

[1] M Kallahalla E Riedel R Swaminathan et al ldquoScalable securefile sharing on untrusted storagerdquo in Proceedings of the FASTrsquo03Proceedings of the 2nd USENIX Conference on File and StorageTechnologies pp 29ndash42 2003

[2] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[3] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[4] X Dong J Yu Y Luo Y ChenG Xue andM Li ldquoAchieving aneffective scalable and privacy-preserving data sharing service

in cloud computingrdquoComputers amp Security vol 42 pp 151ndash1642014

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B Waters ldquoCiphertext-policy attribute-based encryption anexpressive efficient and provably secure realizationrdquo in PublicKey Cryptography (PKC rsquo11) pp 53ndash70 Springer Berlin Ger-many 2011

[7] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances inCryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 209ndash307 Springer Berlin Germany 2006

[8] Beimel Secure schemes for secret sharing and key distribution[PhD thesis] Israel Institute of Technology Technion HaifaIsrael 1996

[9] M Ito A Saito and T Nishizeki ldquoSecret sharing scheme realiz-ing general access structurerdquo Electronics amp Communications inJapan vol 72 no 9 pp 56ndash64 1989

[10] J Benaloh and J Leichter ldquoGeneralized secret sharing andmonotone functionsrdquo On Advances in Cryptology vol 403 pp27ndash36 1988

[11] M Karchmer and A Wigderson ldquoOn span programsrdquo TheEighth Annual Structure in Complexity Theory pp 102ndash111 1993

[12] B H Bloom ldquoSpacetime trade-offs in hash coding withallowable errorsrdquoCommunications of the ACM vol 13 no 7 pp422ndash426 1970

[13] TNishide K Yoneyama andK Ohta ldquoAttribute-based encryp-tion with partially hidden encryptor-specified access struc-turesrdquo in Proceedings of the International Conference on AppliedCryptography amp Network Security vol 5037 pp 111ndash129 2008

[14] J Lai R H Deng and Y Li ldquoExpressive CP-ABE with partiallyhidden access structuresrdquo in Proceedings of the 7th ACMSymposium on Information Computer and CommunicationsSecurity ASIACCS 2012 pp 18-19 Republic of Korea May 2012


[15] S Jiang X Zhu and L Wang ldquoEPPS Efficient and privacy-preserving personal health information sharing in mobilehealthcare social networksrdquo Sensors vol 15 no 9 pp 22419ndash22438 2015

[16] R J McEliece and D V Sarwate ldquoOn sharing secrets and Reed-Solomon codesrdquoCommunications of the ACM vol 24 no 9 pp583-584 1981

[17] SObana ldquoAlmost optimum t-cheater identifiable secret sharingschemesrdquo in EUROCRYPT vol 6632 pp 284ndash302 2011

[18] H Hoshino and S Obana ldquoCheating detectable secret sharingscheme suitable for implementationrdquo in Proceedings of the4th International Symposium on Computing and NetworkingCANDAR 2016 pp 623ndash628 Japan November 2016

[19] Z Chen S Li Q Huang J Yan and Y Ding ldquoA joint randomsecret sharing scheme with public verifiabilityrdquo InternationalJournal of Network Security vol 18 no 5 pp 917ndash925 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


datarsquos some controls for example update the data or revokethe access rights for some other users [1] In consequencemany recent works have devoted to guarantee security andprivacy using remotely storing the shared data and in themeantime assuring the desirable security characteristics In2010 the first scheme achieving secure data access controlwith provable security in cloud storage has been proposed byYu et al [2] using key-policy attribute-based encryption andsymmetric encryption (KP-ABE) [3] The scheme can reachfine-grained data access by combing KP-ABE with proxyreencryption (PRE) and lazy reencryption The schemersquosperformance still needs to be improved though a part ofthe private key update calculation can be put out to thecloud Dong et al subsequently give a scheme [4] employingsymmetric encryption with ciphertext-policy attribute-basedencryption [5 6] (CP-ABE) To sum up regarding theemployed technologies KP-ABE or CP-ABE has either beenused by these above schemes under the symmetric encryptionto design data security secure access control Some otherdesign methods are based on hierarchical identity-basedencryption (HIBE) [7] but they have appealed to less atten-tion These schemes have simply considered how to supplydata privacy against the cloud but they do not have thepreservation of private information of owner and the possibledishonest behaviors by some authorized users when storingthe data in cloud For instance some authorized users mayprovide fake share deliberately to cause decryption failureIn the personal health medical information surroundingssome extra security demands are required Since in certainspecial circumstances such as medical accidents abnormaldeaths and traffic accidents medical disputes claim shouldbe considered In these situations while medical evidence isneeded electronic medical records of the patient should beable to be right decrypted by the authorized users Assumingsomeone has had an accident or been killed in seriousincidents In case supposing that there are disputes historicrecords of the users will be the crucial evidences and theyneed to be recovered for expert testimony These existingschemes however focus on the confidentiality and privacy ofthe data itself and the cost of performancemainly but they arenot suitable for medical records scenariosrsquo needs To realizean effectual scalable and privacy-preserving data sharingservice in the cloud the following requirements should beconsequently satisfied

(1) the data owner can authorize who can access the dataand the authorized users should be able to get to shared datain the cloud under the constraints that are defined by the dataowner

(2) the cloud needs to be able to give support to dynamicrequirements so that data owners can update the data file andadd or revoke users

(3) when data owner stores his information on the cloudwithout suitable protection the data are readable by anyonesince the cloud is publicly accessible The personal privateinformation for example their medical information andusersrsquo telephone number consequently needs to be protectedagainst the cloud and it should not be made public

(4) the data decryption operation should be carried outunder mutual supervision and the dishonest users need to

be identified if they submit false shares How to settle theabove important issues has not been considered in cloudthat computes yet although a number of schemes have beenproposed in the literature

In this paper we propose an effective scalable and flexibleprivacy-preserving data sharing scheme to ensure semanticsecurity and effective utilization of ownerrsquos data In orderto preserve the privacy of ownerrsquos sensitive information thatmay be unrelated to the data itself Bloom filter hash functionis used to hide data storage in cloud The scheme employssecret sharing based on general access structure to preserveconfidentiality of the ownerrsquos data against the cloud Inaddition Reed-Solomon (RS) encoding technique has beenadopted to identify the dishonest user who presents a falseshare In the proposed scheme all authorized users aredivided into groups by their identity when they registerthemselves with the protocol Each data file is describedby a set of group secrets and for every group such as 119880119896has been assigned one master key 120572119896 so that the data filecan be successfully decrypted when these group secrets arecorrectly recovered In addition each cloud user is assignedinto a group and every group secret is shared among thegroup users by utilizing secret sharing of general access struc-ture

To ensure correct sharing of the secret this schemedefines a public-private key pair for each user By combingsecret sharing access structure and userrsquos public key the shareor secret key is sent to user in every group Therefore eachuser could get a different key and he can check this sharekey by his private key 119889119868119863119894997888rarr119895 The secret keys of group usersare defined to reflect their group access privileges so thatall of the users should present their correctly shared keyswithout cheating RS encoding technique is used to enable theidentification of the cheater when he provided a fake share

In the proposed protocol the secret is shared amongmultiple participants and only a quorum of these partici-pants work together can recover the secret In an ideal secretsharing the secret share held by each participant has exactlythe same size as the secret and the size of all secret sharestogether is proportional to the number of the participantsTherefore when considering the protocol as a whole moreinformation needs to be dealt with but each participantrsquostask remains the same The benefit is that the secrecy andavailability of the secret key are enhanced Suppose theadversary wants to learn the secret key or destroy it She needsto compromise multiple participants to achieve her objectiveinstead of compromising a single one in the traditionalprotocols

Compared with the existing schemes our analysis showsthat the proposed scheme provides the following benefitsregarding both security and efficiency

(1) The cloud server can assist search record by data filetag and it can learn nothing about ownerrsquos data in plaintextand ownerrsquos personal sensitive information

(2) The user who can access the data file is authorized bythe data owner and he can verify the secret key sent by theowner

(3) The dishonest cloud users who present fake decryp-tion keys can be identified so that the ciphertext can be


11 00 11 00 00 00 11


ℎ1(x) = 1 ℎ2(x) = 3 ℎ3(x) = 7




2 Preliminaries











































= 119892119904119873 (2)








for short 119868119863119894997888rarr119895



in group 119880119896









(d) 119878119870119894997888rarr119895 = 119878ℎ119868119863119894997888rarr119895 1198701015840119896 11987010158401015840

119896 Ω119868119863119894997888rarr119895 V119877119868119863119894997888rarr119895 is







=ℎ119886119896 sdot120582119896119895 sdot119889minus1119868119863119894119868119863119894



119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 Ω119868119863119894997888rarr119895















prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


(4)




119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)


119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis








































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



11 00 11 00 00 00 11


ℎ1(x) = 1 ℎ2(x) = 3 ℎ3(x) = 7




2 Preliminaries











































= 119892119904119873 (2)








for short 119868119863119894997888rarr119895



in group 119880119896









(d) 119878119870119894997888rarr119895 = 119878ℎ119868119863119894997888rarr119895 1198701015840119896 11987010158401015840

119896 Ω119868119863119894997888rarr119895 V119877119868119863119894997888rarr119895 is







=ℎ119886119896 sdot120582119896119895 sdot119889minus1119868119863119894119868119863119894



119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 Ω119868119863119894997888rarr119895















prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


(4)




119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)


119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis








































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

































= 119892119904119873 (2)








for short 119868119863119894997888rarr119895



in group 119880119896









(d) 119878119870119894997888rarr119895 = 119878ℎ119868119863119894997888rarr119895 1198701015840119896 11987010158401015840

119896 Ω119868119863119894997888rarr119895 V119877119868119863119894997888rarr119895 is







=ℎ119886119896 sdot120582119896119895 sdot119889minus1119868119863119894119868119863119894



119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 Ω119868119863119894997888rarr119895















prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


(4)




119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)


119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis








































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








for short 119868119863119894997888rarr119895



in group 119880119896









(d) 119878119870119894997888rarr119895 = 119878ℎ119868119863119894997888rarr119895 1198701015840119896 11987010158401015840

119896 Ω119868119863119894997888rarr119895 V119877119868119863119894997888rarr119895 is







=ℎ119886119896 sdot120582119896119895 sdot119889minus1119868119863119894119868119863119894



119896 = 119892120572119896 sdot 119892119886119896 sdot119905119896 11987010158401015840119896 = 119892119905119896 Ω119868119863119894997888rarr119895















prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


(4)




119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)


119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis








































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





prod119873119896=1119890 (119862119896 1198701015840

119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896

(119890 (119878ℎ119868119863119894997888rarr119895 11987010158401015840119896 )120573119896))

= prod119873119896=1119890 (119892119904119896 119892120572119896119892119886119896 sdot119905119896)

prod119873119896=1(prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896)= 119873prod

119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


(4)




119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

(119890((119878ℎ119868119863119894997888rarr119895)1119911119896 (11987010158401015840119896 )1119911119896)120573119896)

= 119890 (119892119904119896 (119892120572119896119892119886119896 sdot119905119896)11199112119896)prod119897119896

119895=1119868119863119894997888rarr119895isin119860119896

119890 (119892119886119896 sdot120582119896119895 119892119905119896)120573119896sdot(11199112119896)

= 119890 (119892119904119896 119892120572119896)11199112119896 sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)11199112119896(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896


= 119890 (119892 119892)120572119896sdot119904119896sdot(11199112119896)

(5)


119896=1(1198620)1199112119896 = 1198620prod119899119896=1(119890(119892 119892)120572119896sdot119904119896 sdot(11199112119896))1199112119896 = M

5 Security Analysis








































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
































119873prod119896=1

119890 (119892119904119896 119892120572119896) sdot 119890 (119892119904119896 119892119886119896 sdot119905119896)(119890 (119892 119892)sum

119897119896119895=1

119868119863119894997888rarr119895isin119860119896

119886119896 sdot120582119896119895 sdot120573119896sdot119905119896)

(7)









Encryption

0

500

1000

Tim

e (m

s)

Yu et alDong et al

Our








Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




Encryption

Yu et alDong et al

Our

0

2000

4000

6000

Tim

e (m

s)



108

6 10984 7652 4320 1

50010001500200025003000350040004500500055006000

Tim

es (s

)

umber of

86 984 7652




119896=1119890(119862119896 1198701015840119896)prod119873

119896=1(prod119897119896119895=1

119868119863119894997888rarr119895isin119860119896





(10)

0

500

1000

1500

2000

2500

3000

Tim

es (s

)


OurDong et al

(1)(2)(5)

(10)

(1)(2)(4)(5)

(10)

(1)

(6)(5)

(10)

(1)

(5)(4)



Decryption

0100200300400500600700

Tim

e (m

s)

Dong et alOur



Decryption

0

2000

4000

Tim

e (m

s)

Dong et alOur







1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





1003816100381610038161003816 + log 1003816100381610038161003816G21003816100381610038161003816 + 119889119886119905119886

[4] |119868|2 + log |119868| + (2 |119868| + 1) log 1003816100381610038161003816G11003816100381610038161003816 + (|119868| + 1) log 1003816100381610038161003816G2

1003816100381610038161003816 + 119889119886119905119886Ours log 1003816100381610038161003816G2


1003816100381610038161003816 + 1198732 sdot log 1003816100381610038161003816G21003816100381610038161003816 + log 10038161003816100381610038161199021003816100381610038161003816 + 119889119886119905119886


Key Generation

Dong et alYu et al

0

200

400

600

Tim

e (m

s)








8 Conclusion


Data Availability





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Ciphertext

Patient

Decryption key

Users



investigators


owner )




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


a cheating detectable privacy-preserving data sharing scheme for cloud...

Documents