Accountable Attribute-based Encryption with Public Auditing and User Revocation in the Personal Health Record System

Abstract

In the system of ciphertext policy attribute-based encryption (CP-ABE), only when the attributes of data user meets the access structure established by the encrypter, the data user can perform decryption operation. So CP-ABE has been widely used in personal health record system (PHR). However, the problem of key abuse consists in the CP-ABE system. The semi-trusted authority or the authorized user to access the system may disclose the key because of personal interests, resulting in illegal users accessing the system. Consequently, aiming at two kinds of existing key abuse problems: (1) semi-trusted authority redistributes keys to unauthorized users, (2) authorized users disclose keys to unauthorized users, we put forward a CP-ABE scheme that has authority accountability, user traceability and supports arbitrary monotonous access structures. Specifically, we employ an auditor to make a fair ruling on the malicious behavior of users. Besides, to solve the problem of user leaving from the system, we use an indirect revocation method based on trust tree to implement user revocation. Compared with other existing schemes, we found that our solution achieved user revocation at an acceptable time cost. In addition, our scheme is proved to be fully secure in the standard model.

1. Introduction

Due to the high flexibility and scalability of cloud computing, many businesses and individuals rely on cloud servers to store and calculate their data [1-5]. Today, cloud computing technology is relatively mature and widely used. In this way, they can not only save money, but also improve efficiency. The cloud server is not completely trusted, so the data now placed on the cloud are all in ciphertext [2,6]. Take a PHR system as an example, patients upload their own personal medical records to the PHR system, through which doctors know the patient's medical records and make a rapid diagnosis. This method not only saves patients' time and money, but also improves the efficiency of diagnosis for doctors. A PHR system based on traditional encryption scheme is shown in Fig. 1. However, the traditional encryption scheme can not provide fine-grained access control, which greatly limits the application of PHR system [4,7]. Therefore, many secure PHR systems [8-12] are built based on attribute-based encryption (ABE). ABE is regarded as the most compelling encryption primitive that realizes fine-grained [1,13] access control, solving the problem of one-to-many secret data sharing. In ABE, users have a series of attributes to identify themselves. Only if these attributes they own meet the access policy, users can decrypt the ciphertext. In a PHR system, the patient's medical records are encrypted by ABE, and the fine-grained access control to the encrypted medical records is realized. As the PHR system has high requirements for data privacy and security, and the patient's records stored in the system is of great value, there are often illegal users maliciously divulging the data in the system for their own interests. Specifically, there are two categories of key abuse problems in CP-ABE. (1) Driven by personal interests, authorized users may reveal their private keys to illegal users [6,14]. (2) The semi-trusted authority may redistribute the private keys to unauthorized users for the same reason. In order to solve the problem of key abuse, accountable ABE is proposed. In addition, it is common for patients to exit from the system. So how to revoke the user efficiently is also a research hotspot in ABE. Revocable ABE arises at the historic moment. In this paper, we aim to implement an accountable and full secure ABE scheme in the personal health system, which can publicly audit traceable users and support the revocation of malicious users. The patient's personal health records are encrypted and placed on the cloud server. Patients make access policies to allow specific people to access their health records. If there is malicious behavior that the user leaks the patient's medical records, it can be traced according to the identity-related information contained in the ciphertext. In order to ensure the security of the system, the system access rights of malicious users are reclaimed by indirect revocation. The proposed scheme is based on the personal health medical record system, which greatly protects the privacy of patients and the security of the system.

Fig. 1. PHR System

1.1 Related Work

ABE is evolved from fuzzy identity-based encryption [15]. After that, many ABE schemes were put forward to improve performance and security. In this chapter, we mainly talk about the relevant work to handle the matters of key abuse and user revocation.

1.1.1 Accountability

Due to the matter of key abuse in CP-ABE, accountability has become one of the criteria to measure the practicability of the scheme. The first key accountable ABE scheme was put forward in [16], whereas only supports the access policy expressed by “AND gate and wildcard”. Constructing a traceable CP-ABE scheme is an adequate means to settle the matter of key abuse. There appeared two kinds of traceability: white-box traceability as well as black-box traceability. In 2013, black-box traceable CP-ABE [17] as well as white-box traceable CP-ABE [18] are put forward, and support monotonous access structure. A multi-authority CP-ABE syetem is brought forward by Li et al. [19]. Although the above two schemes are achieved under prime order groups, they only support the access structure of multi-valued “AND” gates with wildcards, and only achieve the selective security under the standard model, so the expression ability and security of access policies are relatively weak. The constructions in [17-21]only implements user traceability, but does not realize authority accountability. Ning et al. [22] proposed an attribute-based encryption scheme which supports both user traceability and authority accountability for the first time. The scheme in [23] allows the key generation center (KGC) and the attribute authority (AA) to jointly generate the user's private key, thus ensuring that KGC and AA cannot distribute the user's private key to unauthorized users. However, the scheme does not solve the problems of user key abuse and user revocation. Ning et al. [24] proposed a fully secure white-box traceable CP-ABE system for the first from non-interactive commitments. Zhao et al. [25] proposed a large universe CP-ABE with black-box traceability. In this scheme, the size of public parameters not to grow linearly with the number of attributes.

1.1.2 Revocation

In a CP-ABE system, there are often cases such as user privilege change, user exit and user private key disclosure, so it is indispensable to consider the matter of user revocation. In the system, revoked user cannot decrypt any ciphertext. Meanwhile, the system permissions of other unrevoked users in the system are not affected. In 2006, revocable attribute-based encryption (RABE) was put forward for the first time in [26]. Goyal et al. [27] put forward an ABE scheme that implements indirect attribute revocation. In their construction, each attribute has a time tag representing the validity period. When the system time exceeds the time available for an attribute, the attribute is revoked. In the construction in [28], a CP-ABE scheme for user revocation using binary tree is proposed, but its performance is not high, and greatly increases the calculation and communication burden of the key generation center. Liu et al. [29] implement user revocation by setting an effective access time to the root node of the access control tree, but the cost of key management and decryption is high. A directly RABE supporting verifiable ciphertext agents is proposed in the construction in [30]. However, if there are a lot of user attributes, direct revocation will increase the burden on the cryptographer because the system has to update the user revocation list, thus reducing the feature of the entire system. Indirect revocation is generally implemented by an authority or a third-party agent, and the computational burden is small.

However, until now, there is rarely a full secure ABE scheme that supports user traceability, authority accountability and user revocation concurrent that prevents the practical application of ABE in PHR system.

1.2 Our Construction

In this article, we concentrate on the two common matters of key abuse and user revocation in existing CP-ABE schemes and come up with a new white-box accountable ABE scheme with public auditing and user revocation.

Our scheme realizes both traceable users and accountable authority. It solves the problem of key abuse of untrusted authority, which is often ignored in the existing CP-ABE schemes. When tracing malicious users, we utilize Paillier-style encryption as an extractable commitment. Because there is no requirement to keep an identity table for traceability, there is no traceability storage, which greatly saves the storage space of the server. In addition, an auditor is used to determine whether the caught user is innocent or guilty. What's more, we adopt the revocation method based on the trust tree to realize the revocation of misbehaving users, authorities and other users who quit the system. At the same time, it is proved the scheme is full secure in the standard model.

Comparing the scheme with others on both theoretically and experimentally. Through the analysis, it can be concluded that our scheme has more complete functions and higher security. In terms of efficiency, although our scheme consumes more time than the schemes in [22,31], it is acceptable because of the supplement function of the user revocation.

2. Preliminary

2.1 Linear Secret-sharing Scheme

If it meets these requirements as below, the secret sharing scheme Π over a series of parties E is regarded as linear.

(a) The shares for all parties constitute a phasor on Z_p.

(b) For Π, there is a l×n matrix A called the sharing-generating matrix. For all i = 1,…,l,δ(i) (δ is a mapping from {1, …, l} to E ) is the label for the i th row of A. We consider the column vector \(v=\left(s, r_{2}, r_{3}, \ldots, r_{n}\right)^{ú}\), where s∈Z_p is the shared secret and r₂,r₃,… ,r_n are randomly chosen from Z_p. Then Av is the vector of l shares of the secret s on the basis of Π. The share (Av)_i pertains to party δ(i).

2.2 Trusted Tree-based Revocation Approach

We use the subset-cover algorithm KUNode (st,rl,t) [32,33] to revoke a user, where st is the data structure of the tree, rl signifies a revocation entry with the identity of the revoked user while t signifies the most recent revocation period. The user will be distributed an identity id and an undefined leaf node when s/he joins the system. The leaf node is identified by id. The implementation of user revocation claims the user id to save secret keys in Path(id). The Path(id) represents all nodes id from the root node to the leaf node.

2.3 Composite Order Bilinear Groups

Ψ represents a group generator. Ψ inputs a security parameter ξ and outputs a group G of order N=n₁n₂n₃, where n₁n₂n₃ are different primes.

Let G, G_T are cyclic groups of order N=n₁n₂n₃, and e : G×G→G_T is a bilinear mapping, which meets the characters as following:

(a) Non-degeneracy: e(g,g)≠1.

(b) Bilinearity : ∀x,y∈G,c,d∈Z_p the equation e(x^c,y^d)=e(x,y)^cd is true [34].

(c) Computability: the map e : G×G→G_T can be effectively calculated.

Let G=G_n1G_n2G_n3, G_n1, G_n2 and G_n3 are the subgroups of order n₁, n₂ and n₃ in G, severally. Suppose g is a generator of group G, while \(\boldsymbol{g}^{n_{2} n_{3}}\) is the generator of subgroup \(G_{n_{1}}\) accordingly. Similarly, \(\boldsymbol{g}^{n_{1} n_{3}}\) is the generator of subgroup \(G_{n_{2}}\), and \(\boldsymbol{g}^{n_{1} n_{2}}\) is the generator of subgroup \(G_{n_{3}}\). Therefore, there exists α₁, α₂∈Z_N, such that \(f_{1}=\left(g^{n_{1} n_{2}}\right)^{\alpha_{1}}\), \(f_{2}=\left(g^{n_{1} n_{2}}\right)^{\alpha_{2}}\). At this time, there are: \(e\left(f_{1}, f_{2}\right)=e\left(g^{\alpha_{1}}, g^{n_{3} \alpha_{2}}\right)^{n_{1} n_{2} n_{3}}=1\).

If we choose i,, j, \(f_{i} \in G_{n_{i}}\), \(f_{j} \in G_{n_{j}}\), then e(f_i,f_j)is the unit component in the group G_T. It also shows that the composite order subgroups \(G_{n_{1}}\), \(G_{n_{2}}\) and \(G_{n_{3}}\) are orthogonal to each other.

2.4 Complexity Assumptions

Assumption 1 ( Subgroup Decision Problem for 3 primes). Provided a group generator Ψ, we distribute these parameters as follows [35]:

\(\mathrm{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\longleftarrow} \psi , g \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{3} \stackrel{r}{\longleftarrow} G_{n_{3}} \\ B=\left(\mathrm{G}, g, W_{3}\right), E_{1} \stackrel{r}{\longleftarrow} G_{n_{1}, n_{2}}, E_{2} \stackrel{r}{\longleftarrow} G_{n_{1}}\)

A has the following advantages in breaking this assumption. It is defined:

\(\operatorname{Adv} 1_{\psi, \mathrm{A}}(\xi)=|\operatorname{Pr}\left[\mathrm{A}\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[\mathrm{A}\left(B, E_{2}\right)=1\right] \mid\)

Definition 1. If for any PPT algorithm A, Adv1_Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 1.

Assumption 2. Provided a group generator Ψ, we distribute these parameters as below [35]:

\(\mathrm{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\longleftarrow} \psi, g, W_{1} \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{2}, V_{2} \stackrel{r}{\longleftarrow} G_{n_{2}}, W_{3}, V_{3} \stackrel{r}{\longleftarrow} G_{n_{3}}\\ B=\left(\mathrm{G}, g, W_{1} W_{2}, W_{3}, V_{2} V_{3}\right), E_{1} \stackrel{r}{\longleftarrow} G, E_{2} \stackrel{r}{\longleftarrow} G_{n_{1}, n_{3}}\)

A has the following advantages in breaking this assumption. It is defined:

\(A d v 2_{\psi, A}(\xi)=|\operatorname{Pr}\left[A\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[A\left(B, E_{2}\right)=1\right] \mid\)

Definition 2. If for any PPT algorithm A, Adv2_Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 2.

Assumption 3. Provided a group generator Ψ, we distribute these parameters as follows [35]:

\(\begin{gathered} \mathbb{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\leftarrow} \psi, \alpha, s \stackrel{r}{\leftarrow} Z_{N} \\ g \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{2}, V_{2}, X_{2} \stackrel{r}{\longleftarrow} G_{n_{2}}, W_{3} \stackrel{r}{\longleftarrow} G_{n_{3}}, \\ B=\left(\mathrm{G}, g, g^{\alpha} W_{2}, W_{3}, g^{s} V_{2}, X_{2}\right), E_{1}=e(g, g)^{\alpha s}, E_{2} \stackrel{r}{\longleftarrow} G_{T} \end{gathered}\)

A has the following advantages in breaking this assumption. It is defined:

\(A d v 3_{\psi, A}(\xi)=|\operatorname{Pr}\left[A\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[A\left(B, E_{2}\right)=1\right] \mid\)

Definition 3. If for any PPT algorithm A, Adv3_Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 3.

3. System model and security model

3.1 Entities in the System

This system includes five entities, namely, authority, PHR server, data owner, data user and auditor as represented in Fig. 2. Their functions and responsibilities are as follows:

Fig. 2. System Model

Authority. In this system, the authority ( AT ) is considered not to be trusted. AT produces public parameters pp and interacts with a data user ( DU ) to produce secret key sk_id. In addition, when user revocation occurs, AT is responsible for broadcasting the key update material.

PHR server. PHR server stores the beginning ciphertext BT. Moreover, the PHR server updates BT to the latest ciphertext at the current time.

Data owner. Plaintext is encrypted by the data owner ( DO ) to BT and sends it to the PHR server for storage. Furthermore, in order to implement user revocation, DO renews revocation list rl and sends it to AT. To determine whether the compromised secret key is intact, DO performs the key sanity check.

Data user. In this system, unrevoked users and revoked users are two genres of data users. If a user is unrevoked and his attributes meet the access structure, he could access. Unrevoked users updates his own decryption key and decrypt the ciphertext through the key update material broadcast by AT.

Auditor. The auditor acts as a fair adjudicator in the system. When the traced user denies disclosing the private key, the auditor executes the audit algorithm to determine whether the user has been framed or innocent.

3.2 System Model

We will elaborate specifically on our scheme with traceable user, accountable authority, public auditing, user revocation and no storage for tracing in this section. Our scheme contains a total of ten algorithms as below:

Setup (ξ,τ,V,U)→(pp,st,rl,msk). AT launches algorithm Setup and inputs security parameter ξ, system lifetime τ, the universe of attributes V as well as the amount of system users U, and outputs public parameters pp, state st, and master secret key msk. Besides, it constitutes a revocation list rl=Ø.

KeyGen(pp,st,msk,S,id)→(sk_id). It is executed by DU and AT together. It takes public parameters pp, state st, master secret key msk, an attribute set S, the identifier of DU id(\(i d \in Z_{N}^{*}\)) as input, and outputs a secret key sk_id.

Key update(I,rl,t,(id_i,t_i),st,msk)→(kd_t,rl). This algorithm includes two sub-algorithms: Rev(rl,(id_i,t_i))→rl and Key update(pp,st,rl,msk)→kd_i. The algorithm inputs a series of identifiers I, rl, the current revocation time t, revocation epoch (id_i,t_i), state st, msk, and outputs a key updating ingredient kd_i as well as the updated revocation list rl corresponding to t.

Decryption key generation(pp,sk_id,kd_i)→dk_id,t/⊥. DU is responsible for executing the algorithm. It takes pp, sk_id, the key updating kd_i as input. If DU is unrevoked user in this period t and S meets the access policy, it outputs decryption key dk_id,t. Otherwise, it outputs the failure symbol ⊥ .

Encrypt((A,ρ),pp,t,m,msk)→BT. This algorithm takes access structure (A,p), public parameters pp, current time t, plaintext m, msk as input, and the beginning ciphertext BT as output.

Ciphertext update(BT,pp,t')→CT/⊥. Algorithm Ciphertext update is carried out by PHR server. The algorithm inputs the latest ciphertext BT, the public parameters pp as well as the recent revocation epoch T'∈τ. The updated ciphertext CT or ⊥ is taken as output.

Decrypt(CT,pp,dk_id)→m/⊥. DU implements this algorithm. It takes the latest ciphertext CT, public parameters pp, decryption key dk_id as input and plaintext m or ⊥ as output.

Key sanity check(sk_id,pp)→1/0. This algorithm launched by AT . And it is utilized to ensure that the key sk_id is in well form during the decryption course. The algorithm inputs sk_id, public parameters pp. If sk_id fails this check, it outputs 0. If not, the output is 1.

Trace(sk_id,pp,msk)→id/⊥. AT implements algorithm Trace. It inputs the secret key sk_id, pp , msk. If algorithm Key sanity check outputs 0, it indicates sk_id is not well-formed. It is not necessary for the Trace algorithm to continue to execute. The algorithm outputs ⊥. On the contrary, if the output is 1, it indicates sk_id is well-formed. Trace algorithm is executed to extract and output the user's id from sk_id.

Audit(pp,sk_id,\(s k_{i d}^{*}\))→guilty/acquitte. The algorithm is implemented by DU and the auditor together. If a user is caught by Trace algorithm, but he does not admit his crime. At this time, the Audit algorithm is used to determine whether the user has been wronged or guilty.

3.3 Security Model

To manifest the security of proposed scheme, a security game, namely, the IND-CPA game is defined. The specific description is as below:

The IND-CPA game. This is an indistinguishability under chosen-plaintext attack game. It's a standard semantic security concept that any CP-ABE scheme must meet.

Setup. The challenger C executes algorithm Setup , holds msk in private and releases pp to the adversary A.

Query 1. K key query requests with a series of attributes (id₁,S₁),(id₂,S₂)…(id_k,S_k) are send to C by A. After obtaining these requests, C carries out algorithm KeyGen, Key update, Decryption key generation and delivers decryption key to A.

Challenge. A sends an access structure which isn't subject to the above k attribute sets and two messages of the same length m₀,m₁to C. After randomly tossing a coin λ∈{0,1}, C encrypts m_λ. The ciphertext is transmitted to A.

Query 2. Identical with Query 1.

Guess. A makes a guess λ'that λ is 0 or 1.

In this process, \(A d v=\left|\operatorname{Pr}\left[\lambda^{\prime}=\lambda\right]-\frac{1}{2}\right|\) is taken as the advantage of A. We allege our scheme is full secure if A has a at the utmost negligible advantage can win the game in any PPT.

4. Construction

In this section, we propose an accountable attribute-based encryption scheme in the personal health record system. The proposed scheme realizes public auditing and user revocation. In addition, there is no storage for retro in the scenario. The details of the proposed scheme are as follows.

4.1 setup(ξ,τ,V,U)→(pp,st,rl,msk)

Get a bilinear group map G={e,G,G_n,N,n_i} where g,g₃ are the generator of \(G_{n_{1}}\), \(G_{n_{3}}\), N=n₁n₂n₃,n_i are the order of group G, \(G_{n_{1}}\) severally.

Then, the algorithm selects randomly \(\alpha, \beta, \gamma, u, \eta \in Z_{N}^{*}, v, u_{0}, \ldots, u_{D}(D \text { denotes the size } \text { of } \tau) \in G_{n_{1}}\) and chooses \(v_{i} \in Z_{N}^{*}\) randomly for every attribute i∈V.

Select randomly b,d two prime numbers , gcd(bd,(d-1)(b-1))=1 and |b|=|d|, b≠d. Let π=lcm(d-1,b_1),n=bd,Q=π^-1 mod n and g₁=(n+1).

It selects TC binary tree with more than U leaves. Finally, it returns public parameters \(p p=\left(N, n, g_{1}, v, u_{0}, \ldots, u_{D}, g, g^{\beta}, g^{\gamma}, g^{u}, e(g, g)^{\alpha}, e(g, g)^{\eta},\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\), TC as state st, revocation list rl=Ø and msk=(p,q,η,α,g₃) as master secret key.

4.2 KeyGen(pp,st,msk,S,id)→(sk_id)

First, the algorithm selects randomly an unallocated leaf node from TC. This node is utilized to keep id. The algorithm operates as below for every node θ in Path ( id ).

It retrieves η_θ from the node θ. It randomly chooses and saves \(\eta_{\theta} \in Z_{N}^{*}\) in the node  θ if η_θ is unavailable.

A user DU identified by id and the authority AT interact to produce the key as the following steps. To make the whole process clearer, the flow of the domain key generation phase is shown in Fig. 3.

Fig. 3. The Flow of the Domain Key Generation Phase

For DU :

DU selects randomly \(h \in Z_{N}^{*}\) and computes R_U=g^h.

Then, g^h, a set of attributes S as well as id are sent to AT .

Next, AT operates a ZK-POK of the discrete log of R_U in relation to g.

For AT :

AT examines if the ZK-POK is available or not. If the examination succeeds, it executes the next step. If not, AT discontinues the interaction.

Then, it chooses randomly \(a \in Z_{N}^{*}\), \(r \in Z_{N}^{*}\) and \(R, R_{0}, \overline{R_{0}},\left\{R_{i}\right\}_{i \in S} \in G_{n_{3}}\).

Next, the primary secret key sk_pri for each user with id and S is computed as 

\(\left\{S, \bar{K}=g^{\frac{\alpha}{\beta+\bar{T}}}\left(g^{h}\right)^{\frac{\gamma}{\beta+\bar{T}}} v^{a} R, \bar{T}=g_{1}^{i d} r^{n} \bmod n^{2}, \bar{L}=g^{a} R_{0}, \bar{L}_{1}=g^{\beta a} \overline{R_{0}}\right. \\ \left.\left\{\bar{K}_{i}=V_{i}^{(\beta+\bar{T}) a} R_{i}\right\}_{i \in S},\left\{g^{\eta_{\theta}}\right\}_{\theta \in \text { Path }(i d)}\right\}\)

Finally, AT sends(α,sk_pri) to DU.

For DU :

DU determines whether the following equations are true.

(a) \(e\left(\overline{L_{1}}, g\right)=e\left(g^{\beta}, \bar{L}\right)=e\left(g^{\beta},(g)^{a}\right)\)

(b) \(e\left(\bar{K}, g^{\beta} g^{\bar{T}}\right)=e\left(\bar{L}_{1}(\bar{L})^{\bar{T}}, v\right) e\left(R_{U}, g^{\gamma}\right) e(g, g)^{\alpha}\)

(c) \(\text { s.t. } e\left(V_{x}, \overline{L_{1}}(\bar{L})^{\bar{T}}\right)=e\left(\bar{K}_{x}, g\right), \quad \exists x \in S .\)

If all the equations hold, DU holds on the interaction and computes \(h_{i d}=\frac{a}{h}\). Then, it takes his secret key sk_id as below:

\(s k_{i d}=\left\{S, K=\bar{K}\left(g^{u}\right)^{h_{i d}}, T=\bar{T}, L=\bar{L}, L_{1}=\overline{L_{1}}, R_{U}, h_{i d},\left\{K_{i}=\overline{K_{i}}\right\}_{i \in S},\left\{g^{\eta_{\theta}}\right\}_{\theta_{\in \text { Path }(i d)}}\right\}\)

Otherwise, DU aborts the interaction.

4.3 Key update(I,rl,t,(id_i,t_i),st,msk)→(kd_t,rl)

Firstly, AT operates the revocation algorithm for every identifier and revocation epoch (id_i,t_i). To make the whole process clearer, the flow of the domain key generation phase is shown in Fig. 4.

Fig. 4. The Flow of the Domain Key Update Phase

Rev (rl,(id_i,t_i))→rl. This algorithm is mainly used to update revocation lists in systems. DO launches the revocation algorithm and inputs the revocation list rl, the revocation epochs (id_i,t_i) and outputs the renewed rl as follows: rl∪(id_i,t_i)→rl. Fig. 5 shows the composition and update process of the revocation list. After obtaining the latest revocation list rl, AT executes the KeyUpdate algorithm.

Fig. 5. Renew

KeyUpdate(st,rl,msk,t)→kd_t: The algorithm inputs state st, the latest revocation list rl, master secret key msk, time t∈τ, and outputs the key updating material kd_t,θ. In this algorithm, firstly, the time coding method proposed in reference [36] is used to encode the time. The time t is encoded as a bit \(\tilde{t}\). Let ξ∈[D] be the set of all indexes i meeting t[i]=0. The key updating material kd_t is generated as follows for every node θ∈KUNode(st,rl,t): retry η_θ. Randomly select \(\mu \in Z_{N}^{*}\) and output the key updating kd_t,θ as below: \(k d_{t, \theta}=<k d_{1}, k d_{2}>=<g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu}, g^{\mu}>\).

4.4 Decryption key generation(pp,sk_id,kd_i)→dk_id,t/⊥

Let X and Y represent the sets Path (id) and KUNode(st,rl,t), eparately. If X∩Y=∅, the algorithm returns a failure symbol ⊥ . If not, we can obtain node θ∈X∩Y.

Randomly select \(\mu' \in Z_{N}^{*}\) and calculate the decryption key dk_id,t as follows:

\(\begin{aligned} &D_{1}=g^{\eta_{\theta}} \cdot k d_{1} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta_{\theta}} \cdot g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}} \\ &D_{2}=k d_{2} \cdot g^{\mu^{\prime}}=g^{\mu} \cdot g^{\mu^{\prime}}=g^{\mu+\mu^{\prime}} \end{aligned}\)

Finally, the algorithm outputs: \(d k_{i d, t}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}, D_{1}, D_{2}\right)\)

4.5 Encrypt((A,ρ),pp,t,m,msk)→BT

For the ciphertext related to attributes, the algorithm chooses randomly \(\vec{y}=\left(s, y_{2}, y_{3},\right.\left.\ldots, y_{n}\right)^{\top}\), \(r_{j} \in Z_{N}^{*}\) for each row A_j of A , where s is randomly selected as a secret value. The attribute-related ciphertext is calculated as:

\(\begin{array}{r} \left(C_{0}=g^{s}, C_{1}=\left(g^{\beta}\right)^{s}, C_{2}=\left(g^{\gamma}\right)^{s}, C_{3}=\left(g^{u}\right)^{s}, C=m \cdot e(g, g)^{\alpha s} \cdot e(g, g)^{\eta s}\right. \\ \left.\left\{C_{j, 1}=v^{A_{j}\vec{y}} V_{\rho(j)}^{-r_{j}}, C_{j, 2}=g^{r_{j}}\right\}_{j \in[l]}\right) \end{array}\)

For the ciphertext related to time, the algorithm encodes t to the bit representation \(\tilde{t}\). Then it derives the time CTEncode(​​​​​​​\(\tilde{t}\),τ)[36] →​​​​​​​\(\tilde{t}\) and let ξ∈[D] be the set of each index i' satisfying t[i']=0. Then, it calculates the ciphertext affiliated to time as follow:

\(C_{4}=u_{0}^{s}, C_{5, i}=u_{i}^{s}, i \in \zeta\)

Finally, it outputs the ciphertext: CT=(C₀,C₁,C₂,C₃​​​​​​​,C,C₄,{C_5,i​​​​​​​}_i∈ξ,{C_j,1​​​​​​​,C_j,2​​​​​​​​​​​​​​ }_j∈l).

4.6 Ciphertext update(BT,pp,t')→CT/⊥

The output of this algorithm is in the following two cases. If the ciphertext is invalid or the timestamp in the latest ciphertext CT is bigger than the time t', the algorithm will discontinue and output ⊥ . If not, it will encode t' to ​​​​​​​\(\tilde{t'}\) and update ciphertext CT.

Let ξ∈[D] signify the set of each index i' satisfying the condition t[i']=0.

Next, the PHR server calculates the ciphertext related to time as below:

\(C_{t}=C_{4} \Pi_{i \in \zeta} C_{5, i}=\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\)

Next, the algorithm chooses randomly \(\vec{y}^{\prime}=\left(s^{\prime}, y_{2}^{\prime}, y_{3}^{\prime}, \ldots, y_{n}^{\prime}\right)^{\top} \in Z_{N}^{*}\).

Then, it calculates the ciphertext:

\(C_{0^{\prime}}=C_{0} \cdot g^{s^{\prime}}=g^{s+s^{\prime}} \quad C_{t^{\prime}}=C_{t} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s^{\prime}}=\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s+s^{\prime}}\)

Finally, it outputs:

CT=(C₀,C₁,C₂​​​​​​​,C₃​​​​​​​,C_j,1​​​​​​​,C_j,2,C_t').

4.7 Decrypt(CT,pp,dk_id)→m/⊥

After DU obtains the latest ciphertext from the PHR server, it inputs pp, dk_id and the latest ciphertext CT. Then, if the time t in dk_id,t doesn't match the time t in CT or S doesn't satisfied (A,ρ), it output is ⊥ . If not, this algorithm will output plaintext message m through the following operations.

First, it calculates the constants \(\omega_{j} \in Z_{N}^{*}\) that satisfies \(\Sigma_{\rho(j) \in S} \omega_{j} A_{j}=(1,0, \ldots, 0)\) and the part related to the attributes:

\(\begin{aligned} &H_{a}=e\left(\left(C_{0}\right)^{T} C_{1}, K\right)\left(e\left(C_{2}, R_{U}\right) e\left(C_{3},\left(g^{T} g^{\beta}\right)^{h_{i d}}\right)\right)^{-1} \\ &H_{b}=\Pi_{\rho(j) \in S}\left(e\left(C_{j, 1}, L^{T} L_{1}\right) e\left(K_{\rho(j)}, C_{j, 2}\right)\right)^{\omega_{j}} \\ &H=\frac{H_{a}}{H_{b}}=\frac{e(g, g)^{s \alpha} e(g, v)^{(T+\beta) s a}}{e(v, g)^{s a(T+\beta)}}=e(g, g)^{s a} \end{aligned}\)

Next, it acquires the hiding component in plaintext:

\(E=\frac{e\left(D_{1}, C_{0}\right)}{e\left(D_{2}, C_{t}\right)}=e(g, g)^{s \eta} \quad m=\frac{C}{H \cdot E}\)

Finally, it outputs the plaintext m.

Correctness

\(\begin{aligned} &H_{a}=e\left(g^{s T} g^{\beta s}, g^{\frac{\alpha}{T+\beta}}\left(g^{h}\right)^{\frac{\gamma}{\beta+T}} v^{a} R\left(g^{u}\right)^{h_{i} d}\right)\left(e\left(g^{\gamma s}, g^{h}\right) e\left(g^{u s},\left(g^{T} g^{\beta}\right)^{h_{i d}}\right)\right)^{-1} \\ &=e(g, g)^{s(T+\beta) u h_{i d}} e(g, g)^{s \alpha} e(g, g)^{s \gamma h} e(g, v)^{(T+\beta) s a}\left(e(g, g)^{h \gamma s} e(g, g)^{u s h_{i d}(T+\beta)}\right)^{-1} \\ &=e(g, g)^{s \alpha} e(g, v)^{(T+\beta) s a} \end{aligned}\\ \begin{aligned} &H_{b}=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}} V_{\rho(j)}^{-r_{j}},\left(g^{a} R_{0}\right)^{T} g^{\beta a} \bar{R}_{0}\right) e\left(V_{\rho(j)}^{(\beta+\bar{T}) a} R_{i}, g^{r_{j}}\right)\right)^{\omega_{j}} \\ &=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}} V_{\rho(j)}^{-r_{j}}, g^{a T} g^{\beta a}\right) e\left(V_{\rho(j)}^{(\beta+\bar{T}) a}, g^{r_{j}}\right)\right)^{\omega_{j}} \\ &=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}}, g^{a(T+\beta)}\right)\right)^{\omega_{j}} \\ &=e(v, g)^{a(T+\beta) \sum_{\rho_{j} \in S} A_{j} \vec{y} \omega_{j}} \\ &=e(v, g)^{s a(T+\beta)} \end{aligned}\\ E=\frac{e\left(D_{1}, C_{0}\right)}{e\left(D_{2}, C_{t}\right)}=\frac{e\left(g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}}, g^{s}\right)}{e\left(g^{\mu+\mu^{\prime}},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\right)}=\frac{e\left(g^{s},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}}\right) e\left(g^{s}, g^{\eta}\right)}{e\left(g^{\mu+\mu^{\prime}},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\right)}=e(g, g)^{s \eta} \)

4.8 Key sanity check(sk_id,pp)→1/0

The key sanity check of sk_id includes the following four phases.

Firstly, check whether sk_id is structure of \(\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}, g^{\eta_{\theta}}\right)\) and \(T \in Z_{N}^{*}, K, L, L_{1}, R_{U},\left\{K_{i}\right\}_{i \in S} \in G, g^{\eta_{\theta}} \in G_{n_{1}}\).

\(-e(g,L1)=e(gβ,L).\)

-\(e\left(g^{\beta} g^{T}, K\right)=e\left(\left(g^{\beta} g^{T}\right)^{h_{d d}}, g^{u}\right) e\left(R_{U}, g^{\gamma}\right) e\left(L_{1} L^{T}, v\right) e(g, g)^{\alpha}\)

-\(\exists x \in S, \text { s.t.e }\left(V_{x}, L_{1} L^{T}\right)=e\left(K_{x}, g\right)\)

If sk_id passes this check, the output is 1. If not, the output is 0.

4.9 Trace(sk_id,pp,msk)→id/⊥

If algorithm Key sanity check output is 0, it implies that sk_id is not well-formed and doesn't deserve to trace. Hence, the algorithm outputs ⊥. If not, AT will perform the operations \(Q=\pi^{-1} \bmod n, T=g_{1}^{i d} r^{n} \bmod n^{2}\) to extract and output the identity id. It can obtain the result from above two equation:

\(T^{\pi Q}=g_{1}^{i d \cdot \pi Q} \cdot r^{n \cdot \pi Q}=g_{1}^{i d}=1+i d \cdot n \bmod n^{2} ; i d=\frac{\left((T)^{\pi Q} \bmod n^{2}\right)-1}{n} \bmod n .\)

4.10 Audit(pp,sk_id,\(s k_{i d}^{*}\))→guilty/acquitte

DU is considered as a malicious user, but it declares to be acquitted or defamed. In this case, an auditor is needed to determine if the user is guilty or not. We propose an auditing algorithm that anyone can act publicly as a auditor in the system. After the Trace algorithm outputs the traced key ​​​​​​​\(s k_{i d}^{*}\), the auditor will interact with DU as follows.

First, DU releases to his secret key sk_id to the auditor. If algorithm Key sanity check outputs 0, the auditor discontinues. Otherwise, the auditor proceeds to the next step.

The auditor checks whether h_id is equal to ​​​​​​​\(h_{i d}^{*}\). If equal, it means that the user does reveal the secret key sk_id to others. Consequently, DU is guilty. The output is guilty. If not, the output is acquitted.

5. Security Analysis

5.1 IND-CPA Security

In this part, the security proof of proposed scheme will be put forward. The security of our new accountable authority, traceable user and revocable user CP-ABE scheme (referred to as AATR-ABE) is based on IND-CPA security of the ABE scheme [35] (referred to as Lewko ABE).

Lemma 1. [35] Lewko ABE is secure if Assumption 1, 2 and 3 in Subsection 2.5 are true.

Lemma 2. [35] AATR-ABE is secure in the IND-CPA game of Subsection 3.3 if Lewko ABE is secure.

Theorem 2. AATR-ABE is secure if Assumption 1, 2 and 3 in Subsection 2.5 are true.

Proof. After exploiting A who has a non-negligible advantage to win the IND-CPA game of AATR-ABE, we establish a PPT simulator algorithm T to break Lewko ABE.

Setup: Lewko ABE gives public parameters \(p p=\left(g, e(g, g)^{\alpha}, g^{\kappa}, N,\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\) to T , T chooses α,γ at randomly from \(Z_{N}^{*}\) and two random primes bd, which meets |b|=|d|, b≠d, gcd(bd,(d-1)(b-1))=1. Let π=lcm(d-1,b_1),n=bd,Q=π^-1 mod n and g₁=(n+1). T sends \(p p=\left(N, n, g_{1}, v=g^{\kappa}, u_{0}, \ldots, u_{D}, g, g^{\beta},\right.\left.g^{\gamma}, g^{u}, e(g, g)^{\alpha}, e(g, g)^{\eta},\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\) to A.

Query 1: To query a decryption key, A sends (id,S) to T. T sends S to Lewko ABE. After receiving the S from T, Lewko ABE gives decryption key as \(\mathrm{d} k=\left\{\tilde{K}=g^{\kappa \tilde{a}} g^{\alpha} R, \tilde{L}=g^{\tilde{a}} R_{0},\left\{K_{i}=V_{i}^{\tilde{a}} R_{i}\right\}_{i \in S}\right\}\) to T. In Lewko ABE, the authority independently selects and distributes decryption keys to users. On the contrary, in AATR-ABE, key generation is caused by the interaction between the authority and an user. The secret key is affected by both h produced by the user and a produced by the authority. During key generation, first, the user randomly selects h and submits R_U=g^h to the authority. The user runs a zero-knowledge proof about <R_U,h>, which indicates the presence of a knowledge extractor E. The authority could retrieve discrete logarithm h by using E. Accordingly, in IND-CPA game, T can retrieve h from R_U. T randomly selects \(r \in Z_{N}^{*}\) and calculates \(T=\bar{T}=g_{1}^{i d} r^{n} \bmod n^{2}\) and \(\frac{1}{\beta+T} \bmod N\). Let \(c=\frac{\tilde{c}}{\beta+T}\), \(h_{i d}=\frac{a}{h}\). Then T randomly selects ​​​​​​​\(\overline{R_{0}} \in G_{n_{3}}\) and calculates \(\begin{aligned} &\bar{K}=(\tilde{K})^{\frac{1}{\beta+T}}\left(g^{h}\right)^{\frac{\gamma}{\beta+T}}=g^{\frac{\alpha}{\beta+T}} v^{a} g^{\frac{\gamma h}{\beta+T}} R^{\frac{1}{\beta+T}}, K=\bar{K}\left(g^{u}\right)^{h_{d}}, \bar{L}=(\tilde{L})^{\frac{1}{\beta+T}} \\ &=g^{a}\left(R_{0}\right)^{\frac{1}{\beta+T}}, L=\bar{L}, \quad \bar{L}_{1}=(\tilde{L})^{\frac{\beta}{\beta+T}}=g^{\beta a} R_{0}^{\frac{\beta}{\beta+T}} \overline{R_{0}}, L_{1}=\bar{L}_{1},\left\{\bar{K}_{i} \quad=K_{i}=V_{i}^{(\beta+T) a} R_{i}\right\}_{i \in S}, \left\{K_{i}=K_{i}\right\}_{i \in S} \end{aligned} \). T retrieves η_θ from the node θ. It randomly chooses and saves \(\eta_{\theta} \in Z_{N}^{*}\) in the node θ if η_θ is unavailable. Finally, T gives A secret key \(s k_{i d, S}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}\right)\). Retry η_θ for every node θ∈KUNode(st,rl,t), and randomly select \(\mu \in Z_{N}^{*}\) and calculates \(k d_{t, \theta}=<k d_{1}, k d_{2}>=<g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu}, g^{\mu}>\). Then, randomly select ​​​​​​​\(\mu' \in Z_{N}^{*}\) and calculate the decryption key dk_id,t as follows:

\(D_{1}=g^{\eta_{\theta}} \cdot k d_{1} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}} D_{2}=k d_{2} \cdot g^{\mu^{\prime}}=g^{\mu} \cdot g^{\mu^{\prime}}=g^{\mu+\mu^{\prime}}\)

Finally, T sends the decryption key \(d k_{i d, t}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d}, \quad\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}, D_{1}, D_{2})\right.\) to A.

Challenge: (A,ρ) and two messages m₀, m₁ of the same length are sent to T by A. T sends m₀, m₁ and (A,ρ) to Lewko ABE. Then T gains the challenge ciphertext ct as below:

\(\left\{\tilde{C}=m_{\lambda} \cdot e(g, g)^{\alpha s}, C_{0}=g^{s},\left\{C_{j, 1}=g^{\kappa A, \vec{y}} V_{\rho(j)}-r_{j}, C_{j, 2}=g^{r}\right\}_{j \in[l]},\left(A^{*}, \rho\right)\right\}\) T makes \(\begin{array}{r} C=\tilde{C} \cdot e(g, g)^{\eta s}, C_{0}=C_{0}, C_{1}=\left(C_{0}\right)^{\beta}=g^{\beta s}, C_{2}=\left(C_{0}\right)^{\gamma}=g^{\gamma s}, C_{3}=\left(C_{0}\right)^{u}=g^{u s}, C_{4}=u_{0}^{s} \\ C_{5, i}=u_{i}^{s}, C_{j, 1}=C_{j, 1}=v^{A, \bar{y}} V_{\rho(j)}^{-r_{j}}, C_{j, 2}=C_{j, 2} \end{array}\).

The challenge ciphertext is send to A by T.

ct={C₀,C₁,C₂​​​​​​​,C₃​​​​​​​,C₄,C_5,i​​​​​​​,{C_j,1​​​​​​​,C_j,2​​​​​​​​​​​​​​}}

Query Phase 2: A and T continue the above queries and interactions.

Guess: A generates a bit λ' as the guessing of λ and send it to T. Then, T gives λ' to Lewko ABE. Because the assignment of public parameters, decryption key and challenge ciphertext in the above process is the same as in the real system, we can conclude that the advantage of A breaking AATR-ABE is equivalent to the advantage of A breaking Lewko ABE.

6. Comparison

Next, we will contrast our scheme with other relevant works [22, 24, 25, 31, 36, 37] from the aspects of functionality and efficiency.

6.1 Functionality

In Table 1, we contrast our scheme with the solutions implemented by [22, 24, 25, 31, 36, 37] . [22] realizes traceable user, accountable authority, public auditing and no storage for tracing, but it does not implement user revocation. Although [37] supports both user traceability and user revocation，it does not support accountable users and public auditing. The scheme is selective security under the standard model. The user revocation is achieved in [36] using an indirect revocation, but it can't solve the matter of key abuse. The scheme in [31] only implements traceable user and the storage overhead for traceability is linear. As mentioned earlier, a personal health record system with traceable user, accountable authority, public auditing, user revocation needs to be proposed. Obviously, only our scheme can achieve the above functionalities at the same time. [24] and [25] only implement traceable users.

Table 1. Function Comparison

6.2 Efficiency

The cost of other operations is very small compared with exponentiation operation as well as pairing operation, so we only consider exponential operation and pairing operation when comparing efficiency. We compared our scheme with others [22, 24, 25, 31, 36, 37]with respect to efficiency. The storage and transmission overhead comparison results are given in Table 2, including key length, ciphertext length. The computational complexity comparison results are given in Table 3, including the user-side overhead and authority center overhead in the key generation phase, as well as encryption and decryption costs.

Table 2. Storage and Transmission Overhead Comparison

Table 3. Computational Complexity Comparison

Let \(L_{Z_{P}}\), L_G, \(L_{G_{T}}\) intend the length of a component in group \(Z_{N}^{*}\), G and G_T separately. |U| represents the quantity of users in path (id). Let |S| represent the size of the user's attribute set. l represents the quantity of rows in A. n represents the size of user attribute sets. |D| represents the size of τ. During decryption and encryption, time spent on a pairing operation is expressed as P . The time overhead executing a pair operation in both G_T and G is represented as ​​​​​​​\(E_{G_{T}}\) and E_G respectively. From Table 2 and Table 3, we can see that compared with several other schemes, our plan has some advantages in terms of key length, ciphertext length, encryption complexity and decryption complexity. This means our scheme can achieve relatively high efficiency.

6.3 Implementation

We provide the implementation of our scheme and other relevant schemes [22, 24, 25, 31, 36, 37]. Note that our scheme is built based on composite order pairings, but we can extend our scheme to prime order setting by using the techniques introduced in [16]. So we use PBC library to realize the prime order symmetrical bilinear pairing e: G×G→G_T over the security level of 80 bits to implement the algorithm of the schemes in the Table 3 in a simulation way. The hardware we used is R5-4800H with 8GB RAM. OS is windows 10 1909. As shown in Fig. 6, Fig. 7 and Fig. 8, the evaluation includes KeyGen.authority complexity, decrypt complexity and encrypt complexity mainly.

Fig. 6. KeyGen Authority Complexity

Fig. 7. Decrypt Complexity

Fig. 8. Encrypt Complexity

As can be seen from Fig. 6, Fig. 7 and Fig. 8, the computational complexity of the authority side in the KeyGen algorithm is much lower than that of schemes [36] and [25], and lower than [24], which is basically the same as [22, 31, 37]. The complexity of decryption is much lower than that of scheme [33,43], and not much different from that of other schemes [22, 24, 36, 37]. The encryption complexity is much lower than that of scheme [31, 36, 37], and not much different from that of other schemes [22, 24, 25]. Therefore, in terms of efficiency, the proposed scheme has great advantages and competitiveness.

7. Conclusion

In this paper, we dispose the matters of key abuse and user revocation by introducing a CP-ABE scheme which is traceable user, accountable authority, and supports public auditing and user revocation. Furthermore, we demonstrate the scheme is full secure. Through theoretical analysis and implementation, we find our scheme only sacrifices a little time cost to achieve user revocation, which is a worthwhile compromise and has important significance in security and performance of this system.