TY - JOUR
AU1 - Liu,, Weiran
AU2 - Liu,, Xiao
AU3 - Liu,, Jianwei
AU4 - Wu,, Qianhong
AB - Abstract Electronic Health Record (EHR) systems bring an abundance of convenience for telediagnosis, medical data sharing and management. A main obstacle for wide adoption of EHR systems is due to the privacy concerns of patients. In this work, we propose a role-based access control (RBAC) scheme for EHR systems to secure private EHRs. In our RBAC, there are two main types of roles, namely independent patients and hierarchically organized medical staffs. A patient is identified by his/her identity, and a medical staff is recognized by his/her role in the medical institute. A user can comprehend an EHR only if he/she satisfies the access policy associated with this EHR, which implies a fine-grained access control. A public auditor is employed to verify whether the EHR is correctly encapsulated with the specified access policy, which provides an a priori approach to find fraudulent EHRs and reduce potential medical disputes. Moreover, our RBAC enforces a forward revocation mechanism. A revoked user cannot access the future EHRs even if his/her previous role satisfies the access policy. These security properties are formally proven under well-established assumptions. Theoretical and experimental analyses show the efficiency of our RBAC in terms of communication and computation. 1. INTRODUCTION The development of electronic health records (EHR) for enabling electronic health systems has drawn extensive attentions from both academia and industry. Compared with traditional paper-based health records (PBHR), EHRs can be stored and shared in a more flexible way. Various types of health data can be contained in one’s EHR account, including prescription files, medical images such as X-ray, B-scan, audio clips and video files. The digital feature also allows EHRs to be accessed in a convenient manner. To find one’s EHRs, the patient and his/her doctors just need to retrieve them from the storage server, instead of seeking carefully in a piled-up archive room. These attractive properties render EHRs as a promising alternative over PBHRs. The Veterans Administration Healthcare System1 in the United States is one of the successful implementations of this kind, with more than 1700 hospitals, clinics and other medical institutes. Nowadays, many countries and regions, including Germany2 and Taiwan [1], have established or are establishing their own EHR systems. It is a daunting task for healthcare providers without required professional skills to manage a large-scale EHR database with universal access (e.g. for telediagnosis). This impedes the practicability of EHR system [2]. Nevertheless, the recent advancement of cloud computing may relieve healthcare providers from this issue. Instead of establishing EHR servers locally, EHRs can be outsourced to a cloud storage server, e.g. Microsoft HealthVault.3 In this way, the capital and operational expenditures can be tremendously reduced for healthcare providers, simultaneously preserving EHR data availability [3, 4]. Nevertheless, there are remaining obstacles for outsourcing EHRs. Among them, privacy and security risks on patients’ health records are considered as the dominating barriers [5, 6]. Patient’s EHRs are often the target of various malicious attacks, vulnerable to loss, leakage or theft [7]. To ensure data secrecy of EHRs, a plausible way is to encapsulate patients’ EHRs by encrypting them prior to outsourcing them to the storage server, e.g. by applying classical private key or public key cryptosystems. In this way, patients’ EHRs would be only allowed to decrypt by the ones who have the corresponding keys, while malicious adversaries cannot obtain useful information from the encrypted results, even if it can access illegally. However, the problem in outsourcing EHRs is that the EHR owners (i.e. patients) may not know who will be allowed to access the EHRs prior to the next diagnosis. This brings difficulties of on-demand EHR sharing. A possible remedy is to encrypt many copies with different keys and assign each key to the doctor who needs to access the EHRs. However, this implies either overwhelming key management and computational overhead [8–10] or failure of flexible access control [11]. New appropriate access control approaches are required to secure outsourced EHRs before they are widely adopted [12]. To address this problem, we consider a typical hospital organization as depicted in Fig. 1. In such a scenario, there are two main types of users, i.e. patients and medical staffs. The patients can be recognized by their national identity numbers, social security numbers or names plus their telephone numbers. The medical staffs in the hospital are usually grouped hierarchically into a relatively small number of roles. For example, the out-patient doctors and out-patient nurses are grouped into the role ‘(out-patient)’. In the department of medicine, the chief doctor is recognized by the role ‘(Department of Medicine, chief doctor)’. Its subordinates, including head nurses, nurses and associate doctors, are all labeled with their roles. One may observe that in the real world, the users’ access privileges are usually determined by their roles in the system. This observation indicates a conceivable role-based access control (RBAC) over outsourced EHRs. Figure 1. Open in new tabDownload slide Typical hospital organization. Figure 1. Open in new tabDownload slide Typical hospital organization. We propose a generic framework of RBAC over outsourced EHRs. We formalize the system model and identify security and secrecy requirements in such a system. Based on the generic framework, we present an efficient and secure RBAC scheme for securing EHRs stored in a storage server maintained by a third party who is not fully trusted. Our RBAC scheme is equipped with the following essential and attractive features. Versatile access control: Our RBAC offers a novel and more efficient approach to fine-grained access control without leveraging attribute-based encryption (ABE) [13, 14]. A user can encapsulate each EHR with an on-demand access policy. Only the corresponding patient and medical staffs with roles that satisfy the access policies can decapsulate. Scalable sharing of EHRs is supported by allowing senior medical staffs to delegate access credentials for their subordinates. Provable secrecy: The security of RBAC is formally defined. The security of our concrete construction is strictly proven under well-established assumptions. Specifically, ones without matching roles can get no useful information about the EHR data, even if they collude and the storage server is untrusted. Public auditability: A public auditor is employed to verify whether the EHR is correctly encapsulated according to the specified access policy. In this way, RBAC provides an a priori approach to find fraudulent EHRs stored in outsourced databases [15, 16] and reduce potential medical disputes. Forward revocation: An automatic revocation mechanism is supported in our RBAC scheme. The revoked user cannot access to the future EHRs even if its previous role satisfies the access policy associating in the newly generated EHRs. Theoretical and experimental analyses show the feasibility and the efficiency of our RBAC in terms of communication and computation. The encapsulation header for an EHR associated with any access policy contains only two group elements. Time consumptions for all procedures involved in our RBAC, including EHR encapsulation and EHR decapsulation, are less than 1 s even when the access policies are considerably complicated. All of these features commit the proposed RBAC a practical solution to secure EHR systems. The remainder of this paper is organized as follows. We survey related works in Section 2. The system framework of RBAC is presented in Section 3. Section 4 proposes our RBAC construction. The formal security evaluations are shown in Section 5. We conduct theoretical and experimental analyses in Section 6, followed by the conclusion in Section 7. 2. RELATED WORK It is essential to identify the potential security and privacy threats of EHR systems in their deployment for seeking design guidelines. Kwak [17] introduced relevant definitions of EHR systems and summarized the available standards of EHR systems presented by International Standards Developing Organizations (SDO). Ray and Wimalasiri [18] identified privacy requirements for EHR systems in the context of HealthLink in Australia and HIPAA in USA, which are the two well-known eHealth frameworks around the world. Recently, Li et al. [19] presented new threats against EHR systems and indicated that EHRs are very vulnerable without effective privacy protection. Efforts have been devoted to access control in EHR systems. Benaloh et al. [11] showed efficient EHR systems that allow patients to both share access rights with others, and to support searches over their EHRs. Löhr et al. [5] presented a security architecture allowing legitimate sharing and ensuring privacy for EHR systems. Some proposals have been implemented to handle access control with security and secrecy enabled approaches, including identity-based authentication [20, 21] and smartcard-based authentication [22]. Very recently, Liu et al. [23] presented a concrete data security mechanism that combines identity-based authentication and smartcard-based authentication to realize data access control with efficient revocation . Schemes exploiting multiple cryptographic primitives have been further proposed to achieve additional functionalities, such as cross-domain EHR sharing [24], emergency EHR sharing [25] and multi-function data sharing with efficient conjunctive keyword search [26]. A plain implementation of aforementioned proposals does not achieve flexible access control. Attribute-based encryption (ABE) [27] is a novel method to obtain flexible access control in clouds [28, 29]. Applications have also been proposed to obtain access control [6, 30] and authentication [31] for outsourced EHRs. Very recently, an access control framework of EHR systems was proposed [8] by combining identity-based encryption and ABE, in which the former is employed to encapsulate EHRs for patients while the latter is for medical staffs. To further improve the security of attribute-based data access control and to extend the expression of access policy, Wang et al. [32] introduced weighted attributes in ABE and proposed an improved attribute-based data sharing scheme with removing the well-known key escrow problem. Although a large body of prominent schemes has been suggested to secure outsourced EHRs, especially for fine-grained access control, there are still remaining challenges unaddressed for these proposals to be deployed in the real world. The practical issues include scalability (to host a large number of users), provable secrecy (to assure convincing EHR secrecy), public auditability (to avoid fraudulent EHRs and reduce potential medical disputes) and revocation of users compromised or left. In this paper, we make efforts to address these practical issues. We also note that some recent EHR systems [33] enforce EHR integrity auditing mechanisms. This is different from our auditing mechanism for the EHRs being outsourced. Indeed, the former is to check whether the outsourced EHRs have been kept intact by the storage service provider, while ours is to validate that the EHRs to be outsourced have been correctly encapsulated according to their associated access policies. These two auditing mechanisms are supplementary for ensuring the availability, integrity and secrecy of EHRs. 3. SYSTEM MODEL 3.1. System architecture As illustrated in Fig. 2, five entities are involved in our RBAC: Trusted Keying Authority (TKA), Patient, Medical Staff, Auditor and Storage Server. We assume that TKA is always trusted in our system. Patient, Medical Staff and Auditor are untrusted but honest, i.e. they honestly execute the algorithms that they are responsible to execute. If they are authorized by an access policy specified to an EHR, they do not reveal any useful information of the EHR to unauthorized entities. However, if they are not authorized by an access policy, they may be a potential adversary. Figure 2. Open in new tabDownload slide System model. Figure 2. Open in new tabDownload slide System model. For the ease of description, we assume that the owner of the EHR is the patient. In some specific situations, patients might not have access to their own EHRs. For example, according to HIPAA, patients are not allowed to access to their own psychotherapy notes without proper authorization from their medical staffs. We can follow the regulations to set parametric roles in such scenarios to meet more accurate access control requirements. All patients need to be identified individually in our RBAC. Their roles are labeled by their identities. Medical staffs in a hospital that provide healthcare services for patients are hierarchically organized. Each medical staff is defined by a role consisting of ordered atom roles. A medical staff whose role is at higher level of the medical institute is responsible for managing other medical staffs with roles at lower level, which implies a tree-like organization. For instance, as shown in Fig. 2, a medical staff in the department of surgery with a lower-level role (dept. surgery, chief doctor, associate doctor, doctor) consisting of different atom roles ‘dept. surgery’, ‘chief doctor’, ‘associate doctor’, ‘doctor’, is administrated by the associate doctor in the same department with the higher-level role (dept. surgery, chief doctor, associate doctor). The associate doctor is then managed by the chief doctor with the role (dept. surgery, chief doctor). TKA is responsible for setting up the system and authenticating users (patients and medical staffs) to determine their eligibilities for accessing EHRs. All patients and medical staffs are eventually managed by TKA. Patients and medical staffs can generate and encapsulate different kinds of EHRs (X-ray, B-scan, etc.) associated with on-demand access policies. Each access policy is described by a role vector set. Any medical staff whose role is in the set can access the corresponding EHRs. For example, the access policy (dept.surgery,chiefdoctor,associatedoctor),(dept.medicine,headnurse) represents that the chief doctor, the associated doctor at the dept. surgery and the head nurse, the associated nurse at the dept. medicine can have access. EHR encapsulations are stored in the storage server for sharing with the designating patient and the entitled medical staffs. The storage server only needs to guarantee basic storage functionalities, such as storage management and integrity examination, which have been widely studied and implemented by existing researches [33, 34]. Before storing EHRs, an auditor is employed to verify whether the EHR is associated with the specified access policy. Only valid EHRs can be stored in the storage server. 3.2. Security requirements Since inside attackers can gain more information to attack the system than outsiders, the system is secure against outside attackers if it is secure against insider attacks. Hence, we will focus on inside attackers. In practice, all entities except TKA are likely to attack the system. A dishonest party may try to get useful information from encapsulated EHRs that he/she is not authorized to access, or divert from the system instructions for benefits (e.g. with false EHRs in medical disputes). Multiple dishonest parties may collude to achieve this goal. In the context of such attacks, an RBAC system is expected to meet the following security requirements. Data secrecy: The secrecy of outsourced EHRs should be protected for authorized access. Specifically, the users (patients and medical staffs) whose roles satisfy the access policy specified in encapsulated EHRs can have access. Unauthorized entities cannot get any useful information from encapsulated EHRs, even if they collude. Public auditability: A public procedure can be employed to verify whether the EHR is correctly encapsulated with the specified access policy, which provides an a priori approach to find fraudulent EHRs and reduce potential medical disputes. Forward revocation: A forward revocation mechanism should be designed to disallow revoked users to access the future EHRs, even if their previous roles satisfy the access policy defined in the newly generated EHRs. 4. A CONCRETE RBAC SCHEME 4.1. Notations We introduce several notations to simplify the description of our RBAC. Table 1 summarizes these notations and their corresponding meanings that will be used in the rest of the paper. Table 1. Notations. Notation . Description . λ Security parameter ID Identity for patient R Atom role R⃗ Role SR⃗ Atom role set for R⃗ IR⃗ Atom Role Position Index set for R⃗  Access policy S Atom role set for  I Atom Role Position Index set for  MSK Master secret key ACID Access credential for an identity ID ACR⃗ Access credential for a role R⃗ EHR Electronic health record Hdr Header of an uploaded EHR K Message encapsulation key EF Encapsulated file of an uploaded EHR t Lifetime Notation . Description . λ Security parameter ID Identity for patient R Atom role R⃗ Role SR⃗ Atom role set for R⃗ IR⃗ Atom Role Position Index set for R⃗  Access policy S Atom role set for  I Atom Role Position Index set for  MSK Master secret key ACID Access credential for an identity ID ACR⃗ Access credential for a role R⃗ EHR Electronic health record Hdr Header of an uploaded EHR K Message encapsulation key EF Encapsulated file of an uploaded EHR t Lifetime Open in new tab Table 1. Notations. Notation . Description . λ Security parameter ID Identity for patient R Atom role R⃗ Role SR⃗ Atom role set for R⃗ IR⃗ Atom Role Position Index set for R⃗  Access policy S Atom role set for  I Atom Role Position Index set for  MSK Master secret key ACID Access credential for an identity ID ACR⃗ Access credential for a role R⃗ EHR Electronic health record Hdr Header of an uploaded EHR K Message encapsulation key EF Encapsulated file of an uploaded EHR t Lifetime Notation . Description . λ Security parameter ID Identity for patient R Atom role R⃗ Role SR⃗ Atom role set for R⃗ IR⃗ Atom Role Position Index set for R⃗  Access policy S Atom role set for  I Atom Role Position Index set for  MSK Master secret key ACID Access credential for an identity ID ACR⃗ Access credential for a role R⃗ EHR Electronic health record Hdr Header of an uploaded EHR K Message encapsulation key EF Encapsulated file of an uploaded EHR t Lifetime Open in new tab We use [a,b] to denote an integer set {a,a+1,…,b} and [a] as the shorthand of [1,a] ⁠. The role of a medical staff is denoted by a vector =(R1,…,Rd) consisting of distinct atom roles Ri ⁠. We define ∥∥ as the number of atom roles in  and S as the atom role set of  ⁠. An access policy  is defined by a role set consisting of distinct roles. Similarly, the number of atom roles in  and the atom role set of  can be defined accordingly. We slightly abuse the term prefix and define the prefix of a role =(R1,…,Rd) as a role set denoted by Pref()={(R1,…,Rd′):d′≤d} Similarly, we define the prefix of an access policy  as Pref()=⋃∈Pref() 4.2. Bilinear groups Bilinear groups have been shown useful in constructing advanced access control schemes to secure EHRs [25, 31] and remote storage systems [28, 29]. They are defined by using a group generator G ⁠, an algorithm which takes a security parameter λ as an input and outputs a description of a bilinear group, (p,G,GT,e)←G(1λ) ⁠, where p is a large prime, G and GT are cyclic groups of order p, and an efficient bilinear map e:G×G→GT satisfying the following properties: Bilinearity: For all g,h∈G and all a,b∈Zp ⁠, e(ga,hb)=e(g,h)ab ⁠. Non-degeneracy: There exists at least an element g∈G such that e(g,g) has order p in GT ⁠. 4.3. The proposal We are now ready to describe our scheme. The basic idea of our construction is shown in Fig. 3. Technically, our proposal contributes in three aspects. Figure 3. Open in new tabDownload slide Basic idea. Figure 3. Open in new tabDownload slide Basic idea. First, we extend a recent hierarchical identity-based encryption (HIBE) scheme [35] to efficiently encrypt to multiple receiver paths, inspired by the work of Liu et al. [36]. As shown in Fig. 3, the RBAC system architecture naturally matches the system model of HIBE schemes, where roles associated with medical staffs and identities associated with patients can be defined as the distinct identity vectors. However, an encryptor can only encrypt to a single path in HIBE [35], which implies either constrained access policy or repetitive encryption to multiple receiver paths. To overcome this problem, we extend the HIBE scheme proposed by Boneh et al. [35] to support multiple receiver paths. In the Boneh–Boyen–Goh HIBE, each hierarchy is associated with a random element to blind the atom identities for the users. When encapsulating, the encryptor combines the related random elements with the receivers’ identity vector to support hierarchical encapsulation with constant size header. In our RBAC construction, we extend the idea by assigning distinct random element to each node, instead of each hierarchy. The encapsulation can be done by combining the random elements with atom roles. In this way, our RBAC construction supports fine-grained access control by encapsulating EHRs to any subset of hierarchically organized users with constant size header. Note that our RBAC offers a novel and more efficient approach to fine-grained access control without using ABE [13, 14]. Second, we propose a new direct header verification approach with marginal cost. We add one on-the-fly dummy verification role in the RBAC scheme. When encapsulating, the EHR owner treats the hash of the associated access policy, the patient’s identity, the lifetime and the encapsulation as the dummy verification role. Then, the EHR owner leverages the dummy verification role to encapsulate the EHR once again. The auditor can later leverage the built-in header verification mechanism in our RBAC scheme to audit the encapsulated EHRs. This approach was introduced by Boyen et al. [37] which builds chosen-ciphertext secure l-hierarchy HIBE from chosen-plaintext secure (l+1)-hierarchy HIBE. Compared with their approach, our approach only adds one on-the-fly dummy verification role in the first hierarchy, instead of a hierarchy of dummy identities. Also, this approach allows public verification of the encapsulation consistency, which implies that a single public auditor can be employed to validate all EHRs to be outsourced. Third, our RBAC facilitates forward revocation. Till now, existing revocation mechanisms can be classified into two categories: direct and indirect revocation. With direct revocation, the data owners specify the revocation list when encapsulating so that the revocation can be done immediately [38, 39]. However, such a mechanism requires all data owners to update the current revocation list in time [40]. Since EHRs can be uploaded by medical staffs, patients or even patients’ family members who may not join the system when uploading, it is difficult to ask them to carry each data user’s status. In our scheme, we focus on indirect revocation, in which TKA periodically updates access credentials to medical staffs. This is realized by introducing a lifetime t as a special role to each access credential and each EHR header, where t is decided by the expiry time of EHRs and published by TKA. This is more effective, since medical staffs are required to be well managed by medical institutions so that access credential updating can be easily operated. We stress that in our scheme we distinguish two types of roles, i.e. independent roles and hierarchical-organized roles. We believe that it is flexible enough for most deployments. For ease of description, we assume that the independent roles can be played by the patients or their guardians, while the hierarchical-organized roles may be played by the medical staffs or the officers of the medical administration authorities. However, we also note that there may be different medical regulatory rules. In some cases, the patients may be not allowed to access their EHRs without the authorization from their doctors. Our scheme can support such deployments as roles are parameterizable. For smoothly applying our RBAC in the actual system, we strongly recommend representing and managing roles by following the RBAC standards [41]. Our scheme works as follows: (PK,MSK)←𝖲𝖾𝗍𝗎𝗉(λ,n) ⁠. It is run by TKA to establish our RBAC. Given the security parameter λ∈Z* ⁠, TKA runs (p,G,GT,e)←G(1λ) to generate a prime p, two groups G ⁠, GT or order p, and a bilinear map e:G×G→GT ⁠. A secure symmetric encryption scheme εsym with algorithms 𝖲𝗒𝗆𝖤𝗇𝖼(K,M) and 𝖲𝗒𝗆𝖣𝖾𝖼(K,M) ⁠, and a collision resistant hash function 𝖧:{0,1}*→Zp are also employed in the scheme. Then, TKA selects a random generator g←RG ⁠, a random exponent α←RZp ⁠, and sets g1←gα ⁠. Next, it picks random elements g2,g3,gh←RG and ui←RG for all i∈[0,n+1] ⁠. The master secret key MSK←(g2α) is kept secret by TKA, while the system parameter PK is published as PK←((p,G,GT,e),g,g1,g2,g3,gh,{ui}i∈[0,n+1]) ACR⃗←𝖠𝖢𝖦𝖾𝗇𝖬(PK,MSK,R⃗) ⁠. It is run when a medical staff is authenticated by TKA. Recall that the lifetime t is published by TKA. To generate an access credential for a medical staff associated with a role R⃗=(R1,…,Rd) using the master secret key MSK, TKA picks a random exponent r←RZp and outputs ACR⃗←(g2α(g3u0t∏i∈IR⃗uiRi)r,gr,ghr,{ujr}j∈[n+1]⧹IR⃗) Note that TKA can generate access credentials for any medical staff with authorized roles by running ACGenM. ACR⃗←𝖠𝖢𝖣𝖾𝗅𝖾𝖬(PK,ACR′⃗,R) ⁠. When a junior medical staff associated with a role R⃗=(R′⃗,R) is authenticated by a supervisor associated with the role R′⃗ ⁠, the supervisor delegates the access credential for the junior one by using ACR′⃗=g2α·(g3·u0t∏i∈IR′⃗uiRi)r′,gr′,ghr′,{ujr′}j∈[n+1]⧹IR′⃗=(a0,a1,a2,{a3,j}j∈[n+1]⧹IR′⃗) where r′ is the random exponent used in ACR′⃗ ⁠. The senior medical staff picks a random exponent s←RZp and outputs the access credential ACR⃗←a0·(b3,iRi)i∈IR⃗⧹IR′⃗(g3·u0t∏i∈IR⃗uiRi)s,a1·gs,a2·ghs,{a3,j·ujs}j∈[n+1]⧹IR⃗ By implicitly setting r=r′+s ⁠, this delegated access credential can be written in the form ACR⃗=(g2α(g3u0t∏i∈IR⃗uiRi)r,gr,ghr,{ujr}j∈[n+1]⧹IR⃗) which is well formed as if it were generated directly by 𝖠𝖢𝖦𝖾𝗇𝖬 ⁠. Hence, it is a properly distributed access credential for the medical staff associated with the role R⃗=(R′⃗,R) ⁠. ACID←𝖠𝖢𝖦𝖾𝗇𝖯(PK,MSK,ID) ⁠. It is run by TKA when a patient with identity ID requests an access credential in order to access its own EHRs. To do so, TKA picks a random exponent r←RZp and outputs ACID←(g2α·(g3·ghID)r,gr,{ujr}j∈[0,n+1]) (Hdr,EF)←𝖤𝖧𝖱𝖤𝗇𝖼(PK,ID,,EHR) ⁠. When EHR needs to be encapsulated under the patient’s identity ID and the access policy  ⁠, the user (a patient or a medical staff) first picks a random exponent β←RZp and computes the first element of the header C0←gβ ⁠. Next, the user generates the message encapsulation key K←e(g1,g2)β and computes EF←𝖲𝗒𝗆𝖤𝗇𝖼(K,EHR) ⁠. Finally, the user computes w←𝖧(ID∥∥t∥C0) and gets the second element of the header C1←(u0t·ghID·un+1w·g3·∏i∈IuiRi)β ⁠. The encapsulated EHR is formed as (Hdr,EF)←(C0,C1,EF) {0,1}←𝖤𝖧𝖱𝖠𝗎𝖽𝗂𝗍(PK,ID,,(Hdr,EF)) ⁠. Before outsourcing (Hdr,EF)=(C0,C1,EF) to the storage server, the auditor verifies whether the EHR is correctly encapsulated under the specified access policy or not by testing the following equation: e(g,C1)=?e(C0,(u0t·ghID·un+1w·g3·∏i∈IuiRi))(1) w←𝖧(ID∥∥t∥C0) ⁠. If Equation (1) holds, the auditor outputs 1 to indicate the encapsulated EHR is valid. Otherwise, the auditor outputs 0 to alarm related parties. Note that the inputs of EHRAudit are publicly known to all entities. Hence, the auditing procedure can be done publicly. EHR←𝖤𝖧𝖱𝖣𝖾𝖼𝖬(PK,ID,,(Hdr,EF),ACR⃗) ⁠. Given (Hdr,EF)=(C0,C1,EF) stored in the storage server, a medical staff whose role R⃗ satisfies the access policy  ⁠, i.e., R⃗∈Pref() ⁠, can use his/her access credential to decapsulate (Hdr,EF) ⁠. Suppose the access credential for the medical staff associated with the role R⃗ is ACR⃗=(a0,a1,a2,{a3,j}j∈[n+1]⧹IR⃗) The medical staff computes K←e(a0·a2ID·bn+1w·∏i∈I⧹IR⃗biRi,C0)/e(C1,a1) where w←𝖧(ID∥∥t∥C0) ⁠. It finally runs EHR←𝖲𝗒𝗆𝖣𝖾𝖼(K,EF) to get the decapsulated EHR. EHR←𝖤𝖧𝖱𝖣𝖾𝖼𝖯(PK,ID,,(Hdr,EF),ACID) ⁠. The patient with identity ID can decapsulate his/her own EHRs using his/her access credential. Suppose the access credential ACID for the patient associated with identity ID is ACID=(g2α·(g3ghID)r,gr,{ujr}j∈[0,n+1])=(b0,b1,{b2,j}j∈[0,n+1]) The patient computes the encapsulation key K←e(b0·b2,0t·b2,n+1w·∏i∈Ib2,iRi,C0)/e(C1,b1) where w←𝖧(ID∥∥t∥C0) ⁠. Then it also runs EHR←𝖲𝗒𝗆𝖣𝖾𝖼(K,EF) to get its own EHR. Correctness. If an EHR is correctly encapsulated under the specified access policy, then we have that e(g,C1)=e(g,(u0t·ghID·un+1w·g3·∏i∈IuiRi)β)=e(gβ,(u0t·ghID·un+1w·g3·∏i∈IuiRi))=e(C0,(u0t·ghID·un+1w·g3·∏i∈IuiRi)) Hence, Equation (1) holds. The auditing can be approved for the correctly encapsulated EHRs. The medical staff whose role satisfies the access policy, that is, R⃗∈Pref() ⁠, can extract the message encapsulation key K by the following equalities: K=e(a0·a2ID·a3,n+1w·∏i∈I⧹IR⃗a3,iRi,C0)e(C1,a1)=e(g2α·(g3·u0t·∏i∈IR⃗uiRi)r,gβ)e((u0t·ghID·un+1w·g3·∏i∈IuiRi)β,gr)·(ghID·un+1w·∏i∈I⧹IR⃗uiRi)r=e(g2α·(u0t·ghID·un+1w·g3·∏i∈IuiRi)r,gβ)e((u0t·ghID·un+1w·g3·∏i∈IuiRi)β,gr)=e(g2α,gβ)=e(g1,g2)β Therefore, the medical staff with a suitable role can correctly decapsulate and access the EHR from (Hdr,EF) ⁠. The patient with identity ID can also obtain the message encapsulation key K by the following equalities: K=e(b0·b2,0t·b2,n+1w·∏i∈Ib2,iRi,C0)e(C1,b1)=e(g2α·(g3·ghID)r·(u0t·un+1w·∏i∈IuiRi)r,gβ)e((u0t·ghID·un+1w·g3·∏i∈IuiRi)β,gr)=e(g2α·(u0t·ghID·un+1w·g3·∏i∈IuiRi)r,gβ)e((u0t·ghID·un+1w·g3·∏i∈IuiRi)β,gr)=e(g2α,gβ)=e(g1,g2)β Hence, the patient can use its access credential ACID to correctly recover the EHR from (Hdr,EF) ⁠. 4.4. Security results We states that the proposed RBAC scheme achieves the security requirements described in Section 3.2. More formal security analysis is given in Section 5. Data secrecy. The secrecy of EHRs is protected by applying a secure symmetric encryption scheme εsym such as advanced encryption standard (AES) [42]. The message encapsulation key K can only be obtained by the corresponding patient and medical staffs with matching roles. The ones whose roles do not satisfy the access policy cannot extract K to reveal useful information from encapsulated EHRs. Public auditability. The public auditing procedure ensures the legitimacy of encapsulated EHRs. The inequality of Equation (1) shows that the EHR is not encapsulated with the specified access policy, or be tampered by malicious entities. Forward revocation. The lifetime t has embedded in the access credentials of medical staffs. Hence, they can only decapsulate EHRs encapsulated under the assigned lifetime t. Newly uploaded EHRs under lifetime t′≠t cannot be decapsulated by expired access credentials of medical staffs. Note that for each lifetime, TKA generates access credentials for all non-revoked medical staffs. Since ACGenM and ACDeleM are run, respectively, by TKA and junior medical staffs that have high computational abilities, periodically updating access credentials is practical. Also, TKA can pre-generate access credentials for further improving the efficiency. The patients, on the other hand, can still correctly decapsulate their own EHRs since the lifetime is not embedded in their access credentials. However, due to the fact that the identity has been embedded in his/her access credential, the patient can only access EHRs that are encapsulated under his/her identity. 5. SECURITY ANALYSIS 5.1. Formal security definition We first formally define the security model of the proposed RBAC scheme. In this model, an adversary wants to extract useful information from an encapsulated EHR of a patient with identity ID* of its choice. The attacked EHR is encapsulated with an access policy * containing all medical staffs who are allowed to decapsulate it under the lifetime t* ⁠, both of which are chosen by the adversary. The adversary is endowed with great capacity. It can obtain access credentials for patients associated with identities ID≠ID* of its choice. It can further obtain three kinds for access credentials for medical staffs: (1) access credentials associated with roles R⃗∉Pref(*) under the lifetime t* ⁠, which implies that the adversary can collude any medical staff with roles that do not satisfy the target access policy; (2) access credentials associated with roles R⃗ under the outdated lifetimes t<t* ⁠, which indicates that the adversary can collude with any revoked medical staff; (3) access credentials associated with roles R⃗ under the lifetimes t>t* ⁠, which means that the adversary can obtain access credentials for newly employed medical staffs. In the security model, the adversary can also ask for decapsulation for any encapsulated EHRs of its choice, except the target EHR. The encapsulated EHRs can be honestly generated by the adversary, in which case correct decapsulations are required. However, if the adversary maliciously tampers existing encapsulations and asks for decapsulation, the public auditing procedure, i.e. EHRAudit, can immediately detect such illegitimate encapsulations and reject to decapsulate. In this way, only legitimate encapsulations can be successfully approved to decapsulate. This indicates that the public auditing procedure can precisely detect invalid encapsulated EHRs and alert related entities to prevent such encapsulated EHRs from being stored in the storage server. Even such an adversary cannot distinguish the target encapsulated EHR from a randomly encapsulated EHR, which indicates no information is revealed to the adversary. We define the security model of our RBAC in the classical ‘selective’ setting. The selective security model was coined by Canetti et al. [43] and has been widely used in state-of-the-art cryptographic primitives [35, 44, 45] and schemes [2, 6]. In this security model, the adversary needs to ahead of time declare the target patient’s identity ID* ⁠, the target access policy * ⁠, and the target lifetime t* before seeing the system parameter PK. One may wonder that this requirement is artificial and wish to deploy schemes proven secure under the standard (sometimes called adaptive or full) security model. There exist advanced cryptographic primitives that offer securities under the standard security model [36, 46–48]. However, existing fully secure schemes are built on more complicated bilinear groups, e.g. composite-order bilinear groups or dual pairing vector space, since advanced algebraic properties are required for applying the new and more systematic security proof approach to achieve standard securities. Operations on such groups are much more time-consuming than those on classical bilinear groups (see Experimental results in [49]). Although such security proof approach can be applied to our RBAC scheme [36, 50] to achieve full security, we design our scheme under the selective security model for practicality consideration. Formally, the selective security model of our RBAC is defined through a game played by an adversary  and a challenger C ⁠. Both of them are given the parameters n and λ as inputs. Init.  commits to an identity ID* ⁠, a access policy * and a lifetime t* ⁠, which describes all the users (patients and medical staffs) that  wishes to attack under the lifetime t* ⁠. It sends * ⁠, ID* and t* to C ⁠. Setup. C runs Setup to obtain the system parameter PK and gives it to  ⁠. Phase 1.  adaptively issues three kinds of queries: Access credential query for a medical staff associated with a role R⃗ and a lifetime t, both of which do not simultaneously satisfy R⃗∈Pref(*) and t=t′ ⁠. C generates an access credential for R⃗ and gives it to  ⁠. Access credential query for a patient with identity ID≠ID* ⁠. C generates an access credential for ID and gives it to  ⁠. Decapsulation query for the encapsulated EHR (Hdr,EF) with a patient’s identity ID and an access policy  ⁠. If EHRAudit outputs 1 by taking (Hdr,EF) as an input, then C decapsulates (Hdr,EF) and returns the EHR to  ⁠. Otherwise, (Hdr,EF) is invalid reported by the public auditing procedure and C returns ⊥ to  ⁠. Challenge.  outputs two equal-length EHRs EHR0 and EHR1 ⁠. C flips a random coin b∈{0,1} and encapsulates EHRb under the access policy * ⁠, the identity ID* and the lifetime t* ⁠. C returns the encapsulated EHR (Hdr*,EF*) of EHRb to  ⁠. Phase 2.  further adaptively issues access credential queries for medical staffs, access credential queries for patients, and decapsulation queries for encapsulated EHRs (Hdr,EF) associated with access policies  ⁠. The constraints are that  does not query access credentials for a medical staff with a role R⃗∈Pref(*) under t* ⁠.  does not query an access credential for the patient with the identity ID=ID* ⁠.  does not make decapsulation queries for the target encapsulated EHR (Hdr*,EF*) ⁠. C responds the same as in Phase 1. Guess. Finally,  outputs a guess b′∈{0,1} of b and wins in the game if b′=b ⁠. The advantage of such  in attacking the RBAC scheme with parameters n and λ is defined as Adv,n(λ)=Pr[b′=b]−12 Definition 1 The RBAC scheme is secure if all polynomial time adversaries have at most a negligible advantage Adv,n(λ)winning in the above game. The above definition covers all security properties stated in Section 4.4. ’s capacity of obtaining access credentials for any medical staff under outdated lifetime t<t* signifies that outdated access credentials are useless for revealing information from the EHR under the lifetime t* ⁠, which implies Forward revocation. The public auditing procedure in decapsulation query responses ensures the validation of queried EHRs, which indicates Public auditability. The indistinguishability between the attacked EHR and the randomly encapsulated EHR implies Data secrecy, that is, information is strictly hidden in encapsulated EHRs. Our security definition is even stronger than the security regarding to revocation in Section 4.4. ’s capacity of obtaining access credentials for medical staffs under lifetime t>t* implies that newly employed medical staffs cannot access previous encapsulated EHRs, which ensures backward revocation. 5.2. Definition of DBDHE assumption The security of our RBAC relies on the decision Bilinear Diffie–Hellman Exponent (DBDHE) assumption [35]. This is a non-static ‘q-type’ assumption, where the size of the problem instance input grows with the maximal depth of hierarchy. The state-of-the-art cryptographic primitives and schemes [27, 43, 46–48] achieve selective or standard security under static assumptions. However, these schemes suffer from the fact that the security reductions are degraded exponentially in the depth of the hierarchy [51]. With the maximal depth of hierarchy increases, the security results of these schemes are exponentially weakened. Therefore, we choose the non-static q-DBDHE assumption as our underlying building block. The use of non-static ‘q-type’ assumptions has been shown a feasible approach to achieve reasonable security reduction results [52]. Let (p,G,GT,e)←G(1λ) be a description of bilinear groups, g←RG be a random generator of G ⁠, h←RG be a random element in G ⁠, and α←RZp be a random integer in Zp* ⁠. The q-DBDHE problem is to determine whether T equals e(g,h)(αq+1) ⁠, or is a random element in G by given the input D=(g,h,gα,g(α2),…,g(αq),g(αq+2),…,g(α2q)) An algorithm B that outputs b∈{0,1} has advantage ϵ in solving the above problem in G if Pr[(D,T=e(g,h)(αq+1))=1]−Pr[(D,T←RGT)=1]≥ϵ where the probability is over the random choice of the elements g,h∈G ⁠, the random choice of the exponent α∈Zp* ⁠, and the random bits used by B ⁠. Definition 2 The q-DBDHE assumption in Gunder the security parameter λ states that no polynomial time algorithm has a non-negligible advantage ϵ in λ that solves the q-DBDHE problem in G ⁠. 5.3. Formal security result We now formally show that the existence of an adversary who can break the security of our RBAC scheme in polynomial time implies an efficient solution to the DBDHE problem. The fact that no polynomial time algorithm has been discovered to solve the DBDHE problem assures that the proposed RBAC scheme is secure in practice. Theorem 1 Let (p,G,GT,e)be a description of bilinear groups under the security parameter λ. Suppose that the (n+4)-DBDHE assumption holds in G ⁠. Then our RBAC scheme is secure under the security model defined in Section5.1. Proof Suppose there exists a polynomial time adversary  breaking our RBAC in the security model defined in Section 5.1 with a non-negligible advantage ϵ in λ. We construct an algorithm B that can solve the (n+4)-DBDHE problem in G ⁠. The input of B is T∈GT and the challenge tuple D=(g,h,y1,…,yn+3,yn+5,…,y2n+6) of the (n+4)-DBDHE problem, where T←RGT or T=e(g,h)(αn+4) ⁠. B interacts with  as follows. Init.  outputs an access policy * containing roles for medical staffs that  may decide to challenge under the lifetime t* ⁠. Also,  outputs an identity ID* for a patient that it may decide to challenge. Setup. We denote the challenge role as {R⃗i*∈*} ⁠, the challenge atom roles as {Ri*∈S*} ⁠, and define I*={i:Ri∈S*} ⁠. To generate the system parameter PK, B chooses a random γ←RZp and sets g1=y1=gα,g2=yn+3·gγ=gγ+(αn+3) B then randomly chooses γ1,…,γn+3←RZp and sets u0=gγn+3·yn+3−1 ⁠, ui=gγi·yn−i+1−1 for all i∈[n+1] ⁠, and gh=gγn+2·yn+2−1 ⁠. Also, B randomly chooses δ←RZp ⁠, computes w*←𝖧(ID*∥*∥t*∥h) ⁠, and sets g3=gδ·yn+1w*·yn+2ID*·yn+3t*·∏i∈I*yn−i+1Ri* Finally, B gives the system parameter PK=((p,G,GT,e),g,g1,g2,g3,gh,{ui}i∈[0,n+1]) to  ⁠. The master secret key is MSK=(g2α)=(gα(αn+3+γ))=(yn+4·y1γ) ⁠. Note that B does not know the value of yn+4 ⁠. Hence, B does not know MSK. Phase 1.  issues the following three kinds of queries: (1) Access credential query for a medical staff with a role R⃗ under a lifetime t. The only restriction is that R⃗∈Pref(*) or t=t* should not be satisfied simultaneously. This restriction ensures that when t=t* ⁠, R⃗ contains at least one Rm∈SR⃗ such that Rm∉SR* ⁠, where m≤n ⁠. We set m as the smallest index satisfying this condition. To respond to the query, B derives an access credential for the role R⃗m=(R1,…,Rm) ⁠, from which B delegates an access credential for the requested role R⃗ ⁠. To generate the access credential for the role R⃗m=(R1,…,Rm) under the lifetime t=t* ⁠, B randomly chooses r˜←RZp ⁠, sets ACRm⃗=(a0,a1,a2,{a3,j}j∈[n+1]⧹IRm⃗)=g2α·(g3·u0t*·∏i∈IRm⃗uiRi)r,gr,ghr,{ujr}j∈[n+1]⧹IRm⃗ where r=αm+3Rm−Rm*+r˜∈Zp ⁠. For the first component a0 ⁠, we have (g3·u0t*·∏i∈IRm⃗uiRi)r=gδ+∑i∈IRm⃗Riγir·(∏i∈Rm⃗,i∈I*yn−i+1Ri*−Ri)r·(yn−m+1Rm*−Rm)r·(yn+1w*yn+2ID*yn+3t*∏i∉IR⃗m,i∈I*yn−i+1Ri*)r=(c1·c2·c3·c4)r B can compute c1 since B knows δ,γi and ki ⁠. Similarly, B can compute c4 as it knows all values involved in c4 ⁠. Also, c2=1 because Ri*=Ri for all i∈Rm⃗ while i∈I* ⁠. Next, observe that c3r=(yn−m+1Rm*−Rm)r=(yn−m+1Rm*−Rm)r˜·(yn−m+1Rm*−Rm)−αm+3Rm*−Rm=(yn−m+1Rm*−Rm)r˜(yn+4)−1 Thus, B can compute a0 since a0=(yn+4·y1γ)(c1·c4)r(yn−m+1Rm*−Rm)r˜(yn+4)−1=y1γ·(c1·c4)r·(yn−m+1Rm*−Rm)r˜ The second component is a1=gr=ym+3(Rm−Rm*)−1·gr˜ ⁠, which B can compute since it knows all ym+3 for m≤n ⁠. Similarly, all the other components in ACR⃗m can be computed by B since they do not involve yn+4 ⁠. Hence, B can generate the access credential for R⃗m ⁠. B can further use this access credential to derive the access credential for the descendant role ACR⃗ and response to ’s request. If the queried access credential is under a lifetime t≠t* ⁠, B can correctly respond the query using the same algorithm described above. In fact, if the queried role also satisfies R⃗∉Pref(*) ⁠, then the algorithm used for B to generate the access credential is identical with the one described above. If R⃗∈Pref(*) while t≠* ⁠, then we have a0=g2α·(g3·u0t·∏i∈IR⃗uiRi)r=g2αgδ+∑i∈IR⃗Riγi·(∏i∈I,i∈I*yn−i+1Ri*−Ri)·(yn+1w*·yn+2ID*·yn+3t*−t·∏i∉IR⃗,i∈I*yn−i+1Ri*)r=(yn+4·y1γ)(yn+3t*−t)r(c1·c4)r=(yn+4·y1γ)yn+3r˜(t*−t)yn+4−1(c1·c4)r=y1γ·yn+3r˜(t*−t)·(c1·c4)r where r=αt−t*+r˜∈Zp ⁠. All the other components involved in ACR⃗ also can be computed accordingly. (2) Access credential query for a patient with identity ID≠ID* ⁠. B picks a random r˜←RZp and computes ACID=(b0,b1,{b2,j}j∈[n+1])=(g2α·(g3·ghID)r,gr,{ujr}j∈[0,n+1]) where r=α2ID−ID*+r˜∈Zp ⁠. For the first component a0′ ⁠, we have that (g3·ghID)r=gδ·yn+1w*·yn+3t∏i∈I*yn−i+1Ri*·yn+2ID*·gγn+2yn+2IDr=(gδ·yn+1w*·yn+3t∏i∈I*yn−i+1Ri*)rgrγn+2·yn+2r(ID*−ID)=(gδ·yn+1w*·yn+3t∏i∈I*yn−i+1Ri*)rgrγn+2·yn+2r˜(ID*−ID)yn+4 Hence, b0=y1γ·(gδ+γn+2·yn+1w*·yn+3t∏i∈I*yn−i+1Ri*)ryn+2r˜(ID*−ID) which can be computed by B since it knows all values involved in b0 ⁠. All the other components in ACID can also be computed by B since they do not involve yn+4 ⁠. Hence, B can generate the access credential for ID and respond it to  ⁠. (3) Decapsulation query for the encapsulated EHR (Hdr,EF)=(C0,C1,EF) with a patient’s identity ID and an access policy  under a lifetime t. Since all encapsulated EHRs need to be audited before storing, B first computes w=𝖧(ID∥∥t∥C0) and determines whether the encapsulated EHR is valid by checking Equation (1) defined in Section 4.3. If the equality does not hold, then B reports that the encapsulated EHR is invalid and returns ⊥ to  ⁠. If w=w* ⁠, ID=ID* and Pref()⊆Pref(*) ⁠, then B cannot generate an access credential to decapsulate this encapsulated EHR. Hence, B terminates the simulation with  ⁠, outputs a random bit b∈{0,1} and halts. Otherwise, we have the following three cases: Case 1: ID≠ID* ⁠. As shown in the above, B can generate an access credential for ID. Then it uses this access credential to decapsulate the encapsulated EHR and returns the result to  ⁠. Case 2: Pref()⊈Pref(*) ⁠. There exists at least a role R⃗∈Pref() ⁠, such that R⃗∉Pref(*) ⁠. As shown in the above, B can generates an access credential for R⃗ ⁠. It uses this access credential to decapsulate the encapsulated EHR and returns the result to  ⁠. Case 3: w≠w* ⁠. In this case, B picks a random r˜←RZp and computes ACw=(d0,d1,d2,{d3,j}j∈[0,n])=(g2α·(g3·un+1w)r,gr,ghr,{ujr}j∈[0,n])=y1γ(gδ+γn+1·yn+3t*∏i∈I*yn−i+1Ri*)ryn+1r˜(w*−w),gr,ghr,{ujr}j∈[0,n] where r=α3w−w*+r˜∈Zp ⁠. The operation processes are similar to the processes in responding an access credential query for a patient with identity ID≠ID* ⁠, except that the operations are now for un+1 instead of gh ⁠. Note that this ‘access credential’ does not appear in the real RBAC scheme. However, B can use this access credential to correctly recover the message encapsulation key hidden in Hdr by calculating K=e(d0·d2ID·d3,0t∏i∈Id3,iRi,C0)/e(C1,d1) Therefore, B can decapsulate (Hdr,EF) and respond the decapsulation query from  ⁠. Challenge.  outputs two equal-length EHRs EHR0,EHR1 ⁠. B returns C0*=h C1*=hδ+∑i∈I*Ri*·γi+w*·γn+1+ID*·γn+2+t*·γn+3 EF*=𝖲𝗒𝗆𝖤𝗇𝖼(T·e(y1,hγ),EHRb) where b∈{0,1} is a flipped random coin by B ⁠, h and T are from the instance tuple given to B ⁠. Since h=gc for an unknown value c∈Zp ⁠, we have C1*=hδ+∑i∈I*Ri*·γi+w*·γn+1+ID*·γn+2+t*·γn+3=(gδ·gw*·γn+1·gID*·γn+2·gt*·γn+3∏i∈I*gRi*·γi)c=(gδ·(gγn+1·yn+1−1)w*·(gγn+2·yn+2−1)ID*)c·((gγn+3·yn+3−1)t*·∏i∈I*(gγi·yn−i+1−1)Ri*)c·(yn+1w*·yn+2ID*·yn+3t*∏i∈I*yn−i+1Ri*)c=(u0t*·ghID*·un+1w*·g3∏i∈I*uiRi*)c B can compute C1* since it knows γi for all i∈I* ⁠. If T=e(g,h)(αl+4) ⁠, then T·e(y1,hγ)=(e(y1,yn+3)·e(y1,gγ))c=e(y1,yn+3·gγ)c=e(g1,g2)c So it is a valid message encapsulation key for encapsulating EHRb ⁠. Otherwise, EHRb is encapsulated by a random message encapsulation key in GT ⁠. Phase 2. B responds ʼs queries as in Phase 1. Guess. Finally,  outputs a guess b′∈{0,1} to answer that B encapsulates EHRb′ ⁠. B also outputs b′ to answer the (n+4)-DBDHE problem. If T=e(g,h)(αn+4) ⁠, then  can successfully attack our RBAC scheme with a non-negligible advantage Pr[b=b′]−12≥ϵ ⁠. If T←RGT ⁠, we have ∣Pr[b=b′]∣=12 ⁠. Also, since for qd distinct decapsulation queries, B aborts with a non-negligible probability qd/p ⁠, and when this happens B makes a guess in the (n+4)-DBDHE problem with advantage 0. Therefore, we have that Bʼs advantage in the (n+4)-DBDHE problem is at least ϵ−qd/p ⁠, which completes the proof of Theorem 1.□ 6. PERFORMANCE ANALYSES 6.1. Theoretical analysis In our RBAC scheme, the encapsulation procedure requires one pairing operation (which can be pre-computed). The public auditing procedure, the decapsulation procedures require two pairing operations. The scheme is efficient in computation. For any subset of receivers (patients or medical staffs), the header of the encapsulated EHR always contains two group elements in G ⁠. The access credentials’ sizes (of patients or medical staffs) are linear with the maximal atom role number involved in the entities. Table 2 shows the efficiency of the proposed RBAC scheme both in computation and in storage aspects. In Table 2, we denote τe as one exponent operation time in G ⁠, τm as one multiplication operation time in G ⁠, τp as one pairing operation time and τh as one hash operation time for the hash function 𝖧 ⁠. Since symmetric encryption and decryption procedures are relatively fast, we ignore symmetric encryption and decryption time in our theoretical efficiency analysis. Table 2. The efficiency of the proposed RBAC. . Proposed RBAC with n atom roles . PK size n+7 MSK size 1 ACR⃗ size n+4−∣SR⃗∣ ACID size n+4 Hdr size 2 ACGenM (n+6)τe+(∣SR⃗∣+1)τm ACDeleM (n+6)τe+(n+5)τm ACGenP (n+6)τe+2τm EHREnc (∣S∣+4)τe+(∣S∣+3)τm+τh EHRAudit (∣S∣+4)τe+(∣S∣+3)τm+2τp+τh EHRDecM (2+∣S∣−∣SR⃗∣)(τe+τm)+2τp+τh EHRDecP (1+∣S∣)(τe+τm)+2τp+τh . Proposed RBAC with n atom roles . PK size n+7 MSK size 1 ACR⃗ size n+4−∣SR⃗∣ ACID size n+4 Hdr size 2 ACGenM (n+6)τe+(∣SR⃗∣+1)τm ACDeleM (n+6)τe+(n+5)τm ACGenP (n+6)τe+2τm EHREnc (∣S∣+4)τe+(∣S∣+3)τm+τh EHRAudit (∣S∣+4)τe+(∣S∣+3)τm+2τp+τh EHRDecM (2+∣S∣−∣SR⃗∣)(τe+τm)+2τp+τh EHRDecP (1+∣S∣)(τe+τm)+2τp+τh Open in new tab Table 2. The efficiency of the proposed RBAC. . Proposed RBAC with n atom roles . PK size n+7 MSK size 1 ACR⃗ size n+4−∣SR⃗∣ ACID size n+4 Hdr size 2 ACGenM (n+6)τe+(∣SR⃗∣+1)τm ACDeleM (n+6)τe+(n+5)τm ACGenP (n+6)τe+2τm EHREnc (∣S∣+4)τe+(∣S∣+3)τm+τh EHRAudit (∣S∣+4)τe+(∣S∣+3)τm+2τp+τh EHRDecM (2+∣S∣−∣SR⃗∣)(τe+τm)+2τp+τh EHRDecP (1+∣S∣)(τe+τm)+2τp+τh . Proposed RBAC with n atom roles . PK size n+7 MSK size 1 ACR⃗ size n+4−∣SR⃗∣ ACID size n+4 Hdr size 2 ACGenM (n+6)τe+(∣SR⃗∣+1)τm ACDeleM (n+6)τe+(n+5)τm ACGenP (n+6)τe+2τm EHREnc (∣S∣+4)τe+(∣S∣+3)τm+τh EHRAudit (∣S∣+4)τe+(∣S∣+3)τm+2τp+τh EHRDecM (2+∣S∣−∣SR⃗∣)(τe+τm)+2τp+τh EHRDecP (1+∣S∣)(τe+τm)+2τp+τh Open in new tab A vast number of pre-computations can also be done to further improve the efficiency in our RBAC substantially. In the access credential generation procedure and the access credential delegation procedure (ACGenM, ACGenP, and ACDeleM), all exponentiations can be pre-computed by choosing the random exponent r←RZp beforehand, or be securely outsourced to untrusted third parties [53]. Similar pre-/outsourced computations can also be done in EHREnc. Table 3 compares our RBAC scheme with other schemes achieving fine-grained access control in terms of performance, security model (standard model or random oracle model), scalable sharing, public auditability and forward revocation support. We similarly denote n as the maximal number of atom roles supported in all the access policy, ∣SR∣ as the number of atom roles involved in the access credential and ∣S∣ as the number of atom roles involved in the specified access policy. In this table, existing works supporting fine-grained access control are under ABE. The scheme in [3] is based on ABE of [44], which can be proven secure in the random oracle model. The work of [5] aims to provide a secure and scalable EHR access control system. It provides two access control schemes that are respectively based on Key-Policy ABE from [54] and Ciphertext-Policy ABE from [45]. The work [6] provides a scalable EHR access control scheme that can be proven secure in the standard model by leveraging multi-authority ABE [55] for user revocation. Table 3. Comparison with related work. . [3] . [5]-1 . [5]-2 . [6] . Ours . Parameter size 3 4 n+3 n−1 n+7 AC size 2∣SR∣+1 2∣SR∣ ∣SR∣+2 ∣SR∣+1 n+4 Hdr size 2∣S∣+2 3∣S∣+2 ∣S∣+2 ∣S∣+1 2 Pairings in decapsulation 2∣SR∣ 2∣SR∣ 3∣SR∣ ∣SR∣+1 2 Security model Random Oracle Random Oracle Standard Standard Standard Scalable share × √ √ √ √ Forward revoke × √ × √ √ Public audit × × × × √ . [3] . [5]-1 . [5]-2 . [6] . Ours . Parameter size 3 4 n+3 n−1 n+7 AC size 2∣SR∣+1 2∣SR∣ ∣SR∣+2 ∣SR∣+1 n+4 Hdr size 2∣S∣+2 3∣S∣+2 ∣S∣+2 ∣S∣+1 2 Pairings in decapsulation 2∣SR∣ 2∣SR∣ 3∣SR∣ ∣SR∣+1 2 Security model Random Oracle Random Oracle Standard Standard Standard Scalable share × √ √ √ √ Forward revoke × √ × √ √ Public audit × × × × √ Open in new tab Table 3. Comparison with related work. . [3] . [5]-1 . [5]-2 . [6] . Ours . Parameter size 3 4 n+3 n−1 n+7 AC size 2∣SR∣+1 2∣SR∣ ∣SR∣+2 ∣SR∣+1 n+4 Hdr size 2∣S∣+2 3∣S∣+2 ∣S∣+2 ∣S∣+1 2 Pairings in decapsulation 2∣SR∣ 2∣SR∣ 3∣SR∣ ∣SR∣+1 2 Security model Random Oracle Random Oracle Standard Standard Standard Scalable share × √ √ √ √ Forward revoke × √ × √ √ Public audit × × × × √ . [3] . [5]-1 . [5]-2 . [6] . Ours . Parameter size 3 4 n+3 n−1 n+7 AC size 2∣SR∣+1 2∣SR∣ ∣SR∣+2 ∣SR∣+1 n+4 Hdr size 2∣S∣+2 3∣S∣+2 ∣S∣+2 ∣S∣+1 2 Pairings in decapsulation 2∣SR∣ 2∣SR∣ 3∣SR∣ ∣SR∣+1 2 Security model Random Oracle Random Oracle Standard Standard Standard Scalable share × √ √ √ √ Forward revoke × √ × √ √ Public audit × × × × √ Open in new tab As shown in Table 3, the size of EHR headers for all existing fine-grained access control schemes in EHR systems is linear with the number of atom roles involved in the specified access policy  ⁠. In our RBAC construction, the header only contains two group elements in G for any subset of receivers (patients or medical staffs). The decapsulation procedure in our RBAC requires two pairing operations, while others require O(∣SR∣) pairing operations. Our RBAC scheme is efficient in computation and storage compared with existing systems. The properties of scalable sharing, public auditability and forward revocation support render our RBAC scheme suitable into practical usage. 6.2. Experimental performance We conduct experiments on our RBAC scheme4 with the jPBC library.5 We use Type A elliptic curve with expression y2=x3+x for the Tate symmetric pairing in our experiments. The group order of Zp is set around 160 bits, and the element size in G is configured around 512 bits, which are considered secure currently [56]. In the experiments, we use MacBook Pro with an Intel Core i7 2.50 GHz CPU clock speed and 16 GB RAM. The operating system is OS X EI Capitan 10.11.6. The Java Runtime Environment (JRE) version is 8u111. The Java Integrated Development Environment (IDE) we leverage to run the experiments is IntelliJ IDEA Community Edition 2016.3. All the time reports are tested over 100 randomized executions. In our experiment, the patient’s identity is assigned to be ‘Patient’, which is used to execute patient’s access credential generation procedure (ACGenP). The medical staff access credential generation (ACGenM) and the medical staff access credential delegation (ACDeleM) involve the roles of the medical staffs. To capture this in our experiments, we generate a collection of 10 distinct roles of the form (‘Role_0’, ‘Role_1’,…, ‘Role_N’), where each “Role_N’ is an atom role for N∈[10] ⁠. The lifetime embedded in medical staff access credentials is assigned to be ‘2016.06’. The time consumptions needed to audit and encapsulate EHRs also rely on the maximal number of atom roles in the access policy. In our experiment, we generate a collection of 100 distinct atom roles of the form {‘Role_1’, ‘Role_2’,…, ‘Role_N’}, where N∈[100] ⁠, and generate 100 headers under these atom roles. Note that this setting covers sufficient numbers of roles for sharing EHRs, even when the access policy assigned to the EHR is considerably complex [3, 29]. The decapsulation procedure is run with the inputs of previously generated 100 headers, previously generated 10 access credentials for medical staffs, and the previously generated access credential for the patient. Figure 4 briefly shows the framework of our RBAC performance evaluations.6 Figure 4. Open in new tabDownload slide The framework of our RBAC performance evaluations. Figure 4. Open in new tabDownload slide The framework of our RBAC performance evaluations. Figure 5 shows results of our performance evaluation.7 As illustrated in Fig. 5a, the access credential generation time for patients and medical staffs are less than 110 ms, if necessary pre-computations are done. Also, as shown in Fig. 5b, as the number of atom roles increases, the time consumptions of access credential delegation procedures increase gradually. When the number of atom roles approaches to 10, the access credential delegation time is less than 120 ms, which is considerably fast. Figure 5. Open in new tabDownload slide Performance measurement for the proposed RBAC system. (a) ACGen Time (ms), (b) ACDeleM time (ms), (c) EHREnc time (ms), (d) EHRAudit time (ms) and (e) EHRDec time (ms). Figure 5. Open in new tabDownload slide Performance measurement for the proposed RBAC system. (a) ACGen Time (ms), (b) ACDeleM time (ms), (c) EHREnc time (ms), (d) EHRAudit time (ms) and (e) EHRDec time (ms). The result demonstrated in Fig. 5d shows that the auditing procedure is efficient. Even when 100 atom roles are involved in the access policy, it takes less than 1 s to validate the encapsulated EHR. Also, the time consumptions of encapsulation and decapsulation procedures are reasonably short (Fig. 5c and e), comparable to those of the up-to-date access control schemes in EHR systems [6, 8, 25, 30] that do not provide scalable access control, public audit of encapsulation or forward revocation functionalities. Our RBAC scheme needs less than 1 s to encapsulate or decapsulate EHRs even when the number of involved atom roles approaches to 100. 7. CONCLUSION In this paper, we proposed a generic RBAC framework and a concrete scheme to secure outsourced EHRs. In our RBAC, an EHR data owner can encapsulate the EHR according to an on-demand access policy. Only medical staffs whose roles satisfy the access policy can read it, which implies a fine-grained access control. A public auditor is introduced to ensure that the EHR is correctly encapsulated with the specified access policy, which prevents fraudulent EHRs being stored. A forward revocation mechanism is facilitated so that a revoked user cannot access to the newly uploaded EHRs, no matter whether the user’s previous role satisfies the associated access policy. We formally analyzed the security of our RBAC scheme under well-established assumptions. Theoretical and experimental analyses illustrate high efficiency of our RBAC scheme in terms of communication and computation. FUNDING Natural Science Foundation of China through projects 61672083, 61370190, 61532021, 61472429 and 61402029, by the National Cryptography Development Fund through project MMJJ20170106, by the Planning fund project of ministry of education through project 12YJAZH136 and by the Beijing Natural Science Foundation through project 4132056. Footnotes 1 " http://www.va.gov 2 " http://www.gematik.de 3 " https://www.healthvault.com/ 4 " The source code of the RBAC prototype has been published online at https://github.com/liuweiran900217/CroudCrypto. 5 " http://gas.dia.unisa.it/projects/jpbc/index.html. 6 " The source code of the RBAC performance evaluation is available at https://github.com/liuweiran900217/CloudCrypto/blob/master/src/test/java/com/example/application/llw15/RBACLLW15PerformanceTest.java. 7 " The detailed performance evaluation results are available at https://github.com/liuweiran900217/CloudCrypto/blob/master/benchmarks/application/LLW15/benchmark.txt. REFERENCES 1 Rau , H.H. , Hsu , C.Y., Lee , Y.L., Chen , W. and Jian , W.S. ( 2010 ) Developing electronic health records in Taiwan . IT Prof. , 12 , 17 – 25 . Google Scholar Crossref Search ADS WorldCat 2 Yu , S. , Wang , C., Ren , K. and Lou , W. ( 2010 ) Achieving Secure, Scalable, and Fine-Grained Data Access Control in Cloud Computing. Proc. INFOCOM 10, San Diego, CA, USA, March 15–19, pp. 1–9. IEEE, Los Alamitos. 3 Barua , M. , Liang , X., Lu , R. and Shen , X. ( 2011 ) Espac: enabling security and patient-centric access control for ehealth in cloud computing . Int. J. Secur. Netw. , 6 , 67 – 76 . Google Scholar Crossref Search ADS WorldCat 4 Kamara , S. and Lauter , K. ( 2010 ) Cryptographic Cloud Storage. Proc. FC 10, Tenerife, Canary Islands, Spain, January 25–28, Lecture Notes in Computer Science, Vol. 6054, pp. 136–149. Springer-Verlag, Berlin. 5 Löhr , H. , Sadeghi , A.R. and Winandy , M. ( 2010 ) Securing the e-health Cloud. Proc. IHI 10, Arlington, WV, USA, November 11–12, pp. 220–229. ACM, New York. 6 Li , M. , Yu , S., Zheng , Y., Ren , K. and Lou , W. ( 2013 ) Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption . IEEE Trans. Parallel Distributed Syst. , 24 , 131 – 143 . Google Scholar Crossref Search ADS WorldCat 7 Johnson , M.E. ( 2009 ) Data Hemorrhages in the Health-Care Sector. Proc. FC 09, Accra Beach, Barbados, February 23–26, Lecture Notes in Computer Science, Vol. 5628, pp. 71–89. Springer-Verlag, Berlin. 8 Huang , J. , Sharaf , M. and Huang , C.T. ( 2012 ) A Hierarchical Framework for Secure and Scalable ehr Sharing and Access Control in Multi-cloud. Proc. ICPPW 12, Pittsburgh, PA, USA, September 10–13, pp. 279–287. IEEE, Los Alamitos. 9 Huang , X. , Xiang , Y., Bertino , E., Zhou , J. and Xu , L. ( 2014 ) Robust multi-factor authentication for fragile communications . IEEE Trans. Dependable Secure Comput. , 11 , 568 – 581 . Google Scholar Crossref Search ADS WorldCat 10 Huang , X. , Liu , J.K., Tang , S., Xiang , Y., Liang , K., Xu , L. and Zhou , J. ( 2015 ) Cost-effective authentic and anonymous data sharing with forward security . IEEE. Trans. Comput. , 64 , 971 – 983 . Google Scholar Crossref Search ADS WorldCat 11 Benaloh , J. , Chase , M., Horvitz , E. and Lauter , K. ( 2009 ) Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records. Proc. CCSW 09, Chicago, IL, USA, November 13, pp. 103–114. ACM, New York. 12 Røstad , L. and Nytrø , Ø. ( 2008 ) Personalized Access Control for a Personally Controlled Health Record. Proc. CSAW 08, Alexandria, WV, USA, October 31–31, pp. 9–16. ACM, New York. 13 Report 2010/565 ( 2010 ) Self-Protecting Electronic Medical Records Using Attribute-Based Encryption. Cryptology ePrint Archive. Online. 14 Narayan , S. , Gagné , M. and Safavi-Naini , R. ( 2010 ) Privacy Preserving EHR System Using Attribute-Based Infrastructure. Proc. CCSW 10, Chicago, IL, USA, October 8, pp. 47–52. ACM, New York. 15 Chen , X. , Li , J., Huang , X., Ma , J. and Lou , W. ( 2015 ) New publicly verifiable databases with efficient updates . IEEE Trans. Dependable Secure Comput. , 12 , 546 – 556 . Google Scholar Crossref Search ADS WorldCat 16 Wang , J. , Chen , X., Huang , X., You , I. and Xiang , Y. ( 2015 ) Verifiable auditing for outsourced database in cloud computing . IEEE. Trans. Comput. , 64 , 3293 – 3303 . Google Scholar Crossref Search ADS WorldCat 17 Kwak , Y.S. ( 2005 ) International Standards for Building Electronic Health Record (EHR). Proc. HEALTHCOM 05, Busan, South Korea, June 23–25, pp. 18–23. IEEE, Los Alamitos. 18 Ray , P. and Wimalasiri , J. ( 2006 ) The Need for Technical Solutions for Maintaining the Privacy of EHR. Proc. EMBS 06, New York, NY, USA, August 30–September 3, pp. 4686–4689. IEEE, Los Alamitos. 19 Li , F. , Zou , X., Liu , P. and Chen , J.Y. ( 2011 ) New threats to health data privacy . BMC. Bioinform. , 12 , 1 – 7 . Google Scholar Crossref Search ADS WorldCat 20 Tan , C.C. , Wang , H., Zhong , S. and Li , Q. ( 2008 ) Body Sensor Network Security: An Identity-Based Cryptography Approach. Proc. WiSec 08, Alexandria, VA, USA, March 31–April 2, pp. 148–153. ACM, New York. 21 Tan , C.C. , Wang , H., Zhong , S. and Li , Q. ( 2009 ) Ibe-lite: a lightweight identity-based cryptography for body sensor networks . IEEE. Trans. Inf. Technol. Biomed. , 13 , 926 – 932 . Google Scholar Crossref Search ADS PubMed WorldCat 22 Hupperich , T. , Löhr , H., Sadeghi , A.R. and Winandy , M. ( 2012 ) Flexible Patient-Controlled Security for Electronic Health Records. Proc. IHI 12, Miami, FL, USA, January 28–30, pp. 727–732. ACM, New York. 23 Liu , J.K. , Liang , K., Susilo , W., Liu , J. and Xiang , Y. ( 2016 ) Two-factor data security protection mechanism for cloud storage system . IEEE. Trans. Comput. , 65 , 1992 – 2004 . Google Scholar Crossref Search ADS WorldCat 24 Sun , J. and Fang , Y. ( 2010 ) Cross-domain data sharing in distributed electronic health record systems . IEEE Trans. Parallel Distributed Syst. , 21 , 754 – 764 . Google Scholar Crossref Search ADS WorldCat 25 Sun , J. , Zhu , X., Zhang , C. and Fang , Y. ( 2011 ) Hcpp: Cryptography Based Secure EHR System for Patient Privacy and Emergency Healthcare. Proc. ICDCS 11, Minneapolis, MN, USA, June 20–24, pp. 373–382. IEEE, Los Alamitos. 26 Liang , K. , Su , C., Chen , J. and Liu , J.K. ( 2016 ) Efficient Multi-function Data Sharing and Searching Mechanism for Cloud-based Encrypted Data. Proc. ASIACCS 16, Xi’an, China, May 30–June 3, pp. 83–94. ACM, New York. 27 Goyal , V. , Pandey , O., Sahai , A. and Waters , B. ( 2006 ) Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. Proc. CCS 06, Alexandria, WV, USA, October 30–November 3, pp. 89–98. ACM, New York. 28 Nabeel , M. and Bertino , E. ( 2012 ) Privacy Preserving Delegated Access Control in the Storage as a Service Model. Proc. IRI 12, Las Vegas, NV, USA, August 8–10, pp. 645–652. IEEE, Los Alamitos. 29 Wan , Z. , Liu , J. and Deng , R.H. ( 2012 ) Hasbe: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing . IEEE Trans. Inf. Forensics Secur. , 7 , 743 – 754 . Google Scholar Crossref Search ADS WorldCat 30 Barua , M. , Liang , X., Lu , R. and Shen , X. ( 2011 ) Peace: An Efficient and Secure Patient-centric Access Control Scheme for ehealth Care System. Proc. INFOCOM WKSHPS 11, Shanghai, PR China, April 10–15, pp. 970–975. IEEE, Los Alamitos. 31 Guo , L. , Zhang , C., Sun , J. and Fang , Y. ( 2012 ) Paas: A Privacy-preserving Attribute-Based Authentication System for ehealth Networks. Proc. ICDCS 12, Macau, China, June 18–21, pp. 224–233. IEEE, Los Alamitos. 32 Wang , S. , Liang , K., Liu , J.K., Chen , J., Yu , J. and Xie , W. ( 2016 ) Attribute-based data sharing scheme revisited in cloud computing . IEEE Trans. Inf. Forensics Secur. , 11 , 1661 – 1673 . Google Scholar Crossref Search ADS WorldCat 33 Agrawal , R. and Johnson , C. ( 2007 ) Securing electronic health records without impeding the flow of information . Int. J. Med. Inform. , 76 , 471 – 479 . Google Scholar Crossref Search ADS PubMed WorldCat 34 Olson , L.E. , Gunter , C.A. and Olson , S.P. ( 2009 ) A Medical Database Case Study for Reflective Database Access Control. Proc. SPIMACS 09, Chicago, IL, USA, November 13, pp. 41–52. ACM, New York. 35 Boneh , D. , Boyen , X. and Goh , E.J. ( 2005 ) Hierarchical Identity Based Encryption with Constant Size Ciphertext. Proc. EUROCRYPT 05, Aarhus, Denmark, May 22–26, Lecture Notes in Computer Science, Vol. 3494, pp. 440–456. Springer-Verlag, Berlin. 36 Liu , W. , Liu , J., Wu , Q. and Qin , B. ( 2014 ) Hierarchical Identity-Based Broadcast Encryption. Proc. ACISP 14, Wollongong, NSW, Australia, July 7–9, Lecture Notes in Computer Science, Vol. 8544, pp. 242–257. Springer International Publishing, Switzerland. 37 Boyen , X. , Mei , Q. and Waters , B. ( 2005 ) Direct Chosen Ciphertext Security from Identity-Based Techniques. Proc. CCS 05, Alexandria, VA, USA, November 7–11, pp. 320–329. ACM, New York. 38 Li , Q. , Xiong , H. and Zhang , F. ( 2013 ) Broadcast revocation scheme in composite-order bilinear group and its application to attribute-based encryption . Int. J. Secur. Netw. , 8 , 1 – 12 . Google Scholar Crossref Search ADS WorldCat 39 Cui , H. and Deng , R.H. ( 2016 ) Revocable and decentralized attribute-based encryption . The Comput. J. , 59 , 1220 – 1235 . bxw007. Google Scholar Crossref Search ADS WorldCat 40 Cui , H. , Deng , R.H., Li , Y. and Qin , B. ( 2016 ) Server-Aided Revocable Attribute-Based Encryption. Proc. ESORICS 16, Heraklion, Greece, September 26–30, Lecture Notes in Computer Science, Vol. 9879, pp. 570–587. Springer International Publishing, Switzerland. 41 Vimercati , S.D.C.D. , Foresti , S., Jajodia , S., Paraboschi , S. and Samarati , P. ( 2010 ) Encryption policies for regulating access to outsourced data . ACM Trans. Database Syst. , 35 , 12:1 – 12:46 . Google Scholar Crossref Search ADS WorldCat 42 Daemen , J. and Vincent , R. ( 2002 ) The Design of Rijndael: AES – The Advanced Encryption Standard . Springer Science & Business Media , Berlin . Google Scholar Google Preview OpenURL Placeholder Text WorldCat COPAC 43 Canetti , R. , Halevi , S. and Katz , J. ( 2003 ) A Forward-Secure Public-Key Encryption Scheme. Proc. EUROCRYPT 03, Warsaw, Poland, May 4–8, Lecture Notes in Computer Science, Vol. 2656, pp. 255–271. Springer-Verlag, Berlin. 44 Bethencourt , J. , Sahai , A. and Waters , B. ( 2007 ) Ciphertext-policy Attribute-based Encryption. Proc. SP 07, Berkeley, CA, USA, May 20–23, pp. 321–334. IEEE, Los Alamitos. 45 Waters , B. ( 2011 ) Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. Proc. PKC 11, Taormina, Italy, March 6–9, Lecture Notes in Computer Science, Vol. 6571, pp. 53–70. Springer-Verlag, Berlin. 46 Lewko , A. , Okamoto , T., Sahai , A., Takashima , K. and Waters , B. ( 2010 ) Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. Proc. EUROCRYPT 10, French Riviera, France, May 30–June 3, Lecture Notes in Computer Science, Vol. 6110, pp. 62–91. Springer-Verlag, Berlin. 47 Lewko , A. ( 2012 ) Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting. Proc. EUROCRYPT 12, Cambridge, UK, April 15–19, Lecture Notes in Computer Science, Vol. 7237, pp. 318–335. Springer-Verlag, Berlin. 48 Lewko , A. and Waters , B. ( 2012 ) New Proof Methods for Attribute-based Encryption: Achieving Full Security through Selective Techniques. Proc. CRYPTO 12, Santa Barbara, CA, USA, August 19–23, Lecture Notes in Computer Science, Vol. 7417, pp. 180–198. Springer-Verlag, Berlin. 49 Liu , W. , Liu , J., Wu , Q. and Qin , B. ( 2014 ) Experimental Performance Comparisons Between (h)ibe Schemes over Composite-Order and Prime-Order Bilinear Groups. Proc. IBCAST 14, Islamabad, Pakistan, January 14–18, pp. 203–209. IEEE, Los Alamitos. 50 Lewko , A. and Waters , B. ( 2010 ) New Techniques for Dual System Encryption and Fully Secure Hibe with Short Ciphertexts. Proc. TCC 10, Zurich, Switzerland, February 9–11, Lecture Notes in Computer Science, Vol. 5978, pp. 455–479. Springer-Verlag, Berlin. 51 Lewko , A. and Waters , B. ( 2014 ) Why Proving Hibe Systems Secure is Difficult. Proc. EUROCRYPT 14, Copenhagen, Denmark, May 11–15, Lecture Notes in Computer Science, Vol. 8441, pp. 58–76. Springer-Verlag, Berlin. 52 Gentry , C. and Halevi , S. ( 2009 ) Hierarchical Identity Based Encryption with Polynomially Many Levels. Proc. TCC 09, San Francisco, CA, USA, March 15–17, Lecture Notes in Computer Science, Vol. 5444, pp. 437–456. Springer-Verlag, Berlin. 53 Chen , X. , Li , J., Ma , J., Tang , Q. and Lou , W. ( 2014 ) New algorithms for secure outsourcing of modular exponentiations . IEEE Trans. Parallel Distributed Syst. , 25 , 2386 – 2396 . Google Scholar Crossref Search ADS WorldCat 54 Lewko , A. , Sahai , A. and Waters , B. ( 2010 ) Revocation Systems with Very Small Private Keys. Proc. SP 10, Berkeley, CA, USA, May 16–19, pp. 273–285. IEEE, Los Alamitos. 55 Chase , M. and Chow , S.S.M. ( 2009 ) Improving Privacy and Security in Multi-authority Attribute-Based Encryption. Proc. CCS 09, Chicago, IL, USA, November 9–13, pp. 121–130. ACM, New York. 56 Barker , E. ( 2016 ) Recommendation for Key Management – Part 1: General (Revision 4) . National Institute of Standards and Technology , Gaithersburg . Google Scholar Google Preview OpenURL Placeholder Text WorldCat COPAC Author notes Handling editor: Liqun Chen © The British Computer Society 2017. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com
TI - Auditing Revocable Privacy-Preserving Access Control for EHRs in Clouds
JF - The Computer Journal
DO - 10.1093/comjnl/bxx071
DA - 2017-12-01
UR - https://www.deepdyve.com/lp/oxford-university-press/auditing-revocable-privacy-preserving-access-control-for-ehrs-in-USUcfmzigA
SP - 1871
VL - 60
IS - 12
DP - DeepDyve
ER -