In the existing Electronic Health Records (EHRs), the medical information of patients is completely controlled by various medical institutions. As such, patients have no dominant power over their own EHRs. These personal data are not only inconvenient to access and share, but are also prone to cause privacy disclosure. The blockchain technology provides a new development direction in the medical field. Blockchain-based EHRs are characterized by decentralization, openness and non-tampering of records, which enable patients to better manage their own EHRs. In order to better protect the privacy of patients, only designated receivers can access EHRs, and receivers can authenticate the sharer to ensure that the EHRs are real and effective. In this study, we propose an identity-based signcryption scheme with multiple authorities for multiple receivers, which can resist N-1 collusion attacks among N authorities. In addition, the identity information of receivers is anonymous, so the relationship between them and the sharer is not disclosed. Under the random oracle model, it was proved that our scheme was secure and met the unforgeability and confidentiality requirements of signcryption. Moreover, we evaluated the performance of the scheme and found that it had the moderate signcryption efficiency and excellent signcryption attributes.
Electronic health recordsblockchainidentity-based signcryptionmultiple authoritiesmultiple receiversIntroduction
Electronic Health Records (EHRs) are to digitize the paper-based health records, so that they can be stored, retrieved and accessed more conveniently and quickly in a network. However, some problems in the existing EHRs remain to be solved. Firstly, EHRs of patients are mainly stored on medical institutions sites, such as hospitals and clinics. Patients have the limited access to their personal medical data, while it is difficult to obtain such data from hospitals in real time, or to even share the data with family members and friends. In addition, medical workers in these institutions may access and disclose patients’ private medical data at will. Secondly, once a patient and a medical institution have any conflict or dispute, the latter can arbitrarily tamper with the EHRs of the patient, implicitly threatening the patient’s case. Thirdly, personal medical records are inherently confidential data and subject to personal privacy and security risks. As such, those records belong only to the corresponding individuals and only authorized users should be able to access relevant information. In order to solve the above problems, some researchers have made significant improvements in enabling patients to generate, manage and share their own EHRs, and ensure the privacy of their medical data.
Related Works
In recent years, due to the extensive application of cloud computing technology in data processing [1], cloud-based EHRs have developed rapidly and more patients have been able to control their own medical data. In the cloud-based EHRs system, Premarathne et al. [2] and Ramu [3] set the access control to allow patients to share their medical data with doctors in a controlled way. However, a cloud server is not a fully trusted third party. In the cloud storage environment, it is difficult to guarantee the security of EHRs [4].
In 2008, blockchain was first proposed by Nakamoto [5] as a part of cryptocurrency bitcoin. At present, the application of the blockchain technology in the medical field is widely concerned among blockchain researchers [6]. With the decentralized, tamper-proof, traceable and publicly available blockchain technology [7], many problems in the medical field can be solved. Roehrs et al. [8] and Gordon et al. [9] proposed the basic framework of blockchain-based EHRs. Omer et al. [10] and Badr et al. [11] protected sensitive data of patients with the encryption technology in blockchain-based EHRs. Chen et al. [12] proposed a blockchain-based searchable encryption scheme for EHRs, which allowed patients to control the access to their EHRs.
In addition to the encryption protection, the authenticity of EHRs should be considered in the sharing process of EHRs. Authentication is crucial in blockchain [13] and cannot be ignored in blockchain-based EHRs [14]. Considering the characteristics of blockchain, many researchers proposed distributed signature schemes for blockchain-based EHRs. Tang et al. [14] constructed an identity-based signature scheme with multiple authorities to verify the identity of the signer and ensure the authenticity of the EHRs. Guo et al. [15] and Sun et al. [16] designed an attribute-based signature scheme with multiple authorities, which allowed the signer to hide their identity information when signing. However, these signature schemes lacked confidentiality of EHRs.
In order to satisfy both confidentiality and authenticity, in 1997, Zheng [17] first proposed the idea of signcryption, which could simultaneously realize the functions of signing and encrypting plaintext messages. Then, Malone-Lee [18] put forward the first practical identity-based signcryption scheme. Although many researchers have proposed more secure and efficient identity-based signcryption schemes [19,20], these schemes have only considered the case that a message was sent to one receiver. In 2006, Duan et al. [21] first proposed a multi-receiver identity-based signcryption scheme to send the same message to multiple receivers. In their scheme, the sender was only required to perform one pairing computation and n scalar multiplication in the signcryption phase, and each receiver could verify the validity of the message. Since then, the identity-based signcryption scheme for multiple receivers have been significantly improved based on the consideration of the efficiency and security properties [22–24].
In all the above identity-based signcryption schemes, only one key generation center (KGC) generates secret keys for all users, and the users must trust KGC unconditionally. However, KGC can use the public identity of users in the system to calculate the user’s secret key. Therefore, it can forge the sender’s signcryption or decrypt the signcryption obtained by the receiver. In addition, KGC may face a single point of failure.
Our Contributions
A centralized KGC will have security risks, and the signcryption scheme of patient’s medical data in the blockchain was seldom explored. To enable patients to share the EHRs safely in the blockchain, in this paper, we made the following contributions.
Firstly, the distributed key generation method [13] is introduced into a centralized identity-based signcryption (IBSC) scheme. For multiple receivers, an identity-based signcryption with multiple authorities (MA-IBSC) scheme is developed. N authorities randomly construct their own polynomials and all authorities cooperatively generate the master secret key of the system by secret sharing, and embed their own secret key into the user’s secret key. Therefore, the scheme can resist the collusion attack of N-1 corrupt authorities. In addition, after signing EHRs, the patient encrypts the EHRs with the identities of other users whom the patient wants to share the data with. Thus, only authorized receivers can decrypt and access the EHRs. In this way, the authenticity of EHRs is ensured by verifying the signer’s signature. Furthermore, in the signcryption process, identity information of receivers can be hidden and the relationships between the patient and receivers are not exposed in the blockchain.
Secondly, signcrypted EHRs are directly uploaded to the blockchain, other nodes cannot verify them. Based on some adjustments of the on-chain and off-chain storage model [13], the signcrypted EHRs are recommended to be stored in the patient’s own off-blockchain database, so that the patient can control the EHRs. Then the patient extracts the storage address, signs it with the private key, and uploads it to the blockchain. Other users (nodes) in the system can verify the validity of the given address based on the patient’s public key.
Thirdly, based on the assumptions of computational Diffie-Hellman (CDH) problem and Bilinear Computational Diffie-Hellman (BCDH) problem, it is proved that our proposed sigcryption scheme is secure in the random oracle model. In other words, the unforgeability and confidentiality of signcryption are realized. Furthermore, the performance of the scheme is evaluated based on the two indices of signcryption efficiency and signcryption attributes.
The remainder of this paper is organized as follows. Section 2 presents the preliminaries, including Lagrange interpolation, bilinear map, computational assumption, syntax and secure model of the signcryption scheme. In Section 3, the EHRs system model in blockchain is described in detail. Section 4 demonstrates the specific MA-IBSC scheme for multiple receivers. The security analysis and performance evaluation are provided in Section 5. Finally, the conclusion is drawn in Section 6.
PreliminariesLagrange Interpolation
For a polynomial f of degree n, given n+1(xi,yi)(i=1,2,…,n+1) on f, we can uniquely determine a polynomial f(x)=∑i=1nyi(∏1≤j≠i≤nx−xjxi−xj).
Bilinear Map
Let p be a large prime number, G1and G2 be two multiplicative cyclic groups of order p, and g be the generator of G1. We say that e:G1×G1→G2 is not a bilinear map unless e satisfies the following properties:
Bilinearity: for all u,v∈G1 and a,b∈Zp, e(ua,vb)=e(u,v)ab;
2) Non-degeneracy: there exists u,v∈G1, such that e(u,v)≠1. That is to say, mapping e will not map all element pairs in G1×G1 to the identity element of G2;
Computability: for allu,v∈G1, a valid algorithm can be used to calculate e(u,v).
Computational Assumption
The security of the MA-IBSC scheme for multiple receivers is mainly based on the assumptions of Computational Diffie-Hellman (CDH) problem and Bilinear Computational Diffie-Hellman (BCDH) problem.
1) Computational Diffie-Hellman (CDH) problem. After a,b∈Zp∗ are randomly selected, for the given g,ga,gb∈G1, gab∈G1 is calculated. If there is no probabilistic polynomial time (PPT) adversary A to calculate gab∈G1 with the probability advantage that cannot be ignored, we call CDH in group G1 the assumption of the difficult problem.
2) Bilinear Computational Diffie-Hellman (BCDH) problem. After a,b,c∈Zp∗ are randomly selected, for the given g,ga,gb,gc∈G1, e(g,g)abc∈G2 is calculated. If there is no probabilistic polynomial time (PPT) adversary A to calculate e(g,g)abc∈G2 with the probability advantage that cannot be ignored, we call BCDH in group G1 the assumption of the difficult problem.
Syntax of the Signcryption Scheme
The identity-based signcryption with multiple authorities (MA-IBSC) scheme for multiple receivers involves the following seven algorithms:
Global Setup: The EHRs server takes a security parameter λ as the input and then outputs system public parameters params.
Authority Setup: All authorities perform this algorithm interactively. They input public parameters params and their identity IDi, then generate their respective secret key skIDi, system master secret key s and master public key PK.
KeyGen: This algorithm is also cooperatively controlled by all authorities. They input the public parameters params, their respective secret key skIDi, and identity idi of a user, and then return secret key skidi to the user.
User-Sign: User idi takes public parameters params, his/her secret key skidi and message M as input to run this algorithm with, and then outputs the signature σi of M.
User-Encrypt: User idi usually executes this algorithm after the User-Sign algorithm. User idi inputs the public parameters params, the signature σi of M, and the public keys of the receivers, and then outputs the signcryption message SC of M.
Verify: To verify the signature σi of M, other users take the signer’s identity idi, M and σi as input to carry out this algorithm. If the signatureσi is valid, it returns Accept, otherwise returns Reject.
Receiver-Decrypt: Only the receivers picked by the user can run the algorithm to decrypt SC. Any one of the receivers inputs public parameter params, SC, and the user’s secret key to the algorithm, and then obtains M and the sharer’s idi.
Security Model
Definition 1 and Definition 2 respectively introduce the two security attributes of the adapted signcryption scheme: unforgeability and confidentiality.
Definition 1: Suppose F is a forger, ℧ is defined as the MA-IBSC scheme for multiple receivers. The game between F and Challenger C is described as follows:
Global Setup: Challenger C takes a security parameter λ as input, runs global setup algorithm, then generates params and transmits it to F.
Authority Setup: Challenger C runs authority setup algorithm to output secret key skIDi for each authority IDi, where i∈{1,2,…N}. Then Forger F outputs his/her target identity idi∗.
Queries: Forger F performs the following four queries to Challenger C:
Secret key queries: F asks C for the secret key of some authorities IDi∈QS, where QS⊂{1,2,…,N} represents the index set of corrupt authorities, and then Challenger C outputs skIDi∈QS to F.
Key generation queries: When C receives the private key query about identity idi, C runs the key generation algorithm and returns skidi to F.
User-sign queries: When C receives the signature query about message M and identity idi, C returns σi to F.
User-encrypt queries: To forge a signcryption, the user-encrypt query always follows user-sign query. When C receives the encryption query about (M,R,idi), where R represents the identity set of the receivers, namely, R={idl}l=1n, then C calculates signcryption SC and returns it to F.
Forgery: Forger F finally outputs a new signcryption SC∗ and the public key pair (id1,skid1),(id2,skid2),…,(idn,skidn) of n receivers. If SC∗ is the signcryption of idi∗ to the message M and can be correctly decrypted and verified by receivers in set R={idl}l=1n, then SC∗ is a valid signcryption and F wins the game. The limitations here are described below. F cannot query the skidi∗ with identity idi∗ through the key generation query, and SC∗ cannot be generated by the User-Sign and User-Encrypt algorithm.
Definition 2: Suppose that A is an adversary, ℧ is defined as the MA-IBSC scheme for multiple receivers. The game between Adversary A and Challenger C is introduced as follows:
Global Setup: Challenger C takes a security parameter λ as input, runs global setup algorithm, and then generates params and transmits it to A.
Authority Setup: Challenger C runs authority setup algorithm to output secret key skIDi for each authority IDi, where i∈{1,2,…,N}. Adversary A outputs target identities idl∗ of n receivers, where l={1,2,…,n}.
Phase 1: Adversary A performs the following five queries to Challenger C:
Secret key queries: A asks C for the secret key of some authorities IDi∈QS, where QS⊂{1,2,…,N} represents the index set of corrupt authorities, and then Challenger C outputs skIDi∈QS to A.
Key generation queries: When C receives the private key query about identity idi, C runs the key generation algorithm and returns skidi to A.
User-sign queries: When C receives the signature query about message M and identity idi∗, where idi∗ is the user being attacked, then C returns σi to A.
User-encrypt queries: The user-encrypt query always follows the user-sign query. When C receives the encryption query about (M,R,idi∗), where R represents the identity set of the receivers, namely R={idl}l=1n, then C calculates signcryption SC and returns to A.
Receiver-Decrypt-and-Verify queries: When C receives the decryption and verify query together about (SC,idl,idi∗), where idl∈R, if SC is a valid singcryption, then C decrypts it, verifies M, and returns M to A.
Challenge: A outputs a target plaintext pair (M0,M1) and a private key skidi∗. When Challenger C receives (M0,M1) and skidi∗, C randomly selects a message Mβ, where β∈{0,1}, then generates the target signcryption SC∗ based on Mβ, skidi∗ and n target receivers idl∗, where l={1,2,…,n}, and finally returns SC∗ to A.
Phase 2: A makes multiple queries as those in Phase 1. The limitations here are described below. A cannot ask skidl∗ of n target receivers idl∗, where l={1,2,…,n} during the key generation query, and A cannot askSC∗ during Receiver-Decrypt-and-Verify query.
Guess: In the end, A outputs its guess β′∈{0,1} and wins the game if β′=β.
EHRs System Model in Blockchain
In this section, the EHRs system model in blockchain is introduced in detail. The model combines the EHRs system with the MA-IBSC scheme for multiple receivers, realizes the sharing of EHRs in the blockchain, and ensures the privacy and validity of EHRs. The system roles, EHRs storage mode, authentication cases, and the application of the signcryption scheme are introduced below.
System Roles
There are three main roles in EHRs system in the blockchain: EHRs server, authority, and user.
EHRs Server: The EHRs server is mainly responsible for generating public parameters params in EHRS system initialization, and distributing corresponding identity for each authority and each user in the system.
Authority: The authorities include all medical departments: hospitals, pharmacies, health insurance companies, medical research institutes and so on. As the bookkeeping nodes in the blockchain, they package a set of transactions that are broadcast on the network and upload them to the new block created by them through the DPoS consensus mechanism.
User: As ordinary nodes in the blockchain, users primarily create new transactions and publish them to the network. Users include patients, medical workers and common people. Patients create their own EHRs after treatment, and then adopt MA-IBSC scheme to share their private EHRs with other designated users in the blockchain.
EHRs Storage Mode
EHRs of patients are generally private data and cannot be directly uploaded to the blockchain for sharing. Therefore, we adopt the on-chain and off-chain storage mode and only upload the address of the stored EHRs to the blockchain. The EHRs are signcrypted and stored in the off-blockchain database of each node, and the decryption permission is set at the same time. This storage mode enables patient’s EHRs to be safely shared among the users that the patient designates.
As shown in Fig. 1, when a patient creates his/her own new EHRs after diagnosis or treatment, he/she uses his/her secret key and the public keys of users, whom he/she wants to share the data with, to signcrypt the EHRs, and stores the signcrypted data in his/her off-blockchain database. Then he/she signs the address of the stored EHRs and publishes it to the blockchain.
Storage Mode of EHRs in Blockchain
Authentication Cases
To guarantee that the EHRs shared by the patient and the storage address of the EHRs broadcast by the patient in the blockchain are real, it is necessary to perform authentication. Authentication is mainly performed by verifying the signature of the sharer. Based on the system model and EHRs storage mode, authentication can be mainly classified into the following two cases:
Case 1 (Signature Authentication): Only the address of the stored EHRs is uploaded to the blockchain. Therefore, the patient needs to sign it with his/her own secret key, and other users can verify the authenticity and validity of the address.
Case 2 (Signcryption Authentication): All users can retrieve the patient’s signcrypted EHRs with the address stored in the blockchain. However, only the users (such as doctors, family members, and friends) authorized by the patient can decrypt the EHRs with their secret key, and then verify the signature of the patient to ensure the authenticity of the patient’s identity and the EHRs.
Application of the Sigcryption Scheme
For the purposes of realizing the signcryption of EHRs and the two authentication cases, we describe the relationships between the system roles and the MA-IBSC scheme for multiple receivers below.
First, the EHRs server runs the Global Setup algorithm to generate the public parameters of the system. Next, each authority performs Authority Setup algorithm to produce its own secret key and then cooperates with other authorities to generate the master secret key and the master public key of the system. After that, with the identity of each user in the system, each authority runs the KenGen algorithm and jointly distribute the secret key to the user. After receiving the secret key, the patient uses User-Sign algorithm to sign his/her own EHRs, executes User-Encrypt algorithm immediately, encrypts the signed EHRs with the public keys of the receivers whom he/she wants to share the data with. In this way, the decryption permission is set for these designated receivers. After storing the signcrypted EHRs in the off-blockchain database, the patient executes the User-Sign algorithm again and broadcasts the signed storage address of EHRs. All other nodes (authorities or users) can verify the validity of the address given by the patient by executing the Verify algorithm. Then, for a period of time, the bookkeeping node packs the storage addresses of EHRs signed by some patients, and uploads them to a new block, which is connected by the hash value of the previous block to form a blockchain. The data structure of blockchain is shown in Fig. 2.
Data Structure of Blockchain in EHRs System
When other users want to access the patient’s EHRs, they retrieve the patient’s signcrypted data in the off-blockchain database through the storage address on the blockchain and then run the Receiver-Decrypt algorithm. Only receivers with the decryption permission set by the patient can decrypt the signcrypted EHRs with their secret keys, and then run the Verify algorithm to ensure that the real EHRs are obtained.
Proposed Signcryption Scheme
Based on the EHRs system of blockchain, we propose an identity-based signcryption with multiple authorities (MA-IBSC) scheme for multiple receivers. In the scheme, users are issued their secret keys from N authorities. In addition, a user can send the same signcryption information to multiple receivers. The anonymity of the receivers is realized by Lagrange interpolation.
The detailed MA-IBSC scheme for multiple receivers is introduced bellow:
Global Setup: The EHRs server chooses two suitable multiplicative cyclic groups G1 and G2 with a prime order p, equipped with a bilinear map e:G1×G1→G2. Assuming that g is a random generator of G1, an element P1 in G1 is randomly selected. There are four strong collision-resistant hash functions H0:{0,1}λ1→Zp∗, H1:{0,1}λ1→G1, H2:G1×{0,1}λ2→Zp∗, and H3:G2→{0,1}λ1+λ2, where λ1 and λ2 represent the length of each user’s identity and the length of message, respectively. Suppose that there are N authorities in the system. The public parameters of the system are params=⟨p,g,P1,e,G1,G2,H0,H1,H2,H3,N⟩.
Authority Setup: Each authority runs this algorithm with the input of public parameters params and identity IDi, where i∈{1,2,…,N}. The two phases of generating master secret key s, master public key PK and authority’s secret key skIDi , where i∈{1,2,…,N}, are described as follows:
- Phase 1 (generation of the master secret key of the system and the secret key of each authority):
1) First, each authority IDi randomly selects a polynomial P(x) of N−1 degree over Zp∗:
P(x)=(ai0+ai1x+…+ai(N−1)xN−1)(modp)
To hide the polynomial coefficients, Aik=gaik is calculated and broadcast, where k=(0,1,…,N−1). Second, it calculates secret shares sij=P(H0(IDj)), where j=(1,2,…,N). Finally, it secretly sends sij to IDj forj≠i.
2) After receiving the secret share sij from IDi, each authority IDj verifies whether the equation gsij=∏k=0N−1(Aik)H0(IDj)k holds. If it holds, the secret share sij is valid and the sender IDi is considered to be honest. If not, IDj broadcasts a complaint against IDi. Then, to prove its honesty, IDi needs to keep broadcasting the secret shares sij until the equation holds.
3) After the above interactions, N authorities jointly generate the master secret key s=∑i=1Nai0. If the number of corrupt authorities is less than N, they cannot recover s. The secret key of each authority IDi is the constant term of its randomly selected polynomial, namely, skIDi=ai0, where i∈{1,2,…,N}.
- Phase 2 (generation of the master public key of system): In Phase 1, each authority has broadcast a publicly verifiable value {Ai0=gai0}, where i∈{1,2,…,N}. Thus, the master public key PK is calculated as:
PK=∏i=1NAi0=∏i=1Ngai0=g∑i=1Nai0=gs∈G1
Finally, each authority adds parameters {(IDi,Ai0)}i=1N and PK to params, which is finally expressed as:
KeyGen: When a user with his/her identity idi registers in the EHRs system of blockchain, he/she obtains his/her public key pkidi and secret key skidi from N authorities. The process consists of the following three phases.
Phase 1 (generation of the public key and partial secret key): First, every authority IDj, where j∈{1,2,…,N}, calculates the user’s public key pkidi=H1(idi) with his/her identity idi, then calculates partial secret key pskidi,j=(pkidi⋅P1)aj0 and secretly sends it to idi.
Phase 2 (verification of the partial secret key): After receiving the pskidi,j from authority IDj, idiverifies whether the equation e(pskidi,j,g)=?e(pkidi,Aj0) holds. If it holds, the partial secret key is valid. If not, the authority IDj needs to transmit the partial secret key again until the equation holds.
Phase 3 (generation of the secret key): Through the above interactions, user idi receives all partial secret keys from N authorities, and then calculates his/her secret key skidi as:
User-Sign: To sign a messageM, user (mainly refers to the patient user in the system) idi selects a random integer r∈Zq∗, and then calculates X=gr, h=H2(M,X) and W=skidihpkidir. The signature σi of message M is σi=(X,W).
User-Encrypt: To complete the signcryption of M, this algorithm is usually used after the User-Sign algorithm. Encryption is mainly divided into the following six steps. First, user idi calculates V=e(PKr,P1), Z=H3(V)⊕(idi||M). Second, he/she selects other users whom he/she wants to share message M with, counts the number n of these receivers, calculates xl=H0(idl) and yl=pkidlr based on the identity idl of the n receivers, where l=(1,2,…,n), and then gets n sets of data: (x1,y1),(x2,y2), … ,(xn,yn). Third, n−1 degree polynomial F(x) is constructed by Lagrange interpolation, so that F(xl)=yl, where l∈{1,2,…,n}. Fourth, for l=(1,2,…,n), the user idi calculates
fl(x)=∏1≤m≠l≤nx−xmxl−xm=bl,1+bl,1x+…+bl,nxn−1
After that, forl=(1,2,…,n), Ll=∑m=1nbm,lym is calculated. Finally, the signcryption of M is expressed as:
SC=⟨L1,L2,…,Ln,σi=(X,W),Z⟩
As you can see, the identity information of receivers is not directly displayed in the SC.
Verify: To verify the validity of signature σi from user idi, first, other users calculate h=H1(M,X), and then verify whether the equation e(g,W)=?e(PKh⋅X,pkidi)⋅e(PKh,P1) holds or not. If it holds, the signature from idi is valid and it returns Accept. If not, it returns Reject.
Receiver-Decrypt: Only the receiver with identity {idl}l=1n designated by sharer idi has the right to decrypt the signcryption SC and obtain message M. The receiver idl takes SC, params, his/her identity idl and secret key skidl as inputs to run this algorithm. He/she first calculates xl=H0(idl), δl=L1+xlL2+…+(xln−1modp)Ln, and V′=e(X,skidl)e(PK,δl) and then gets the message M and the identity idi of the signer through the following calculation:
H3(V′)⊕Z=(idi||M)
Correctness:
1) The correctness of signature σi from user idi is derived from the following equation:
2) When V′=V, message M of the user idi can be obtained. For each l∈{1,2,…,n}, there is yl=pkidlr. According to Lagrange interpolation, we can calculate:
Security Analysis and Performance EvaluationSecurity Proof
In this section, Theorem 1 and Theorem 2 respectively prove the unforgeability and confidentiality of signcryption.
The master secret key s is randomly generated by N authorities by the distributed key generation and no one knows the real value of s, so gs cannot be used as an instance of CDH problem. Here, we set PK=gas, wherega is a CDH instance. s is still generated by all authorities randomly and unknown to others, a and s are independent of each other. For any PPT adversary, even if he/she corrupts N−1 authorities, he/she cannot recover the value s. Therefore, for the PPT adversary, PK=gs∈G1 and PK=gas∈G1 are indistinguishable.
Theorem 1: In the random oracle model, if there is a probabilistic polynomial time (PPT) adversary F, who can win the Definition 1 game in Section 2.5 with a non-negligible advantage ε within timeτ, then there is an algorithm C that can solve the CDH problem with the advantage ε′≥ε−QH2(QUS+QUE)2k within time τ′≈τ+QUEO(τ1), where τ1 is the running time of e. (PPT adversary can make QS secret key quires, QK key generation quires, QUS user-sign quires, QUE user-encrypt quires and QH0,QH1,QH2, QH3 hash function H0, H1, H2,H3 quires at most).
Proof: The following shows how algorithm C uses F to solve the CDH problem with probability ε′ within time τ′.
First, C gets an instance ⟨G1,G2,p,g,e,ga,gb⟩ of CDH problem, whose goal is to calculate gab∈G1. C simulates a challenger to play the following game with F.
Global Setup: Challenger C executes global setup algorithm, inputs parameter λ, outputs public parameter params and sends it to F.
Authority Setup: C represents all authorities to run the authority setup algorithm and generate secret key skIDi for each authority IDi, where i∈{1,2,…N}, so only C knows the real value s of the master secret key. However, C sets the master secret key as a⋅s, and sets the public key as PK=gas. Because s and a⋅s are unknown to F, gs and gas are indistinguishable to F. Finally, C adds parameters {(IDi,Ai0)}i=1N and PK=gas to params. F can obtain params=⟨p,g,P1,e,G1,G2,H0,H1,H2,H3,N,{(IDi,Ai0)}i=1N,PK⟩ from C. After receiving the params, F outputs the target identity idi∗.
H0, H1, H2, and H3 are random oracle models controlled by C. The query results of H0, H1, H2, and H3 are stored in H0−list, H1−list, H2−list, and H3−list respectively.
Queries: Forger F performs some queries to Challenger C:
- H0 queries: C enters an identity IDi or idi into H0. If there is (IDi,xi) or (idi,xi) in the H0−list, returns xi, otherwise C performs the following steps:
1) Randomly selects an integer xi∈Zp∗;
2) Saves (IDi,xi) or (idi,xi) to H0−list;
3) Returns xi.
- H1 queries: C enters an identity idi intoH1. If there is (idi,ki,pkidi) in the H1−list, returns pkidi, otherwise C performs the following steps:
1) Randomly selects an integer ki∈Zp∗;
2) If idi=idi∗, (where idi∗ is C random guess of the identity that F will attack) calculates gkiP1, otherwise calculates gki;
3) Saves (idi,ki,pkidi) to H1−list;
4) Returns pkidi.
- H2 queries: C enters an array (Mi,Xi) into H2. If there is (Mi,Xi,hi) in the H2−list, returns hi, otherwise C performs the following steps:
1) Randomly selects an integer hi∈Zp∗;
2) Saves (Mi,Xi,hi) to H2−list;
3) Returns hi.
- H3 queries: C enters an element Vi∈G2 into H3. If there is (Vi,ρi) in the H3−list, returns ρi otherwise C performs the following steps:
1) Randomly selects a character string ρi∈{0,1}λ1+λ2;
2) Saves (Vi,ρi) to H3−list;
3) Returns ρi.
- Secret key queries: F requests secret keys skIDi∈QS of authority IDi∈QS, where QS⊂{1,2,…,N} represents the index set of corrupt authorities. Because C generates the secret keys of all authorities , C can answer the queries from F.
- Key generation queries: F asks C about the secret key skidi of the identity idi. If idi=idi∗, C does not answer this query and terminate the game. Otherwise, C looks for (idi,ki,pkidi) in H1−list, calculates skidi=(gki⋅P1)as, and then returns it to F.
- User-sign queries: F asks C for the signature σi of a tuple (idi,M). If idi≠idi∗, C will get the correct skidi from key generation queries, and then calculates the signature σi and transmits it to F. If idi=idi∗, C cannot obtain skidi∗ from key generation queries to calculate the signature directly. However, C can answer F’s query through the following steps: 1) C randomly selects r′∈Zp∗ and calculates X′=gr′. 2) C finds (M,X′,h′) in H2−list list and gets h′. 3) C finds (idi,ki,pkidi) in H1−list (if it cannot be found, C chooses ki∈Zp∗, then calculates pkidi=gkiP1 and stores (idi,ki,pkidi) in H1−list). 4) C calculates W′=skidih′pkidir′=gki(as⋅h′+r′)P1r′, and then gets σi=(X′,W′) and returns it to F.
- User-encrypt queries: To forge a signcryption, the query is executed after the user-sign query. When C receives the encryption query about (M,R,idi), where idi=idi∗ and R represents a receiver set {idl}l=1n (l represents the identity of receivers and n represents the number of receivers), C answers F through the following steps: 1) C calculates V′=e(PKr′,P1)=e(gas⋅r′,P1), and then finds (V′,ρ′) in the H3−list. 2) C calculatesZ′=ρ′⊕(idi||M); 3) C finds (idl,xl) in the H0 – list, calculates yl=pkidlr′ and gets Ll, where l∈{1,2,…,n}. 4) C gets the signcryption SC and sends it to F.
Forgery: F generates the target signcryption:
SC∗=⟨L1∗,L2∗,…,Ln∗,σi∗=(X∗,W∗),Z∗⟩
If the forgery is successful, the following equation holds:
e(g,W∗)=?e(PKh⋅X∗,pkidi)⋅e(PKh,P1)
Define b=kih, then W∗=skidihpkidir=(gas⋅ki)hpkidir=gab⋅spkidir. Therefore, we can get the solution of CDH problem gab=(W∗pkidir)s−1.
In the general signcryption query, as most QH2H2queries are conducted, the probability that C fails to answer a signcryption query is not greater than QH2(QUS+QUE)2k. Therefore, C can get the advantage ε′≥ε−QH2(QUS+QUE)2k and τ′≈τ+QUEO(τ1), where τ1 is the running time of e. From the above proof and CDH problem, we can see that this scheme satisfies the unforgeability of signcryption.
Theorem 2: In the random oracle model, if there is a probabilistic polynomial time (PPT) adversary A, who can win the Definition 2 game in Section 2.5 with a non-negligible advantage ε within timeτ, then there is an algorithm C that can solve the BCDH problem with the advantage ε′≥ε−QH3QRD&V2k within time τ′≈τ+(2QRD&V+QUE)O(τ1), where τ1 is the running time of e. (PPT adversary can make QS secret key quires, QK key generation quires, QUS user-sign quires, QUE user-encrypt quires, QRD&V receiver-decrypt-and-verify quires and QH0,QH1,QH2, and QH3 hash function H0, H1, H2, and H3 quires at most).
Proof: The following shows how algorithm C uses A to solve the BCDH problem with probability ε′ within time τ′.
First, C gets an instance ⟨G1,G2,p,g,e,ga,gb,gc⟩ of BCDH problem, whose goal is to calculate e(g,g)abc∈G2. C simulates a challenger to play the following game with A.
Global Setup: Challenger C executes global setup algorithm, inputs parameter λ, outputs public parameter params and sends it to F.
Authority Setup: C represents all authorities to run authority setup algorithm and generate secret key skIDi for each authority IDi, where i∈{1,2,…N}. Similarly, C sets PK=gas instead of PK=gs, where gas and gs are indistinguishable to A. Finally, C adds parameters {(IDi,Ai0)}i=1N and PK=gas to params. A can obtain params=⟨p,g,P1,e,G1,G2,H0,H1,H2,H3,N,{(IDi,Ai0)}i=1N,PK⟩ from C. After receiving the params, A outputs target identities idl∗ of n receivers, where l={1,2,…,n}.
Phase 1: Adversary A performs the following five queries to Challenger C:
- Secret key queries: A requests secret keys skIDi∈QS of authority IDi∈QS, where QS⊂{1,2,…,N} represents the index set of corrupt authorities. Because C generates the secret keys of all authorities , C can answer the queries from A.
- Key generation queries: A asks C about the secret key skidi of the identity idi. If idi=idl∗, where l={1,2,…,n}, C does not answer this query and terminate the game. Otherwise, C looks for (idi,ki,pkidi) in H1−list, then calculates skidi=(pkidi⋅P1)as=(gkiP1⋅P1)as=gas⋅ki, and returns it to A.
- User-sign queries: A asks C about the signature σi of a tuple (idi,M), where idi≠idl∗(l∈{1,2,…,n}). C answers A through the following calculations: 1) C randomly selects r′,h,t∈Zp∗, calculates X=gr′gas⋅h, W=(gkiP1)r′⋅P1as⋅h, P1=gt, and gets (M,X,h). 2) C finds (M,X) in H2−list so that it does not appear in H2−list. Otherwise, C reselects r′,h,t∈Zp∗, repeats the above calculation step, and then adds eligible (M,X) to H2−list. 3) C gets σi=(X,W) of idi and returns it to A.
- User-encrypt queries: To form a complete signcryption, the query is executed after the user-sign query. When C receives the encryption query about (M,R,idi), where idi≠idl∗ and R represents a set of n receivers {idl}l=1n, C answer A through the following steps: 1) C calculates V=e(PKr′,P1)=e(PKr′,gt), and then finds (V,ρ) in the H3−list. 2) C calculatesZ=ρ⊕(idi||M). 3) C finds (idl,xl) in the H0−list, calculates yl=X(kl−t) and gets Ll, where l∈{1,2,…,n}. 4) C gets the signcryption SC and sends it to A.
- Receiver-Decrypt-and-Verify queries: When C receives the decrypt-and-verify query about a signcryption SC=⟨L1,L2,…,Ln,σi=(X,W),Z⟩ and an identity idl, where l∈{1,2,…,n}, C answers A through the following steps: 1) C finds (idl,xl) in the H0−list and calculates δl=L1+xlL2+…+xln−1Ln. 2) C finds (idl,kl,pkidl) in the H1−list, then calculates skidl=PKkl=gas⋅kl and V′=e(X,skidl)e(PK,δl), so C can obtain (idi||M)=H3(V′)⊕Z. 3) C finds (idi,ki,pkidi) in H1−list and gets pkidi. 4) C verifies that e(g,W)=?e(PKh⋅X,pkidi)⋅e(PKh,P1) holds. If it holds, SC is a valid signcryption and M is returned to A.
Challenge: A selects a target plaintext pair (M0,M1) and identity idi of the same signer and encryptor. When Challenger C receives (M0,M1) and idi, C randomly selects a message Mβ to signcrypt, where β∈{0,1}. The signcryption calculation is as follows: 1) C finds (idl∗,kl∗,pkidl∗) in H1−list, where l={1,2,…,n}, and then obtains their pkidl∗=gkl∗P1. 2) C calculates yl∗=pkidl∗r and gets Ll∗, where l={1,2,…,n}. 3) C generates the target signcryption SC∗=⟨L1∗,L2∗,…,Ln∗,σi∗=(X∗,W∗),Z∗⟩, where X∗=gb, W∗=gki⋅(as⋅h′+r′)P1r′, P1∗=gc, Z∗=H3(e(PKr′,P1))⊕(idi||Mβ), and returns SC∗ to A.
Phase 2: A makes multiple queries as those in Phase 1. Note that A cannot ask skidl∗ of n target receivers idl∗, where l={1,2,…,n} during the key generation query, or SC∗ during Receiver-Decrypt-and-Verify query.
Guess: In the end, A outputs its guess β′∈{0,1}. If β′=β, C selects (V,ρ) from H3−list and outputs ρ as the solution of BCDH problem.
Analysis: In User-sign and User-encrypt quires, since X=gr′gas⋅h=g(r′−as⋅h), there is r=r′−as⋅h, and W=(gkiP1)r′⋅P1as⋅h=(gkiP1)(r′−as⋅h)⋅(gkiP1)as⋅h⋅P1as⋅h=(gkiP1)(r′−as⋅h)⋅gki⋅as⋅h=(gkiP1)r⋅skidih=skidihpkidir. Because yl=X(kl−t)=gr⋅(kl−t)=(gklgt)r=(gklP1)r=pkidlr, where l={1,2,…,n}, Ll can be calculated and the target signcryption can be realized.
During the challenge process, C sets X∗=gb and P1∗=gc. After knowing pkidl∗=gkl∗P1 , C can get yl∗=X∗(kl∗−c)=gb(kl∗−c)=(gkl∗gc)b=(gkl∗P1)b=pkidl∗b, and then get Ll∗ by Lagrange interpolation function. Therefore, SC∗ is the same as described in the actual attack process. If A’s guess is correct, A needs to ask the random oracle function H3 to get V=e(PKr,P1)=e(gas⋅b,P1)=e(gas⋅b,gc)=e(g,g)abc⋅s, Therefore, we can get the solution of BCDH problem e(g,g)abc=V⋅e(g,g)s−1.
In the attack phase, A performs QRD&V receiver-decrypt-and-verify quires. C selects V randomly from H3−list to calculate e(g,g)abc=V⋅e(g,g)s−1 as the result of BCDH problem. Therefore, C can get the advantage ε′≥ε−QH3QRD&V2k, and τ′≈τ+(2QRD&V+QUE)O(τ1), where τ1 is the running time of e. From the above proof and BCDH problem, we can see that this scheme satisfies the confidentiality of signcryption.
Performance Evaluation
In this paper, we mainly evaluate the performance from signcryption efficiency and signcryption attributes.
In order to explore the signcryption efficiency, we mainly analyze its computing cost and communication traffic (i.e., length of signcryption). Tab. 1 shows the comparison results of the signcryption efficiency between the proposed scheme and prvious schemes.
Comparison of the Signcryption Efficiency
Schemes
Mul
Exp
Log
Pair
Hash
Num
Length of Signcryption
Reference [22]
4
1
1
1
3
n+9
3|G1|+n|ID|+|M|
Reference [23]
3
2n+2
1
1
2
9
(n+3)|G1|+n|ID|+|M|
Reference [24]
5
1
1
3
3
n+11
5|G1|+2n|ID|+|M|
This scheme
1
n+3
1
1
3
11
(n+2)|G1|+|ID|+|M|
Mul represents multiplication operation in G1; Exp represents exponential operation in G1; Log represents logical operation; Pair represents bilinear operation in G2; Hash represents the hash operation in the signature and encryption step; Num represents the number of parameters; |G1| represents the length of elements in G1; |ID| represents the length of identity information; |M| represents the length of plaintext message; n represents the number of receivers.
Tab. 2 shows the comparison results of signcryption attributes between the proposed scheme and previous schemes.
Comparison of the Signcryption Attributes
Schemes
Unforgeability
Confidentiality
Model
Multiple Receivers
Anonymity of Receivers
Multiple Authorities
Resisting Collusion Attacks
Reference [22]
Y
Y
Random Oracle
Y
N
N
N
Reference [23]
Y
Y
Standard Model
Y
N
N
N
Reference [24]
Y
Y
Random Oracle
Y
Y
N
N
This scheme
Y
Y
Random Oracle
Y
Y
Y
Y
Compared with previous schemes, the proposed scheme has less |ID| length and relatively moderate communication traffic in terms of signcryption efficiency. In order to ensure that the identities of receivers are not exposed in the signcrypted message, our scheme uses Lagrange interpolation to realize the anonymity of receivers. Lagrange interpolation involves many multiplications and exponential operations, so it increases the computing cost and affects the efficiency. However, the Lagrange formula can be calculated before the signcryption, so the operation in the signcryption step can be greatly reduced.
In terms of signcryption attributes, the signcryption scheme proposed in this paper satisfies unforgeability and confidentiality under a random oracle model. Compared with other schemes, the proposed scheme is more suitable for multiple receivers and can guarantee the anonymity of receivers. Importantly, the distributed key generation is realized by multiple authorities and can resist collusion attacks.
Conclusion
In order to allow patients to control their own EHRs initiative and share EHRs safely in blockchain, in this paper, we introduced multiple authorities into the identity-based signcryption scheme, and constructed a detailed MA-IBSC scheme for multiple receivers. The MA-IBSC scheme can not only resist the collusion attack of at most N-1 corrupted authorities, but also share the same signcryption message with multiple designated receivers. At the same time, the identity information of these receivers is anonymous. Under the assumptions of CDH and BCDH, it is proved that the proposed scheme is secure, that is, it satisfies unforgeability and confidentiality of signcryption.
Funding Statement: This work was supported by the National Key Research and Development Project of China (Grant No. 2017YFB0802302), the Science and Technology Support Project of Sichuan Province (Grant Nos. 2016FZ0112, 2017GZ0314, and 2018GZ0204), the Academic and Technical Leaders Training Funding Support Projects of Sichuan Province (Grant No. 2016120080102643), the Application Foundation Project of Sichuan Province (Grant No. 2017JY0168), and the Science and Technology Project of Chengdu (Grant Nos. 2017-RK00-00103-ZF, and 2016-HM01-00217-SF).
Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
ReferencesL. Z.Xiong and Y. Q.Shi, “
On the privacy-preserving outsourcing scheme of reversible data hiding over encrypted image data in cloud computing,”
Computers, Materials & Continua, vol.
55, no.
3, pp.
523–
539,
2018.U.Premarathne, A.Abuadbba, L.Khalil, Z.Tari and A.Zomaya, “
Hybrid cryptographic access control for cloud-based EHR systems,”
IEEE Cloud Computing, vol.
3, no.
4, pp.
58–
64,
2016.G.Ramu, “
A secure cloud framework to share EHRs using modified CP-ABE and the attribute bloom filter,”
Education and Information Technologies, vol.
23, no.
5, pp.
2213–
2233,
2018.Z.Deng, Y.Ren, Y.Liu, X.Yin, Z.Shenet al., “
Blockchain-based trusted electronic records preservation in cloud storage,”
Computers, Materials & Continua, vol.
58, no.
1, pp.
135–
151,
2019.S.Nakamoto, “
Bitcoin: A peer-to-peer electronic cash system,”
2008. [Online]. Available: https://nakamotoinstitute.org/bitcoin.P. B.Nichol, “
Blockchain applications for healthcare: Blockchain opportunities are changing healthcare globally-innovative leaders see the change,”
2016. [Online]. Available: http://www.cio.com/article/3042603/innovation/blockchain-applications/for-healthcare.html.M.Crosby and V.Kalyanaraman,
Blockchain Technology: Beyond Bitcoin.
Berkeley, USA:
Applied Innovation Review, issue no. 2,
2015.A.Roehrs, C. A.da Costa and R.da Rosa Righi, “
OmniPHR: A distributed architecture model to integrate personal health records,”
Journal of Biomedical Informatics, vol.
71, pp.
70–
81,
2017.W. J.Gordon and C.Catalini, “
Blockchain technology for healthcare: Facilitating the transition to patient-driven interoperability,”
Computational and Structural Biotechnology Journal, vol.
16, pp.
224–
230,
2018.A. A.Omar, S.Rahman, A.Basu and S.Kiyomoto, “
MediBchain: A blockchain based privacy preserving platform for healthcare data,” in International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage,
Cham, Switzerland:
Springer, pp.
534–
543,
2017. S.Badr, I.Gomaa and E.Abd-Elrahman, “
Multi-tier blockchain framework for IoT-EHRs system,”
Procedia Computer Science, vol.
141, pp.
159–
166,
2018.L. X.Chen, W. K.Lee, C. C.Chang, K. K. R.Choo and N.Zhang, “
Blockchain based searchable encryption for electronic health record sharing,”
Future Generation Computer Systems, vol.
95, pp.
420–
429,
2019.X.Jiang, M. Z.Liu, C.Yang, Y. H.Liu and R. L.Wang, “
A blockchain-based authentication protocol for WLAN mesh security access,”
Computers, Materials & Continua, vol.
58, no.
1, pp.
45–
59,
2019.F.Tang, S.Ma, Y.Xiang and C. L.Lin, “
An efficient authentication scheme for blockchain-based electronic health records,”
IEEE Access, vol.
7, pp.
41678–
41689,
2019.R.Guo, H.Shi, Q.Zhao and D.Zheng, “
Secure attribute-based signature scheme with multiple authorities for blockchain in electronic health records systems,”
IEEE Access, vol.
6, pp.
11676–
11686,
2018.Y.Sun, R.Zhang, X.Wang, K.Gao and L.Liu, “
A decentralizing attribute-based signature for healthcare blockchain,” in 27th International Conference on Computer Communication and Networks (ICCCN),
Hangzhou, China, pp.
1–
9,
2018. Y.Zheng, “
Digital signcryption or how to achieve cost (signature & encryption),” in CRYPTO '97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology,
B. S. Kaliski, CA, USA, Berlin, Heidelberg:
Springer-Verlag, pp.
165–
179,
1997. J.Malone-Lee, “
Identity-based signcryption,” in
Cryptology ePrint Archive, Report 2002/098,
2002. [Online]. Available: http://eprint.iacr.org/2002/098.pdf.A.Karati and G. P.Biswas, “
A practical identity based signcryption scheme from bilinear pairing,” in International Conference on Advances in Computing, Communications and Informatics,
Jaipur, India, pp.
832–
836,
2016. C. X.Zhou, Y.Zhang and L. M.Wang, “
A provable secure identity-based generalized proxy signcryption scheme,”
International Journal of Network Security, vol.
20, no.
6, pp.
1183–
1193,
2018.S.Duan and Z.Cao, “
Efficient and provably secure multi receiver identity based signcryption,” in Australasian Conference on Information Security & Privacy,
Australia, pp.
195–
206,
2006. S. S. D.Selvi, S. S.Vivek and R.Srinivasan, “
An efficient identity-based signcryption scheme for multiple receivers,” in Proceedings of the 4th International Workshop on Security: Advances in Information and Computer Security,
Berlin:
Springer, pp.
71–
88,
2009. B.Zhang and Q. L.Xu, “
An ID-based anonymous signcryption scheme for multiple receivers secure in the standard model,” in Proceedings of the 2010 International Conference on Advances in Computer Science and Information Technology,
Berlin:
Springer, vol.
20, pp.
15–
27,
2010. X.Wang, J.Shu, W.Zheng, L. L.Liu and X.Fan, “New multi-receiver ID-based ring signcryption scheme,” in
Unifying Electrical Engineering and Electronics Engineering.
X. Song, VA, New York, USA:
Springer, pp.
2251–
2257,
2014.