1 Introduction

In our aging society, mobile healthcare systems are expected to be an effective way to improve health care quality and save lives [1]. Recently, with the rapid development of wireless communication, sensor, and energy storage technologies, there has been an increasing interest in Wireless Body Area Networks (WBANs). Patients do not have to go to the hospital for medical examination: WBANs, as a promising health-care system, can monitor human physiological parameters such as heart rate, blood sugar level, blood pressure and temperature in a timely manner, as the hospital does [2]. The obtained physiological parameters are gathered at the Coordinator of the network, which displays the information on a screen and transmits it to the Base Station (BS) [3]. Moreover, besides monitoring the patients' physiological information, WBANs are expected to schedule an immediate response so that the fastest treatment is provided when an emergency occurs. According to the World Health Organization (WHO) statistics, 30 % of worldwide deaths are caused by cardiovascular related diseases, and strokes and heart disease account for a bigger proportion, about 50 %. This survey shows that when confronted with sudden emergencies, a rapid response mechanism will significantly shorten treatment time for better remedy results [4, 5].

Unfortunately, although the WBAN-based mobile healthcare system is capable of improving the quality of health monitoring management and reducing the healthcare budget, there are still many problems to solve in realizing the system. Among them, information security and privacy preservation are of great importance. A recent study shows that 75 % of Americans consider the privacy of their health information important or very important [6]. It has also been reported that patients' willingness to get involved in a health monitoring program could be severely lowered when people are concerned about privacy breaches in their voluntarily submitted health data [7].

Earlier researchers have studied security and privacy-preserving methods and achieved many results. Chen et al. [8] designed an event-driven security forwarding protocol, which assumed that patients with the same illness would participate in the same activity (illness-related activity) with high probability. In order to safely forward the information of the illness, a predicate encryption was designed to guarantee patient privacy and message confidentiality. Lu et al. [9] proposed a secure same-symptom-based handshake scheme based on bilinear pairing, which allowed patients with the same symptom to communicate. Patients with the same symptom could generate the same key to maintain secure communication, while others with different symptoms would not obtain the session key to get private data. These studies gave us a new perspective on privacy preservation, but they could only withstand identity theft attack, forgery attack, and collusion attack. Lu et al. [10] designed a privacy-preserving relay filter scheme in delay tolerant networks, which could prevent strong and weak privacy-curious users from stealing information. The former methods can be used in our scheme, but they do not take the whole system into consideration and lack an emergency scheduling method.

Furthermore, some researchers have studied the Emergency Response Support System (ERSS). Tong et al. [11] built a mobile healthcare system based on a secure indexing method, which could offer efficient key management, privacy-preserving data storage and emergency retrieving. Liang et al. [12] designed an emergency-aided privacy-preserving scheme which could broadcast a patient's encrypted location and physiological information. The scheme could withstand identity theft attack and forgery attack. However, the attribute matching between the medical users and the healthcare staff and the privacy of attributes were not considered. Lu et al. [1] proposed a secure and privacy-preserving opportunistic framework for healthcare emergencies, which opportunistically transferred the PHI to nearby people by smart phone with minimal privacy disclosure. It did not mention the privacy of location and attributes for the healthcare staff. Sun et al. [13] addressed the conflicting privacy issues arising from the functional requirements, taking location privacy into consideration but not paying attention to attribute privacy.

However, current emergency response systems are far from satisfactory and their functions are inadequate. For one thing, most of them lack effective emergency scheduling strategies which can ensure efficient first aid. For another, no proper privacy protection mechanisms are available. Efficiency and privacy have a definite tradeoff relationship in critical situations, which may provide attackers with a back door to steal private information.

Aiming at the shortcomings of existing systems, the contributions of this paper are:

  • This paper proposes a privacy-preserving emergency response scheduling scheme, which can guarantee both efficiency and privacy when dealing with an emergency in Medical Social Networks.

  • We take both the locations of patients and nursing staff and the attribute matching degree into account to find the nearest first-aid provider. A secure attribute matching scheme is proposed to find the best attribute matcher. The best HSP is selected as a compromise between the above two factors. In the meantime, we are capable of effectively protecting PHI privacy, location privacy and the privacy of attribute information.

  • The computing burden on the TA, MUs and HSPs is simulated to show that the system is practicable.

The rest of the paper is organized as follows. Some preliminaries are introduced in Section 2 including the Multi-Dimensional Range Queries (MDRQs) and Bilinear Pairing (BP). The system model is introduced in Section 3, in which the system structure and attack model are demonstrated. The scheduling method is introduced in Section 4, in which the four parts of the scheme are illustrated. The simulation is shown in Section 5 and we conclude the paper and discuss the future work in Section 6.

2 Preliminaries

2.1 Multi-dimensional range queries

Multi-dimensional range query technology was first introduced by Shi [14] and applied in database querying. It was then further used in reputation-based encryption schemes [15]. In an MDRQs system, the sender encrypts a message under an interval \([r_{1}, r_{2}]\) or under θ-bit data d, and the receiver can then decrypt the message with the corresponding interval or the private key of data d. In this way, we can guarantee confidentiality of both the message and the interval or the data.

The method of MDRQs is based on the binary tree. A θ-level binary tree is built to represent the θ-bit data. The root node tag, which is empty, is shown as ⊥ and all the other nodes are represented in binary. For example, if a parent node is labeled w, its left child node is w0 and its right child node is w1. To denote an interval, all leaf nodes in the interval are selected and the minimum set of subtree nodes that covers these leaf nodes is taken. To denote a value, we pick the set which contains all nodes on the path from the root node to the corresponding leaf node.

Take the 3-bit binary tree shown in Fig. 1 as an example. The interval [001,101] can be expressed as \(S_{[001,101]}=\{001,01,10\}\), and the value 3 is represented as \(S_{011}=\{\perp ,0,01,011\}\). We can see that these sets are unique and contain up to θ elements. To judge whether the element 011 belongs to the interval [001,101], we only need to know whether there is an intersection between their representation sets. For example, 011∈[001,101], so \(S_{[001,101]}\cap S_{011}=\{01\}\); the circled element in Fig. 1 is the answer.

Fig. 1 Basic idea of MDRQs

The method of MDRQs can be constructed [16] from Anonymous Identity-based Encryption (A-IBE) schemes. A-IBE additionally achieves identity confidentiality, compared to traditional Identity-based Encryption (IBE) schemes, which can only encrypt confidential information. In order to encrypt information under an interval, we regard each element in the corresponding set as an identity of A-IBE and encrypt them one by one. When the receiver's numeral is located in this interval, the receiver can decrypt the information by using the corresponding element in the set. Obviously, A-IBE can protect identity privacy because each element in the set can be regarded as identity information.

In our following schemes, the MDRQs method is used to determine whether the physiological values measured by the BAN are in the abnormal range, for the detection of emergencies. At the same time, physiological information must be kept private. In Section 4, we will see the detailed application of MDRQs in emergency event detection.

2.2 Bilinear pairing

Bilinear Pairing was first introduced to cryptology in 1993 by Menezes et al. [17]. It can transform the discrete logarithm from an elliptic curve to a finite field. Currently, a Bilinear Pairing can be obtained by modifying the Tate pairing [18, 19] or the Weil pairing [17, 20] on the elliptic curve.

Definition 1

Bilinear Pairing: Let \(\mathbb {G}\) be a q-order additive group and \({\mathbb {G}}_{\mathbb {T}}\) be a q-order multiplicative group, in which q is prime and g is a random generator of \(\mathbb {G}\). An admissible Bilinear Pairing \(e: \mathbb {G} \times \mathbb {G} \rightarrow {\mathbb {G}}_{\mathbb {T}}\) satisfies the following three principles.

  1. Bilinear: \(e(g^{a}, h^{b}) = e(g, h)^{ab}\), \(\forall g, h\in \mathbb {G}\) and \(\forall a, b\in \mathbb {Z}_{q}\);

  2. Nondegeneration: \(\exists g,h \in {\mathbb {G}}_{\mathbb {1}}\) such that \(e(g, g)\neq 1\);

  3. Computable: there exists an algorithm with polynomial time complexity to compute \(e(g, h)\), \(\forall g, h\in \mathbb {G}\).

In the above definition, for simplicity, only symmetric bilinear pairings are considered, that is, \(\mathbb {G}_{1}=\mathbb {G}_{2}=\mathbb {G}\). More generally, \(e: \mathbb {G}_{1} \times \mathbb {G}_{2} \rightarrow {\mathbb {G}}_{\mathbb {T}}\), in which \(\mathbb {G}_{1},\mathbb {G}_{2}, {\mathbb {G}}_{\mathbb {T}}\) are cyclic groups whose order is a prime number. However, the method and algorithm are applied to \(\mathbb {G}_{1}\neq \mathbb {G}_{2}\). In cryptology, the security of encryption is based on the assumption that certain problems are hard; these are introduced below.

Definition 2

Computational Bilinear Diffie-Hellman (CDH): For \(a,b \in \mathbb {Z}_{q}\), given \((g, g^{a}, g^{b})\), to compute \(g^{ab}\in {\mathbb {G}}_{\mathbb {T}}\) is a hard problem.

Definition 3

Decisional Bilinear Diffie-Hellman (DDH): Randomly pick three numerals \(a,b,c \in {\mathbb {Z}_{q}}\) and a random element \(T\in {\mathbb {G}}_{\mathbb {T}}\); given \((g, g^{a}, g^{b}, g^{c}, T)\), to prove whether \(e(g, g)^{abc} = T\) is hard.

Definition 4

Bilinear Diffie-Hellman Parameters Generator: a probabilistic algorithm \(\mathcal {G}en(\kappa )\) with input κ and output \((q,g,\mathbb {G},{\mathbb {G}}_{\mathbb {T}},e)\), where q is κ prime, \(\mathbb {G},{\mathbb {G}}_{\mathbb {T}}\) are q-order cyclic groups, g is a generator and e is a bilinear mapping.

3 System model

3.1 System structure

Based on cloud computing, Emergency Response Scheduling System (ERSS) is designed to guarantee privacy. The system structure is shown as in Fig. 2.

Fig. 2 System Architecture of ERSS

The system is composed of four parts: Cloud Server (CS), Trusted Agent (TA), Medical Users (MUs) and Healthcare Service Providers (HSPs). The TA, which is a totally trusted agent, may possibly be managed by the government. It takes charge of the whole ERSS, for instance, system initialization, registration of MUs, and allocation of keys for MUs and HSPs. The TA is the manager that keeps the system secure, stable and efficient. MUs, which are equipped with medical sensors, are usually patients and send their physiological information, locations and individual attributes to the CS via PDAs or smart phones. All the information is transmitted as encrypted text. HSPs are medical service providers, such as hospitals and doctors. HSPs are selected to allocate medical staff to provide first aid when an emergency occurs. HSPs are also supposed to transmit their locations and attributes to the CS. The CS monitors the MUs' real-time physiological information. When an emergency occurs, it selects the nearest and best matched HSP to optimize the time and efficiency of first aid.

3.2 Privacy attack model

Because of its large storage and fast computation, the CS is used to store medical information and provide services of inquiry, computation and access. However, the CS is inclined to be attacked by illegal invaders and is honest but curious [21]. The privacy of users may not be guaranteed. In this paper the following privacy attacks are considered.

  1. Physiological Information Privacy Attack: While monitoring the MUs' uploads for emergencies, the CS can obtain physiological information by various attack methods.

  2. Location Privacy Attack: The location is needed for the CS to compute the distance between the MU and HSPs. The CS can infer the location by analyzing the distance.

  3. Personal Attribute Privacy Attack: The CS needs to compute the attribute matching between the MU and HSPs, and it can analyze personal attributes from the matching results.

  4. Collusion Attack: If the CS cannot decrypt the information, it is possible for it to collude with MUs or HSPs to obtain the other's information.

4 Trusted scheduling method

The Trusted Scheduling Method (TSM) proposed in this section can be divided into five steps: Initialization, Emergency Detection, Distance Privacy Computing, Attribute Matching Computing and Scheduling Algorithm Design.

4.1 Initialization

To ensure that private information is not revealed or stolen, some initial work has to be done in advance. As a trusted department, the TA initializes, allocates and manages the keys for the system.

[Algorithm 1: figure not reproduced]

Therefore, the Master Key (MK) and Public Parameter (PP) of the TA are:

$$ \left. \begin{array}{c} MK=(a,b,r,P,Q,SK_{TA})\\ PP=(q,g,\mathbb{G},{\mathbb{G}}_{\mathbb{T}},e,H_{1},H_{2},H_{3},A,B,T,PK_{TA}) \end{array} \right. $$
(1)

In the proposed system, in order to detect an emergency the CS needs to judge whether the MU's physiological parameters are in the normal range. The MDRQs method is proposed for rapid detection. However, this kind of method contains security holes. The CS is able to obtain the physiological parameters by brute-force attacks because the range of the parameters is relatively small. Accordingly, this method needs to be optimized.

Assume that there are n physiological parameters to be monitored, which are denoted by \(H = \{h_{1}, h_{2},\cdots , h_{n}\}\), and the relative indexes are \(I_{i}\ (1\leq i\leq n)\). For any \(h_{i}\in H\), the normal data range is denoted by \([th_{i1}, th_{i2}]\). The TA generates random numerals \(\delta _{i}\ (1\leq i\leq n)\) via a pseudorandom function and changes the normal range to \([th_{i1}+\delta _{i}, th_{i2}+\delta _{i}]\). By using MDRQs, the smallest node set that covers the normal range of the parameters is obtained.

$$ S_{[th_{i1}+\delta_{i}, th_{i2}+\delta_{i}]}=\{id|id\in S_{i}\} $$
(2)

where id denotes an element of the smallest node set \(S_{i}\).

For convenience, the complement of normal range set is used to detect emergency. The complement set is denoted as follows:

$$ S_{[th_{i1}+\delta_{i}, th_{i2}+\delta_{i}]^{c}}=\{id|id\in S_{i}^{\prime}\} $$
(3)
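The set logic behind Section 2.1 and Eqs. 2 and 3, as an added Python example that is not code from the paper: it builds the minimal cover set of an interval and the root-to-leaf path set of a value, and tests membership by intersection, first on the 3-bit case of Fig. 1 and then on a normal range shifted by \(\delta _{i}\). The function names, the 8-bit width, the heart-rate range 60 to 100 and the offset 37 are assumptions made for the illustration, and the A-IBE encryption of each id is omitted.

```python
ROOT = "⊥"  # tag of the (empty) root node


def path_set(value, bits):
    """S_value: every node on the path from the root to the leaf of `value`."""
    if not 0 <= value < 2 ** bits:
        raise ValueError("value does not fit in the tree")
    leaf = format(value, f"0{bits}b")
    return {leaf[:k] or ROOT for k in range(bits + 1)}


def cover_set(lo, hi, bits):
    """S_[lo,hi]: the minimal set of nodes whose subtrees cover exactly [lo, hi]."""
    out = set()

    def visit(prefix, node_lo, node_hi):
        if hi < node_lo or node_hi < lo:          # subtree disjoint from interval
            return
        if lo <= node_lo and node_hi <= hi:       # subtree fully inside interval
            out.add(prefix or ROOT)
            return
        mid = (node_lo + node_hi) // 2
        visit(prefix + "0", node_lo, mid)
        visit(prefix + "1", mid + 1, node_hi)

    if lo <= hi:
        visit("", 0, 2 ** bits - 1)
    return out


def complement_cover(lo, hi, bits):
    """Cover of everything outside [lo, hi], i.e. the abnormal range (Eq. 3)."""
    return cover_set(0, lo - 1, bits) | cover_set(hi + 1, 2 ** bits - 1, bits)


def is_emergency(reading, normal, delta, bits):
    """True when the shifted reading falls outside the shifted normal range."""
    lo, hi = normal
    alarm_ids = complement_cover(lo + delta, hi + delta, bits)  # prepared by the TA
    reading_ids = path_set(reading + delta, bits)               # prepared by the MU
    return bool(alarm_ids & reading_ids)                        # some id is shared


if __name__ == "__main__":
    print(sorted(cover_set(0b001, 0b101, 3)))
    print(sorted(cover_set(0b001, 0b101, 3) & path_set(0b011, 3)))
    for bpm in (45, 72, 140):  # constructed heart-rate readings
        print(bpm, is_emergency(bpm, (60, 100), 37, 8))
```

In the scheme itself the CS never sees these labels in the clear; each id is hashed and bound into a ciphertext, and a shared id shows up only as a successful decryption of EMC.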

The TA computes each element id in set \(S_{i}^{\prime }(1\leq i \leq n)\) using its MK.

$$ \left\{ \begin{array}{l} C_{1}=EMC\oplus H_{2}(e(H_{1}(id)^{a},g^{r}))\\ C_{2}=H_{3}(r\parallel id \parallel EMC)\\ C_{3}=g^{\frac{a}{C_{1}+C_{2}+b}} \end{array} \right. $$
(4)

where EMC is the emergency detection signal. When the CS detects the EMC signal from the encrypted information, it will know that the MU is in an emergency situation and first aid service is needed.

After the computation is finished, the TA sends the encrypted text \(C = (C_{1}, C_{2}, C_{3})\) and the index of physiological characteristics \(I_{i}\ (1\leq i\leq n)\) to the CS. The CS receives the data and verifies data integrity by using \(e(g^{C_{1}}\cdot g^{C_{2}}\cdot B,C_{3})\overset {?}{=}T\), as shown in Eq. 5.

$$ \begin{aligned} e(g^{C_{1}}\!\cdot\! g^{C_{2}}\!\cdot\! B,C_{3})\,=\,e(g^{C_{1}+C_{2}+b},g^{\frac{a}{C_{1}+C_{2}+b}})\,=\,e(g,g)^{a}\,=\,T \end{aligned} $$
(5)

If verification fails, the data package is dropped; if it succeeds, the CS stores the data and deals with the emergency.

Meanwhile, the TA carries on the next step using homomorphic encryption as shown in Algorithm 2.

[Algorithm 2: figure not reproduced]

After the initialization, the detailed detecting, computing and scheduling are in progress.

4.2 Emergency detection

After receiving encrypted data from the TA, the MU decrypts the data \(r\), \(\delta _{i}\ (1\leq i\leq n)\), \(P^{-1}\), \(Q^{-1}\) using its private key and then makes the transformation shown in Eq. 6 by using \(\delta _{i}\ (1\leq i\leq n)\):

$$ H'=\{h_{1}+\delta_{1},h_{2}+\delta_{2},\cdots,h_{n}+\delta_{n}\}=\{h_{1}^{\prime},h_{2}^{\prime},\cdots,h_{n}^{\prime}\} $$
(6)

For \(h_{i}^{\prime }\in H^{\prime }\), the MU sets up a binary tree using the MDRQs method, which is shown in Fig. 1. \(h_{i}^{\prime }\) is on the relative leaf node. The path set \(S_{path_{i}}\) between the root node and the relative leaf node is chosen to denote \(h_{i}^{\prime }\), as shown in Eq. 7.

$$ S_{h_{i}^{\prime}}=\{id^{\prime}|id^{\prime}\in S_{path_{i}}\} $$
(7)

For each element \(id^{\prime }\) in set \(S_{h_{i}^{\prime }}\), the MU generates a random numeral β as the private key for communication, computes the public key \(PK_{s} = g^{\beta }\), and then obtains the encrypted text with Eq. 8.

$$ \left\{ \begin{array}{l} C_{1}^{\prime}=H_{1}(id^{\prime})^{r}\\ C_{2}^{\prime}=g^{\frac{1}{C_{1}^{\prime}+\beta}} \end{array} \right. $$
(8)

Afterwards, the MU sends information to the CS including the encrypted text \(C^{\prime }=(C_{1}^{\prime },C_{2}^{\prime })\) and the relative physiological parameter index \(I_{i}\ (1\leq i\leq n)\), location and personal attributes. After receiving the information, the CS verifies the data integrity by using \(e(g^{C_{1}^{\prime }}\cdot PK_{s},C_{2}^{\prime })\overset {?}{=}e(g,g)\), as shown in Eq. 9.

$$ e(g^{C_{1}^{\prime}}\cdot PK_{s},C_{2}^{\prime})=e(g^{C_{1}^{\prime}}\cdot g^{\beta},g^{\frac{1}{C_{1}^{\prime}+\beta}})=e(g,g) $$
(9)

Once the check in Eq. 9 passes, the CS begins to check each uploaded physiological value according to its physiological parameter index to judge whether an abnormal status exists. When \(h_{i}^{\prime }\notin [th_{i1}+\delta _{i},th_{i2}+\delta _{i}]\) is satisfied, it follows that \(S_{[th_{i1}+\delta _{i}, th_{i2}+\delta _{i}]^{c}}\cap S_{h_{i}^{\prime }}\neq \varnothing \), which also means \(id = id^{\prime }\). Hence, the CS can decrypt the alarm signal EMC using Eq. 10.

$$\begin{array}{@{}rcl@{}} &~&\ \ \ \ C_{1}\oplus H_{2}(e(C_{1}^{\prime},A))\\ &=&C_{1}\oplus H_{2}(e(H_{1}(id^{\prime})^{r},g^{a}))\\ &=&C_{1}\oplus H_{2}(e(H_{1}(id^{\prime}),g)^{ra})\\ &=&EMC \oplus H_{2}(e(H_{1}(id),g)^{ra})\oplus H_{2}(e(H_{1}(id^{\prime}),g)^{ra})\\ &=&EMC \end{array} $$
(10)

Once the CS detects EMC, it is supposed to select the nearest and best matched HSP for the first aid to guarantee shortest time and highest efficiency.

4.3 Distance privacy computing

When the CS detects an emergency, it is supposed to choose the optimal HSP to guarantee the shortest time of arrival and the best matching with the MU. First of all, we have to find out which HSP is nearest to the MU. To compute the distance, the locations of both the MU in emergency and the registered HSPs are needed. However, location is a private parameter for the MU and HSPs, and the CS is not fully trusted because it may analyse the location or act in collusion with others to steal information. When the attacker gets the location of the MU or HSP, he can first track the user and furthermore estimate the user's habits, social position, physical condition and even identity. In this case a privacy protection mechanism has to be designed for both the MU and HSPs.

In this system, the location of each MU and HSP is a 3-dimensional vector. The location of the MU is denoted by \(L_{u}=(x_{1}, x_{2}, x_{3})\) and that of the HSP is denoted by \(L_{s}=(y_{1}, y_{2}, y_{3})\). The Euclidean distance between them is:

$$ d=|L_{u}-L_{s}|=\sqrt{\sum\limits_{i=1}^{3}(x_{i}-y_{i})^{2}} $$
(11)

Before sending location to the CS, the MU and HSP will separately preprocess the location data. The MU conceals its location by Eq. 12 by using the invertible matrix \(P^{-1}=(p_{ij}^{\prime })(1\leq i,j\leq 3)\), which is generated and allocated by the TA.

$$ C_{L_{u}}= \left( \begin{array}{ccc} p_{11}^{\prime}x_{1} & p_{12}^{\prime}x_{2} & p_{13}^{\prime}x_{3}\\ p_{21}^{\prime}x_{1} & p_{22}^{\prime}x_{2} & p_{23}^{\prime}x_{3}\\ p_{31}^{\prime}x_{1} & p_{32}^{\prime}x_{2} & p_{33}^{\prime}x_{3} \end{array} \right) $$
(12)

Meanwhile, the MU encrypts location data with homomorphic encryption and obtains the encrypted text as shown in Eq. 13.

$$ E_{L_{u}}=E_{PK_{TA}}\left( \sum\limits_{i=1}^{3}{x_{i}^{2}}\right) $$
(13)

Then the data \(C_{L_{u}}\), \(E_{L_{u}}\) and \(E_{PK_{TA}}(L_{u})\) are uploaded to CS.

Similarly, each HSP makes use of \(E_{PK_{TA}}(P)(P=(p_{ij}), 1\leq i,j\leq 3)\), which is received from the TA. Combined with the property of homomorphic encryption, the HSP computes \(C_{L_{s}}=(C_{L_{s1}}, C_{L_{s2}},C_{L_{s3}})\) and \(E_{L_{s}}\), where

$$\begin{array}{@{}rcl@{}} C_{L_{si}}&=& \prod\limits_{j=1}^{3}E_{PK_{TA}}^{y_{j}}(p_{ji}) \quad (1\leq i\leq 3) \end{array} $$
(14)
$$\begin{array}{@{}rcl@{}} E_{L_{s}}&=& E_{PK_{TA}}\left( \sum\limits_{i=1}^{3}{y_{i}^{2}}\right) \end{array} $$
(15)

Then \(C_{L_{s}}\) and \(E_{L_{s}}\) are uploaded to the CS.

After receiving data from the MU and HSPs, the CS can compute the distance between the MU and HSPs by taking the next two steps.

  • Step 1: Compute \(E_{PK_{TA}}(L_{u}\cdot L_{s})\) using \(C_{L_{u}}\) and \(C_{L_{s}}\). \(C_{L_{si}}\) can be expanded to be: \(C_{L_{si}}={\prod }_{j=1}^{3}E_{PK_{TA}}^{y_{j}}(p_{ji})=E_{PK_{TA}}(y_{1}p_{1i}+y_{2}p_{2i}+y_{3}p_{3i})\). And we get:

    $$\begin{array}{@{}rcl@{}} &~&\ \ \ \ E_{PK_{TA}}(L_{u}\cdot L_{s})\\ &=&\prod\limits_{j=1}^{3}\prod\limits_{i=1}^{3}E_{PK_{TA}}^{p_{ij}^{\prime}x_{j}}(y_{1}p_{1i}+y_{2}p_{2i}+y_{3}p_{3i})\\ &=&E_{PK_{TA}}(L_{u}\cdot P\cdot P^{-1}\cdot L_{s})\\ &=&E_{PK_{TA}}\left( \sum\limits_{k=1}^{3}(x_{k}y_{k})\right) \end{array} $$
    (16)
  • Step 2: After computing \(E_{PK_{TA}}(L_{u}\cdot L_{s})\), the distance is obtained by Eq. 17.

    $$\begin{array}{@{}rcl@{}} &~&\ \ \ \ E_{L_{u}}\cdot E_{L_{s}}\cdot E_{PK_{TA}}^{-2}(L_{u}\cdot L_{s})\\ & =&E_{PK_{TA}}\left( \sum\limits_{i=1}^{3}{x_{i}^{2}}\right)\cdot E_{PK_{TA}}\left( \sum\limits_{i=1}^{3}{y_{i}^{2}}\right)\\ &\cdot& E_{PK_{TA}}^{-2}\left( \sum\limits_{k=1}^{3}(x_{k}y_{k})\right) \\ & =&E_{PK_{TA}}\left( \sum\limits_{i=1}^{3}(x_{i}-y_{i})^{2}\right)\\ & =&E_{PK_{TA}}(|L_{u}-L_{s}|^{2})=E_{PK_{TA}}(d^{2}) \end{array} $$
    (17)

4.4 Trusted Attribute Matching Computing

In the previous section, we calculated the encrypted squared distance between the MU and HSPs. However, the HSP nearest to the MU in emergency may not be the most suitable. If the chosen HSP cannot handle the MU's problems, the medical service provided will not be efficient, which will threaten the patient's life. As a result, we should also take attribute similarity into account when choosing the best HSP.

In our algorithm, we find the HSP which best matches the MU's symptoms with an attribute matching algorithm. In this way we can ensure scheduling efficiency. Therefore, the MU and HSP need to upload attribute-related information to the cloud separately. The MU's uploaded information mainly contains personal messages such as disease details, gender, age and some other information that helps emergency treatment. For the HSP, the attribute information refers to its expertise, position, gender, age etc. We transform these attribute messages into numerical values: different symptoms belong to different attributes, and different values represent disease severity. Once both the HSP and MU have the same attribute information, they will then be matched by the scheduling algorithm.

In the algorithm, we represent attribute information as a vector, and we assume that the vector length of both the MU and the HSP is m. The MU's attribute vector is expressed as \(U_{u}=(u_{1}, u_{2},\cdots , u_{m})\), and the HSP's attribute vector is expressed as \(V_{s}=(v_{1}, v_{2},\cdots , v_{m})\). We then need to calculate the Manhattan distance \(d_{m}\) between the two vectors with the following formula:

$$ d_{m}=d(U_{u},V_{s})=\sum\limits_{i=1}^{m}|u_{i}-v_{i}| $$
(18)

For convenience, the attributes matching degree is dealt with as Eq. 19.

$$ S=\|U_{u}-V_{s}\|_{2} $$
(19)

The MU computes (20) and (21) by using the TA’s homomorphic encryption key and invertible matrix \(Q^{-1}=(q_{ij}^{\prime })(1\leq i,j\leq m)\).

$$ C_{U_{u}}= \left( \begin{array}{cccc} q_{11}^{\prime}u_{1} & q_{12}^{\prime}u_{2} & {\cdots} & q_{1m}^{\prime}u_{m}\\ q_{21}^{\prime}u_{1} & q_{22}^{\prime}u_{2} & {\cdots} & q_{2m}^{\prime}u_{m}\\ {\vdots} & {\vdots} & & {\vdots} \\ q_{m1}^{\prime}u_{1} & q_{m2}^{\prime}u_{2} & {\cdots} & q_{mm}^{\prime}u_{m} \end{array} \right) $$
(20)
$$ E_{U_{u}}=E_{PK_{TA}}\left( \sum\limits_{i=1}^{m}{u_{i}^{2}}\right) $$
(21)

The HSP computes \(C_{V_{s}}=(C_{V_{s1}},C_{V_{s2}},{\cdots } C_{V_{sm}})\) and \(E_{V_{s}}\) using the data received from the TA, \(E_{PK_{TA}}(Q)(Q=(q_{ij}),1\leq i,j\leq m)\), as shown in Eqs. 22 and 23.

$$ C_{V_{si}}= \prod\limits_{j=1}^{m}E_{PK_{TA}}^{v_{j}}(q_{ji}) \quad (1\leq i\leq m) $$
(22)
$$ E_{V_{s}}= E_{PK_{TA}}\left( \sum\limits_{i=1}^{m}{v_{i}^{2}}\right) $$
(23)

After that, the MU and HSP separately send \(C_{U_{u}},E_{U_{u}}\) and \(C_{V_{s}},E_{V_{s}}\) to the CS. The CS computes \(S^{2}\) by taking the next two steps:

  • Step 1: According to the property of homomorphic encryption, \(C_{U_{u}}\) and \(C_{V_{s}}\) are used to compute \(E_{PK_{TA}}(U_{u}\cdot V_{s})\), as shown in Eq. 24.

    $$\begin{array}{@{}rcl@{}} E_{PK_{TA}}(U_{u}\cdot V_{s}) &=&\prod\limits_{j=1}^{m}\prod\limits_{i=1}^{m}E_{PK_{TA}}^{q_{ij}^{\prime}u_{j}}\left( \sum\limits_{k=1}^{m}v_{k}\cdot q_{ki}\right)\\ & =&E_{PK_{TA}}(U_{u}\cdot Q\cdot Q^{-1}\cdot V_{s})\\ & =&E_{PK_{TA}}\left( \sum\limits_{k=1}^{m}(u_{k}v_{k})\right) \end{array} $$
    (24)
  • Step 2: Compute \(S^{2}\) with Eq. 25.

    $$\begin{array}{@{}rcl@{}} &~&\ \ \ \ E_{U_{u}}\cdot E_{V_{s}}\cdot E_{PK_{TA}}^{-2}(U_{u}\cdot V_{s})\\ & =&E_{PK_{TA}}\left( \sum\limits_{i=1}^{m}{u_{i}^{2}}\right) \cdot E_{PK_{TA}}\left( \sum\limits_{i=1}^{m}{v_{i}^{2}}\right)\\ &\cdot& E_{PK_{TA}}^{-2}\left( \sum\limits_{k=1}^{m}(u_{k}v_{k})\right) \\ & =&E_{PK_{TA}}\left( \sum\limits_{i=1}^{m}(u_{i}-v_{i})^{2}\right)\\ & =&E_{PK_{TA}}(|U_{u}-V_{s}|^{2})=E_{PK_{TA}}(S^{2}) \end{array} $$
    (25)
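The encrypted distance computation of Eqs. 12 to 17 and the identical attribute computation of Eqs. 20 to 25, as one added Python example that is not code from the paper. It assumes Paillier as the additively homomorphic scheme, toy keys built from two Mersenne primes, and an integer masking matrix of determinant 1 so that its inverse is exact; the paper names none of these, and all function names are made up here.

```python
import math
import random

# Toy Paillier modulus from two Mersenne primes (constructed, far too small for real use).
P_PRIME, Q_PRIME = 2 ** 31 - 1, 2 ** 61 - 1


def keygen():
    n = P_PRIME * Q_PRIME
    phi = (P_PRIME - 1) * (Q_PRIME - 1)
    return n, (phi, pow(phi, -1, n))       # public n, private (phi, phi^-1 mod n)


def enc(n, m):
    n2 = n * n
    while True:
        r = random.randrange(2, n)
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2    # (1+n)^m * r^n mod n^2


def dec(n, sk, c):
    phi, phi_inv = sk
    return (pow(c, phi, n * n) - 1) // n * phi_inv % n


def masking_pair(dim, rounds=12):
    """Integer matrix P with det 1 and its exact inverse, built by row operations."""
    P = [[int(i == j) for j in range(dim)] for i in range(dim)]
    P_inv = [row[:] for row in P]
    for _ in range(rounds):
        a, b = random.sample(range(dim), 2)
        k = random.randint(1, 9)
        for c in range(dim):
            P[b][c] += k * P[a][c]             # row b += k * row a
        for r in range(dim):
            P_inv[r][a] -= k * P_inv[r][b]     # column a -= k * column b (inverse step)
    return P, P_inv


def ta_setup(dim):
    n, sk = keygen()
    P, P_inv = masking_pair(dim)
    enc_P = [[enc(n, v) for v in row] for row in P]
    return n, sk, P_inv, enc_P                 # P_inv goes to the MU, enc_P to each HSP


def mu_upload(n, P_inv, x):
    dim = len(x)
    masked = [[P_inv[i][j] * x[j] % n for j in range(dim)] for i in range(dim)]  # Eq. 12 / 20
    return masked, enc(n, sum(v * v for v in x))                                  # Eq. 13 / 21


def hsp_upload(n, enc_P, y):
    n2, dim = n * n, len(y)
    blinded = []
    for i in range(dim):
        c = 1
        for j in range(dim):
            c = c * pow(enc_P[j][i], y[j] % n, n2) % n2     # Eq. 14 / 22
        blinded.append(c)
    return blinded, enc(n, sum(v * v for v in y))            # Eq. 15 / 23


def cs_squared_distance(n, mu_msg, hsp_msg):
    """What the CS computes: a ciphertext of |x - y|^2, without any decryption key."""
    masked, e_x2 = mu_msg
    blinded, e_y2 = hsp_msg
    n2, dim = n * n, len(blinded)
    e_dot = 1
    for j in range(dim):
        for i in range(dim):
            e_dot = e_dot * pow(blinded[i], masked[i][j], n2) % n2   # Eq. 16 / 24
    return e_x2 * e_y2 * pow(e_dot, n - 2, n2) % n2   # exponent n-2 acts as -2; Eq. 17 / 25


def run_protocol(x, y):
    """Full round trip; the final decryption is the step only the TA can perform."""
    n, sk, P_inv, enc_P = ta_setup(len(x))
    c = cs_squared_distance(n, mu_upload(n, P_inv, x), hsp_upload(n, enc_P, y))
    return dec(n, sk, c)


if __name__ == "__main__":
    print(run_protocol((120, 45, 3), (100, 60, 0)))        # constructed locations
    print(run_protocol((3, 0, 2, 5, 1), (1, 0, 4, 5, 0)))  # constructed attributes
```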

4.5 Trusted Scheduling Algorithm

After computing the distance and the attribute matching degree, the CS needs to select the optimal HSP to provide first aid using the scheduling algorithm. In order to guarantee time and efficiency, both distance and attribute matching degree are taken into consideration. It is clear that the smaller d is, the less time is needed to arrive at the spot, and the smaller S is, the higher the matching degree and the better the first aid service. As timeliness is especially crucial for first aid, only the nearest N HSPs are taken into consideration, among which the HSP with the best attribute matching is selected as the optimal one. With the property of homomorphic encryption, the scheduling function is as shown in Eq. 26.

$$ F_{s}=\min \limits_{minN\{{d_{i}^{2}}\}}\{{S_{i}^{2}}\}, $$
(26)

where \(minN\) denotes the smallest N elements.

During the scheduling process, the HSP with the smallest \(F_{s}\) has the authority to get the location of the MU and heads for the spot as soon as possible. The CS and other HSPs will not get any non-encrypted information. To guarantee the security of scheduling, the algorithm is designed as shown in Algorithm 3.

[Algorithm 3: figure not reproduced]

5 Simulations

The security is analysed and the performance of the proposed system is simulated in this section.

5.1 Security analysis

The proposed privacy-preserving scheduling scheme for emergency response systems can protect the privacy of physiological data, location, and personal attributes. It can also defend against collusion attacks.

Physiological data privacy

In order to detect emergencies, the TA and MU are required to send \(C = (C_{1}, C_{2}, C_{3})\) and \(C^{\prime }=(C_{1}^{\prime },C_{2}^{\prime })\) to the CS respectively, in which the PHI and the abnormal range are transformed with the MDRQ method and mapped to elements of \(\mathbb {G}\) with a Hash function. According to the non-invertible property of the Hash function and Bilinear Pairing, the CS cannot obtain the MU's PHI or the abnormal range. So the PHI privacy can be guaranteed.

Location privacy

The locations of the MU and HSP are concealed by \(P^{-1}\) and encrypted with homomorphic encryption, then transmitted to the CS. For \(C_{L_{u}}\), the CS has to figure out 12 unknown numbers with 9 equations. So the CS cannot obtain the information of locations. Furthermore, according to the properties of homomorphic encryption, the CS cannot decrypt \(E_{L_{u}}\). The location of both the MU and HSP can be protected.

Personal attribute privacy

Similarly, the attributes of MU and HSP are concealed with \(Q^{-1}\) and encrypted with TA's homomorphic PK so the CS cannot obtain TA's encrypted matrix and homomorphic PK to obtain the information of attributes.

Defence of collusion attack

The HSP's location \(C_{L_{si}}={\prod }_{j=1}^{3}E_{PK_{TA}}^{y_{j}}(p_{ji})\quad (1\leq i\leq 3), E_{L_{s}}= E_{PK_{TA}}({\sum }_{i=1}^{3}{y_{i}^{2}})\) and attributes \( C_{V_{si}}= {\prod }_{j=1}^{m}E_{PK_{TA}}^{v_{j}}(q_{ji}) \quad (1\leq i\leq m),E_{V_{s}}= E_{PK_{TA}}({\sum }_{i=1}^{m}{v_{i}^{2}})\) are encrypted by TA's homomorphic PK. If the CS colludes with the MU, the MU cannot provide any information about the HSP because it cannot obtain TA's homomorphic PK. Similarly, if the CS colludes with the HSP, the HSP cannot provide \(P^{-1}\) and \(Q^{-1}\) to the CS and cannot help the CS decrypt the information of the MU. So the collusion attack can be defended against.

5.2 Efficiency performance

In this section, based on the Good Manufacturing Practice library and the Peripheral Bus Computer library [22], we verify the safety performance by simulating the designed scheduling mechanism on a Linux system platform with a 2.93 GHz processor and 3.00 GB RAM. We take the operation time and communication overhead as the performance indicators.

According to the requirements of the actual situation and system safety performance, we set up correlated system parameters as shown in Table 1. In this table, θ represents the quantity of bits of physiological parameters \(h_{i}^{\prime }\). n represents the quantity of PHI, and m denotes the length of personal attribute vector.

Table 1 Parameter Setting

5.2.1 Performance of operation time

In order to evaluate the system efficiency, we simulate the operation time from each part of our system, including the TA, MU, HSP and CS. Then we compute the responding time for detecting emergency and accomplishing scheduling.

Figure 3a and b indicate the offline operation time of the TA. The operation time increases with θ, n and m. The reason is that during the system initialization process, the TA should compute C for each entity id in set \(S_{i}^{\prime }(1\leq i\leq n)\), and then execute homomorphic encryption for each item in matrix P, Q. Computation of C is in direct proportion to numbers of PHI, id, and the amount of θ. We can also find out that the bigger m is the bigger Q is.

Fig. 3 TA’s Offline Run Time with (a) θ, n change (b) with θ, m change

Figure 4 shows the online operation time of the TA. This time is spent decrypting the scheduling function that the CS sends during the TA’s scheduling process. During the scheduling process, the TA compares the MU with the scheduling function of each HSP, hence the operation time in this part depends only on the quantity of HSPs.

Fig. 4 TA’s Online Running Time over the Number of HSP

In the experiment, one homomorphic encryption costs about 61 ms. Figure 4 shows that when the number of the HSPs is 1000, the overall time needed for computation is only 1 min. Compared with Fig. 3a and b, we can see that the TA can finish the complicated computation offline in the initialization process, which greatly reduces the online operation time and speeds up medical dispatching.

Total operation time for the MU is illustrated in Fig. 5a and b. The MU computes \(C^{\prime },C_{L_{u}},E_{L_{u}},C_{U_{u}}\) and \(E_{U_{u}}\), among which \(C_{L_{u}}\) and \(E_{L_{u}}\) need only 32 multiplications and one homomorphic encryption operation. When m is constant, Fig. 5a shows that the computing time becomes longer as θ and n increase, mainly because C has to be computed repeatedly, \(n\theta\) times. When n is fixed, Fig. 5b shows that the operation time hardly changes with different values of m. This is because during the computation of \(C_{U_{u}}\) the MU needs only \(m^{2}\) multiplications of 1024 bits. Each multiplication of this kind takes only \(7.1\times 10^{-4}\) ms, which can almost be ignored. Hence, the overall operation time of the MU is mainly decided by the number of entity elements and the PHI.

Fig. 5 MU’s Operation Time (a) over θ, n when m=50 (b) over θ, m when n=20

Figure 6 shows the overall operation time of the HSP. In our designed safe scheduling algorithm, the HSP only needs to upload personal location information and attribute information, which are represented as \(C_{L_{s}},E_{L_{s}}, C_{V_{s}}\) and \(E_{V_{s}}\). These computations need just two homomorphic encryptions, \(32+m^{2}\) exponentiations and \(m^{2}m+6\) 2048-bit multiplications. Figure 6 shows that little time is needed to cover all the computational tasks: the HSP can upload data to the CS in several seconds, which guarantees the real-time requirements.

Fig. 6 HSP’s Operation Time with m Varies

Online and offline operation time of the CS is shown in Fig. 7a and b and Fig. 8a and b. The CS plays the vital role in the whole safe scheduling algorithm: it carries out the majority of the work, such as data integrity authentication, emergency detection, distance privacy calculation, attribute matching degree computation and safe scheduling. However, the CS can do the most complicated computation offline, such as the authentication of data C sent by the TA during the initialization process and the attribute matching degree computation. Figure 7a and b show that these two parts cost more computation and time. Some other parts, e.g., emergency detection, distance privacy and safe scheduling function calculation, must be done online. However, these kinds of work cost fewer steps of operation and less time, as depicted in Fig. 8a and b. θ, n is only related to the number of the HSPs but has nothing to do with m.

Fig. 7 CS’ Offline Operation Time (a) over θ, n when HSP=1000, m=50 (b) over HSP, m when θ = 64, n=20

Fig. 8 CS’ Online Operation Time (a) over HSP, θ when n=20 (b) over HSP, n when θ = 64

The emergency detection time is shown in Fig. 9. The detection time is affected by the number of n and id, which is consistent with the MU’s operation time (Fig. 5) and the Cloud operation time (Fig. 8). Figure 9 shows that the CS can detect alarming information in 3 minutes if abnormal messages occur in the MU. If special circumstances impose a higher standard of time efficiency, we can still adjust the parameters n, θ to make the detection time shorter.

Fig. 9 Emergency Detection Time (a) over θ, n (b) over HSP, n when θ = 64. (c) Total Online Operation Time over HSP, θ when n=20

Figure 8b and c reflect the overall online operation time. The overall time consumption is affected by n, θ and the number of the HSPs. With more HSPs participating and n, θ increasing, the operation time increases. Fortunately, the entire scheduling process can be done in a relatively short time; for example, the overall operation time is 15 minutes when the number of the HSPs is 1000.

5.2.2 Communication Overhead

The communication overhead acts as an indicator to measure system feasibility, which must be considered as a factor in algorithm design. In the following, we simulate communication overhead for each part in the system containing the TA, MU, HSP and the CS.

Figure 10a and b show the communication overhead of the TA. The TA has more communication overhead with bigger θ, n, m. This is because during the initialization process, the TA needs to send data to the CS. The data size is \(2n\theta C\). The TA also sends the homomorphically encrypted texts \(E_{PK_{MU}}(r), E_{PK_{MU}}(\delta _{i})(1\leq i\leq n), E_{PK_{MU}}(P^{-1}), E_{PK_{MU}}(Q^{-1})\) to the MU and sends \(E_{PK_{TA}}(P), E_{PK_{TA}}(Q)\) to the HSP. In our simulation, the sizes of elements in set \(\mathbb {G}\), \({\mathbb {G}}_{\mathbb {T}}\) and of a homomorphic encryption text are respectively 160 bits, 1024 bits and 2048 bits. The size of the TA’s total communication overhead is \(2\cdot 480n\theta +2048(2m^{2}+19+n)\), and Fig. 10a and b show that the overall communication overhead is less than 2 MB. What is more, these kinds of data only need to be sent once, during the initialization process.

Fig. 10 TA’s Communication Overhead (a) over m, θ when n=20 (b) over n, θ when m=50

Figure 11a and b show the communication overhead of the MUs. In order to detect emergencies and arrange safe scheduling, the MU needs to send \(C^{\prime },C_{L_{u}},E_{L_{u}},C_{U_{u}}\) and \(E_{U_{u}}\) to the CS. From the preset system parameters, the size of the communication overhead is \(320n\theta +1024(9+m^{2})+2\cdot 2048\). \(C^{\prime },C_{L_{u}}\) and \(E_{L_{u}}\) need to be sent to the CS in real time by the MU, while \(C_{U_{u}},E_{U_{u}}\) do not need to be changed often, so sending them once is enough. Figure 11a and b show that the MU communication overhead is small, about 0.5 MB, which is acceptable for the users.

Fig. 11 MU’s Communication Overhead (a) over m, θ when n=20 (b) over n, θ when m=50

Figure 12a shows the HSP communication overhead. The communication overhead is in proportion to attribute vector length m. This is because the HSP needs to transmit encrypted text \(C_{L_{s}}, E_{L_{s}},C_{V_{s}}\) and \(E_{V_{s}}\) to the CS, so the data size all together is 2048(5 + m) bits. Furthermore, attribute information is only transmitted once, which is why the HSP only needs to send position information in actual process and communication overhead becomes constant.

Fig. 12 (a) HSP’s Communication Overhead over m (b) CS’ Communication Overhead over the Number of HSP

The communication overhead of the CS is shown in Fig. 12b. In the secure scheduling process the CS sends scheduling function encrypted text \(E_{PK_{TA}}(F_{s})\) to the TA for decoding. In a word, it is only the number of the HSPs that decides the communication overhead.

6 Conclusion

This paper proposes an ERSS model and designs an emergency response scheduling method which includes emergency detection, distance privacy computing, attribute matching computing and security scheduling algorithm. ERSS guarantees the precision and privacy for emergency detection using the MDRQs and Bilinear Pairing and also protects the location and attribute privacy of the MU and HSP by designing distance privacy and attribute matching algorithm based on homomorphic encryption. And finally a security scheduling algorithm is proposed to guarantee the scheduling’s timeliness and effectiveness. The simulation shows that the time and communication overhead is relatively small which verifies the effectiveness and feasibility.