A practical application of CP-ABE for mobile PHR system: a study on the user accountability

Background: Attribute based encryption has been widely applied for secure data protection in PHR systems. However, since different users may share the same attributes in the system, a user may leak his private key for illegal data sharing without being detected. This adds further threat to the private data stored in the PHR system.

Finding: To help users achieve higher efficiency and more secure data sharing in a mobile PHR system, based on previous works, we study the traitor tracing mechanism in attribute based cryptosystems and propose a highly efficient attribute based encryption with user accountability for mobile PHR systems. If a malicious PHR user exposes his private key for illegal data sharing, his identity can be accurately pinpointed by the system manager. No bilinear pairing operations are needed during the whole process of data sharing, which relieves the mobile terminal devices from a heavy computation burden.

Conclusion: As a further study, in this short report we show that a novel attribute based encryption with user accountability helps users achieve better efficiency and more secure data sharing in a mobile PHR system.

In CP-ABE, a user's access privileges are defined by a set of attributes. A user can read the ciphertext on condition that the attributes he owns match the policy (Price et al. 2015). An illustration of a ciphertext access policy is shown in Fig. 1: the PHR data owner may not know the exact identity of the users who have the privilege to access the data, but can describe them using attributes such as "family members" or "Nurse". For instance, if a user owns the attributes {Hospital 1, Physician}, then he can access the PHR data, since the attributes he possesses satisfy the access structure illustrated in Fig. 1.
Many schemes have applied attribute based encryption to the design of medical care systems such as PHR (Qian et al. 2015; Liu et al. 2013; Li et al. 2015; Xhafa et al. 2015) and BAN (Tan et al. 2011; Tian et al. 2014), but the efficiency is still unsatisfactory. One important factor is that a PHR user has to run bilinear pairing operations many times when decrypting a ciphertext. When PHR users access the encrypted data from mobile devices with restricted computing resources, such as cellphones, body area sensors and smart watches, the heavy decryption computation makes mobile PHR data sharing considerably harder.
Key abuse is another obstacle to applying attribute based encryption to PHR systems. ABE is an advanced type of broadcast encryption: users owning the same attributes share the same private key. At the same time, however, a malicious user may deliberately expose his private key without being detected. Thus, a mechanism that provides user accountability and traitor tracing should also be introduced.
Based on the previous works (Liu et al. 2013; Tan et al. 2011; Li et al. 2015; Tian et al. 2014; Xhafa et al. 2015; Li and Khan 2012), to better solve the problems described above and help users achieve secure data sharing in a mobile PHR system, the following constructions are established. Firstly, we propose a user accountable ciphertext policy attribute based encryption without pairings (UA-CPABE-WP) for mobile PHR systems. In our UA-CPABE-WP, users can recover the plaintext on condition that the attributes they possess satisfy the access policy. Secondly, the mechanism of user accountability is introduced. If a malicious PHR user exposes his private key for illegal data sharing, his identity can be accurately pinpointed by the system manager. Thirdly, no bilinear pairings are needed during data sharing, hence relieving the mobile terminal devices from heavy computation.

Fig. 1
A CP-ABE access control structure for PHR data

Implementation of the proposed UA-CPABE-WP
An implementation example of our scheme is illustrated in Fig. 2. It consists of six entities: AA (attribute authority), base station, PHR data center, data owner, data receiver and tracer. The base station and the data center are hardware components responsible for mobile communications and file storage. AA generates an attribute private key for each user in the system. The PHR data center stores massive amounts of PHR data and responds to users' data access requests. The data owner and receiver are the two sides of the communication: the data owner encrypts the file under an access structure, while a receiver can decrypt the ciphertext on a mobile device if the attributes he owns match the access structure. The tracer can pinpoint the exact identity of a traitor who deliberately leaks his private key.

Constructions
Before introducing the formalized definitions of our scheme, some notations are defined in Table 1 for the convenience and clarity of the description. The system public parameters are $\{G, q, p, A_i, T_i, Y, H_1, H\}$ and the system master keys are $t_i, y, h$.

Private key generation: AA assigns a globally unique identifier to each user in the PHR system. For a PHR user (without loss of generality, denote his identity by $id$) possessing attribute set $S$, AA generates his private key $SK_{id}$ as follows:

Encrypt: When a data owner wants to share his private PHR data with some people possessing certain attributes, he works as described below. He picks a polynomial $q_x$ for each node $x$ of the access control structure, where the degree of $q_x$ is one less than the threshold value of the node. For the root node the data owner sets $q_{root}(0) = s$. For any other node, let $q_x(0) = q_{parent(x)}(index(x))$. The ciphertext is constructed as:

Decrypt: Upon receiving $CT$, the data receiver calculates:

Correctness proof: If $x$ is a leaf node, If $x$ is a non-leaf node, Then the algorithm calculates $F_{root} = -q_{root}(0) \cdot rp = -rsp$ by the recursive function and computes:
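The polynomial assignment of the Encrypt step and the recursive reconstruction of the Decrypt step, as an added example that is not the paper's code: it models only the threshold secret sharing over a prime field, with the node layout, attribute names and the stand-in for the Fig. 1 policy constructed here. The elliptic-curve scalar multiplications of the real scheme are not modelled, and the modulus, `share_secret`, `recover` and `FIG1_TREE` are assumptions of this example.

```python
import secrets
# Constructed prime modulus; the real scheme applies these shares inside
# elliptic-curve scalar multiplications, which are not modelled here.
Q = 2**127 - 1

def share_secret(node, secret):
    """Encrypt step: q_root(0) = secret, q_child(0) = q_x(index(child)).
    node is ('attr', name) or ('thr', k, [children]) for a k-of-n gate.
    Returns {leaf attribute name: share}; leaf names assumed unique."""
    if node[0] == 'attr':
        return {node[1]: secret}
    _, k, children = node
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]  # degree k-1
    shares = {}
    for index, child in enumerate(children, start=1):
        value = sum(c * pow(index, j, Q) for j, c in enumerate(coeffs)) % Q
        shares.update(share_secret(child, value))
    return shares

def lagrange_at_zero(points):
    """q(0) of the polynomial through the given (index, value) pairs."""
    total = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def recover(node, shares):
    """Decrypt recursion: q_x(0) if `shares` satisfies the subtree at x, else
    None. The paper's F_root is this value folded into -q_root(0)*rp."""
    if node[0] == 'attr':
        return shares.get(node[1])
    _, k, children = node
    points = [(i, recover(c, shares)) for i, c in enumerate(children, start=1)]
    points = [(i, v) for i, v in points if v is not None]
    return lagrange_at_zero(points[:k]) if len(points) >= k else None

# Constructed stand-in for the Fig. 1 policy: "Family members" OR two of
# {Hospital 1, Physician, Nurse}.
FIG1_TREE = ('thr', 1, [('thr', 2, [('attr', 'Hospital 1'), ('attr', 'Physician'),
                                     ('attr', 'Nurse')]), ('attr', 'Family members')])

def demo(secret=123456789):
    shares = share_secret(FIG1_TREE, secret)
    return (recover(FIG1_TREE, {a: shares[a] for a in ('Hospital 1', 'Physician')}),
            recover(FIG1_TREE, {'Nurse': shares['Nurse']}))
```

`demo()` shows that {Hospital 1, Physician} recovers $s$ while {Nurse} alone does not, matching the example given for Fig. 1.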

Security proof
Theorem UA-CPABE-WP is secure under chosen message attack if the CDH assumption holds.

Proof If there exists an adversary that can break our UA-CPABE-WP with advantage $(t, \varepsilon)$, then there exists a simulator breaking the CDH assumption with advantage $(t', \varepsilon')$ which satisfies:

$$t' \le t + (nq_p + 4n + 9) \cdot t_{sm} + (nq_k + 2n + 2) \cdot t_a \quad (7)$$

$$\varepsilon' \ge \frac{\varepsilon}{e(q_k + 1)} \cdot \left(1 - \frac{1}{2^l}\right)$$

In (7), $q_p$ is the number of public key queries in the challenge game. The detailed proof follows that in Liu et al. (2013).

PHR user accountability
When a malicious user (denote his unique identity by $mid$ and the private key he owns by $SK_{mid}$) deliberately leaks his private key in the PHR system for illegal data sharing, his identity can be exactly pinpointed by the tracer. Two main methods can be adopted for traitor tracing:

a. Since each user's private key is unique, if the number of users is not huge, the tracer can build a list recording each private key with its corresponding user's identity, as Table 2 shows. When a private key exposure happens, the tracer searches the list for the identifier corresponding to the leaked private key, and the traitor is exactly traced.

b. Upon receiving a legal private key $SK_{mid} = \{K = (mid \cdot y + r) h^{-1}, \forall A_i \in S, D_i = t_i - r\}$ from the PHR system, the tracer first recovers the attribute set belonging to the malicious user from the $D_i$ and calculates $r$ as follows: Then, the identity can be pinpointed by:
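Both tracing methods above, as an added example that is not the paper's code: a toy attribute authority issues keys of the form $K = (id \cdot y + r)h^{-1}$, $D_i = t_i - r$ over a constructed prime field (the grouping of $K$, the class and method names and the identities are assumptions of this example, and the curve arithmetic is not modelled), and the tracer recovers the identity either from its recorded list (method a) or algebraically from the key material (method b).

```python
import secrets

Q = 2**127 - 1  # constructed prime standing in for the group order q

class AttributeAuthority:
    """Toy AA holding master keys y, h and one t_i per attribute (no curve
    arithmetic: a key is modelled as the scalars K and D_i only)."""
    def __init__(self, attribute_names):
        self.y = secrets.randbelow(Q - 2) + 2
        self.h = secrets.randbelow(Q - 2) + 2
        self.t = {a: secrets.randbelow(Q) for a in attribute_names}
        self.registry = {}  # method (a): K -> identity lookup table

    def keygen(self, uid, attrs):
        """Private key generation; r is fresh per user, so two users with the
        same attribute set still receive different keys."""
        r = secrets.randbelow(Q)
        K = (uid * self.y + r) * pow(self.h, -1, Q) % Q   # assumed grouping
        self.registry[K] = uid
        return {'K': K, 'D': {a: (self.t[a] - r) % Q for a in attrs}}

    def trace_by_table(self, leaked):
        """Method (a): look the leaked key up in the recorded list."""
        return self.registry.get(leaked['K'])

    def trace_by_algebra(self, leaked):
        """Method (b): recover S and r from the D_i, then mid from K."""
        r_candidates = {(self.t[a] - d) % Q for a, d in leaked['D'].items()}
        if len(r_candidates) != 1:   # every D_i must agree on the same r
            raise ValueError("inconsistent D_i values: not a legal key")
        r = r_candidates.pop()
        mid = (leaked['K'] * self.h - r) * pow(self.y, -1, Q) % Q
        return mid, set(leaked['D'])

def demo():
    aa = AttributeAuthority(['Hospital 1', 'Physician', 'Nurse'])
    key_a = aa.keygen(1001, ['Hospital 1', 'Physician'])
    key_b = aa.keygen(1002, ['Hospital 1', 'Physician'])  # same attributes
    assert key_a['K'] != key_b['K']  # shared attributes, distinct keys
    return aa.trace_by_table(key_b), aa.trace_by_algebra(key_b)
```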

Efficiency evaluation
In this section, we compare the efficiency of our scheme with other schemes that have also applied attribute based encryption to medical systems. In our scheme, the Encrypt algorithm takes $(2n + 2)$ multiplication operations, while the Decrypt algorithm takes $(n + 2)$ multiplication operations and $(n + 1)$ additions. Denote by "Exp", "Pair", "Mul" and "Add" the exponentiation, pairing, multiplication and addition operations respectively. The detailed comparison results in terms of computation cost are shown in Table 3.
Since the computation cost of a bilinear pairing is much larger than that of a multiplication or an addition, it can be seen that the efficiency of our UA-CPABE-WP is higher, since no bilinear pairings are needed.

Table 3 (surviving row for our scheme): Ours | Encrypt: (2n + 2) Mul | Decrypt: (n + 2) Mul + (n + 1) Add | Yes