EVOAC-HP: An Efficient and Verifiable Outsourced Access Control Scheme with Hidden Policy

As medical data become increasingly important in healthcare, it is crucial to have proper access control mechanisms, ensuring that sensitive data are only accessible to authorized users while maintaining privacy and security. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is an attractive access control solution that can offer effective, fine-grained and secure medical data sharing, but it has two major drawbacks: Firstly, decryption is computationally expensive for resource-limited data users, especially when the access policy has many attributes, limiting its use in large-scale data-sharing scenarios. Secondly, existing schemes are based on data users’ attributes, which can potentially reveal sensitive information about the users, especially in healthcare data sharing, where strong privacy and security are essential. To address these issues, we designed an improved CP-ABE scheme that provides efficient and verifiable outsourced access control with fully hidden policy named EVOAC-HP. In this paper, we utilize the attribute bloom filter to achieve policy hiding without revealing user privacy. For the purpose of alleviating the decryption burden for data users, we also adopt the technique of outsourced decryption to outsource the heavy computation overhead to the cloud service provider (CSP) with strong computing and storage capabilities, while the transformed ciphertext results can be verified by the data user. Finally, with rigorous security and reliable performance analysis, we demonstrate that EVOAC-HP is both practical and effective with robust privacy protection.


Introduction
The rapid advancement of medical technology has revolutionized the healthcare industry, and one of its most significant impacts is the increasing prevalence of electronic health record (EHR) systems, replacing traditional paper-based medical records [1,2]. The adoption of EHRs has facilitated the real-time management and sharing of medical records for both doctors and patients. Additionally, healthcare practitioners can now access data more easily, enabling them to make more comprehensive diagnoses. With the emergence of 5G, cloud computing and big data, cloud-assisted EHR systems have become popular for outsourcing medical record management to the CSP and reducing management overhead. However, concerns about security and privacy arise when storing sensitive medical record data on cloud servers. Additionally, traditional encryption methods cannot achieve fine-grained data sharing and access. Access to such data without authorization can result in serious consequences, including identity theft, insurance fraud, and even the endangering of patient lives. Therefore, it is crucial to design robust security mechanisms for protecting medical data stored in the cloud [3]. To ensure data confidentiality and fine-grained access control to sensitive EHR data, Attribute-Based Encryption (ABE) was introduced as an appropriate encryption solution [4].
CP-ABE, proposed by Bethencourt et al. [5], provides a flexible way for data owners to specify their own access control policies. This is achieved by linking a ciphertext to an access policy defined by the user and associating a user's secret key with a set of attributes. As a result, only users whose attributes satisfy the access policy can decrypt the ciphertext and access the data. However, existing CP-ABE schemes [5][6][7] may not meet security and privacy requirements. Firstly, the access policy that is associated with the ciphertext can be viewed publicly, which means that anyone can obtain useful sensitive private data and expose confidential details regarding the encrypted EHR data, which can result in the exposure of the identity and attributes of medical practitioners or patients, thus compromising their privacy [8]. In addition, those existing schemes have the disadvantage of having a linear increase in ciphertext size and decryption overhead with the number of attributes in the access policy, which can be a significant limitation for resource-limited users [9]. As more attributes are added to the policy, both the ciphertext size and decryption overhead grow proportionally. This can make it difficult or even impossible for users with limited resources to decrypt and access the data that they need in a timely manner. Furthermore, this linear growth in ciphertext size can increase the cost of storing and transmitting the encrypted data, as well as the computational overhead associated with performing encryption and decryption operations. Thus, these CP-ABE schemes may not be suitable for applications that require efficient access control and low computational overhead.
Some existing works have been proposed to address these issues, such as outsourcing decryption technology [9][10][11][12] to reduce computation overhead for data users or proposing fully or partially hidden access structure schemes [8,13,14] to protect the privacy of user attributes embedded in the access policy. However, these solutions fail to offer a large universe and reliable mechanism with adaptive security, or they lack flexibility and have low efficiency. To tackle these issues, we propose an efficient access control scheme with robust privacy protection and outsourced decryption with verifiability, which builds upon the work [15] with further optimizations. Our main contributions are outlined as follows: • We designed an efficient and secure fine-grained access control scheme named EVOAC-HP for privacy preserving in the medical data scenario, which supports a large universe, adaptive security and flexible access control structure. This scheme uses the attribute bloom filter to achieve policy hiding, which effectively protects data users' attribute information. • We adopted outsourcing decryption technology to outsource complex computation to the CSP and support the verification of the outsourcing results, which largely reduces the computation overhead of data users. • According to security analysis and performance analysis, EVOAC-HP demonstrated enhanced security and efficiency, which is appropriate for medical data-sharing application scenarios with high privacy requirements.

Related Work
Traditional identity-based encryption (IBE) schemes associate encryption keys with specific identities, and decryption is only possible for ciphertexts encrypted under the matching identities [16]. In contrast, fuzzy IBE allows partial matches between the encryption key and the access policy to be performed, which means that ciphertexts can be decrypted by users whose identities only partially match the policy. In order to achieve more fine-grained access control, the notion of ABE, which enables secure encryption and decryption to be achieved without the need for exact identity matching, was first conceived by Sahai and Waters [4]. According to different application scenarios, ABE is divided into Key-Policy Attribute-Based Encryption (KP-ABE) and CP-ABE. In 2006, Goyal et al. [17] proposed the first construction of a scheme that associates attributes with the private keys of the users, mainly used in paid video sites and broadcast encryption. The first CP-ABE scheme proposed by the work [5] allows complex access policies in which attributes are associated with the ciphertext to be used, which is suitable for data sharing. Although this scheme is very expressive, it was proved to be safe under the general group model, and the security of this model is relatively weak. Afterwards, a significant amount of research has been conducted on CP-ABE and KP-ABE in recent years, with various constructions and optimizations proposed to enhance their efficiency and security. Waters [18] proposed an improvement to CP-ABE schemes by introducing a linear secret sharing scheme (LSSS) based on the previous work [5], which results in enhanced efficiency and expressiveness of the encryption scheme while maintaining stronger security. Many CP-ABE schemes have since emerged, including some classic works [6,7,15]. However, as the access policy becomes more complex and the number of user attributes increases, the size of the ciphertext and the computational overhead required for decryption also increase. Since the decryption process can be expensive due to the large size of the ciphertext and the required pairing operations, resource-limited devices may experience significant delay or even have to abort the decryption process.
To address this inefficiency issue, Green et al. [9] introduced the innovative notion of ABE with outsourced decryption (ABE-OD), which allows a CSP to transform any ABE ciphertext of any size into an ElGamal-type ciphertext with a constant size, so that the user only needs to obtain the decrypted message with one exponentiation. One limitation of outsourcing decryption to the CSP is that they may not perform the transformation operations honestly. To address this concern, the work [10] proposed the concept of ABE verifiable outsourced decryption (ABE-VOD), which enables data users to check whether the transformation results are correct. However, this scheme needs to encrypt additional random messages, which doubles the computing overhead of the data user, resulting in twice the size of the ciphertext. This undoubtedly increases the user's bandwidth requirements and computing costs. Afterward, several efficient and generic ABE-VOD schemes have been proposed [11,[19][20][21][22][23][24]. Some works [19,20] also considered performing outsourced key issuing and outsourced decryption operations by introducing two cloud service providers. Mao et al. [11] and Lin et al. [21] proposed an efficient construction using a commitment scheme and an encapsulation mechanism. These ABE schemes have shown great promise in enabling the secure and verifiable outsourced decryption of ciphertexts to be performed in cloud-based environments. While these ABE schemes are well suited to flexible and fine-grained data-sharing systems, they may not be suitable for applications with high privacy requirements, such as EHR systems. This is because the access policy, which typically includes sensitive attribute information, such as the patient's medical condition and medical history, is directly exposed in the ciphertext. Anyone can obtain some sensitive information with the ciphertext. As a result, malicious adversaries are likely to infer sensitive information about the patient's health status, potentially leading to privacy breaches and other security risks.
In order to improve the above privacy protection issues, CP-ABE with policy hiding has been researched to address sensitive attribute information exposure in the access policy of traditional CP-ABE schemes. The concept of partially hidden access structures was proposed by Nishide et al. [8] and splits the attribute into an attribute name exposed to the ciphertext and sensitive attribute values hidden within the ciphertext. Nevertheless, this solution only supports the less expressive "AND gates" access structure. Lai et al. [25] proposed a CP-ABE scheme with adaptive security and policy hiding under the standard model, but this scheme is constructed based on bilinear groups of composite order, resulting in low efficiency. Subsequently, several works based on [8,25] have since been proposed to enhance the security, efficiency, flexibility and availability of partially hidden access structure CP-ABE [14,[26][27][28][29][30]. However, all these existing schemes can only hide the attribute value but cannot hide the attribute name, and the attribute name itself still leaks some useful information. Therefore, CP-ABE schemes with fully hidden policy are also available, where the access policy is invisible to the data user, ensuring that their attribute sets are not revealed in plaintext. Recently, most of the solutions hide the whole attribute by employing the specified garbled bloom filter [31] to eliminate the attribute mapping function embedded in the access structure and achieve full policy hiding [32][33][34][35][36]. This strategy of policy hiding is well suited to applications with strong privacy requirements.
However, these schemes either do not support verifiable outsourced decryption or do not support flexible access structures under the standard model.
Inspired by the works [11,15,32], we propose EVOAC-HP to be applied in EHR systems. Consider a healthcare scenario where a data owner, such as a patient, wants to share their medical records with a data user, such as a doctor, but does not want to allow other doctors or unauthorized users to access the records. To protect privacy, the patient first establishes an access policy for who is allowed to access the records and encrypts the records using CP-ABE before uploading them to a CSP. Then, doctors who meet the defined access policy can successfully decrypt the ciphertext. Note that the private attributes embedded in the access policy do not reveal the identity of the doctors. Since the doctor's device may be resource-limited, they can request the CSP to transform the ciphertext and obtain the transformed ciphertext for decryption. Finally, the doctor can locally confirm whether the transformed ciphertext is correct to ensure the integrity of the decryption result.

Preliminary
In this section, we mainly review the fundamental knowledge about the CP-ABE definition, the security model for the CP-ABE, the commitment scheme, the attribute bloom filter and the decisional linear assumption.

CP-ABE Definition
A classic CP-ABE scheme is given by the following four algorithms: This algorithm takes the security parameter λ and attribute universe description U as input, and it outputs a master public key mpk and a master key msk.

Security Model for CP-ABE
We introduce the security model for the CP-ABE scheme. The security between adversary A and challenger C is given as follows: • Initialization: A defines the challenge access structure A * and gives it to C. • Setup: C runs Setup to obtain the master public key mpk and returns it to A. • Phase 1: A has the ability to request secret keys corresponding to collections of user attributes S 1 , S 2 , . . . , S Q 1 . For each S i , C runs KeyGen and returns sk i to A. The queried sets must not meet the access structure requirements of the challenge phase above each query, i.e., ∀i ∈ [ Challenge: A submits two messages, m 0 and m 1 , with equal length and returns them to C. C chooses random number b ∈ {0, 1} and invokes Encrypt to obtain ct, which is given to A. • Phase 2: Phase 1 is reiterated under the same constraint. A can continue to query the secret keys for the sets S Q 1 +1 , S Q 1 +2 , . . . , S Q . • Guess: A outputs his guess value b ∈ {0, 1} for b.

Definition 1.
A CP-ABE scheme Π is secure if all polynomial-time attackers A have at most a negligible advantage in the above security game. The advantage of an attacker A for breaking this confidentiality game is defined as Adv A

Commitment
A commitment scheme has three algorithms: InitCom, Commit and Reveal.
• Setup(1 λ ): This algorithm takes a security parameter λ as input and outputs the public commitment key pk. A correct commitment scheme satisfies Reveal(M, r, Commit(M, r)) = 1 for all pk output by the algorithm Setup and for any message M and an additional random number r. If a commitment scheme satisfies the hiding property and the binding property, it is considered secure. The commitment cm to M satisfies the hiding property, which ensures that no information about M can be inferred from cm. The binding property ensures that it is computationally infeasible to reveal a commitment cm to a value M EHR other than the original value M.

Attribute Bloom Filter
The attribute bloom filter (ABF) is a data structure that can efficiently query a large dataset [32]. It is a variant of the bloom filter, where each element is assigned one or more attributes so that it can be filtered and queried by the attribute. During the search stage, one or more attributes can be specified, and only elements with the specified attributes are returned. Unlike traditional bloom filters, the ABF stores an additional attribute vector, where each element corresponds to an attribute vector. Each position in the attribute vector corresponds to an attribute, and if the element has that attribute, the position is set to 1; otherwise, 0. The element is returned during the query stage if all specified attribute positions are 1.
To construct the ABF, a sequence of λ bits in length is joined with two constant strings: one that includes the row number with L rownum bits and another that contains the attribute with L att bits, where the security parameter λ = L rownum + L attr . The ABF can be divided into two components: ABFBuild and ABFQuery. These two components are detailed below: is used as input in the garbled BF building algorithm to create ABF S , as described in [31].
When an element et needs to be inserted into ABF S , this algorithm randomly produces x − 1λ-bit strings r 1 , r 2 , · · · , r x−1 and adopts the XOR-based secret sharing scheme (x, x) to distribute element et. It then assigns r Once the element shares the r i that have been stored in ABF S , element et can be reconstructed using the formula Above all, the ABFBuild algorithm hides the attribute mapping, while the ABFQuery algorithm reconstructs it. This access control structure can allow full policy hiding to be achieved.

Decisional Linear Assumption
Suppose we have two multiplicative groups, G and H, of prime number order q and two generators, g ∈ G and h ∈ H. We randomly select x, y, m, n ∈ Z p and define a tuple T 1 = (g, h, g x , g y , h x , h y , g mx , g ny , h mx , h ny , g m+n , h m+n ). We randomly choose a random number µ ∈ Z p and define another tuple T 2 = (g, h, g x , g y , h x , h y , g mx , g ny , h mx , h ny , g µ , h µ ) .
The assumption then is that no polynomial-time adversary can distinguish tuple T 1 from tuple T 2 with negligible advantage.

Access Control System
In this section, we introduce our system model and the concrete EVOAC-HP, which is composed of five stages, including system parameter initialization, key generation, EHR data encryption, ciphertext transformation, and EHR data decryption and verification.

System Model
As shown in Figure 1, the system model of EVOAC-HP comprises four entities: a certificate authority (CA), many data owners (DOs), many data users (DUs) and a cloud service provider (CSP). The following provides the definition and functions of each participant:

•
Certificate authority (CA): The central component of the entire system is the CA, which is in charge of the initialization of the system. The CA is responsible for creating the master private key and public parameters. Additionally, the CA generates transformation keys for users based on their attribute set when requested. It is assumed that the CA is a trusted entity. • Data owners (DOs): DOs are the producers of medical data. When they need to share their data, they first establish a custom access policy that allows users to access and encrypt the data using our proposed encryption scheme. The resulting ciphertext is then uploaded to the CSP. It is worth noting that the access policy in the ciphertext does not reveal the sensitive attributes of the data owner. In a medical scenario, the data owners are the patients. • Data users (DUs): In the healthcare scenario, the DUs play the role of a doctor or a nurse. They need to retrieve the corresponding ciphertext from the CSP and request it to assist in the transformation of the ciphertext. When obtaining the transformed decrypted ciphertext from the CSP, the data user locally decrypts it to access the EHR data and checks whether the transformation result is correct. Considering that the data user is likely to use resource-limited devices such as conventional desktop computers, the decryption operation is delegated to simplify the computation. • Cloud service provider (CSP): The CSP is a powerful server with storage and computing services. Its main responsibilities include storing ciphertext corresponding to medical data and providing ciphertext transformation service. It should be noted that the CSP is honest but curious, which means that it may attempt to extract useful information from the ciphertext.

The Proposed Scheme
System parameter initialization. The entire process of system initialization is performed by the CA. It runs Setup(1 λ , U) to generate (mpk, msk). This process is shown in Algorithm 1. This algorithm takes as input the security parameter λ and a large attribute universe description U, and it outputs the master public key mpk and the master key msk. In this process, the CA executes the initialization stage of the FAME scheme [15] and the commitment scheme. In addition, the attribute bloom filter is parameterized. Finally, the master public key is mpk, and the master key is msk.

Algorithm 1 Setup (Invoked by CA).
Input Security parameter λ, attribute universe description U Output: The master public key mpk, the master key msk 1: Suppose L att and L rownum denote the maximum bit length of attributes in the whole system and the row numbers in the access matrix. The ABF has a bit array of size L ABF and is associated with x hash functions; 2: Generate x hash functions H i for i ∈ [1, . . . , x]: H i : {0, 1} * → [1, L ABF ] and a hash function H : {0, 1} * → G; 3: Randomly pick three groups G, H and G T of prime order p and defines a bilinear mapê : G × H → G T and generators g 0 , g, h 0 ∈ G, h ∈ H and random number a 1 , a 2 , b 1 , b 2 ∈ Z * p and d 1 , d 2 , d 3 ∈ Z p ; 4: Calculate A 1 = h a 1 , A 2 = h a 2 , E 1 = e(g, h) d 1 a 1 +d 3 , E 2 = e(g, h) d 2 a 2 +d 3 ; 5: Set the master public key mpk = {g 0 , h 0 , h, A 1 , A 2 , E 1 , E 2 , H i∈[1,...,x] , H}; 6: Set the master key msk = {g, h, a 1 , a 2 , b 1 , b 2 , g d 1 , g d 2 , g d 3 }.
Key generation. This stage has two steps: Firstly, the data user randomly selects z ∈ Z p as a secret decryption key dk = z and produces a shared public key spk = g 1 z .
When the data user needs to apply for the transformation key, the data user sends the shared public key spk to the CA responsible for issuing transformation keys. The CA runs TkGen(msk, S, spk) to generate the transformation key tk, and this process is shown in Algorithm 2. This algorithm takes as input the master key msk, a set of the data user attributes S and a shared public key spk, and it outputs the transformation key tk = (tk 0 , tk y y∈S , tk ).

Algorithm 2 TkGen (Invoked by CA).
Input The master key msk, attribute set S, a shared public key spk Output: Transformation key tk 1: Randomly chooses two random number r 1 , r 2 ∈ Z p and calculate tk 0,1 = h b 1 r 1 , tk 0,2 = h b 2 r 2 , tk 0,3 = h r 1 +r 2 ; 2: Settk 0 = (tk 0,1 , tk 0,2 , tk 0,3 ); 3: for each y ∈ S do 4: for k ∈ {1, 2} do 5: Randomly chooses a random number σ y ∈ Z p and calculates tk y,k = H(y1k) 6: end for 7: end for 8: Set tk y = (tk y,1 , tk y,2 , g −σ y ); 9: for k ∈ {1, 2} do 10: Randomly chooses σ ∈ Z p and calculates tk k = g d k · g σ a k ; 11: end for 12: Set tk = (tk 1 , tk 2 , g d 3 z · g −σ ); 13: Set tk = (tk 0 , tk y y∈S , tk ). EHR data encryption. When encrypting sensitive EHR data M EHR under the defined access structure (M, ρ), the data owner first randomly picks a value r and uses a concatenation operation represented by "||" to encrypt the combination of EHR data and the random number M EHR ||r. This means that the encrypted result contains both the original EHR data and the random value. That is, it runs Encrypt(mpk, M EHR ||r, (M, ρ)) → ct. This algorithm takes the master public key mpk, the EHR data M EHR , the random number r and the access structure (M, ρ) as input, and it outputs the encrypted EHR data ct. This process is shown in Algorithm 3. To hide the access structure (M, ρ), we adopt the attribute bloom filter to achieve this property. It invokes ABFBulid(M, ρ) → ABF S to obtain ABF S . This algorithm takes as input the access structure (M, ρ), and it outputs the attribute bloom filter ABF S . The concrete process is detailed in Section 3.5. In order to commit to M EHR using the value r, it runs Commit(M EHR , r) → cm. The data owner calculates a commitment of the EHR data cm = g M EHR 0 h r 0 . The final ciphertext ct is (ct, cm, M, ABF S ).
Ciphertext transformation. In this stage, the CSP invokes Trans f orm(ct, tk) → pct. This algorithm takes as input the encrypted EHR data ct and the transformation key tk and outputs the partially decrypted ciphertext pct. This process is shown in Algorithm 4. Notice that the CSP might be malicious or lazy, so the transformation result is not necessarily true.

EHR data decryption and verification.
When the data user requests the full ciphertext from the CSP, it firstly decomposes the ciphertext ct into (ct, cm, M, ABF S ) and runs ABFQuery(mpk, S, ABF S ) → ρ . The concrete process is detailed in Section 3.5. This algorithm takes as input the master public key mpk, a set of data user attributes S and attribute bloom filter ABF S and outputs the rebuilt attribute mapping ρ . When recovering the corresponding access structure (M, ρ ), the resource-constrained data user is able to delegate the ciphertext ct to the CSP for decryption; the CSP transforms the ciphertext ct into partially decrypted ciphertext pct and gives it to the data user. Then, the data user runs Decrpt(ct , pct, dk). This algorithm takes as input the full ciphertext ct , the partially decrypted ciphertext pct and decryption key dk = z and outputs the final result result = ct M EHR · pct z . The result is the combination of the message and the random number (M EHR ||r). Aiming to check the correctness of the transformation result, the data user runs Reveal(M EHR , r, cm). This process checks whether cm If it passes verification, the data user finally obtains the true message, M EHR . Otherwise, the transformation result is wrong.

Security Analysis
Theorem 1. EVOAC-HP can guarantee the confidentiality of data under the random oracle model.

Lemma 1.
If FAME [15] can guarantee the confidentiality of data, the proposed scheme can also guarantee the confidentiality of data.
Proof. Suppose that there is an adversary that solves the difficult decisional linear problem in probabilistic polynomial time, whose advantage ε cannot be ignored. With the help of adversary A, an algorithm Alg can be constructed so that the algorithm can break the confidentiality of FAME in probabilistic polynomial time, and the advantages are not negligible.
Let C be the challenger of a safe game in the FAME scheme, and let A be the adversary of the game. Algorithm Alg can break FAME's confidentiality by performing the following: • System initialization: Adversary A sends the access structure A * that needs to be challenged to algorithm Alg. Algorithm Alg gives A * to challenger C. Challenger C generates public parameter mpk = {h, A 1 , A 2 , E 1 , E 2 , H} with the Setup algorithm in FAME and sends mpk to algorithm Alg. Algorithm Alg calls the Setup algorithm in EVOAC-HP to complete public parameter mpk = {g 0 , h 0 , h, A 1 , A 2 , E 1 , E 2 , H i∈[1,...,x] , H} and send it to adversary A. • Query phase 1: Algorithm Alg receives the decryption key query request submitted by adversary A. Let adversary A ask for the decryption key of the attribute set S e , and let algorithm Alg forward this query request to challenger C. Challenger C calls the KeyGen algorithm in the FAME scheme to output the decryption key given to algorithm Alg, and algorithm Alg forwards its key to adversary A. • Challenge phase: Adversary A submits two equal-length plaintexts, m * 0 and m * 1 , to algorithm Alg. Algorithm Alg sends them to challenger C and asks for the challenge ciphertext. Challenger C randomly selects b ∈ {0, 1} and calls the Encrypt algorithm in the FAME scheme to encrypt the message m * b . Finally, challenger C sends the ciphertext ct to algorithm Alg. After receiving the challenge ciphertext ct, algorithm Alg completes ct according to the ciphertext form of EVOAC-HP and then sends it to adversary A. • Query phase 2: This phase is the same as Query phase 1. • Guess phase: If adversary A outputs a bit b , then algorithm Alg also outputs b . If adversary A can break the FAME scheme, it means that adversary A can calculate the ciphertext e(g, h) −E s 1 1 ·E s 2 2 according to algorithm Alg. With the help of adversary A, algorithm Alg can calculate m * b in the FAME algorithm, thereby breaking the FAME scheme.

Theorem 2.
If the decisional linear assumption is correct, FAME is adaptively secure under the random oracle model.
Lemma 2. FAME [15] has proved that the decisional linear assumption is adaptively secure under the random oracle model. EVOAC-HP is constructed based on FAME, so EVOAC-HP can guarantee the confidentiality of data under the random oracle model.

Theorem 3. EVOAC-HP can guarantee the confidentiality of ciphertext transformation.
Proof. The proposed scheme guarantees transformation result confidentiality with the discrete logarithm problem. Specifically, EVOAC-HP generates a transformation key using a shared public key spk = g 1 z provided by the data user. Even if an adversary gains access to the transformation key tk and the intermediate ciphertext ct from the CSP, they cannot compute ct M EHR · pct z without the user's secret decryption key z. Thus, the adversary does not have the ability to decrypt the combination of the EHR data and the random number (M EHR ||r) and gain access to sensitive data M EHR . This adds an extra layer of security to the scheme, ensuring that confidential information remains protected even if the adversary gains access to some of the intermediate data. Proof. To prevent the potential leakage of attribute information, EVOAC-HP eliminates the attribute mapping function ρ embedded in the access policy using the ABFBulid and ABFQuery procedures. Adversaries without knowledge of the attribute string cannot carry out a successful brute-force attack within polynomial time, so they are incapable of accessing and inferring confidential information from the access policy. Furthermore, data users are only able to check whether they possess the required attributes for accessing the data. It is impossible for a single data user to verify all the attributes from the attribute universe description U unless they possess all of the attributes or multiple data users work together to achieve it. Therefore, EVOAC-HP provides protection for policy privacy by concealing attribute information in the access policy.

Performance Analysis
In this section, the performance of EVOAC-HP is analyzed from functional, theoretical and experimental perspectives.

Functional Analysis
When it comes to the comparisons of functional analysis, we compare related works in terms of five functionalities: security model, large universe, hidden policy, outsourced decryption and verifiability. Note that in the security model, adaptive security provides stronger security guarantees than selective security. As shown in Table 1, most schemes support only two or three of these features, while the work [18] only supports large universe, and the work [8] only achieves hidden policy. For better security, only schemes [15,25] and EVOAC-HP achieve adaptive security. The schemes [10,11] both support large universe, outsourced decryption and verifiability. According to the above comparison, EVOAC-HP simultaneously achieves large universe, adaptive security, hidden policy, outsourced decryption and verifiability, thus showing functional advantages.

Theoretical Analysis
Here, we only consider some expensive operations and use the symbols Exp, Pair and Hash to denote exponentiation, pairing and hashing operation, respectively. As shown in Table 2, we evaluate EVOAC-HP and compare it with other similar schemes based on the computational complexity of their encryption and decryption algorithms. Regarding the encryption process, although the scheme [32] and EVOAC-HP incur high computational overhead, most of the computational overhead is attributed to the construction of the attribute bloom filter, which requires additional hashing operations to achieve policy hiding. On the other hand, it is obvious that in the decryption stage, existing schemes [15,18,32] need to perform pairing operations, which is expensive for data users, while EVOAC-HP only requires 2Exp + xHash operations. Due to outsourced decryption, EVOAC-HP outperforms other existing schemes that require pairing operations in the decryption stage with regard to performance.

Experimental Analysis
We implemented similar schemes in Python 3.8 in the same experimental environment (Ubuntu-20.04 with Intel Core i7 and 16 G RAM) on top of the Charm framework [37] and MNT224 curve for pairing. The double-hash technique [38] based on 128-bit MurmurHash and SpookyHash was used to construct x hash functions for the attribute bloom filter. We compared the computational time of data encryption and data decryption with schemes [15,32] and EVOAC-HP. We evaluated all the schemes using access policies and attribute sets of sizes ranging from 5 to 50, and the number of hash functions for the ABF was 10. Those schemes were tested in 10 trials, so that the experimental results were averaged. As shown in Figure 2, as the number of attributes increases, the encryption overhead of all three schemes shows a linear growth trend. However, our scheme, EVOAC-HP, has significantly smaller encryption overhead than the scheme proposed in [32], while it has time overhead similar to that of the scheme proposed in [15]. It is worth noting that the scheme proposed in [15] does not consider policy privacy, while our scheme requires the construction of the ABF during the encryption phase to achieve fully hidden policy, resulting in additional computational overhead depending on the number of hash functions used. As shown in Figure 3, the data decryption overhead of scheme [32] shows a linear growth trend as the number of attributes increases, which leads to an increased computational burden for data users. In contrast, EVOAC-HP and scheme [15] maintain constant data decryption overhead. Moreover, EVOAC-HP adopts outsourcing decryption techniques, which further reduces decryption overhead to 2 ms.  In order to evaluate the time cost of five algorithms in EVOAC-HP, we conducted experiments under three curves, MNT159, MNT201 and MNT224. Figure 4 shows the computational time of each algorithm in our proposed scheme with the number of attributes. Obviously, the MNT224 curve had the highest overhead among all algorithms, while MNT159 had the lowest. The Setup algorithm maintained constant computational overhead, and system initialization was only required once. Except for the Decrypt algorithm, the computation overhead of all algorithms was proportional to the number of attributes. Due to outsourced decryption, the Decrypt algorithm only spent a constant time of around 2 ms.

Conclusions and Future Work
In this paper, we introduce a practical and reliable scheme for fine-grained privacy protection and outsourced computation access control for sharing medical data, named EVOAC-HP. We employ CP-ABE as a fundamental building block to encrypt the medical data and outsource the decryption operation to alleviate the computation overhead for data users, which reduces the decryption computation overhead to a constant. Additionally, we achieve policy hiding by utilizing the attribute bloom filter, which prevents any individual from accessing sensitive attribute information from the access policy. The user's attributes are not disclosed in the access policy, which effectively guarantees the security of our scheme. The proposed scheme is proved to be adaptively secure under the random oracle model under the decisional linear assumption. As demonstrated with performance analysis and comparative analysis, EVOAC-HP has functional advantages, better performance and stronger security, which are suitable for EHR data sharing and complex access control in medical scenarios.
Our scheme also has some limitations. First of all, with our scheme, it is difficult to efficiently deal with the policy update problem. When the access policy needs to be updated, the data owner can complete the update with a small computational cost. In this scheme, the data owner needs to re-encrypt according to the new access policy, which is obviously inefficient. Secondly, in most medical scenarios, users' identities may often change, which requires a new solution that supports user attribute update and revocation to meet this requirement. Finally, our scheme has the problem of offline dictionary attack, that is, the user can continuously query whether the attribute is in the access policy with the attribute bloom filter, which may expose user attributes. In the future, we plan to focus on incorporating features such as CP-ABE with policy update and user attribute revocation while preventing dictionary attacks to better meet practical application scenarios.