Efficient File Sharing in Electronic Health Records

Efficient File Sharing in Electronic Health

Records

?

Cl´ementine Gritti, Willy Susilo, Thomas Plantard

Centre for Computer and Information Security Research School of Computer Science and Software Engineering

University of Wollongong, Australia

cjpg967@uowmail.edu.au, {wsusilo,thomaspl}@uow.edu.au

Abstract. The issue of handling electronic health records have become paramount interest to the practitioners and security community, due to their sensitivity. In this paper, we propose a framework that enables medical practitioners to securely communicate among themselves to dis-cuss health matters, and the patients can be rest assured that the in-formation will only be made available to eligible medical practitioners. Specifically, we construct a new cryptographic primitive to enable File Sharing in Electronic Health Records (FSEHR). This primitive enables doctors to read the information sent by the hospital, or by any other in-dividuals (such as patients’ health records), when the doctors have their ‘license’ validated by that given hospital. We construct such a crypto-graphic primitive and capture its security requirements in a set of security models. Subsequently, we present a concrete scheme, which is proven se-lectively chosen-ciphertext security (CCA-1) secure under the Decisional Bilinear Diffie-Hellman Exponent (DBDHE) assumption and fully collu-sion resistant.

Keywords: File Sharing, Electronic Health Records, Broadcast Encryption, Certificate-Based Encryption, Bilinear map, Chosen-Ciphertext Security.

1

Introduction

Electronic Health Records (EHR) have become of paramount interest to practi-tioners and security community, due to their data size as well as their security issues and sensitivity. In the existing literature, there have been a number of papers [9, 12, 13, 2] that discuss the way to secure this type of data. In this work, we take a new direction by proposing a framework that enables secure communication among medical practitioners. The communication channel en-abled here will allow medical practitioners, i.e. medical doctors, to communicate among themselves as well as to review the patients’ EHRs. Additionally, it also allows the hospital to broadcast any important information to the doctors who are working in that hospital, and this information will only be made available to

?

them. The issue is the fact that the doctors have their own rights in a hospital, delivered by the government or the medical legislators. Therefore, our framework should be able to specify which are the doctors that have access to the data by updating their license as authorized in that hospital. To generalize this scenario, we decouple several entities involved in this scenario, namely the hospital (as the data owner), the government and the other medical legislators, who grant the li-cense for the doctors to work in that hospital. This scenario is depicted in Figure 1. We note that the hospital would be the entity that generates the encrypted data for the doctors, which includes all important information that the doctors need to know. Additionally, any other members (such as the nurse or any other entities outside the doctors) should also be able to send any information to the group of doctors in that hospital. This is to represent a case for instance when a patient provides his/her X-ray or blood test results to the hospital.

Our Work. Based on the above scenario, we present a new cryptographic notion called File Sharing in Electronic Health Records (FSEHR). In this system, there are four entities, namely the Group Manager (GM), a group of Certificate Authorities (CA), or simply of Certifiers, a set of doctors and the rest of the universe. The GM represents an entity such as the hospital in this scenario. A CA represents the government, the medical institute or other medical legislator who grants the rights to some doctors to work in a given hospital. The set of doctors is denoted as a set of users,Ui, who are the main players in this setting. The rest of the universe includes the patients, nurses, and any other players who are not captured in the above set of entities. The scenario of the FSEHR primitive is depicted in Figure 1. In this work, we provide a sound security model to capture this scenario.

One may think thatFSEHR could be achieved easily by combining the two cryptographic primitives, namely certificate-based encryption and broadcast en-cryption schemes. Unfortunately this is false. The primary difficulty of achieving such a scheme is due to the need to achieve a shorter ciphertext, in comparison to merely combining the ciphertexts into one to achieve a linear size. Furthermore, the notion of certificate-based encryption usually allows a sender to interact with only a single receiver, with the help of a CA. Hence, it is clear that by a simple combination of the existing certificate-based encryption scheme and a broadcast encryption will lead a construction with a linear size of ciphertext (in number of both users and certifiers), which is undesirable (otherwise, it would be better for the broadcaster to just simply encrypt each ciphertext individually for each user). Moreover, we require that aFSEHRscheme to be fully collusion resistant, which follows the original notion of broadcast encryption schemes. Hence, even if all the users in the system collude, only the users in the selected subset with valid certificates can recover the plaintext.

Related Work. Modelling and securing authorization and access control to EHR has become a challenge. In [9], such a model, called Role-Based Access Control (RBAC), is proposed to inscrease the patient privacy and confidential-ity of his data but it remains flexible to allow specific situations (for instance,

emergency cases). A literature review about security and privacy in EHR can be found in [2].

U1

Un

SetupPart ”DoctorsUi” H generates (P Ki, SKi)

U2

Un−1

SetupPart ”LegislatorsLj”

Certif Encrypt

N

generates ciphertextCT

for set of doctorsSdand

DecryptCase 2 DecryptCase 1 ifUi∈Sdand messageM ifUi∈/Sdor fail (⊥) fori∈ {1,· · ·, n} Government Medical Institute Other Legislators generates generates generates (P Kl1, SKl1) (P Kl2, SKl2) (P Kl3, SKl3), (P Klk, SKlk) Lj generatesCertifi,j,T fori∈ {1,· · ·, n}

for set of legislatorsSl

and time periodT

∃Lj∈Sls.t.Certifi,j,T is not valid at time periodT ∀Lj∈Sl,Certifi,j,T is valid at time periodT (GM) (CA) (Univ.) for messageM · · ·, U1 Un U2 Un₋1 U1 Un U2 Un₋1 U1 Un U2 Un−1 U1 Un U2 Un−1

Fig. 1. A hospital H (GM) generates and sends the public/secret key pairs (P Ki, SKi) for doctor Ui, where i= 1,· · ·, n. The government, the medical insti-tute and the other medical legislators Lj (CAs) create their public/secret key pairs (P Kl1, SKl1),(P Kl2, SKl2),(P Kl3, SKl3),· · ·,(P Klk, SKlk) respectively. The legisla-tors then compute and give the certificatesCertifi,j,lfor doctorUi, wherei= 1,· · ·, n,

j= 1,· · ·, k,and time periodT. Finally, a hospital staff member (Universe), for instance a nurseN, selects a subgroup of doctorsSd={Ui1,· · ·, Ui|_Sd|}and a subgroup of leg-islatorsSl, encrypts a messageMfor doctors inSd, legislators inSl and time period

T, and sends the resulting ciphertext CT. Only a doctor Ui_i0 inSd, with certificate

Benaloh et al. [3] combined a Hierarchical Identity-Based Encryption (HIBE) and a searchable encryption to obtain a privacy-preserving and patient-centered EHR system. However, the patients have to create and manage manifold keys and check the credentials of the healthcare providers (doctors, nurses, ...). Narayan et al. [10] proposed an EHR system using a broadcast Ciphertext-Policy Attribute-Based Encryption (bCP-ABE) scheme, a variant of ABE system, and a Public key Encryption with Keyword Search (PEKS) scheme. Their system is secure, allows private search on health records by performing keyword matching without leaking information, and enable direct revocation of user access without having to re-encrypt the data. But the system is only designed for online access control. More recently, Akinyele et al. [1] presented a system along with a mobile app for iPhone for secure offline access to EHRs. They constructed their scheme based on ABE (Key-Policy and Ciphertext-Policy versions) and they developped a corresponding software library to help the implementation.

2

Preliminaries and Definitions

2.1 File Sharing in Electronic Health Records (FSEHR)

A File Sharing system in Electronic Health Records (FSEHR) comprises four algorithms (Setup,Certif,Encrypt,Decrypt):

1. Setup(λ, n, k) run by the group manager, takes as inputs the security pa-rameterλ, the total numbernof users, and the total numberkof cerfitiers, output the public parameters P K, the public/secret key pair (P Ki, SKi) for user i∈ {1,· · ·, n}. The public/secret key pair (P Kcj, SKcj) are

inde-pendently generated by the certifierj∈ {1,· · ·, k}. We assume thatnis the bound of the universe, in order to pre-compute public/secret key pairs and allow users to join the system later.

2. Certif(P K,(P Kcj, SKcj), P Ki, l) run by the certifier j∈ {1,· · ·, k}, takes

as inputs the public parametersP K, the certifierj’s public/secret key pair (P Kcj, SKcj), the public keyP Kifor useri∈ {1,· · ·, n}, and the time period l, output the certificateCertif_i,j,l fori,j andl.

3. Encrypt(P K, Su, Sc,{P Ki:i∈Su},{P Kcj :j∈Sc}, l), run by the sender

belonging to the universe, takes as inputs the public parametersP K, the subsetSuof users selected by the sender such thatSu⊆ {1,· · ·, n}, the subset

Sc of certifiers selected by the sender such thatSc⊆ {1,· · ·, k}, the public keysP Ki for usersi∈Su, the certifier’s public keyP Kcj for certifersj∈Sc,

and the time periodl, output the headerHdrand the session keyK. 4. Decrypt(P K, Su, Sc, l,(P Ki, SKi),{Certifi,j,l:j∈Sc}, Hdr) run by useri,

takes as inputs the public parametersP K, the subsetSuof users selected by the sender, the subsetScof certifiers selected by the sender, the time period

l, the public/secret key pair (P Ki, SKi) and the certificates Certifi,j,l for useriand certifierj∈Sc, and the headerHdr, output the session keyK if

We require that for useri∈ {1,· · ·, n} and certifierj∈ {1,· · ·, k} such that (P K,(P Ki, SKi),(P Kcj, SKcj))←Setup(λ, n, k), and subsetsSu∈ {1,· · ·, n}

and Sc∈ {1,· · ·, k}: if user i∈Su, certifier j∈Sc and Certifi,j,l is valid for time period l, then K ←Decrypt(P K, Su, Sc, l,(P Ki, SKi),{Certifi,j,l:j ∈

Sc},Encrypt(P K, Su, Sc,{P Ki:i∈Su},{P Kcj:j∈Sc}, l)); otherwise⊥←

De-crypt(P K, Su, Sc, l,(P Ki, SKi),{Certifi,j,l:j∈Sc},Encrypt(P K, Su, Sc,{P Ki:

i∈Su},{P Kcj:j∈Sc}, l)).

We call theheader,Hdr, as the encryption of the session keyK. We call the full header as the headerHdralong with the descriptions of the setSu of users and the setScof certifiers selected by the sender. Without losing generalization, we only consider the headerHdr when discussing the size of the scheme.

2.2 Security Requirements

We first present the definitions for plaintext attack (CPA) and chosen-ciphertext attack (CCA) securities. We adopt the security definitions from the certificate-based encryption [7]. There are two basic attacks which may be launced by an uncertified user or by the certifier. These are captured in the following two distinct games. In Game 1, the adversary plays the role of an uncertified user: it first proves that it knows the secret key of the uncertified user and then, it can make Decryption and Certification queries. In Game 2, the adversary plays the role of a trusted certifier: it first proves that it knows the secret key of the certifier and then, it can make Decryption queries. Eventually, we say that the FSEHRsystem is secure if no adversary can win either game.

Game 1. Setup. The challenger runs the algorithm Setup(λ, n, k) to obtain the public parametersP K, the public keysP Ki for usersi∈ {1,· · ·, n}, and the public keysP Kcj for certifiersj∈ {1,· · ·, k}, and gives them toA1.

Certification Query Phase.For time periodl, for useri∈ {1,· · ·, n}, and for

j∈ {1,· · ·, k}, the challenger first checks that SKi is the secret key correspond-ing to the public key P Ki. If so, it runs Certif and returns Certifi,j,l to the adversaryA1; otherwise, it returns⊥.

Decryption Query Phase. For time periodl, for useri∈ {1,· · ·, n}, and for certifierj∈ {1,· · ·, k}, the challenger first checks thatSKiis the secret key corre-sponding to the public keyP Ki. If so, it returnsDecrypt(P K, Su, Sc, l,(P Ki, SKi),

{Certifi,j,l:j∈Sc}, Hdr) to the adversaryA1; otherwise, it returns⊥.

Challenge.For time periodl∗,A1 outputs a challenge setSu∗⊆ {1,· · ·, n}. For useri∈S∗_u, the challenger first checks thatSK_i∗is the secret key corresponding to the public keyP K_i∗. If so, it chooses a setS_c∗⊆ {1,· · ·, k}and a random bitb∈R {0,1}, and runs (Hdr∗, K∗)←Encrypt(P K∗, S_u∗, S_c∗,{P K_i∗ :i∈S_u∗},{P K_c∗

j : j∈S_c∗}, l∗). It then sets K_b∗=K∗, picks at randomK₁∗_−b in the key space, and gives (Hdr∗, K_b∗, K₁∗_−b) to the adversaryA1. Otherwise, it gives⊥.

Guess.The adversaryA1outputs its guessb0∈R{0,1}forband wins the game

ifb=b0, (l∗, S_u∗, Hdr∗) was not the subject of a valid Decryption query after the

We define A1’s advantage in attacking the File Sharing system in Electronic

Health Records for Game 1 with parameters (λ, n, k) as AdvFSEHRGame_A 1

1,n,k(λ) =

|P r[b=b0]−1₂|.

Game 2. Setup. The challenger runs the algorithm Setup(λ, n, k) to obtain the public parametersP K, the public keysP Ki for usersi∈ {1,· · ·, n}, and the public keysP Kcj for certifiersj∈ {1,· · ·, k}, and gives them toA2.

Decryption Query Phase. For time period l and for certifierj∈ {1,· · ·, k}, the challenger first checks thatSKcj is the secret key corresponding to the public

key P Kcj. If so, it returns Decrypt(P K, Su, Sc, l,(P Ki, SKi),{Certifi,j,l:j∈

Sc}, Hdr) to the adversaryA2; otherwise, it returns ⊥.

Challenge. For time period l∗, A2 outputs a challenge set Su∗ ⊆ {1,· · ·, n}. The challenger first checks that SK_c∗

j is the secret key corresponding to the

public key P K_c∗

j. If so, it chooses a setS

∗

c⊆ {1,· · ·, k} such that j∈Sc∗ and a random bit b∈R{0,1}, and runs (Hdr∗, K∗)←Encrypt(P K∗, Su∗, Sc∗,{P Ki∗:

i∈S∗},{P K_c∗ j:j∈S

∗

c}, l∗). It then setsKb∗=K∗, picks at randomK1∗−bin the key space, and gives (Hdr∗, K_b∗, K₁∗_−b) to the adversaryA2. Otherwise, it gives

⊥.

Guess.The adversaryA2outputs its guessb0∈R{0,1}forband wins the game if b=b0 and (l∗, P K_c∗

j, Hdr

∗_{) was not the subject of a valid Decryption query}

after the Challenge.

We define A2’s advantage in attacking the File Sharing system in Electronic

Health Records for Game 2 with parameters (λ, n, k) as AdvFSEHRGame_A 2

2,n,k(λ) =

|P r[b=b0]−1₂|.

Definition 1. We say that a File Sharing system in Electronic Health Records is adaptively (t, ε, n, k, qC, qD)-secure if no t-time algorithm Athat makes at most

qC Certification queries (in Game 1) and qD =qD1+qD2 Decryption queries

(in the Game 1 and Game 2 respectively), has non-negligible advantage in either Game 1 or Game 2, i.e.AdvFSEHRGame_A,n,k1(λ) +AdvFSEHRGame_A,n,k2(λ)≤ε.

We also mention the selective CCA security: a selective adversaryAprovides the setS_u∗⊆ {1,· · ·, n}that it wishes to be challenged on at the beginning of the security game.

We then define the Fully Collusion Resistance security, in order to capture the notion of encryption against arbitrary collusion of users. Let the number of usersn, the number of certifierskand the security parameterλbe given to the adversaryAand the challenger. The game between the two entities proceeds as follows:

Game Fully Collusion Resistant

1. The adversaryAoutputs a setS_u,n0={u₁,· · ·, u_n0} ⊆ {1,· · ·, n}of colluding

2. The challenger runs the algorithm Setup(λ, n, k) to obtain the public pa-rametersP K, the keys pairs (P Ki, SKi) for users i∈Su,n0, and the keys

pair (P Kcj, SKcj) for the certifier j∈ {1,· · ·, k}. It gives (P K,{P Ki, SKi: i∈S_u,n0},{P K_c

j:j∈ {1,· · ·, k}}) to the adversary A and keeps SKcj to

itself. It also runs the algorithmCertif(P K,(P Kcj, SKcj), P Ki, l) to obtain

the certificatesCertifi,j,l for user i∈Su,n0,j∈ {1,· · ·, k}, and time period

l, and gives them to the adversaryA.

3. The challenger runs the algorithmEncrypt(P K, Su, Sc,{P Ki:i∈Su},{P Kj:

j∈Sc}, l0) for a subset Su⊆ {1,· · ·, n} such that Su∩Su,n0=∅ and l06=l,

and for a subsetSc⊆ {1,· · ·, k}, and gives the resulting header Hdrto the adversaryAand keeps the associated session keyK to itself.

4. The adversary A outputsK∗←Decrypt(P K, Su, Sc, l0,(f({P Ki:i∈S0⊆

S_u,n0}), f({SK_i:i∈S0⊆S_u,n0})),{f({Certif_i,l:i∈S0⊆S_u,n0}) :j∈S_c}, Hdr∗)

wheref is a function that takes as input public keys, secret keys or certifi-cates, and outputs a new public key, a new secret key or a new certificate as a combination of public keys, secret keys or certificates, respectively. 5. The adversaryAwins the game ifK∗=K.

Definition 2. We say that a File Sharing system in Electronic Health Records is fully collusion resistant if not-time algorithmAhas non-negligible advantage in the above game.

2.3 Broadcast Encryption

A Broadcast Encryption (BE) system [6, 5, 4, 8] is made up of three randomized algorithms (Setup_BE,Encrypt_BE,Decrypt_BE) such that:

1. Setup_BE(n) takes as input the number of receivers n. It outputsn secret keysd1,· · ·, dnand a public key P K.

2. Encrypt_BE(S, P K) takes as inputs a subsetS⊆ {1,· · ·, n}and a public key

P K. It outputs a pair (Hdr, K) whereHdr is called the header andK∈ K is a message encryption key chosen from a finite key set K. We will often refer toHdr as the broadcast ciphertext.

LetM be a message to be broadcast that should be decipherable precisely by the receivers inS. LetCM be the encryption ofM under the symmetric keyK. The broadcast consists of (S, Hdr, CM). The pair (S, Hdr) is often called thefull header andCM is often called thebroadcast body.

3. Decrypt_BE(S, i, di, Hdr, P K) takes as inputs a subsetS⊆ {1,· · ·, n}, a user identityi∈ {1,· · ·, n}and the secret keydi for useri, a headerHdr, and the public keyP K. If i∈S, then the algorithm outputs a message encryption keyK∈ K. Intuitively, userican then useK to decrypt the broadcast body

CM and obtain the message bodyM.

We require that for all subsetS⊆ {1,· · ·, n}and alli∈S, if (P K,(d1,· · ·, dn))←

Setup_BE(n) and (Hdr, K)←Encrypt_BE(S, P K), thenDecrypt_BE(S, i, di, Hdr,

2.4 Certificate-Based Encryption

A certificate-updating Certificate-Based Encryption (CBE) system is made up of six randomized algorithms (GenIBE,GenPKE,Upd1,Upd2,EncryptCBE,

De-crypt_CBE) such that:

1. GenIBE(λ1, t) takes as inputs a security parameter λ1 and (optionally) the

total number of time periodst. It outputsSKIBE(the certifier’s master secret

key) and public parametersparams that include a public key P KIBE and

the description of a string spaceS.

2. GenPKE(λ2, t) takes as inputs a security parameterλ2 and (optionally) the

total number of time periods t. It outputsSK_PKE and public key P K_PKE

(the client’s secret and public keys).

3. Upd1(SKIBE, params, l, s, P KPKE) takes as inputsSKIBE,params,l, string

s∈ S and P KPKE, at the start of time periodl. It outputs Cert0l, which is sent to the client.

4. Upd2(params, l, Cert0_l, Certl−1) takes as inputsparams, l, Cert0l and

(op-tionally)Cert_l−1, at the start of time periodl. It outputsCertl.

5. Encrypt_CBE(params, l, s, P KPKE, M) takes as inputs (params, l, s, P KPKE, M), whereM is a message. It outputs a ciphertextCon messageM intended for the client to decrypt usingCertl andSKPKE(and possibly s).

6. Decrypt_CBE(params, Certl, SKPKE, C, l) takes as inputs (params, Certl, SKPKE, C) in time periodl. It outputs eitherM or the special case⊥indicating fail-ure.

We require thatDecrypt(params, Cert_l, SK_PKE,Encrypt(params, l, s, P K_PKE, M), l) =M for the givenparams←Gen_IBE(λ1, t),P K←GenPKE(λ2, t),Certl←

Upd2(params, l,Upd1(SKIBE, params, l, s, P KPKE), Certl−1).

3

An Efficient Construction

Our constructionFSEHRis an effective combination of the BGW Broadcast En-cryption (BE) scheme [4] and the Gentry’s Certificate-Based Encryption (CBE) scheme [7]. Notice that the Gentry’s CBE scheme is designed for a communi-cation between one sender and one receiver. Therefore, applying the Gentry’s CBE scheme directly to the BGW, will lead to the linear size of the headers in the number of users and of certifiers in the two respective subsets designed by the sender, which is impractical. However, we managed to overcome this issue and achieve constant size for header, secret keys and certificates. Moreover, our schemeFSEHRis proved selective CCA secure using the standard transformation from the REACT scheme proposed by Okamoto and Pointcheval [11].

Setup(λ, n, k). On input the security parameterλ, the total numbernof users, and the total numberkof certifiers, run (p,G,GT, e)←GroupGen(λ, n, k). Pick at randomg∈RGandα∈RZp, computegi=g(α

i₎

fori= 1,· · ·, n, n+ 2,· · ·,2n. Pick at random γ∈RZp and compute v=gγ. Choose three hash functions

H1:G× {0,1}∗→G,H2:G×G→G, andH3:GT×G×G×G×G→ {0,1}λ. For useri∈ {1,· · ·, n}, compute the user’s secret key asdi=gγi(=v(α

i₎

). Independently, forj∈ {1,· · ·, k}, certifier j computes its own public/secret key pair as follows: choose at random an exponent σj∈RZpand then compute the public keywj=gσj. Set the secret key asdcj=σj.

Set the public parameters asP K= (p,_G,_GT, g, g1,· · ·, gn, gn+2,· · ·, g2n, v, w1,

· · ·, w_k, H1, H2, H3).

Certif(P K, dcj, i, l). On input the public parametersP K, the certifierj’s secret

keydcj, the useri, and the time periodlrepresented as a string in{0,1}

∗_{, pick}

at randomri,j,l∈RZpand compute the user’s certificateei,j,l= (ei,j,l,1, ei,j,l,2)

as follows: e_i,j,l,1=gσj i ·H1(wj, l) σj·ri,j,l_(=w(α i₎ j ·H1(wj, l) σj·ri,j,l₎ ei,j,l,2=gσj·ri,j,l(=w ri,j,l j )

Encrypt(P K, Su, Sc, l). On input the public parametersP K, a setSu⊆ {1,· · ·, n} of users, a set Sc⊆ {1,· · ·, k} of certifiers, and the time period l, pick at ran-dom an exponentt∈RZp, compute the session keyK=e(gn+1, g)t, and set the

headerHdr= (C1, C2, C3, C4, C5) as follows: (gt, Y j∈Sc H1(wj, l)t,(v· Y j∈Sc wj· Y i0_∈S u g_n+1−i0)t, H2(C1, C3)t, H3(K, C1, C2, C3, C4))

Decrypt(P K, Su, Sc, l, i, di, ei,j,l, Hdr). On input the public parametersP K, a set Su⊆ {1,· · ·, n} of users, a set Sc⊆ {1,· · ·, k} of certifiers, the time period

l, the useri with its secret keydi and its certificates ei,j,l forj∈Sc, parsed as (e_i,j,l,1, e_i,j,l,2), and the headerHdrparsed as (C1, C2, C3, C4, C5), check whether e(C1, H2(C1, C3)) ? =e(g, C4), and output K= e(gi, C3)·e( Q j∈Scei,j,l,2, C2) e(di·Qj∈Scei,j,l,1· Q i0_∈S u\{i}gn+1−i0+i, C1) =e(gn+1, g)t

Then, computeC₅0=H3(K, C1, C2, C3, C4). IfC50=C5, then returnK; otherwise

return⊥.

Correctness. Notice that g(αi 0

)

i =gi+i0 for any i, i0. At time period l, user i∈Su⊆ {1,· · ·, n}with secret keydi and certificateei,l,j forj∈Sc⊆ {1,· · ·, k} decrypts as follows: K= e(gi, C3)·e( Q j∈Scei,j,l,2, C2) e(di·Qj∈Scei,j,l,1· Q i0_∈S u\{i}gn+1−i0+i, C1) = e(g (αi)_,(v·Q j∈Scwj· Q i0_∈S ugn+1−i0) t_)·e(Q j∈Scg σj·ri,j,l_,Q j∈ScH1(wj, l) t₎ e(v(αi₎ ·Q j∈Scw (αi₎ j ·H1(wj, l)σj·ri,j,l·Qi0_∈S u\{i}gn+1−i0+i, g t₎ =e(gn+1, g)t

Performance. In the following table, we evaluate the efficiency of our scheme FSEHR. We use results of cryptographic operation implementations (exponen-tiations and pairings) using the MIRACL library, provided by Certivox for the MIRACL Authentication Server Project Wiki. All the following experiments are based on Borland C/C++ Compiler/Assembler and tested on a processor 2.4 GHz Intel i5 520M.

For our symmetric pairing-based systems, AES with a 80-bit key and a Super Singular curve overGFp, for a 512-bit moduluspand an embedding degree equal to 2, are used. We assume that there aren= 100 users andk= 20 certifiers.

Exponentiation inGExponentiation inGT Pairings

Time/computation 1.49 0.36 3.34

AlgorithmsSetup 546,80

Certif 89,40

Encrypt 5,96 0,36 3,34

Decrypt 16,70

Fig. 2.Timings for our symmetric pairing-based systemFSEHR. Times are in millisec-onds.

We note that the total time in the algorithmSetupis substantial, but we recall that this algorithm should be run only once to generate the public parameters and the static secret keys for both users and certifiers. In the algorithmCertif, it requires 89,40 milliseconds because k= 20 certificates are created. Finally, in the algorithmsEncryptandDecrypt, it takes 9,66 and 16,70 milliseconds respectively, mainly due to the cost of pairing computations.

4

Security Proofs

Assumption. We prove the security of our schemeFSEHRusing the Decisional

n-Bilinear Diffie-Hellman Exponent (DBDHE) assumption, which is as follows.

Definition 3. The (t, n, ε)-BDHE assumption says that for any t-time adver-saryB that is given(g, h, ga, ga2,· · ·, gan, gan+2,· · ·, ga2n)∈_G2n+1_{, and a}

candi-date to Decisionaln-BDHE problem, that is eithere(g, h)an+1_∈

GT or a random value T, cannot distinguish the two cases with advantage greater thanε:

AdvBDHEB,n=|P r[B(g, h, ga, ga

2

,· · ·, gan, gan+2,· · ·, ga2n, e(g, h)an+1) = 1] −P r[B(g, h, ga, ga2,· · ·, gan, gan+2,· · ·, ga2n, T) = 1]| ≤ε

Selective CCA Security Proof.

Theorem 1. The File Sharing scheme in Electronic Health Records FSEHR achieves Selective CCA Security under the Decision n-BDHE assumption, in the random oracle model.

Proof. We assume there exists an adversaryAthat breaks the semantic security of theFSEHRscheme with probability greater thanεwithin timet, makingqH1, qH2 and qH3 random oracle queries, qcf certification queries andqd decryption

queries. Using this adversary A, we build an attacker B for the Decisional n -BDHE problem inG.Bproceeds as follows.

For simplicity, we writegi=g(α

i₎

for an implicitly definedα. B first takes as input a Decisional n-BDHE intance (g, h, g1,· · ·, gn, gn+2,· · ·, g2n, Z) where

Z=e(gn+1, h) or Z∈RGT. B makes use of three random oraclesH1, H2 and H3, and three respective hash listsL1, L2 andL3, initially set empty, to store

all the query-answers.

Init.Aoutputs a setS_u∗⊆ {1,· · ·, n}of users that it wishes to be challenged on.

Setup. B needs to generate the public parameters P K, the secret keys di for

i /∈S_u∗, and the secret keysdcj for the certifierj∈ {1,· · ·, k}. It chooses random

elementsx, y1· · ·, yk∈RZp, and setsv=gx/Q_i0_∈S∗

ugn+1−i0,wj=g

yj _andd

cj= yj forj∈ {1,· · ·, k}. It then computes

di=gix/ Y i0∈S∗u g_n+1−i0_+i=gx·(α i )_·( Y i0∈Su∗ g_n+1−i0)−(α i )_=v(αi)_.

Eventually,BgivesAthe public parametersP K= (p,G,GT, e, g, g1,· · ·, gn, gn+2,

· · ·, g2n, v, w1,· · ·, wk, H1, H2, H3), where H1,H2 andH3 are controlled byB as

follows:

– Upon receiving a query (wj, lj) to the random oracleH1for somej∈[1, qH1]:

• If ((wj, lj), uj, Uj) exists inL1, returnUj.

• Otherwise, choose uj ∈RZp at random and compute Uj =guj. Put ((wj, lj), uj, Uj) inL1 and returnUj as answer.

– Upon receiving a query (W1j, W2j) to the random oracleH2 for some j∈

[1, qH2]:

• If ((W1j, W2j), Xj) exists inL2, returnXj.

• Otherwise, chooseXj∈RGat random. Put ((W1j, W2j), Xj) in L2 and

returnXj as answer.

– Upon receiving a query (Kj, C1j, C2j, C3j, C4j) to the random oracleH3 for

somej∈[1, qH3]:

• If ((Kj, C1j, C2j, C3j, C4j), C5j) exists inL3, returnC5j.

• Otherwise, chooseC5j∈R{0,1}λat random. Put (Kj, C1j, C2j, C3j, C4j),

C5j) inL3 and returnC5j as answer.

Phase 1. BanswersA’s queries as follows.

1. Upon receiving a Certification query (P Ki0, d_i, l_i0) for somei∈ {1,· · ·, n}and i0∈[1, q_cf]:

– If ((w_i0_,j, l_i0), u_i0_,j, U_i0_,j) exists inL₁, return the pair (u_i0_,j, U_i0_,j) forj∈

{1,· · ·, k}.

– Otherwise, chooseu_i0_,j∈_RZpat random, computeU_i0_,j=gui0,j, and put

Then, pick at randomr_i,j,l

i0 ∈RZpand return the certificateei,j,li0 where ei,j,l_i0,1=g yj i ·(U yj i0,j) ri,j,l_i0 _=gyj·(αi)_·(gui0,j₎ri,j,l_i0·yj =gyj·(αi)_·H 1(wi0_,j, l_i0)ri,j,li0·yj_=w(α i ) i0_,j ·w ri,j,l i0·ui0,j i0_,j ei,j,l_i0,2=w ri,j,l_i0 i0_,j

2. Upon receiving a Decryption query (S_u,i0, Hdr_i0, i, l_i0) for somei∈ {1,· · ·, n}

andi0∈[1, q_d], whereHdr_i0= (C_1i0, C_2i0, C_3i0, C_4i0, C_5i0):

– If ((K_i0, C_1i0, C_2i0, C_3i0, C_4i0), C_5i0) exists inL₃, do the following:

• ComputeH1(wi0_,j, l_i0) using the simulation ofH₁as above and check

whethere(C₂i0, g)=?e(C_1i0,Q

j∈ScH1(wi0,j, li0)) forj∈Sc⊆ {1,· · ·, k}.

If not, return ⊥. Otherwise, compute H2(C1i0, C_3i0) using the

sim-ulation of H2 as above and check whether e(C1i0, H₂(C_1i0, C_3i0))=? e(g, C4i0). If not, return⊥. Otherwise, check whetherK_i0 is equal or

not to

e(gi, C3i0)·e(g, C_2i0) e(g_ix+sumj∈Scy·Q

j∈ScH1(wi0,j, li0), C1i0) .

If the above equation holds, returnK_i0. Otherwise, return⊥.

– Else, return⊥.

Challenge.Bgenerates the challenge on the challenge setS_u∗ as follows. First, BsetsC₁∗=hand searchs inL1to getuthat corresponds to (wj, l) such thatj∈

Sc⊆ {1,· · ·, k}. Then, it computesC2∗=hu. It also computesC3∗=h

x+P j∈Scy_.

Informally, we write h=gt _{for an unknown t∈}

Zp. Then, it randomly chooses an exponent z∈RZp, and sets C4∗=hz=H2(C1∗, C3∗)t . Second, it randomly

chooses a bit b∈R{0,1} and setsKb=Z and picks a randomKb−1 in GT. It also picks C₅∗∈R{0,1}∗ at random, and sets C5∗=H3(Kb, C1∗, C2∗, C3∗, C4∗).

Fi-nally, it returns (Hdr∗= (C₁∗, C₂∗, C₃∗, C₄∗, C₅∗), K0, K1) as the challenge toA.

WhenZ=e(gn+1, h), then (Hdr∗, K0, K1) is a valid challenge forA’s point

of view, as in the real attack. Indeed, if we writeh=gt for an unknownt∈Zp, then hx+ P j∈Scy_=hx_· Y j∈Sc hyj_· Q i0∈Su∗gn+1−i0 Q j∈S∗ ugn+1−i0 !t =gt·x· Y j∈Sc gt·yj_· Q i0∈Su∗gn+1−i0 Q j∈S∗ ugn+1−i0 !t =   gx Q i0_∈S∗ ugn+1−i0 · Y j∈Sc gyj_· Y i0_∈S∗ u g_n+1−i0   t =C₃∗

Therefore, by definition,Hdr∗is a valid encryption of the session keye(gn+1, g)t.

Moreover,e(gn+1, g)t=e(gn+1, h) =Z=Kb, and thus (Hdr∗, K0, K1) is a valid

challenge toA. WhenZ∈RGT, then K0 andK1 are random independent

Phase 2. Bresponds to the Certification and Decryption queries as in Phase 1. We note that if (K_b∗, C₁∗, C₂∗, C₃∗, C₄∗) is asked to the random oracle H3, the

valueC₅∗ created in the simulation of the Challenge is returned.

Guess.The adversaryAoutputs its guessb0∈R{0,1}forb.

Analysis. In the simulations of the secret key generation and the certificate generation, the responses toAare perfect.

The simulation of the random oracleH1is not entirely perfect. LetQueryH1

be the event thatAhas queried before theChallengephase (w∗_j, l∗) to H1 for j∈ {1,· · ·, k}. Except for the case above, the simulation ofH1 is perfect. This

event happens with probabilityk/p.

The simulation of the random oracles H2 and H3 are not entirely perfect.

LetQueryH2andQueryH3 be the events thatAhas queried before the

Chal-lengephase (C₁∗, C₃∗) toH2and (Kb∗, C

∗ 1, C ∗ 2, C ∗ 3, C ∗

4) toH3. Except for the cases

above, the simulations ofH2 andH3are perfect. These two events happen with

probability 1/pand 1/2λ respectively.

The simulation of the Decryption oracle is nearly perfect, but a valid header can be rejected sometimes. Indeed, in the simulation of the Decryption oracle, if (K, C1, C2, C3, C4) has not been queried toH3, then the header is rejected. This

leads to two cases:

1. Auses the valueC₅∗, which is part of the challenge, as a part of its Decryption query.

2. Ahas guessed a right value for the output ofH3 without querying it.

However, in the first case, since (C₁∗, C₂∗, C₃∗, C₄∗) andKb are provided as input to H3, the Decryption query that A would ask is the same as the challenge,

which is not allowed to query. The second case may happen but with negligible probability 1/2k. LetDecOdenote the event thatAcorrectly guesses the output of H3. Therefore, if B does not correctly guess the output of H3, A’s point of

view in the simulation is identical to the one in the real attack.

Thus, we have P r[B(g, g1,· · ·, gn, gn+2,· · ·, g2n, h) =e(gn+1, h)] =|P r[b0= b|¬QueryH1∧ ¬QueryH2∧ ¬QueryH3∧ ¬DecO]−12| By definition ofA, we

have|P r[b0=b]−1

2|> ε−P r[QueryH1]−P r[QueryH2]−P r[QueryH3]−P r[DecO].

Hence, we have

|P r[b0=b|¬QueryH1∧ ¬QueryH2∧ ¬QueryH3∧ ¬DecO]−

1 2|

>|P r[b0=b]−P r[QueryH1]−P r[QueryH2]−P r[QueryH3]−P r[DecO]−

1 2|

> ε−P r[QueryH1]−P r[QueryH2]−P r[QueryH3]−P r[DecO]

Since A makes qH1, qH2 and qH3 random oracle queries during the attack, P r[QueryH1]≤kqH1/p, P r[QueryH2]≤qH2/p and P r[QueryH3]≤qH3/2

λ_. In the same way, sinceAmakesqdDecryption queries during the attack,P r[DecO] ≤qd/2λ. Therefore, we haveB’s winning probabilityε0> ε−

k·qH1+qH2

p −

qd+qH3 2λ .

Fully Collusion Resistance Proof.

Theorem 2. The File Sharing scheme in Electronic Health Records FSEHR is fully secure against any number of colluders, in the random oracle model. Proof. We assume there exists an adversaryAthat breaks the semantic security of theFSEHRscheme with probability greater thanεwhen interacting with an algorithmB.

Achooses a subsetSu,n0={u₁,· · ·, u_n0} ⊆ {1,· · ·, n}of colluding users.Bthen

runsSetup(λ, n, k), provides the public parametersP K= (p,G,GT, g, g1,· · ·, gn,

gn+2,· · ·, g2n, v, w1,· · ·, wk, H1, H2, H3), the secret keys di=v(α

i₎

for user i∈

S_u,n0 toA, and keeps secret the certifier’s secret keysd_c

j=σj forj∈ {1,· · ·, k}.

It also runsCertif(P K, dcj, i, l) and gives the certificateei,j,l= (ei,j,l,1=w (αi)

j ·

H1(wj, l)σj·ri,j,l, ei,j,l,2=w

ri,j,l

j ) toAfor useri∈Su,n0,j∈ {1,· · ·, k}, and time

periodl.

Afterwards,Bchooses a subsetS⊆ {1,· · ·, n}of users such thatS∩S_u,n0=∅,

time periodl06=l, and setSc⊆ {1,· · ·, k}. It outputs (Hdr, K)←Encrypt(P K, S,

Sc, l), gives Hdr= (C1=gt, C2=Qj∈ScH1(wj, l)

t_{, C}

3= (v·Qj∈Scwj·

Q

i0_∈S gn+1−i0)t, C₄=H₂(C₁, C₃)t, C₅=H₃(K, C₁, C₂, C₃, C₄)) toA and keeps secret

the session keyK=e(gn+1, g)t.

A computes new secret key dχ and certificate eχ,j,l from the secret keys and certificates of users inS_u,n0 that it previously obtained as follows. First,A

defines a subsetSu,n¯⊆Su,n0, and sets

dχ= Y i0_∈S u,n¯ di0=v P i0∈Su,¯nα i0 =vfχ(α) eχ,j,l,1 = Y i0_∈S u,n¯ e_i0_,j,l,1=w P i0∈Su,n¯α i0 j ·H1(wj, l) σj·P_i0∈Su, ¯ nri0,j,l =wfχ(α) j ·H1(wj, l) σj·rχ,j,l eχ,j,l,2 =w P i0∈Su,¯nri0,j,l j =w rχ,j,l j wherefχ(α) =P i0∈Su,n¯α

i0_{. For a useribelonging toS, it has to cancel out the} following terms e(g,(v(αi)_·Q j∈Scw (αi) j · Q i0∈S\{i}gn+1−i0_+i)t) e(vfχ(α)_·Q j∈Scw fχ(α) j · Q i0_∈S\{i}gn+1−i0_+i, gt) = e(g, v (αi)_·Q j∈Scw (αi) j ) e(vfχ(α)_·Q j∈Scw fχ(α) j , g) Q j∈Sce(g σj·rχ,j,l_,Q j∈ScH1(wj, l 0₎t₎ Q j∈Sce(H1(wj, l) σ·rχ,j,l_{, g}t₎ = e(g,Q j∈ScH1(wj, l 0₎₎ e(Q j∈ScH1(wj, l), g)

In the first equality, the two termsvαi−fχ(α)_andwα i_−f

χ(α)

j should be wiped out. Thus, one wants to have fχ(α) =P

i0∈Su,n¯α

one root of the polynomialP(x) =P

i0_∈S

u,n¯∪{i}x

i0 _{of degree ¯n+ 1. This happens} with probabilityP r[fχ(α) =αi modp]≤(¯n+ 1)/p. In the second equality, if we suppose thatl6=l0,j, j0∈ {1,· · ·, k}, and the hash functionH1is a random oracle,

then the probability that the two outputs are equalP r[H1(wj0, l0) =H₁(w_j, l)]≤

1/p. Finally,Ahas negligible advantageAdvFSEHRA,n,k≤(¯n+ 2)/pto retrieve the session keyK.

References

1. J. A. Akinyele, M. W. Pagano, M. D. Green, C. U. Lehmann, Z. N. Peterson, and A. D. Rubin. Securing electronic medical records using attribute-based encryption on mobile devices. InSPSM ’11, ACM, pp 75-86, 2011.

2. J. L. F. Alem´an, I. C. Se˜nor, P. A. O. Lozoya, and A. Toval. Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics, 46(3):541–562, 2013.

3. J. Benaloh, M. Chase, E. Horvitz, and K. Lauter. Patient controlled encryption: Ensuring privacy of electronic medical records. InCCSW ’09, ACM, pp 103-114, 2009.

4. D. Boneh, C. Gentry, and B. Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. InCRYPTO’05, LNCS, pp 258-275. Springer-Verlag, 2005.

5. Y. Dodis and N. Fazio. Public key broadcast encryption for stateless receivers. In

Digital Rights Management, LNCS 2696, pp 61-80. Springer, 2003.

6. A. Fiat and M. Naor. Broadcast encryption. InCRYPTO ’93, LNCS, pp 480-491. Springer-Verlag, 1994.

7. C. Gentry. Certificate-based encryption and the certificate revocation problem. In

EUROCRYPT’03, LNCS, pp 272-293. Springer-Verlag, 2003.

8. C. Gentry and B. Waters. Adaptive security in broadcast encryption systems (with short ciphertexts). InEUROCRYPT 2009, LNCS 5479, pp 171-188. Springer, 2009. 9. G. H. M. B. Motta and S. S. Furuie. A contextual role-based access control autho-rization model for electronic patient record. IEEE Transactions on Information Technology in Biomedicine, 7(3):202–207, 2003.

10. S. Narayan, M. Gagn´e, and R. Safavi-Naini. Privacy preserving ehr system using attribute-based infrastructure. InCCSW ’10, ACM, pp 47-52, 2010.

11. T. Okamoto and D. Pointcheval. React: Rapid enhanced-security asymmetric cryp-tosystem transform. InCT-RSA 2001, LNCS 2020, pp 159-174. Springer, 2001. 12. M. Peleg, D. Beimel, D. Dori, and Y. Denekamp. Situation-based access control:

Privacy management via modeling of patient data access scenarios.J. of Biomedical Informatics, 41(6):1028–1040, Dec. 2008.

13. H. Wang, Q. Wu, B. Qin, and J. Domingo-Ferrer. Frr: Fair remote retrieval of outsourced private medical records in electronic health networks. In J Biomed Inform. Elsevier, 2014.