Efficient Privacy-Preserving Access Control Scheme in Electronic Health Records System

Abstract

The sharing of electronic health records (EHR) in cloud servers is an increasingly important development that can improve the efficiency of medical systems. However, there are several concerns focusing on the issues of security and privacy in EHR system. The EHR data contains the EHR owner’s sensitive personal information, if these data are obtained by a malicious user, it will not only cause the leakage of patient’s privacy, but also affect the doctor’s diagnosis. It is a very challenging problem for the EHR owner fully controls over own EHR data as well as preserves the privacy of himself. In this paper, we propose a new privacy-preserving access control (PPAC) scheme for EHR. To achieve fine-grained access control of the EHR data, we utilize the attribute-based signcryption (ABSC) mechanism to signcrypt data based on the access policy for the linear secret sharing schemes. Employing the cuckoo filter to hide the access policy, it could protect the EHR owner’s privacy information. In addition, the security analysis shows that the proposed scheme is provably secure under the decisional bilinear Diffie-Hellman exponent assumption and the computational Diffie-Hellman exponent assumption in the standard model. Furthermore, the performance analysis indicates that the proposed scheme achieves low costs of communication and computation compared with the related schemes, meanwhile preserves the EHR owner’s privacy. Therefore, the proposed scheme is better suited to EHR system.

1. Introduction

With the speedy growth of new-generation information techniques like the cloud computing and Internet of Things, and the uninterrupted improvement of living standards of people, the concept of smart city has also got more attention. In particular, the electronic health records (EHR) system has been widely applied in smart city since its appearance, and it has gradually been developed and improved [1,2]. However, in face of the tremendous EHR data, a third-party platform is needed to store and manage these data. Cloud computing provides inexpensive distributed computing capabilities through the Internet, which has the characteristics of ultra-large-scale and low-cost. Hence, managing and storing the EHR data in cloud servers has become an inevitable trend. In EHR system, EHR owners generally upload and view their personal information, medical records and medication records from cloud servers. Storing the EHR data in cloud servers which improves the quality of personal medical health management while saving resources and reducing hospital expenses. Only authorized EHR users (such as doctors or nurses) are able to log in the cloud servers and access data.

Although there are many significant advantages when using cloud servers to manage the EHR data, it also brings some concerns, such as the security and privacy of the sensitive data [3,4,5]. If a malicious and unauthorized adversary breaks the EHR system and conducts a series of malicious actions, including leaking patient’s identity information and maliciously tampering with medical records, it will not only result in disclosure of patient personal privacy, but also lead to misdiagnosis by the doctors and brings serious consequences. Hence, it is necessary to put forward the access control requirements to legitimate users who can access the EHR data. Attribute-based encryption (ABE) is employed to supply fined-grained access control of the EHR data. The EHR owner defines the access policy to determine who is capable to obtain the EHR data and uploads them to the cloud servers after encrypting it using the access policy. The ciphertext could be decrypted simply if the attributes of the EHR user meet the access policy that is defined by the EHR owner. Such as, the encryption access policy is “Alice” ∨ “XXX Hospital ∧ Oncologist”. So, the EHR owner named “Alice” or the EHR user who is the “oncologist” in “XXX hospital” has the right to access the EHR data.

Although ABE schemes [6,7,8,9] could provide secure access control for the EHR data in EHR system, they still suffer from a serious problem that the access policy may leak EHR owner’s privacy. Here, the access policy will be send together with the ciphertext to EHR users in decryption phase, which may lead to the adversary gains owner’s related sensitive information from the access policy. This is caused by the construction of access policy is related to the EHR owner’s attributes. For instance, “Oncologist” is the sensitive information in the access policy for EHR owners. If anyone obtains this information, he might suspect that the EHR owner is suffering from oncology, which leads to the privacy leakage of the EHR owner. To achieve privacy-preserving for EHR system, some ABE schemes [10,11,12,13,14,15,16,17] were proposed.

However, all ABE schemes only support data encryption functionality and do not provide authentication capability. Attribute-based signcryption (ABSC) [18] mechanism emerges in integrating the fine-grained access control of data in attribute-based cryptography terminology and the efficient advantage of signcryption technology, which provides confidentiality, unforgeability and public verifiability simultaneously. Therefore, it is more appropriate to design a PPAC scheme for EHR system using the ABSC technology.

1.1. Our Contributions

In this paper, inspired by the ABSC mechanism and the cuckoo filter [19], a novel privacy-preserving access control (PPAC) scheme for EHR system is put forward. The major contributions are summed up as below:

• Based on the bilinear pairings, the ciphertext-policy attribute-based signcryption (CP-ABSC) scheme for EHR system is proposed. The proposed scheme ensures fined-grained access control of the EHR data, utilizes cuckoo filter to hide the access policy and preserves the privacy of EHR owners.
• The security analysis indicates that the proposed CP-ABSC scheme achieves the ciphertext indistinguishability and existential unforgeability in the standard model under the decisional bilinear Diffie-Hellman exponent (q-DBDHE) assumption and the computational Diffie-Hellman exponent (q-CDHE) assumption, respectively.
• The performance evaluation demonstrates that the proposed CP-ABSC scheme is more efficient than the related existing schemes [20,21,22,23] in terms of communication overheads and computation costs, and is right suitable for EHR system.

1.2. Organization

This paper is organized as below. The related work is described in Section 2. The preliminaries are reviewed in Section 3. The system model and security model are described in Section 4. The proposed PPAC scheme is given in Section 5. Section 6 and Section 7 present the security proof and performance analysis, respectively. Finally, this paper is concluded in Section 8.

2. Related Works

Access control is a basic security service in modern computing systems. The access control management ensures that only authorized users are given access to certain resources, which is an effective method to protect data privacy. It is characterized by different access permissions and level of views, and usually constructed according to hierarchical scheme. In particular, Akl and Taylor [24] first proposed the use of cryptography to implement access control in hierarchical structures in 1983. Crampton et al. [25] introduced a novel cryptographic scheme to execute the enforcement of information flow policies. The advantage of this scheme is that no public information is needed to derive the decryption keys. Moreover, when performing a given policy, this tree-based scheme requires fewer keys compared to existing chain-based approaches. Castiglione et al. [26] not only explored the relationship between all the security concepts in the hierarchical key assignment scheme (HKAS), but also proposed a general architecture for HKAS, which provides security for strong key recovery and gives any HKAS that guarantees security for key recovery. According to the security and privacy of outsourced data, a large number of users must create, share, update and delete it dynamically, Castiglione [27] provided some new results on Akl and Taylor’s scheme [24], for flexible and fine-grained access control to support dynamic updates in cloud environments. Alderman [28] designed a space-efficient KAS based on a binary tree, which eliminates public information as well as imposes logarithmic bounds on the number of derivatives required. This scheme performs better than the existing scheme, reduces the storage requirement of user equipment and logarithmically limits the derivation cost.

In 2005, the idea of ABE was proposed by Sahai and Waters [29], which is a one-to-many encryption mechanism. In this scheme, the users encrypt plaintext message based on the certain access control policy and adopt the attributes to identify user’s identities. Afterwards, ABE is divided into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE) depending on whether the access structure is associated with the ciphertexts or the sceret keys, respectively. In 2006, the KP-ABE scheme was proposed by Goyal et al. [30], which supports delegation of private keys and provides flexible access policies that enable fine-grained access control. In 2007, Bethencourt et al. [31] constructed the CP-ABE scheme. Even though the storage server is not trusted, this scheme can keep the data confidentiality. In addition, this method could resist collusion attacks. Based on linear secret sharing schemes, Waters [32] firstly put forward a fully expressed CP-ABE scheme in the standard model. The sender of message can formulate an access policy according to its own attributes and define different access policies for different messages in this scheme. The CP-ABE schemes are more appropriate for access control applications, although both KP-ABE and CP-ABE schemes are able to utilize access policies to encrypt message and achieve access control of data. With the development of research, lots of ABE schemes [6,7,8,9,10,11,12,13,14,15,16,17,33,34,35] have been presented.

For guaranteeing the EHR data’s confidentiality in data storage and transmission process, EHR owners must consider the access control of the EHR data with the aim at ensuring merely authorized users can obtain the important information. In 2009, Ibraimi et al. [6] present a novel CP-ABE scheme for safely managing and sharing the EHR data from an un-trusted web server, which is used to force organizational/patient access control policies and protect the data. In 2010, based on cryptographic constructions, Sun et al. [7] proposed a secure EHR system, which combining the mechanisms for revocation and fine-grained access control, and gives support for patient data secure sharing. In 2011, Akinyele et al. [8] designed a self-protecting EHR scheme employing ABE, the main purpose is that the access control policy may be assigned to each encrypted project. In 2013, Li et al. [9] gave a new secure EHR data sharing scheme in cloud computing, which simplified key management for users by using the multi-authorized ABE technique.

Owing to the sensitivity of health relevant data, offering privacy-preserving of EHR owners and access control of the EHR data is the main challenge in nowadays EHR system. Based on public key encryption with keyword search, Narayan et al. [10] proposed an ABE scheme to provide privacy preservation for EHR management system. An attribute-oriented authentication scheme was proposed by Liang et al. [12], which is able to assist an EHR user to establish social relationships and share health information with other trusted users. Lu et al. [13] introduced the user-centric privacy access control scheme and allowed a medical user to determine who may take part in computing to give assistance to the EHR data processing. Liu et al. [14] proposed the online/offline ABE. EHR owners performed most of the encryption calculations during the offline encryption phase. When the access policy and the EHR data were known during the online encryption phase, EHR owners can quickly integrate information to generate the final ciphertext. Zhou et al. [15] presented two anonymous ABE schemes, which can achieve anonymity for personal EHR. On the basis of ABE, a PPAC scheme in mobile healthcare social networks was proposed by Jiang et al. [16]. In this scheme, they adopt bloom filter to hide attributes and efficiently query attributes before decryption. Yang et al. [17] constructed a new attribute bloom filter for the privacy-preserving CP-ABE scheme.

Combining the encryption and digital signature functions in a single step, Zheng [36] firstly proposed the concept of signcryption. And its advantages include that the communication overhead is much smaller than the steps of encryption and signature and it can achieve both confidentiality and authenticity. Combining the idea of ABE and signcryption, attribute-based signcryption (ABSC) has been put forward [18,20,21,22,23,37,38,39,40,41,42,43,44]. In 2010, Gagné et al. [18] proposed the ABSC scheme using the threshold access policy. In which, the users have to determine their access structure in advance in setup phase. In 2011, Wang et al. [20] put forward a ciphertext-policy and claim-predicate ABSC scheme based on bilinear pairings. Its efficiency is much higher than that of the combination of the cipertext policy attribute-based signature (CP-ABS) and CP-ABE. In 2012, the dynamic CP-ABSC scheme was proposed by Emura et al. [21], which allows the signature access structure updating without re-sending the user’s signature key. This is the public verifiability, which permits any intermediary to check the validity of ciphertext before sending it to recipient. In 2013, a novel and security fuzzy attribute-based signcryption scheme was constructed by Hu et al. [22], which enables data encryption, access control, and digital signature for patient medical information in the body area networking. Afterward, based on the bilinear pairings on elliptic curves, Guo et al. [38] realized the concept of ring signcryption in the attribute-based encryption frame and present attributed-based ring singcryption scheme. Wang et al. [39] point that the ABSC scheme [18] is not secure under certain forgery. Han et al. [40] used the inner-product encryption and constructed a threshold ABSC scheme with constant-size ciphertext. In 2014, Wei et al. [41] designed a traceable ABSC scheme. This scheme’s advantage is that the authority could breach anonymity of the signcryption while it is required to trace messages. In 2016, in the light of expressive LSSS access structure, Rao et al. [43] presented an efficient and constant-size ciphertext KP-ABSC scheme. To solve the problem of secure sharing fine-grained access control of the personal health records (PHR) data, Liu et al. [44] proposed a CP-ABSC scheme. Unfortunately, Rao et al. [23] pointed out the problems in scheme [44] and proposed a secure CP-ABSC scheme for the EHR data sharing in cloud.

In summary, the above mentioned ABSC schemes provide the confidentiality and unforegability of the EHR data. However, these schemes cannot specifically solve the problem about the privacy leakage of EHR owners in EHR system. Moreover, the access policies are still in the form of plaintext in these schemes. To a certain extent, the disclosure of the personal privacy information is still a challenging problem in the fine-grained data access control for EHR system.

Besides, now there are many cloud servers supporting two-factor authentication technology. Based on the analysis of the shortcomings of existing two-factor authentication schemes for privacy preserving, Wang et al. [45] proposed an efficient and provably secure two-factor authentication scheme in the random oracle model, which can achieve higher security and privacy without increasing communication or computing costs. In the following study, Wang et al. [46] proposed a two-factor authentication scheme in the random oracle model, which achieves security guarantees beyond the conventional optimal security bound. If an attribute-based authenticated key agreement scheme is constructed on the basis of signcryption technology, it can also provide good security and efficiency in PPAC scheme. In our research, we prefer to design a PPAC solution for EHR system under the standard model. Therefore, in this paper, using the CP-ABSC scheme, we will present the PPAC scheme for the practical and secure EHR system, which prevent the leakage of EHR owner’s personal privacy information from the access policy and may achieve fine-grained access control of EHR data.

3. Preliminaries

3.1. Bilinear Pairings

Let $\mathbb{G}$, ${\mathbb{G}}_T$ be two multiplicative cyclic groups of prime order p and g be the generator of $\mathbb{G}$. The bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ satisfies the following three properties:

• Bilinearity: For all $u,v\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p$, where $e(u^a,v^b)=e{(u,v)}^{ab}$.
• Non-degeneracy: $e(g,g)\ne 1$.
• Computability: For all $u,v\in \mathbb{G}$, there exists an efficient algorithm to compute $e(u,v)$ for all $u,v\in \mathbb{G}$.

3.2. Access Structures

Suppose $P=\{P_1,P_2,\cdots ,P_n\}$ is a set of parties. There exists a collection $W\subseteq 2^P$, which is monotone if and only if for any set B and C, if $B\in W$ and $B\subseteq C$ then $C\in W$. An access structure is a collection W of non-empty subsets of $\{P_1,P_2,\cdots ,P_n\}$, i.e., $W\subseteq 2^P\setminus \{\varnothing \}$. The sets in W are named as the authorized sets, otherwise which are named as the unauthorized sets.

3.3. Linear Secret Sharing Schemes

A secret sharing scheme $\Pi$ for access structure W is called the linear secret sharing scheme (LSSS) over a set of parties P in ${\mathbb{Z}}_p$ if

• The shares for each party form a vector over ${\mathbb{Z}}_p$.
• There exists a share-generating matrix M with l rows and n columns for $\Pi$. For all $i=[1,l]$, $\rho (i)$ maps the i’th row of M to every authorized role attribute, where the function $\rho$ is a function from $\{1,2,\cdots ,l\}$ to P. We find a column vector $\overrightarrow{v}=(\sigma ,r_2,\cdots ,r_n)$ be a sharing vector, where $r_2,\cdots ,r_n\in {\mathbb{Z}}_p$ are random values and $\sigma \in {\mathbb{Z}}_p$ is the secret value to be shared. $M\overrightarrow{v}$ is the vector of l shares of $\sigma$ on $\Pi$. Each ${\lambda }_i={(M\overrightarrow{v})}_i$ is distributed as secret share value to each attribute $\rho (i)$.

An LSSS to be represented by an access structure $W=(M,\rho )$ is shown in Figure 1. Each LSSS has the linear reconstruction property, defined as follows: Let W be the access structure and $\Pi$ be the LSSS. For any authorized set, i.e., $S\in W$, let $I=\{i:\rho (i)\in S\}\subset \{1,2,\cdots ,l\}$. According to $\Pi$, if ${\{{\lambda }_i\}}_{i\in I}$ are valid shares for the secret $\sigma$, here exists constants ${\{w_i\in {\mathbb{Z}}_p\}}_{i\in I}$ such that ${\sum }_{i\in I}{w}_i{\lambda }_i=\sigma$. Let $M_i$ denote i’th row of M, then ${\sum }_{i\in I}{w}_i{M}_i=(1,0,\cdots ,0)$. It is worth noting that the constants $\{w_i\}$ can be obtained in time polynomial in scale of the share-generation matrix M.

3.4. Cuckoo Filter

The data structure called cuckoo filter [19] is the extended version of bloom filter, which supports adding and removing items dynamically while having lower space overhead, shorter search time and better performance than bloom filter [47]. It also solves the problem of false positive in bloom filter. As a method for testing set membership, cuckoo filter uses cuckoo hashing technique [48] to solve the problem of false positive in bloom filter and check whether an element exists in a set.

Figure 2a shows the basic cuckoo hashing table that includes a series of buckets, and each bucket contains 4 entries. There are two candidate buckets in every item x, which are calculated from the formula and $h_1(x)$ and $h_2(x)$. The process of inserting a new element into the hash table is displayed as Figure 2b. In Figure 2, the hash table has 8 buckets. When adding a new element into the candidate bucket 1 or 5, if either of the two candidate buckets is empty, we will insert it into the other free bucket.If both buckets have no space the element selects any candidate bucket (such as “1”) and removes the existing element, then this moved element need to re-insert into itself alternative position as shown in Figure 2b. In this case, it will trigger the item “c” that removes from bucket 3 into bucket 6 when removing “a”. We will repeat this operation until we find an empty bucket and the maximum number of times is reached. When no empty bucket is obtained, the cuckoo hashing table will be regard as that it is too filled to insert.

A cuckoo filter algorithm has mainly three functions: the insert function that stores items into the filter, the lookup function that checks whether an item exists in the filter and the delete function that removes the previously inserted items. For each item x, cuckoo filter stores a fingerprint and calculates two candidate buckets $i_1$ and $i_2$ by the following formulas:

$$i_1=H_4(x)$$

(1)

$$i_2=i_1\oplus H_4(fingerprint(x))$$

(2)

where $H_4$ is a one-way hash function.

We only adopt the insert and lookup functions of cuckoo filter in our paper. Algorithm 1 and Algorithm 2 illustrate the insert operation and lookup operation, respectively.

In Algorithm 1, cuckoo filter adds new items dynamically through storing fingerprints f of every item x. In Algorithm 2, we can easily check whether an item y belong to cuckoo filter.

Algorithm 1 Insert $(x)$

$f=\mathrm{fingerprint}(x)$; $i_1=H_4(x)$; $i_2=i_1\oplus H_4(x)$; If bucket $[i_1]$ or bucket $[i_2]$ has an empty entry then add f to that bucket; return Done; i = randomly pick $i_1$ or $i_2$; For $n=0$; $n<\mathrm{MaxMumKicks}$; $n++$ do randomly select an entry e from bucket $[i]$; swap f and fingerprint stored in entry e; $i=i\oplus H_4(f)$; If bucket $[i]$ has an empty entry then add f to bucket $[i]$; return done; return False.

Algorithm 2 Lookup $(y)$

$f=\mathrm{fingerprint}(y)$; $i_1=H_4(x)$; $i_2=i_1\oplus H_4(x)$; If bucket $[i_1]$ or bucket $[i_2]$ has f then return True; else return False; End If.

3.5. Complexity Assumptions

Decisional q-Bilinear Diffie-Hellman Exponent (q-DBDHE) Problem: Given the tuple $y_{a,\sigma }=(g,g^{\sigma },g^a,g^{a^2},\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}})$ in group $\mathbb{G}$ and $a,\sigma \in {\mathbb{Z}}_p$ are chosen at randomly, the task of q-DBDHE problem is to distinguish $e(g^{a^{q+1}},g^{\sigma })\in {\mathbb{G}}_T$ from a random element $R\in {\mathbb{G}}_T$.

The advantage of $\mathcal{A}$ in solving the q-DBDHE problem is defined as

$$Ad{v}_{\mathcal{A}}^{q-\mathrm{DBDHE}}=Pr\left[1\leftarrow \mathcal{A}(y_{a,\sigma },T)|T=e{(g,g)}^{a^{q+1}\sigma }\right]-Pr\left[1\leftarrow \mathcal{A}(y_{a,\sigma },T)|T=R\right]\ge \epsilon .$$

q-DBDHE Assumption: It says that there is no known polynomial-time algorithm $\mathcal{A}$ to solve the q-DBDHE problem with advantage at least $\epsilon$.

Computational q-Diffie-Hellman Exponent (q-CDHE) Problem: Given the tuple $y_a=(g,g^a,g^{a^2},\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}})$ in group $\mathbb{G}$ and $a\in {\mathbb{Z}}_p$ is chosen at randomly, the task of q-CDHE problem is to compute $g^{a^{q+1}}$.

The advantage of in solving the q-CDHE problem is defined as

$$Ad{v}_{\mathcal{A}}^{q-\mathrm{CDHE}}=Pr\left[g^{a^{q+1}}\leftarrow \mathcal{A}(y_a)\right]\ge \epsilon .$$

q-CDHE Assumption: It says that there is no known polynomial-time algorithm $\mathcal{A}$ to solve the q-CDHE problem with advantage at least $\epsilon$.

4. Model

In this section, we first give the typical structure of the EHR system model and the specific working stages of the proposed PPAC scheme for the EHR system model. Then, we define a CP-ABSC scheme and its security model, which is the basic method to implement the proposed PPAC scheme.

4.1. System Model

A typical structure of EHR system model is demonstrated in Figure 3.

EHR system comprises four entities: Attribute authority (AA), EHR owner, EHR user and Cloud servers.

• AA is a trusted party that is responsible for generating and distributing public parameters and private keys for the users, selects attributes from the attribute space and assigns to the users with different rights.
• EHR owner is the EHR data provider (such as a patient) who formulates the access policy, signcrypts his/her own EHR data and uploads the ciphertext to cloud servers.
• EHR user is the EHR data receiver (such as a doctor or nurse) who can download the cipgertext from cloud servers and unsigncrypt it.
• Cloud servers are in charge of storing ciphertext data that sent by the EHR owner and granting access rights to EHR users.

On the basis of the above EHR system model, our paper designs a new PPAC scheme for the EHR system, which includes the following four phases.

• System initialization phase: AA generates the master key and public systems parameters for EHR system, and then publishes the system parameters to all users (EHR owners and EHR users).
• Users registration phase: The users submit a registration application to AA. AA verifies the legitimacy of the identity of the user according to the attributes owned by itself and distributes corresponding private key to the user.
• EHR signcrypt phase: An EHR owner signcrypts the EHR data (such as personal information and medical records) under the access policy, hides the access policy by the cuckoo filter and uploads the ciphertext to cloud servers for data sharing.
• EHR access phase: An EHR user submits the data access request to the cloud servers, who can download ciphertext from cloud servers and unsigncrypt data to obtain original messages if and only if the attribute set of EHR user that satisfies access policy.

4.2. Security Model

The CP-ABSC scheme is composed of the following five algorithms [23,29]:

Setup: Given a security parameter k, system attribute set S and message universe $\mathcal{M}$, the algorithm outputs the master key MSK and system public parameters PK.

sExtract: Given PK, MSK and the signing attribute set $A_s\subseteq S$, the algorithm outputs the corresponding signing private key $S{K}_{A_s}$.

dExtract: Given PK, MSK and the decryption attribute set $A_d\subseteq S$, the algorithm outputs the corresponding decryption private key $S{K}_{A_d}$.

Signcrypt: Given PK, the message $m\in \mathcal{M}$, the signing private key $S{K}_{A_s}$ for $A_s$, the encryption access structure $W_e=(M_e,{\rho }_e)$, signing access structure $W_s=(M_s,{\rho }_s)$, where $A_s\in W_s$, and the cuckoo filter, the algorithm outputs the ciphertext CT.

Unsigncrypt: Given PK, the ciphertext CT and the decryption private key $S{K}_{A_d}$ for $A_d$, the algorithm firstly queries the corresponding attributes values by cuckoo filter and reconstructs the access structure $W_e^{\prime }=(M_e,{\rho }_e^{\prime })$, and outputs message m if $A_d\in W_e^{\prime }$. Otherwise, the algorithm returns ⊥.

According to [23,32], the security of CP-ABSC needs to satisfy confidentiality and unforgeability.

The confidentiality (indistinguishability against adaptive chosen ciphertext attack (IND-CCA2)) for CP-ABSC is captured by an interactive game between the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$ as follows.

Initialization: The adversary $\mathcal{A}$ chooses an encryption access structure $W_e^{\ast }$ for the encryption attribute set $A_d$, which is applied to calculate the challenge ciphertext and provides it to the challenger $\mathcal{C}$.

Setup: $\mathcal{C}$ executes the Setup algorithm. $\mathcal{C}$ keeps the master key MSK secretly and returns the public parameters PK to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ adaptively issues the following polynomial bounded queries.

• sExtract queries: Given a query on the signing attribute set $A_s$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $S{K}_{A_s}$ to $\mathcal{A}$.
• dExtract queries: Given a query on the decryption attribute set $A_d\notin W_e^{\ast }$, $\mathcal{C}$ executes the dExtract algorithm and returns the corresponding private key $S{K}_{A_d}$ to $\mathcal{A}$.
• Signcrypt queries: Given a query on the message $m\in \mathcal{M}$, the decryption attribute set $A_d$, the signing attribute set $A_s$, the encryption access structure $W_e$, the signing access structure $W_s$ and cuckoo filter, $\mathcal{C}$ executes the sExtract algorithm and obtains the signing private key $S{K}_{A_s}$. Then $\mathcal{C}$ execute the Signcrypt algorithm to generate the ciphertext CT and returns to $\mathcal{A}$.
• Unsigncrypt queries: Given a query on the ciphertext CT, the decryption attribute set $A_d$ and the signing attribute set $A_s$, $\mathcal{C}$ firstly queries the corresponding attributes of EHR users that are in cuckoo filter or not and reconstructs the access structure $W_e^{\prime }=(M_e,{\rho }_e^{\prime })$. $\mathcal{C}$ executes the dExtract algorithm and obtains the decryption private key $S{K}_{A_d}$. And $\mathcal{C}$ executes the Unsigncrypt algorithm to obtain the message m and returns to $\mathcal{A}$.

Challenge: After completing the Phase 1, $\mathcal{A}$ outputs two equal length messages $m_0^{\ast },m_1^{\ast }$ and the signing access structure $W_s^{\ast }$. When the signing attribute set $A_s^{\ast }\in W_s^{\ast }$, $\mathcal{C}$ gets $S{K}_{A_d^{\ast }}$ by running the dExtract algorithm. $\mathcal{C}$ randomly chooses $\theta \in \{0,1\}$ and executes the Signcrypt algorithm to generate the ciphertext $C{T}^{\ast }$. At last, $\mathcal{C}$ sends $C{T}^{\ast }$ to $\mathcal{A}$ as its challenge ciphertext.

Phase 2: $\mathcal{A}$ adaptively issues the queries as in Phase 1 except the dExtract queries for any decryption attribute set $A_d\in W_e^{\ast }$ and the Unsigncrypt queries for the challenge ciphertext $C{T}^{\ast }$ for any $A_d\in W_e^{\ast }$.

Guess: $\mathcal{A}$ outputs a guess bit $\theta \in \{0,1\}$. If ${\theta }^{\prime }=\theta$, $\mathcal{A}$ wins the above game.

The advantage of $\mathcal{A}$ that wins the above game is defined to be $Adv=|Pr[{\theta }^{\prime }=\theta ]-\frac{1}{2}|$.

Definition 1(Confidentiality). A CP-ABSC scheme is IND-CCA2 security, if there is no polynomial-time adversary who wins the aforementioned game with the non-negligible advantage.

The unforgeability (existential unforgeability against adaptive chosen message attack (EUF-CMA)) for CP-ABSC is captured by an interactive game between the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$ as follows.

Initialization: The adversary $\mathcal{A}$ provides the challenge signing access structure $W_s^{\ast }$ to the challenger $\mathcal{C}$.

Setup: $\mathcal{C}$ executes the Setup algorithm. Then $\mathcal{C}$ keeps the master key MSK secretly and returns the public parameters PK to $\mathcal{A}$.

Query phase: $\mathcal{A}$ performs a polynomial bounded number of queries adaptively.

• sExtract queries: Give a query on the signing attributes set $A_s\notin W_s^{\ast }$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $S{K}_{A_s}$ to $\mathcal{A}$.
• dExtract queries: Give a query on the decryption attributes set $A_d$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $S{K}_{A_d}$ to $\mathcal{A}$.
• Signcrypt queries: Same as the Signcrypt queries in the confidentiality game.
• Unsigncrypt queries: Same as the Unsigncrypt queries in the confidentiality game.

Forgery: $\mathcal{A}$ outputs the forgery ciphertext $C{T}^{\ast }$ on $(m^{\ast },W_s^{\ast },W_e^{\ast })$.

$\mathcal{A}$ wins above game if $C{T}^{\ast }$ is valid and $\mathcal{A}$ never makes the Signcrypt queries on $(m^{\ast },W_s^{\ast },W_e^{\ast })$.

The advantage of $\mathcal{A}$ that wins the above game is defined as the probability that it wins the unforgeability game.

Definition 2(Unforgeability). A CP-ABSC scheme is EUF-CMA security, if there is no polynomial-time adversary who wins the aforementioned game with the non-negligible advantage.

5. The Proposed Scheme

The construction of PPAC scheme for EHR system is based on the CP-ABSC scheme and the concrete CP-ABSC scheme is given based on the bilinear pairing, supporting the linear secret sharing schemes. Employing the cuckoo filter to hide the access policy, it could protect the EHR owner’s privacy information. The proposed scheme meets the requirements of PPAC in this section, by using CP-ABSC mechanism to signcrypt plaintext messages can satisfy the confidentiality and unforegability of the EHR data. At the same time, the use of cuckoo filter achieves the purpose of privacy preserving. Specifically, our proposed CP-ABSC scheme includes four phases: system initialization, user registration phase, EHR signcrypt phase and EHR access phase. The detail steps are as follows.

5.1. System Initialization

AA generates the master key MSK and public parameters PK for EHR system through executing the Setup algorithm.

• Setup: Given the security parameter k, message universe $\mathcal{M}:{\{0,1\}}^{\ast }$ and attribute set S that includes the EHR owner’s attributes and EHR user’s attributes. AA picks three collision resistant cryptographic hash functions: $H_1:{\{0,1\}}^{\ast }\to {\{0,1\}}^l$, $H_2:\mathbb{G}\to {\mathbb{Z}}_p^{\ast }$, $H_3:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$. Besides, AA chooses a one-way hash function $H_4:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$, which will be used to hash all $\rho (i)$ for $i\in \{1,2,\cdots ,l\}$ in the access policy $W=(M,\rho )$ associated with the EHR owners’ attributes. Then, AA randomly chooses $a,\alpha \in {\mathbb{Z}}_p^{\ast }$, ${\delta }_1,{\delta }_2,y_0,y_1,\cdots ,y_l\in \mathbb{G}$ and sets $Y=e{(g,g)}^{\alpha }$. For each attribute $x\in S$, AA samples $h_x\in \mathbb{G}$.

The system parameters are $PK=\{\mathcal{M},S,H_1,H_2,H_3,H_4,g^a,{\delta }_1,{\delta }_2,y_0,{\{y_i\}}_{i\in [1,l]},Y,{\{h_x\}}_{x\in S}\}$ and the master key is $MSK=\{g^{\alpha }\}$.

5.2. User Registration Phase

According to the attributes of the EHR owner and the EHR user, AA generates the corresponding private keys through executing the sExtract and dExtract algorithms.

• sExtract: Given PK, MSK and the signing attribute set $A_s\subseteq S$, AA randomly selects $r_s\in {\mathbb{Z}}_p^{\ast }$ and outputs the EHR owner’s signing private key $S{K}_{A_s}:K_s=g^{\alpha }{g}^{a{r}_s}$, $L_s=g^{r_s}$, ${\{K_{s,x}=h_x^{r_s}\}}_{x\in A_s}$.
• dExtract: Given PK, MSK and the decryption attribute set $A_d\subseteq S$, AA randomly picks $r_d\in {\mathbb{Z}}_p^{\ast }$ and outputs the EHR user’s decryption private key $S{K}_{A_d}:K_d=g^{\alpha }{g}^{a{r}_d}$, $L_d=g^{r_d}$, ${\{K_{d,x}=h_x^{r_d}\}}_{x\in A_d}$.

5.3. EHR Signcrypt Phase

The EHR owner signcrypts his/her own EHR data and uses cuckoo filter to hide the access policy W associated with attributes through executing the Signcrypt algorithm.

• Signcrypt: Given the message $m\in \mathcal{M}$, the signing private key $S{K}_{A_s}$, and the encryption access policy $W_e=(M_e,{\rho }_e)$ and the signing access policy $W_s=(M_s,{\rho }_s)$ that are formulated by the EHR owner. The EHR owner performs the following steps.

  -

  The EHR owner selects a vector $\overrightarrow{v}=(\sigma ,v_2,\cdots ,v_n)\in {\mathbb{Z}}_p^{\ast }$ calculates ${\lambda }_i=\overrightarrow{v}·M_i$ for $i=1,2,\cdots ,l$, where $M_i$ is the i’th row of matrix M. And the EHR owner randomly chooses ${\phi }_i\in {\mathbb{Z}}_p$ and generators a vector $\overrightarrow{\phi }=(-{\phi }_1,-{\phi }_2,\cdots ,-{\phi }_l)$ such that $\overrightarrow{\phi }·M_s=-{\overrightarrow{1}}_n$, that is ${\displaystyle \sum _{i=1}^l}{\phi }_i·M_{s,i}=-{\overrightarrow{1}}_n$, and ${\phi }_i=0$ for all i where ${\rho }_s(i)\notin A_s$, where $M_{s,i}$ is the i’th row of matrix $M_s$.

  -

  The EHR owner picks $\xi \in {\mathbb{Z}}_p^{\ast }$ and computes

  $$C=m{Y}^{\sigma },C^{\prime }=g^{\sigma },\mu =H_2(C^{\prime }),C^{″}={({{\delta }_1}^{\mu }{\delta }_2)}^{\sigma },\{C_i=g^{a{\lambda }_i}{h}_{{\rho }_e(i)}^{-\sigma }\}{}_{i\in [1,l]},$$

  $$S_1=L_s=g^{r_s},H_1(S_1,W_e,W_s)=(j_1,j_2,\cdots ,j_l),$$

  $$H_3(W_e,W_s,C,C^{\prime },C^{″},\{C_i=g^{a{\lambda }_i}{h}_{{\rho }_e(i)}^{-\sigma }\}{}_{i\in [1,l]})=\beta$$

  $$S_2=K_s·{\displaystyle \prod _{i\in [1,l]}}{(K_{s,{\rho }_s})}^{{\phi }_i}·{(y_0{\displaystyle \prod _{i\in [1,l]}}{y_i}^{j_i})}^{\sigma }·{(C^{″})}^{\beta \xi }.$$

  -

  The EHR owner uses the cuckoo filter to hide the access policy $W_e=(M_e,{\rho }_e)$. In order to derive the alternative position of an item based on its fingerprint, it needs to utilize the partial-key cuckoo hashing [19]. That can ensure the EHR owner inserts new items to cuckoo filter dynamically. For each valid attribute $a_i\in S$, where the attribute $a_i={\rho }_e(i)$ maps the i’th row of access matrix M, let item $x=a_i$. The EHR owner dynamically inserts a new item x into the cuckoo filter by using the insert operation as shown in Algorithm 1 and constructs the cuckoo filter data structure CF. Finally, the EHR owner uploads the ciphertext $CT=\{C,C^{\prime },C^{″},{\{C_i\}}_{i\in [1,l]},S_1,S_2,CF\}$ to the cloud server.

5.4. EHR Access Phase

In this phase, the EHR user downloads the ciphertext CT from the cloud servers, then gets message m through running the Unsigncrypt algorithm.

• Unsigncrypt: Given the ciphertext CT, the EHR user performs the following steps.

  -

  Suppose that $S^{\prime }$ is the attribute set of the EHR user. For every attribute $a_i^{\prime }\in S^{\prime }$, let an item $y=a_i^{\prime }$. The EHR user first checks the attributes are in the access policy or not by using using the lookup operation of the cuckoo filter as shown in Algorithm 2. If the item y is in cuckoo filter, it means that the attribute $a_i^{\prime }$ exists in the access policy. Lastly, the EHR user generates the reconstructed attribute map ${\rho }_e^{\prime }(i)=a_i^{\prime }$ and obtains the access policy $W_e^{\prime }=(M_e,{\rho }_e^{\prime })$.

  -

  The EHR user computes $\mu =H_2(C^{\prime })$, $H_1(S_1,W_e^{\prime },W_s)=(j_1,j_2,\cdots ,j_l)$, $\beta =H_3(W_e^{\prime },W_s,C,C^{\prime },C^{″},{\{C_i=g^{a{\lambda }_i}{h}_{{\rho }_e(i)}^{-\sigma }\}}_{i\in [1,l]})$ and verifies

  $$Y=\frac{e(S_2,g)}{e(g^a·{\displaystyle \prod _{i\in [1,l]}}{h}_{{\rho }_s(i)}^{{\phi }_i},S_1)·e(y_0{\displaystyle \prod _{i\in [1,l]}}{y_i}^{j_i}·{({{\delta }_1}^{\mu }{\delta }_2)}^{\beta \xi },C^{\prime })}$$

  (3)

  -

  If it is invalid, returns ⊥; Otherwise, when the decryption attribute set $A_d\in S^{\prime }$ satisfies $(M_e,{\rho }_e^{\prime })$, the EHR user finds the constants ${\{{\omega }_i\in {\mathbb{Z}}_p^{\ast }\}}_{i\in I}$ such that $\left\{{\lambda }_i\right\}$ are valid shares of secret value $\sigma$ based on $M_e$, ${\sum }_{i\in I}{\omega }_i{\lambda }_i=\sigma$, where $I=\{i:{\rho }_e^{\prime }(i)\in S^{\prime }\}$.

  The EHR user computes

  $$Y^{\sigma }=\frac{e(C^{\prime },K_d)}{{\displaystyle {\prod }_{i\in I}}{\left(e(C_i,L_d)·e(C^{\prime },K_{d,{{\rho }^{\prime }}_e})\right)}^{{\omega }_i}}$$

  (4)

  and recovers the message m from $m=\frac{C}{Y^{\sigma }}$.

Correctness:

$$\begin{array}{cc}\hfill S_2& =K_s·{\displaystyle \prod _{i\in [1,l]}}{(K_{s,{\rho }_s})}^{{\phi }_i}·{(y_0{\displaystyle \prod _{i\in [1,l]}}{y_i}^{j_i})}^{\sigma }·{(C^{″})}^{\beta \xi }\hfill \\ & =g^{\alpha }{g}^{a{r}_s}·{\displaystyle \prod _{i\in [1,l]}}{(h_{{\rho }_s(i)}^{r_s})}^{{\phi }_i}·{(y_0{\displaystyle \prod _{i\in [1,l]}}{y_i}^{j_i})}^{\sigma }·{(C^{″})}^{\beta \xi },\hfill \end{array}$$

$$\begin{array}{cc}\hfill e(S_2,g)& =e(g^{\alpha }{g}^{a{r}_s},g)·e({\displaystyle \prod _{i\in [1,l]}}{(h_{{\rho }_s(i)}^{r_s})}^{{\phi }_i},g)·e({(y_0{\displaystyle \prod _{i\in [1,l]}}{y_i}^{j_i})}^{\sigma },g)·e({({\delta }_1^{\mu }{\delta }_2)}^{\sigma \beta \xi },g)\hfill \\ & =e{(g,g)}^{\alpha }·e(g^a,g^{r_s})·e({\displaystyle \prod _{i\in [1,l]}}{(h_{{\rho }_s(i)})}^{{\phi }_i},g^{r_s})·e(y_0{\displaystyle \prod _{i\in [1,l]}}{y}_i^{j_i},g^{\sigma })·e({({\delta }_1^{\mu }{\delta }_2)}^{\beta \xi },g^{\sigma })\hfill \\ & =Y·e(g^a{\displaystyle \prod _{i\in [1,l]}}{h}_{{\rho }_s(i)}^{{\phi }_i},S_1)·e(y_0{\displaystyle \prod _{i\in [1,l]}}{y}_i^{j_i}·{({\delta }_1^{\mu }{\delta }_2)}^{\beta \xi },C^{\prime }),\hfill \end{array}$$

$$\begin{array}{cc}\hfill \frac{e(C^{\prime },K_d)}{{\displaystyle {\prod }_{i\in I}}{(e(C_i,L_d)·e(C^{\prime },K_{d,{{\rho }^{\prime }}_e}))}^{{\omega }_i}}& =\frac{e(g^{\sigma },g^{\alpha }{g}^{a{r}_d})}{{\displaystyle \prod _{i\in I}}{(e(g^{a{\lambda }_i}{h}_{{{\rho }^{\prime }}_e(i)}^{-\sigma },g^{r_d})·e(g^{\sigma },h_{{{\rho }_e}^{\prime }(i)}^{r_d}))}^{{\omega }_i}}\hfill \\ & =\frac{e{(g,g)}^{\alpha \sigma }·e{(g,g)}^{a\sigma r_d}}{{\displaystyle \prod _{i\in I}}e{(g,g)}^{a{r}_d{\lambda }_i{\omega }_i}}=e{(g,g)}^{\alpha \sigma }=Y^{\sigma }.\hfill \end{array}$$

6. Security Proof

6.1. Confidentiality

Theorem 1.

Assuming there is the adversary $\mathcal{A}$ who is capable of breaking the IND-CCA2 security of CP-ABSC scheme with a non-negligible probability ε, then we we can construct an algorithm $\mathcal{B}$ that solves the q-DBDHE problem with the probability at least ${\epsilon }^{\prime }=\epsilon -\frac{q_{us}}{p}$, where $q_{us}$ is the maximum number of the Unsigncrypt queries issued by $\mathcal{A}$.

Proof. 

The algorithm $\mathcal{B}$ receives an instance $y_{a,\sigma }=(g,g^{\sigma },g^a,g^{a^2},\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}})$ of the q-DBDHE problem, where $g_i=g^{a^i}$, $a,\sigma \in {\mathbb{Z}}_p$ and g is a generator of $\mathbb{G}$. The goal of $\mathcal{B}$ is to decide whether $T=e{(g,g)}^{a^{q+1}\sigma }$ or $T=R$, where R is a random element in ${\mathbb{G}}_T$. If $T=e{(g,g)}^{a^{q+1}\sigma }$, $\mathcal{B}$ outputs 1; Otherwise outputs 0. Then $\mathcal{B}$ chooses three collision-resistant hash functions $H_1:{\{0,1\}}^{\ast }\to {\{0,1\}}^l$, $H_2:\mathbb{G}\to {\mathbb{Z}}_p^{\ast }$, $H_3:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$ and a one-way hash function $H_3:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$. The algorithm $\mathcal{B}$ simulates the challenger in IND-CCA2 security game and interacts with the adversary $\mathcal{A}$ as below. □

Initialization: $\mathcal{A}$ submits the message space $\mathcal{M}:{\{0,1\}}^{\ast }$ and the challenge encryption access structure $W_e^{\ast }=(M_e^{\ast },{\rho }_e^{\ast })$ to $\mathcal{B}$, where $M_e^{\ast }$ is a matrix of $l^{\ast }\times n^{\ast }$ with the labeling function ${\rho }_e^{\ast }$. Let ${\overrightarrow{M}}_i^{\ast }=(M_{i,1}^{\ast },M_{i,2}^{\ast },\cdots ,M_{i,n^{\ast }}^{\ast })$ be the i’th row of $M_e^{\ast }$.

Setup: $\mathcal{B}$ chooses a random ${\alpha }^{\prime }\in {\mathbb{Z}}_p^{\ast }$ and calculates $\alpha ={\alpha }^{\prime }+a^{q+1}$, $Y=e{(g,g)}^{\alpha }=e(g^a,g^{a^q})·e{(g,g)}^{{\alpha }^{\prime }}$. $\mathcal{B}$ randomly chooses $\varsigma \in {\mathbb{Z}}_p^{\ast }$, ${\eta }_0,{\eta }_1,\cdots ,{\eta }_l\in {\mathbb{Z}}_p^{\ast }$ and sets $C^{\prime \ast }=g^{\sigma }$, ${\mu }^{\ast }=H_2(C^{\prime \ast })$, ${\delta }_1=g_q^{\frac{1}{{\mu }^{\ast }}}$, ${\delta }_2=g^{\varsigma }{g}_q^{-1}$, $y_0=g^{{\eta }_0}$, $y_1=g^{{\eta }_1},\cdots ,y_l=g^{{\eta }_l}$.

Finally, for each attribute $x\in S$, let X denote the set of indices i such that ${\rho }_e^{\ast }(i)=x$. If $X\ne \varnothing$, $\mathcal{B}$ selects a random parameter $f_x\in {\mathbb{Z}}_p^{\ast }$ and defines $h_x=g^{f_x}·g^{a{M}_{i,1}^{\ast }}·g^{a^2{M}_{i,2}^{\ast }}\cdots g^{a^{n^{\ast }}{M}_{i,n}^{\ast }}$. If $X=\varnothing$, then $h_x=g^{f_x}$.

$\mathcal{B}$ returns the public parameters $PK=\{S,\mathcal{M},H_1,H_2,H_3,H_4,Y,{\delta }_1,{\delta }_2,y_0,{\{y_i\}}_{i\in [1,l]},Y,{\{h_x\}}_{x\in S}\}$ to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ adaptively makes a number of queries as follows.

• sExtract queries: When $\mathcal{A}$ issues a query on the signing attribute set $A_s$, $\mathcal{B}$ randomly chooses $\widehat{r}\in {\mathbb{Z}}_p^{\ast }$, sets $r_s=\widehat{r}-a^q$ and computes $L_s=g^{\widehat{r}}{g}_q^{-1}$, $K_s=g^{{\alpha }^{\prime }}{g}_1^{\widehat{r}}$, $K_{s,x}=h_x^{\widehat{r}}{g}_q^{-f_x}$ for any $x\in A_s$. Then $\mathcal{B}$ returns the signing private key $S{K}_{A_s}=\{L_s,K_s,{\{K_{s,x}\}}_{x\in A_s}\}$ to $\mathcal{A}$.
  Correctness:

  $$L_s=g^{\widehat{r}}{g}_q^{-1}=g^{\widehat{r}}{g}^{-a^q}=g^{r_s},$$

  $$K_s=g^{{\alpha }^{\prime }}{g}_1^{\widehat{r}}=g^{{\alpha }^{\prime }}{g}_{q+1}{g}_1^{\widehat{r}}{g}_{q+1}^{-1}=g^{{\alpha }^{\prime }+a^{q+1}}{g}^{a\widehat{r}-a^{q+1}}=g^{\alpha }{g}^{a{r}_s},$$

  $$K_{s,x}=h_x^{\widehat{r}}{g}_q^{-f_x}=h_x^{\widehat{r}}{(h_x)}^{-a^q}=h_x^{r_s}.$$
• dExtract queries: When $\mathcal{A}$ issues a query on the decryption attributes set $A_d\notin W_e^{\ast }$, $\mathcal{B}$ randomly chooses a vector $\overrightarrow{\gamma }=({\gamma }_1,{\gamma }_2,\cdots ,{\gamma }_{n^{\ast }})\in {\mathbb{Z}}_p^{n^{\ast }}$ where ${\gamma }_1=-1$, $\overrightarrow{\gamma }·M_{e,i}^{\ast }=0$ for all i where ${\rho }_e^{\ast }(i)\in A_d$. $\mathcal{B}$ randomly selects $\widehat{r}\in {\mathbb{Z}}_p^{\ast }$, implicitly defines $r_d=\widehat{r}+{\gamma }_1{a}^q+{\gamma }_2{a}^{q-1}+\cdots +{\gamma }_{n^{\ast }}{a}^{q-n^{\ast }+1}$ and computes $L_d=g^{\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}$, $K_d=g^{{\alpha }^{\prime }}{g}^{a\widehat{r}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}$ and $K_{d,x}=L_d^{f_x}{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j·\widehat{r}}{\displaystyle \prod _{\underset{o\ne j}{o=1,\cdots ,n^{\ast }}}}{(g^{a^{q+1+j-o}})}^{{\gamma }_o})}^{M_{i,j}^{\ast }}$ for any $x\in A_d$. For any $i\in [1,l_e^{\ast }]$, if there is no ${\rho }_e^{\ast }(i)=x$, then $\mathcal{B}$ simply sets $K_{d,x}=L_d^{f_x}$. Then $\mathcal{B}$ returns the decryption key $S{K}_{A_d}=\{L_d,K_d,{\{K_{d,x}\}}_{x\in A_d}\}$.
  Correctness:

  $$L_d=g^{\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}=g^{r_d},$$

  $$\begin{array}{cc}\hfill K_d& =g^{{\alpha }^{\prime }}{g}^{a\widehat{r}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}=g^{{\alpha }^{\prime }}{g}^{a^{q+1}}·g^{a\widehat{r}}·g^{-a^{q+1}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}=g^{\alpha }{g}^{a\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}\hfill \\ & =g^{\alpha }{(g^a)}^{\widehat{r}+{\displaystyle \sum _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}}=g^{\alpha }{g}^{a{r}_d},\hfill \end{array}$$

  $$\begin{array}{cc}\hfill K_{d,x}& =L_d^{f_x}·{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j·\widehat{r}}{\displaystyle \prod _{\underset{o\ne j}{o=1,\dots ,n^{\ast }}}}{(g^{a^{q+1+j-o}})}^{{\gamma }_o})}^{M_{i,j}^{\ast }}=g^{\widehat{r}{f}_x}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i{f}_x}·{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j})}^{\widehat{r}·M_{i,j}^{\ast }}\hfill \\ & ={(g^{f_x}{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j})}^{M_{i,j}^{\ast }})}^{\widehat{r}}·{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i{f}_x}=h_x^{\widehat{r}}·{\displaystyle \prod _{i=1}^{n^{\ast }}}{({h_x}^{a^{q+1-i}})}^{{\gamma }_i}=h_x^{r_d}.\hfill \end{array}$$
• Signcrypt queries: When $\mathcal{A}$ issues a query on $(m,W_e,W_s,A_d,A_s)$ and the cuckoo filter, if signing attribute set $A_s\in W_s$, $\mathcal{B}$ runs the sExtract queries and gets the private key $S{K}_{A_s}$, then $\mathcal{B}$ executes the Signcrypt algorithm, generates ciphertext $CT=\{C,C^{\prime },C^{″},{\{C_i\}}_{i\in [1,l]},S_1,S_2,CF\}$. Finally, $\mathcal{B}$ returns CT to $\mathcal{A}$.
• Unsigncrypt queries: When $\mathcal{A}$ issues a query on the ciphertext CT, $\mathcal{B}$ checks whether $C^{\prime }=C^{\prime \ast }$. If $C^{\prime }=C^{\prime \ast }$, $\mathcal{B}$ aborts. (Since $C^{\prime }=g^{\sigma }$ is random, the probability is at most $1/p$). Otherwise, $\mathcal{B}$ first checks the corresponding attributes of EHR user are in cuckoo filter or not and reconstructs the encryption access policy $W_e^{\prime \ast }=(M_e^{\ast },{\rho }_e^{\prime \ast })$.

  -

  If $A_d\notin W_e^{\prime \ast }$, $\mathcal{B}$ generates the private key $S{K}_{A_d}$ through executing the dExtract queries and returns the results of the Unsigncrypt algorithm to $\mathcal{A}$.

  -

  If $A_d\in W_e^{\prime \ast }$, $\mathcal{B}$ first checks the validity of ciphertext CT based on Equation (3). If it is not valid, then $\mathcal{B}$ outputs ⊥; Otherwise computes $Y^{\sigma }=e{(C^{″}/{C^{\prime }}^{\varsigma },g_1)}^{{\left(\frac{\mu }{{\mu }^{\ast }}-1\right)}^{-1}}·e(C^{\prime },g^{{\alpha }^{\prime }})$. Finally, $\mathcal{B}$ returns the message $m=\frac{C}{Y^{\sigma }}$ to $\mathcal{A}$.

  Correctness:

  $$\begin{array}{cc}\hfill e{(C^{″}/{C^{\prime }}^{\varsigma },g_1)}^{{\left(\frac{\mu }{{\mu }^{\ast }}-1\right)}^{-1}}·e(C^{\prime },g^{{\alpha }^{\prime }})& =e({({\delta }_1^{\mu }{\delta }_2)}^{\sigma }/g^{\sigma \varsigma },g_1){\left(\frac{\mu }{{\mu }^{\ast }}-1\right)}^{-1}·e(C^{\prime },g^{{\alpha }^{\prime }})\hfill \\ & =({({({g_q}^{\frac{1}{{\mu }^{\ast }}})}^{{\mu }^{\ast }}·g^{\varsigma }{g}_q^{-1})}^{\sigma }/g^{\sigma \varsigma },g_1){\left(\frac{\mu }{{\mu }^{\ast }}-1\right)}^{-1}·e(C^{\prime },g^{{\alpha }^{\prime }})\hfill \\ & =e(g_q^{\sigma },g_1)·e(C^{\prime },g^{{\alpha }^{\prime }})\hfill \\ & =e(C^{\prime },g^{a^{n+1}})·e(C^{\prime },g^{{\alpha }^{\prime }})\hfill \\ & =e(C^{\prime },g^{\alpha }).\hfill \end{array}$$
  Since Equation (3) is valid, it has $e(g^{a{r}_d},C^{\prime })={\displaystyle \prod _{i\in I}}e{(g^{a{r}_d},g)}^{{\lambda }_i{\omega }_i}$. Therefore,

  $$\begin{array}{cc}& e{(C^{″}/{C^{\prime }}^{\varsigma },g_1)}^{{\left(\frac{\mu }{{\mu }^{\ast }}-1\right)}^{-1}}·e(C^{\prime },g^{{\alpha }^{\prime }})\hfill \\ \hfill =& e(C^{\prime },g^{\alpha })·\frac{e(g^{a{r}_d},C^{\prime })}{{\displaystyle \prod _{i\in I}}e{(g^{a{r}_d},g)}^{{\lambda }_i{\omega }_i}}=\frac{e(C^{\prime },g^{\alpha }{g}^{a{r}_d})}{{\displaystyle \prod _{i\in I}}{(e(g^{a{\lambda }_i}{h}_{{\rho }_e(i)}^{-\sigma },g^{r_d})·e(g^{\sigma },h_{{\rho }_e(i)}^{r_d}))}^{{\omega }_i}}\hfill \\ \hfill =& \frac{e(C^{\prime },K_d)}{{\displaystyle \prod _{i\in I}}{(e(C_i,L_d)·e(C^{\prime },K_{d,x}))}^{{\omega }_i}}=Y^{\sigma }.\hfill \end{array}$$

Challenge: $\mathcal{A}$ outputs two equal length messages $m_0^{\ast },m_1^{\ast }\in \mathcal{M}$ and the signing access policy $W_s^{\ast }$ to $\mathcal{B}$. $\mathcal{B}$ chooses $t_1^{\prime }=0$, $\tilde{r},t_2^{\prime },t_3^{\prime },\cdots ,t_{n^{\ast }}^{\prime }\in {\mathbb{Z}}_p^{\ast }$ and sets $r_s=\tilde{r}-a^q$, $\overrightarrow{v}=(\sigma +t_1^{\prime },\sigma a+t_2^{\prime },\sigma a^2+t_3^{\prime },\cdots ,\sigma a^{n^{\ast }-1}+t_{n^{\ast }}^{\prime })=\sigma (1,a,a^2,\cdots ,a^{n^{\ast }-1})+(0,t_2^{\prime },t_3^{\prime },\cdots ,t_{n^{\ast }}^{\prime })$. Then $\mathcal{B}$ selects $\theta \in \{0,1\}$ and outputs the challenge ciphertext $C{T}^{\ast }=(C^{\ast },C^{\prime \ast },C^{″\ast },{\{{C_i}^{\ast }\}}_{i\in [1,l^{\ast }]},S_1^{\ast },S_2^{\ast })$ as follows:

• $C^{\ast }=m_{\theta }T·e(g^{\sigma },g^{a^{\prime }})$,
• $C^{\prime \ast }=g^{\sigma }$,
• $C^{″\ast }={(g^{\sigma })}^{\varsigma }$, where ${\mu }^{\ast }=H_2(C^{\prime \ast })$,
• ${C_i}^{\ast }=({\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^a)}^{M_{i,j}^{\ast }·{t^{\prime }}_j})·{(g^{\sigma })}^{-f_{{\rho }_e^{\ast }(i)}}$ for $i\in [1,l^{\ast }]$,
• $S_1^{\ast }=g^{\tilde{r}}{g}_q^{-1}$,
• $S_2^{\ast }=(g^{{\alpha }^{\prime }}{g}^{a\tilde{r}})·{(h_{{\rho }_s^{\ast }\left(i\right)}^{r^{\ast }}{g}_q^{-f_{{\rho }_s^{\ast }(i)}})}^{{\phi }_i^{\ast }}·{(g^s)}^{{\eta }_0+{\displaystyle \sum _{i=1}^{l^{\ast }}}{j}_i^{\ast }{\eta }_i+\varsigma \xi {\beta }^{\ast }}$, where $H_1(S_1^{\ast },W_e^{\ast },W_s^{\ast })=(j_1^{\ast },j_2^{\ast },\cdots ,{j_l}^{\ast })$, $H_3(W_e^{\ast },W_s^{\ast },C,C^{\prime \ast },C^{″\ast },{\{{C_i}^{\ast }\}}_{i\in [1,l^{\ast }]})={\beta }^{\ast }$.

If $T=e(g^{\sigma },g^{a^{q+1}})$, $C{T}^{\ast }$ is a valid challenge ciphertext.

Correctness:

$$T·e(g^{\sigma },g^{{\alpha }^{\prime }})=e(g^{\sigma },g^{a^{q+1}})·e(g^{\sigma },g^{{\alpha }^{\prime }})=e{(g,g)}^{\sigma \alpha }=Y^{\sigma }.$$

$$C^{\ast }=m_{\theta }·T·e(g^{\sigma },g^{a^{\prime }})=m_{\theta }·Y^{\sigma }.$$

$$C^{″\ast }={(g^{\sigma })}^{\varsigma }={(g^{\varsigma }{g}_q^{-1}{g}_q)}^{\sigma }={({({g_q}^{\frac{1}{{\mu }^{\ast }}})}^{{\mu }^{\ast }}·g^{\varsigma }{g}_q^{-1})}^{\sigma }={({\delta }_1^{{\mu }^{\ast }}{\delta }_2)}^{\sigma }.$$

For $j=1,2,\cdots ,n^{\ast }$, ${\lambda }_i=\overrightarrow{v}·{M_i}^{\ast }=(\sigma (1,a,a^2,\cdots ,a^{n^{\ast }-1})+(0,t_2^{\prime },t_3^{\prime },\cdots ,t_{n^{\ast }}^{\prime }))·{M_i}^{\ast }=a\sigma {\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^{j-1}{M}_{i,j}^{\ast }+{\displaystyle \sum _{j=2}^{n^{\ast }}}{t^{\prime }}_j{M}_{i,j}^{\ast }$,

$$\begin{array}{cc}\hfill {C_i}^{\ast }& =({\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^a)}^{M_{i,j}^{\ast }·{t^{\prime }}_j})·{(g^{\sigma })}^{-f_{{\rho }_e^{\ast }(i)}}\hfill \\ & =g^{\sigma {\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^j{M}_{i,j}^{\ast }}·({\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^a)}^{M_{i,j}^{\ast }·{t^{\prime }}_j})·{(g^{\sigma })}^{-f_{{\rho }_e^{\ast }(i)}}·g^{-\sigma {\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^j{M}_{i,j}^{\ast }}\hfill \\ & =({(g^a)}^{\sigma {\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^{j-1}{M}_{i,j}^{\ast }})·({\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^a)}^{M_{i,j}^{\ast }·{t^{\prime }}_j})·{(g^{f_{{\rho }_e^{\ast }(i)}})}^{-\sigma }·g^{-\sigma {\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^j{M}_{i,j}^{\ast }}\hfill \\ & =g^{a{\lambda }_i}·{(g^{f_{{\rho }_e^{\ast }(i)}}{g}^{{\displaystyle \sum _{j=1}^{n^{\ast }}}{a}^j{M}_{i,j}^{\ast }})}^{-\sigma }=g^{a{\lambda }_i}{h}_{{\rho }_e^{\ast }(i)}^{-\sigma }.\hfill \end{array}$$

$S_1^{\ast }=g^{\tilde{r}}{g}_q^{-1}=g^{\tilde{r}}{g}^{-a^q}=g^{r_s}=L_s$.

$$\begin{array}{cc}\hfill S_2^{\ast }& =(g^{{\alpha }^{\prime }}{g}^{a\tilde{r}})·{(h_{{\rho }_s^{\ast }(i)}^{r^{\ast }}{g}_q^{-f_{{\rho }_s^{\ast }(i)}})}^{{\phi }_i^{\ast }}·{(g^s)}^{{\eta }_0+{\displaystyle \sum _{i=1}^{l^{\ast }}}{j}_i^{\ast }{\eta }_i+\varsigma \xi {\beta }^{\ast }}\hfill \\ & =g^{{\alpha }^{\prime }}{g}^{a^{q+1}}{g}^{a\tilde{r}}{g}^{-a^{q+1}}{\left(h_{{\rho }_s^{\ast }(i)}^{\tilde{r}}{h}_{{\rho }_s^{\ast }(i)}^{-a^q}\right)}^{{\phi }_i^{\ast }}·{(g^{{\eta }_0+{\displaystyle \sum _{i=1}^{l^{\ast }}}{j}_i^{\ast }{\eta }_i})}^{\sigma }·{\left({(g^{\sigma })}^{\varsigma }\right)}^{{\beta }^{\ast }\xi }\hfill \\ & =g^{\alpha }{g}^{a{r}_s}·h_{{\rho }_s^{\ast }(i)}^{{\phi }_i^{\ast }}·{\left(y_0{\displaystyle \prod _{i=1}^{l^{\ast }}}{y}_i^{j_i^{\ast }}\right)}^{\sigma }·{({C^{″}}^{\ast })}^{{\beta }^{\ast }\xi }\hfill \\ & =K_s·{\left(K_{s,x}\right)}^{{\phi }_i^{\ast }}·{\left(y_0{\displaystyle \prod _{i=1}^{l^{\ast }}}{y}_i^{j_i^{\ast }}\right)}^{\sigma }·{({C^{″}}^{\ast })}^{{\beta }^{\ast }\xi }.\hfill \end{array}$$

Phase 2: $\mathcal{A}$ performs a series of queries as Phase 1 except the dExtract queries on any decryption attribute set $A_d\in W_e^{\ast }$ and the Unsigncrypt queries on the challenge ciphertext $C{T}^{\ast }$ for any $A_d\in W_e^{\ast }$.

Guess: $\mathcal{A}$ outputs a guess bit ${\theta }^{\prime }\in \{0,1\}$. If ${\theta }^{\prime }=\theta$, $\mathcal{B}$ outputs 1 ($T=e{(g,g)}^{a^{q+1}\sigma }$); Otherwise $\mathcal{B}$ outputs 0 ($T=R$).

$\mathcal{B}$ can’t successfully simulate with aborting the game when the ciphertext satisfies $C^{\prime }=C^{\prime \ast }$ in the Unsigncrypt queries, the probability of this aborting event is at most $\frac{q_{us}}{p}$. If $\mathcal{B}$ doesn’t abort and $T=e{(g,g)}^{a^{q+1}\sigma }$, the probability of the successful simulation for $\mathcal{B}$ is at least $\frac{1}{2}+\epsilon -\frac{q_{us}}{p}$. If $T=R$, the probability of $\mathcal{A}$ does not get any information about $m_{\theta }^{\ast }$ is $\frac{1}{2}$. Therefore, the advantage of $\mathcal{B}$ can solve the q-DBDHE problem is at least ${\epsilon }^{\prime }=Pr|\mathcal{B}(y,T=e{(g,g)}^{a^{q+1}\sigma })=0|-Pr|\mathcal{B}\left(y,T=R\right)=0|=\epsilon -\frac{q_{us}}{p}$.

6.2. Unforgeability

Theorem 2.

Assuming there is the adversary $\mathcal{A}$ who is capable of breaking the EUF-CMA security of CP-ABSC scheme with the non-negligible probability $\epsilon$, then we can construct an algorithm $\mathcal{B}$ that can solve q-CDHE problem with the probability ${\epsilon }^{\prime }=\epsilon k(l+1)$, where k is the security parameter and l is the outputs length of hash function $H_1$.

Proof. 

$\mathcal{B}$ receives an instance $y_a=(g,g^a,g^{a^2},\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}})$ of the q-CDHE problem, where $a\in {\mathbb{Z}}_p$, g is a generator of $\mathbb{G}$ and $g_i=g^{a^i}$. The goal of the algorithm $\mathcal{B}$ is to calculate $g^{a^{q+1}}$. $\mathcal{B}$ chooses three collision-resistant hash functions $H_1:{\{0,1\}}^{\ast }\to {\{0,1\}}^l$, $H_2:\mathbb{G}\to {\mathbb{Z}}_p^{\ast }$, $H_3:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$ and a one-way hash function $H_4:\{0,1\}\to {\mathbb{Z}}_p^{\ast }$. $\mathcal{B}$ simulates the challenger in EUF-CMA security game and interacts with $\mathcal{A}$ as below. □

Initialization: $\mathcal{A}$ submits the challenge signing access policy $W_s^{\ast }=(M_s^{\ast },{\rho }_s^{\ast })$ to $\mathcal{B}$, where $M_s^{\ast }$ is a matrix of $l^{\ast }\times n^{\ast }$ with the labeling function ${\rho }_s^{\ast }$. Let ${\overrightarrow{M}}_i^{\ast }=(M_{i,1}^{\ast },M_{i,2}^{\ast },\cdots ,M_{i,n^{\ast }}^{\ast })$ be the i’th row of $M_s^{\ast }$.

Setup: $\mathcal{B}$ randomly picks ${\alpha }^{\prime }\in {\mathbb{Z}}_{\mathbb{p}}^{\ast }$, $d,d^{\prime }\in {\mathbb{Z}}_p^{\ast }$ and defines $\alpha ={\alpha }^{\prime }+a^{q+1}$, $Y=e{(g,g)}^{\alpha }=e(g^a,g^{a^q})·e{(g,g)}^{{\alpha }^{\prime }}$, ${\delta }_1=g^d$, ${\delta }_2=g^{d^{\prime }}$. $\mathcal{B}$ randomly chooses $(z_0,z_1,\cdots ,z_l)\in {\mathbb{Z}}_p^{l+1}$, $\eta =k$ and $\eta (l+1)<p$, where k is a security parameter. $\mathcal{B}$ also randomly selects $0\le \pi \le l$ and $(b_0,b_1,\cdots ,b_l)\in {\mathbb{Z}}_{\eta }^{l+1}$ sets $y_0=g_q^{p-\eta \pi +b_0}$, $y_i=g_q^{b_i}{g}^{z_i}$ for all $i\in [1,l]$. For each vector $\overrightarrow{j}=(j_1,j_2,\cdots ,j_l)\in {\{0,1\}}^l$, $\mathcal{B}$ defines two functions $F_1(\overrightarrow{j})=p-\eta \pi +b_0+{\displaystyle \sum _{i=1}^l}{j}_i{b}_i$ and $F_2(\overrightarrow{j})=z_0+{\displaystyle \sum _{i=1}^l}{j}_i{z}_i$, which means that $y_0{\displaystyle \prod _{i=1}^l}{y_i}^{j_i}=g_q^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})}$. $\mathcal{B}$ defines the function $F:{\{0,1\}}^l\to \{0,1\}$ by $F(\overrightarrow{j})=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}{b}_0+{\displaystyle \sum _{i=1}^l}{j}_i{b}_i=0mod\eta ,\hfill \\ 1,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$. It can be seen that, if $F(\overrightarrow{j})=1$, then $F_1(\overrightarrow{j})\ne 0modp$.

Finally, for each attribute $x\in S$, let X denote the set of indices i, such that ${\rho }_s^{\ast }(i)=x$. If $X\ne \varnothing$, $\mathcal{B}$ selects a random $f_x\in Z_p^{\ast }$ and defines $h_x=g^{f_x}·g^{a{M}_{i,1}^{\ast }}·g^{a^2{M}_{i,2}^{\ast }}\cdots g^{a^{n^{\ast }}{M}_{i,n}^{\ast }}$. If $X=\varnothing$, then $h_x=g^{f_x}$.

$\mathcal{B}$ returns the public parameters $PK=\{S,\mathcal{M},H_1,H_2,H_3,H_4,Y,{\delta }_1,{\delta }_2,y_0,{\{y_i\}}_{i\in [1,l]},Y,{\{h_x\}}_{x\in S}\}$ to $\mathcal{A}$.

Query phase: $\mathcal{A}$ adaptively performs a number of polynomial bounded queries as follows.

• sExtract queries: When $\mathcal{A}$ issues a query on the signing attribute set $A_s$, if $A_s\notin W_s^{\ast }$, $\mathcal{B}$ randomly selects $\widehat{r}\in {\mathbb{Z}}_p^{\ast }$ and calculates the vector $\overrightarrow{\gamma }=({\gamma }_1,{\gamma }_2,\cdots ,{\gamma }_{n^{\ast }})\in {\mathbb{Z}}_p^{n^{\ast }}$ where ${\gamma }_1=-1$ such that $\overrightarrow{\gamma }·M_i^{\ast }=0$ for all i where ${\rho }_s^{\ast }(i)\in A_s$. $\mathcal{B}$ implicitly defines $r_s=\widehat{r}+{\gamma }_1{a}^q+{\gamma }_2{a}^{q-1}+\cdots +{\gamma }_{n^{\ast }}{a}^{q-n^{\ast }+1}$ and computes $L_s=g^{\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}$, $K_s=g^{{\alpha }^{\prime }}{g}^{a\widehat{r}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}$ and $K_{s,x}=L_s^{f_x}{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j·\widehat{r}}{\displaystyle \prod _{\underset{o\ne j}{o=1,\cdots ,n^{\ast }}}}{(g^{a^{q+1+j-o}})}^{{\gamma }_o})}^{M_{i,j}^{\ast }}$ for any $x\in A_s$. If ${\rho }_s^{\ast }(i)\ne x$ for all i, $\mathcal{B}$ simply sets $K_{s,x}=L_s^{f_x}$. Then $\mathcal{B}$ returns the signing key $S{K}_{A_s}=\{L_s,K_s,{\{K_{s,x}\}}_{x\in A_s}\}$ to $\mathcal{A}$.
  Correctness:

  $$L_s=g^{\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}=g^{r_s},$$

  $$\begin{array}{cc}\hfill K_s& =g^{{\alpha }^{\prime }}{g}^{a\widehat{r}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}=g^{{\alpha }^{\prime }}{g}^{a^{q+1}}·g^{a\widehat{r}}·g^{-a^{q+1}}{\displaystyle \prod _{i=2}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}=g^{\alpha }{g}^{a\widehat{r}}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+2-i}})}^{{\gamma }_i}\hfill \\ & =g^{\alpha }{(g^a)}^{\widehat{r}+{\displaystyle \sum _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i}}=g^{\alpha }{g}^{a{r}_s},\hfill \end{array}$$

  $$\begin{array}{cc}\hfill K_{s,x}& ={L_s}^{f_x}·{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j·\widehat{r}}{\displaystyle \prod _{\underset{k\ne j}{o=1,\dots ,n^{\ast }}}}{(g^{a^{q+1+j-o}})}^{{\gamma }_o})}^{M_{i,j}^{\ast }}=g^{\widehat{r}{f}_x}{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i{f}_x}·{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j})}^{\widehat{r}·M_{i,j}^{\ast }}\hfill \\ & ={(g^{f_x}{\displaystyle \prod _{j=1}^{n^{\ast }}}{(g^{a^j})}^{M_{i,j}^{\ast }})}^{\widehat{r}}·{\displaystyle \prod _{i=1}^{n^{\ast }}}{(g^{a^{q+1-i}})}^{{\gamma }_i{f}_x}=h_x^{\widehat{r}}·{\displaystyle \prod _{i=1}^{n^{\ast }}}{({h_x}^{a^{q+1-i}})}^{{\gamma }_i}=h_x^{r_s}.\hfill \end{array}$$
• dExtract queries: When $\mathcal{A}$ issues a query on the decryption attribute set $A_d$, $\mathcal{B}$ randomly picks $\widehat{r}\in {\mathbb{Z}}_p^{\ast }$, sets $r_d=\widehat{r}-a^q$ and computes $L_d=g^{\widehat{r}}{g}_q^{-1}$, $K_d=g^{{\alpha }^{\prime }}{g}_1^{\widehat{r}}$ and $K_{d,x}=h_x^{\widehat{r}}{g}_q^{-f_x}$ for any $x\in A_d$. Then $\mathcal{B}$ returns the decryption private key $S{K}_{A_d}=\{L_d,K_d,{\{K_{d,x}\}}_{x\in A_d}\}$ to $\mathcal{A}$.
  Correctness:

  $$L_d=g^{\widehat{r}}{g}_q^{-1}=g^{\widehat{r}}{g}^{-a^q}=g^{r_d},$$

  $$K_d=g^{{\alpha }^{\prime }}{g}_1^{\widehat{r}}=g^{{\alpha }^{\prime }}{g}_{q+1}{g}_1^{\widehat{r}}{g}_{q+1}^{-1}=g^{{\alpha }^{\prime }+a^{q+1}}{g}^{a\widehat{r}-a^{q+1}}=g^{\alpha }{g}^{a{r}_d},$$

  $$K_{d,x}=h_x^{\widehat{r}}{g}_q^{-f_x}=h_x^{\widehat{r}}{(h_x)}^{-a^q}=h_x^{r_d}.$$
• Signcrypt queries: When $\mathcal{A}$ issues a query on $(m,W_e,W_s,A_d,A_s)$ and the cuckoo filter,

  -

  If $A_s\notin W_s^{\ast }$, $\mathcal{B}$ gets the private key $S{K}_{A_s}$ by running the sExtract queries. Then $\mathcal{B}$ generates ciphertext CT by executing the Signcrypt algorithm and returns to $\mathcal{A}$.

  -

  If $A_s\in W_s^{\ast }$, $\mathcal{B}$ performs the following steps: $\mathcal{B}$ randomly chooses ${\phi }_i\in {\mathbb{Z}}_p^l$ and generates a vector $\overrightarrow{\phi }=\left(-{\phi }_1,-{\phi }_2,\cdots ,-{\phi }_l\right)$ such that $\overrightarrow{\phi }·M_s=-{\overrightarrow{1}}_n$, that is ${\displaystyle \sum _{i=1}^l}{\phi }_i·M_{s,i}=-{\overrightarrow{1}}_n$, and ${\phi }_i=0$ for all $i\in [1,l]$, where ${\rho }_s(i)\notin A_s$. $\mathcal{B}$ sets $C=m{Y}^{\sigma }$, $S_1=g^{r_s}$ and computes $\overrightarrow{j}=(j_1,j_2,\cdots ,j_l)=H_1(S_1,W_e,W_s)$. If $F(\overrightarrow{j})=0$, $\mathcal{B}$ aborts; Otherwise, $\mathcal{B}$ chooses a random number ${\sigma }^{\prime }\in {\mathbb{Z}}_p^{\ast }$, sets $\sigma ={\sigma }^{\prime }-\frac{a}{F_1(\overrightarrow{j})}$ and computes $C^{\prime }=g^{{\sigma }^{\prime }}{g_1}^{-1/F_1(\overrightarrow{j})}$, $C^{″}=g^{(d\mu +d^{\prime }){\sigma }^{\prime }}{g_1}^{-(\mu d+d^{\prime })/F_1(\overrightarrow{j})}$, where $\mu =H_2(C^{\prime })$. $\mathcal{B}$ randomly chooses $v_2,\cdots ,v_n\in {\mathbb{Z}}_p^{\ast }$ and defines $\overrightarrow{v}=({\sigma }^{\prime }-\frac{a}{F_1(\overrightarrow{j})},v_2,\cdots ,v_n)$ and ${\lambda }_i=\overrightarrow{v}·M_i=({\sigma }^{\prime }-\frac{a}{F_1(\overrightarrow{j})})M_{i,1}+{\displaystyle \sum _{i=2}^l}{v}_i{M}_{i,n}$ for all $i\in [1,n]$. $\mathcal{B}$ sets $C_i={g_1}^{({\sigma }^{\prime }{M}_{i,1}+{\displaystyle \sum _{i=2}^l}{v}_i{M}_{i,n})}·{g_2}^{-M_{i,1}/F_1(\overrightarrow{j})}·{h_{\rho (i)}}^{-{\sigma }^{\prime }}·{g_1}^{f_{{\rho }_e(i)}/F_1(\overrightarrow{j})}$ for $i\in [1,l]$, $S_2=g^{{\alpha }^{\prime }}{g}^{a{r}_s}({\displaystyle \prod _{i=1}^l}{(h_{{\rho }_s(i)}^{r_s})}^{{\phi }_i})·{({g_q}^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})})}^{{\sigma }^{\prime }}·({g_1}^{-F_2(\overrightarrow{j})/F_1(\overrightarrow{j})})·{(C^{″})}^{\beta \xi }$, where $\beta =H_3(W_e,W_s,C,C^{\prime },C^{″},{\{C_i\}}_{i\in [1,l]})$. Finally, $\mathcal{B}$ returns the ciphertext $CT=\{C,C^{\prime },C^{″},{\{C_i\}}_{i\in [1,l]},S_1,S_2,CF\}$ to $\mathcal{A}$.

  Correctness:

  $$C^{\prime }=g^{{\sigma }^{\prime }}{g_1}^{-1/F_1(\overrightarrow{j})}=g^{{\sigma }^{\prime }-a/F_1(\overrightarrow{j})}=g^{\sigma },$$

  $$\begin{array}{cc}\hfill C_i& ={g_1}^{({\sigma }^{\prime }{M}_{i,1}+{\displaystyle \sum _{i=2}^l}{v}_i{M}_{i,n})}·{g_2}^{-M_{i,1}/F_1(\overrightarrow{j})}·{h_{{\rho }_e(i)}}^{-{\sigma }^{\prime }}·{g_1}^{f_{{\rho }_e(i)}/F_1(\overrightarrow{j})}\hfill \\ & =g^{a^{({\sigma }^{\prime }{M}_{i,1}+{\displaystyle \sum _{i=2}^l}{v}_i{M}_{i,n})}}·{(g^a)}^{-a{M}_{i,1}/F_1(\overrightarrow{j})}·{h_{{\rho }_e\left(i\right)}}^{-\left({\sigma }^{\prime }-a/F_1(\overrightarrow{j})\right)}=g^{a{\lambda }_i}{h}_{{\rho }_e\left(i\right)}^{-\sigma },\hfill \end{array}$$

  $$\begin{array}{cc}\hfill S_2& =g^{{\alpha }^{\prime }}{g}^{a{r}_s}({\displaystyle \prod _{i=1}^l}{(h_{{\rho }_s(i)}^{r_s})}^{{\phi }_i})·{({g_q}^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})})}^{{\sigma }^{\prime }}·({g_1}^{-F_2(\overrightarrow{j})/F_1(\overrightarrow{j})})·{(C^{″})}^{\beta \xi }\hfill \\ & =g^{{\alpha }^{\prime }}{g}^{a^{q+1}}{g}^{a{r}_s}·{({g_q}^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})})}^{{\sigma }^{\prime }}·g^{-a^{q+1}}·({g_1}^{-F_2(\overrightarrow{j})/F_1(\overrightarrow{j})})·{(C^{″})}^{\beta \xi }\hfill \\ & =(g^{\alpha }{g}^{a{r}_s})·({\displaystyle \prod _{i=1}^l}{(h_{{\rho }_s(i)}^{r_s})}^{{\phi }_i})·{({g_q}^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})})}^{{\sigma }^{\prime }}·{({g_q}^{F_1(\overrightarrow{j})}{g}^{F_2(\overrightarrow{j})})}^{-a/F_1(\overrightarrow{j})}·{(C^{″})}^{\beta \xi }\hfill \\ & =K_s·{(K_{s,x})}^{{\phi }_i}·(y_0{\displaystyle \prod _{i=1}^l}{y_i}^{j_i}{)}^{\sigma }·{(C^{″})}^{\beta \xi }.\hfill \end{array}$$
• Unsigncrypt queries: When $\mathcal{A}$ issues a query on the ciphertext CT, $\mathcal{B}$ computes the decryption private key $S{K}_{A_d}$ by executing the dExtract queries. Then $\mathcal{B}$ generates the message m by executing the Unsigncrypt algorithm and returns to $\mathcal{A}$.

Forgery: $\mathcal{A}$ outputs the valid forgery ciphertext $C{T}^{\ast }=\{C^{\ast },C^{\prime \ast },C^{″\ast },{\{C_i^{\ast }\}}_{i\in [1,l]},S_1^{\ast },S_2^{\ast },CF\}$ on $(m^{\ast },W_e^{\ast },W_s^{\ast })$. $C{T}^{\ast }$ satisfies the following two conditions:

• Since $A_d^{\ast }\in W_e^{\ast }$, the result of the Unsigncrypt algorithm is $m^{\ast }\ne \perp$;
• $\mathcal{A}$ never issues the Signcrypt queries on $(m^{\ast },W_e^{\ast },W_s^{\ast })$.

Now, $\mathcal{B}$ could provide the methods to solve the q-CDHE problem as follows.

Firstly, $\mathcal{B}$ computes ${\overrightarrow{j}}^{\ast }=(j_1^{\ast },j_2^{\ast },\cdots ,j_l^{\ast })=H_1(S_1^{\ast },W_e^{\ast },W_s^{\ast })$. If $b_0+{\displaystyle \sum _{i=1}^l}{j}_i{b}_i\ne \eta \pi$, then $\mathcal{B}$ aborts. Otherwise, $F_1({\overrightarrow{j}}^{\ast })=0modp$, $\mathcal{B}$ computes $C^{\ast }=m^{\ast }{Y}^{\sigma }$, $C^{\prime \ast }=g^{\sigma }$, $C^{\prime \prime \ast }=g^{(d\mu +d^{\prime })\sigma }$, ${\{C_i^{\ast }=g^{a{\lambda }_i}{h}_{{\rho }_e^{\ast }(i)}^{\sigma }\}}_{i\in [1,l^{\ast }]}$, $S_1^{\ast }=g^{r_s}$, $S_2^{\ast }=g^{\alpha }{g}^{a{r}_s}({\displaystyle \prod _{i=1}^{l^{\ast }}}{(h_{{\rho }_s^{\ast }(i)}^{r_s})}^{{\phi }_i^{\ast }}){(y_0{\displaystyle \prod _{i\in [1.l]}}{y_i}^{j_i^{\ast }})}^{\sigma }·{(g^{(d\mu +d^{\prime })})}^{\sigma \xi {\beta }^{\ast }}$, where ${\mu }^{\ast }=H_2(C^{\prime \ast })$, ${\beta }^{\ast }=H_3(W_e^{\ast },W_s^{\ast },C^{\ast },C^{\prime \ast },C^{″\ast },{\{C_i^{\ast }=g^{a{\lambda }_i}{h}_{{\rho }_e^{\ast }(i)}^{\sigma }\}}_{i\in [1,l^{\ast }]})$ and the vector ${\overrightarrow{\phi }}^{\ast }=(-{\phi }_1,-{\phi }_2,\cdots ,-{\phi }_{l^{\ast }})$ satisfies ${\displaystyle \sum _{i=1}^{l^{\ast }}}{\phi }^{\ast }·M_{s,i}^{\ast }=-{\overrightarrow{1}}_{n^{\ast }}$.

Then $\mathcal{B}$ can calculate $\frac{S_2^{\ast }}{g^{\alpha }({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{f_{{\rho }_s^{\ast }(i)}}){({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}=g^{a^{q+1}}$.

Correctness:${\displaystyle \sum _{i=1}^{l^{\ast }}}{\phi }_i^{\ast }·M_{s,i}^{\ast }=-{\overrightarrow{1}}_{n^{\ast }}$ implies ${\displaystyle \sum _{i=1}^{l^{\ast }}}{\phi }_i^{\ast }·M_{i,j}^{\ast }=\left\{\begin{array}{c}-1,j=1;\hfill \\ 0,if2\le j\le n^{\ast }\hfill \end{array}\right.$, so ${\displaystyle \sum _{i=1}^{l^{\ast }}}{\displaystyle \sum _{j=1}^{l_{\ast }}}{a}^j{M}_{i,j}^{\ast }{\phi }_i^{\ast }{r}_s=-a{r}_s$.

$$\begin{array}{c}\frac{S_2^{\ast }}{g^{\alpha }({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{f_{{\rho }_s^{\ast }(i)}}){({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}\hfill \\ =\frac{g^{\alpha }{g}^{a{r}_s}·({\displaystyle \prod _{i=1}^{l^{\ast }}}{h}_{{\rho }_s^{\ast }(i)}^{r_s{\phi }_i^{\ast }}){(y_0{\displaystyle \prod _{i\in [1,l^{\ast }]}}{y_i}^{j_i^{\ast }})}^{\sigma }·{(g^{(d{\mu }^{\ast }+d^{\prime })})}^{\sigma \xi {\beta }^{\ast }}}{g^{\alpha }·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·{({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}\hfill \\ =\frac{g^{{\alpha }^{\prime }+a^{q+1}}{g}^{a{r}_s}·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(g^{f_{{\rho }_s^{\ast }(i)}}{\displaystyle \prod _{j=1}^n}{g}^{a^j{M}_{i,j}^{\ast }})}^{{\phi }_i^{\ast }{r}_s})·{({g_q}^{F_1({\overrightarrow{j}}^{\ast })}{g}^{F_2({\overrightarrow{j}}^{\ast })})}^{\sigma }·{(g^{\sigma })}^{(d+u^{\ast }{d}^{\prime })\xi {\beta }^{\ast }}}{g^{\alpha }·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·{({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}\hfill \\ =\frac{g^{{\alpha }^{\prime }}{g}^{a^{q+1}}{g}^{a{r}_s}·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(g^{r_s})}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·({\displaystyle \prod _{i=1}^{l^{\ast }}}{\displaystyle \prod _{j=1}^n}{g}^{a^j{M}_{i,j}^{\ast }{\phi }_i^{\ast }{r}_s})·{(g^{\sigma })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}{g^{\alpha }·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·{({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}\hfill \\ =\frac{g^{{\alpha }^{\prime }}{g}^{a^{q+1}}{g}^{a{r}_s}·({\displaystyle \prod _{i=1}^{l^{\ast }}}{(g^{r_s})}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·g^{-a{r}_s}·{({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}{g^{\alpha }({\displaystyle \prod _{i=1}^{l^{\ast }}}{(S_1^{\ast })}^{{\phi }_i^{\ast }{f}_{{\rho }_s^{\ast }(i)}})·{({C^{\prime }}^{\ast })}^{F_2({\overrightarrow{j}}^{\ast })+(d\mu +d^{\prime })\xi {\beta }^{\ast }}}=g^{a^{q+1}}.\hfill \end{array}$$

In the Forgery phase, $\mathcal{B}$ can successfully simulate without aborting if $b_0+{\sum }_{j\in [1,l^{\ast }]}{m}_j^{\ast }{b}_j=\eta \pi$. The probability of this simulation is not abort is $\frac{1}{\eta }\frac{1}{l+1}=\frac{1}{k(l+1)}$. Therefore, the success probability of $\mathcal{B}$ for solving the q-CDHE problem is at least ${\epsilon }^{\prime }=\epsilon /k(l+1)$.

7. Performance Analysis

The functionality, computation and communication costs of the proposed CP-ABSC scheme are evaluated in this section. We also compare them with other related schemes [20,21,22,23].

7.1. Functionality Comparison

The functionality comparisons between the proposed CP-ABSC scheme and other related schemes [20,21,22,23] are presented. Let MC be the message confidentiality, CU be the ciphertext unforgeability, CPA be the chosen plaintext attacks, CCA be the chosen ciphertext attack, CMA be the chosen message attack, ROM be the random model and SM be the standard model.

Table 1. Comparison of computation cost.

Scheme	KP/CP	Access Structure	Public Verifiability	MC	CU	Security Model	Privacy-Preserving
[20]	CP	Monotone tree	No	CPA	CMA	ROM	No
[21]	CP	Monotone tree	Yes	CCA	CMA	SM	No
[22]	KP	Threshold policy	No	CCA	CMA	SM	No
[23]	CP	LSSS	Yes	CCA	CMA	SM	No
our	CP	LSSS	Yes	CCA	CMA	SM	Yes

summarizes the functionality comparison results.

It is clear from Table 1 that only the scheme [22] adopts the threshold policy as access policy which only supports simple predicates. Although the schemes [20,21] support monotone tree policy which can transform into LSSS access policy, the construction of this type of access structure is quite complicated. The scheme [23] and our proposed scheme support LSSS access structure that has the simpler construction process. In addition, our scheme and the schemes [21,23] can satisfy public verifiability. All schemes realize CCA security and CMA security in the standard model except [20]. In particular, none of these schemes [20,21,22,23] could provide the property of privacy-preserving, only our scheme protects the personal privacy of EHR owners.

7.2. Computation Cost

We analyze the computation cost of the proposed CP-ABSC scheme and compare it with that of other related schemes [20,21,22,23]. For computation complexity estimation, we define the following time cost for performing the cryptographic operations required in all schemes. Let $T_p$ be the time for performance a pairing, $T_m$ be the time for performance a scale multiplication in $\mathbb{G}$, $T_{mt}$ be the time for performance a scale multiplication in ${\mathbb{G}}_T$. Other lightweight operations (the arithmetic operation in ${\mathbb{Z}}_p$, one-way hash function)are not taken into account.

To offer the security level to 80-bit, we adopt the symmetric bilinear pairing $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where $\mathbb{G}$ be the multiplicative cyclic group by p, p is 512-bit prime number. The simulation experiment is based on the C++ Pairing-Based Cryptography (PBC) library MIRACL and runs on Intel Core i5-4590, 3.3 GHz CPU, 8 gigabytes memory with Windows 7 environment.

In this paper, we execute the experiment on a common PC, if the experiment were to run in a practical cloud environment, such as EC2 cloud computing service [49], it would actually run faster. The average execution times of $T_p$, $T_m$ and $T_{mt}$ are listed in

Table 2. Time cost of cryptographic operation.

Cryptographic Operation	Execution Time
Bilinear pairing $T_p$	9.0791
Scalar multiplication in $\mathbb{G}$ $T_m$	3.7770
Scalar multiplication in ${\mathbb{G}}_T$ $T_{mt}$	0.9243

.

Let l be the number of attributes in attribute space. We summarize the computation costs of the proposed scheme, Wang et al.’s scheme [20], Emura et al.’s scheme [21], Hu et al.’s scheme [22] and Rao et al.’s scheme [23] in

Table 3. Comparison of computation cost.

Scheme	Signcrypt	Unsigncrypt
[20]	$7.554l+23.5863$ ms	$38.165l+37.2407$ ms
[21]	$15.108l+22.2587$ ms	$54.4746l+27.2373$ ms
[22]	$22.662l+23.5683$ ms	$47.2441l$ ms
[23]	$15.108l+8.4783$ ms	$20.4101l+52.9495$ ms
The proposed scheme	$18.885l+27.3633$ ms	$19.0825l+51.4244$ ms

.

In terms of the Signcrypt phase, for the computation costs of l attributes, Wang et al.’s scheme [20] requires to execute $(4l+3)$ scalar multiplication operations in $\mathbb{G}$, two scalar multiplication operations in ${\mathbb{G}}_T$ and one bilinear pairing operation. Therefore, the total signcryption time is $7.554l+23.5863$ ms. Emura et al.’s scheme [21] needs to execute $(6l+2)$ scalar multiplication operations in $\mathbb{G}$ and one scalar multiplication operation in ${\mathbb{G}}_T$. Therefore, the total signcryption time is $15.108l+22.2587$ ms. Hu et al.’s scheme [22] needs to execute $(4l+2)$ scalar multiplication operations in $\mathbb{G}$ and one scalar multiplication operation in ${\mathbb{G}}_T$. Therefore, the total signcryption time is $22.662l+23.5683$ ms. Rao et al.’s scheme [23] needs to execute $(5l+7)$ scalar multiplication operations in $\mathbb{G}$ and one scalar multiplication operation in ${\mathbb{G}}_T$. Therefore, the total signcryption time is $15.108l+8.4783$ ms. The proposed scheme needs to execute $(2l+6)$ scalar multiplication operations in $\mathbb{G}$ and one scalar multiplication operation in ${\mathbb{G}}_T$. Therefore, the total signcryption time is $18.885l+27.3633$ ms.

In terms of the Unsigncrypt phase, for the computation costs of l attributes, Wang et al.’s scheme [20] needs to execute $(2l+1)$ scalar multiplication operations in ${\mathbb{G}}_T$ and $(4l+4)$ bilinear pairing operations. Therefore, the total unsigncryption time is $38.165l+37.2407$ ms. Emura et al.’s scheme [21] needs to execute $(6l+3)$ bilinear pairing operations. Therefore, the total unsigncryption time is $54.4746l+27.2373$ ms. Hu et al.’s scheme [22] needs to execute $2l$ scalar multiplication operations in ${\mathbb{G}}_T$ and $5l$ bilinear pairing operations. Therefore, the total unsigncryption time is $47.2441l$ ms. Rao et al.’s scheme [23] needs to execute $(3l+2)$ scalar multiplication operations in $\mathbb{G}$ and $(l+5)$ bilinear pairing operations. Therefore, the total unsigncryption time is $20.4101l+52.9495$ ms. The proposed scheme needs to execute four scalar multiplication operations in $\mathbb{G}$, l scalar multiplication operations in ${\mathbb{G}}_T$ and $(2l+4)$ bilinear pairing operations. Therefore, the total unsigncryption time is $19.0825l+51.4244$ ms.

Figure 4 and Figure 5 clearly illustrate the computation cost of the signcrypt and unsigncrypt phases with increasing number of attributes l, respectively.

From Figure 4 and Figure 5, the computation costs in both the signcrypt and unsigncrypt phases rise linearly with the number of attributes in all the schemes. It can be easily see that the proposed scheme’s slope is the lowest.

In Figure 4, for $l=10$, the computation cost of signcrypt is equal to 173.3387, 250.1883, 159.5583, 216.2133 and 99.1263 ms when the schemes [20,21,22,23] and the proposed scheme are adopted, respectively. For $l=30$, the computation cost of signcrypt is equal to 475.4987, 703.4283, 461.7183, 593.9133 and 250.2063 ms when the schemes [20,21,22,23] and the proposed scheme are adopted, respectively.

In Figure 5, for $l=10$, the computation costs of unsigncrypt is equal to 418.8907, 571.9833, 472.441, 257.0505 and 242.2494 ms when the schemes [20,21,22,23] and the proposed scheme are adopted, respectively. For $l=30$, the computation cost of unsigncrypt is equal to 1182.1907, 1661.4753, 1417.323, 665.2525 and 623.8994 ms when the schemes [20,21,22,23] and the proposed scheme are adopted, respectively.

According to Figure 4 and Figure 5, we intuitively obtain that the proposed scheme achieves the lowest computation cost with the increase of the number of attributes, especially after adding the cuckoo filter, without increasing extra computation costs in. Therefore, our proposed CP-ABSC scheme is efficient in both the signcrypt and unsigncrypt phase, which has much more advantages than the previous schemes [20,21,22,23].

7.3. Communication Cost

We discuss the communication cost of the proposed CP-ABSC scheme with other related schemes [20,21,22,23]. Let l be the number of attributes in attribute space, $|\mathbb{G}|$ be the element’s length in group $\mathbb{G}$ and $|{\mathbb{G}}_T|$ be the element’s length in group ${\mathbb{G}}_T$. Since the size of p is 512 bits (64 bytes), therefore the element’s size in group $\mathbb{G}$ and ${\mathbb{G}}_T$ is 512 bits (64 bytes) and 3072 bits (384 bytes), respectively. We also take into account the communication costs of using cuckoo filter. Assume that we use the one-way hash function in cuckoo filter, and its outputs length is 160 bits (20 bytes). When the number of EHR owner’s attributes is l, the comparison results on communication cost of these schemes are listed in

Table 4. Comparison of communication costs.

Scheme	l Attributes
[20]	$256l+576$ bytes
[21]	$192l+512$ bytes
[22]	$128l+576$ bytes
[23]	$128l+640$ bytes
The proposed scheme	$84l+640$ bytes

.

For the communication costs of l attributes, Wang et al.’s scheme [20] includes $(4l+3)$ the element’s length in $\mathbb{G}$ and one the element’s length in ${\mathbb{G}}_T$. Therefore, the total communication cost is $256l+576$ bytes. Emura et al.’s scheme [21] includes $(3l+2)$ the element’s length in $\mathbb{G}$ and one the element’s length in ${\mathbb{G}}_T$. Therefore, the total communication cost is $192l+512$ bytes. Hu et al.’s scheme [22] includes $(2l+3)$ the element’s length in $\mathbb{G}$ and one the element’s length in ${\mathbb{G}}_T$. Therefore, the total communication cost is $128l+576$ bytes. Rao et al.’s scheme [23] includes $(2l+4)$ the element’s length in $\mathbb{G}$ and one the element’s length in ${\mathbb{G}}_T$. Therefore, the total communication cost is $128l+640$ bytes. The proposed scheme includes $(l+4)$ the element’s length in $\mathbb{G}$, one the element’s length in ${\mathbb{G}}_T$ and the outputs length of one-way hash function in cuckoo filter. Therefore, the total communication cost is $84l+640$ bytes.

Figure 6 demonstrates the relationship between the communication cost and the number of attributes.

From Figure 6, the growth of the ciphertext size is linear when the number of attributes increases in all schemes. We could intuitively find out that the communication cost of our proposed scheme is much less than that for other schemes. On the other hand, as Figure 6 shows, when the amount of attributes reaches 30, the communication cost of Wang et al.’s scheme [20], Emura et al.’s scheme [21], Hu et al.’s scheme [22] and Rao et al.’s scheme [23] and the proposed scheme is 7956, 6272, 4416, 4480 and 3100 bytes, respectively. Then the proposed scheme is compared with these schemes [20,21,22,23], which can save $61.7\%$, $57.6\%$, $28.5\%$, $29.5\%$ of bandwidth, respectively.

Obviously, although the cuckoo filter is used to hide access policy in this paper, it does not increase communication overhead compared with other schemes. Also, our scheme has the best performance in terms of communication cost in the all five schemes.

In summary, the proposed CP-ABSC scheme achieves low computation and communication cost, which is comparatively more suited to the EHR system.

8. Conclusions

The proposed scheme provides the secure access control of the EHR data as well as prevents the personal privacy information of EHR owners will not be leaked from the LSSS access policy. We show that the proposed scheme is provably security in the standard model under the q-DBDHE assumption and q-CDHE assumption. Detailed performance analysis results indicate that the proposed scheme has lower computation costs and communication overheads than the related schemes. In addition, the proposed scheme protects the EHR owners’ sensitive privacy information and is more suitable for EHR system. In the future, we would like to focus on how to design another scheme, such as security and efficient of PPAC scheme without bilinear pairing in EHR system.