Revocable and Traceable Undeniable Attribute-Based Encryption in Cloud-Enabled E-Health Systems

The emerging cloud storage technology has significantly improved efficiency and productivity in the traditional electronic healthcare field. However, it has also brought about many security concerns. Ciphertext policy attribute-based encryption (CP-ABE) holds immense potential in achieving fine-grained access control, providing robust security for electronic healthcare data in the cloud. However, current CP-ABE schemes still face issues such as inflexible attribute revocation, relatively lower computational capabilities, and key management. To address these issues, this paper introduces a revocable and traceable undeniable ciphertext policy attribute-based encryption scheme (MA-RUABE). MA-RUABE not only enables fast and accurate data traceability, effectively preventing malicious user key leakage, but also includes a direct revocation feature, significantly enhancing computational efficiency. In addition, the introduction of a multi-permission mechanism resolves the issue of centralization of power caused by single-attribute permissions. A security analysis demonstrates that our system ensures resilience against chosen plaintext attacks. Experimental results demonstrate that MA-RUABE incurs lower computational overhead, effectively enhancing system performance and ensuring data-sharing security in cloud-based electronic healthcare systems.


Introduction
With the mainstreaming of cloud computing technology, cloud data sharing has become a highly regarded research topic [1,2]. Presently, the exchange of medical data is a vital endeavor aimed at improving the performance of healthcare service providers and the transformation of the healthcare system [3]. To track patients' health conditions more precisely, electronic health records (EHRs) emerged. However, EHR management systems that are maintained autonomously by healthcare institutions have specific constraints, which has resulted in insufficient interoperability among stakeholders [4]. Furthermore, the management mode of EHR appears to lack transparency and is also prone to internal security issues such as leaks [5]. To ensure the confidentiality, protection, and seamless integration of EHR data, patients can employ searchable encryption or techniques such as homomorphic encryption to secure their data before transferring it to the cloud [6,7]. While this approach ensures the security of EHR data, it may struggle to meet the flexibility requirements necessary for EHR data sharing [8].

Attribute-based encryption (ABE) addresses the issue of unauthorized data access and can fulfill the need for fine-grained access control. ABE can be categorized into two forms: ciphertext policy attribute-based encryption (CP-ABE) and key policy attribute-based encryption (KP-ABE) [9,10]. KP-ABE embeds an access policy in the decryption key of a data user and a set of attributes in the ciphertext. In contrast, the decryption key in CP-ABE corresponds to a set of attributes, while the ciphertext on the cloud server is associated with the access policy. Consider an EHR sharing scenario where a patient's electronic medical record is stored in the healthcare system's cloud in ciphertext with an access policy of {{Chief Physician OR Department Head} AND {Internal Medicine AND Male}}. This means that only physicians who practice internal medicine, are male, and hold the title of chief physician or department head are eligible to view patient information. This fine-grained access control ensures that only specific physicians can access sensitive medical data, thus maintaining patient privacy and data security. Compared with KP-ABE, CP-ABE can better address interoperability issues among stakeholders, and the owner of the EHR can flexibly adjust the access policies embedded in the ciphertext based on specific access scenarios [11]. However, in practical applications, CP-ABE poses risks such as key exposure and potential changes in user permissions [12,13]. Furthermore, a sole attribute authority oversees the assignment and revocation of all attributes. These schemes are vulnerable to single points of failure, exacerbating the impact on the accessibility of attribute administration [14].

To tackle the difficulties encountered by CP-ABE, this article proposes a revocable and tracing undeniable attribute-based encryption scheme with multi-authority (MA-RUABE). Specifically, the primary contributions of the MA-RUABE scheme can be outlined as follows:
(1) Effectively tracking shared keys. A novel EHR sharing model based on cloud storage environments has been established, which can accurately identify malicious users who leak keys and build decryption devices, ensuring data protection against unauthorized access.
(2) Supports direct key revocation. By generating a special identifier binary tree for each participant and employing subset cover techniques, revocable key management has been achieved. Users who have not been revoked do not need to interact with third parties to update their keys, and this process does not affect the decryption process for other users.
(3) Adopted a strategy of power decentralization. The key generation method has been extended from single-attribute authorization to multi-attribute authorization, with collaboration among multiple authorities through secret sharing for generating global parameters, distributing keys, and managing users. This effectively prevents the misuse of private keys and mitigates the risk of single-point failures that can arise from a single authority.
(4) Ensured data non-repudiation. Users cannot deny the fact of key leakage, thus ensuring data security.
Simulation experiments were conducted, and the results indicate that the MA-RUABE scheme is secure under the IND-CPA security model.

Related Work
In 2005, Sahai et al. [15] proposed an encryption scheme based on fuzzy identities, leading to the concept of attribute-based encryption (ABE). In 2006, Goyal et al. [9] first categorized attribute-based encryption (ABE) into ciphertext policy attribute-based encryption (CP-ABE) and key policy attribute-based encryption (KP-ABE). CP-ABE has had a profound impact on cloud storage technology. In practical applications, when multiple users share the same set of attributes, they can use the same key for decryption. However, this can also lead to challenges in tracing illegal sellers. Therefore, identifying the user who leaked the key becomes a crucial issue in CP-ABE. In 2008, Hinek et al. [16] first introduced the concept of traceability, which binds a user's personal information to their private key, preventing the user from leaking the key while also making it impossible to identify the specific malicious user. In 2015, Ning et al. [17] devised a white-box traceability scheme with selective plaintext security, utilizing probabilistic encryption techniques and the Shamir threshold-sharing approach to achieve traceability. Subsequently, Ning et al. [18] proposed a white-box traceable CP-ABE scheme that is fully secure under small attribute sets. This scheme employs commitment mechanisms to trace users, avoiding the need for additional identity tables. However, it may have relatively lower flexibility. In 2022, Liu et al. [19] introduced a CP-ABE scheme with black-box accountable authority characteristics. This scheme ensures secure access and control of sensitive health data while protecting the privacy of the data. In 2023, Qu et al. [20] introduced an attribute-based traceable encryption scheme that involves equality testing and is applied in electronic health systems. However, without an effective revocation mechanism as a supplement, the utility of the traceability feature will be greatly diminished.
Regarding the revocation of user keys, the revocation mechanism can be classified into two types: direct revocation and indirect revocation, depending on the entity performing the revocation operation. In 2009, Attrapadung et al. [21] proposed a CP-ABE scheme with direct revocation, where the ciphertext is associated with the identity set of unrevealed users, leading to lower efficiency. In contrast, indirect revocation can achieve finer-grained attribute revocation and offers greater flexibility. In 2011, Hur et al. [22] introduced an indirect revocation CP-ABE scheme. Although this scheme supports attribute revocation, it is unable to effectively defend against collaborative attacks initiated by users. In 2017, Li et al. [23] proposed a novel CP-ABE scheme that requires users to possess both the system private key and attribute set key when accessing data. If a user's attributes are revoked, the system recalculates the ciphertext and attribute set key, rendering users with revoked attributes unable to decrypt the data. In 2022, Han et al. [24] combined the functionality of user revocation and hiding policies with ABE. Once a user is tracked and identified as a malicious user, its privileges will be revoked immediately. Subsequently, Ge et al. [25] presented a revocable attribute encryption with data integrity protection. This scheme is efficient and practical.
In terms of multiple-attribute authorities, in 2009, Chase and Chow [26] achieved privacy protection by preventing the certificate authority (CA) from collecting specific user information. In 2015, Li et al. [27] introduced a CP-ABE scheme with multiple-attribute authorizing authorities designed for cloud storage. However, this scheme did not incorporate user revocation functionality. In 2018, Zhu et al. [28] proposed a decentralized multi-authority CP-ABE access control scheme. This scheme achieved user revocation by distributing keys to legitimate users, but it did not overcome the issue of single-point bottleneck. In 2022, Sarma et al. [29] introduced the multi-authority scheme, where each attribute authority manages a set of mutually disjoint attributes. This scheme assigns corresponding attributes to users after verifying their roles, but it also results in increased complexity and management costs. During the same period, Zhang et al. [30] implemented a safeguard mechanism by introducing a group manager responsible for assigning certificates to individual users. This measure aimed to counteract collusion attacks involving revoked users and malicious entities. In 2023, Yan et al. [31] introduced a CP-ABE scheme with key revocation and computational outsourcing capabilities involving multiple authorities. Subsequently, Xiong et al. [32] introduced an attribute-based data-sharing scheme, granting the cloud server the capability to perform ciphertext searches. However, the scheme exhibits a lack of flexibility in attribute revocation.
The solutions mentioned earlier exhibit limitations in effectively handling key tracing, key revocation, non-repudiation, and multi-authority scenarios comprehensively. Conversely, the MA-RUABE scheme presented in this article proves to be capable of satisfying diverse security and permission requirements.

Linear Secret-Sharing Schemes
A secret-sharing scheme Π [33] over a set of participants P is linear on $\mathbb{Z}_p$ if it satisfies the following two conditions:
1. Each participant's shared secret constitutes a column vector in $\mathbb{Z}_p$.
2. A shared generator matrix M with m rows and n columns is associated with Π; the i-th row of M is denoted by $\rho(i)$ and belongs to participant i. Consider a vector $v = (s, r_2, \ldots, r_n)$, where s represents the shared secret. $M_{m \times n} \cdot v$ associates the m shares of Π with the secret number s, and $\lambda_i = M_i \cdot v$ is the share held by participant i.
Let $\lambda_i$ be the share held by participant i, and $\rho(i)$ be the rows in the shared generator matrix of the attributes owned by i. Should i meet the access policy criteria, there is a constant vector w such that $\rho(i)^T \cdot w = (1, 0, \ldots, 0)^T$, and If access structure A has a monotonic nature, the following results follow: -There is a vector
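The following added example (not code from the paper) builds an LSSS matrix for the introduction's policy {{Chief Physician OR Department Head} AND {Internal Medicine AND Male}}, computes the shares $\lambda_i = M_i \cdot v$, and solves for the reconstruction vector w. The AND/OR tree conversion, the prime modulus P, and all function names are assumptions chosen for illustration; the paper does not state how its matrix is derived.

```python
import secrets

# Assumption: a fixed prime stands in for the modulus of the scheme (2^127 - 1 is prime).
P = 2**127 - 1

# The policy from the introduction as a binary tree of ("AND"|"OR", left, right).
POLICY = ("AND",
          ("OR", "Chief Physician", "Department Head"),
          ("AND", "Internal Medicine", "Male"))


def lsss_matrix(policy):
    """Return (M, rho): the share-generating matrix and the attribute of each row."""
    rows, rho = [], []
    width = 1  # number of matrix columns allocated so far

    def walk(node, vec):
        nonlocal width
        if isinstance(node, str):            # leaf: one row per attribute
            rows.append(vec)
            rho.append(node)
            return
        gate, left, right = node
        if gate == "OR":                     # either child alone must suffice
            walk(left, vec)
            walk(right, vec)
        else:                                # AND: children's vectors sum to the parent's
            padded = vec + [0] * (width - len(vec))
            left_vec, right_vec = padded + [1], [0] * width + [-1]
            width += 1
            walk(left, left_vec)
            walk(right, right_vec)

    walk(policy, [1])
    return [[x % P for x in r + [0] * (width - len(r))] for r in rows], rho


def share(secret, matrix):
    """lambda_i = M_i . v with v = (s, r_2, ..., r_n) and random r_j."""
    v = [secret % P] + [secrets.randbelow(P) for _ in matrix[0][1:]]
    return [sum(a * b for a, b in zip(row, v)) % P for row in matrix]


def solve_weights(matrix, rho, attrs):
    """Find w with sum_i w_i * M_i = (1, 0, ..., 0) over rows owned by attrs, or None."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(matrix[0])
    # One equation per matrix column; the last entry is the target vector (1, 0, ..., 0).
    aug = [[matrix[i][c] for i in idx] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):              # Gauss-Jordan elimination mod P
        pr = next((k for k in range(r, n) if aug[k][col]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):      # inconsistent: attrs do not satisfy the policy
        return None
    w = {i: 0 for i in idx}
    for row_i, col in enumerate(pivots):
        w[idx[col]] = aug[row_i][-1]
    return w


def recover(shares, w):
    """Recombine the secret as sum_i w_i * lambda_i."""
    return sum(w[i] * shares[i] for i in w) % P


if __name__ == "__main__":
    M, rho = lsss_matrix(POLICY)
    lam = share(42, M)                       # constructed sample secret
    for attrs in ({"Chief Physician", "Internal Medicine", "Male"},
                  {"Chief Physician", "Internal Medicine"}):
        w = solve_weights(M, rho, attrs)
        print(sorted(attrs), "->", None if w is None else recover(lam, w))
```

An attribute set that does not satisfy the policy yields no vector w, which is why its holder cannot recombine the shares.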

Composite-Order Bilinear Groups
Composite-order group bilinear mapping and prime-order group bilinear mapping have significant differences [34]. Consider three N-order cyclic groups $G_1$, $G_2$, $G_T$, where N is the product of large prime numbers ($N = p_1 p_2 \cdots p_n$), and the $p_i$ are distinct large prime numbers. For the bilinear mapping $e : G_1 \times G_2 \to G_T$, this mapping satisfies three crucial properties: linearity, non-degeneracy, and computability. Additionally, assume $G_{p_1}$, $G_{p_2}$, and $G_{p_3}$ are subgroups of group G with orders $p_1$, $p_2$, and $p_3$, respectively. Choose parameters $q_i \in G_{p_i}$ and $q_j \in G_{p_j}$, where $i \neq j$; then $e(q_i, q_j) = 1$.

Subgroup Decision Problem for Three Primes
Assumption 1 ([35]). Let G denote the order of the group, and G represent the group generator. Given the distribution below: By violating Assumption 1, algorithm A exhibits the following advantage: ) is a negligible function with respect to $1^\lambda$ for any polynomial-time algorithm A, we assert that Assumption 1 is fulfilled by G.
Assumption 2 ([35]). Given the distribution below: By violating Assumption 2, algorithm A exhibits the following advantage: ) is a negligible function with respect to $1^\lambda$ for any polynomial-time algorithm A, we assert that Assumption 2 is fulfilled by G.
Assumption 3 ([35]). Given the distribution below: By violating Assumption 3, algorithm A exhibits the following advantage: ) is a negligible function with respect to $1^\lambda$ for any polynomial-time algorithm A, we assert that Assumption 3 is fulfilled by G.

Subset Cover
Consider T as a complete binary tree with a depth of d, where the leaf nodes of T represent system users [36]. Let the function $path(x) = (path_{x,0}, path_{x,1}, \ldots, path_{x,depth(x)})$ output the route from the root $p_{x,0} = root$ to an arbitrary node $p_{x,depth(x)} = x$, where the function depth(x) produces the depth of node x. Users are revoked with the subset cover method as follows: given the set R of revoked users (leaf nodes), mark each node in path(x) for all $x \in R$. cover(R) is then defined as the set of unmarked nodes that are direct children of marked nodes. Figure 1 shows a subset cover tree; T contains eight leaves $x_8, x_9, \ldots, x_{15}$. Suppose $R = \{x_{12}, x_{15}\}$, so that $path(x_{12}) = \{x_1, x_3, x_6, x_{12}\}$. The cover(R) is defined as $\{x_2, x_{13}, x_{14}\}$. The nodes in cover(R) cover the users who have not been revoked.
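The cover(R) computation for the eight-leaf tree above, as an added example that is not code from the paper. It assumes heap-style numbering (the parent of $x_k$ is $x_{\lfloor k/2 \rfloor}$), which matches $path(x_{12}) = \{x_1, x_3, x_6, x_{12}\}$, and it goes beyond this paragraph by also evaluating the non-revocation test $path(utag) \cap cover(R)$ used at decryption and the enlarged list that results from additionally revoking $x_{10}$ and $x_{13}$; the function names and the rule that an empty R is covered by the root are assumptions.

```python
def path(x):
    """Nodes from the root x_1 down to node x (heap numbering: parent of k is k // 2)."""
    nodes = []
    while x >= 1:
        nodes.append(x)
        x //= 2
    return nodes[::-1]


def cover(revoked, depth):
    """cover(R): unmarked nodes that are direct children of marked nodes."""
    first_leaf, last_leaf = 2 ** depth, 2 ** (depth + 1) - 1
    for x in revoked:
        if not first_leaf <= x <= last_leaf:
            raise ValueError(f"x_{x} is not a leaf of a depth-{depth} tree")
    # Mark every node on the path of every revoked leaf.
    marked = {node for x in revoked for node in path(x)}
    if not marked:
        return {1}  # assumed convention: with nobody revoked, the root covers all users
    return {child
            for node in marked if node < first_leaf      # only internal nodes have children
            for child in (2 * node, 2 * node + 1)
            if child not in marked}


def cover_node(utag, revoked, depth):
    """The single node x_r in cover(R) that lies on path(utag), or None if utag is revoked."""
    hits = set(path(utag)) & cover(revoked, depth)
    # Subtrees rooted at cover nodes are disjoint, so at most one can contain utag.
    assert len(hits) <= 1
    return hits.pop() if hits else None


def active_users(revoked, depth):
    """Leaves that still pass the non-revocation test."""
    return [u for u in range(2 ** depth, 2 ** (depth + 1))
            if cover_node(u, revoked, depth) is not None]


if __name__ == "__main__":
    DEPTH = 3                                   # leaves x_8 .. x_15
    R = {12, 15}                                # revocation list from the text
    R_NEW = R | {10, 13}                        # enlarged list after a ciphertext update
    for label, rev in (("R", R), ("R'", R_NEW)):
        print(label, "cover:", sorted(cover(rev, DEPTH)),
              "active:", active_users(rev, DEPTH))
```

The size of cover(R) is what a ciphertext has to carry per revocation list, and each non-revoked key matches exactly one of those nodes.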

System Model
The MA-RUABE scheme's system model comprises six entities, as depicted in Figure 2. The roles and functions of each section are outlined as follows.

Scheme Description
The MA-RUABE scheme is composed of eight algorithms that run in polynomial time:
- Setup($1^\lambda$, U, $U_I$) → (pk, msk, $sk_k$): The setup algorithm takes the secure parameters $1^\lambda$, the collective set of attributes U of all users in the system, and the set of user tag universe $U_I$ as inputs. It generates public parameters pk, a master key msk, and private keys $sk_k$ corresponding to each attribute authority $AA_k$.
- KeyGen(pk, msk, $sk_k$, id, S, utag) → $sk_{id,S,utag}$: The key generation algorithm is jointly generated by user DU, the authority TA, and each attribute authority $AA_k$ through an interactive protocol. This algorithm takes public parameter pk, private key $sk_k$ corresponding to each attribute authority, master key msk, attribute set $S \in U$, user's identity id, and user's identifier $utag \in U_I$ as inputs to generate a decryption key $sk_{id,S,utag}$.
- Encrypt(pk, M, (A, ρ), R) → $CT_{A,R}$: The encryption algorithm requires four input parameters: public parameters pk, the plaintext M that the user wants to encrypt, a matrix A and a revocation list R.
- Decrypt(pk, $sk_{id,S,utag}$, $CT_{A,R}$) → M or $\perp$: The decryption algorithm takes public parameters pk, the user's own decryption key $sk_{id,S,utag}$, and the ciphertext $CT_{A,R}$ uploaded to the cloud as inputs. If the attributes of the user's key match the matrix corresponding to the access structure A in the ciphertext and satisfy the condition $path(utag) \cap cover(R) \neq \emptyset$, then the decryption algorithm outputs the plaintext M.
- KeyIntegrityCheck(pk, sk) → 1 or 0: The algorithm is primarily used to check whether a decryption key is complete. Public parameters pk and the secret key sk are used as inputs to the KeyIntegrityCheck algorithm. If sk is valid, the algorithm outputs 1; otherwise, it outputs 0.
- Trace(pk, msk, $sk_k$, sk) → id: The key tracing algorithm is primarily used to extract the user from a key and determine its ownership. Public parameters pk, master key msk, $AA_k$'s secret key $sk_k$, and leaked key sk are used as inputs to the key tracing algorithm. If the key passes the KeyIntegrityCheck algorithm, the Paillier decryption algorithm is then used to extract the user's ID.
- Audit(pk, $sk_{id,S,utag}$, $sk^*_{id,S,utag}$) → guilty or innocent: The Audit algorithm is run between a user and a public auditor (PA) and is mainly used to determine whether the user is guilty or innocent.
- The data owner uses an update algorithm to refresh the ciphertext, taking the original ciphertext $CT_{A,R}$ and a new revocation list $R' \supset R$ as inputs, and producing the updated ciphertext $CT_{A,R'}$ as output.

Security
The security of the MA-RUABE scheme is affirmed when it meets the following three criteria:
(1) The security of the initial ciphertext has been provided in reference. The definition of security under chosen plaintext attack for the updated ciphertext is as follows:
Setup: The adversary A sends an access structure A and revocation lists R and R′ ($R \subset R'$) to challenger B, and B starts the Setup($1^\lambda$, U, $U_I$) algorithm and sends the public parameter pk to the adversary.
Phase 1: In this phase, the adversary A can adaptively ask the challenger about the secret key $sk_{id_i,S_i,utag_i}$ corresponding to the user $(id_1, S_1, utag_1), (id_2, S_2, utag_2), \ldots, (id_i, S_i,$ $\in R'$ and $S_i$ meets the access policy, the challenge is terminated; otherwise, the challenger B generates the decryption key $sk_{id_i,S_i,utag_i}$ through the decryption key generation algorithm KeyGen(pk, msk, $sk_k$, $id_i$, $S_i$, $utag_i$), and sends $sk_{id_i,S_i,utag_i}$ to the adversary.
Challenge: A picks two messages of the same length $M_0$, $M_1$, an access structure $A^*$ corresponding to the revocation lists R and R′ where $R \subset R'$, and a utag. Note that $A^*$ cannot be satisfied by any of the queried attribute sets $(id_1, S_1, utag_1), (id_2, S_2, utag_2), \ldots, (id_i, S_i, utag_i)$.
Phase 2: A queries the secret key $sk_{id_i,S_i,utag_i}$ the same as in Phase 1, with $i \in [p_{i+1}, p_n]$, $S_i \notin A^*$ or $utag_i \in R$.
Guess: A outputs a guess σ′; it wins this game if σ = σ′.
Definition 1. The MA-RUABE is considered secure under a chosen plaintext attack of the updated ciphertext if a polynomial adversary can succeed in this scenario only with a negligible probability Pr[σ
(2) The definition of the dishonest AA game is as follows: The game involves the interaction between the dishonest authority adversary A and the challenger B. The task of adversary A is to attempt to recover the decryption key $sk^*_{id,S,utag}$ through this interaction to satisfy KeyIntegrityCheck(pk, $sk^*_{id,S,utag}$) → 1 and Trace(pk, msk, $sk_k$, sk) → id.
Setup: The challenger B generates the public parameter pk, the master secret key msk, and secret keys $sk_k$ through Setup($1^\lambda$, U, $U_I$), and sends pk along with the private key $sk_x$ corresponding to adversary A to A.
Phase: A queries B for the decryption key of any user (id, S, utag). B first generates a portion $sk_{pri}$ of the decryption key, computes $sk_{id,S,utag}$ using the Decrypt algorithm, then sends the generated parameters to A, and retains $sk_{id,S,utag}$.
Challenge: A attempts to recover a decryption key $sk^*_{id,S,utag}$ based on the parameters sent by challenger B.

Also, the algorithm randomly selects p, q ($p \neq q$, p and q have the same length), and gcd(pq
The public parameters $pk = (N, n, g_1, g, g^a, g^b, g^c, g^d, g^m, e(g, g)^\alpha, \{\forall utag \in U_I, g^{F(x_r)}\}_{x_r \in path(utag)}, \{U_i = g^{u_i}, V_i = g^{\beta_i}\}_{i \in U})$, the master key $msk = (p, q, \alpha, a, g_3)$ and secret key $sk_k = \{\beta_i\}_{i \in AA_k}$ corresponding to the authorized agency $AA_k$.
- KeyGen(pk, msk, $sk_k$, id, S, utag) → $sk_{id,S,utag}$: The key generation algorithm is jointly generated by the user DU, the authority TA, and each attribute authority $AA_k$ through an interactive protocol:
1. DU sends its own attributes $\{s_i\}_{i \in AA_k}$ to organization $AA_k$, which has the authorization authority for the corresponding attributes.
2. $AA_k$ calculates $D_i = \{U_i^{\beta_i}\}_{i \in AA_k}$ and sends $D_i$ to DU.
3. DU first verifies the following equation: If the equation holds, DU randomly selects $x, y \in \mathbb{Z}_N$ and calculates $t = xy$, $R_U = g^t$, then sends $g^t$, identity id, unique identifier utag and $\{D_i\}_{i \in S}$ to TA, then runs an interactive zero-knowledge proof of $R_U$ about t.
4. TA first verifies whether $R_U$ is generated by t. If the verification passes, TA ran- then TA calculates a part of the decryption key: DU initially checks if the following equation is valid:
(1) $e(D_1, g^a) = e(D_3, g) = e(g, g)^{ah}$.
(2) $e(D_0, g^a g^T) = e(g, g)^\alpha e(R_U, g^b) e((D_1)^T D_3, g^d)$.
(3) $\exists x \in S$, s.t. $e(U_x, \bar{G}_{x,2}) = e(\bar{G}_{x,1}, g)$, $e(D_{x,1}, g^a) = e(g^{\beta_x}, D_3)$.
If the equation holds, DU calculates t id = h t and generates the decryption key: We distribute the attributes to different institutions. TA lacks access to the secret key $\beta_i$, and $AA_k$ is not aware of TA's msk. Therefore, only a few institutions are unable to recover the decryption key.
- Encrypt(pk, M, (A, ρ), R) → $CT_{A,R}$: The encryption algorithm first encodes the access structure A with the LSSS scheme, and then selects a vector $y = (s, y_2, \ldots, y_n)$, where s is the shared secret number and $y_2, \ldots, y_n \in \mathbb{Z}_N$ are randomly selected. It then selects random elements $x_i, r_i \in \mathbb{Z}_N$ for each row of the matrix M. Define $[l] = 1, \ldots, m$, where m denotes the number of rows of the matrix. The ciphertext is composed of the following:
- Decrypt(pk, $sk_{id,S,utag}$, $CT_{A,R}$) → M or $\perp$: The algorithm takes the user's decryption key $sk_{id,S,utag}$, ciphertext $CT_{A,R}$, and public parameter pk as input, if S satisfies the access structure and $utag \notin R$. It first calculates the vector $w = (w_i)$ so that $\sum_{\rho(i) \in S} w_i A_i^T = (1, 0, \ldots, 0)$, and if user $i \notin R$, then there is an $x_r = cover(R) \cap path(utag)$ such that $F(x_r)_{x_r \in path(utag)} = F(x_r)_{x_r \in cover(R)}$, then calculates:
- KeyIntegrityCheck(pk, sk) → 1 or 0: The algorithm takes public parameter pk and a decryption key sk as input, and the sk is valid if:
1. sk is expressed as
2. $e(D_1, g^a) = e(D_3, g) = e(g, g)^{ah}$.
3. $e(D_0, g^a g^T) = e(g, g)^\alpha e((D_1)^T D_3, g^d) e(R_U, g^b) e((g^a g^T)^{t_{id}}, g^c)$.
- Trace(pk, msk, $sk_k$, sk) → id: After the key successfully passes the KeyIntegrityCheck algorithm, the Trace algorithm can decrypt the Paillier encryption and extract the id from the key.
- Audit(pk, $sk_{id,S,utag}$, $sk^*_{id,S,utag}$) → guilty or innocent: When a user is suspected of being guilty, but he himself claims to be innocent, DU interacts with the public auditor PA:
1. DU provides its decryption key $sk_{id,S,utag}$ to the public auditor PA, and if it passes the KeyIntegrityCheck algorithm, proceeds to the second step.
2. PA verifies whether $t_{id} = t^*_{id}$. As our scheme employs multiple authoritative institutions to issue decryption keys, only a few entities are unable to recover the key. If this equation holds, then DU cannot deny the fact that it leaked the decryption key.
- The key update algorithm takes the original ciphertext $CT_{A,R}$ and a revocation list R′ as input, and publishes R′ publicly, as shown in Figure 3. Assuming that the revocation list is $\{x_{10}, x_{13}\}$, then $cover(R') = \{x_4, x_{11}, x_{14}\}$, and the data owner modifies the ciphertext. $CT_{A,R'}$ according to the revocation list is as follows:
If a user is not included in the revocation set, then there is an $x_j = cover(R) \cap path(utag)$ such that $F(x_j)_{x_j \in path(utag)} = F(x_j)_{x_j \in cover(R)}$, and $R_0, R_2, R_{x_r} \in G_{p_3}$. In accordance with the orthogonal characteristic of composite-order bilinear groups:
$$D = \frac{e(g^{s(a+T)}, g^{c t_{id}}) \, e(g^{s(a+T)}, g^{\frac{\alpha}{a+T}}) \, e(g^{s(a+T)}, g^{\frac{bt}{a+T}})}{e((g^b)^s, g^t) \cdot e((g^c)^s, (g^T g^a)^{t_{id}})} \, e(g^{s(a+T)}, g^{dh}) = e(g^s, g^\alpha) \, e(g^{s(a+T)}, g^{dh})$$
If a user is included in the revocation set: $e(g^{mh} R_2, (g^{F(x_j)})^s)_{x_j \in cover(R)}$ )) ))
$$D/E = e(g, g)^{\alpha s}, \quad M = \frac{C}{D/E}$$

IND-CPA Security
The literature has demonstrated the security of the initial ciphertext. After the ciphertext has been updated, we then demonstrate the IND-CPA security. First, a semi-functional ciphertext (S-FC) and semi-functional keys (S-FK) [37] must be created: Randomly choose $z_i, w_i \in \mathbb{Z}_N$ for attributes, and select elements $\gamma_i, v_i \in \mathbb{Z}_N$ along with a vector $u \in \mathbb{Z}_N$. The definition of the S-FC after updating the ciphertext is as follows:

Randomly select h, k to define the following two S-FKs: The S-FK can only decrypt the S-FC, but the ordinary key can also decrypt the ordinary ciphertext. There will be an extra item when we use an S-FK to decrypt the S-FC: Through a sequence of games, we demonstrate the security of the MA-RUABE system:
• $Game_{real}$: The keys and ciphertexts used in this simulation of a security game are standard.
• $Game_0$: In this stage, all keys are common, and the ciphertext is only semi-functional.
• $Game_{k,1}$: The challenge ciphertext and first k − 1 keys of Type 2 and the k-th key of Type 1 are both semi-functional.
• $Game_{k,2}$: The challenge ciphertext in this game is S-FC, and the first k keys are S-FK of Type 2, with the remaining keys being common keys.
In the final stage, we engage in the last round of the game ($Game_{final}$): all of the keys are Type 2 semi-functional keys, and the ciphertext is produced by semi-functionally encrypting.
Lemma 1. Assuming there is a polynomial algorithm A such that $Game_{real}Adv_A - Game_0 Adv_A = \varepsilon$, we can construct an algorithm in polynomial time to break Assumption 1 with the advantage of ε.
Proof. Send $\alpha, a, g_3, \beta_i$ to B, he will simulate $Game_{real}$ and $Game_0$ with A. A sends an access structure $(A^*, \rho)$ and revocation lists R, R′ ($R \subset R'$) to B. B randomly selects exponents $\alpha, m, a, b, c, d \in \mathbb{Z}_N$, and selects $u_i, \beta_i$ for each attribute i in the system, a function $F : U_I \to \mathbb{Z}_N$, and then sends the public parameter $pk = (N, n, g_1, g, g^a, g^b, g^c, g^d, g^m, e(g, g)^\alpha, \{\forall utag \in U_I, g^{F(x_r)}\}_{x_r \in path(utag)}, \{U_i = g^{u_i}, V_i = g^{\beta_i}\}_{i \in U})$ to A. A sends two plaintexts $M_0$, $M_1$ of equal length to B, and B implicitly sets $g^s$ as the $G_{p_1}$ part of T. B chooses $\beta \in \{0, 1\}$ by tossing a coin, and sets the ciphertext in the following format: B randomly selects $\{y'_2, \ldots, y'_n\} \in \mathbb{Z}_N$, sets $y' = (1, y_2, \ldots, y_n)$, randomly selects random values $x_i, r_i$ for each row of $A^*$, and sets B implicitly sets y to $(s, sy'_2, \ldots, sy'_n)$. This is a uniformly distributed semi-functional ciphertext. Therefore, the game can be won by A with the advantage of ε. Since it is only different from the ciphertext structure in [17,37], Assumptions 2 and 3 can be obtained by the above construction and the proof.
Dishonest Attribute Authority Game
Lemma 2. We can create an algorithm B in polynomial time to disprove Assumption 4 with the advantage of ε, assuming there is a polynomial algorithm A such that $Adv_A = \varepsilon$.
Proof. The challenger B starts the Setup algorithm to generate the public parameter, the master secret key, and secret keys, where $pk = (N, n, g_1, g, g^a, g^b, g^c, g^d, g^m, e(g, g)^\alpha, \{\forall utag \in U_I, g^{F(x_r)}\}_{x_r \in path(utag)}, \{U_i = g^{u_i}, V_i = g^{\beta_i}\}_{i \in U})$, $msk = (p, q, \alpha, a, g_3)$, $sk_k = \{\beta_i\}$. B sends pk to adversary A. A asks B about the decryption key of user (id, utag, S). B generates part of the decryption key: and sets the decryption key: , and generates the decryption key. At this time, the KeyIntegrityCheck algorithm outputs 1, and the Trace algorithm outputs id.
Since the CDH assumption is an NP problem, adversary A can therefore break Assumption 4 with the advantage of ε.

Property Comparison
As shown in Table 1, for tracking overhead, TR-APABE [24] requires maintaining an identity table and performing corresponding identity searches in this table every time the tracking algorithm is executed. The scheme RABE-DI [25] allows for updating the access policy for ciphertexts, but does not enable direct user revocation. On the contrary, TLU-CPABE [17] and MA-RUABE only have to retain a constant value k to achieve traceability. However, both schemes assume that the central authority is completely trusted and are susceptible to attacks from a corrupt central authority. G-ABEET [32] is an extension of KP-ABE, but the attributes of EHR visitors typically remain stable. Therefore, EHR owners need to adjust the embedded access policies based on the access scenario. In comparison, MA-RUABE is the only solution that achieves the multi-attribute property, traceability, and attribute revocation in an adaptive secure manner, ensuring that users' data privacy in the electronic healthcare environment is protected from various threats.

Efficiency Comparison
To perform a thorough analysis of the feasibility and effectiveness of this scheme, this section employs simulation experiments to compare the performance of various schemes. We utilize the Java-based JPBC library to construct the scheme and evaluate the efficiency of the encryption scheme. The experiments are conducted on a Windows 11 system platform with 16 GB of RAM, equipped with a six-core R5-2600 processor operating at a frequency of 3.40 GHz. The composite-order bilinear group is configured with a size of 128 bits, and the attribute set's size increases exponentially, taking values of 2, 4, 8, and so on.
In the private key generation phase, as shown in Figure 4a, as the attributes associated with the key increase, the key size and generation time exhibit linear expansion. TR-APABE stands out as the most efficient solution during this phase, demonstrating the shortest key generation time and minimal key size. Our proposed scheme shares the same level of efficiency as TR-APABE. In the tracking phase, as shown in Figure 4b, compared to TLU-ABE, MA-RUABE exhibits a certain advantage in traceability effectiveness.
In the encryption phase, as shown in Figure 4c, with an increase in the number of attributes associated with the ciphertext, both the size of the ciphertext and the encryption time exhibit linear growth. Although this scheme introduces subset coverage technology, the complexity in parameter selection remains O(N). Therefore, compared to previous schemes in this stage, the suggested scheme showcases superior efficiency, characterized by the briefest encryption time. However, ciphertext construction is relatively complex, resulting in a marginally greater size of ciphertext.
In the decryption phase, as illustrated in Figure 4d, this scheme requires an intersection operation on a set, but the time required for this step can be considered negligible. Hence, relative to previous schemes, the proposed scheme is also the most effective in this stage, boasting the shortest decryption time. Furthermore, both TR-APABE and G-ABEET incur additional search costs, which escalate with the growing number of users.
In summary, MA-RUABE represents a reliable data privacy protection scheme, exhibiting outstanding performance in cloud-based electronic healthcare environments. It demonstrates both practicality and efficiency.

Conclusions and Future Work
To accomplish efficient data sharing in the electronic healthcare cloud environment, we have introduced a revocable and traceable undeniable adaptively secure scheme (MA-RUABE), based on TLU-CPABE. This scheme employs subset coverage techniques and multi-authority key distribution to effectively address the potential misuse of keys resulting from malicious key sharing by users. It also ensures that the decryption process for other members of the system remains unaffected. Experimental evaluations demonstrate that MA-RUABE provides both high efficiency and sufficient security, effectively safeguarding data sharing within the electronic healthcare cloud system.
One future direction is to further optimize the proposed scheme and enhance the current architecture. This involves standardizing the system model and continuously improving it to bolster the overall resilience of the system. The goal is to advance the system's intelligence and adaptability. Additionally, a crucial direction involves integrating the scheme with other advanced technologies, particularly incorporating blockchain technology. By introducing blockchain, the security and functionality of the MA-RUABE scheme can be further strengthened to address emerging challenges in the electronic healthcare cloud environment.

• Third-party authority (TA): Responsible for tracking and revoking malicious users in the system. TA is secure and trustworthy, capable only of generating attribute keys related to user identity. It does not have the authority to grant specific attribute meanings and cannot forge attribute keys corresponding to decentralized attribute authorities.
• Attribute Authority (AA): Responsible for issuing meaningful attributes and generating corresponding attribute keys for EHRs. AA is considered semi-trusted; no individual AA can forge attribute keys corresponding to attributes managed by other authorization centers.
• Cloud Service Provider (CSP): A cloud server provider is honest and inquisitive, offering data storage services.
• Data Owner (DO): Responsible for establishing access policies to define the scope of data sharing. Patients generate ciphertext based on this access policy and transfer it to the cloud.
• Data User (DU): Doctors receive ciphertext sent by the encryptor. They can only decrypt and obtain plaintext if the attribute key satisfies the requirements of the access policy.
• Public Auditor (PA): In a situation where a user is suspected of key leakage, despite their claims of innocence, an audit of the user is necessary to ensure the accuracy and compliance of the entire process.

(i) The initial ciphertext's indistinguishability under chosen plaintext attack (IND-CPA).
(ii) The modified ciphertext's indistinguishability under the chosen plaintext attack.
(iii) Multiple attribute authorizations can only recover the decryption key with a negligible advantage of ε.

Definition 2. We call a scheme multi-attribute and authoritatively secure if, for any polynomial-time dishonest adversary A, the game can be won only with negligible probability Pr[KeyIntegrityCheck(pk, $sk^*_{id,S,utag}$) → 1 and Trace(pk, msk, $sk_k$, sk) → id] < ε.

- Setup($1^\lambda$, U, $U_I$) → (pk, msk, $sk_k$): The setup algorithm produces an order $N = p_1 p_2 p_3$ bilinear group G through the group generator G, where $p_1, p_2, p_3$ are three distinct primes. $G_{p_i}$ is the subgroup of G of order $p_i$. g and $g_3$ are generators of $G_{p_1}$ and $G_{p_3}$, respectively, defining a mapping $e : G \times G \to G_T$. Then the algorithm chooses random elements $\alpha, m, a, b, c, d \in \mathbb{Z}_N$, and it selects random values $u_i, \beta_i \in \mathbb{Z}_N$ for each attribute $i \in U$.

Table 1. Comparison of MA-RUABE scheme and other schemes.