Efficient Privacy-Preserving Access Control Scheme in Electronic Health Records System

The sharing of electronic health records (EHR) through cloud servers is an increasingly important development that can improve the efficiency of medical systems. However, it raises several security and privacy concerns for the EHR system. EHR data contain the EHR owner's sensitive personal information; if a malicious user obtains these data, the result is not only a leakage of the patient's privacy but also interference with the doctor's diagnosis. It is a very challenging problem for the EHR owner to keep full control over his or her own EHR data while also preserving his or her privacy. In this paper, we propose a new privacy-preserving access control (PPAC) scheme for EHR. To achieve fine-grained access control of the EHR data, we use the attribute-based signcryption (ABSC) mechanism to signcrypt data under an access policy expressed as a linear secret sharing scheme. Employing a cuckoo filter to hide the access policy protects the EHR owner's private information. In addition, the security analysis shows that the proposed scheme is provably secure under the decisional bilinear Diffie-Hellman exponent assumption and the computational Diffie-Hellman exponent assumption in the standard model. Furthermore, the performance analysis indicates that the proposed scheme achieves lower communication and computation costs than the related schemes while preserving the EHR owner's privacy. Therefore, the proposed scheme is better suited to the EHR system.


Introduction
With the rapid growth of new-generation information technologies such as cloud computing and the Internet of Things, and the continuous improvement of people's living standards, the concept of the smart city has received more attention. In particular, the electronic health records (EHR) system has been widely applied in smart cities since its appearance, and it has gradually been developed and improved [1,2]. However, in the face of the tremendous volume of EHR data, a third-party platform is needed to store and manage these data. Cloud computing provides inexpensive distributed computing capability through the Internet and is characterized by ultra-large scale and low cost. Hence, managing and storing the EHR data in cloud servers has become an inevitable trend. In the EHR system, EHR owners generally upload and view their personal information, medical records and medication records through the cloud servers. Storing the EHR data in cloud servers improves the quality of personal medical health management while saving resources and reducing hospital expenses. Only authorized EHR users (such as doctors or nurses) are able to log in to the cloud servers and access the data.
Although there are many significant advantages to using cloud servers to manage the EHR data, doing so also raises concerns, such as the security and privacy of the sensitive data [3][4][5]. If a malicious and unauthorized adversary breaks into the EHR system and carries out a series of malicious actions, including leaking patients' identity information and maliciously tampering with medical

• Based on bilinear pairings, a ciphertext-policy attribute-based signcryption (CP-ABSC) scheme for the EHR system is proposed. The proposed scheme ensures fine-grained access control of the EHR data, uses a cuckoo filter to hide the access policy and preserves the privacy of EHR owners.

• The security analysis indicates that the proposed CP-ABSC scheme achieves ciphertext indistinguishability and existential unforgeability in the standard model under the decisional bilinear Diffie-Hellman exponent (q-DBDHE) assumption and the computational Diffie-Hellman exponent (q-CDHE) assumption, respectively.

• The performance evaluation demonstrates that the proposed CP-ABSC scheme is more efficient than the related existing schemes [20][21][22][23] in terms of communication overhead and computation cost, and is well suited to the EHR system.

Organization
This paper is organized as below. The related work is described in Section 2. The preliminaries are reviewed in Section 3. The system model and security model are described in Section 4. The proposed PPAC scheme is given in Section 5. Sections 6 and 7 present the security proof and performance analysis, respectively. Finally, this paper is concluded in Section 8.

Related Works
Access control is a basic security service in modern computing systems. Access control management ensures that only authorized users are given access to certain resources, which is an effective method of protecting data privacy. It is characterized by different access permissions and levels of view, and is usually constructed according to a hierarchical scheme. In particular, Akl and Taylor [24] first proposed the use of cryptography to implement access control in hierarchical structures in 1983. Crampton et al. [25] introduced a novel cryptographic scheme for enforcing information flow policies. The advantage of this scheme is that no public information is needed to derive the decryption keys; moreover, for a given policy, this tree-based scheme requires fewer keys than existing chain-based approaches. Castiglione et al. [26] not only explored the relationships among all the security notions for hierarchical key assignment schemes (HKAS), but also proposed a general construction for HKAS that provides security against strong key recovery from any HKAS that guarantees security against key recovery. Since outsourced data must be created, shared, updated and deleted dynamically by a large number of users, Castiglione [27] provided new results on Akl and Taylor's scheme [24] for flexible and fine-grained access control supporting dynamic updates in cloud environments. Alderman [28] designed a space-efficient KAS based on a binary tree, which eliminates public information and imposes logarithmic bounds on the number of derivations required. This scheme performs better than existing schemes, reduces the storage requirement on user devices and bounds the derivation cost logarithmically.
In 2005, the idea of ABE was proposed by Sahai and Waters [29]; it is a one-to-many encryption mechanism. In this scheme, users encrypt the plaintext message under a certain access control policy, and attributes are used to identify users' identities. Afterwards, ABE was divided into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE), depending on whether the access structure is associated with the ciphertexts or with the secret keys, respectively. In 2006, the KP-ABE scheme was proposed by Goyal et al. [30]; it supports delegation of private keys and provides flexible access policies that enable fine-grained access control. In 2007, Bethencourt et al. [31] constructed the CP-ABE scheme, which keeps the data confidential even when the storage server is not trusted, and also resists collusion attacks. Based on linear secret sharing schemes, Waters [32] first put forward a fully expressive CP-ABE scheme in the standard model. In this scheme, the sender of a message can formulate an access policy according to its own attributes and define different access policies for different messages. Although both KP-ABE and CP-ABE schemes are able to use access policies to encrypt messages and achieve access control of data, CP-ABE schemes are more appropriate for access control applications. With the development of research, many ABE schemes [6][7][8][9][10][11][12][13][14][15][16][17][33][34][35] have been presented.
To guarantee the confidentiality of the EHR data during storage and transmission, EHR owners must consider access control of the EHR data so that only authorized users can obtain the important information. In 2009, Ibraimi et al. [6] presented a novel CP-ABE scheme for safely managing and sharing the EHR data from an untrusted web server; it is used to enforce organizational/patient access control policies and protect the data. In 2010, based on cryptographic constructions, Sun et al. [7] proposed a secure EHR system that combines mechanisms for revocation and fine-grained access control and supports secure sharing of patient data. In 2011, Akinyele et al. [8] designed a self-protecting EHR scheme employing ABE, whose main purpose is that an access control policy may be assigned to each encrypted item. In 2013, Li et al. [9] gave a new secure EHR data sharing scheme in cloud computing, which simplifies key management for users by using the multi-authority ABE technique.
Owing to the sensitivity of health-related data, providing privacy preservation for EHR owners and access control of the EHR data is the main challenge in today's EHR systems. Based on public key encryption with keyword search, Narayan et al. [10] proposed an ABE scheme that provides privacy preservation for the EHR management system. Liang et al. [12] proposed an attribute-oriented authentication scheme that helps an EHR user establish social relationships and share health information with other trusted users. Lu et al. [13] introduced a user-centric privacy access control scheme that allows a medical user to determine who may take part in the computation that assists EHR data processing. Liu et al. [14] proposed online/offline ABE, in which EHR owners perform most of the encryption computation during an offline encryption phase; once the access policy and the EHR data are known, in the online encryption phase EHR owners can quickly combine the prepared information to generate the final ciphertext. Zhou et al. [15] presented two anonymous ABE schemes that achieve anonymity for personal EHR. On the basis of ABE, a PPAC scheme for mobile healthcare social networks was proposed by Jiang et al. [16]; this scheme adopts a bloom filter to hide attributes and efficiently query attributes before decryption. Yang et al. [17] constructed a new attribute bloom filter for a privacy-preserving CP-ABE scheme.
Zheng [36] first proposed the concept of signcryption, which combines the encryption and digital signature functions in a single step. Its advantages include a communication overhead much smaller than that of separate encryption and signature steps, while achieving both confidentiality and authenticity. Combining the ideas of ABE and signcryption, attribute-based signcryption (ABSC) has been put forward [18,20,21,22,23,37,38,39,40,41,42,43,44]. In 2010, Gagné et al. [18] proposed an ABSC scheme using a threshold access policy, in which users have to determine their access structure in advance during the setup phase. In 2011, Wang et al. [20] put forward a ciphertext-policy and claim-predicate ABSC scheme based on bilinear pairings; its efficiency is much higher than that of combining ciphertext-policy attribute-based signature (CP-ABS) with CP-ABE. In 2012, the dynamic CP-ABSC scheme was proposed by Emura et al. [21], which allows the signature access structure to be updated without re-sending the user's signature key. It also provides public verifiability, which permits any intermediary to check the validity of a ciphertext before sending it to the recipient. In 2013, a novel and secure fuzzy attribute-based signcryption scheme was constructed by Hu et al. [22], which provides data encryption, access control and digital signature for patient medical information in body area networks. Afterward, based on bilinear pairings on elliptic curves, Guo et al. [38] realized the concept of ring signcryption in the attribute-based encryption framework and presented an attribute-based ring signcryption scheme. Wang et al. [39] pointed out that the ABSC scheme [18] is not secure against a certain forgery. Han et al. [40] used inner-product encryption to construct a threshold ABSC scheme with constant-size ciphertext. In 2014, Wei et al. [41] designed a traceable ABSC scheme.
The advantage of this scheme is that the authority can breach the anonymity of the signcryption when it is required to trace messages. In 2016, in light of the expressive LSSS access structure, Rao et al. [43] presented an efficient KP-ABSC scheme with constant-size ciphertext. To solve the problem of secure sharing with fine-grained access control for personal health records (PHR) data, Liu et al. [44] proposed a CP-ABSC scheme. Unfortunately, Rao et al. [23] pointed out problems in scheme [44] and proposed a secure CP-ABSC scheme for EHR data sharing in the cloud.
In summary, the above-mentioned ABSC schemes provide confidentiality and unforgeability of the EHR data. However, these schemes do not specifically address the privacy leakage of EHR owners in the EHR system: the access policies are still transmitted in plaintext. To a certain extent, therefore, disclosure of personal privacy information remains a challenging problem in fine-grained data access control for the EHR system.
Besides, many cloud servers now support two-factor authentication. Based on an analysis of the shortcomings of existing privacy-preserving two-factor authentication schemes, Wang et al. [45] proposed an efficient and provably secure two-factor authentication scheme in the random oracle model, which achieves higher security and privacy without increasing communication or computation costs. In a subsequent study, Wang et al. [46] proposed a two-factor authentication scheme in the random oracle model that achieves security guarantees beyond the conventional optimal security bound. If an attribute-based authenticated key agreement scheme were constructed on the basis of signcryption, it could also provide good security and efficiency in a PPAC scheme. In our research, we prefer to design a PPAC solution for the EHR system under the standard model. Therefore, in this paper, using the CP-ABSC scheme, we present a PPAC scheme for a practical and secure EHR system, which prevents leakage of the EHR owner's personal privacy information through the access policy and achieves fine-grained access control of EHR data.

Bilinear Pairings
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G$. A bilinear map $e : G \times G \to G_T$ satisfies the following properties:

1. Bilinearity: for all $u, v \in G$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$.

3. Computability: for all $u, v \in G$, there exists an efficient algorithm to compute $e(u, v)$.

Access Structures
Suppose $P = \{P_1, P_2, \dots, P_n\}$ is a set of parties. A collection $W \subseteq 2^P$ is monotone if and only if, for any sets $B$ and $C$, $B \in W$ and $B \subseteq C$ imply $C \in W$. An access structure is a collection $W$ of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, i.e., $W \subseteq 2^P \setminus \{\emptyset\}$. The sets in $W$ are called the authorized sets; all other sets are called the unauthorized sets.

Linear Secret Sharing Schemes
A secret sharing scheme $\Pi$ for the access structure $W$ is called a linear secret sharing scheme (LSSS) over a set of parties $P$ in $\mathbb{Z}_p$ if:

1. The shares for each party form a vector over $\mathbb{Z}_p$.

2. There exists a share-generating matrix $M$ with $l$ rows and $n$ columns for $\Pi$. For all $i \in [1, l]$, the function $\rho : \{1, 2, \dots, l\} \to P$ maps the $i$'th row of $M$ to an authorized role attribute $\rho(i)$. Let the column vector $v = (\sigma, r_2, \dots, r_n)$ be the sharing vector, where $r_2, \dots, r_n \in \mathbb{Z}_p$ are random values and $\sigma \in \mathbb{Z}_p$ is the secret to be shared. Then $Mv$ is the vector of $l$ shares of $\sigma$ according to $\Pi$, and each share $\lambda_i = (Mv)_i$ is distributed to the attribute $\rho(i)$.

An LSSS represented by an access structure $W = (M, \rho)$ is shown in Figure 1. Every LSSS has the linear reconstruction property, defined as follows. Let $W$ be the access structure and $\Pi$ the LSSS. For any authorized set $S \in W$, let $I = \{i : \rho(i) \in S\} \subset \{1, 2, \dots, l\}$. If $\{\lambda_i\}_{i \in I}$ are valid shares of the secret $\sigma$ according to $\Pi$, then there exist constants $\{w_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} w_i \lambda_i = \sigma$. Letting $M_i$ denote the $i$'th row of $M$, this is equivalent to $\sum_{i \in I} w_i M_i = (1, 0, \dots, 0)$. The constants $\{w_i\}$ can be found in time polynomial in the size of the share-generating matrix $M$.
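The share generation and linear reconstruction just described, as an added example that is not part of the paper. The share-generating matrix is constructed here for the policy (A AND B) OR C using the standard conversion of a boolean formula into an LSSS (an assumption; the paper's Figure 1 is not reproduced), the field modulus is a constructed prime rather than the paper's group order, and the reconstruction constants $\{w_i\}$ are found by solving $\sum_{i \in I} w_i M_i = (1, 0, \dots, 0)$ by Gaussian elimination over $\mathbb{Z}_p$, which also shows that an unauthorized set yields no solution.

```python
import secrets

# Constructed field modulus for the example (a Mersenne prime); the paper's p is the group order.
P = 2**127 - 1


def lsss_matrix_example():
    """Share-generating matrix M and row map rho for the policy (A AND B) OR C.
    Rows were derived by the usual boolean-formula-to-LSSS conversion (assumed here)."""
    M = [[1, 1],    # row 1 -> attribute A
         [0, -1],   # row 2 -> attribute B
         [1, 0]]    # row 3 -> attribute C
    rho = {1: "A", 2: "B", 3: "C"}
    return M, rho


def share(M, secret, p=P):
    """Pick v = (sigma, r_2, ..., r_n) with random r_j and return the l shares
    lambda_i = M_i . v (mod p), one per row."""
    n = len(M[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(M[i][j] * v[j] for j in range(n)) % p for i in range(len(M))]


def _solve_mod_p(A, b, p):
    """Solve A x = b over Z_p by Gaussian elimination. Free variables are set to 0;
    returns None when the system is inconsistent (no reconstruction vector exists)."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in A[r]] + [b[r] % p] for r in range(rows)]
    pivot_cols, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivot_cols.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):   # 0 = nonzero: inconsistent
        return None
    x = [0] * cols
    for i, c in enumerate(pivot_cols):
        x[c] = aug[i][cols]
    return x


def reconstruction_coefficients(M, rho, attrs, p=P):
    """For attribute set S, let I = {i : rho(i) in S} and find {w_i} with
    sum_i w_i M_i = (1, 0, ..., 0). Returns None exactly when S is unauthorized."""
    I = [i for i in rho if rho[i] in attrs]
    if not I:
        return None
    n = len(M[0])
    # Unknowns are w_i for i in I: solve (M_I)^T w = e_1, an n x |I| system.
    A = [[M[i - 1][j] for i in I] for j in range(n)]
    e1 = [1] + [0] * (n - 1)
    w = _solve_mod_p(A, e1, p)
    return None if w is None else dict(zip(I, w))


def reconstruct(shares, coeffs, p=P):
    """Linear reconstruction: sigma = sum_{i in I} w_i * lambda_i (mod p)."""
    return sum(w * shares[i - 1] for i, w in coeffs.items()) % p


if __name__ == "__main__":
    M, rho = lsss_matrix_example()
    sigma = 12345
    lam = share(M, sigma)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        w = reconstruction_coefficients(M, rho, S)
        print(sorted(S), "authorized" if w else "unauthorized",
              reconstruct(lam, w) == sigma if w else "")
```

With the matrix above, $\{A, B\}$ reconstructs with $w_1 = w_2 = 1$ (the $v_2$ terms cancel) and $\{C\}$ reconstructs with $w_3 = 1$, while $\{A\}$ or $\{B\}$ alone leaves the system $\sum w_i M_i = (1, 0)$ without a solution, which is the algebraic reason a single share reveals nothing about $\sigma$.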

Cuckoo Filter
The data structure called the cuckoo filter [19] is an extended version of the bloom filter that supports adding and removing items dynamically while having lower space overhead, shorter lookup time and better performance than the bloom filter [47]. It also solves the false-positive problem of the bloom filter. As a method for testing set membership, the cuckoo filter uses the cuckoo hashing technique [48] to check whether an element exists in a set. Figure 2a shows a basic cuckoo hash table consisting of a series of buckets, each of which contains 4 entries. Every item $x$ has two candidate buckets, computed as $h_1(x)$ and $h_2(x)$. Figure 2b shows the process of inserting a new element into the hash table; in Figure 2 the table has 8 buckets. When a new element whose candidate buckets are 1 and 5 is added, it is placed in whichever of the two buckets is free. If neither bucket has space, the element is placed in one of its candidate buckets (say bucket 1), evicting the element stored there; the evicted element is then re-inserted into its own alternative position, as shown in Figure 2b. In this case, evicting "a" from bucket 1 in turn moves "c" from bucket 3 to bucket 6. This relocation is repeated until an empty bucket is found or the maximum number of kicks is reached. If no empty bucket is found, the cuckoo hash table is regarded as too full to insert into. A cuckoo filter has three main functions: insert, which stores items in the filter; lookup, which checks whether an item exists in the filter; and delete, which removes previously inserted items. For each item $x$, the cuckoo filter stores a fingerprint and computes the two candidate buckets $i_1$ and $i_2$ by the following formulas, in which $H_4$ is a one-way hash function.
We only adopt the insert and lookup functions of cuckoo filter in our paper. Algorithm 1 and Algorithm 2 illustrate the insert operation and lookup operation, respectively.
In Algorithm 1, the cuckoo filter adds new items dynamically by storing the fingerprint $f$ of every item $x$. In Algorithm 2, one can easily check whether an item $y$ belongs to the cuckoo filter.

Algorithm 1: Insert(x)
    if bucket[i_1] or bucket[i_2] has an empty entry then
        add f to that bucket; return Done;
    i = randomly pick i_1 or i_2;
    for n = 0; n < MaxNumKicks; n++ do
        randomly select an entry e from bucket[i];
        swap f and the fingerprint stored in entry e;
        i = the alternative bucket of f;
        if bucket[i] has an empty entry then
            add f to bucket[i]; return Done;
    return False.

Complexity Assumptions
Decisional q-Bilinear Diffie-Hellman Exponent (q-DBDHE) Problem: Given the tuple $y_{a,\sigma} = (g, g^{\sigma}, g^{a}, g^{a^2}, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$ in the group $G$, where $a, \sigma \in \mathbb{Z}_p$ are chosen at random, the q-DBDHE problem is to distinguish $e(g^{a^{q+1}}, g^{\sigma}) \in G_T$ from a random element $R \in G_T$.
The advantage of $\mathcal{A}$ in solving the q-DBDHE problem is defined as the absolute difference between the probabilities that $\mathcal{A}$ outputs 0 when given $T = e(g^{a^{q+1}}, g^{\sigma})$ and when given $T = R$. q-DBDHE Assumption: There is no known polynomial-time algorithm $\mathcal{A}$ that solves the q-DBDHE problem with advantage at least $\varepsilon$.
Computational q-Diffie-Hellman Exponent (q-CDHE) Problem: Given the tuple $y_a = (g, g^{a}, g^{a^2}, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$ in the group $G$, where $a \in \mathbb{Z}_p$ is chosen at random, the q-CDHE problem is to compute $g^{a^{q+1}}$.
The advantage of $\mathcal{A}$ in solving the q-CDHE problem is defined as the probability that $\mathcal{A}$ outputs $g^{a^{q+1}}$. q-CDHE Assumption: There is no known polynomial-time algorithm $\mathcal{A}$ that solves the q-CDHE problem with advantage at least $\varepsilon$.

Model
In this section, we first give the typical structure of the EHR system model and the specific working stages of the proposed PPAC scheme for the EHR system model. Then, we define a CP-ABSC scheme and its security model, which is the basic method to implement the proposed PPAC scheme.

System Model
A typical structure of the EHR system model is shown in Figure 3. The EHR system comprises four entities: the attribute authority (AA), EHR owners, EHR users and cloud servers.

• AA is a trusted party that is responsible for generating and distributing the public parameters and private keys for the users; it selects attributes from the attribute space and assigns them to users with different rights.
• EHR owner is the EHR data provider (such as a patient) who formulates the access policy, signcrypts his/her own EHR data and uploads the ciphertext to the cloud servers.
• EHR user is the EHR data receiver (such as a doctor or nurse) who can download the ciphertext from the cloud servers and unsigncrypt it.
• Cloud servers are in charge of storing the ciphertext data sent by the EHR owner and granting access rights to EHR users.

On the basis of the above EHR system model, this paper designs a new PPAC scheme for the EHR system, which includes the following four phases.

• System initialization phase: AA generates the master key and the public system parameters for the EHR system, and then publishes the system parameters to all users (EHR owners and EHR users).
• User registration phase: The users submit a registration application to AA. AA verifies the legitimacy of the user's identity according to the attributes the user owns and distributes the corresponding private key to the user.
• EHR signcrypt phase: An EHR owner signcrypts the EHR data (such as personal information and medical records) under the access policy, hides the access policy with the cuckoo filter and uploads the ciphertext to the cloud servers for data sharing.
• EHR access phase: An EHR user submits a data access request to the cloud servers, downloads the ciphertext and unsigncrypts it to obtain the original message if and only if the EHR user's attribute set satisfies the access policy.

Security Model
The CP-ABSC scheme is composed of the following five algorithms [23,29]:

Setup: Given a security parameter $k$, the system attribute set $S$ and the message universe $\mathcal{M}$, the algorithm outputs the master key $MSK$ and the system public parameters $PK$.

sExtract: Given $PK$, $MSK$ and a signing attribute set $A_s \subseteq S$, the algorithm outputs the corresponding signing private key $SK_{A_s}$.

dExtract: Given $PK$, $MSK$ and a decryption attribute set $A_d \subseteq S$, the algorithm outputs the corresponding decryption private key $SK_{A_d}$.

Signcrypt: Given $PK$, a message $m \in \mathcal{M}$, the signing private key $SK_{A_s}$ for $A_s$, an encryption access structure $W_e = (M_e, \rho_e)$, a signing access structure $W_s = (M_s, \rho_s)$ with $A_s \in W_s$, and the cuckoo filter, the algorithm outputs the ciphertext $CT$.

Unsigncrypt: Given $PK$, the ciphertext $CT$ and the decryption private key $SK_{A_d}$ for $A_d$, the algorithm first queries the corresponding attribute values through the cuckoo filter and reconstructs the access structure $W_e = (M_e, \rho_e)$, then outputs the message $m$ if $A_d \in W_e$. Otherwise, the algorithm returns $\bot$.
According to [23,32], the security of CP-ABSC must satisfy confidentiality and unforgeability. Confidentiality (indistinguishability against adaptive chosen ciphertext attack, IND-CCA2) for CP-ABSC is captured by the following interactive game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$.

Initialization: The adversary $\mathcal{A}$ chooses an encryption access structure $W_e^*$ for the encryption attribute set $A_d$, which will be used to compute the challenge ciphertext, and provides it to the challenger $\mathcal{C}$.

Setup: $\mathcal{C}$ executes the Setup algorithm. $\mathcal{C}$ keeps the master key $MSK$ secret and returns the public parameters $PK$ to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ adaptively issues a polynomially bounded number of the following queries.

• sExtract queries: Given a query on a signing attribute set $A_s$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $SK_{A_s}$ to $\mathcal{A}$.
• dExtract queries: Given a query on a decryption attribute set $A_d \notin W_e^*$, $\mathcal{C}$ executes the dExtract algorithm and returns the corresponding private key $SK_{A_d}$ to $\mathcal{A}$.
• Signcrypt queries: Given a query on a message $m \in \mathcal{M}$, a decryption attribute set $A_d$, a signing attribute set $A_s$, an encryption access structure $W_e$, a signing access structure $W_s$ and the cuckoo filter, $\mathcal{C}$ executes the sExtract algorithm to obtain the signing private key $SK_{A_s}$, then executes the Signcrypt algorithm to generate the ciphertext $CT$ and returns it to $\mathcal{A}$.
• Unsigncrypt queries: Given a query on a ciphertext $CT$, a decryption attribute set $A_d$ and a signing attribute set $A_s$, $\mathcal{C}$ first queries the cuckoo filter to determine which of the EHR user's attributes are present and reconstructs the access structure $W_e = (M_e, \rho_e)$. $\mathcal{C}$ executes the dExtract algorithm to obtain the decryption private key $SK_{A_d}$, then executes the Unsigncrypt algorithm to obtain the message $m$ and returns it to $\mathcal{A}$.

Challenge: After Phase 1, $\mathcal{A}$ outputs two equal-length messages $m_0^*, m_1^*$ and a signing access structure $W_s^*$. When the signing attribute set $A_s^* \in W_s^*$, $\mathcal{C}$ obtains $SK_{A_d^*}$ by running the dExtract algorithm. $\mathcal{C}$ randomly chooses $\theta \in \{0, 1\}$ and executes the Signcrypt algorithm to generate the ciphertext $CT^*$. Finally, $\mathcal{C}$ sends $CT^*$ to $\mathcal{A}$ as its challenge ciphertext.

Phase 2: $\mathcal{A}$ adaptively issues queries as in Phase 1, except for dExtract queries on any decryption attribute set $A_d \in W_e^*$ and Unsigncrypt queries on the challenge ciphertext $CT^*$ for any $A_d \in W_e^*$.

Guess: $\mathcal{A}$ outputs a guess bit $\theta' \in \{0, 1\}$. If $\theta' = \theta$, $\mathcal{A}$ wins the game. The advantage of $\mathcal{A}$ in winning the above game is defined as $\mathrm{Adv} = \left| \Pr[\theta' = \theta] - \frac{1}{2} \right|$.

Definition 1 (Confidentiality). A CP-ABSC scheme is IND-CCA2 secure if no polynomial-time adversary wins the above game with non-negligible advantage.
Unforgeability (existential unforgeability against adaptive chosen message attack, EUF-CMA) for CP-ABSC is captured by the following interactive game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$.

Initialization: The adversary $\mathcal{A}$ provides the challenge signing access structure $W_s^*$ to the challenger $\mathcal{C}$.

Setup: $\mathcal{C}$ executes the Setup algorithm. Then $\mathcal{C}$ keeps the master key $MSK$ secret and returns the public parameters $PK$ to $\mathcal{A}$.

Query phase: $\mathcal{A}$ adaptively performs a polynomially bounded number of queries.

• sExtract queries: Given a query on a signing attribute set $A_s \notin W_s^*$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $SK_{A_s}$ to $\mathcal{A}$.
• dExtract queries: Given a query on a decryption attribute set $A_d$, $\mathcal{C}$ executes the sExtract algorithm and returns the corresponding private key $SK_{A_d}$ to $\mathcal{A}$.
• Signcrypt queries: Same as the Signcrypt queries in the confidentiality game.
• Unsigncrypt queries: Same as the Unsigncrypt queries in the confidentiality game.

Forgery: $\mathcal{A}$ outputs a forged ciphertext $CT^*$ on $(m^*, W_s^*, W_e^*)$. $\mathcal{A}$ wins the game if $CT^*$ is valid and $\mathcal{A}$ never made a Signcrypt query on $(m^*, W_s^*, W_e^*)$. The advantage of $\mathcal{A}$ is defined as the probability that it wins the unforgeability game.

Definition 2 (Unforgeability). A CP-ABSC scheme is EUF-CMA secure if no polynomial-time adversary wins the above game with non-negligible advantage.

The Proposed Scheme
The construction of the PPAC scheme for the EHR system is based on a CP-ABSC scheme; the concrete CP-ABSC scheme is built on bilinear pairings and supports linear secret sharing schemes. Employing a cuckoo filter to hide the access policy protects the EHR owner's private information. The proposed scheme meets the requirements of PPAC: signcrypting the plaintext messages with the CP-ABSC mechanism provides confidentiality and unforgeability of the EHR data, while the use of the cuckoo filter achieves privacy preservation. Specifically, our proposed CP-ABSC scheme includes four phases: system initialization, user registration, EHR signcrypt and EHR access. The detailed steps are as follows.

System Initialization
AA generates the master key $MSK$ and the public parameters $PK$ for the EHR system by executing the Setup algorithm.
• Setup: Given the security parameter $k$, the message universe $\mathcal{M} = \{0, 1\}^*$ and the attribute set $S$, which includes the EHR owners' attributes and the EHR users' attributes, AA picks three collision-resistant cryptographic hash functions: Besides, AA chooses a one-way hash function $H_4 : \{0, 1\}^* \to \mathbb{Z}_p^*$, which is used to hash every $\rho(i)$, $i \in \{1, 2, \dots, l\}$, in the access policy $W = (M, \rho)$ associated with the EHR owners' attributes. Then AA randomly chooses $a, \alpha \in \mathbb{Z}_p^*$ and $\delta_1, \delta_2, y_0, y_1, \dots, y_l \in G$, and sets $Y = e(g, g)^{\alpha}$. For each attribute $x \in S$, AA samples $h_x \in G$.

User Registration Phase
According to the attributes of the EHR owner and the EHR user, AA generates the corresponding private keys by executing the sExtract and dExtract algorithms.
• sExtract: Given $PK$, $MSK$ and the signing attribute set $A_s \subseteq S$, AA randomly selects $r_s \in \mathbb{Z}_p^*$ and outputs the EHR owner's signing private key $SK_{A_s}$: $K_s = g^{\alpha} g^{a r_s}$, $L_s = g^{r_s}$, $\{K_{s,x} = h_x^{r_s}\}_{x \in A_s}$.
• dExtract: Given $PK$, $MSK$ and the decryption attribute set $A_d \subseteq S$, AA randomly picks $r_d \in \mathbb{Z}_p^*$ and outputs the EHR user's decryption private key $SK_{A_d}$:

EHR Signcrypt Phase
The EHR owner signcrypts his/her own EHR data and uses the cuckoo filter to hide the access policy $W$ associated with the attributes by executing the Signcrypt algorithm.
• Signcrypt: Given the message $m \in \mathcal{M}$, the signing private key $SK_{A_s}$, the encryption access policy $W_e = (M_e, \rho_e)$ and the signing access policy $W_s = (M_s, \rho_s)$ formulated by the EHR owner, the EHR owner performs the following steps.

- The EHR owner selects a vector $v = (\sigma, v_2, \dots, v_n) \in (\mathbb{Z}_p^*)^n$ and computes $\lambda_i = v \cdot M_i$ for $i = 1, 2, \dots, l$, where $M_i$ is the $i$'th row of the matrix $M$. The EHR owner also randomly chooses $\phi_i \in \mathbb{Z}_p$ and forms the vector $\phi = (-\phi_1, -\phi_2, \dots, -\phi_l)$ such that $\phi \cdot M_s = -\mathbf{1}_n$.
- The EHR owner picks $\xi \in \mathbb{Z}_p^*$ and computes
- The EHR owner uses the cuckoo filter to hide the access policy $W_e = (M_e, \rho_e)$. To derive the alternative position of an item from its fingerprint alone, partial-key cuckoo hashing [19] is used; this ensures that the EHR owner can insert new items into the cuckoo filter dynamically. For each valid attribute $a_i \in S$, where the attribute $a_i = \rho_e(i)$ is mapped from the $i$'th row of the access matrix $M$, let the item $x = a_i$. The EHR owner inserts each new item $x$ into the cuckoo filter dynamically using the insert operation of Algorithm 1 and thereby constructs the cuckoo filter data structure $CF$. Finally, the EHR owner uploads the ciphertext $CT$, consisting of the per-row components indexed by $[1, l]$ together with $S_1$, $S_2$ and $CF$, to the cloud server.

EHR Access Phase
In this phase, the EHR user downloads the ciphertext $CT$ from the cloud servers and then obtains the message $m$ by running the Unsigncrypt algorithm.
• Unsigncrypt: Given the ciphertext $CT$, the EHR user performs the following steps.
- Suppose that $S'$ is the attribute set of the EHR user. For every attribute $a_i \in S'$, let the item $y = a_i$. The EHR user first checks whether each attribute is in the access policy using the lookup operation of the cuckoo filter (Algorithm 2). If the item $y$ is found in the cuckoo filter, the attribute $a_i$ exists in the access policy. Finally, the EHR user generates the reconstructed attribute map $\rho_e(i) = a_i$ and obtains the access policy $W_e = (M_e, \rho_e)$.
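The cuckoo filter of Algorithms 1 and 2, and its use in the signcrypt phase (inserting each $\rho_e(i)$) and the access phase (looking up the user's own attributes), as an added example that is not the paper's code. It assumes SHA-256 as the one-way hash $H_4$, 8 buckets of 4 entries as in Figure 2, partial-key cuckoo hashing for the alternative bucket, and constructed attribute strings; the candidate-bucket formulas are the ones in [19], since the paper's own formulas are not reproduced on this page.

```python
import hashlib
import random

BUCKET_SIZE = 4    # entries per bucket, as in the Figure 2 table
MAX_KICKS = 500    # MaxNumKicks: bound on the relocation loop of Algorithm 1


def h4(data: bytes) -> int:
    """Stand-in for the paper's one-way hash H_4 (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class CuckooFilter:
    """Cuckoo filter with partial-key cuckoo hashing [19]: only fingerprints are
    stored, and the alternative bucket of a fingerprint f in bucket i is
    i XOR h4(f), so an evicted fingerprint can be relocated without the item."""

    def __init__(self, num_buckets: int = 8, fp_bits: int = 32):
        if num_buckets & (num_buckets - 1):
            raise ValueError("num_buckets must be a power of two so i XOR h(f) stays in range")
        self.m = num_buckets
        self.fp_mask = (1 << fp_bits) - 1
        self.buckets = [[] for _ in range(num_buckets)]

    def _fingerprint(self, item: bytes) -> int:
        f = h4(b"fingerprint|" + item) & self.fp_mask
        return f if f else 1            # reserve 0 so it never reads as "empty"

    def _alt(self, i: int, f: int) -> int:
        # alt(alt(i, f), f) == i: both candidates follow from (bucket, fingerprint)
        return i ^ (h4(f.to_bytes(8, "big")) % self.m)

    def _candidates(self, item: bytes):
        f = self._fingerprint(item)
        i1 = h4(item) % self.m
        return f, i1, self._alt(i1, f)

    def insert(self, item: bytes) -> bool:
        """Algorithm 1 (Insert)."""
        f, i1, i2 = self._candidates(item)
        for i in (i1, i2):
            if len(self.buckets[i]) < BUCKET_SIZE:
                self.buckets[i].append(f)
                return True
        i = random.choice((i1, i2))                        # both full: start kicking
        for _ in range(MAX_KICKS):
            e = random.randrange(BUCKET_SIZE)              # bucket i is full here
            f, self.buckets[i][e] = self.buckets[i][e], f  # swap f with entry e
            i = self._alt(i, f)                            # evicted f's other bucket
            if len(self.buckets[i]) < BUCKET_SIZE:
                self.buckets[i].append(f)
                return True
        return False                                       # table regarded as too full

    def lookup(self, item: bytes) -> bool:
        """Algorithm 2 (Lookup): true if the fingerprint sits in either candidate bucket."""
        f, i1, i2 = self._candidates(item)
        return f in self.buckets[i1] or f in self.buckets[i2]

    def delete(self, item: bytes) -> bool:
        f, i1, i2 = self._candidates(item)
        for i in (i1, i2):
            if f in self.buckets[i]:
                self.buckets[i].remove(f)
                return True
        return False


def hide_policy(policy_attributes):
    """EHR signcrypt phase: insert every attribute rho_e(i) of the policy; the
    resulting CF is uploaded in place of the plaintext attribute list."""
    cf = CuckooFilter()
    for a in policy_attributes:
        if not cf.insert(a.encode()):
            raise RuntimeError("cuckoo filter too full; rebuild with more buckets")
    return cf


def matching_attributes(cf, user_attributes):
    """EHR access phase: the user's attributes that the filter reports as present,
    i.e. the candidates for rebuilding rho_e. A positive answer for an absent
    attribute is a false positive, roughly 2*BUCKET_SIZE/2^fp_bits likely."""
    return [a for a in user_attributes if cf.lookup(a.encode())]


def fill_until_full(num_items):
    """Drive a small 8-bucket filter past its 32 entries to show insert returning False."""
    cf = CuckooFilter(num_buckets=8)
    return [cf.insert(f"attr-{k}".encode()) for k in range(num_items)]


if __name__ == "__main__":
    policy = ["role:doctor", "dept:cardiology", "hospital:H1"]   # constructed sample
    cf = hide_policy(policy)
    print(matching_attributes(cf, ["role:doctor", "role:nurse", "dept:cardiology"]))
```

The filter only ever holds fingerprints, so the uploaded $CF$ does not list the policy's attribute names; an EHR user learns which of his or her own attributes appear in the policy, and nothing about attributes he or she does not hold beyond the false-positive rate set by the fingerprint width. The `delete` operation is what the bloom filter lacks and what makes dynamic policy updates possible.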

Theorem 1.
Assuming there is the adversary A who is capable of breaking the IND-CCA2 security of CP-ABSC scheme with a non-negligible probability ε, then we we can construct an algorithm B that solves the q-DBDHE problem with the probability at least ε = ε − q us p , where q us is the maximum number of the Unsigncrypt queries issued by A.
Proof. The algorithm B receives an instance $y_{a,\sigma} = (g, g^{\sigma}, g^{a}, g^{a^2}, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$ of the q-DBDHE problem, where $g_i = g^{a^i}$, $a, \sigma \in \mathbb{Z}_p$ and $g$ is a generator of $G$. The goal of B is to decide whether $T = e(g,g)^{a^{q+1}\sigma}$ or $T = R$, where $R$ is a random element of $G_T$. If $T = e(g,g)^{a^{q+1}\sigma}$, B

Initialization: A submits the message space $\mathcal{M} = \{0,1\}^*$ and the challenge encryption access structure $W^*_e = (M^*_e, \rho^*_e)$ to B, where $M^*_e$ is an $l^* \times n^*$ matrix with the labeling function $\rho^*_e$. Let $M^*_i = (M^*_{i,1}, M^*_{i,2}, \dots, M^*_{i,n^*})$ be the $i$-th row of $M^*_e$.

Setup: B chooses a random $\alpha \in \mathbb{Z}_p^*$ and sets $\alpha' = \alpha + a^{q+1}$, so that $Y = e(g,g)^{\alpha'} = e(g^a, g^{a^q}) \cdot e(g,g)^{\alpha}$ can be computed without knowing $g^{a^{q+1}}$. B randomly chooses $\varsigma \in \mathbb{Z}_p^*$ and $\eta_0, \eta_1, \dots, \eta_l \in \mathbb{Z}_p^*$, and sets $C^* = g^{\sigma}$, $\mu^* = H_2(C^*)$, $\delta_1 = g_q^{1/\mu^*}$, $\delta_2 = g^{\varsigma} g_q^{-1}$, $y_0 = g^{\eta_0}, y_1 = g^{\eta_1}, \dots, y_l = g^{\eta_l}$. Finally, for each attribute $x \in S$, let $X$ denote the set of indices $i$ such that $\rho^*_e(i) = x$. If $X \neq \emptyset$, B selects a random $f_x \in \mathbb{Z}_p^*$ and defines $h_x = g^{f_x} \prod_{i \in X} g^{a M^*_{i,1}} g^{a^2 M^*_{i,2}} \cdots g^{a^{n^*} M^*_{i,n^*}}$. If $X = \emptyset$, then $h_x = g^{f_x}$.
B returns the public parameters $PK = \{S, M, H_1, \dots\}$.

Phase 1: A adaptively makes a number of queries as follows.
• sExtract queries: When A issues a query on the signing attribute set $A_s$, B randomly chooses $\hat r \in \mathbb{Z}_p^*$, sets $r_s = \hat r - a^q$ and computes $L_s = g^{\hat r} g_q^{-1}$, $K_s = g^{\alpha} g_1^{\hat r}$ and $K_{s,x} = h_x^{\hat r} g_q^{-f_x}$ for any $x \in A_s$. Then B returns the signing private key $SK_{A_s} = \{L_s, K_s, \{K_{s,x}\}_{x \in A_s}\}$ to A.
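As an added check that is not part of the original proof text, the simulated signing key can be verified against the implicit $r_s = \hat r - a^q$ using only the definitions above; the last line uses $h_x = g^{f_x}$, i.e. it applies to attributes $x$ whose index set $X$ is empty:

$$L_s = g^{\hat r} g_q^{-1} = g^{\hat r - a^q} = g^{r_s},$$

$$K_s = g^{\alpha} g_1^{\hat r} = g^{\alpha + a^{q+1}} \cdot g^{a\hat r - a^{q+1}} = g^{\alpha'} g^{a r_s},$$

$$K_{s,x} = h_x^{\hat r} g_q^{-f_x} = g^{f_x \hat r} \cdot g^{-f_x a^q} = (g^{f_x})^{\hat r - a^q} = h_x^{r_s}.$$

Every factor on the right-hand sides is built from $g^{\alpha}$, $g_1$, $g_q$ and $\hat r$, so B computes the key without $g^{a^{q+1}}$, which is exactly the term the q-DBDHE instance withholds.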

Phase 2:
A performs a series of queries as in Phase 1, except that A may not issue dExtract queries on any decryption attribute set $A_d \in W^*_e$, nor Unsigncrypt queries on the challenge ciphertext $CT^*$ for any $A_d \in W^*_e$.

Guess: A outputs a guess bit $\theta' \in \{0,1\}$. If $\theta' = \theta$, B outputs 1 ($T = e(g,g)^{a^{q+1}\sigma}$); otherwise B outputs 0 ($T = R$).
B cannot continue the simulation and aborts the game when a ciphertext with $C = C^*$ is submitted in an Unsigncrypt query; the probability of this abort event is at most $q_{us}/p$. If B does not abort and $T = e(g,g)^{a^{q+1}\sigma}$, A guesses correctly with probability at least $\frac{1}{2} + \varepsilon - \frac{q_{us}}{p}$. If $T = R$, A obtains no information about $m^*_\theta$, so its guess is correct with probability exactly $\frac{1}{2}$. Therefore the advantage of B in solving the q-DBDHE problem is at least $\varepsilon' = \left|\Pr[B(y, T = e(g,g)^{a^{q+1}\sigma}) = 1] - \Pr[B(y, T = R) = 1]\right| \geq \varepsilon - \frac{q_{us}}{p}$.

Theorem 2.
Assuming there is an adversary A who can break the EUF-CMA security of the CP-ABSC scheme with non-negligible probability $\varepsilon$, we can construct an algorithm B that solves the q-CDHE problem with probability $\varepsilon' = \varepsilon / (k(l+1))$, where $k$ is the security parameter and $l$ is the output length of the hash function $H_1$.
Proof. B receives an instance $y_a = (g, g^{a}, g^{a^2}, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$ of the q-CDHE problem, where $a \in \mathbb{Z}_p$, $g$ is a generator of $G$ and $g_i = g^{a^i}$. The goal of the algorithm B is to compute $g^{a^{q+1}}$.

Initialization: A submits the challenge signing access policy $W^*_s = (M^*_s, \rho^*_s)$ to B, where $M^*_s$ is an $l^* \times n^*$ matrix with the labeling function $\rho^*_s$. Let $M^*_i = (M^*_{i,1}, M^*_{i,2}, \dots, M^*_{i,n^*})$ be the $i$-th row of $M^*_s$.

Setup: B randomly picks $\alpha, d, d' \in \mathbb{Z}_p^*$ and defines $\alpha' = \alpha + a^{q+1}$, $Y = e(g,g)^{\alpha'} = e(g^a, g^{a^q}) \cdot e(g,g)^{\alpha}$, $\delta_1 = g^{d}$ and $\delta_2 = g^{d'}$. B randomly chooses $(z_0, z_1, \dots, z_l) \in \mathbb{Z}_p^{l+1}$ and sets $\eta = k$ with $\eta(l+1) < p$, where $k$ is the security parameter. B also randomly selects $0 \le \pi \le l$ and $(b_0, b_1, \dots, b_l) \in \mathbb{Z}_\eta^{l+1}$, and sets $y_0 = g_q^{p - \eta\pi + b_0}$ and $y_i = g_q^{b_i} g^{z_i}$ for all $i \in [1, l]$. For each vector $j = (j_1, j_2, \dots, j_l) \in \{0,1\}^l$, B defines the functions $F(j)$ and $F_1(j)$. It can be seen that if $F(j) = 1$, then $F_1(j) = 0 \bmod p$. Finally, for each attribute $x \in S$, let $X$ denote the set of indices $i$ such that $\rho^*_s(i) = x$. If $X \neq \emptyset$, B selects a random $f_x \in \mathbb{Z}_p^*$ and defines $h_x = g^{f_x} \prod_{i \in X} g^{a M^*_{i,1}} g^{a^2 M^*_{i,2}} \cdots g^{a^{n^*} M^*_{i,n^*}}$. If $X = \emptyset$, then $h_x = g^{f_x}$. B returns the public parameters $PK = \{S, M, H_1, \dots\}$.

Query phase: A adaptively performs a polynomially bounded number of queries as follows.
• sExtract queries: When A issues a query on the signing attribute set $A_s$ with $A_s \notin W^*_s$, B randomly selects $\hat r \in \mathbb{Z}_p^*$ and computes a vector $\gamma = (\gamma_1, \gamma_2, \dots, \gamma_{n^*}) \in \mathbb{Z}_p^{n^*}$ with $\gamma_1 = -1$ such that $\gamma \cdot M^*_i = 0$ for all $i$ with $\rho^*_s(i) \in A_s$ (such a vector exists precisely because $A_s$ does not satisfy the LSSS policy $W^*_s$). B implicitly defines $r_s = \hat r + \gamma_1 a^q + \gamma_2 a^{q-1} + \cdots + \gamma_{n^*} a^{q-n^*+1}$ and computes $L_s = g^{r_s} = g^{\hat r} \prod_{i=1}^{n^*} g_{q-i+1}^{\gamma_i}$ together with the remaining key components. Then B returns the signing key $SK_{A_s} = \{L_s, K_s, \{K_{s,x}\}_{x \in A_s}\}$ to A.
Correctness:
• dExtract queries: When A issues a query on the decryption attribute set $A_d$, B randomly picks $\hat r \in \mathbb{Z}_p^*$, sets $r_d = \hat r - a^q$ and computes $L_d = g^{\hat r} g_q^{-1}$, $K_d = g^{\alpha} g_1^{\hat r}$ and $K_{d,x}$ for any $x \in A_d$. Then B returns the decryption private key $SK_{A_d} = \{L_d, K_d, \{K_{d,x}\}_{x \in A_d}\}$ to A.

Correctness:
$L_d = g^{\hat r} g_q^{-1} = g^{\hat r} g^{-a^q} = g^{r_d}$, $\quad K_d = g^{\alpha} g_1^{\hat r} = g^{\alpha} g_{q+1} g_1^{\hat r} g_{q+1}^{-1} = g^{\alpha + a^{q+1}} g^{a\hat r - a^{q+1}} = g^{\alpha'} g^{a r_d}$.
• Signcrypt queries: When A issues a query on $(m, W_e, W_s, A_d, A_s)$ and the cuckoo filter:
- If $A_s \notin W^*_s$, B obtains the private key $SK_{A_s}$ by running the sExtract query, generates the ciphertext $CT$ by executing the Signcrypt algorithm and returns it to A.
The forgery $CT^*$ output by A must satisfy the following conditions: 1. since $A^*_d \in W^*_e$, the Unsigncrypt algorithm outputs $m^* \neq \bot$; 2. A never issued a Signcrypt query on $(m^*, W^*_e, W^*_s)$.
B now solves the q-CDHE problem as follows.

Performance Analysis
The functionality, computation and communication costs of the proposed CP-ABSC scheme are evaluated in this section. We also compare them with other related schemes [20][21][22][23].

Functionality Comparison
The functionality comparisons between the proposed CP-ABSC scheme and the related schemes [20][21][22][23] are presented in Table 1. Let MC denote message confidentiality, CU ciphertext unforgeability, CPA chosen-plaintext attack, CCA chosen-ciphertext attack, CMA chosen-message attack, ROM the random oracle model and SM the standard model. Table 1 shows that only the scheme [22] adopts a threshold policy as its access policy, which supports only simple predicates. The schemes [20,21] support monotone tree policies, which can be transformed into LSSS access policies, but constructing this type of access structure is quite complicated. The scheme [23] and our scheme support the LSSS access structure directly, which has the simpler construction process. In addition, our scheme and the schemes [21,23] satisfy public verifiability. All schemes except [20] achieve CCA security and CMA security in the standard model. In particular, none of the schemes [20][21][22][23] provides privacy preservation; only our scheme protects the personal privacy of EHR owners by hiding the access policy.

Computation Cost
We analyze the computation cost of the proposed CP-ABSC scheme and compare it with that of the related schemes [20][21][22][23]. For the estimation we define the following time costs for the cryptographic operations used in all schemes: let $T_p$ be the time to perform a pairing, $T_m$ the time to perform a scalar multiplication in $G$, and $T_{mt}$ the time to perform a scalar multiplication in $G_T$. Other lightweight operations (arithmetic in $\mathbb{Z}_p$, one-way hash functions, and hence the cuckoo filter insert and lookup, which consist of hashing and comparisons) are not taken into account.
To achieve an 80-bit security level, we adopt the symmetric bilinear pairing $e: G \times G \to G_T$, where $G$ is a multiplicative cyclic group of order $p$ and $p$ is a 512-bit prime. The simulation experiment is based on the C++ Pairing-Based Cryptography (PBC) library MIRACL and runs on an Intel Core i5-4590 3.3 GHz CPU with 8 GB of memory under Windows 7.
We execute the experiment on a common PC; in a practical cloud environment such as the EC2 cloud computing service [49] it would run faster. The average execution times of $T_p$, $T_m$ and $T_{mt}$ are listed in Table 2; the totals below use $T_m = 3.777$ ms, $T_{mt} = 0.9243$ ms and $T_p = 9.0791$ ms. The numbers of operations in the schemes [20][21][22][23] and the proposed scheme are compared in Table 3.
In terms of the Signcrypt phase, for $l$ attributes, Wang et al.'s scheme [20] requires $(4l+3)$ scalar multiplications in $G$, two scalar multiplications in $G_T$ and one pairing, so its total signcryption time is $15.108l + 22.2587$ ms. Emura et al.'s scheme [21] requires $(6l+2)$ scalar multiplications in $G$ and one in $G_T$, giving $22.662l + 8.4783$ ms. Hu et al.'s scheme [22] requires $(4l+2)$ scalar multiplications in $G$ and one in $G_T$, giving $15.108l + 8.4783$ ms. Rao et al.'s scheme [23] requires $(5l+7)$ scalar multiplications in $G$ and one in $G_T$, giving $18.885l + 27.3633$ ms. The proposed scheme requires $(2l+6)$ scalar multiplications in $G$ and one in $G_T$, giving $7.554l + 23.5863$ ms.
In terms of the Unsigncrypt phase, for $l$ attributes, Wang et al.'s scheme [20] needs $(2l+1)$ scalar multiplications in $G_T$ and $(4l+4)$ pairings, so its total unsigncryption time is $38.165l + 37.2407$ ms. Emura et al.'s scheme [21] needs $(6l+3)$ pairings, giving $54.4746l + 27.2373$ ms. Hu et al.'s scheme [22] needs $2l$ scalar multiplications in $G_T$ and $5l$ pairings, giving $47.2441l$ ms. Rao et al.'s scheme [23] needs $(3l+2)$ scalar multiplications in $G$ and $(l+5)$ pairings, giving $20.4101l + 52.9495$ ms. The proposed scheme needs four scalar multiplications in $G$, $l$ scalar multiplications in $G_T$ and $(2l+4)$ pairings, giving $19.0825l + 51.4244$ ms. Figures 4 and 5 illustrate the computation cost of the Signcrypt and Unsigncrypt phases as the number of attributes $l$ grows.

[Figure 4: Signcrypt cost (ms) versus number of attributes, for [20], [21], [22], [23] and the proposed scheme.]
[Figure 5: Unsigncrypt cost (ms) versus number of attributes, for [20], [21], [22], [23] and the proposed scheme.]

In both phases the computation cost rises linearly with the number of attributes in all schemes, and the proposed scheme has the lowest slope: 7.554 ms per attribute in Signcrypt against 15.108 ms for the closest competitors [20,22], and 19.0825 ms per attribute in Unsigncrypt against 20.4101 ms for [23].
Figures 4 and 5 therefore show that the proposed scheme achieves the lowest computation cost as the number of attributes increases; hiding the policy with the cuckoo filter adds no pairing or group operation, only hashing and comparisons, which this model does not count. Hence the proposed CP-ABSC scheme is efficient in both the Signcrypt and Unsigncrypt phases compared with the previous schemes [20][21][22][23].

Communication Cost
We compare the communication cost of the proposed CP-ABSC scheme with that of the related schemes [20][21][22][23]. Let $l$ be the number of attributes, $|G|$ the length of an element of $G$ and $|G_T|$ the length of an element of $G_T$. Since $p$ is 512 bits (64 bytes), an element of $G$ is 512 bits (64 bytes) and an element of $G_T$ is 3072 bits (384 bytes). We also count the cuckoo filter: it stores, per attribute, one fingerprint taken from a one-way hash function with 160-bit (20-byte) output. When the number of the EHR owner's attributes is $l$, the communication costs of the schemes are listed in Table 4.

Table 4. Communication cost for $l$ attributes.

Scheme                Ciphertext size
[20]                  256l + 576 bytes
[21]                  192l + 512 bytes
[22]                  128l + 576 bytes
[23]                  128l + 640 bytes
The proposed scheme   84l + 640 bytes

Wang et al.'s scheme [20] transmits $(4l+3)$ elements of $G$ and one element of $G_T$, so its total communication cost is $256l + 576$ bytes. Emura et al.'s scheme [21] transmits $(3l+2)$ elements of $G$ and one of $G_T$, giving $192l + 512$ bytes. Hu et al.'s scheme [22] transmits $(2l+3)$ elements of $G$ and one of $G_T$, giving $128l + 576$ bytes. Rao et al.'s scheme [23] transmits $(2l+4)$ elements of $G$ and one of $G_T$, giving $128l + 640$ bytes. The proposed scheme transmits $(l+4)$ elements of $G$, one element of $G_T$ and $l$ 20-byte cuckoo filter fingerprints, giving $64l + 256 + 384 + 20l = 84l + 640$ bytes. Figure 6 shows the communication cost against the number of attributes.

[Figure 6: Communication cost (bytes) versus number of attributes, for [20], [21], [22], [23] and the proposed scheme.]

In all schemes the ciphertext size grows linearly with the number of attributes, and the proposed scheme's cost is the lowest. For $l = 30$ attributes, the ciphertext sizes of [20], [21], [22], [23] and the proposed scheme are 8256, 6272, 4416, 4480 and 3160 bytes respectively, so the proposed scheme saves 61.7%, 49.6%, 28.4% and 29.5% of the bandwidth compared with [20], [21], [22] and [23].
Although the cuckoo filter used to hide the access policy adds 20 bytes per attribute, the total ciphertext remains smaller than in every compared scheme, so our scheme has the best communication cost of the five.
In summary, the proposed CP-ABSC scheme achieves low computation and communication costs and is therefore well suited to the EHR system.

Conclusions
The proposed scheme provides secure access control of the EHR data and prevents the personal privacy information of EHR owners from being leaked through the LSSS access policy. We show that the proposed scheme is provably secure in the standard model under the q-DBDHE and q-CDHE assumptions. The detailed performance analysis indicates that the proposed scheme has lower computation costs and communication overheads than the related schemes. In addition, the proposed scheme protects the EHR owners' sensitive privacy information and is well suited to the EHR system. In future work we would like to design a secure and efficient PPAC scheme without bilinear pairings for the EHR system.
Author Contributions: Y.M. and T.Z. conceived of the work, designed the concrete scheme and wrote the paper.