Lightweight Fine-Grained Access Control for Wireless Body Area Networks

Abstract

Wireless Body Area Network (WBAN) is a highly promising technology enabling health providers to remotely monitor vital parameters of patients via tiny wearable and implantable sensors. In a WBAN, medical data is collected by several tiny sensors and usually transmitted to a server-side (e.g., a cloud service provider) for long-term storage and online/offline processing. However, as the health data includes several sensitive information, providing confidentiality and fine-grained access control is necessary to preserve the privacy of patients. In this paper, we design an attribute-based encryption (ABE) scheme with lightweight encryption and decryption mechanisms. Our scheme enables tiny sensors to encrypt the collected data under an access control policy by performing very few computational operations. Also, the computational overhead on the users in the decryption phase is lightweight, and most of the operations are performed by the cloud server. In comparison with some excellent ABE schemes, our encryption mechanism is more than 100 times faster, and the communication overhead in our scheme decreases significantly. We provide the security definition for the new primitive and prove its security in the standard model and under the hardness assumption of the decisional bilinear Diffie-Hellman (DBDH) problem.

1. Introduction

Nowadays, because of several improvements in public health, nourishment, and medicine, the aging population around the world has been quickly increasing. For instance, in the United States, the population of people over the age of 65 is predicted to double by 2040 [1]. Also, in the People’s Republic of China, it is predicted that the number of people aged over 60 will be doubled by 2040 [2]. These estimates show that increasing the number of elderly people with various health problems may significantly increase healthcare costs in the near future [3,4,5]. Therefore, the current healthcare system may not be able to respond to the patients’ requests in the coming years [4,6].

With the rapid development of medical sensors and wireless communications [7], wireless body area networks (WBANs) are under rapid development. WBANs have significant potential for improving the current health system. As we have shown in Figure 1, a WBAN consists of several implantable or wearable sensors and a controller. The responsibility of the sensors is to monitor the vital parameters of a patient (e.g., breathing rate, blood pressure, diabetes, and asthma) as well as measuring the environmental parameters such as humidity and temperature. The sensors collect health data files and encrypt them. Then, they transfer the generated ciphertext to the collector. The controller working as a gateway transfers the gathered health data to a cloud service provider. WBANs can significantly raise the efficiency of healthcare services as individuals do not need to visit the hospital anymore. Thus, WBANs play an important role in affording highly reliable ubiquitous healthcare services. However, as in the cloud-based WBANs the health data are outsourced to a third-party cloud server, some security concerns over fine-grained access control and data confidentiality are raised. Moreover, as tiny sensors in WBANs usually have limited computational and power resources, providing a secure lightweight encryption mechanism is another challenge in this scenario.

Attribute-based encryption (ABE) [8,9] is a promising tool to afford confidentiality and fine-grained access control simultaneously. Generally, ABE schemes can be divided into three categories key-policy ABE (KP-ABE) [10], ciphertext-policy ABE (CP-ABE) [11], and dual-policy ABE (DP-ABE) [12]. In a KP-ABE, a data user’s secret-key is associated with an access control policy which is defined by a central authority, and each ciphertext is labeled by a set of attributes. A data user can decrypt a ciphertext if the access policy associated with its secret-key is satisfied by the attribute set associated with the ciphertext. Also, in a CP-ABE, a data user’s secret-key is associated with the data user’s attributes, and ciphertexts are associated with an access control policy. The secret-key of a data user can decrypt a ciphertext only if the attribute set of the data user satisfies the access policy associated with the ciphertext. In a DP-ABE scheme, secret-key of a data user corresponds to both an access control policy defined by the central authority and the data user’s attributes. Each ciphertext also is associated with both an access control policy defined by a data owner and a set of attributes. A data user can decrypt a ciphertext if and only if the access control policy embedded in the ciphertext is satisfied by attributes of the data user, and attributes of the ciphertext satisfy the data user’s access policy. It seems that CP-ABE is more comfortable for both data owners and data users.

However, to the best of the authors’ knowledge, current ABE schemes suffer from expensive computational operations in the encryption phase. Therefore, since the sensors have limited computational and power resources, existing ABE schemes are not appropriate for providing fine-grained access control in WBANs. To address this problem, in this paper, we design a lightweight fine-grained access control scheme called LW-FGAC which is able to offer lightweight encryption and decryption mechanisms. Our main contributions are given below:

• Lightweight encryption mechanism: Our proposed encryption mechanism is very efficient. In fact, in contrast with existing schemes, in our encryption scheme, the number of expensive operations performed by data owners (smart devices in the WBAN) does not depend on the number of attributes in the access control policy, and almost all the computational operations are offloaded onto the cloud service provider. As we will see, our encryption approach is more than 100 times faster than some excellent schemes in the literature.
• Lightweight communication overhead: In LW-FGAC, in comparison with the existing work, the communication overhead from a data owner to the cloud server is very few. Indeed, in LW-FGAC, lightweight partial ciphertexts are uploaded to the cloud server instead of ciphertexts with huge size.
• Lightweight decryption mechanism: Similar to the encryption phase, in the decryption phase, heavy computational operations can be outsourced to the CSP such that the CSP learns no partial information about data users’ secret-keys and also the underlying data files.
• Security definition and security proof: We formalize the system model and the security definition for the new primitive. Also, we prove the security of the scheme under the hardness assumption of the DBDH problem in the standard model.

2. Related Work

Cao et al. presented a thorough survey on WBANs [13]. Their work surveyed several basic WBAN research projects and enabling technologies. It also explored application scenarios, radio systems, smart devices, and the interconnection of WBANs to afford perspective on the trade-offs between data rate, power consumption, and network coverage. Li et al. [14] introduced an anonymous key agreement and mutual authentication scheme for WBANs. Their work enables the sensor nodes attached to patients’ bodies to authenticate with the local server and establish a session key in an unlinkable and anonymous way. Chen et al. presented a detailed review of body area networks and their related issues [15]. They provided a comprehensive investigation of sensor devices, data link layer, physical layer, and radio technology aspects of WBANs. They also introduced some of the design challenges and open problems in this area. Zhang et al. [16] designed an efficient key agreement mechanism for WBANs. Their scheme enables neighboring nodes in WBANs to share a common key established by electrocardiogram (ECG) signals. Their proposed key agreement scheme can secure data communications over WBANs in a plug-n-play manner with no key distribution overhead. He et al. [17] introduced the security and performance challenges related to sensor networks for wireless medical monitoring. They also proposed an attack-resistant and lightweight trust management scheme. Zhou et al. [18] presented several fundamental and sophisticated cyberattacks to wireless sensors networks and introduced some substantial and promising solutions to satisfy the requirements. Ghamari et al. [19] presented a survey on WBANs for health care systems. They compared some current low-power communication technologies supporting the quick advancement and deployment of WBANs. Zhou et al. [20] proposed a privacy-preserving key management system for cloud-based WBANs in m-healthcare social networks. Their proposed scheme protects the patient’s identity privacy, location privacy, and sensor deployment privacy by employing a blinding technique and embedding the human body’s symmetric structure into the Blom’s symmetric-key mechanism with a modified secret sharing technique. Liu et al. [21] designed a medium access control for WBANs. In their work, by employing the Nash Bargaining Solution (NBS), they proposed a cooperative game-theoretic method providing priority-based tuning and maintaining the fairness axioms of game theory. Shen et al. [22] proposed a lightweight multi-layer authentication protocol for WBANs. In their work, using the ECC algorithm, they designed a one-to-many group authentication mechanism and a group key establishment algorithm between personal digital assistants and the other sensor nodes. They also designed a certificateless authentication mechanism without pairing. Whereas, it is known that access control is a major problem in WBANs [23], the mentioned schemes did not consider this problem.

ABE is a promising solution to the access control problem. The notion of ABE was first proposed by Sahai and Waters [8]. In their proposed scheme, a data owner can determine the authorized user to access its data by specifying an attribute set and a threshold value d. Each data user that has at least d common attributes with the specified set can access the outsourced data. After proposing ABE schemes, three schemes [12,24,25] divided ABE schemes into three categories key-policy ABE (KP-ABE), ciphertext-policy ABE (CP-ABE), and dual-policy ABE (DP-ABE), respectively. Zhou et al. [26] designed a constant size CP-ABE. In their work, the size of ciphertexts is not sensitive to the number of attributes in access control policies. This feature significantly reduces the storage and communication overhead of the system. Guo et al. [27] designed a lightweight CP-ABE scheme with a constant secret-key size [28]. In their scheme, the length of a user’s secret-key does not depend on the number of the user’s attributes. Chen et al. [29] proposed an attribute-based scheme with short ciphertexts and signatures. Their proposed scheme has adaptive security in the standard model. However, none of the schemes presented in [26,28,29] provide a flexible access structure. Indeed, the schemes presented in [26,28] only supports the And-gates access control policy, and [29] only provides the threshold access control policy. Yao et al. [30], designed a KP-ABE scheme for IoT applications. Their work supports access trees as access control policies. Also, in their work, by using the ECC algorithm, the communication and storage overhead is reduced significantly. He et al. [31] proposed an ABE scheme for mobile cloud-assisted cyber-physical systems. In their work, by eliminating pairing operations, they tried to lighten the encryption and decryption overhead. However, several expensive operations still remain. So, it seems that their scheme is not suitable for WBANs. Moreover, none of the mentioned ABE schemes provide lightweight encryption and decryption mechanisms which is not desirable for WBANs. To address this issue, several lightweight ABE schemes have been put forward. Yang et al. [32,33] designed lightweight access control systems for healthcare IoT networks. Their scheme provides a lightweight decryption mechanism and supports access trees as access control policies. Also, their schemes have adaptive security in the standard model. Xu et al. [34] proposed a lightweight DP-ABE for healthcare IoT systems. Their work offers a lightweight decryption system, and it is provably secure in the selective model. Lin et al. [35] proposed CP-ABE with a lightweight decryption mechanism by using an outsourcing technique. Lai et al. [36] put forward a CP-ABE scheme with verifiable outsourced decryption. Their work also provides a lightweight decryption approach and is provable in the adaptive model. However, none of the mentioned ABE schemes provide a lightweight encryption mechanism. Indeed, in these schemes, the computational operations on the user’s side in the encryption phase is very expensive. This feature definitely makes such schemes inappropriate for WBANs.

Table 1. Comparison of Properties in Different ABE Schemes.

Schemes	KP/CP/DP-ABE	Lightweight	Flexible	Lightweight	Security Model
		Encryption Mechanism	Access Control	Decryption Mechanism
[8]	ABE	No	No	No	Selective
[12]	DP-ABE	No	Yes	No	Selective
[24]	KP-ABE	No	Yes	No	Selective
[25]	CP-ABE	No	Yes	No	Selective
[26]	CP-ABE	No	No	No	Selective
[27]	CP-ABE	No	No	No	Selective
[28]	KP/CP-ABE	No	No	No	Adaptive
[29]	CP-ABE	No	Yes	No	Adaptive
[30]	KP-ABE	No	Yes	No	Selective
[31]	CP-ABE	No	Yes	No	Selective
[32]	CP-ABE	No	Yes	Yes	Adaptive
[33]	CP-ABE	No	Yes	Yes	Adaptive
[34]	DP-ABE	No	Yes	Yes	Selective
[35]	CP-ABE	No	Yes	Yes	Selective
[36]	CP-ABE	No	Yes	Yes	Adaptive
LW-FGAC	CP-ABE	Yes	Yes	Yes	Adaptive

compares the features of the mentioned ABE schemes with our proposed LW-FGAC. As we see, LW-FGAC is the only one providing a lightweight encryption approach. Also, we see that LW-FGAC is the only scheme that simultaneously meets all the features given in the table. We refer the reader to [37,38,39,40,41,42,43,44], to see more references related to attribute-based systems and wireless sensor networks.

3. System Architecture

In this section, we present the architecture of our proposed health system. We first describe the system model, and then we present the threat model of our system.

3.1. System Model

As we have shown in Figure 2, our proposed system consists of four generic entities Healthcare Authority (HA), the Cloud Service Provider (CSP), several data owners, and several data users. In below, we describe the mentioned four entities:

• HA: This entity is responsible for initializing the health system and also generating secret-keys of data owners and data users according to their attributes.
• CSP: The CSP has almost unlimited computational and storage resources. Its primary responsibility is to provide storage and computational services. When data owners want to encrypt their collected data, they can outsource most of the computational operations of the encryption phase to the CSP. Moreover, data users can also use the CSP’s computational services. When a data user retrieves an encrypted health data, the CSP can help it to recover the associated data by performing most of the heavy computations of the decryption phase without learning any partial information about the underlying health data.
• Data owner: Data owners modeling the tiny wireless sensors attached to bodies of patients and employed to monitor the patients’ vital physiological parameters such as blood pressure, heart rate, diabetes, asthma, and etc. The health data collected by data owners first is encrypted under an access control policy and then transferred to a smart device. Finally, the health data are outsourced to the CSP for online/offline analyzing and long-term storage.
• Data owner: Data owners modeling smart devices that collect the health data from patients’ bodies and transfer the data to the CSP. The smart devices can be categorized into two following groups:
  • Implanted and wearable sensors: These sensors usually embedded on the surface of a patient’s body or implanted in the deep tissue of a human body. Their main responsibility is to monitor the patients’ vital physiological parameters such as blood pressure, heart rate, diabetes, asthma, and etc. After collecting the health data, the sensors first partially encrypt the data under a predetermined access control policy. Then, the partially encrypted data are transferred to the data collector. Note that as the sensors usually have limited computational and power resources, the partial encryption process should be adequate sufficient and does not include costly operations.
  • Data collector: A data collector could be the WBAN’s controller or a mobile device like a tablet or a smartphone. Its main responsibility is to transfer the collected partially encrypted health data to the CSP for completing the encryption process, long-term storage, and online/offline analyzing.
• Data user: Data users model health service providers such as hospitals, doctors, medical clinics, etc. They can be specified by a set of descriptive attributes. Each data user should obtain a secret-key corresponding to its attribute set. Its secret-key can decrypt an outsourced encrypted health data only if the attribute set associated with the secret-key satisfies the access control policy associated with the ciphertext.

In the following, we give an overview of our proposed LW-FGAC. As shown in Figure 3, our proposed scheme consists of four phases Systeminitialization, Key delegation, Data encryption, and Decryption described below:

• System initialization: This phase is managed by the HA. In this phase, the HA generates the public parameters and the master secret-key of the system. It publishes the public parameters to the other parties and keeps the master secret-key confidential by itself.
• Key delegation: This phase is operated by the HA. In this phase, public-key and secret-key of data owners as well as secret-keys of data users associated with their attributes are issued. Each data owner should ask the HA to generate its public-key and secret-key. The generated secret-key is given to the data owner, and the public-key is outsourced to the CSP. Also, in this phase, each data user possessing an attribute set can request its secret-key corresponding to the attribute set from the HA. The HA first checks if the data user has the attributes or not. If so, it provides the data user with an attribute secret-key.
• Data encryption: This phase is executed by data owners and the CSP. When a data owner wants to outsource its collected health data to the CSP, to provide confidentiality and access control, it should define an access control policy and encrypt the health data under it. However, as the computational power of the data owner (implanted and wearable sensors) is assumed to be limited, the heavy computational operations should be offloaded onto the CSP. Using its secret-key, the data owner (implanted and wearable sensors) first performs some lightweight computations and generates a partial ciphertext. Then, the data owner (data collector) gives the partially encrypted data to the CSP, and the CSP completes the encryption procedure. In this phase, the CSP cannot learn any partial information about the underlying health data.
• Decryption: This phase is managed by the CSP and data users. When a data user is authorized for accessing an outsourced health data, using its secret-key obtained in the key delegation phase, it can make a decryption query to the CSP. The CSP performs heavy operations associated with the decryption phase without obtaining any information about the data user’s secret-key and also the associated health data. Afterward, the data user can recover the health data by performing some lightweight computational operations.

3.2. Threat Model

The HA is assumed to be trustworthy. It does not collude with data users and does not gives unauthorized secret-keys to them. Data owners also are assumed to be trusted. They do not reveal the contents of their data to the other parties and do not grant access rights to unauthorized data users. The CSP is assumed to be honest but curious entity. It always executes the given protocols correctly, but it is curious to learn some unauthorized information about the outsourced health data. To gain some information about the outsourced data files, it may collude with unauthorized data users. Data users are assumed to be malicious. Although they do not reveal the contents of health data files if they are authorized to access them, they may try to learn some unauthorized information about the other outsourced health data through colluding with the CSP and the other data users.

4. Preliminaries

For an arbitrary set S, let $x\leftarrow S$ denote the random selection of an element $x\in S$. Also, for algorithm $\mathcal{A}$, let $O\leftarrow \mathcal{A}\left(I\right)$ denote executing $\mathcal{A}$ on input I and outputting O. In the following, we present some related cryptographic notions.

4.1. Cryptographic Background

Bilinear map: Consider two cyclic groups $G_1$ and $G_2$ of a prime order q. A function $\widehat{e}:G_1\times G_1\to G_2$ is said to be a bilinear map if the following conditions hold:

• Bilinearity: $\widehat{e}(g^a,g^b)=\widehat{e}(g^b,g^a)=\widehat{e}{(g,g)}^{ab}$, For each $a,b\in {\mathbb{Z}}_q$ and $g\in G_1$,
• Non-degeneracy: There is a $g\in G_1$ such that $\widehat{e}(g,g)\ne 1$.
• Computability: There exists an efficient algorithm computing $\widehat{e}(g,h)$, for any $g,h\in G_1$.

Assume that $\mathcal{G}$ is a probabilistic polynomial-time (PPT) algorithm that $(\lambda ,q,G_1,G_2,\widehat{e})\leftarrow \mathcal{G}\left(1^{\lambda }\right)$, where $\lambda$ is the security parameter of the system and $(q,G_1,G_2,\widehat{e})$ is the same as before. In this work, we consider the following assumption called decisional bilinear Diffie Hellman (DBDH) on $\mathcal{G}$:

Decisional Bilinear Diffie Hellman assumption (DBDH): Consider $(\lambda ,q,G_1,G_2,\widehat{e})\leftarrow \mathcal{G}\left(1^{\lambda }\right)$, $g\leftarrow G_1$ and $\alpha ,\beta ,\gamma \leftarrow {\mathbb{Z}}_q$. The DBDH assumption states that for all PPT adversaries $\mathcal{A}$ there is a negligible function $negl$ such that

$$|\mathrm{Pr}(\mathcal{A}(\lambda ,q,g,g^{\alpha },g^{\beta },g^{\gamma },g^{\alpha \beta \gamma },G_1,G_2,\widehat{e})=1)-\mathrm{Pr}(\mathcal{A}(\lambda ,q,g,g^{\alpha },g^{\beta },g^{\gamma },g^z,G_1,G_2,\widehat{e})=1)|\le negl\left(\lambda \right),$$

(1)

where the above probabilities are taken over the random selection of $g\in G$ and $\alpha ,\beta ,\gamma ,z\in {\mathbb{Z}}_q$, and also the randomness employed in $\mathcal{G}$ and $\mathcal{A}$.

4.2. Access Trees

In an access tree, each leaf is associated with a unique attribute, and each inner node represents a threshold value. Also, the threshold value of each leaf node is assumed to be 1. Suppose that $\mathcal{T}$ is an access tree, $v_a$ is the leaf associated with an attribute a, $k_v$ is the threshold value associated with a node v in $\mathcal{T}$, $R_{\mathcal{T}}$ is the root node of $\mathcal{T}$, $L_{\mathcal{T}}$ is the leaf node set of $\mathcal{T}$, and ${\mathcal{T}}_v$ is a subtree of $\mathcal{T}$ rooted at a node v.

Let $\mathbb{U}$ be the universal attribute set, and $\mathcal{T}$ be an access tree on $\mathbb{U}$. For a given attribute set $Att\subseteq \mathbb{U}$ and a node v in $\mathcal{T}$, let $F_{{\mathcal{T}}_v}$ be a function mapping $Att$ to $\{0,1\}$ and performing as follows:

• When v is a leaf node corresponding to an attribute a, $F_{{\mathcal{T}}_v}\left(Att\right)=1$ if $a\in Att$, and 0 otherwise.
• When v is an inner node, $F_{{\mathcal{T}}_v}\left(Att\right)=1$ if and only if v has at least $k_v$ children $c_1,\dots ,c_{k_v}$ that $F_{{\mathcal{T}}_{c_i}}\left(Att\right)=1$, for any $i=1,\dots k_v$.

We say that an attribute set $Att$ satisfies an access tree $\mathcal{T}$ if $F_{{\mathcal{T}}_{R_{\mathcal{T}}}}\left(Att\right)=1$.

Suppose that q is a prime number, and $\mathcal{T}$ is an access tree. Consider an algorithm ${\left\{q_v\left(0\right)\right\}}_{v\in L_{\mathcal{T}}}\leftarrow {Share}_q(\mathcal{T},r)$ which shares a secret $r\in {\mathbb{Z}}_q$ according to $\mathcal{T}$ and q and performs as below:

• It generates a $(k_{R_{\mathcal{T}}}-1)$-degree polynomial $q_{R_{\mathcal{T}}}$ for $R_{\mathcal{T}}$ such that $q_{R_{\mathcal{T}}}\left(0\right)=r$, and its other coefficients are chosen uniformly at random from ${\mathbb{Z}}_q$.
• For each node v having a polynomial $q_v$, it generates a polynomial $q_{c_i}$ for the i-th child of v such that $q_{c_i}\left(0\right)=q_v\left(i\right)$, and the other its coefficients are uniform elements of ${\mathbb{Z}}_q$.

When this algorithm stops, it assigns a value $q_v\left(0\right)$ to each leaf node v in the tree.

5. System Definition and Security Model

In this section we present the system definition and the secrity model.

Table 2. Notations Employed in The System Definition And Our Proposed Construction.

Notation	Description
$\lambda$	Security parameter of the system
$\mathbb{U}$	Universal attribute set of the system
$params$	Public parameters of the system
$MSK$	Master secret-key of the HA
$At{t}_u$	Attribute set of a data user
$i{d}_u$	Identifier of a data user
$S{K}_O$	Secret-key of a data owner
$P{K}_O$	Public-key of a data owner
M	A data file
$\mathcal{T}$	An access tree
$PC{T}_{\mathcal{T}}$	Partial ciphertext associated with an access tree $\mathcal{T}$
$C{T}_{\mathcal{T}}$	Ciphertext associated with an access tree $\mathcal{T}$
$S{K}_u$	Attribute secret-key of a data user
$T{K}_u$	Decryption token generated by a data user in the decryption phase
k	Private-key generated by a data user in the decryption phase
$M^{\prime }$	Partial decrypted ciphertext

presents the notations used in this section.

5.1. Definition of LW-FGAC

LW-FGAC scheme is a tuple of PPT algorithms $(Setup,User.KeyGen,Owner.KeyGen,Part.Enc,Full.Enc,TokenGen,Part.Dec,Full.Dec)$ defined as below:

• $Setup(\lambda ,\mathbb{U})$: This algorithm is operated by the HA. It takes as input the security parameter $\lambda$ and the universal attribute set $\mathbb{U}$. It outputs public parameters $params$ and the master secret-key $MSK$.
• $User.KeyGen(params,MSK,i{d}_u,At{t}_u)$: This algorithm is executed by the CSP. On input the public parameters $params$, the master secret-key $MSK$, a data user’s identifier $i{d}_u$, and an attribute set $At{t}_u$, this algorithm outputs a secret-key $S{K}_u$ associated with $i{d}_u$ and $At{t}_u$.
• $Owner.KeyGen\left(params\right)$: This algorithm can be run by a data owner or the HA. It inputs the public parameters $params$ and outputs a pair of secret-key and public-key $(S{K}_O,P{K}_O)$.
• $Part.Enc(params,\mathcal{T},S{K}_O,M)$: A data owner executes this algorithm. The public parameters of the system, an access tree $\mathcal{T}$, the data owner’s secret-key, and a message M are the input of the algorithm. This algorithm outputs a partial ciphertext $PC{T}_{\mathcal{T}}$ associated with the message M and the access tree $\mathcal{T}$.
• $Full.Enc(params,PC{T}_{\mathcal{T}},P{K}_O)$: The CSP runs this algorithm. This algorithm takes the public parameters $params$, a partial ciphertext $PC{T}_{\mathcal{T}}$, and a data owner’s public-key $P{K}_O$. It outputs a ciphertext $C{T}_{\mathcal{T}}$.
• $TokenGen(params,i{d}_u,S{K}_u,C{T}_{\mathcal{T}})$: This algorithm is executed by a data user. On input the pubic parameters $params$, a data user’s identifier $i{d}_u$, a secret-key $S{K}_u$, and a ciphertext $C{T}_{\mathcal{T}}$, this algorithm returns a private-key k and a decryption token $T{K}_u$, or it outputs an error message ⊥.
• $Part.Dec(params,C{T}_{\mathcal{T}},T{K}_u)$: The CSP runs this algorithm. It takes as input the public parameters $params$, a ciphertext $C{T}_{\mathcal{T}}$, and a decryption token $T{K}_u$. This algorithm outputs a partial decrypted ciphertext $M^{\prime }$.
• $Full.Dec(params,M^{\prime },k)$: A data user operates this algorithm. On input the public parameters $params$, the partial decrypted ciphertext $M^{\prime }$, and its associated private-key k, this algorithm returns the message associated with $M^{\prime }$.

Definition 1.

We say that an $LW-FGAC$ scheme Π is correct if for any security parameter λ, universal attribute set $\mathbb{U}$, public parameters and master secret-key $(params,MSK)\leftarrow Setup(\lambda ,\mathbb{U})$, attribute set $At{t}_u$, identifier $i{d}_u$, access tree $\mathcal{T}$ satisfied by $At{t}_u$, secret-key $S{K}_u\leftarrow User.KeyGen(params,MSK,i{d}_u,At{t}_u)$, public-key and secret-key $(S{K}_O,P{K}_O)\leftarrow Owner.KeyGen\left(params\right)$, message M, partial ciphertext $PC{T}_{\mathcal{T}}\leftarrow Part.Enc(params,\mathcal{T},S{K}_O,M)$, and ciphertext $C{T}_{\mathcal{T}}\leftarrow Full.Enc(params,PC{T}_{\mathcal{T}},P{K}_O)$, we have:

$$Full.Dec(params,M^{\prime },k)=M,$$

(2)

where $M^{\prime }\leftarrow Part.Dec(params,C{T}_{\mathcal{T}},T{K}_u)$ and $T{K}_u\leftarrow TokenGen(params,i{d}_u,S{K}_u,C{T}_{\mathcal{T}})$.

5.2. Security Definition

Security of LW-FGAC requires that for any PPT adversary modeling the CSP colluding with unauthorized data users, the advantage of the adversary in learning partial information about encrypted data files is a negligible function in the security parameter of the system. In other words, the adversary is unable to distinguish the encryption of two data files of its choice. We formalize the security requirement by using the following indistinguishability experiment.

Indistinguishability experiment ${LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)$:

Let $\mathsf{\Pi }=(Setup,User.KeyGen,Owner.KeyGen,Part.Enc,Full.Enc,TokenGen,Part.Dec,Full.Dec)$ be an LW-FGAC scheme and $\mathcal{A}$ be a PPT adversary. Consider the following experiment:

• Setup: A challenger chooses a security parameter $\lambda$ and a universal attribute set $\mathbb{U}$. It executes $(params,MSK)\leftarrow$ Setup $(\lambda ,\mathbb{U})$. $params$ is given to $\mathcal{A}$ and $MSK$ is maintained by the challenger.
• Phase 1: For polynomially many times, $\mathcal{A}$ makes some queries to the following oracle, and for each data user with identifier $i{d}_u$, the challenger maintains a list $L_{i{d}_u}$ which is initially empty.
  ${\mathcal{O}}_{User.KeyGen}(Att,i{d}_u)$: The challenger runs $S{K}_u\leftarrow UKeyGen(PK,MSK,Att,i{d}_u)$ and returns $S{K}_u$ to the adversary. It also substitutes $L_{i{d}_u}\cup Att$ with $L_{i{d}_u}$.
• Challenge: $\mathcal{A}$ declares an access tree ${\mathcal{T}}^{*}$ and two equal-length messages $M_0$ and $M_1$. The challenger checks if there is an identifier $i{d}_u$ such that $L_{i{d}_u}$ satisfies ${\mathcal{T}}^{*}$ or not. If so, the challenger stops and returns 0. Otherwise, it first selects $b\leftarrow \{0,1\}$ and an identifier $i{d}_O$. Then, it runs $(S{K}_O,P{K}_O)\leftarrow Owner.KeyGen\left(params\right)$ and $PC{T}_{\mathcal{T}}^b\leftarrow Part.Enc(params,\mathcal{T},S{K}_O,M_b)$. $P{K}_O$ and $PC{T}_{\mathcal{T}}^b$ are given to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ makes more queries to the oracle ${\mathcal{O}}_{\mathbf{User}.\mathbf{KeyGen}}(Att,i{d}_u)$ and the challenger answers it provided $Att\cup L_{i{d}_u}$ does not satisfy ${\mathcal{T}}^{*}$.
• Guess: $\mathcal{A}$ outputs a bit $b^{\prime }\in \{0,1\}$.

The output of the experiment is defined to be 1 if $b=b^{\prime }$, and 0 otherwise. We say that the adversary $\mathcal{A}$ wins the game, and we write ${LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)=1$ if the experiment’s output is equal to 1.

Definition 2.

An $LW-FGAC$ scheme Π is said to be secure if for all PPT adversaries $\mathcal{A}$ there exists a negligible function $negl$ such that

$$Pr({LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)=1)\le \frac{1}{2}+negl\left(\lambda \right).$$

(3)

6. Our Construction

In this section, we present our proposed LW-FGAC scheme. As mentioned in Section 3.1, our proposed scheme consists of four phases System initialization, Key delegation, Data encryption, and Decryption. In the following, the mentioned four phases are described in detail. The notations employed in our construction are given in Table 2.

6.1. System Initialization

In this phase, the HA selects a security parameter $\lambda$ and a universal attribute set $\mathbb{U}$. Then, it executes $(params,MSK)\leftarrow Setup(\lambda ,\mathbb{U})$ as follows and publishes $params$ to the other entities.

$Setup(\lambda ,\mathbb{U})$: This algorithm runs $(\lambda ,q,G_1,G_2,\widehat{e})\leftarrow \mathcal{G}\left(1^{\lambda }\right)$ and selects $P_0,P_1,P_2,X_1\leftarrow G_1$, and $x_0\leftarrow {\mathbb{Z}}_q$. Then, for each $i\in \mathbb{U}$, it chooses $s{k}_i\leftarrow {\mathbb{Z}}_q$ and computes $P{K}_i=s{k}_i{P}_0$. It sets

$$MSK=(x_0,P_1,X_1,{\left\{s{k}_i\right\}}_{i=1}^m)$$

(4)

and

$$params=(\lambda ,G_1,G_2,\widehat{e},P_0,P_2,E_1,E_2,{\left\{P{K}_i\right\}}_{i=1}^m),$$

(5)

as the master secret-key and the global public parameters of the system, respectively, where $E_1=\widehat{e}(x_0{P}_0,P_1)$ and $E_2=\widehat{e}(P_0,X_1)$.

6.2. Key Delegation

As shown in Figure 4, in this phase, the HA provides data users with some secret-keys according to their attributes and also provides each data owner with a pair of public-key and secret-key. Each data user possessing an attribute set $At{t}_u$ should first select a unique identifier $i{d}_u$ and ask the HA to generate its secret-key. The HA runs $S{K}_u\leftarrow User.KeyGen(params,MSK,i{d}_u,At{t}_u)$ and returns $S{K}_u$ to the data user. Also, each data owner with identifier $i{d}_O$ can request its public-key and secret-key from the HA. The HA runs $(S{K}_O,P{K}_O)\leftarrow Owner.KeyGen\left(params\right)$ and returns $S{K}_O$ to the data owner. $(i{d}_O,P{K}_O)$ is also outsourced to the CSP. Note that secret-key and public-key of a data owner can be generated by itself. However, as its computational power is assumed to be limited, this task usually is outsourced to the HA. In the following, we describe the mentioned two algorithms:

$User.KeyGen(params,MSK,i{d}_u,At{t}_u)$: It calculates:

$$S{K}_{i,u}=x_0{P}_1+X_1+s{k}_{i}i{d}_u,$$

(6)

for each $i\in At{t}_u$, and outputs $S{K}_u={\left\{S{K}_{i,u}\right\}}_{i\in At{t}_u}$.

$Owner.KeyGen\left(params\right)$: It selects $d_O\leftarrow {\mathbb{Z}}_q$ and calculates $P{K}_O^{(1)}=E_2^{d_O}$, $P{K}_O^{(2)}=d_O{P}_0$, $P{K}_O^{(3)}=d_O{P}_2$ and $P{K}_{i,O}=d_O(P{K}_i-P_2)$, for each $i\in \mathbb{U}$. It returns $(S{K}_O,P{K}_O)$, where $S{K}_O=d_O$ and $P{K}_O=(P{K}_O^{(1)},P{K}_O^{(2)},P{K}_O^{(3)},{\left\{P{K}_{i,O}\right\}}_{i\in \mathbb{U}})$.

6.3. Data Encryption

As shown in Figure 5, in this phase, data owners encrypt their data by outsourcing most of the computational operations to the CSP. A data owner with identifier $i{d}_O$ and public-key and secret-key $(S{K}_O,P{K}_O)$ that wants to encrypt a message M defines an access tree $\mathcal{T}$ and runs $PC{T}_{\mathcal{T}}\leftarrow Part.Enc(params,\mathcal{T},S{K}_O,M)$ to generate a partial ciphertext $PC{T}_{\mathcal{T}}$. The data owner makes a request $(i{d}_O,PC{T}_{\mathcal{T}})$ to the CSP to complete the encryption procedure. Then, the CSP executes $C{T}_{\mathcal{T}}\leftarrow Full.Enc(params,PS{K}_{\mathcal{T}},P{K}_O)$ and generates a ciphertext associated with the message M and the access tree $\mathcal{T}$. The mentioned two algorithms are presented below:

$Part.Enc(params,\mathcal{T},S{K}_O,M)$: It selects $r\leftarrow {\mathbb{Z}}_q$ and runs ${\{q_{v_i}\left(0\right)\}}_{v_i\in L_{\mathcal{T}}}\leftarrow {Share}_q(r+S{K}_O,\mathcal{T})$. Then, it calculates $C_1=E_1^{-r}M$, $\tilde{r}=r+S{K}_O$ and returns partial ciphertext $PC{T}_{\mathcal{T}}=(\mathcal{T},C_1,\tilde{r},{\{q_{v_i}\left(0\right)\}}_{v_i\in L_{\mathcal{T}}})$.

$Full.Enc(params,PC{T}_{\mathcal{T}},P{K}_O)$: Given a partial ciphertext $PC{T}_{\mathcal{T}}=(\mathcal{T},C_1,\tilde{r},{\{q_{v_i}\left(0\right)\}}_{v_i\in L_{\mathcal{T}}})$ and a data owner’s public-key $P{K}_O=(P{K}_O^{(1)},P{K}_O^{(2)},P{K}_O^{(3)},{\left\{P{K}_{i,O}\right\}}_{i\in \mathbb{U}})$, it calculates

$$C_2=\tilde{r}{P}_2-P{K}_O^{(3)}=r{P}_2,$$

(7)

$$C_3=E_2^{-\tilde{r}}(P{K}_O^{(1)})=E_2^{-r},$$

(8)

and for any leaf node $v_i$ in $\mathcal{T}$, it sets

$$C_{v_i}^{(1)}=q_{v_i}\left(0\right)P_0-P{K}_O^{(2)}=(q_{v_i}\left(0\right)-S{K}_O)P_0,$$

(9)

$$C_{v_i}^{(2)}=q_{v_i}\left(0\right)(P{K}_i-P_2)-P{K}_{i,O}=(q_{v_i}\left(0\right)-S{K}_O)(P{K}_i-P_2).$$

(10)

Finally, this algorithm outputs a ciphertext

$$C{T}_{\mathcal{T}}=(\mathcal{T},C_1,C_2,C_3,{\{C_{v_i}^{(1)}\}}_{v_i\in L_{\mathcal{T}}},{\left\{C_{v_i}^{(2)}\right\}}_{v_i\in L_{\mathcal{T}}}).$$

(11)

6.4. Decryption

As we have shown in Figure 6, in this phase, by outsourcing the heavy computational operations to the CSP, a data user can recover its desired data. Assume that $C{T}_{\mathcal{T}}$ has been retrieved from the CSP. To decrypt the ciphertext, a data user with secret-key $S{K}_u$ and identifier $i{d}_u$ first executes $T{K}_u\leftarrow TokenGen(params,i{d}_u,S{K}_u,C{T}_{\mathcal{T}})$ and generates a decryption token $T{K}_u$. It sends a decryption request $(C{T}_{\mathcal{T}},T{K}_u)$ to the CSP. Then, the CSP runs $M^{\prime }\leftarrow Part.Dec(params,C{T}_{\mathcal{T}},T{K}_u)$ and returns the partial decrypted ciphertext $M^{\prime }$ to the data user. The data user can run the lightweight algorithm $M\leftarrow Full.Dec(parms,M^{\prime },k)$ and recover the associated message M. Detail of the mentioned three algorithms are given below:

$TokenGen(params,i{d}_u,S{K}_u,C{T}_{\mathcal{T}})$: Given a data user’s secret-key $S{K}_u={\left\{S{K}_{i,u}\right\}}_{i\in At{t}_u}$ associated with an attribute set $At{t}_u$, a ciphertext $C{T}_{\mathcal{T}}$ associated with an access tree $\mathcal{T}$, and an identifier $i{d}_u$, this algorithm checks if there is an attribute set $S\subseteq At{t}_u$ satisfying $\mathcal{T}$ or not. If not, it returns ⊥. Otherwise, it selects $k\leftarrow {\mathbb{Z}}_q$ and calculates $K=ki{d}_u$ and $K_i=kS{K}_{i,u}$, for each $i\in S$. It outputs a private-key k and a token $T{K}_u=(K,{\left\{K_i\right\}}_{i\in S})$.

$Part.Dec(params,C{T}_{\mathcal{T}},T{K}_u)$: Given a ciphertext $C{T}_{\mathcal{T}}=(\mathcal{T},{\{C_i\}}_{i=1}^4,{\{C_{v_i}^{(1)}\}}_{v_i\in L_{\mathcal{T}}},{\{C_{v_i}^{(2)}\}}_{v_i\in L_{\mathcal{T}}})$ and a token $T{K}_u=(K,{\left\{K_i\right\}}_{i\in S})$, it first computes

$$\begin{array}{cc}\hfill L_i& =\frac{\widehat{e}(K_i,C_{v_i}^{\left(1\right)})}{\widehat{e}(K,-C_{v_i}^{\left(2\right)})}\hfill \\ \hfill & =E_1^{k{q}_{v_i}\left(0\right)}{E}_2^{k{q}_{v_i}\left(0\right)}\widehat{e}{(i{d}_u,P_2)}^{k{q}_{v_i}\left(0\right)},\hfill \end{array}$$

(12)

for each $i\in S$. Then, by using the polynomial interpolation method, it computes

$$L=E_1^{kr}{E}_2^{kr}\widehat{e}{(i{d}_u,P_2)}^{kr}.$$

(13)

Finally, it returns $M^{\prime }=(C^{\prime },C_1)$, where

$$C^{\prime }=\frac{L}{\widehat{e}(K,C_2)}=E_1^{kr}{E}_2^{kr}.$$

(14)

$Full.Dec(parms,M^{\prime },k)$: On input a partial decrypted ciphertext $M^{\prime }$ and its associated private-key k, this algorithm outputs a message

$$M=C^{\prime k^{-1}}{C}_1{C}_3.$$

(15)

7. Correctness and Security Analysis

In this section, we first show that our proposed scheme is correct. Then, we prove its security in the standard model.

7.1. Correctness Proof

Theorem 1.

Our proposed LW-FGAC scheme is correct.

Proof. 

We prove that LW-FGAC fulfills Definition 1. Given $(params,MSK)\leftarrow Setup(\lambda ,\mathbb{U})$, an attribute set $At{t}_u$, an identifier $i{d}_u$, an access tree $\mathcal{T}$ satisfied by $At{t}_u$, a message M, $S{K}_u\leftarrow User.KeyGen(params,MSK,i{d}_u,At{t}_u)$, $(S{K}_O,P{K}_O)\leftarrow Owner.KeyGen\left(params\right)$, $PC{T}_{\mathcal{T}}\leftarrow Part.Enc(params,\mathcal{T},S{K}_O,M)$, $C{T}_{\mathcal{T}}\leftarrow Full.Enc(params,PC{T}_{\mathcal{T}},P{K}_O)$, we show that the output of the decryption phase is equal to M. Let $C{T}_{\mathcal{T}}=(\mathcal{T},{\left\{C_i\right\}}_{i=1}^4,{\left\{C_{v_i}^{\left(1\right)}\right\}}_{v_i\in L_{\mathcal{T}}},{\left\{C_{v_i}^{\left(2\right)}\right\}}_{v_i\in L_{\mathcal{T}}})$, and $T{K}_u=(K,{\left\{K_i\right\}}_{i\in S})$ be a decryption token generated by $TokenGen(params,i{d}_u,S{K}_u,C{T}_{\mathcal{T}})$, where $S\subset At{t}_u$ satisfies $\mathcal{T}$. We first prove the correctness of Equation (12). We have:

$$\begin{array}{cc}\hfill L_i& =\frac{\widehat{e}(K_i,C_{v_i}^{\left(1\right)})}{\widehat{e}(K,-C_{v_i}^{\left(2\right)})}\hfill \\ \hfill & =\frac{\widehat{e}(kS{K}_{i,u},q_{v_i}\left(0\right)P_0)}{\widehat{e}(ki{d}_u,q_{v_i}\left(0\right)(-P_2+P{K}_i))}\hfill \\ \hfill & =\frac{\widehat{e}(k{x}_0{P}_1+k{X}_1+ks{k}_{i}i{d}_u,q_{v_i}\left(0\right)P_0)}{\widehat{e}{(ki{d}_u,P_2)}^{-q_{v_i}\left(0\right)}\widehat{e}{(ki{d}_u,P{K}_i)}^{q_{v_i}\left(0\right)}}\hfill \\ \hfill & =\frac{\widehat{e}(k{x}_0{P}_1,q_{v_i}\left(0\right)P_0)\widehat{e}(k{X}_1,q_{v_i}\left(0\right)P_0)\widehat{e}{(ki{d}_u,P{K}_i)}^{q_{v_i}\left(0\right)}}{\widehat{e}{(ki{d}_u,P_2)}^{-q_{v_i}\left(0\right)}\widehat{e}{(ki{d}_u,P{K}_i)}^{q_{v_i}\left(0\right)}}\hfill \\ \hfill & =\widehat{e}(k{x}_0{P}_1,q_{v_i}\left(0\right)P_0)\widehat{e}(k{X}_1,q_{v_i}\left(0\right)P_0)\widehat{e}{(ki{d}_u,P_2)}^{q_{v_i}\left(0\right)}\hfill \\ \hfill & =\widehat{e}{(x_0{P}_1,P_0)}^{k{q}_{v_i}\left(0\right)}\widehat{e}{(X_1,P_0)}^{k{q}_{v_i}\left(0\right)}\widehat{e}{(i{d}_u,P_2)}^{k{q}_{v_i}\left(0\right)}\hfill \\ \hfill & =E_1^{k{q}_{v_i}\left(0\right)}{E}_2^{k{q}_{v_i}\left(0\right)}\widehat{e}{(i{d}_u,P_2)}^{k{q}_{v_i}\left(0\right)}.\hfill \end{array}$$

(16)

So, Equation (12) is correct. Also, the correctness of Equations (13) and (14) is clear. Moreover, we see that

$$\begin{array}{cc}\hfill C^{\prime k^{-1}}{C}_1{C}_3& ={\left(E_1^{kr}{E}_2^{kr}\right)}^{k^{-1}}M{E}_1^{-r}{E}_2^{-r}\hfill \\ \hfill & =\left(E_1^r{E}_2^r\right)M{E}_1^{-r}{E}_2^{-r}\hfill \\ \hfill & =M.\hfill \end{array}$$

(17)

It proves the theorem. □

7.2. Security Proof

Theorem 2.

If the DBDH problem is hard relative to $\mathcal{G}$, then LW-FGAC construction is secure in the standard model.

Proof. 

Let Π be our proposed LW-FGAC scheme, and $\mathcal{A}$ is a PPT adversary in the experiment ${LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(n\right)=1$ introduced in Section 6. In the following, we show that there exists a negligible function $negl$ such that:

$$\mathrm{Pr}({LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)=1)\le \frac{1}{2}+negl\left(\lambda \right),$$

(18)

where λ is the security parameter of the system. Suppose that ${\mathcal{A}}^{\prime }$ is another PPT adversary that attempts to solve the DBDH problem. Recall that the adversary ${\mathcal{A}}^{\prime }$ receives $(\lambda ,q,G_1,G_2,\widehat{e},P,\alpha P,\beta P,\gamma P,\widehat{e}{(P,P)}^z)$, where $P\leftarrow G_1$, $\alpha ,\beta ,\gamma \leftarrow {\mathbb{Z}}_q$, and z is equal to $\alpha \beta \gamma$ or is a uniform element of ${\mathbb{Z}}_q$. The aim of ${\mathcal{A}}^{\prime }$ is to determine the case of z. ${\mathcal{A}}^{\prime }$ runs $\mathcal{A}$ as a subroutine as follows:

• Setup: At first, ${\mathcal{A}}^{\prime }$ considers a universal attribute set $\mathbb{U}$, and for each $i\in \mathbb{U}$, chooses a uniform element $s{k}_i\in {\mathbb{Z}}_q$. Then, it selects $t\leftarrow {\mathbb{Z}}_q$ and $X\leftarrow G_1$ and sets

  $$P_0=P,$$

  (19)

  $$P_1=\alpha P,$$

  (20)

  $$P_2=tP,$$

  (21)

  $$x_0{P}_0=\beta P,$$

  (22)

  $$E_1=\widehat{e}(\beta P,P_1),$$

  (23)

  $$E_2=\widehat{e}(P,X).\widehat{e}{(\alpha P,\beta P)}^{-1},$$

  (24)

  and

  $$P{K}_i=s{k}_{i}P,$$

  (25)

  for any attribute $i\in \mathbb{U}$. ${\mathcal{A}}^{\prime }$ gives $params=(\lambda ,q,G_1,G_2,\widehat{e},P_0,P_1,P_2,E_1,E_2,,{\left\{P{K}_i\right\}}_{i\in \mathbb{U}})$ to $\mathcal{A}$ as the global public parameters of the system. Note that, if we assume that the master secret-key $MSK=(x_0,P_1,X_1,{\left\{s{k}_{a_i}\right\}}_{i=1}^m)$ is chosen such that the following equations

  $$x_0=\beta ,$$

  (26)

  $$\begin{array}{cc}\hfill X& =\beta P_1+X_1=\alpha \beta P+X_1,\hfill \end{array}$$

  (27)

  hold, then one can see that

  $$\begin{array}{cc}\hfill E_2& =\widehat{e}(P,X).\widehat{e}{(\alpha P,\beta P)}^{-1}\hfill \\ \hfill & =\widehat{e}(P,\alpha \beta P+X_1).\widehat{e}{(\alpha P,\beta P)}^{-1}\hfill \\ \hfill & =\widehat{e}(P,\alpha \beta P).\widehat{e}(P,X_1).\widehat{e}{(\alpha P,\beta P)}^{-1}\hfill \\ \hfill & =\widehat{e}(\alpha P,\beta P).\widehat{e}(P,X_1).\widehat{e}{(\alpha P,\beta P)}^{-1}\hfill \\ \hfill & =\widehat{e}(P,X_1)\hfill \\ \hfill & \stackrel{\left(19\right)}{=}\widehat{e}(P_0,X_1).\hfill \end{array}$$

  (28)
  So, $E_2$ is chosen correctly. The correctness of the other components of $params$ can be easily checked.
• Phase 1: For any data user with identifier $i{d}_u$, ${\mathcal{A}}^{\prime }$ makes a list $L_{i{d}_u}$ which is initially empty. When $\mathcal{A}$ submits a query ${\mathcal{O}}_{\mathbf{User}.\mathbf{KeyGen}}(Att,i{d}_u)$, it sets $L_{i{d}_u}=L_{i{d}_u}\cup Att$ and computes

  $$S{K}_{i,u}=X+s{k}_{i}i{d}_u.$$

  (29)
  Combining Equations (20) and (22), we have:

  $$\begin{array}{cc}\hfill S{K}_{i,u}& =X+s{k}_{i}i{d}_u\hfill \\ \hfill & =\alpha \beta P+X_1+s{k}_{i}i{d}_u\hfill \\ \hfill & =\beta \left(\alpha P\right)+X_1+s{k}_{i}i{d}_u\hfill \\ \hfill & =\beta P_1+X_1+s{k}_{i}i{d}_u\hfill \\ \hfill & =x_0{P}_1+X_1+s{k}_{i}i{d}_u.\hfill \end{array}$$

  (30)
  Also, by Equations (6) and (30), we see that $S{K}_{i,u}$ in Equation (29) is a valid secret-key.
• Challenge: $\mathcal{A}$ declares an access tree ${\mathcal{T}}^{*}$ and two equal-length messages $M_0$ and $M_1$ such that there is no data user with identifier $i{d}_u$ such that $L_{i{d}_u}$ satisfies ${\mathcal{T}}^{*}$. ${\mathcal{A}}^{\prime }$ selects $b\leftarrow \{0,1\}$ and $r^{\prime }\leftarrow {\mathbb{Z}}_q$ and assumes that for an unknown $S{K}_O\in {\mathbb{Z}}_q$, $r^{\prime }=\gamma +S{K}_O$. It sets

  $$P{K}_O^{(1)}=E_2^{r^{\prime }}\widehat{e}(-\gamma P,X)\widehat{e}{(P,P)}^z,$$

  (31)

  $$P{K}_O^{(2)}=r^{\prime }P-\gamma P,$$

  (32)

  $$P{K}_O^{(3)}=r^{\prime }{P}_2-t\gamma P,$$

  (33)

  and for each $i\in \mathbb{U}$, it calculates

  $$P{K}_{i,O}=r^{\prime }(P{K}_i-P_2)-(s{k}_i\gamma P-t\gamma P).$$

  (34)
  Then, it runs ${\left\{q_{v_i}\left(0\right)\right\}}_{v_i\in L_{{\mathcal{T}}^{*}}}\leftarrow Share(r^{\prime },q,{\mathcal{T}}^{*})$ and calculates

  $$C_1=\widehat{e}{(P,P)}^{-z}{M}_b.$$

  (35)
  Afterward, it sets $PC{T}_{{\mathcal{T}}^{*}}^b=({\mathcal{T}}^{*},C_1,{\{q_{v_i}\left(0\right)\}}_{v_i\in L_{{\mathcal{T}}^{*}}})$. Finally, it returns $PC{T}_{{\mathcal{T}}^{*}}^b$ and $P{K}_O=(P{K}_O^{(1)},P{K}_O^{(2)},P{K}_O^{(3)},{\{P{K}_{i,O}\}}_{i\in \mathbb{U}})$ to $\mathcal{A}$. We see that

  $$\begin{array}{cc}\hfill P{K}_O^{(2)}& =r^{\prime }P-\gamma P\hfill \\ \hfill & =(\gamma +S{K}_O)P-\gamma P\hfill \\ \hfill & =S{K}_{O}P\hfill \\ \hfill & =S{K}_O{P}_0,\hfill \end{array}$$

  $$\begin{array}{cc}\hfill P{K}_O^{(2)}& =r^{\prime }{P}_2-t\gamma P\hfill \\ \hfill & =(\gamma +S{K}_O)tP-t\gamma P\hfill \\ \hfill & =S{K}_{O}tP\hfill \\ \hfill & =S{K}_O{P}_2,\hfill \end{array}$$

  and

  $$\begin{array}{cc}\hfill P{K}_{i,O}& =r^{\prime }(P{K}_i-P_2)-(s{k}_i\gamma P-t\gamma P)\hfill \\ \hfill & =(S{K}_O+\gamma )(P{K}_i-P_2)-\gamma (P{K}_i-P_2)\hfill \\ \hfill & =S{K}_O(P{K}_i-P_2).\hfill \end{array}$$

  (36)
  Therefore, $P{K}_O^{\left(2\right)}$, $P{K}_O^{\left(3\right)}$, and $P{K}_{i,O}$, for each $i\in \mathbb{U}$, are chosen correctly. Also, when $z=\alpha \beta \gamma$,

  $$\begin{array}{cc}\hfill P{K}_O^{(1)}& =E_2^{r^{\prime }}\widehat{e}(-\gamma P,X)\widehat{e}{(P,P)}^z\hfill \\ \hfill & =E_2^{r^{\prime }}\widehat{e}(-\gamma P,X)\widehat{e}{(P,P)}^{\alpha \beta \gamma }\hfill \\ \hfill & =E_2^{r^{\prime }}\widehat{e}{(P,X)}^{-\gamma }\widehat{e}{(\alpha P,\beta P)}^{\gamma }\hfill \\ \hfill & \stackrel{\left(28\right)}{=}{E}_2^{r^{\prime }}{E}_2^{-\gamma }\hfill \\ \hfill & =E_2^{S{K}_O},\hfill \end{array}$$

  (37)

  and

  $$\begin{array}{cc}\hfill C_1& =\widehat{e}{(P,P)}^{-z}{M}_b\hfill \\ \hfill & =\widehat{e}{(\alpha P,\beta P)}^{-\gamma }{M}_b\hfill \\ \hfill & =E_1^{-\gamma }{M}_b.\hfill \end{array}$$

  (38)
  Thus, assuming $z=\alpha \beta \gamma$ and the random element r in Part.Enc algorithm described in Section 6.3 is equal to γ, one can see that $P{K}_O$ and $PC{T}_{{\mathcal{T}}^{*}}^b$ are chosen correctly.
• Phase 2: $\mathcal{A}$ makes more queries for data users’ secret-keys with the same restriction mentioned in the experiment presented in Section 5.2, and the adversary ${\mathcal{A}}^{\prime }$ responds to the queries similar to Phase 1.
• The adversary $\mathcal{A}$ outputs a bit $b^{\prime }\in \{0,1\}$.

Once the adversary ${\mathcal{A}}^{\prime }$ receives $b^{\prime }$, it checks whether $b=b^{\prime }$ or not. If so, it outputs 1. Otherwise, it returns 0.

As we have seen, if $z=\alpha \beta \gamma$, then $P{K}_O$ and $PC{T}_{{\mathcal{T}}^{*}}^b$ are valid and therefore

$$\begin{array}{c}\hfill \mathrm{Pr}({\mathcal{A}}^{\prime }(\lambda ,q,P,G_1,G_2,\widehat{e},\alpha P,\beta P,\gamma P,\widehat{e}{(P,P)}^{\alpha \beta \gamma })=1)=\mathrm{Pr}({LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)=1).\end{array}$$

(39)

Also, it is clear that, if $z\in {\mathbb{Z}}_q$ is a uniform element, then the adversary $\mathcal{A}$ cannot get any partial information about $M_b$. Thus,

$$\begin{array}{c}\hfill \mathrm{Pr}({\mathcal{A}}^{\prime }(\lambda ,q,P{G}_1,G_2,\widehat{e},\alpha P,\beta P,\gamma P,\widehat{e}{(P,P)}^z)=1)=\frac{1}{2}.\end{array}$$

(40)

On the other hand, by the hardness assumption of the DBDH problem, we have

$$\begin{array}{cc}\hfill |& \mathrm{Pr}({\mathcal{A}}^{\prime }(\lambda ,q,P,G_1,G_2,\widehat{e},\alpha P,\beta P,\gamma P,D=\widehat{e}{(P,P)}^{\alpha \beta \gamma })=1)-\hfill \\ \hfill & \mathrm{Pr}({\mathcal{A}}^{\prime }(\lambda ,q,P{G}_1,G_2,\widehat{e},\alpha P,\beta P,\gamma P,D=\widehat{e}{(P,P)}^z)=1)|\le negl\left(\lambda \right),\hfill \end{array}$$

(41)

for a negligible function $negl$. Combining Equations (39), (40), and (41), we get

$$\begin{array}{c}\hfill \mathrm{Pr}({LW-FGAC}_{\mathcal{A},\mathsf{\Pi }}\left(\lambda \right)=1)\le \frac{1}{2}+negl\left(\lambda \right).\end{array}$$

(42)

This proves the theorem. □

Corollary 1.

Our proposed system provides a secure lightweight encryption mechanism.

Proof. 

As we have seen in Theorem 1, the ciphertext generated by the lightweight encryption process is valid and can be decrypted by the algorithms presented in Section 6.4. Also, considering the security game presented in Section 5.2, the threat model presented in Section 3.2, and Theorem 2, one can see that the encryption mechanism leaks no information about the underlying health data to any PPT adversary modeling a group of unauthorized data users that colludes with the CSP. Therefore, our encryption mechanism is lightweight and secure. □

8. Performance Analysis

In this section, we analyze the performance of our LW-FGAC scheme by comparing its execution time, storage cost, and communication overhead with some existing ABE schemes in terms of both actual execution time and asymptotic complexity. The employed notations in the asymptotic analysis are given in

Table 3. Notations Employed in Our Asymptotic Analysis.

Notation	Description
$|At{t}_u|$	Carnality of a data user’s attribute set
$\left|\mathbb{U}\right|$	Carnality of the universal attribute set
$|L_{\mathcal{T}}|$	Number of leaf nodes in an access tree $\mathcal{T}$
S	Carnality of a data user’s attribute set satisfying a given access tree
$T_{e_1}$	Exponential operation time in $G_1$
$T_{e_2}$	Exponential operation time in $G_2$
$T_p$	Pairing operation time
$l_{G_1}$	Size of an element in $G_1$
$l_{G_2}$	Size of an element in $G_2$

.

In the asymptotic analysis, we considered three computational operations: exponential operation in $G_1$, exponential operation in $G_2$, and paring operation. As the other computational operations are significantly more efficient than the mentioned three operations, we ignore them in our analysis. Also, in measuring storage cost and communication complexity, we consider the size of elements in the groups $G_1$, $G_2$, and ${\mathbb{Z}}_q$.

We implement our scheme by using an Ubuntu 18.04 laptop with an Intel Core i5-2410M Processor 2.3 GHz, 6 GB RAM using python Pairing-Based Cryptography (pyPBC) and hashlib libraries [45,46]. Also, we use the Type A pairings and SHA-1 algorithm. Moreover, in this section, we use And-gates access structure ($a_1\wedge \dots \wedge a_n$) as the access control policy.

In the following, we describe our asymptotic and actual execution results. In our implementation, we assume that the number of leaf nodes in the access tree and the number of data users’ attributes are ranged between 10 to 100.

The actual execution times incurred by data owners and data users in the encryption and decryption phases are shown in Figure 7. As we see in part (a) of the figure, our encryption algorithm is significantly more efficient than the schemes presented in [27,35,36]. The mentioned fact is confirmed by the results given in

Table 4. Comparison of Computational Overhead on Data Owners and Data Users.

Schemes	Encryption	Decryption
Guo et al. [27]	$\left(2\right|\mathbb{U}|-|L_{\mathcal{T}}|+3)T_{e_1}$	$\left(2\right|\mathbb{U}|-2|S|+3)T_{e_1}+3T_p+T_{e_2}$
Lin et al. [35]	$\left(2\right|L_{\mathcal{T}}|+1)T_{e_1}$	$\left(\right|S|+2)T_{e_1}+T_{e_2}$
Lai et al. [36]	$\left(6\right|L_{\mathcal{T}}|+4)T_{e_1}+2T_{e_2}$	$\left(\right|S|+4)T_{e_1}+T_{e_2}$
LW-ABKS	$T_{e_2}$	$\left(\right|S|+1)T_{e_1}+T_{e_2}$

. According to the figure, our scheme is more than 100 times faster than the schemes [27,35,36]. Also, as shown in Table 4, in [27], execution time is a function of the universal attribute set’s carnality, $\left|\mathbb{U}\right|$. We measure its execution time when $\mathbb{U}\in \{100,200\}$. One can see that this scheme is inefficient for large universal attribute sets, and data owners and data users have to perform a considerable amount of heavy computational operations. Also, Figure 8 and

Table 5. Computational Complexity in The Encryption And Decryption Phases.

Schemes	Encryption	Decryption
Guo et al. [27]	$\left(2\right|\mathbb{U}|-|L_{\mathcal{T}}|+3)T_{e_1}$	$\left(2\right|\mathbb{U}|-2|S|+3)T_{e_1}+3T_p+T_{e_2}$
Lin et al. [35]	$\left(2\right|L_{\mathcal{T}}|+1)T_{e_1}$	$\left(2\right|S|+1)T_p+\left|S\right|T_{e_2}+T_{e_1}$
Lai et al. [36]	$\left(6\right|L_{\mathcal{T}}|+4)T_{e_1}+2T_{e_2}$	$\left(4\right|S|+2)T_p+2\left|S\right|T_{e_2}+2T_{e_1}$
LW-ABKS	$(2L_{\mathcal{T}}+1)T_{e_1}+2T_{e_2}$	$\left(\right|S|+1)T_{e_1}+T_p\left(2\right|S|+1)+T_{e_2}$

compare the execution time of the encryption and decryption phases in LW-FGAC with the schemes presented in [27,35,36]. We see that the performance of our proposed scheme is acceptable in comparison with the other schemes.

The storage overhead in our scheme and the schemes presented in [27,35,36] are given in

Table 6. Storage Overhead.

Schemes	Key Size	Ciphertext Size
Guo et al. [27]	$2l_{G1}$	$\left(\right|\mathbb{U}|-|L_{\mathcal{T}}|+2)l_{G_1}$
Lin et al. [35]	$\left(\right|At{t}_u|+2)l_{G_1}$	$\left(\right|L_{\mathcal{T}}|+1)l_{G_1}$
Lia et al. [36]	$\left(\right|At{t}_u|+2)l_{G_1}$	$\left(4\right|L_{\mathcal{T}}|+3)l_{G_1}+2l_{G_2}$
LW-ABKS	$|At{t}_u|l_{G_1}$	$\left(2\right|L_{\mathcal{T}}+1|l_{G_1}+2l_{G_2})$

and Figure 9. Comparing the storage overhead in LW-FGAC with the others, one can see that the performance of LW-FGAC is acceptable. Also, we see that the data users’ secret-key size in [27] is significantly shorter than the others. However, the length of a ciphertext in [27] grows linearly with $\left|\mathbb{U}\right|-|L_{\mathcal{T}}|$, where $\left|\mathbb{U}\right|$ is the number of attributes in the system, and $|L_{\mathcal{T}}|$ is the number of leaf nodes in the access tree associated with the ciphertext.

Also, Figure 10 and

Table 7. Communication Overhead from Data Owners to the Cloud.

Schemes	Size of The Transmitted Data
Guo et al. [27]	$\left(\right|\mathbb{U}|-|L_{\mathcal{T}}|+2)l_{G_1}$
Lin et al. [35]	$\left(\right|L_{\mathcal{T}}|+1)l_{G_1}$
Lia et al. [36]	$\left(4\right|L_{\mathcal{T}}|+3)l_{G_1}+2l_{G_2}$
LW-ABKS	$\left(\right|L_{\mathcal{T}}+1|l_{{\mathbb{Z}}_q}+l_{G_2})$

present the communication overhead from data owners to the cloud server. We see that our proposed scheme significantly reduces the overhead as in our scheme data owners just transmit lightweight partially encrypted data to the cloud server. However, in the other scheme, a complete ciphertext should be given to the cloud, which consumes more communication resources.

9. Conclusions

We designed a novel attribute-based cryptographic scheme called lightweight fine-grained access control (LW-FGAC) for cloud-based wireless body area networks (WBANs). In our proposed scheme, by performing very lightweight computational operations, a data owner can encrypt its data under an access tree defined by itself. Any data user that its attributes satisfy the access policy can decrypt the ciphertext. Also, in our designed system, the computational overhead on the data user side is very efficient, and most of the computations in the decryption phase are performed by the cloud service provider. We also provided the security definition for the new primitive, and we proved its security in the standard model under the hardness assumption of decisional bilinear Diffie-Hellman (DBDH) problem.