Article

An Efficient and Secure Revocation-Enabled Attribute-Based Access Control for eHealth in Smart Society

1 Department of Information Security, Military College of Signals (MCS), NUST, Islamabad 44000, Pakistan
2 Department of Computer Science, Shaheed Benazir Bhutto University Sheringal, Dir 18000, Pakistan
3 Department of Computer Science, Northern University, Nowshera 24100, Pakistan
4 School of Electrical and Computer Engineering, Seoul National University, Seoul 08826, Korea
5 Department of Computer Science, IQRA National University, Swat Campus 19220, Pakistan
6 Department of Computer Science, COMSATS University, Islamabad 44000, Pakistan
7 Tecnologico de Monterrey, School of Engineering and Sciences, Zapopan 45201, Mexico
* Author to whom correspondence should be addressed.
Sensors 2022, 22(1), 336; https://doi.org/10.3390/s22010336
Submission received: 9 November 2021 / Revised: 15 December 2021 / Accepted: 27 December 2021 / Published: 3 January 2022
(This article belongs to the Section Internet of Things)

Abstract
The ever-growing ecosystem of the Internet of Things (IoT), integrated with ever-evolving wireless communication technology, paves the way for new applications in a smart society. The core concept of a smart society emphasizes using information and communication technology (ICT) infrastructure to improve every aspect of life. Among the variety of smart services, eHealth is at the forefront of these promises. eHealth is rapidly gaining popularity as a way to overcome insufficient healthcare services and provide patient-centric treatment for the rising aging population with chronic diseases. Given the sensitivity of medical data, this interfacing between healthcare and technology raises many security concerns. Among the many contemporary solutions, attribute-based encryption (ABE) is the dominant technology because of its inherent support for one-to-many transfer and fine-grained access control to confidential medical data. Despite its proper functionality, ABE uses costly bilinear pairing operations, which are too heavy for eHealth’s tiny wireless body area network (WBAN) devices. In this work, we present an efficient and secure ABE architecture that outsources the intensive encryption and decryption operations. For practical realization, our scheme uses elliptic curve scalar point multiplication as the underlying technology of ABE instead of costly pairing operations. In addition, it supports attribute/user revocation and verifiability of outsourced medical data. Using the selective-set security model, the proposed scheme is shown to be secure under the elliptic curve decisional Diffie–Hellman (ECDDH) assumption. The performance assessment, together with the top rank obtained via the fuzzy-logic evaluation based on distance from average solution (EDAS) method, shows that the proposed scheme is efficient and suitable for access control in eHealth smart societies.

1. Introduction

The transformative effect of eHealth on smart society (shown in Figure 1) enables wearable medical devices for a vast number of applications, such as wearable fitness trackers, smart health watches, electrocardiogram (ECG) monitors, blood pressure monitors, biosensors, etc. On another front, advances in wireless communication have led to the emergence of a solidified and specialized wireless network for these worn-on or implanted devices: the wireless body area network (WBAN). A WBAN typically consists of tiny biosensors or sensors (wearable and/or implanted) that collect vital signs and forward them to a mobile or fixed gateway. It was developed to give healthcare professionals around-the-clock access to a patient’s medical data. This unremitting availability of data makes efficient use of healthcare resources and enables in-home monitoring of patients with chronic diseases [1]. Unlike conventional sensor networks, a WBAN operates on more critical and sensitive patient information, which demands significant security and privacy preservation before this technology can be used in practice. This concern leads data owners to desire more control over their data. This apparent contradiction (sharing the data widely while keeping control over it) results in severe security challenges for practical adoption. Given the underlying Internet of Things (IoT) infrastructure, conventional encryption techniques are ill-suited to WBAN security. Specifically, public-key encryption suffers from high computation, certificate, and key management overhead, and dynamic secret key management hinders the application of symmetric encryption as well. Considering the nature of WBAN healthcare systems, it is inevitable that this crucial data must be provided to the concerned healthcare professionals. Hence, traditional role-based access control and identity-based encryption (IBE) cannot guarantee fine-grained and one-to-many data transfer.
Recently, attribute-based encryption (ABE) has gained popularity as a secure access control mechanism for confidential data because of its inherent support for fine-grained access and one-to-many transfer. ABE is a particular type of IBE in which a user’s identity is described by a set of attributes, and data is encrypted for all users who possess a specific set of attributes. ABE schemes come in two variants: ciphertext-policy (CP-ABE) and key-policy (KP-ABE). In CP-ABE, the data owner embeds the access policy in the ciphertext and the end user’s private key is attached to an attribute set; any user whose attributes match the specified access policy can decrypt. In KP-ABE, private keys are attached to the access control policy and ciphertexts are attached to an attribute set [2]. In the context of WBAN, CP-ABE is more appropriate because it gives the data owners (patients in a WBAN) more control over the recipients [3] (medical staff in a WBAN) than KP-ABE does [4]. The one serious concern with most contemporary ABE schemes is that they rely heavily on expensive bilinear pairing and exponentiation operations in the encryption and decryption algorithms. This intense computation hinders their deployment on resource-constrained WBAN sensors [3,5] and has led the research community to develop pairing-free ABE schemes. As a result, the most recent work equips ABE with elliptic curve cryptography (ECC) algorithms, which offer much stronger bit security and replace the roughly ten times more expensive bilinear pairing operation with scalar point multiplication on an elliptic curve [3]. At the same time, because of the underlying ABE construction, the linearity property still burdens the ECC algorithm with heavy operations.
Since the number of operations increases linearly with the number of attributes, it incurs a heavy load on WBAN sensors. Therefore, a secure and efficient management mechanism is needed that keeps this operation within an acceptable, minimal constant range for WBAN sensor nodes. In this paper, building on Hu et al.’s [4] secure framework for WBAN, we propose an efficient and secure ECC-based CP-ABE scheme for WBAN.

Our Contribution

The primary contribution of our work is as follows:
  • Considering the resource-scarce nature of WBAN, we have proposed an efficient and secure ABE scheme that outsources the intensive encryption and decryption operations without revealing the secret key or the data content to the WBAN data sink node and to the cloud server’s decryption service provider (DSP), respectively.
  • Our proposed scheme is based on elliptic curve scalar point multiplication instead of costly bilinear pairing operations, addressing the resource-constrained nature of WBAN, especially its sensors. This feature makes it more appealing to smart healthcare.
  • Our proposed scheme supports indirect attribute/user revocation without the need to maintain a private channel between the trusted attribute authority and the non-revoked users for disseminating updated decryption keys.
  • The proposed scheme inherently supports an integrity check, thus increasing the security and reliability of medical data.
  • The proposed scheme is secure under the elliptic curve decisional Diffie–Hellman (ECDDH) assumption in the selective-set security model.
  • The performance assessment of our scheme shows significant overall efficiency in storage, computation, and communication.

2. Related Work and Background Knowledge

This section presents a brief overview of existing work and all the cryptographic primitives used to construct our proposed scheme.

2.1. Related Work

With the emerging use of e-healthcare systems, patients are concerned not only about the security of their personal information but also about the privacy of their biological characteristics [6,7]. To improve performance, early approaches utilized cloud computing models for e-healthcare systems; for example, [8] proposed a patient-oriented four-layer cloud-based e-healthcare system. With the emergence of edge computing and its proximity to resource-constrained devices, many edge-based e-healthcare systems [9,10] have been proposed. In [11], the author developed a first-aid service to provide emergency aid to patients rapidly. However, these early approaches lack the much-needed security requirements. To realize security in smart healthcare, the author in [12] utilizes fully homomorphic encryption (FHE) to encrypt the data. For better security, Cai et al. [13] create a novel medical record based on the mobile cloud without compromising too much performance. Still, the above systems do not devise any proper access control mechanism for these medical records. To better protect data privacy, some schemes equipped with access control were proposed [14,15]. For example, in [15], the author suggests role-based access control with the capability of origin tracing and further scrutiny of the authorization of accesses made to system resources. However, fine-grained access control is needed for better and more flexible access, which requires exposing specific portions of the data to the relevant medical professionals. Attribute-based encryption (ABE) emerged thanks to its inherent expressiveness and fine-grained access support. Sahai and Waters [16] were the first to interpret the identity of users as a set of attributes, proposing a fuzzy variant of identity-based encryption (IBE).
Depending on the placement of the access policy, ABE has two variants, namely key-policy ABE (KP-ABE) [17] and ciphertext-policy ABE (CP-ABE) [18]. Li et al. [19] propose outsourcing encryption with MapReduce to relieve the local computation overhead. Li et al. [20] construct a novel ABE scheme that outsources both key issuing and decryption, with verification of the results returned by the cloud server. Asim et al. [21] outsource the computation of message encryption to a semi-trusted proxy using the El-Gamal cipher; however, the scheme is only proven in the generic group model. Zong et al. [22] utilize the edge-enabled environment to outsource part of encryption and decryption to the edge node for the smart healthcare system. Zhidan et al. [23] propose an ABE scheme with verifiable delegation of both encryption and decryption to an untrusted encryption service provider (ESP) and a decryption service provider (DSP), respectively. Khan et al. [24] propose an online/offline-aided attribute-based multi-keyword search (OOABMS) scheme that delegates most heavy computation to an offline phase, before the attribute-based access control policy or keywords are known. However, all of these ABE schemes depend heavily on the costly bilinear pairing operation [25]. Later, the author of [26] proposed a pairing-free lightweight KP-ABE scheme using ECC for resource-constrained IoT infrastructure. Subsequently, Tan et al. [27] introduced key outsourcing into [26] for better efficiency without compromising its security. Several body sensor network (BSN) schemes [28,29] have been proposed for the cloud environment that show the usability and suitability of the key-policy type of ABE in different scenarios. KP-ABE shifts the computation overhead of access policy formulation from the patient to the medical attribute authority (MAA), but at the same time gives the patient no control over it.
CP-ABE offers complete control over who has access to the sensitive medical data, making it conceptually similar to the role-based access control [30] model.
These appealing characteristics for WBAN have formed the basis of many proposed [18] schemes with features such as policy update, hidden access policy, traceability, and revocability. These schemes mainly rely on costly pairing operations. Considering the resource-constrained nature of a WBAN, pairing-free ABE schemes should be its first choice. In this direction, Ref. [31] proposed a pairing-free ECC-based CP-ABE scheme; however, like most schemes, it also suffers from the inherent linearity property of ABE. For practical deployment, we have designed a pairing-free CP-ABE scheme based on ECC with a minimal constant number of scalar point multiplications.
Basar et al. [32] present an image segmentation method based on pulse-coupled neural network (PCNN) and local binary pattern (LBP) components. The method is robust because the parameters of the presented model can be adjusted for different situations. The algorithm has been tested on a dataset of 1000 defocused images, and the results show that it outperforms contemporary algorithms on evaluation metrics such as accuracy and precision. A fuzzy-logic ranking based on EDAS has been used to rank the methods; the experimental results and ranking show that the proposed scheme outperforms contemporary schemes in terms of time complexity and accuracy.
Mehmood et al. [33] developed a trust-based, energy-efficient, and reliable communication scheme named trust-based ERCS for remote patient monitoring in eHealth applications. A cooperative communication strategy is used to ensure trust and reliability, and privacy preservation and a fuzzy-logic rank-based method are employed as well. The detailed experimental results and ranking demonstrate that the scheme outperforms the available contemporary schemes.
Similarly, Basar et al. [34] present an RGB-histogram-based K-means clustering initialization for unsupervised color image segmentation. An adaptive initialization approach determines the number of clusters and the initial center of each cluster to address the segmentation issues of color images. The method is compared with well-known unsupervised segmentation methods on various segmentation parameters, and the EDAS (evaluation based on distance from average solution) technique is used to rank segmentation integrity. The experimental results show that the method outperforms contemporary methods; however, due to classification errors, it is not recommended for healthcare medical applications.

2.2. Background Knowledge

This section presents all the cryptographic primitives used in the construction of our proposed ECC-based ABE scheme, including the elliptic curve cryptosystem, Lagrange interpolation for secret reconstruction, and the access control structure.

2.3. Elliptic Curve Cryptosystem and Its Related Complexity Assumptions

An elliptic curve $E$ over a prime finite field $\mathbb{Z}_p$ is defined by the cubic equation
$$y^2 \equiv x^3 + a \cdot x + b \pmod p,$$
and can be described by the parameter set $(p, a, b, G, n)$, where $x, y, a, b \in \mathbb{Z}_p$ and $4a^3 + 27b^2 \neq 0 \pmod p$. All point operations in ECC must be defined so that the points form a cyclic group $\mathbb{G}_E$ over $E$.
Definition 1 (Elliptic curve discrete logarithm problem (ECDLP)). Given points $P, Q \in \mathbb{G}_E$ on the curve, it is intractable for a polynomial-time algorithm to find the randomly chosen value $K \in \mathbb{Z}_q$ such that $Q = K \cdot P$.
Definition 2 (Elliptic curve computational Diffie–Hellman problem (ECCLP)). For a generator $G$ of $\mathbb{G}_E$ and randomly chosen values $c, d \in \mathbb{Z}_q$, given $(c \cdot G, d \cdot G, G)$ it is intractable for a polynomial-time algorithm to compute $c \cdot d \cdot G$.
Definition 3 (Elliptic curve decisional Diffie–Hellman problem (ECDDH)). Given randomly chosen values $c, d \in \mathbb{Z}_q$, a generator $G$, and any point $Z$ of $\mathbb{G}_E$, it is infeasible for a polynomial-time algorithm to distinguish between the two probability distributions $(c \cdot G, d \cdot G, c \cdot d \cdot G)$ and $(c \cdot G, d \cdot G, Z)$.
Definition 4 (Access tree [17]). Let a tree $\mathcal{T}$ represent an access structure. Each non-leaf node of $\mathcal{T}$ is a threshold gate, described by its threshold value and its children: if $d_x$ is the threshold value of node $x$ and $num_x$ is its number of children, then $1 \le d_x \le num_x$. When $d_x = num_x$ the threshold gate is an AND gate, and when $d_x = 1$ it is an OR gate. Each leaf node $x$ of $\mathcal{T}$ is described by the threshold value $d_x = 1$ and an attribute. Further definitions and notations can be found in [35].
In ABE, Lagrange interpolation is used for secret reconstruction. For an element $i \in \mathbb{Z}_p$ and a set $S$ of elements of $\mathbb{Z}_p$, the Lagrange coefficient $\Delta_{i,S}$ is given by $\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}$.

3. System and Security Model

Figure 2 depicts the main components of our proposed scheme, namely the medical attribute authority (MAA), cloud service provider (CSP), body area network (BAN), data sink (DS), and medical data user (MDU). This section presents an overview of the roles played by each component.
MAA: The MAA acts as the key generation center (KGC) and is the only fully trusted entity in the system model. The KGC is responsible for registering all system users [36]. In the initialization phase, it produces the public parameters (PARAMS), the system master key (SMK), and the secret key components (SK) for the attribute set $S_u$ specific to each user.
CSP: This entity provides storage and partial decryption services through its sub-entities, the storage service provider (SSP) and the decryption service provider (DSP), respectively. The SSP stores the encrypted health-related data of each registered patient and serves as the repository for all uploaded data. The DSP performs partial decryption for interested MDUs without learning the actual data contents.
BAN: A body area network is a wireless network consisting of small biosensors, which may be implanted (placed inside the human body), wearable (on the body), or carried, depending on their specific use. Its deployment aims to persistently measure vital body parameters, detect abnormal changes, and consult a healthcare professional in real time for life support. The sensors are short of vital resources: memory, battery power, and computation power. In the traditional framework [31], these resource-constrained sensors are entrusted with the expensive secret-distribution mechanism for formulating the access policy, in addition to their prime tasks of sensing, processing, and transmission. Moreover, because of the linearity property of ABE, the encryption complexity grows with the size of the access policy. Exploiting the delegation property of the CP-ABE mode of encryption, we offload most of the computation to the gateway. More specifically, the sensor retains part of the secret for a little local processing while exposing the other part to the gateway for most of the processing; this still ensures the information-theoretic security of the secret.
DS: The DS acts as a gateway that aggregates the data of its sensors and disseminates it to the MAA. It could be a mobile device such as a smartphone or a specialized BAN controller, and hence has significantly more memory, processing, and transmission capacity than the sensors. These features lead us, in our proposed framework, to delegate most of the processing overhead from the sensors to the DS. The traditional framework [31] devotes this unit to forwarding only, which is not a judicious use of its resources.
MDU: An MDU could be a doctor, nurse, or any other healthcare expert. To register with the system, each MDU must prove its credentials and affiliation, expressed as a set of attributes, to the KGC. The KGC verifies the validity of the claimed attributes, computes the corresponding secret key components, and sends them to the concerned user via a secure channel. These secret key components are uniquely generated by associating a random number with them, to prevent collusion attacks. As long as the MDU possesses the required set of attributes, it can access any patient’s encrypted data. The MDU is usually a device such as a mobile phone with limited resources; in our framework, we shift most of the decryption overhead to the DSP. As a result, after retrieving the partially decrypted data from the DSP, the MDU only needs to perform a minor operation to complete the decryption.
In our threat model, we consider the CSP honest-but-curious, as adopted by most ABKS schemes: it honestly runs the algorithms but tries to infer private information from the available data. The medical attribute authority and the data owner (DO) are fully trusted entities in our system model. Corrupted data users (DUs) may also collude with each other. To prove the security of an ABE scheme, the selective-set security model generally uses a game between a challenger $\mathcal{C}$ and an attacker $\mathcal{A}$, in which the attacker faces challenges posed by the challenger to solve the underlying security assumption. The following six steps define the security game for our proposed scheme against a chosen-plaintext attack [35].
Initialization: $\mathcal{A}$ declares the encryption attribute set, in the form of an access structure $\mathcal{T}$, that it wants to be challenged upon.
Setup: To generate the system parameters, $\mathcal{C}$ runs the setup algorithm, keeps the SMK to itself, and sends the public parameters PARAMS to the adversary $\mathcal{A}$.
Phase 1: The adversary $\mathcal{A}$ is allowed to adaptively ask for the secret key components $K_{A_1}, K_{A_2}, \ldots, K_{A_n}$ of attribute sets $A_1, A_2, \ldots, A_n$, such that none of the attribute sets associated with the requested secret key components satisfies $\mathcal{T}$.
Challenge: Now, $\mathcal{A}$ submits two equal-length messages $M_0$ and $M_1$ to $\mathcal{C}$ together with $\mathcal{T}$. $\mathcal{C}$ flips a binary coin $b \in \{0, 1\}$, encrypts $M_b$ under $\mathcal{T}$, and sends the generated ciphertext $CT$ to $\mathcal{A}$.
Phase 2: The adversary $\mathcal{A}$ and the challenger $\mathcal{C}$ adaptively repeat the same steps as in Phase 1.
Guess: $\mathcal{A}$ outputs a guess $b'$ of $b$ to $\mathcal{C}$.
The advantage $\epsilon$ gained by $\mathcal{A}$ in the above game is defined as $\epsilon = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.
Table 1 lists all the notations used in this work.

4. Proposed Model

In this section, a detailed description of the algorithms of our proposed scheme (i.e., $Setup$, $KeyGeneration$, $Encrypt_{local}$, $Encrypt_{esp}$, $Decrypt_{dsp}$, $Decrypt_{local}$) is presented.
Setup$(\lambda) \rightarrow (PK, MK)$: Run by the $MAA$, Algorithm 1 takes the ECC domain parameters as an implicit security parameter $\lambda$. It defines the universal attribute set $U = \{att_1, att_2, \ldots, att_n\}$ as the attribute space of the system. A secure hash function $H: \{0, 1\}^* \rightarrow \mathbb{Z}_q$ is chosen to map the global identity $GID$. For each attribute $att_i \in U$, the $MAA$ chooses $\beta_i \in \mathbb{Z}_p$ uniformly at random; the public key component corresponding to each system attribute $att_i$ is $PK_i = \beta_i \cdot G$. It also chooses $\alpha \in \mathbb{Z}_p$ uniformly at random as the master secret key ($MSK$) and, accordingly, sets the master public key ($MPK$) to $PK = \alpha \cdot G$. Finally, the algorithm sets $MSK = (\alpha, \{\beta_i \mid i \in U\})$ and $PARAMS = (U, H, PK, \{PK_i \mid i \in U\})$.
Algorithm 1: Setup$(\lambda)$.
Input: Implicit security parameter $\lambda$.
Output: System secret key ($SMK$) and public parameters.
  • Define an elliptic curve $E$ over a finite field $\mathbb{Z}_r$ with prime order $r$.
  • Generate a cyclic subgroup $\mathbb{G}_E$ over $E$ with generator $G$ of order $q$.
  • Generate the universal attribute set $U = \{att_1, att_2, \ldots, att_n\}$.
  • For each $att_i \in U$, randomly choose an element $\beta_i \in \mathbb{Z}_q$.
  • The $MAA$ subsequently computes the public key component corresponding to each attribute $i$ as $\{PK_i = \beta_i \cdot G \mid i \in U\}$.
  • Randomly choose $\alpha \in \mathbb{Z}_q$ as the master secret key.
  • Accordingly, compute the master public key $PK = \alpha \cdot G$.
  • Set $PARAMS = (U, H, PK, \{PK_i = \beta_i \cdot G \mid i \in U\})$.
  • Set $MSK = (\alpha, \{\beta_i \mid i \in U\})$.
Encryption: To preserve data privacy and delegate most of the encryption computation, this algorithm specifies the access control policy tree as $\mathcal{T} = \mathcal{T}_{local} \wedge \mathcal{T}_{esp}$, where $\mathcal{T}_{local}$ and $\mathcal{T}_{esp}$ are two subtrees of $\mathcal{T}$ connected by a logical AND operator $\wedge$. This division of the access control tree leads to two algorithms: local encryption (Algorithm 2) and outsourced encryption (Algorithm 3).
Encrypt$_{local}(\mathcal{T}, M, PK) \rightarrow CT_{local}$: For optimal efficiency, $\mathcal{T}_{local}$ attaches only one virtual attribute, as shown in Figure 3. The algorithm randomly specifies a 1-degree polynomial $q_R(\cdot)$ and sets $q_R(0) = S$, $q_R(1) = S_1$ and $q_R(2) = S_2$, where $S, S_1, S_2 \in \mathbb{Z}_q$.
Let $\Omega_{local}$ be the set of leaf nodes in $\mathcal{T}_{local}$. This algorithm encrypts $M$ by computing $SK = S \cdot PK = (S_x, S_y)$ such that $SK \neq 0$ (i.e., not the point at infinity). Let $S_x$ serve as the encryption key and $S_y$ as the integrity key for $M$; then $C_M$ and $INT_M$ are computed as $Enc(S_x, M)$ and $HMAC(S_y, M)$, respectively. Finally, the algorithm outputs the temporal ciphertext
$$CT_{local} = \left(\mathcal{T}_{local},\ C_M,\ INT_M,\ \forall y \in \Omega_{local}: C_y = q_y(0) \cdot PK_y\right).$$
Encrypt$_{ESP}(\mathcal{T}_{esp}, S_1, CT_{local}, PK) \rightarrow CT$:
Let $\Omega_{ESP}$ be the set of leaf nodes in $\mathcal{T}_{esp}$. Beginning at the root node $R_1$ of the subtree $\mathcal{T}_{esp}$, this algorithm chooses a polynomial $q_x$ of degree $d_x - 1$ for each node $x$. Note that the value of the root node $R_1$ has already been set as $q_{R_1}(0) = q_R(1) = S_1$. The value of an inner node $x$ is calculated as $q_x(0) = q_{parent(x)}(index(x))$, and $k_x - 1$ coefficients are chosen at random to complete the polynomial $q_x$. Then, the algorithm generates the temporal ciphertext $CT_{ESP} = \left(\mathcal{T}_{esp},\ \forall y \in \Omega_{ESP}: C_y = q_y(0) \cdot PK_y\right)$. Combining this with the ciphertext received from the $DO$, the whole ciphertext is given as
$$CT = \left(\mathcal{T} = \mathcal{T}_{local} \wedge \mathcal{T}_{esp};\ C_M;\ INT_M;\ \forall y \in \Omega_{local} \cup \Omega_{ESP}: C_y = q_y(0) \cdot PK_y\right).$$
Key Generation$(S_u, MSK) \rightarrow K_u$: Algorithm 4 is run by the $MAA$ and generates the secret key $K_u$ for the valid attribute set $S_u$ of the corresponding $DU$. More specifically, upon receiving the claimed attribute set, the $MAA$ checks its validity and assigns a unique global identity $GID$ to this $DU$. It selects a random $t \in \mathbb{Z}_p$ and computes the local private key $K_{local} = \alpha^{1-t}$. For each attribute $i \in S_u$, the algorithm generates the corresponding component of the delegate key, $\mathbf{DK} = \{\forall i \in S_u: K_i = H(GID) \cdot \alpha^t \cdot \beta_i^{-1}\}$. Here, $\beta_i^{-1}$ is the inverse of the element $\beta_i \in \mathbb{Z}_p$ chosen in the setup phase.
Algorithm 2: $Encrypt_{local}$.
Input: Access structure $\mathcal{T}$, the message $M$, and public parameters $PARAMS$.
Output: Local version of the ciphertext $CT_{local}$.
  • Randomly specify a 1-degree polynomial $q_R(x)$ corresponding to the root $R$ of $\mathcal{T}$.
  • Randomly choose $S, S_1, S_2 \in \mathbb{Z}_q$.
  • Set the root node $R$ value to $q_R(0) = S$.
  • For the root nodes $R_1$ and $R_2$ of the subtrees, set $q_R(1) = S_1$ and $q_R(2) = S_2$, respectively.
  • Use ECC scalar point multiplication to compute $S \cdot PK = (S_x, S_y)$. Let $S_x$ and $S_y$ represent the encryption and integrity key for $M$, respectively.
  • Compute the encryption of message $M$, $C_M = Enc(S_x, M)$, using a secure symmetric cipher.
  • Compute the message authentication code $INT_M = HMAC(S_y, M)$ using an HMAC function.
  • Let $\Omega_{local}$ be the set of leaf nodes in $\mathcal{T}_{local}$.
  • For each $att_x \in \Omega_{local}$ do
  • $C_x = q_x(0) \cdot PK_x$ using ECC point multiplication.
  • End for.
  • Set the ciphertext $CT_{local} = \left(\mathcal{T}_{local},\ C_M,\ INT_M,\ \forall y \in \Omega_{local}: C_y = q_y(0) \cdot PK_y\right)$.
Algorithm 3: $Encrypt_{ESP}$.
Input: Access structure $\mathcal{T}_{esp}$, $S_1$, $CT_{local}$, and public parameters $PARAMS$.
Output: $CT$.
  • Randomly specify a polynomial $q_{R_1}$ of degree $K_{R_1} - 1$, where $K_{R_1}$ is the threshold of the root node of the subtree $\mathcal{T}_{ESP}$.
  • Set the value of the root node $R_1$ to $q_{R_1}(0) = S_1$.
  • Randomly select $K_{R_1} - 1$ coefficients to uniquely define $q_{R_1}$.
  • For each inner node $v$ in $\mathcal{T}_{esp}$ do
  • Set $q_v(0) = q_{parent(v)}(index(v))$.
  • Randomly select $K_v - 1$ coefficients to uniquely define $q_v$.
  • End for.
  • Let $\Omega_{ESP}$ be the set of leaf nodes in $\mathcal{T}_{esp}$.
  • For each $att_x \in \Omega_{ESP}$ do
  • $C_x = q_x(0) \cdot PK_x$ using ECC point multiplication.
  • End for.
  • The whole ciphertext is given by $CT = \left(\mathcal{T} = \mathcal{T}_{local} \wedge \mathcal{T}_{esp},\ C_M,\ INT_M,\ \forall y \in \Omega_{local} \cup \Omega_{ESP}: C_y = q_y(0) \cdot PK_y\right)$.
Algorithm 4: $KeyGen$.
Input: $DU$ claimed attribute set $S_u$, system master key $SMK$.
Output: $DU$ keys $K_{local}$ and $\mathbf{DK}$.
  • After confirming the claimed attribute set $S_u$, the $MAA$ assigns a globally unique identity $GID$ to the $DU$.
  • Select a random $t \in \mathbb{Z}_p$ and compute $\alpha^t$.
  • Compute and set $K_{local} = \alpha^{1-t}$.
  • For each $att_i \in S_u$ do
  • Compute $\beta_i^{-1}$, the inverse of $\beta_i \in \mathbb{Z}_p$.
  • Compute $K_i = H(GID) \cdot \alpha^t \cdot \beta_i^{-1}$.
  • End for.
  • Set the keys $K_{local} = (\alpha^{1-t})$ and $\mathbf{DK} = \left(\{\forall i \in S_u: K_i = H(GID) \cdot \alpha^t \cdot \beta_i^{-1}\};\ H(GID)\right)$.
Finally, the algorithm submits the secret keys $K_{local} = (\alpha^{1-t})$ and $\mathbf{DK} = \left(\{\forall i \in S_u: K_i = H(GID) \cdot \alpha^t \cdot \beta_i^{-1}\};\ H(GID)\right)$ to the concerned $DU$ via a secure channel.
Decryption: Realizing a CP-ABE scheme via ECC scalar point multiplication instead of bilinear pairing operations still poses a deployment challenge for lightweight devices, especially sensors. The scheme uses threshold secret sharing for secret distribution, and the subsequent reconstruction uses polynomial interpolation, a computationally heavy operation. The MDU is usually a device such as a mobile phone with limited resources. Hence, this phase delegates most of the decryption load to the $DSP$. It makes use of two algorithms, $Decrypt_{local}$ (Algorithm 5) and $Decrypt_{DSP}$ (Algorithm 6).
$\mathrm{Decrypt}_{DSP}(DK, PARAM, CT) \rightarrow CT_{temp}$
This algorithm is run by the $DSP$ and makes use of a recursive function $\mathrm{DecNode}(CT, DK, y)$. If $y$ is a leaf node, let $i = att(y)$; then $\mathrm{DecNode}(CT, DK, y)$ is defined as
$$\mathrm{DecNode}(CT, DK, y) = \begin{cases} \dfrac{K_i \cdot C_i}{H(GID)}, & i \in S_u \\ \bot, & \text{otherwise,} \end{cases}$$
which states that the output of $\mathrm{DecNode}(\cdot)$ is either an element of the EC group $G_E$ or null ($\bot$).
For a leaf node $y$ with $i = att(y) \in S_u$, the function $\mathrm{DecNode}(\cdot)$ evaluates to
$$\mathrm{DecNode}(CT, DK, y) = \frac{K_i \cdot C_i}{H(GID)} = \frac{H(GID)\cdot\alpha_t\cdot\beta_i^{-1}\cdot q_y(0)\cdot PK_i}{H(GID)} = \alpha_t\cdot\beta_i^{-1}\cdot q_y(0)\cdot\beta_i\cdot G = q_y(0)\cdot\alpha_t\cdot G.$$
For a non-leaf node $y$, it calls $\mathrm{DecNode}(\cdot)$ for each child $x$ and stores the result as $F_x$; let $S_y$ be an arbitrary $k_y$-sized set of child nodes $x$ with $F_x \neq \bot$. To reconstruct the value $F_y$ at node $y$ by Lagrange interpolation, the algorithm proceeds as follows:
$$F_y = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot \mathrm{DecNode}(CT, DK, x),$$
where $i = index(x)$, $S'_y = \{index(x) : x \in S_y\}$ and $\Delta_{i, S'_y}(0)$ is the Lagrange coefficient, so that
$$F_y = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_x(0)\cdot\alpha_t\cdot G = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_{parent(x)}(index(x))\cdot\alpha_t\cdot G = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_y(i)\cdot\alpha_t\cdot G = q_y(0)\cdot\alpha_t\cdot G.$$
Accordingly, the recursive function $\mathrm{DecNode}(CT, DK, R)$ at the root node $R$ returns $q_R(0)\cdot\alpha_t\cdot G$. Finally, the temporal ciphertext is set as $CT_{temp} = \{F_R\}$.
$\mathrm{Decrypt}_{local}(K_{local}, CT_{temp}) \rightarrow M$. After receiving the intermediate ciphertext $CT_{temp}$, the $MDU$ calculates $F_R \times K_{local} = q_R(0)\cdot\alpha_t\cdot G \times \alpha_t^{-1} = q_R(0)\cdot\alpha\cdot G = s\cdot\alpha\cdot G = s\cdot PK = (\bar S_x, \bar S_y)$. Here, $\bar S_x$ and $\bar S_y$ are the recovered keys for decryption and integrity of the message $M$, respectively. Therefore, after decrypting $M = Dec(\bar S_x, C_M)$, the $MDU$ checks whether $HMAC(\bar S_y, M) = INT_M$ to confirm that $M$ was received correctly and has not been tampered with. Hence, the proposed scheme provides confidentiality, authenticity, and integrity of the encrypted data, which is the top priority of any health-related application.
Algorithm 5: $\mathrm{Decrypt}_{DSP}$.
Input: Delegate key component $DK$, system public parameters $PARAM$ and ciphertext $CT$.
Output: Temporal ciphertext $CT_{temp}$.
  • Let $y$ be a node in $T$.
  • If $y$ is a leaf node with $i = att(y)$ AND $i \in S_u$ then
  • Compute $F_y = \dfrac{K_i \cdot C_i}{H(GID)} = \dfrac{H(GID)\cdot\alpha_t\cdot\beta_i^{-1}\cdot q_y(0)\cdot PK_i}{H(GID)} = \alpha_t\cdot\beta_i^{-1}\cdot q_y(0)\cdot\beta_i\cdot G = q_y(0)\cdot\alpha_t\cdot G$.
  • Else
  • Set $F_y = Null$.
  • End if.
  • For each non-leaf node $y$ in $T$ do
  • Let $S_y$ represent a $k_y$-sized set of child nodes $x$ with $F_x \neq Null$.
  • If no such set exists then
  • Set $F_y = Null$.
  • Else
  • Compute, with the Lagrange coefficients $\Delta_{i, S'_y}(0)$, $i = index(x)$, $S'_y = \{index(x) : x \in S_y\}$,
    $F_y = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot \mathrm{DecNode}(CT, DK, x) = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_x(0)\cdot\alpha_t\cdot G = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_{parent(x)}(index(x))\cdot\alpha_t\cdot G = \sum_{x \in S_y} \Delta_{i, S'_y}(0)\cdot q_y(i)\cdot\alpha_t\cdot G = q_y(0)\cdot\alpha_t\cdot G$.
  • End if.
  • End for.
  • Let $R$ represent the root node of $T$.
  • If $F_R \neq Null$ then recursively compute $F_R = q_R(0)\cdot\alpha_t\cdot G$.
  • End if.
  • Set the temporal ciphertext $CT_{temp} = \{F_R\}$.
Algorithm 6: $\mathrm{Decrypt}_{local}$.
Input: $DU$ local secret key $K_{local}$ and temporal ciphertext $CT_{temp}$.
Output: Message $M$.
  • Compute $F_R \cdot K_{local} = q_R(0)\cdot\alpha_t\cdot G \times \alpha_t^{-1} = q_R(0)\cdot\alpha\cdot G = s\cdot\alpha\cdot G = s\cdot PK = (\bar S_x, \bar S_y)$.
  • Decrypt $M = Dec(\bar S_x, C_M)$ and compute $INT'_M = HMAC(\bar S_y, M)$.
  • If $INT'_M = INT_M$ then
  •   $M$ is valid; return $M$.
  • Else
  •   Reject: $M$ is not valid (the ciphertext or the intermediate result was tampered with).
  • End if.

5. Security Analysis

This section presents the security proof and also assesses the collusion resistance and the attribute/user revocation features of the proposed scheme.

5.1. Security Proof

The security proof of our scheme in the selective-set security model is presented as a game between a challenger $C$ and an attacker $A$, in which the attacker tries to answer the challenges posed by the challenger. Since our scheme is based on ECC, breaking it is reduced to breaking the hardness of the elliptic curve decisional Diffie–Hellman (ECDDH) assumption.
Theorem 1.
If an adversary $A$ in the selective-set model successfully attacks our proposed scheme with advantage at most $\epsilon$, then a simulator $S_\beta$ can be built that distinguishes an elliptic curve DDH tuple with non-negligible advantage $\epsilon/2$.
Proof. 
Suppose there exists an adversary $A$ that, in the selective-set security model, breaks our scheme in polynomial time with non-negligible advantage $\epsilon$; then we can build a simulator $S_\beta$ that plays the ECDDH game with advantage $\epsilon/2$ in polynomial time.
Firstly, the challenger $C$ generates an EC group $G_E$ of order $q$ over the finite field $\mathbb{Z}_q$ with base point $G$. Then, $C$ flips a fair binary coin $\mu \in \{0, 1\}$ outside of $S_\beta$'s view and picks random $c, d, z \in \mathbb{Z}_q$. The choices for $\mu$ are:
- Case 1. If $\mu = 0$, the ECDDH challenge instance $(A, B, Z) = (c\cdot G,\ d\cdot G,\ c\cdot d\cdot G)$ is sent to $S_\beta$.
- Case 2. If $\mu = 1$, the ECDDH challenge instance $(A, B, Z) = (c\cdot G,\ d\cdot G,\ z\cdot G)$ is sent to $S_\beta$.
Initialization: The simulator $S_\beta$ runs the adversary $A$ to obtain an access structure $T$ on which $A$ wants to be challenged.
Setup: The simulator $S_\beta$ sends the public parameters to the adversary $A$ as follows:
  • $S_\beta$ first sets the system parameter $Y = A = c\cdot G$.
  • Then, for every attribute $i$ in $U$, $S_\beta$ sets $Y_i$ according to the following condition:
    • If $i \in T$, it sets $Y_i = r_i\cdot G$ and $y_i = r_i$, where $r_i$ is chosen at random from $\mathbb{Z}_q$.
    • If $i \in (U \setminus T)$, it sets $Y_i = \beta_i\cdot B$, where $\beta_i$ is chosen at random from $\mathbb{Z}_q$.
  • It sends the system public parameters $\{Y, Y_i, i \in U\}$ to $A$ and keeps the parameter $y_i$ secret.
    In the above scenario, $A$ does not observe any change, as $\{Y, Y_i\}$ and $y_i$ correspond to $\{PK, PK_i\}$ and $\beta_i$ of the proposed scheme.
Phase 1: $A$ adaptively requests a number of secret key components $K_{A_1}, K_{A_2}, \ldots, K_{A_n}$ for attribute sets $A_1, A_2, \ldots, A_n$ such that none of the attribute sets associated with the requested key components satisfies $T$. $S_\beta$ returns the key components $K_i$ to $A$ as follows:
Case 1. If $i \in T$, it sets
$$K_i = H(GID)\cdot\alpha_t\cdot r_i^{-1}$$
Case 2. If $i \in (U \setminus T)$, it sets
$$K_i = H(GID)\cdot\alpha_t\cdot(\beta_i\cdot d)^{-1}$$
The distributions of both terms in Equations (1) and (2) are uniform; thus, from $A$'s perspective, the key components generated by $S_\beta$ are identical to those of the basic scheme.
Challenge: $A$ submits two equal-length messages $M_0$ and $M_1$ to $S_\beta$. First, $S_\beta$ splits $T$ into $T_{local}$ and $T_{esp}$ and sends $T_{local}$ to the DO. It randomly selects $S, S_1, S_2 \in \mathbb{Z}_q$ and sets $q_R(0) = S$ for the root node $R$ according to the proposed scheme. $S_\beta$ also sends $T_{esp}$ along with $S_1$ to the ESP (i.e., the sink node) to distribute it over the remaining attributes in $T$. $S_\beta$ then randomly selects a bit $b \in \{0, 1\}$, encrypts $M_b$ and generates the ciphertext $CT$ as follows:
$$SK_{S_\beta} = S\cdot Y = (S_x, S_y)$$
Hence, $S_x$ and $S_y$ represent the encryption and integrity keys for the message $M_b$, respectively. Afterwards, $S_\beta$ computes $C_i = r_i\cdot B$.
After computing $C_{S_\beta} = Enc(M_b, S_x)$ and $INT_{M_b} = HMAC(M_b, S_y)$, $S_\beta$ transmits the following ciphertext to the adversary $A$:
$$CT = \left(T \text{ (composed of } T_{local} \text{ and } T_{esp}),\ C_{S_\beta},\ INT_{M_b},\ C_i\right)$$
The challenger $C$ has flipped the coin $\mu \in \{0, 1\}$, so the following cases arise:
  • If $\mu = 0$ (Case 1, identical to our original encryption), then $Z = c\cdot d\cdot G$. Therefore, if $S$ is set to $d$, we have $SK_{S_\beta} = d\cdot Y = d\cdot c\cdot G = Z$ and $C_i = q_x(0)\cdot Y_i = d\cdot Y_i = d\cdot r_i\cdot G = r_i\cdot B$ for $i \in T$.
  • If $\mu = 1$ (Case 2, different from our proposed scheme), then $Z = z\cdot G$. Therefore, if $S$ is set to $z$, it turns out that $SK_{S_\beta} = z\cdot Y = z\cdot c\cdot G$, which is not equal to $Z$, and $C_i = z\cdot Y_i = z\cdot r_i\cdot G = r_i\cdot Z$.
Phase 2: $A$ and $S_\beta$ follow the same steps as in Phase 1.
Guess: $A$ outputs a guess $b'$ of $b$ to $S_\beta$.
  • If $b' = b$, $S_\beta$ outputs $\mu' = 0$, indicating a valid ECDDH instance $(A, B, Z) = (c\cdot G, d\cdot G, c\cdot d\cdot G)$.
  • If $b' \neq b$, $S_\beta$ outputs $\mu' = 1$, indicating a random instance $(A, B, Z) = (c\cdot G, d\cdot G, z\cdot G)$.
Now, according to the security game, when $\mu = 1$ the adversary $A$ cannot predict $M_b$; thus we have
$$\Pr[b' \neq b \mid \mu = 1] = \frac{1}{2}$$
Since $S_\beta$ outputs $\mu' = 1$ when $b' \neq b$, this gives
$$\Pr[\mu' = \mu \mid \mu = 1] = \frac{1}{2}$$
When $\mu = 0$, the adversary $A$ predicts the correct $M_b$ with its advantage; thus we have
$$\Pr[b' = b \mid \mu = 0] = \frac{1}{2} + \epsilon$$
Since $S_\beta$ outputs $\mu' = 0$ when $b' = b$, we have
$$\Pr[\mu' = \mu \mid \mu = 0] = \frac{1}{2} + \epsilon$$
According to the selective-set security model of our proposed scheme, the overall advantage of $S_\beta$ in this game, using Equations (8) and (10), is
$$\epsilon' = \frac{1}{2}\Pr[\mu' = \mu \mid \mu = 0] + \frac{1}{2}\Pr[\mu' = \mu \mid \mu = 1] - \frac{1}{2}$$
or,
$$\epsilon' = \frac{1}{2}\left(\frac{1}{2} + \epsilon\right) + \frac{1}{2}\cdot\frac{1}{2} - \frac{1}{2}$$
or,
$$\epsilon' = \frac{1}{4} + \frac{\epsilon}{2} + \frac{1}{4} - \frac{1}{2}$$
or,
$$\epsilon' = \frac{\epsilon}{2}$$
Hence, $S_\beta$ distinguishes ECDDH tuples with non-negligible advantage $\epsilon/2$, which contradicts the ECDDH assumption; this proves the security of our proposed scheme under the ECDDH assumption. □

5.2. Secure against Collusion Attack

One of the most anticipated attacks on any attribute-based system is a collusion attack, so the designers of such a system must rule it out in their construction. Let us assume that multiple users possess secret key components such that no individual secret key alone grants access to the message. They act as an attacker and launch a collusion attack, i.e., combine their secret keys, to decrypt a message that is encrypted under the intersection (common attributes) of their attribute sets. Assume they assemble secret key components labeled with their common attribute set in the form
$$SK_u = \left(K_0 = \{\alpha_t^{-1}\},\ K_i = H(GID)\cdot\alpha_t\cdot\beta_i^{-1}\right)$$
Even after pooling their secret keys, they are still unable to decrypt the message, because the random choice of $GID$ for each user means the leaf evaluation
$$\frac{K_i\cdot C_i}{H(GID)} \quad \text{for every } i$$
cannot be satisfied with a single $H(GID)$ across components issued to different users. Hence, binding each secret key component to its attribute together with a unique global identity $GID$ and a random number $t \in \mathbb{Z}_p$ per user makes the proposed scheme resistant to collusion attacks.

5.3. Attribute/User Revocation

Nowadays, revocation is a desirable property of any ABE-based scheme. Equipping an ABE scheme with revocation is not a simple task, for the following reasons. First, the attribute authority labels each user's secret key with attributes drawn from a universal set rather than with a unique user-specific attribute; as a result, a malicious user cannot simply be singled out by an attribute or a set of attributes. Second, after the revocation of a misbehaving user, the system must still prevent collusion even when the revoked user's attributes overlap with those of non-revoked users. ABE schemes support two types of revocation, direct and indirect, to address these issues. Indirect revocation places the burden on the TAA to update and distribute the non-revoked users' secret keys at every revocation event. Direct revocation does not require updating the secret keys of non-revoked users, but all contemporary direct revocation schemes require the system's users to maintain an up-to-date and long list of revoked users, which must be attached to the ciphertext. This computation and storage overhead in the encryption and decryption algorithms grows linearly with the number of revoked users.
Given the resource-constrained and medical-centric characteristics of our proposed scheme, indirect revocation handled by the MAA fits our eHealth scenario well, and the computation and storage cost of our scheme is independent of the number of revoked users. The KGC of the MAA explicitly maintains the list of global IDs (GID) and the associated attribute list of each registered user. To revoke a system attribute from the universal set of attributes, the KGC deletes that attribute's public key. Similarly, to revoke a user-specific attribute, the KGC deletes the corresponding secret key component of that specific user. To revoke a user, the KGC deletes the entire attribute set and the GID assigned to that user. For all of these revocation scenarios, the MAA updates the delegated key $DK$ with the help of $MSK$ and the revoked component $DK_\beta$ of the revoked attribute $\beta$, and produces a new delegated key $DK'_\beta$ for that attribute. Furthermore, our proposed scheme avoids the need for a private channel between the MAA and the non-revoked users for the dissemination of the updated delegated key $DK'_\beta$, since the delegated key alone, without $K_{local}$, does not yield $s\cdot PK$.

6. Performance Analysis

In this section, we compare our proposed scheme with five related schemes in [19,20,21,22,23], in terms of its features, communication overhead, and computation overhead. Moreover, for the sake of fair comparison, we set n = 20 and m = 10 representing attributes in universal set and encryption, respectively.

6.1. Features Analysis

Table 2 depicts the comparison of various features of our scheme with related schemes for a WBAN from four perspectives: encryption delegation, decryption delegation, integrity check, and attribute revocation. Additionally, our proposed scheme lacks time-based access control and hierarchical access control support. In some practical scenarios, it is inevitable to provide access control for a specific time interval. For instance, a medical document may have different privacy requirements for a different period. More specifically, fewer medical experts have access to the medical record at an early time, while more experts can get access to it at a later time point. Similarly, the hierarchical access permission ensures access to the corresponding documents based on the specific role of the data users. For example, the hospital president can access all the information of the patients and doctors, while the medical experts can access his/her patient information only.

6.2. Communication Overhead

Communication overhead relates to message transfer. In the most commonly adopted ABE architectures, the minimum set of messages that must be transmitted consists of the public key, the private key, and the ciphertext. For the sake of analysis, we take the lengths of these messages as the metric to determine and compare the relative communication overhead. Most contemporary ABE schemes use bilinear pairing, a map involving two groups $G_1$ and $G_T$; because of the underlying modular exponentiation, these are termed RSA-based ABE schemes here. Accordingly, we call our scheme an ECC-based ABE scheme.
As is well known, ECC offers much stronger security per bit; we consider the 160-bit curve secp160r1, whose security strength corresponds to 1024-bit RSA. Based on this assumption, the size of both the public and the private key in an RSA-based ABE scheme is 1024 bits, while the size of an element in $G_1$ and in $G_T$ is 1024 bits and 2048 bits, respectively. Accordingly, an elliptic curve point, with both coordinates, is 320 bits. As a result, the private key and public key sizes in ECC-based ABE schemes are 160 bits and 320 bits, respectively. For the comparison, the communication overhead is computed identically for each RSA-based ABE scheme; we compute the overhead of [23] for illustration. The ciphertext in [23] is given by
$$CT = \left(\tilde C = M\cdot e(g,g)^{\alpha s},\ C = g^{s},\ \{C_i = g^{a\lambda_i}\cdot g^{r_i H(att(i))},\ D_i = g^{r_i} \mid i = 1, \ldots, m\}\right),$$
where $m$ represents the maximum number of attributes attached to the ciphertext. According to the setup phase of that scheme, $g$ and $e(g,g)$ belong to the groups $G_1$ and $G_T$, respectively. As a result, the sizes of the ciphertext components $\tilde C$, $C$, $\{C_i\}$ and $\{D_i\}$ are 2048, 1024, $2m \times 1024$ and $m \times 1024$ bits, respectively. In this way, the length of the ciphertext $CT$ is $(3m + 3) \times 1024 = 33{,}792$ bits for $m = 10$. The public key is $PK = \{g, e(g,g)^{\alpha}, g^{\alpha}, H\}$, so its length is $4 \times 1024 = 4096$ bits. In addition, the private key is given by $K = \left(g^{\alpha}, L = g^{t}, \{K_x = g^{H(att(x))\,t} \mid x \in S\}\right)$, where $S$ represents the user's set of attributes associated with the key $K$. Therefore, the private key length of scheme [23] computes to $(m + 3) \times 1024 = 13{,}312$ bits.
Similarly, we compute the public key, private key, and ciphertext lengths of our scheme. According to the encryption process of our proposed scheme, the ciphertext is $CT = \left(T, C_M, INT_M, \{C_y = q_y(0)\cdot PK_y \mid y \in T\}\right)$. The size of the access structure $T$ is taken as constant for all schemes and is therefore left out of the total ciphertext size. Here, $C_M$ and $INT_M$ are each counted as a single elliptic curve coordinate of 160 bits, while each $C_y$ is a full curve point of 320 bits. Thus, the ciphertext length of our proposed scheme computes to $(m + 1) \times 320 = 3520$ bits. The public key components of our scheme are $(PK, \{PK_i \mid i \in U\})$, each a single point on the elliptic curve, giving $(n + 1) \times 320 = 6720$ bits. The private key of our scheme is $K_{local} = (\alpha_t^{-1})$, $DK = \left(\{i \in S_u : K_i = H(GID)\cdot\alpha_t\cdot\beta_i^{-1}\}\right)$; hence, its length computes to $(m + 1) \times 160 = 1760$ bits.
We can see from Table 3 that the ciphertext and private key sizes of our proposed scheme are significantly lower than those of all other schemes. We can observe from Table 3 that only the length of the public key in our proposed scheme is higher than the scheme with a constant-size public key [19,23]. However, overall communication overhead for the private key, the public key, and ciphertext size in our scheme is significantly lower than that of [19]. Moreover, the scheme in [23] is based on KP-ABE as opposed to our CP-ABE-based scheme, which provides more control to the patient over the recipient of its sensitive medical data. Moreover, the generation of the public key is a one-time process in the lifetime of the system.

6.3. Computation Overhead

The computation overhead is mainly caused by the ABE scheme's operations, including bilinear pairing, ECC scalar point multiplication, exponentiation, hashing, and basic arithmetic and logical operations. We consider the most expensive operations: modular exponentiation, bilinear pairing, and elliptic curve scalar point multiplication; the cost of the remaining, far cheaper operations can be ignored [3]. For simplicity, Table 4, based on [37], lists the execution time (in milliseconds) required by each group operation. According to [37], a single bilinear pairing and a single modular exponentiation cost about 10 and 2 times an ECC scalar point multiplication, respectively.
To evaluate the computation overhead of the proposed scheme, we need the individual computation overhead of the users and the service providers on both the encryption and the decryption side. Therefore, Table 5 compares the computation overhead incurred by the MDO and the ESP in encryption offloading and by the MDU and the DSP in decryption offloading. As our scheme is free of costly pairing operations, the execution times of all metrics are lower than those of the other schemes. Table 5 also shows that the unwanted linear growth of ABE cost with the number of attributes is shifted to the comparatively resource-rich service providers (DSP and ESP); hence, the data users are left with a significantly smaller, constant number of operations. Thus, based on these performance assessments, our scheme is the more efficient solution for a WBAN in terms of communication, computation, and security.

6.4. Rank-Based Evaluation of Performance Matrices

In this research work, a fuzzy-logic-based evaluation built on the evaluation based on distance from average solution (EDAS) method is used to rank the proposed scheme against state-of-the-art algorithms in terms of computational cost operations, such as KeyGen, Enc$_{Local}$, Enc$_{Out}$, Dec$_{Local}$, and Dec$_{Out}$, on both the sender and the receiver side, so as to find the top-ranked scheme in efficiency. These performance metrics/operations of the proposed scheme are compared with those of the existing state-of-the-art schemes in this section.
In this evaluation, the EDAS approach is used to collect the cross-efficiency values of the parameters of five schemes, including the proposed scheme. The aggregate appraisal score ($\lambda$) used to rank the schemes is computed from the positive distance from the average solution, denoted $(PI)$, and the negative distance from the average solution, denoted $(NI)$.
In Table 6 below, the performance metrics are taken as the criteria for the state-of-the-art schemes.
Step 1: Calculate the average solution ($\psi$) of all metrics, Equation (7):
$$(\psi_\beta) = [\psi_\beta]_{1\times\delta}$$
where
$$\psi_\beta = \frac{\sum_{\alpha=1}^{x} X_{\alpha\beta}}{x}$$
with $X_{\alpha\beta}$ the value of the $\alpha$th scheme on the $\beta$th criterion, $x$ the number of schemes and $\delta$ the number of criteria. The above step takes the performance metrics as benchmarks of the various schemes; the aggregate of Equations (7) and (8) gives the average value ($\psi_\beta$, written $AV_\beta$ below) for each benchmark against each given value in Table 7.
Step 2: In this step of the EDAS method, the positive distance from the average, denoted $(PI)$, is calculated as shown in Equations (9)–(11):
$$PI = [(PI)_{\alpha\beta}]_{\delta\times\delta}$$
If the $\beta$th criterion is beneficial (larger is better), then
$$(PI)_{\alpha\beta} = \frac{\max\left(0,\ (X_{\alpha\beta} - AV_\beta)\right)}{AV_\beta}$$
and if it is non-beneficial (a cost, as for every execution-time criterion here), then
$$(PI)_{\alpha\beta} = \frac{\max\left(0,\ (AV_\beta - X_{\alpha\beta})\right)}{AV_\beta}$$
The results are reproduced in Table 8.
Step 3: In this step of the EDAS, the negative distance from the average, denoted $(NI)$, is calculated using Equations (12), (13) and (15):
$$(NI) = [(NI)_{\alpha\beta}]_{\delta\times\delta}$$
If the $\beta$th criterion is beneficial, then
$$(NI)_{\alpha\beta} = \frac{\max\left(0,\ (AV_\beta - X_{\alpha\beta})\right)}{AV_\beta}$$
and if it is non-beneficial, then
$$(NI)_{\alpha\beta} = \frac{\max\left(0,\ (X_{\alpha\beta} - AV_\beta)\right)}{AV_\beta}$$
In the above equations, $(PI)_{\alpha\beta}$ and $(NI)_{\alpha\beta}$ stand for the positive and the negative distance of the $\alpha$th appraised algorithm from the average value of the $\beta$th performance parameter, respectively. $(PI)$ and $(NI)$ are mirror images: for a cost criterion, a scheme below the average gains positive distance and a scheme above it gains negative distance.
The results obtained are shown in Table 8.
Step 4: In this step, the weighted sum of $(PI)$ for the rated algorithms, shown in Table 9, is
$$(SPI)_\alpha = \sum_{\beta=1}^{\delta} y_\beta\,(PI)_{\alpha\beta}$$
Step 5: In this step, the weighted sum of $(NI)_{\alpha\beta}$ for the rated algorithms, shown in Table 10, is given by Equation (16):
$$(SNI)_\alpha = \sum_{\beta=1}^{\delta} y_\beta\,(NI)_{\alpha\beta}$$
where $y_\beta$ is the weight of the $\beta$th criterion. The results obtained are reflected in Table 10.
Step 6: In this step, the normalized scores of $(SPI)_\alpha$ and $(SNI)_\alpha$ for the rated algorithms are calculated as presented in Equations (17) and (18):
$$N(SPI)_\alpha = \frac{(SPI)_\alpha}{\max_\alpha\left((SPI)_\alpha\right)}$$
$$N(SNI)_\alpha = 1 - \frac{(SNI)_\alpha}{\max_\alpha\left((SNI)_\alpha\right)}$$
Step 7: In this step, the scores $N(SPI)_\alpha$ and $N(SNI)_\alpha$ are combined into the appraisal score (AS), denoted $\lambda$, for the rated algorithms, Equation (19):
$$\lambda_\alpha = \frac{1}{2}\left(N(SPI)_\alpha + N(SNI)_\alpha\right)$$
where $0 \le \lambda_\alpha \le 1$. The appraisal score ($\lambda$) is thus the aggregate of $N(SPI)_\alpha$ and $N(SNI)_\alpha$.
Step 8: In this step, the appraisal scores ($\lambda$) are sorted in decreasing order and the ranking of the rated algorithms is concluded from that order. The top-ranked algorithm has the highest ($\lambda$). Thus, in Table 11 below, the proposed algorithm has the highest ($\lambda$).
The final results of the overall ranking are represented in Table 11.
The ranking shows that the proposed algorithm is the best of the five state-of-the-art algorithms in the stated research domain.
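The eight EDAS steps above, run end to end, as an added example (editor's code, not the paper's evaluation script). The cost matrix is constructed for illustration and is not Table 6, the scheme names are hypothetical, the weights $y_\beta$ default to equal, and the $(PI)$/$(NI)$ formulas follow the standard EDAS definitions, with the sign flipped for cost (non-beneficial) criteria as every execution-time criterion here is. The `beneficial` flags are kept so the sign flip of Steps 2 and 3 stays visible; a scheme that is cheapest on every criterion ends with $\lambda = 1$, one that sits exactly on the average ends with $\lambda = 0.5$, and one that is most expensive everywhere ends with $\lambda = 0$.

```python
# EDAS ranking (Steps 1-8 above) over a constructed cost matrix. Example code added by the editor;
# the figures are made up for illustration and are not the paper's Table 6.
CRITERIA = ["KeyGen", "Enc_local", "Enc_out", "Dec_local", "Dec_out"]
BENEFICIAL = [False] * len(CRITERIA)          # execution times: lower is better on every criterion

# Constructed X[alpha][beta] (hypothetical ms figures): rows are schemes, columns follow CRITERIA.
SAMPLE = {
    "Proposed": [2.0, 1.0, 4.0, 1.0, 4.0],    # cheapest everywhere
    "S1":       [6.0, 3.0, 8.0, 3.0, 8.0],    # most expensive everywhere
    "S2":       [4.0, 2.0, 6.0, 2.0, 6.0],    # exactly the column averages
}


def edas(X, beneficial, weights=None):
    """Return ({scheme: appraisal score lambda}, intermediate tables AV/PI/NI/SPI/SNI)."""
    rows, ncrit = list(X), len(beneficial)
    w = weights or [1.0 / ncrit] * ncrit                                    # y_beta, equal by default
    av = [sum(X[r][b] for r in rows) / len(rows) for b in range(ncrit)]    # Step 1: AV_beta
    pi, ni = {}, {}
    for r in rows:                                                          # Steps 2-3
        pi[r] = [max(0.0, (X[r][b] - av[b]) if beneficial[b] else (av[b] - X[r][b])) / av[b]
                 for b in range(ncrit)]
        ni[r] = [max(0.0, (av[b] - X[r][b]) if beneficial[b] else (X[r][b] - av[b])) / av[b]
                 for b in range(ncrit)]
    spi = {r: sum(w[b] * pi[r][b] for b in range(ncrit)) for r in rows}    # Step 4
    sni = {r: sum(w[b] * ni[r][b] for b in range(ncrit)) for r in rows}    # Step 5
    max_spi, max_sni = max(spi.values()), max(sni.values())
    nspi = {r: (spi[r] / max_spi if max_spi else 0.0) for r in rows}       # Step 6
    nsni = {r: (1.0 - sni[r] / max_sni if max_sni else 1.0) for r in rows}
    score = {r: 0.5 * (nspi[r] + nsni[r]) for r in rows}                   # Step 7: lambda_alpha
    return score, {"AV": av, "PI": pi, "NI": ni, "SPI": spi, "SNI": sni}


def rank(X=SAMPLE, beneficial=BENEFICIAL, weights=None):
    """Step 8: (scheme, lambda) pairs ordered by decreasing appraisal score."""
    score, _ = edas(X, beneficial, weights)
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, lam in rank():
        print(f"{lam:.3f}  {name}")
```

To reproduce the paper's Table 11 one would replace `SAMPLE` with the execution times of Table 6 and, if the authors weighted the operations unequally, pass those weights; the guard against a zero maximum only matters when all schemes tie on every criterion, in which case every $\lambda$ is $0.5$.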

7. Conclusions and Future work

In summary, we presented a secure and efficient ABE architecture that outsources the intensive encryption and decryption operations. Further, leveraging the lightweight features of ECC and the primitive syntax of CP-ABE, our scheme reduces the computation cost of both encryption and decryption on the user side to a constant. Our solution enables the resource-scarce and lightweight WBAN sensors to securely upload and retrieve sensitive medical data in public clouds at a minimum constant cost. The inherent features of attribute/user revocation and verifiability of outsourced data further strengthen the security of our scheme. The proposed scheme is proven secure under the ECDDH assumption in the selective-set security model. The performance assessment of our scheme shows a significant overall efficiency in terms of storage, computation, and communication. Further, the final outputs of the EDAS ranking method place the proposed approach at the top rank, confirming that it outperforms the other reference schemes. As future work, we will investigate the incorporation of time-based access control and hierarchical access control into our scheme.

Author Contributions

Formal analysis, S.K. (Shahzad Khan), A.W., G.M. and S.K. (Shawal Khan); funding acquisition, M.Z. and R.R.B.; investigation, G.M.; methodology, S.K. (Shahzad Khan), W.I. and S.K. (Shawal Khan); project administration, R.R.B.; supervision, W.I.; writing—original draft, S.K. (Shahzad Khan); writing—review and editing, A.W. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the School of Engineering and Sciences at Tecnologico de Monterrey.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Ali, S.T.; Sivaraman, V.; Ostry, D. Zero reconciliation secret key generation for body-worn health monitoring devices. In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, Tucson, AZ, USA, 16–18 April 2012; pp. 39–50.
  2. Khan, S.; Khan, S.; Zareei, M.; Alanazi, F.; Kama, N.; Alam, M.; Anjum, A. ABKS-PBM: Attribute-Based Keyword Search With Partial Bilinear Map. IEEE Access 2021, 9, 46313–46324.
  3. Yao, X.; Chen, Z.; Tian, Y. A lightweight attribute-based encryption scheme for the Internet of Things. Future Gener. Comput. Syst. 2015, 49, 104–112.
  4. Hu, C.; Li, H.; Huo, Y.; Xiang, T.; Liao, X. Secure and efficient data communication protocol for wireless body area networks. IEEE Trans. Multi-Scale Comput. Syst. 2016, 2, 94–107.
  5. Belguith, S.; Jemai, A.; Attia, R. Enhancing data security in cloud computing using a lightweight cryptographic algorithm. In Proceedings of the 11th International Conference on Autonomic and Autonomous Systems, Rome, Italy, 24–29 May 2015; pp. 98–103.
  6. Li, Y.; Wang, G.; Nie, L.; Wang, Q.; Tan, W. Distance metric optimization driven convolutional neural network for age invariant face recognition. Pattern Recognit. 2018, 75, 51–62.
  7. Nogueira, R.F.; de Alencar Lotufo, R.; Machado, R.C. Fingerprint liveness detection using convolutional neural networks. IEEE Trans. Inf. Forensics Secur. 2016, 11, 1206–1213.
  8. Zhang, Y.; Qiu, M.; Tsai, C.W.; Hassan, M.M.; Alamri, A. Health-CPS: Healthcare cyber-physical system assisted by cloud and big data. IEEE Syst. J. 2015, 11, 88–95.
  9. Shi, W.; Cao, J.; Zhang, Q.; Li, Y.; Xu, L. Edge computing: Vision and challenges. IEEE Internet Things J. 2016, 3, 637–646.
  10. Zhang, Q.; Zhang, Q.; Shi, W.; Zhong, H. Distributed collaborative execution on the edges and its application to amber alerts. IEEE Internet Things J. 2018, 5, 3580–3593.
  11. Zhang, Q.; Sun, H.; Wu, X.; Zhong, H. Edge video analytics for public safety: A review. Proc. IEEE 2019, 107, 1675–1696.
  12. Sun, X.; Zhang, P.; Sookhak, M.; Yu, J.; Xie, W. Utilizing fully homomorphic encryption to implement secure medical computation in smart cities. Pers. Ubiquitous Comput. 2017, 21, 831–839.
  13. Cai, Z.; Yan, H.; Li, P.; Huang, Z.a.; Gao, C. Towards secure and flexible EHR sharing in mobile health cloud under static assumptions. Clust. Comput. 2017, 20, 2415–2422.
  14. Green, M.; Hohenberger, S.; Waters, B. Outsourcing the decryption of ABE ciphertexts. In Proceedings of the USENIX Security Symposium, San Francisco, CA, USA, 8–12 August 2011; Volume 2011, No. 3.
  15. Chen, L.; Hoang, D.B. Novel data protection model in healthcare cloud. In Proceedings of the 2011 IEEE International Conference on High Performance Computing and Communication, Banff, AB, Canada, 2–4 September 2011; pp. 550–555.
  16. Waters, B. Efficient identity-based encryption without random oracles. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005.
  17. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98.
  18. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP'07), Berkeley, CA, USA, 20–23 May 2007; pp. 321–334.
  19. Li, J.; Jia, C.; Li, J.; Chen, X. Outsourcing encryption of attribute-based encryption with MapReduce. In Proceedings of the International Conference on Information and Communications Security, Chongqing, China, 17–19 September 2012; pp. 191–201.
  20. Li, J.; Huang, X.; Li, J.; Chen, X.; Xiang, Y. Securely outsourcing attribute-based encryption with checkability. IEEE Trans. Parallel Distrib. Syst. 2013, 25, 2201–2210.
  21. Asim, M.; Petkovic, M.; Ignatenko, T. Attribute-based encryption with encryption and decryption outsourcing. In Proceedings of the 12th Australian Information Security Management Conference, Perth, Australia, 1–3 December 2014.
  22. Zhong, H.; Zhou, Y.; Zhang, Q.; Xu, Y.; Cui, J. An efficient and outsourcing-supported attribute-based access control scheme for edge-enabled smart healthcare. Future Gener. Comput. Syst. 2021, 115, 486–496.
  23. Li, Z.; Li, W.; Jin, Z.; Zhang, H.; Wen, Q. An efficient ABE scheme with verifiable outsourced encryption and decryption. IEEE Access 2019, 7, 29023–29037.
  24. Khan, S.; Zareei, M.; Khan, S.; Alanazi, F.; Alam, M.; Waheed, A. OO-ABMS: Online/Offline-Aided Attribute-Based Multi-Keyword Search. IEEE Access 2021, 9, 114392–114406.
  25. Pang, L.; Yang, J.; Jiang, Z. A survey of research progress and development tendency of attribute-based encryption. Sci. World J. 2014, 2014, 193426.
  26. Catarinucci, L.; De Donno, D.; Mainetti, L.; Palano, L.; Patrono, L.; Stefanizzi, M.L.; Tarricone, L. An IoT-aware architecture for smart healthcare systems. IEEE Internet Things J. 2015, 2, 515–526.
  27. Tan, S.Y.; Yeow, K.W.; Hwang, S.O. Enhancement of a lightweight attribute-based encryption scheme for the Internet of Things. IEEE Internet Things J. 2019, 6, 6384–6395.
  28. Tan, Y.L.; Goi, B.M.; Komiya, R.; Tan, S.Y. A study of attribute-based encryption for body sensor networks. In Proceedings of the International Conference on Informatics Engineering and Information, Kuala Lumpur, Malaysia, 14–16 November 2011.
  29. Tian, Y.; Peng, Y.; Peng, X.; Li, H. An attribute-based encryption scheme with revocation for fine-grained access control in wireless body area networks. Int. J. Distrib. Sens. Netw. 2014, 10, 259798.
  30. Coyne, E.J.; Feinstein, H.; Sandhu, R.; Youman, C.E. Role-based access control models. IEEE Comput. 1996, 29, 38–47.
  31. Sowjanya, K.; Dasgupta, M. A ciphertext-policy attribute based encryption scheme for wireless body area networks based on ECC. J. Inf. Secur. Appl. 2020, 54, 102559.
  32. Basar, S.; Ali, M.; Ochoa-Ruiz, G.; Waheed, A.; Rodriguez-Hernandez, G.; Zareei, M. A Novel Defocused Image Segmentation Method based on PCNN and LBP. IEEE Access 2021, 9, 87219–87240.
  33. Mehmood, G.; Khan, M.Z.; Waheed, A.; Zareei, M.; Mohamed, E.M. A trust-based energy-efficient and reliable communication scheme (trust-based ERCS) for remote patient monitoring in wireless body area networks. IEEE Access 2020, 8, 131397–131413.
  34. Basar, S.; Ali, M.; Ochoa-Ruiz, G.; Zareei, M.; Waheed, A.; Adnan, A. Unsupervised color image segmentation: A case of RGB histogram based K-means clustering initialization. PLoS ONE 2020, 15, e0240015.
  35. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005.
  36. Cao, Q.; Li, Y.; Wu, Z.; Miao, Y.; Liu, J. Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control. World Wide Web 2020, 23, 959–989.
  37. Karati, A.; Amin, R.; Biswas, G. Provably secure threshold-based ABE scheme without bilinear map. Arab. J. Sci. Eng. 2016, 41, 3201–3213.
Figure 1. eHealth in smart societies.
Figure 2. System model.
Figure 3. Access policy with subtree.
Table 1. Notations.
Notation | Description
λ | Security parameter
p | Number of elements in the finite field Z_p
q | Order of G in E
E_q(a, b) | An elliptic curve defined over the finite field Z_q
G | A base point in E_q(a, b)
G ⊂ E | A cyclic subgroup of E of order q
Z_q | A finite field whose integer elements are {0, 1, ..., q−1}
Z_q* | Z_q* = Z_q \ {0}
K·P | Scalar point multiplication, P ∈ E_q
O | The point at infinity of the elliptic curve group
PARAMS | The system public key parameters
SMK | Master secret key of the system
HMAC(S_y, M) | Hash function producing the message integrity check of M under integrity key S_y
Enc(S_x, M) | Encryption of message M with symmetric key S_x
Dec(S_x, C_M) | Decryption of ciphertext C_M with symmetric key S_x
T_BP | Time cost of a bilinear pairing operation
T_EXP | Time cost of an exponentiation
T_PM | Time cost of an elliptic curve scalar point multiplication
Table 2. Features comparison (columns: [19], [20], [21], [22], [23], Proposed; only the × cells survived extraction, the check marks did not).
Encrypt Delegation: ×
Decrypt Delegation: ×
Integrity Check: × × ×
Attribute Revocation: × × × × ×
Table 3. Parameters size (bits).
Scheme | Private Key Size | Public Key Size | Ciphertext Size
[19] | (2m+2)×1024 = 22,522 | 3×1024 = 3072 | (2m+2)×1024 = 22,528
[20] | (5m+3)×1024 = 54,272 | (n+3)×1024 = 23,552 | (2m+3)×1024 = 23,552
[21] | (m+4)×1024 = 14,336 | (n+4)×1024 = 24,576 | (2m+3)×1024 = 23,552
[22] | (3m+1)×1024 = 31,744 | (n+3)×1024 = 23,552 | (2m+1)×1024 = 21,504
[23] | (m+3)×1024 = 13,312 | 4×1024 = 4096 | (3m+3)×1024 = 33,792
Proposed | (m+1)×160 = 1760 | (n+1)×320 = 6720 | (m+1)×320 = 3520
Table 4. Execution time for cryptographic operations.
Operation | T_BP | T_EXP | T_PM
Time (ms) | 20.04 | 5.31 | 2.21
Table 5. Computational overhead (ms).
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut
[19] | (1+3m)T_EXP = 164.61 | 5T_EXP = 26.55 | 2m·T_EXP = 106.2 | 2m(T_BP + T_EXP) = 507 | -
[20] | (7m+5)T_EXP = 398.25 | (4+2m)T_EXP = 127.44 | - | T_EXP = 5.31 | 2m(T_BP + T_EXP) + 2T_BP = 547.08
[21] | (3m+7)T_EXP = 196.47 | (2m+3)T_EXP = 122.13 | (2m+1)T_EXP = 111.51 | T_EXP = 5.31 | (2m+1)T_BP + (3m+1)T_EXP = 584.61
[22] | (1+4m)T_EXP = 217.71 | 5T_EXP = 26.55 | (2m−2)T_EXP = 95.98 | T_BP + 2T_EXP = 30.66 | 2m(T_BP + T_EXP) = 506.8
[23] | (m+4)T_EXP = 127.44 | 4T_EXP = 21.24 | 3m·T_EXP = 159.3 | T_BP = 20.04 | 2m·T_EXP + m·T_BP = 306.4
Proposed | (m+1)T_EXP = 111.51 | 2T_PM = 4.42 | (m−2)T_PM = 17.68 | T_PM = 2.21 | 2m·T_PM = 44.2
Table 6. Analysis results of average.
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut
[19] | 0.1877 | 0.5148 | 0 | 0 | 1
[20] | 0 | 0 | 1 | 0.9441 | 0
[21] | 0 | 0 | 0.3 | 0.7350 | 0
[22] | 0 | 0.5148 | 0 | 0.6775 | 0
[23] | 0.3711 | 0.6118 | 0 | 0.7892 | 0.0757
Proposed | 0.4497 | 0.9192 | 0.7838 | 0.9767 | 0.8666
Table 7. Cross-efficient values.
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut
[19] | 164.61 | 26.55 | 106.2 | 507 | 0
[20] | 398.25 | 127.44 | 0 | 5.31 | 547.08
[21] | 196.47 | 122.13 | 111.51 | 5.31 | 584.61
[22] | 217.71 | 26.55 | 95.98 | 30.66 | 506.8
[23] | 127.44 | 21.24 | 159.3 | 20.04 | 306.4
Proposed | 111.51 | 4.42 | 17.68 | 2.21 | 44.2
ψ_β (average) | 202.665 | 54.7216 | 81.7783 | 95.0883 | 331.515
Table 8. Analysis results of average (N_I).
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut
[19] | 0 | 0 | 0.2986 | 4.3318 | 0
[20] | 0.9650 | 1.3288 | 0 | 0 | 0.6502
[21] | 0 | 1.2318 | 0.3635 | 0 | 0.7634
[22] | 0.9523 | 5.0067 | 4.4287 | 12.8733 | 10.4660
[23] | 0 | 0 | 0.9479 | 0 | 0
Proposed | 0 | 0 | 0 | 0 | 0
Table 9. Analysis results of the aggregate (P_I).
Criteria (W) | 0.4176 | 0.2850 | 0.1453 | 0.0844 | 0.0676 | (SP_I)_α
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut | (SP_I)_α
[19] | 0.0784 | 0.1467 | 0 | 0 | 0.0676 | 0.2927
[20] | 0 | 0 | 0.1453 | 0.0796 | 0 | 0.2250
[21] | 0.0127 | 0 | 0 | 0.0796 | 0 | 0.0924
[22] | 0 | 0 | 0 | 0 | 0 | 0
[23] | 0.1550 | 0.1743 | 0 | 0.0666 | 0.0051 | 0.4011
Proposed | 0.1878 | 0.2619 | 0.1139 | 0.0824 | 0.0586 | 0.7047
Table 10. Analysis results of the aggregate (N_I).
Criteria (W) | 0.4176 | 0.2850 | 0.1453 | 0.0844 | 0.0676 | (SN_I)_α
Scheme | KeyGen | EncLocal | EncOut | DecLocal | DecOut | (SN_I)_α
[19] | 0 | 0 | 0.0434 | 0.3656 | 0 | 0.4090
[20] | 0.4030 | 0.3787 | 0 | 0 | 0.0439 | 0.8257
[21] | 0 | 0.3510 | 0.0528 | 0 | 0.0516 | 0.4555
[22] | 0 | 0 | 0 | 0 | 0 | 0
[23] | 0 | 0 | 0.1377 | 0 | 0 | 0.1377
Proposed | 0 | 0 | 0 | 0 | 0 | 0
Table 11. Analysis results of five state-of-the-art schemes.
Scheme | (SP_I)_α | (SN_I)_α | N(SP_I)_α | N(SN_I)_α | λ_α | Ranking
[19] | 0.2927 | 0.4090 | 0.4154 | 0.5046 | 0.4600 | 4
[20] | 0.2250 | 0.8257 | 0.3192 | 0 | 0.1596 | 6
[21] | 0.0924 | 0.4555 | 0.1311 | 0.4483 | 0.2897 | 5
[22] | 0 | 0 | 0 | 1 | 0.5 | 3
[23] | 0.4011 | 0.1377 | 0.5691 | 0.8331 | 0.7011 | 2
Proposed | 0.7047 | 0 | 1 | 1 | 1 | 1
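Tables 6 to 11 are the intermediate steps of the EDAS ranking: the column averages of Table 7 (ψ_β), the positive and negative distances from that average (Tables 6 and 8), their weighted sums (Tables 9 and 10), and the normalised appraisal score λ_α (Table 11). The script below is an added check, not code from the paper; it recomputes the whole chain from the Table 7 raw costs and the "Criteria (W)" weights of Table 9, treating every metric as a cost criterion (lower is better) because all five are execution times. It reproduces the Table 11 ranking order and the appraisal scores of [19], [20], [23] and Proposed to within rounding; the recomputed SP and SN for [21] and [22] come out different from the values printed in Tables 9 and 10, so those two rows are worth re-checking against the paper's own arithmetic.

```python
"""Recompute the EDAS appraisal of Tables 6-11 from the raw costs of Table 7.

Added worked example; the constants are copied from the paper's tables.
"""
from typing import Dict, List, NamedTuple, Tuple

# Raw costs in ms, copied from Table 7 (columns KeyGen, EncLocal, EncOut,
# DecLocal, DecOut). A "-" in Table 5 (phase absent) is carried as 0,
# exactly as Table 7 does.
COSTS: Dict[str, List[float]] = {
    "[19]": [164.61, 26.55, 106.2, 507.0, 0.0],
    "[20]": [398.25, 127.44, 0.0, 5.31, 547.08],
    "[21]": [196.47, 122.13, 111.51, 5.31, 584.61],
    "[22]": [217.71, 26.55, 95.98, 30.66, 506.8],
    "[23]": [127.44, 21.24, 159.3, 20.04, 306.4],
    "Proposed": [111.51, 4.42, 17.68, 2.21, 44.2],
}
# Criteria weights from the "Criteria (W)" row of Tables 9 and 10.
WEIGHTS: List[float] = [0.4176, 0.2850, 0.1453, 0.0844, 0.0676]


class Appraisal(NamedTuple):
    scheme: str
    sp: float     # weighted positive distance from average, (SP_I)_a
    sn: float     # weighted negative distance from average, (SN_I)_a
    nsp: float    # SP / best SP
    nsn: float    # 1 - SN / worst SN
    score: float  # appraisal score lambda_a = (NSP + NSN) / 2


def average_solution(costs: Dict[str, List[float]]) -> List[float]:
    """Column-wise mean over all alternatives (the psi_beta row of Table 7)."""
    rows = list(costs.values())
    return [sum(col) / len(rows) for col in zip(*rows)]


def distances(x: List[float], av: List[float]) -> Tuple[List[float], List[float]]:
    """PDA and NDA of one alternative. Every metric is a cost (lower is
    better), so a value below the average is a positive distance and a value
    above it is a negative one; each is clipped at zero as EDAS requires."""
    pda = [max(0.0, (a - v) / a) for v, a in zip(x, av)]
    nda = [max(0.0, (v - a) / a) for v, a in zip(x, av)]
    return pda, nda


def edas_rank(costs: Dict[str, List[float]], weights: List[float]) -> List[Appraisal]:
    """Full EDAS chain: average -> PDA/NDA -> weighted SP/SN -> normalise -> score."""
    av = average_solution(costs)
    sums: Dict[str, Tuple[float, float]] = {}
    for name, row in costs.items():
        pda, nda = distances(row, av)
        sp = sum(w * p for w, p in zip(weights, pda))
        sn = sum(w * n for w, n in zip(weights, nda))
        sums[name] = (sp, sn)
    max_sp = max(sp for sp, _ in sums.values())
    max_sn = max(sn for _, sn in sums.values())
    result = []
    for name, (sp, sn) in sums.items():
        # Degenerate case: if no alternative ever beats (or trails) the
        # average, the normaliser is zero and every NSP (NSN) is taken as 1.
        nsp = sp / max_sp if max_sp else 1.0
        nsn = 1.0 - sn / max_sn if max_sn else 1.0
        result.append(Appraisal(name, sp, sn, nsp, nsn, (nsp + nsn) / 2.0))
    return sorted(result, key=lambda a: a.score, reverse=True)


def ranking(costs: Dict[str, List[float]] = COSTS,
            weights: List[float] = WEIGHTS) -> List[str]:
    """Scheme names ordered best to worst, i.e. the Ranking column of Table 11."""
    return [a.scheme for a in edas_rank(costs, weights)]


if __name__ == "__main__":
    for rank, a in enumerate(edas_rank(COSTS, WEIGHTS), start=1):
        print(f"{rank}  {a.scheme:9s} SP={a.sp:.4f} SN={a.sn:.4f} "
              f"NSP={a.nsp:.4f} NSN={a.nsn:.4f} score={a.score:.4f}")
```

Running it prints Proposed, [23], [22], [19], [21], [20] in that order, which is the Ranking column of Table 11. Swapping a column from cost to benefit (for example, if a future version of the comparison added a throughput metric) only requires flipping the sign inside `distances` for that column; the rest of the chain is unchanged.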
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

MDPI and ACS Style

Khan, S.; Iqbal, W.; Waheed, A.; Mehmood, G.; Khan, S.; Zareei, M.; Biswal, R.R. An Efficient and Secure Revocation-Enabled Attribute-Based Access Control for eHealth in Smart Society. Sensors 2022, 22, 336. https://doi.org/10.3390/s22010336