An Efficient and Secure Revocation-Enabled Attribute-Based Access Control for eHealth in Smart Society

Abstract

The ever-growing ecosystem of the Internet of Things (IoT) integrating with the ever-evolving wireless communication technology paves the way for adopting new applications in a smart society. The core concept of smart society emphasizes utilizing information and communication technology (ICT) infrastructure to improve every aspect of life. Among the variety of smart services, eHealth is at the forefront of these promises. eHealth is rapidly gaining popularity to overcome the insufficient healthcare services and provide patient-centric treatment for the rising aging population with chronic diseases. Keeping in view the sensitivity of medical data, this interfacing between healthcare and technology has raised many security concerns. Among the many contemporary solutions, attribute-based encryption (ABE) is the dominant technology because of its inherent support for one-to-many transfer and fine-grained access control mechanisms to confidential medical data. ABE uses costly bilinear pairing operations, which are too heavy for eHealth’s tiny wireless body area network (WBAN) devices despite its proper functionality. We present an efficient and secure ABE architecture with outsourcing intense encryption and decryption operations in this work. For practical realization, our scheme uses elliptic curve scalar point multiplication as the underlying technology of ABE instead of costly pairing operations. In addition, it provides support for attribute/users revocation and verifiability of outsourced medical data. Using the selective-set security model, the proposed scheme is secure under the elliptic curve decisional Diffie–Hellman (ECDDH) assumption. The performance assessment and top-ranked value via the help of fuzzy logic’s evaluation based on distance from average solution (EDAS) method show that the proposed scheme is efficient and suitable for access control in eHealth smart societies.

1. Introduction

The transformative effect of eHealth on smart society (shown in Figure 1) enables wearable medical devices for a vast number of applications, such as wearable fitness trackers, smart health watches, electrocardiogram (ECG) monitors, blood presser monitors, biosensors, etc. On the other front, advances in wireless communication lead to the emergence of the solidified and specialized wireless area network for these worn-on or implanted devices; the wireless body area network (WBAN). A WBAN typically consists of tiny biosensors or sensors (wearable and/or implanted) to collect/forward vital signs to the mobile or fixed gateway. It was developed to enable around-the-clock availability of a patient’s medical data to healthcare professionals. This unremitting availability of data will efficiently utilize healthcare resources and makes in-home monitoring for patients having chronic diseases [1]. Unlike conventional sensor networks, a WBAN operates on more critical and sensitive patient information that demands significant security and privacy preservation from the practical aspect of this technology. This concern leads to the desire for more control of their data from the data owner end. This self-contradicting aspect results in severe security challenges for its practical adaptation. In the presence of its underlying Internet of Things (IoT) infrastructure, conventional encryption techniques preclude its adaption for WBAN security. Specifically, public-key encryption suffers from high computation, certificate, and key management overhead issues. The dynamic secret key management hinders the application of symmetric encryption as well. Considering the nature of WBAN healthcare systems, it is inevitable to provide this crucial data to its concerned healthcare professionals. Hence, traditional role-based access control and identity-based encryption (IBE) cannot guarantee fine-grained and one-to-many data transfer. Recently, attribute-based encryption (ABE) has gained popularity for secure access control mechanisms to confidential data because of its inherent support for fine-grained access and one-to-many transfer. ABE is a particular type of IBE; the user’s ID is described by the set of attributes, in which the data is encrypted for all those users who are the possessors of that specific set of attributes. The ABE schemes are categorized into two variants: ciphertext policy (CP-ABE) and key-policy (KP-ABE). Using CP-ABE, the data owner embeds access policy inside ciphertext and the private key of the end user is attached to the attribute set. Anyone can perform the decryption operation if his/her attributes matched with the specified access policy. While in KP-ABE, private keys are attached with the access control policy and ciphertext are attached with the attribute set [2]. In the context of WBAN, ciphertext policy ABE (CP-ABE) is more appropriate because it provides more control to the data owners (patient in WBAN) over the recipients [3] (medical stuff in WBAN) as opposed to its other type, i.e., key-policy ABE (KP-ABE) [4]. The only series concern for most contemporary ABE schemes is that they rely heavily on expensive bilinear pairing and exponentiation operation in the encryption and decryption algorithm. This intense computation hinders its deployment for WBAN resource-constrained sensors [3,5]. This leads to the development of non-pairing ABE schemes in the research community. As a result, the most recent work equips the ABE with the elliptic curve cryptography (ECC) algorithms, which have much stronger bit security and also replace the ten times more expensive bilinear pairing operation with scalar point multiplication on an elliptic curve [3]. At the same time, because of underlying ABE technology, linearity properties entrust the ECC algorithm with heavy operations. As we know, the number of operations linearly increases with the number of attributes and hence incurs a heavy load on WBAN sensors. Therefore, a secure and efficient management mechanism is needed, which stands this operation to an acceptable and minimum constant range for WBAN sensors nodes. In this paper, by utilizing Hu et al.’s [4] secure framework for WBAN, we have proposed an efficient and secure ECC-based CP-ABE scheme for WBAN.

Figure 1. eHealth in smart societies.

Our Contribution

The primary contribution of our work is as follows:

• Considering the resource-scarce nature of WBAN, we have proposed an efficient and secure ABE scheme with outsourcing intense encryption and decryption operations without revealing the secret key/data content to the WBAN data sink node and cloud server digital signal processing (DSP), respectively.
• Our proposed scheme is based on elliptic curve point scalar multiplication instead of costly bilinear pairing operations to address the resource-constrained nature of WBAN, especially the sensors. This feature makes it more appealing to smart healthcare.
• Our proposed scheme supports indirect attribute/users revocation without the need for maintaining a private channel between the trusted attribute authority and the non-revoked users for disseminating updated decryption keys.
• The proposed scheme inherently supports the integrity check, thus increasing the security and reliability of medical data.
• The proposed scheme is secure under the elliptic curve decisional Diffie–Hellman (ECDDH) assumption using the selective-set security model.
• The performance assessment of our scheme shows a significant overall efficiency in storage, computation, and communication.

2. Related Work and Background Knowledge

This section presents a brief overview of existing work and all the cryptographic primitives used to construct our proposed scheme.

2.1. Related Work

With the emerging use of e-healthcare systems, patients are not only concerned for the security of their personal information but also worry for the privacy of their biological characteristics [6,7]. To improve the performance, early approaches utilized cloud computing models for e-healthcare systems. For example, in [8] they have proposed a patient-oriented four-layer cloud-based e-healthcare system. With the emergence of edge computing and its proximity to resource-constrained devices, many edge-based e-healthcare systems [9,10] are proposed. In [11], the author developed a first-aid service to provide emergency aid to the patients rapidly. However, the early approach lacks the much-needed security requirements. For the realization of security in smart healthcare, the author in [12] utilizes fully homomorphic encryption (FHE) to encrypt the data. For better security, Cai et al. [13] create a novel medical record based on the mobile cloud without compromising too much performance. Still, the above system does not devise any proper access control mechanism for these medical records. So, to better protect data privacy, some schemes equipped with access control were proposed [14,15]. For example, in [15], the author suggests a role-based access control with the capability of origin tracing and further scrutinizing the authorization of access made to the system resources. However, fine-grained access control is needed for better and flexible access, which requires the exposure of specific portions of data to the relevant medical professionals. Attributed to its inherent expressiveness and fine-grained access support, attribute-based encryption (ABE) has emerged. Sahi and waters [16] were the first to interpret the identity of users as a set of attributes and were able to propose a fuzzy variation of identity-based encryption (IBE). Attributed to the placement of access policy, ABE has two variations, namely key-policy ABE (KP-ABE) [17] and ciphertext policy ABE (CP-ABE) [18]. Li et al. [19] propose the outsourcing of encryption with MapReduce to relieve local computation overhead. Li et al. [20] construct a novel ABE scheme which outsourced both the key-issuing and decryption with the verification of the results returned from the cloud server. Asim et al. [21], with the help of a semi-trusted proxy, outsourced the computation of message encryption by utilizing the El-Gamal cipher. However, the scheme is proven in the generic group model. Zong et al. [22] utilize the edge-enabled environment for outsourcing part of encryption and decryption to the edge node for the smart healthcare system. Zhidan et al. [23] propose the construction of an ABE scheme with verifiable delegation both for encryption and decryption to an untrusted encryption service provider (ESP) and a decryption service provider (DSP), respectively. Khan et al. [24] propose an online/offline-aided attribute-based multi-keyword search (OOABMS) scheme to delegate most heavy computation operations to the offline phase before acquiring the attribute-based access control policy or keywords. However, all of these ABE schemes were heavily dependent on a costly bilinear pairing operation [25]. Later, in [26], the author proposed a free-pairing lightweight KP-ABE scheme using ECC for resource constraint of IoT infrastructure. Consequently, Tan et al. [27] introduces the concept of key out-sourcing property in [26] for better efficiency without compromising its security. Several body sensor network (BSN) [28,29], are proposed for the cloud environment that exhibits their usability and favorability for the key-policy type of ABE in different scenarios. KP-ABE transferred the computation overhead of access policy formulation to the medical attribute authority (MAA) from the patient but at the same time offered no control over it. CP-ABE offers complete control over who has access to the sensitive medical data, making it conceptually similar to the role-based access control [30] model.

These appealing characteristics for WBAN resulted in the basis for many proposed [18] schemes with various features such as policy update, hidden access policy, traceability, and revocability. These schemes mainly utilized costly pairing operations. Considering the resource constraint nature of a WBAN, pairing-free ABE schemes should be the first choice of a WBAN. In this direction, Ref. [31] proposed a pairing-free ECC-based CP-ABE scheme. However, similar to most of the schemes, this also suffers from the inherent linearity property of ABE. For the sake of practical deployment, we have designed a pairing-free CP-ABE scheme based on ECC with a minimal constant number of scalar point multiplication.

Basar et al. [32] present an image segmentation method based on pulse coupled neural network (PCNN) and local binary pattern (LBP) components. The proposed method is robust because the presented model’s parameters can be modified for different situations. The proposed algorithm has been tested on a dataset that consists of 1000 defocused images. The results show that the proposed algorithm outperforms contemporary algorithms on different evaluation metrics such as accuracy and precision. A fuzzy logic-based ranking based on EDAS has been used for ranking. The experimental results and evaluation show that the proposed scheme outperforms contemporary schemes in terms of time complexity and accuracy.

Mehmood et al. [33] developed a trust-based energy-efficient and reliable communication scheme named trust-based ERCS for remote patient monitoring in eHealth applications. A cooperative communication strategy is used in the proposed scheme to ensure trust and reliability. Furthermore, privacy preservation and a fuzzy-logic rank-based method have been used in the proposed scheme. The detailed experimental results and ranking demonstrated that the proposed scheme outperforms the available contemporary schemes.

Similarly, Basar et al. [34] present a method for an RGB histogram-based K-means clustering initialization for unsupervised color image segmentation. In this method, an adaptive initialization approach has been used to determine the number of clusters and initial central points of each cluster to solve the segmentation issues of color images. The proposed method is compared with well-known unsupervised segmentation methods on various segmentation parameters. Furthermore, the EDAS (evaluation based on distance from average solution) technique is used to rank segmentation integrity. The experimental results show that the proposed method outperformed the contemporary methods. However, due to classification errors, the proposed method is not recommended for healthcare medical applications.

2.2. Background Knowledge

This section presents all the cryptographic primitives used for the construction of our proposed ECC-based ABE scheme, including elliptic curve cryptosystem, lagrange interpolation for secret reconstruction, and access control structure.

2.3. Elliptic Curve Cryptosystem and Its Related Complexity Assumptions

An elliptic curve E over a prime finite field ${\mathbb{Z}}_p$ is defined by a cubic equation

$$y^2(modp)=x^3+a·x+b(modp)$$

while the set of parameters $(p,a,b,\mathbb{G},n)$ can be used for its description, where $x,y,a,b\in {\mathbb{Z}}_p$, and $4a^3+27b^2\ne 0$. All the point operations in ECC must be define to form a cyclic group ${\mathbb{G}}_E$ over E.

Definition 1

(Elliptic curve discrete logarithm problem (ECDLP)). Given points P and Q on the curve, i.e., $P,Q,\in {\mathbb{G}}_E$, it is intractable for a polynomial time algorithm to get the random chosen value $K\in {\mathbb{Z}}_q^{\ast }$ such that $Q=K\ast P$.

Definition 2

(Elliptic curve computational Diffie–Hellman problem (ECCLP)). For generator G of ${\mathbb{G}}_E$ and randomly chosen values $c,d,\in {\mathbb{Z}}_q^{\ast }$, given $(c·G,d·G,G)$ it is intractable for a polynomial time algorithm to get $c·d·G$.

Definition 3

(Elliptic curve decisional Diffie–Hellman problem (ECDLP)). Given randomly chosen values $c,d\in {\mathbb{Z}}_q^{\ast }$ and generator G and any point Z of ${\mathbb{G}}_E$, it is impossible to distinguish between the two probability distributions $(c·G,d·G,c·d·G)$ and $(c·G,d·G,Z)$.

Definition 4

(Access tree). Access tree [17]. Let a tree $\mathcal{T}$ represent an access structure. Each non-leaf node of $\mathcal{T}$ is identified by a threshold gate, associated by its corresponding threshold value and its children. In this case, if $d_x$ is the threshold value of node x and $nu{m}_x$ is its number of children, then $1\le d_x\le nu{m}_x$. When $d_x=nu{m}_x$, the threshold gate is an AND gate, and when $d_x=1$, it is an OR gate. Each leaf node x of $\mathcal{T}$ is identified by a threshold $d_x=1$ value and an attribute. Further, definitions and notations can be obtained from [35].

In ABE, the lagrange interpolation is used for secret reconstruction. The lagrange coefficient ${▵}_{i,s}$ for a random number in ${\mathbb{Z}}_p^{\ast }$ and a set of random elements corresponding to each element in ${\mathbb{Z}}_p^{\ast }$ is given by ${▵}_{i,s\left(x\right)}={\Pi }_{j\in s,j\ne i}\frac{x-j}{i-j}$.

3. System and Security Model

Figure 2 depicts the main components of our proposed scheme, namely the medical attribute authority (MAA), cloud service provider (CSP), body area network (BAN), data sink (DS), and medical data user (MDU). This section presents an overview of the roles played by each component.

Figure 2. System model.

MAA: The MAA acts as a key generation center (KGC) and the only fully trusted entity in the system model. KGC is responsible for the registration of all system users [36]. Through the initialization phase, it produces public parameters (PARAMS), a system master key (SMK), and secret key components (SK) against a set of attributes $S_u$ specific to each user.

CSP: This entity is providing services for storage and partial decryption via sub-entities storage service provider (SSP) and decryption service provider (DSP), respectively. The SSP stores the encrypted health-related data for each registered patient and serves as a repository for all the uploaded data. DSP performs partial decryption service to the interested MDU’s without knowing the actual data contents.

BAN: Body area network is a wireless network consisting of small biosensors. It could be implanted (placed inside the human body), wearable (on the body), or carried based on its specific use. Its deployment aims to persistently measure and notice the abnormal changes in the vital body parameters. Subsequently, consult in real time the healthcare professional for life support. Sensors are suffering from a scarcity of vital resources in memory, battery power, and computation power. In the traditional framework, these [31] resource-constrained sensors are entrusted with the expensive secret distribution mechanism for access formulation along with its prime tasks of sensing, processing, and transmission. Moreover, because of the ABE linearity property, the encryption complexity grows with the size of the access policy. Exploiting the delegation property of the CP-ABE mode of encryption, we offload most of the computation to the gateway. More specifically, retaining part of the secret for little processing locally while exposing part of it to the gateway for most processing still ensures information-theoretical security of a secret.

DS: DS acts as a gateway for aggregation and dissemination of its corresponding sensor data to the MAA. It could be a mobile device such as a smartphone or a specialized BAN controller. Hence, it has significantly more memory, processing, and transmission capacity as opposed to the sensors. These features make us compel in our proposed framework to delegate most of the processing overhead from sensors to the DS. The traditional framework [31] devotes this unit to the function of forwarding only, which is not a judicious use of this entity considering its resources.

MDU: It could be a doctor, nurse, or any other healthcare expert. To be registered into the system, each MDU must prove its credentials and affiliation in a set of attributes to the KGC. The KGC needs to verify the validity of these claimed attributes, subsequently computes its corresponding secret key components, and sends it via a secure channel to its concerned user. These secret key components are uniquely generated to prevent collision attacks by associating a random number to them. As long as the MDU poses the required set of attributes, it can access any patient’s encrypted data. MDU is usually a device, such as a mobile phone, with limited resources. In our framework, we shift most of the decryption overhead to the DSP of MAA. As a result, after retrieving the partially encrypted data from the DSP, it needs to perform a minor operation on its full decryption.

In our threat model, we take the CSP honest-but-curious, adapted by most of the ABKS schemes, which means they will honestly run the algorithm and infer privacy information based on the available data. The medical attribute authority and the data owner (DO) are fully trusted entities in our system model. Corrupted data users (DU) may also collide with each other. To prove the security of an ABE scheme, the selective-set security model generally makes use of a game between the challenger $\mathcal{C}$ and an attacker $\mathcal{A}$. In this game, the attacker faces challenges posed by the challenger to solve the underlying security assumption. Following are the six steps defined in our security game for our proposed scheme against a chosen-plaintext attack [35].

Initialization:$\mathcal{A}$ declares the encryption attribute set in the form of an access structure ${\mathcal{T}}^{\ast }$ that he wants to be challenged upon.

Setup: To generates the system parameters, $\mathcal{C}$ runs the setup algorithm, keeps the SMK to itself and sends the public parameter PARAMS to adversary $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ is allowed to adoptively ask for a set of secret key components $K_A^1,K_A^2,\dots ,K_A^n$ of attribute sets ${\mho }_1,{\mho }_2,\dots ,{\mho }_n$ such that all the attribute sets associated to the corresponding secret key components do not satisfy the ${\mathcal{T}}^{\ast }$.

Challenge: Now, $\mathcal{A}$ submits two equal length messages $M_0$ and $M_1$ to $\mathcal{C}$ with ${\mathcal{T}}^{\ast }$. $\mathcal{C}$ flips binary coin b $\in \{0,1\}$ to encrypt $M_b$ under ${\mathcal{T}}^{\ast }$ and sends the generated ciphertext $C{T}^{\ast }$ to $\mathcal{A}$.

Phase 2: Both adversary $\mathcal{A}$ and challenger $\mathcal{C}$ adoptively repeat the same steps as they did in phase 1.

Guess:$\mathcal{A}$ outputs a guess $b^{\prime }$ of b to $\mathcal{C}$.

The advantage $ϵ$ gained by $\mathcal{A}$ in the above game is defined by $ϵ=(pr[b^{\prime }=b]-\frac{1}{2})$.

Table 1 lists all the notations used in this work.

Table 1. Notations.

Notations	Description
$\lambda$	Security parameter
P	Represents the number of elements in the finite field ${\mathbb{Z}}_p$
q	Represents the order of $\mathbb{G}$ in $\mathbb{E}$
${\mathbb{E}}_q(a,b)$	An elliptic curve defined over the finite field ${\mathbb{Z}}_q$
G	A base point in ${\mathbb{E}}_q(a,b)$
${\mathbb{G}}_{\mathbb{E}}$	A cyclic subgroup of $\mathbb{E}$ of order q
${\mathbb{Z}}_q$	A finite field, whose integer elements are $\{0,1,\dots ,q-1\}$
${\mathbb{Z}}_q^{\ast }$	${\mathbb{Z}}_q^{\ast }={\mathbb{Z}}_q\backslash \left\{0\right\}$
$K\ast P$	Scalar point multiplication, $P\in {\mathbb{E}}_q$
O	A point at infinity of an elliptic curve group
$PARAMS$	The system public key parameter
$SMK$	Master secret key of the system
$HMAC(S_y,M)$	Hash function to output message integrity check of M using integrity key $S_y$
$Enc(S_x,M)$	Encryption of message M with symmetric key $S_x$
$Dec(S_x,C_M)$	Decryption of ciphertext $C_M$ with symmetric key $S_x$
$T_{BP}$	Time cost of bilinear pairing operation
$T_{EXP}$	Time cost of exponentiation
$T_{PM}$	Time cost of elliptic curve scalar point multiplication

4. Proposed Model

In this section, a detail description of our proposed scheme algorithms (i.e., $Setup$, $KeyGeneration$, $Encryp{t}_{local}$, $Encryp{t}_{esp}$, $Decryp{t}_{dsp}$, $Decryp{t}_{local}$) is presented.

Setup ($\mathit{\lambda })\to \mathit{PK},\mathit{MK}$: Run by $MAA$, the Algorithm 1 takes EEC domain parameters as an implicit security parameter $\lambda$ as input. Define the universal attribute set $U=\{at{t}_1,at{t}_2,\dots at{t}_n\}$ for attribute space in the system. A secure hash function $H:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_q^{\ast }$ is chosen to map global identity $GID$. $MAA$ for each attribute $at{t}_i\in U$, chooses ${\beta }_i\in {\mathbb{Z}}_p^{\ast }$ uniformly at random. The public key components corresponding to each system attribute $at{t}_i$ is given by $P{K}_i={\beta }_i·G$. Moreover, it chooses $\alpha \in {\mathbb{Z}}_p^{\ast }$ uniformly at random to be the master secret key $\left(MSK\right)$. Thereafter, setting accordingly, the master public key $\left(MPK\right)$ is $PK=\alpha ·G$. Finally, the algorithm sets the $MSK=(\alpha ,{\beta }_i|i\in U)$ and $PARAMS=(U,H,PK,\left\{P{K}_i\right|i\in U\})$.

Algorithm 1: Setup $\left(\lambda \right)$.

Input Implicit security parameter $\lambda$. Output System secret key $\left(SMK\right)$ and public parameter. Define an elliptic curve $\mathbb{E}$ over a finite field ${\mathbb{Z}}_r$ with a prime order r. Generate a cyclic group ${\mathbb{G}}_{\mathbb{E}}$ of subgroup over $\mathbb{E}$ with generator G of order q. Generate universal attribute set $U=\{at{t}_1,at{t}_2,\dots at{t}_n\}$. For each $at{t}_i\in U$, it randomly chooses element ${\beta }_i\in {\mathbb{Z}}_q^{\ast }$. $MAA$ subsequently computes public key components corresponding to each attribute i as $\{P{K}_i={\beta }_i·G|i\in U\}$. Randomly chooses $\alpha \in {\mathbb{Z}}_q^{\ast }$ as a master secret key. Accordingly, compute master public key by $PK=\alpha ·G$. Set the $PARAMS=(U,H,PK,\{P{K}_i={\beta }_i·G|i\in U\})$. Set the $MSK=(\alpha ,\left\{{\beta }_i\right|i\in U\})$.

   Encryption: To preserve the data privacy and delegate most of the computation of encryption, this algorithm specifies the access control policy tree in the form of $\mathcal{T}={\mathcal{T}}_{local}\bigwedge {\mathcal{T}}_{esp}$, where ${\mathcal{T}}_{local}$ and ${\mathcal{T}}_{esp}$ are two subtrees of $\mathcal{T}$ connected by an AND logical operator ⋀. This division of access control tree leads to two algorithms: local encryption (Algorithm 2) and outsource encryption (Algorithm 3).

${\mathbf{Encrypt}}_{\mathbf{local}}$$(\mathcal{T},M,PK)\to C{T}_{local}$ For optimal efficiency, the ${\mathcal{T}}_{local}$ attaches only one virtual attribute, as shown in Figure 3. The algorithm randomly specify a 1-degree polynomial $q_R(·)$ and set $q_R\left(0\right)=S$, $q_R\left(1\right)=S_1$ and $q_R=S_2$, where $S,S_1,S_2\in {\mathbb{Z}}_q^{\ast }$.

Figure 3. Access policy with subtree.

Let ${\Omega }_{local}$ be the set of leaf nodes in ${\mathcal{T}}_{local}$. This algorithm encrypts M by computing $SK=S·PK=(S_x,S_y)$ such that $SK\ne 0$. Let $S_x$ serve as the encryption key and $S_y$ be the integrity key for M, then $C_M$ and $IN{T}_M$ can be computed $Enc(S_x,M)$ and $HMAC(S_y,M)$, respectively. Finally, the algorithm outputs temporal ciphertext

$$C{T}_{local}=({\mathcal{T}}_{local},C_M,IN{T}_M,\forall y\in {\Omega }_{local}:C_y=q_y\left(0\right)·P{K}_y).$$

$${\mathbf{Encrypt}}_{\mathbf{ESP}}({\mathcal{T}}_{esp},s_1,C{T}_{local},PK)\to CT.$$

Let ${\Omega }_{ESP}$ be the set of leaf nodes in ${\mathcal{T}}_{esp}$. Beginning at the root node $R_1$ of the subtree ${\mathcal{T}}_{esp}$, this algorithm chooses a polynomial $q_x$ of degree $d_x-1$ for each node v. Note that the value for root node $R_1$ has been set as $q_{R_1}\left(1\right)=S_1$. The value of the inner node x is calculated by the equation as $q_x\left(0\right)=q_{parent\left(x\right)}\left(index\left(q\right)\right)$ and randomly chooses $k_x-1$ coefficients to build the polynomial $q_x$. Then, the algorithm generates the temporal ciphertext $C{T}_{ESP}=({\mathcal{T}}_{esp},\forall y\in {\Omega }_{ESP}:C_y=q_x\left(0\right)·P{K}_y)$. Combining the above generated ciphertext with the received ciphertext from $DO$, the whole ciphertext is given as:

$$⟨\mathcal{T}={\mathcal{T}}_{local}\bigwedge {\mathcal{T}}_{esp};C_M;IN{T}_M;\forall y\in {\Omega }_{local}\bigcup {\Omega }_{ESP}:C_y=q_y\left(0\right)·P{K}_y⟩$$

Key Generation$(S_u,MSK)\to {\mathcal{K}}_u$ The Algorithm 4 runs by $MAA$, and is used to generate the secret key ${\mathcal{K}}_u$ under the valid attribute set $S_u$ by the corresponding $DU$. More specifically, upon receiving the claimed attribute set, the $MAA$ needs to check its validity and assign a unique global identity $GID$ to this $DU$. It selects a random $t\in Z_p^{\ast }$ and computes local private key ${\mathcal{K}}_{local}={\alpha }^{1-t}$. This algorithm for each attribute $i\in S_u$ generates its corresponding key components, a delegate key given by $\mathcal{DK}=\{\forall i\in S_u:{\mathcal{K}}_i=H\left(GID\right)·\alpha .{\beta }_i^{-1}\}$. Here, ${\beta }_i^{-1}$ is the inverse of element ${\beta }_i\in {\mathbb{Z}}_p^{\ast }$ chosen in setup phase.

Algorithm 2:$Encryp{t}_{local}$.

Input Access structure $\mathcal{T}$, the message M and public parameters $PARAMS$. Output Local version of ciphertext $C{T}_{local}$. Randomly specify a 1-degree polynomial $q_R\left(x\right)$ corresponding to the root R of $\mathcal{T}$. Randomly chooses $S,S_1$ and $S_2\in {\mathbb{Z}}_q^{\ast }$. Set the root node R value to $q_R\left(0\right)=S$. For the root nodes $R_1$ and $R_2$ of subtrees set $q_R\left(1\right)=S_1$ and $q_R\left(2\right)=S_2$, respectively. Use $ECC$ scalar point multiplication to compute $S·PK=(S_x,S_y)$. We let $S_x$ and $S_y$ represent the encryption and integrity key for M, respectively. Compute message M encryption $C_M=Enc(S_x,M)$ using secure symmetric cipher. Compute message M authentication code $IN{T}_M=HMAC(S_y,M)$ using HMAC function. Let ${\Omega }_{local}$ be a set of leaf nodes in ${\mathcal{T}}_{local}$. For each $at{t}_x\in {\Omega }_{local}$ do. $C{T}_{local}=q_x\left(0\right).P{K}_x$ using ECC point multiplication End for. Set the ciphertext $C{T}_{local}=({\mathcal{T}}_{local},C_M,IN{T}_M,\forall y\in {\Omega }_{local}:C_y=q_y\left(0\right)·P{K}_y)$.

Algorithm 3:$Encryp{t}_{ESP}$.

Input Access structure ${\mathcal{T}}_{esp},S_1,C{T}_{local}$, and public parameters $PARAMS$. output$CT$. Randomly specify a polynomial $q_{R_1}$ with degree $K_{R_1}-1$, where $K_{R_1}$ is the threshold of root node of subtree ${\mathcal{T}}_{ESP}$. Set the value of root node $R_1$ to $q_{R_1}\left(0\right)=S_1$. Randomly select $K_{R_1}-1$ coefficients to uniquely define $q_{R_1}$. For inner node v in ${\mathcal{T}}_{esp}$ do. Set $q_v\left(0\right)=q_{parent\left(v\right)}\left(index\left(v\right)\right)$. Randomly select $K_v-1$ coefficients to uniquely define $q_v$. End For. Let ${\Omega }_{ESP}$ be the set of leaf nodes in ${\mathcal{T}}_{esp}$. For each $at{t}_x\in {\Omega }_{ESP}$ do. $C{T}_{ESP}=q_x\left(0\right).P{K}_x$ using $ECC$ point multiplication. End For. The whole ciphertext is given by $CT=⟨\mathcal{T}={\mathcal{T}}_{local}\bigwedge {\mathcal{T}}_{esp},C_M,IN{T}_M,\forall y\in {\Omega }_{local}\bigcup {\Omega }_{ESP}:C_y=q_y\left(0\right)·P{K}_y⟩$.

Algorithm 4:$KeyGen$.

Input $DU$ claimed attribute set $S_u$, system master key $SMK$ Output $DU$ keys: ${\mathcal{K}}_{local}$ and $\mathcal{DK}$. After the confirmation of the claimed attribute set $S_u$, the $MAA$ assigned a global unique identity $GID$ to its $DU$. Select a random $t\in Z_p^{\ast }$, compute ${\alpha }^t$. Compute and set ${\mathcal{K}}_{local}={\alpha }^{1-t}$. For each $at{t}_i\in S_u$ do. Compute ${\beta }_i^{-1}$ of ${\beta }_i\in {\mathbb{Z}}_p^{\ast }$. Compute ${\mathcal{K}}_i=H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}$. End For. Set the Keys ${\mathcal{K}}_{local}=\left({\alpha }^{1-t}\right)$, $\mathcal{DK}=(\{\forall i\in S_u:{\mathcal{K}}_i=H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}\};H\left(GID\right))$.

Finally, the algorithm via a secure channel submits the secret keys ${\mathcal{K}}_{local}=\left({\alpha }^{1-t}\right)$ and $\mathcal{DK}=(\{\forall i\in S_u:{\mathcal{K}}_i=H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}\};H\left(GID\right))$ to its concerned $DU$.

Decryption: Realizing a CP-ABE scheme via $ECC$ scalar point multiplication instead of bilinear pairing operations still faces a deployment challenge for lightweight devices, especially for sensors. The $ECC$ scheme makes use of threshold secret sharing for secret distribution. Subsequently, the reconstruction makes use of polynomial interpolation, a heavy computation operation. MDU is usually a device such as a mobile phone with limited resources. Hence, this phase delegates most of the decryption load to the $DSP$. This phase makes use of two algorithms $Decryp{t}_{local}$ (Algorithm 5) and $Decryp{t}_{DSP}$ (Algorithm 6).

${\mathbf{Decrypt}}_{\mathbf{DSP}} (\mathcal{DK},PARAM,CT)\to C{T}_{temp}$

This algorithm is run by $DSP$, which makes use of a recursive function $DecNod(CT,\mathcal{DK},y)$. If y is leaf node, let $i=att\left(y\right)$, $DecNode(CT,\mathcal{DK},y)$ is defined as:

$$DecNode(CT,\mathcal{DK},y)=\left\{\begin{array}{c}\frac{K_i·C_i}{H\left(GID\right)},\forall i\in S_u\hfill \\ \perp ,otherwise.\hfill \end{array}\right..$$

which states that the output of $DecNode\left(\right)$ must be an element in $EC$ group ${\mathbb{G}}_E$ or null.

For a leaf node $y\in S_u$, the function $DecNode\left(\right)$ proceeds as follows:

$$\begin{array}{c}DecNode(CT,\mathcal{DK},y)=\frac{K_i·C_i}{H\left(GID\right)}\hfill \\ =\frac{H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}·q_y\left(0\right)·P{K}_i}{H\left(GID\right)}\hfill \\ ={\alpha }^t·{\beta }_i^{-1}·q_y\left(0\right)·{\beta }_i·G\hfill \\ =q_y\left(0\right)·{\alpha }^t·G.\hfill \end{array}$$

For a non-leaf node y, it calls $DecNode\left(\right)$ for each child x and stores the result as $F_x$ in $k_y-$ sized set $S_y$ of child node x. To reconstruct the value of $F_y$ at nodes y using lagrange interpolation, the algorithm proceeds as follows:

$$F_y={\sum }_{x\in S_y}{▵}_{i,s_y^{\prime }}\left(0\right)·DecNode(CT,\mathcal{DK},x)$$

where $i=index\left(x\right),s_u^{\prime }=\{index\left(x\right),x\in s_u\}$ and ${▵}_{i,s_y}\left(0\right)$ is the lagrange coefficients

$$\begin{array}{c}=\sum _{x\in s_y}{▵}_{i,s_y^{\prime }}\left(0\right)·q_x\left(0\right)·{\alpha }^t·G\hfill \\ =\sum _{x\in s_y}{▵}_{i,s_y^{\prime }}\left(0\right)·q_{parent\left(x\right)}\left(index\left(x\right)\right)·{\alpha }^t·G\hfill \\ =\sum _{x\in s_y}{▵}_{i,s^{\prime }}\left(0\right)·q_y\left(i\right)·{\alpha }^t·G\hfill \\ =q_y\left(0\right)·{\alpha }^t·G.\hfill \end{array}$$

Accordingly, the recursive function $DecNode(CT,\mathcal{DK},R)$ at root node R returns $q_R\left(0\right)·{\alpha }^t·G$. Finally, the temporal ciphertext $C{T}_{temp}$ set as: $C{T}_{temp}=\left\{F_R\right\}$.

${\mathbf{Decrypt}}_{\mathbf{local}} ({\mathcal{K}}_{local},C{T}_{temp})\to M$. After receiving the intermediate ciphertext $C{T}_{temp},MDU$ calculates $\left\{F_R\right\}\times \mathcal{DK}=q_R\left(0\right)·{\alpha }^t·G\times {\alpha }^{1-t}=q_R\left(0\right)·\alpha ·G=s·\alpha ·G=s·PK=(\overline{S_x},\overline{S_y})$. Here, $\overline{S_x}$ and $\overline{S_y}$ are the recovered keys for decryption and integrity of message M, respectively. Therefore, after decrypting $M^{\prime }=Dec(\overline{S_x},C_M)$ we can confirm, whether $HMAC(\overline{S_y},M^{\prime })=IN{T}_M$ to assure that the M is correctly received and not being tempered. Hence, the proposed scheme provides confidentiality, authenticity, and integrity of encrypted data, which is the top most priority of any health-related application.

Algorithm 5:$Decryp{t}_{DSP}$.

Input Delegate key component $\mathcal{DK}$, system public parameter $PARAM$ and $CT$.  Out Put Temporal ciphertext $C{T}_{temp}$. Let y be a node in $\mathcal{T}$. If$i=att\left(y\right)$ is leaf node AND $i\in S_u$ then. Compute $F_y=\frac{{\mathcal{K}}_i·C_i}{H\left(GID\right)}$               $=\frac{H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}·q_y\left(0\right)·P{K}_i}{H\left(GID\right)}$               $={\alpha }^t·{\beta }_i^{-1}·q_y\left(0\right)·{\beta }_i·G$               $=q_y\left(0\right)·{\alpha }^t·G$. Else Set $F_y=Null$. End if. For each non-leaf node y in $\mathcal{T}$ do. Let $s_y$ represent $k_y$-sized set of child node x. If no such set exist then Set $F_y=Null$. Else Compute lagrange coefficient $F_y={\sum }_{x\in S_y}{▵}_{i,s_y^{\prime }}\left(0\right)·DecNode(CT,\mathcal{DK},x)$        where $i=index\left(x\right),s_u^{\prime }=\{index\left(x\right),x\in s_u\}$ and ${▵}_{i,s_y}\left(0\right)$ is the lagrange coefficients     $={\sum }_{x\in s_y}{▵}_{i,s_y^{\prime }}\left(0\right)·q_x\left(0\right)·{\alpha }^t·G$     $={\sum }_{x\in s_y}{▵}_{i,s_y^{\prime }}\left(0\right)·q_{parent\left(x\right)}\left(index\left(x\right)\right)·{\alpha }^t·G$     $={\sum }_{x\in s_y}{▵}_{i,s^{\prime }}\left(0\right)·q_y\left(i\right)·{\alpha }^t·G$     $=q_y\left(0\right)·{\alpha }^t·G$. End if. End for. Let R represent the root node of $\mathcal{T}$. If$F_R\ne Null$ then recursively compute $F_R=q_R\left(0\right)·{\alpha }^t·G$. End if Set the temporal ciphertext $C{T}_{temp}=\left\{F_R\right\}$.

Algorithm 6:$Decryp{t}_{local}$.

Input$DU$ local secret key ${\mathcal{K}}_{local}$, and temporal ciphertext $C{T}_{temp}$. Output Message M. Compute $F_R·{\mathcal{K}}_{local}$  $=q_R\left(0\right)·{\alpha }^t·G\times {\alpha }^{1-t}$                      $=q_R\left(0\right)·\alpha ·G$                      $=s·\alpha ·G$                      $=s·PK$                      $=(\overline{S_x},\overline{S_y})$ Decrypt $M^{\prime }=Dec(\overline{S_x},C_M)$ and compute $IN{T}_M^{\prime }=HMAC(\overline{S_y},M^{\prime })$.     If $IN{T}_M^{\prime }=IN{T}_M$ then        M is valid.      End if.      Return M.

5. Security Analysis

This section, along with security proof, also assesses the proposed scheme’s collision resistance and attribute/user revocation features.

5.1. Security Proof

The security proof of our scheme in the selective security model is presented as a game between the challenger $\mathcal{C}$ and an attacker $\mathcal{A}$. In this game, the attacker confronts challenges posed by the challenger to break the underlying hardness assumption. Since our scheme is based on ECC, hence, the attacker’s goal is to reduce the hardness of the elliptic curve decisional Diffie–Hellman (DDH) assumption.

Theorem 1.

If an adversary $\mathcal{A}$ in the selective-set model successfully attacks our proposed scheme with, at most, advantage ϵ, then it can also build a simulator $S_{\beta }$ that can distinguish an elliptic curve DDH tuple with non-negligible advantage ${ϵ}^{\prime }$.

Proof. 

Let there exist an adversary $\mathcal{A}$, in the particular set security model that in polynomial time with non-negligible advantage $ϵ$ can break our scheme, then we can build a simulator $S_{\beta }$ to play the ECDDH with advantage ${ϵ}^{\prime }$ in polynomial time.

Firstly, the challenger $\mathcal{C}$ generates an EC group $G_E$ with order q and sets over the finite field $Z_q^{\ast }$ having a base point G. Then, challenger $\mathcal{C}$ takes a fair binary coin $\mu \in \{0,1\}$, flips it outside of $S_{\beta }$’s view for some random choices a, b, z $\in Z_q^{\ast }$. Now, the choices for $\mu$ is given as:

-

Case 1. if $\mu =0$, then ECDDH challenge instance as,

$(A,B,Z)=(c·G,d·G,c·dG)$, and sent to $S_{\beta }$.

-

Case 2. if $\mu =1$, then ECDDH challenge instance as,

$(A,B,Z)=(c·G,d·G,z·G)$, and sent to $S_{\beta }$.

Initialization: The simulator $S_{\beta }$ runs adversary $\mathcal{A}$, to gets an access structure ${\mathcal{T}}^{\ast }$ that the adversary $\mathcal{A}$ wants to be challenged upon.

Setup: The simulator $S_{\beta }$ needs to send the public parameters to adversary $\mathcal{A}$ as follows:

• $S_{\beta }$ at first sets the system parameters $Y=A=c·G$.
• Then, for $\forall \in U$, $S_{\beta }$ sets $Y_i$ according to the following condition:
  • If $i\in \mho$ it sets $Y_i=r_i·G$ and $y_i=r_i$ where $r_i$ is randomly chooses from $Z_q^{\ast }$.
  • If $i\in (U-\mho )$, it sets $Y_i={\beta }_i$, where ${\beta }_i$ is randomly chooses from $Z_q^{\ast }$.
• Sends the system public parameters $\{Y,Y_i,i\in U\}$ to $\mathcal{A}$ and keeps the secret parameter $yi$ as secret.
  In the above scenario, $\mathcal{A}$ does not observe any change as $\{Y,Y_i\}$ and $y_i$ are analogous to $\{PK,P{K}_i\}$ and ${\beta }_i$ of the proposed scheme.

Phase 1:$\mathcal{A}$ adoptivily calls for a number of secret key components $K_A^1,K_A^2,\dots ,K_A^n$ of attribute sets ${\mho }_1,{\mho }_2,\dots ,{\mho }_n$ such that all the attribute sets associated to the corresponding secret key components do not satisfy the ${\mathcal{T}}^{\ast }$. Now, $S_{\beta }$ sends the secret key components $K_i$ to $\mathcal{A}$ as follows:

Case 1. if $i\in \mho$, it sets $K_i$ as

$$K_i=H\left(GID\right)·{\alpha }^t·r_i^{-1}$$

(1)

Case 2. if $i\in (U-\mho )$, it sets $K_i$ as

$$K_i=H\left(GID\right)·{\alpha }^t·{({\beta }_i·d)}^{-1}$$

(2)

The distribution for both the terms in Equations (1) and (2) is uniform, thus, in $\mathcal{A}$’s perspective, the key components generated by $S_{\beta }$ are the same as the basic scheme.

Challenge:$\mathcal{A}$ submits two equal length messages $M_0$ and $M_1$ to $S_{\beta }$. First $S_{\beta }$ sets ${\mathcal{T}}^{\ast }={\mathcal{T}}_{local}^{\ast }\bigwedge {\mathcal{T}}_{esp}^{\ast }$ and then sends ${\mathcal{T}}_{local}^{\ast }$ to the DO. It randomly selects $S,S_1,S_2\in Z_q^{\ast }$ and sets $q_R\left(0\right)=S$ for root node R according to the proposed scheme. $S_{\beta }$ is also sent ${\mathcal{T}}_{esp}^{\ast }$ along with $S_1$ to ESP (i-e sink node) to distribute it for the remaining attributes in ${\mathcal{T}}^{\ast }·S_{\beta }$ randomly selects a bit $b\in \{0,1\}$ to encrypt $M_b$ and generates the ciphertext $C{T}^{\ast }$ as follows:

$$S{K}_{S_{\beta }}=S·Y=(S_x,S_y)$$

Hence, $S_x$ and $S_y$ represent the encryption and integrity K for message M, respectively. Afterwards, $S_{\beta }$ computes $C_i^{\prime }=r_i·B$.

$S_{\beta }$ after computing $C_{S_{\beta }}=Enc(M_b,S_x)$ and $IN{T}_{M_b}=HMAC(M_b,S_y)$ transmits below ciphertext to adversary $\mathcal{A}$.

$$C{T}^{\ast }=({\mathcal{T}}^{\ast }={\mathcal{T}}_{local}^{\ast }\cup {\mathcal{T}}_{esp}^{\ast },C_{S_{\beta }},IN{T}_{M_b},C_i^{\prime })$$

The challenger $\mathcal{C}$ flips coin $\mu \in \{0,1\}$, thus the following cases arises:

• If $\mu =0;$ satisfies case 1, which is identical to our original encryption, then $Z=c·d·G$. Therefore, if S is set to d, there should be $S{K}_{S_{\beta }}^{\prime }=d·Y=d·c·G=Z$, and $C_i=q_x\left(o\right)·Y_i=d·Y_i=d·r_i·G=r_i·B$, where $i\in \mho$.
• If $\mu =1;$ satisfies case 2, which is different from our proposed scheme, then $Z=z·G$. Therefore, if S is set to z, it turns out that $S{K}_{S_{\beta }}^{\prime }=z·Y=z·c·G=Z$, and $C_i=z·Y_i=z·r_i·G=r_i·Z$.

Phase 2: Both $\mathcal{A}$ and $S_{\beta }$ follow the same steps as they did in Phase 1.

Guess:$\mathcal{A}$ output a guess $b^{\prime }$ of b to $S_{\beta }$.

• If $b^{\prime }=b$, $S_{\beta }$ output ${\mu }^{\prime }=0$, which indicates a valid ECDDH instance, $(A,B,Z)=(c·G,d·G,c·d·G)$.
• If $b^{\prime }\ne b$, $b^{\prime }$ output ${\mu }^{\prime }=1$, which indicates a random instance, $(A,B,Z)=(c·G,d·G,z·G)$.

Now, according to the security game, where $\mu =1$, the adversary $\mathcal{A}$ cannot predict the $M_b$, thus we have

$$Pr[\mu =1|b^{\prime }\ne b]=\frac{1}{2}$$

(3)

Since $S_{\beta }$ outputs ${\mu }^{\prime }=1$ when $b^{\prime }\ne b$, it gives

$$Pr[{\mu }^{\prime }=\mu |\mu =1]=\frac{1}{2}$$

(4)

When $\mu =0$, the adversary $\mathcal{A}$ can predict the correct $M_b$, thus we have

$$Pr[\mu =0|b^{\prime }=b]=\frac{1}{2}+ϵ$$

(5)

Since $S_{\beta }$ outputs ${\mu }^{\prime }=0$ when $b^{\prime }=b$, we have

$$Pr[{\mu }^{\prime }=\mu |\mu =0]=\frac{1}{2}+ϵ$$

(6)

According to the selective set security model of our proposed scheme, the overall advantage using Equations (8) and (10) of $S_{\beta }$ in this game is

$${ϵ}^{\prime }=\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =0]+\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =1]-\frac{1}{2}$$

or,

$${ϵ}^{\prime }=\frac{1}{2}(\frac{1}{2}+ϵ)+\frac{1}{2}\left(\frac{1}{2}\right)-\frac{1}{2}$$

or,

$${ϵ}^{\prime }=\frac{1}{4}+\frac{ϵ}{2}+\frac{1}{4}-\frac{1}{2}$$

or,

$${ϵ}^{\prime }=\frac{ϵ}{2}$$

Hence, it conflicts with our assumption, which proves the security of our proposed scheme under the ECDDH assumption. □

5.2. Secure against Collusion Attack

One of the most anticipated attacks on any attribute-based system is a collision attack. Therefore, it is required of the designers of such a system to implicitly avoid it in their proposed scheme. Let us assume that multiple users possess some secret key components, where no individual secret key has access to the message. If they play the role of an attacker to launch a collision attack (i.e., a combination of their secret keys) by trying to decrypt a message that is encrypted under the intersects (common attributes) of their attributes sets. It is assumed that they constitute secret key components labeled to their common attribute set in the form of

$$S{K}_u=(K_0=\left\{{\alpha }^{1-t}\right\},K_i=H\left(GID\right)·{\alpha }^t·{\beta }^{-1})$$

Even after collectively generating secret keys among themselves, still, they are unable to decrypt the message because of the random selection of $GID$ for each user to satisfy the equation

$$\frac{K_i·C_i}{H\left(GID\right)}\forall i\in \mho$$

Hence, the association of the secret key component with attributes along with a unique global identity $GID$ and a random number $t\in Z_p^{\ast }$ for each user makes the proposed scheme resistant to collusion attack.

5.3. Attribute/User Revocation

Nowadays, revocation is a desirable property on the part of an ABE-based scheme. Considering the following aspects, equipping the ABE scheme with revocation is not a simple task: First, the attribute authority labeled each user secret key from a universal set of attributes instead of a unique user-specific attribute. As a result, a malicious user cannot simply be singled out on an attribute or set of attributes; second, after the revocation of a misbehaving user, the system must avoid the collusion attack even if there exists the overlapping of attributes with non-revoked users. The ABE scheme supports two types of revocation, direct revocation and indirect revocation, to address these issues. Indirect revocation incurs the liability on TAA to update and distribute the non-revoked users’ secret key with every revocation event. In direct revocation, we do not need to perform updation on the secret key of non-revoked users. All contemporary direct revocation schemes require system users to maintain an updated and long list of revoked users, which must be labeled to ciphertext. This computation and storage overhead linearly increases with the increase in revoked users in the encryption and decryption algorithms system.

Given the resource-constrained and medical-centric characteristics of our proposed scheme MAA, the indirect revocation fits aptly into our ehealth practical scenario. The computation and storage cost of our scheme is independent of the number of revoked users. The KGC of MAA explicitly maintains the list of global IDs GID and its associated attribute lists for each registered user. To revoke the system attribute from its universal set of attributes, the KGC deletes the associated system attribute’s public key. Similarly, to revoke the user-specific attribute, the KGC must delete the corresponding secret key component for that specific user. Further, KGS deletes the entire attribute set and the GID assigned to that user to revoke a user. For all of these revocation scenarios, the MAA needs to update the delegated key $\mathcal{DK}$ with the help of MSK and the revoked ${\mathcal{DK}}_{\beta }$ of the revoked attribute $\beta$ and produces a new delegate key ${\mathcal{DK}}_{{\beta }^{\ast }}$ of the revoked attribute $\beta$. Furthermore, our proposed scheme avoids the need for maintaining a private channel between the MAA and the non-revoked user for the dissemination of the updated delegated key ${\mathcal{DK}}_{{\beta }^{\ast }}$.

6. Performance Analysis

In this section, we compare our proposed scheme with five related schemes in [19,20,21,22,23], in terms of its features, communication overhead, and computation overhead. Moreover, for the sake of fair comparison, we set n = 20 and m = 10 representing attributes in universal set and encryption, respectively.

6.1. Features Analysis

Table 2 depicts the comparison of various features of our scheme with related schemes for a WBAN from four perspectives: encryption delegation, decryption delegation, integrity check, and attribute revocation. Additionally, our proposed scheme lacks time-based access control and hierarchical access control support. In some practical scenarios, it is inevitable to provide access control for a specific time interval. For instance, a medical document may have different privacy requirements for a different period. More specifically, fewer medical experts have access to the medical record at an early time, while more experts can get access to it at a later time point. Similarly, the hierarchical access permission ensures access to the corresponding documents based on the specific role of the data users. For example, the hospital president can access all the information of the patients and doctors, while the medical experts can access his/her patient information only.

Table 2. Features comparison.

Scheme	[19]	[20]	[21]	[22]	[23]	Proposed
Encrypt Delegation	✓	×	✓	✓	✓	✓
Decrypt Delegation	×	✓	✓	✓	✓	✓
Integrity Check	×	✓	×	×	✓	✓
Attribute Revocation	×	×	×	×	×	✓

6.2. Communication Overhead

Communication overhead relates to the transfer of the message. In the most commonly adopted architectures of ABE, the least number of messages that should be transmitted are of the public key, private key, and ciphertext. For the sake of analysis, we take the length of these messages as a metric to determine and compare the relative communication overhead. Most contemporary ABE schemes use bilinear pairing; a map involves two groups $G_1,G_T$. Because of the underlying modular exponentiation, these are termed RSA-based ABE schemes. Accordingly, we call our scheme an ABE ECC-based scheme.

As we know, ECC has much stronger hit security; we considered 160-bit, i.e., secp160r1 elliptic curve, which has up to 1024-bit RSA security strength. Based on the above-stated assumptions, the size of both public and private keys in the ABE RSA-based scheme is 1024-bit, while the size of an element in $G_1$ and $G_T$ is 1024 bits and 2048-bits. Accordingly, the size of an elliptic curve point is 320 bits, corresponding to both its coordinates. As a result, the 160 bits and 320 bits constitute the private key and public key size, respectively, in ABE ECC-based schemes. For comparison, the communication overhead is identical for each ABE RSA-based scheme. Therefore, we compute the [23] overhead for illustration purposes. The ciphertext in [23] scheme is given by $CT=(C=Me{(g,g)}^{\alpha s},C^{\prime }=g^s,\{C_i=g^{a{\lambda }_i}{g}^{-r_{i}H(at{t}_{\left(i\right)}},D_i=g^{r_i}|i\in m\})$, where m represents the maximum number of attributes attached to the ciphertext. According to the setup phase of this scheme, g and e(g,g) belong to the group $G_1$ and $G_T$, respectively. As a result, the size of each ciphertext component $C,C^{\prime },C_i$ and $D_i$ is 2048, 1024, (2m × 1024) and (m × 1024) bits, respectively. In this way, the length of ciphertext CT is (3m + 3) × 1024 ≈ 33,792 bits. Here, the public key is set to $PK=\{g,e{(g,g)}^{\alpha },g^{\alpha },H\}$, so its length is 4 × 1024 ≈ 4096 bits. In addition, the private key is given by $K=(g^{\alpha },l=g^t,\{K_x=g^{H(at{t}_{\left(x\right)}t}|x\in S\})$ where S represents the user set of attributes associated to the key K. Therefore, the length of the private key of scheme [23] computes to (m + 3) × 1024 ≈ 13,312 bits.

Similarly, we compute the public key, private key, and ciphertext length in our scheme. According to the encryption process of our proposed scheme, the ciphertext is $CT=(T,C_m,IN{T}_m,C_y=q_y\left(0\right)·P{K}_y|y\in T)$. The size of attribute set T is taken constantly for all schemes and, hence, rolled out of the total ciphertext size. Here, $C_m$ and $IN{T}_m$ are the single coordinates on the elliptic curve, each having 160 bits in length. Similarly, $C_y$ consists of 320 bits, a single point on the elliptic curve. Thus, the length of the ciphertext in our proposed scheme computes to (m + 1) × 320 ≈ 3520 bits. The public key components in our scheme are $(PK,\left\{P{K}_i\right|i\in U\})$, and consists of (n + 1) × 320 ≈ 6720 bits, as each of its components is a single point on the elliptic curve. The private key of our scheme is ${\mathcal{K}}_{local}=\left({\alpha }^{1-t}\right)$, $\mathcal{DK}=\left(\{\forall i\in S_u:{\mathcal{K}}_i=H\left(GID\right)·{\alpha }^t·{\beta }_i^{-1}\}\right)$. Hence, its length computes to (m + 1) × 160 ≈ 1760 bits.

We can see from Table 3 that the ciphertext and private key sizes of our proposed scheme are significantly lower than those of all other schemes. We can observe from Table 3 that only the length of the public key in our proposed scheme is higher than the scheme with a constant-size public key [19,23]. However, overall communication overhead for the private key, the public key, and ciphertext size in our scheme is significantly lower than that of [19]. Moreover, the scheme in [23] is based on KP-ABE as opposed to our CP-ABE-based scheme, which provides more control to the patient over the recipient of its sensitive medical data. Moreover, the generation of the public key is a one-time process in the lifetime of the system.

Table 3. Parameters size (bits).

Scheme	Private Key Size	Public Key Size	Ciphertext Size
[19]	$(2m+2)\times 1024\approx \mathrm{22,522}$	$(3\times 1024)\approx 3072$	$(2m+2)\times 1024\approx \mathrm{22,528}$
[20]	$(5m+3)\times 1024\approx \mathrm{54,272}$	$(n+3)\times 1024\approx \mathrm{23,552}$	$(2m+3)\times 1024\approx \mathrm{23,552}$
[21]	$(m+4)\times 1024\approx \mathrm{14,336}$	$(n+4)\times \approx \mathrm{24,576}$	$(2m+3)\times 1024\approx \mathrm{23,552}$
[22]	$(3m+1)\times 1024\approx \mathrm{31,744}$	$(n+3)\times 1024\approx \mathrm{23,552}$	$(2m+1)\times 1024\approx \mathrm{21,504}$
[23]	$(m+3)\times 1024\approx \mathrm{13,312}$	$(4\times 1024)\approx 4096$	$(3m+3)\times 1024\approx \mathrm{33,792}$
Proposed	$(m+1)\times 160\approx 1760$	$(n+1)\times 320\approx 6720$	$(m+1)\times 320\approx 3520$

6.3. Computation Overhead

The computation overhead is mainly caused by the ABE scheme operations, including bilinear pairing, ECC-based scalar point multiplication, exponentiation, hashing, basic arithmetic, and logical operations. We have considered the most expensive exponentiation operations, bilinear pairing, and elliptic curve base scalar point multiplications. Comparatively, the cost of other least costly operations can be ignored [3]. For the sake of simplicity, Table 4, based on [37], is constructed, which shows the execution time (in millisecond) required by each group operation. According to work in [37], single bilinear pairing and modular exponentiation operation is about 10 and 2 times ECC-based scalar point multiplication, respectively.

Table 4. Execution time for cryptographic operations.

Operations	${\mathit{T}}_{\mathit{BP}}$	${\mathit{T}}_{\mathit{EXP}}$	${\mathit{T}}_{\mathit{PM}}$
Time (ms)	20.04	5.31	2.21

To evaluate the computation overhead of the proposed scheme, we need the individual computation overhead of users and service providers on both the encryption and decryption sides. Therefore, in Table 5, we compare the computation overhead incurred on MDO and ESP in the encryption offloading and the MDU and DSP in the decryption offloading. As our scheme is free from costly pairing operations, all matrices’ execution time is comparatively less than other schemes. We can also see from Table 5 that the unwanted linearity property of ABE is shifted to comparatively resource-rich server providers (DSP and ESP). Hence, the data users are left with a significantly less and constant number of operations. Thus, based on the performance assessments, our scheme demonstrates more efficiency and the best solution for a WBAN in terms of communication, computation, and security.

Table 5. Computational overhead (ms).

Scheme	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	$(1+3m)T_{EX}\approx 164.61$	$5T_{EX}\approx 26.55$	$2m{T}_{EX}\approx 106.2$	$2m(T_{bp}+T_{EX})\approx 507$	-
[20]	$(7m+5)T_{EX}\approx 398.25$	$(4+2m)T_{EX}\approx 127.44$	-	$T_{EX}\approx 5.31$	$2m(T_{Bp}+T_{EX})+2T_{Bp}\approx 547.08$
[21]	$(3m+7)T_{EX}\approx 196.47$	$(2m+3)T_{EX}\approx 122.13$	$(2m+1)T_{EX}\approx 111.51$	$\left(T_{EX}\right)\approx 5.31$	$(2m+1)T_{Bp}+(3m+1)T_{EX}\approx 584.61$
[22]	$(1+4m)T_{EX}\approx 217.71$	$\left(5T_{EX}\right)\approx 26.55$	$(2m-2)T_{EX}\approx 95.98$	$(T_{BP}+2T_{EX})\approx 30.66$	$2m(T_{BP}+T_{EX})\approx 506.8$
[23]	$(m+4)T_{EX}\approx 127.44$	$4T_{EX}\approx 21.24$	$3m{T}_{EX}\approx 159.3$	$T_{BP}\approx 20.04$	$2m{T}_{EX}m{T}_{BP}\approx 306.4$
Proposed	$(m+1)T_{EX}\approx 111.51$	$2T_{PM}\approx 4.42$	$(m-2)T_{PM}\approx 17.68$	$T_{PM}\approx 2.21$	$2m.T_{PM}\approx 44.2$

6.4. Rank-Based Evaluation of Performance Matrices

In this research work, a fuzzy logic-based evaluation, which is constructed on the method distance from average solution (EDAS), is used for calculating the ranking of the proposed scheme with state-of-the-art algorithms in terms of computational cost operations, such as KeyGen, Enc${}_{Local}$, Enc${}_{Out}$, Dec${}_{Local}$, and Dec${}_{Out}$, on both the sides of the sender and receiver to find the top rank efficiency of these schemes. The above-stated performance matrices/operations are compared with existing state-of-the-art schemes, including the proposed scheme in this section.

In this evaluation, the authors use the EDAS approach to collect the cross-efficient values of numerous parameters of five schemes, including the proposed scheme. The aggregate of appraisal scores $\left(\lambda \right)$ can be measured for ranking of given schemes to compute the positive distance from the average solution, which is represented in the equation as ($P_{\mathfrak{I}}$) and the negative distance from the average solution is represented by the symbol (${\mathrm{N}}_{\mathfrak{I}}$).

In Table 6 below, the performance matrices are deliberated as the criteria of state-of-the-art schemes.

Table 6. Analysis results of average.

Scheme	Performance Metrics
	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	0.1877	0.5148	0	0	1
[20]	0	0	1	0.9441	0
[21]	0	0	0.3	0.7350	0
[22]	0	0.5148	0	0.6775	0
[23]	0.3711	0.6118	0	0.7892	0.0757
Proposed	0.4497	0.9192	0.7838	0.9767	0.8666

Step 1: Calculate the solution of the average value ($\psi$ ) of all matrices in Equation (7);

$$\left({\psi }_{\beta }\right)={\left[{\psi }_{\beta }\right]}_{1\times \delta }$$

(7)

where,

$$\left(\psi \right)=\frac{{\sum }_{i=1}^x{X}_{\alpha \beta }}{x}$$

(8)

The above steps define the performance matrices as benchmarks of various schemes. The calculation of aggregate in Equations (7) and (8) can be gained as the average value ($\psi$) for each calculated benchmark value against each given value in Table 7.

Table 7. Cross-efficient values.

Scheme	Performance Metrics
	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	164.61	26.55	106.2	507	0
[20]	398.25	127.44	0	5.31	547.08
[21]	196.47	122.13	111.51	5.31	584.61
[22]	217.71	26.55	95.98	30.66	506.8
[23]	127.44	21.24	159.3	20.04	306.4
Proposed	111.51	4.42	17.68	2.21	44.2
${\psi }_{\beta }$	202.665	54.7216	81.7783	95.0883	331.515

Step 2: In this step of the EDAS method, the positive distance from the average is denoted as $\left(P_{\mathfrak{I}}\right)$, and is calculated as shown in Equations (9)–(11) as given below:

$$P_{\mathfrak{I}}={\left[{\left(P_{\mathfrak{I}}\right)}_{\alpha \beta }\right]}_{\delta \times \delta }$$

(9)

If the $\beta$th criterion is more beneficial, then

$${{(P}_{\mathfrak{I}})}_{\alpha \beta }=\frac{Maximum(0,(A_{V_{\beta }}-X_{\alpha \beta }))}{A_{V_{\beta }}}$$

(10)

and if non-beneficial, then the given equation will be changed as follows below:

$${{(P}_{\mathfrak{I}})}_{\alpha \beta }=\frac{Maximum(0,(X_{\alpha \beta }-A_{V_{\beta }}))}{A_{V_{\beta }}}$$

(11)

The results replicate in Table 8 following as:

Table 8. Analysis results of average ${(N}_{\mathfrak{I}}$).

Scheme	Performance Metrics
	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	0	0	0.2986	4.3318	0
[20]	0.9650	1.3288	0	0	0.6502
[21]	0	1.2318	0.3635	0	0.7634
[22]	0.9523	5.0067	4.4287	12.8733	10.4660
[23]	0	0	0.9479	0	0
Proposed	0	0	0	0	0

Step 3: In this step of the EDAS, the negative distance from the average is denoted as ${(N}_{\mathfrak{I}}$), and is calculated using Equations (12), (13) and (15) as follows:

$${(N}_{\mathfrak{I}})={\left[{{(N}_{\mathfrak{I}})}_{\alpha \beta }\right]}_{\delta \times \delta }$$

(12)

If the $\beta$${}_{th}$ criterion is more beneficial, then

$${{(N}_{\mathfrak{I}})}_{\alpha \beta }=\frac{Maximum(0,(A_{V_{\beta }}-X_{\alpha \beta }))}{A_{V_{\beta }}}$$

(13)

and if non-beneficial, then the given equation will be changed as follows below:

$${{(N}_{\mathfrak{I}})}_{\alpha \beta }=\frac{Maximum(0,(X_{\alpha \beta }-A_{V_{\beta }}))}{A_{V_{\beta }}}$$

(14)

In the above equations, ${{(P}_{\mathfrak{I}})}_{\alpha \beta }$ and ${{(N}_{\mathfrak{I}})}_{\alpha \beta }$ stand for the positive distance and negative distance of $\beta$${}_{th}$ appraised algorithms from the average value concerning $\alpha$${}_{th}$ rating performance parameters, respectively.

The results reproduced are shown in Table 8 as:

Step 4: In this step, the the weighted sum of ${(P}_{\mathfrak{I}})$ for the rated algorithms in Table 9 is shown below:

$${{(SP}_{\mathfrak{I}})}_{\alpha }=\sum _{\beta =1}^x{y}_{\beta }{{(P}_{\mathfrak{I}})}_{\alpha \beta }$$

(15)

Table 9. Analysis results of the aggregate ${(P}_{\mathfrak{I}})$.

Criteria (W)	0.4176	0.2850	0.1453	0.0844	0.0676	${{(\mathit{SP}}_{\mathfrak{I}})}_{\mathit{\alpha }}$
Scheme	Performance Metrics
	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	0.0784	0.1467	0	0	0.0676	0.2927
[20]	0	0	0.1453	0.0796	0	0.2250
[21]	0.0127	0	0	0.0796	0	0.0924
[22]	0	0	0	0	0	0
[23]	0.1550	0.1743	0	0.0666	0.0051	0.4011
Proposed	0.1878	0.2619	0.1139	0.0824	0.0586	0.7047

Step 5: In this step, the weighted sum of ${{(N}_{\mathfrak{I}})}_{\alpha \beta }$ for the rated algorithms in Table 10 is shown below in Equation (16):

$${{(SN}_{\mathfrak{I}})}_{\alpha }=\sum _{\beta =1}^x{y}_{\beta }{{(N}_{\mathfrak{I}})}_{\alpha \beta }$$

(16)

Table 10. Analysis results of the aggregate ${(N}_{\mathfrak{I}})$.

Criteria (W)	0.4176	0.2850	0.1453	0.0844	0.0676	${{(\mathit{SP}}_{\mathfrak{I}})}_{\mathit{\alpha }}$
Scheme	Performance Metrics
	KeyGen	EncLocal	EncOut	DecLocal	DecOut
[19]	0	0	0.04340	0.3656	0	0.4090
[20]	0.4030	0.3787	0	0	0.0439	0.8257
[21]	0	0.3510	0.0528	0	0.0516	0.4555
[22]	0	0	0	0	0	0
[23]	0	0	0.1377	0	0	0.1377
Proposed	0	0	0	0	0	0

The results obtained are reflected in Table 10 as shown:

Step 6: In this step, the normalized scores of ${{(SP}_{\mathfrak{I}})}_{\alpha }$ and ${{(SN}_{\mathfrak{I}})}_{\alpha }$ for the rated algorithms are calculated as presented in Equations (17) and (18):

$$N{{(SP}_{\mathfrak{I}})}_{\alpha }=\frac{{{(SP}_{\mathfrak{I}})}_{\alpha }}{{maximum}_{\alpha }\left({{(SP}_{\mathfrak{I}})}_{\alpha }\right)}$$

(17)

$$N{{(SN}_{\mathfrak{I}})}_{\alpha }=1-\frac{{{(SN}_{\mathfrak{I}})}_{\alpha }}{{maximum}_{\alpha }\left({{(SN}_{\mathfrak{I}})}_{\alpha }\right)}$$

(18)

Step 7: In this step, the scores of $N{{(SP}_{\mathfrak{I}})}_{\alpha }$ and $N{{(SN}_{\mathfrak{I}})}_{\alpha }$ to receive an appraisal score (AS) is calculated, which is equal to $\left(\lambda \right)$ for the rated algorithms given in Equation (19).

$${\lambda }_{\alpha }=\frac{1}{2}(N{{(SP}_{\mathfrak{I}})}_{\alpha }-N{{(SP}_{\mathfrak{I}})}_{\alpha })$$

(19)

where $0\le {\lambda }_{\alpha }\le 1$.

The $\left(\lambda \right)$ is determined by the aggregate score of $NS{P}_m$ and $NS{N}_m$.

Step 8: In this step, measurement of the appraisal scores $\left(\lambda \right)$ in terms of decreasing order and then concluding of the ranking of rated algorithms is performed. The paramount ranking algorithms have the higher $\left(\lambda \right)$. Thus, in Table 11 below, the proposed algorithm has the highest $\left(\lambda \right)$.

Table 11. Analysis results of five state-of-the-art schemes.

Scheme	${{(\mathit{SP}}_{\mathfrak{I}})}_{\mathit{\alpha }}$	${{(\mathit{SN}}_{\mathfrak{I}})}_{\mathit{\alpha }}$	$\mathit{N}{{(\mathit{SP}}_{\mathfrak{I}})}_{\mathit{\alpha }}$	$\mathit{N}{{(\mathit{SN}}_{\mathfrak{I}})}_{\mathit{\alpha }}$	${\mathit{\lambda }}_{\mathit{\alpha }}$	Ranking
[19]	0.2927	0.4090	0.4154	0.5046	0.4600	4
[20]	0.2250	0.8257	0.3192	0	0.1596	6
[21]	0.0924	0.4555	0.1311	0.4483	0.2897	5
[22]	0	0	0	1	0.5	3
[23]	0.4011	0.1377	0.5691	0.8331	0.7011	2
Proposed	0.7047	0	1	1	1	1

The final results of the overall ranking are represented in Table 11:

The ranking shows that the proposed algorithm is the best out of five total state-of-the-art algorithms in the stated research domain.

7. Conclusions and Future work

In summary, we present a secure and efficient ABE architecture with outsourcing intense encryption and delegation operations. Further, leverage on the lightweight features of ECC and the primitive syntax of CP-ABE, our scheme reduces the computation cost of both encryption and decryption on the user side into a constant. Our solution enables the resource-scarce and lightweight WBAN sensors to securely upload and retrieve sensitive medical data in public clouds with a minimum constant cost. The inherent features of attribute/user revocation and verifiability of outsourcing data further strengthen the security of our scheme. The proposed scheme is found to be secured under the ECDDH assumption using the selective-set security model. The performance assessment of our scheme shows a significant overall efficiency in terms of storage, computation, and communication. Further, for better clarification and evaluation, the final outputs of the EDAS ranking method show that the proposed approach is on the top rank that noticeably reported the proposed scheme’s outperformance than the other reference schemes. We will investigate the incorporation of time-based access control and hierarchical access control in our research work as future work.