Secured and Privacy-Preserving Multi-Authority Access Control System for Cloud-Based Healthcare Data Sharing

With continuous advancements in Internet technology and the increased use of cryptographic techniques, the cloud has become the obvious choice for data sharing. Generally, the data are outsourced to cloud storage servers in encrypted form. Access control methods can be used on encrypted outsourced data to facilitate and regulate access. Multi-authority attribute-based encryption is a propitious technique to control who can access encrypted data in inter-domain applications such as sharing data between organizations, sharing data in healthcare, etc. The data owner may require the flexibility to share the data with known and unknown users. The known or closed-domain users may be internal employees of the organization, and unknown or open-domain users may be outside agencies, third-party users, etc. In the case of closed-domain users, the data owner becomes the key issuing authority, and in the case of open-domain users, various established attribute authorities perform the task of key issuance. Privacy preservation is also a crucial requirement in cloud-based data-sharing systems. This work proposes the SP-MAACS scheme, a secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Both open and closed domain users are considered, and policy privacy is ensured by only disclosing the names of policy attributes. The values of the attributes are kept hidden. Characteristic comparison with similar existing schemes shows that our scheme simultaneously provides features such as multi-authority setting, expressive and flexible access policy structure, privacy preservation, and scalability. The performance analysis carried out by us shows that the decryption cost is reasonable enough. Furthermore, the scheme is demonstrated to be adaptively secure under the standard model.


Introduction
The modern health industry is adopting Internet of Things (IoT) technology for providing advanced healthcare services [1]. A wide range of IoT devices and applications are designed for healthcare needs, e.g., sensors, remote healthcare monitoring applications, telemedicine consultation applications, etc. Healthcare organizations can collect, record, and monitor patient data regularly, providing them with adequate treatment in every situation. Patients can be treated well in emergencies by making use of their electronic schemes are a suitable option for facilitating efficient and secure EHR sharing. All the above-stated users in the healthcare system come from the open domain, i.e., they are not known to the data owner. To control access to shared data, attributes issued by various open-domain attribute authorities are used in access policies. Another important issue that must be considered in EHR data sharing is to give access to closed-domain users, i.e., the users known to the data owner, e.g., family friends, relatives, etc. Flexibility in handling the access requirements of both closed-and open-domain users makes the sharing of health data more practical and effective [10]. In emergencies, family friends or relatives may access the data. The privacy of the patient is also crucial in this kind of data sharing. In the above instance, if a patient outsources their medical data with policy "[(Profession = "Doctor" and Specialization = "Cardiology" and Affiliation = "AIIMS") or (Profession = "Doctor" and Specialization = "Cardiology" and Research Associate = "University Hospital") or (Relation = "Friend")]", then everyone including adversaries and the cloud service provider (CSP) can look at the policy formulation and figure out that the shared data are of a patient who is suffering from heart disease. This results in privacy leakage even though the ciphertext of EHR data is protected well. Therefore, it is essential to keep the access policy a secret to protect sensitive data.

Related Works
Numerous researchers have discussed data outsourcing in the cloud environment. Attribute-based encryption introduced by Sahai-Waters [11] is considered as most prominent scheme to institute access control for encrypted data. Although ABE and similar systems [4,9,11,12] employ one-to-many encryption concepts, there are some concerns with these techniques. The single authority managing the key issuance process for all the eligible users may decrypt every ciphertext by using issued secret keys. This is called the key escrow problem. Another problem in these schemes is low system performance due to over-reliance on a single authority for handling all of the system's keys. This motivated the concept of establishing multiple authorities for key management tasks in a distributed manner. Several multi-authority ABE schemes and schemes supporting policy privacy have been presented in the literature.

Multi-Authority ABE Schemes
Multi-authority ABE was first discussed in the work [13], where only one CA, also known as the central authority, and numerous AAs, also known as attribute authorities, To control access to shared data, attributes issued by various open-domain attribute authorities are used in access policies. Another important issue that must be considered in EHR data sharing is to give access to closed-domain users, i.e., the users known to the data owner, e.g., family friends, relatives, etc. Flexibility in handling the access requirements of both closedand open-domain users makes the sharing of health data more practical and effective [10]. In emergencies, family friends or relatives may access the data. The privacy of the patient is also crucial in this kind of data sharing. In the above instance, if a patient outsources their medical data with policy "[(Profession = "Doctor" and Specialization = "Cardiology" and Affiliation = "AIIMS") or (Profession = "Doctor" and Specialization = "Cardiology" and Research Associate = "University Hospital") or (Relation = "Friend")]", then everyone including adversaries and the cloud service provider (CSP) can look at the policy formulation and figure out that the shared data are of a patient who is suffering from heart disease. This results in privacy leakage even though the ciphertext of EHR data is protected well. Therefore, it is essential to keep the access policy a secret to protect sensitive data.

Related Works
Numerous researchers have discussed data outsourcing in the cloud environment. Attribute-based encryption introduced by Sahai-Waters [11] is considered as most prominent scheme to institute access control for encrypted data. Although ABE and similar systems [4,9,11,12] employ one-to-many encryption concepts, there are some concerns with these techniques. The single authority managing the key issuance process for all the eligible users may decrypt every ciphertext by using issued secret keys. This is called the key escrow problem. Another problem in these schemes is low system performance due to over-reliance on a single authority for handling all of the system's keys. This motivated the concept of establishing multiple authorities for key management tasks in a distributed manner. Several multi-authority ABE schemes and schemes supporting policy privacy have been presented in the literature.

Multi-Authority ABE Schemes
Multi-authority ABE was first discussed in the work [13], where only one CA, also known as the central authority, and numerous AAs, also known as attribute authorities, controlled key management. The CA and AAs were responsible for issuing keys for identity and keys for attributes, respectively. The use of the global identifier GID prevented user collusion problems. However, the CA was capable of decrypting any ciphertext. Chase and Chow [14] improved their scheme (CC-MA-ABE) by removing the CA and introducing an anonymous key distribution mechanism with the help of pseudo-random functions. Both schemes in [13,14] had the limitation that they supported an AND policy architecture only. Liu et al. [15] presented the MACP-ABE scheme, a fully secure scheme in the standard model where multiple central and attribute authorities collaborate to work together. The central authorities are responsible for issuing keys related to the user's identity, and the attribute authorities control the issuance of the attribute-related keys. Lewko and Waters [16] designed a decentralized CP-ABE and demonstrated security under the random oracle model. The linear secret sharing scheme, also known as LSSS, was used for specifying the access policy. At setup and key generation, no coordination between authorities was necessary, nor was there a central authority. Li et al. [17] proposed a scheme where the user's community can be divided into public and personal domains (PUD and PSD, respectively) depending upon their role in the system. Their scheme was based on scheme [14] and policy was specified using a conjunctive normal form (CNF) structure. Ibraimi et al. [18] suggested a scheme for patient health record sharing in a multi-authority (two authorities) setting. They introduced social domains and professional domains for different authorized users. Several pieces were proposed to cater to different issues regarding MA-ABE. Ruj et al. [19] addressed the revocation function in a multi-authority setting. However, their method had heavy communication overhead and key update computation overhead. The authors of [20] proposed cipher policy ABE schemes for supporting multi-authority scenarios and handling user revocation features. To improve efficiency, the decryption process was outsourced. AA became a bottleneck in the scheme, as it had to calculate update keys for each unrevoked user. The scheme presented in [21] improved the CP-ABE scheme for secure PHR sharing [22] for the multi-authority scenario. The authors also defined public and private domains for their PHR-sharing scheme. Li et al. [23] introduced an access control scheme for cloud storage supporting decryption outsourcing. The scheme was also a multi-authority scheme and was evidenced to be adaptive and secure. In order to eliminate key escrow and minimize computation and communication costs, Hu et al. [24] provided an MA-ABE scheme that resisted key escrow and had a ciphertext of constant size. Furthermore, in the MA-KPABE scheme presented in [25], verifiability of partial decryption ciphertext (PDC) and delegation features were added. Ma et al. [26] presented two decentralized CP-ABE techniques for the standard model. The CAs and AAs operated independently of one another. The first technique was constructed using a group of composite orders. The second technique produced ciphertexts of constant size in the groups of prime order. The first technique worked for any monotonic structure, while the second worked for AND-gate policies.

Policy Preservation in Attribute-Based Encryption
Because encrypted data on cloud storage servers remained in plaintext form when outsourced, access policies were shared with different users in all of the above schemes. This may cause potential exposure of sensitive information about the data owner as well as the consumers of the data. Several works [27,28] introduced CP-ABE schemes with partially hidden access control policies to protect the disclosure of this sensitive information. The access policies in these schemes divide attributes into two parts, i.e., attribute name and attribute value. In a partially hidden access policy, the attribute value that reveals sensitive information is made hidden, e.g., ([(Profession = "*" and Specialization = "*" and Affiliation = "*") or (Profession = "*" and Specialization = "*" and Research Associate = "*") or (Relation = "*"))). Li et al. [29] used the anonymous key issuing protocol used in CC-MA-ABE [14] and proposed an accountable multi-authority CP-ABE. Han et al. [30] developed a decentralized CP-ABE (PPDCP-ABE) scheme to eliminate dependency on and trust in central authorities while maintaining the privacy of users. In their scheme, multiple authorities may operate autonomously. The Pedersen commitment protocol [31] and zero-knowledge-proof protocol [32] were used to protect the attributes' privacy. In [32], a policy-hiding CP-ABE scheme was proposed to improve decryption efficiency. The authors pioneered the "match-then-decrypt" method, in which ciphertext components were routed to the decryption test. Without performing the actual decryption, it checked the satisfiability of the hidden attributes policy for the attribute private key. Chen et al. [33] designed a privacy-preserving decentralized CP-ABE where the secret key was taken out with privacy. Their proposal required no central AA or multi-authority collaboration. They used the scheme [31] proposed by Pederson and oblivious attribute certificates [34]. The users receive secret keys for legitimate identity attributes, but AAs cannot find any useful information. Zhong et al. [35] proposed an access control scheme with a hidden policy on multi-authority architecture. To hide policy, attributes were obfuscated using a one-way anonymous key agreement protocol. Yang et al. [36] proposed a method for controlling Big Data access. Instead of hiding the attribute values, they hid the whole attribute for privacy purposes. They utilized an attribute bloom filter, which detects an attribute and its precise location in the access policy. Ying et al. [37] presented a lightweight policy-preserving CP-ABE scheme for EHR sharing on the cloud. The access policy was fully hidden by use of the attribute cuckoo filter (ACF). PASH, proposed in [38], was designed to provide access control for smart health. The CP-ABE scheme supported a large universe and used partially hidden policies. It also handled decryption tests efficiently and provided full security. Yan et al. [39] introduced a multi-authority ABE with privacy preservation and dynamic policy updating. This scheme was suggested for a multi-authority scenario, but it could not prevent malicious users from sharing their private keys. Belguith et al. [40] proposed PHOABE for cloud-assisted IoT, where multiple authorities were considered and a fully hidden policy was maintained by obfuscating the attributes. Their scheme was based on the scheme in [16]. It introduced a semi-trusted cloud server for outsourcing the heavy decryption process. This minimized computation overhead on resource-constrained devices. Zhang et al. [41] developed a hidden ciphertext-policy scheme for a large universe and proposed an efficient decryption procedure. Chinnasamy et al. [42] proposed a policyhidden CP-ABE scheme for providing access control in an IoT environment. The SHA1 hashing algorithm was used for policy anonymization. Research works in [43,44] presented challenges related to cloud storage resources and applications in IoT. Najafi et al. [45] introduced a system with attribute privacy and search capabilities over encrypted data. In order to keep medical records safe and accessible, they created a storage and retrieval system. The approach was safe against keyword guess attacks in the standard model.
Analysis of the aforementioned schemes elucidated some comparative notes and observations. The following is a brief outline of issues with prominent MA-ABE schemes.

Our Contributions
To resolve the aforementioned problems, SP-MAACS, a secure and privacy-preserving multi-authority access control system for cloud-based data sharing is proposed. Our SP-MAACS is a secure MA-CP-ABE scheme with a partial policy hiding feature. Two components make up an attribute: the name and the value. Concrete attribute values are used in the access policy. They are encoded in the ciphertext components. The access policy in plaintext is also saved with the encrypted data. It includes attribute names, not values. In our scheme, we used the access policy in DNF form, also called "alternative routes to authorization" [47]. A set of satisfiable sub-policies can be derived from the main policy. For example, a policy for the data D represented as an arbitrary logical formula such as [a1 ∧ (a2 ∨ a3)] can be written as [(a1 ∧ a2) ∨ (a1 ∧ a3)]. Here the set of sub-policies is [(a1 ∧ a2), (a1 ∧ a3)]. Generally, when a data owner decides on an access policy, he starts framing it using a combination of alternatives. This standard method of specifying access Sensors 2023, 23, 2617 6 of 20 policy corresponds to the DNF structure employed by our approach. The following is a concise summary of the primary features of our system: → The proposed scheme incorporates the important aspect of privacy preservation in a multi-authority setting. Along with this added-on feature of privacy preservation, our multi-authority access control scheme also achieves better decryption efficiency; → The scheme is designed to support open-and closed-domain users and allows for employing fine-grained access control. The access policy formulated using DNF makes the policy specification more flexible and expressive. As our system is scalable, it allows users from varied domains and makes it better suited for real-world applications; → The scheme is adaptively secure. It achieves resistance to collusion attacks, as the users cannot integrate their attributes to access shared data. The scheme is demonstrated as secure in the standard model.

Organization
The rest of the paper is organized into the following sections: Section 2 compares the traits of prominent schemes studied in the previous section and our scheme. In Section 3, we outline some standard cryptographic definitions and access structure definitions. In Section 4, we propose the system model, the definitions of algorithms, and the security model. The SP-MAACS system construction is illustrated in Section 5. Section 6 discusses the scheme's security, performance analysis, and implementation results. Section 7 concludes the research work. Table 1 provides a comprehensive comparison of some major characteristics of prominent CP-ABE schemes and SP-MAACS. The comparison involves important features such as multi-authority setting, access policy structure and its expressiveness, privacy preservation, and the security settings of the schemes. The schemes [25,38,39,48] were designed for healthcare systems. From this comparison, we can see that the adaptively secure privacypreserving schemes [28,38,48] are single-authority schemes. The multi-authority CP-ABE schemes [16,23,25,26] are adaptively secure but do not offer privacy preservation of the access policy. The schemes [35,39] are multi-authority and privacy-preserving schemes, but their security is only evidenced in weaker selective models. As far as our survey goes, the SP-MAACS scheme is the only one that preserves privacy while also offering adaptive security in a multi-authority setting.

Mathematical Preliminaries
This section introduces the formal definitions and notations of the proposed scheme:

Composite Order Bilinear Groups
The authors defined composite order bilinear groups in [49].

Definition 1.
The order O of a bilinear group is defined as O = p 1 p 2 p 3 , i.e., the product of three different primes (here p 1 , p 2 and p 3 ). Let G and G T be cyclic groups of the order O. Let the subgroup in G with the order p i be denoted as G p i . g p 1 , g p 2 and g p 3 are generators of G p 1 , G p 2 and G p 3 , respectively. Let e : G X G → G T be the mapping and the following be the required properties: 1.
Bilinear property: ∀ c, d ∈ G and a, b ∈ ZN. e c a , d b = e(c, d) ab .

2.
Property of non-degeneracy: ∃} ∈ G, where e(g, g) in G T is of the order O.
Orthogonality: e g p 1 , g p 2 = 1 for any g p 1 ∈ G p 1 and any g p 2 ∈G p 2 .

Access Structure for Privacy Preservation
Here we first define normal access structure.
Definition 2. Let us name the universe of attributes AU. An access structure ϕ on AU is a collection of non-empty attribute sets, i.e., ϕ ⊆ 2 AU \∅. The collection of attribute sets, which is present in ϕ, is called the authorized set; all the other attributes lie in an unauthorized set. In addition, an access structure is called monotonic if ∀C, D: if C ∈ ϕ and C ⊆ D, then D ∈ ϕ. Now let us define linear secret sharing scheme (LSSS).

Definition 3.
Let Π be a secret-sharing scheme in which: (1) The generated share for each participant is a vector over Z p .
(2) ∃ A matrix W of m rows and n columns, where ∀rows ∈ W, the j th row is marked with the function ρ(j); then it is called a linear scheme. Secret s is randomly chosen such that s ∈ Z p and a vector is formed so that v = (s, v 2 . . . v n ) ∈ Z n p . Now let us take λ= W v T such that share λ j is for participant ρ(j) so we can write λ j = W j · v. (3) Linear reconstruction property: Let us denote S as an authorized set and take I = {j: ρ(j)∈ S}.
For an LSSS scheme, there exists a constant set µ j ∈ Z p j∈I , used to compute the secret s: ∑ j∈I µ j λ j = s. Access Structure for privacy preservation: Definition 4. Let us take an access structure ϕ = (W, ρ, Z) for describing an access policy. W is a share-generating matrix with the dimensions l by n that is connected with a secret sharing scheme, ρ is a map function and Z = Z ρ(j) 1≤j≤l is a set of corresponding possible values of the respective attribute. Function ρ maps each row of W to the name of the attribute present in the access policy.
We are keeping Z hidden in our scheme and the share-generating matrix W and function ρ are attached to the ciphertext.

Disjunctive Normal Form
Definition 5. In discrete mathematics, a canonical normal form of a Boolean formula can be written as OR of ANDs. It is termed the sum of products (SOP). This normal form is called a disjunctive normal form (DNF). It can be written as . . , A n are called sub-formulas and they are all conjunctions of the terms.

System Model, Algorithms, and Security Model
This section discusses the system model, various algorithms designed for the scheme, and the security model of the SP-MAACS scheme. The CSP essentially acts as a resource provider in place of the cloud, replicating that role for the cloud. The data owners use its data storage service and the users send a query for required data to access it. Furthermore, there is an assumption that the CSP is curious about obtaining the knowledge of data, but at the same time, it is honest; (5) User: A unique global identity is allotted to every user. They receive a secret key issued for numerous attributes from the responsible AA. The user sends the request for data access to the CSP along with their acquired secret keys, and if the attributes possessed by them are required in satisfying the access policy, they can obtain the data (Steps 5 and 6 in Figure 2).   Figure 2).

Algorithms
The SP-MAACS scheme uses the following four algorithms in its construction. This algorithm produces public key APKk and secret key ASKk.

Encryption
Encrypt(K, ψ, GPP,⋃ APKk) → (CT): This algorithm takes as input the GPPs, a symmetric key K by which data are encrypted, an access policy structure ψ, and a collection of public keys of applicable authorities. It generates the ciphertext.

User Key Generation
CAKeyGen(GPP,gid) → (CAPKgid, CASKgid): The user submits their gid as input to this algorithm. Taking GPP as another input, it produces the gid-related identity-key CASKgid, which is held by the user. The public key CAPKgid is given to the AAs for generating attribute-related keys.  Figure 2).

Algorithms
The SP-MAACS scheme uses the following four algorithms in its construction.

System Initialization
GlobalSetup(λ) → GPP: The algorithm uses the input λ which is also called the security parameter. After the setup executes, global public parameters GPP are generated.
CASetup(GPP) → (MPK, MSK): The central authority(CA) executes the CASetup algorithm. It outputs public key MPK and secret key MSK. All the authorities use MPK for verification purposes.
AASetup(GPP, k, U k ) → (APK k , ASK k ): Every authority AA k present in the system executes this algorithm, where the inputs are GPP and its attribute domain is called U k . No two authorities have a common attribute domain, which means for i = j, U i ∩ U j = ∅. This algorithm produces public key APK k and secret key ASK k .

Encryption
Encrypt(K, ψ, GPP, ∪ APK k ) → (CT): This algorithm takes as input the GPPs, a symmetric key K by which data are encrypted, an access policy structure ψ, and a collection of public keys of applicable authorities. It generates the ciphertext.

User Key Generation
CAKeyGen(GPP,gid) → (CAPK gid , CASK gid ): The user submits their gid as input to this algorithm. Taking GPP as another input, it produces the gid-related identity-key CASK gid , which is held by the user. The public key CAPK gid is given to the AAs for generating attribute-related keys.
AAKeyGen(S gid,k ,)GPP, MPK, CAPK gid , ASK k ) → (ASK S,gid,k ): When a user requests k th authority for generating keys for an attribute set S gid,k , AA k runs this algorithm with inputs as S gid,k , GPP, MPK, CAPK gid , and ASK k . If CAPK gid is invalid, then it returns ⊥, else it returns corresponding attribute-related keys ASK S,gid,k for attribute set S gid,k .

Decryption
Decrypt(CT, GPP, FK gid ) → (K): The decryption algorithm uses a global public parameter, the ciphertext denoted as CT, and the final secret keys' set FK gid as the inputs. The decryption is complete when the user's attributes satisfy the policy.

Security Model
We define the security model for SP-MAACS through a security game between adversary A and challenger C. We assumed that A can corrupt at most K-1 AAs. Let K c denote the index set of corrupted AAs and K uc denote the index set of uncorrupted AAs, where K uc = K\K c . The steps of the game are as follows: Setup: C executes the algorithms GlobalSetup, CASetup, and AASetup and transfers the GPP, MPK, and ∪ K k=1 APK k to the adversary A. Assume the adversary corrupts K c AAs such that K\K c = Φ. The challenger C passes the secret key {ASK k | k ∈ K c to A.
Phase 1: Adversary A can obtain the secret keys for the AAs who have been corrupted. CAKey queries: For these queries, challenger C responds by CAPK gid and CASK gid . AAKey queries: For the attribute set, the adversary submits S gid,k and CAPK gid to C, where k ∈ K uc . C returns the ASK S,gid,k k∈K uc .
Challenge: If adversary A finds that phase 1 is complete, it sends to C two messages M 0 , M 1 , which are equal in length, and two challenge access structures ψ * 1 = (W 1 , ρ 1 , Z 1 ) and ψ * 2 = (W 2 , ρ 2 , Z 2 ). Here the condition is that ψ * 1 and ψ * 2 cannot be satisfied by any attribute key query performed in phase 1. A random coin c ∈ {0, 1} is flipped by C; then, it sets CT * ψ c ← Encrypt(K c , ψ c , GPP, ∪APK k ) and passes this challenged ciphertext to A. Phase 2: As in phase 1, adversary A can again obtain adaptive secret key queries. Guess: Adversary A gives its guess c' of c as output and wins the game if c = c. Probability Pr of being c = c , i.e., Pr[c = c] = 1 2 is called the advantage of adversary A. To compute Pr, A and C choose random bits. Definition 6. Our SP-MAACS scheme with a privacy-preserving feature is fully secure since no probabilistic polynomial-time (PPT) adversary has a non-negligible advantage in the above game.

Scheme Construction
The following is the detailed construction of SP-MAACS:

System Initialization
The following three algorithms are used for system setup: GlobalSetup(λ) → GPP: The algorithm is called to initialize the system. It uses the input λ and generates GPP (global public parameters). Then, it chooses two bilinear groups G and G T of order O = p 1 p 2 p 3 and mapping e : G X G → G T . Let the subgroup in G with the order p i bbe denoted as G p i . g is a randomly chosen element from G p 1 . I 3 is a generator of G p 3 . The GPP are made available as = (O, e, g, I 3 , Ω Sign ), where Ω Sign = (GenKey,Sign,Verify) is a secure signature scheme and will be used to counter any collusion attempts.

CASetup(GPP) → (MPK, MSK):
The CA runs the GenKey algorithm of Ω Sign to obtain signature key MSK and verification key MPK. All the AAs use MPK.
AASetup(GPP, k, Uk) → (APK k , ASK k ): The attribute authority AA k runs the algorithm. Let us assume attribute universe AU k consists of n attribute names e.g., (a 1 , a 2 , . . . , a n ), and each attribute a i has n i attribute values, e.g., (a i,1 , a i,2 , . . . , a i,n i ). Each AA k chooses a random exponent t k,n i ∈ Z N and computes T k,n i = g t k,n i . It also chooses two random exponents α k , β k ∈ Z N and computes the public keys of AA k as: Hence, the cumulative public key of AA k is: And the cumulative secret key of AA k is:

Encryption
When the data owner outsources EHR data, they use a symmetric encryption algorithm and a key K to encrypt the data. Then, they encrypt key K using the following encrypt algorithm with the access policy ψ. Encryption is performed as follows: Encrypt(K, ψ, GPP,∪APK k ) → (CT): As we mentioned to choose the DNF of a set of sub-policies, let us assume there are q sub-policies, i.e., {ψ i } i=1,2..,q . For simplicity, let us call each of them W.The sub-policy W is the LSSS matrix. Let us take some rows and columns in the LSSS matrix as land n. The function ρ associates each row W j of W to attribute ρ(j). To make the policy hidden, a set of attribute values is denoted as Z = (Z ρ(1) , . . . Z ρ(l) ) and is attached to the access policy. Thus, the sub-policy can be expressed by (W, ρ, Z). For each sub-policy, the following steps are run: Step 1. The data owner chooses s ∈ Z p and a random vector Step 2. For each row of the matrix, the following is calculated: Step 3. Then, for every x [l], it selects a random exponent r x Z p and calculates: Here, SAA is defined as the index set of AA k . This set consists of an index of AAs whose attributes are present in the policy.
Step 4. Finally, the data owner sends the ciphertext data to a cloud E(K) = {{ψ i } i=1,2,3, . . . ,q, The decryption of the data by the user is possible when their attribute set matches any of the sub-policy (W, ρ, Z). The matching process is successful when for all x ∈ {1, . . . , l}, a ρ(x) = Z ρ(x) and constants µ x ∈ Z N such that ∑ x∈l µ x λ x = s.

User Key Generation
Every new user receives a unique gid after he registers himself in the system. For obtaining identity-related keys, he requests CA. The CA runs the CAKeyGen algorithm.
After that, the user applies attribute-related keys, and different AAs run the AAKeyGen algorithm for this.
CAKeyGen(GPP,gid) → (CAPK gid ,CASK gid ): The CA demands the user's gid for issuing identity keys. CA randomly chooses r gid ∈ Z N and R gid ∈ G p 3 , then sets CASK gid = g r gid R gid . Then, it uses MSK to compute γ gid = Sign MSK, gid CASK gid .
Finally, it sends CAPK gid = gid, CASK gid , γ gid and CASK gid to the user.
AAKeyGen(S gid,k GPP, MPK, CAPK gid , ASK k ) → (ASK S,gid,k ): To obtain the attributerelated keys issued, a user passes their attribute set S gid,k to the AA k , which belongs to their domain. Then, the AA k uses the MPK to verify whether the CAPK gid is valid. If valid, for issuing keys related to S gid,k , AA k randomly selects R gid,k ∈ G p 3 and computes SK gid,k = g α k CASK gid β k R gid,k = g α k g r gid β k R gid,k , where R gid,k = R gid β k R gid,k , else it aborts. For each attribute i ∈ S gid,k , it randomly selects R gid,k,i ∈ G p 3 and computes SK gid,k,i = CASK gid t k,ni R gid,k,i = T k,ni r gid R gid,k,i , where R gid,k,i = R gid t k,ni R gid,k,i . Finally, ASK S,gid,k = (SK gid,k , SK gid,k,i i ∈S gid,k ) is given to the user.
Therefore, the final set of user keys FK gid contains:

Decryption
When a user submits their data access request to the cloud server along with their secret keys, the decrypt algorithm is executed as follows: Decrypt(CT, GPP, FK gid )→(K): When the set of attribute keys of the user (S gid ) matches any of the conjunction or sub-policy (W, ρ, Z), then the symmetric key K can be retrieved by the following steps: Step 1: Compute CK = ∏ i∈SAA K 2,i , and choose constants µ x ∈ Z N , such that ∑ ρ(x)∈S gid µ x W x = (1, 0, . . . , 0). Then compute e( CK, C 0 ) = e ∏ l k=1 g α k g r gid β k R gid,k , g s = e(g, g) s ∑ l k=1 α k e(g, g) r gid s ∑ l k=1 β k Step 2: For all attribute-related keys for which ρ(x) ∈ S gid , compute Step 3: After dividing the result of step 1 by step 2, we obtain e(g, g) s ∑ l k=1 α k .
Step 4: C/ e(g, g) s ∑ l k=1 α k = K· e(g, g) s ∑ k∈SAA α k / e(g, g) s ∑ l k=1 α k = K The user can recover the data by using the symmetric key K.

Security Analysis
The following complexity assumptions serve as the foundation for our security proofs: Subgroup Decision Problem for Three Primes [38,50] Three assumptions are contained in this SDP assumption. Here Pr denotes the probability function.
Assumption 1: Let us take a group generator g and consider the distribution: G=(O = p 1 p 2 p 3 , G, The advantage of an algorithm A in breaking the mentioned assumption is: Definition 7. If for any polynomial time (PT) algorithm A, SDP_Adv1 G,A (λ) is a negligible function of λ, then g is said to satisfy the above-mentioned assumption 1.

Assumption 2:
Let us take a group generator g and consider the distribution: The advantage of an algorithm A in breaking the mentioned assumption is: Definition 8. If for any polynomial-time (PT) algorithm A, SDP_Adv2 G,A (λ) is a negligible function of λ, then g is said to satisfy the above-mentioned assumption 2.

Assumption 3:
Let us take a group generator g and consider the distribution: Proof. We will use two terms here: ciphertext in semi-functional form (SF-CT) and key in semi-functional form (SF-Key). The terms are used in proof [16] and are not used in the construction of the scheme. We chose a random exponent z k,i ∈ Z N for each attribute i ∈ U k .
Semi-functional ciphertext. To make an SF-CT, perform the following: , let us randomly select ξx ∈ Z N . In addition, choose a random vector → y ∈ Z n N . Then, set For each row x [l], Semi-functional key: There can be two types: Type 1 SF-Key: Choose random exponents r, δ k ∈ Z N and set: CASK gid = g r gid R gid ·g 2 r CAPK gid = gid, CASK gid , γ gid SK gid,k = g α k g r gid β k R gid,k ·g 2 δ k SK gid,k,i = T k,ni r gid R gid,k,i ·g 2 rz k,i Type 2 SF-Key: CASK gid = g r gid R gid CAPK gid = gid, CASK gid , γ gid SK gid,k = g α k g r gid β k R gid,k ·g 2 δ k SK gid,k,i = T k,ni r gid R gid,k,i If we use a regular key to decipher an SF-CT or an SF-Key to decipher a regular ciphertext, we can correctly calculate ∏ k∈SAA e(g, g) α k s . However, if we try to use an SF-Key to decipher a semi-functional CT, it will give us an extra thing: e(g 2 , g 2 ) c ∑ k∈SAA δ k −ry 1 , where y 1 is the first coordinate of the vector → y . The adaptive security of the scheme from three assumptions (Assumption no. 1, 2, 3), can be confirmed using a sequence of games shown in the appendix of [38].

Performance Analysis
As shown in Table 1, our scheme is compared with prominent multi-authority schemes, single-authority privacy-preserving schemes, and some privacy-preserving multi-authority schemes. The salient features of our scheme are also highlighted in Sections 1 and 2. Table 2 shows the comparison of storage overhead and encryption and decryption computation costs. Table 3 presents a summary of the notations that are used in the comparison.
n a |G T | + (n + n v + 1)|G| (n a + |A U | + 2)|G| (2|A C | + 1)|G| +|G T | ( 3|A C | + 2)E (2|I| + 1)P + |I| E From the above numerical performance analysis, it can be observed that the key generation time of our scheme and schemes [23,39] are comparable, while other schemes have shorter key generation times. The reason for this is that either they are single-authority or not provide privacy preservation features. The numerical decryption time of our scheme is less than that of the others, as the number of exponentiation operations performed is less.

Implementation Result
Through the characteristic comparison presented in Table 1, our scheme SP-MAACS has been shown to be better than other schemes in terms of features attained. We implemented our scheme and the fully secure decentralized CP-ABE scheme [26] and assessed the performance. The authors of fully secure decentralized CP-ABE presented two constructions [26] and demonstrated them to be secure under the standard model. Their first construction used a composite-order bilinear group and was confirmed to be fully secure by taking static assumptions. The scheme applies to any monotone access structure.

Implementation Environment
The SP-MAACS scheme and the fully secure decentralized CP-ABE scheme [26] were implemented using the well-developed and robust JPBC library [51]. We used the Eclipse IDE to implement the simulation code and the code was written in Java. The tests were conducted on a laptop running Windows 10 (64-bit) and equipped with a 2.50 GHz Intel (R) i5-3210M processor and 4 gigabytes of RAM. JPBC supports a variety of elliptic curve types. Type A, Type A1, Type D, Type E, Type F, and Type G are included. This experiment was conducted on the group of elliptic curves of Type A1. Their order is the product of three primes of length 517 bits. In the global setup method, while performing setup for the central authority, the Boneh-Lynn-Shacham signature scheme, called the BLS signature, was implemented. A BLS signature enables a user to validate the authenticity of a signer. Signatures are created as elements in elliptic curve groups and verified using a pairing function. The Junit testing framework was used for testing the implemented classes.

System Setup
Exponentiations and pairing operations in the above algorithms for the encryption and decryption process account for a large portion of the computational overhead of CP-ABE systems; thus, we analyzed the encryption and decryption cost of our scheme. For the analysis purpose, we assumed that in our system, five attribute authorities are responsible for attribute management. In addition, it was assumed that each authority manages five attributes. Each attribute may have any one of the possible attribute values. We also implemented a secure signature scheme, which was used by CA to sign the user key, and AA use verified the algorithm to perform the verification of the key. Figure 3 illustrates the computation time of the encryption, key generation, and decryption algorithms. Each algorithm's experimental outcome was the mean of 10 independent runs. Figure 3a presents a graph between the encryption time and the attribute count in the access control policy. We took several attributes on the X-axis in the range of 5 attributes to 25 attributes. We have already mentioned that our scheme considers the DNF access structure and the scheme [26] uses a traditional AND-OR access structure. Typically, when a data owner decides on an access policy, they start to build it by combining many possibilities using the "OR" gate. This standard method of specifying access policy corresponds to the DNF structure used by our approach. The time taken for encryption in our scheme is higher because we perform encryption for every access sub-structure clause. This, in turn, increases the number of ciphertext components. It can be observed that the encryption activity is less frequent. Due to the vast computational power and storage capacities of the cloud, increased encryption time and storage needs are acceptable. Figure 3b shows the key generation time versus attribute count in the satisfying set. In SP-MAACS, the key generation time is higher, as the user secret key contains the identity and attribute-value-related key components in addition to the authority-related keys. We use identity and attribute-value-related keys to provide collision resistance and privacy preservation features. The central authority CA of the system registers the user and issues them identity-related keys, and are the keys are issued to the user by the CA (shown in the construction of the scheme). The user may have multiple values for their attributes. The attribute authority AA issues both authority-related and attribute-value-specific keys to the user. Scheme [26], on the other hand, only considers keys provided by the attribute authority. Therefore, we compromise key generation time to deliver more functionality. Figure 3c shows a graph between the decryption times and attribute count. In Figure 3c, attributes present in policy and attribute count in the satisfying sets are shown on the dual X-axis. While performing decryption, the user can determine the smallest satisfying set out of the policy defined by the owner of the data. In general, we can assume that on average 50% of the attributes make a satisfying subset out of the total attributes present in the policy. For example, if an access control policy contains 20 attributes in it, then in general the AND-OR combination requires that the user should carry on average 10 attributes for satisfying it or the policy require only 10 attributes to fulfill it. The DNF clause, which matches the attribute and its value in the user-supplied keys, is only utilized during the decryption process. Since there is no requirement for attribute matching with the whole access structure, our scheme takes less decryption time and improves decryption efficiency in comparison to the scheme [26]. This improvement in decryption time satisfies the major requirement of healthcare data sharing, where a doctor wants to access a patient's EHR data quickly in a life-critical situation. the major requirement of healthcare data sharing, where a doctor wants to access a patient's EHR data quickly in a life-critical situation. In summary, our scheme simultaneously provides features of multi-authority, privacy preservation, efficient decryption, and adaptive security. The increase in storage cost and encryption time is affordable, as cloud storage is available at a very nominal cost and encryption activity is performed less frequently. The users may ask for the download and decryption of the ciphertext randomly as per their requirement, so it is a frequent process. Thus, reducing the decryption cost is beneficial.

Conclusions
Today, the cloud is the most obvious data-sharing platform for the healthcare sector, and ABE schemes can be used to provide access control on outsourced EHR data in encrypted form. In order to share data on cloud storage servers, this article suggests the SP-MAACS scheme, a completely secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Data owners may now freely share their data with all users in both open and closed domains. This makes the system scalable and adaptable. The partially hidden access policy protects user as well as data owner privacy. Our implementation results demonstrate that the scheme achieves an improvement in decryption cost despite the scheme being privacy-preserving and providing adaptive security under the standard model. The efficiency of decryption can be further increased by outsourcing the decryption to proxy servers in the future. Healthcare data management and privacy protection are currently one of the most active blockchain research areas. Combining the proposed control scheme with blockchain technology could improve security, privacy, and audibility. In summary, our scheme simultaneously provides features of multi-authority, privacy preservation, efficient decryption, and adaptive security. The increase in storage cost and encryption time is affordable, as cloud storage is available at a very nominal cost and encryption activity is performed less frequently. The users may ask for the download and decryption of the ciphertext randomly as per their requirement, so it is a frequent process. Thus, reducing the decryption cost is beneficial.

Conclusions
Today, the cloud is the most obvious data-sharing platform for the healthcare sector, and ABE schemes can be used to provide access control on outsourced EHR data in encrypted form. In order to share data on cloud storage servers, this article suggests the SP-MAACS scheme, a completely secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Data owners may now freely share their data with all users in both open and closed domains. This makes the system scalable and adaptable. The partially hidden access policy protects user as well as data owner privacy. Our implementation results demonstrate that the scheme achieves an improvement in decryption cost despite the scheme being privacy-preserving and providing adaptive security under the standard model. The efficiency of decryption can be further increased by outsourcing the decryption to proxy servers in the future. Healthcare data management and privacy protection are currently one of the most active blockchain research areas. Combining the proposed control scheme with blockchain technology could improve security, privacy, and audibility. Institutional Review Board Statement: Ethical approval was not required for this study. Human or animal subject data were not used in this study.