# Design of Secure and Privacy-Preserving Data Sharing Scheme Based on Key Aggregation and Private Set Intersection in Medical Information System


## Abstract


## 1. Introduction

- We propose a privacy-preserving medical data sharing scheme. To maintain a balance between privacy and data sharing, we leverage PSI between the data owner and the data user before access requests. This facilitates interaction and data sharing while protecting sensitive information.
- The proposed scheme ensures secure data sharing and access control through KAE. Since KAE enables secure and flexible access control with a single aggregate key, the integration of KAE in the proposed scheme enhances data security by reducing the risk of data breaches and unauthorized disclosures.
- We perform security analysis using the Scyther tool [12] and mathematical analysis methods such as Burrows–Abadi–Needham (BAN) logic [13] and indistinguishability against the chosen plaintext attack (IND-CPA). In addition, we conduct performance analyses using the multiprecision integer and rational arithmetic cryptographic library (MIRACL) [14] and compare the obtained results with those of previous studies.

## 2. Related Works

## 3. Preliminaries

#### 3.1. Elliptic Curve Cryptography

- Elliptic curve discrete logarithm problem (ECDLP): Given two points $P$ and $Q$ on $E_p(a,b)$, determining the scalar $\alpha \in \mathbb{Z}_p$ such that $Q = \alpha \cdot P$ is considered computationally difficult.
- Elliptic curve computational Diffie–Hellman problem (ECCDHP): Given two points $\alpha \cdot P$ and $\beta \cdot P$, it is hard to calculate $\alpha \cdot \beta \cdot P$.
- Elliptic curve decisional Diffie–Hellman problem (ECDDHP): Given three points $\alpha \cdot P$, $\beta \cdot P$, and $\gamma \cdot P$, it is difficult to determine whether $\gamma \cdot P = \alpha \cdot \beta \cdot P$, where $\alpha, \beta, \gamma \in \mathbb{Z}_p$.

#### 3.2. Bilinear Pairing

- Bilinearity: For $\forall P,Q\in \mathcal{G}$, and $\forall a,b\in {Z}_{p}^{*}$, $\widehat{e}(aP,bQ)=\widehat{e}{(P,Q)}^{ab}$.
- Non-degeneracy: $\widehat{e}(P,Q)\ne 1$ for some $P,Q\in \mathcal{G}$.
- Efficiency: $\widehat{e}(P,Q)$ can be calculated in polynomial time for $\forall P,Q\in \mathcal{G}$.

#### 3.3. Decisional Bilinear Diffie–Hellman (DBDH) Assumption

#### 3.4. Key Aggregate Encryption

1. KAE.Setup ($1^{\lambda}, n$): Generate a random number $\alpha \in \mathbb{Z}_p$, compute $P_i = \alpha^{i} P \in \mathcal{G}$ for $i \in \{1,\dots,n,n+2,\dots,2n\}$, and publish $param = \{P, n, \{P_i\}_{1\le i\le 2n,\, i\ne n+1}\}$. Then, discard $\alpha$.
2. KAE.KeyGen (): Generate $sk \in \mathbb{Z}_p$ and compute $pk = sk \cdot P$. Then, output the public and private key pair $(pk, sk) = (sk \cdot P, sk)$.
3. KAE.Encrypt ($param, pk, i, F$): For data $F_i \in \mathcal{G}_T$ of class $i \in \{1,\dots,n\}$, choose a random number $s \in \mathbb{Z}_p$ and compute $c_1 = s \cdot P$, $c_2 = s \cdot (pk + P_i)$, $c_3 = F_i \cdot e(P_1, P_n)^{s}$. Then, output $C = \{c_1, c_2, c_3\}$.
4. KAE.Extract ($param, sk, S$): For the subset of data class indices $S$, output the aggregate key $AK = \sum_{j \in S} sk \cdot P_{n+1-j}$.
5. KAE.Decrypt ($param, AK, S, i, C$): If $i \notin S$, output $\bot$. Otherwise, calculate $v_1 = \sum_{j \in S, j \ne i} P_{n+1-j+i}$, $v_2 = \sum_{j \in S} P_{n+1-j}$, and output $F_i = c_3 \cdot \frac{e(AK + v_1, c_1)}{e(v_2, c_2)}$.

#### 3.5. Brakerski–Gentry–Vaikuntanathan

1. BGV.Setup ($1^{\lambda}$): Select a ring $R_q = \mathbb{Z}_q[X]/(X^{l}+1)$, where $l$ is a power of 2. Given a security parameter $\lambda$, set the ciphertext modulus $q$, the plaintext modulus $t$, and the noise distribution $\mathcal{X}$. Output $params = (R_q, l, q, t, \mathcal{X})$.
2. BGV.KeyGen ($params$): Generate the secret key $s \in \{-1,0,1\}^{l}$, a random polynomial $r \in R_q$, and a random error polynomial $e \in \mathcal{X}$. Calculate the public key $p = (p_0, p_1) = (r \cdot s + t \cdot e,\; -r)$.
3. BGV.Enc ($params, p, m$): Generate $e_0, e_1 \in \mathcal{X}$ and a random polynomial $u$, and compute $\mathbf{ct} = (ct_0, ct_1) = (p_0 \cdot u + t e_0 + m,\; p_1 \cdot u + t e_1) = ⟦m⟧_p$.
4. BGV.Dec ($params, s, \mathbf{ct}$): Calculate $m = \left[ [ct_0 + ct_1 \cdot s]_q \right]_t$ using $s$.
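The four BGV procedures above, written out in plain Python as an added example (not code from the paper or from any BGV library). It uses deliberately tiny, constructed parameters ($l = 8$, $q = 8192$, $t = 7$) so the ring arithmetic is visible, and it assumes, as standard BGV does, that the "random polynomial $u$" in BGV.Enc is sampled small (ternary): the decryption identity $[ct_0 + ct_1 \cdot s]_q = m + t(e \cdot u + e_0 + e_1 \cdot s)$ only recovers $m$ while that noise term stays below $q/2$, which `noise_norm` lets you check.

```python
import random

# Toy BGV parameters (constructed for illustration; far too small to be secure).
L = 8        # ring degree l: R_q = Z_q[X]/(X^l + 1), l a power of two
Q = 8192     # ciphertext modulus q
T = 7        # plaintext modulus t

def centered(poly, mod):
    """[.]_mod: reduce each coefficient into the centered range [-mod/2, mod/2)."""
    return [((c + mod // 2) % mod) - mod // 2 for c in poly]

def poly_add(a, b):
    return [x + y for x, y in zip(a, b)]

def poly_scale(a, k):
    return [k * x for x in a]

def poly_mul(a, b):
    """Multiply in Z[X]/(X^L + 1): a product term past degree L-1 wraps with a minus sign."""
    out = [0] * L
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < L:
                out[i + j] += ai * bj
            else:
                out[i + j - L] -= ai * bj
    return out

def sample_small(rng):
    """Noise distribution X and secret-key distribution: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(L)]

def bgv_keygen(rng):
    """BGV.KeyGen: s in {-1,0,1}^l, r uniform in R_q, e from X; p = (r*s + t*e, -r)."""
    s = sample_small(rng)
    r = [rng.randrange(Q) for _ in range(L)]
    e = sample_small(rng)
    p0 = centered(poly_add(poly_mul(r, s), poly_scale(e, T)), Q)
    p1 = centered(poly_scale(r, -1), Q)
    return (p0, p1), s

def bgv_enc(pk, m, rng):
    """BGV.Enc: ct = (p0*u + t*e0 + m, p1*u + t*e1).
    Assumption: u is sampled small (ternary) like the noise; a uniform u would
    overflow the noise budget and make decryption fail."""
    p0, p1 = pk
    u, e0, e1 = sample_small(rng), sample_small(rng), sample_small(rng)
    ct0 = centered(poly_add(poly_add(poly_mul(p0, u), poly_scale(e0, T)), m), Q)
    ct1 = centered(poly_add(poly_mul(p1, u), poly_scale(e1, T)), Q)
    return ct0, ct1

def bgv_dec(s, ct):
    """BGV.Dec: m = [[ct0 + ct1*s]_q]_t. The r*s*u terms cancel, leaving m + t*noise."""
    ct0, ct1 = ct
    inner = centered(poly_add(ct0, poly_mul(ct1, s)), Q)
    return [c % T for c in inner]

def noise_norm(s, ct):
    """Infinity norm of [ct0 + ct1*s]_q: decryption is correct only while this is < q/2."""
    ct0, ct1 = ct
    return max(abs(c) for c in centered(poly_add(ct0, poly_mul(ct1, s)), Q))

def roundtrip(message, seed=1):
    """Key generation, encryption and decryption of one plaintext polynomial (coefficients in [0, t))."""
    rng = random.Random(seed)
    pk, s = bgv_keygen(rng)
    ct = bgv_enc(pk, message, rng)
    return bgv_dec(s, ct), noise_norm(s, ct)

if __name__ == "__main__":
    m = [0, 1, 2, 3, 4, 5, 6, 0]
    print(roundtrip(m))
```

With these parameters the noise term is bounded by $t \cdot (l + 1 + l) + (t - 1) = 125$ in absolute value, comfortably under $q/2 = 4096$, which is why the round trip is exact; shrinking $q$ or widening the noise distribution is the quickest way to see decryption break.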

#### 3.6. Private Set Intersection

1. PSI.Setup ($1^{\lambda}$): The sender and the receiver each generate a public–private key pair using BGV.KeyGen.
2. PSI.Enc ($Y, p$): The receiver encrypts each element $y_z \in Y$ using BGV.Enc and transmits the ciphertext $\mathbf{ct} = ⟦Y⟧_p = (⟦y_1⟧_p, ⟦y_2⟧_p, \dots, ⟦y_{N_Y}⟧_p)$ to the sender.
3. PSI.Intersection ($\mathbf{ct}, X$): For each $⟦y_z⟧_p \in \mathbf{ct}$, the sender chooses a random number $r_z$ and homomorphically computes $d_z = r_z \prod_{x \in X} (⟦y_z⟧_p - x)$. Then, the sender returns $\mathbf{d} = (d_1, d_2, \dots, d_{N_Y})$ to the receiver.
4. PSI.Ext ($\mathbf{d}, s$): The receiver computes $\mathrm{Dec}(d_z) = r_z \prod_{x \in X} (y_z - x)$ using the BGV secret key $s$. An element $y_z$ belongs to $X \cap Y$ exactly when BGV.Dec($d_z$) $= 0$, and the receiver collects those $y_z$ as the intersection.
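The blinded-product construction of PSI.Intersection and PSI.Ext, as an added example that is not part of the paper: the encryption layer is stripped away and the same arithmetic is run in the clear over a constructed prime modulus `P` standing in for the BGV plaintext ring, with keywords mapped to ring elements by a constructed SHA-256 encoding. What it shows is the algebraic property the protocol relies on: $\prod_{x \in X}(y_z - x)$ vanishes exactly when $y_z \in X$, and the fresh nonzero multiplier $r_z$ turns every non-zero result into a uniformly random value that carries no information about $X$ (in the real scheme the sender evaluates this on ciphertexts and therefore never sees $Y$ either).

```python
import hashlib
import random

# Prime modulus standing in for the BGV plaintext ring (constructed toy value).
P = 2**61 - 1

def encode(keyword):
    """Map a keyword to an element of Z_P (constructed encoding; collisions are negligible)."""
    digest = hashlib.sha256(keyword.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P

def psi_intersection(X, ct_Y, rng):
    """PSI.Intersection (sender side): d_z = r_z * prod_{x in X} (y_z - x)  (mod P).
    ct_Y stands for the receiver's encrypted elements; X is the sender's own set."""
    d = []
    for y in ct_Y:
        r_z = rng.randrange(1, P)          # fresh, nonzero blinding factor per element
        prod = 1
        for x in X:
            prod = prod * (y - x) % P      # hits 0 exactly when y equals some x in X
        d.append(r_z * prod % P)           # nonzero results are uniformly random in Z_P*
    return d

def psi_ext(Y, d):
    """PSI.Ext (receiver side): y_z is in X ∩ Y iff Dec(d_z) == 0."""
    return [y for y, d_z in zip(Y, d) if d_z == 0]

def run_psi(sender_keywords, receiver_keywords, seed=0):
    """Run the exchange over two keyword lists. Returns the receiver's recovered
    intersection (as keywords, sorted) and the blinded vector d, so a caller can
    confirm that non-matching positions are nonzero."""
    rng = random.Random(seed)
    X = [encode(k) for k in sender_keywords]      # data owner's keyword set
    Y = [encode(k) for k in receiver_keywords]    # data user's keyword set
    d = psi_intersection(X, Y, rng)
    matched = set(psi_ext(Y, d))
    common = sorted(k for k in receiver_keywords if encode(k) in matched)
    return common, d

if __name__ == "__main__":
    # Constructed sample sets: DO holds the first list, DU queries with the second.
    print(run_psi(["diabetes", "hypertension", "asthma"],
                  ["asthma", "migraine", "diabetes"]))
```

Note that the receiver learns only which of its own elements matched; it learns nothing about the sender's other elements because each non-zero $d_z$ is a product of a uniform nonzero $r_z$ with a fixed nonzero value.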

## 4. System Models

#### 4.1. Network Model

- Trusted authority ($\mathcal{TA}$): $\mathcal{TA}$ initiates the system by generating the parameters for data sharing. $\mathcal{TA}$ registers both $\mathcal{DO}$ and $\mathcal{DU}$ and issues them the necessary credentials.
- Data owner ($\mathcal{DO}$): $\mathcal{DO}$ is a hospital, clinic, or research institution. $\mathcal{DO}$ encrypts medical data and sends them to $\mathcal{CS}$. When $\mathcal{DU}$ issues a common keyword identification query, $\mathcal{DO}$ computes the intersection result, which only $\mathcal{DU}$ can decrypt, after verifying $\mathcal{DU}$'s legitimacy. $\mathcal{DO}$ also provides the aggregate key and the relevant data class set upon $\mathcal{DU}$'s data access request.
- Data user ($\mathcal{DU}$): $\mathcal{DU}$ is a doctor, nurse, researcher, patient, etc., within a medical institution. To access data, $\mathcal{DU}$ initiates a common keyword identification query. After receiving the result, $\mathcal{DU}$ requests access to the data related to the matched keywords and then uses the aggregate key to decrypt the data obtained from $\mathcal{CS}$.
- Cloud server ($\mathcal{CS}$): $\mathcal{CS}$ stores the medical data and returns the data search results. When data are uploaded by $\mathcal{DO}$, $\mathcal{CS}$ stores them only if $\mathcal{DO}$ is verified as legitimate. $\mathcal{CS}$ likewise grants data access to $\mathcal{DU}$ only after verifying $\mathcal{DU}$'s legitimacy.

1. $\mathcal{TA}$ initializes the system parameters for authentication, intersection calculation, and data sharing.
2. $\mathcal{TA}$ registers $\mathcal{DO}$ and $\mathcal{DU}$, storing their identity information to prevent duplicate registrations. Then, $\mathcal{TA}$ issues credentials for secure data sharing through authentication.
3. $\mathcal{DO}$ encrypts the medical data and uploads them to $\mathcal{CS}$. $\mathcal{CS}$ then verifies $\mathcal{DO}$'s legitimacy prior to storing the data.
4. $\mathcal{DU}$ submits the common keyword identification query for its own keyword set. $\mathcal{DO}$ generates and transmits the encrypted intersection result after confirming $\mathcal{DU}$'s legitimacy with $\mathcal{TA}$. $\mathcal{DU}$ verifies the received message and stores the intersection.
5. $\mathcal{DU}$ transmits a query for data access permission to $\mathcal{DO}$ using the intersection result. Then, $\mathcal{DO}$ generates and sends the aggregate key and the corresponding data class set based on the intersected keywords.
6. $\mathcal{DU}$ requests the data from $\mathcal{CS}$ using the data class set and decrypts them using the aggregate key obtained from $\mathcal{DO}$.

#### 4.2. Adversary Model

#### 4.3. Security Model

**Definition 1**

- Init. $\mathcal{A}$ selects a specific target set $S_a$ from the available set $S = \{1,\dots,n\}$ that it aims to attack.
- Setup. The simulator $\mathcal{B}$ provides the system parameters to $\mathcal{A}$.
- Phase 1. For ${S}^{*}\subseteq {\overline{S}}_{a}$, $\mathcal{A}$ submits an aggregate key request query to $\mathcal{B}$. Subsequently, $\mathcal{B}$ generates and transmits the aggregate key to $\mathcal{A}$.
- Challenge. $\mathcal{A}$ selects two plaintexts, ${F}_{0}$ and ${F}_{1}$, of equal length from a set of possible plaintexts associated with class ${i}_{t}$. These plaintexts are then forwarded to $\mathcal{B}$. Thereafter, $\mathcal{B}$ obtains a random bit $\varkappa \in \{0,1\}$ via a coin flip. Following this, $\mathcal{B}$ encrypts the selected plaintext ${F}_{\varkappa}$ and transmits the resulting ciphertext to $\mathcal{A}$.
- Phase 2. $\mathcal{A}$ iterates through Phase 1 for ${S}^{*}\subseteq \overline{{S}_{a}}$, encompassing classes that do not belong to ${S}_{a}$.
- Guess. $\mathcal{A}$ produces an estimate ${\varkappa}^{\prime}$ of the true value of ϰ and communicates it to $\mathcal{B}$. If the estimate ${\varkappa}^{\prime}$ aligns with the true value ϰ, $\mathcal{A}$ is deemed successful in the game.

## 5. Proposed Scheme

#### 5.1. Setup Phase

#### 5.2. Registration Phase

**Step 1:** $\mathcal{DO}$ selects and sends $ID_o$ to $\mathcal{TA}$.

**Step 2:** $\mathcal{TA}$ checks whether $ID_o$ is already registered by computing $V_o = h(ID_o \| k_{TA})$. $\mathcal{TA}$ generates $r_o \in R_q$, $e_o \in \mathcal{X}$, $s_o \in \{-1,0,1\}^{k}$, and $R_o \in \mathbb{Z}_p$ and computes $p_o = (r_o \cdot s_o + t \cdot e_o,\; -r_o)$, $v_o = (k_{TA} + R_o) \bmod p$, $d_o = R_o \cdot P$. Then, $\mathcal{TA}$ stores $V_o = h(ID_o \| k_{TA})$ and sends $\{p_o, s_o, v_o, d_o\}$ to $\mathcal{DO}$.

**Step 3:** $\mathcal{DO}$ stores $\{p_o, s_o, v_o, d_o\}$ securely.

#### 5.3. Data Upload Phase

**Step 1:** $\mathcal{DO}$ generates random nonces $s, u \in \mathbb{Z}_p$ and computes $U_1 = u \cdot P$, $U_2 = u \cdot pk_s$, $U_3 = u + h(U_2 \| v_o \cdot P) \cdot sk_o \pmod p$. $\mathcal{DO}$ also computes $c_1 = s \cdot P$, $c_2 = s \cdot (pk_o + P_i)$, $c_3 = F_i \cdot e(P_1, P_n)^{s}$, $v_i = h(F_i \| ID_o)$, $C_i = (c_1 \| c_2 \| c_3 \| v_i) \oplus U_2$ for each document $F_i$ ($i \in \{1,\dots,n\}$). Then, $\mathcal{DO}$ sends $\{ID_o, U_1, U_3, d_o, C_i\}$ to $\mathcal{CS}$.

**Step 2:** Upon receiving the upload message, $\mathcal{CS}$ computes $U_2^{*} = U_1 \cdot sk_s$ and checks whether $U_3 \cdot P$ is equal to $U_1 + h(U_2^{*} \| pk_{TA} + d_o) \cdot pk_o$. If it is correct, $\mathcal{CS}$ computes $(c_1 \| c_2 \| c_3 \| v_i) = C_i \oplus U_2^{*}$ and stores $\{c_1, c_2, c_3, v_i\}$.

#### 5.4. Common Keyword Identification Phase

**Step 1:** $\mathcal{DU}$ generates $a_1$ and $T_{A1}$ and computes $A_1 = a_1 \cdot P$, $A_2 = a_1 \cdot pk_o$, $A_3 = a_1 + h(A_2 \| v_u \cdot P \| ID_u) \cdot sk_u \pmod p$, and $\mathbf{ct} = ⟦Y⟧_{p_u} = (⟦y_1⟧_{p_u}, ⟦y_2⟧_{p_u}, \dots, ⟦y_m⟧_{p_u})$. Then, $\mathcal{DU}$ sends $\{T_{A1}, ID_u, d_u, A_1, A_3, \mathbf{ct}\}$ to $\mathcal{DO}$.

**Step 2:** After receiving the message, $\mathcal{DO}$ checks $|T_{A1}^{*} - T_{A1}| \le △T$, computes $A_2^{*} = A_1 \cdot sk_o$, and checks $A_3 \cdot P \stackrel{?}{=} A_1 + h(A_2^{*} \| pk_{TA} + d_u \| ID_u) \cdot pk_u$. If it is correct, $\mathcal{DO}$ generates $a_2$ and $T_{A2}$ and computes $A_4 = a_2 \cdot P$, $A_5 = a_2 \cdot pk_u$, $A_6 = a_2 + h(A_5 \| v_o \cdot P \| A_2^{*} \| ID_o) \cdot sk_o \pmod p$. $\mathcal{DO}$ also generates $r_z$ for each $⟦y_z⟧_{p_u} \in \mathbf{ct}$ and computes $d_z = r_z \prod_{x \in X} (⟦y_z⟧_{p_u} - x)$. Then, $\mathcal{DO}$ transmits $\{T_{A2}, ID_o, d_o, A_4, A_6, d_z\}$ to $\mathcal{DU}$.

**Step 3:** $\mathcal{DU}$ checks $|T_{A2}^{*} - T_{A2}| \le △T$ and computes $A_5^{*} = A_4 \cdot sk_u$. If $A_6 \cdot P$ equals $A_4 + h(A_5^{*} \| pk_{TA} + d_o \| A_2 \| ID_o) \cdot pk_o$, $\mathcal{DU}$ computes $\mathrm{Dec}(d_z) = r_z \prod_{x \in X} (y_z - x)$ using $s_u$ and adds every $y \in X \cap Y$ (i.e., every $y_z$ with $\mathrm{Dec}(d_z) = 0$) to $SI$.
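The authentication half of Steps 1 and 2 (the $A_1, A_2, A_3$ construction and $\mathcal{DO}$'s check $A_3 \cdot P \stackrel{?}{=} A_1 + h(A_2^{*} \| pk_{TA} + d_u \| ID_u) \cdot pk_u$) carried through on a toy curve, as an added example that is not the paper's code. It runs on the constructed curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $(5,1)$ of prime order 19, reduces scalars and the hash output modulo that order (a stand-in for the scheme's $\mathbb{Z}_p$), realises $h$ as SHA-256 over the concatenated operands, and uses a constructed identity `DU-0001`; the same exchange pattern, with $B$- and $D$-values, is reused in the two later phases. The check passes because $v_u \cdot P = (k_{TA} + R_u) \cdot P = pk_{TA} + d_u$, so $\mathcal{DO}$ can rebuild the hash input from public values without ever learning $v_u$, and it fails on any modification of $A_3$.

```python
import hashlib
import random

# Toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1) of prime order 19.
# Constructed for illustration only; the scheme runs on a cryptographically sized curve.
FIELD = 17
A_COEF = 2
ORDER = 19
BASE = (5, 1)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition, covering doubling and the identity element."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add; scalars live in Z_ORDER."""
    k %= ORDER
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def h(*parts):
    """h: {0,1}* -> Z_p, realised as SHA-256 over the '||'-joined operands, reduced mod the toy order."""
    data = b"||".join(repr(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def ta_register(k_ta, rng):
    """Registration credential (v, d): v = k_TA + R (mod p), d = R*P, hence v*P = pk_TA + d."""
    R = rng.randrange(1, ORDER)
    return (k_ta + R) % ORDER, ec_mul(R, BASE)

def du_request(id_u, sk_u, v_u, pk_o, rng):
    """Step 1 (DU): A1 = a1*P, A2 = a1*pk_o, A3 = a1 + h(A2 || v_u*P || ID_u)*sk_u (mod p).
    Returns the transmitted (A1, A3) plus the shared secret A2 that DU keeps for later messages."""
    a1 = rng.randrange(1, ORDER)
    A1 = ec_mul(a1, BASE)
    A2 = ec_mul(a1, pk_o)
    A3 = (a1 + h(A2, ec_mul(v_u, BASE), id_u) * sk_u) % ORDER
    return A1, A3, A2

def do_verify(id_u, d_u, A1, A3, sk_o, pk_u, pk_ta):
    """Step 2 (DO): recover A2* = A1*sk_o and check A3*P == A1 + h(A2* || pk_TA + d_u || ID_u)*pk_u.
    DO rebuilds v_u*P from the public pk_TA and d_u; it never needs v_u itself."""
    A2_star = ec_mul(sk_o, A1)
    lhs = ec_mul(A3, BASE)
    rhs = ec_add(A1, ec_mul(h(A2_star, ec_add(pk_ta, d_u), id_u), pk_u))
    return lhs == rhs

def run_handshake(seed=7):
    """Full Step 1 / Step 2 exchange on constructed keys.
    Returns (genuine request accepted, request with tampered A3 accepted)."""
    rng = random.Random(seed)
    k_ta = rng.randrange(1, ORDER)
    pk_ta = ec_mul(k_ta, BASE)
    sk_o = rng.randrange(1, ORDER)
    pk_o = ec_mul(sk_o, BASE)
    sk_u = rng.randrange(1, ORDER)
    pk_u = ec_mul(sk_u, BASE)
    v_u, d_u = ta_register(k_ta, rng)
    id_u = "DU-0001"  # constructed identity
    A1, A3, _ = du_request(id_u, sk_u, v_u, pk_o, rng)
    genuine = do_verify(id_u, d_u, A1, A3, sk_o, pk_u, pk_ta)
    tampered = do_verify(id_u, d_u, A1, (A3 + 1) % ORDER, sk_o, pk_u, pk_ta)
    return genuine, tampered

if __name__ == "__main__":
    print(run_handshake())
```

Binding $A_2 = a_1 \cdot sk_o \cdot P$ into the hash is what ties the proof to this particular $\mathcal{DO}$: a party without $sk_o$ cannot compute $A_2^{*}$ from $A_1$ (ECCDHP) and so cannot verify or re-target the request; the timestamp check that precedes this in Step 2 is omitted here.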

#### 5.5. Aggregate Key Issuance Phase

**Step 1:** $\mathcal{DU}$ generates $b_1$ and $T_{B1}$ and computes $B_1 = b_1 \cdot P$, $B_2 = b_1 \cdot pk_o$, $B_3 = SI \oplus h(B_2 \| T_{B1})$, $B_4 = b_1 + h(ID_o \| ID_u \| B_2 \| SI) \cdot sk_u \pmod p$. Then, $\mathcal{DU}$ sends $\{T_{B1}, ID_u, B_1, B_3, B_4\}$ to $\mathcal{DO}$.

**Step 2:** $\mathcal{DO}$ checks $|T_{B1}^{*} - T_{B1}| \le △T$ and computes $B_2^{*} = B_1 \cdot sk_o$, $SI = B_3 \oplus h(B_2^{*} \| T_{B1})$. If $B_4 \cdot P \stackrel{?}{=} B_1 + h(ID_o \| ID_u \| B_2^{*} \| SI) \cdot pk_u$ holds, $\mathcal{DO}$ generates $b_2$ and $T_{B2}$ and computes $B_5 = b_2 \cdot P$, $B_6 = b_2 \cdot pk_u$, $AK = \sum_{j \in S} sk_o \cdot P_{n+1-j}$, $B_7 = b_2 + h(ID_o \| ID_u \| B_2^{*} \| B_6 \| SI) \cdot sk_o \pmod p$, $B_8 = (AK \| S) \oplus h(B_2^{*} \| B_6)$. Then, $\mathcal{DO}$ transmits $\{T_{B2}, ID_o, B_5, B_7, B_8\}$ to $\mathcal{DU}$.

**Step 3:** $\mathcal{DU}$ checks $|T_{B2}^{*} - T_{B2}| \le △T$ and computes $B_6^{*} = B_5 \cdot sk_u$ in order to check $B_7 \cdot P \stackrel{?}{=} B_5 + h(ID_o \| ID_u \| B_2 \| B_6^{*} \| T_{B2}) \cdot pk_o$. If it holds, $\mathcal{DU}$ computes $(AK \| S) = B_8 \oplus h(B_2 \| B_6^{*})$.

#### 5.6. Data Request and Download Phase

**Step 1:** $\mathcal{DU}$ generates $d_1$ and $T_{D1}$, computes $D_1 = d_1 \cdot P$, $D_2 = d_1 \cdot pk_s$, $D_3 = S \oplus h(D_2 \| T_{D1})$, and sends $\{T_{D1}, D_1, D_3\}$ to $\mathcal{CS}$.

**Step 2:** On receiving the message, $\mathcal{CS}$ checks $|T_{D1}^{*} - T_{D1}| \le △T$ and computes $D_2^{*} = D_1 \cdot sk_s$, $S = D_3 \oplus h(D_2^{*} \| T_{D1})$. For $S$, $\mathcal{CS}$ generates $T_{D2}$ and computes $v_1 = \sum_{j \in S, j \ne i} P_{n+1-j+i}$, $v_2 = \sum_{j \in S} P_{n+1-j}$, $PF_i = c_3 \cdot \frac{e(v_1, c_1)}{e(v_2, c_2)}$. Then, $\mathcal{CS}$ sends $\{T_{D2}, c_1, v_i, PF_i\}$ to $\mathcal{DU}$.

**Step 3:** $\mathcal{DU}$ checks $|T_{D2}^{*} - T_{D2}| \le △T$ and obtains the data $F_i$ by computing $F_i^{*} = PF_i \cdot e(AK, c_1)$. To verify the data, $\mathcal{DU}$ checks whether $v_i$ is equal to $h(F_i^{*} \| ID_o)$.

**Correctness:**
$$\begin{aligned}
F_i &= PF_i \cdot e(AK, c_1) \\
&= c_3 \cdot \frac{e(v_1, c_1)}{e(v_2, c_2)} \cdot e(AK, c_1) \\
&= c_3 \cdot \frac{e\!\left(\sum_{j \in S, j \ne i} P_{n+1-j+i},\, s \cdot P\right)}{e\!\left(\sum_{j \in S} P_{n+1-j},\, s \cdot (pk_o + P_i)\right)} \cdot e\!\left(\sum_{j \in S} sk_o \cdot P_{n+1-j},\, s \cdot P\right) \\
&= c_3 \cdot \frac{e\!\left(\sum_{j \in S, j \ne i} P_{n+1-j+i},\, s \cdot P\right)}{e\!\left(\sum_{j \in S} P_{n+1-j},\, s \cdot pk_o\right) \cdot e\!\left(\sum_{j \in S} P_{n+1-j},\, s \cdot P_i\right)} \cdot e\!\left(\sum_{j \in S} sk_o \cdot P_{n+1-j},\, s \cdot P\right) \\
&= c_3 \cdot \frac{e\!\left(\sum_{j \in S} sk_o \cdot P_{n+1-j},\, s \cdot P\right)}{e\!\left(\sum_{j \in S} P_{n+1-j},\, s \cdot pk_o\right) \cdot e\!\left(\alpha^{n+1} P,\, s \cdot P\right)} \\
&= F_i \cdot \frac{e(P_1, P_n)^{s}}{e(\alpha^{n+1} P,\, s \cdot P)} \\
&= F_i \cdot \frac{e(P_1, P_n)^{s}}{e(P_1, P_n)^{s}} \\
&= F_i
\end{aligned}$$

## 6. Security Analysis

#### 6.1. Informal Security Analysis

#### 6.1.1. Impersonation Attack

#### 6.1.2. Replay and Man-in-the-Middle (MITM) Attack

#### 6.1.3. Denial of Services (DoS) Attack

#### 6.1.4. Mutual Authentication

#### 6.1.5. Data Verification

#### 6.2. Semantic Security

**Theorem 1.**

**Proof of Theorem 1.**

#### 6.3. Formal Security Analysis Using BAN Logic

#### 6.3.1. Rules

- Message meaning rule (MMR): $$\frac{\mathcal{Q}|\equiv \mathcal{Q}\stackrel{\mathcal{L}}{\rightleftharpoons}\mathcal{K},\; \mathcal{Q} \triangleleft \langle \mathcal{M} \rangle_{\mathcal{L}}}{\mathcal{Q}|\equiv \mathcal{K}|\sim \mathcal{M}}$$
- Freshness rule (FR): $$\frac{\mathcal{Q}|\equiv \#(\mathcal{M})}{\mathcal{Q}|\equiv \#(\mathcal{M},\mathcal{S})}$$
- Nonce verification rule (NVR): $$\frac{\mathcal{Q}|\equiv \#(\mathcal{M}),\; \mathcal{Q}|\equiv \mathcal{K}|\sim \mathcal{M}}{\mathcal{Q}|\equiv \mathcal{K}|\equiv \mathcal{M}}$$
- Jurisdiction rule (JR): $$\frac{\mathcal{Q}|\equiv \mathcal{K}|\Rightarrow \mathcal{M},\; \mathcal{Q}|\equiv \mathcal{K}|\equiv \mathcal{M}}{\mathcal{Q}|\equiv \mathcal{M}}$$
- Belief rule (BR): $$\frac{\mathcal{Q}|\equiv \mathcal{K}|\equiv (\mathcal{M},\mathcal{S})}{\mathcal{Q}|\equiv \mathcal{K}|\equiv \mathcal{M}}$$

#### 6.3.2. Goals

**Goal 1:** $\mathcal{DO}|\equiv A_3$

**Goal 2:** $\mathcal{DO}|\equiv \mathcal{DU}|\equiv A_3$

**Goal 3:** $\mathcal{DU}|\equiv A_6$

**Goal 4:** $\mathcal{DU}|\equiv \mathcal{DO}|\equiv A_6$

#### 6.3.3. Assumptions

- $A_1$: $\mathcal{DO}|\equiv \mathcal{DO}\stackrel{A_2}{\rightleftharpoons}\mathcal{DU}$
- $A_2$: $\mathcal{DO}|\equiv \#(T_{A1})$
- $A_3$: $\mathcal{DO}|\equiv \mathcal{DU}|\Rightarrow A_3$
- $A_4$: $\mathcal{DU}|\equiv \mathcal{DO}\stackrel{A_5}{\rightleftharpoons}\mathcal{DU}$
- $A_5$: $\mathcal{DU}|\equiv \#(T_{A2})$
- $A_6$: $\mathcal{DU}|\equiv \mathcal{DO}|\Rightarrow A_6$

#### 6.3.4. Idealized Forms

- $M_1$: $\mathcal{DU}\to \mathcal{DO}: \langle T_{A1}, ID_u, v_u, A_3 \rangle_{A_2}$
- $M_2$: $\mathcal{DO}\to \mathcal{DU}: \langle T_{A2}, ID_o, v_o, A_6 \rangle_{A_5}$

#### 6.3.5. Proof

**Step 1:** $S_1$ is obtained from $M_1$. $$S_1: \mathcal{DO} \triangleleft \langle T_{A1}, ID_u, v_u, A_3 \rangle_{A_2}$$

**Step 2:** $S_2$ is obtained by applying the MMR with $A_1$. $$S_2: \mathcal{DO}|\equiv \mathcal{DU}|\sim (T_{A1}, ID_u, v_u, A_3)$$

**Step 3:** $S_3$ is obtained by applying the FR with $S_2$ and $A_2$. $$S_3: \mathcal{DO}|\equiv \#(T_{A1}, ID_u, v_u, A_3)$$

**Step 4:** $S_4$ is obtained by applying the NVR with $S_2$ and $S_3$. $$S_4: \mathcal{DO}|\equiv \mathcal{DU}|\equiv (T_{A1}, ID_u, v_u, A_3)$$

**Step 5:** $S_5$ is obtained by applying the BR with $S_4$. $$S_5: \mathcal{DO}|\equiv \mathcal{DU}|\equiv A_3 \quad (\mathrm{Goal}\ 2)$$

**Step 6:** $S_6$ is obtained by applying the JR with $S_5$ and $A_3$. $$S_6: \mathcal{DO}|\equiv A_3 \quad (\mathrm{Goal}\ 1)$$

**Step 7:** $S_7$ is obtained from $M_2$. $$S_7: \mathcal{DU} \triangleleft \langle T_{A2}, ID_o, v_o, A_6 \rangle_{A_5}$$

**Step 8:** $S_8$ is obtained by applying the MMR with $A_4$. $$S_8: \mathcal{DU}|\equiv \mathcal{DO}|\sim (T_{A2}, ID_o, v_o, A_6)$$

**Step 9:** $S_9$ is obtained by applying the FR with $S_8$ and $A_5$. $$S_9: \mathcal{DU}|\equiv \#(T_{A2}, ID_o, v_o, A_6)$$

**Step 10:** $S_{10}$ is obtained by applying the NVR with $S_8$ and $S_9$. $$S_{10}: \mathcal{DU}|\equiv \mathcal{DO}|\equiv (T_{A2}, ID_o, v_o, A_6)$$

**Step 11:** $S_{11}$ is obtained by applying the BR with $S_{10}$. $$S_{11}: \mathcal{DU}|\equiv \mathcal{DO}|\equiv A_6 \quad (\mathrm{Goal}\ 4)$$

**Step 12:** $S_{12}$ is obtained by applying the JR with $S_{11}$ and $A_6$. $$S_{12}: \mathcal{DU}|\equiv A_6 \quad (\mathrm{Goal}\ 3)$$

#### 6.4. Scyther Tool

## 7. Comparative Analysis

#### 7.1. Security Features

#### 7.2. Computational Costs

#### 7.3. Time Complexity Comparison

## 8. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## References

1. Arunprasath, S.; Annamalai, S. Improving patient centric data retrieval and cyber security in healthcare: Privacy preserving solutions for a secure future. Multimed. Tools Appl. 2024, 1–31.
2. Wang, T.; Wu, Q.; Chen, J.; Chen, F.; Xie, D.; Shen, H. Health data security sharing method based on hybrid blockchain. Future Gener. Comp. Syst. 2024, 153, 251–261.
3. Zhang, J.; Yang, Y.; Liu, X.; Ma, J. An efficient blockchain-based hierarchical data sharing for Healthcare Internet of Things. IEEE Trans. Ind. Inform. 2022, 18, 7139–7150.
4. Khan, M.A.; Alhakami, H.; Alhakami, W.; Shvetsov, A.V.; Ullah, I. A smart card-based two-factor mutual authentication scheme for efficient deployment of an IoT-based telecare medical information system. Sensors 2023, 23, 5419.
5. Lee, J.; Oh, J.; Kwon, D.; Kim, M.; Kim, K.; Park, Y. Blockchain-enabled key aggregate searchable encryption scheme for personal health record sharing with multi-delegation. IEEE Internet Things J. 2024, 11, 17482–17494.
6. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Advances in Cryptology–EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Volume 24, pp. 457–473.
7. Chu, C.K.; Chow, S.S.; Tzeng, W.G.; Zhou, J.; Deng, R.H. Key-aggregate cryptosystem for scalable data sharing in cloud storage. IEEE Trans. Parallel Distrib. Syst. 2014, 25, 468–477.
8. Yang, L.; Li, C.; Cheng, Y.; Yu, S.; Ma, J. Achieving privacy-preserving sensitive attributes for large universe based on private set intersection. Inf. Sci. 2022, 582, 529–546.
9. Sucasas, V.; Mantas, G.; Papaioannou, M.; Rodriguez, J. Attribute-based pseudonymity for privacy-preserving authentication in cloud services. IEEE Trans. Cloud Comput. 2023, 11, 168–184.
10. Wang, H.; Liang, J.; Ding, Y.; Tang, S.; Wang, Y. Ciphertext-policy attribute-based encryption supporting policy-hiding and cloud auditing in smart health. Comput. Stand. Interfaces 2023, 84, 103696.
11. Oh, J.; Lee, J.; Kim, M.; Park, Y.; Park, K.; Noh, S. A secure data sharing based on key aggregate searchable encryption in fog-enabled IoT environment. IEEE Trans. Netw. Sci. Eng. 2022, 9, 4468–4481.
12. Cremers, C.J. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols: Tool Paper. In Proceedings of the International Conference on Computer Aided Verification, Princeton, NJ, USA, 7–14 July 2008; pp. 414–418.
13. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36.
14. MIRACL Cryptographic SDK. Available online: https://github.com/miracl/MIRACL (accessed on 2 April 2024).
15. Bao, Y.; Qiu, W.; Cheng, X. Secure and lightweight fine-grained searchable data sharing for IoT-oriented and cloud-assisted smart healthcare system. IEEE Internet Things J. 2022, 9, 2513–2526.
16. Mamta; Gupta, B.B.; Lytras, M.D. Fog-enabled secure and efficient fine-grained searchable data sharing and management scheme for IoT-based healthcare systems. IEEE Trans. Eng. Manag. 2022, 1–13.
17. Wang, Y.; Zhang, A.; Zhang, P.; Qu, Y.; Yu, S. Security-aware and privacy-preserving personal health record sharing using consortium blockchain. IEEE Internet Things J. 2022, 9, 12014–12028.
18. Oh, J.; Lee, J.; Kim, M.; Park, Y.; Park, K.; Noh, S. A secure personal health record sharing system with key aggregate dynamic searchable encryption. Electronics 2022, 11, 3199.
19. Trivedi, H.S.; Patel, S.J. Key-aggregate searchable encryption with multi-user authorization and keyword untraceability for distributed IoT healthcare systems. Trans. Emerg. Telecommun. Technol. 2023, 34, e4734.
20. Xu, G.; Qi, C.; Dong, W.; Gong, L.; Liu, S.; Chen, S.; Liu, J.; Zheng, X. A privacy-preserving medical data sharing scheme based on blockchain. IEEE J. Biomed. Health Inform. 2023, 27, 698–709.
21. Zhang, C.; Luo, X.; Fan, Q.; Wu, T.; Zhu, L. Enabling privacy-preserving multi-server collaborative search in smart healthcare. Future Gener. Comp. Syst. 2023, 143, 265–276.
22. Zhang, Y.; Guo, F.; Susilo, W.; Yang, G. Balancing privacy and flexibility of cloud-based personal health records sharing system. IEEE Trans. Cloud Comput. 2023, 11, 2420–2430.
23. Peng, G.; Zhang, A.; Lin, X. Patient-centric fine-grained access control for electronic medical record sharing with security via dual-blockchain. IEEE Trans. Netw. Sci. Eng. 2023, 10, 2908–3921.
24. Zhang, K.; Zhang, Y.; Li, Y.; Liu, X.; Lu, L. A blockchain-based anonymous attribute-based searchable encryption scheme for data sharing. IEEE Internet Things J. 2024, 11, 1685–1697.
25. Jastaniah, K.; Zhang, N.; Mustafa, M.A. Efficient user-centric privacy-friendly and flexible wearable data aggregation and sharing. IEEE Trans. Cloud Comput. 2024.
26. Yin, H.; Zhao, Y.; Zhang, L.; Qiao, B.; Chen, W.; Wang, H. Attribute-based searchable encryption with decentralized key management for healthcare data sharing. J. Syst. Architect. 2024, 148, 103081.
27. Lai, C.; Zhang, H.; Lu, R.; Zheng, D. Privacy-preserving medical data sharing scheme based on two-party cloud-assisted PSI. IEEE Internet Things J. 2024, 11, 15855–15868.
28. Lax, G.; Nardone, R.; Russo, A. Enabling secure health information sharing among healthcare organizations by public blockchain. Multimed. Tools Appl. 2024, 1–17.
29. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
30. Patranabis, S.; Shrivastava, Y.; Mukhopadhyay, D. Dynamic key-aggregate cryptosystem on elliptic curves for online data sharing. In Progress in Cryptology, Proceedings of the INDOCRYPT 2015: 16th International Conference on Cryptology in India, Bangalore, India, 6–9 December 2015; Springer: Berlin/Heidelberg, Germany, 2015.
31. Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory 2014, 6, 13.
32. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
33. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358.
34. Attir, A.; Naït-Abdesselam, F.; Faraoun, K.M. Lightweight anonymous and mutual authentication scheme for wireless body area networks. Comput. Netw. 2023, 224, 109625.

Notation | Description
---|---
$ID_o, ID_u$ | Identity of $\mathcal{DO}$ and $\mathcal{DU}$
$(pk_{TA}, k_{TA})$ | $\mathcal{TA}$'s public–master key pair based on ECC
$(pk_o, sk_o)$, $(p_o, s_o)$ | $\mathcal{DO}$'s public–private key pairs based on ECC and BGV
$(pk_u, sk_u)$, $(p_u, s_u)$ | $\mathcal{DU}$'s public–private key pairs based on ECC and BGV
$(pk_s, sk_s)$ | $\mathcal{CS}$'s public–private key pair based on ECC
$n$ | Maximum number of documents
$S$ | Data class index set of $\mathcal{DU}$
$\alpha, R_o, r_o, R_u, r_u, s$ | Random numbers
$e_o, e_u$ | Random errors
$u, a_1, a_2, b_1, b_2, d_1, d_2$ | Random nonces
$T_{A1}, T_{A2}, T_{B1}, T_{B2}, T_{D1}, T_{D2}$ | Timestamps
$△T$ | Maximum transmission delay
$AK$ | Aggregate key
$\mathcal{G}, \mathcal{G}_T$ | Additive group and multiplicative group
$\widehat{e}$ | Bilinear map $\widehat{e}: \mathcal{G} \times \mathcal{G} \to \mathcal{G}_T$
$h$ | One-way hash function $h: \{0,1\}^{*} \to \mathbb{Z}_p$
$\oplus$ | Bitwise exclusive-or operator
$\|$ | Concatenation operator

Notation | Description
---|---
$\mathcal{Q}|\equiv \mathcal{M}$ | $\mathcal{Q}$ believes statement $\mathcal{M}$
$\#\mathcal{M}$ | Statement $\mathcal{M}$ is fresh
$\mathcal{Q} \triangleleft \mathcal{M}$ | $\mathcal{Q}$ receives statement $\mathcal{M}$
$\mathcal{Q}|\sim \mathcal{M}$ | $\mathcal{Q}$ once said $\mathcal{M}$
$\mathcal{Q}|\Rightarrow \mathcal{M}$ | $\mathcal{Q}$ controls (has jurisdiction over) statement $\mathcal{M}$
$\langle \mathcal{M} \rangle_{\mathcal{L}}$ | Statement $\mathcal{M}$ is combined with secret $\mathcal{L}$
$\mathcal{Q}\stackrel{\mathcal{L}}{\rightleftharpoons}\mathcal{K}$ | $\mathcal{L}$ is a secret known only to $\mathcal{Q}$ and $\mathcal{K}$

Claim Event | Description
---|---
Secrecy | Confirms that sensitive information remains confidential during communication
Alive | Verifies active participation of the communicating parties
Weakagree | Checks whether the communicating participant is an active user
Niagree | Ensures an implicit agreement between communicating participants
Nisynch | Ensures messages are exchanged in the proper order between authorized participants

Security Features | [18] | [19] | [22] | [24] | Ours
---|---|---|---|---|---
Replay attack | ∘ | ∘ | − | ∘ | ∘
MITM attack | ∘ | ∘ | − | ∘ | ∘
Impersonation attack | ∘ | ∘ | ∘ | ∘ | ∘
DoS attack | ∘ | × | − | × | ∘
Mutual authentication | ∘ | ∘ | × | × | ∘
Data verification | ∘ | × | × | × | ∘
Data privacy | × | × | × | × | ∘

Notation | Description | Execution Time
---|---|---
$T_{bp}^{\mathcal{G}_m}$ | Bilinear pairing $\widehat{e}: \mathcal{G}_m \times \mathcal{G}_m \to \mathcal{G}_{mT}$ ($\mathcal{G}_m$: multiplicative group) | 4.717 ms
$T_{e}^{\mathcal{G}_{mT}}$ | Exponentiation in $\mathcal{G}_{mT}$ | 1.990 ms
$T_{m}^{\mathcal{G}_{mT}}$ | Multiplication/division in $\mathcal{G}_{mT}$ | 0.032 ms
$T_{m}^{\mathcal{G}_m}$ | Multiplication in $\mathcal{G}_m$ | 0.323 ms
$T_{a}^{\mathcal{G}_m}$ | Point addition in $\mathcal{G}_m$ | 0.013 ms
$T_{bp}^{\mathcal{G}_a}$ | Bilinear pairing $\widehat{e}: \mathcal{G}_a \times \mathcal{G}_a \to \mathcal{G}_{aT}$ ($\mathcal{G}_a$: additive group) | 3.023 ms
$T_{e}^{\mathcal{G}_{aT}}$ | Exponentiation in $\mathcal{G}_{aT}$ | 0.341 ms
$T_{m}^{\mathcal{G}_{aT}}$ | Multiplication/division in $\mathcal{G}_{aT}$ | 0.027 ms
$T_{m}^{\mathcal{G}_a}$ | Multiplication in $\mathcal{G}_a$ | 0.172 ms
$T_{a}^{\mathcal{G}_a}$ | Point addition in $\mathcal{G}_a$ | 0.003 ms
$T_{m}^{\mathbb{Z}}$ | Multiplication in $\mathbb{Z}_p$ | 0.006 ms
$T_{a}^{\mathbb{Z}}$ | Addition in $\mathbb{Z}_p$ | 0.005 ms
$T_{e}$ | Modular exponentiation | 0.094 ms
$T_{s}$ | Symmetric key encryption/decryption | 0.001 ms
$T_{h}$ | SHA-256 hash function | 0.001 ms

| Scheme | Execution time (ms) |
|---|---|
| [18] | $3T_{bp}^{\mathcal{G}_{m}}+T_{e}^{\mathcal{G}_{mT}}+16T_{m}^{\mathcal{G}_{m}}+6T_{m}^{\mathbb{Z}}+4T_{a}^{\mathcal{G}_{m}}+22T_{h}+\kappa\,(2T_{bp}^{\mathcal{G}_{m}}+T_{m}^{\mathcal{G}_{mT}}+2T_{a}^{\mathcal{G}_{m}}+T_{h})\approx 9.493\kappa+24.419$ |
| [19] | $8T_{bp}^{\mathcal{G}_{m}}+8T_{e}^{\mathcal{G}_{mT}}+4T_{m}^{\mathcal{G}_{mT}}+11T_{m}^{\mathcal{G}_{m}}+2T_{m}^{\mathbb{Z}}+6T_{a}^{\mathcal{G}_{m}}+5T_{h}+\kappa\,(2T_{bp}^{\mathcal{G}_{m}}+T_{m}^{\mathcal{G}_{mT}}+4T_{a}^{\mathcal{G}_{m}}+T_{h})\approx 9.519\kappa+57.432$ |
| [22] | $6T_{m}^{\mathcal{G}_{m}}+7T_{m}^{\mathbb{Z}}+4T_{a}^{\mathbb{Z}}+\kappa\,(4T_{bp}^{\mathcal{G}_{m}}+2T_{m}^{\mathcal{G}_{mT}}+4T_{m}^{\mathcal{G}_{m}}+9T_{m}^{\mathbb{Z}}+T_{a}^{\mathcal{G}_{m}}+T_{a}^{\mathbb{Z}})\approx 20.296\kappa+28.346$ |
| [24] | $6T_{bp}^{\mathcal{G}_{m}}+T_{e}^{\mathcal{G}_{mT}}+6T_{m}^{\mathcal{G}_{m}}+5T_{m}^{\mathbb{Z}}+2T_{a}^{\mathcal{G}_{m}}+T_{a}^{\mathbb{Z}}+T_{e}+T_{s}+4T_{h}+\kappa\,(7T_{bp}^{\mathcal{G}_{m}}+3T_{m}^{\mathcal{G}_{mT}}+4T_{m}^{\mathcal{G}_{m}}+3T_{m}^{\mathbb{Z}}+2T_{a}^{\mathcal{G}_{m}}+2T_{e}+T_{s}+2T_{h})\approx 34.642\kappa+32.39$ |
| Ours | $T_{bp}^{\mathcal{G}_{a}}+T_{e}^{\mathcal{G}_{aT}}+38T_{m}^{\mathcal{G}_{a}}+11T_{m}^{\mathbb{Z}}+9T_{a}^{\mathcal{G}_{a}}+10T_{a}^{\mathbb{Z}}+16T_{h}+\kappa\,(3T_{bp}^{\mathcal{G}_{a}}+T_{m}^{\mathcal{G}_{aT}}+2T_{m}^{\mathcal{G}_{a}}+T_{h})\approx 9.441\kappa+11.708$ |
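The linear cost model $a\kappa + b$ in the table above can be re-derived from the per-operation timings listed before it. The following script is an added check, not code from the paper: it weights each scheme's operation counts with the unit times, returns the per-$\kappa$ slope and the fixed intercept, evaluates the total for a chosen $\kappa$, and reports rows whose printed totals differ from the recomputed ones. The $\kappa$ coefficients of all five rows and the constants of [19] and [24] reproduce exactly; the constants printed for [18], [22] and "Ours" do not follow from the listed terms and unit times (they come out as 21.419, 2.000 and 10.059 ms), so a reader should treat those three intercepts with caution until the operation counts are checked against the protocol description. The operation labels (`bp_m`, `e_mT`, and so on) are this script's own shorthand for the $T$ symbols of the table, not notation from the paper.

```python
"""Recompute the execution-time comparison from the per-operation timings.

Added example (not the paper's own code). UNIT_MS holds the unit times from
the execution-time table (milliseconds); SCHEMES holds the operation counts
transcribed from the comparison table as (fixed part, per-kappa part). The
short operation labels are this script's own, not notation from the paper.
"""
from typing import Dict, Tuple

UNIT_MS: Dict[str, float] = {
    "bp_m": 4.717,  # pairing, multiplicative-group setting (T_bp^{G_m})
    "e_mT": 1.990,  # exponentiation in G_mT
    "m_mT": 0.032,  # multiplication/division in G_mT
    "m_m": 0.323,   # multiplication in G_m
    "a_m": 0.013,   # point addition in G_m
    "bp_a": 3.023,  # pairing, additive-group setting (T_bp^{G_a})
    "e_aT": 0.341,  # exponentiation in G_aT
    "m_aT": 0.027,  # multiplication/division in G_aT
    "m_a": 0.172,   # multiplication in G_a
    "a_a": 0.003,   # point addition in G_a
    "m_Z": 0.006,   # multiplication in Z_p
    "a_Z": 0.005,   # addition in Z_p
    "e": 0.094,     # modular exponentiation
    "s": 0.001,     # symmetric encryption/decryption
    "h": 0.001,     # SHA-256
}

# Operation counts per scheme: (fixed part, part multiplied by kappa).
SCHEMES: Dict[str, Tuple[Dict[str, int], Dict[str, int]]] = {
    "[18]": ({"bp_m": 3, "e_mT": 1, "m_m": 16, "m_Z": 6, "a_m": 4, "h": 22},
             {"bp_m": 2, "m_mT": 1, "a_m": 2, "h": 1}),
    "[19]": ({"bp_m": 8, "e_mT": 8, "m_mT": 4, "m_m": 11, "m_Z": 2, "a_m": 6, "h": 5},
             {"bp_m": 2, "m_mT": 1, "a_m": 4, "h": 1}),
    "[22]": ({"m_m": 6, "m_Z": 7, "a_Z": 4},
             {"bp_m": 4, "m_mT": 2, "m_m": 4, "m_Z": 9, "a_m": 1, "a_Z": 1}),
    "[24]": ({"bp_m": 6, "e_mT": 1, "m_m": 6, "m_Z": 5, "a_m": 2, "a_Z": 1,
              "e": 1, "s": 1, "h": 4},
             {"bp_m": 7, "m_mT": 3, "m_m": 4, "m_Z": 3, "a_m": 2, "e": 2,
              "s": 1, "h": 2}),
    "Ours": ({"bp_a": 1, "e_aT": 1, "m_a": 38, "m_Z": 11, "a_a": 9, "a_Z": 10,
              "h": 16},
             {"bp_a": 3, "m_aT": 1, "m_a": 2, "h": 1}),
}

# (slope, intercept) exactly as printed in the comparison table.
PRINTED: Dict[str, Tuple[float, float]] = {
    "[18]": (9.493, 24.419), "[19]": (9.519, 57.432), "[22]": (20.296, 28.346),
    "[24]": (34.642, 32.39), "Ours": (9.441, 11.708),
}


def weighted_ms(counts: Dict[str, int]) -> float:
    """Sum of count x unit time over the given operations, in ms."""
    return round(sum(n * UNIT_MS[op] for op, n in counts.items()), 3)


def linear_model(scheme: str) -> Tuple[float, float]:
    """Return (per-kappa slope, fixed intercept) in ms for a scheme."""
    fixed, per_kappa = SCHEMES[scheme]
    return weighted_ms(per_kappa), weighted_ms(fixed)


def total_ms(scheme: str, kappa: int) -> float:
    """Total execution time for kappa repetitions of the variable part."""
    slope, intercept = linear_model(scheme)
    return round(slope * kappa + intercept, 3)


def cheapest(kappa: int) -> str:
    """Scheme with the lowest recomputed total at the given kappa."""
    return min(SCHEMES, key=lambda s: total_ms(s, kappa))


def mismatches(tolerance: float = 0.001) -> Dict[str, Tuple[float, float]]:
    """Schemes whose printed (slope, intercept) differ from the recomputed ones."""
    out: Dict[str, Tuple[float, float]] = {}
    for scheme, (p_slope, p_int) in PRINTED.items():
        slope, intercept = linear_model(scheme)
        if abs(slope - p_slope) > tolerance or abs(intercept - p_int) > tolerance:
            out[scheme] = (slope, intercept)
    return out


if __name__ == "__main__":
    for name in SCHEMES:
        print(name, linear_model(name), {k: total_ms(name, k) for k in (1, 10, 100)})
    print("cheapest at kappa=10:", cheapest(10))
    print("rows whose printed totals differ from the recomputation:", mismatches())
```

Because both the slope and the intercept of "Ours" are the smallest in the recomputed model, it stays the cheapest scheme for every $\kappa \geq 1$; that conclusion does not depend on which of the disputed intercepts is correct.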

| Scheme | Encryption (computation) | Request (computation) | Verification (computation) | Access key (communication) | Request (communication) | Ciphertext (communication) |
|---|---|---|---|---|---|---|
| [18] | $O(\lvert KW\rvert E)$ | $O(\lvert Q\rvert E)$ | $O(\lvert S\rvert P)$ | $O(1)$ | $O(1)$ | $O(1)$ |
| [19] | $O(\lvert KW\rvert P)$ | $O(\lvert Q\rvert M)$ | $O(\lvert Q\rvert P)$ | $O(1)$ | $O(\lvert Q\rvert)$ | $O(\lvert Q\rvert)$ |
| [22] | $O(\lvert A\rvert E)$ | NA | $O(\lvert A\rvert P)$ | $O(\lvert A\rvert)$ | NA | $O(1)$ |
| [24] | $O(\lvert KW\rvert P)$ | $O(\lvert Q\rvert H)$ | $O(\lvert Q\rvert P)$ | $O(\lvert A\rvert)$ | $O(\lvert Q\rvert)$ | $O(\lvert Q\rvert)$ |
| Ours | $O(1)$ | $O(1)$ | $O(\lvert S\rvert P)$ | $O(1)$ | $O(1)$ | $O(1)$ |


© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Oh, J.; Son, S.; Kwon, D.; Kim, M.; Park, Y.; Park, Y.
Design of Secure and Privacy-Preserving Data Sharing Scheme Based on Key Aggregation and Private Set Intersection in Medical Information System. *Mathematics* **2024**, *12*, 1717.
https://doi.org/10.3390/math12111717
