Flexible and Lightweight Access Control for Online Healthcare Social Networks in the Context of the Internet of Things

Online healthcare social networks (OHSNs) play an essential role in sharing information among medical experts and patients with similar experiences. To access other patients' data or experts' diagnoses anywhere and at any time, the OHSN must be integrated into the Internet as part of the Internet of Things (IoT). It is therefore crucial to design an efficient and versatile access control scheme that can grant and revoke a user's access to the OHSN. In this paper, we propose a novel attribute-based encryption (ABE) scheme featuring user revocation and verifiable decryption outsourcing to control the access privileges of users. The security of the proposed ABE scheme is proved in the well-studied random oracle model. With the proposed ABE scheme, malicious users can be excluded from the system, and a user can offload most of the decryption overhead to an untrusted cloud server in a verifiable manner. An access control scheme for the OHSN in the context of the IoT is then built on the proposed ABE scheme. The simulation demonstrates that our access control mechanism is practical.


Introduction
Fueled by wireless medical sensors implanted in or worn on the human body, personal health information (PHI) can be extracted at any time and from any location. To share the PHI with medical experts or other patients from the same community, online healthcare social networks (OHSNs) [1][2][3] can be formed and integrated into the Internet of Things (IoT) [4][5][6] by exchanging the PHI via portable devices such as smart phones (Figure 1). With the support of an OHSN, users can easily identify other users with certain symptoms in the community and share diagnosis information with each other. Furthermore, accurate and positive treatment information from medical experts can also be disseminated in the OHSN to improve the online healthcare environment.
In OHSNs, PHI data are extremely sensitive since they are closely related to the patients' health status. Naturally, one main requirement of PHI data sharing is to ensure that the data owners fully control access to their PHI data and prevent unauthorized users from obtaining them. One simple approach to access control on PHI data is to encrypt the shared data with conventional asymmetric encryption, given the bulky key management overhead of symmetric encryption. In asymmetric cryptography (also known as public key cryptography), each user is equipped with a public/private key pair, where the public key is distributed in the system and the private key is kept secret by the user. To share PHI data securely with a close friend or a medical expert, the data owner encrypts the shared data under the public key of the receiver. In this way, only the receiver can read the data with his/her private key. However, this approach is not scalable in a system with a huge number of users. Consider the following scenario. Assume the user Alice intends to share her PHI data with her attending physician Bob, her colleague Carol, and her friend David using conventional public key cryptography. To ensure that her data can be accessed by these three users, Alice has to encrypt the shared data three times, under the public keys of Bob, Carol, and David, respectively. Thus, constructing an access control mechanism for OHSNs in the context of the IoT is not a trivial task, due to the large-scale nature of OHSNs. Attribute-based encryption (ABE) [7,8] is a promising solution for flexible and versatile access control over encrypted shared data because of its one-to-many encryption pattern. In a (ciphertext-policy) ABE system, a user's private key and a ciphertext are labeled with a set of attributes and an access policy, respectively.
Without enumerating the public keys of all intended receivers, the ciphertext can be read by a group of users as long as the set of attributes associated with a user satisfies the access structure embedded in the ciphertext. That is to say, one-to-many encryption is achieved by ABE directly, which makes the ABE primitive particularly appropriate for large-scale OHSNs. However, two major barriers impede the direct deployment of ABE schemes in OHSNs. First, the tremendous number of wireless and portable sensors/devices interconnected in OHSNs can easily be infiltrated or breached by attackers; therefore, a revocation function should be considered in ABE schemes to deal with this situation. Second, the ciphertext size and the computational cost of ABE usually grow with the complexity of the access policy because of its expressiveness. Considering the limited battery and computational capabilities of wireless and portable sensors/devices [9,10], existing ABE schemes cannot be used directly to secure OHSNs.
The motivation of this paper is to construct a practical access control mechanism suitable for large-scale OHSNs in the context of the IoT. In OHSNs, users equipped with portable devices may be compromised and must then be excluded from the system. Considering the limited computational capabilities of mobile users, the mechanism should be lightweight. To tackle the above issues, we design an ABE scheme featuring user revocation and verifiable decryption outsourcing and apply it to OHSNs. The contributions of this paper are the following two points: (1) We design a novel ABE scheme with user revocation by incorporating ciphertext update and key update functions, such that any legitimate user in the social group can access the PHI data of other data owners in the community, while revoked users cannot read the encrypted data again even if they try to collude, combining their attributes with those of legitimate social group users. Moreover, our scheme offloads most of the computation on the data sharer's side to the untrusted cloud service provider. Concretely, the data sharer sends a transformation key to the cloud server, which in turn returns a partially decrypted ciphertext to the data sharer, thereby offloading the original decryption task. The data sharer can easily verify whether the outsourced result is correct. (2) Based on our ABE scheme, we present a versatile personal health information (PHI) data sharing architecture that achieves flexible and fine-grained access control. A security proof in the random oracle model and simulation results demonstrate that our scheme is secure and practical.
Organization. The rest of this paper is organized as follows. Related works are illustrated in Section 2. Some preliminaries are presented in Section 3. Section 4 describes the formal definition of proposed scheme, our system model, and the security model. In Section 5, the concrete construction is given. Sections 6 and 7 show the security analysis and the performance analysis, respectively. Finally, our conclusion is stated in Section 8.

Attribute-Based Encryption.
The notion of attribute-based encryption, which was suggested by Sahai and Waters as fuzzy identity-based encryption in [11], was extended by Goyal et al. [7]. Up to now, two flavors of ABE have been proposed, key-policy attribute-based encryption (KP-ABE) [7,[12][13][14] and ciphertext-policy attribute-based encryption (CP-ABE) [8,15,16], named according to whether the access control policy is embedded in the private key or in the ciphertext. In a KP-ABE system, keys are associated with an access policy and the ciphertext with a set of attributes. Conversely, in a CP-ABE system, ciphertexts are assigned an access structure and the key a set of attributes. A user can decipher the ciphertext only if the set of attributes satisfies the access structure. Although ABE enjoys highly expressive and versatile access control policies, the ciphertext size and the computational cost grow with the complexity of the access policy in existing ABE schemes. To offload the high computational overhead, Green et al. [17] introduced the notion of outsourced decryption into ABE systems, which largely eliminates the decryption overhead for users. In [17], the user's secret key is blinded with a random number and then delivered to a cloud server, which translates the ABE ciphertext into a simpler ciphertext. Unfortunately, the verifiability of the cloud's transformation is not guaranteed for users. By offloading all access policy and attribute related operations to a key generation service provider (KGSP) and a decryption cloud service provider (DSP), respectively, the secure OABE scheme introduced by Li et al. [18] provides checkability while supporting both outsourced key issuing and outsourced decryption. Recently, Lai et al. [19] formally defined the verifiability of ABE and presented an ABE scheme with verifiable outsourced decryption.
Although [19] achieves the desired verifiability, the doubled overhead in both ciphertext length and computational cost is hard for users to accept. To resolve this double overhead problem, Ma et al. [20] suggested a verifiable and exculpable outsourced OABE scheme, which not only substantially reduces the ciphertext size and computational cost but also brings strong verifiability and exculpability, effectively settling disputes between a user and an outsourced computation service provider.

User Revocation.
Applying ABE to the data outsourcing architecture also faces many challenges with regard to user revocation or attribute revocation. Key revocation mechanisms in KP-ABE and CP-ABE, first proposed by Bethencourt et al. [8] and Boldyreva et al. [21], respectively, were realized by encrypting the message to the attribute together with its validation time. However, it was confirmed that these schemes [8,21] suffer from a security degradation problem with respect to forward and backward secrecy [22]. In such a revocable ABE data sharing scenario, a revoked user might still be able to retrieve the original data by attribute collusion even if his/her attributes do not satisfy the access policy. Likewise, a new user might be able to access data encrypted before he/she joined the system until the data are reencrypted with the currently updated attribute keys. In many practical scenarios it is not desirable that a user revoked from a single attribute group loses all access rights to the system, since the other attributes may still be valid. Attrapadung and Imai [23] realized a conjunctive broadcast and attribute-based encryption scheme with revocation ability; in [23], the data owner can perform direct user revocation by maintaining the user membership list of each attribute group. However, this scheme is unsuitable for a data sharing system, mainly because the data owner no longer has direct control of the data after outsourcing them to the cloud storage server. The schemes in [24][25][26] also address user revocation in ABE-based data sharing systems. In [25], in order to revoke users, the trusted authority generates all secret keys including the proxy key; at the same time, the server reencrypts the ciphertext after receiving the proxy key from the trusted authority, preventing revoked users from deciphering the ciphertext. Therefore, the key escrow problem described in [26] may appear.
To address this problem, Hur [26] integrated a key issuing protocol with the proxy encryption mechanism. Very recently, Li et al. [24] presented flexible and fine-grained attribute-based data storage in cloud computing; however, several issues, namely key unblinding, lack of verifiability, and high key-updating times, are not well addressed there.

Online Healthcare Social Networks.
Several research works closely related to online healthcare social networks (OHSNs) have been introduced [27][28][29][30]. Chen et al. [27] present an event-aided packet forwarding (EPF) protocol, which enables patients who suffer from the same diseases to discuss their health conditions with other wardmates in OHSNs. Zhou et al. [29] show a secure and privacy-preserving key management scheme for cloud-assisted wireless body area networks in OHSNs; the scheme in [29] can thwart both time-based and location-based mobile attacks mounted by colluding patients having the same diseases in the same social group. Jiang et al. [30] propose an efficient and privacy-preserving personal health information sharing scheme in OHSNs; the scheme in [30] provides privacy for data recipients through a hidden access policy and lightweight decryption overhead on the decryptors' side through a server-aided outsourcing technique. However, the above schemes do not consider the dynamics of social groups in OHSNs. Support for dynamic groups provides OHSNs with extensibility, flexibility, and practicability.
Most existing ABE schemes applied to online healthcare social networks for data sharing can only protect data confidentiality/privacy. They consider neither the dynamic nature of social groups nor the decryption overhead of recovering the original message. In this paper, we bridge these gaps by proposing a flexible and lightweight access control scheme for online healthcare social networks in the context of the Internet of Things.

Preliminaries
In this section, we briefly describe the notions used in this paper, bilinear maps, the hardness assumption, linear secret-sharing schemes, proxy reencryption, and key derivation functions.

Notions.
The notions used in this paper are listed in Table 1.

Table 1: Notions for our proposed system.

Notions | Description
G, G | Two cyclic multiplicative groups with the same prime order
 | A function that maps bit strings to a group element in G
1 : G → Z * | A function that maps an element of G to a random number in Z *
 | User's identity
gid | Group identity
/ | System public key/system master secret key
gpk/gmk | Group public key/group master secret key
 | Reencryption key
/ | Transformation key/retrieval key
 | User's decryption secret key
/ | Encapsulated key/session key
TA | The trusted authority
GA | The trusted group administrator
CSS | The cloud storage server
DSP | The decryption cloud service provider
PPT | Probabilistic polynomial time
KDF | Key derivation function

Bilinear Pairing.
Let G represent an algorithm that takes a security parameter as input and outputs a group tuple ( , G, G , ), where G, G denote multiplicative cyclic groups of prime order , and : G × G → G is a computable bilinear map satisfying the following properties:

Definition 1 (DCDH assumption). Given a group tuple (G, , , ) with its generator , where , ← Z * , the divisible computation Diffie-Hellman (DCDH) problem is to output / . Let G be a bilinear generator; we say that the DCDH assumption holds for G if, for all probabilistic polynomial-time (PPT) algorithms A, the function V DCDH A ( ) is a negligible function of .

Linear Secret-Sharing Scheme (LSSS).
A secret-sharing scheme Π over a set of parties P is called linear (over Z * ) if it has the following two properties: (1) A vector V over Z * is shared by a set of parties.
(2) For the secret-sharing scheme Π, a share-generating matrix M with ℓ rows and columns can be established. Besides, there exists a function that maps each row of the matrix to an associated party. In other words, for = 1, . . . , ℓ, the value ( ) is the party associated with row . When we share a secret ∈ Z , the column vector V = ( , 2 , . . . , ) is established, where 2 , . . . , ∈ Z * . Then MV is the vector of ℓ shares of the secret , and the share (MV) belongs to party ( ).
A linear secret-sharing scheme Π also enjoys the linear reconstruction property: Suppose that there exists an LSSS for the access structure A. Let ∈ A denote an attribute set which satisfies the access structure A, and let ⊂ {1, 2, . . . , ℓ} be defined as = { : ( ) ∈ }. Then, there exist constants { ∈ Z } ∈ such that if { } are valid shares of any secret according to Π, then = ∑ ∈ .
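As an added illustration of the LSSS definition above (example code written for this page, not taken from the paper), the following Python builds a share-generating matrix M and row map rho from a small AND/OR policy using the Lewko-Waters vector assignment, shares a secret as M·v, and recovers it only from an authorized attribute set by solving for the reconstruction constants omega. The policy, the attribute names and the modulus P are constructed for the example.

```python
"""LSSS worked example: share-generating matrix from an AND/OR policy,
secret sharing with M*v, and linear reconstruction over Z_p."""
import secrets

# Constructed prime modulus standing in for the group order p.
P = (1 << 61) - 1


def policy_to_lsss(policy):
    """Convert a policy tree into (M, rho) using the Lewko-Waters vector
    assignment. Nodes are ('AND', l, r), ('OR', l, r) or an attribute string.
    Returns M (rows over Z_p, one per attribute leaf) and rho (row -> attribute)."""
    rows, rho = [], []
    width = [1]  # current vector length c; wrapped so the nested helper can grow it

    def walk(node, vec):
        vec = vec + [0] * (width[0] - len(vec))  # pad to the current width
        if isinstance(node, str):                # leaf: emit one matrix row
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":          # both children inherit the parent vector
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":       # left gets vec|1, right gets 0..0|-1, c grows by one
            left_vec = vec + [1]
            right_vec = [0] * width[0] + [P - 1]
            width[0] += 1
            walk(left, left_vec)
            walk(right, right_vec)
        else:
            raise ValueError(f"unknown operator {op!r}")

    walk(policy, [1])
    n = width[0]
    return [row + [0] * (n - len(row)) for row in rows], rho


def share(M, secret):
    """Share `secret` as in the LSSS definition: v = (s, r2, ..., rn) with random
    r_i, and share i is the inner product M_i . v (mod p)."""
    n = len(M[0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def solve_mod_p(A, b):
    """Solve A x = b over Z_p by Gauss-Jordan elimination.
    Returns one solution (free unknowns set to 0) or None if inconsistent."""
    m, k = len(A), len(A[0])
    aug = [[a % P for a in row] + [bi % P] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [a * inv % P for a in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * q) % P for a, q in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][k] for i in range(r, m)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x


def reconstruction_coeffs(M, rho, attrs):
    """Rows I = {i : rho(i) in attrs} and constants omega with
    sum_i omega_i * M_i = (1, 0, ..., 0), or None if attrs is unauthorized."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    # One equation per column j: sum_{i in I} omega_i * M[i][j] = e1[j]
    A = [[M[i][j] for i in I] for j in range(n)]
    omega = solve_mod_p(A, [1] + [0] * (n - 1))
    return None if omega is None else (I, omega)


def reconstruct(M, rho, shares, attrs):
    """Recover the secret as sum_{i in I} omega_i * lambda_i, or None."""
    found = reconstruction_coeffs(M, rho, attrs)
    if found is None:
        return None
    I, omega = found
    return sum(w * shares[i] for w, i in zip(omega, I)) % P


# Constructed OHSN-style policy: physician AND (cardiology OR member of group gid1)
POLICY = ("AND", "physician", ("OR", "cardiology", "group:gid1"))


def demo(secret=123456789):
    """Share `secret` under POLICY and try an authorized and an unauthorized set."""
    M, rho = policy_to_lsss(POLICY)
    shares = share(M, secret)
    ok = reconstruct(M, rho, shares, {"physician", "cardiology"})
    bad = reconstruct(M, rho, shares, {"cardiology", "group:gid1"})
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (123456789, None)
```

The unauthorized set {cardiology, group:gid1} fails because no combination of its rows sums to (1, 0), which is exactly the property the encryptor relies on when it embeds the shares of the secret in the ciphertext.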

Proxy Reencryption.
Proxy reencryption [24] allows an honest-but-curious proxy cloud server, using a reencryption key, to transform a message encrypted under 's public key into an encryption of the same message under 's public key without learning any useful information about .

Key Derivation Function (KDF).
A key derivation function (KDF [31]) is a cryptographic primitive that provides a key-expansion capability, converting initial keying material containing some secret randomness into one or more pseudorandom keys. The pseudorandom keys derived by a KDF are indistinguishable from a uniformly random string of the same length. Furthermore, a portion of the bits generated by the KDF reveals nothing about the remaining bits. The definition and the security of a KDF are given as follows.
Definition 2 (KDF). Given a value sampled from the initial keying material and a length value , a KDF generates a string of length .
Definition 3 (security of KDF). A KDF is said to be secure against any PPT adversary A if the following advantage is negligible: where denotes a uniformly random string of bits.
( ). The SystemSetup algorithm, implemented by the trusted authority, takes as input a security parameter and outputs the system master key msk and the system public key pk.
( ). The GroupSetup algorithm, executed by the trusted group administrator, generates the group master key gmk, the group public key gpk, and a dictionary dic recording the version status.
( , , gmk V ). The CertGen algorithm, also performed by the group administrator, takes as input the system public key pk, the user's identity uid, and the group master secret key gmk ver ; it generates a certificate ver .
The KeyGen algorithm, carried out by the trusted authority, takes as input the system public key pk, the system master secret key msk, an attribute set S, the group public key gpk ver , the user's identity uid, and the user's authenticated certificate V ; it produces the user's decryption key V and the user tuple V .
( , gpk V , , (M, )). With the system public key pk, the group public key gpk ver , a message , and an LSSS access structure = (M, ), the Encrypt algorithm, run by the PHI data owner, generates the ciphertext V , which is stored on the cloud server.
( , gmk V , V ). Given the system public key , the group master key gmk ver , and a dictionary V , the GroupUpdate algorithm, executed by the group administrator, updates the group master key to gmk V +1 and the group public key to gpk V +1 ; besides, it outputs a new dictionary V +1 and generates a reencryption key V →V +1 , which is delivered to the proxy server.
The UserUpdate algorithm, performed by the users themselves, takes as input the user's decryption secret key V and the current tuple V +1 ; it outputs the updated decryption secret key V +1 .
The ReEncrypt algorithm, executed by the proxy server, takes as input the ciphertext V and the reencryption key V →V +1 ; it generates an updated ciphertext V +1 .
The GenTK algorithm, run by the data sharer, takes as input the system public key and the user's decryption secret key V +1 ; it outputs a blinded decryption secret key V +1 and a transformation key V +1 .
The Transform algorithm, implemented by the DSP, takes as input the ciphertext V +1 and the transformation key V +1 received from the data sharer (i.e., a mobile patient or mobile physician); if S does not satisfy the access structure, it outputs ⊥. Otherwise, it outputs a transformed ciphertext V +1 .
The Decrypt algorithm, run by the data sharer, takes as input the transformed ciphertext V +1 and the updated decryption secret key V +1 ; it outputs the decrypted message after validating the correctness of the transformed ciphertext V +1 .

System Model.
We consider an efficient personal health information (PHI) data sharing architecture [32,33] in which mobile patients with the same symptoms [3], or physicians, form a social group and rent a cloud server to store and share PHI data with each other in a flexible manner. Based on this premise, several entities are involved in our system model (Figure 2): the PHI cloud storage server, the trusted authority, the decryption cloud service provider, the trusted group administrator, and a large number of social group users, including PHI data owners and PHI data sharers. The trusted authority is responsible for attribute authentication and key distribution. The trusted group administrator takes charge of group management, certificate generation, key updates for social group users, and ciphertext updates for reencryption requests. The users (i.e., mobile patients and mobile physicians) in the same social group share their health conditions and medical care experiences using their mobile devices. The PHI cloud storage server, which is assumed to be an honest-but-curious entity, provides social group users with storage and reencryption services; that is, it faithfully performs all operations requested by users but also inspects the stored ciphertexts in an attempt to collect additional valuable PHI. The decryption cloud service provider [20] offers services that help users convert a complex decryption task into a simple one.

Security Model.
We now give the definition of chosen-plaintext attack (CPA) security for a CP-ABE scheme with verifiability. In this security model, a revoked user may collude with an unrevoked user to obtain unauthorized data [34]. We suppose that the revoked user can obtain private keys that satisfy the access structure but whose version differs from the current version. Conversely, the unrevoked user can obtain private keys of the current version that do not satisfy the access structure. To formalize the security model, the following game is played between an adversary A and a challenger B.
Init. The adversary A gives the challenger B its challenge LSSS access structure * = {M * , * }, group identity gid * , and the version V * .
Setup. B first executes the SystemSetup() algorithm to obtain the system master secret key msk and the public parameter pk. B then runs the GroupSetup() algorithm to obtain the group master key gmk 0 and the group public key gpk 0 for gid * . Moreover, B runs the GroupUpdate() algorithm to obtain the group master key gmk ver , the group public key gpk ver , and the reencryption key V −1→V , where V = {1, 2, . . . , V * }. B finally sends A the public parameter and the group public keys {gpk V } 0≤V ≤V * and keeps the system master key , the group master keys {gmk V } 0≤V ≤V * , and the reencryption keys.

Phase 1. A repeatedly issues queries of the following kinds: Type-A queries, Type-B queries, user update queries, and reencryption queries.
(i) Type-A query: (1) Certificate query, on input the user's identity , group identity gid * , and the version number , gmk V ), and then it returns the certificate V to A.
(2) Private key query, on input the user's identity , group identity gid * , a set of attributes S satisfying the access structure * , and the certificate
(ii) Type-B query: (1) Certificate query, on input the user's identity , group identity gid * , and the version number V * : B runs V * ← ( , , gmk V * ) and then returns the certificate V * to A.
(2) Private key query, on input the user's identity , group identity gid * , a set of attributes S not satisfying the access structure * , and the certificate V * : B executes V * ← ( , , gpk V * , S, , V * ) and then issues the private key V * to A. (3) Transformation key query, on input the system public key , the version number V * , and the corresponding private key . B then issues the new private secret key V * to A.
(iii) User update query, on input the user's identity and the decryption private

Concrete Construction
Our scheme is based on the flexible and fine-grained attribute-based data storage of [24]. In this section, we propose an efficient CP-ABE scheme based on the LSSS structure under the aforementioned DCDH assumption.
Let (G, G ) denote a pair of multiplicative cyclic bilinear groups with the same large prime order . Let be a generator of group G and : G × G → G be a bilinear map. Let : {0, 1} * → G and 1 : G → Z * denote a hash function that maps an identity or an attribute to a group element in G and a hash function 1 that maps an element of G to a random number in Z , respectively.
( ) → (gmk 0 , gpk 0 , 0 ). This algorithm is run by GA. GA first selects a random ∈ Z * and sets the group master secret key gmk = . Then, GA calculates , ( , ) . Lastly, it publishes the group public parameters gpk = (gid, , ( , ) ), where gid denotes the group identity. 0 stands for a dictionary initialized with an empty version; in our system, 0 denotes the initial version. The version is updated to a new version whenever a user leaves the system. Let V be the current version.
( , , gmk V ) → V . This algorithm is implemented by GA. When a new user wants to join the group, he/she requests a group certificate. Once the GA accepts the request, it produces the certificate V = V × ( ) V and sends it to the user.
. This algorithm is performed by TA. After the user's attributes and identity have been authenticated by TA, this algorithm is run to generate the decryption secret key as follows: (1) TA first validates the authenticity of the certificate, to check whether the user is a group member, by testing ( , V ) ? = ( × ( ), V ). If the equation holds, the certificate is valid and TA proceeds to the next step. Otherwise, it returns the error symbol ⊥.
(2) TA generates the decryption secret key V for the user according to his/her identity and attribute set S. TA picks 1 , 2 , , , ∈ Z * at random and computes ( ) V = V /( V ) ; the private key is then produced as follows: (3) TA sets the decryption key V = ( S , gid , 1 , 2 ) and sends it to the user in the group; besides, it also delivers the current tuple V = ( , 1 = ( ) 1/ , 2 = 1/ ) to GA.
( , gpk V , , (M, )) → V . This algorithm is run by the PHI data owner. It takes as input the system public key , the group public key gpk, a plaintext message , and an LSSS access structure = (M, ), where M denotes an × matrix, M is the vector corresponding to the th row of M, and is a map from each row M of M to the party . The algorithm first picks a random vector ⃗ V = ( 2 , V 2 , . . . , V ) ∈ Z * such that 2 can be shared. For = 1 to , it computes = ⃗ V ⋅ M . The detailed steps performed by the PHI data owner are as follows: (1) Choose 1 ∈ Z * at random and generate a new session key ssk with the encapsulated key = ( , ) 1 ; besides, compute KDF ( , ) = ‖ . (2) Pick 1 , . . . , ∈ Z * at random and calculate (3) Output the ciphertext and then upload V to CSS.
This algorithm is carried out by GA. When social group members leave the group, the group master key and group public key are updated by GA as follows: (1) Pick V +1 ∈ Z * as the updated group master key gmk V +1 = V +1 , and update the group public key to gpk V +1 = (gid, V +1 , ( , ) V +1 ). Moreover, compute a reencryption key ) and issue V +1 to each group member.
. This algorithm is performed by a PHI data sharer in the social group. When a sharer leaves the group, the group keys are updated by GA as above. Besides, the other sharers in the group must update their own decryption keys.
V +1 is updated as follows: (1) Calculate (2) Update (3) The updated decryption secret key V +1 is denoted as .
This algorithm is executed by CSS. After the users' decryption keys have been updated, a user holding an updated key can no longer decrypt the original ciphertext stored on CSS; therefore, the ciphertext is updated by the following reencryption operations: (1) Calculate (2) Output the updated ciphertext .
This algorithm is run by an existing social group sharer. Given the user's decryption secret key V +1 , it converts the original decryption secret key into a blinded decryption secret key as follows: (1) Pick a random ∈ Z * and compute Note that herein we set 2 = 2 = , which is not blinded.

Security Analysis
In this section, we present the security of our proposed CP-ABE scheme. The main issue for our scheme is to resist the collusion attack between revoked users and existing legitimate users.

Theorem 4. Suppose that the construction of Li et al. [24] is a selectively CPA-secure CP-ABE scheme; then our proposed scheme is also selectively CPA secure. In our construction, provided that the hash function is a random oracle, if there exists a probabilistic polynomial-time adversary A that can break our scheme with a non-negligible advantage > 0 after 1 Type-A queries and 2 Type-B queries, then there exists a challenger B that can solve the DCDH problem with the advantage

Let B be a DCDH attacker who receives a random instance { , G, G , , , ( , ) = ( , )} of the DCDH problem in G and has to calculate the value / . A is an adversary who interacts with the attacker B as modeled in the aforementioned security game. We show how the attacker B can use the adversary A to solve the DCDH problem, that is, to compute the value / .
To make the proof easier to follow, the reduction is first sketched. When the game starts, the attacker B initializes the instance ( , ) = ( , ) of the DCDH problem and then simulates the hash functions as random oracles. During the simulation, the attacker B needs to guess the adversary A's target identity and message. The attacker B finally sets where , ∈ Z * . B interacts with A as follows.
Init. The adversary A gives the challenger B its challenge LSSS access structure * = {M * , * }, group identity gid * , and the version V * .
Setup. B performs the following steps to set the public parameter and the group public key gpk: (1) Choose random , , , , ∈ Z * , and pick a key derivation function (KDF) with output length . Also pick a collision-resistant hash function 1 : (2) Pick 0 , 1 , . . . , V * −1 ∈ Z * at random and compute (3) Issue , gpk V to A, and keep , gmk secret.
H-Queries. B uses three lists , gid , to answer A's hash queries (user identity, group identity, and ( ) queries). (2) Group identity query ( gid ): if gid already exists in gid as ⟨gid , , ⟩, then B returns gid = . Otherwise, B chooses a random ∈ Z * and adds the tuple ⟨gid , = , ⟩ to gid . B gives A the answer (gid ) = .
(2) B then generates the challenge ciphertext as follows.

Phase 2. A continues to issue queries of the above kinds that it did not issue in Phase 1, and B answers them as in Phase 1.
Guess. If A wins the game, then B can compute Eventually, B ignores A's output and chooses − from and − from at random. If A wants to decipher the challenge ciphertext, it needs to obtain the keys 4 , 5 of − and 3 of − . Namely, can be obtained from ⟨ , , , = 0⟩, and 2 can be obtained from ⟨ , , , = 1⟩. Therefore, we can formalize the above argument as = ( ) V , and we have the equation = ⋅ ⋅ V . B finally outputs / = / V as the solution to the DCDH problem.
Provided that A makes 1 Type-A queries and 2 Type-B queries, the probability that B does not return ⊥ in Phase 1 is 1 ⋅ (1 − ) 2 . This value reaches its maximum when = 1/2. Also, the probability that B selects the correct − , − is 1/ 1 2 . Therefore, B's advantage is at most /2 1 + 2 ⋅ 1 ⋅ 2 .
Analysis. In our security model, we define the attack capability of an adversary A who can not only obtain private keys (transformation keys) that satisfy the access policy but whose version is not the current one, but can also receive private keys (transformation keys) of the current version that do not satisfy the access policy. These statements imply that if the adversary can break our scheme, he/she can of course obtain from , . These two private keys would be used to decrypt the challenge ciphertext as follows: If an adversary A can break our scheme, then A can compute and can successfully decipher the challenge ciphertext. That is to say, we obtain = ( ( , ) 1 ⋅ ( , ) 2 ⋅ ( , ) 2 )/ ( , ) V 2 = ( , ) 1 ( , ) 2 . Therefore, we get the equation ( , ) 2 = ( , ) V 2 . If the adversary can break our scheme such that = V , the result / = / V can be taken as his/her answer.

Performance Analysis
In this section, the performance of our system is first evaluated theoretically with respect to the computational overhead of key update, of decryption for the DSP and for the user, and the communication cost; a quantitative comparison of our scheme with the earlier scheme of Li et al. [24] is then given.
In the scheme proposed by Li et al. [24], the private keys are not blinded but are delivered in part to the third party (DSP), which is trusted to transform the original ciphertext into a simpler ciphertext. Once it receives the transformed ciphertext, the decryptor recovers the plaintext directly, without checking the correctness of the transformed ciphertext. This is not suitable for real outsourced applications, because the third party is generally assumed to be untrusted. In our proposed scheme, the private key is first blinded by the GenTK algorithm and split into a transformation key and a retrieval key. The blinded transformation key is then sent to the untrusted third party (DSP) to translate the complex ciphertext into a simple one. Finally, once the partially decrypted ciphertext has been verified as correct, the plaintext is recovered with the retrieval key.
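To make the blinding step concrete, here is an added Python example; it is not code from the paper and not Li et al.'s scheme. It replaces the paper's pairing-based ABE with an ElGamal-style stand-in over a toy prime-order group (p = 1019, an assumed parameter chosen only for readability), blinds the private key into a transformation key for the DSP and a retrieval key for the user, and appends a hash commitment to the plaintext so the user can reject a wrong partial decryption. The function names, the tag construction and the sample PHI record are all constructed for this illustration.

```python
import hashlib
import secrets

# Toy group (constructed for illustration only): p is a safe prime, q = (p - 1) / 2
# is prime, and g = 4 generates the order-q subgroup. A real deployment uses a
# pairing-friendly curve at an 80-bit or higher security level, as the paper does.
P = 1019
Q = (P - 1) // 2  # 509
G = 4

# Constructed sample PHI record (at most 32 bytes so one SHA-256 output pads it).
RECORD = b"PHI sample: HR 72, BP 120/80"


def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def _kdf(shared: int) -> bytes:
    return hashlib.sha256(b"kdf" + shared.to_bytes(4, "big")).digest()


def _tag(msg: bytes) -> bytes:
    # Commitment to the plaintext that travels with the ciphertext; it is what lets
    # the user verify the outsourced work (hypothetical construction, not the paper's).
    return hashlib.sha256(b"tag" + msg).digest()


def keygen():
    """User's private key sk and public key pk = g^sk (stand-in for ABE keys)."""
    sk = _rand_exp()
    return sk, pow(G, sk, P)


def encrypt(pk: int, msg: bytes) -> dict:
    """ElGamal-style encryption: c1 = g^r, c2 = msg XOR KDF(pk^r), plus the tag."""
    if len(msg) > 32:
        raise ValueError("toy scheme handles at most 32 bytes")
    r = _rand_exp()
    pad = _kdf(pow(pk, r, P))
    c2 = bytes(m ^ k for m, k in zip(msg, pad))
    return {"c1": pow(G, r, P), "c2": c2, "tag": _tag(msg)}


def gen_tk(sk: int):
    """Blind sk with a random z: tk = sk * z^-1 (mod q) goes to the DSP,
    rk = z stays with the user. The DSP never sees sk itself."""
    z = _rand_exp()
    tk = (sk * pow(z, -1, Q)) % Q
    return tk, z


def transform(tk: int, ct: dict) -> int:
    """Untrusted DSP: the heavy exponentiation, on the blinded key only.
    The result is g^(r*sk/z); without z it does not yield g^(r*sk)."""
    return pow(ct["c1"], tk, P)


def retrieve(rk: int, ct: dict, partial: int):
    """User side: one cheap exponentiation, then verify before accepting."""
    shared = pow(partial, rk, P)  # (g^(r*sk/z))^z = g^(r*sk)
    pad = _kdf(shared)
    msg = bytes(c ^ k for c, k in zip(ct["c2"], pad))
    if _tag(msg) != ct["tag"]:
        return None  # the DSP misbehaved or the ciphertext was corrupted
    return msg


def decrypt_locally(sk: int, ct: dict) -> bytes:
    """Baseline without outsourcing: the user does the heavy step itself."""
    pad = _kdf(pow(ct["c1"], sk, P))
    return bytes(c ^ k for c, k in zip(ct["c2"], pad))


def demo():
    """Returns (honest outsourced result, result after a tampered partial
    decryption, local decryption result)."""
    sk, pk = keygen()
    ct = encrypt(pk, RECORD)
    tk, rk = gen_tk(sk)
    honest = retrieve(rk, ct, transform(tk, ct))
    forged = (transform(tk, ct) * 2) % P  # a cheating DSP returns a wrong value
    tampered = retrieve(rk, ct, forged)
    return honest, tampered, decrypt_locally(sk, ct)


if __name__ == "__main__":
    ok, bad, local = demo()
    print("outsourced:", ok, "| tampered accepted?", bad is not None, "| local:", local)
```

Running the block shows the honest DSP path recovering the record, the tampered partial decryption being rejected by the tag check, and the local baseline for comparison; the DSP only ever holds tk = sk·z⁻¹, so it cannot compute g^(r·sk) on its own.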
We denote by , G , and G the time for a pairing computation, an exponentiation in G, and an exponentiation in G , respectively (other operations are ignored). From Table 2, the computational cost of updating the user's decryption key in Li et al.'s scheme [24] grows linearly with the number of attributes, while the corresponding cost in our scheme is constant. As for the decryption time (for the server or the user), Table 2 shows that decryption for the DSP is more efficient in our scheme than in Li et al.'s [24], which in turn implies that decryption for the user without outsourcing is more efficient in ours than in Li et al.'s [24]. With outsourcing, our scheme achieves a decryption time for the user similar to Li et al.'s [24]. Moreover, our scheme provides verifiability of the outsourced decryption, which the scheme in [24] lacks. For the communication overhead, our scheme and Li et al.'s [24] also have approximately the same ciphertext size and transformed-ciphertext size. Both schemes support revocation by incorporating ciphertext update and key update, so that any legitimate user in the group can access data from other data owners in the community, while revoked users cannot read the encrypted data again even if they collude by combining their attributes with other legitimate or revoked group users.
Quantitative analyses for our scheme and Li et al.'s [24] are given as follows. Here we use the experimental results in [35] on MICA2. The experiment in Shim et al. [35,36] is based on a super-singular curve 2 + = 3 + . Table 3 shows the sizes of the elements as well as the exponentiation and pairing computation time costs at an 80-bit security level. Each value in Table 3 was measured with the pabe toolkit and the Pairing-Based Cryptography (PBC) library [37] on an Intel(R) Core(TM) i5-4460 CPU @3.2 GHz with 4 G ROM running Windows XP and VC++ 6.0. From Table 3, a pairing, an exponentiation in G, and an exponentiation in G take 1.9 s, 0.81 s, and 0.9 s, respectively. The computation times in our scheme are 2.43 s, (3.52 + 14.92) s, and 6.12 s for the user's key update, decryption for the server, and decryption for the user, respectively, whereas the corresponding values in Li et al.'s [24] are (0.81 + 0.81) s, (4.7 + 9.5) s, and 3.6 s. For the communication cost, assuming |gid| = 80 bits, according to [35] an element of group G and of group G can be reduced to 34 bytes and 136 bytes using the standard compression technique [35]. Therefore, the communication cost in Li et al.'s [24] and in ours can be expressed as (2 * + 4) * 34 + 136 + 2 * 32 = (64 + 336) bytes and 5 * 136 = 618 bytes, and (2 + 6) * 34 + 136 + 2 * 32 = (64 + 404) bytes and 6 * 136 + 34 = 850 bytes, respectively.
Figure 3 legend: time cost on key update in Li et al. [11] and in ours; communication cost for server in Li et al. [11] and in ours; communication cost for user in Li et al. [11] and in ours.
From Figure 3(a), we can see that the efficiency of updating the user's decryption key in our scheme clearly outperforms Li et al.'s [24]. As depicted in Figure 3(b), the  [24] while achieving the feature of outsourcing. As illustrated in Figure 3(c), the communication cost under the same conditions is approximately the same in our scheme and in Li et al.'s [24].

Conclusion
In this paper, we proposed a secure and efficient attribute-based encryption scheme and applied it to construct an online healthcare social network. With the proposed ABE scheme, dynamic social groups are supported securely and efficiently: when users (i.e., mobile patients or mobile physicians) are revoked from the social group, then after the ciphertexts and secret keys are updated with the aid of the PHI cloud storage server, the revoked users can no longer access the cloud, even if they collude by combining their attributes with other legitimate social group users. Moreover, lightweight decryption is achieved by the technique of verifiable outsourcing, so that mobile patients or mobile physicians can effectively share personal health information or medical treatment experience with other users. Finally, the security proof and the experimental simulations show that our scheme is selectively IND-CPA secure and practical.

Conflicts of Interest
The authors declare that they have no conflicts of interest.