Secure and Privacy-Preserving Data Sharing and Collaboration in Mobile Healthcare Social Networks of Smart Cities

Mobile healthcare social networks (MHSN) integratedwith connectedmedical sensors and cloud-based health data storage provide preventive and curative health services in smart cities.The fusion of social data together with real-time health data facilitates a novel paradigm of healthcare big data analysis. However, the collaboration of healthcare and social network service providers may pose a series of security and privacy issues. In this paper, we propose a secure health and social data sharing and collaboration scheme in MHSN. To preserve the data privacy, we realize secure and fine-grained health data and social data sharing with attribute-based encryption and identity-based broadcast encryption techniques, respectively, which allows patients to share their private personal data securely. In order to achieve enhanced data collaboration, we allow the healthcare analyzers to access both the reencrypted health data and the social data with authorization from the data owner based on proxy reencryption. Specifically, most of the health data encryption and decryption computations are outsourced from resource-constrained mobile devices to a health cloud, and the decryption of the healthcare analyzer incurs a low cost. The security and performance analysis results show the security and efficiency of our scheme.


Introduction
As an emerging paradigm, smart cities leverage a variety of promising techniques, such as Internet of Things, mobile communications, and big data analysis, to enable intelligent services and provide a comfortable life for local residents [1].The smart city is an urbanized area where multiple sectors cooperate to achieve sustainable outcomes through the analysis of contextual, real-time information, which would produce massive opportunities for mobile healthcare social network (MHSN) [2].MHSN extends the traditional centralized healthcare system, in which the patients stay at home or in hospital environment and the professional physicians in the healthcare center take responsibility of generating medical treatment.With the considerable development of wearable devices and body sensors in the smart city, MHSN serving as a mobile community platform for healthcare purposes improves healthcare efficiency and places great emphasis on social interactivities [3] and assists patients in dealing with certain emergency situations or helps in forwarding data and sharing patients' feelings.
Compared to traditional hospital-centric healthcare which not only lacks efficiency when dealing with identifying some serious diseases in early stages but also suffers from limited healthcare information [4], MHSN enables continuous health monitoring and timely diagnosis to the patients in the smart city.It relies on wearable devices and medical sensors to measure the patients' health conditions and sends health data to the processing unit for doctors' further diagnosis and analysis and provides easy access to a patient's historical comprehensive health information.Additionally, the patients wearing body sensors continuously monitoring their health conditions are assumed to walk outside, moving from time to time and place to place [5].However, MHSN may suffer from a series of security and privacy threats due to the vulnerabilities of personal health and social data.The collected private information is stored and processed in the honest but curious health and social Security and Communication Networks cloud servers, which may be directly revealed during the storage and processing phases [6,7].Moreover, the adversary can intercept the sessions between patients to get their health and social data.Hence, the underlying security and privacy requirements, including confidentiality and access control, should be satisfied in MHSN [8][9][10].
Intelligent healthcare is another functionality that can be realized in MHSN, which would provide efficient diagnosis and health condition warning by analyzing the infectiousness in real time, such as infectious diseases analysis [11].As we know, infectious diseases could be rapidly spread in the population via human-to-human contact.An oldfashioned approach to prevent the spread of disease is to isolate the susceptible people for a certain period.However, this approach is always not satisfactory, since people having frequent contact or strong social relationships with a patient are more easily infected from the perspectives of biomedicine and sociology.In general, the spread of infectious diseases depends on users' social contacts and health conditions in a high probability.Specifically, the effective infectious diseases analysis could take several key factors into consideration, that is, susceptibility of the infected patient and immunity strength of contacted user.However, the health and social data of patients are collected by multiple independent service providers, such as hospitals and social network vendors.Hence, the collaboration of these service providers is the key challenge of enabling this enhanced infection analysis in MHSN.
1.1.Our Techniques.In order to preserve the patient's data privacy and achieve data availability, encryption techniques must be adopted to make both health and social data invisible to the untrusted cloud servers.Any users without the authorization of the data owner should not be able to access the personal health and social data, and the collaboration of different untrusted cloud servers should be achieved via an authorized entity.Otherwise, patients may not be willing to share their health and social data such that the infection analysis would be disabled.In fact, attribute-based encryption (ABE) and identity-based broadcast encryption (IBBE) are widely adopted encryption algorithms [12].Particularly, CP-ABE is conceptually closer to traditional access control models, to enforce fine-grained access control of encrypted data.By using CP-ABE, health data can be protected with access policy, and only the people who possess a set of attributes that satisfy the access policy can access data.IBBE scheme is a cryptographic mechanism in which data owners could broadcast their encrypted data to multiple receivers at one time and the public key of the user can be regarded as any valid strings, such as the email, unique ID, and username.In combination, these two mechanisms can be used to implement data protection in healthcare systems and social networks.In this paper, we propose a secure health and social data sharing and collaboration scheme in MHSN.The main contributions of our scheme are as follows: (1) We realize secure and privacy-preserving health data and social data sharing with attribute-based encryption and identity-based broadcast encryption techniques, respectively, which protects the private data confidentiality.
(2) We provide a secure data collaboration construction from different independent cloud servers based on proxy reencryption (PRE), which allows the healthcare analyzers authorized by the data owner to access the reencrypted health data and social data for enhanced data analysis.
(3) We outsource most of the health data encryption and decryption computations from resource-constrained mobile devices to a health cloud, and the decryption of the healthcare analyzer incurs low cost.The extensive security and performance analysis results show that our scheme is secure and efficient.
1.2.Organization.This paper is structured as follows: we review related work in Section 2. We introduce the preliminaries in Section 3 and provide the system model, system definition, and security definition in Section 4. The detailed construction is given in Section 5.Then, we analyze the security and performance of our scheme in Sections 6 and 7, respectively.Finally, we conclude this paper in Section 8.

Related Work
Personal health records (PHRs) are the electronic records containing health and medical information of patients, which involves privacy information that patients are unwilling to disclose.Thus, the security and protection of PHR have been of great concern and a subject of research over the years [13].Zhang et al. [14] proposed a PHR security and privacy preservation scheme by introducing consent-based access control, where the consent can only be generated by an authorized user based on PRE.Currently, there has been an increasing interest in applying ABE to protect PHR.ABE is a promising one-to-many cryptographic technique to realize flexible and fine-grained access control for sharing data [15], which was first introduced by Sahai and Waters as a new method for fuzzy identity-based encryption (IBE) [16].It features a mechanism that enables access control over encrypted data using access policies and ascribed attributes among private keys and ciphertexts [17].Narayan et al. [18] proposed an attribute-based infrastructure for PHR systems, where each patient's PHR files are encrypted using a broadcast variant of ciphertext-policy ABE.Li et al. [19] proposed a novel ABE-based framework for patient-centric secure sharing of PHRs in cloud computing environments.Au et al. [20] designed a general framework for secure sharing of PHR in cloud with CP-ABE, and it deploys attributebased PRE (ABPRE) mechanism so that the ciphertext for doctor A can be transformed to the ciphertext for doctor B. However, the main complaint in CP-ABE scheme is the high computation overhead brought about by its complex computation.This problem will become even worse in the face of resource-limited wearable devices or mobile sensors in MHSN, since it needs to perform burdensome computation tasks for fine-grained data access control when adopting the ABE algorithm.In order to reduce the computational overheads, Liu et al. [21] proposed an outsourced healthcare record access control system by moving the encryption computation offline and keeping online computation task very low.Yeh et al. [22] proposed a decryption outsourcing framework for health information access control in the cloud by utilizing CSP to check whether the attributes satisfy the access policy in ciphertext, which induces the outsourced encryption and decryption scheme introduced by Zhang et al. [23].
Intelligent healthcare, which is one of the intelligent services in the smart city, contains various health-related applications in MHSN, such as home care and emergency alarm [24].Wang et al. [25] designed a secure health cloud system framework based on IBE, in which the assistant doctor can access the health data for enhanced analysis with authorization from the data owner based on identitybased PRE (IBPRE).In particular, by analyzing the collected social data together with real-time health data, accurate infection analysis can be achieved.The secure collaboration of healthcare and social network service providers is the key challenge of intelligent healthcare, since different service providers may adopt different techniques to protect data privacy.Zhang et al. [11] introduced some challenges of security and privacy in MHSN of smart cities and proposed the first secure data collaboration framework of healthcare and social network service providers.However, this scheme does not give the implementation construction.Liang et al. [26] proposed PEC, an ABE-based emergency call scheme for MHSN, which combines location data with health data to guarantee that emergency information is sent to nearby physicians.Jiang et al. [27] proposed EPPS, a personal health information sharing scheme based on ABE by combining the mobile social network with a healthcare center.Patients with geographical proximity can constitute a group to exchange health conditions, healthcare experiences, and medical treatments with the authorized physician.But in this scheme, the physicians in the healthcare center must have many attribute secret keys for each attribute to dock with patients in different groups.Moreover, these two schemes above do not consider the data collaboration (e.g., infectious diseases analysis) with health and social data.
(3) Nondegeneracy.If  is a generator of G 0 , then (, ) is also a generator of G  .

Ciphertext-Policy Attribute-Based Encryption.
The CP-ABE is a cryptography prototype for one-to-many secure communication, which consists of the following algorithms [17].
(1) (1  ).The setup algorithm takes as input the security parameter  and outputs a public key PK and a master secret key MK.
(2) (PK, MK, ).The key generation algorithm takes as input the public key PK, the master secret key MK, and a set  of attributes and outputs an attribute key AK.
(3) (PK, , ).The encryption algorithm takes as input the public key PK, a message , and an access policy  and outputs a ciphertext CT.
(4) (PK, AK, CT).The decryption algorithm takes as input the public key PK, an attribute key AK, and a ciphertext CT with an access policy .If  ∈ , it outputs the message .

Identity-Based Broadcast Encryption.
The IBBE can be seen as an extension of the IBE, by allowing one to encrypt a message once for many receivers.The definition of IBBE is as follows [28].
(1) (1  , ).The setup algorithm takes as input a security parameter  and the maximal size  of a set of receivers and outputs a pair of public key PK and master secret key MK.
(2) (PK, MK, ID).The key generation algorithm takes as input the public key PK, the master secret key MK, and a user's identity ID and outputs a secret key SK ID for the user.
(3) (PK, , ).The encryption algorithm takes as input the public key PK, a message , and a set  of receivers' identities; the algorithm outputs a ciphertext CT for .
(4) (PK, CT, SK ID , ID).The decryption algorithm takes as input the public key PK, a ciphertext CT, a secret key SK ID , and an identity ID; the algorithm outputs the message  if ID ∈ .

The Proposed Scheme
4.1.System Model.In MHSN, the fusion of health data and social data facilitates a novel paradigm of authorized infection analysis.Our scheme focuses on the secure sharing and collaboration of these data.As shown in Figure 1, the system model of our scheme consists of central authority, health cloud, social cloud, users, healthcare provider, and healthcare analyzer.
(1) Central Authority.The central authority is a fully trusted party which is in charge of generating system parameters as well as private keys for each user.
(2) Health Cloud.The health cloud is a semitrusted party which provides health data storage service.It is also responsible for helping encrypt health data for mobile healthcare sensors and decrypt the ciphertext for healthcare providers and reencrypt ciphertext for healthcare analyzers.(3) Social Cloud.The social cloud is also a semitrusted party which provides social data storage service and is in charge of reencrypting social ciphertext for healthcare analyzers.

Security and Communication Networks
(4) Data Owner.The data owners generate a great amount of health data through the mobile healthcare sensors and upload them to the health cloud by defining access policy and also upload their social data to the social cloud for sharing.
(5) User.The user is the ciphertexts' receiver and is able to decrypt the ciphertexts if he is the intended receiver defined by the data owners.
(6) Healthcare Provider.The healthcare providers are the intended receivers of health ciphertext stored in the health cloud.If a healthcare provider's attribute set satisfies the access policy in the ciphertext, he is able to decrypt the patient's health data from the ciphertext.
(7) Healthcare Analyzer.The healthcare analyzer is the authorized receiver of both health ciphertext and social ciphertext for data collaboration and analysis.

System Definition.
Based on the system model, our scheme consists of the following algorithms.
(1) (1  , ).The central authority takes as input a security parameter  and the maximal size of receiver set  and outputs a system public key PK and a master secret key MK.
(2) (PK, MK, ).The central authority takes as input PK and MK and a set of attributes  of user or healthcare provider and outputs the attribute key AK.
(3) (PK, MK, ID).The central authority takes as input PK and MK and an identity ID of user or healthcare analyzer and outputs the secret key of user SK.
(4) .(PK,).The health cloud takes as input PK and an access policy  and outputs an outsourced health ciphertext CT  .
( In the registration phase, the central authority runs Setup algorithms to generate system public key and master secret key.Meanwhile, it also uses AKeyGen and SKeyGen algorithm to generate attribute keys and secret keys of users in the system.For the health data, the health cloud first runs Cloud.Encrypt algorithm to encrypt data with an access policy, and then the data owner runs Health.Encrypt algorithm to finish the encryption.When accessing the health data, the health cloud first uses the Cloud.Decrypt algorithm to partially decrypt the ciphertext, and then the user can use the Health.Decrypt algorithm to recover the data.For the social data, the data owner runs Social.Encrypt algorithm to encrypt data for a set of receivers, and the user can use the Social.Decrypt algorithm to recover the social data.Furthermore, the data owner could run Health.ReKeyGen and Social.ReKeyGen algorithms, respectively, to generate reencryption keys containing their own attribute keys and secret keys.Receiving the reencryption keys, the health cloud and social cloud would run Health.ReEnc and Social.ReEnc algorithms to transform the initial ciphertexts to the reencrypted ciphertexts.Hence, the healthcare analyzer can run Analyzer.Decrypt algorithm to decrypt the reencrypted health and social ciphertexts.

Security Definition.
In our scheme, we assume that the health cloud and social cloud are honest but curious, which means they carry out computation and storage tasks but may try to learn information about the private data [29].Specifically, the security model covers the following aspects.
(1) Data Confidentiality.The unauthorized users that are not the intended receivers defined by the data owner should be prevented from accessing the health and social data.The healthcare analyzer should not be able to access the reencrypted data without the authorization of the data owner.
(2) Fine-Grained Access Control.The data owner can customize an expressive and flexible access policy so that the health data only can be accessed by the healthcare providers whose attributes satisfy these policies.
(3) Collusion Resistance.If each of the users' attributes in the set cannot satisfy the access policy in the ciphertexts alone, the access of ciphertext should not successful.

Key Generation.
The central authority runs  algorithm to select a random  ∈ Z  , which is a unique secret assigned to each user.Then, the central authority chooses random ,  ∈ Z  and random   for each attribute  ∈ , where  is the attribute set of the user, and outputs the attribute key AK.

Health Data Encryption.
The mobile healthcare sensors of the data owner could collect a wide range of real-time health data (e.g., blood pressure, heart rate, and pulse), for further diagnosis or specialist analysis.Before uploading the data to the health cloud, the data owner first chooses a random HK ∈ Z  and encrypts the health data  ℎ with HK using a symmetric encryption algorithm, denoted as  = SE HK ( ℎ ).Then, the data owner defines an access policy , to ensure that only users satisfying this policy can access data, and then sends to the health cloud.
Then, the health cloud runs .algorithm to perform the outsourced encryption.For each node  in the access policy tree , the health cloud chooses a polynomial   .These polynomials are chosen in the following way in a top-down manner, starting from the root node .For each node  in the tree, set the degree   of the polynomial   to be one less than the threshold value   of that node; that is,   =   − 1. Starting with the root node , the algorithm chooses a random  ∈ Z  and sets   (0) = .Then, it chooses   other points of the polynomial   randomly to define it completely.For any other node , it sets   (0) =  parent() (index()) and chooses   other points randomly to completely define   .
Let  be the set of leaf nodes in ; the health cloud outputs an outsourced ciphertext CT  as The health cloud returns CT  to the data owner.The data owner runs ℎ.algorithm to select  ∈ Z  at random and computes  1 = HK ⋅ (, )  with HK and computes  2 =   ,  3 =   3 ⋅   ,  4 =   4 ⋅ ℎ  ,  5 = ( 4 )  ,  6 = ( 5 )  .Finally, the data owner outputs the ciphertext CT ℎ as (4)

Health Data Decryption.
If the attributes of the healthcare provider satisfy the access policy , he can decrypt CT ℎ successfully by informing health cloud and obtaining the symmetric key.The health cloud runs .algorithm with the ciphertext and outsourced attribute key AK  = ( 1 ,  2 , { D , D  } ∈ ) from the healthcare provider.The health cloud first runs DecryptNode algorithm which can be described as a recursive algorithm.This algorithm takes the ciphertext CT ℎ , AK  , and a node  from the access tree  as input.
(1) If the node  is a leaf node, then we let  = attr  and compute as follows.If  ∈ , then If  ∉ , then (CT ℎ , AK  , ) = ⊥.
(2) If the node  is a nonleaf node, the algorithm (CT ℎ , AK  , ) proceeds as follows: for all nodes  that are children of , it calls (CT ℎ , AK  , ) and stores output as   .Let   be an arbitrary   -sized set of child nodes  such that   ̸ = ⊥.If no such set exists, then the node is not satisfied and the function returns ⊥.Otherwise, the function defines  = index() and    = {index() :  ∈   } and returns the result.
If the access policy tree  is satisfied by , we set the result of the entire evaluation for the access tree  as , such that  =  (CT ℎ , AK  , ) =  (, ) Then, the health cloud computes Finally, the health cloud sends the partial decrypted health ciphertext CT  = ( = SE HK ( ℎ ),  1 = HK ⋅ (, )  ,  2 =   ,  = (, )  ) to the healthcare provider.After receiving CT  from the health cloud, the healthcare provider runs ℎ.algorithm to obtain the symmetric key.
Thus, SE HK ( ℎ ) can be decrypted with HK by applying the symmetric decryption algorithm, and the healthcare provider can access the data owner's health data for diagnosis.

Social Data Encryption.
For the private social data denoted as   , the data owner runs .algorithm to encrypt it and then outsource the ciphertext to the social cloud.First, the data owner chooses a set  of receivers' identities (where || ≤ ) and a random CK ∈ Z  which is used to encrypt the data based on the symmetric encryption algorithm.The data owner randomly picks  ∈ Z *  and outputs a social ciphertext CT  . where Then, the user computes CK with .
Finally, the user recovers message   with CK using the symmetric encryption algorithm.

Health Data Reencryption.
In order to analyze the healthcare data, the health data owner runs ℎ .algorithm to choose a healthcare analyzer's identity ID  , randomly pick   ,  ∈ Z  , and compute the following with attribute key AK: Then, the health data owner outputs the health reencryption key RK ℎ = ( 1 ,  2 ,  3 ).When receiving the reencryption key, the health cloud runs ℎ.algorithm to reencrypt the initial health ciphertext.The health cloud computes Finally, the health cloud outputs a reencrypted health ciphertext. (16)

Social Data Reencryption.
The social data is also used to analyze healthcare, such as infectious diseases.The data owner runs .algorithm to choose a healthcare analyzer's identity ID  , randomly pick   ,  ∈ Z  , and compute the following with secret key SK: Then, the data owner outputs the social reencryption key RK  = ( 1 ,  2 ,  3 ).Then, receiving the reencryption key, the social cloud runs .algorithm to reencrypt the initial social ciphertext.The social cloud computes Finally, the social cloud outputs a reencrypted social ciphertext.

Authorized Decryption.
For the reencrypted health and social ciphertext, the healthcare analyzer with identity ID  runs Analyzer.Decrypt algorithm to decrypt.For the health data, the healthcare analyzer first computes Then, the healthcare analyzer computes Finally, the healthcare analyzer computes the HK and recovers the health data  ℎ .
For the social data, the healthcare analyzer can compute V  with secret key and then compute CK and recover the social data   .
Therefore, the healthcare analyzers can access both the reencrypted health data and the social data for collaboration and analysis with authorization from the data owner.

Security Analysis
The sharing data in our scheme is encrypted with CP-ABE and IBBE techniques, which are secure against chosen plaintext attack since the DBDH assumption holds [23,28].We analyze the security properties of our scheme as follows [29].
(1) Data Confidentiality.The health data is encrypted using access policy, and the confidentiality of health data can be guaranteed against users who do not hold a set of attributes that satisfy the access policy.
In the encryption phase, though the health cloud performs encryption computation for the data owner, it still cannot access the data without the attribute key.During the decryption phase, since the set of attributes cannot satisfy the access policy in the ciphertext, the health cloud server cannot recover the value  = (, )  to further get the desired value HK.Therefore, only the users with valid attributes that satisfy the access policy can decrypt the health ciphertext.The social data is encrypted with a random symmetric key CK, and then CK is protected by IBBE.Since the symmetric encryption and IBBE scheme are secure, the confidentiality of outsourced social data can be guaranteed against unauthorized users whose identities are not in the set of receivers' identities defined by the data owner.
(2) Fine-Grained Access Control.The fine-grained access control allows flexibility in specifying differential access policies of individual health data.To enforce this kind of access control, we utilize CP-ABE to escort the symmetric encryption key of health data.
In the health data encryption phase of our scheme, the data owner is able to enforce an expressive and flexible access policy and encrypt the symmetric key which is used to encrypt the health data.Specifically, the access policy of encrypted data defined in access tree supports complex operations including both AND and OR gate, which is able to represent any desired access conditions.
(3) Collusion Resistance.The users may intend to combine their attribute keys to access the data which they cannot access individually.In our scheme, the central authority generates attribute keys for different users; the attribute key is associated with random , which is uniquely related to each user and makes the combination of components in different attribute keys meaningless.Suppose two or more users with different attributes combine together to satisfy the access policy; they cannot compute  = (, )  in the outsourced decryption phase.Thus, the proposed scheme is collusion-resistant.

Performance Analysis
7.1.Functionality Comparisons.We list the key features of our scheme in Table 1 and make a comparison of our scheme with several data sharing schemes in MHSN in terms of health data confidentiality, health data access control, outsourced encryption and decryption, data authorization, and social data collaboration.In order to achieve fine-grained access control, most of these schemes adopt the ABE technique.
From the comparison, we can see that only EPPS [27] and our scheme achieve health data outsourced decryption considering the low computing power of resource-constrained mobile devices or healthcare sensors.Zhang et al. [14], Wang et al. [25], Au et al. [20], and our scheme support data authorization by deploying PRE mechanism so that the semitrusted server could reencrypt the ciphertext to data requester for research and analysis purposes without acquiring any plaintext.Further, PEC [26] combines social data with healthcare record for emergency call, and EPPS [27] divides the mobile patients into different groups according to social data.However, both PEC [26] and EPPS [27] only utilize location information of social data and ignore other valuable data in social networks, which makes extensive social data needed in-depth healthcare analysis (e.g., infectious diseases analysis) impossible.Moreover, the health and social data may be collected and protected by different independent service providers adopting different encryption techniques, such as ABE and IBBE.Thus, to achieve data collaboration of these service providers, data authorization in these different service providers must be supported.Our scheme proposes an efficient CP-ABE construction with outsourced encryption and decryption to achieve efficient fine-grained access control of health data and provides a secure solution for the collaboration of different service providers by transforming the ABE-encrypted health data and IBBE-encrypted social data into an IBE-encrypted one that can only be decrypted by an authorized healthcare analyzer such as specialists, since IBE is more suitable to be employed on resource-constrained mobile devices in MHSN.

Performance Comparisons.
We analyze the performance efficiency of health data encryption, decryption, reencryption key generation, and reencryption by comparing our scheme with several secure health data sharing schemes; the result is shown in Table 2. Let   be the computation cost of a single pairing,  0 be the computation cost of an exponent operation in G 0 ,   be the time for an exponent operation in G  ,   be the number of attributes in a ciphertext,   be the number of attributes in a reencrypted ciphertext, and   be the total number of receivers in social networks.We ignore the simple multiplication, hash, and symmetric encryption and decryption operations.First, we discuss the computation cost of health data encryption and decryption.Since Yeh et al. [22], EPPS [27], and Au et al. [20] all perform standard ABE algorithm locally in the encryption phase, their encryption computation costs are   + (2  + 1)  0 +   , (3  + 1)  0 +   , and (3  + 2)  0 +   , respectively, which grow linearly with the number of attributes in access policy.In our scheme, the users with mobile sensors only need to perform 5 0 +   to encrypt the data, which is constant, the same as Wang et al. [25] and less than these schemes.In the data decryption phase, receivers in Au et al. 's study [20] use secret keys corresponding to matched attributes to recursively decrypt the health ciphertext, and the computation cost is (2  + 1)  +     .In Yeh et al. 's study [22], EPPS [27], and our scheme, most of the decryption computations are outsourced to the cloud server.In particular, users in our scheme only need to perform one pairing operation to decrypt the ciphertext.
Further, in the data authorization phase, Au et al.
[20] adopted ABPRE to reencrypt ciphertext for authorized users, and the computation costs of reencryption key generation and data reencryption are both related to the number of attributes of new access policy.Our scheme transforms ABE-encrypted health data to IBE-encrypted health data for analysis purposes, and the computation costs in these two phases are 3 0 +   and   , which is constant and efficient as in Wang et al. 's study [25].
We also evaluate the computation overhead of social data sharing when the ciphertexts in different service providers need to collaborate together.From Table 3, we can observe that the social data encryption cost on the data owner is (  + 4) 0 +   based on IBBE.If the user is one of the desirable receivers, he can perform 2  + (  − 1) 0 +   cost to decrypt ciphertext.Moreover, our scheme also has high efficiency for the social data authorized phase, in which the IBBE-encrypted social data can be reencrypted to IBEencrypted one by semitrusted social cloud with reencryption key generated by the data owner.The computation cost of generating reencryption key is 4 0 +   , and the semitrusted social cloud needs to take   cost to finish the social data reencryption.At last, the authorized healthcare analyzer needs to perform 2  to obtain the social data or health data which are both protected by IBE.

Experimental Evaluation.
We conduct experiments on a Linux system with an Intel Core 2 Duo CPU with 2.53 GHz processor and 4 GB memory.The experimental prototype is written in C language with the assistance of cpabe toolkit and pairing-based cryptography library [30].We use a pairingfriendly type A 160-bit elliptic curve group based on the supersingular curve over a 512-bit finite field.The Advanced Encryption Standard (AES) is chosen as the symmetric key encryption scheme.
We analyze the time cost of the data encryption and decryption by comparing our scheme with Yeh et al. [22], EPPS [27], Au et al. [20], and Wang et al. [25].In the data encryption phase, the data owner in these schemes encrypts a file with an access policy and posts the encrypted file to the cloud server.Figure 2 shows the computation time on data owners during this phase.The encryption time on data Yeh et al. [22] EPPS [27] Au et al. [20] Wang et al. [25] Our scheme   owners grows with the number of attributes in access policy in Yeh et al. [22], EPPS [27], and Au et al. [20], while it stays constant in our scheme.In the data decryption phase, Figure 3 shows the computation time on healthcare providers for decryption versus the number of attributes in access policy of ciphertext.Compared to Au et al. [20], we can see that the decryption times of Yeh et al. [22], EPPS [27], and our scheme are almost the same, which are constant since most of the laborious decryption operations are delegated to the cloud server.
Furthermore, we evaluate the computation time cost in health data reencryption phase and health data authorized decryption phase, and the results are shown in Figures 4  and 5, respectively.We compare our scheme with that of Au et al. [20] which utilizes ABPRE to support a general framework for secure sharing of PHR and that of Wang et al. [25] which adopts IBPRE.We can observe that the experimental results in Au et al. [20] approximately follow a linear relationship as the number of attributes increases.In our scheme, the data owner generates reencryption keys for authorized healthcare analyzers so that the ABE-based ciphertext can be reencrypted to an IBE-based one and then be decrypted with a secret key, which is independent of the number of attributes in access policy as in Wang et al. [25].

Conclusion
In this paper, we focus on the secure health data and social data sharing and collaboration in MHSN for smart cities and propose a detailed construction based on ABE and IBBE.Our scheme allows the data owner to authorize the healthcare analyzers to access data by reencrypting both ABE-protected health data and IBBE-protected social data to IBE-protected one, which provides a solution for the collaboration of different service providers.In order to reduce the computation overhead of resource-constrained mobile devices, outsourced encryption and decryption construction is adopted in our scheme, which can delegate most of the computation cost to a cloud server.Finally, we analyze the performance of our scheme with the existing schemes in MHSN and conduct experiments.The results have shown that our scheme is secure and efficient.

Figure 1 :
Figure 1: System model of our scheme.

Figure 2 :
Figure 2: Computation cost of health data encryption.

Figure 3 :
Figure 3: Computation cost of health data decryption.
CT  , ID, SK).The social receiver takes as input PK, a social ciphertext CT  , a receiver's identity ID, and its secret key SK and outputs the social data   if ID and SK are valid. and outputs a social reencryption key RK  .(13) .(CT , RK  ).The social cloud takes as input a social ciphertext CT  and a social reencryption key RK  and outputs a reencrypted social ciphertext RT  .(14) Analyzer.Decrypt(RT ℎ , RT  , SK  ).The healthcare analyzer takes as input a reencrypted health ciphertext RT ℎ , a reencrypted social ciphertext RT  , and a secret key SK  and outputs health data  ℎ and social data   .
) ℎ.(PK, ℎ , CT  ).The health data owner takes as input PK, health data  ℎ , and an outsourced health ciphertext CT  and outputs a health ciphertext CT ℎ .(6) .(PK,CT ℎ , AK  ).The health cloud takes as input PK, a health ciphertext CT ℎ , and an outsourced attribute key AK  and outputs a partial decrypted health ciphertext CT  if the attributes in AK  satisfy the access policy in the ciphertext.(7) ℎ.(CT , AK).The healthcare provider takes as input a partial decrypted health ciphertext CT  and an attribute key AK and outputs the health data  ℎ .(8) .(PK,  , ).The social data owner takes as input PK, social data   , and a set  of receivers' identities and outputs a social ciphertext CT  .(9) .(PK,(11) ℎ.(CTℎ , RK ℎ ).The health cloud takes as input a health ciphertext CT ℎ and a heath reencryption key RK ℎ and outputs a reencrypted health ciphertext RT ℎ .(12) .(PK,SK, ID  ).The social data owner takes as input PK, a secret key SK, and a healthcare analyzer's identity ID

Table 1 :
Functionality comparison of data sharing schemes in MHSN.