A Secure and Privacy-Aware Smart Health System with Secret Key Leakage Resilience

With the development of smart health (s-health), data security and patient privacy are becoming more and more important. However, some traditional cryptographic schemes cannot guarantee data security and patient privacy under various forms of leakage attacks. To prevent an adversary from capturing part of a private key through leakage attacks, we propose a secure leakage-resilient s-health system that realizes privacy protection and the safe transmission of medical information even when leakage attacks occur. The key technique is a promising public key cryptographic primitive called leakage-resilient anonymous Hierarchical Identity-Based Encryption (HIBE). Our construction is proved to be secure against chosen plaintext attacks in the standard model under the Diffie-Hellman exponent assumption and the decisional linear assumption. We also blind the public parameters and ciphertexts using a double exponent technique to achieve recipient anonymity. Finally, the performance analysis shows the practicability of our scheme; the leakage rate of the private key approximates 1/6.


Introduction
With the development of information technology, the Internet of Things (IoT) has become a very important technology for government departments, businesses, and academic circles in many countries because of its wide range of application scenarios. IoT builds on the Internet to achieve communication between information and terminal equipment, and between information and physical goods. At present, IoT is widely used in many fields, such as food safety, smart health (s-health), urban construction, and cloud storage [1][2][3][4].
Cloud-based s-health systems play an important role in our daily life. At present, doctors use computers to store and retrieve patients' electronic health records (EHRs). EHR systems replace paper systems and thus increase the efficiency of recording, storing, and retrieving patient information [5][6][7]. However, EHRs contain highly confidential personal information; when they are stored in the cloud and exchanged over the Internet, they are exposed to attacks [8][9][10] such as data loss, interception by attackers, and integrity violations. In recent years, a large number of medical information leaks from cloud storage have attracted growing attention. Data privacy and security are believed to be the major challenge in deploying EHR-based healthcare systems, and a lot of work deals with these problems [11][12][13][14][15].
However, traditional cryptographic schemes may not be secure under various forms of leakage attacks, such as side-channel attacks [16] and cold-boot attacks [17]. Such attacks exploit information that leaks from the physical implementation of a cryptosystem, such as running time [18], electromagnetic radiation [19], power consumption, and faults [20]. IoT generally adopts a distributed network structure, and most nodes are located outdoors, which makes it easy for attackers to obtain sensitive information [21][22][23]. Therefore, it is very meaningful to construct a secure and privacy-aware smart health system with secret key leakage resilience. Based on the paper of Zhang et al. [24], we construct a leakage-resilient anonymous HIBE scheme for s-health data sharing [25][26][27] scenarios.

Our Contributions.
To address the security of medical information and the privacy of patients in s-health, we propose a secure s-health system which allows a medical information owner to securely share data even in the presence of leakage attacks. The main contributions of this paper are as follows.
(i) Firstly, we present the system model of a secure s-health system based on a leakage-resilient anonymous HIBE scheme. The hierarchy addresses the problem of key management and reduces the load on the PKG.
(ii) Secondly, we blind the public parameters and ciphertexts using a double exponent technique to achieve anonymity, which protects the recipient's privacy.
(iii) Finally, our scheme is built in prime order groups, which are more computationally efficient than composite order groups. The proposed scheme is proved to be secure against chosen plaintext attacks in the standard model.

Related Work.
Identity-based encryption (IBE) has attracted much attention since the notion was introduced by Shamir [28]. In traditional IBE schemes [29], the private key of a user is generated by the Private Key Generation Center (PKG). However, in a large-scale network such as s-health, the number of users is huge, the task of the PKG becomes too heavy, and it is difficult to manage the users' private keys. To solve this problem, the notion of Hierarchical Identity-Based Encryption (HIBE) was proposed [30], followed by many HIBE schemes [31,32]. Furthermore, many anonymous HIBE schemes were proposed [33][34][35][36] in which the ciphertext does not leak the identity of the recipient. However, the sizes of their private keys and ciphertexts increase with the depth of the identity hierarchy. Zhang et al. [24] proposed an anonymous HIBE scheme over prime order groups where both private keys and ciphertexts have constant size. Dillema et al. [37] proposed a simple cryptographic access control method for the prehospital environment; however, this system grants access privileges only if the patient and the health worker meet in the physical world. Zhang et al. [38] proposed a reference model of the security and privacy issues in the EHR cloud and requirements for secure access to EHR data. A secure EHR system that is resilient to various attacks, protects patient privacy, and enables emergency healthcare was proposed by Sun et al. [39]. For e-Health and mobile health networks, Guo et al. [40,41] proposed a privacy-preserving attribute-based authentication system, which leverages users' verifiable attributes to authenticate them while preserving their privacy. Kumar et al. [42] proposed a lightweight biometric-based authentication scheme that solely uses symmetric key operations. Secure data sharing using an IBE scheme for the e-Healthcare system was proposed by Sudarson et al. [43]. Zhang et al. [44] proposed a system architecture and adversary model of a secure s-health system that realizes fine-grained access control on s-health cloud data and hence ensures users' privacy protection. Dawoud et al. [45] defined different scenarios for integrating e-health systems with cloud computing systems and discussed authentication and data processing in the different parts of the system. Zhang et al. [46] proposed a three-factor authenticated key agreement scheme for e-health systems based on a dynamic authentication mechanism to protect users' privacy, which was proved semantically secure under the real-or-random model. Sahi et al. [47] reviewed the latest research on privacy preservation in e-Healthcare and explored whether it offers solutions to patient privacy requirements. However, these schemes may not be secure under various forms of leakage attacks.
The first leakage-resilient cryptographic scheme was proposed by Dziembowski and Pietrzak [48]; it captures most key leakage attacks. However, their leakage-resilient encryption scheme relies on the "only computation leaks information" assumption, which cannot capture the cold-boot attack. To resist the cold-boot attack, the bounded-leakage model [49] was proposed by Akavia et al., and the relative-leakage model [50] by Naor et al. Leakage-resilient (anonymous) IBE schemes have also been studied. A leakage-resilient IBE scheme proved secure in the standard model was proposed by Alwen et al. [51]. Chow et al. [52] proposed three new leakage-resilient IBE schemes under the respective static assumptions of the original systems. Li et al. [53] proposed a new leakage-resilient public key encryption scheme and showed that it is secure under the Decisional Diffie-Hellman (DDH) assumption. Liu et al. [54] showed that the dual system technique leads to leakage resilience and proposed an anonymous leakage-resilient identity-based encryption scheme. Li et al. [55] proposed a new leakage-resilient IBE scheme in the bounded-leakage model and showed it to be semantically secure against adaptive chosen ciphertext attacks in the standard model.

Organization.
Some preliminaries are reviewed in Section 2. In Section 3, we define the usage scenario for the smart healthcare system and present the system model and the leakage-resilient security model. The secure s-health system based on leakage-resilient anonymous HIBE is described in Section 4. Section 5 gives the security analysis and the leakage resilience analysis. Finally, we draw our conclusions in Section 6.

Preliminaries
Notations.
For ease of reference, important notations are summarized in Table 1.

Random Extractor.
We define the statistical distance between two random variables X and Y over a finite domain Ω to be
The min-entropy of a random variable X is defined as
The average min-entropy of a random variable X conditioned on another random variable Y is defined as follows:
where the seed S is uniformly distributed over bit strings of the seed length, we call a polynomial-time function Ext, which takes the source and the seed and outputs a bit string, an average-case (k, ε)-strong extractor.
(i) Bilinearity: $\forall u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

System Model
Usage Scenario.
The hospital uses the system software developed from our proposal, and each member of the hospital is registered in the system at a certain level. The system allocates private keys to them through the key generation algorithm; however, a generated private key may be partly leaked to malicious attackers through various forms of leakage attacks.
A patient, named Alice, visits a doctor in this hospital. According to her condition, a nurse assigns Alice to the doctor named Bob. Through diagnosis, Bob decides that Alice needs the doctor named Carol to treat the illness together with him. Bob therefore uploads Alice's EHRs to the cloud server through the system, encrypted under Carol's public key. Carol uses her private key to download and decrypt Alice's EHRs, and they complete the diagnosis and treatment of Alice.
During the entire process, Bob sends Alice's EHRs to Carol through the cloud, but Carol's private key may have been partly leaked. With a conventional system, Alice's EHRs might then be exposed; our scheme ensures that Alice's EHRs are not revealed as long as the leakage stays within the bound, so the patient's EHRs remain protected.

System Model.
We divide the system model into two parts. The first part is shown in Figure 1: it produces the private keys for the different levels of users (patients, doctors). The S-Health Authority (SHA) is the entity that produces the public key parameters and the master secret key. In our system, users are organized into a fixed number of levels. The private key of a user at the first level is called the root private key, and the private key of a user at level i is derived from the private key of a user at level i−1, for every level i up to the maximum depth.
The second part is shown in Figure 2: it shares medical information among all users. The figure depicts doctor A sharing medical information with patient B. A encrypts the medical information under B's public key (identity) and uploads it to the s-health cloud (SHC); B then decrypts the medical information with its own private key. The adversary may learn part of B's private key through a leakage attack.
The proposed secure s-health system consists of the following phases.
(i) Initialization: SHA produces the public key parameters and the master secret key. All users can obtain the public key parameters.
(ii) User Registration: A user (a patient, a doctor) can join the s-health system by confirming its level to SHA.
(iii) Information Upload: A user encrypts medical information based on a leakage-resilient anonymous HIBE scheme and uploads the final ciphertext to SHC.
(iv) Information Access: A user downloads a ciphertext from SHC. The ciphertext can be decrypted if and only if the user's private key corresponds to the public key (identity) used for encryption.

Leakage-Resilient Security Model for Anonymous HIBE.
The security of leakage-resilient anonymous HIBE is defined by the following game (Game_real) between an adversary A and a challenger C.
(i) Init: The adversary A gives the challenge identity ID* to the challenger C.
(ii) Setup: C runs the Setup algorithm to obtain the public key parameters and the master secret key, gives the public key parameters to A, and keeps the master secret key to itself. C initializes an empty set S, which records, for every identity whose private key has been created, the identity, the private key, and the number of bits leaked from that private key. Let ℓ be the leakage parameter.
(iii) Phase 1: A adaptively issues the following two kinds of queries. (a) Private Key Queries: A queries C with an identity ID such that ID ≠ ID* and ID is not a prefix of ID*; C responds with the private key corresponding to ID. (b) Leakage Queries: A specifies an identity ID (the challenge identity is allowed) and an efficiently computable function f; C returns f applied to the private key of ID, provided that the total number of bits leaked from that private key, as recorded in S, does not exceed ℓ.
(iv) Challenge: A selects two messages M_0, M_1 on which it wishes to be challenged. C chooses a random bit β ← {0, 1} and gives A the challenge ciphertext, the encryption of M_β under the challenge identity ID*.
(v) Phase 2: C answers queries in the same way as in Phase 1, with the added restriction that A cannot issue leakage queries.
(vi) Guess: A outputs a bit β' ∈ {0, 1} and wins if β' = β.
Definition 3. We say that an anonymous HIBE scheme is leakage-resilient and selectively secure against chosen plaintext attacks (ANO-IND-sID-CPA) if every polynomial-time adversary A has negligible advantage in the above game, where the advantage of A is defined as |Pr[β' = β] − 1/2|.
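As an added illustration (not part of the original paper, and not its pairing-based construction), the following Python models the hierarchy of the system model and the bookkeeping of the game above: keys are delegated level by level along the identity, so a key for any prefix of ID* yields a key for ID* itself, which is why private-key queries on ID* and its prefixes are refused while leakage queries on ID* are allowed but charged against the budget ℓ and refused after the challenge. The HMAC chain, the identity tuples and the master secret are constructed stand-ins chosen only to exhibit the delegation structure.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

Identity = Tuple[str, ...]          # e.g. ("hospital", "cardiology", "carol")


def is_prefix(candidate: Identity, target: Identity) -> bool:
    """True if candidate is ID|j for some j <= depth of target (equality included)."""
    return len(candidate) <= len(target) and target[: len(candidate)] == candidate


def derive_child_key(parent_key: bytes, component: str) -> bytes:
    """One delegation step: the key of ID|k is a function of the key of ID|k-1 and
    the k-th identity component. HMAC chain constructed for this example only; the
    paper's scheme uses pairing-based HIBE keys, not this."""
    return hmac.new(parent_key, component.encode("utf-8"), hashlib.sha256).digest()


def delegate(parent_key: bytes, parent_id: Identity, child_id: Identity) -> bytes:
    """Derive the key of any descendant from a parent key (the Delegate step):
    whoever holds a prefix key can compute every key below it."""
    if not is_prefix(parent_id, child_id):
        raise ValueError("can only delegate to a descendant identity")
    key = parent_key
    for component in child_id[len(parent_id):]:
        key = derive_child_key(key, component)
    return key


class Challenger:
    """Bookkeeping of the ANO-IND-sID-CPA game: the set S of
    (identity -> (private key, bits leaked)), the admissibility rule for
    private-key queries, the per-key leakage budget ell, and the Phase 2 rule."""

    def __init__(self, master_key: bytes, challenge_id: Identity, ell_bits: int):
        self.master_key = master_key            # stands in for the master secret key
        self.challenge_id = challenge_id        # ID*, fixed at Init (selective model)
        self.ell_bits = ell_bits                # leakage parameter ell
        self.created: Dict[Identity, Tuple[bytes, int]] = {}   # the set S
        self.challenged = False

    def _key_record(self, identity: Identity) -> Tuple[bytes, int]:
        if identity not in self.created:
            # root key from the master secret, then delegated level by level
            self.created[identity] = (delegate(self.master_key, (), identity), 0)
        return self.created[identity]

    def private_key_query(self, identity: Identity) -> Optional[bytes]:
        """Refused for ID* and every prefix of ID*: a prefix key would let the
        adversary delegate itself a key for ID* (see delegate())."""
        if is_prefix(identity, self.challenge_id):
            return None
        return self._key_record(identity)[0]

    def leakage_query(self, identity: Identity, f: Callable[[bytes], int],
                      out_bits: int) -> Optional[int]:
        """Phase 1 only: returns f(sk_ID) truncated to out_bits bits, provided the
        total leaked from this particular key stays within ell bits."""
        if self.challenged or out_bits < 0:
            return None
        key, leaked = self._key_record(identity)
        if leaked + out_bits > self.ell_bits:
            return None
        self.created[identity] = (key, leaked + out_bits)
        return f(key) & ((1 << out_bits) - 1)

    def issue_challenge(self) -> None:
        """After the challenge ciphertext is handed out (Phase 2) no leakage is allowed."""
        self.challenged = True


if __name__ == "__main__":
    master = b"constructed-master-secret"          # constructed toy value
    target = ("hospital", "cardiology", "carol")
    ch = Challenger(master, target, ell_bits=16)
    print("key for ID*         :", ch.private_key_query(target))
    print("key for prefix of ID*:", ch.private_key_query(("hospital", "cardiology")))
    print("key for sibling      :", ch.private_key_query(("hospital", "cardiology", "bob")).hex()[:16])
    dept_key = delegate(master, (), ("hospital", "cardiology"))
    print("prefix key derives ID* key:",
          delegate(dept_key, ("hospital", "cardiology"), target) == delegate(master, (), target))
    low = lambda k: int.from_bytes(k[:4], "big")
    print("leak 8 bits of sk_ID*:", ch.leakage_query(target, low, 8))
    print("leak 9 more (over ell):", ch.leakage_query(target, low, 9))
```

The budget is tracked per created key, as the set S in the Setup step describes, rather than globally; an implementation that tracked only a global counter would let an adversary exhaust ℓ bits on several keys of the same user and then combine them.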

Secure s-Health System
A Leakage-Resilient Anonymous HIBE Scheme.
For an HIBE of maximum depth L and an identity of depth k, where 1 ≤ k ≤ L, a leakage-resilient anonymous HIBE scheme consists of the following algorithms.
(i) Setup: The Setup algorithm takes a security parameter and produces the public key parameters and the master secret key. All users can obtain the public key parameters.
(ii) KeyGen: The KeyGen algorithm takes as input the public key parameters, an identity of depth k, and the private key of its parent identity of depth k−1, and outputs the private key for the identity.
(ii) User Registration: The user joins the s-health system and obtains its private key by running the following key generation protocol.

KeyGen:
The KeyGen algorithm is defined as follows.
(a) Root private keys: For a first-level user, the root computes the auxiliary parameter h_1, which is output as the public key, and outputs the private key for ID_1; two random exponents are chosen and used to re-randomize the private key.
(b) Delegate: For a k-th level user with identity ID_k = (v_1, ..., v_k), k ≤ L, where each component v_i is a bit string, the (k−1)-th level user takes its own private key, randomly chooses fresh exponents, produces the auxiliary parameters, and outputs the private key for ID_k.
(iii) Information Upload: A user encrypts medical information under the leakage-resilient anonymous HIBE scheme as follows.
Encrypt: The encryptor randomly chooses two exponents s_1, s_2 and a random seed for the extractor, and creates the ciphertext as follows:
(iv) Information Access: A user downloads and decrypts a ciphertext from SHC as follows.

Decrypt:
The k-th level user decrypts a ciphertext CT using its private key and computes

Correctness.
The correctness can be checked:
Proof. The proof follows the security proof of the Boneh-Boyen selective-ID scheme [60] and Abdalla's security analysis [58]. Suppose there is an adversary A that can distinguish Game 1 from Game 2 with advantage ε. Then a challenger C can use A to solve the decision (L+1)-BDHE problem, where L is the maximum depth of the hierarchy.
C receives a challenge tuple (g, y_0, y_1, ..., y_L, y_{L+2}, ..., y_{2L+2}, T), where y_0 = g^s, y_i = g^{α^i}, and T is either e(g, g)^{α^{L+1} s} or a random element of G_T. C interacts with A as follows.
(i) Init: The adversary A gives the challenge identity ID* to C.
(ii) Setup: C programs the public key parameters (g, g_1, g_2, v and the remaining public elements) and the corresponding master secret key from the challenge tuple, and gives the public key parameters to A.
(iii) Phase 1: (a) Private Key Queries: A queries an identity ID = (v_1, ..., v_k) where ID ≠ ID* and ID is not a prefix of ID*. This condition ensures that there is an index j ∈ {1, ..., k} such that v_j ≠ v_j*; let j denote the first such index, and count the positions in which v_j and v_j* agree. To respond, C first produces the auxiliary parameters from the challenge tuple for 1 ≤ i ≤ j. It then randomly chooses an exponent and sets the first randomizer to that exponent shifted by α^{L−j+1}/F(v_j), which cancels the unknown term, so that the simulated private key is distributed as in the real scheme. The private key corresponding to ID is simulated as follows.
Security and Communication Networks
The simulated components are distributed exactly as in the real scheme. C also produces the private key for the prefix identity (v_1, ..., v_j) and uses it to derive a private key for the descendant identity ID, which it gives to A.
(b) Leakage Queries: A then submits its leakage queries on the simulated private keys to C, which answers them within the bound ℓ.
(v) Phase 2: C answers the queries in the same way as in Phase 1, with the added restriction that A cannot issue leakage queries.
From the above game, if T = e(g, g)^{α^{L+1} s}, C is playing Game 1 and the challenge ciphertext is a valid encryption of M_β: let s = s_1, and the ciphertext components follow. Otherwise T is a random element of G_T and C is playing Game 2. Thus Game 1 and Game 2 are computationally indistinguishable under the decision (L+1)-BDHE assumption.

Lemma 5. Suppose the decisional linear assumption holds. Then Game 2 and Game 3 are indistinguishable.
Proof. Suppose there is an adversary A that can distinguish Game 2 from Game 3 with advantage ε. Then a challenger C can use A to solve the decision linear problem. C receives a decision linear challenge tuple whose last element T is either of the form g^{c_1(c_3 + c_4)} or a random element of G. C interacts with A as follows: (i) Init: The adversary A gives the challenge identity ID* = (v_1*, ..., v_k*) to the challenger C, where k ≤ L.
(ii)-(iii) Setup and Phase 1: The public key parameters and the private keys for queried identities are simulated exactly as in the proof of Lemma 4: C produces the private key for the prefix identity (v_1, ..., v_j), derives from it a private key for the descendant identity ID, and gives A the result.
A then submits its leakage queries to C. (iv) Challenge: A selects two messages M_0, M_1 on which it wishes to be challenged. C first produces the auxiliary parameters h_i for the challenge identity ID*, where F_i* = F(v_i*). C then randomly chooses s_0 ∈ Z_p and a random seed for the extractor and responds with the challenge ciphertext. (v) Phase 2: C answers the queries in the same way as in Phase 1, with the added restriction that A cannot issue leakage queries. (vi) Guess: A outputs a bit β' ∈ {0, 1} and wins if β' = β.
(iv) Challenge: A selects two messages M_0, M_1 on which it wishes to be challenged. C randomly chooses s_0, s_1 and a random seed for the extractor and responds with the challenge ciphertext. (v) Phase 2: C answers the queries in the same way as in Phase 1, with the added restriction that A cannot issue leakage queries.
From the above game, if T = g^{c_1(c_3 + c_4)}, C is playing Game 2. Otherwise T is random, and the mask applied to the message is Ext(U, seed), where U is uniformly distributed and seed is the extractor seed. Provided the extractor is strong enough, the extracted value is within statistical distance ε of uniform. Hence the distance between C_0 = M_β ⊕ Ext(e(g_1, g_2)^{s_1}, seed) and the uniform distribution is at most ε, and the statistical distance between the two challenge ciphertexts is at most 2ε. Therefore, no PPT adversary can distinguish the two challenge ciphertexts with advantage more than 2ε. The leakage rate of the private key of our scheme approximates 1/6.

We compare our work with the schemes of [24,35,54] in Table 2, where PK, SK, CT, and LR denote the public key size, the secret key size, the ciphertext size, and leakage resilience, respectively. L is the maximum depth of the HIBE, k is the user identity depth, and the symbol "-" indicates that the corresponding scheme does not have this feature. Our scheme supports both anonymity and leakage resilience while keeping private keys and ciphertexts of constant size. Our scheme has no obvious advantage in computational efficiency, but the public key length and private key length of our HIBE scheme are both O(1). Our main aim is to solve the problem of key leakage with an acceptable balance between computational efficiency and security.
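As an added example (not code from the paper), the following Python makes the extractor argument above and the extractor definition in the preliminaries concrete with a 2-universal Toeplitz hash over GF(2): it enumerates the output distribution of Ext(K, seed) when the adversary has learned the ℓ low-order bits of an n-bit source K, compares the average statistical distance from uniform with the leftover hash lemma bound (1/2)·sqrt(2^m / 2^(n−ℓ)), and shows that once ℓ exceeds n − m the mask used for C_0 = M ⊕ Ext(K, seed) is no longer close to uniform, so the 2ε argument breaks. The source size, output size, leakage values and seeds are constructed toy parameters, far smaller than a real encoding of e(g_1, g_2)^{s_1}; the Toeplitz family is a standard choice, not necessarily the extractor instantiated in the paper.

```python
import random
from typing import List, Tuple


def toeplitz_rows(n: int, m: int, seed: List[int]) -> List[int]:
    """Rows of an m x n Toeplitz matrix over GF(2), packed as n-bit ints.
    Row i has entry seed[i + j] in column j, so n + m - 1 seed bits determine
    the matrix; x -> T x is a 2-universal hash family (a strong extractor)."""
    assert len(seed) == n + m - 1
    rows = []
    for i in range(m):
        row = 0
        for j in range(n):
            if seed[i + j]:
                row |= 1 << j
        rows.append(row)
    return rows


def extract(rows: List[int], x: int) -> int:
    """Ext(x, seed) = T x over GF(2): output bit i is the parity of <row_i, x>."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out


def stat_distance_from_uniform(counts: List[int], total: int) -> float:
    """Statistical distance between the observed output distribution and the
    uniform distribution on len(counts) values."""
    size = len(counts)
    return 0.5 * sum(abs(c / total - 1.0 / size) for c in counts)


def avg_distance_under_leakage(n: int, m: int, ell: int, trials: int,
                               rng: random.Random) -> float:
    """Average statistical distance between Ext(K, seed) and uniform when the
    adversary has learned the ell low-order bits of the n-bit source K, taken
    over random seeds and all leakage values. Conditioned on the leakage, K is
    uniform on 2^(n - ell) values, i.e. its average min-entropy is n - ell
    (the chain rule the bounded-leakage argument relies on)."""
    hidden = n - ell
    total_sd = 0.0
    for _ in range(trials):
        rows = toeplitz_rows(n, m, [rng.randrange(2) for _ in range(n + m - 1)])
        for leak in range(1 << ell):
            counts = [0] * (1 << m)
            for hi in range(1 << hidden):
                counts[extract(rows, (hi << ell) | leak)] += 1
            total_sd += stat_distance_from_uniform(counts, 1 << hidden)
    return total_sd / (trials * (1 << ell))


def leftover_hash_bound(min_entropy_bits: int, m: int) -> float:
    """Leftover hash lemma: for a 2-universal family and a source of (average)
    min-entropy k, the joint (Ext(K, seed), seed) is within 1/2 * sqrt(2^m / 2^k)
    of (uniform m bits, seed)."""
    return 0.5 * (2.0 ** (m - min_entropy_bits)) ** 0.5


def run_experiment(n: int, m: int, ell: int, trials: int,
                   rng_seed: int = 2024) -> Tuple[float, float]:
    """Returns (measured average distance, leftover-hash bound) for the given
    toy parameters; rng_seed only fixes the extractor seeds drawn."""
    rng = random.Random(rng_seed)
    return (avg_distance_under_leakage(n, m, ell, trials, rng),
            leftover_hash_bound(n - ell, m))


if __name__ == "__main__":
    n, m = 10, 3   # constructed toy sizes: 10-bit source, 3-bit mask
    for ell in (0, 3, 6, 8):
        sd, bound = run_experiment(n, m, ell, trials=32)
        verdict = "ok" if sd <= bound and bound < 0.5 else "mask distinguishable"
        print(f"leaked {ell:2d} of {n} bits: avg SD {sd:.4f}, LHL bound {bound:.4f} -> {verdict}")
```

Because the hash is linear, each seed either maps the 2^(n−ℓ) consistent sources onto all 2^m outputs (distance 0) or onto a proper subspace (distance at least 1/2); the leftover hash lemma bounds how often the second case happens on average over seeds, which is exactly why the seed is sent in the clear and the scheme only needs ℓ, not the specific leaked bits, to stay below n − m with margin.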

Conclusion and Future Work
In this paper, we present a secure s-health system based on a leakage-resilient anonymous HIBE scheme in the bounded-leakage model. Our scheme protects the patient's privacy even when the private key is partially leaked, and the system achieves safe transmission of the patient's EHRs in the presence of leakage attacks. We also give an example scenario to show the system's feasibility. The proposed scheme was proved to be secure against chosen plaintext attacks in the standard model under the Diffie-Hellman exponent assumption and the decisional linear assumption. However, doctors may maliciously reveal patients' private information; in future work, we plan to add tracing techniques to limit such malicious disclosure by doctors. We also plan to study how to construct a secure s-health system that tolerates leakage of the master key.

Figure 1: The generation of the private keys.

Figure 2: The sharing of medical information.

Table 2: Comparisons of different schemes.