Certificateless Public Auditing for Cloud-Based Medical Data in Healthcare Industry 4.0



Introduction
The vision of Industry 4.0 creates great potential for optimizing production and services in many industrial sectors, improving productivity, reliability, and flexibility [1]. This is especially true for healthcare, where cyber-physical systems, big data analytics, and cloud computing are revolutionizing the entire healthcare ecosystem and moving it toward Healthcare Industry 4.0 [2,3]. The fundamental principle of Healthcare Industry 4.0 is to provide better services to patients and improve the effectiveness of the healthcare industry by connecting all medical components, including hospitals, medical professionals, and patients [1-3]. Today, Healthcare Industry 4.0 is profoundly transforming the healthcare field.
Owing to the continuously growing amount of medical data in Healthcare Industry 4.0, traditional eHealth systems are overwhelmed. With its powerful computing power and storage capacity, cloud technology has been widely introduced into the eHealth environment to manage patient data, maintain electronic health records (EHR), build knowledge bases, and monitor specific public health trends [4]. During the COVID-19 pandemic, healthcare systems made extensive use of cloud computing to enable rapid deployment of applications in different organizations and efficient integration of data analysis among them [5]. Based on cloud computing, many organizational functions and clinical processes related to COVID-19, including monitoring, testing, triage, and diagnosis, have been efficiently implemented [5,6]. In short, cloud computing is playing an increasingly critical role in Healthcare Industry 4.0, as patients, medical staff, and hospitals all want to obtain medical data efficiently and securely and to communicate within and across organizational boundaries [2,5,6].
Although the cloud-based eHealth system has many advantages, there are still security issues in practical applications [7], which have raised widespread concern from governments and society and spawned the promulgation of related laws, such as the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). One of the major challenges is to ensure the integrity of medical data remotely stored in the cloud [8-11], for two reasons. First, a cloud service provider (CSP) may hide the fact of data corruption in its own interest [8,9]. Second, the user loses physical control over remotely stored data and cannot ensure data security through traditional means [10]. Once medical data are corrupted, the impact on medical treatment would be huge. Therefore, ensuring that medical cloud data remain intact and correct is an important and critical task.
To check the integrity of remotely stored data, the cloud data auditing technique has come into being [8-11]. Generally, there are two implementation models, i.e., the private auditing model and the public auditing model. In private auditing, the auditing process involves only the CSP and the user. This increases the burden on the user and produces an auditing result that either party can dispute. To address this issue, public auditing introduces an independent third-party auditor (TPA) to perform the auditing process, which greatly reduces the user's communication and computation burden and provides a reliable result. Therefore, public auditing has been widely adopted as the primary model in the latest auditing schemes [12-14].
Although cloud data auditing has made significant progress, there are still some serious issues with medical cloud data that have not been well addressed.
The first is the inconsistency between the data owner (the patient) and the data producer (medical personnel) in the medical cloud. Differing from common data, which are generated and outsourced by the data owner, the medical data of patients are generally produced by medical personnel. It is unrealistic for the patient to retrieve all medical data and then upload them to the cloud after processing. Therefore, it is crucial to design a delegated data outsourcing mechanism under patient management.
The second is the multisource nature of medical cloud data. The medical data of patients are generated by different medical professionals at various stages. If the traditional PKI-based auditing model is adopted, the management overhead of multiple proxies for certificate storage, distribution, and verification would impose a heavy burden on the eHealth system. In addition, the number of patients and healthcare professionals is too large to adopt identity-based cryptography. Thus, it is essential to develop a high-efficiency auditing protocol for multisource medical cloud data.
The third is the unique security requirements of medical data. On the one hand, in the event of a medical dispute, the auditable medical data and their source information (such as uploaders, data types, and uploading time) are the key to traceability and accountability. On the other hand, medical data are highly correlated with patient privacy. As a result, it is crucial to establish a comprehensive verification strategy with data privacy preservation.
To address the above issues, we present a novel Certificateless Public Auditing scheme for Medical cloud Data (called CPAMD), whose contributions can be summarized as follows:
(1) We propose a public auditing scheme based on a novel secure certificateless signature method for medical cloud data, which provides the necessary functions and satisfies the security requirements of cloud-assisted eHealth systems.
(2) To generate unforgeable data block tags, we propose a new secure certificateless signature method, which is proven secure against both type-I and type-II adversaries.
(3) To solve the inconsistency between medical data owners and producers, we design a manageable delegated data outsourcing mechanism, which not only significantly reduces the computational and communication burden on patients by authorizing medical personnel to outsource data but also supports verification of the outsourcing behavior.
(4) Considering the multisource nature of medical cloud data, we develop an auditing algorithm based on a certificateless signature, which achieves efficient batch auditing of patients' medical data handled by many medical personnel without complicated certificate management or key escrow.
(5) To meet the unique security requirements of medical data, we establish an augmented data verification strategy with privacy protection, which uses an extended signature to provide comprehensive auditing of both medical data and their source information.
(6) We analyze the security by proving that the presented scheme can resist potential attacks and evaluate the performance by comparing it with state-of-the-art schemes theoretically and experimentally. The results demonstrate that CPAMD provides better security and more comprehensive auditing functions while achieving desirable performance.
The structure of this work is as follows. Section 2 reviews related work. Background and preliminaries are introduced in Section 3. Section 4 gives a detailed description of CPAMD. Then, we perform the security analysis and the full performance evaluation in Sections 5 and 6, respectively. At last, Section 7 concludes this work.

Related Work
Healthcare Industry 4.0 takes advantage of cloud computing to store, process, and share massive amounts of medical data among patients, medical professionals, and various institutions. In spite of these benefits, it still faces serious security challenges. To address these issues, researchers have made arduous efforts. For example, Zhou et al. [27] came up with a secure dynamic medical data mining scheme with privacy preservation for cloud-assisted eHealth systems; Roy et al. [28] presented a fine-grained data access control protocol over multiple cloud servers in Healthcare Industry 4.0. However, the integrity verification of medical cloud data, which is of great importance in cloud-based eHealth systems, has not been explored to a large extent.
In fact, for traditional cloud data, cloud auditing has been generally adopted to verify and ensure data integrity. As the research foundation of this work, we briefly review representative work on cloud data auditing. In 2007, Juels and Kaliski Jr. [29] first presented proof of retrievability, a classical private auditing model involving only the CSP and the user. Meanwhile, Ateniese et al. [30] proposed a provable data possession (PDP) scheme allowing a third party to perform the auditing process. In contrast to private auditing, public auditing can alleviate the burden on the user and render a trustworthy auditing result, and is thereby considered more practical and reasonable.
With the continuous advancement of cloud services, a large number of auditing schemes for different data types (such as dynamic data, shared data, and multiple replicas) and specific application requirements (such as data privacy preservation) have emerged accordingly. The auditing schemes for dynamic data must not only check data integrity but also verify data freshness, for which various authenticated data structures are widely adopted, such as the Merkle Hash Tree [8], the Index-Hash Table [9], and the Rank-based Authenticated Skip List [15]. To achieve privacy protection, it is often necessary to introduce a random masking technique to prevent the TPA from obtaining any data information while performing the auditing [12]. For shared data processed and maintained by various user groups, the auditing schemes should provide data integrity checking as well as support group dynamics. To achieve this goal, various signature techniques that support multiuser operations, such as proxy re-signature [13] and ring signature [14], have been introduced successively. For multireplica data, the auditing scheme must ensure both the integrity of each copy and the correctness of the number of copies. The first multireplica auditing scheme is MR-PDP, presented by Curtmola et al. [16]. Recently, other advanced schemes have emerged, such as dynamic multireplica auditing with different geographic locations [17].
Since the above cloud auditing schemes employ traditional public key cryptography (PKC), their key management relies heavily on the certificates generated by a public key infrastructure (PKI). As the number of users continues to grow, the certificate management overhead becomes overwhelming. To overcome this problem, many identity-based data auditing schemes [18-20] have been presented, such as a privacy-preserving public auditing scheme using the zero-knowledge proof technique [18], a comprehensive data auditing scheme with delegated data outsourcing [19], and a lightweight data auditing scheme for health storage systems [20].
However, identity-based data auditing schemes face the challenge of key escrow. In particular, the user-related block tags could be forged because the private key generator (PKG) holds the private key of every user. To overcome this challenge, Wang et al. [21] introduced the certificateless signature into data auditing for the first time, where the user's private key includes two parts, namely the partial private key generated by the key generation center (KGC) and the secret value chosen by the user. Yang et al. [22] further proposed a certificateless-based PDP for shared data, which uses zero-knowledge and randomization to protect both data and user privacy. Li et al. [23] presented a certificateless public auditing scheme (CPIC) for group-shared data that supports user revocation effectively. Later, Gudeme et al. successively proposed two improved certificateless auditing schemes: one [24] aims to provide dynamic data auditing with data privacy protection, while the other [25] focuses on multireplica data auditing. More recently, Xu et al. [26] proposed a certificateless public auditing scheme (PAPD) for cloud-assisted medical wireless sensor networks (WSNs), enabling online sharing of medical data.
Unfortunately, the above-mentioned certificateless auditing schemes [21-26] still suffer from certain security risks, since the certificateless signature methods involved are not resistant to the public key replacement and master key attacks. To be more specific, a type-I adversary who replaces the user's public key (and thus knows the corresponding secret value) can derive the user's partial key after making tag queries with the replaced public key, and a type-II adversary can generate the partial private key of the user with the master key. Based on the queried block-tag pair of the $i$-th data block, it can easily convert it to another valid block-tag pair. Therefore, according to the actual needs of public auditing, it is of great necessity to develop a secure certificateless signature method that can withstand both type-I and type-II adversaries.
A thorough comparison of the presented scheme with several related schemes is shown in Table 1 in terms of certificate management, key escrow, delegated data outsourcing, and comprehensive auditing. In summary, cloud data auditing technology has made very significant progress. However, because of the peculiarities of medical cloud data, such as the inconsistency between data owners and producers, the multisource nature, and some unique security requirements, the previous schemes are not directly applicable to cloud-based eHealth scenarios. Therefore, in this paper, we aim to propose a customized certificateless public auditing scheme to meet the necessary security requirements and provide comprehensive auditing functions for medical cloud data.

Background and Preliminaries
3.1. System Model. As illustrated in Figure 1, CPAMD has four types of entities: the cloud service provider (CSP), the registry authority, users, and the third-party auditor (TPA).

Cloud Service Provider (CSP). A semitrusted entity with enormous computing capabilities and storage capacities, which provides medical data storage and management services for users.
Registry Authority. A trustworthy entity that produces the partial private key for users and is in charge of setting up the system. Moreover, it stores the public parameters of outsourced medical record files. In practice, the health department can assume the role of the registry authority.
User. Includes patients and medical personnel. The patient is the data owner and the medical personnel are the data producers. The patient authorizes the designated medical personnel to outsource the medical data to the CSP for storage and management; both of them can make an audit request to the TPA.
Third Party Auditor (TPA). An independent entity authorized to check both data integrity and source information upon request.
Under normal circumstances, the CSP offers users on-demand and reliable services. However, a self-interested CSP may hide the fact that data have been damaged. In terms of abuse and misuse of the delegation, a malicious user may impersonate a patient or authorized medical personnel to process and outsource medical data in undesirable ways. Furthermore, the TPA is deemed to be reliable but curious: it intends to obtain users' data contents while conducting the auditing.
(1) Computational Diffie-Hellman (CDH) Assumption. Let $G$ be a cyclic group of prime order $p$ with a randomly chosen generator $g$ and random numbers $a, b \in Z_p^*$. Given $(g, g^a, g^b) \in G$, it is computationally intractable to compute the value $g^{ab}$. That is, for any probabilistic polynomial-time adversary $A$, the probability of solving the CDH problem is negligible.
(2) Discrete Logarithm (DL) Assumption. Let $G$ be a cyclic group of prime order $p$ with a generator $g$. Given $h \in G$, it is computationally intractable to compute the value $a \in Z_p^*$ such that $h = g^a$. In other words, for any probabilistic polynomial-time adversary $A$, the probability of solving the DL problem is negligible.
Note to Table 1: for certificate management and key escrow, "√" means "no need" and "×" means "need"; for delegated data outsourcing and comprehensive auditing, "√" means "support" and "×" means "not support."

(1) Type-I adversary ($A_I$): $A_I$ can replace the user's public key, yet it cannot get the master key of the registry authority.
(2) Type-II adversary ($A_{II}$): $A_{II}$ can get the master key of the registry authority, yet it cannot replace the public key.
(3) Type-III adversary ($A_{III}$): $A_{III}$ tries to pass the verification with a forged auditing proof.
The security of CPAMD is defined through three interactive games involving a challenger $C$ and the adversaries $A_I$, $A_{II}$, and $A_{III}$.

Game I. This interactive game involves
$A_I$ is deemed to win on the conditions that:
(1) The forged tag $\sigma^*$ is valid on $(m^*, ID^*, PK_{ID^*})$.
(2) $A_I$ has not queried the partial key on $ID^*$.
(3) $A_I$ has not made the tag query on $(m^*, ID^*, PK_{ID^*})$.

Game II. $A_{II}$ is deemed to win on the conditions that:
(1) The forged tag $\sigma^*$ is valid on $(m^*, ID^*, PK_{ID^*})$.
(2) $A_{II}$ has not made the secret value query on $ID^*$.
(3) $A_{II}$ has not made the tag query on $(m^*, ID^*, PK_{ID^*})$.

Cryptanalysis of Existing Certificateless Signature Schemes

This subsection gives a detailed cryptanalysis of the certificateless signature schemes proposed in [21-26]. Since these certificateless signature schemes are basically the same, we take the scheme in [23] as an example to perform the type-I and type-II attacks, respectively.

Type-I Attack Analysis of Schemes [21-26]. According to the above definition of a type-I adversary, $A_I$ can replace the user's public key $PK_j$ with a value of its choice, but it cannot get the system master key $msk = s$. According to the public key generation algorithm, $PK_j = g^{x_j}$ is computed by the user $ID_j$ from the secret value $x_j$, which the user keeps secret. Therefore, when $A_I$ performs the public key replacement attack, it can generate a secret value/public key pair $(x_j', PK_j')$ and replace the user's public key $PK_j$ with the new public key $PK_j'$, so that $A_I$ knows the secret value $x_j'$ corresponding to the replaced key. The detailed attack process is as follows:
(1) A type-I adversary $A_I$ adaptively generates a secret value/public key pair $(x_j', PK_j')$, and then replaces the user's public key $PK_j$ with the new public key $PK_j'$.
(2) $A_I$ queries the data block tag for $(m_i, ID_j, PK_j')$. The challenger $C$ generates the tag for the query by the tag generation algorithm and returns $\sigma_i$ to $A_I$.
(3) As $A_I$ knows the secret value $x_j'$ that corresponds to the replaced public key $PK_j'$, it can compute the value of $H_2(\omega_i)^{x_j'}$.
(4) At last, $A_I$ can compute the partial private key $D_j$ of the user $ID_j$ as follows:
In conclusion, the certificateless signature scheme in [21-26] cannot resist the public key replacement attack: a type-I adversary who replaces the user's public key knows the corresponding secret value, since the public key is generated by the user from the secret value. Therefore, the adversary can extract the user's partial private key after making a tag query with the replaced public key.

Type-II Attack Analysis of Schemes [21-26]. According to the above definition of a type-II adversary, $A_{II}$ can get the master key $msk = s$, but it cannot replace the public key $PK_j$ of the user $ID_j$. According to the partial private key generation algorithm, $D_j = H_1(ID_j)^s$ can be computed with the master key $s$. Then, based on the queried block-tag pair $(m_i, \sigma_i)$ of the $i$-th data block, $A_{II}$ can convert it into another valid $i$-th block-tag pair $(m_i', \sigma_i')$. The detailed attack process is as follows:
(1) Since a type-II adversary $A_{II}$ knows the master key $msk = s$, it can obtain the partial private key $D_j = H_1(ID_j)^s$ of the user $ID_j$.
(2) $A_{II}$ adaptively queries the tag $\sigma_i$ for the $i$-th data block $m_i$. The challenger $C$ computes the tag for the query by the tag generation algorithm and returns $\sigma_i$ to $A_{II}$.
(3) $A_{II}$ has obtained the value of $D_j^{m_i}$, since it already holds the partial private key, where $\omega_i = fid \| n \| i$ and $fid$ denotes the unique file identity.
(4) At last, $A_{II}$ can convert the $i$-th block-tag pair into a valid forged block-tag pair $(m_i', \sigma_i')$ as (5)
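To make the structural point of the two analyses above concrete, the following toy model in Python is added here; it is not code from this paper or from the schemes it analyzes. Because the tag equations are not reproduced on this page, the tag shape $\sigma_i = D_j^{m_i} \cdot H_2(\omega_i)^{x_j}$ is an assumption chosen to contain exactly the two quantities the analyses name ($D_j^{m_i}$ and $H_2(\omega_i)^{x_j'}$); the group is the prime-order subgroup of $Z_Q^*$ for a 63-bit safe prime rather than the paper's pairing groups, and the checker recomputes a tag from the secrets instead of evaluating a pairing. Within that model it shows two things: the type-II conversion of a block-tag pair succeeds when $\omega_i = fid \| n \| i$ leaves $m_i$ unbound and fails once $m_i$ is bound into $\omega_i$ as in the new scheme's $\omega_i = fid \| n \| m_i \| i$, and the type-I recovery of $D_j$ from a tag issued under a replaced public key returns the genuine partial private key. All identities, keys and block values are constructed.

```python
"""Toy model of block-tag malleability (added example, not code from the paper).

The page's cryptanalysis names two quantities in the earlier tags: the partial
private key D_j raised to the block m_i, and H_2(omega_i) raised to the secret
value x_j, with omega_i = fid||n||i.  The exact tag equation is missing from the
page, so the shape sigma = D^m * H2(omega)^x used here is an assumption.  The
group is the order-P subgroup of Z_Q^* for a 63-bit safe prime (toy parameters,
not the paper's pairing groups), and the checker recomputes the tag from the
secrets instead of evaluating a pairing.
"""
import hashlib

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start: int) -> tuple:
    """Smallest odd P >= start such that P and Q = 2P + 1 are both prime."""
    p = start | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    return 2 * p + 1, p


Q, P = safe_prime_above(1 << 61)  # constructed toy parameters; squares mod Q have order P


def hash_to_group(label: str, data: str) -> int:
    """Hash a string into the order-P subgroup by squaring a digest mod Q."""
    h = int.from_bytes(hashlib.sha256(f"{label}|{data}".encode()).digest(), "big") % Q
    return pow(h or 1, 2, Q)


def inverse_in_group(y: int) -> int:
    """Inverse of a subgroup element: y^(P-1), since y^P = 1."""
    return pow(y, P - 1, Q)


def partial_private_key(master_key: int, identity: str) -> int:
    """Registry authority: D = H1(ID)^s, as on the page."""
    return pow(hash_to_group("H1", identity), master_key, Q)


def make_tag(D: int, x: int, m: int, omega: str) -> int:
    """Assumed tag shape: sigma = D^m * H2(omega)^x."""
    return pow(D, m, Q) * pow(hash_to_group("H2", omega), x, Q) % Q


def tag_matches(sigma: int, D: int, x: int, m: int, omega: str) -> bool:
    """Secret-aware checker standing in for the paper's pairing verification."""
    return sigma == make_tag(D, x, m, omega)


def retag_with_partial_key(sigma: int, D: int, m: int, m_new: int) -> int:
    """Type-II step (4): sigma * D^(m_new - m) is a tag on m_new exactly when
    omega does not depend on m, because the H2(omega)^x factor is unchanged."""
    return sigma * pow(D, (m_new - m) % P, Q) % Q


def partial_key_from_tag(sigma: int, x_prime: int, m: int, omega: str) -> int:
    """Type-I step (4): knowing x' of the replaced key, strip H2(omega)^x' and
    take the m-th root: D = (sigma / H2(omega)^x')^(1/m), with 1/m taken mod P."""
    stripped = sigma * inverse_in_group(pow(hash_to_group("H2", omega), x_prime, Q)) % Q
    return pow(stripped, pow(m, P - 2, P), Q)


def demo() -> dict:
    """Compare an omega without m (earlier schemes) and one binding m (new scheme)."""
    s, x, x_prime = 123456789, 9876543, 555  # constructed master key and secret values
    D = partial_private_key(s, "doctor-42")
    fid, n, i, m, m_new = "file-001", 4, 2, 300, 301

    def omega_bound(block: int) -> str:
        return f"{fid}||{n}||{block}||{i}"  # new scheme: omega_i = fid||n||m_i||i

    omega_weak = f"{fid}||{n}||{i}"  # earlier schemes: m_i not bound into omega_i
    sigma_weak = make_tag(D, x, m, omega_weak)
    sigma_bound = make_tag(D, x, m, omega_bound(m))
    sigma_replaced = make_tag(D, x_prime, m, omega_weak)  # tag query under the replaced key
    return {
        "honest_tag_ok": tag_matches(sigma_weak, D, x, m, omega_weak),
        "weak_retag_accepted": tag_matches(
            retag_with_partial_key(sigma_weak, D, m, m_new), D, x, m_new, omega_weak),
        "bound_retag_accepted": tag_matches(
            retag_with_partial_key(sigma_bound, D, m, m_new), D, x, m_new, omega_bound(m_new)),
        "partial_key_recovered": partial_key_from_tag(sigma_replaced, x_prime, m, omega_weak) == D,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints four flags: an honest tag checks out; the converted tag checks out against the unbound $\omega_i$ but not against the bound one, because the $H_2(\omega_i)^{x_j}$ factor carried over from the original tag no longer matches the hash of the new block; and the partial key recovered from the tag issued under the replaced key equals $D_j$. The safe-prime search runs once at import and is deterministic.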

In conclusion, the certificateless signature in the previous schemes [21-26] cannot resist the master key attack: a type-II adversary can generate the partial private key of the user from the master key. For a block-tag pair $(m_i, \sigma_i)$ of the $i$-th data block, $A_{II}$ can then easily convert it to another valid block-tag pair $(m_i', \sigma_i')$.

The Presented Scheme

The medical record file to be outsourced will be divided into multiple data blocks $m_i$ ($1 \le i \le n$), whose corresponding tags $\sigma_i$ ($1 \le i \le n$) are generated by the designated medical worker $ID_u$. It is worth noting that the warrant is embedded into every block tag, which binds the designated medical worker's relevant information to the medical data. Further, we leverage an extended signature [31] to establish an augmented verification strategy, where the patient signs the warrant as the medical worker's delegation and the delegated medical worker generates signatures of the blocks as their metadata. In this way, the auditor can efficiently check both data integrity and source information at the same time.

A New Certificateless Signature Scheme. To address the security issue of the certificateless signatures in the previous schemes [21-26], we first present a new secure certificateless signature scheme, which consists of the following six algorithms.
Setup: The registry authority (i.e., the KGC) chooses two multiplicative cyclic groups $G_1$ and $G_2$ of prime order $p$, a bilinear map $e: G_1 \times G_1 \to G_2$, and secure hash functions $H_1$, $H_2$, and $H_3$, where $g$ is a generator of $G_1$. Then, it randomly chooses $s \in Z_p^*$ as the master key and produces the system public key $P_0 = g^s$. Finally, the registry authority saves $s$ privately and publishes $Paras = (p, g, G_1, G_2, e, P_0, H_1, H_2, H_3)$.
Partial private key generation: Upon receiving the identity $ID_j$ of the user, the registry authority computes $D_j = H_1(ID_j)^s$ and returns it to the user.
Secret value generation: The user $ID_j$ chooses a random number $x_j \in Z_p^*$ as the secret value.
Public key generation: The user $ID_j$ uses the secret value $x_j$ to generate the public key $PK_j = g^{x_j}$.
Tag generation: The file $F$ to be outsourced is divided into $n$ data blocks. For each data block $m_i$, the user $ID_j$ chooses a random number $r_i \in Z_p^*$ and computes $R_i = H_1(ID_u)^{r_i}$. Then, the user $ID_j$ generates the block tag, where $\omega_i = fid \| n \| m_i \| i$ and $fid$ denotes the unique file identity. Finally, the user $ID_j$ uploads the processed file $\{F, fid, \{R_i\}_{1 \le i \le n}, \{\sigma_i\}_{1 \le i \le n}\}$ to the CSP.
Tag verification: The validity of the block tag $\sigma_i$ can be verified as follows. The correctness of tag verification can be demonstrated as follows:

where $(D_o, x_o)$ is the private key of the patient and $\omega_u = PK_o \| PK_u$. At last, the whole authorization $(W_u, R_u, \delta_u)$ is transmitted to the specified medical worker $ID_u$. Upon receiving the authorization $(W_u, R_u, \delta_u)$, the medical worker $ID_u$ checks its validity according to the following equation:
If equation (10) holds, the medical worker $ID_u$ accepts the authorization of the patient $ID_o$; otherwise, the authorization fails.
Notation: $D_j$, the partial private key of the $j$-th user; $PK_j$, the public key of the $j$-th user; $W_u$, the warrant for the $u$-th medical worker.

Step 1 (File tag generation): For the file $F$ to be outsourced, the medical worker $ID_u$ generates the file tag $\Lambda = \lambda \| S.Sig(\lambda, ssk) \| spk$ with a one-time signature scheme $S = \langle Sig, Vrf \rangle$, where $(spk, ssk)$ is its public/secret key pair.
Step 2 (Block tag generation): For each data block $m_i \in Z_p^*$, the medical worker $ID_u$ selects a random number $r_i \in Z_p^*$, computes $R_i = H_1(ID_u)^{r_i}$, and generates the block tag, where $\omega_i = W_u \| fid \| n \| m_i \| i$ and $W_u$ is the warrant. Finally, the authorized medical worker $ID_u$ sends the file tag $\Lambda$ to the registry authority, and transmits the processed medical file $\{F, fid, \{R_i\}_{1 \le i \le n}, \{\sigma_i\}_{1 \le i \le n}\}$ together with its authorization $(W_u, R_u, \delta_u)$ to the CSP.
After receiving these data, the CSP first checks the validity of the delegation $\delta_j$ by equation (10). Subsequently, the proofs $\Phi_u$, $\Omega_u$, and $\Theta_u$ related to each user $ID_u$ are aggregated into the final proof $\Phi$, $\Omega$, and $\Theta$. Eventually, the CSP transmits the proof $P = \{\Phi, \Omega, \Theta\}$ and the corresponding delegations $\{R_u, \delta_u\}_{1 \le u \le d}$ to the TPA.
Step 3 (Verification): After receiving the response from the CSP, the TPA first checks the validity of the delegations $\{R_u, \delta_u\}_{1 \le u \le d}$ by equation (10) to verify the source information, which makes sure that the medical files were processed and outsourced by the designated medical workers as specified. The auditable source information provides credible evidence to help settle medical disputes between a patient and a medical worker.
Subsequently, the TPA checks the validity of the proof $P = \{\Phi, \Omega, \Theta\}$ to verify data integrity. If equation (19) holds, the patient's medical data are correctly stored; otherwise, the data are corrupted.

Theorem 3. If the medical data stored in the CSP remain intact, the integrity proof passes the verification.
Proof. The correctness of the verification algorithm (equation (19)) is demonstrated as follows: □

Theorem 4. The presented CPAMD is resistant to the type-I adversary $A_I$ if the CDH assumption holds.
Proof. Suppose that $A_I$ wins Game I with a non-negligible probability $\varepsilon$ after performing the $H_1$-Query, PartialPrivateKey-Query, and Tag-Query $q_{h1}$, $q_{ppk}$, and $q_t$ times, respectively. Then a simulator $B$ can solve the CDH problem with probability $\Pr \ge (1 - 1/q_{h1})^{q_{ppk} + q_t} \cdot \varepsilon \cdot (1/q_{h1})$. That is, given a problem instance $(G_1, g, g^a, g^b)$, $B$ can compute $g^{ab}$ with non-negligible probability by running $A_I$.
Setup. The simulator $B$ produces the public parameters $Paras$ and sets the system public key to $P_0 = g^a$, so that the master key $s$ equals $a$. $B$ sends $Paras$ to $A_I$. Meanwhile, the master key is kept secret; $P_0 = g^a$ is available from the problem instance.
Analysis.
This means that if the adversary $A_I$ successfully generates a forged tag, the CDH problem in $G_1$ (given $g$, $g^a$, and $g^b$, compute $g^{ab}$) can be solved by the simulator $B$ that runs $A_I$.
Assume that the numbers of $H_1$-Query, PartialPrivateKey-Query, and Tag-Query performed are $q_{h1}$, $q_{ppk}$, and $q_t$. Then, the probability of $A_I$ winning Game I is evaluated as follows:
From the simulation, we can obtain that
Therefore, the probability of the simulator $B$ solving the CDH problem is
□

Theorem 5. The presented CPAMD is resistant to the type-II adversary $A_{II}$ if the CDH assumption holds.
Proof. Suppose that $A_{II}$ wins Game II with a non-negligible probability $\varepsilon$ after performing the SecretValue-Query and Tag-Query $q_s$ and $q_t$ times; then a simulator $B$ can solve the CDH problem with $\Pr$
$B$ transmits $PK_{ID_i}$ to $A_{II}$ and adds
Since $x_i$ is a random value in $Z_p^*$ and $g$ and $g^a$ are elements of $G_1$, $g^{x_i}$ and $(g^a)^{x_i}$ have the identical distribution. Thus, $A_{II}$ cannot distinguish the results of $PK_{ID_i}$ returned by $B$.
$H_2$-Query. $A_{II}$ adaptively makes an $H_2$-Query for information
Tag-Query. $A_{II}$ queries the tag for $(ID_i, m_i, \omega_i)$. If $ID_i = ID^*$, $B$ aborts; else $B$ calculates $D_{ID_i}$ by the master key, retrieves $S_{ID_i}$ from $L_2$ and $H_2(\omega_i)$ from $L_3$, then generates the tag $\sigma_i$ for $(ID_i, m_i, \omega_i)$ by the tag generation algorithm. At last, $B$ returns $\sigma_i$ to $A_{II}$.
Forge. Eventually, the adversary $A_{II}$ returns a forged tag $\sigma^*$ on $(m^*, ID^*, PK_{ID^*})$.
$\cdot\, e(H_2(\omega), PK_{ID^*})$ according to the verification algorithm. At last, we can obtain
This means that if the adversary $A_{II}$ successfully generates a forged tag, the CDH problem in $G_1$ (given $g$, $g^a$, and $g^b$, compute $g^{ab}$) can be solved by the simulator $B$ that runs $A_{II}$.
Let $q_s$ and $q_t$ denote the numbers of SecretValue-Query and Tag-Query. The probability of $A_{II}$ winning the game is evaluated as follows: (1) $\zeta_1$: $B$ has not aborted Game II in the SecretValue-Query and Tag-Query.
From this, we can obtain that
Therefore, the probability of the simulator $B$ solving the CDH problem is

Theorem 6. The presented CPAMD is resistant to the type-III adversary $A_{III}$ if the DL assumption holds. That is, the auditing proof is existentially unforgeable.
Proof. If $A_{III}$ wins this game, a simulator $B$ can break the DL problem. In other words, with a DL problem instance $(G_1, g, b = g^a)$, $B$ can compute $a \in Z_p^*$ with non-negligible probability by running $A_{III}$.
Setup. $B$ generates the master key $s$ and the public parameters $Paras$. $B$ keeps $s$ secret and sends $Paras$ to $A_{III}$.
Tag-Query. $A_{III}$ adaptively makes a Tag-Query for $(ID_i, PK_{ID_i}, m_i)$. $B$ generates the tag $\sigma_i$ for the query by the tag generation algorithm. At last, $B$ returns $\sigma_i$ to $A_{III}$.
Challenge. The simulator $B$ sends a challenge $chal = \{\{i, v_i\}_{i \in C_u}\}_{1 \le u \le d}$ to $A_{III}$.
Forge. In response to the challenge issued by $B$, $A_{III}$ should return a correct proof $P = \{\Phi, \Omega, \Theta\}$. $A_{III}$ is deemed to win Game III if it can pass the verification using a forged proof $P^* = \{\Phi^*, \Omega^*, \Theta^*\}$.
According to the verification algorithm, the auditing proof can be verified as
Since $A_{III}$ wins this game, we have $\Omega = \Omega^*$ and $\Theta = \Theta^*$ but $\Phi \ne \Phi^*$. According to equations (29) and (30) and the bilinearity of the map, we can obtain
Given $(G_1, g, b = g^a)$, we randomly select $x_u, y_u \in Z_p^*$ and set $H_1(ID_u) = g^{x_u} b^{y_u}$. We can further obtain
This means that if the adversary $A_{III}$ successfully generates a forged auditing proof, the DL problem in $G_1$ (i.e., given $g$ and $g^a$, output $a$) can be solved by the simulator $B$ that runs $A_{III}$.

Theorem 7 (Unforgeability of authorization). If the CDH assumption holds, a valid new authorization is existentially unforgeable.
Proof. The patient $ID_o$ generates a signature on the warrant $W_u$ as the delegation $\delta_u$ for the designated medical worker $ID_u$:
The complete authorization $(W_u, R_u, \delta_u)$ is sent to the specified medical worker $ID_u$. According to Definition 1, the signature in our scheme is existentially unforgeable if the CDH assumption holds. Thus, a new valid authorization cannot be forged.

Privacy
Theorem 8 (Data privacy preserving). In CPAMD, the TPA is unable to learn any data information while performing the auditing process, if the DL assumption holds.
Proof. While performing the auditing process, the TPA tries to learn the user's data information from $P = \{\Phi, \Omega, \Theta\}$ returned by the CSP. Since $\Theta$ is the aggregated value of the random numbers $r_i$, which does not contain any data content, we only need to show that neither $\Phi$ nor $\Omega$ in the proof leaks any data information of the user.
First, according to equations (13) and (16) in the proof generation, we can obtain
According to the DL problem in $G_1$, it is infeasible to extract the information $m_i v_i$. Therefore, the TPA is unable to learn any data information from $\Phi$.
Second, according to equations (14) and (17), we can obtain
From the equation above, $r_i$ is chosen randomly by the user and the partial private key $D_u$ is kept secret; thereby, both $r_i$ and $D_u$ are unknown to the TPA. Moreover, according to the DL problem in $G_1$, the TPA cannot extract the information $m_i v_i$. Thus, CPAMD protects data privacy from the TPA.
As proven above, the presented CPAMD satisfies all the security requirements. Moreover, we compare the security of CPAMD with that of the existing certificateless data auditing schemes [21-26]; the results are shown in Table 3. The presented CPAMD is resistant to both the public key replacement attack and the master key attack. Moreover, the TPA learns nothing about patients' data while performing the auditing process.

Performance Evaluation
In this section, we conduct a theoretical analysis of auditing functions, communication costs and computation costs, and then evaluate the performance through detailed comparative experiments against state-of-the-art schemes.
Auditing Functions.
In cloud-assisted eHealth systems, a patient's medical data are generated by different medical workers at various stages, so delegated data outsourcing and efficient batch auditing are indispensable for high efficiency. In addition, a secure signature method and data privacy preservation are required for security.

Communication Costs.
Table 5 summarizes the communication costs of the auditing. In the challenge phase, both CPAMD and PAPD support multiproxy batch auditing, in which the challenge set is composed of $d$ subsets, each of which is an index set of data blocks processed by the authorized medical worker $ID_u$ ($1 \le u \le d$). Therefore, the communication costs of both CPAMD and PAPD are $c \cdot (|Z_p^*| + |N|)$. By contrast, CPIC only sends the number of challenged blocks and two random numbers ($2|Z_p^*| + |N|$) to launch a challenge; the CSP and the TPA then use a pseudorandom permutation and a pseudorandom function to compute the real challenge set. That is, CPIC reduces communication overhead at the cost of computation overhead.

In the response phase, CPAMD's communication costs are only $3|G_1|$, much lower than those of IBDO, CPIC, and PAPD. Note that the comparison is conducted in the multiproxy setting. Since IBDO does not specify operations with multiple proxies, we extend it into a multiproxy auditing scheme by generating a proof for each medical worker; the communication costs of IBDO during the response are therefore linear in the number of authorized medical workers. In addition, PAPD introduces a blinding factor for each subset to protect data privacy, whose communication cost is $2d$. By comparison, CPAMD aggregates the data proof and tag proof of all involved medical workers to achieve batch auditing, which makes the communication costs independent of the number of authorized medical workers.
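The two challenge encodings just compared, as an added example that is not part of the paper's scheme or code: the explicit challenge carries $c$ (index, coefficient) pairs, while the compact form carries only the count and two keys that both the CSP and the TPA expand with a pseudorandom permutation and a pseudorandom function, as described for CPIC. The PRP construction (a PRF-driven partial Fisher-Yates shuffle), the element sizes ZP_BYTES and N_BYTES, and the prime P are assumptions of this example, not details taken from CPIC or CPAMD.

```python
"""Added example (not from the paper): the two challenge encodings compared in Table 5.
The explicit form ships c (index, coefficient) pairs; the compact form ships only c and
two keys, and both CSP and TPA expand it with a PRP (indices) and a PRF (coefficients)."""
from __future__ import annotations
import hashlib
import hmac
import secrets

ZP_BYTES = 20    # |Z_p^*| for a 160-bit group order (MNT d159 in the paper's setup)
N_BYTES = 4      # |N|, the size of a block index or block count (assumption here)
P = 2**255 - 19  # assumed prime standing in for the group order p in this example


def _prf(key: bytes, label: bytes, x: int) -> int:
    """Keyed PRF: HMAC-SHA256 over (label || x), read as an integer."""
    return int.from_bytes(hmac.new(key, label + x.to_bytes(8, "big"), hashlib.sha256).digest(), "big")


def expand_challenge(n: int, c: int, k1: bytes, k2: bytes) -> list[tuple[int, int]]:
    """Expand the compact challenge (c, k1, k2) into the real set {(i, v_i)}.
    k1 keys a PRP over [0, n): a partial Fisher-Yates shuffle driven by the PRF, whose
    first c outputs are the challenged indices. k2 keys the PRF yielding v_i in Z_p^*."""
    if not 0 < c <= n:
        raise ValueError("need 0 < c <= n")
    perm = list(range(n))
    for j in range(c):
        # reducing a 256-bit PRF output modulo n - j leaves a negligible bias for n < 2^32
        r = j + _prf(k1, b"prp", j) % (n - j)
        perm[j], perm[r] = perm[r], perm[j]
    return [(i, 1 + _prf(k2, b"prf", i) % (P - 1)) for i in perm[:c]]


def issue_compact_challenge(c: int) -> tuple[int, bytes, bytes]:
    """TPA side: only the count and two fresh keys (2|Z_p^*| + |N| bytes) go on the wire."""
    return c, secrets.token_bytes(ZP_BYTES), secrets.token_bytes(ZP_BYTES)


def issue_explicit_challenge(n: int, c: int) -> list[tuple[int, int]]:
    """TPA side of the explicit form: c random distinct indices, each with a random v_i."""
    rng = secrets.SystemRandom()
    return [(i, 1 + rng.randrange(P - 1)) for i in sorted(rng.sample(range(n), c))]


def challenge_bytes(c: int, compact: bool) -> int:
    """Table 5 formulas: c(|Z_p^*| + |N|) explicit versus 2|Z_p^*| + |N| compact."""
    return 2 * ZP_BYTES + N_BYTES if compact else c * (ZP_BYTES + N_BYTES)


if __name__ == "__main__":
    n, c = 5000, 460  # block number and challenge size used in the comparative experiments
    c, k1, k2 = issue_compact_challenge(c)
    assert expand_challenge(n, c, k1, k2) == expand_challenge(n, c, k1, k2)  # CSP and TPA agree
    print(challenge_bytes(c, compact=False), challenge_bytes(c, compact=True))  # 11040 44
```

With $n = 5000$ and $c = 460$ the explicit challenge costs 11040 bytes against 44 bytes for the compact one; the price is the $O(c)$ PRF evaluations that both the CSP and the TPA must perform to rebuild the same set, which is exactly the computation-for-communication trade-off noted above.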

Computation Costs.
The computation costs of the four schemes are given in Table 6. The tag generation costs of CPIC, PAPD, and CPAMD are similar and lower than those of IBDO. Specifically, CPIC, PAPD, and CPAMD all employ a certificateless signature to generate data block tags; the costs of CPIC and PAPD are the same, and those of CPAMD are slightly higher. However, CPIC and PAPD are not resistant to public key replacement and master key attacks. To address this, CPAMD introduces a nonce to protect the partial key, which requires one additional exponentiation in $G_1$ per block. Therefore, the tag generation costs of CPAMD grow with the block number $n$, as listed in Table 6.
The proof generation costs of CPAMD are $3c \cdot E_1 + 3(c-1) \cdot M_1$ (where $E_1$ and $M_1$ denote an exponentiation and a multiplication in $G_1$), for three reasons. First, CPAMD generates an additional proof related to the nonce to resist public key replacement attacks. Second, it produces the data proof as $H_1(ID_u)^{m_i v_i}$ instead of $m_i v_i$, which protects data privacy against the TPA. Third, to support efficient batch auditing, it aggregates the proofs of all authorized medical workers. Overall, the proof generation costs of CPAMD are no greater than those of IBDO in the multiuser configuration (i.e., $d \ge 3$), but larger than those of CPIC and PAPD. We consider this modest extra overhead on the CSP's side worthwhile, because CPAMD provides better security and more comprehensive auditing functions: a secure certificateless signature, data privacy preservation, and efficient multiproxy batch auditing.
In addition, the verification costs of CPAMD are the lowest among the four schemes. As a result, the TPA can efficiently verify the patient's medical data handled by multiple authorized medical workers simultaneously.

Comparative Experiments.
We evaluate the performance through detailed comparative experiments on a Dell workstation with an Intel Xeon E3-1225 CPU at 3.31 GHz, 8 GB of RAM, a 7200 RPM Serial ATA drive, and a Linux system. All algorithms are implemented with the Charm-Crypto library v0.43 [32]. We employ the MNT d159 curve, which has a 160-bit group order. All reported results are averages over 20 trials.
To comprehensively evaluate the performance of the tag generation phase, two experimental settings are used. In the first, the number of data blocks is fixed at 5000 and the block size ranges from 1 KB to 128 KB; in the second, the block size is fixed at 4 KB and the number of blocks increases from 5000 to 50000 in steps of 5000. Figures 3 and 4, respectively, show the results for these two settings, from which we observe: (1) the tag generation time of all four schemes is linear in the block size and the block number; (2) the tag generation times of CPIC and PAPD are the same; (3) for the same block size and block number, CPAMD is slightly more expensive than CPIC and PAPD, and all three are much cheaper than IBDO; and (4) with a fixed number of data blocks (i.e., 5000), the difference in tag generation overhead between CPAMD and CPIC is constant (about 20 s) and does not grow with the block size. The reason is that, compared with CPIC and PAPD, CPAMD employs a more secure certificateless signature method to resist the public key replacement and master key attacks: for each data block, CPAMD requires one additional exponentiation to compute an auxiliary verification parameter, and this cost is independent of the block size. We consider this small extra overhead worthwhile and necessary for the better security.
In addition, CPAMD provides a delegated data outsourcing mechanism, through which the patient can delegate designated medical workers to process and outsource the medical data. That is, in CPAMD the tag generation is not performed by patients but by authorized medical personnel with professional equipment. Therefore, we can draw the following conclusions: first, compared with IBDO, which also supports delegated data outsourcing, CPAMD performs better in tag generation; second, compared with CPIC and PAPD, CPAMD trades a little computational overhead for better security and support for delegated data outsourcing.
Figure 5 depicts the verification time of the TPA for different numbers of authorized medical personnel. In this experiment, the block size and block number are set to 4 KB and 5000, respectively, the number of challenged blocks is fixed at 460, and the number of authorized medical personnel increases from 10 to 100 in steps of 10. The results in Figure 5 demonstrate that: (1) the verification time of all four schemes is linear in the number of authorized medical personnel, and (2) the verification time of CPAMD is lower than that of IBDO, CPIC, and PAPD. Note that IBDO, which supports delegated data outsourcing, does not address verification in a multiproxy environment; to perform this comparison, we extend IBDO to multiproxy auditing by running the verification separately for the outsourced data of each authorized medical worker. CPIC supports efficient public auditing for data shared in a group, providing batch auditing for multiple group users; however, a curious TPA or an external attacker can deduce the content of the outsourced data by collecting linear combinations of the challenged blocks during auditing. To address this issue, PAPD introduces a blinding factor to protect data privacy, so the verification time of PAPD is slightly higher than that of CPIC.
By contrast, CPAMD issues a single challenge covering all authorized medical workers. The CSP first computes the integrity proof for each proxy and then aggregates them into the final proof. In addition, the TPA cannot obtain any data information from the proof, which protects the patient's data privacy. To sum up, in the verification process CPAMD outperforms IBDO, CPIC, and PAPD in terms of both efficiency and security.
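The leakage described above (a curious TPA collecting linear combinations of the same challenged blocks) and the blinding that Theorem 8 relies on (a data proof of the form $H_1(ID_u)^{\sum m_i v_i}$ instead of $\sum m_i v_i$), as an added example that is not part of the paper's scheme or code. It makes two assumptions: secp256k1, written additively, stands in for the pairing group $G_1$ (no pairing is needed to show this point, so only the data proof is modelled, not the tag proof), and $H_1(ID)$ is a hashed multiple of the base point (a real scheme needs a hash-to-curve map so that the discrete log of $H_1(ID)$ stays unknown). The block values, identities and challenge coefficients are constructed for the example.

```python
"""Added example (not from the paper): a cleartext data proof leaks blocks to a curious
TPA, while a blinded proof Phi = H1(ID_u)^{sum m_i v_i} hides them behind the DL problem.
Assumed: secp256k1 (additive notation) stands in for G1; H1 is a toy hash-to-point."""
import hashlib
import random
from functools import reduce

_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order p
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, _P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, _P)) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return (x3, (lam * (x1 - x3) - y1) % _P)

def ec_mul(k, pt):
    """Double-and-add; [k]pt plays the role of pt^k in the multiplicative group G1."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_point(identity: bytes):
    """Toy H1(ID): hash to a scalar and multiply the base point (assumption only;
    a real scheme needs a hash-to-curve map so that log_g H1(ID) stays unknown)."""
    return ec_mul(1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (ORDER - 1), G)

def linear_combination(blocks, chal):
    """mu = sum_i v_i * m_i over Z_p; returned in the clear by the leaky design."""
    return sum(v * blocks[i] for i, v in chal) % ORDER

def blinded_proof(blocks, chal, h_u):
    """CPAMD-style data proof Phi_u = H1(ID_u)^{mu}: the TPA sees a group element, not mu."""
    return ec_mul(linear_combination(blocks, chal), h_u)

def aggregate(proofs):
    """Batch aggregation over medical workers: the product of all Phi_u (point sum here)."""
    return reduce(ec_add, proofs, None)

def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan over Z_q (q prime); None if the coefficient matrix is singular."""
    n = len(rows)
    m = [r[:] + [b] for r, b in zip(rows, rhs)]
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] % q), None)
        if piv is None:
            return None
        m[c], m[piv] = m[piv], m[c]
        inv = pow(m[c][c], -1, q)
        m[c] = [v * inv % q for v in m[c]]
        for r in range(n):
            if r != c and m[r][c]:
                f = m[r][c]
                m[r] = [(u - f * w) % q for u, w in zip(m[r], m[c])]
    return [r[n] for r in m]

def curious_tpa_recover(index_set, transcripts):
    """Collect c cleartext responses to c challenges on the same c blocks and solve V m = mu."""
    pos = {i: k for k, i in enumerate(index_set)}
    rows, rhs = [], []
    for chal, mu in transcripts:
        row = [0] * len(index_set)
        for i, v in chal:
            row[pos[i]] = v % ORDER
        rows.append(row)
        rhs.append(mu)
    sol = solve_mod_prime(rows, rhs, ORDER)
    return None if sol is None else dict(zip(index_set, sol))

def demo(seed=2024):
    """Constructed data: 8 blocks as field elements, 4 of them held by one medical worker."""
    blocks = [int.from_bytes(hashlib.sha256(b"block-%d" % i).digest(), "big") % ORDER
              for i in range(8)]
    index_set, rng = [1, 3, 4, 6], random.Random(seed)
    chals = [[(i, 1 + rng.randrange(ORDER - 1)) for i in index_set] for _ in index_set]
    # Leaky design: the TPA recovers every challenged block from c cleartext responses.
    recovered = curious_tpa_recover(index_set, [(ch, linear_combination(blocks, ch)) for ch in chals])
    leaked = recovered is not None and all(recovered[i] == blocks[i] for i in index_set)
    # Blinded design: only H1(ID_u)^{mu} is seen, yet proofs still aggregate homomorphically.
    h_u = hash_to_point(b"ID_u=medical-worker-17")
    phi = aggregate([blinded_proof(blocks, chals[0], h_u), blinded_proof(blocks, chals[1], h_u)])
    mu_sum = (linear_combination(blocks, chals[0]) + linear_combination(blocks, chals[1])) % ORDER
    return leaked, phi == ec_mul(mu_sum, h_u)

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The first result shows that $c$ independent challenges over the same $c$ blocks give the TPA an invertible linear system over $Z_p$, so cleartext responses leak the blocks outright. The second shows why the blinded form costs nothing in functionality: the products of the $\Phi_u$ still equal $H_1(ID_u)$ raised to the summed combination, which is what the batch aggregation across medical workers relies on, while recovering the exponent itself is the DL problem in the group.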

Conclusion
Aiming at the unique attributes and security requirements of cloud-based medical data in Healthcare Industry 4.0, a new certificateless public auditing scheme, CPAMD, is presented. To generate unforgeable data block tags, a new secure certificateless signature method is developed and proven secure against type-I and type-II adversaries. To resolve the mismatch between the owners and the producers of medical data, a manageable delegated data outsourcing mechanism is designed that relieves the burden on patients and makes the outsourcing behavior of medical workers verifiable. Taking the multisource nature of medical cloud data into account, an auditing protocol based on the certificateless signature is proposed to achieve efficient batch verification of medical data handled by various medical workers, without complicated certificate management or key escrow. In addition, an augmented data verification strategy with privacy protection is presented to achieve comprehensive auditing of both the medical data and their source information without leaking data privacy. The security analysis and performance evaluation show that CPAMD provides better auditing security and more comprehensive auditing functions while delivering auditing performance comparable to the state of the art.
With the increasingly rich applications of eHealth systems, research on auditing medical cloud data will deepen further. For example, with the growing popularity of collaborative medical care, patients' EHRs are shared among authorized medical personnel, which places new requirements on data auditing such as efficient dynamic group management and identity traceability. Providing a tailor-made solution for the public auditing of shared medical data in the cloud is one of the directions of our future work.

3.3. Design Goals. This work tries to realize the following goals in designing a data auditing scheme for cloud-assisted eHealth systems with good security and efficiency:
(1) Public auditing. Any third party authorized by the user can verify the data integrity and its source information.
(2) Designated authorization. The delegation authorized by the patient can only be used by the designated medical personnel. A new valid authorization cannot be forged.
(3) Multiproxy batch auditing. The TPA can efficiently check the integrity of patients' medical data processed and outsourced by various authorized medical workers simultaneously.
(4) Comprehensive auditing. The TPA can verify both the medical data integrity and its source information.
(5) Data privacy preserving. The TPA learns nothing about patients' data during the auditing process.

3.4. Security Model. Following typical certificateless public auditing schemes [21-26], we consider three adversaries, type-I/II/III (namely $A_I$, $A_{II}$, and $A_{III}$), with different attack capabilities. Both $A_I$ and $A_{II}$ try to forge block tags; $A_{III}$ tries to pass the verification with a forged auditing proof. They are defined as follows:

Game I. This interactive game involves the challenger $C$ and the adversary $A_I$.
Setup. $C$ generates the master key $s$ and the public parameters $Paras$. $C$ keeps $s$ secret and transmits $Paras$ to $A_I$.
Queries. $A_I$ adaptively queries $C$ in polynomial time.
(1) Partial Private Key Query. $A_I$ adaptively queries the partial private key on $ID$. $C$ generates the partial key $D_{ID}$ and transmits it to $A_I$.
(2) SecretValue Query. $A_I$ adaptively queries the secret value on $ID$. $C$ generates the secret value $S_{ID}$ and transmits it to $A_I$.
(3) Public Key Query. $A_I$ adaptively queries the public key on $ID$. $C$ generates the public key $PK_{ID}$ and transmits it to $A_I$.
(4) Public Key Replacement. $A_I$ replaces the public key $PK_{ID}$ of $ID$ with a $PK^*_{ID}$ of its choice.
(5) Tag-Query. $A_I$ adaptively queries the tag on $(m, ID, PK_{ID})$. $C$ computes the block tag $\sigma$ and transmits it to $A_I$.
Forge. Eventually, $A_I$ outputs a forged tag $\sigma^*$ on $(m^*, ID^*, PK_{ID^*})$.

Figure 1: System model of the presented CPAMD.

Figure 3: The time of tag generation for blocks of different sizes.
Figure 4: The time of tag generation for different numbers of blocks.

Figure 5: The time of verification for different numbers of authorized medical personnel.

Table 1: Feature comparison with existing related work.
Game II. This interactive game involves the challenger $C$ and the adversary $A_{II}$.
Setup. $C$ produces the master key $s$ and the public parameters $Paras$, and transmits both $s$ and $Paras$ to $A_{II}$.
Queries. $A_{II}$ adaptively queries $C$ in polynomial time.
(1) SecretValue Query. $A_{II}$ adaptively queries the secret value on $ID$. $C$ calculates the secret value $S_{ID}$ and transmits it to $A_{II}$.
(2) Public Key Query. $A_{II}$ adaptively queries the public key on $ID$. $C$ generates the public key $PK_{ID}$ and transmits it to $A_{II}$.
(3) Tag-Query. $A_{II}$ adaptively queries the tag on $(m, ID, PK_{ID})$. $C$ computes the block tag $\sigma$ and transmits it to $A_{II}$.
Forge. Eventually, $A_{II}$ outputs a forged tag $\sigma^*$ on $(m^*, ID^*, PK_{ID^*})$.

Definition 1. If for any PPT adversaries $A_I$ and $A_{II}$ the probability of winning Game I and Game II, respectively, is negligible, the signature on a data block (i.e., the block tag) is existentially unforgeable.

Game III. This interactive game involves $C$ and $A_{III}$. $A_{III}$ models a malicious CSP that intends to deceive the auditor with a forged proof. By Definition 1, no adversary can forge block tags; we therefore focus on whether $A_{III}$ can pass the verification using a forged auditing proof computed from incorrect data blocks.
Setup. $C$ generates the master key $s$ and the public parameters $Paras$. $C$ keeps $s$ secret and transmits $Paras$ to $A_{III}$.
Tag-Query. $A_{III}$ adaptively queries tags for $(m, ID, PK_{ID})$. $C$ computes the block tag and transmits it to $A_{III}$.
Challenge. $C$ generates a challenge $chal$ and transmits it to $A_{III}$, requiring $A_{III}$ to respond to $chal$ with an integrity proof $P$.
Forge. $A_{III}$ outputs a proof $P$ in response to $chal$. $A_{III}$ wins if $P$ passes the verification although the underlying data blocks are incorrect.

Definition 2. If for any PPT adversary $A_{III}$ the probability of winning Game III is negligible, the auditing proof is existentially unforgeable.
Table 2 lists the primary notations in this work (* the identity of the $u$-th medical worker, $1 \le u \le d$). In CPAMD, the registry authority produces the partial private key $D_j$ for every user $ID_j$, including the patient $ID_o$ and the medical personnel $ID_u$. Meanwhile, every user privately selects a secret value $x_j$. The actual owner of the medical data (i.e., the patient) $ID_o$ generates a valid authorization, consisting of a warrant and a delegation $(W_u, \delta_u)$, for the designated medical worker $ID_u$. The authorization proves that the specific medical worker $ID_u$ may act on behalf of the patient $ID_o$ to process and upload the designated medical data within the prescribed time period.

4.3. Detailed Construction of CPAMD. CPAMD consists of five processes: setup, registration, authorization, data outsourcing, and auditing. The workflow is shown in Figure 2.

4.3.1. Setup. The registry authority sets up the system as described in the new certificateless signature method. Eventually, it keeps the master key $s$ private and publishes $Paras = (p, g, G_1, G_2, e, P_0, H_1, H_2, H_3)$.

4.3.2. Registration. Every user, patient and medical worker alike, registers with the registry authority to obtain a partial private key. This process consists of three algorithms:
Step 1 (Partial private key generation): Upon receiving the identity $ID_j$ of a user (patient $ID_o$ or medical worker $ID_u$), the registry authority computes $D_j = H_1(ID_j)^s$ and returns $D_j$ to the user.
Step 2 (SecretValue generation): The user $ID_j$ chooses a random number $x_j$ as the secret value.
Step 3 (Public key generation): The user $ID_j$ uses the secret value $x_j$ to produce the public key $PK_j = g^{x_j}$.

4.3.3. Authorization. To delegate the medical worker $ID_u$ to process and outsource medical data into the cloud, the patient $ID_o$ generates a warrant $W_u = ID_o \,\|\, ID_u \,\|\, DataType \,\|\, TimeLimit \,\|\, Institution$, where $ID_o$ and $ID_u$ are the identities of the patient and the authorized medical worker, $DataType \in \{0,1\}^*$ is the specified type of medical data to be processed and outsourced, $TimeLimit \in \{0,1\}^*$ is the validity period of the authorization, and $Institution \in \{0,1\}^*$ is the medical location where the medical data are produced. Furthermore, the patient $ID_o$ randomly chooses $r_u \in Z_p^*$ and computes $R_u = H_1(ID_o)^{r_u}$. Then, the patient $ID_o$ generates a signature on the warrant $W_u$ as the delegation $\delta_u$ for the designated medical worker $ID_u$.

4.3.4. Data Outsourcing. If the received upload is invalid, the CSP rejects it; otherwise, the CSP verifies the validity of each block tag $\sigma_i$ as
$$e(\sigma_i, g) = e\big(R_i \cdot H_1(ID_u)^{m_i},\, P_0\big) \cdot e\big(H_2(\omega_i),\, PK_u\big). \tag{12}$$

4.3.5. Auditing. CPAMD provides comprehensive auditing for both medical data and their source information. Both the patient and the medical worker can initiate an auditing request, which can verify specific medical files or check all medical records of the patient. Without loss of generality, the TPA is requested to verify $d$ medical files $(fd_1, fd_2, \ldots, fd_d)$ processed by $d$ different medical workers. The auditing process includes the following three steps:
Step 1 (Challenge): Upon request, the TPA first obtains the corresponding file tags $\Lambda_i$ ($1 \le i \le d$) from the registry authority and runs $S.Vrf(\Lambda_i, spk)$ to verify them. If the verification fails, the file $fd_i$ cannot be audited; otherwise, the TPA parses the file parameter $\lambda = fd \,\|\, W_u \,\|\, n$ to obtain the warrant $W_u$, the file identifier $fd$, and the block number $n$, which are used in the verification. Then, the TPA selects $c$ data blocks at random from the $d$ medical files to generate a challenge set $I$, and for each $i \in I$ chooses a random coefficient $v_i \in Z_p^*$. Specifically, $I$ consists of $d$ subsets, $I = \{C_1, C_2, \ldots, C_d\}$, where the subset $C_u$ is the index set of the challenged blocks processed by the medical worker $ID_u$.
Step 2 (Response): In response to the challenge issued by the TPA, the CSP first computes the proofs $\Phi_u$, $\Omega_u$, and $\Theta_u$ for each subset $C_u$ and then aggregates them into the final proof $P = \{\Phi, \Omega, \Theta\}$.
Proof (type-I adversary, Game I). Suppose $A_I$ can forge a valid block tag. We construct a simulator $B$ that, given $(g, g^a, g^b)$, computes $g^{ab}$ by running $A_I$.
Setup. $B$ generates the public parameters $Paras$ with $P_0 = g^a$, so that the master key $a$ is unknown to $B$, transmits $Paras$ to $A_I$, and randomly selects a target identity $ID^*$.
$H_1$-Query. $A_I$ adaptively makes $H_1$-queries on identities $ID_i$. $B$ maintains a list $L_1 = \{(ID, k, H_{ID})\}$, initially empty. On a query for $ID_i$, if $ID_i$ exists in $L_1$, $B$ returns $H_{ID_i}$; otherwise $B$ randomly selects $k_i \in Z_p^*$ and sets $H_{ID_i} = (g^b)^{k_i}$ if $ID_i = ID^*$ and $H_{ID_i} = g^{k_i}$ otherwise. $B$ then returns $H_{ID_i}$ to $A_I$ and adds $(ID_i, k_i, H_{ID_i})$ to $L_1$. Since $k_i$ is uniformly random in $Z_p^*$ and both $g$ and $g^b$ are elements of $G_1$, $g^{k_i}$ and $(g^b)^{k_i}$ are identically distributed, so $A_I$ cannot distinguish the two cases.
PartialPrivateKey-Query. $B$ maintains a list $L_2 = \{(ID, D_{ID}, PK_{ID}, S_{ID})\}$, initially empty. On a partial private key query for $ID_i$, $B$ retrieves $(ID_i, k_i, H_{ID_i})$ from $L_1$. If $ID_i = ID^*$, $B$ aborts. Otherwise $H_{ID_i} = g^{k_i}$ and $B$ computes $D_{ID_i} = (g^a)^{k_i}$, returns it to $A_I$, and adds $(ID_i, D_{ID_i}, \bot, \bot)$ to $L_2$.
SecretValue-Query. On a secret value query for $ID_i$, $B$ checks whether $S_{ID_i}$ exists in $L_2$. If so, $B$ returns it; otherwise $B$ randomly chooses $x_i \in Z_p^*$, sets $S_{ID_i} = x_i$ and $PK_{ID_i} = g^{x_i}$, returns $S_{ID_i}$ to $A_I$, and records $(ID_i, D_{ID_i}, PK_{ID_i}, S_{ID_i})$ in $L_2$.
PublicKey-Query. On a public key query for $ID_i$, $B$ checks whether $PK_{ID_i}$ exists in $L_2$. If so, $B$ returns it; otherwise $B$ randomly chooses $x_i \in Z_p^*$, sets $S_{ID_i} = x_i$ and $PK_{ID_i} = g^{x_i}$, returns $PK_{ID_i}$ to $A_I$, and records $(ID_i, D_{ID_i}, PK_{ID_i}, S_{ID_i})$ in $L_2$.
PublicKey-Replacement. $A_I$ selects a random $x_i^* \in Z_p^*$, sets $S^*_{ID_i} = x_i^*$ and $PK^*_{ID_i} = g^{x_i^*}$, and submits $(ID_i, S^*_{ID_i}, PK^*_{ID_i})$. $B$ updates the entry $(ID_i, D_{ID_i}, PK_{ID_i}, S_{ID_i})$ in $L_2$ to $(ID_i, D_{ID_i}, PK^*_{ID_i}, S^*_{ID_i})$.
$H_2$-Query. $A_I$ adaptively makes $H_2$-queries on strings $\omega \in \{0,1\}^*$. $B$ maintains a list $L_3 = \{(\omega, h, H_2(\omega))\}$, initially empty. If $\omega_i$ exists in $L_3$, $B$ returns $H_2(\omega_i)$; otherwise $B$ randomly chooses $h_i \in Z_p^*$, sets $H_2(\omega_i) = g^{h_i}$, returns it to $A_I$, and adds $(\omega_i, h_i, H_2(\omega_i))$ to $L_3$.
Tag-Query. $A_I$ queries the tag on $(ID_i, PK_{ID_i}, m_i, \omega_i)$. If $ID_i = ID^*$, $B$ aborts. Otherwise $B$ retrieves $D_{ID_i}$ and $S_{ID_i}$ from $L_2$ and $H_2(\omega_i)$ from $L_3$, generates the tag $\sigma_i$ with the tag generation algorithm, and returns $\sigma_i$ to $A_I$.
Forge. Eventually, $A_I$ outputs a forged tag $\sigma^*$ on $(m^*, ID^*, PK_{ID^*})$ that passes the verification algorithm. By the simulation, $H_1(ID^*) = g^{bk^*}$, $R^* = H_1(ID^*)^{r^*} = g^{bk^*r^*}$, $P_0 = g^a$ and $H_2(\omega^*) = g^{h^*}$, so
$$e(\sigma^*, g) = e\big(R^* \cdot H_1(ID^*)^{m^*},\, P_0\big) \cdot e\big(H_2(\omega^*),\, PK_{ID^*}\big) = e\big(g^{bk^*r^*} \cdot g^{bk^*m^*},\, g^a\big) \cdot e\big(g^{h^*},\, PK_{ID^*}\big) = e\big(g^{abk^*(r^*+m^*)} \cdot PK_{ID^*}^{h^*},\, g\big),$$
from which $B$ computes the value of $g^{ab}$.

Proof (type-II adversary, Game II). Suppose $A_{II}$ can forge a valid block tag; $B$ computes the value of $g^{ab}$ by running $A_{II}$.
Setup. $B$ generates the public parameters $Paras$ and sets the master key as $s$. $B$ sends $s$ and $Paras$ to $A_{II}$. Since $A_{II}$ already holds the master key, it has no need to query partial private keys. At last, $B$ randomly selects an identity $ID^*$.
$H_1$-Query. $A_{II}$ adaptively makes $H_1$-queries on identities $ID_i$. $B$ maintains $L_1 = \{(ID, k, H_{ID})\}$, initially empty. If $ID_i$ exists in $L_1$, $B$ returns $H_{ID_i}$; otherwise $B$ randomly chooses $k_i \in Z_p^*$, computes $H_{ID_i} = g^{k_i}$, returns it to $A_{II}$, and adds $(ID_i, k_i, H_{ID_i})$ to $L_1$.
SecretValue-Query. $B$ maintains $L_2 = \{(ID, PK_{ID}, S_{ID})\}$, initially empty. On a secret value query for $ID_i$, $B$ first looks up $(ID_i, PK_{ID_i}, S_{ID_i})$ in $L_2$. If $ID_i = ID^*$, $B$ aborts. Otherwise $B$ randomly selects $x_i \in Z_p^*$, sets $S_{ID_i} = x_i$ and $PK_{ID_i} = g^{x_i}$, returns $S_{ID_i}$ to $A_{II}$, and adds $(ID_i, PK_{ID_i}, S_{ID_i})$ to $L_2$.
PublicKey-Query. $A_{II}$ adaptively makes public key queries on $ID_i$. $B$ checks whether $(ID_i, PK_{ID_i}, S_{ID_i})$ exists in $L_2$. If so, $B$ returns $PK_{ID_i}$ to $A_{II}$; otherwise $B$ randomly chooses $x_i \in Z_p^*$ and sets $PK_{ID_i}$ as

Table 3: Security comparison with existing certificateless data auditing schemes.