Traceable Attribute-Based Secure Data Sharing with Hidden Policies in Mobile Health Networks

The growing need to store, share, and manage medical and health records has resulted in the electronic medical health sharing system (mHealth), which provides intelligent medical treatment for people. Attribute-based encryption (ABE) is regarded as a new cryptographic technique to enhance fine-grained access control over encrypted shared data in mHealth. However, some existing attribute-based mHealth systems not only violate the one-to-many application characteristics of the attribute-based encryption mechanism but also destroy the anonymity of users. In this study, an efficient scheme is proposed to tackle the above defects and offer two-way anonymity of data owner and data user by introducing a pseudoidentity. The computation of hidden access policy is reduced by removing the bilinear pairing, whereas the interaction between cloud storage and data user is avoided to save bandwidth during trapdoor generation. We also consider the temporal factor of the uploaded information by introducing access validity. Security and performance analyses show that the proposed scheme is efficient without reducing security.


Introduction
Given the rapid progress of cloud computing and mobile communication technology with ubiquitous mobile intelligent devices, the electronic medical health sharing system (mHealth) has been developed, which can provide intelligent healthcare services without temporal and spatial restrictions; specifically, mHealth allows patients to record body indicators and upload records, physicians to diagnose patients' illness remotely, and researchers to explore medical records [1]. The application of mHealth reshapes the healthcare services model [2]. Figure 1 shows a typical architecture of an mHealth sharing system, wherein implanted and wearable sensor devices collect various physiological indicators of patients and then deliver the gathered information to a personal server, such as a mobile device. Patients may upload these data to a cloud server (CS) to save personal storage space and allow doctors, family, other patients, and researchers to access such information. CS provides storage and retrieval services, wherein all kinds of users can apply for access to cloud data according to their own requirements. These services are also fast and efficient.
Although mHealth provides convenience in people's lives, promotes better quality of life, and exhibits good application prospects, it also raises a series of security issues [3]. After a patient uploads his/her electronic health records (EHRs) to the cloud using a personal service provider, other users may access such data in the cloud through various devices, such as laptops, personal computers, and mobile phones. EHRs contain physiological data (heartbeat, blood pressure, medications, and dosages) and sensitive information of patients (patient name, medical history, ID number, and phone number) and hospitals (hospital name and attending doctor). If EHRs are directly uploaded to the cloud for sharing, then the information of patients and hospitals will inevitably be leaked to the cloud server and various users, which may cause hidden danger to patients' health, threaten users' life and health, and affect hospitals. One of the solutions to these security issues is to encrypt EHRs before uploading them [4]. However, new problems may arise as follows: Firstly, who obtains access, and how? Secondly, patients and users operate EHRs through mobile devices, but the storage capacity, computing power, and overall capability of mobile devices are limited. Thirdly, patients do not want others to know their real identity, and users do not want to reveal what EHRs they have accessed.
In sum, the mHealth system needs to solve the abovementioned problems through the following steps: (1) Ensure data confidentiality: ensure CS and illegal users cannot obtain any information about EHRs. (2) Proper access control: a patient needs to grant access permissions for different potential users to achieve flexible access control on EHRs in the mHealth system by encrypting once. In this way, unauthorised users cannot access shared EHRs. (3) Lightweight cryptography: given the limitations of intelligent and mobile devices, an algorithm with little computation and communication costs should be provided. (4) Two-way anonymity: ensure anonymity for both patients and data users.
To reduce local storage load and achieve resource sharing, increasing numbers of personal and medical institutions upload EHRs to CS. However, CS is not completely trusted and patients do not want to make their EHRs public. Hence, EHRs must be encrypted by patients before uploading to CS, which can avoid information leakage. For example, encrypting EHRs of infected patients and then uploading them to the cloud can protect the privacy of patients and hospitals. However, encrypted EHRs can no longer be provided to other data users. Hence, user access authorisation has become a research focus. In general, public key cryptography (such as identity-based encryption and certificateless encryption) solves the authorisation problem by sending the key to potential users in advance [5,6]. However, predicting the exact identity of users is impossible, whereas data owners cannot provide authorisation service each time data users send authorisation requests. Hence, traditional public key cryptography is not suitable for an online healthcare system. Attribute-based encryption (ABE) is the most attractive and popular in one-to-many application. Data owners usually use the ABE technique to solve the problem of multiple users' flexible authorisation without the need to know the identity of potential users in advance. In ABE, only the users whose attribute set can satisfy the access policy can obtain access to ensure the anonymity of data users [7][8][9].
However, in the mHealth system, EHRs are important and sensitive, and the access policy itself includes sensitive information. For example, a patient with heart disease uploads his own EHR encrypted under the defined access policy {cardiovascular department ∧ chief doctor ∨ nurse}, which makes it easy to categorise such an EHR as related to heart disease. Therefore, the access policy should also be hidden. Existing research on hidden access policy provided answers to maintain the confidentiality of access policy [10,11].
In the general scheme of attribute cryptography, the length of ciphertext and the computation of encryption and decryption are related to the number of attributes, which increases linearly and hence limits the application of this technique. Therefore, the use of fixed or small length ciphertext is a popular solution [12,13], whereas outsourcing decryption is a good alternative [14].
This solution can help patients and data owners who do not want to disclose their identity preserve their anonymity whilst sharing their own EHRs. Specifically, an infected patient may want to upload personal encrypted records to provide information for scientific research but, due to some social factors, does not want to let other users know his/her real identity [15]. In this case, anonymity is of great significance.
In addition to the abovementioned problems, time is also an important factor to be considered in the system. The delay of medical data transmission and access may cause serious consequences, including patient casualties.

Related Work.
Sahai and Waters first presented attribute-based encryption [16]. In traditional public key encryption, a ciphertext can only be decrypted by one user, whereas an ABE ciphertext can be provided to multiple users. The encryptor encrypts a message based on an access policy, and only the user whose attribute set satisfies the requirement of the encryptor can obtain the message.
This mechanism establishes the one-to-many relationship between data owner and data users and enables fine-grained access control. Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) are the two categories of ABE technique, whose division is proposed in literature [17].
ABE is an excellent approach to ensure the secure access control of encrypted data and is widely used in many fields, such as cloud computing [18] and searchable encryption [19]. Most of the existing research focuses on the expressiveness of access policies [20]. However, in most ABE schemes, the policy is uploaded with the related ciphertext, which is public to CS and all users including illegal users [21][22][23][24]. Hence, any user who obtains the ciphertext can know what the content is about, which will disclose sensitive information about the shared data. Meanwhile, the access policy must be properly handled before sharing with the ciphertext, that is, hidden. A series of research results on hidden access policy have been published [25][26][27][28]. Frikken et al. presented a protocol that protected both sensitive credentials and sensitive policies [25]. Lai et al. proposed another construction of CP-ABE scheme, which is a partially hidden access policy [26]. In response to the question of confidentiality, Hahn et al. proposed an attribute-based secure data sharing with hidden policies, which can be used in resource constrained environments [27]. These results provide better confidentiality of shared data and the anonymity of data users.
In general ABE schemes, the length of ciphertext and the computation of encryption and decryption are related to the number of attributes of the data user, which restricts the use of this technique. To resolve this defect, there are two main solutions. One is to reduce the length of ciphertext as much as possible or adopt fixed length ciphertext. To address this problem, Emura et al. introduced the concept of constant ciphertext length in 2009 [29]. After that, many similar schemes were proposed for constant ciphertext length [23,30]. The other is to introduce outsourcing decryption to reduce the computation load [31][32][33]. Li et al. gave a solution to implement an attribute-based access control system by introducing secure outsourcing techniques into ABE [31]. In order to decrease computation, Zuo et al. proposed the CCA security model for ABE with outsourced decryption and then presented a concrete CCA-secure ABE scheme with outsourced decryption [32]. In these schemes, data users only perform a small amount of computation by outsourcing a large amount of computing to the cloud service provider.
Some studies with other characteristics have also been proposed, such as a decentralized multiauthority scheme [34,35], a traceable scheme [36], a leakage-resilience scheme [37], and a scheme that reduces online computation load [38]. These studies provide applications in different focus areas.

Contribution.
Given the continuous development of modern mobile communication and sensor technology, mHealth becomes a hot topic in the academe and healthcare industry. In view of the problems existing in the current mHealth system and the problems discussed in [27], this work proposes an improved attribute-based secure data sharing scheme for mHealth with hidden policies and traceability. Specifically, this study aims to (1) solve the problem of identity disclosure by introducing a concept of public pseudo-identity, wherein the real identity is only known by the centre authority (CA); (2) save bandwidth, wherein the interaction between CS and data user is avoided during token generation; and (3) meet the application needs of mobile medical system, wherein the temporal factor is introduced by setting the validity period of shared information by the data owner.

Organization.
The rest of the paper is organized as follows. We introduce the cryptographic primitives and describe the access policy and mHealth system model in Section 2. In Section 3, we review the scheme in [27] and give a detailed discussion. Section 4 gives an improved scheme, followed by security and performance analysis. Finally, Section 5 shows a conclusion of this paper.

Bilinear Map.
Let $G_0$ and $G_1$ be two groups with prime order $p$. A bilinear map, $e: G_0 \times G_0 \to G_1$, satisfies the following properties: There is an efficient algorithm to compute the bilinear map $e$ [39]. Let $G_0$ be a bilinear group with prime order $p$ and let $g$ be the generator of $G_0$. The $k$-BDHE problem in $G_0$ states that given a vector of $2K + 1$ elements $(h, g, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^K}, g^{\alpha^{K+2}}, \ldots, g^{\alpha^{2K}}) \in G_0^{2K+1}$, it is computationally intractable to compute the value $e(g, h)^{\alpha^{K+1}}$. Define the set $Y_{g,\alpha,K}$ as $Y_{g,\alpha,K} = \langle g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^K}, g^{\alpha^{K+2}}, \ldots, g^{\alpha^{2K}} \rangle$.

Security Assumption
The decisional $k$-BDHE assumption is said to hold in $G_1$ if there is no probabilistic polynomial-time adversary with nonnegligible advantage to distinguish where $\alpha, R \in Z_p^*$ and $g, h \in G_0$. [40]. Given an $(l + 1)$-tuple $(g, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^l})$ as input, output $(c, g^{1/(\alpha + c)}) \in Z_p^* \times G_0$. An algorithm $C$ has advantage $\varepsilon$ in solving $l$-SDH in $G_0$ if the following holds:
Definition 2. The $l$-SDH assumption is $(t, \varepsilon)$-secure if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the $l$-SDH problem in $G_0$.

Access Policy.
The attribute universe is

A System Model.
In mHealth systems, individual intelligent sensors monitor certain physiological signals and send them to the mobile device. Then, the mobile devices upload the received data to the cloud. Users with requirements can initiate requests to obtain retrieval authorisation. In Figure 2, there exist four types of entities in the improved scheme as follows:
(1) Centre authority (CA): it is a trusted entity that generates the system master key and public parameters and issues a user's private key on his attributes.
(2) Data owner: this is a patient who encrypts his data and generates the encrypted keyword index and then uploads them to the cloud server.
(3) Data user: patient, physician, nurse, researcher, etc. can be such entities who obtain their private key from CA; he/she generates the token of a keyword and is authorised to search and decrypt a ciphertext only if his/her attribute set satisfies the corresponding access policy.
(4) Cloud server (CS): this is a storage centre that stores electronic medical and health records and carries out searching and some other work, such as partial decryption.
Table 1 gives the notations used in the paper.

The Scheme in Reference [27]
In this section, we review the scheme in Reference [27] and give a detailed discussion.

KeyGen.
Assume that each data user $U_a$ with identity $id_{ua}$ and an attribute set . . , $r_k \in Z_p$ and computes $r = \sum_{i=1}^{k} r_i$, $D = g^{rc/(\mu_a + c)}$, $D' = c$, $D'' = g^r$, and $D_a = g^{\mu_a}$. For each $i \in [1, k]$, the following are computed: The private key of user $U_a$ is At last, CA puts a tuple $(c, id_{ua})$ into table $T$ and uploads tuple $(id_{ua}, \{l_i = g_j^{D'}\}_{i=1}^{k})$ to the CS.

Encrypt.
The data owner $U_o$ specifies an access policy $W$, where each attribute is either positive/negative or wildcard. $U_o$ chooses a random $t \in Z_p$ and computes $Key = e(g_K, g_1$ , then the $W$ is obfuscated as $W$. Then, the cipher is

GenToken.
The data user $U_a$ with a set of attributes $L_{ua}$ wants to access the shared data of owner $U_b$, gets $C_2$ from CS, and computes $s_i = e(C_2, D_i) = e(g^b, H(j)^{\beta})$, $I_i = H(s_i)$. As a result, the attribute set $L_{ua}$ is transformed into $L_{ua}$. The token is

PDecrypt.
The CS checks whether the attribute set $L_{ua}$ satisfies the access policy $W$. If it does, the CSP searches $(id_{ua}, \{l_i = g_j^{D'}\}_{i=1}^{k})$ to partially decrypt $CT$ as follows: for all $i \in [1, k]$. Then, it computes the product of all $A_i$ as $CT' = \prod_{i=1}^{k} A_i$ and sends it to the data user $U_a$.

Decrypt.
Once the partially decrypted ciphertext $CT'$ is received, $U_a$ computes the following: where , and obtains $B = \prod_{i=1}^{k} B_i$; next, $U_a$ carries out the decryption as follows: If $SK_{ua}$ is well-formed, CA searches $D'$ in $T$. If $D'$ is in $T$, then it can output the corresponding identity $id_{ua}$.

Analysis of the Scheme.
Problems in the scheme are observed. A detailed analysis is given as follows.

Destroy One-to-Many Mechanism.
The data owner $U_o$ must know exactly the identity $id_{ua}$ of the data user in advance, wherein $U_o$ can decide if he/she will provide access to the target user $U_a$. In this case, the identity $id_{ua}$ of the data user is sent to CS with the ciphertext. CS can confirm which users can view or access shared messages by providing access rules, which may threaten the security of data users. As a result, this is not in line with the features of the attribute-based encryption mechanism, given that it cannot guarantee the anonymity of data users.

Identity Leakage.
Before constructing the search token, the data user $U_a$ first obtains $C_2$ of the data owner $U_o$ from the cloud service provider (CSP). In this case, data users may know the identity of the data owner who shared the information he/she is interested in. Therefore, the anonymity of the data owner cannot be guaranteed and the application scope of the scheme is limited.

Interaction Problem.
While generating the token, an interaction exists between the data user and the CSP. The data user submits the identity $U_o$ of the data owner he/she wants to access. Then, the CS feeds back $C_2$ corresponding to the given identity $U_o$, which increases the communication load.

Improved Scheme
In this section, we propose an improved scheme that can overcome the defects in [27] by introducing new features without weakening security or setting any particular conditions. (1) Public pseudo-identity is introduced, wherein the real identity is only known by the CA. (2) The access policy is hidden, and the user attribute set is made complicated by eliminating the bilinear pairings to reduce the calculation load. As a result, users will not apply to CS for aid information of the data owner when generating the token. (3) Access validity is added to the ciphertext.

Access Validity.
In order to introduce the temporal factor, we give a mechanism to determine the access validity.
$T$ is the access validity of shared data, $T_{stamp}$ is the time stamp, and $T$ is divided into $(T_1, T_2, \ldots, T_\tau)$ based on different time units of application requirements. Then (Figure 3).
For example, access validity $T = 9$ days, which can be expressed as $H_9 = (1, 2, \ldots, 9)$, and time stamp $T_{stamp} = 2020.02.15$. A request occurred at time $tt = 2020.02.19$, and then $h_4 = h(4 \mid 2020.02.15) \in H_9$, so the request is within the validity period. Figure 4 shows the overview of the improved scheme, which is described below.
The same as in [27].
(2) KeyGen. Assume a user $U_t$ with identity $id_{ut}$ and attribute set $L_{ut}$, where $t$ can be either $o$ or $a$. $U_o$ is the data owner and $U_a$ is the data user. $D' = c = H_1(id_{ut})$, and the private key and public identity are At last, put a tuple $(id_{ut}, HID_{ut}, c)$ into the table $T$ and upload $(HID_{ut}, g_j^{D'})$ to CS. For instance, having $U_o$ with identity $id_{uo}$ and attribute set $L_{uo}$, the private key and public identity are Having $U_a$ with identity $id_{ua}$ and attribute set $L_{ua}$, the private key and public identity are
(4) GenToken. $U_a$ chooses $x \in Z_p^*$ randomly and computes ; as long as $U_a$ is a legitimate user, it can correctly meet the requirements of the hidden access policy $W$ at one time.
(7) Trace. When something goes wrong, only pseudoidentity HID ut is submitted to CA who can find the true identity id ut from (id ut , HID ut , c).

Security Model.
The security model of the improved scheme is similar to that of the scheme in [27]. The data confidentiality of the improved scheme is considered to be guaranteed if there is no probabilistic polynomial-time adversary $A$ with nonnegligible advantages in the following security game.

Setup.
The challenger $B$ runs the Setup algorithm and publishes the public parameter $PK$.

Phase 1.
The adversary $A$ submits $(id_{ua}, L_{ua})$ to query decryption keys, where $L_{ua} \not\models W^*$. The challenger $B$ answers with a decryption key $SK_{ua}$. $A$ repeats this phase adaptively.

Challenge.
The challenger $B$ runs the Encrypt algorithm to obtain $(\langle C_0^*, C_0^* \rangle, Key)$. Next, $B$ sets $Key_0 = Key$ and picks a random $Key_1$ of the same length as $Key_0$. It then flips a random coin $b \in \{0, 1\}$ and gives $(\langle C_0^*, C_0^* \rangle, Key_b)$ to the adversary.

Phase 2.
The adversary $A$ repeats Phase 1.

Guess.
The adversary $A$ outputs a guess $b' \in \{0, 1\}$. The adversary $A$ wins the game if $b' = b$ under the restriction that $L_{ua} \not\models W^*$. The advantage of an adversary in this game is defined as

Data Confidentiality.
The security of the improved scheme is still based on the $k$-DBDH problem.

Theorem 1. If a probabilistic polynomial-time adversary $A$ can break our scheme with a nonnegligible advantage, then we can construct a simulator $B$ to solve the $k$-BDHE problem with a nonnegligible advantage.
Proof. $A$ is an adversary who can break our scheme, and then we can construct a simulator $B$ which solves the $k$-BDHE problem. Then, $A$ and $B$ play the interactive game in Figure 5.
(1) Init. $A$ submits a challenged access policy $W^*$ to $B$.
(2) Setup. The simulator $B$ runs the Setup algorithm to generate the public parameter $PK$. $B$ chooses random $d \in Z_p$ and generates where $B$ outputs $PK = (g, Y_{g,\alpha,K}, v) \in G^{2K+1}$.
Phase 3. The adversary $A$ submits $(id_{ua}, L_{ua})$ to query private keys, where $L_{ua} \not\models W^*$. The challenger $B$ first selects $k$ random numbers $r_i \in Z_p$ for $i = 1, 2, \ldots, k$ and sets $r = r_1 + r_2 + \cdots + r_k$. Then, $B$ randomly chooses $a, c \in Z_p^*$ and computes For $i \in [1, k]$,

[Figure labels, scheme overview: CS; (1) Generates public parameters PK and master keys MSK; (2) Generates private key $sk_{ut}$ for user]
Mobile Information Systems
Phase 4. The adversary $A$ repeats Phase 1.
Note that in attribute-based cryptography, collusion attack is an important discussion point. In order to model the collusion attacks, a decrypting proxy is presented. Each decryption proxy $p_i(r)$ simulates a legal decryption key component with a random $r$. The definition of decryption proxy and the details of modelling collusion attacks are given in [27], which will not be discussed here.
If there is 0-collusion, $B$ has at least $\varepsilon/2$ advantage in breaking the $k$-BDHE problem.

Policy Privacy.
In the proposed scheme, no extra computation is needed for policy hiding, given that $\{0, *\}$ exist in $W$. Hence, when the CS receives the encrypted sharing data with $W$, it can obtain nothing about the content and the access policy. The CS carries out partial decryption and sends the result to $U_a$. Likewise, unauthorised users, as adversaries, either from the server or users, can only obtain hidden access policies (Figure 6). Thus, our scheme provides policy privacy.

Two-Way Anonymity.
When an entity joins the system, the CA generates a pseudo-identity $HID_{ut}$ instead of his/her true identity $id_{ut}$. Firstly, the data owner shares information under a pseudo-identity $HID_{uo}$, and thus the CS and data users cannot obtain the true identity of the data owner. Secondly, potential data users $id_{ua}$ can have access without revealing their true identity, given that their attribute set satisfies the access policy. In this way, the data owner and the CS cannot know who accesses the encrypted information uploaded in the system. Therefore, the improved scheme ensures the two-way anonymity whilst realising flexible authorisation.

Traceability.
The security of the improved scheme is still based on the $l$-SDH problem. When a user identity $HID_{ut}$ is questioned, only the CA can trace his/her true identity $id_{ut}$ by detecting the corresponding key and querying $(id_{ut}, HID_{ut}, c)$. In particular, $D' = c = H_1(id_{ut})$, where the true identity $id_{ut}$ is used to generate $c$, which further enhances the accuracy of tracking.

Access Validity.
We also include the temporal factor with ciphertext in the improved scheme by giving a judgment mechanism, given that some EHRs have no shared value after a certain period of time. To prevent attack, access validity $T$ and time stamp $T_{st}$ are hashed, which provides evidence for CS verification. For example, the emergency message uploaded by a patient is invalid after his/her treatment time.
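The access-validity check described above, written out as an added example (it is not code from the paper). SHA-256 as the hash $h$, a one-day time unit, the `i|YYYY.MM.DD` input encoding, the function names, and the treatment of a same-day request as unit 1 are all assumptions.

```python
import hashlib
from datetime import date

# Assumptions (not from the paper): SHA-256 stands in for the unnamed hash h,
# the time unit is one day, and the hash input is encoded as "i|YYYY.MM.DD".


def unit_hash(index: int, stamp: date) -> str:
    """h(i | T_stamp) for the i-th time unit after the time stamp."""
    message = f"{index}|{stamp.strftime('%Y.%m.%d')}".encode("utf-8")
    return hashlib.sha256(message).hexdigest()


def build_validity_set(validity_units: int, stamp: date) -> frozenset:
    """Data owner side: H_T = {h(1 | T_stamp), ..., h(T | T_stamp)}."""
    if validity_units < 1:
        raise ValueError("access validity must cover at least one time unit")
    return frozenset(unit_hash(i, stamp) for i in range(1, validity_units + 1))


def request_is_valid(validity_set: frozenset, stamp: date, request_day: date) -> bool:
    """CS side: hash the elapsed unit and test membership in H_T.

    request_day should come from the server's own clock, not from the requester.
    """
    elapsed = (request_day - stamp).days
    if elapsed < 0:
        return False  # request predates the upload time stamp
    # Assumption: a request on the stamp day itself counts as unit 1; the
    # paper's example only covers later days (elapsed 4 -> h_4).
    index = max(elapsed, 1)
    return unit_hash(index, stamp) in validity_set


if __name__ == "__main__":
    # The paper's example: T = 9 days, T_stamp = 2020.02.15.
    stamp = date(2020, 2, 15)
    h9 = build_validity_set(9, stamp)
    for day in (date(2020, 2, 14), date(2020, 2, 19),
                date(2020, 2, 24), date(2020, 2, 25)):
        print(day.isoformat(), request_is_valid(h9, stamp, day))
```

Because the time stamp is part of every hashed value, a set built for one upload does not validate a request checked against a different time stamp.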
Figure 5: The game between the adversary and simulator.

Performance Analysis.
In this section, we conduct a performance analysis on the improved scheme compared with that on the existing schemes [15,20,27]. For the sake of simplicity, we define some notations on the main operations: $n$: the number of attributes; $ex$: modular exponentiation operation; $p$: pairing operation; $h$: hash operation; $|G_0|$ and $|G_1|$: the length of an element in $G_0$ and $G_1$, respectively.

Computation and Communication Costs.
As shown in Table 2, computation cost during the encryption phase is constant in our scheme, whereas it increases with the number of attributes in other schemes. During the decryption phase, the computation cost is equal to that of scheme [27], whereas in schemes [15,20], it is relatively higher. In the token generation phase, the computation is $(n + 1)ex$ in our scheme, whereas it is $n(p + h)$ in scheme [27]. Therefore, the calculation amount of our scheme is low.
In the case of ciphertext, $2|G_0| + |G_1|$ is used in our scheme and $3|G_0| + |G_1|$ in [27]. However, the communication costs in the other two schemes are $(n + 1)|G_0| + |G_1|$ and $2(n + 1)|G_0| + |G_1|$, respectively. Thus, the proposed scheme has lower communication cost, which is independent of the number of attributes.

Features.
Table 3 shows the comparison amongst the features of different schemes. The proposed scheme provides one-to-many application requirement and two-way anonymity of data owner and data user, supports noninteractive relationship in token generation, and considers access validity.
Next, we give the thorough experimental evaluation of our scheme. Our simulation experiment is on Intel(R) Core(TM) i7-6500U CPU at 2.5 GHz and 8.00 GB RAM. The algorithms are implemented using the pairing-based cryptography (PBC) library version 0.4.7-vc.zip [41]. Concretely, we select the Type A elliptic curve parameter with the 160-bit order in the PBC library. For comparison convenience, we set $n \in [1, 25]$, and all of the experimental results are averages of 200 trials. Meanwhile, we just show the experimental results of the Encrypt, Decrypt, and GenToken algorithms.
As shown in Figure 7(a), the encryption time in the proposed scheme is constant 3ex, whereas in other three schemes, they are (n + 2)ex, (2n + 3)ex, and 3ex + np, respectively; they increase with the number of attributes in the access policy. In the decryption phase, the time cost of our scheme is almost the same as that in scheme [27], while the time cost of the other two schemes is relatively high, as shown in Figure 7(b). Figure 7(c) shows that the token generation time of the improved scheme is slightly lower than that in [27], given that no bilinear pairing exists in our scheme.
Thus, the improved scheme is efficient without reducing the security.

Further Efficiency Comparison.
In order to show the efficiency of improved scheme, we also simulate the main phase of our scheme on the laptop with Intel(R) Core(TM) i7-8550U CPU at 1.80 GHz and 8.00 GB RAM. Figure 8 shows the results on different devices.

[Table 2 column headers: Enc., Token, Dec.]

[Table 3 column headers: One-to-many, Anonymity (Owner, User), Noninteraction, Access validity]

Conclusions
In this study, we propose an improved secure sharing scheme using ABE for mHealth. Our improved scheme has the advantages of two-way anonymity of data owner and data user, noninteractive relationship, and low computation costs without weakening security or setting any particular conditions. The improved scheme helps to protect EHRs from unauthorised online entities in mHealth. The proposed scheme also considers access validity of EHRs.
Through security analysis and the evaluative results of the comparison, our scheme is found to be more efficient in terms of computational cost and energy consumption than three of the existing schemes.
As part of our future work, we aim to design efficient attribute-based signcryption schemes for mHealth. Additionally, we aim to provide different access rights for different users.

Data Availability
All relevant data are included within the article.

Conflicts of Interest
All the authors declare that there are no conflicts of interest regarding the publication of this paper.