A Cheating Detectable Privacy-Preserving Data Sharing Scheme for Cloud Computing

1 School of Computer Science, Shaanxi Normal University, Xi’an 710119, China
2 College of Electrical and Information Engineering, Shaanxi University of Science and Technology, Xi’an 710021, China
3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
4 School of Computer Science and Technology, Wuhan University of Technology, Wuhan 430070, China
5 School of Communication and Information Engineering, Xi’an University of Posts & Telecommunications, Xi’an 710121, China


Introduction
At present, new technologies and new industries based on big data and cloud computing emerge in an endless stream. Data production, management, and emerging business models based on big data are springing up. In recent years, as a large number of businesses have moved to digitalization and informatization, mass data is constantly being produced and consumed, which promotes the rapid development of big data technology in research, development, and application. In this context, the quantity and quality of data become extremely important. Cloud computing provides a new and appealing paradigm for sharing storage and computation resources efficiently among global consumers. Compared with traditional data storage methods, storing and sharing data on the cloud lets users access the data more conveniently, without having to consider the arrangement of hardware or infrastructure. However, while the cloud is attractive for its functionality and convenience, it also brings many new challenges. One reason is that the data owner loses physical control of the data once he stores it on the cloud, while the cloud server is exposed to the public. Hence, the owner's data may be subject to various kinds of threats and malicious attacks. For instance, some clouds may violate the data's confidentiality requirement for financial purposes, or may even sell confidential information to business competitors. Thus, although cloud computing is very attractive to enterprises and consumers because it shares massive data among users economically, it may fail to guarantee storage security and privacy to the individual data owner. Furthermore, in some uses, after the data owner has uploaded his encrypted data to the cloud, he may still wish to keep some control over the data, for example, to update the data or revoke the access rights of some other users [1]. In consequence, many recent works have been devoted to guaranteeing security and privacy for remotely stored shared data while assuring the desirable security characteristics.
In 2010, Yu et al. [2] proposed the first scheme achieving secure data access control with provable security in cloud storage, using key-policy attribute-based encryption (KP-ABE) [3] and symmetric encryption. The scheme reaches fine-grained data access by combining KP-ABE with proxy reencryption (PRE) and lazy reencryption. Its performance still needs to be improved, though part of the private key update calculation can be outsourced to the cloud. Dong et al. subsequently gave a scheme [4] employing symmetric encryption with ciphertext-policy attribute-based encryption (CP-ABE) [5,6]. To sum up, regarding the employed technologies, the above schemes use either KP-ABE or CP-ABE together with symmetric encryption to design secure data access control. Some other designs are based on hierarchical identity-based encryption (HIBE) [7], but they have attracted less attention. These schemes consider only how to provide data privacy against the cloud; they do not address the protection of the owner's private information or the possible dishonest behavior of some authorized users when the data is stored in the cloud. For instance, some authorized users may deliberately provide a fake share to cause decryption failure.
In the personal health and medical information setting, some extra security demands arise. In certain special circumstances, such as medical accidents, abnormal deaths, and traffic accidents, medical dispute claims must be considered. In these situations, when medical evidence is needed, the authorized users should be able to correctly decrypt the patient's electronic medical records. Suppose someone has had an accident or has been killed in a serious incident. If there are disputes, the historic records of the user will be crucial evidence, and they need to be recovered for expert testimony. The existing schemes, however, focus mainly on the confidentiality and privacy of the data itself and on performance cost, and they are not suited to the needs of medical record scenarios. To realize an effective, scalable, and privacy-preserving data sharing service in the cloud, the following requirements should therefore be satisfied: (1) the data owner can authorize who can access the data, and the authorized users should be able to get to the shared data in the cloud under the constraints defined by the data owner; (2) the cloud needs to support dynamic requirements so that data owners can update the data file and add or revoke users; (3) when the data owner stores his information on the cloud without suitable protection, the data are readable by anyone since the cloud is publicly accessible. Personal private information, for example, medical information and users' telephone numbers, consequently needs to be protected against the cloud and should not be made public; (4) the data decryption operation should be carried out under mutual supervision, and dishonest users need to be identified if they submit false shares. Although a number of schemes have been proposed in the literature, how to settle the above issues has not yet been considered in cloud computing.
In this paper, we propose an effective, scalable, and flexible privacy-preserving data sharing scheme to ensure semantic security and effective utilization of the owner's data. In order to preserve the privacy of the owner's sensitive information that may be unrelated to the data itself, a Bloom filter hash function is used to hide the data storage in the cloud. The scheme employs secret sharing based on a general access structure to preserve the confidentiality of the owner's data against the cloud. In addition, the Reed-Solomon (RS) encoding technique is adopted to identify a dishonest user who presents a false share. In the proposed scheme, all authorized users are divided into groups by their identity when they register with the protocol. Each data file is described by a set of group secrets, and every group, such as   , is assigned one master key   so that the data file can be successfully decrypted when these group secrets are correctly recovered. In addition, each cloud user is assigned to a group, and every group secret is shared among the group users by secret sharing over a general access structure.
To ensure correct sharing of the secret, this scheme defines a public-private key pair for each user. By combining the secret sharing access structure and the user's public key, the share or secret key is sent to the user in every group. Therefore, each user gets a different key, and he can check this share key with his private key   → . The secret keys of group users are defined to reflect their group access privileges, so that all of the users should present their correctly shared keys without cheating. The RS encoding technique is used to identify a cheater who provides a fake share.
In the proposed protocol, the secret is shared among multiple participants, and only a quorum of these participants working together can recover the secret. In an ideal secret sharing scheme, the share held by each participant has exactly the same size as the secret, and the size of all shares together is proportional to the number of participants. Therefore, when considering the protocol as a whole, more information needs to be dealt with, but each participant's task remains the same. The benefit is that the secrecy and availability of the secret key are enhanced. Suppose the adversary wants to learn the secret key or destroy it. She needs to compromise multiple participants to achieve her objective, instead of compromising a single one as in traditional protocols.
Compared with the existing schemes, our analysis shows that the proposed scheme provides the following benefits regarding both security and efficiency:
(1) The cloud server can assist in searching for a record by data file tag, and it can learn nothing about the owner's data in plaintext or the owner's personal sensitive information.
(2) The user who can access the data file is authorized by the data owner, and he can verify the secret key sent by the owner.
(3) The dishonest cloud users who present fake decryption keys can be identified, so that the ciphertext can be safely and correctly decrypted under the supervision of these users.
The rest of this paper is organized as follows. The preliminaries are briefly described in Section 2. Section 3 discusses system models and security requirements. Our proposed scheme is introduced in Section 4, and its security is analyzed in Section 5. Efficiency analysis as well as its comparison with the related existing schemes is presented in Section 6. Finally, we present an example of the practical impact of our work and conclude this paper in Sections 7 and 8, respectively.

Bilinear Maps.
Let  1 and  2 be two multiplicative cyclic groups with prime order  and  be a generator of group  1 .Moreover, let  :  1 ×  1 →  2 be the bilinear map that satisfies the following properties: (1) Bilinearity: for all  and  there must be (  ,   ) = (, )  .

Secret Sharing Schemes.
Secret sharing schemes (SSS) [8] are used to divide a secret among a number of parties. The value given to a party is called the share (of the secret) for that party. Every SSS realizes some access structure that defines the sets of parties who should be able to reconstruct the secret using their shares.

Access Structure and Monotone Span Programs
Definition 1 (access structure [9,10]).Let { 1 ,  2 , ⋅ ⋅ ⋅ ,   } be a set of parties.A collection A ⊆ 2 { 1 , In a linear secret sharing scheme [9], to realize an access structure A, the dealer who possesses the secret  can distribute these shares of  to a number of parties such that  can be reconstructed by a linear combination of these shares of any authorized set.However, an unauthorized set can obtain no information about the secret .
There is a close relationship between linear secret sharing schemes and a linear algebraic model called monotone span programs (MSP) [11]. It has been shown that the existence of a linear secret sharing scheme for some access structure is equivalent to the existence of a monotone span program for that access structure.
Definition 2 (monotone span program). Let K be a field and { 1 , ⋅ ⋅ ⋅ ,   } be a set of variables. A monotone span program over K is a labeled matrix M(, ) where  is a matrix over K and  is a labeling of the rows of  by literals from { 1 , ⋅ ⋅ ⋅ ,   } (every row is labeled by one literal).
A monotone span program accepts or rejects an input by the following criteria. For every input set  of literals, let   be the submatrix consisting of those rows whose labels are in . The monotone span program M accepts  if and only if  → 1 ∈ (  ).
2.4. Bloom Filter. Bloom filter (BF) [12] is a simple and effective random data storage structure. It is constructed by a set of hash functions () = (ℎ 1 (), ⋅ ⋅ ⋅ , ℎ  ()) and it has two operations: () and (), where  indicates   in the proposed scheme. The () operation handles an element with multiple hash functions ℎ 1 (⋅), ⋅ ⋅ ⋅ , ℎ  (⋅), so that the element is uniformly mapped to a number, for example, ℎ  () =   ∈ [1:], and sets the   -th bit in the array to one (the array is initialized to zeroes). The () operation repeats the same hashing procedure and then checks whether the appropriate bits are set to 1. In 2012, the partially hidden access structure in ABE was proposed [13,14]. In addition, the Bloom filter was employed to hide the value of the attribute in partially hidden access structures in [15]. In this proposed scheme, we use the Bloom filter to protect the privacy of the data owner, as shown in Figure 1.
In order to prevent the cloud server from learning information that may invade personal privacy, such as name, mobile number, and home address, each piece of attribute information is split into two parts: an attribute name and its value. When the data file is stored in the cloud server, the general attribute names are made public while the specific attribute values of the personal private information are kept secret. For example, let the data owner's name be Alice, the phone number be 1-626-780-7552, and the home address be 11ndStreet, Brooklyn, New York. Then, let the general attribute name of personal information to be protected be   = (, , ℎ, ), then the owner's specific values are   = (‖awyer‖1-626-780-7552‖11ndStreet, Brooklyn, New York). The data owner builds the data file label   = (  ) and then constructs a Bloom filter   = (  ) using   . In Figure 1, let  = (  ).
Security and Communication Networks
To check whether a Tag is in the set  that is stored in the cloud, we first compute the values ℎ 1 (), ℎ 2 (), ⋅ ⋅ ⋅ , ℎ  () and verify that each ℎ  () is 1, where  ∈ [1 ∼ ]. If the check fails, we can be sure that Tag is not in . Otherwise, we say that Tag is in  with high probability, because the Bloom filter always has a false positive rate. The false positive rate will be analyzed in detail in Section 6. The Bloom filter has the attractive features of convenient query and concise space. A standard Bloom filter needs  hash operations to insert one element, so the time complexity of insertion is (). Determining whether an element is in the set also needs  hash calculations, so the time complexity of an element query is (). For a set with  elements, it needs only a bit array of size , so the space complexity is (). It is then very concise, using only / bits to save each element. The storage space of the traditional tree query algorithm and hash query algorithm is directly associated with the size of the element itself and the size of the set, while the Bloom filter query algorithm is independent of the number of the elements and depends only on the number of bits in the vector to which the elements are mapped.

Reed-Solomon Code.
In coding theory, an RS code can detect and correct a number of random information errors.
McEliece and Sarwate [16] pointed out that Shamir's Secret Sharing Scheme (SSS) is closely related to RS error correction. They observed that a list of shares of Shamir's (, ) threshold SSS forms a codeword of an RS code. Thus, if  + 2 shares containing  invalid shares are provided in the reconstruction phase, the secret reconstruction algorithm can identify all  cheaters with certain probability. In addition, it is obvious, by using Lagrange interpolation, that a polynomial () of degree  − 1 is uniquely determined by (1), ⋅ ⋅ ⋅ , () if and only if  ≥  + 2, where  is the number of the cheaters. In 2011, using a single keyed message authentication code, Obana designed an efficient (, ) threshold SSS with unconditional security, which is capable of identifying up to  cheaters under the condition ( − 1)/3 ≥  [17,18].

System Model and Security Goals
3.1. System Model. In our system model, there are four participants: data owner, data consumers, cloud server, and public key generator (PKG). The data owner, e.g., the patient, stores his medical data in the cloud. In this way, he can outsource the data maintenance to the cloud. The data consumers download the data file shared by the data owner and decrypt it using their decryption keys. For the sake of simplicity, the data consumers are referred to as users in this paper. When decrypting a data file, these users collaborate with each other. The cloud server offers a high-quality service utilizing a large number of servers. It has considerable storage space and computation power. The data owner can interact with the cloud server dynamically to update or delete his data files. The public key generator maintains the public key infrastructure. It is a trusted third party with the responsibility to deliver the decryption key safely from the data owner to the users. This framework for privacy-preserving data sharing in the cloud is shown in Figure 2.
Note that the communication channels between users and the cloud server are secured under existing protocols in the system model.

Adversary Model.
The adversary model defines malicious behaviors based on whether they threaten the confidentiality of the cloud data. In contrast, the cloud server in our model is semitrusted (also known as honest-but-curious or passive); in other words, it will follow the protocol most of the time. The cloud server is assumed not to collude with the cloud user. Note that although the semitrusted adversary model is weaker than the malicious model, it is a realistic model that is widely used in similar protocols.
We have made it clear that the cloud server is semitrusted in our adversary model. This implies that the cloud server will not deviate from the protocol but may try to learn more information than she is authorized to access. Phishing is an important issue that needs to be considered in practice, but we do not address it here since it is an active attack. We will consider this issue further in our future work.
Hence, the following three types of attackers are considered: (1) data exposure: the data owner's personal sensitive information might be leaked; (2) inner threats: some authorized users might present a fake decryption key, causing failure when decrypting the data file; (3) outer threats: the channel used to transmit the secret keys might be insecure.
Unlike public verifiability [19], the user can verify by himself the decryption key delivered by the owner; this property is called secret verifiability.

Design Goals.
With the purpose of secure data sharing and data access control in the cloud, our main goal is to minimize the leakage of the data owner's private information and to prevent malicious users, including deceptive users and colluding users, from accessing the cloud data. The main design goals of our system can be summarized as follows.
(1) Personal Privacy Protection. We use a Bloom filter to design a secure mechanism so that the data owner and the cloud server can share data through the cloud. The operation only involves some hash operations, so the computational cost is very low.
(2) Data Access Control and Confidentiality. The proposed scheme employs a secret sharing method to share data. The data owner has the authority to specify the policy by which cloud users can access the data, and unauthorized users cannot obtain the information in the data file.
(3) Secret Verifiability of the Decryption Key. In order to ensure secure communication over insecure channels, the user himself can verify that the decryption key has been correctly delivered by the owner. This property is called secret verifiability, whereas with public verifiability the key can be verified by anyone who is interested.
(4) Recognition of the Dishonest User. If some cloud users misbehave, they can be efficiently identified using the RS encoding method.
(1) User registration: the user registers to the public key generator.He first randomly chooses   ∈  *  as the private key and then computes ℎ  =    as the public key.
(2) Here,  denotes the set of users who want to share an owner's data file.Firstly, the public key generator takes a grouping function (⋅) and divides these users  into  different groups, such as doctors and nurses, relatives and friends, legal officers, and so on by user's identity, which are denoted as  1 , ⋅ ⋅ ⋅ ,   that satisfy , where (⋅) is defined as ():  → {1, ⋅ ⋅ ⋅ , }.If () = , where  ∈ {1, ⋅ ⋅ ⋅ , }, then the user group  () is also denoted as   for short, namely, the group ID.
(3) PKG takes random exponents   ,   ∈   for group   (4) The system public key is published as = { 1 , ⋅ ⋅ ⋅ ,   } is denoted as the system master key.

Data File Generation (Data File Sharing)
(1)   is a partitioned group and the number of the users in the group   is   .The data owner chooses a linear secret sharing access structure and an exponent for every group.For group   , the data owner chooses a random secret sharing access structure (  ,   ), where   associates rows of the matrix   and  , corresponding to the th row of   .Then it takes random exponents {  |  ∈ {1, ⋅ ⋅ ⋅ , }}.M is the data to be encrypted; the data file is published as (2) In order to protect the private information of the data owner, the data owner computes the data file tag  (1) These authorized users of the  sets   compute the tag   = (  ) of data file that they want to decrypt and then send it to cloud server.
(2) The cloud server receives the tag   .
The cloud server verifies using   provided by these users. If it is satisfied, two decryption approaches can be adopted to get the plaintext: (a) decrypting by these authorized users and (b) outsourcing the decryption to the cloud. We describe them as follows:
(a) Decrypting by these authorized users.
After the authorized users   receive the corresponding data file ⟨  , (  ,   ),  0 ,   ⟩ =1∼ sent by the cloud server, one has the following: (1) All the authority users from those authority sets   use their decryption keys (ℎ  →1 , V    →1 ), ⋅ ⋅ ⋅ , (ℎ  →  , V    →  ) to verify the correctness of these decryption keys.Firstly, it is recovered R () from (V   →1 , ⋅ ⋅ ⋅ , V   →  ) using Berlekamp algorithm.Then, the users of the group   verify R ((ℎ  → ,  → )) = V  → for every decryption key  → .If it is unequal then ℎ  → is a fake share key.The user  → is added to the list of cheaters   .Moreover, every group can identify the cheaters of the group in this way.
(2) If there are no cheaters in all of the authority users, then these authority users recover the blind factor of data M as follows.
After receiving C0 , all the user groups   compute message

Security Analysis
5.1. Provable Security. In the proposed scheme, we utilize a symmetric encryption to hide the message data and use secret sharing based on general access structure to share the session key with users in every group. Since the security of secret sharing based on general access structure does not rely on any computational complexity assumption, it is unconditionally secure. Therefore, the modification does not disclose any information, and the proposed scheme is chosen plaintext secure.

Privacy of the Data Owner's Personal Information.
In order to protect the privacy of the data owner, the data owner first computes the tag of the data file   = (  ) with the public hash function  and constructs the Bloom filter   = (  ) of the tag   . Then the Bloom filter   is combined with the ciphertext to form the data file, which is uploaded to the cloud server. To decrypt the ciphertext they want to access, the cloud users first compute the   of the data file with the public hash function . Then they present the   to the cloud server; the cloud finds the item of the data file by verifying the Bloom filter   .
If it passes the verification, the ciphertext of the data file ⟨  , (  ,   ),  0 ,   ⟩ =1∼ is sent to the users. Then the users decrypt the ciphertext to recover the plaintext with their decryption key. It is easy to see that the personal privacy of the owner can be protected from the cloud.
Claim 1. The correctness of the search result can be ensured if the rate of false search results is acceptable. A false positive probability  exists when determining whether an element  belongs to a set because of the possible collisions in the hash functions. We can compute  as follows [15]: where  is the number of elements in set  and  is the size of the bit array. Obviously, when  = (log 2)(/), the false positive probability  can be minimized to a negligible value, i.e., (1/2)  .
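The tag lookup of the Bloom filter section and the false positive bound of Claim 1, as an added example in Python that is not code from the paper. The hash construction (SHA-256 with an index prefix), the symbols m (bit array size), n (number of stored tags) and k (number of hash functions), the single cloud-side filter over all tags, and the 199 filler records are assumptions made for the illustration.

```python
import hashlib
import math


class BloomFilter:
    """m-bit array with k hash positions per element (the add and query operations)."""

    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Assumed construction: h_i(x) = SHA-256(i || x) mod m, for i = 0..k-1.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(4, "big") + item).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def query(self, item):
        # False means "definitely absent"; True means "present, or a false positive".
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))


def make_tag(values):
    """Tag = H(v1 || v2 || ...) over the secret attribute values, length-prefixed."""
    h = hashlib.sha256()
    for value in values:
        raw = value.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()


def optimal_k(m_bits, n_items):
    """k = (ln 2)(m/n), rounded to a usable integer."""
    return max(1, round(math.log(2) * m_bits / n_items))


def expected_fp_rate(m_bits, n_items, k_hashes):
    """Standard approximation (1 - e^(-kn/m))^k of the false positive probability."""
    return (1.0 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def build_cloud_index(tags, m_bits):
    """Cloud-side index: one filter over all stored tags, sized with the optimal k."""
    index = BloomFilter(m_bits, optimal_k(m_bits, len(tags)))
    for tag in tags:
        index.add(tag)
    return index


def measured_fp_rate(index, trials):
    """Query tags that were never stored and count how many the filter accepts."""
    hits = sum(index.query(make_tag([f"never-stored-{i}"])) for i in range(trials))
    return hits / trials


# Constructed sample data: the owner's values from the example in the text,
# plus 199 made-up records so that the filter holds n = 200 tags.
OWNER_VALUES = ["Alice", "1-626-780-7552", "11ndStreet, Brooklyn, New York"]
STORED_TAGS = [make_tag(OWNER_VALUES)] + [make_tag([f"record-{i}"]) for i in range(199)]
INDEX = build_cloud_index(STORED_TAGS, m_bits=2000)

if __name__ == "__main__":
    print("k =", INDEX.k)
    print("owner tag found:", INDEX.query(make_tag(OWNER_VALUES)))
    print("expected FP:", round(expected_fp_rate(2000, 200, INDEX.k), 4))
    print("measured FP:", measured_fp_rate(INDEX, 5000))
```

Because the hash function is public, a tag built only from low-entropy values such as a name and a phone number can be recomputed by anyone able to guess those values, so the privacy of the tag rests on the attribute values being hard to enumerate.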

Verifiability of the Share Key Distribution.
In the following, we prove that the user can verify the correctness of share key distributed by the data owner.
Claim 2. Suppose a user is   ; if he accepts the share verification Ω  → from the owner, then there exists a unique value ℎ  → such that (∏ Therefore, the share key can be verified by the user.

Identification of the Cheater.
The RS code is employed here to prevent cheaters from changing the polynomial (), which is used to test the validity of the shares, because the RS code can perform error correction.
In other words, a polynomial () of  degree is uniquely determined by  1 , ⋅ ⋅ ⋅ ,   if and only if  ≥ 3 + 1; even if there are some fake shares   , they cannot prevent the correct reconstruction of (). Thus, we have the following conclusion.
Claim 3. If  ≤ ( − 1)/3 in every group  () , then the proposed scheme is a (, ) cheater identifiable data sharing scheme that no cheater can succeed in cheating without being identified with probability better than 1/, where  is the number of the cheaters and  is the threshold for every group.
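Cheater identification as described in the Reed-Solomon Code section and in Claim 3, as an added example in Python that is not the paper's implementation. It uses Shamir threshold shares rather than the paper's general access structure and decodes with the Berlekamp-Welch algorithm; the names k (threshold), n (shares submitted), e (invalid shares tolerated, with n ≥ k + 2e) and the field modulus are assumptions.

```python
import random

P = 2**61 - 1  # prime modulus of the share field (assumed; any prime > n works)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-order coefficient first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(secret, k, n, rng):
    """Shamir (k, n): share i is (i, f(i)) with deg f = k - 1 and f(0) = secret."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]


def solve_mod(rows, ncols):
    """Gauss-Jordan over GF(P) on augmented rows; free variables are set to 0.
    Returns one solution, or None if the system is inconsistent."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[ncols] for row in rows[r:]):
        return None
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = rows[i][ncols]
    return sol


def poly_divmod(num, den):
    """Long division over GF(P); den is monic. Returns (quotient, remainder)."""
    num = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1]
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % P
    return quot, num[:len(den) - 1]


def identify_cheaters(shares, k):
    """Berlekamp-Welch decoding: find monic E (deg e) and Q (deg < k + e) with
    Q(x_i) = y_i * E(x_i) for every share; then f = Q / E.
    Returns (secret, x-coordinates of the invalid shares)."""
    e = (len(shares) - k) // 2  # most invalid shares that n shares can expose
    rows = []
    for x, y in shares:
        q_part = [pow(x, j, P) for j in range(k + e)]
        e_part = [(-y * pow(x, j, P)) % P for j in range(e)]
        rows.append(q_part + e_part + [y * pow(x, e, P) % P])
    sol = solve_mod(rows, k + 2 * e)
    if sol is None:
        raise ValueError("more invalid shares than can be identified")
    f, rem = poly_divmod(sol[:k + e], sol[k + e:] + [1])
    cheaters = [x for x, y in shares if poly_eval(f, x) != y]
    if any(rem) or len(cheaters) > e:
        raise ValueError("more invalid shares than can be identified")
    return f[0], cheaters


def tamper(shares, bad_xs):
    """Constructed misbehaviour: the users in bad_xs submit y + 1 instead of y."""
    return [(x, (y + 1) % P) if x in bad_xs else (x, y) for x, y in shares]


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed: constructed demo data
    shares = make_shares(123456789, k=3, n=7, rng=rng)
    print(identify_cheaters(tamper(shares, {2, 5}), k=3))
```

With k = 3 and n = 7 the decoder exposes up to two invalid shares; a third invalid share exceeds the bound and the function raises instead of returning a wrong secret.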

Mutual Supervision between Groups
Claim 4. The proposed scheme is collision-resistant and provides mutual supervision between different groups.
The proposed scheme not only identifies the cheater within a group but also achieves mutual supervision between groups: because the secret is distributed to each group, the plaintext is recovered correctly if and only if all of the  groups present the correct secret share. If some users in any authorized user set present a fake share, it causes a group share error, which makes the decryption process fail.

Performance Analyses
In this section, we briefly compare our scheme with some other classical data sharing schemes, namely the Yu scheme [2] and the Dong scheme [4]. The Yu scheme relies on KP-ABE, while the Dong scheme is based on CP-ABE. In our scheme,   can also be seen as the attribute that is involved in the group   . These schemes have applications in healthcare or library scenarios to share data. Besides, our scheme is more suitable for medical supervision scenarios, especially when evidence such as EMR is needed in medical disputes or accidents. Data confidentiality is achieved in all these schemes since the data owner stores the ciphertext of the data file on the cloud server, and the cloud servers are not able to learn the plaintext of any data file. The data decryption keys are not known by the cloud server in either of the schemes [2,4] or in our scheme, although the proxy reencryption key is given to the cloud server in [2]. The comparison of our scheme with the schemes in [2,4], regarding the security properties, is summarized in Table 2.
In order to make the comparison fair and meaningful, when comparing the computational cost in the decryption phase, we consider the general situation in which all users participate. When the decryption is partially outsourced to the cloud, the computational cost for the users is obviously reduced further.

Dynamic Operation.
The dynamic operations, such as user addition/revocation and file creation/deletion, are processed in a similar way in all these schemes, so the operations are introduced only briefly.
(1) File Operation. There are three file operations: file creation, file deletion, and file updating. In these operations, the data owner has the right to delete the new file in [2,4] and ours. For file creation, he makes a unique tag and defines the access policy or attribute set. For file updating, the data owner ought to rearrange the access policy in our scheme and in [4], while in scheme [2] he updates the file's attribute  in the ciphertext and the proxy reencryption key.
(2) User Operation. There are two user operations: new user grant and user revocation. Similarly, the data owner assigns the corresponding secret key to the new user according to the type of the scheme, KP-ABE or CP-ABE. The data owner may revoke the access privileges of some users. Achieving effective user revocation has been a great challenge.
Most existing schemes can take a direct approach in which the data owner updates the access policy, reencrypts the relevant files, and distributes the renewed keys to the nonrevoked users via the cloud server. This method is applicable in [2,4] and our scheme. Based on the above reasons, the data owner needs to guarantee that all the operations are processed faithfully by the cloud servers.

Computation Complexity.
In this section, we analyze and compare the computation overhead of the proposed scheme with [2,4], considering the encryption and decryption operation.In the proposed scheme, the main computational cost involved in encryption and decryption algorithms are pairing (, ) and scalar multiplication.The ciphertext of the proposed scheme is  = { 0 = (,) Pairing is the most expensive operation.
For each different file, the data owner only needs to calculate (, ) once at the beginning. Thus, we do not consider the overhead of the pairing operation in the computational complexity when comparing the proposed scheme with those in [2,4]. In the computational complexity analysis, we only take into account the scalar multiplication operation. During encryption, all encryption operations are at the data owner's side. The data owner needs to do  scalar multiplication for  0 and  scalar multiplications for   ; thus, the owner needs 2 scalar multiplications in total for encryption. The computation complexity of encryption is then ().
In the decryption stage, to recover ciphertext, the user needs at most (2|| + ||) scalar multiplications to calculate Thus, the computation complexity of decryption is at most about (||).
In the key generation stage, it needs one scalar multiplication to calculate ℎ  → = ℎ for each user   and two scalar multiplications to calculate    =    ⋅    ⋅  and    =    for each group   .Therefore, the computational complexity of key generation is at most  (1).
For the cloud server, the main computational overhead is caused by the execution of the tag testing algorithm by the Bloom filter hash function. So the computation complexity for the cloud server is  (1).
In [4], the data owner needs to do two scalar multiplications to calculate  1, = ( 1 ,  1 )   (  While in [2], the data owner needs to do one scalar multiplications to calculate Ẽ =  ⋅ (, )  and one scalar multiplication for   =    ⋅ .Therefore the computation complexity of the data owner for encryption is (|  |).To recover the ciphertext one has to compute (  ,   ) = (, )   (0) for each leaf node firstly.Then, it aggregates these pairing results in the bottom-up manner using the polynomial interpolation technique.Finally, it recovers the blind factor   = (, )  and outputs the message  if only if attributes  satisfy access tree .So the time complexity for decryption is about (max(|  |, |  |)).And the time complexity for generation of the key The computational complexity of our scheme, as well as [2,4], is given in Table 3, where   denotes the attributes of the user,   denotes the attributes of access structure, set  represents the universal users, and  is the number of the partitioned groups in our scheme.

Experiment Results.
The evaluation is conducted through an experiment measuring the time cost of the proposed scheme on a computer with Windows 7, an Intel i5-4590S 3.00 GHz CPU, and 4 GB RAM. All results presented here are the average value over 100 different trials.

The Overhead of Encryption Algorithm.
In our scheme, the encryption is to calculate  1 , ⋅ ⋅ ⋅ ,   . In [2], the calculation of ciphertext  is based on Ẽ and {  } ∈ . And the calculation of ciphertext  in scheme [4] is based on  1, ,  2, ,  3, . Let the number of attributes |  | equal the number of users ; the encryption speed of our scheme and the other schemes with the number of attributes up to 10 and up to 50 is given in Figures 3 and 4, respectively. From Figures 3 and 4, we can see that the encryption cost increases linearly with the number of attributes in the three schemes, and that our scheme has almost the same cost as [2] and a much lower cost than [4].

The Overhead of Decryption Algorithm.
In our scheme, the decryption is to compute
As we can see, the cost of decryption depends on the number of groups and the number of users in each group. The decryption overhead of our scheme for 10 groups with 10 users in every group is shown in Figure 5.
The decryption overhead of [2] comes from computing the pairing operation, and it depends not only on the number of attributes but also on the intermediate nodes, that is, the size of the concrete tree structure. If the tree structure is large, then the overhead will be very large. Here, we only give the comparison of decryption overhead between our scheme and [4], where the number of users in our scheme is the same as the number of attributes in [4]. Every star in Figure 6 is labeled, in brackets, with the number of groups in our scheme for the same number of attributes. From Figure 6, we can see that the more groups there are, the greater the cost.
When all users are in one group in our scheme, the overhead of decryption is shown in Figures 7 and 8, where   attributes of access structure are up to 10 and 50, respectively. It can be seen that the overhead of our scheme is less than that of [4].

The Overhead of Key Generation Algorithm.
The key generation algorithm is to compute the power exponent in all three schemes. To simplify the comparison, we take all users to be in one group; the key generation overhead of the three schemes is then shown in Figure 9. From Figure 9, it can be seen that the overhead of our scheme is much less than that of [4] and a little more than that of [2].

The private key is usually a few hundred bits, and in general, it does not need to be compressed. We need to assume that the private key is initialized in advance, before the cloud environment is established, and that each participant can securely store and use the private key. Thus the whole communication cost of the protocol is given by log  4. We can see that the communication cost of our scheme is nearly the same as that of CP-ABE-based schemes, and that the cost of our scheme and [4] is slightly more than that of KP-ABE-based schemes. However, in practice, the file is described by just a limited number of attributes or shared with a limited number of users. In addition, even though the order of cyclic group  is large, log || bits is far less than the file size (data). In other words, the extra communication cost can be ignored.

Application to Secure Medical Information Sharing Scene
In a personal health information environment, a person's medical record information accumulates continuously during his life, and he will have a lot of contact with nurses and doctors over that time. From the perspective of the patient, he is the data owner.
When his health medical record is stored on the cloud server, he still wishes to control his medical data, and he needs to specify who can access his information; those users are called authorized users. As shown in Figure 10, these authorized users might be some friends, specialists, nurses, and public security investigators. To ensure impartiality and fairness, and to prevent tampering, forgery, and other illegal acts, access to the owner's medical record data should be carried out under the supervision of the above different groups. The scheme should also have the properties of data confidentiality, privacy protection, and cheater identification. To achieve this goal, a privacy protection approach based on a Bloom filter is used to hide personal information that is not closely related to the health condition of the patient, such as name, gender, telephone number, ID card number, family address, and property, when the owner's medical record is stored on the cloud. Moreover, since each group has a group secret, access to the data is carried out under an effective supervision mechanism according to the partitioned groups.
Besides, participants who conspire or cheat can be found and identified by applying the error correction function of the RS encoding technique. In summary, the proposed scheme helps the patient achieve flexible and supervised control over his case file stored on the cloud server.

Conclusion
In this paper, a personal medical information privacy protection scheme in the cloud was proposed, which can be used to set up an electronic medical records system for patients efficiently. The proposed scheme provides flexible data access control by combining secret sharing methods with symmetric encryption. The performance analysis shows that the proposed scheme has low overhead and high efficiency. In the proposed scheme, we use the RS encoding method to identify dishonest users. This means that there cannot be too many misbehaving users in any group. As indicated in Section 2.5, this scheme has the capability of identifying up to  cheaters under the condition ( − 1)/3 ≥ . Hence, in future work, we will investigate how to remove this condition and how to identify dishonest users more efficiently. Moreover, we will investigate how to update data files efficiently and flexibly and how to process multifile convergence in batches.
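The cheater identification that the application section and the conclusion attribute to RS error correction can be seen on plain polynomial shares. The following is an added example, not the paper's code and not its exact share-verification construction. Because the paper's symbols did not survive on this page, it assumes n submitted shares of a degree-t polynomial, at most t cheaters, and n ≥ 3t + 1; the field prime, coefficients and participant numbers are constructed.

```python
# Added illustration: Reed-Solomon-style cheater identification on polynomial shares.
# Assumptions (not from the page): n shares, degree-t polynomial, <= t cheaters,
# n >= 3t + 1. The prime P and every sample value below are constructed.
from itertools import combinations

P = 2**61 - 1  # prime field modulus for the demo

def evaluate(coeffs, x):
    """Horner evaluation mod P; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def interpolate_at(points, x):
    """Lagrange-interpolate the polynomial through `points`, evaluate it at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def identify_cheaters(shares, t):
    """shares: {participant x: submitted y}. Returns (secret, cheater ids).

    A degree-<=t polynomial that disagrees with at most t of n >= 3t + 1
    submissions matches at least t + 1 honest shares, so it is the real one;
    the shares it rejects are exactly the forged ones. The subset search is
    exponential and is used here only to keep the decoder short.
    """
    if len(shares) < 3 * t + 1:
        raise ValueError("need n >= 3t + 1 shares to identify t cheaters")
    items = sorted(shares.items())
    for subset in combinations(items, t + 1):
        bad = [x for x, y in items if interpolate_at(subset, x) != y]
        if len(bad) <= t:
            return interpolate_at(subset, 0), bad
    raise ValueError("more than t inconsistent shares; cannot decode")

def demo():
    t, n = 2, 7
    coeffs = [123456789, 42, 7]           # constructed secret and coefficients
    shares = {x: evaluate(coeffs, x) for x in range(1, n + 1)}
    shares[3] = (shares[3] + 1) % P       # participant 3 submits a forged share
    shares[6] = 999                       # participant 6 submits garbage
    return identify_cheaters(shares, t)

if __name__ == "__main__":
    print(demo())
```

With fewer than 3t + 1 submissions the function refuses to decode, which is the restriction the conclusion says future work aims to remove.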

Figure 1: Bloom filter of personal privacy information.

Figure 2: The framework for privacy-preserving data sharing service in the cloud.

Figure 3: Comparison of encryption performance with 10 attributes.

Table 1: Data file format on the cloud server.
Document number

  0 = M ⋅  (, ) ∑    ⋅  ,  1 =   1 , ⋅ ⋅ ⋅ ,   =      = (  ), and then constructs a Bloom filter   = (  ) by using   .
(3) The data owner selects a unique ID for this data file and uploads the anonymous data file ⟨  , (  ,   ),  0 ,   ⟩ =1∼ to the cloud server. Finally, each data file is stored on the cloud in the format as shown in Table 1.

4.3. Key Generation.
User   is a user of the universal user set, which is partitioned into group   by grouping function (⋅). To sign the user   in group   , if user   is the th in group   , then it is denoted as  →|   , for short  → .
(1) As mentioned earlier, the user   takes random    ∈  *  as private key and computes ℎ   =     as his public key.
(2) The data owner distributes the shared key to user   in group   .
(a) (  ,   ) is the secret sharing access structure for group   , where   = [   ]   ×  . Then the data owner chooses a random vector  → V  = (  ,  2 , ⋅ ⋅ ⋅ ,    ) ∈    as secret vector, where   is the encryption exponent to share in the group   . Then the share vector is computed as (  1 , ⋅ ⋅ ⋅    ⋅ ⋅ ⋅ ,      , is the -th row vector of the matrix   .
(b) The data owner chooses random   ∈  *  and computes the share key ℎ  → = ℎ   ⋅     ,    =    ⋅    ⋅  ,    =    and the share verification the key for user  → , where  1 =   .
(c) The data owner takes a random degree  polynomial   () ∈   () and computes   ((ℎ  → ,  → )), denoted as V   |   , in short V   → , with the injective function :GF() × {1, ⋅ ⋅ ⋅ , } → GF().
(d)  → = {ℎ  → ,    ,    , Ω  → , V   → } is encrypted by the user's public key, so that only the user can decrypt it by his private key. In other words, the data owner sends the share key  → safely to the user  → by the public key infrastructure.
(3) The user receives the  → and computes the decryption key by his private key    as follows.
 → , share key ℎ  → , and the user's private key    . The effectiveness of this verification can be proved in Claim 2.
(b) The user then recovers   → = ℎ   ⋅   from  → by his private key    .
(c) Finally the user computes the decryption key  → = {  → =    ⋅   ,    =    ⋅    ⋅  ,    =    , Ω  → , V   → }.

4.4. Decryption of Data File.
  is an authority set of the group   and {  |   ⊆   ,  ∈ {1, ⋅ ⋅ ⋅ , }} are the union of the  authority sets for  groups.

Table 3: Comparison of computation complexity.

Table 4: Comparison of communication costs.

In our scheme, the communication cost is mainly attributed to the encrypted data and key distribution transmission. The encrypted data is sent by the data owner to the cloud: the value of  0 = (, )∑    ⋅  and 1 =   1 , ⋅ ⋅ ⋅   =    requires (log |G 2 | +  ⋅ log |G 1 |) bits. The share keys are sent by the data owner to the users: the value ℎ  → ,    ,    for every  requires 3 ⋅ log |G 2 |, Ω  → at most requires  2 ⋅ log |G 2 | and V  → requires log || bits. Thus the communication cost of the share key from owner to users is given by 3 ⋅ log |G 2 | +  2 ⋅ log |G 2 | + log ||.