Secure Multi-Keyword Search and Access Control over Electronic Health Records in Wireless Body Area Networks

Wireless body area network (WBAN) consists of a number of sensors that are worn on patients to collect dynamic e-health records (EHRs) and mobile devices that aggregate EHRs. These EHRs are encrypted at mobile devices and then uploaded to the public cloud for storage and user access. To share encrypted EHRs with users effectively, help users retrieve EHRs accurately, and ensure EHRs confidentiality, a secure multi-keyword search and access control (SMKS-AC) scheme is proposed, which implements encrypted EHRs access control under the ciphertext-policy attribute-based encryption (CP-ABE). SMKS-AC provides multi-keyword search for accurate EHRs retrieval, supports the validation of decrypted EHRs, and traces and revokes the identity of users who leak private key. Security analysis shows that SMKS-AC is secure against chosen keyword and chosen plaintext attacks. Through theoretical analysis and experimental verification, the proposed SMKS-AC scheme requires less storage resources and computational costs on mobile devices than existing schemes.


Introduction
Wireless body area network (WBAN) consists of sensors and mobile devices. Sensors are used to monitor and collect patients' medical/health data. These data are aggregated on mobile devices, then transmitted to the public cloud for storage, and shared with data users. However, due to the limited storage space, computing resources, and energy of mobile devices, it is important to keep the computation on mobile devices lightweight. Besides, data security and privacy [1] are further important concerns in WBAN, including the security of data transmission and storage [2] and access control at the user side [3].
In WBAN, electronic health records (EHRs) are outsourced to a public cloud which cannot be directly controlled by the data owner. To ensure the privacy and security of data storage, data owners usually store EHRs in encrypted form in the cloud. However, the encrypted data should be shared with data users according to some access control policy. Attribute-based encryption (ABE) is an effective mechanism for fine-grained access control of data. In addition, when data users want to access the encrypted EHRs stored in the public cloud, they can retrieve the required data according to some keywords. Then, the data can be obtained through decryption. Although the single keyword search method can retrieve encrypted data, the search results may contain a large number of irrelevant records, which reduces retrieval accuracy. Therefore, an effective multi-keyword search on encrypted data, together with validation of the correctness of decrypted data, meets more practical needs.
The EHRs are not only highly private but also commercially valuable. This may tempt authorized users to sell their private key for profit, so it is necessary to track the identity of the private key owner. Moreover, when the private key of a data user is sold or compromised, the user's access authority shall be revoked. The decrypted data can also be forged during transmission, and data users cannot recognize the forged data. Hence, it is imperative to verify the correctness of the data.

Our Contributions.
Inspired by the LiST scheme [4] and based on the schemes of LSABE [5] and Chen et al. [6], we propose a secure multi-keyword search and access control scheme (SMKS-AC) that supports multi-keyword search of encrypted EHRs and verification of decrypted EHRs in WBAN. It enables data users to search for EHRs more accurately and to verify the correctness of EHRs after decryption, so as to ensure the reliability and security of EHRs sharing between data owners and data users. In addition, CP-ABE is employed to achieve fine-grained access control over EHRs. If a user's private key is compromised, the system can also trace the user's real identity and revoke the user. Our SMKS-AC scheme is suited to the limited resources of mobile devices since only a few exponentiation operations are performed on mobile devices, while bilinear operations are transferred to the public cloud. The rest of this paper is organized as follows. Section 2 reviews related works. Section 3 provides the preliminaries for the proposed scheme. Section 4 presents the system model and security requirements. Section 5 presents a concrete SMKS-AC construction. Section 6 shows the security analysis, as well as the function and performance comparison with other schemes. Finally, Section 7 concludes this paper.

Related Works
To achieve fine-grained access control of outsourced data, ABE provides a good method of data encryption and sharing. ABE is an extension of identity-based encryption and was first proposed by Amit and Waters [7]. It can be divided into two types, namely, key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). The first KP-ABE, proposed by Goyal et al. [8], associates the ciphertext with a set of attributes, while the private key is associated with an access policy that controls which ciphertexts the user can decrypt. CP-ABE was first proposed by Bethencourt et al. [9] and can realize complex access control on encrypted data. The main idea is to embed the user's attribute set into the private key, while the ciphertext contains the access policy that determines which users can access it. A user whose attributes satisfy the policy can use his/her key to decrypt the ciphertext. The advantage of CP-ABE is that encrypted data can be kept secret even if the storage server is untrusted [10], such as the public cloud.
In order to save storage resources and computing costs on mobile devices, Go et al. [11] introduced an outsourcing scheme that reduces the storage space of mobile devices by outsourcing encrypted medical data to cloud servers. It is also the first outsourcing scheme that can resist malicious cloud server attacks. Li et al. [12] proposed an attribute-based encryption scheme with verifiable outsourced encryption and decryption. Their scheme not only reduces the storage cost of mobile devices but also requires only a small amount of computing overhead to complete the decryption. However, Guo et al. [13] found a security problem in Li et al.'s scheme [12] and put forward an improved scheme. Fan et al. [14] proposed a secure and effective outsourced computing algorithm to solve the problem of the large amount of computation required by existing schemes for data encryption on mobile devices. This algorithm outsources most of the computation involved in encryption and decryption to the cloud, thereby reducing the cost of computing on mobile devices. In order to reduce the overhead of data transmission and the storage space occupied by encrypted data, Zhang et al. [15] proposed an outsourced data access control scheme with constant size, which keeps the encrypted data and the user's private key at constant size.
When some users sell private keys for profit, the outsourced data face the risk of disclosure. Yu et al. [16] proposed a scheme that can effectively protect the outsourced data. If a malicious user shares the decryption key for profit, the user's identity must be publicly verifiable so that the user cannot deny the act. Therefore, it is necessary to trace the user's identity in ABE. Zhang et al. [17] proposed a scheme that can change user attributes and track the identity of traitors. The results show that the scheme is feasible and reliable for practical application. Sethi et al. [18] constructed a multiauthority CP-ABE scheme, which not only provides the function of tracking the identity of malicious users who leak decryption keys but also provides the ability to outsource decryption to reduce the computational burden on users, and also supports access policy updates.
Although ABE schemes can preserve the security and privacy of outsourced encrypted medical data, another problem remains: retrieving the required medical data among a large number of ciphertexts. Encryption directly makes the outsourced EHRs unreadable. In order to solve the problem of encrypted data search, Song et al. [19] proposed a scheme that uses keywords to search encrypted data stored on untrusted servers without revealing any text information. After that, many schemes have been proposed to search encrypted data. For example, Vaanchig et al. [20] proposed a temporary and fuzzy keyword search public key encryption scheme, which can resist keyword guessing attacks and limit the data retrieval time, thus enhancing the security of keyword search. Zhou et al. [21] proposed a public key encryption scheme in which CP-ABE technology is used for fine-grained access control and keyword search of encrypted data. Their scheme is indistinguishable against adaptively chosen keyword attacks.
Besides, ABE schemes for keyword search of outsourced encrypted data have also been specifically studied in [22][23][24][25]. However, these schemes only support single keyword search, which limits the flexibility and accuracy of data retrieval. Sun et al. [26] proposed a multi-keyword search scheme based on CP-ABE, which supports auditing of search results. This scheme removes a large number of irrelevant search results from cloud servers by narrowing the search scope. Moreover, Long et al. [27] proposed a lightweight multi-keyword search algorithm based on attribute encryption, which not only supports multi-keyword search but also reduces the computing cost of mobile devices.

Linear Secret-Sharing Scheme (LSSS)
Definition 1 (see [28]). A secret-sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_p$) if

It is shown in [28] that every LSSS defined above has the linear reconstruction property. Let $\Pi$ be an LSSS for access structure $\mathbb{A}$, $S \in \mathbb{A}$ be any authorized set, and $I \subset \{1, 2, \ldots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. Then, there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that if $\{\lambda_i\}_{i \in I}$ are valid shares of any secret $s$ according to $\Pi$, then $\sum_{i \in I} \omega_i \lambda_i = s$. Moreover, these constants $\{\omega_i\}_{i \in I}$ can be found in time polynomial in the size of the share-generating matrix $M$.
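As an added illustration (this is not the paper's code), the following Python block carries the linear reconstruction property through for a concrete share-generating matrix: shares are computed as $\lambda_i = M_i \cdot \vec{v}$ with $\vec{v} = (s, y_2, \ldots, y_n)$, and for a candidate set $S$ the constants $\omega_i$ with $\sum_{i \in I} \omega_i M_i = (1, 0, \ldots, 0)$ are found by Gauss-Jordan elimination modulo $p$, which is the polynomial-time procedure the definition refers to. The policy (A AND B) OR C, its matrix $M$, the labelling $\rho$, and the prime are constructed for the example; an unauthorized set yields no solution, which the code reports as `None`.

```python
# Added example (not the paper's code): LSSS share generation and linear
# reconstruction over Z_p for the constructed access policy (A AND B) OR C.
import random
from typing import Dict, List, Optional, Set

P = 2_147_483_647  # constructed prime standing in for the group order p

# Constructed share-generating matrix M (l = 3 rows, n = 2 columns) and the
# row labelling rho. Row i holds the share for attribute rho(i).
# A: (1, 1), B: (0, -1), C: (1, 0). A + B = (1, 0) and C = (1, 0), so
# {A, B} and {C} are the minimal authorized sets; {A} or {B} alone is not.
M: List[List[int]] = [[1, 1], [0, P - 1], [1, 0]]
RHO: List[str] = ["A", "B", "C"]
TARGET: List[int] = [1, 0]  # the vector (1, 0, ..., 0) that picks out s


def share(s: int, seed: int = 0) -> List[int]:
    """Shares lambda_i = M_i . v with v = (s, y_2, ..., y_n), y_j random."""
    rng = random.Random(seed)
    n = len(M[0])
    v = [s % P] + [rng.randrange(1, P) for _ in range(n - 1)]
    return [sum(M[i][j] * v[j] for j in range(n)) % P for i in range(len(M))]


def reconstruction_coefficients(S: Set[str]) -> Optional[Dict[int, int]]:
    """Solve sum_{i in I} omega_i * M_i = TARGET (mod P) for I = {i : rho(i) in S}.
    Returns {i: omega_i}, or None when S is not authorized (no solution)."""
    I = [i for i, attr in enumerate(RHO) if attr in S]
    if not I:
        return None
    n, m = len(M[0]), len(I)
    # One equation per column j of M: sum_i omega_i * M[i][j] = TARGET[j].
    rows = [[M[i][j] % P for i in I] + [TARGET[j] % P] for j in range(n)]
    pivots: List[int] = []
    r = 0
    for c in range(m):  # Gauss-Jordan elimination modulo P
        piv = next((k for k in range(r, n) if rows[k][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [x * inv % P for x in rows[r]]
        for k in range(n):
            if k != r and rows[k][c]:
                f = rows[k][c]
                rows[k] = [(x - f * y) % P for x, y in zip(rows[k], rows[r])]
        pivots.append(c)
        r += 1
    # Rows below the pivots are all-zero on the left; a nonzero right-hand
    # side there means TARGET is not in the span of the rows labelled by S.
    if any(rows[k][-1] for k in range(r, n)):
        return None
    omega = [0] * m  # free variables (non-pivot columns) are set to 0
    for k, c in enumerate(pivots):
        omega[c] = rows[k][-1]
    return {I[c]: omega[c] for c in range(m)}


def reconstruct(shares: List[int], S: Set[str]) -> Optional[int]:
    """sum_{i in I} omega_i * lambda_i, which equals s when S is authorized."""
    coeff = reconstruction_coefficients(S)
    if coeff is None:
        return None
    return sum(w * shares[i] for i, w in coeff.items()) % P


if __name__ == "__main__":
    secret = 123456
    lam = share(secret, seed=7)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(S), reconstruct(lam, S))
```

The same elimination routine works for any $M$ and $\rho$ built from a Boolean access policy; the CP-ABE decryption described later only needs the $\omega_i$ for the user's own attribute set, which is exactly what `reconstruction_coefficients` returns.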

Bilinear Groups.
Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. A map $e: G_1 \times G_1 \to G_2$ is a bilinear map if it satisfies the following properties. (1) Bilinearity: for any $u, v \in G_1$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

DBDH Assumption.
The security of the proposed SMKS-AC construction is based on the following decisional bilinear Diffie-Hellman (DBDH) assumption.
Assumption 1 (decisional bilinear Diffie-Hellman (DBDH) assumption). Let $G_1$ be a multiplicative cyclic group of prime order $p$ with generator $g$. Let $a, b, c \in \mathbb{Z}_p^*$ be randomly selected. If an adversary $\mathcal{A}$ is given $g, g^a, g^b, g^c$, and $e(g, g)^{abc}$, it is difficult for $\mathcal{A}$ to distinguish $e(g, g)^{abc}$ from a random element $R$ in $G_2$. The adversary $\mathcal{A}$ has advantage $\epsilon$ in solving the DBDH assumption if $\mathrm{Adv}^{\mathrm{DBDH}} = \lvert \Pr[\mathcal{A}(g, g^a, g^b, g^c, e(g, g)^{abc} \ldots$

System Model and Security Requirements
In this section, we introduce the system model and security requirements of SMKS-AC.

System Model.
As shown in Figure 1, the system of SMKS-AC mainly consists of the following four types of entities: data owner, medical staff who are regarded as data users, public cloud (PC), and key generation center (KGC).
(1) WBAN (Data Owner). WBAN contains many sensors, which are embedded or worn on patients to collect medical data. The collected data are aggregated and transmitted to a personal digital assistant (PDA) through a wireless channel. Keywords are extracted from EHRs to describe health information, and an EHR can be described by multiple keywords. Then, these keywords form a keyword group, and the corresponding EHR is encrypted under a specific access policy. Finally, these encrypted EHRs are outsourced to the PC.
(2) Medical Staff (Data User). Medical staff, as data users, have their own specific set of attributes. Data users are authorized to search encrypted EHRs according to their set of attributes. A data user can generate a keyword trapdoor and send it to the PC to realize data retrieval. As long as the search keywords are included in the keyword group describing the corresponding EHR and the user's set of attributes satisfies the access policy, the searched encrypted EHR will be returned. Then, the user uses his/her private key to decrypt and verify the decrypted EHR to ensure its correctness.
(3) PC. The PC has almost unlimited storage space and computing power, which can be used to store encrypted EHRs and respond to users' data retrieval requests. In SMKS-AC, the PC first verifies whether the keywords in the retrieval request are in the keyword group of the retrieved data. Then, the PC helps transform the retrieved ciphertext into a ciphertext that users can decrypt through lightweight computing.
(4) KGC. The KGC generates public parameters for the whole system and distributes a private key to each data user. The user's attribute set is embedded in the private key to implement access control. When the user's private key is maliciously disclosed, the KGC can trace the identity of the private key holder and add it to the revocation list.

Security Requirements.
In WBAN, in order to ensure the availability, privacy, and security of EHRs, a secure data access control scheme supporting multi-keyword search needs to meet the following security requirements.

Confidentiality of EHRs.
The EHRs should be encrypted before being outsourced to the PC for remote storage. Only when the user's set of attributes satisfies the access policy in the ciphertext can the data be decrypted by the user.

Accuracy of Retrieved EHRs.
When users retrieve data, there will be a lot of redundant data in single keyword search results. Thus, it is necessary to use multi-keyword search to improve the accuracy of retrieval results.

Verifiability of EHRs.
Since the ciphertext is outsourced to the PC, in order to prevent the PC from tampering with the ciphertext, data users need to verify the correctness of the retrieved data after decrypting it with their own private key.

A SMKS-AC Construction
In this section, we present a SMKS-AC construction and depict the running procedure in Figure 2.

System Setup.
Let $g \in G_1$ be a generator of the group $G_1$ of prime order $p$. Let $e: G_1 \times G_1 \to G_2$ be a bilinear map, $H: \{0, 1\}^* \to \mathbb{Z}_p^*$ and $H_1: \{0, 1\}^* \to \kappa$ be two collision-resistant hash functions, and $\kappa$ be the key space of the symmetric encryption algorithm (e.g., AES, DES, and so on). KGC selects random elements $\alpha, a, \lambda, \tau \in \mathbb{Z}_p^*$ and $k_1 \in \kappa$ and computes (1). The public parameter and the master secret key of the system are $PP = (g, p, e, h, f, Y, Y_0, g^a, f^a, H, H_1)$ and $MSK = (\alpha, a, \lambda, \tau, k_1)$, respectively.

Encryption.
The data owner chooses keywords for an EHR $m$ to form a keyword set $KW = \{kw_1, kw_2, \ldots, kw_{l_1}\}$ and constructs the $l_1$-degree polynomial … where $H(kw_1)$ … Then, the data owner chooses a random vector $\vec{v} = (s, y_2, y_3, \ldots, y_n)^T \in \mathbb{Z}_p^n$, where $y_2, y_3, \ldots, y_n \in \mathbb{Z}_p^*$ are random elements. For $i \in [l]$, the data owner computes …, selects random elements $s', s'' \in \mathbb{Z}_p^*$, and calculates …

Figure 1: System model.

Trapdoor Generation.
If a data user wants to search for EHRs containing the keyword set $KW' = \{kw_1, kw_2, \ldots, kw_{l_2}\}$, the user needs to construct the keyword trapdoor $T_{KW'}$. The data user chooses random elements $u, u_0 \in \mathbb{Z}_p^*$ and computes … $H(kw_i)^j$, $j \in \{0, 1, \ldots, l_1\}$.

Transform.
After receiving the keyword trapdoor $T_{KW'}$ from a data user, the PC first verifies whether the following equation holds: … If so, the PC outputs 1, meaning $KW' \subset KW$. Otherwise, the PC outputs 0. Then, the PC checks whether the attribute set $S$ associated with $T_{KW'}$ satisfies the access policy $(M, \rho)$ associated with the ciphertext $CT$.
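The following Python block is an added example and not the paper's code. Because the polynomial and trapdoor equations are not reproduced above, it assumes the usual encoding that the surviving fragments point to: the data owner encodes $KW$ as the $l_1$-degree polynomial $f(x) = \prod_{i}(x - H(kw_i))$ over $\mathbb{Z}_p$, the trapdoor carries the powers $H(kw'_i)^j$ for $j = 0, \ldots, l_1$, and the PC's check in the Transform step reduces to testing whether $f$ vanishes at every trapdoor keyword, so that it outputs 1 exactly when $KW' \subset KW$. The values are shown in the clear over $\mathbb{Z}_p$; the bilinear blinding that keeps them hidden from the PC in the actual scheme is left out, and the prime and keywords are constructed.

```python
# Added example (not the paper's code): the polynomial-based subset test
# KW' ⊂ KW behind the PC's Transform check, shown unblinded over Z_p.
import hashlib
from typing import Dict, List

P = (1 << 127) - 1  # constructed prime; the paper's experiments use a 160-bit p


def H(kw: str) -> int:
    """Stand-in for the hash H: {0,1}* -> Z_p^* (SHA-256 reduced mod p)."""
    return int.from_bytes(hashlib.sha256(kw.encode("utf-8")).digest(), "big") % P


def keyword_polynomial(KW: List[str]) -> List[int]:
    """Data owner: coefficients c_0..c_{l1} (lowest degree first) of
    f(x) = prod_{kw in KW} (x - H(kw)) mod p, so every H(kw) is a root of f."""
    coeffs = [1]
    for kw in KW:
        root = H(kw)
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j + 1] = (nxt[j + 1] + c) % P      # c * x^j * x
            nxt[j] = (nxt[j] - c * root) % P       # c * x^j * (-root)
        coeffs = nxt
    return coeffs


def trapdoor(KW_prime: List[str], l1: int) -> Dict[str, List[int]]:
    """Data user: for each searched keyword, the powers H(kw')^j, j = 0..l1."""
    return {kw: [pow(H(kw), j, P) for j in range(l1 + 1)] for kw in KW_prime}


def transform_check(coeffs: List[int], T: Dict[str, List[int]]) -> int:
    """PC: output 1 iff f(H(kw')) = sum_j c_j * H(kw')^j == 0 mod p for every
    kw' in KW', i.e. every searched keyword is a root of the owner's polynomial."""
    if any(len(powers) != len(coeffs) for powers in T.values()):
        return 0  # degree mismatch: trapdoor was built for a different l1
    for powers in T.values():
        if sum(c * h_j for c, h_j in zip(coeffs, powers)) % P != 0:
            return 0
    return 1


if __name__ == "__main__":
    KW = ["diabetes", "insulin", "hba1c"]  # constructed keyword set of one EHR
    coeffs = keyword_polynomial(KW)
    print(transform_check(coeffs, trapdoor(["insulin", "hba1c"], len(KW))))    # 1
    print(transform_check(coeffs, trapdoor(["insulin", "aspirin"], len(KW))))  # 0
```

Evaluating $f$ at a hashed keyword is a single inner product of the $l_1 + 1$ coefficients with the $l_1 + 1$ powers, which is why the trapdoor ships those powers rather than the keyword itself; a false positive requires a collision of $H$ modulo $p$, which is why $H$ has to be collision-resistant.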

Decryption and Verification.
After receiving the transformed ciphertext $CT' = (CT_1, CT_2, C_m)$, the data user calculates … If both hold, then $m'$ is output.

User Tracing.
If the private key of some authorized user is leaked, KGC is able to perform the following two algorithms to track its real identity.

KeyCheck. … If it is satisfied, the algorithm outputs 1, or 0 otherwise.

Trace.
If the KeyCheck algorithm outputs 0, it means that the private key $SK_{id,S}$ does not need to be traced; in this case, the Trace algorithm outputs $\bot$. Otherwise, KGC can use the master key $MSK$ to recover the identity of the private key holder by calculating $id = \mathrm{Dec}_{k_1}(D_2)$.

User Revocation.
After the Trace algorithm is completed, the access right of the holder who leaked the private key $SK_{id,S}$ needs to be revoked. Therefore, KGC stores the key component $D_2 = \delta$, which carries the user's identity information, on the PC. When a user sends a data retrieval request and submits the keyword trapdoor $T_{KW'}$, the PC checks whether the component $D_2 = \delta$ in $T_{KW'}$ is in the revocation list. If so, the user's data retrieval request is rejected.

Correctness and Security Analysis.
This section analyzes and proves the correctness and security of the SMKS-AC construction.

Theorem 1. The proposed SMKS-AC construction is correct.
Proof. In order to prove the correctness of the SMKS-AC construction, we only need to show that equations (8), (11), and (15) hold. First, the PC can determine whether the keyword set $KW'$ searched by the data user satisfies $KW' \subset KW$ by verifying equation (8), where $KW$ is the keyword set in $CT$. Since … $e(\ldots, g^{s\delta} g^{\lambda s}) = e(g, f)^u \cdot e(g^{\alpha u/(\lambda+\delta)}, g^{(\lambda+\delta)s}) = e(g, f)^u \cdot e(g, g)^{\alpha u s}$, we have $KW' \subset KW$. Second, after receiving the PC's transformed ciphertext, the data user can recover the random element $\Upsilon$ by calculating equation (11), so as to decrypt and verify the message. Since $C' = \Gamma \cdot \Gamma' = (I')^{T_1} \cdot \Gamma'$, we have … where … Third, if the data user sells the private key for profit, KGC can verify the authenticity of the sold key by verifying equation (15) to determine whether the identity of the user holding the private key is worth tracking, due to $e(D_4, h \cdot g^{D_2})$ … $e(g^a, \ldots)$ … Therefore, the proposed SMKS-AC construction is correct. □

Proof. The form of the ciphertext $CT$ in the SMKS-AC construction is similar to that in [4]. Compared with the SMKS-AC construction, the data owners in [4] extract only one keyword when processing an EHR. In our construction, in order to improve the accuracy of data retrieval by data users, the data owners of the SMKS-AC construction are able to extract multiple keywords from an EHR. The detailed proof of Theorem 2 is similar to that of Theorem 1 in [4]. Therefore, the SMKS-AC construction is IND-CKCPA secure. □

Proof. In a multi-user system, collusion attacks are an important attack type. Authorized users may collude with each other to generate a new key and gain extra privileges. In our solution, however, for each user, KGC selects a set of random numbers based on the user's attributes to generate the user's private key. Users who intend to collude cannot combine their private keys to generate a new valid key: since each user's private key is generated with different random numbers, the keys are not compatible with each other. Therefore, the proposed SMKS-AC construction is secure against collusion attacks. □

Comparison.
This section compares the SMKS-AC construction with existing schemes in terms of function, storage, and computation overheads. The comparisons are shown in Tables 1-3, respectively.
As shown in Table 1, in addition to the proposed SMKS-AC construction, both schemes [5,29] provide the multi-keyword search function. Data users are allowed to verify the message after decryption in [4] and in the SMKS-AC construction. Since the user's private key may be used maliciously, both [4] and the SMKS-AC construction provide user trace and user revocation functions, which are not considered in [5,22,29].

The storage and computing resources of mobile devices in WBAN are limited. In practical applications, storage and computation costs on mobile devices need to be considered. Let $|PP|$, $|SK|$, $|CT|$, and $|T_{KW'}|$ represent the sizes of the public parameter, the private key of a data user, the ciphertext, and the keyword trapdoor, respectively. $|G_1|$, $|G_2|$, and $|\mathbb{Z}_p|$ denote the length of an element in the groups $G_1$, $G_2$, and $\mathbb{Z}_p$, respectively. Let $|S|$ be the size of the attribute set $S$, $l$ be the number of rows in $M$, $|U|$ be the size of the universal attribute set $U$, and $l_1$ be the size of the keyword set $KW$. Besides, $E_1$ and $E_2$ represent exponentiation operations on the groups $G_1$ and $G_2$, respectively, and $P$ denotes a bilinear pairing operation.

Table 2 shows the storage cost comparison. It can be seen that only the size of the public parameter in Wang et al.'s scheme [29] is related to $|U|$, the number of all attributes in the whole system. As the number of system attributes increases, the size of the public parameter also increases, which does not meet actual needs. Although the public parameters of schemes [5,22] are shorter than those of the SMKS-AC construction, the sizes of the user's private key, the ciphertext, and the keyword trapdoor are, respectively, larger than those of the SMKS-AC construction, which increases the storage burden and data transmission time of mobile devices. Although the private key size of scheme [29] is smaller than that of the SMKS-AC construction, the sizes of the ciphertext and the keyword trapdoor in the SMKS-AC construction are, respectively, smaller than those of [29]. Note that the length of an element in the group $\mathbb{Z}_p$ is much smaller than that of an element in the group $G$. In addition, the sizes of the private key, ciphertext, and keyword trapdoor in the SMKS-AC scheme are, respectively, larger than those in scheme [4]. The main reason is that the SMKS-AC construction realizes multi-keyword search, which ensures the accuracy of data retrieval, while scheme [4] only supports single keyword search.

Table 3 shows the computation cost comparison, where only the costs of exponentiation and bilinear pairing operations are considered. In the Key Generation algorithm, the KGC uses $|S| + 2$ exponentiation operations on the group $G_1$ to generate the user's private key in the SMKS-AC construction. Except for [4], the other schemes require more computation than ours. The Encryption algorithm is executed on mobile devices with limited resources. In order to save storage space on mobile devices, the EHRs should be encrypted immediately and then transferred to the PC, which requires high encryption efficiency. In our scheme and in scheme [4], only four exponentiation operations on the group $G_1$ and three exponentiation operations on the group $G_2$ are required to generate a ciphertext, whereas the other schemes require additional operations. Since the Trapdoor Generation and Decryption algorithms are executed on the user's mobile device, only a small amount of computation should be needed to generate the keyword trapdoor and decrypt the data. In addition, compared with scheme [4] and our construction, the other schemes need to carry out both bilinear pairing and exponentiation operations.

Experimental Analysis.
In this section, we implement the code based on the Pairing-Based Cryptography Library (PBC-0.5.14, https://crypto.stanford.edu/pbc/). The experimental simulation is run on a virtual machine with 4 cores, 8 GB of memory, a 64-bit Linux Ubuntu 18.04.5 operating system, and an Intel(R) Core(TM) i5-8265U CPU @ 1.60 GHz 1.80 GHz. The elements of the cyclic group are 512 bits long, and the length of $p$ is 160 bits. Figure 3 compares the running time of each phase in the SMKS-AC construction with that in other schemes. Since the other schemes have no trace and revocation phases, we only compare the times of the Key Generation, Encryption, Trapdoor Generation, Transform, and Decryption algorithms. Due to the limited resources of mobile devices, it is particularly necessary to consider the complexity of the algorithms executed by data owners and users.

Figure 3(a) shows the time required for the Key Generation algorithm, which is executed by the KGC. It can be seen that the scheme in [22] takes the least time to generate the key: as the number of attributes increases, the time required remains unchanged. However, our SMKS-AC construction generates different key components for the different attributes in the attribute set of a data user; thus, the user key generation time increases with the number of attributes in the attribute set. Figure 3(b) indicates the time required for the data owner to execute the Encryption algorithm. The computational cost of the SMKS-AC construction and of the scheme in [22] remains roughly constant, while the computational cost of [5] grows. The main reason is that the ciphertext generation time in scheme [5] is related to the number of rows in the matrix $M$; as the number of rows increases, the time to run the Encryption algorithm also increases.

It can be seen from Figure 3(c) that the time cost of the Trapdoor Generation algorithm is independent of the number of attributes, and the trapdoor generation time of the SMKS-AC construction is shorter than that of the existing schemes. Note that the SMKS-AC construction and scheme [5] support multi-keyword search to improve search accuracy, while scheme [22] only supports single keyword search.

As indicated in Figure 3(d), the SMKS-AC construction takes more time than the existing schemes. It is worth noting that the Transform algorithm is executed by the PC, which has almost unlimited computing power and resources. Figure 3(e) shows the decryption time of encrypted data by data users. The SMKS-AC construction takes almost the same decryption time as scheme [5], while scheme [22] takes relatively more time. Also, the SMKS-AC construction supports verification of the message after decryption.

Conclusion
In WBAN, in order to achieve secure sharing of outsourced EHRs with a large number of users, we proposed an SMKS-AC construction supporting secure multi-keyword search and access control. SMKS-AC provides fine-grained access control and verifiability of decrypted EHRs, multi-keyword search over encrypted EHRs, user identity tracing, and user revocation. Security analysis showed that the SMKS-AC construction can resist chosen keyword attacks, chosen plaintext attacks, and collusion attacks. Theoretical analysis and experiments demonstrate that our SMKS-AC construction is more effective and incurs lower computational cost than existing related solutions.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.