Privacy-Protection Scheme Based on Sanitizable Signature for Smart Mobile Medical Scenarios

With the popularization of wireless communication and smart devices in the medical field, mobile medicine has attracted more and more attention because it can break through the limitations of time, space, and objects and provide more efficient and quality medical services. However, the characteristics of a mobile smart medical network make it more susceptible to security threats such as data integrity damage and privacy leakage than those of traditional wired networks. In recent years, many digital signature schemes have been proposed to alleviate some of these challenges. Unfortunately, traditional digital signatures cannot meet the diversity and privacy requirements of medical data applications. In response to this problem, this paper uses the unique security attributes of sanitizable signatures to carry out research on the security and privacy protection of medical data and proposes a data security and privacy protection scheme suitable for smart mobile medical scenarios. Security analysis and performance evaluation show that our new scheme effectively guarantees data security and user privacy while greatly reducing computation and communication costs, making it especially suitable for mobile smart medical application scenarios.


Introduction
With the swift development of the Internet and smart devices, mobile medicine has emerged. It is a new type of medical model that can break through the limitations of objective factors such as time, space, and objects. In mobile medical applications, smart devices can provide remote health monitoring and medical supervision for patients using wireless sensor networks [1,2].
Compared with the traditional medical model, the value of electronic medical records is no longer limited to the application of medical, scientific research, and teaching activities but more related to hospital management, insurance claims, judicial evidence collection, and preventive healthcare [3,4]. The scope of application of medical information is getting wider and wider, and the utilization rate is getting higher and higher. Therefore, the authenticity and availability of the electronic medical information are critical to the correct use of medical data and to fully reflect the value of medical data sharing. A slight difference may endanger the safety of the patient's life and property, causing irreparable losses [5].
At the same time, medical data contains a lot of personal privacy, which may lead to the leakage of patient privacy in resource sharing [6,7]. Unnecessary medical information leakage will cause patients to suffer unpredictable hazards such as loss of biological information, telephone fraud, and precise marketing and also seriously endanger the safety of people's life and property [8,9]. The problems of medical data security and privacy protection have become the biggest obstacles to the further development and promotion of the mobile medical industry.
Digital signature is one of the important means to protect the authenticity and availability of medical data [10-12]. However, not all applications must obtain the complete electronic medical record. For example, when an electronic medical record is used for medical reimbursement, patients only need to provide the insurance company with real information about the treatment and insurance number. When the complete electronic medical record is provided, too much personal information unrelated to medical claims will be disclosed.
To protect the privacy of patients, one of the solutions is to require the signer to only sign information related to medical claims [13]. However, whenever a new subset of the electronic medical record needs to be shared, the signer is required to repeat the signing process, which will generate excessively high computation costs, and sometimes the documents cannot be re-signed at all because the signer has departed.
Sanitizable signature [14] is a type of digital signature that supports controlled modification of signed messages. This feature not only guarantees the integrity and authenticity of medical data but also effectively hides sensitive information of patients (specific sensitive information can be flexibly set according to different information sharing objects). It thus follows the "minimum necessary" disclosure standard of the HIPAA privacy rules [15], promotes the use of value-added medical information, and improves the efficiency of the scheme. Therefore, sanitizable signatures are very suitable for solving data security and privacy protection issues in smart mobile medical scenarios.

Our Research Contributions.
We regard the main contributions of our scheme to be as follows:
(i) We propose a system model suitable for data security and privacy protection in smart mobile medical scenarios.
(ii) We propose a privacy-protection scheme based on sanitizable signature for smart mobile medical scenarios (hereafter referred to as the PP-SS scheme).
(iii) We conduct security analysis and performance evaluation for the newly proposed PP-SS scheme.

1.2. Organization of the Paper. The rest of the paper is organized as follows. Sections 2 and 3 present related work and the problem statement, respectively. The new PP-SS scheme is proposed in Section 4. In Sections 5 and 6, we describe the security analysis and the performance evaluation, respectively. Finally, we conclude the paper in the last section.

Related Work
The traditional digital signature does not allow any modification of the signed message; otherwise, the message signature becomes invalid [16,17]. However, to achieve data integrity, authenticity, and availability while ensuring data privacy in smart mobile medical and many other application fields, users hope that signed messages can be modified in a controlled manner to derive new signed messages [18,19]. The concept of a sanitizable signature was first proposed by Ateniese et al. [14] in 2005. It breaks through the limitations of traditional digital signatures and supports an entity (sanitizer) designated by the original signer to modify the signed message within the scope of authorization and generate a new signature without any interaction with the signer. Compared with a traditional signature, it not only ensures data integrity but also solves the problem of hiding sensitive information and provides more flexibility.
Brzuska et al. [20] gave the first formal security model for a sanitizable signature. Gong et al. [21] analyzed the formal security model proposed in [20] and pointed out that the security model is vulnerable to rights forgery attacks and then provided new definitions of attributes such as unforgeability and immutability. Subsequently, Krenn et al. [22] made further research on the above model and introduced stronger unforgeability and privacy.
With the continuous development of sanitizable signature technology, it covers more application examples. Brzuska et al. [23] introduced unlinkability, which ensures that a sanitized signature cannot be linked to the original signature: even if the original signature is known, it is difficult to determine whether the two signatures are related. Subsequent literature [24] introduced noninteractive public accountability, which can facilitate the implementation of the multieye principle [25]. Pöhls et al. [26] proposed the concept of hidden attributes, which means that outsiders cannot know which parts of the signed message are allowed to be modified. Then, Camenisch et al. [27] gave a formal definition of the hidden attribute, and Beck et al. [28] reinforced the attribute. Very recently, Bultel et al. [29] proposed a new sanitizable signature scheme, but it did not perform well in terms of performance.
At present, implementations of sanitizable signature schemes have been attempted on different platforms, from desktops [28] to smart cards [30], and then in XML signatures [20]. Before deploying a sanitizable signature scheme in practical applications, users must be aware of the possible legal consequences. Some researchers have proposed emergency properties to avoid some legal challenges [31,32], because qualified digital signatures are equivalent to handwritten digital signatures in court. It is worth noting that a sanitizable signature scheme can be used to help a redactable signature [33] achieve accountability [34].

Problem Statement
The definitions of the equivalence class signature and system model of our proposed PP-SS scheme are presented in this section. System components and security requirements of the privacy-protection scheme based on a sanitizable signature for smart mobile medical scenarios are then described.
3.1. Equivalence Class Signature. We give the definition of equivalence class signature (EQS). For more details, please refer to Reference [35].

Figure 1, and there are six types of entities in a privacy-protection scheme based on a sanitizable signature scheme: trusted authority, smart medical device, medical server, signer, sanitizer, and verifier. Each entity is specifically defined as follows:
(i) Trusted authority. A trusted authority is responsible for initializing the system and generating system parameters.
(ii) Smart medical device. A smart medical device refers to a portable or wearable medical device used to monitor the health status of patients and give timely feedback to medical experts to get better medical services.
(iii) Medical server. A medical server is a device with strong computing power and plenty of storage space, which can handle a large amount of data received from smart medical devices.
(iv) Signer. A signer is usually a doctor who is responsible for completing the setting of relevant parameters that allow modification of the content, the authorization of the semitrusted sanitizer, and the signature of the original message.
(v) Sanitizer. A sanitizer is usually a semitrusted third party authorized by the signer, responsible for modifying the specified content within the scope of the signer's authorization and generating a signature on the sanitized message.
(vi) Verifier. A verifier is usually a medical data sharing entity, that is, a beneficiary of medical data sharing such as an insurance company, scientific research center, or medical institution, who can verify the validity of the message signature before and after sanitization and the legality of the identity of the signer and sanitizer.

3.3. System Components.
Our proposed PP-SS scheme is a collection of the following six polynomial time algorithms:
(i) $\mathrm{Setup}(1^{\lambda}) \to (params)$ is a probabilistic algorithm to complete system initialization, where $\lambda$ is a security parameter and $params$ is the system parameters.
(ii) $\mathrm{Extract\text{-}SKey}(params) \to (SK_s, PK_s)$ is a probabilistic algorithm to generate key pairs for the signer.
(iii) $\mathrm{Extract\text{-}ZKey}(params) \to (SK_z, PK_z)$ is a probabilistic algorithm to generate key pairs for the sanitizer.
(iv) $\mathrm{Sign}(params, m, SK_s, PK_z, \alpha) \to \sigma$ is a randomized algorithm to generate an original signature, where $m = (m_i)$ is the message, $\alpha$ is a description of the admissible modifications to $m$, $\sigma = (\sigma_i)$ is the signature of message $m$, and $i \in [1, \iota]$.
(v) $\mathrm{Sanitize}(params, m, PK_s, SK_z, \xi) \to (m', \sigma')$ is a randomized algorithm to generate a sanitized signature, where $\xi$ is a description of information that needs to be modified on $m$, $m'$ is the sanitized message, $\sigma' = (\sigma_i')$ is the signature of sanitized message $m'$, and $i \in [1, \iota]$.
(vi) $\mathrm{Verify}(params, PK_s, PK_z, m, \sigma) \to \{0, 1\}$ is a deterministic algorithm to verify the validity of the signature $\sigma$, with 1 or 0 as outputs to indicate whether the message $m$ keeps integrity.

3.4. Security Requirements. A privacy-protection scheme based on a sanitizable signature needs to satisfy the following functions and security requirements:
(i) To ensure that a verifier can check the message integrity by verifying the validity of the signature.
(ii) Unforgeability. To ensure that the signature can be proven whether it is generated by the signer or sanitizer, and no one can forge the signature generated by the signer or sanitizer.
(iii) Privacy. On the premise of maintaining the validity of the original signature, the sanitizer can be allowed to sanitize the sensitive information in the signed message, and no one can distinguish whether the message has been sanitized.
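A minimal runnable sketch of the Sign / Sanitize / Verify interface listed above, added here as an illustration and not taken from the paper. It does not implement PP-SS (which relies on EQS over bilinear pairings); it swaps in a chameleon hash plus a Schnorr signature over a toy group, and the names `adm` (for α), `xi` (for ξ), the helper names, and the sample record are assumptions.

```python
import hashlib, secrets

def _is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group (assumption; too small for real use): safe prime P = 2Q + 1, G = 4 has order Q.
Q = next(q for q in range(2**61, 2**62) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def H(*parts):
    """Hash values to an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _digest(pk_z, blocks, sigma):
    """Admissible blocks enter via a chameleon hash G^H(m) * pk_z^r, fixed ones via H."""
    tags = [pow(G, H(i, m), P) * pow(pk_z, sigma["r"][i], P) % P
            if i in sigma["adm"] else H(i, m) for i, m in enumerate(blocks)]
    return H(tags, sorted(sigma["adm"]), pk_z)

def sign(sk_s, pk_z, blocks, adm):
    """Signer: Schnorr signature over the digest; adm plays the role of alpha."""
    sigma = {"adm": frozenset(adm), "r": {i: secrets.randbelow(Q) for i in adm}}
    k = secrets.randbelow(Q - 1) + 1
    e = H(pow(G, k, P), _digest(pk_z, blocks, sigma))
    return {**sigma, "e": e, "s": (k + e * sk_s) % Q}

def verify(pk_s, pk_z, blocks, sigma):
    R = pow(G, sigma["s"], P) * pow(pk_s, Q - sigma["e"], P) % P
    return sigma["e"] == H(R, _digest(pk_z, blocks, sigma))

def sanitize(sk_z, blocks, sigma, xi):
    """Sanitizer: apply xi = {index: new_block}; None (the paper's ⊥) if xi is outside adm."""
    if not set(xi) <= sigma["adm"]:
        return None
    out, r, inv = list(blocks), dict(sigma["r"]), pow(sk_z, -1, Q)
    for i, m2 in xi.items():
        # Trapdoor collision: H(m) + sk_z*r == H(m2) + sk_z*r' (mod Q)
        r[i] = (r[i] + (H(i, blocks[i]) - H(i, m2)) * inv) % Q
        out[i] = m2
    return out, {**sigma, "r": r}

def demo():
    # Constructed record: blocks 0-1 are private, blocks 2-3 are what an insurer needs.
    rec = [b"name: Jane Doe", b"address: 1 Example St", b"treatment: X-ray", b"insurance-no: 0000"]
    (sk_s, pk_s), (sk_z, pk_z) = keygen(), keygen()
    sig = sign(sk_s, pk_z, rec, adm={0, 1})
    red, sig2 = sanitize(sk_z, rec, sig, {0: b"name: [hidden]", 1: b"address: [hidden]"})
    forged = rec[:2] + [b"treatment: surgery"] + rec[3:]
    return (verify(pk_s, pk_z, rec, sig), verify(pk_s, pk_z, red, sig2),
            sanitize(sk_z, rec, sig, {2: b"treatment: surgery"}), verify(pk_s, pk_z, forged, sig))

if __name__ == "__main__":
    print(demo())
```

The sanitized record verifies under the signer's unchanged `(e, s)` pair, while edits outside `adm` are refused by the sanitizer and rejected by the verifier. This discrete-log chameleon hash exposes the sanitizer's trapdoor to anyone holding both the original and the sanitized randomness of a block, so the sketch shows the interface and the ξ ∈ α check only.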

Our Proposed PP-SS Scheme
Our proposed PP-SS scheme includes six phases, namely, Setup phase, Extract-SKey phase, Extract-ZKey phase, Sign phase, Sanitize phase, and Verify phase.
4.1. Setup. The trusted authority generates system parameters after obtaining the security parameter $\lambda$ by executing the following operations:
(1) Generate two cyclic addition groups $G_1$, $G_2$ and one multiplication group $G_T$ with the same order $q$, where $q$ is a prime. $P$ is a generator of $G_1$. $e : G_1 \times G_2 \to G_T$ is a bilinear pairing
(2) Select one hash function:

4.2. Extract-SKey. The signer produces his public-private key by executing the following operations:
(4) Set $PK_s = (X, Y)$ as signer's public key and $SK_s = (x_1, x_2, y_1, y_2)$ as signer's private key

4.3. Extract-ZKey. The sanitizer produces his public-private key by executing the following operations:
(1) Select random value $x \in \mathbb{Z}_q^*$ and set $SK_z = x$ as the sanitizer's private key
(2) Compute $PK_z = x \cdot P$ as the sanitizer's public key

4.4. Sign. The signer produces the signature $\sigma$ on the message $m = \{m_1 \| m_2 \| \cdots \| m_\iota\}$ by executing the following operations:
(1) Input system parameters $params$, signer's private key $SK_s$, sanitizer's public key $PK_z$, message $m$, and a description $\alpha$ of the admissible modifications to $m$
(2) Compute $\vartheta = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(X)$ and $\omega = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(Y)$ and set $\sigma = \{\sigma_1, \sigma_2, \cdots, \sigma_\iota\}$ as the signature of message $m$
(4) Choose a random number $r \in \mathbb{Z}_q^*$ and compute $R = rP$,

4.5. Sanitize.
(1) Input system parameters $params$, signer's public key $PK_s$, sanitizer's private key $SK_z$, message $m$, signature $\sigma$, and a description $\xi$ of the admissible modifications to $m$
(2) Compute $\theta = SK_z \cdot R$ and set $\theta = (x_\theta, y_\theta)$
(3) Compute $(x_\theta \| y_\theta) \oplus c$ to get $\alpha \| y_1$
(4) If $\xi \in \alpha$, then execute $m' = \xi(m)$; otherwise, return $\perp$
(5) Select random values $u, v \in \mathbb{Z}_q^*$ as randomization factors
Compute $\vartheta' = \mathrm{EQS} \cdot \mathrm{ChgRep}_{PK_s}((X_1, X_2), \vartheta, u)$ and $\omega' = \mathrm{EQS} \cdot \mathrm{ChgRep}_{PK_s}((Y_1, Y_2), \omega, u \cdot v)$ where

4.6. Verification.
The verifier verifies the signature $\sigma'$ of message $m'$ by executing the following operations:
(1) Input system parameters $params$, signer's public key $PK_s'$, sanitizer's public key $PK_z$, message $m'$, signature $\sigma'$, and a description $\xi$ of the admissible modifications to $m$ where

5.2. Provable Security. In this section, we demonstrate that our presented PP-SS scheme has perfect strong transparency against adversaries as defined in [29].

Definition 2 (transparency). Transparency is also indistinguishability, which means that the sanitized signature looks like it has not been sanitized. It requires that one cannot decide whether the signature is sanitized or nonsanitized without the help of the oracle [22].

Theorem 3. A sanitizable signature scheme is perfectly strongly transparent if for all probabilistic polynomial time adversaries $A$, Asanitize where $\mathrm{ExpTrans}^{b}_{A}$ is the security experiment of transparency for sanitizable signatures.

Proof. We prove that the scheme has perfectly strong transparency through the hybrid argument. Now, let $q$ denote the maximum number of times that adversary $A$ can query the $\mathrm{Sign/SanO}_b$ oracle, and define the hybrid variables $\mathrm{Hb}_0, \mathrm{Hb}_1, \ldots, \mathrm{Hb}_q$ as follows.

$\mathrm{Hb}_0$ is identical to $\mathrm{ExpTrans}^{0}_{A}(\lambda)$. For $j \in \{1, 2, \cdots, q\}$, $\mathrm{Hb}_j$ is almost the same as the value of $\mathrm{Hb}_{j-1}$, except for the answer of the $j$-th query to $\mathrm{Sign/SanO}_b$ is $\mathrm{ExpTrans}^{1}_{A}(\lambda)$. That is to say, the answers to the first $j$ queries to $\mathrm{Sign/SanO}_b$ are sanitized signatures, and the remaining $q - j$ signatures are unsanitized (original) signatures. It should be noted that $\mathrm{Hb}_q = \mathrm{ExpTrans}^{1}_{A}(\lambda)$. Obviously, if $\Pr[\mathrm{Hb}_{j-1} = 1] = \Pr[\mathrm{Hb}_j = 1]$ for $j \in \{1, 2, \cdots, q\}$, then $\mathrm{ExpTrans}^{1}_{A}(\lambda) = \mathrm{ExpTrans}^{0}_{A}(\lambda)$ holds.

For $j \in \{1, 2, \cdots, q\}$, we demonstrate that $\Pr[\mathrm{Hb}_{j-1} = 1] = \Pr[\mathrm{Hb}_j = 1]$ as below. Let the tuple $(m, \xi, \alpha)$ be the $j$-th query of adversary $A$ to the $\mathrm{Sign/SanO}_b$ oracle. If $\xi \notin \alpha$, then the oracle returns $\perp$ and the equality holds trivially. Otherwise, let $m' := \xi(m)$ and $\sigma'$ be the answer. The signature $\sigma'$ comes from the mathematical distribution $D$, where $D :=$

Replacing $x_i$ and $y_i$ with $u \cdot x_i$ and $v \cdot y_i$, respectively, for some $u, v \in \mathbb{Z}_q^*$, we can obtain a mathematical distribution $D' = D$, where

Because of the perfect adaptation of EQS [35], the distribution of $\vartheta = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(X_1, X_2)^{u}$ and $\omega = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(Y_1, Y_2)^{u \cdot v}$ is the same as that of $\mathrm{ChgRep}_{PK_s}((X_1, X_2), \vartheta', u)$ and $\mathrm{ChgRep}_{PK_s}((Y_1, Y_2), \omega', u \cdot v)$, where $\vartheta' = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(X_1, X_2)$, $\omega' = \mathrm{EQS} \cdot \mathrm{Sign}_{SK_s}(Y_1, Y_2)$. Then, we can obtain a distribution $D' = D''$, and we have

From the above derivation process, it is easy to find that in $\mathrm{Hb}_j$, the signature $\sigma'$ completely came from $D''$. Therefore, we can conclude that $\mathrm{Hb}_{j-1}$ and $\mathrm{Hb}_j$ are equivalent in function.

Comparative Summary: Security Properties.
We show that our PP-SS scheme can meet all the security requirements presented in Section 3.
(i) Integrity. The PP-SS scheme proposed in this paper has the characteristics of a traditional digital signature. Before sharing medical data, first sign it, and then the verifier can determine the integrity of the medical data by verifying the signature of the message.
(ii) Unforgeability. The PP-SS scheme proposed in this paper introduces Fuchsbauer et al.'s EQS scheme, which has been proven to be unforgeable under chosen message attacks [35], which can ensure no one can forge the signature generated by the signer or sanitizer.
(iii) Sanitization. The sanitizer in our proposed PP-SS scheme in this paper can be allowed to sanitize the information in the signed message, which can effectively hide the patient's sensitive information.
(iv) Privacy. The PP-SS scheme proposed in this paper can effectively hide the patient's sensitive information, and the unsanitized signature and the sanitized signature generated from our PP-SS scheme are indistinguishable as proven in Section 5.2, which effectively protects the privacy of the patient.

5.4. Comparative Summary: Security Comparison. As can be seen from  [29], and our proposed PP-SS scheme can all meet the integrity and unforgeability. Only our PP-SS scheme can satisfy the sanitization and privacy. Suppose a patient agrees to share his electronic medical record with other medical research institutions through a third-party platform (hospital) but does not want to expose the privacy information such as the identity in the message. If users try to solve the above problems using the schemes of Jiang et al. or Wu et al., they will find that both of them can only obscure the identity of the information publisher, but cannot effectively hide user privacy information contained in the message. In Bultel et al.'s scheme [29] and our PP-SS scheme, patients can entrust a third-party platform as a sanitizer to modify the privacy information specified by the original signer in the message.
In addition, both of them can meet the indistinguishability and the attacker cannot obtain the user's private information, which can effectively protect the privacy of the user's sensitive information. Comparatively speaking, Bultel et al.'s scheme and our PP-SS scheme satisfy all four security requirements in Table 1 and outperform the two other schemes in terms of data security and privacy protection.

Comparative Summary: Performance
In this section, we analyze the performance of our proposed PP-SS scheme by evaluating the computation and communication costs.

Computation Costs.
We evaluate the performance of our new proposal and Bultel et al.'s scheme [29]. In the specific implementation, we choose a nonsingular elliptic curve $E : y^2 = x^3 + ax + b \bmod q$, and $a, b \in \mathbb{Z}_q^*$, $G$ is the additive group with the order $q$ on $E$, security parameter $|\lambda| = 80$ bits, and $p$ and $q$ are both prime numbers with a length of 160 bits. We run the simulation experiment using the MIRACL library [36] on a personal computer (Intel core with I7-4770@3.4 GHz CPU, 4 GB random memory, and Windows 7 operating system). The running time of different operations is shown in Table 2.
Because Setup, Extract-SKey, and Extract-ZKey phases are a one-off operation, we only consider the computation costs in the Sign phase, Sanitize phase, and Verify phase. An $\mathrm{EQS} \cdot \mathrm{Sign}$ algorithm includes $(2n - 2)$ point addition operations and $(2n + 2)$ point multiplication operations, an $\mathrm{EQS} \cdot \mathrm{ChgRep}$ algorithm requires $(n + 4)$ point multiplication operations, and an $\mathrm{EQS} \cdot \mathrm{Verify}$ algorithm requires $(n + 5)$ bilinear pair operations, where $n$ is the number of messages involved in the operation [35].
In the Sign phase, the signer in Bultel et al.'s scheme needs to perform $3\iota$ exponentiation operations, $(4\iota - 4)$ point addition operations, $(4\iota + 6)$ point multiplication operations, and $\iota$ hash to point operations; therefore, the computation cost of the Sign phase in Bultel et al.'s scheme is $3\iota T_{exp} + (4\iota - 4)T_{pa} + (4\iota + 6)T_{pm} + \iota T_{mtp}$. The signer in our PP-SS scheme needs to perform $\iota$ exponentiation operations, four point addition operations, fourteen point multiplication operations, and $\iota$ hash to point operations; therefore, the computation cost of the Sign phase in our PP-SS scheme is $\iota T_{exp} + 4T_{pa} + 14T_{pm} + \iota T_{mtp}$.
In the Sanitize phase, the sanitizer in Bultel et al.'s scheme needs to perform $3\iota$ exponentiation operations, $(2\iota + 9)$ point multiplication operations, and $\alpha$ hash to point operations; therefore, the computation cost of the Sanitize phase in Bultel et al.'s scheme is $3\iota T_{exp} + (2\iota + 9)T_{pm} + \alpha T_{mtp}$. The sanitizer in our PP-SS scheme needs to perform $(4 + \iota)$ exponentiation operations, thirteen point multiplication operations, and $\alpha$ hash to point operations; therefore, the computation cost of the Sanitize phase in our PP-SS scheme is $(4 + \iota)T_{exp} + 13T_{pm} + \alpha T_{mtp}$.
In As shown in Figure 2 and Table 3

Communication Costs.
In the Setup, Extract-SKey, Extract-ZKey, and Verify phases, there is no additional communication cost in Bultel et al.'s scheme [29] and our proposed PP-SS scheme. Hence, we only consider the communication costs of the Sign phase and the Sanitize phase. For simplicity, we assume the length of the user's electronic medical record F is ℓ in accordance with the above implementation. The communication cost is analyzed as follows.
If we choose $\iota = 50$ and $|F| = \ell = 1024$ bits, the comparative summary of the communication costs is shown in Table 4 and Figure 3. We can observe that the communication cost of the Sign phase in our PP-SS scheme is 21504 bits, which is reduced by 64:

Conclusion
Smart mobile medical is a trend that is unlikely to disappear in the foreseeable future, and as the amount of user data continues to increase, it is essential to ensure the availability of medical data and the privacy of user information. Many digital signature schemes have been proposed recently, but most schemes have certain limitations and cannot be well adapted to the needs of smart medical applications.
To overcome this security problem, we propose a new data security and privacy protection scheme based on a sanitizable signature for smart mobile medical scenarios. Security analysis and detailed performance evaluation demonstrate that our PP-SS scheme can not only ensure the integrity of medical data and support the privacy protection of patients but also achieve a higher level of security assurance while communication and computation costs are greatly reduced. Therefore, our proposed PP-SS scheme is more suitable for actual deployment in smart mobile medical scenarios.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.