Keywords

1 Introduction

The promotion of wireless body area network (WBAN) has accelerated the explosive growth of medical and biological data, posing new challenges to data storage and data processing for health care providers [1, 2]. A possible way to overcome these challenges is to exploit the benefits of cloud computing [3]. Cloud computing can provide an information technology infrastructure that allows hospitals, insurance companies, research institutions and other government agencies in the healthcare ecosystem to leverage improved computing capabilities with lower cost and complexity, and allows them to access a shared pool of configurable computing resources from anywhere at any time.

Cloud computing has been widely deployed in mobile healthcare systems to improve the quality of healthcare services and potentially reduce healthcare costs in recent years. However, it also brings about a series of challenges, especially how to ensure the security of personal health information (PHI) and user privacy from various attacks [4]. Firstly, the outsourced PHI may be misused or accessed by unauthorized users. Secondly, the outsourced PHI contain personal and sensitive private information. User privacy will be destroyed once exposed to the public. Thus, scalable and strict security mechanisms are mandatory and should provide data confidentiality, integrity, source authentication, access control and user anonymity [5, 6].

To solve the problem of fine-grained access control over encrypted data, Sahai and Waters [7] first introduced the concept of attribute-based encryption (ABE). Since then, various ABE schemes have been proposed, such as [8,9,10,11], and several cloud-based secure systems using ABE have been developed, such as [12,13,14]. There are two different and complementary notions of ABE: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE).

In KP-ABE scheme [8], ciphertexts are labeled by the data owner with a set of descriptive attributes, while data users’ private keys are issued by a trusted private key generator (PKG) captures an access policy that specifies which type of ciphertexts the key can decrypt. When the access policy defined in the private key matches the attributes labeled with the ciphertext, then it decrypts the ciphertext. In CP-ABE scheme [9], the data owner encrypts a message under an access policy over attributes. A data user who possesses a set of attributes can obtain corresponding secret attribute keys from the PKG. A data user is able to decrypt a ciphertext if his attributes satisfy the access policy associated with the ciphertext.

In recent years, various cloud-based healthcare systems have been proposed by exploiting CP-ABE scheme to simultaneously achieve data confidentiality and access control. Yu et al. [15] and Tan et al. [16] pointed out that KP-ABE scheme is more appropriate than the CP-ABE scheme to be implemented in cloud-based mobile healthcare system. The main reasons are as follows: Firstly, encryption performs by using descriptive attributes has lower encryption complexity and shorter computation time than encryption to be performed by using access policy. Secondly, assignment of descriptive attributes in KP-ABE for encryption purpose is much simpler and less time consuming than assignment of access policy in CP-ABE encryption. This results from the fact that a slight update mistake in the access policy would cause a complication in the entire encryption and decryption system. Furthermore, in terms of access control, KP-ABE allows higher flexibility and efficiency in the modification of access control towards any authorized personnel compared to CP-ABE. This stems from the fact that the updates made on the descriptive attributes are much simpler than updates made on access structure.

Given the importance of PHI and the compliance of health insurance portability and accountability act (HIPPA), it is critical to guarantee source authentication and integrity of PHI in cloud-based mobile healthcare system. Otherwise, anyone can modify or forge someone’s PHI, which is undesirable. In addition, user privacy may impede its wide adoption. Digital signature is a very useful tool for providing authenticity, integrity and non-repudiation while it is rarely considered to provide user privacy by its own. Although privacy-preserving signature schemes, such as ring signature, group signature, mesh signature, attribute-based signature [17], have been widely studied in recent years, they are very complicated and time-consuming.

In this paper, we introduce a new cryptographic primitive named privacy preserving pseudonym and attribute-based signcryption (P3ASC) scheme, which can fulfill the functionality of pseudonym-based signature and key-policy attribute-based encryption in a logical step. To achieve user anonymity, privacy preserving technique based on pseudonyms is adopted. Then, we propose a P3ASC scheme and prove it is indistinguishable against adaptive chosen plaintext attacks in the selective-set model under the DBDH assumption, and is existentially unforgeable against adaptive chosen message and pseudonym attacks in the random oracle model under the ECDL assumption. Finally, we provide an architectural model of cloud-based mobile healthcare system by exploiting our proposed P3ASC scheme. It can ensure data confidentiality, integrity, authenticity, and non-repudiation, but also can provide fine-grained access control and user anonymity.

The rest of the paper is organized as follows. We introduce some necessary preliminary work in Sect. 2. We give syntax and security definitions for P3ASC scheme in Sect. 3. We present a P3ASC scheme in Sect. 3. We describe an architecture of cloud-based mobile healthcare system by exploiting the proposed P3ASC scheme in Sect. 4. Finally, we conclude our paper and discuss our future work in Sect. 5.

2 Preliminaries

We denote by \(\kappa \) the system security parameter. When \(\mathbf {S}\) is a set, \(x \overset{\$}{\leftarrow } \mathbf {S}\) denotes that x is uniformly picked from \(\mathbf {S}\). Let \(\mathbf {M}\), \(\mathbf {ID}\) and \(\mathbf {\Omega }\) be message universe, identity (pseudonym) universe and attribute universe, respectively.

2.1 Access Structure and Linear Secret Sharing Scheme

Let \(\mathbf {\Omega } = \{\omega _1, \omega _2, \cdots , \omega _n\}\) be a set of attributes, and denote by \(2^{\mathbf {\Omega } }\) its power set. A collection \(\mathbb {A} \subseteq 2^{\mathbf {\Omega }}\) is monotone if for every \(\mathbf {B}\) and \(\mathbf {C}\), if \(\mathbf {B} \in \mathbb {A}\) and \(\mathbf {B} \subseteq \mathbf {C}\) then \(\mathbf {C} \in \mathbb {A}\). An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) \(\mathbb {A}\) of non-empty subsets of \(\mathbf {\Omega }\), i.e. \(\mathbf {\Omega } \setminus \emptyset \). The sets in \(\mathbb {A}\) are called the authorized sets, and the sets not in \(\mathbb {A}\) are called the unauthorized sets [9].

We restrict our attention to monotone access structures. If a set of attributes \(\mathbf {\omega }\) satisfies an access policy (access structure) \(\mathbb {A}\), we denote it as \(\mathbb {A}(\mathbf {\omega }) = 1\). Otherwise, we denote it as \(\mathbb {A}(\mathbf {\omega }) = 0\).

Let \(\mathbf {M}_{\ell \times k}\) be a matrix, and \(\rho : \{1, \ldots , \ell \} \rightarrow \mathbf {\Omega }\) be a function that maps a row of \(\mathbf {M}_{\ell \times k}\) to an attribute for labeling. A secret sharing scheme for access structure \(\mathbb {A}\) over a set of attributes \(\mathbf {\Omega }\) is a linear secret-sharing scheme over \(\mathbf {F}_q\) and is represented by \((\mathbf {M}_{\ell \times k}, \rho )\) if it consists of two polynomial-time algorithms:

  • Share: The algorithm takes as input \(s \in \mathbf {F}_q\) which is to be shared. It chooses \(\upsilon _2, \ldots , \upsilon _k \overset{\$}{\leftarrow } \mathbf {F}_q\) and let \(\mathbf {\upsilon }= (s, \upsilon _2, \ldots , \upsilon _k)\). It outputs \(\mathbf {M}_{\ell \times k} \cdot \mathbf {\upsilon }^{\top }\) as the vector of \(\ell \) shares of the secret s. The share \(\lambda _i = <\! \mathbf {M}_i, \mathbf {\upsilon }\) belongs to party \(\rho (i)\), where we denote \(\mathbf {M}_i\) as the i-th row in \(\mathbf {M}_{\ell \times k}\).

  • Reconstruct: The algorithm takes as input \(\mathbf {S} \subseteq \mathbf {\Omega }\) satisfies \(\mathbb {A}\). Let \(\mathbf {I} = \{i|\rho (i) \in \mathbf {S}\}\). It outputs reconstruction constants \(\{(i, \mu _i)\}_{i \in \mathbf {I}}\) which has a linear reconstruction property, i.e., \(\sum _{i \in \mathbf {I}} \lambda _i \cdot \mu _i = s\).

2.2 Bilinear Pairing and Complexity Assumptions

Let P be a point with a prime order q in an elliptic curve \(\text {E}_p(a, b)\), and \(\mathbf {G}\) be a subgroup generated by the base point P, i.e., \(\mathbf {G} \overset{\mathrm {def}}{=}\langle P \rangle \).

Definition 1

Given \(Q \in \mathbf {G}\), the elliptic curve discrete logarithm problem (ECDLP) in \(\mathbf {G}\) is to find the integer a where \(1 \le a \le q\), such that \(Q = [a]P\).

The advantage of an adversary \(\mathcal {A}\) in breaking the ECDLP in \(\mathbf {G}\) is defined by

$$ \textsf {Adv}_{\mathcal {A}}^{\text {ECDLP}}(1^\kappa ) = \Pr [\mathcal {A}(P, Q=[a]P) = a \mid a \overset{\$}{\leftarrow } \mathbf {Z}_q^{*} ]. $$

We say that the ECDL assumption holds for the group \(\mathbf {G}\), if for any probabilistic polynomial time (PPT) adversary \(\mathcal {A}\), the advantage \(\textsf {Adv}_{\mathcal {A}}^{\text {ECDLP}}(1^\kappa )\) is a negligible function in the security parameter \(\kappa \).

A bilinear group parameter generator \(\mathcal {G}\) is an algorithm that takes as input a security parameter \(\kappa \) and outputs a bilinear group setting \((q, \mathbf {G}_1, \mathbf {G}_T, \hat{e})\), where \(\mathbf {G}_1\) and \(\mathbf {G}_T\) are a cyclic additive group and a multiplicative group of prime order q, respectively, and \(\hat{e}\): \(\mathbf {G}_1 \times \mathbf {G}_1 \rightarrow \mathbf {G}_T\) is a bilinear pairing with the following properties:

  • Bilinearity: For \(P_1, P_2 \overset{\$}{\leftarrow } \mathbf {G}_1\) and \(a, b \overset{\$}{\leftarrow } \mathbf {Z}^{*}_q\), we have \(\hat{e}([a]P_1, [b]P_2) = \hat{e}(P_1, P_2)^{ab}\).

  • Non-degeneracy: There exists \(P_1, Q_1 \in \mathbf {G}_1\) such that \(\hat{e}(P_1, Q_1) \ne 1_{\mathbf {G}_T}\).

  • Computability: There is an efficient algorithm to compute \(\hat{e}(P_1, Q_1)\) for \(P_1, Q_1 \overset{\$}{\leftarrow } \mathbf {G}_1\).

Definition 2

Given a bilinear group setting \((q, \mathbf {G}_1, \mathbf {G}_T, \hat{e})\) generated by \(\mathcal {G}(1^\kappa )\), define two distributions

$$\begin{aligned} \mathcal {D}_0(1^\kappa ) \overset{\mathrm {def}}{=}&\{ P_1, [a]P_1, [b]P_1, [c]P_1, \hat{e}(P_1, P_1)^{z} \} \\ \mathcal {D}_1(1^\kappa ) \overset{\mathrm {def}}{=}&\{ P_1, [a]P_1, [b]P_1, [c]P_1, \hat{e}(P_1, P_1)^{abc} \} \end{aligned}$$

where \(a, b, c, z \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\), \(P_1 \overset{\$}{\leftarrow } \mathbf {G}_1\), the decisional bilinear Diffie-Hellman problem (DBDHP) in \((q, \mathbf {G}_1, \mathbf {G}_T, \hat{e})\) is to determine whether \(\hat{e}(P_1, P_1)^z = \hat{e}(P_1, P_1)^{abc}\).

The advantage of an adversary \(\mathcal {A}\) in breaking DBDHP in \((q, \mathbf {G}_1, \mathbf {G}_T, \hat{e})\) is defined by

$$\begin{aligned} \textsf {Adv}_{\mathcal {A}}^{\text {DBDHP}}(1^\kappa ) = | \Pr [\mathcal {D}_0(1^\kappa ) \rightarrow 1] - \Pr [\mathcal {D}_1(1^\kappa ) \rightarrow 1 ]| \end{aligned}$$

We say that the DBDH assumption holds for \((q, \mathbf {G}_1, \mathbf {G}_T, \hat{e})\), if for any PPT adversary \(\mathcal {A}\), the advantage \(\textsf {Adv}_{\mathcal {A}}^{\text {DBDHP}}(1^\kappa )\) is a negligible function in the security parameter \(\kappa \).

3 Privacy-Preserving Pseudonym and Attribute-based SignCryption Scheme

A P3ASC scheme consists of the following six polynomial-time algorithms:

  • Setup: The probabilistic setup algorithm is run by the PKG. It takes as input a security parameter \(\kappa \) and an attribute universe \(\mathbf {\Omega }\). It outputs the public system parameters mpk, and the master secret key msk which is known only to the PKG.

  • PIDKeyGen: The probabilistic pseudonym-based private key generation algorithm is run by the PKG. It takes as input mpk, msk, and a real user identity \(\mathsf {id}\). It outputs a pseudonym \(\mathsf {pid}\) and a private key \(sk_{\mathsf {pid}}\) corresponding to the pseudonym.

  • ABKeyGen: The probabilistic attribute-based private key generation algorithm is run by the PKG. It takes as input mpk, msk, and an access structure \(\mathbb {A}\) assigned to a user. It outputs a private key \(dk_\mathbb {A}\) corresponding to the access structure \(\mathbb {A}\).

  • SignCrypt: The probabilistic signcrypt algorithm is run by a sender. It takes as input mpk, a message \(\text {Msg}\), a sender’s pseudonym-based private key \(sk_{\mathsf {pid}}\), and a set \(\mathbf {\omega }\) of descriptive attributes. It outputs a signcrypted ciphertext \(\text {Sct}\).

  • PubVerify: The deterministic public verifiability algorithm is run by any receivers. It takes as input mpk, a signcrypted ciphertext \(\text {Sct}\), a sender’s pseudonym \(\mathsf {pid}\), and a set \(\mathbf {\omega }\) of descriptive attributes. It outputs a bit b which is 1 if \(\text {Sct}\) is generated by the sender, or 0 if \(\text {Sct}\) is not generated by the sender.

  • UnSigncrypt: The deterministic unsigncryption algorithm is run by a receiver. It takes as input mpk, a signcrypted ciphertext \(\text {Sct}\), a sender’s pseudonym \(\mathsf {pid}\), a set \(\mathbf {\omega }\) of descriptive attributes, and a receiver’s attribute-based private key \(dk_\mathbb {A}\). It outputs \(\text {Msg}\) if \(\mathbb {A}(\mathbf {\omega })=1\). Otherwise it outputs \(\perp \).

The set of algorithms must satisfy the following consistency requirement:

$$\begin{aligned}&\qquad \textsf {Setup}(1^\kappa , \mathbf {\Omega }) \rightarrow (mpk, msk), \text {Msg} \overset{\$}{\leftarrow } \mathbf {M}, \mathsf {id} \overset{\$}{\leftarrow } \mathbf {ID}, \\&\qquad \textsf {PIDKeyGen}(mpk, msk, \mathsf {id}) \rightarrow (\mathsf {pid}, sk_{\mathsf {pid}}), \\&\qquad \textsf {ABKeyGen}(mpk, msk, \mathbb {A}) \rightarrow dk_{\mathbb {A}}, \\&\qquad \textsf {SignCrypt}(mpk, sk_{\mathsf {pid}}, \mathbf {\omega }, \text {Msg}) \rightarrow \text {Sct}, \; \mathbf {\omega } \in \mathbf {\Omega }\\&\qquad \text{ If } \mathbb {A}(\mathbf {\omega })=1 \Rightarrow {\left\{ \begin{array}{ll} \textsf {PubVerify}(mpk, \mathsf {pid}, \mathbf {\omega }, \text {Sct}) = 1 \\ \textsf {UnSignCrypt}(mpk, dk_{\mathbb {A}}, \mathsf {pid}, \mathbf {\omega }, \text {Sct}) = \text {Msg} \end{array}\right. } \end{aligned}$$

A P3ASC scheme should satisfy confidentiality and unforgeability. For the confidentiality, we consider the following indistinguishability against adaptive chosen plaintext attack (IND-CPA) game played between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\) in the selective-set model [8].

  • Init: \(\mathcal {A}\) declares a set of attributes, \(\mathbf {\omega }^{*}\).

  • Setup: \(\mathcal {C}\) runs the Setup algorithm, gives mpk to \(\mathcal {A}\), while keeps msk secret.

  • Phase 1: \(\mathcal {A}\) is allowed to issue the following queries adaptively.

    • Singing private key query on an identity \(\mathsf {id}_i\). \(\mathcal {C}\) runs the PIDKeyGen algorithm, and sends \((\mathsf {pid}_i, sk_{\mathsf {pid}_i})\) back to \(\mathcal {A}\).

    • Decrypting private key query on an access structures \(\mathbb {A}_j\). If \(\mathbb {A}_j(\mathbf {\omega }^{*}) \ne 1\), then \(\mathcal {C}\) runs the ABKeyGen algorithm, and sends \(dk_{\mathbb {A}_j}\) back to \(\mathcal {A}\). Otherwise, \(\mathcal {C}\) rejects the request.

  • Challenge: \(\mathcal {A}\) submits two equal length messages \((\text {Msg}_0, \text {Msg}_1)\), and an identity \(\mathsf {id}\) to \(\mathcal {C}\). Then, \(\mathcal {C}\) flips a random coin b, runs \(\textsf {PIDKeyGen}(mpk, msk, \mathsf {id}) \rightarrow (\mathsf {pid}, sk_{\mathsf {pid}})\) and \(\textsf {Signcrypt}(mpk, sk_{\mathsf {pid}}, \mathbf {\omega }^{*}, \text {Msg}_b) \rightarrow \text {Sct}^{*}\) in sequence. Finally, \(\mathcal {C}\) sends \(\text {Sct}^{*}\) to \(\mathcal {A}\).

  • Phase 2: Phase 1 is repeated.

  • Guess: \(\mathcal {A}\) outputs a guess \(b'\) of b.

The advantage of \(\mathcal {A}\) in the above game is defined as

$$ \text {Adv}^{\text {IND-CPA}}_{\mathcal {A}}(1^\kappa ) = \Pr [b' = b]-\frac{1}{2}. $$

Definition 3

A P3ASC scheme is said to be IND-CPA secure in the selective-set model if \(\text {Adv}^{\text {IND-CPA}}_{\mathcal {A}}(1^\kappa )\) is negligible in the security parameter \(\kappa \).

For the unforgeability, we consider the following existential unforgeability against adaptive chosen message and pseudonyms attack (UF-CMPA) game played between a challenger \(\mathcal {C}\) and a forger \(\mathcal {F}\).

  • Setup: Same as in the above IND-CPA game.

  • Find: \(\mathcal {F}\) is allowed to issue the following queries adaptively.

    • Singing private key query. Same as in the above IND-CPA game.

    • Decrypting private key query. Upon receiving decryption private key query on an access structure \(\mathbb {A}_j\), \(\mathcal {C}\) runs \(\textsf {ABKeyGen}(mpk, msk, \mathbb {A}_j) \rightarrow dk_{\mathbb {A}_j}\), and sends \(dk_{\mathbb {A}_j}\) back to \(\mathcal {F}\).

    • Signcrypt query on \(\langle \text {Msg}, sk_{\mathsf {pid}}, \mathbf {\omega } \rangle \). \(\mathcal {C}\) runs \(\textsf {Signcrypt}(mpk, sk_{\mathsf {pid}}, \mathbf {\omega }, \text {Msg}) \rightarrow \text {Sct}\) successively. Finally, \(\mathcal {C}\) sends \(\text {Sct}\) back to \(\mathcal {F}\).

  • Forgery: \(\mathcal {F}\) produces a new triple \(\langle \text {Sct}^{*}, \mathbf {\omega }^{*}, \mathsf {pid}^{*} \rangle \). The only restriction is that \(\langle \mathbf {\omega }^{*}, \mathsf {pid}^{*}\rangle \) does not appear in the set of previous Signcrypt queries during the Find stage and the signing private key of \(\mathsf {pid}^{*}\) is never returned by any PIDKeyGen query.

\(\mathcal {F}\) wins the game if

$$ \textsf {PubVerify}(mpk, \mathsf {pid}^{*}, \mathbf {\omega }^{*}, \text {Sct}^{*})= 1, $$

and the advantage of \(\mathcal {F}\) is defined as the probability that it wins.

Definition 4

A P3ASC scheme is said to be EUF-CMPA secure if no polynomially bounded adversary \(\mathcal {F}\) has non-negligible advantage in the above game.

3.1 Our Proposed P3ASC Scheme

Our proposed P3ASC scheme is described as follows.

  • Setup: The PKG performs as follows.

    1. 1.

      Generate an elliptic curve group \(\mathbf {G} \overset{\mathrm {def}}{=}\langle P \rangle \).

    2. 2.

      Run \(\mathcal {G}(1^\kappa ) \rightarrow \langle {q, \mathbf {G}_1, \mathbf {G}_T, \hat{e}}\rangle \).

    3. 3.

      Choose \(P \overset{\$}{\leftarrow } \mathbf {G}\), \(P_1 \overset{\$}{\leftarrow } \mathbf {G}_1\), \(x, y \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\), \(t_i \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\) for each attribute \(\text {Atr}_i \in \mathbf {\Omega }\), four secure hash functions \(H_1: \mathbf {Z}_q^{*} \times \mathbf {G} \rightarrow \mathbf {ID}\), \(H_2: \mathbf {ID} \times \mathbf {G} \rightarrow \mathbf {Z}_q^{*}\), \(H_3: \mathbf {G} \times \mathbf {G}_T \times \mathbf {Z}_q^{*} \rightarrow \mathbf {Z}_q^{*}\), and \(H_4: \mathbf {G} \times \mathbf {G}_T \times \mathbf {G}_T \rightarrow \mathbf {Z}_q^{*}\).

    4. 4.

      Compute \(P_{\text {pub}} = [x]P\), \(Y = \hat{e}(P_1, P_1)^y\) and \(T_i = [t_i]P_1\) for \(1 \le i \le |\mathbf {\Omega }|\).

    5. 5.

      Set \(msk = \{t_1, t_2, \cdots , t_{|\mathbf {\Omega }|}, x, y \}\).

    6. 6.

      Publish \(mpk = \{ \mathbf {\Omega }, T_1, T_2, \cdots , T_{|\mathbf {\Omega }|}, P_{\text {pub}}, Y, H_1, H_2, H_3, H_4 \}\).

  • PIDKeyGen: A user with real identity \(\mathsf {id}_{\text {U}}\) registers to the PKG to get his/her pseudonym \(\mathsf {pid}_{\text {U}}\) and pseudonym-based private key \(sk_{\text {U}}\) by performing the following pseudonym-based key generation protocol. Figure 1 illustrates the procedure.

    1. 1.

      The user chooses \(\overline{r}_{\text {U}} \xleftarrow {\$} \mathbb {Z}_q^{*}\), computes \(\overline{R}_{\text {U}} =[\overline{r}_{\text {U}}]P\), and sends a pseudonym-based private key request \((\overline{R}_{\text {U}}, \mathsf {id}_{\text {U}})\) to the PKG.

    2. 2.

      Upon receiving the private key request, the PKG first verifies \(\mathsf {id}_{\text {U}}\). If it is valid, then the PKG picks \(\widehat{r}_{\text {U}} \xleftarrow {\$} \mathbb {Z}_{q}^{*}\), computes \(\widehat{R}_{\text {U}} = [\widehat{r}_{\text {U}}]P\), \(R_{\text {U}} = \overline{R}_{\text {U}} + \widehat{R}_{\text {U}}\), \(\mathsf {pid}_{\text {U}} = H_1(x, R_{\text {U}}) \oplus \mathsf {pid}_{\text {U}}\), \(c_{\text {U}} = H_2(\mathsf {pid}_{\text {U}}, R_{\text {U}})\) and \(\widehat{sk}_{\text {U}} = \widehat{r}_{\text {U}} + c_{\text {U}} \cdot x \bmod {q}\). Finally, the PKG sends \((\mathsf {pid}_{\text {U}}, \widehat{sk}_{\text {U}}, \widehat{R}_{\text {U}})\) to the user via a secure channel.

    3. 3.

      Upon receiving the response from the PKG, the user computes \(R_{\text {U}} = \overline{R}_{\text {U}} + \widehat{R}_{\text {U}}\), \(c_{\text {U}} = H_2(\mathsf {pid}_{\text {U}}, R_{\text {U}})\) and \(sk_{\text {U}} = \overline{r}_{\text {U}} + \widehat{sk}_{\text {U}} \bmod {q}\), sets the corresponding public key \(Q_{\text {U}} = [sk_{\text {U}}]P\), and checks the following equation:

      $$ Q_{\text {U}} {\mathop {=}\limits ^{?}} R_{\text {U}} + [c_{\text {U}}]P_{\text {pub}} $$

      If it holds, the user stores the tuple \((\mathsf {pid}_{\text {U}}, R_{\text {U}})\) and the corresponding private key \(sk_{\text {U}}\).

    Fig. 1.
    figure 1

    Pseudonym-based key generation protocol

    Full size image

  • ABKeyGen: A user sends an attribute-based private key request to the PKG, and the PKG performs as follows.

    1. 1.

      Assign a linear secret sharing scheme for access structure \(\mathbb {A}\) described by \((\mathbf {M}_{\ell \times n}, \rho )\) to the user.

    2. 2.

      Choose \(u_i \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\) for \(1 \le i \le n\) such that \(\sum _{i=1}^n u_i = y\), and set \(\mathbf {u}= (u_1, u_2, \ldots , u_n)\).

    3. 3.

      Compute \(\lambda _i = <\!\mathbf {M}_i, \mathbf {u}\) and \(D_i = [\lambda _i/t_{\rho (i)}]P\) for each row vector \(\mathbf {M}_i\) of \(\mathbf {M}_{\ell \times n}\).

    4. 4.

      Send the attribute-based decryption key \(dk_{\mathbb {A}} = \{D_i\}_{i=1}^{\ell }\) associated with the access structure \(\mathbb {A}\) to the user.

  • Signcrypt: To signcrypt a message \(\text {Msg} \in \mathbf {G}_T\) along with a set \(\mathbf {\omega }\) of attributes, a sender with pseudonym \(\mathsf {pid}_{\text {U}}\) performs as follows.

    1. 1.

      Compute \(c_{\text {U}} = H_2(\mathsf {pid}_{\text {U}}, R_{\text {U}})\).

    2. 2.

      Choose \(s \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\).

    3. 3.

      Compute \(A = [s]P\), \(C' = \text {Msg} \cdot Y^s\), \(h_3 = H_3(A, C', c_{\text {U}})\), \(\sigma = s + h_3 \cdot sk_{\text {U}}\), \(h_4 = H_4(A, \text {Msg}, Y^s)\), and \(C_i = [s]T_i\) for \(1 \le i \le |\mathbf {\omega }|\).

    4. 4.

      Output \(\text {Sct} = \{ \mathbf {\omega }, \mathsf {pid}_{\text {U}}, R_{\text {U}}, C', \{C_i\}_{i=1}^{|\mathbf {\omega }|}, A, \sigma , h_4 \}\)

  • PubVerify: Any receiver can check the validity of the signcrypted ciphertext \(\text {Sct}\) against sender’s pseudonym \(\mathsf {pid}_{\text {U}}\) as follows.

    1. 1.

      Compute \(c_{\text {U}} = H_2(\mathsf {pid}_{\text {U}}, R_{\text {U}})\) and \(h_3 = H_3(A, C', c_{\text {U}})\).

    2. 2.

      Check \([\sigma ]P {\mathop {=}\limits ^{?}} A + [h_3](R_{\text {U}} + [c_{\text {U}}]P_{\text {pub}})\). It outputs 1 if the equation holds, or 0 if the equation does not hold.

  • UnSigncrypt: A receiver uses his decryption private key \(dk_{\mathbb {A}}\) associated to the access structure \(\mathbb {A}\) described by \((\mathbf {M}_{\ell \times n}, \rho )\) to recover and verify the signcrypted ciphertext \(\text {Sct} = \{\mathbf {\omega }, \mathsf {pid}_{\text {U}}, R_{\text {U}}, C', \{C_i\}_{i=1}^{|\mathbf {\omega }|}, A, \sigma , h_4 \}\) as follows.

    1. 1.

      Determine \(\mathbb {A}(\mathbf {\omega }) {\mathop {=}\limits ^{?}} 1\). If not, the receiver rejects the signcrypted ciphertext \(\text {Sct}\).

    2. 2.

      Validate the signcrypted ciphertext \(\text {Sct}\) as any receiver performs in the PubVerify algorithm.

    3. 3.

      Define \(\mathbf {I} = \{i | \rho (i) \in \mathbf {\omega }\} \subset \{1, 2, \ldots , \ell \}\), and let \(\{\mu _i\}\) be a set of constants such that if \(\{\lambda _i\}\) are valid shares of y according to \((\mathbf {M}_{\ell \times n}, \rho )\), then \(\sum _{i \in \mathbf {I}} \lambda _i \cdot \mu _i = y\).

    4. 4.

      Compute \(V = \prod _{\rho (i) \in \mathbf {\omega }} \hat{e}(D_i, C_{\rho (i)})^{\mu _i}\) and \(\text {Msg}' = C' / V\).

    5. 5.

      Check \(H_4(A, \text {Msg}', V) {\mathop {=}\limits ^{?}} h_4\). If it holds, the receiver accepts and outputs the message \(\text {Msg}\). Otherwise, rejects and outputs \(\perp \).

Theorem 1

Our P3ASC scheme satisfies consistency requirement.

Proof

Consistency requirement can be verified as follows.

$$\begin{aligned}{}[\sigma ]P&= [s + h_3 \cdot sk_{\text {U}} ]P = [s]P + [h_3][sk_{\text {U}}]P\\&= A + [h_3](R_{\text {U}} + [c_{\text {U}}]P_{\text {pub}}) \\ V&= \prod _{\rho (i) \in \mathbf {\omega }} \hat{e}(D_i, C_{\rho (i)})^{\mu _i} = \prod _{\rho (i) \in \mathbf {\omega }} \hat{e}([\lambda _i/t_{\rho (i)}]P, [s \cdot t_{\rho (i)}]P)^{\mu _i} \\&= \prod _{\rho (i) \in \mathbf {\omega }} \hat{e}(P, P)^{s \cdot \lambda _i \cdot \mu _i} = \hat{e}(P, P)^{s \sum _{\rho (i) \in \mathbf {\omega }} \lambda _i \cdot \mu _i} \\&= \hat{e}(P, P)^{sy} \\ \text {Msg}'&= C' / V = \text {Msg} \cdot Y^s / \hat{e}(P, P)^{sy} \\&= \text {Msg}. \end{aligned}$$

Theorem 2

Our P3ASC scheme satisfies the conditional anonymity for the sender.

Proof

In the PIDKeyGen, sender can choose a family of pseudonyms and obtain associated private keys by running a Schnorr-like lightweight identity-based blind signature scheme with the PKG ([18,19,20]). Although the signcrypted message Sct must include a pseudonym of the sender and \(R_{\text {U}}\). However, anyone, except the PKG, cannot extract sender’s real identity \(\mathsf {id}_{\text {U}}\) because they have no idea of the master secret key x. Furthermore, there is no linkage between these pseudonyms, anyone, except the PKG, cannot link two sessions initiated by the same sender. Of course, the PKG can extract the sender’s real identity by computing \(\mathsf {id}_{\text {U}} = \mathsf {pid}_{\text {U}} \oplus H_1(x, R_{\text {U}})\). Thus, our P3ASC scheme achieves the conditional anonymity for the sender.

Theorem 3

Our P3ASC scheme is IND-CPA secure in the selective-set model under the DBDH assumption.

Proof

We will give detailed security proof in the full version due to the space limitation.

Theorem 4

Our P3ASC scheme is EUF-CMA secure in the adaptive model under the ECDL assumption.

Proof

We will give detailed security proof in the full version due to the space limitation.

4 Privacy Preserving Cloud-Based Mobile Healthcare System

The general architecture and message sequence of our privacy-preserving cloud-based mobile healthcare system is shown in Fig. 2. Three types of users are supported by our proposed system:

  • PHI owner who generates personal health data collected from wireless body sensor network, creates signcrypted ciphertexts and forward them to the medical cloud service provider (CSP).

  • PHI reader who can only read a PHI owner’s PHI.

  • PHI writer who can access a PHI owner’s PHI, but also can modify a PHI owner’s PHI, e.g., an authorized doctor can generate medical data for a PHI owner.

Fig. 2.
figure 2

Architecture of proposed cloud-based mobile healthcare system

Full size image

There are five essential participants in our cloud-based mobile healthcare system: hospital authority (HA), PHI Owners, medical CSP, PHI readers, and PHI writers. We assume that all communications between participants are secured by transport layer security (TLS) protocol.

  • HA, who acts as the PKG. HA is responsible for generating system public parameters, issuing pseudonym-based private keys for PHI owners and PHI writers, and attribute-based private keys for PHI writers and PHI readers.

  • PHI Owners, who carry multiple wearable or implanted sensors and a patient terminal. Those sensors can sense and process vital signs or environmental parameters, and transfer the relevant data to the patient terminal. Typically, patient terminal is equipped with mobile health application and database collection and storage functions with the ability for mobile communication. PHI owners register themselves to the HA by sending their real identity, and the HA allocates pseudo-identity to the PHI owner, which is to be used for all the communications in the network. Thus, the actual identity of the PHI owner is concealed.

  • Medical CSP, who keeps patient related data of registered users and provides various services to the registered users. We assume that the medical CSP is honest-but-curious, which means that the medical CSP will perfectly execute the protocol specifications, but intend to extract the patient’s private personal health information.

  • PHI readers, who are allowed to view a PHI owner’s PHI. It can be doctors, nurses, researchers, insurance company employees, etc.

  • PHI writers, who are allowed to view and update a PHI owner’s PHI. It can be doctors who may access the patients’ medical information and provide medical services.

5 Conclusions

To achieve medical data security (confidentiality, integrity, authenticity and access control) and user privacy in mobile health cloud, we introduce a new cryptographic primitive named privacy-preserving pseudonym and attribute-based signcryption scheme, propose a provable secure construction and present a novel secure and efficient cloud-based mobile healthcare system by exploiting our proposed construction. For future work, we plan to further investigate and implement the proposed system in a suitable cloud platform. We will also evaluate the security and performance of the proposed system after being implemented and compare them with the most related work in the area.