Professional Documents
Culture Documents
April 7, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.2982964
ABSTRACT Electronic medical records can help people prevent diseases, improve cure rates, provide a
significant basis for medical institutions and pharmaceutical companies, and provide legal evidence for
medical negligence and medical disputes. However, the integrity and security problems of electronic medical
data still intractable. In this paper, based on the ciphertext policy attribute-based encryption system and IPFS
storage environment, combined with blockchain technology, we constructed an attribute-based encryption
scheme for secure storage and efficient sharing of electronic medical records in IPFS storage environment.
Our scheme is based on ciphertext policy attribute encryption, which effectively controls the access of
electronic medical data without affecting efficient retrieval. Meanwhile, we store the encrypted electronic
medical data in the decentralized InterPlanetary File System (IPFS), which not only ensures the security
of the storage platform but also solves the problem of the single point of failure. Besides, we leverage
the non-tamperable and traceable nature of blockchain technology to achieve secure storage and search for
medical data. The security proof shows that our scheme achieves selective security for the choose keyword
attacks. Performance analysis and real data set simulation experiments shows that our scheme is efficient
and feasible.
INDEX TERMS Access control, attribute-based encryption, blockchain, electronic medical records, Inter-
Planetary File System (IPFS).
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 59389
J. Sun et al.: Blockchain-Based Secure Storage and Access Scheme For Electronic Medical Records in IPFS
point of failure. Before storing data, we encrypt the medical ciphertext-policy attribute-based encryption (CP-ABE) [10].
data based on attributes and determine the attributes of users KP-ABE is mostly used in biometric identification sys-
(including doctors, nurses, patients, researchers, etc.) [8]. tems [8]. CP-ABE is mostly used for encrypted storage
The user’s private key is related to their attributes, while the systems. Due to attribute-based encryption provides secure
ciphertext is related to the policy. The user can decrypt the fine-grained access control for data, thus, it is being applied
ciphertext if and only if the user’s private key meets the access more and more to various scenes. The most common is
policy in the ciphertext. Also, we can use the blockchain to to encrypt medical data based on attribute and outsource
record the storage and search process of medical data, which it to cloud servers for management, which is not only
can not only track the source of the data but also record the saving local storage costs but also ensuring data security.
data retrieval process. Furthermore, we store the hash value Sun et al. [11] proposed an attribute-based keyword search
of medical data in the blockchain, which provides strong scheme with effective user revocation (ABKS-UR), enabling
evidence for the originality of the user’s verification data. scalable fine-grained search authorization, allowing multiple
Our Contribution: In order to address the effective access owners to separately encrypt and outsourcing their data to
control of electronic medical records and the semi-honest the cloud server. And by combining proxy re-encryption
and curious question of cloud servers, we constructed an and lazy re-encryption technology, the heavy system update
attribute-based encryption scheme for secure storage and workload is delegated to the resource-rich semi-trust cloud
access of electronic medical records in the IPFS storage servers during user revocation. However, in this scheme, it is
environment. Our scheme leverage IPFS as a storage platform impossible to verify whether the cloud server has returned
and the blockchain records the entire process of data storage all relevant results honestly, and also cannot verify their
and search, which provides strong evidence for medical dis- correctness. Guo et al. [12] proposed an access control archi-
putes and medical negligence. Our scheme has the following tecture named EHR for controlling access of electronic health
advantages: records which are stored in the semi-honest and curious
cloud server, they leverage CP-ABE technique to encrypt
A. SECURE CONTENT STORAGE medical data and assign different users with distinct right to
Our scheme stores medical data on a decentralized Inter- search. However, the correctness of lots of search results can-
Planetary file system (IPFS) rather than a semi-honest and not be verified, while a great deal of not corresponding results
curious cloud server, which further protects the privacy of returned by the server will waste resources. Su et al. [13]
medical data; Besides, IPFS allocates a unique hash for each proposed an attribute-based encryption scheme in the cloud
file, therefore, files can not be stored repeatedly while saving environment, which not only enables the server to decrease
storage space to a certain extent. the number of encryption and decryption of the attribute, but
also effectively protects the security of the data, and achieves
B. VERIFIABLE KEYWORD SEARCH effective to control data access; the VKSE scheme is proposed
In our scheme, on the one hand, users can quickly find the by Miao et al. [14] uses the access tree to implement the
corresponding medical records according to the specified access policy, which achieved fine-grained access control
keywords; on the other hand, users can also verify the orig- of data meanwhile supporting data search and verification.
inality of the medical records and track the source of the However, all the above schemes store data on a semi-honest
medical records. and curious cloud server. Once a single cloud model failure,
the entire cloud servers will be unavailable. Li et al. [15]
C. ACCESS CONTROL proposed an extended encryption scheme based on hierarchy
In order to prevent the unrelated person from viewing the attributes of files, which can encrypt multiple files at the same
patient’s medical history, we assign different access rights access level, enabling users in cloud storage to realize secure
based on user’s attribute. The user can decrypt the ciphertext and flexible access control, however, they solve the security
if and only if the user’s private key satisfies the access policy issues for central authority by using attribute encryption,
in the ciphertext. which makes their programs inefficient and unable to adapt
The rest of this paper is arranged as follows: In section II, to large multi-sector organizations and companies.
we introduce the related work of our scheme. In section III, The medical record is important data in the medical sys-
we present the background knowledge about our scheme. tem, and a perfect medical record is critical for the patient’s
Section IV gives the system model and security model of return to visit. Currently, some medical institutions use the
our scheme, Section V is the specific details of our scheme. attribute to encrypt electronic medical records and outsource
In Section VI, we show the security of the scheme and them to the cloud servers for management. Wang and Lin [16]
section VII analyzed the effectiveness and feasibility of our solve the problem of efficiency and security existing in
scheme. At last, we draw the conclusion of this whole paper. accessing control for personal health records (PHRs) through
the mobile client in the environment of the Cloud Storage,
II. RELATED WORKS they put forward a scheme for mobile applications’ access
Attribute-based encryption (ABE) can be separated into the policy of PHRs under a semi-trusted server framework,
key-policy attribute-based encryption(KP-ABE) [9] and the and handle the efficient and on-demand user revocation by
optimizing the existing MA-ABE program and introduc- TABLE 1. Symbols table.
ing lazy re-encryption and proxy re-encryption technology,
but there is no guarantee whether lazy re-encryption is
secure. Alshehri et al. [17] proposed a scheme for secure
access to medical data in a cloud environment by using
ciphertext-policy attribute-based encryption, which provides
effective control of access to medical data, but in this scheme,
the medical data stored in the cloud cannot be retrieved.
Subsequently, Xu et al. [18] proposed a dynamic medical
data storage scheme that supports the insertion and deletion of
medical data, but in this system, the originality and accuracy
of the searched data cannot be verified.
These schemes store all of the encrypted data on a cloud
server. However, the cloud server is centralized, once a single B. HARDNESS ASSUMPTIONS
cloud model is a failure, the entire cloud servers will be para- Definition 2 (Asymmetric Decision Bilinear Diffie-Hellman
lyzed and all data will be inaccessible. The InterPlanetary File (DBDH) Assumption [16]): Given the bilinear map param-
System (IPFS) is a decentralized storage protocol designed eters (G1 , G2 , p, g1 , g2 , e) and elements z1 , z2 , z3 , Z ∈ Zp∗
to solve the problem of excessive file redundancy. It has the and g1 ∈ G1 , g1 ∈ G2 be generators, the DBDH assump-
following advantages: (a)IPFS allocates a unique hash value tion is that the advantage of adversary in distinguish-
z
ing the tuple g1 , g2 , gz11 , gz12 , gz22 , g23 , e (g1 , g2 )z1 z2 z3 from
according to the file content instead of the location stored the z
file as its acquisition path, which prevents IPFS from repeat- the tuple g1 , g2 , gz11 , gz12 , gz22 , g23 , e (g1 , g2 )Z is negligible,
0
where the adversary s advantage is defined as
edly storing the same file and saving storage space. (b)IPFS
is a decentralized storage protocol, which can permanently
AdvDBDH
A 1k
save and share various types of files. (c)For high-frequency
z
= |Pr A g1 , g2 , gz11 , gz12 , gz22 , g23 , e (g1 , g2 )z1 z2 z3 = 1
request data, IPFS will create duplicate data according to
the previous request path. In the next request, these data
h i
z
− Pr A g1 , g2 , gz11 , gz12 , gz22 , g23 , e (g1 , g2 )Z = 1 |
can be read directly locally [19]. Therefore, IPFS is more
suitable as a storage platform for medical data than cloud Definition 3 (Decision Linear Assumption) [21]: Given
servers. Chen et al. [20] proposed an improved P2P file sys- the parameters (G1 , G2 , p, g1 , g2 , e) and elements z1 , z2 , z3 ,
tem scheme based on IPFS and blockchain, which present the z4 , Z ∈ Zp∗ be chosen at random and g1 ∈ G1 ,
role of content service providers to solve the high-throughput g2 ∈ G2 be generators. The D-Linear assumption named
issue of single users in IPFS. Zheng et al. [19] proposed an that the advantage of adversary in distinguishing the
z1 z2 z1 z1 z3 z2 z4 z1 z3 z3 +z4
innovative IPFS-based blockchain storage model, in which tuple g1 , g2 , g1 , g1 , g2 , g1 , g1 , g2 , g1 from the
miners store a large number of files in IPFS and store the
z1 z2 z1 z1 z3 z1 z3 z3 +z4
returned IPFS hash in blocks, Thereby reducing the load tuple g1 , g2 , g1 , g1 , g2 , g1 , Z , g2 , g1 is negligi-
0
ble, where the adversary s advantage is defined as
on the blockchain. Inspired by the above literature, we put
forward a scheme for encrypting electronic medical records
AdvD−L
A 1k
based on attributes, in which data is stored in IPFS and h i
z z z z z +z
the entire process of storage and search is recorded by the = |Pr A g1 , g2 , gz11 , gz12 , gz21 , g11 3 , gz12 z4 , g21 3 , g13 4 = 1
blockchain. h i
z z z z z +z
− Pr A g1 , g2 , gz11 , gz12 , gz21 , g11 3 , Z , g21 3 , g13 4 = 1 |
III. PRELIMINARIES Definition 4 (Asymmetric Decision Diffie-Hellman (DDH
In table 1, we give an explanation of the symbols which will 1v1) Assumption [13]): Given the bilinear map parameters
be used in our system. (G1 , G2 , p, g1 , g2 , e) and elements z1 , z2 , Z ∈ Zp∗ , the DDH
1v1 assumption states that the advantage of adversary in
z1 z2 z1 z2
A. BILINEAR MAP distinguishing the tuple g1 , g 2 , g1 , g 1 , g 2 from the tuple
g1 , g2 , gz11 , gz12 , gZ2 is negligible, where the adversary 0 s
Definition 1 (Bilinear Map [13]): Let G1 , G2 and GT be
three multiplicative cyclic groups of the prime order p, g1 , g2 advantage is defined as
be the generators of G1 and G2 , e : G1 × G2 −→ GT be the AdvDDH 1v1
1k = |Pr A g1 , g2 , gz11 , gz12 , gz21 z2 = 1
A
bilinear map which has several properties: h i
• Bilinearity: ∀g1 ∈ G1 , g2 ∈ G2 , ∀a, b ∈ Zp∗ , e ga1 , gb2 = − Pr A g1 , g2 , gz11 , gz12 , gZ2 = 1 |
e (g1 , g2 )ab .
• Non-degeneracy: ∃g1 ∈ G1 , g2 ∈ G2 , e (g1 , g2 ) 6 = 1. C. ACCESS STRUCTURE
• Computability: ∀g1 ∈ G1 , g2 ∈ G2 , e (g1 , g2 ) can be Threshold structure [8], tree-based access structure [10], [14],
effectively calculated. AND-gates [22] and linear secret sharing structure [23], [24]
FIGURE 2. Blockchain.
3) MEDICAL SYSTEM
is often used to achieve access control in attribute-based The medical system includes doctors and system smart
encryption scheme. Here, we exploit a series of AND-gates device, doctors in our system is responsible for encrypting
with multi-valued attributes like [25] as our access structure. and saving the medical records. He first runs the Encrypt
Definition 5 (Access Structure [21]): algorithms and Index algorithms to encrypt the medical
Let U = {att1 , att2, · · · , attm } be a set of attributes. For records and generate indexes for the keywords. Then the
each atti ∈ U , Li = vi,1 , vi,2 , · · · vi,mi is a set of possible ciphertext is stored in the IPFS, and finally, the hash of
values, where mi is the total of possible values for atti . Then the medical records and the hash address returned by the
let S = {S1 , S2 , · · · , Sm } be an attribute set of a user, where IPFS are recorded on the blockchain. The system smart
Si ∈ Li and W = (W1 , W2 , · · · , Wm ) be an access structure device is primarily responsible for the registration of all
where Wi ∈ Li . Note that S W , if the attribute set S meets personnel in the hospital, and their attributes (i.e. physi-
the access structure W , namely Si = Wi , i = (1, 2, · · · , m). cians, nurses, patients, researchers, etc.) identificaon, besides,
it also assigns secret private key associated with their attribute
IV. PROBLEM FORMULATIONS for registered personnel.
A. SYSTEM MODEL
There exist four main entities in our scheme, namely 4) DATA USER(DU)
Blockchain, InterPlanetary File System (IPFS), medical sys- The data user (DU) can be a doctor, a nurse, a researcher,
tem (including Doctors and system smart device), and data a patient, etc. Each DU can get a key pair assigned by the
user (DU). The data generated by the medical system will be system, which is associated with their attributes. In order to
stored in the IPFS while ensuring its privacy, searchability, search for a medical record, DU first needs to make a request
and verifiability. The main processes are shown in Figure 1. to the hospital. If the system smart device affirms that their
attributes meet the access policies, the system smart device
1) BLOCKCHAIN will return a token for them to search for the medical records
Blockchain is a novel application model that integrates decen- he needed.
tralized data storage, peer-to-peer transmission, consensus
mechanism, encryption algorithm, and other technologies. 5) WORK FLOW
Here, we leverage blockchain to record the storage and search For easy to understand, in our scheme, we instantiate a
process of medical data. Due to the immutability of the provably secure storage and access scheme for electronic
blockchain, the data stored on the blockchain cannot be arbi- medical records. Specifically, after a patient goes to the hos-
trarily modified. So it can be used as evidence for verifying pital system to register, the doctor diagnoses the condition
the originality and fluidity of the data. and generates a medical record. The doctor needs to save
the records so that the patient can return to visit his data
2) IPFS and the researcher can learn some details at any moment.
The InterPlanetary File System (IPFS) is a decentralized Since the medical records are related to the patient’s per-
storage protocol. It can permanently store and share various sonal privacy, the medical records must be encrypted before
types of files, and it will allocate a unique hash value based saving. The doctor encrypts and signs the medical records,
Selective Game for CP-ABE: attribute number {i|1 6 i 6 m}, the system generated
Init: Challenger gets two ciphertext policies W0 , W1 ai,t | 1 6 t 6 mi ∈ Zp∗ randomly, where mi is the total of
promised by the adversary. all possible values of i, ( For example, when i = 1 indicates
Setup: The challenger first inputs a security parameter λ a doctor, i = 2 indicates a nurse, and i = 3 indicates an
and gets the system public parameter, then the adversary gets expert, then m1 represents the total number of doctors, and
the public key pk0 from challenger by running the KeyGen m3 represents the total number of experts ); Finally it gets
algorithm. key mpk = {GP,
the public e(g1 , g2 ), H } and the master key
Phase 1: In the KeyGen query stage,if S W0 ∧ S W1 msk = g1 , g2 , α, β, σ, ai,t |1 6 t 6 mi , 1 6 i 6 m .
or S 2 W0 ∧ S 2 W1 , where S is the attribute of adversary, KeyGen: In this phase, The system generates the
then the adversary will gets the private key skS generated from public-private key pair for the Doctor and the private key
their attribute. This phase can be performed multiple times. pair for the DU; Doctor encrypts the medical records with his
challenge: The adversary begins the challenge stage by public key and stores it in the IPFS; DU generates a search
promising two records R0 and R1 . If the adversary got the skS request with its own search private key, then decrypts the
generated from their attribute S, meanwhile the attribute set S medical records with his secret private key which associate
satisfies both policies W0 and W1 in phase 1,then it is means with the set of his attribute.
that R0 = R1 . The challenger encrypts (sko , Rb , Wb ) by Setp1: Generating a public-private key pair for Doctor. The
β
flipping a random coin b. If b = 0, he encrypts (sko , R0 , W0 ) system first computes Y = e(g1 , g2 )α , B = g1 , u1 = gσ1 and
ai,t
and sends it to the adversary A, else, he encrypts (sko , R1 , W1 ) Ai,t = g1 , where 1 6 t 6 mi , 1 6 i 6 m. Then he gets the
and sends it to the adversary A. public-private key pair (pko , sko ) as following:
Phase 2: Similar to Phase 1. If R0 6 = R1 , the adversary
pko = Y , B, u1 , Ai,t |1 6 t 6 mi , 1 6 i 6 m
cannot submit S such that S W0 ∧ S W1 .
Guess: The adversary A makes a guess b0 , and the adver- sko = α, β, σ, ai,t |1 6 t 6 mi , 1 6 i 6 m
1
sary’s advantage in this game is Adv = |Pr b0 = b − |.
2 Setp2: Generating a private key for DU with attribute
The selective keywords attack (CKA) security games: S = [S1 , S2 , · · · , Sm ] = [v1,t1 , v2,t2 , · · · , vm,tm ]. The system
Init: Challenger gets a ciphertext policy W ∗ promised by randomly selects s ∈ Zp∗ , computing D1 = gs2 , u2 = gσ2 ,
the adversary. P s
ai,t
Setup: The challenger first inputs a security parameter λ ∀i,t∈s
and D2 = u2 g2 i ; Besides, the system selects two
and gets the system public parameter, and the adversary gets
the public key pk0 from challenger by running the KeyGen random numbers xi , λi ∈ Zp∗ , where 1 6 i 6 m lets x =
algorithm. m α+x
xi , and computes d0 = g2 β . For each attribute number
P
Phase 1: In the KeyGen query stage,If S W0 ∧S W1 or
i=1
S 2 W0 ∧ S 2 W1 , where S is the attribute of adversary. Then i xi +ai,t λi
the adversary will get the private key sku , This phase can be {i|1 6 i 6 m}, when Si = vi,ti , he computes di,1 = g2 ,
λi
performed multiple times di,2 = g2 , then it gets the private key pair (sku , skS ) as
challenge: The adversary begins the challenge algorithm following:
by promising two keywords w1 and w2 . The challenger
sku = {D1 , D2 }
encrypts wb by flipping a coin. If b = 0, he encrypts w1 ,
skS = d0 , di,1 , di,2 |1 6 i 6 m
otherwise he encrypts w2 . Then he sends the index to the
adversary A.
Encrypt: Doctor generates a medical record R for DU after
Phase 2: Similar to Phase 1.
he diagnoses the condition of DU, and then stores the medical
Guess: The adversary A makes a guess b0 , and the adver-
1 record R on IPFS. Firstly, in order to encrypt the medical
sary’s advantage in this game is Adv = |Pr b0 = b − |. record R, doctor designations the ciphertext policy as W =
2
[W1 , W2 , · · · , Wm ], for each attribute number {i|1 6 i 6 m},
m
V. OUR CONCRETE CONSTRUCTION he randomly selects ri ∈ Zp∗ , and lets r =
P
ri . He computes
In the medical system, registered users (i.e. doctors, nurses, i=1
patients, researchers, etc. ) can upload and search medical C 0 = R·Y r and C0 = Br at first, then he computes Ci,1 = gr1i ;
records. In our scheme, we instantiate a process of a patient If vi,t ∈ Wi , the doctor lets Ci,t,2 = Ari,ti , otherwise, let Ci,t,2
goes to hospital and then returns to visit. be a random element; Then the ciphertext is
Init: Given a security parameter λ, the system first out-
CT = C 0 , C0 , Ci,1 , Ci,t,2 |1 6 t 6 mi , 1 6 i 6 m
puts a system public parameter (G1 , G2 , GT , λ, e, p, g1 , g2 , ),
where G1 , G2 are two multiplicative cyclic groups of the Secondly, the Doctor signs the ciphertext CT :
prime order p, g1 , g2 are the generators of G1 , G2 and g1 ∈
G1 , g2 ∈ G2 , e : G1 × G2 → GT are the bilinear maps. H (CT ) σ
sigR = H (idR ) · g1
A collision resistant hash function is named as H : {0, 1}λ →
Zp∗ . Then system randomly select α, β, σ ∈ Zp∗ , for each where idR is the identifier of R.
Thirdly,the doctor stores CT ∗ = (CT , sigR ) in the IPFS, containing the keywords w0 = w01 , w02 , · · · , w0m . Then
and the IPFS returns a hash address h about CT ∗ ; system smart device returns a search token STw = (ID, h, γ )
Finally, doctor records the process of storing medical to DU, in which contains a block ID, a hash address h and a
records on the blockchain: He first hashes medical record random number γ . Otherwise, returns ⊥.
Verify1: DU can get the tuple hR , h0 from the blockchain
R with SHA256 hash function and gets hR = SHA256 hRi,
for hash address h, he randomly selects γ ∈ Zp∗ , and according to the block ID which is contained in the search
computes h0 = hγ . Next he stores the tuple hR , h0 on token STw . Then he computes h00 = hγ and compares it with
the blockchain by broadcasting a transaction and obtain the h0 to verify the correctness of h. If h00 = h0 , he leverages the
block ID. hash address hto download medical records containing the
Index: For the convenience of search, the Doctor needs keyword w0 = w01 , w02 , · · · , w0m from the IPFS.
to generate indexes for stored medical records. He first Decrypt: After DU gets the ciphertext
extracts the keyword w = {w1 , w2 , · · · , wm } from the med-
CT = C 0 , C0 , Ci,1 , Ci,t,2 |1 6 t 6 mi , 1 6 i 6 m ,
ical record R, then selects y ∈ Zp∗ and computes I1 =
y !y
H (w1 kw2 k · · · kwm ) Q he decrypts the ciphertext with his secure private key skS , for
g1 , I2 = u1 · Ai,t . Thus he can each attribute number {i|1 6 i 6 m}, Ci,2 0 = C
i,ti ,2 where
∀i,t∈Wi
get the index as {Iwj }j∈[1,m] = (I1 , I2 ). Si = vi,ti , then
Search: In this stage, DU wishes to search the keyword m
C0 · e Ci,1 , di,1
Q
w0 = w01 , w02 , · · · , w0m , the DU first sends a search request
i=1
to the hospital. The system smart device returns a search token R0 = m .
e (C0 , d0 ) · e Ci,20 , di,2
after it verifies the identity of the DU.
Q
Request: DU sends a request to the hospital containing i=1
the keyword w0 = w01 , w02 , · · · , w0m . He selects z ∈
z Verify2: The DU hashes medical record R0 with
0 kw0 k · · · kw0
SHA256 hash function and compares it with the hash value on
H w 1 2 m
∗
Zp randomly, and computes T1 = D1 , the blockchain. If h0R = hR , the medical record R0 is original
T2 = Dz2 . Then he sends the request (T1 , T2 ) to the and has not been tampered with.
hospital.
Test: After receiving the request from the DU, the sys- VI. SECURITY ANALYSES
tem smart device tests whether the DU has the right to A. CORRECTNESS
view the medical records containing the keywords w0 = During the search process, if the attributes set S =
w1 , w02 , · · · , w0m . The system smart device first judges
0
{S1 , S2 , · · · , Sm } satisfies the access policy W = {W1 ,
whether e (I1 , T2 ) is equal to e (I2 , T1 ), if (I1 , T2 ) = W2 , · · · , Wm }, where Wi ∈ Li , then,
e (I2 , T1 ), it means that the DU has the right to access y
the0 medical records which containing the keywords w0 = Y 0
z
H (w kw k···kwm )
0 0
w1 , w2 , · · · , w0m . Then the system smart device returns
0 e (I2 , T1 ) = e u1 · Ai,t , D1 1 2
a search token STw = (ID, h, γ ) to DU, in which ∀i,t∈Wi
contains a block ID, a hash address h and a random y
z
s·
number γ . (
H w01 kw02 k···kw0m )
= e gσ1 ·
Y a
g1i,t , g2
In terms of the equation e(I1 , T2 ) = e(I2 , T1 ), it is a ∀i,t∈Wi
matching of the request with the index. In the keyword index ysz
P
ai,t
generation process, the doctor encrypts m keywords to get σ ysz ∀i,t∈Wi
= e (g1 , g2 ) ( ) · e (g1 , g2 ) (
H w01 kw02 k···kw0m H w1 kw2 k···kw0m )
0 0
{Iwj }j∈[1,m] . In the request generation process, the DU sends a
search request (T1 , T2 ) containing m0 keywords to the system y
H (w kw k···kwm )
smart device of the hospital, particularly m0 6 m. When the e (I1 , T2 ) = e g1 1 2 , Dz2
system smart device obtained the request (T1 , T2 ), in order to P sz
y ai,t
hold the above equation, the system smart device randomly H (w1 kw2 k···kwm )
, gσ2 · g2
∀i,t∈Wi
choose m0 index from {Iwj }j∈[1,m] and perform multiplica- = e g1
tion operations. According to the mathematical statistics and P
probability theory, the total number of random selections is ysz
∀i,t∈Wi
ai,t
0 0 +1) yσ sz
Cmm = m(m−1)(m−2)···(m−m m0 ! . Then, system smart device = e (g1 , g2 ) H (w1 kw2 k···kwm )
· e (g1 , g2 ) H (w1 kw2 k···kwm )
During the decryption process, if attributes set S = For each attribute number {i|1 6 i 6 m}, the simula-
{S1 , S2 , · · · , Sm } satisfies the access policy W = tor B generates Ai,t |1 6 t 6 mi , if vi,t ∈ Wb,i , the sim-
a
{W1 , W2 , · · · , Wm }, where Wi ∈ Li , then, ulator B sets Ai,t =n g1i,t . Otherwise,the osimulator B sets
z a
m Ai,t = g11 i,t , where ai,t ∈ Zp∗ |1 6 t 6 mi is selected ran-
C0 · e Ci,1 , di,1
Q
i=1
domly. Finally the simulator B publishes public parameters
R0 = Y , B, u1 , Ai,t |1 6 t 6 mi , 1 6 i 6 m .
m
e (C0 , d0 ) · 0 ,d
Q
e Ci,2 i,2 Phase1: Adversary A promises an attribute set S =
i=1 [S1 , S2 , · · · , Sm ] in a secret key query stage. In our definition,
m xi +ai,ti λi
R · e (g1 , g2 )αr · e gr1i , g2 if S 2 W0 ∧S 2 W1 , then R0 is equal with R1 , under this situa-
Q
tion, the game G and game G0 are the equal, So the difference
= α+x
i=1m
βr about the advantage of adversary A between game G and in
e g1i,t i , gλ2 i
β a r
e g1 , g2
Q
· game G0 is equal. At this point simulator B ends the game
i=1
and makes a guess randomly. Therefor, we only consider the
R · e (g1 , g2 )αr · e (g1 , g2 )rx+rai,t λi
= case: S 2 W0 ∧ S 2 W1 . When S 2 W0 ∧ S 2 W1 , there
e (g1 , g2 )rα+rx · e (g1 , g2 )ai,t rλi certainly exist y ∈ {1, 2, · · · , m} such that Sy = vy,ty ∈ / Wb,y .
=R For each attribute number {i|1 6 i 6 m}, simulator B
selects λi , xi0 ∈ Zp∗ at random, then sets x = x 0 − z1 z2 and
B. SECURITY PROOF m m
xi0 − z1 z2 , so the component of the secret key
P P
1) SECURITY PROOF OF ENCRYPTED DATA x= xi =
i=1 i=1
At the beginning of the game, the adversary promises two can be computed as
challenge policies W0, W1 . We use the notation Wb = m m
xi0 −z1 z2 xi0
P P
z1 z2 +
Wb,1 , Wb,2 , · · · , Wb,m to express them, where b ∈ {0, 1}. α+x i=1 i=1
β z2 z2
According to the proof in the literature [26], no adversary can d0 = g2 = g2 = g2
win the original game G. Therefore, we prove the security of yk +ay,ty λy xy0 +z1 z2 +ay,ty λy x 0 +ay,ty λ0y
our scheme by leveraging the indistinguishability of follow- dy,1 = g2 = g2 = g2y ,
ing games G, G0 , · · · , Gl−1 , Gl . where
First, We get a new game G0 by changing the way of Z1 Z2
ciphertext component in game G, In game G0 , if the adver- λy = λ0y + ;
ay,ty
sary did not obtain the skS generated from their attribute S λ
such that S W0 ∧ S W1 , then no matter what the dy,2 = g2 y .
b is, the adversary chosen a random number in GT as the 0
ciphtertext component C 0 , and the rest of the components are When i 6 = y, it sets x = x , simulator B also can compute
d0 , di,1 , di,2 without any difficult.
unchanged. If the adversary obtain the skS generated from challenge: Adversary A promises two challenge records
their attribute S satisfying S W0 ∧ S W1 , then no matter R0 and R1 . Simulator B flips a coin b, b ∈ {0, 1}, and sets
what the b is, the adversary generates component C 0 is same C 0 = Rb · Z r , C0 = Br = gz12 r . For Wb ,nif vi,t ∈oWb,i , then
as in game G. That is to say, G = G0 in this case.
simulator B generates Ci,1 , Ci,t,2 = gr1i , Ari,ti correctly
Theorem 1: In the setting of the security parameter k,
the difference for the advantage of adversary A between game because Ai,t does not contain unknown z1 , else if vi,t ∈ / Wb,t ,
G and game G0 is negligible according to the assumption of then he can choose a random number as the components
asymmetric DBDH. Ci,1 , Ci,t,2 .
Proof: The simulator given an asymmetric DBDH chal- Phase 2: Similar as Phase 1.
lenge tuple Guess: Adversary A makes a guess b0 . If b0 = b, adversary
h i A is running in game G, Z = e (g1 , g2 )z1 z2 z3 and otherwise A
Z
g1 , g2 , gZ1 1 , gZ1 2 , gZ2 2 , g2 3 , Z , is running in game G0 , Z is random. Therefore, through our
assumption, the simulator B can win the asymmetric DBDH
where Z = e (g1 , g2 )Z1 Z2 Z3 or a random number with same game with the advantage ε.
probability. Next, we continue to change the way of ciphertext com-
Init: The adversary A promises two challenge ciphertext ponents generated in game G0 and to get a new game. For
policies W0 and W1 to simulator B, then B flips a random each vi,t in the game Gl−1 , when vi,t ∈ W0,t ∧ vi,t ∈ W1,t or
coin b, in which b ∈ {0, 1}. If b = 1, then Z = e(g1 , g2 )z1 z2 z3 , vi,t ∈/ W0,t ∧ vi,t ∈/ W1,t , we generate ciphertext components
else Z is a random element. {Ci,1 , Ci,t,2 } normally, and when vi,t ∈ W0,t ∧ vi,t ∈/ W1,t or
Setup: The simulator B first inputs a security parameter λ vi,t ∈/ W0,t ∧vi,t ∈ W1,t , no matter what value the random coin
and gets the system public parameter. Then he runs KeyGen b is, we choose the random number in the game Gl to replace
algorithm and generates the public key pko for adversary A. the ciphertext components {Ci,1 , Ci,t,2 } generated normally
The simulator B first sets Y = e (g1 , g2 )z1 z2 , B = gz12 , in the game Gl−1 . We replace the ciphertext component nor-
z
u1 = g13 , this implies α = z1 z2 , β = z2 , σ = z3 . mally generated in the previous game with the random value
from the next game until there is no vi,t ∈ W0,t ∧vi,t ∈ / W1,t or where
/ W0,t ∧vi,t ∈ W1,t . Every time we replace it, a new game
vi,t ∈ ail ,tl λil
is formed. In the last game, due to the ciphertext components λy = λ0y − ;
ay,ty
are in the same distribution, so the adversary’s advantage is 0.
λ
And then we can embed the D-Linear challenge in this way, dy,2 = g2 y .
so the distinction of the game Gl and the game Gl−1 is called
D-Linear challenge. Also, when i 6 = il or y, simulator B can also compute
Theorem 2: In the setting of the security parameters k. The di,1 , di,2 easily. Finally
difference about the advantages of adversary A between game m m
Gl−1 and the game Gl is negligible according to the D-Linear
X X
x = xi = xil + xy + xi
assumption. i=1 i6=il ,y
Proof: The challenger given a D-Linear challenge tuple m
X
h
z z z z z +z
i = xi0l − ail ,tl λil + xy0 + xi
g1 , g2 , gz11 , gz12 , gz21 , g11 3 , Z , g21 3 , g13 4 ,
i6=il ,y
m
where Z = g1z2 z4or Z is a random number with same proba-
X
= xi0l + xy0 + xi
bility. we might as well assume that vi,t ∈ W0,t ∧ vi,t ∈ / W1,t . i6=il ,y
Init: The adversary A promises two challenge ciphertext
policies W0 and W1 to simulator B, then B flips a coin b α+x
he can compute the component d0 = with ease.
randomly, b ∈ {0, 1}. If b = 0, simulator B ends the challenge β
and makes a guess randomly, Clearly, in our definition, for- Challenge: Adversary A promises two challenge records
βr z (z +z )
mula b = 0 means vil ,tl ∈ W1,il ∧vil ,tl ∈ / W0,il , then it obvious R0 and R1 , simulator B sets C0 = g1 = g12 3 4 , this
that Gl−1 = Gl . Because the distribution of ciphertext in implies r = z3 + z4 . If S satisfies S 2 W0 ∧ S 2 W1 in
game Gl−1 and in game Gl are same, so there is no advantage each query, B choose a random number as C 0 , otherwise B
b · e (g1 , g2 )
z1 (z3 +z4 )
for adversary A between the game Gl−1 and game Gl . Thus, lets C 0 = R . For Wb , the ciphertext
we need to assume b = 1. components Ci,1 , Ci,t,2 |1 6 i 6 m, 1 6 t 6 mi are gener-
Setup: The simulator B first inputs a security parameter λ ated as game Gl−1 , additional components Cil ,1 , Cil ,tl ,2 are
and gets the system public parameter, then he runs KeyGen computed as
algorithm and generates the public key pko for adversary A. ri
The simulator B first sets Y = e (g1 , g2 )z1 , B = g13 , u1 =
z Cil ,1 = g1 l = gz14
z2 z3 α ri
g1 , this implies α = z1 , β = z3 , σ = z2 z3 . For each ri i ,t
Cil ,tl ,2 = Ail l,tl = g1 l l
l
=Z
attribute number {i|1 6 i 6 m}, Ai,t |1 6 t 6 mi is gen-
erated by the simulator B. If vi,t ∈ Wb,i , the simulator B sets
α z α It is implies ril = z4 , αil ,tl ril = z2 z4 and Z = gz12 z4 .
Ai,t = g1 i,t ; Else, he sets Ai,t = g11 i,t , where αi,t ∈ Zp∗ |1 6 If Z = gz12 z4 , the ciphertext components are generated prop-
t 6 mi is random. Finally
the simulator B publishes public erly and adversary A just runs game Gl−1 .
parameters as Y , B, u1 , Ai,t |1 6 t 6 ni , 1 6 i 6 m .
Phase 2: Similar as Phase 1.
Phase 1: Adversary A promises an attribute set S = Guess: Adversary A makes a guess b0 . If b0 = b, adversary
[S1 , S2 , · · · , Sm ] in a secret key query stage. If Sil ,tl ∈/ vil ,tl , A runs game Gl−1 , Z = gz12 z4 and otherwise A runs game Gl ,
simulator B can compute the secret key dil ,1 , dil ,2 without
Z is random. Therefore, through our assumptions, the advan-
any difficult. Then we assume Sil ,tl = vil ,tl , and simulator B tage of the simulator B is ε during running the D-Linear
computes the components dil ,1 , dil ,2 as follows: game.
xi +ail ,tl λil xi0
dil ,1 = g2 l = g2 l , 2) CHOSEN KEYWORDS ATTACK (CKA) SECURITY
Theorem 3: Under the asymmetric DDH1v1 assumption,
where
it is negligible that the advantage of any polynomial adversary
xil = xi0l − ail ,tl λil A to break the CKA game, then challenger can construct a
λi simulator B such that B 2can
win the DDH1v1 game with the
dil ,2 = g2 l . ε N Pm
advantage of 1− , where N = mi [27].
2 P
Now, we assume S 2 W0 ∧ S 2 W1 , because Sil = vil ,tl ∈ / Proof: Simulator
i=1
Bis given an asymmetric DDH1v1
W1−b,il , that is to say S 2 W1−b , therefore S 2 Wb , so there z2
z1 z1
certainly exist y ∈ {1, 2, · · · , m} satisfying Sy = vy,ty ∈ / Wb,y . tuple g1 , g2 , g1 , g1 , Z .
Then B sets x y = x 0 +a
y i l ,t l λ i l and computes the components Init: The simulator B gives a security parameter λ and
dy,1 , dy,2 as follows:
gets the system public parameter, and then B runs KeyGen
algorithm. The adversary A promises an access policy W ∗ =
xy +ay,ty λy x 0 +ail ,tl λil +ay,ty λy x 0 +ay,ty λ0y
= g2y = g2y , W1 , W2 , · · · , Wm to simulator B.
∗ ∗ ∗
dy,1 = g2
Setup: Simulator B selects a0i,t ∈ ZP∗ at random, where If Z = gz2 , I is not a correct index, the advantage of A is 0,
1 6 i 6 m, 1 6 t 6 mi , and computes thus
0
Adv B → ‘‘random00 |Z = gz2
ai,t
ai,t g1 , vi,t ∈ W ∗
Ai,t = g1 = 0
= Adv b0 = b|Z = gz2
gz2 ai,t , vi,t ∈
/ W∗
1
1
Then simulator B publishes public parameter as =
2
g1 , g2 , α, β, σ, ai,t |1 6 i 6 n, 1 6 t 6 mi .
According to the above information in the DDH game,
ε N2
Phase 1: The adversary A promises an attribute set S = the advantage of B is 1− under the DDH game.
2 P
[S1 , S2 , · · · , Sm ] to simulator B. B computes
X X X
ai,t = ai,t + ai,t VII. PERFORMANCE ANALYSIS
∀i,t∈S ∀i,t∈W ∗ / ∗
∀i,t ∈W A. FUNCTION COMPARISON
X X We compared some existing schemes with our scheme in
= a0i,t +b ai,t
decentralizing, keyword search, verifiable search results, and
∀i,t∈W ∗ / ∗
∀i,t ∈W
search privacy, as shown in Table 2. The symbol ‘‘X’’ indi-
= A1 + bA2
cates that the scheme has this function, and ‘‘×’’ indicates
next he selects
P s! ∈ ZP∗ randomly and computes D1 = gs2 , the opposite case. As can be seen from the table, scheme [14]
ai,t s and scheme [30] dont meet the feature of decentralizing,
A s
= gσ2 gA2 1 gb2 2 , finally he sends
∀i,t∈S
D2 = u2 g2 and scheme [14] supports the search results verifiable; The
schemes [28] and [29] cannot verify search results; our
(D1 , D2 ) to adversary A. Adversary A generates an access
scheme is more powerful and can support the above features
request with this search private key during the search phase.
at the same time. These features make our scheme more
Challenge: Adversary A submits two keywords w1 , w2 ,
suitable for practical applications.
the simulator B encrypts wb by flipping a coin b at random.
, , · · · , w0,m , and
Note that if b = 0, then w b = w0,1 w0,2
B. STORAGE COST COMPARISON
if b = 1, then wb = w1,1 , w1,2 , · · · , w1,m . Simulator B
1 In order to compare the storage costs in the three schemes,
sets y = z1 z2 , then he computes
!y T1 P= Z H (wb,1 kwb,2 k···kwb,m ) we first define some symbols, we set |G|, |G0 |, |GT | to
σ+ a0i,t represent the bit length of an element in group G, G0 , and GT ,
Ai,t = Z ∀i,t∈W ∗ simultaneously.
Q
and T2 = u1 respectively. Meanwhile, we use symbol|Zp | to denote the bit
∀i,t∈W ∗
Then he sends the request (T1 , T2 ) to adversary A. length of an element in filed Zp , symbol |S| to represent the
Phase 2: Similar as Phase 1. number of the DU’s attribute. The storage cost of the three
Guess: Adversary A makes a guess b0 , if b0 = b, scheme as shown in Table 3.
B responds DDH and otherwise he responds random. From Table 3 we can know that although our scheme has
If Z = g2z1 z2 , I is a correct index, and the advantage of A higher storage cost in KeyGen algorithm than scheme [14]
is ε, thus and scheme [11], the storage cost in Setup/Init, Trap/Index
and Search is all significantly lower than them.
Adv B → ‘‘DDH 00 |Z = g2z1 z2
In Alice’s example, according to the experiment simulation
= Adv b0 = b|Z = gz21 z2
in our scheme, we set | Zp |= 160 bit,| G1 |=| G2 |=| GT |=
1 1024 bit, thus the storage cost in Setup algorithm, KeyGen
= +ε
2 algorithm, Index algorithm, Search algorithm, and Verify
59398 VOLUME 8, 2020
J. Sun et al.: Blockchain-Based Secure Storage and Access Scheme For Electronic Medical Records in IPFS
FIGURE 4. The storage and computational costs analysis obout different algorithm in our scheme, VKSE scheme and
ABKS-UR scheme respectively.(a)Setup generations time.(b)KeyGen generations time.(c)Index generations time.(d)Search
generations time.(e)Storage cost of Setup. (f)Storage cost of KegGen.(g)Storage cost of Index.(h)Storage cost of Search.
algorithm is 3008 bit, 21504 bit, 4096 bit, 5120 bit and operation OE1 in group G1 and exponential operation OE2 in
160 bit, respectively. So, the storage cost of the example is group G2 ).
33888bit. From Table 4, it obvious that our scheme is most efficient
in the Init, Index and Search algorithms except the KeyGen
algorithm. In addition, during that the Verify algorithm based
C. COMPUTATIONAL COST COMPARISON the different result verification mechanism, so we analyzed
To analyze the computational costs of the three schemes, the computational cost just in our scheme and the VKSE
we first define some time-consuming operation symbols, scheme.
namely bilinear pairing operation OP , exponentiation opera- From the above information, we can conclude that our
tions OE (exponential operation OE0 in group G0 , exponential scheme enables access control without increasing additional
[24] Y. S. Rao and R. Dutta, ‘‘Computational friendly attribute-based encryp- XIAOMIN YAO was born in Gansu, China,
tions with short ciphertext,’’ Theor. Comput. Sci., vol. 668, pp. 1–26, in 1994. She received the B.S. degree from Tian-
Mar. 2017. shui Normal University, in 2018. She is currently
[25] H. Su, Z. Zhu, L. Sun, and N. Pan, ‘‘Practical searchable CP-ABE in pursuing the M.S. degree with the Xi’an Univer-
cloud storage,’’ in Proc. 2nd IEEE Int. Conf. Comput. Commun. (ICCC), sity of Technology. Her research interests include
Chengdu, China, Oct. 2016, pp. 180–185. cryptography and information security.
[26] J. Bethencourt, A. Sahai, and B. Waters, ‘‘Ciphertext-policy attribute-based
encryption,’’ in Proc. IEEE Symp. Secur. Privacy (SP), Berkeley, CA, USA,
May 2007, pp. 321–334.
[27] V. Goyal, O. Pandey, A. Sahai, and B. Waters, ‘‘Attribute-based encryption
for fine-grained access control of encrypted data,’’ in Proc. 13th ACM Conf.
Comput. Commun. Secur. (CCS), Alexandria, VI, USA, 2006, pp. 89–98.
[28] P. Jiang, F. Guo, K. Liang, J. Lai, and Q. Wen, ‘‘Searchain: Blockchain-
based private keyword search in decentralized storage,’’ Future Gener.
Comput. Syst., vol. 107, pp. 781–792, Jun. 2020. SHANGPING WANG was born in Shaanxi,
[29] H. G. Do and W. K. Ng, ‘‘Blockchain-based system for secure data storage China, in 1963. He received the B.S. degree from
with private keyword search,’’ presented at the IEEE World Congr. Services the Xi’an University of Technology, in 1982,
(SERVICES), Jun. 2017, doi: 10.1109/SERVICES.2017.23. the M.S. degree from Xi’an Jiaotong University,
[30] N. H. Sultan, N. Kaaniche, M. Laurent, and F. A. Barbhuiya, ‘‘Autho- in 1989, and the Ph.D. degree from Xidian Uni-
rized keyword search over outsourced encrypted data in cloud environ- versity, in 2003. He is currently a Professor with
ment,’’ IEEE Trans. Cloud Comput., early access, Jul. 30, 2019, doi:
the Xi’an University of Technology. His research
10.1109/TCC.2019.2931896.
interests include cryptography, information secu-
rity, blockchain, and the Internet of Things.
JIN SUN was born in Anhui, China, in 1977. YING WU was born in Shandong, China, in 1997.
She received the B.S. degree from Shaanxi Nor- She received the B.S. degree from Qufu Normal
mal University, in 2000, the M.S. degree from University, in 2019. She is currently pursuing the
the Xi’an University of Technology, in 2005, and M.S. degree with the Xi’an University of Technol-
the Ph.D. degree from Xidian University, in 2012. ogy. Her research interests include cryptography,
She is currently an Associate Professor with the information security, and blockchain.
Xi’an University of Technology. Her research
interests include cryptography, information secu-
rity, network security, and blockchain.