PRIVACY-FRIENDLY FLEXIBLE IOT HEALTH DATA PROCESSING WITH USER-CENTRIC ACCESS CONTROL
Khlood Jastaniah, Ning Zhang, and Mustafa A. Mustafa

arXiv:2203.00465v1 [cs.CR] 1 Mar 2022

K. Jastaniah was supported by The University of Jeddah funded by the Saudi Government Scholarship. M. A. Mustafa was supported by the Dame Kathleen Ollerenshaw Fellowship and by the EPSRC through the projects EnnCore EP/T026995/1 and SCorCH EP/V000497/1.
K. Jastaniah, N. Zhang, and M.A. Mustafa are with the Department of Computer Science, The University of Manchester, Manchester, UK, e-mail: {khlood.jastaniah, ning.zhang-2, mustafa.mustafa}@manchester.ac.uk. M.A. Mustafa is also with imec-COSIC, KU Leuven, Leuven, Belgium.
Manuscript received xxx xx, 2021; revised xxx xx, 2021.

Abstract—This paper proposes a novel Single and Multiple user(s) data Aggregation (SAMA) scheme designed to support privacy-preserving aggregation of health data collected from users' IoT wearables. SAMA also deploys a user-centric approach to support flexible fine-grain access control. It achieves this by deploying two key ideas. First, it uses a multi-key homomorphic cryptosystem (variant Paillier) to allow flexibility in accommodating both single- and multi-user data processing as well as preserving the privacy of users while processing their IoT health data. Second, it uses ciphertext-policy attribute-based encryption to support flexible access control, which ensures users are able to grant data access securely and selectively. Formal security and privacy analyses have shown that SAMA supports data confidentiality and authorisation. The scheme has also been analysed in terms of computational and communication overheads to demonstrate that it is more efficient than the relevant state-of-the-art solutions.

Index Terms—IoT, wearable, Multi-key Homomorphic encryption, Attribute based encryption, Access control, Privacy.

I. INTRODUCTION

IoT wearable devices are becoming mainstream as people realize the benefits they bring to their lives, along with their low and affordable prices due to the rapid development of sensors, wireless communication, and cloud computing technologies. These devices are equipped with sensors and communication capabilities to collect (in real time) users' health-related data (e.g., heart rate, oxygen saturation), activities (e.g., step count, sleep quality), and environment (e.g., location, humidity) [1]. Modern healthcare systems can utilize data generated from IoT wearable devices to support analytic models. Such models could be used to provide services (i) to individuals, e.g., personalized treatments such as monitoring a patient remotely and diagnosing diseases early by detecting health anomalies, and (ii) to the wider public for purposes such as predicting the spread of disease by analysing data collected from multiple individuals [2], [3]. For instance, a study by the Stanford Healthcare Innovation Lab [4] uses data collected from many commercial wearables, such as Apple Watch and Fitbit, to identify symptoms of people infected with Coronavirus at an early stage and also record the geographic spread of the virus. Moreover, many data recipients, including healthcare providers, researchers, insurance companies, family members, and friends may need to have (or benefit from having) access to the results of these analytic models. Therefore, healthcare systems should support wearable data processing and sharing with multiple and diverse data recipients [5].

Healthcare provision via wearable devices has led to an increased number of applications that collect, store and analyse (usually with the assistance of cloud providers) users' sensitive wearable data at an unprecedented scale and depth [2], [6], [7]. However, this approach comes with mounting concerns over users' data privacy (data confidentiality). The concerns lead to two major issues. First, although data collection could be done via secure channels, processing of user wearable data is typically performed in plaintext and governed by service providers who may outsource/disclose the wearable data or analytic results to third parties [8], [9]. Second, users have no control over who accesses and shares the collected and processed data [10]–[12]. In addition, unauthorised exposure of personal health data violates the GDPR [13] and HIPAA [14] regulations, which advocate for users' privacy protection and access control. Therefore, it is important to achieve secure data processing and sharing by adopting a user-centric approach, which puts access control over data in the hands of users rather than service providers.

There are already attempts to tackle the aforementioned issues, which can be generalised into two approaches. The first approach is based on homomorphic encryption schemes, while the second approach uses attribute-based encryption schemes. Existing solutions related to the first approach either support secure data processing over data collected only from a single user [15]–[20] or only from multiple users [12], [21]–[26], but they do not efficiently support system models for both single and multiple user data processing scenarios. In addition, the solutions using the second approach [11], [12], [27]–[29] assume that data processing entities – typically third-party service providers – are trustworthy.

In modern healthcare systems, the enormous amount of sensitive wearable health data generated and some of the processing jobs are typically outsourced or delegated to third-party service providers, such as cloud providers, due to users' constrained devices. In such cases, measures should be in place such that any threats from the third-party service providers can be addressed. Moreover, data owners should define fine-grained access control to both raw data and computed/aggregated data and specify who can access which data items (i.e., user-centric access control). In addition, there are multiple entities (e.g., healthcare professionals, researchers) who need to process and access different sets of data of specific individuals and/or of a group of people for different
legitimate purposes [2], [12], and both types of data processing and access (single and multiple users' data) should be supported and granted based on a user-centric approach [8]. Therefore, there is a need for secure data processing that can accommodate single and multiple user data cases, while supporting user-centric fine-grained data access capabilities.

To fill in this research gap, we propose a novel privacy-preserving Single And Multiple user data Aggregation (SAMA) scheme that supports single and multiple users' data processing over encrypted data and realises data sharing with fine-grain access control based on a user-centric approach. To the best of our knowledge, this paper is the first attempt to combine single and multiple users' data processing and sharing of the processing results across multiple entities with the focus on a user-centric design approach. To this end, the novel contributions of this work are three-fold:

• The design of SAMA – a novel privacy-preserving scheme to support secure aggregation of data collected from both single and multiple users and secure data sharing with fine-grain access control based on a user-centric approach. The secure aggregation of data is ensured by using the variant Paillier homomorphic encryption (VP-HE) scheme in a multi-key environment, such that data from individual owners (users) are encrypted by multiple users' public keys in a twin-cloud architecture and data processing can be carried out over the encrypted data. The fine-grained access control of the processing result is supported by using Ciphertext-policy Attribute-based Encryption (CP-ABE), which gives data owners full control of the access rights over their data.
• The investigation of the SAMA scheme both theoretically (in terms of security) and through simulation (in terms of computational and communication costs) – our results indicate that SAMA satisfies the specified set of security and privacy requirements with lower computational and communication cost on the user and data recipient side compared with [30].

The rest of this paper is organised as follows. Section II discusses the related work. Sections III and IV show the design preliminaries and the main building blocks used in the design of SAMA. This is followed by a detailed design of the SAMA scheme in Section V. Sections VI and VII detail SAMA's security/privacy analysis and performance evaluation, respectively. Finally, Section VIII concludes the paper. The acronyms used in the paper are shown in Table I.

TABLE I: Acronyms.
  Acronym  Meaning
  SAMA     Single And Multiple User Data Aggregation
  DR       Data Recipient
  CSP      Cloud Service Provider
  KA       Key Authority
  HE       Homomorphic Encryption
  PE       Paillier Encryption
  VP-HE    Variant Paillier Homomorphic Encryption
  ABE      Attribute Based Encryption
  CP-ABE   Ciphertext-Policy Attribute Based Encryption

II. RELATED WORK

Efforts have already been made to preserve the confidentiality of user data while data is being processed, by deploying different advanced cryptographic techniques. One of the most widely used techniques is Homomorphic Encryption (HE), which allows operations on encrypted data. There are mainly two types of HE schemes: Fully HE (FHE) and partial HE (PHE). FHE schemes support an arbitrary number of operations over encrypted data [31]. However, they are still impractical as they require high computational resources. Hence they are not suitable for use in wearable/portable devices that have limited computational capabilities. PHE schemes, on the other hand, support a limited number of operations, addition or multiplication, on encrypted data. Such PHE schemes (e.g., Paillier [32]) are suitable for resource-constrained devices.

Some of the existing schemes that deploy HE [15]–[20] have considered secure processing of data provided only by one (single) user, while other schemes [12], [21]–[26] support secure processing of data coming only from different (multiple) users. However, in modern healthcare systems, in many cases, data recipients need to access the processing results of both single and multiple users' data. In such cases, the use of the above schemes has limitations. Firstly, HE proposals cannot efficiently support both single and multiple users' data processing scenarios. Secondly, HE cannot support data sharing with multiple data recipients who require access to the same processing result.

To support secure and user-centric access control, there are proposals [11], [12], [27]–[29] adopting ABE schemes [33]. These proposals allow users to choose who can access their data, hence supporting fine-grained access control and multi-user access. ABE schemes can be classified into two types: ciphertext-policy ABE (CP-ABE) [34] and key-policy ABE (KP-ABE) [35] schemes. The main difference between the two types is the following. In the CP-ABE scheme, access structures are embedded in ciphertexts and users' attributes are embedded in the users' private keys, while with the KP-ABE scheme, the access structure is associated with the private keys of users and the ciphertexts are associated with attributes. Therefore, with KP-ABE schemes, users do not have control over who can access the data; they can only control attribute assignments [34]. ABE schemes, on their own, do not support computations over encrypted data.

There are some existing proposals which combine secure data processing with access control. Ding et al. [30], [36] proposed flexible access control over the computation results of encrypted multiple users' data by combining ABE with HE schemes. The computation supports addition, subtraction, multiplication, division, etc. However, these proposals do not efficiently support processing over data of both single and multiple user(s), nor user-centric access control. Ruj and Nayak [37] combined Paillier HE with ABE to support privacy-preserving data aggregation and access control in the smart grid. However, in their proposal, the aggregated data needs to be decrypted and then re-encrypted with an access policy by a trusted authority, hence this solution places unconditional
trust on the data manager. Tang et al. [38] proposed privacy-preserving fog-assisted health data sharing that supports a flexible user-centric approach using ABE. Patients send the abnormal values encrypted by a symmetric encryption scheme and define the access policy by encrypting the symmetric key with ABE. It also supports naive Bayes disease classification over the encrypted data at the fog node; however, it does not effectively support processing over data from multiple users. Pang and Wang [39] propose privacy-preserving data mining operations on outsourced data from multiple parties under multi-key environments using VP-HE. The proposal supports sharing of processed data only with a data recipient (miner); however, it does not support user-centric and fine-grained data sharing with multiple users.

In summary, the state-of-the-art research in privacy-preserving data processing either focuses on single-user or on multiple-user(s) data processing; it does not support both use cases systematically. Furthermore, there are limited efforts on exploring the integration of privacy-preserving data processing with fine-grained user-centric access control to support secure data processing and secure data sharing among multiple users. This paper aims to address this knowledge gap, to design a solution that can efficiently support both single and multiple user data processing and fine-grained data sharing in a user-centric manner while protecting users' (data owners') data privacy.

III. PRELIMINARIES

In this section, we introduce the system and threat model, assumptions, notations, and design requirements of SAMA.

A. System Model

The system model used by SAMA consists of the following entities (see Fig. 1). Users are data owners who possess wearables and are willing to share the data collected from their wearables with various data recipients for their own personal benefit or for the collective benefit of society. Users' wearable data is usually collected and shared via their smartphone (gateway). Data recipients (DRs) are data consumers who wish to utilise users' wearable data in order to provide (personalised) services to users or society. Example DRs could be individuals such as the users themselves, their family members, friends, professionals (e.g., named GPs), or organisations such as hospitals, research centers, insurance companies, charities, etc. Two cloud service providers store and process data on behalf of users: Cloud A (CSPA) provides users with storage and processing for users' data and manages access requests, while Cloud B (CSPB) cooperates with CSPA in data computations and access control. A Key Authority (KA) plays the role of a key management organisation.

[Fig. 1: System model of the SAMA scheme. The figure shows Users, the Key Authority, the two Cloud Providers (CSPA and CSPB) and the Data Recipients, grouped as Service Providers: an insurance company (insurance staff), a research institute (researchers) and a hospital acting as healthcare provider (doctor, nurse, pharmacist, lab worker).]

B. Threat Model

This section describes the threat model of the proposed SAMA scheme as follows. Users are trustworthy but curious. They outsource correct wearable data to cloud providers but are keen to learn other users' data. DRs are also trustworthy but curious. They make legitimate requests to access users' data, but they may be curious to access or find out other users' data. The CSPs are semi-honest (honest-but-curious) entities. They follow the protocol as per the specifications, yet they are curious about the sensitive information of users or any aggregated user data. The KA is considered a trustworthy entity. It performs all its duties honestly and never colludes with any other entities. The external adversary, bounded by computational resources (not having access to quantum computers), is considered untrustworthy or even malicious. External attackers may utilize different kinds of network eavesdropping attacks and/or modify the data in transit, or try to gain unauthorized access in an attempt to disrupt the system or the cloud servers.

C. Assumptions

The following assumptions are considered in the SAMA design. The communication channels among all entities are encrypted and authenticated. CSPA and CSPB do not collude with each other or with any other entities, as they have a legal responsibility to prevent leakage of the users' sensitive data. All entities' identities are verified by the key authority before they obtain the encryption and decryption keys.

D. Design Requirements

The proposed system should satisfy the following functional, security and privacy, and performance requirements.

1) Functional Requirements:
(F1) Flexible data processing: SAMA should support both single and multiple user(s) data aggregation using the same system model and without substantially increasing the computational and communication overhead.
(F2) Fine-grain access control: SAMA should support a flexible access policy for users and facilitate granting different access rights to a set of data recipients.
(F3) User-centric: each user should control who is authorized to access the raw data collected from their wearables as well as the aggregated data that includes their raw data.
2) Security and Privacy Requirements:
(S1) Data confidentiality: users' raw and aggregated data should be protected from unauthorised disclosure.
(S2) Authorisation: only authorised DRs should be able to access users' aggregated data, based on the user-defined access policy.

3) Performance Requirements:
(P1) Efficient: SAMA should be viable for wearables, which are devices with limited computational capabilities.

IV. BUILDING BLOCKS

This section briefly reviews the Paillier cryptosystem [32], the Variant-Paillier in Multikey cryptosystem [39], and CP-ABE [34], which are used in the SAMA scheme design. The notations used throughout the paper are presented in Table II.

TABLE II: Notations.
  Symbol          Meaning
  N_U             number of users
  N_DR            number of DRs
  N_req           number of data points requested for aggregation
  N_m             number of messages received by U_i
  N               number of users in multiple users processing
  U_i             ith user, i = {1, ..., N}
  m_i             raw data provided by U_i
  r_i             random number generated by CSPA for each U_i
  ssk             strong secret key in VP-HE
  vpk_i, wsk_i    VP-HE key pair (public key, weak secret key) of U_i
  Enc_VP          encryption using VP-HE
  Dec_VP          decryption using VP-HE
  [m_sum]         addition result encrypted by the vpk_i of U_i
  [m_i]           m_i encrypted by the vpk_i of U_i
  [r_i]           random number encrypted by the vpk_i of U_i
  Enc_PE          encryption using PE
  Dec_PE          decryption using PE
  ppk_j, psk_j    PE key pair (public key, private key) of DR
  pk              public parameters in CP-ABE
  MK              master key in CP-ABE
  sk              secret key in CP-ABE
  Enc_ABE         encryption using CP-ABE
  Dec_ABE         decryption using CP-ABE
  AP_S / AP_M     single and multiple user(s) data access policy

A. Paillier Cryptosystem

The Paillier cryptosystem [32] is a practical additive homomorphic encryption scheme proven to be semantically secure.

1) Paillier in Single-Key Environment: It consists of three algorithms: a key generation algorithm ($\mathrm{KGen}_{PE}$), an encryption algorithm ($\mathrm{Enc}_{PE}$), and a decryption algorithm ($\mathrm{Dec}_{PE}$).
• $\mathrm{KGen}_{PE}(k') \rightarrow ppk, psk$: Given a security parameter $k'$, select two large prime numbers $p$ and $q$. Compute $n = p \cdot q$ and $\lambda = \mathrm{lcm}(p-1, q-1)$. Define $L(x) = (x-1)/n$. Select a generator $g \in \mathbb{Z}_n^*$. Compute $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$. The public key is $ppk = (n, g)$ and the private key is $psk = (\lambda, \mu)$.
• $\mathrm{Enc}_{PE}(ppk, m) \rightarrow c$: Given a message $m \in \mathbb{Z}$ and a public key $ppk = (n, g)$, choose a random number $r \in \mathbb{Z}_n^*$ and compute the ciphertext $c = \mathrm{Enc}_{PE}(ppk, m) = g^m \cdot r^n \bmod n^2$.
• $\mathrm{Dec}_{PE}(psk, c) \rightarrow m$: Given a ciphertext $c$ and a private key $psk = (\lambda, \mu)$, recover the message $m = \mathrm{Dec}_{PE}(psk, c) = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$.

2) Variant-Paillier in Multi-Key Environment: The variant Paillier scheme [39] is one of the recent variations of the Paillier cryptosystem. It is similar to the original scheme [32], with a slight modification in the key generation algorithm which makes it compatible with a multiple-user environment by generating a different public-private key pair for each user, with two trapdoor decryption algorithms. The scheme comprises four algorithms: key generation ($\mathrm{KGen}_{VP}$), encryption ($\mathrm{Enc}_{VP}$), decryption with a weak secret key ($\mathrm{Dec}_{wsk}$), and decryption with a strong secret key ($\mathrm{Dec}_{ssk}$).
• $\mathrm{KGen}_{VP}(k) \rightarrow vpk, wsk, ssk$: Given a security parameter $k$, choose $k+1$ small odd prime factors $u, v_1, \ldots, v_i, \ldots, v_k$ and choose two large prime factors $v_p$ and $v_q$ such that $p$ and $q$ are large primes with the same bit length. Compute $p$ and $q$ as $p = 2 u v_1 v_2 \cdots v_i \cdots v_k v_p + 1$ and $q = 2 u v_1 v_2 \cdots v_i \cdots v_k v_q + 1$. Calculate $n = p \cdot q$ and $\lambda = \mathrm{lcm}(p-1, q-1)$. Choose $t$ as a number or a product of multiple numbers from the set $(v_1, v_2, \ldots, v_i, \ldots, v_k)$; then $t \mid \lambda$ holds naturally. Choose a random integer $g \in \mathbb{Z}_{n^2}^*$ that satisfies $g^{utn} = 1 \bmod n^2$ and $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$. Define $L(x) = (x-1)/n$. Compute $h = g^{n \times \lambda / t} \bmod n^2$. The public key is $vpk = (n, g, h)$, the weak secret key is $wsk = t$ and the strong secret key is $ssk = \lambda$.
• $\mathrm{Enc}_{VP}(vpk, m) \rightarrow c$: Given a message $m \in \mathbb{Z}_n$ and a public key $vpk = (n, g, h)$, choose a random number $r \in \mathbb{Z}_n$ and compute the ciphertext $c = \mathrm{Enc}_{VP}(vpk, m) = g^m h^r \bmod n^2$.
• $\mathrm{WDec}_{VP}(wsk, c) \rightarrow m$: The decryption algorithm with a weak secret key decrypts only the ciphertexts encrypted with the associated public key. Given $wsk$ and $c$, the ciphertext can be decrypted as $m = \mathrm{WDec}_{VP}(wsk, c) = \dfrac{L(c^{t} \bmod n^2)}{L(g^{t} \bmod n^2)} \bmod n$.
• $\mathrm{SDec}_{VP}(ssk, c) \rightarrow m$: The decryption algorithm with a strong key decrypts the ciphertexts encrypted with any public key of the scheme. Given $ssk$ and $c$, the ciphertext can be decrypted as $m = \mathrm{SDec}_{VP}(ssk, c) = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$. Here,
$$\frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n = \frac{L(g^{\lambda m} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$$

B. Ciphertext-Policy Attribute Based Encryption

CP-ABE is a type of public-key encryption in which the ciphertext is associated with an access policy and user keys depend upon attributes, to support fine-grained access control [39]. It consists of four main algorithms: a setup algorithm (Setup), an encryption algorithm ($\mathrm{Enc}_{ABE}$), a key generation algorithm ($\mathrm{KGen}_{ABE}$), and a decryption algorithm ($\mathrm{Dec}_{ABE}$).
• $\mathrm{Setup}(s, U) \rightarrow pk, mk$: Given a security parameter $s$ and a universe of attributes $U$, the setup algorithm outputs the public parameters $pk$ and a master key $mk$.
• $\mathrm{Enc}_{ABE}(pk, M, \mathbb{A}) \rightarrow C$: Given public parameters $pk$, a message $M$, and an access structure $\mathbb{A}$ over the universe of attributes, the encryption algorithm outputs a ciphertext $C$ which implicitly contains $\mathbb{A}$.
• $\mathrm{KGen}_{ABE}(mk, s) \rightarrow sk$: Given a master key $mk$ and a set of attributes $s$ which describe the key, the key generation algorithm outputs a private key $sk$.
• $\mathrm{Dec}_{ABE}(pk, C, sk) \rightarrow M$: Given public parameters $pk$, a ciphertext $C$ (which includes an access policy $\mathbb{A}$), and a private key $sk$, a user can run the decryption algorithm to decrypt the ciphertext and obtain the message $M$ only if the attributes associated with the private key satisfy $\mathbb{A}$.

V. THE SAMA SCHEME

In this section, we propose our novel secure data aggregation scheme, SAMA, that works on single and multiple user(s) data with flexible data sharing, adopting a user-centric approach. First, we give an overview of SAMA and explain the system initialisation before presenting it in detail.

A. Overview of the SAMA Scheme

The SAMA scheme mainly makes use of a combination of the Paillier HE and CP-ABE schemes and consists of three main phases: (i) user access policy setting, (ii) data uploading, and (iii) data access request and processing, as shown in Fig. 2.

[Fig. 2: An overview of the SAMA scheme. Message sequence between Users, CSPA, CSPB and DR. Access policy setting: the user sets APS and APM; CSPA stores them. Data uploading: the user encrypts data; CSPA stores the encrypted data. Data access request and processing, user request case: the user requests aggregated data; CSPA aggregates the encrypted data; the user decrypts the aggregated data. DR request case: the DR requests aggregated data; CSPA selects N users*, aggregates the encrypted data** and masks the data; CSPB decrypts the masked data, aggregates the masked data*, encrypts the masked data by ppkj and encrypts pskj by APS or APM; CSPA de-masks the encrypted aggregated data; the DR decrypts the encrypted pskj by skj and decrypts the aggregated data by pskj. *Only for multiple users data processing request. **Only for single user data processing request.]

In the user access policy setting phase, to achieve a user-centric fine-grained access policy, users define two types of access policies, the single (APS) and multiple (APM) user(s) data access policy, and send them to CSPA. This allows CSPA to process and share users' data with DRs according to users' preferences. In the data uploading phase, every user encrypts their data with their VP-HE public key and sends the resulting ciphertext to CSPA. During the data access request and processing phase, CSPA receives requests from DRs to access the (aggregated) data of users. These requests are processed by the CSPs and the results are shared with the corresponding requesters. There can be three different types of requests, coming either from the users themselves for accessing their own data or from DRs requesting data of a single user or of multiple users.

Upon receiving a request from a user, CSPA aggregates the user's encrypted data and the result is sent back to the user. The user can then use their own VP-HE weak secret key to obtain their aggregated data. If the request is received from a DR for a single user's data, CSPA aggregates the user's encrypted data, masks it, and sends the masked encrypted data to CSPB. CSPB then performs strong decryption to obtain the masked data, encrypts this result (masked aggregated data) with a Paillier public key, encrypts the Paillier private key using CP-ABE with the access policy APS, and sends both ciphertexts to CSPA. However, if the request is received from a DR for multiple users' data processing, the process is slightly different. CSPA gets the encrypted data of the users, masks the data and sends the masked data to CSPB. CSPB then performs strong decryption on the received ciphertexts, aggregates them, encrypts the result with a Paillier public key, and encrypts the Paillier private key using CP-ABE with the access policy APM. In both cases, CSPB sends both ciphertexts to CSPA. CSPA then performs de-masking on the received ciphertext and sends the encrypted result (aggregated data) and the CP-ABE ciphertext to the DR. Finally, an authorized DR who satisfies the access policy will be able to decrypt the CP-ABE ciphertext and obtain the Paillier private key to decrypt the ciphertext of the final result (the users' aggregated data).

B. System Initialisation

The system initialisation step comprises two phases: system parameters setup, and cryptographic key generation and distribution. All the entities' keys are listed in Table III.

TABLE III: Cryptographic Keys of Entities.
  Entity   Public Key      Private Key
  User     vpk_i           wsk_i
  CSPA     ppk_j           –
  CSPB     ppk_j and pk    psk_j and ssk
  DR       ppk_j           psk_j and sk_j

1) System Parameters Setup: In this phase, the system parameters of the three encryption schemes are set.
• VP-HE setup: The KA sets a security parameter $k$ and chooses two large prime numbers $p$ and $q$ such that $L(p) = L(q) = k$, where $L$ is the bit length of the input data.
• Paillier setup: The KA selects the security parameter $k'$ such that $k' > k$. It then chooses two large prime numbers $p$ and $q$. Then, the key generation algorithm is initiated as explained in Section IV-A1.
• ABE setup: The KA generates the security parameter $s$ and the $U$ attributes, which are used to generate $pk$ and $mk$ using the Setup algorithm described in Section IV-B.

2) System Key Generation and Distribution: This phase is divided into the three steps outlined below.
• VP-HE Key Generation: The KA generates a unique $ssk$ and a distinct variant Paillier homomorphic public/private key pair $(vpk_i, wsk_i)$ for every user $U_i$, $i = 1, \ldots, N_U$, using the $\mathrm{KGen}_{VP}$ algorithm described in Section IV-A2.
• Paillier Key Generation: The KA generates a distinct Paillier homomorphic public/private key pair $(ppk_j, psk_j)$ for each request that comes from the same or any DR, using the $\mathrm{KGen}_{PE}$ algorithm described in Section IV-A1.
• ABE Key Generation: The KA generates a distinct private key $sk_j$ for every $DR_j$, using $\mathrm{KGen}_{ABE}$ as described in Section IV-B. $DR_j$ obtains $sk_j$ from the KA, which embeds her/his attributes/roles.

C. SAMA in Detail

The SAMA scheme consists of three main phases: (1) User access policy setting, (2) Data uploading, and (3) Data access request and processing.

1) User Access Policy Setting: This phase, shown in Fig. 3, is usually performed at the setup stage. It allows users to set their access policy for data aggregation and sharing requirements and share it with CSPA. It includes three steps: a) define access policy, b) activate notifications, and c) update access policy.

[Fig. 3: User access policy setting and data uploading phase. Between Users and CSPA: the user defines the single and multiple user(s) access policy (APS, APM) and sends it to CSPA, which stores it (AP storage); users encrypt wearable data using vpki and send it to CSPA, which stores the encrypted data (data storage).]

a) Define access policy: Generally, the user defines two types of access policy: (i) a single-user data aggregation and sharing access policy (APS) and (ii) a multiple-users data aggregation and sharing access policy (APM).
(i) APS allows users to control who can access the aggregated results of their own data. Therefore, only an authorized DR with specific attributes satisfying the access policy can have access to the final aggregated result.
(ii) APM allows users to determine whether they agree to their data being aggregated with other users' data and the aggregated result being accessed by DRs. In other words, each user defines his/her sharing preferences and gives consent to allow use of their individual wearable data in aggregation along with other users' wearable data. Note that APM does not authorise CSPA to share any specific individual raw data with anyone. It only allows CSPA to use the encrypted data of users whose sharing preferences match the attributes of DRs who have requested access to data.

b) Activate notification: Users can select to receive regular notifications, which are a summary of all single- and multi-user data requests to access their data received from DRs. Through the summary, users can check how many data access requests were granted/rejected. This will also allow users to monitor who has requested access to their data and whose requests were granted/rejected. Regular notification can be switched on/off by the user and can also be set to be received as daily/weekly/monthly data access summaries. CSPA is responsible for following users' notification selections.

c) Update access policy: CSPA provides users with the ability to update their access policy periodically or on demand. Users also have the option to update their pre-defined access policies (APS and/or APM) based on the details in their notifications.

2) Data Uploading: During this phase, users upload their data to the CSPs regularly. More specifically, users encrypt their wearable data $m_i$ with their variant-Paillier public key $vpk_i$ to obtain $C_{vpk_i} = \mathrm{Enc}_{VP}(vpk_i, m_i)$ and send the encrypted data to CSPA. This phase is the same for single- and multi-user aggregated data sharing, as shown in Fig. 3.

3) Data Access Request and Processing: In this phase, there can be three different types of data access requests for users' aggregated data, as follows: a) users request access to their own (aggregated) data, b) DRs request access to the aggregated data of a single user, and c) DRs request access to the aggregated data of multiple users. The requests coming from users are directly handled by CSPA, while the requests coming from DRs are handled by both CSPs.

[Fig. 4: Data access request and processing phase - user request. Between Users and CSPA: the user requests own data; CSPA performs the additive homomorphic operation and stores the processing results; the user decrypts the processing results using wski.]

a) User access request for own (aggregated) data: A user
7 requests CSPA to aggregate his/her own encrypted wearable Users CSPA CSPB DR data and provide the processed result, as shown in Fig. 4. Upon receiving the request to aggregate Nreq data points, CSPA aggregates the users’ data (i.e., it performs additive Data access request and processing (DR request case) homomorphic operations PNreq by multiplyingQthe encrypted data Request single / multiple user(s) data Nreq of the user) to get [ i=1 mi ]vpki = i=1 Cvpki , where Select N users* [data] denotes encrypted data. The result then is sent to the PNreq Aggregate encrypted data** user. Then, the user can decrypt [ i=1 mi ]vpki with his/her Mask data Masked Data own PNreq weak secret key wsk i to obtain PNreq the aggregated data as Decrypts and obtains the i=1 m i = Dec vp (wsk i , [ i=1 m i ] vpki ). Regular notifications masked data Aggregate masked data* b) DR access request for single-user data processing: A Encrypts the masked data with DR requests access to the aggregated data of a (specific) single ppkj and encrypts pskj with CP- ABE using APS /APM user. For example, a doctor requires access to the aggregated Masked Data data of a specific patient to monitor his/her health condition. De-mask encrypted data Data The aggregated data can be accessed only by DRs (e.g., doctors, friends, etc) whose attributes satisfy the fine grain Decrypt CP-ABE(pskj ) and use pskj to decrypt and get access policy APS set by the user. This phase, as shown in *Only for multiple users data processing request **Only for single user data processing request the processing result Fig. 5, is divided into the following five steps: (i) Handling DR request: After a DR has issued a request Fig. 5: Data access request and processing phase - to access the aggregated data of a single user, the CSPA DR request case. performs the same additive homomorphic operations, as in Step a) explainedPabove. The result is a ciphertext of the Nreq aggregated data: [ i=1 mi ]vpki . 
Finally, it uses pskj to obtain the initially requested aggregated PNreq PNreq (ii) Masking: CSPA then masks the aggregated data. More data of the user: i=1 mi = DecP E (pskj , [ i=1 mi ]ppkj ). specifically, it generates a random number rUi and encrypts it c) DR access request for multi-user data processing: A with the user’s VP-HE public key, vpki , to obtain [rUi ]vpki = DR requests access to aggregated data of multiple users. For Encvp (vpki , rUi ). The ciphertext [rUi ]vpki then is multiplied example, a researcher may require access to the aggregated PNreq with the ciphertext of the aggregated data [ i=1 mi ]vpki to data of a specific set of patients (users) who, for instance, PNreq get a ciphertext of the masked aggregated data [ i=1 mi + suffer from the same disease. The aggregated data can be PNreq rUi ]vpki = [ i=1 mi ]vpki ∗ [rUi ]vpki . The result is then sent accessed only by DRs whose attributes satisfy the fine grain to CSPB along with the APS set by the user. access policy APM of the users whose data is requested. This (iii) Preparing the processing result: Upon receiving the phase is also shown in Fig. 5 and consists of the following result, CSPB decrypts it using its strong decryption key steps. PNreq (i) Handling DR request: Upon receiving a request to ssk to get the masked aggregate data i=1 mi + rUi = PNreq access aggregated data of multiple users, the CSPA initiates Decvp (ssk, [ i=1 mi + rUi ]vpki ). Then, a new Paillier key pair (ppkj , pskj ) is generated by KA (based on CSPB the process by comparing users’ APM with DR attributes. It request) and the new key pair is sent back to CSPB . then selects users whose APM matches with DR request. For The new Pailliar public key, ppkj , is used to encrypt the simplicity, let us assume that CSPA selects N users. 
PNreq (ii) Masking: CSPA starts the masking process by gen- masked aggregated data to get [ i=1 mi + rUi ]ppkj = PNreq erating a random number for every user’s data used in the EncP E (ppkj , i=1 mi + rUi ), while the new Pailliar private aggregation. It then encrypts these generated random numbers key pskj is encrypted by the user defined access policy (APS ) with the corresponding users’ variant Paillier public keys, to get [pskj ]APS = EncABE (pk, pskj , APS ). Finally, the two PNreq vpki , generating [rUi ]vpki = Encvp (vpki , rUi ). Next, each generated ciphertexts ([ i=1 mi + rUi ]ppkj and [pskj ]APS ) encrypted random number is multiplied with the respective are sent to CSPA . user’s encrypted data, [mi ]vpki , to obtain [mi + rUi ]vpki = (iv) De-masking: When CSPA receives the two cipher- [mi ]vpki ∗ [ri ]vpki . Finally, the N masked ciphertexts are sent texts, it initiates the de-masking process. It encrypts the to CSPB along with the APM set by the user for further random number rUi (used previously in the masking process) processing. with ppkj to obtain [rUi ]ppkj = EncP E (ppkj , rUi ). Then, (iii) Preparing the processing result: this step consists of CSPA calculates the additive inverse of [rUi ]ppkj , generating the outlined sub-steps below: n−1 [−rUi ]ppkj = [rUi ]ppk . Finally, it de-masks the aggregated - The CSPB decrypts all the received masked cipher- PNreqj PNreq data as follows: [ i=1 mi ]ppkj = [ i=1 mi + rUi ]ppkj ∗ texts with the variant Paillier strong secret key ssk to [−rUi ]ppkj . obtain the individual users’ masked data: mi + rUi = (v) DR access the processing result: DR can access the Decvp (ssk, [mi +rUi ]vpki ). Then, it performs an addition processing result only if the DR’s key attributes satisfy the operation PN toPget the maskedPN aggregation as follows: N user’ APS . Hence, DR can decrypt and obtain pskj by i=1 m i + i=1 rU i = i=1 (mi + rUi ). using its ABE secret key pskj = DecABE (pk, [pskj ]APS , sk). 
- KA generates a new Paillier public-private key
8 (ppkj , pskj ) for every authorised DR request received. TABLE IV: Requirements Comparison. - CSPB encrypts the masked PNresult using PN the Pailliar public key ppkj to obtain [ i=1 mi + i=1 rUi ]ppkj = [37] [38] [39] [30] SAMA PN PN EncP E (ppkj , ( i=1 mi + i=1 rUi )), while the corre- single-user data processing. X X sponding private key pskj is encrypted with the common Multiple users data processing. X X X X APM : [pskj ]APM = EncABE (pk, pskj , APM ). PN Fine-grain access control X X X X - Lastly, CSPB sends both ciphertexts [ i=1 mi + PN User-centric X X i=1 rUi ]ppkj and [pskj ]APM to CSPA . (iv) De-masking: in this phase, CSPA performs the following steps: It aggregates all the random PN numbers rUi B. Security of the SAMA Scheme (used in the masking process) to obtain r . It then P i=1 Ui encrypts the result with ppkj to get [ N i=1 Ui ]ppkj = r The security analysis of the SAMA scheme is based on the PN EncP E (ppkj , i=1 rUi ). After that, it computes the additive simulation paradigm with the presence of semi-honest (honest- PN inverse of [ i=1 rUi ]ppkj by raising it to the power of but-curious and non-colluding) adversaries. To prove that the PN P execution view of the IDEAL world is computationally indis- n − 1: [− i=1 rUi ]ppkj = [ N rU ]n−1 . Finally, it de- PNi=1 i ppkj PN tinguishable from the execution view of the REAL world, we mask the result as follows: [ i=1 mi ]ppkj = ([ i=1 mi + PN PN construct four simulators (SimU , SimCSPA , SimCSPB , and i=1 rUi ]ppkj ) ∗ ([− i=1 rUi ]ppkj ). SimDR ), which represents four entities U , CSPA , CSPB , (v) DR access the processing result: the DR decrypts and DR. These simulators simulate the execution of the fol- [pskj ]APM using sk if the DR’s key satisfies the access policy: lowing adversaries AdvU , AdvCSPA , AdvCSPB , and AdvDR pskj = DecABE (pk, [pskj ]APM , sk). Finally, the DR uses that compromise U , CSPA , CSPB , and DR, respectively. 
the obtained pskj to obtain the requested aggregated data: PN PN Note that KA is excluded as it is assumed to be a trustworthy i=1 mi = DecP E (psk, [ i=1 mi ]). entity. T heorem 1. The SAMA scheme can securely retrieve the aggregation result plaintext of the addition computations over D. Functional Requirements Comparison encrypted data in the presence of semi-honest adversaries. The functional requirements achieved by SAMA in com- P roof : We prove the security of the SAMA scheme by parison with related schemes [30], [37]–[39] are summarised considering the case with two data inputs. in Table IV. Compared to these schemes, SAMA achieves all 1) SimU : The SimU encrypts the provided inputs m1 the specified functional requirements. and m2 using VP-HE and returns both ciphertexts to AdvU . The simulation view of the IDEAL world of AdvU is computationally indistinguishable from the REAL world view VI. S ECURITY A NALYSIS owing to the semantic security of VP-HE. 2) SimCSPA : The SimCSPA simulates AdvCSPA in single In this section, we perform a security analysis which in- and multiple user(s) data processing scenarios. In the single- cludes the security of the cryptosystems used (Paillier, variant user data case, SimCSPA multiplies the provided ciphertexts Paillier, and CP-ABE), the security of the SAMA scheme, and and then encrypts a random number r with VP-HE. Next, it the security requirements of SAMA. multiplies the encrypted random number with the result of the multiplication of the ciphertexts. Later, the same random number r is encrypted with the public key of the Paillier A. Security of the Cryptosystems scheme and its ciphertext is raised to n−1 and multiplied with The security of the Paillier cryptosystem [32] depends on the given ciphertext. In the multiple users data case, SimCSPA the hardness of the Composite Residuosity Class problem generates two random numbers r1 and r2 , encrypts them with in the standard model. 
The scheme is semantically secure the public key of the VP-HE and multiplies the encrypted against chosen-plaintext attack as the Decisional Composite random numbers with the ciphertexts (encrypted m1 and m2 ), Residuosity assumption holds. The variant Paillier [39] is respectively. Later, the same random numbers are encrypted similar to the Paillier encryption with a slight change in with the public key of the Paillier scheme, and the results the key generation algorithm (described in Section IV-A2). are raised to n − 1 and multiplied with the given ciphertext. Hence, its security follows directly from the security of the In both cases, the AdvCSPA receives the output ciphertexts Paillier cryptosystem, which is proven to satisfy the seman- from SimCSPA . Therefore, the REAL and IDEAL views tic security in the standard model under the assumption of of AdvCSPA are computationally indistinguishable owing to the intractability of the Composite Residuosity Class hard the semantic security of VP-HE and Paillier encryption. problem [39]. Moreover, the CP-ABE is secure under the 3) SimCSPB : The execution view of CSPB in the REAL generic elliptic curve bi-linear group and random Oracle model world is given by both ciphertext of (m1 + r1 ) and (m2 + r2 ), assumptions [34]. Therefore, the SAMA scheme builds its which are used to obtain m1 + r1 and m2 + r2 by executing security on the proven security of the Paillier, variant Paillier, decryption with the strong secret key on these ciphertexts (r1 and CP-ABE cryptosystems. and r2 are random integers in Zn ). The execution view of
9 CSPB in the IDEAL world has two ciphertexts randomly user-centric access policy has been applied in the design of selected in the Zn2 . The SimCSPB simulates AdvCSPB in the SAMA scheme, which allows users to define their access both single and multiple user(s) data processing scenarios. In policies to securely and selectively grant DRs access to the the single-user data case, SimCSPB simulates AdvCSPB as processing result. Thus, the processing result is encrypted follows. The SimCSPB runs the strong decryption algorithm using APS and APM , which are access policies set by users and obtains m′1 + m′2 + r′ and then the decryption result to determine their sharing preferences for sharing the single undergoes further encryption by the public key of Paillier and multiple users data processing results. Hence, the private encryption to obtain a new ciphertext. In the multiple users key of DR (sk) is required to decrypt the encrypted processing data case, SimCSPB runs the strong decryption algorithm result using CP-ABE and only the authorised DR who satisfies and obtains m′1 + r1′ and m′2 + r2′ . Then, the SimCSPB the access policy can access the key and thereby decrypt the aggregates the decryption results, and then the aggregated processing result. Thus, using CP-ABE, SAMA provides user- result is further encrypted by Paillier encryption public key to centric fine grain access control and only authorized DR can obtain a ciphertext. Next, in both cases, a randomly generated access the processing result (satisfying (S2)). number is encrypted with CP-ABE. Then, the two ciphertexts (generated by the Paillier and CP-ABE schemes) are provided VII. P ERFORMANCE E VALUATION as a result by SimCSPB to AdvCSPB . 
These ciphertexts are In this section, we evaluate the performance of the SAMA computationally indistinguishable between the REAL and scheme in terms of the computational complexity and commu- IDEAL world of AdvCSPB since the CSPB is honest and nication overheads incurred among all entities in the system. the semantic security of VP-HE and Paillier cryptosystem, and We also compare the performance of SAMA with the perfor- the security of CP-ABE. mance of the most relevant work [30]. 4) SimDR : The SimDR randomly selects chosen cipher- texts (besides not having access to challenged data), decrypts, and sends them to AdvDR to gain data information. The A. Computational Complexity view of the AdvDR is the decrypted result without any other The computationally expensive operations considered in the information irrespective of how many times the adversary SAMA scheme are the modular exponentiation and multiplica- access the SimDR . Due to the security of CP-ABE and the tion operations, denoted as M odExp and M odM ul, respec- semantic security of the Paillier scheme, both REAL and tively. We ignore the fixed numbers of modular additions in IDEAL world views are indistinguishable. Since the user data our analysis as their computational cost compared to M odExp encryption process and DR decryption process are common and M odM ul is negligible. In our analyses we also use the for both single and multi-user data processing in the SAMA following parameters: BiP air is the cost of a bilinear pairing scheme, the security proof of AdvU and AdvDR is common in ABE; |γ| + 1 is the number of attributes in the access for both single and multi-user scenarios. policy tree and ϑ is the number of attributes needed to satisfy the access policy. Furthermore, we divide the complexity of SAMA to computations related into HE for data aggregation C. Analysis against Security Requirements and ABE for access control. 
1) Data Confidentiality: Every user encrypts his/her data 1) Computational Complexity of HE Data Aggregation: In using his/her VP-HE public key vpki . CSPA then performs our analysis, we split the computational complexity into four homomorphic addition operation over encrypted data, and parts: the complexity at each of the entities. delivers the processing result ciphertext with the encrypted Computations at User Side: This is a common step for sin- private Paillier key psk using CP-ABE to the DR. Only gle and multiple user(s) data cases. At each reporting time slot, authorized DRs can obtain psk and hence have access to the each user encrypts their data by their VP-HE public key vpki user data. Furthermore, the SAMA scheme conceals users’ raw to generate a ciphertext used for data processing/analyzing. data by adding random numbers at CSPA , i.e., masking the This encryption requires two modular exponentiation opera- processed data, hence preserving the privacy of the user(s) data tions, hence the computational complexity at the user side is: at CSPB . Moreover, the Paillier cryptosystem is semantically 2 ∗ M odExp. secure and the CP-ABE is secure under the generic elliptic Computations at CSP s: This includes operations per- curve bi-linear group model as discussed in VI-A. In addition, formed by CSPA and CSPB . As these operations are slightly the communication channels among all the entities (user, different for the single and multiple user(s) data processing CSPA , CSPB , and DR) are secure (e.g., encrypted using scenarios, we analyse them separately. SSL). 
Therefore, based on all of the above, only the authorised For the single-user data processing case, CSPA performs entities (i.e., the user or DR) can access the processing result additive homomorphic encryption on the received user ci- and all the unauthorised internal or external entities who might phertexts ((Nm − 1) ∗ M odM ul), generates a random num- eavesdrop messages sent and/or collect information can only ber r, encrypt it with the user’s VP public key vpki (2 ∗ access the ciphertext of the users (satisfying (S1)). M odExp), multiplies the results of the homomorphic ad- 2) Authorisation: SAMA uses CP-ABE to implement se- dition with the encrypted random number (M odM ul) and cure fine grain access control, where the processing result is sends it to CSPB . Next, CSPA re-encrypts the generated encrypted by the user defined access policies and the decryp- random number r by ppkj (2 ∗ M odExp), calculates the tion key is associated with the attributes of the recipients. The additive inverse of r (M odExp), and then multiplies it with
10 TABLE V: Computation Cost. Entity Computation of single-user Data Processing Computation of Multiple Users Data Processing Computation of Addition in [30] U ser 2 ∗ M odExp as this is a common step 4 ∗ M odExp CSP (Nm + 2) ∗ M odM ul + 9 ∗ M odExp + (4∗N +5)∗M odExp+(2∗N +1)∗M odM ul+ Nm ∗ M odM ul + 7 ∗ M odExp + (|γ| + 1) ∗ Exp (|γ| + 1) ∗ Exp 2 ∗ (|γ| + 1) ∗ Exp DR 2 ∗ M odExp + M odM ul + ϑ ∗ BiP air 2 ∗ M odExp + M odM ul + ϑ ∗ BiP air 2 ∗ M odExp + M odM ul + ϑ ∗ BiP air the encrypted processing result (M odM ul) to remove the U . This requires |U | + 1 exponentiations and one bi-linear masking from the original data. Thus, CSPA performs in pairing. The EncABE () requires two exponential operations total: (Nm + 1) ∗ M odM ul + 5 ∗ M odExp. CSPB per- for each leaf in the ciphertext’s access tree τ , which needs forms strong decryption using ssk on the received ciphertexts (|γ| + 1) ∗ Exp, whereas the KGenABE () algorithm requires (2 ∗ M odExp + M odM ul). It then encrypts the aggregated two exponential operations for every attribute given to the user. masked result with ppkj (2 ∗ M odExp), and encrypts pskj Also, the private key consists of two group elements for every with CP-ABE using APS ((|γ| + 1) ∗ Exp). Hence, CSPB attribute. Finally, DecABE () requires two pairings for every performs in total: 4 ∗ M odExp + M odM ul + (|γ| + 1) ∗ Exp. leaf of the access tree τ matched by a private key attribute In total, the computational cost at CSP s in a single-user and at most one exponentiation for each node along a path data processing case is: (Nm +2)∗M odM ul +9∗M odExp+ from that leaf to the root node. (|γ| + 1) ∗ Exp. The Setup() only need to be executed once. Thus, its For the multiple users data processing case, CSPA gen- computational complexity can be neglected in both single erates a random number for every user’s data (N users), and multiple users data processing cases. 
Further, EncABE () encrypts them using the VP public key of the corresponding is performed only once to encrypt the private key of the user, vpki , (N ∗ 2 ∗ M odExp), and then multiplies the encrypted final result in both single and multi-user scenarios, resulting ciphertexts with the ciphertexts received from users also its computation cost is negligible. Moreover, Setup() (N ∗ M odM ul). Later, it aggregates all the generated random and KGenABE () are performed at KA and EncABE () by numbers, encrypts it using ppkj (2 ∗ M odExp), calculates CSPB , which means users will not be burdened with the the additive inverse of the aggregation result (M odExp), computational cost. Although the DecABE () algorithm is and then multiplies the aggregation result ciphertext with performed by DR which incurs some computational cost, it is the received ciphertext from CSPB (M odM ul) to remove an essential requirement to provide an authorised DR access the masking from the original data. Thus, the computational to the final result with fine grained access control. cost of CSPA in multiple users data processing case is: (N ∗2+3)∗M odExp+(N +1)∗M odM u)). CSPB performs B. Communication Overhead strong decryption using ssk for all N received ciphertexts There are two types of communication overhead incurred (N ∗ (2 ∗ M odExp + M odM ul)), and then aggregates the in the SAMA scheme: overhead due to occasional data com- decryption result. Next, it encrypts the addition result with a munication and overhead due to regular data communication. Paillier public key ppkj (2∗M odExp), and then encrypts psk The former overhead captures the data sent occasionally, e.g., with CP-ABE using APM (|γ| + 1) ∗ Exp). Hence, the total AP (APS , APM ) uploads/updates and notifications. 
The latter computation cost of CSPB in multiple users data processing overhead includes the regular data communication patterns case is: (2∗N +2)∗M odExp+N ∗M odM ul+(|γ|+1)∗Exp within SAMA, such as data upload, data requests, and data Therefore, in total, computational complexity of both CSP s exchanged between cloud providers when data is being pro- in multiple users data processing case is: (4 ∗ N + 5) ∗ cessed. Since the former overhead is negligible compared to M odExp + (2 ∗ N + 1) ∗ M odM ul + (|γ| + 1) ∗ Exp. the latter overhead, here we focus only on the communication Computations at DRs: In single and multiple users data overhead due to regular data communication patterns. processing, a DR decrypts a ABE ciphertext using his/her sk To ease the analyses, we divide the communication overhead to obtain the Pailliar decryption key pskj (at most ϑ∗BiP air), introduced by the SAMA scheme into three parts: overhead and then uses it to decrypt the encrypted processing result incurred (1) between users and CSP s denoted as (Users- (2∗M odExp+M odM ul). In total, this gives a computational to-CSP s), (2) between CSP s (Between-CSP s), and (3) cost at DR: (2 ∗ M odExp + M odM ul + ϑ ∗ BiP air). between CSP s and DRs (CSP s-to-DRs). We compare the total computational costs of each entity in 1) Users-to-CSP s: This is a common step for single and SAMA with the addition scheme of [30] in Table V. multiple users data cases. At each data reporting time slot, each 2) Computational Complexity of Access Control: We as- user Ui sends one ciphertext to CSPA . As each ciphertext has sume that there are |U | universal attributes, in which |γ| a length of 2∗L(n) (operations are performed under mod n2 ), attributes are in the access policy tree τ , and at most ϑ the total communication overhead for this part in single and attributes should be satisfied in the access policy tree τ to multiple users data processing is: N ∗ 2 ∗ L(n). decrypt the ciphertext. 
The Setup() will generate the public 2) Between-CSP s: The communication between CSP s in parameters using the given system parameters and attributes single-user data processing is as follows. CSPA sends one
11 TABLE VI: Communication Overhead. Communication of single-user Communication of Multiple Users Communication of Addition Data Processing Data Processing in [30] User-to-CSPA N ∗ 2 ∗ L(n) as this is a common step N ∗ 4 ∗ L(n) CSPA ↔ CSPB 4 ∗ L(n) + (|γ| + 1) ∗ L (n + 1) ∗ 2 ∗ L(n) + (|γ| + 1) ∗ L 8 ∗ L(n) + (|γ| + 1) ∗ L CSPA -to-DR 2 ∗ L(n) + (|γ| + 1) ∗ L 2 ∗ L(n) + (|γ| + 1) ∗ L 4 ∗ L(n) + (|γ| + 1) ∗ L ciphertext of length 2 ∗ L(n), which is the masked aggregated Our single and multi-user 200 Our multi-user scheme in [30] scheme in [30] user’s data, to CSPB . Then, CSPB sends one ciphertext of 40 150 Our single-user 2 ∗ L(n) to CSPA , which is the masked encrypted processing Time (ms) Time (ms) 100 result, and one CP-ABE ciphertext of (|γ| + 1) ∗ L, where 20 L is the bit length of elements in ABE. Therefore, the 50 total communication among CSP s in the single-user data 0 0 processing case is: 4 ∗ L(n) + (|γ| + 1) ∗ L. 512 1024 2048 512 1024 2048 length of n (bit) length of n (bit) The communication between CSP s in multiple users data processing is as follows. CSPA sends N ciphertext (masked (a) Operation time of the user (b) Operation time of CSPA with of encrypted user’s data) of length 2 ∗ L(n) to CSPB , with the different lengths of n the different lengths of n 200 which is N ∗ 2 ∗ L(n). Then, similar to the single-user data Our multi-user scheme in [30] 30 Our multi-user scheme in [30] Our single-user Our single-user processing scenario, CSPB sends one ciphertext of 2 ∗ L(n) 150 20 Time (ms) Time (ms) and (|γ| + 1) ∗ L of the CP-ABE ciphertext to CSPA . The 100 total communication cost among CSP s in multiple users data 10 50 processing case is: (N + 1) ∗ 2 ∗ L(n) + (|γ| + 1) ∗ L. 
3) CSP s-to-DRs: In the single and multiple users data, 0 0 CSPA sends to DRs one ciphertext of length 2 ∗ L(n) (the 512 1024 length of n (bit) 2048 512 1024 length of n (bit) 2048 encrypted processing result) and one CP-ABE ciphertext of (c) Operation time of CSPB with (d) Operation time of DR with the length (|γ|+1)∗L. Thus, The communication between CSPA the different lengths of n different lengths of n and the DRs is: 2 ∗ L(n) + (|γ| + 1) ∗ L. A comparison between the communication overhead of the SAMA scheme and the addition scheme proposed in [30] Fig. 6: Computational cost of the SAMA scheme with the is shown in Table VI. Overall, we can observe that the different lengths of n. SAMA scheme has lower communication overhead than the Addition scheme in [30] at the user and DR side, while, the communication overhead between CSP s in multiple users 1) Computational Cost of Data Processing: We evaluate case of the SAMA scheme is higher than [30]. the computational cost for all of the four entities: Ui , CSPA , CSPB and DR in both single and multiple users data pro- C. Experimental Results cessing scenarios and compare with the related work [30] Here we present the experimental results of SAMA in (multi-user) in terms of different lengths of n. In addition, three different settings: (1) computational cost of the data we show the computational cost of single and multiple users processing operations, (2) computational cost of the data processing cases with a variable number of messages and access operations, and (3) communication overheads within users, respectively. SAMA. (i) Influence of different lengths of n on data processing: For the computational cost, we have implemented the Figure 6a shows the influence of the different lengths of n SAMA scheme to test its computational performances by on data processing of two messages, where n=512, 1024, and conducting experiments with Java Pairing-Based Cryptogra- 2048 bits. 
We can observe that the computational cost is low phy (jPBC) [40] and Java Realization for Ciphertext-Policy on the user side, hence acceptable for resource-constrained Attribute-Based Encryption (cpabe) [41] libraries on a laptop devices. In our single and multiple users data processing, with Intel Core i7-7660U CPU 2.50GHz and 8GB RAM. We CSPA and CSPB achieve better computational efficiency ran each experiment 500 times and took the average values. We compared to the scheme in [30], as shown in Fig. 6b and 6c, set the length of n to 1024 bits, m to 250 bits, and r to 500 bits. respectively. The operation time of DR, as shown in Fig. 6d, We show the computation evaluation for the single-user and is the least among all the other entities because it only needs to multiple users data processing for all entities separately and decrypt the processed result. Even when the n length reaches specifically CSPA and CSPB as they perform different sets 2048 bits, it still only needs about 30ms to complete the of computations in each case as described in Section VII-C1. computations. Further, our scheme computation performance In addition, the efficiency of user-centric access control and at DR is comparable to that of the scheme in [30]. communication overhead among the entities are shown in We can observe that the computation cost is linearly in- Section VII-C2 and Section VII-C3 respectively. creasing with the increase of the bit length of n among all
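The mask, strong-decrypt, re-encrypt and de-mask steps (ii)-(iv) of cases b) and c) above, run end to end as an added Python example that is not code from the SAMA paper or its Java implementation. It assumes, as a stand-in for the paper's variant Paillier VP-HE [39], the Bresson-Catalano-Pointcheval double-trapdoor scheme (per-user weak key wsk_i, one strong key ssk at CSP_B), omits the CP-ABE wrapping of psk_j, uses toy key sizes, and folds both cases into one `process_request` routine (one entry for a user's N_req readings, N entries for N users).

```python
"""SAMA steps (i)-(v): aggregate, mask, strong-decrypt, re-encrypt, de-mask.
Added example, not the SAMA authors' code. Labelled assumptions: VP-HE (per-user
weak key wsk_i, system-wide strong key ssk at CSP_B) is modelled with the
Bresson-Catalano-Pointcheval double-trapdoor scheme, not the paper's own variant
Paillier [39]; the CP-ABE wrapping of psk_j is omitted (psk_j goes to the DR
directly); the ~20-bit toy moduli keep the run fast and are NOT secure."""
import secrets
from math import gcd

def L(u, n):                      # Paillier's L function, for u = 1 mod n
    return (u - 1) // n

# VP-HE stand-in (BCP): common modulus n and base g; user i publishes h = g^a.
def vp_setup(p, q):
    """p, q safe primes (p = 2p'+1). Returns public params and CSP_B's ssk."""
    n, n2 = p * q, (p * q) ** 2
    ppqq = ((p - 1) // 2) * ((q - 1) // 2)             # p'q' = strong trapdoor
    while True:
        g = pow(secrets.randbelow(n2 - 2) + 2, 2, n2)   # order divides n*p'q'
        gp = pow(g, ppqq, n2)                           # = 1 + k*n for good g
        if gp % n == 1 and gcd((gp - 1) // n, n) == 1:
            return {"n": n, "n2": n2, "g": g}, {"ppqq": ppqq, "k": (gp - 1) // n}

def vp_keygen(sysp):
    """User key pair (vpk_i, wsk_i): weak secret a, public h = g^a mod n^2."""
    a = secrets.randbelow(sysp["n2"] // 2) + 1
    return {"h": pow(sysp["g"], a, sysp["n2"])}, a

def vp_encrypt(sysp, vpk, m):
    n, n2 = sysp["n"], sysp["n2"]
    r = secrets.randbelow(n2 - 1) + 1
    return pow(sysp["g"], r, n2), pow(vpk["h"], r, n2) * (1 + m * n) % n2

def vp_mul(sysp, c1, c2):          # homomorphic addition: [x] * [y] = [x + y]
    return c1[0] * c2[0] % sysp["n2"], c1[1] * c2[1] % sysp["n2"]

def vp_decrypt_weak(sysp, wsk, c):  # user-side decryption with wsk_i (step a)
    n, n2 = sysp["n"], sysp["n2"]
    return L(c[1] * pow(pow(c[0], wsk, n2), -1, n2) % n2, n) % n

def vp_decrypt_strong(sysp, vpk, ssk, c):
    """CSP_B's strong decryption: recovers a mod n and r mod n via the trapdoor."""
    n, n2, ppqq, k = sysp["n"], sysp["n2"], ssk["ppqq"], ssk["k"]
    kinv = pow(k, -1, n)
    a_mod = L(pow(vpk["h"], ppqq, n2), n) * kinv % n
    r_mod = L(pow(c[0], ppqq, n2), n) * kinv % n
    gamma = (L(pow(c[1], ppqq, n2), n) - a_mod * r_mod * k) % n   # = m * p'q'
    return gamma * pow(ppqq, -1, n) % n

# Plain Paillier for the per-request key pair (ppk_j, psk_j) issued by the KA.
def pe_keygen(p, q):
    n, n2 = p * q, (p * q) ** 2
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return {"n": n, "n2": n2}, {"lam": lam, "mu": pow(L(pow(n + 1, lam, n2), n), -1, n)}

def pe_encrypt(ppk, m):
    n, n2 = ppk["n"], ppk["n2"]
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def pe_decrypt(ppk, psk, c):
    return L(pow(c, psk["lam"], ppk["n2"]), ppk["n"]) * psk["mu"] % ppk["n"]

def process_request(sysp, ssk, entries, ppk):
    """entries = [(vpk_i, [x_i]_{vpk_i})]: one entry holding the product of a
    user's N_req ciphertexts (single-user case) or one entry per user (N users).
    Returns [sum x_i]_{ppk_j}, which only the holder of psk_j can open."""
    masked, masks = [], []
    for vpk, ct in entries:                          # (ii) masking at CSP_A
        r_u = secrets.randbelow(1 << 19)             # toy mask; paper uses 500-bit
        masked.append((vpk, vp_mul(sysp, ct, vp_encrypt(sysp, vpk, r_u))))
        masks.append(r_u)
    # (iii) CSP_B strong-decrypts each masked value, adds, re-encrypts under ppk_j
    ct_masked = pe_encrypt(ppk, sum(vp_decrypt_strong(sysp, v, ssk, c) for v, c in masked))
    # (iv) CSP_A: [-R]_{ppk_j} = [R]_{ppk_j}^(n-1) mod n^2, then strip the masks
    neg_masks = pow(pe_encrypt(ppk, sum(masks)), ppk["n"] - 1, ppk["n2"])
    return ct_masked * neg_masks % ppk["n2"]

def demo():
    """Single-user (three readings of one user) and multi-user (three users) runs."""
    sysp, ssk = vp_setup(1019, 1187)                 # toy safe primes
    ppk, psk = pe_keygen(1009, 1013)                 # toy Paillier primes
    vpk, wsk = vp_keygen(sysp)
    agg = None
    for c in (vp_encrypt(sysp, vpk, m) for m in (72, 75, 80)):  # constructed readings
        agg = c if agg is None else vp_mul(sysp, agg, c)         # (i) [sum m_i]_{vpk_i}
    own = vp_decrypt_weak(sysp, wsk, agg)            # step a): the user opens it
    single = pe_decrypt(ppk, psk, process_request(sysp, ssk, [(vpk, agg)], ppk))
    users = [vp_keygen(sysp)[0] for _ in range(3)]
    entries = [(v, vp_encrypt(sysp, v, m)) for v, m in zip(users, (60, 70, 80))]
    multi = pe_decrypt(ppk, psk, process_request(sysp, ssk, entries, ppk))
    return own, single, multi                        # -> (227, 227, 210)
```

Note that CSP_B only ever sees masked sums and that the DR never touches the user keys; to hide the readings in practice the mask must be drawn from a range far wider than the data (the paper's 500-bit r against 250-bit m), which the toy `1 << 19` range does not provide.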