Unidirectional Identity-Based Proxy Re-Signature with Key Insulation in EHR Sharing System

Yanan Chen; Ting Yao; Haiping Ren; Zehao Gan

doi:10.32604/cmes.2022.019589

1School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054,China
2Basic Course Teaching Department, Jiangxi University of Science and Technology, Nanchang, 330013, China
3Institute of Electronic and Information Engineering, University of Electronic Science and Technology of China, Dongguan, 523808,China
4Network and Data Security Key Laboratory of Sichuan Province, Unversity of Electronic Science and Technology of China, Chengdu,610054, China
*Corresponding Author: Ting Yao. Email: yaoting.uestc@gmail.com
Received: 30 September 2021; Accepted: 30 November 2021

Abstract: The introduction of the electronic medical record (EHR) sharing system has made a great contribution to the management and sharing of healthcare data. Considering referral treatment for patients, the original signature needs to be converted into a re-signature that can be verified by the new organization. Proxy re-signature (PRS) can be applied to this scenario so that authenticity and nonrepudiation can still be insured for data. Unfortunately, the existing PRS schemes cannot realize forward and backward security. Therefore, this paper proposes the first PRS scheme that can provide key-insulated property, which can guarantee both the forward and backward security of the key. Although the leakage of the private key occurs at a certain moment, the forward and backward key will not be attacked. Thus, the purpose of key insulation is implemented. What’s more, it can update different corresponding private keys in infinite time periods without changing the identity information of the user as the public key. Besides, the unforgeability of our scheme is proved based on the extended Computational Diffie-Hellman assumption in the random oracle model. Finally, the experimental simulation demonstrates that our scheme is feasible and in possession of promising properties.

Keywords: Proxy re-signature; key insulation; electronic medical record (EHR); random oracle model

With the improvement of living standards, the healthcare field has attracted more awareness and is playing an increasingly crucial role [1,2]. At the same time, with the aging of the population, the demand for online healthcare treatment is rising. Therefore, the data that the hospital needs to manage is enormous, resulting in a mass of health data that needs to be stored and maintained. The introduction of electronic medical records (EHRs) can solve this problem well, that is, storing and using patient medical records including personal information through the integration of the Internet of Things (IoT), deep learning, blockchain, and other technologies [3–6]. Compared with the conventional method of using paper to preserve health records, it is more advantageous and convenient to analyze the condition and manage the data in EHR sharing system. Nevertheless, putting health records on the Internet in electronic form will inevitably cause security problems. For the confidentiality of information in the IoT environment, there are already various effective methods to encrypt and protect them [7–11], but it is not enough to have only encryption means, and the authenticity of the message needs to be determined. Any unauthorized changes in data will affect the diagnosis and timely treatment of the disease, thus the integrity of the data must be guaranteed. Generally, digital signatures are used to ensure whether the data has been tampered with or not [12 –15]. However, when a patient needs to be referred for treatment, for example, a physician in the hospital needs to give the patient’s EHR to the researcher in the institution for further study. In this case, the signature generated by the hospital demands to be converted into the signature under the institution. Traditionally, the institution is required to verify the legality of the signature first and then recompute its own signature. To make matters worse, there are plenty of data to be processed in the EHR sharing system, which is difficult for the institution with limited resources or inconvenient situations. Therefore, the task of converting signatures can be entrusted to the semi-trusted proxy–-an insurance company. The technology of proxy re-signature (PRS) can implement the transform requirement, while the proxy can not completely replace the hospital or institution and create any other signatures belonging to them without receiving the authorization and delegation. Through the interaction with the delegator, the signature belonging to the delegatee can be converted into the delegator by proxy. What’s more, the conversion process can be completed without the private key of the delegatee, that is, the delegatee does not need actual interactive participation. Accordingly, the concept of PRS can be applied to transfer electronic medical records for management scenarios in EHRs.

However, in a complex environment, the problem of key exposure arises. Once the user is compromised, the attacker can completely pretend to be the user and do whatever he wants, which is definitely fatal. In 2009, Yang et al. [16] combined the two primitives of PRS and forward-secure threshold signature to construct the first forward-secure threshold proxy re-signature scheme. The re-signature key will be updated in different time periods, thus if the re-signature key is leaked in a certain period, it will not alter the previous re-signature key. However, the user’s private key does not change, so Sunitha et al. [17] constructed a multi-use PRS scheme with forward security in the e-banking application. Their private key and re-signing key will be updated after a period of time, but their time slice is limited and needs to be set in advance. Although forward-secure schemes have been proposed by some researchers, forward security can only guarantee the security of the key before the leakage, but not after the leakage. Therefore, a key-insulated method in PRS is proposed, which can guarantee both forward and backward security. In addition, while updating the user key, it can also refresh the re-signature key of the proxy, which ensures the security of both user’s signature and re-signature. In general, in order to construct a promising PRS scheme to ensure the unforgeability and non-repudiation in the environment of the EHR, the following properties are generally desired.

1) Unidirectional: When converting the signature, the proxy can only convert in the specified direction. Without authorization, the proxy cannot obtain the reverse conversion key through calculation.

2) Single-use: The Resign algorithm can determine whether the input signature is original or converted. For schemes with single-use property, re-signature cannot be used as the input of this algorithm.

3) Transparent: Nobody could judge the existence of the proxy, and the form of the re-signature generated by the proxy is indistinguishable from the signature generated by the user.

4) Non-interactive: In the whole delegating process, there is no need for the delegatee to actually participate, so as to realize the non-interactivity between the delegatee and the delegator.

5) ID-based: The user directly views the public parameter of identity information (ID) as his public key, so there is no need for certificate authority (CA) to specifically produce a certificate to bind the public key with the user.

6) Forward-Secure: The keys generated before the leakage occurred are not correlated with the leaked key, and their security will not be affected.

7) Backward-Secure: Conversely, if after key exposure, the key generated later is still secure, it is called backward security.

The primitive proxy re-signature was first proposed by Blaze et al. [18], but it did not give a specific formal definition so that it did not attract people’s attention for a period of time. Until 2005, Ateniese et al. gave a formal definition and security model for PRS [19]. The delegator can authorize the proxy to generate a re-signature key, and then the proxy can utilize this key to convert the designated signature from the delegatee to delegator. Shao et al. [20] eliminated the random model, constructed a PRS scheme under the standard model. Moreover, the PRS scheme in the identity-based cryptosystem was proposed for the first time. Then, Libert et al. [21] solved the open problem left by [19] and proposed the first multi-use unidirectional PRS scheme. The signature can be re-signed by multiple users in sequence, and the direction of conversion is nonreversing. Due to the semi-trusted nature of the proxy, Yang et al. [22] formally proposed the threshold proxy re-signature scheme. Multiple proxies are utilized to jointly perform the re-signature process, only when the number of proxies reaches the threshold. In 2011, Shao et al. [23] first combined the unidirectional PRS scheme with the identity-based cryptosystem. In the random oracle, the unforgeability of the signature can be proved based on the extended Computational Diffie-Hellman assumption. In order to save the Computational cost of the verification algorithm, Wang et al. [24] proposed a PRS scheme with server-assisted verification. In this scheme, the proxy can be used to verify the validity of the signature besides resigning, so that the user does not need to undertake the heavy burden of calculation. Then, Patonico et al. [25] put forward an efficient proxy re-signcryption scheme using the arithmetic operation in the elliptic curve, so as to realize the safe ownership transfer in the cloud. Under the attention of quantum computers, in order to resist this kind of attack, some researchers [26,27] turned their direction to construct PRS schemes from the perspective of lattices. Recently, more and more scenarios need to take advantage of the demand for re-signing. The PRS scheme is used in authentication [28–32], auditing [33–37], secure automated valet parking [38] and data sharing [39].

In this paper, we propose the first unidirectional identity-based proxy re-signature scheme with key insulation (KI-IDPRS), which can satisfy all the properties mentioned above. First, an ID-based scheme reduces the overhead of managing public key certificates by taking the user ID as the public key. In addition, considering identity information is fixed for the user, KI-IDPRS can update the private key without changing the public key to achieve the key-insulated property. The proxy can be authorized by the delegator to convert the signature from delegatee into delegator, but not vice versa. What’s more, the secure status of the key at current moment will not affect the keys at other moments, thus realizing key insulation. Although the proxy is semi-trusted, even if both the user and the proxy are compromised at one certain moment, the security is not broken at other times. Security of this scheme can be reduced to extended Computational Diffie-Hellman (eCDH) assumption in the random oracle model. Finally, it can be concluded that our scheme is feasible and has nice properties from the theoretical analysis including experimental results.

The following parts of the paper will discuss our proposed scheme as follows: the second part introduces related basic knowledge including system model, the formal definition and security model of the proposed scheme. The third part constructs the first unidirectional identity-based PRS scheme with key insulation and proves the unforgeable security of the proposed scheme. The fourth part puts together other relevant schemes with our scheme from the three dimensions of properties, computing cost and communication overhead, then compares them through experiments.

Given two cyclic groups G, GT of prime order p and g be generator of G. A map that meets the following requirements can form a bilinear pairing e:G×G→GT.

In the case of known a tuple , compute the value of a pair (A, Aab), for a,b∈Zp∗, A∈G.

The proposed scheme requires six entities to complete together: Private key generator (PKG), helper A, helper B, user A in hospital (delegatee), user B in the institution (delegator), and an insurance company (proxy). The system model is depicted in Fig. 1, and the description of the notations involved in the model is introduced in Table 1.

PKG: PKG is a trusted authority used to generate secret keys. When a user is supposed to extract its secret key, the identity information will be given to the PKG. The corresponding initial key and helper key will be generated by PKG, and they will be returned to the user and helper, respectively.

Helper A/B: The helper is an auxiliary device with absolute physical security but limited computing power, which is used to store the helper key. It only needs to interact with the user at the beginning of each time period, generate the update key and send it to the user to help the user update the temporary private key, but does not participate in any other cryptographic operations.

User A in hospital: The hospital can act as the delegatee to receive the delegation from the institution, and he sends the signature that needs to be re-signed to the insurance company.

User B in institution: The institution is viewed as the delegator to re-sign user A’s signature into his own signature through the insurance company, rather than directly signing the message.

Insurance company: The insurance company is used to implement the re-signature process through the re-signature key. After receiving the signature of user A and the re-signing key entrusted by user B, he converts the specified signature from A to B.

1) Setup: This is a system establishment algorithm executed by key generation center (KGC). Security parameter 1k is given to KGC and the master public key mpk is returned back for public use, the master secret key msk is returned for PKG.

2) Extract: This is an initial private key extraction algorithm executed by PKG. The master secret key msk and a user’s identity ID are the input of PKG. Then, PKG outputs the initial private key SKID,0 stored by the user and the helper key HKID stored by the helper for the identity ID.

3) HUpdate: This is an update key generation algorithm executed by the helper. The helper key HKID for the identity ID and the time period j, i are as the input of the helper. Then, the helper outputs the update key HKUID,j→i used to update time period j to i.

4) UUpdate: This is a temporary private key update algorithm executed by the user. The private key SKID, j in the old time period j for the identity ID and the update key HKUID,j→i are as the input of the user. Then, the user outputs the private key SKID, i in the new time period i for the identity ID.

5) RKGen: This is a re-signature key generation algorithm executed by the delegator. The delegatee’s identity IDA and the delegator’s private key SKIDB, i in the time period i are as the input of the delegator. Then, the delegator outputs the re-signature key RKA→B,i to the proxy, which is used to implement signature conversion from identity IDA to IDB under the same message m in the time period i.

6) Sign: This is a signature generation algorithm executed by the user/delegatee. The private key SKIDA, i in the time period i for the identity IDA, message m and the signature’s level L are as the input of the delegatee. Then, the delegatee outputs signature (σA[L],i) at level L in the time period i, where L = 1, 2.

7) ReSign: This is a re-signature conversion algorithm executed by the proxy. The original signature (σA[1],i) at level 1, message m, the delegatee’s identity IDA and the re-signature key RKA→B,i are as the input of the proxy. Then, the proxy outputs the signature (σB[2],i) at level 2 for identity IDB in the time period i, if (σA[1],i) can pass the Verify algorithm.

8) Verify: This is a verification algorithm. The alleged signature (σID(L),i) at level L, message m and the identity ID are as the input. Then, 1 can be returned if the signature is valid.

To assess the security of the key-insulated proxy re-signature in a formal manner, the following interactive game between the challenger C and the adversary A is defined by incorporating the security model for the key insulated signature [40] and the one for the proxy re-signature [23].

Setup: C performs the algorithm Setup to generate the master public key mpk and the master secret key msk, and then returns mpk to A while keeps msk secret.

Query: Before the adversary A attempts to forge a signature, the challenger C permits him to adaptively make a number of different queries.

O(Extract): C performs the algorithm Extract to produce the user ID′s initial secret key SKID, 0 for A’s request (ID).

O(UUpdate): C performs the algorithm UUpdate to produce the user ID′s temporary secret key SKID, i in time period i for A’s request (ID, i).

O(RKGen): C performs the algorithm RKGen to produce the re-signature key RKA→B,i in time period i for A’s request (IDA, IDB, i).

O(Sign): C performs the algorithm Sign to produce the signature (σ,L,i) in time period i for A’s request (ID, L, i, m).

O(ReSign): C performs the algorithm ReSign to produce the re-signature (σ′,L+1,i) in time period i for A’s request (σ,L,i,m,IDA,IDB).

Forgery Output: Suppose (ID∗,m∗,σ∗,L∗,i∗) is A’s counterfeit result after queries. If the adversary meets the following restrictions at the same time, and can still generate a valid signature that makes the equation Verify(σ,i,m,ID)=1 hold, then the adversary is considered to be the winner in this game.

By combining identity-based key-insulated signature [41] in the unidirectional IDPRS [23], the concrete construction of the unidirectional identity-based PRS scheme with insulated key has been given as follows:

• Setup(1k)→(mpk,msk): After giving the security parameter 1k, the following operations are performed by KGC to generate the public key mpk and the master secret key msk.

1) Choose two finite cyclic groups G, GT with prime order p=Θ(2k), and choose a generator g of G.

4) Define three hash functions: H1(⋅),H2(⋅):{0,1}∗→Zp∗, H3(⋅):{0,1}∗→G;

• Extract(ID,msk)→(HKID,SKID,0): After inputting the master secret key msk and a user’s identity ID, PKG firstiy randomly chooses one element HKID←RZp∗ as the helper key. Then, it computes the initial secret key SKID,0(1)=gHKID, SKID,0(2)=H1(SKID,0(1)‖ID)⋅x+HKID⋅H2(ID‖0)modp, and sets SKID,0=(SKID,0(1),SKID,0(2)). In fact, for a user, his SKID(1) can be obtained by other users, only SKID(2) is kept private. Because it is obvious to find that the user’s signature has SKID(1) as one of the components, and SKID(1) is not updated in our proposed scheme.

• HUpdate(HKID,ID,i,j)→HKUID,j→i: On receiving the helper key HKID for ID and the time period j, i, the helper outputs the update key HKUID,j→i by computing HKUID,j→i=HKID⋅(H2(ID‖i)−H2(ID‖j)).

• UUpdate(SKID,j,HKUID,j→i,ID,i,j)→SKID,i: After receiving the private key SKID, j in the old time period j and the update key HKUID,j→i, the user updates the private key SKID, i as follows:

• RKGen(IDA,SKIDB,i)→RKA→B,i: After the delegator receives the identity IDA of the delegatee, the delegator calculates RKA→B,i through its private key SKIDB, i as follows and then gives it to the proxy.

• Sign(ID,m,SKID,i)→{σ[1]=(σ(1),σ(2))σ[2]=(σ(1),σ(2),σ(3),σ(4)): After receiving the message, the delegatee signs the message m with IDA and the private key SKIDA, i. First-level signature σA[1] and second-level signature σA[2] are computed as follows, and then the first-level signature σA[1] is given to the proxy to generate the re-signature of the delegator.

2) For σA[2], randomly choose t←RZp∗ and compute σA(1)=H3(m)SKIDA,i(2)⋅t,

σA(2)=(XH1(SKIDA,i(1)||IDA)⋅(SKIDA,i(1))H2(IDA‖i))t, σA(3)=gt, σA(4)=SKIDA,i(1).

• ReSign(σA[1],RKA→B,i)→σB[2]: After receiving the delegatee’s first-level signature σA[1] and the re-signature key RKA→B,i, the proxy first ensures the legality of the signature σA[1] by examining whether the equation e(σA(1),g)=e(H3(m),XH1(σA(2)||IDA)⋅(σA(2))H2(IDA‖i)) can be satisfied. If not, an error is output. Otherwise, the proxy calculates the second-level signature σB[2] of the delegator as follows:

=((σA(1))t,(XH1(SKIDA,i(1)||IDA)⋅(σA(2))H2(IDA||i))t,(RKA→B,i(1))t,RKA→B,i(2))

=H3(m)SKIDA,i(2)⋅t′⋅SKIDB,i(2)SKIDA,i(2),(gSKIDA,i(2))t′⋅SKIDB,i(2)SKIDA,i(2),(gSKIDA,i(2)⋅1SKIDB,i(2))t′⋅SKIDB,i(2)SKIDA,i(2),SKIDB,i(1)

=H3(m)SKIDB,i(2)⋅t′,(XH1(SKIDB,i(1)||IDB)⋅(SKIDB,i(1))H2(IDB‖i))t′,gt′,SKIDB,i(1)

where, {t=t′⋅SKIDB,i(2)SKIDA,i(2)gSKID,i(2)=XH1(SKID,i(1)||ID)⋅(SKID,i(1))H2(ID‖i)

• Verify(σ,i,m,ID)→1/⊥: After entering the signature σ[1]/σ[2], message m, and identity ID, the algorithm checks the validity of the first-level signature through equation e(H3(m),XH1(σ(2)||ID)⋅(σ(2))H2(ID‖i)) =e(σ(1),g), and the validity of the second-level signature through equation e(σ(1),g)=e(H3(m),σ(2)),

In the random oracle model, our proposal is existentially unforgeable under the eCDH assumption in G.

Proof: Assume that there is an adversary A can break the existential unforgeability of our proposal with non-negligible probability ε, then we can build another algorithm B to solve the eCDH problem. The input of eCDH problem is (g, ga, gb), and the goal of security proof is to get (A, Aab), where A could be any element in G.

Setup: The challenger C initializes the system according to the following steps:

2) Send mpk=(g,p,G,GT,e,X,H1,H2,H3) to A, where the values of H1, H2 and H3 can be obtained through the following O(H1), O(H2) and O(H3) queries, respectively.

2) If there is the item (R||ID) in the H1list, C returns the corresponding h1 to A;

3) If not, C randomly chooses one element h1 from Zp∗ as output and adds it to the H1list.

2) If there is the item (ID||i) in the H2list, C returns the corresponding h2 to A;

3) If not, C randomly chooses one element h2 from Zp∗ as output and adds it to the H2list.

3) If not, A randomly chooses one element α from Zp∗ and computes (gb)α as output, then adds it to the H3list.

2) C randomly chooses h1,h2,SKID,0(2)←RZp∗ and computes SKID,0(1)=(gSKID,0(2)/Xh1)1h2;

3) If (SKID,0(1)||ID,h1)∈H1list and (ID||0,h2)∈H2list, C outputs “failure” and aborts;

4) If not, C adds (SKID(1)||ID,h1), (ID||0, h2) to the H1list, H2list and returns (SKID,0(1),SKID,0(2)) as the initial secret key to A.

1) A inputs ID and the time period i to query the temporary secret key SKID, 0 in the time period i;

2) C randomly chooses h1,h2,SKID,i(2)←RZp∗ and computes SKID,i(1)=(gSKID,i(2)/Xh1)1h2;

3) If (SKID,i(1)||ID,h1)∈H1list and (ID||i,h2)∈H2list, C outputs “failure” and aborts;

4) If not, C adds (SKID(1)||ID,h1), (ID||i, h2) to the H1list, H2list and returns (SKID,i(1),SKID,i(2)) as the temporary secret key for time period i to A.

2) C computes the required query value via the corresponding private key and returns it to A;

According to the forking lemma [42], for level 1, A can counterfeit two valid signatures (SKID∗,i∗(1),h1,SKID∗,i∗(2),σ(1),σ(2),m∗), (SKID∗,i∗(1),h1′,SKID∗,i∗(2),σ′(1),σ′(2),m∗). h1 and h′1 are two different random responses from O(H1) on input (SKID∗,i∗(1)||ID∗), then B can compute: (σ(1)σ′(1))1h1−h1′=(((gb)α)h1⋅a+h2⋅HKID∗((gb)α)h1′⋅a+h2⋅HKID∗)1h1−h1′=(gα)ab.

Similarly, for level 2, A can counterfeit two valid signatures (SKID∗,i∗(1),h1,SKID∗,i∗(2),σ(1),σ(2),σ(3),σ(4)), (SKID∗,i∗(1),h1′,SKID∗,i∗(2),σ′(1),σ′(2),σ(3),σ(4)). Then, B can compute: (σ(1)σ′(1))1h1−h1′=(((gb)α)(h1⋅a+h2⋅HKID∗)⋅t((gb)α)(h1′⋅a+h2⋅HKID∗)⋅t)1h1−h1′=(gα⋅t)ab.

Comparison between our KI-IDPRS scheme and state-of-the-art [21,30,43] will be comprehensively discussed from the perspective of properties, computation cost, and communication overhead. The schemes involved in the comparison are the first PRS scheme featured with the multi-use and unidirectional translation [21], the PRS scheme with key-leakage resistance [43] and the up-to-dated PRS scheme [30]. Then, the simulated implementation of these schemes is conducted through the experimental platform.

To make the following theoretical analysis more convincing, these schemes are simulated on a specific experimental platform. The computer’s operating system is 64-bits Windows 10, the processor is Intel Core i7-7700 @ 3.60 GHz, and the memory is 8GB. Based on VC++6.0, cryptography operations are implemented with the Pairing-Based Cryptography (PBC) library [44], where parameter is the standard parameter a.param and |G|=128 bytes, |Zp∗|=20 bytes. In addition, the unit time of critical operations is separately measured and listed in Table 2.

We list the properties of the proposed scheme and the relevant work [21,30,43] in Table 3, where “√” means that the property is supported, “×” means that the feature is not supported. According to the comparison results, it is obvious that all the desired properties can be satisfied in our protocol. Although the scheme [21] owns several desired properties of PRS, this scheme is built in the public key infrastructure and is difficult to be deployed in practical in view of the burden brought by the public-key certificates. In scheme [43], the identity-based cryptographic system is applied to simplify certificate management. Besides, the schemes [30,43] have forward security to prevent the key leakage from affecting the previous key. However, they ignore the security of the private key after key exposure. Only our scheme could provide the key insulated property and thus achieve forward and backward security simultaneously. Although schemes [43] and [30] realize forward security, they divide the time into a presetting limited time period for updating private keys. In contrast to the works in [30,43], the proposed scheme provides unlimited periods.

The communication overhead of these schemes is discussed in Table 4, Figs. 2 and 3, where |G| and |Zp∗| represent the length of an element in group G and group Zp∗, respectively. In the experiment, we take |G|=128 bytes and |Zp∗|=20 bytes. Scheme [21], [30] and our signature length are both 2|G|, and scheme [43] is the longest. In addition, the length of the re-signature is the same. In terms of the re-signature key, our size is one more |G| than scheme [21] and one |G| less than schemes [43] and [30]. In general, the length of signature and re-signature in KI-IDPRS is less than or equal to other schemes. Therefore, the proposed scheme does not occupy more communication overhead compared with other schemes.

From the data in Table 2, it is clear that the hash function, scalar multiplication, and modular multiplication take relatively little time. Therefore, exponential and pairing operations are mainly considered in the theoretical analysis of these schemes. TE is used to represent the time required to perform an exponential operation in group G, and TP represents the runtime of a bilinear pairing. In the signature phase, results in Table 5, Figs. 4–6 can illustrate that our scheme is less than or equal to other schemes in terms of computational overhead. In the process of re-signing, the scheme [21] requires six exponential operations, which is more than our scheme. However, the schemes [43] and [30] only require two and three exponential operations, respectively. Our KI-PRS scheme requires five, which is acceptable, because our scheme can support both forward and backward security. When checking the validity of the first-level signature, it only takes more time than the scheme [30], where TP≈2TE. When performing the verification of second-level signature, our scheme requires four exponential operations and two pairing operations (that is, approximately equal to five TP), which is no more than other schemes. In short, compared with other schemes, KI-IDPRS may not cost more time than some schemes, but this is acceptable for the acquisition of functional and safety enhancements.

This paper proposes the first KI-IDPRS scheme, which is conducive to timely dealing with the occurrence of key leakage in the EHR sharing system. Then, the formal definition and the security model of KI-IDPRS are given. On this basis, a concrete KI-IDPRS scheme is constructed and proved to have unforgeable security under the eCDH assumption in the random oracle model. What’s more, the presented KI-IDPRS scheme can support both forward and backward security, updating private key within unlimited periods. Accordingly, key leakage will not cause a catastrophic threat to the EHR sharing system. Finally, from theoretical analysis and experiment evaluation, related schemes are compared from three dimensions in properties, communication and computation costs. The presented KI-IDPRS is the only scheme with all the promising properties.

Funding Statement: This work is partially supported by the Network and Data Security Key Laboratory of Sichuan Province under the Grant No. NDS2021-2, in part by Science and Technology Project of Educational Commission of Jiangxi Province under the Grant No. GJJ190464, and in part by National Natural Science Foundation of China under the Grant No. 71661012.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.

References

1. Ranchal, R., Bastide, P., Wang, X., Gkoulalas-Divanis, A., Mehra, M. et al. (2020). Disrupting healthcare silos: Addressing data volume, velocity and variety with a cloud-native healthcare data ingestion service. IEEE Journal of Biomedical and Health Informatics, 24(11), 3182–3188. DOI 10.1109/JBHI.6221020. [Google Scholar] [CrossRef]

2. Schiza, E. C., Kyprianou, T. C., Petkov, N., Schizas, C. N. (2019). Proposal for an ehealth based ecosystem serving national healthcare. IEEE Journal of Biomedical and Health Informatics, 23(3), 1346–1357. DOI 10.1109/JBHI.6221020. [Google Scholar] [CrossRef]

3. Hamza, R., Yan, Z., Muhammad, K., Bellavista, P., Titouna, F. (2020). A Privacy-preserving cryptosystem for iot e-healthcare. Information Sciences, 527, 493–510. DOI 10.1016/j.ins.2019.01.070. [Google Scholar] [CrossRef]

4. Nie, L., Wang, M., Zhang, L., Yan, S., Zhang, B. et al. (2015). Disease inference from health-related questions via sparse deep learning. IEEE Transactions on Knowledge and Data Engineering, 27(8), 2107–2119. DOI 10.1109/TKDE.2015.2399298. [Google Scholar] [CrossRef]

5. Kuo, T. T., Kim, H. E., Ohno-Machado, L. (2017). Blockchain distributed ledger technologies for biomedical and health care applications. Journal of the American Medical Informatics Association, 24(6), 1211–1220. DOI 10.1093/jamia/ocx068. [Google Scholar] [CrossRef]

6. Wu, T. Y., Wang, T., Lee, Y. Q., Zheng, W., Kumari, S. et al. (2021). Improved authenticated key agreement scheme for fog-driven iot healthcare system. Security and Communication Networks. DOI 10.1155/2021/6658041. [Google Scholar] [CrossRef]

7. Xiong, H., Huang, X., Yang, M., Wang, L., Yu, S. (2021). Unbounded and efficient revocable attribute-based encryption with adaptive security for cloud-assisted Internet of Things. IEEE Internet of Things Journal. DOI 10.1109/JIOT.2021.3094323. [Google Scholar] [CrossRef]

8. Xiong, H., Yao, T., Wang, H., Feng, J., Yu, S. (2021). A survey of public key encryption with search functionality for cloud-assisted IoT. IEEE Internet of Things Journal, 9(1), 401–418. DOI 10.1109/JIOT.2021.3109440. [Google Scholar] [CrossRef]

9. Chen, C. M., Tie, Z., Wang, E. K., Khan, M. K., Kumar, S. et al. (2021). Verifiable dynamic ranked search with forward privacy over encrypted cloud data. Peer-to-Peer Networking and Applications, 14, 2977–2991. DOI 10.1007/s12083-021-01132-3. [Google Scholar] [CrossRef]

10. Xiong, H., Jin, C., Alazab, M., Yeh, K. H., Wang, H. et al. (2021). On the design of blockchain-based ECDSA with fault-tolerant batch verication protocol for blockchain-enabled IoMT. IEEE Journal of Biomedical and Health Informatics. DOI 10.1109/JBHI.2021.3112693. [Google Scholar] [CrossRef]

11. Xiong, H., Hou, Y., Huang, X., Zhao, Y., Chen, C. M. (2021). Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANS. IEEE Systems Journal, 1–10. DOI 10.1109/JSYST.2020.3048972. [Google Scholar] [CrossRef]

12. Wang, Q., Wang, C., Ren, K., Lou, W., Li, J. (2010). Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Transactions on Parallel and Distributed Systems, 22(5), 847–859. DOI 10.1109/TPDS.2010.183. [Google Scholar] [CrossRef]

13. Yu, Y., Xue, L., Au, M. H., Susilo, W., Ni, J. et al. (2016). Cloud data integrity checking with an identity-based auditing mechanism from RSA. Future Generation Computer Systems, 62, 85–91. DOI 10.1016/j.future.2016.02.003. [Google Scholar] [CrossRef]

14. Xiong, H., Zhao, Y., Hou, Y., Huang, X., Jin, C. et al. (2020). Heterogeneous signcryption with equality test for IIoT environment. IEEE Internet of Things Journal, 8(21). DOI 10.1109/JIOT.2020.3008955. [Google Scholar] [CrossRef]

15. Xiong, H., Chen, J., Mei, Q., Zhao, Y. (2020). Conditional privacy-preserving authentication protocol with dynamic membership updating for vanets. IEEE Transactions on Dependable and Secure Computing. DOI 10.1109/TDSC.2020.3047872. [Google Scholar] [CrossRef]

16. Yang, X., Wang, C., Zhang, Y., Wei, W. (2009). A new forward-secure threshold proxy re-signature scheme. 2009 IEEE International Conference on Network Infrastructure and Digital Content, pp. 566–569. [Google Scholar]

17. Sunitha, N., Amberker, B. (2009). Multi-use unidirectional forward-secure proxy re-signature scheme. 2009 IEEE International Conference on Internet Multimedia Services Architecture and Applications (IMSAA), pp. 1–6. [Google Scholar]

18. Blaze, M., Bleumer, G., Strauss, M. (1998). Divertible protocols and atomic proxy cryptography. International Conference on the Theory and Applications of Cryptographic Techniques, pp. 127–144. Espoo, Finland. [Google Scholar]

19. Ateniese, G., Hohenberger, S. (2005). Proxy re-signatures: New definitions, algorithms, and applications. Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 310–319. Alexandria VA USA. [Google Scholar]

20. Shao, J., Cao, Z., Wang, L., Liang, X. (2007). Proxy re-signature schemes without random oracles. International Conference on Cryptology in India, pp. 197–209. Chennai, India. [Google Scholar]

21. Libert, B., Vergnaud, D. (2008). Multi-use unidirectional proxy re-signatures. Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 511–520. Alexandria Virginia USA. [Google Scholar]

22. Yang, P., Cao, Z., Dong, X. (2011). Threshold proxy re-signature. Journal of Systems Science and Complexity, 24(4), 816–824. DOI 10.1007/s11424-011-8370-3. [Google Scholar] [CrossRef]

23. Shao, J., Wei, G., Ling, Y., Xie, M. (2011). Unidirectional identity-based proxy re-signature. 2011 IEEE International Conference on Communications (ICC), pp. 1–5. Kyoto, Japan. [Google Scholar]

24. Wang, Z., Lv, W. (2013). Server-aided verification proxy re-signature. 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1704–1707. Melbourne, VIC, Australia. [Google Scholar]

25. Patonico, S., Shabisha, P., Braeken, A., Touhafi, A., Steenhaut, K. (2020). Elliptic curve-based proxy re-signcryption scheme for secure data storage on the cloud. Concurrency and Computation: Practice and Experience, 32(17), e5657. DOI 10.1002/cpe.5657. [Google Scholar] [CrossRef]

26. Luo, F., Al-Kuwari, S., Susilo, W., Duong, D. H. (2021). Attribute-based proxy re-signature from standard lattices and its applications. Computer Standards & Interfaces, 75, 103499. DOI 10.1016/j.csi.2020.103499. [Google Scholar] [CrossRef]

27. Chen, W., Li, J., Huang, Z., Gao, C., Yiu, S. et al. (2021). Lattice-based unidirectional infinite-use proxy re-signatures with private re-signature key. Journal of Computer and System Sciences, 120, 137–148. DOI 10.1016/j.jcss.2021.03.008. [Google Scholar] [CrossRef]

28. Sun, Y., Lu, R., Lin, X., Shen, X., Su, J. (2010). An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications. IEEE Transactions on Vehicular Technology, 59(7), 3589–3603. DOI 10.1109/TVT.2010.2051468. [Google Scholar] [CrossRef]

29. Xiong, H., Chen, Z., Li, F. (2012). Efficient privacy-preserving authentication protocol for vehicular communications with trustworthy. Security and Communication Networks, 5(12), 1441–1451. DOI 10.1002/sec.515. [Google Scholar] [CrossRef]

30. Xiong, H., Wu, Y., Jin, C., Kumari, S. (2020). Efficient and privacy-preserving authentication protocol for heterogeneous systems in IIoT. IEEE Internet of Things Journal, 7(12), 11713–11724. DOI 10.1109/JIoT.6488907. [Google Scholar] [CrossRef]

31. Xiong, H., Kang, Z., Chen, J., Tao, J., Yuan, C. et al. (2020). A novel multiserver authentication scheme using proxy resignature with scalability and strong user anonymity. IEEE Systems Journal, 15(2), 2156–2167. DOI 10.1109/JIOT.2020.2999510. [Google Scholar] [CrossRef]

32. Xiong, H., Zhou, Z., Wang, L., Zhao, Z., Huang, X. et al. (2021). An anonymous authentication protocol with delegation and revocation for content delivery networks. IEEE Systems Journal, 1–12. DOI 10.1109/JSYST.2021.3113728. [Google Scholar] [CrossRef]

33. Wang, B., Li, B., Li, H. (2013). Panda: Public auditing for shared data with efficient user revocation in the cloud. IEEE Transactions on Services Computing, 8(1), 92–106. DOI 10.1109/TSC.2013.2295611. [Google Scholar] [CrossRef]

34. He, K., Huang, C., Yang, K., Shi, J. (2015). Identity-preserving public auditing for shared cloud data. 2015 IEEE 23rd International Symposium on Quality of Service (IWQoS), pp. 159–164. Portland, OR, USA. [Google Scholar]

35. Liu, X., Sun, W., Lou, W., Pei, Q., Zhang, Y. (2017). One-tag checker: Message-locked integrity auditing on encrypted cloud deduplication storage. IEEE Conference on Computer Communications, pp. 1–9. Atlanta, GA, USA. [Google Scholar]

36. Luo, Y., Xu, M., Huang, K., Wang, D., Fu, S. (2018). Efficient auditing for shared data in the cloud with secure user revocation and computations outsourcing. Computers & Security, 73, 492–506. DOI 10.1016/j.cose.2017.12.004. [Google Scholar] [CrossRef]

37. Rabaninejad, R., Ahmadian, M., Asaar, M. R., Aref, M. R. (2019). A lightweight auditing service for shared data with secure user revocation in cloud storage. IEEE Transactions on Services Computing. DOI 10.1109/TSC.2019.2919627. [Google Scholar] [CrossRef]

38. Huang, C., Lu, R., Lin, X., Shen, X. (2018). Secure automated valet parking: A privacy-preserving reservation scheme for autonomous vehicles. IEEE Transactions on Vehicular Technology, 67(11), 11169–11180. DOI 10.1109/TVT.2018.2870167. [Google Scholar] [CrossRef]

39. Song, W., Wu, Y., Cui, Y., Liu, Q., Shen, Y. et al. (2021). Public integrity verification for data sharing in cloud with asynchronous revocation. Digital Communications and Networks. DOI 10.1016/j.dcan.2021.02.002. [Google Scholar] [CrossRef]

40. Dodis, Y., Katz, J., Xu, S., Yung, M. (2003). Strong key-insulated signature schemes. International Workshop on Public Key Cryptography, pp. 130–144. Miami, FL, USA. [Google Scholar]

41. Weng, J., Liu, S., Chen, K., Li, X. (2006). Identity-based key-insulated signature with secure key-updates. International Conference on Information Security and Cryptology, pp. 13–26. Beijing, China. [Google Scholar]

42. Pointcheval, D., Stern, J. (2000). Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3), 361–396. DOI 10.1007/s001450010003. [Google Scholar] [CrossRef]

43. Yang, X., Chen, C., Ma, T., Wang, J., Wang, C. (2018). Revocable identity-based proxy re-signature against signing key exposure. PLos One, 13(3), e0194783. DOI 10.1371/journal.pone.0194783. [Google Scholar] [CrossRef]