Efficient File Sharing in Electronic Health Records

Size: px

Start display at page:

Download "Efficient File Sharing in Electronic Health Records"

Liliana Banks
8 years ago
Views:

1 Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20

2 Outline for Section 1 1 Introduction 2 Solution 3 Construction 4 Security /20

3 Scenario DOCTORS C=Enc(EHR) LICENSE HOSPITAL Dec(C,LICENSE) =EHR GOVERNMENT 3/20

4 Entities and Roles 1 Hospital forwarding important information (EHR) to Doctors Hospital = Broadcaster Forwarding = Broadcasting 2 Government and other legislators granting the license for Doctors Legislators = Certifiers License = Certificate 3 Doctors working in that Hospital Doctors = Users 4/20

5 Previous Results Multi-Receiver Certificate-Based Encryption (MR-CBE) However not suitable results: size of public parameters and ciphertexts linear in the number of users n + only 1 certifier + selective CPA security in ROM C.-I. Fan, P.-J. Tsai, J.-J. Huang and W.-T. Chen, Anonymous Multi-receiver Certificate-Based Encryption. In CyberC C. Sur, C. D. Jung and K.-H. Rhee, Multi-receiver Certificate-Based Encryption and Application to Public Key Broadcast Encryption. In BLISS /20

6 Outline for Section 2 1 Introduction 2 Solution 3 Construction 4 Security /20

7 Broadcast Encryption (BE) Group of users Broadcaster PK and SK C=Enc(PK,K,S ) S S Dec(PK,C,S S,SK)=K if user belongs to S 7/20

8 Certificate-Based Encryption (CBE) Certifier User Certif=Cert(PK,PK,t,SK) C t(pk PK tsk) C=Enc(PK,PK,t,M) PK tm) PK,SK PK,SK Dec(PK,t,C,Certif,SK )=M C tif 8/20

9 Suitable Results BE: constant size for secret key and ciphertext + selective CPA security in SM CBE: constant size for certificate and ciphertext + adaptive CCA security in ROM D. Boneh, C. Gentry, and B. Waters, Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In CRYPTO C. Gentry, Certificate-Based Encryption and the Certificate Revocation Problem. In EUROCRYPT /20

10 Simple Combination BE: communication between 1 sender and n receivers CBE: communication between 1 sender and 1 receiver However not so appropriate results: simple combination BE + CBE gives size for ciphertext linear in number of users and number of certifiers 10/20

11 Efficient Combination File Sharing in Electronic Health Records (FSEHR) Constant size for secret key, certificate and ciphertext Selective CCA security in ROM Size for public parameters linear in number of users and number of certifiers 11/20

12 Outline for Section 3 1 Introduction 2 Solution 3 Construction 4 Security 2/20

13 Our Scheme - Setup On input security parameter λ, total number n of users and total number k of certifiers Run (p, G, G T, e) GroupGen(λ, n, k) For i = 1,, n, n + 2,, 2n, for g R G, α R Z p and γ R Z p, compute g i = g (αi) and v = g γ Hash functions H 1 : G {0, 1} G, H 2 : G G G and H 3 : G T G G G G {0, 1} λ For i {1,, n}, compute user i s secret key d i = g γ i (= v(αi) ) For j {1,, k}, for σ j R Z p, compute certifier j s public key w j = g σ j and secret key d cj = σ j Set public parameters P K = (p, G, G T, g, g 1,, g n, g n+2,, g 2n, v, w 1,, w k, H 1, H 2, H 3 ) 13/20

14 Our Scheme - Certif On input public parameters P K, certifier j s secret key d cj, user i and time period l represented as a string in {0, 1} For r i,j,l R Z p, compute user i s certificate e i,j,l e i,j,l,1 = g σj i H 1 (w j, l) σj r i,j,l = w (αi ) j H 1 (w j, l) σj r i,j,l e i,j,l,2 = g σj r i,j,l = w r i,j,l j 14/20

15 Our Scheme - Encrypt On input public parameters P K, set S u {1,, n} of users, set S c {1,, k} of certifiers and time period l For t R Z p, compute session key K = e(g n+1, g) t and ciphertext C C 1 = g t C 2 = j S c H 1 (w j, l) t C 3 = (v j S c w j i S u g n+1 i ) t C 4 = H 2 (C 1, C 3 ) t C 5 = H 3 (K, C 1, C 2, C 3, C 4 ) 5/20

16 Our Scheme - Decrypt On input public parameters P K, set S u {1,, n} of users, set S c {1,, k} of certifiers, time period l, user i S u with its secret key d i and its certificates e i,j,l for j S c and l, and ciphertext C Check whether e(c 1, H 2 (C 1, C 3 ))? = e(g, C 4 ) e(g i,c 3 ) e( j Sc e i,j,l,2,c 2 ) Compute K = e(d i j Sc e i,j,l,1 i Su\{i} g n+1 i +i,c 1) = e(g n+1, g) t Compute C 5 = H 3(K, C 1, C 2, C 3, C 4 ) If C 5 = C 5, then return K; otherwise return 6/20

17 Outline for Section 4 1 Introduction 2 Solution 3 Construction 4 Security 7/20

18 Assumption Definition (Decisional n-bilinear Diffie-Hellman Exponent assumption) For any t-time adversary B that is given (g, h, g a, g a2,, g an, g an+2,, g a2n ) G 2n+1, and a candidate to the Decisional n-bdhe problem that is either e(g, h) an+1 G T or a random value T, cannot distinguish the two cases with advantage greater than ε: AdvBDHE B,n = P r[b(g, h, g a, g a2,, g an, g an+2,, g a2n, e(g, h) an+1 ) = 1] P r[b(g, h, g a, g a2,, g an, g an+2,, g a2n, T ) = 1] ε. 8/20

19 Security Proofs Theorem (Selective CCA Security) The File Sharing scheme in Electronic Health Records FSEHR achieves Selective CCA Security under the Decisional n-bdhe assumption, in the random oracle model. Theorem (Collusion Resistance) The File Sharing scheme in Electronic Health Records FSEHR is fully secure against any number of colluders, in the random oracle model. 9/20

20 Thank you for your attention Any Questions? 20/20

Efficient File Sharing in Electronic Health Records

Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo, Thomas Plantard Centre for Computer and Information Security Research School of Computer Science and Software Engineering