10034 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO.

12, JUNE 15, 2021

A Privacy-Aware and Traceable Fine-Grained Data

Delivery System in Cloud-Assisted Healthcare IIoT
Jianfei Sun , Dajiang Chen , Member, IEEE, Ning Zhang , Senior Member, IEEE,
Guowen Xu , Student Member, IEEE, Mingjian Tang, Xuyun Nie ,
and Mingsheng Cao , Member, IEEE

Abstract—The emerging of healthcare Industrial Internet of I. I NTRODUCTION

Things (HealthIIoT) cannot only facilitate high-quality care
NTERNET of Things (IoT) is one of the emerging
services for patients but also enable efficient telemedicine plat-
form for healthcare practitioners. However, it faces several
fundamental security and privacy challenges, such as secure
I technologies that realize a digitization of the physical world
by embedding massive smart objects with actuators, sensors,
fine-grained data delivery, privacy preserving keyword-based electronics, and network connectivity, which empowers them to
ciphertext retrieval, malicious key delegation, and efficiency of interact with each other for data acquisition, and exchange and
the system. To combat these issues, we propose a privacy-
analysis without human interventions [1]–[4]. It is predicted
aware and traceable fine-grained system (PTFS) for secure data
delivery in cloud-assisted HealthIIoT. Compared to the existing that by 2021, the number of IoT devices will be beyond 50
solutions that only implement some of the preceding features, billion and the endpoint spending in IoT business will up to $3
the proposed solution enables secure fine-grained data deliv- trillion [5]–[7]. To date, IoT devices have been applicable in a
ery, privacy-preserving data retrieval, efficient encryption and broad range of application scenarios from healthcare and smart
decryption operations, and trace of malicious key delegation city to environmental monitoring, and so on. As one of the most
simultaneously. For security analysis, rigorous proofs of the
proposed scheme are provided to prove its security. In addi- popular applications of IoT in the industrial sector, healthcare
tion, extensive simulations and experiments are conducted for Industrial Internet of Things (HealthIIoT) has been recognized
performance evaluation, which demonstrate the feasibility and as an important tool to facilitate medicine and healthcare practi-
effectiveness of PTFS. tioners to render timely diagnosis and treatment. The ultimate
Index Terms—Industrial Internet of Things (IoT), malicious goal of HealthIIoT is to provide high-quality care services
key delegation, privacy aware, traceable. for patients and to enable efficient telemedicine for healthcare
practitioners [8], [9]. In the HealthIIoT environment, wearable
IIoT devices implanted inside or worn on the wearer’s body are
utilized for collecting the health data, such as blood pressure,
Manuscript received July 31, 2020; revised November 14, 2020; accepted
temperature, pulse rate, lung volume, etc. These data can be
December 30, 2020. Date of publication January 4, 2021; date of current remotely accessed by healthcare practitioners for the diagnose
version June 7, 2021. This work was supported in part by NSFC under of a patient’s condition.
Grant 61872059, Grant 61771417, Grant 61502085, and Grant 62002047; Despite significant benefits it brings, fundamental secu-
in part by the Project “The Verification Platform of Multi-Tier Coverage
Communication Network for Oceans” under Grant LZC0020; and in part by rity and privacy challenges in HealthIIoT have to be
the International Scientific and Technological Innovation Cooperation Project solved [10]–[12]. For example, flexible and secure data com-
in Sichuan Province under Grant 2020YFH0062. (Corresponding authors: munication between IIoT devices should be realized. This is
Dajiang Chen; Ning Zhang.)
Jianfei Sun, Xuyun Nie, and Mingsheng Cao are with the School because the cost is prohibitive to build and manage a sheer
of Information and Software Engineering, University of Electronic amount of secure connections between each pair of IIoT
Science and Technology of China, Chengdu 610054, China (e-mail: devices. In practice, it is usually unnecessary to realize data
[email protected]; [email protected]; [email protected]).
Dajiang Chen is with the Network and Data Security Key Laboratory access on a one-to-one connection basis. Besides, considering
of Sichuan Province, University of Electronic Science and Technology of the sensitivity of healthcare data as well as the vulnerability
China, Chengdu 611731, China, and also with the Network Communication of IIoT devices, any leakage of sensitive healthcare data will
Research Centre, Peng Cheng Laboratory, Shenzhen 518055, China (e-mail:
[email protected]). result in the patient’s privacy and reputation breaches.
Ning Zhang is with the Department of Electrical and Computer As one of promising cryptographic communication
Engineering, University of Windsor, Windsor, ON N9B 3P4, Canada (e-mail: technologies, ciphertext-policy attribute-based encryption
[email protected]).
Guowen Xu is with the School of Computer Science and Engineering, (CP-ABE) [13], [14] can effectively and flexibly secure data
University of Electronic Science and Technology of China, Chengdu 611731, delivery between IIoT devices. In a CP-ABE, an access control
China (e-mail: [email protected]). is associated with a ciphertext and the secret key assigned to
Mingjian Tang is with the Department AI Enablement, Huawei
Technologies Company Ltd., Shenzhen 518129, China (e-mail: each user is associated with a set of attributes. The data can
[email protected]). be recovered from the ciphertext by a user in the case that the
This article has supplementary material provided by the set of attributes satisfies the specified access control policy.
authors and color versions of one or more figures available at
https://doi.org/10.1109/JIOT.2020.3048976. However, the direct deployment of CP-ABE in HealthIIoT
Digital Object Identifier 10.1109/JIOT.2020.3048976 induces several challenges. To be specific, encryption
2327-4662 
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10035

greatly undermines the availability of health data, which results 1) Online/Offline Encryption: To enable users to quickly
in plaintext information retrieval over encrypted health data complete ciphertext generation with minimal energy
to be a challenge [16]–[24]. For example, when a health- consumption, the proposed scheme splits the cipher-
care practitioner intends to obtain the health data of interests, text generation into offline and online phases, which
he/she must download and decipher all the data. Apparently, greatly enhances service availability. More specifically,
this inevitably brings about the prohibitive wastage of com- the most majority of operations to encrypt the data and
puting and storage resources. Besides, the privacy leakage keyword are conducted in the offline mode and only
of sensitive information can be caused by an access pol- some marginal operations to produce the final ciphertext
icy in the conventional CP-ABE schemes directly attached and index are completed in the online phase.
to the ciphertext. This is because the access control is speci- 2) Privacy-Preserving Fine-Grained Data Retrieval: To
fied based on the user’s attributes and hence it is relevant to provide privacy-preserving fine-grained access control
user’s privacy. For example, in a HealthIIoT system, hospi- and keyword-based ciphertext over encrypted data, the
tal A encrypts a patient’s health data with an access policy proposed scheme allows a data owner to embed a
(“Hospital: Hospital B” AND “Doctor: Psychologist”) OR (“ID: privacy-preserving access policy into the generated
9533” AND “Hospital: Hospital A”) OR (“Institution: Insurance cipheretext, such that data users can efficiently retrieve
Company” AND “Position: Insurance Employee”), which spec- the target data in a fine-grained manner without exposing
ifies that the user who is a psychologist of hospital B or a staff any attribute privacy of access control.
with ID: 9533 of hospital A or an insurance company employee 3) Lightweight Decryption: To enable users to rapidly
can access the data. Nevertheless, anyone could easily capture recover the encrypted data, most of the intensive decryp-
that the patient (ID: 9533) in Hospital A likely suffers from tion operations in the proposed scheme are shifted to the
a psychological problem. Obviously, such privacy leakage is cloud server and only a few operations with less compu-
improper and should be impeded for the HealthIIoT system. tation overhead are left to users. More specifically, the
As one of most efficient countermeasures against the decryption overhead of the proposed scheme is constant,
above challenges, the privacy-preserving CP-ABE with key- i.e., it does not increase linearly with the complexity
word search (PP-CP-ABKS) [25]–[27], [29] cannot only of access control and the number of user’s attributes,
allow the user in HealthIIoT to achieve secure, flexible which indicates the feasibility and practicability of the
data delivery between IIoT devices but also support fine- proposed scheme.
grained keyword-based ciphertext retrieval without exposing 4) Trace of Malicious Key Delegation: To impede the dis-
any attribute privacy of access control. However, there are honest users from maliciously delegating their secret key
two mainly limitations in existing PP-CP-ABKS schemes for to unauthorized users for profits, the proposed scheme
the HealthIIoT system. One limitation is about the ineffi- realizes the traceability to trace malicious users who may
ciency. In a HealthIIoT system, the IIoT devices are frequently leak the secret key by securely embedded their iden-
leveraged for data processing, whereas these devices are com- tity information in the private key, which facilitates the
putation limited or power constrained to complete ciphertext accountability of malicious behaves.
generation and plaintext recovery operations. Besides, the Besides, rigorous security proofs are provided to demon-
computation overhead in ciphertext generation and decryp- strate that not only the selective security toward keyword and
tion phases increases with the complexity of access control the shared data but also the traceability can be realized in the
and the amount of user’s attributes. Thus, it is necessary proposed scheme. Moreover, we also conduct simulations and
to support efficient encryption and decryption operations in experiments to reveal the efficiency of the proposed scheme
PP-CP-ABKS schemes to complete ciphertext generation and by comparison with existing solutions.
data recovery. For the other limitation, most PP-CP-ABKS
schemes do not consider the malicious key delegation issue.
Specifically, the dishonest IIoT users may share or sell their II. R ELATED W ORKS
secret keys to unauthorized users for financial benefits, which To realize the secure and flexible healthcare data delivery
results in nonauthorization entities capturing the same priv- between IIoT devices, CP-ABE provides a cryptographic solu-
ileges as the dishonest IIoT users [28], [30]. Thus, it is tion to support one-to-many data encryption and fine-grained
also essential to support traceability in PP-CP-ABKS schemes access control over the encrypted data. The notion of the first
to trace malicious users who intentionally leak or sell the standard CP-ABE primitive is raised by Goyal et al. [13] and
secret key. Ostrovsky et al. [14]. Until now, considerable CP-ABE works
Seeking to resolve the limitations above elaborated while have been put forward to support many desirable features, such
realizing flexible and privacy preserving data exchange, we as outsourced CP-ABE [31], revocable CP-ABE [32], trace-
propose a privacy-aware and traceable fine-grained system able CP-ABE [33], and so on. However, these works cannot
for secure data delivery in the HealthIIoT environment in provide keyword-based ciphertext retrieval due to that data
this article. We handle the issues of online/offline encryption, availability is completely breached by encryption.
lightweight decryption, privacy-preserving fine-grained data For the provision of fine-grained access control and
retrieval, and trace of malicious key delegation. To be more keyword-based ciphertext retrieval over encrypted data simul-
specific, the main contributions of this work are summarized taneously, CP-ABE with keyword search (CP-ABKS), as
as follows. a combination of the concept of CP-ABE [13], [14] and

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10036 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

searchable encryption (SE) [15], was designed, which allows Besides, there are also many attribute-based multikeyword
a data user with granted fine-grained search/decryption per- schemes. For example, Miao et al. [39] proposed a practi-
mission to retrieve/decrypt the target data. For example, cal attribute based multikeyword search scheme for mobile
Zheng et al. [16] put forward a CP-ABKS scheme that crowdsourcing, which supports numeric attribute comparison
only enables efficient fine-grained keyword-based ciphertext and multikeyword retrieval simultaneously. Liang et al. [40]
retrieval instead of supporting data sharing. Li et al. [17] raised suggested a verifiable and practical attribute based multi-
a keyword retrieval scheme on CP-ABE scheme that sup- keyword search scheme, which supports the attribute-based
ports attribute revocation to revoke access privilege. Liang and multikeyword search and verifiability of the decryption result.
Susilo [18] put forward a searchable CP-ABE that supports Chen et al. [41] formulated a practical attribute-based mul-
a user in searching for a certain ciphertext and performing tikeyword ranked search scheme, which supports multikey-
reencryption operation. Sun et al. [19] raised a verifiable word search and fine-grained ranked function. Although these
owner-enforced CP-ABKS scheme that also realizes user revo- multiple keyword search schemes realize fine-grained multiple
cation and searching verifiability. Miao et al. [20] invented a keywords queries, they rarely consider the issues of privacy
CP-ABKS over encrypted hierarchical data that enables high protection, malicious key delegation, and lightweight access.
search accuracy with multikeyword search. Ge et al. [21] To sum up, compared with previously proposed schemes,
solved the open problem of trapdoor generation without the until now there is no practical CP-ABKS scheme that supports
trusted third party in Liang et al.’s scheme and introduced privacy-preserving access policy, traceability, efficient encryp-
a new CP-ABKS scheme with chosen ciphertext security. tion and decryption, as well as fine-grained keyword retrieval
However, the computation cost of these schemes grow lin- at the same time. In this article, we aim to design such a
early with the amount of system attributes, which makes scheme to be deployed in HealthIIoT that achieves all above
them impractical for resource-constrained environments. To desirable properties.
reduce the computation cost, Li et al. [22] built an efficient
CP-ABKS scheme via key issuing and decryption outsourcing.
Dong et al. [23] formulated a CP-ABKS scheme with efficient III. P RELIMINARIES AND D EFINITIONS
search and decryption by the online and offline computation
In this part, some basic definitions and prerequisite knowl-
operations. Miao et al. [24] designed an efficient CP-ABKS-
edge used in our manuscript are reviewed. More specifically,
based data sharing framework by implementing online and
the knowledge concerning the bilinear maps, hardness assump-
offline computation on encryption operations.
tions (i.e., DBDH and -SDH), AND gate, and wildcard access
One of the limitations in the above efficient CP-ABKS
control and inner product are introduced as follows.
schemes is that the attribute privacy may be learned from the
access policy embedded in the ciphertext by nonauthorization
users, as discussed in the introduction part. To achieve the
A. Bilinear Maps and Hardness Assumptions
privacy-preserving property of access control, Qiu et al. [26]
proposed a hidden policy CP-ABKS scheme that supports key- Definition 1 (Bilinear Map): Let {Gi }i=3 be multiplicative
word retrieval and policy hiding simultaneously. However, the cyclic groups, where g and  g are denoted as corresponding
computation cost in this scheme follows a linear increment in generators of G0 and G1 . Let e : G0 ×G1 → G2 denote a com-
the number of system attributes in increases. Sun et al. [27] putable bilinear map [18] that owns the features as follows:
presented a lightweight CP-ABKS scheme with policy protec- 1) bilinearity: e(ru , wv ) = e(r, w)vu for all r ∈ G0 , w ∈ G1 ,
tion, which, however, is constructed on a symmetric pairing. u, v ∈ Zp and 2) nondegeneracy: e(r, w) = 1.
Another limitation is that above CP-ABKS mechanisms are Definition 2 (P-DBDH Assumption): Given a tuple
incapable of supporting traceability of malicious key dele- (g, gz1 , gz2 ,
g, gz1 ,gz3 , T ), where g and g are chosen from
gation. This is because the secret key of a user is labeled one of corresponding generators of the group G1 and G2 ,
with a set of attributes rather than the user’s identity, while it is intractable for the parallel decisional bilinear Diffie–
the same attribute set can be shared by a group of various Hellman problem (P-DBDH) [36] to determine whether
users. If a dishonest user sells his secret key to an unau- T = e(g, g)z1 z2 z3 , or T is one of random elements of G2 .
thorized user for some financial gains, the system cannot Definition 3 (-SDH Assumption): Given the ( + 1) tuple

(gα , gα , . . . , gα ), it is hard for the strong Diffie–Hellman
2
discern the suspect. In order to trace the malicious users while
realizing fine-grained keyword search, Yang et al. [28] put for- problem (SDH) [30] to produce a pair (c, g1/(α+c) ) ∈ Zp × G.
ward a lightweight sharable and traceable secure mobile health
system, however, the access policy in [28] is exposed to all
system users in the plaintext form. Miao et al. [29] invented B. Inner Product
a traceable privacy-preserving CP-ABKS scheme under the Definition 4 (Inner Product): Let ,  : V × V → F denote
shared multiowner setting that provides keyword search and a inner product map that has the properties below, where V
traceability. Whereas, one defect in this scheme is that prior stands for a vector space over the field F. For all vectors
to implementing decryption operations, a data user requires rn ), t = (t1 , . . . , tn ) ∈ V, and
s = (s1 , . . . , sn ), r = (r1 , . . . ,
to interact with data owners to derive valid authorization, c ∈ F: 1) symmetry: s, r = ni=1 si ri = r, s; 2) linearity:
thus leading to always online for data owners. Clearly, it cs, r = cs, r and s + r, t = s, t + r, t; and 3) positive
is irrational and impractical in the public-key cryptosystem. definiteness: s, s ≥ 0.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10037

TABLE I
E XAMPLE D ESCRIPTIONS 1) Trusted Authority: The responsibility of the trusted
authority is to authenticate the attributes of system users
and take charge of issuing a private key associated with
an attribute set to each user (step 3 ). Besides, it is
also required to publish the generated public parameters
(step 1 ). Furthermore, another essential responsibil-
ity of the trusted authority is to trace the dishonest
users who maliciously delegate his private key to other
unauthorized users (step 6 ).
2) Data Owner: The data owner is required to encrypt his
healthcare data before outsourcing them to the health-
care cloud (step 2 ). To facilitate data sharing under the
ciphertext, each data are linked to an encrypted index
constructed from a single keyword and an access con-
trol, which means that only authorized users (satisfies
the access control) holding the target keyword are per-
mitted to retrieve this data. Then, the data owner uploads
the encrypted data along with encrypted indexes to the
healthcare cloud.
3) Healthcare Cloud Server: The primary responsibility of
the healthcare cloud server is to maintain the integrity
of the ciphertext data stored on it, thereby providing
Fig. 1. System model of the proposed system. secure data sharing and retrieval service for multiple
users. Specifically, upon receiving a query request from
a legitimate user, the server is asked to retrieve the data
C. AND Gate and Wildcard Access Structure that the user is authorized to, and returns the cipher-
text results that is consistent with the currently queried
Let T = {T1 , T2 , . . . , Tn } denote the universe of system
keyword (step 4 ). During the retrieval process, partial
attributes, where each T , for  ∈ {1, . . . , n}, has two
complex ciphertexts are transformed into a simple one.
possible values, i.e., negative value “−” and positive value
4) Data Users: Each legitimate user will be assigned a dis-
“+”. Each system user is associated with an attribute set
tinct secret key related to his attribute set, which will
Att = {Att1 , . . . , Attn }, where each Att ∈ {“ + ”, “ − ”} for
be used to generate encrypted search tokens (i.e., trap-
 ∈ {1, . . . , n}. Denote W = {W1 , . . . , Wn } as an access pol-
doors). After deriving the target ciphertext, the encrypted
icy, where each Wn ∈ {“+,” “−,” “ ∗”} and the wildcard “ ∗”
data are then recovered.
indicates that both “ +” and “ −” can match with it.
In our system, the adversaries mainly originate from the
For instance, assume T = {T1 = “CS,” T2 = “SE,” T3 =
untrusted server and some malicious users. More specifically,
“Faculty,” T4 = “Student”}, where Computer Science and
we suppose that the healthcare cloud server is an honest-but-
Software Engineering are correspondingly abbreviated as “CS”
curious entity, which indicates the server honestly implements
and “SE”. Alice is a student studying in SE department. A fac-
the preagreed procedures to complete its mission. However,
ulty Bob only works in CS department. A faculty Carol works
it may also attempt to capture users’ data privacy by utiliz-
in both SE and CS departments. One access policy W1 states
ing mastered prior knowledge. Every data user is considered
the matched users who are all SE faculties excluding those
malicious, and we allow them to collude with each other with
in the CS. Another access policy W2 indicates the matched
the most offensive ability to try to gain the attribute privacy
users who are all CS faculties and students without working
of other users. Besides, each user may intentionally leak the
SE. The above descriptions are clearly described in Table I.
owned secret key to other unauthorized users who derive the
same privilege of authorized users. In addition, the data owner
IV. P ROBLEM S TATEMENT is considered to be trustworthy due to that it is data provider
For easily following the detailed construction and its secu- to upload the encrypted data.
rity, we present the description of system and threat models.
Also, we show an overview of the PTFS system. Finally, the B. Overview of Proposed System
security models are formalized for concrete security analysis.
Our privacy-aware and traceable fine-grained system
for secure data delivery in HealthIIoT contains seven
A. System and Threat Models phases: 1) system initialization; 2) privilege authoriza-
As presented in Fig. 1, we consider the following generic tion; 3) data and keyword encryption; 4) search token
entities in our system model, i.e., trusted authority, data generation; 5) keyword retrieval; 6) data recovery; and
owner, healthcare cloud server, and data users, and the roles 7) malicious identification. The corresponding algorithms for-
of these entities in HealthIIoT system are described as follows. malized in Fig. 3 are presented as follows: Setup, KeyGen,

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10038 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

Fig. 2. Definitions of privacy-aware and traceable fine-grained cryptographic primitive.

Offline-Online.Encrypt, Trapdoor, Search, Decrypt, and key is generated and sent by B. After getting the query
Trace. More specifically, the Setup algorithm implements v = (v1 , . . . , vn ) if v, u = 0, B produces a secret key
the generation of master secret key and public parameters SK for A by conducting KeyGen.
to complete the system initialization. The KeyGen algorithm 4) Challenge: Two equal length messages M0 and M1
conducts privilege authorization by granting each system user (Ms are randomly selected by A, where s ∈ {0, 1}),
a secret key related to a set of user’s attributes and an identity. B performs Offine.Encrypt (PP) and Online.Encrypt
To securely share data with other users, the Offline.Encrypt (PP, Off.CT, u, Ms ) to produce the ciphertext CT, which
and Online.Encrypt algorithms perform data and keyword is then given to A for guessing.
encryption to complete the ciphertext generation related to 5) Guess: A returns a guess s of s and wins this security
the raw data and keyword. To retrieve the interest’s data, game if s = s. In this security model, the advantage in
the Trapdoor algorithm performs search token generation to winning this game for A is defined as adv = |Pr[s =
produce the keyword trapdoor, which will be submitted to s] − (1/2)|.
the server for searching. The Search algorithm implements Definition 6: The selectively chosen keyword security game
the keyword retrieval to find the target data. After receiving between A and B is also illustrated as follows.
the data from the server, the Decrypt algorithm performs data 1) Init: A challenge attribute vector u corresponding to a
recovery to recover the raw data. The Trace algorithm per- challenge set is randomly picked and then issued to
forms malicious identification to trace the suspect user once challenger B.
multiple users simultaneously login the system with the same 2) Setup: B implements the Setup algorithm to produce
secret key. The detailed definitions of the used algorithms are PP and MSK, where PP and MSK represent the mas-
illustrated in Fig. 2. ter secret key and the public parameter, respectively.
Subsequently, B transmits PP to A, and stores MSK
securely in his hand.
C. Security Model 3) Phases 1 and 2: In these two phases, trapdoor queries
Definition 5: The security game between a challenger B can be also queried repeatedly by A until the desirable
and an adversary A can be described through the following trapdoors are generated and sent by B. After getting the
selectively chosen plaintext attack (CPA) game. submitted keywords KW and the query v = (v1 , . . . , vn )
1) Init: A challenge attribute vector u corresponding to a if v, u = 0, B generates a trapdoor TD for A by
challenge set is randomly picked and then issued to executing Trapdoor.
challenger B below. 4) Challenge: Two equal length keywords KW0 and
2) Setup: B implements Setup algorithm to produce PP KW1 (KWs , are randomly selected by A, where
and MSK, where PP and MSK represent the mas- coin ∈ {0, 1}), B performs Offine.Encrypt (PP)
ter secret key and the public parameter, respectively. and Online.Encrypt (PP, Off.CT, u, KWs ) to pro-
Subsequently, B transmits PP to A, and stores MSK duce the ciphertext CT, which is then given to A for
securely in his hand. guessing.
3) Phases 1 and 2: In these two phases, secret key queries 5) Guess: A returns a guess s of s and wins this security
can be queried repeatedly by A until the desirable secret game if s = s. In this security model, we define the

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10039

advantage in winning this game for A as adv = |Pr[s = Algorithm 1 Attribute and Access Vector Generation
s] − (1/2)|. Approach
Definition 7: We give the traceability definition by the for- Input: An access structure and an attribute set with the same length.
malization of a security game between A and B below. In the Specifically,  wildcards (“*”), + positive attributes (“+”) and
− negative attributes (“−”) are contained in an access structure;
game,  is defined as the total number of key queries A issues. An attribute set is denoted as T = {T1 , . . . , Tm }, where each
1) Setup: B implements the Setup algorithm to produce attribute Tk ∈ {“ + ”, “ − ”} for k ∈ {1, . . . , m}.
PP and MSK, where PP and MSK represent the mas- Output: Access and attribute vectors.
ter secret key and the public parameter, respectively. 1: For the access structure, separate the positive and wildcard
Subsequently, B transmits PP to A. symbols in it into two position sets P and W;
2: while ki ∈ W do
2) Key Queries: A transmits a set of attribute vectors  
n
(id1 , u1 ), . . . , (id , u ) to B for deriving the correspond- 3: Expand (j − ki ) = ut jt to derive coefficients {ut };
ki ∈W t=0
ing private key SKid . 4: end while
3) Key Forgery: A outputs an SKi , if Trace 5: for ki ∈ W and j ∈ P  do 
(PP, MSK, SK, t,n ) ∈ / {id1 , . . . , id }, A wins the 6: Calculate  = + (j − ki );
j∈P kj ∈W
game. Otherwise, A fails to win this game.
7: end for
8: For an attribute set, only separate positive symbols in it into one
position set P ;
V. P ROPOSED S YSTEM 9: for x = 1 to  and x ∈ P do
For better understanding the construction and its application, 10: Calculate {vj = + xj };
x∈P
this section first introduces the main idea of our proposed 11: end for
privacy-aware and traceable fine-grained encryption primitive 12: Return the access vector u  = (u0 , u1 , . . . , un , 0n+1 , . . . , 0 , )
and then presents how to deploy in HealthIIoT system with and the attribute vector v = (v0 , u1 , . . . , v , −1).
the PTFS scheme.

A. Main Idea of Proposed Cryptographic Primitive Remark: The computation-intensive burden of both encryp-
tion and decryption can be can greatly eased with the
With the goal of simultaneously realizing privacy-preserving
PTFS scheme, which makes it more practical for resource-
policy-hiding, fine-grained keyword retrieval, efficient encryp-
constrained IIoT devices. This is because our proposed vector
tion, lightweight decryption, and malicious traceability, our
generation approach can largely optimize the length of pro-
main thought is first to design a basic efficient fine-grained
duced vectors (i.e., attribute vector and access vector), which
hidden policy CP-ABE scheme, then incorporate the tech-
are utilized for generating the secret key and ciphertext.
nologies of online/offline computation, information retrieval
Generally speaking, shorter-size secret key and ciphertext
and traceability into it to realize a privacy-aware and trace-
mean smaller computation and storage cost for decryption
able fine-grained cryptographic primitive. More specifically,
operation. Besides, the online/offline computation technology
to realize the CP-ABE scheme with the properties of fine
can further speed up the ciphertext generation, which also
granularity and policy hiding, we first exploit our suggested
offloads the encryption burden on the encryptor’s side.
technique shown in Algorithm 1 to generate the attribute and
access vector by converting the corresponding user’s attribute
set and access policy. The generated vectors will be then
applied in inner product encryption for constructing an effi- B. Deployment of Our Proposed Scheme in HealthIIoT
cient fine-grained CP-ABE with privacy-aware access policy. In this section, we put forward a privacy-aware and traceable
It is deserved to mention that our vector generation method can fine-grained data sharing primitive shown in Fig. 4, which is
effectively reduce the length of the generated vectors compared as our main building block to set up a data delivery system in
to the previous vector transformation method [35], which HealthIIoT. More specifically, the data delivery system con-
determines the great efficiency of secret key and ciphertext tains four different entities: 1) trusted system administrator;
generation. Furthermore, to enrich the functionality, keyword- 2) patient; 3) healthcare provider; and 4) healthcare cloud
based ciphertext retrieval technique is used for quickly locating server. The trusted administrator is acted as the authority to
the target ciphertext of interest and meantime converting the initialize the system, issue the secret key and discern the dis-
retrieved ciphertext into a simple one. To accelerate the cipher- honest users. Data provider is deemed as the patient who
text generation concerning raw data and keyword, the majority collects his health data (such as blood pressure, pulse rate, etc.)
of computationally intensive operations are done in the encryp- by wearing tiny wireless sensors or connected IIoT devices.
tion preprocessing under offline mode and low-cost operations Healthcare providers generally work as medical doctors or hos-
(e.g., multiplication operations) are accomplished under online pital researchers who diagnose and analyze the body condition
mode. To realize the traceability of malicious key delegation, for patients by recovering their encrypted health data. In the
the Boneh-Boyen-Style signature [34] and Shamir’s threshold following, a data delivery system in HealthIIoT is presented,
scheme [37] are leveraged to achieve a constant-size identity which mainly involves seven modules depicted in Fig. 5.
table irrespective of the amount of suspect identities, which In the system initialization module, the trusted administra-
makes our constructed system more practical. tor performs the Setup(1λ ) algorithm to complete the public

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10040 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

Fig. 3. Architecture of the proposed system.

Fig. 4. Privacy-aware and traceable fine-grained data sharing primitive.

parameter generation for system users (i.e., patients and health- the administrator. After receiving the authorization request, the
care practitioners) (step 1 ). In the privilege authorization administrator conducts certificate verification to authenticate
module, a healthcare practitioner first sends his attribute set to his legitimate. If passing the verification, the administrator first

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10041

Fig. 5. Application of deployment of privacy-aware and traceable fine-grained data delivery scheme in HealthIIoT.

generates each attribute vector v for the healthcare provider by the healthcare provider to recover the raw health data and
according to the authenticated attribute set, and then performs an acknowledge message is then given back to the server for
KeyGen(PP, v, ID, MSK) to produce the secret key SK, which proving the correctness of the given ciphertext (step 6 ). In
is subsequently transmitted to the healthcare provider via a the malicious identification modular, the trusted administra-
security channel such as secure socket layer (SSL) (step 2 ). tor performs Trace algorithm to find the suspect identity by
In the data and keyword encryption module, before data determining whether the SK of the target user is a well-formed
uploading to the healthcare cloud server, a data provider (i.e., secret key (step 7 ).
a patient) first gathers his health data from IIoT devices via a
base station, and then combines an access vector u transformed
by the selected access control to implement Offline.Encrypt VI. S ECURITY A NALYSIS AND P ERFORMANCE
and Online.Encrypt to produce the corresponding intermediate E VALUATION
ciphertext Off.CT and final ciphertext CT (step 3 ). Finally, This section presents the elaborated security proofs to indi-
these ciphertexts are delivered to the healthcare cloud server cate selectively security and the traceability of the proposed
to store for sharing with healthcare providers. In this modular, scheme, which ensures that the PTFS can be securely deployed
the transport layer security (TLS) handshake between a data in the HeathIIoT scenario. In addition, this section also shows
provider and a healthcare cloud server is to gain the mutual the functionality comparisons among the related works and
authentication, which guarantees that the data are stored on the ours. Then, the theoretical performance comparisons con-
target server. To ensure the successful uploading of ciphertexts, cerning communication and storage costs are also presented.
an acknowledge message is responded by the healthcare cloud Finally, we simulate the experiment to indicate the practica-
server to the data provider. bility of our PTFS.
In the search token generation modular, with Trapdoor
(PP, KW, SK), the healthcare provider first creates the trap-
door TD also named search token according to the interest’s A. Security Proofs
keyword KW and the owned secret key SK. Then, the pro- Lemma 1: There exists another algorithm B that enables to
duced search token is also transmitted to the healthcare cloud solve the P-DBDH problem with a nonnegligible advantage
server for retrieving (step 4 ). Note that in the TLS handshake if an adversary A can breach the indistinguishable chosen-
between a healthcare provider and the server is also required plaintext attack (IND-CPA) game.
to ensure the search token reached to healthcare cloud server. Lemma 2: There exists another algorithm B that can be
As a response, an acknowledge message is returned to the capable of solving the P-DBDH problem with a nonnegligible
healthcare provider. advantage if an adversary A can breach the indistinguishable
In the keyword retrieval modular, the healthcare cloud server chosen-keyword attack (IND-CKA) game.
performs Search(PP, CT, TD) to locate the target data and Lemma 3: If the -SDH assumption holds and the
return a simple ciphertext CT (step 5 ). In the data recovery scheme [30] can achieve traceability, then the traceability can
modular, with SK, the Decrypt(CT , SK) algorithm is called be securely realized in our scheme.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10042 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

TABLE II
F UNCTIONALITY C OMPARISONS OF CP-ABE S CHEMES W ITH F INE -G RAINED K EYWORD S EARCH S CHEMES

Fig. 6. a) Communication Cost Comparison (n=5). b) Communication Cost Comparison (n=10). c) Communication Cost Comparison (n=15). d)
Communication Cost Comparison (n=20).

Proof: The detailed security proofs of Lemmas 1–3 are [29], and the PTFS realize privacy awareness of access policy,
described in the supplemental material A. only the works [23], [24], [27], [28], and the PTFS achieve
lightweight decryption, only the works [18], [21], [26], and
B. Functionality Comparison ours are constructed in the asymmetry pairing setting, and only
the works [27] and PTFS are constructed under the standard
In this section, we make a comparison of function-
model. In addition, from Table II, it is easy to conclude that
ality in existing CP-ABE schemes with keyword search.
the works [39]–[41] support fine-grained access control and
Specifically, recently proposed works [16]–[24], [26]–[29],
multiple keyword retrieval in the oracle model, which indeed
[39]–[41] shown in Table II are used to make the compari-
improves the accuracy of search results and supports users
son with our work in terms of access control, single keyword
in accessing the target data in a fine-grained way. However,
retrieval, traceability, online/offline encryption, privacy aware-
the system costs of communication and computing are obvi-
ness, lightweight decryption, asymmetry pair, and standard
ously increased with the increment of the amounts of attributes
model. The symbol “✓” means the work supports the given
and keywords. Besides, these works [39]–[41] cannot support
function, “✗” indicates the work is unable to support the
trace of malicious key delegation, lightweight encryption and
function, and “⊥” denotes that the work has no this function.
decryption and user’s privacy protection. To sum up, according
As depicted in Table II, it is not difficult to observe that
to the above analysis, only our PTFS scheme is constructed
all listed works can realize both access control and keyword
for fine-grained data retrieval in the standard model while
retrieval with fine granularity, the works [16] and [19] are
simultaneously realizing traceability, online/offline encryption,
unable to support decryption function, and the works [17]
privacy awareness, lightweight decryption, and asymmetric
and [20] do not realize lightweight decryption operation. The
pairing operation.
works [18] and [21] are constructed in the asymmetry pairing
setting, and the works [23] and [24] realize lightweight oper-
ations on both encryption and decryption. Also, we can easily C. Communication and Computation Cost Comparison
conclude that only the works [28], [29], and the PTFS support In Table III, the communication overhead comparisons
traceability, only the works [23], [24], [27], and the PTFS between PTFS and other existing privacy-aware CP-ABE
provide online/offline encryption, only the works [26], [27], works with keyword search are made with regard to the sizes

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10043

TABLE III
C OMMUNICATION C OST C OMPARISON IN E XISTING P RIVACY-AWARE CP-ABE W ITH K EYWORD S EARCH

TABLE IV
C OMPUTATION C OST C OMPARISON IN E XISTING P RIVACY-AWARE CP-ABE W ITH K EYWORD S EARCH

of the public parameter, secret key, trapdoor, and ciphertext. For the computation cost comparisons, from Table IV, we
In Table IV, the computation cost comparisons for setup, key can also conclude that the computation costs of setup and
generation, encryption, trapdoor search, and decryption algo- search algorithms in all listed works show linear increments
rithms are presented in terms of the works [26], [27], [29], and in the number of attributes, the computation costs of key gen-
ours. In Tables III and IV, te0 , te1 , and tp (te∗0 , te∗1 , and tp∗ ) are eration, encryption, and trapdoor in [21], [26], and [29] also
correspondingly represented as an exponentiation computation increase linearly with the amount of attributes while those
cost in G0 , an exponentiation computation cost in G1 , and a in [27] and the PTFS are always constant. Besides, we can also
bilinear pairing computation cost in the symmetry pairing set- observe that PTFS and the works [27] and [28] have constant
ting (asymmetry pairing setting). Additionally, we denote an decryption overhead while the works [18], [21], and [29] have
element length in G0 , G1 , G2 , and Zp as |G0 |, |G1 |, |G2 |, linear decryption costs. Clearly, the computation performance
and |Zp |, respectively. We denote n and m as the amount of for every algorithm in the PTFS is almost superior to that
attributes in access policy and user’s attribute set, respectively. in [18], [21], [26], and [29]. As we all know, since the expo-
We also let k and  be the number of possible values on each nentiation computation and pairing computation in asymmetry
attribute and the number of system attributes. Here, n is also pairing setting is much faster than those in symmetry, the com-
regarded as the length of attribute or access vector due to that putation performance in the proposed PTFS is almost the same
these vectors can be transformed by the method introduced in as that in [27].
our Algorithm 1.
For the communication cost comparisons, we can observe
from Table III that the sizes of the works [18], [21], [26]–[29], D. Experimental Simulation
and PTFS in the public parameter, secret key, and ciphertext The version of Intellij IDEA-2018.2.5 and Java 8 in our
follow linear increments in the number of system attributes or experimental implementation is used. Along with Intellij
user’s attributes. We can also find that the trapdoor size of the IDEA-2018.2.5, the latest JPBC library [38] is installed for
works [18], [21], [26], [27], [29], and the PTFS is incremental underlying cryptographic operations. We run our experiments
linearly with the increment of the number of system attributes or on a “cloud,” which is simulated with a Lenove server
user’s attributes while that of the work [28] is always constant. that owns 512SSD, 1-TB storage space of hard disk, and
Due to that the length of an element in G0 , G1 , and G1 is implements on Windows 10 operating system under Intel
the same, and an element length in G0 is six times that in Zp , 8 Core i7-7820HK CPU @2.9 GHz and 16-GB RAM. We
we can also summarize that the sizes of our secret key and replace a user with a Huawei nova3 android phone with
ciphertext are clearly smaller than those in [18], [21], [26], [28], 6-GB RAM, a four-core 2.36 GHz Cortex A73 processor
and [29] and slightly larger than those in [27]. For the sizes and four-core Cortex A53 1.8-GHz processor. All our experi-
of public parameter and trapdoor, we can learn that our PTFS ments are simulated by symmetrical Type A and asymmetrical
scheme has a better performance than [18], [21], [26], and [29] Type F elliptic curve. All our experiments take an average
and have a slightly poor performance than [27] and [28]. of 100 running times. Type A pairing and Type F pairing

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10044 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

Fig. 7. Computation cost comparison for each algorithm under the number of different attributes. (a) Setup algorithm. (b) KeyGen algorithm. (c) Encrypt
algorithm. (d) Trapdoor algorithm. (e) Search algorithm. (f) Decrypt algorithm.

are based on the corresponding curve A : y2 = x3 + x SK, TD, and CT have hardly increased significantly, which
and F : y2 = x3 + 5 over the field Fq for some prime indicates that our PTFS scheme has a stable communication
q = 3 mod 4. For ease of the comparisons of communi- cost irrespective of the number of attributes involved in our
cation and computation cost, we assume that the number PTFS.
of possible values k on each attribute equals to 3, this is For the computation cost comparison presented in Fig. 7,
because the attribute value of access control in others is we vary the quantity of attributes n from 5 to 25 for each
also 3. Besides, we also assume all the system attributes are algorithm. From Fig. 7(a), we easily depict that the computa-
picked for encryption. In our simulation results, Fig. 6(a)–(d) tion costs of setup algorithm in our PTFS scheme, LS [18],
presents our communication cost comparison with that of GSL+[21], SXD+ [27], QLS+[26], and MLC+[29] are lin-
others [18], [21], [26]–[29] concerning the sizes of public ear with the number of attributes and our setup algorithm
parameter (PP), secret key (SK), trapdoor (TD), and ciphertext has the smallest computation cost under the same condi-
(CT). Fig. 7(a)–(f) presents the computation cost compari- tions. From Fig. 7(b)–(d), it is straightforward to observe
son for the corresponding setup, key generation, encryption, that the computation costs of KeyGen and Encrypt algo-
trapdoor generation, search, and decryption algorithms among rithms in LS [18], GSL+[21], QLS+[26], and MLC+[29]
the works [18], [21], [26]–[29], and our PTFS. For each all increase linearly with the amount of attribute while PTFS
figure of Fig. 6, we in turn let the value n be 5, 10, and the scheme [27] are always constant. We can also con-
15, and 20. clude that the computation costs of Trapdoor algorithm in
From Fig. 6(a)–(d), we can see that our communication GSL+[21], QLS+[26], and MLC+[29] are incremental lin-
cost for setup phase is slightly higher compared to that of early with the amount of attributes while that in the rest of
SXD+ [27] and YLD+ [28], and much lower than that of the others, including PTFS, LS[18], SXD+[27], and YLD+ [28],
works in LS [18], GSL+[21], QLS+[26], and MLC+[29]. always keep stable. Also, we can easily find that our PTFS
We can also get that our communication cost for both key has a relatively desirable performance than the others in
and trapdoor generation phases is slightly higher compared terms of the computation performance of KeyGen, Encrypt,
to that of SXD+ [27] and much lower than that of the and Trapdoor algorithms. From Fig. 7(e), our search algo-
works in LS [18], GSL+[21], YLD+ [28], QLS+[26], and rithm is faster than that of the work [29] and lower than
MLC+[29]. In addition, we can easily observe that the com- that of the rest of others [18], [21], and [26]–[28]. From
munication cost for ciphertext generation phase in our PTFS Fig. 7(f), it is easy to conclude that our PTFS scheme is
work is much lower than that of the works in LS [18], clearly superior than [18], [21], and [29] and slightly slower
GSL+[21], YLD+ [28], and QLS+[26] and is slightly higher than [27] and [28] in the decryption phase, which means
than that of SXD+ [27] and MLC+[29]. When n varies that our PTFS is more appropriate for resource-constraint
from 5 to 20, we can clearly find that the sizes of our PP, devices.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: PRIVACY-AWARE AND TRACEABLE FINE-GRAINED DATA DELIVERY SYSTEM IN CLOUD-ASSISTED HEALTHCARE IIoT 10045

In summary, from the above experimental analysis, our [15] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, “Public key
PTFS scheme has a relatively better performance on encryp- encryption with keyword search,” in Advances in Cryptology, vol. 3027.
Berlin, Germany: Springer, 2004, pp. 506–522.
tion and decryption operations, which makes the PTFS feasible [16] Q. Zheng, S. Xu, and G. Ateniese, “VABKS: Verifiable attribute-
and practical for IIoT applications. based keyword search over outsourced encrypted data,” in Proc. IEEE
INFOCOM, 2014, pp. 522–530.
[17] J. Li, Y. Shi, and Y. Zhang, “Searchable ciphertext-policy attribute-based
VII. C ONCLUSION encryption with revocation in cloud storage,” Int. J. Commun. Syst.,
vol. 30, no. 1, 2017, Art. no. e2942.
In this article, we have proposed a privacy-aware and [18] K. Liang and W. Susilo, “Searchable attribute-based mechanism with
traceable fine-grained system (PTFS) for secure data deliv- efficient data sharing for secure cloud storage,” IEEE Trans. Inf.
Forensics Security, vol. 10, no. 9, pp. 1981–1992, Sep. 2015.
ery in HealthIIoT, which can achieve desirable functionali- [19] W. Sun, S. Yu, W. Lou, Y. T. Hou, and H. Li, “Protecting your
ties, including privacy-preserving access policy, traceability right: Verifiable attribute-based keyword search with fine-grained owner-
of malicious key delegation, online/offline encryption, and enforced search authorization in the cloud,” IEEE Trans. Parallel Distrib.
Syst., vol. 27, no. 4, pp. 1187–1198, Apr. 2016.
lightweight decryption. The rigorous security proofs were pro- [20] Y. Miao, J. Ma, X. Liu, X. Li, Q. Jiang, and J. Zhang, “Attribute-
vided, which prove that the proposed scheme cannot only based keyword search over hierarchical data in cloud computing,” IEEE
achieve traceability but also be selectively secure against cho- Trans. Services Comput., vol. 13, no. 6, pp. 985–998, Nov./Dec. 2020,
doi: 10.1109/TSC.2017.2757467.
sen plaintext and keyword attacks in the standard model. [21] C. Ge, W. Susilo, Z. Liu, J. Xia, P. Szalachowski, and F. Liming,
Extensive simulation and experiment results demonstrate the “Secure keyword search and data sharing mechanism for cloud com-
effectiveness and efficiency of the proposed scheme for puting,” IEEE Trans. Dependable Secure Comput., early access, Jan. 3,
2020, doi: 10.1109/TDSC.2020.2963978.
HealthIIoT. [22] J. Li, X. Lin, Y. Zhang, and J. Han, “KSF-OABE: Outsourced attribute-
based encryption with keyword search function for cloud storage,” IEEE
Trans. Services Comput., vol. 10, no. 5, pp. 715–725, Sep./Oct. 2017.
R EFERENCES [23] Q. Dong, Z. Guan, and Z. Chen, “Attribute-based keyword search effi-
ciency enhancement via an online/offline approach,” in Proc. Int. Conf.
[1] P. Huang, L. Guo, M. Li, and Y. Fang, “Practical privacy-preserving Parallel Distrib. Syst. (ICPADS), 2015, pp. 298–305.
ECG-based authentication for IoT-based healthcare,” IEEE Internet [24] Y. Miao, Q. Tong, K.-K. R. Choo, X. Liu, R. H. Deng, and H. Li,
Things J., vol. 6, no. 5, pp. 9200–9210, Oct. 2019. “Secure online/offline data sharing framework for cloud-assisted indus-
[2] J. Sun, H. Xiong, S. Zhang, X. Liu, J. Yuan, and R. H. Deng, “A secure trial Internet of Things,” IEEE Internet Things J., vol. 6, no. 5,
flexible and tampering-resistant data sharing system for vehicular social pp. 8681–8691, Oct. 2019.
networks,” IEEE Trans. Veh. Technol., vol. 69, no. 11, pp. 12938–12950, [25] D. Chen, N. Zhang, N. Cheng, K. Zhang, Z. Qin, and X. Shen, “Physical
Nov. 2020. layer based message authentication with secure channel codes,” IEEE
[3] W. Z. Khan, M. Y. Aalsalem, M. K. Khan, and Q. Arshad, “Data and Trans. Dependable Secure Comput., vol. 17, no. 5, pp. 1079–1093,
privacy: Getting consumers to trust products enabled by the Internet Sep./Oct. 2020, doi: 10.1109/TDSC.2018.2846258.
of Things,” IEEE Consum. Electron. Mag., vol. 8, no. 2, pp. 35–38, [26] S. Qiu, J. Liu, Y. Shi, and R. Zhang, “Hidden policy ciphertext-
Mar. 2019. policy attribute-based encryption with keyword search against keyword
[4] Q. Zhu, S. W. Loke, R. Trujillo-Rasua, F. Jiang, and Y. Xiang, guessing attack,” Sci. China Inf. Sci., vol. 60, no. 5, pp. 1–12, 2017.
“Applications of distributed ledger technologies to the Internet of Things: [27] J. Sun, H. Xiong, R. H. Deng, Y. Zhang, X. Liu, and M. Cao,
A survey,” ACM Comput. Surveys, vol. 52, no. 6, pp. 1–34, 2020. “Lightweight attribute-based keyword search with policy protection for
[5] Y. Zhang, R. H. Deng, D. Zheng, J. Li, P. Wu, and J. Cao, “Efficient cloud-assisted IoT,” in Proc. IEEE Conf. Dependable Secure Comput.
and robust certificateless signature for data crowdsensing in cloud- (DSC), 2019, pp. 1–8.
assisted industrial IoT,” IEEE Trans. Ind. Informat., vol. 15, no. 9, [28] Y. Yang, X. Liu, R. H. Deng, and Y. Li, “Lightweight sharable and
pp. 5099–5108, Sep. 2019. traceable secure mobile health system,” IEEE Trans. Dependable Secure
[6] L. Ale, N. Zhang, H. Wu, D. Chen, and T. Han, “Online proactive Comput., vol. 17, no. 1, pp. 78–91, Jan./Feb. 2020.
caching in mobile edge computing using bidirectional deep recurrent [29] Y. Miao et al., “Privacy-preserving attribute-based keyword search in
neural network,” IEEE Internet Things J., vol. 6, no. 3, pp. 5520–5530, shared multi-owner setting,” IEEE Trans. Dependable Secure Comput.,
Jun. 2019. early access, Feb. 5, 2019, doi: 10.1109/TDSC.2019.2897675.
[7] T. V. X. Phuong, R. Ning, C. Xin, and H. Wu, “Puncturable attribute- [30] J. Ning, X. Dong, Z. Cao, L. Wei, and X. Lin, “White-box
based encryption for secure data delivery in Internet of Things,” in Proc. traceable ciphertext-policy attribute-based encryption supporting flex-
IEEE INFOCOM, 2018, pp. 1511–1519. ible attributes,” IEEE Trans. Inf. Forensics Security, vol. 10, no. 6,
[8] W. Tang, K. Zhang, D. Zhang, J. Ren, Y. Zhang, and X. Shen, “Fog- pp. 1274–1288, Jun. 2015.
enabled smart health: Toward cooperative and secure healthcare service [31] J. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryp-
provision,” IEEE Commun. Mag., vol. 57, no. 5, pp. 42–48, May 2019. tion with verifiable outsourced decryption,” IEEE Trans. Inf. Forensics
[9] Y. Meng, Z. Huang, G. Shen, and C. Ke, “SDN-based security enforce- Security, vol. 8, no. 8, pp. 1343–1354, Aug. 2013.
ment framework for data sharing systems of smart healthcare,” IEEE [32] S. Xu, G. Yang, and Y. Mu, “Revocable attribute-based encryption with
Trans. Netw. Service Manag., vol. 17, no. 1, pp. 308–318, Mar. 2020, decryption key exposure resistance and ciphertext delegation,” Inf. Sci.,
doi: 10.1109/TNSM.2019.2941214. vol. 479, pp. 116–134, Apr. 2019.
[10] D. Chen et al., “S2M: A lightweight acoustic fingerprints-based wireless [33] D. Han, N. Pan, and K.-C. Li, “A traceable and revocable ciphertext-
device authentication protocol,” IEEE Internet Things J., vol. 4, no. 1, policy attribute-based encryption scheme based on privacy protection,”
pp. 88–100, Feb. 2017. IEEE Trans. Dependable Secure Comput., early access, Mar. 2, 2020,
[11] N. Zhang, R. Wu, S. Yuan, C. Yuan, and D. Chen, “RAV: Relay aided doi: 10.1109/TDSC.2020.2977646.
vectorized secure transmission in physical layer security for Internet [34] D. Boneh and X. Boyen, “Short signatures without random oracles,” in
of Things under active attacks,” IEEE Internet Things J., vol. 6, no. 5, Advances in Cryptology, vol. 3027. Berlin, Germany: Springer, 2004,
pp. 8496–8506, Oct. 2019. pp. 56–73.
[12] D. Chen et al., “An LDPC code based physical layer message authen- [35] T. V. X. Phuong, G. Yang, and W. Susilo, “Hidden ciphertext policy
tication scheme with prefect security,” IEEE J. Sel. Areas Commun., attribute-based encryption under standard assumptions,” IEEE Trans. Inf.
vol. 36, no. 4, pp. 748–761, Apr. 2018. Forensics Security, vol. 11, no. 1, pp. 35–45, Jan. 2016.
[13] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryp- [36] I. Kim, S. O. Hwang, J. H. Park, and C. Park, “An efficient predi-
tion for fine-grained access control of encrypted data,” in Proc. ACM cate encryption with constant pairing computations and minimum costs,”
CCS, 2006, pp. 89–98. IEEE Trans. Comput., vol. 65, no. 10, pp. 2947–2958, Oct. 2016.
[14] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption [37] Z. Liu, Z. Cao, and D. S. Wong, “White-box traceable ciphertext-policy
with non-monotonic access structures,” in Proc. ACM CCS, 2007, attribute-based encryption supporting any monotone access structures,”
pp. 195–203. IEEE Trans. Inf. Forensics Security, vol. 8, no. 1, pp. 76–88, Jan. 2013.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.
10046 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 12, JUNE 15, 2021

[38] B. Lynn. The Stanford Pairing Based Crypto Library. Accessed: May Guowen Xu (Student Member, IEEE) received the
2020. [Online]. Available: http://crypto.stanford.edu/pbc/ Ph.D. degree from the University of Electronic
[39] Y. Miao, J. Ma, X. Liu, X. Li, Z. Liu, and H. Li, “Practical attribute- Science and Technology of China, Chengdu, China,
based multi-keyword search scheme in mobile crowdsourcing,” IEEE in 2020.
Internet Things J., vol. 5, no. 4, pp. 3008–3018, Aug. 2018. His research interests include cryptography,
[40] Y. Liang, Y. Li, Q. Cao, and F. Ren, “VPAMS: Verifiable and searchable encryption, and the privacy-preserving
practical attribute-based multi-keyword search over encrypted cloud deep learning.
data,” J. Syst. Archit., vol. 108, Sep. 2020, Art. no. 101741,
doi: 10.1016/j.sysarc.2020.101741.
[41] Y. Chen, W. Li, F. Gao, Q. Wen, H. Zhang, and H. Wang, “Practical
attribute-based multi-keyword ranked search scheme in cloud com-
puting,” IEEE Trans. Service Comput., early access, Dec. 18, 2019,
doi: 10.1109/TSC.2019.2959306.

Jianfei Sun is currently pursuing the Ph.D. degree

with the School of Information and Software
Engineering, University of Electronic Science and
Technology of China, Chengdu, China. Mingjian Tang received the Ph.D. degree (with
His research interests include public-key cryptog- Distinction) in computer science from La Trobe
raphy and network security. University, Melbourne, VIC, Australia, in 2009.
He is currently a Lead Data Scientist with Huawei
Technologies Company Ltd., Shenzhen, China. He
has participated in several industry-based research
projects, including unsupervised fraud detection,
unstructured threat intelligence, cyber risk analysis
and quantification, and big data analytics.

Dajiang Chen (Member, IEEE) received the Ph.D.

degree in information and communication engineer-
ing from the University of Electronic Science and
Technology of China (UESTC), Chengdu, China, in
2014.
He is currently an Associate Professor with the
School of Information and Software Engineering,
UESTC. He was a Postdoctoral Fellow with
the Broadband Communications Research Group,
Department of Electrical and Computer Engineering,
University of Waterloo, Waterloo, ON, Canada, from
2015 to 2017. His current research interest includes physical layer security,
secure channel coding, and machine learning and its applications in wireless Xuyun Nie received the Ph.D. degree in information
network security and wireless communications. security from the Graduate University of Chinese
Dr. Chen served as the Workshop Chair for BDEC-SmartCity’19 (in con- Academy of Sciences, Beijing, China, in 2007.
junction with IEEE WiMob 2019). He also serves/served as a Technical He is currently an Associate Professor with SISE,
Program Committee Member for IEEE Globecom, IEEE ICC, IEEE VTC, University of Electronic Science and Technology
IEEE WPMC, and IEEE WF-5G. of China, Chengdu, China. His research interests
include cryptography and information security.

Ning Zhang (Senior Member, IEEE) received the

Ph.D. degree in electrical and computer engineer-
ing from the University of Waterloo, Waterloo, ON,
Canada, in 2015.
He is an Associate Professor with the Department
of Electrical and Computer Engineering, University
of Windsor, Windsor, ON, Canada. After that, he was
a Postdoctoral Research Fellow with the University
of Waterloo and University of Toronto, Toronto,
ON, Canada. His research interests include con-
Mingsheng Cao (Member, IEEE) received the Ph.D.
nected vehicles, mobile-edge computing, wireless
degree from the School of Computer Science and
networking, and machine learning.
Engineering, University of Electronic Science and
Dr. Zhang is a Highly Cited Researcher (Web of Science). He serves
Technology of China (UESTC), Chengdu, China, in
as an Associate Editor for IEEE I NTERNET OF T HINGS J OURNAL, IEEE
2017.
T RANSACTIONS ON C OGNITIVE C OMMUNICATIONS AND N ETWORKING,
He is currently a Lecture with SISE, UESTC. His
and IEEE S YSTEMS J OURNAL; and a Guest Editor of several inter-
research interests include network security, pervasive
national journals, such as IEEE W IRELESS C OMMUNICATIONS, IEEE
computing, and machine learning.
T RANSACTIONS ON I NDUSTRIAL I NFORMATICS, IEEE T RANSACTIONS ON
I NTELLIGENT T RANSPORTATION S YSTEMS, and IEEE T RANSACTIONS ON
C OGNITIVE C OMMUNICATIONS AND N ETWORKING.

Authorized licensed use limited to: Ontario Tech University. Downloaded on September 28,2021 at 16:07:02 UTC from IEEE Xplore. Restrictions apply.