Fine-Grained Access Control in mHealth with Hidden Policy and Traceability

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a well-received cryptographic primitive to securely share personal health records (PHRs) in mobile healthcare (mHealth). Nevertheless, traditional CP-ABE can not be directly deployed in mHealth. First, the attribute universe scale is bounded to the system security parameter and lack of scalability. Second, the sensitive data is encrypted, but the access policy is in the plaintext form. Last but not least, it is difficult to catch the malicious user who intentionally leaks his access privilege since that the same attributes mean the same access privilege. In this paper, we propose HTAC, a fine-grained access control scheme with partially hidden policy and white-box traceability. In HTAC, the system attribute universe is larger universe without any redundant restriction. Each attribute is described by an attribute name and an attribute value. The attribute value is embedded in the PHR ciphertext and the plaintext attribute name is clear in the access policy. Moreover, the malicious user who illegally leaks his (partial or modified) private key could be precisely traced. The security analysis and performance comparison demonstrate that HTAC is secure and practical for mHealth applications.