Certificate-Less Public Key Encryption For Secure
Abstract—Any private data that is shared over a public network must be secured against unauthorized users. E-healthcare systems hold the health status of patients, which is one such kind of data that needs to be secured. With the development of e-healthcare systems the number of users has grown considerably, which in turn increases the need to secure their data. To prevent illicit activities (such as data being accessed by unauthorized users), we propose a secure data sharing scheme which uses Certificate-less Public Key Encryption and a signature to provide confidentiality along with privacy of the health data. We propose this efficient and secure scheme of data transfer for patients' health data to provide the required privacy and to prevent unauthorized users from accessing the data.

Index Terms—e-Healthcare, Certificate-less Public Key Encryption, Bilinear Pairing, Key escrow

I. INTRODUCTION

Security of private and sensitive data is a very important issue nowadays, and the health status of patients is one of the most important cases. The Electronic Health Record (EHR), which comprises the patient's health data and medical history in digital format, holds very private and sensitive information about patients and is used mostly in emergency situations. This makes the patient's life vulnerable if it falls into the wrong hands. The e-healthcare system, however, ensures instant access to data when required, especially during emergencies, and is also very efficient, as it avoids human errors and does not require any paperwork.

However, when this data is transferred across public networks (the Internet, other wireless networks), it should be secured from attackers. Also, the data of one patient should be kept private from the others, as attackers can exist among the other patients. The EHR of a specific patient may be accessed only by the users authorized to do so. So, there is a need for an e-healthcare system that provides both security and privacy.

The concern about security appears especially when the data crosses public networks. The users in a public network cannot be trusted, as anyone can join the network. Therefore, we need to keep out unauthorized users by encrypting the health data; only authorized people should be able to decrypt it.

In [1], a secure data sharing method has been proposed with Identity Based Encryption (IBE) and signature for the e-healthcare system, securing the data using the ID of the user. Also, only the users that have been authorized are allowed to access certain data from the server, thus ensuring data privacy with confidentiality. However, there is a need for a Trusted Third Party (TTP) that provides users with the private keys for decrypting data that was encrypted with the respective public keys. In this case, there is a possibility that the TTP is compromised by adversaries, exposing all the private keys of the users and thus compromising the health data. This is the problem that arises in [1], and it can be prevented by using certificate-less encryption so that there is no need to depend completely on the TTP.

This paper proposes a security protocol for sharing the health data using Certificate-less Public Key Encryption (CL-PKE) [2] with a signature [3], so that the data is encrypted and authenticated using CL-PKE. CL-PKE is used so that there is no key escrow problem in the system through which the private keys could be compromised. Thus, we can guarantee the security and privacy of the data.

In this proposed scheme, using CL-PKE, the sender encrypts the data with the receiver's public key and sends it to the recipient along with the signature of the sender. The signature guarantees that the received data comes from the sender only and has not been changed during the transfer; by verifying the signature, the receiver can tell whether the data has been corrupted. Only the receiver knows the private key. It is calculated using the partial private key provided by the Key Generation Center (KGC) and the receiver's secret value. Data sent by the sender is first verified using the BLS signature [3], and only if the verification is valid does the decryption take place. The receiver decrypts the sender's data using the private key.

The rest of the paper is organized as follows: Section II mentions the related work, Section III discusses the preliminaries, Section IV describes the proposed method using CL-PKE and Section V shows the performance evaluation of the proposed scheme. Section VI is the conclusion.

II. RELATED WORK

Concerning the security of e-healthcare systems, a secure scheme based on Identity Based Encryption (IBE) has already been proposed in [1]. Identity Based Encryption (IBE) [5] was proposed by Boneh and Franklin. In [1], the secure scheme does not depend on any certification authority. It instead depends on a Key Manager (Public Key Generator),
Authorized licensed use limited to: University of Exeter. Downloaded on June 20,2020 at 00:15:37 UTC from IEEE Xplore. Restrictions apply.
which generates the private keys of all the users with the help of a master secret key. Because of this, the key escrow problem occurs: the Key Manager knows the private keys of all the users.

After thorough verification, and by referring to the survey of security in e-healthcare systems [7] and the recent papers [8] and [9], we can say that this method has not been proposed in any of the previous papers. Although papers like [10], [11], [12] may have used Certificate-less Public Key Encryption for the security of e-healthcare systems, we can say that this method has not been used.

To prevent the key escrow problem in IBE, Al-Riyami and Paterson in [2] proposed Certificate-less Public Key Cryptography (CL-PKC). A Trusted Third Party (TTP) known as the Key Generation Center (KGC) is used. It provides the users only with a partial private key, so the users themselves can generate a full private key. To ensure that the data is accessed only by authorized users, a signature method proposed by Boneh, Lynn and Shacham in [3] is used in this paper for the sake of data privacy. Again, Al-Riyami and Paterson proposed a new CL-PKE scheme, namely FullCL-PKE* in [4], which is more efficient than the original CL-PKE scheme. In this paper, the encryption part is based on [4] and the authentication part is based on [3], and the health data is secured in a more efficient scheme.

III. PRELIMINARIES

A. Bilinear Pairing

Let $G_1$ and $G_2$ be two multiplicative cyclic groups of the same order $|G_1| = |G_2| = p$. Let $P$ be a generator of $G_1$. Let $e$ be an admissible bilinear map, $e : G_1 \times G_1 \to G_2$, satisfying the following conditions:
1) Bilinearity: $\forall\, U, V \in G_1$ and $a, b \in \mathbb{Z}_p^*$,
$e(aU, bV) = e(abU, V) = e(U, abV) = e(U, V)^{ab}$
2) Non-degeneracy: If $g$ is a generator of $G_1$, then $e(g, g) \in G_2$ is a generator of $G_2$.
3) Computability: $\forall\, U, V \in G_1$, $e(U, V)$ is computable in polynomial time.

B. Bilinear Diffie-Hellman Problem

Let $e : G_1 \times G_1 \to G_2$ be a bilinear map and $g$ a generator of $G_1$. The Bilinear Diffie-Hellman Problem (BDHP) is: given $\langle g, g^a, g^b, g^c \rangle$ for random values $a, b, c \in \mathbb{Z}_p^*$, compute $e(g, g)^{abc} \in G_2$. An algorithm $A$ is said to have advantage $\varepsilon$ in solving the BDHP if
$\Pr[A(\langle g, g^a, g^b, g^c \rangle) = e(g, g)^{abc}] = \varepsilon$
Here, the probability is taken over the random choices of $a, b, c \in \mathbb{Z}_p^*$ and the random bits of $A$.

C. Elliptic Curve

An algebraic curve that satisfies the following equation is said to be an elliptic curve:
$y^2 = x^3 + ax + b$ (1)
An elliptic curve has no cusps or self-intersections, i.e., it is non-singular. Let $P$, $Q$, $R$ be points on an elliptic curve. On an elliptic curve, we can perform the following operations:
1) Point Addition: $R = P + Q$. Two points $P$ and $Q$ on the elliptic curve are added to obtain a third point $R$. $R$ is the reflection across the x-axis of the third point where the line joining $P$ and $Q$ intersects the curve.
2) Point Doubling: $R = P + P$. A tangent line is drawn at the point $P$ on the elliptic curve. $R$ is the reflection of the point where this tangent line intersects the elliptic curve again.
3) Point Multiplication: $R = aP$. A scalar value $a$ multiplies a point $P$ on the elliptic curve. It can also be expressed as a combination of point doubling and point addition operations, like $aP = 2(2(2P) + P) \ldots + P$, depending on $a$.

IV. PROPOSED SCHEME FOR E-HEALTHCARE SYSTEM

The building blocks of the proposed scheme are described in this section, those being Certificate-Less Public Key Encryption (CL-PKE) [2] and the BLS signature [3], which are the basic schemes of this proposed secure data sharing protocol. The proposed method consists of 7 algorithms: SETUP, PARTIAL-PRIVATE-KEY-EXTRACT, SET-SECRET-VALUE, SET-PRIVATE-KEY, SET-PUBLIC-KEY, ENCRYPT-AND-SIGN and VERIFY-AND-DECRYPT. The first 5 algorithms are similar to the algorithms of CL-PKE [2], but the last 2 algorithms, ENCRYPT-AND-SIGN and VERIFY-AND-DECRYPT, are Encryption with authentication and Decryption with authentication respectively, i.e., there is signing and verification involving the BLS signature within those algorithms. The sender encrypts the health data with the help of the public key of the receiver. A signature is added to the message by the sender using the BLS signature method, and the message is sent to the receiver across the public network. Only if the user is authenticated to access the data is decryption possible; if not, the process aborts.

A. Security Requirements

The health data of a patient can easily be accessed by every user in the e-healthcare system across a public network. This becomes a big problem when there is an adversary among the users, since the adversary is then able to access health data or send fake data, which is a serious problem. Hence, only authorized users are allowed to access health data.

Also, when the adversary becomes a permitted user, he/she can distribute fake data to all other users. Thus, we need to prevent such data from being distributed to the other participating users. Therefore, data integrity is also a security requirement along with data confidentiality.
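The three elliptic-curve operations of Section III.C (point addition, point doubling and scalar multiplication by double-and-add), as an added example that is not part of the paper. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, the base point $(5, 1)$ and the helper names are constructed here for illustration; a real deployment uses a curve with a prime of around 256 bits, but the arithmetic is the same.

```python
# Added example (not from the paper): the elliptic-curve operations of
# Section III.C over a small prime field. Curve and base point are toy values:
# y^2 = x^3 + 2x + 2 over F_17 with P = (5, 1), a point of order 19.

p = 17          # field prime (toy value)
a, b = 2, 2     # coefficients of y^2 = x^3 + ax + b
P = (5, 1)      # base point (toy value)
INF = None      # the point at infinity, the group identity


def is_non_singular(a, b, p):
    """A curve without cusps or self-intersections has a non-zero
    discriminant 4a^3 + 27b^2 mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def point_add(P1, P2):
    """Point addition R = P1 + P2; also covers doubling and P + (-P).
    R is the x-axis reflection of the third intersection of the line
    through P1 and P2 (the tangent when P1 == P2) with the curve."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                      # P + (-P) = O
    if P1 == P2:
        slope = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord
    x3 = (slope * slope - x1 - x2) % p
    y3 = (slope * (x1 - x3) - y1) % p
    return (x3, y3)


def point_double(P1):
    """Point doubling R = P1 + P1 via the tangent line at P1."""
    return point_add(P1, P1)


def scalar_mult(k, pt):
    """Point multiplication R = k*pt by double-and-add: the binary
    expansion of k fixes the sequence of doublings and additions, which
    is the aP = 2(2(2P)+P)...+P decomposition of the paper."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_double(addend)
        k >>= 1
    return result


def naive_mult(k, pt):
    """Reference: k repeated additions, used only to cross-check."""
    result = INF
    for _ in range(k):
        result = point_add(result, pt)
    return result


def point_order(pt):
    """Smallest n > 0 with n*pt = O, found by brute force (toy sizes only)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = point_add(acc, pt)
        n += 1
    return n


if __name__ == "__main__":
    assert is_non_singular(a, b, p) and is_on_curve(P)
    for k in range(1, 20):
        print(k, scalar_mult(k, P))
    print("order of P:", point_order(P))
```

The `pow(x, -1, p)` modular inverse needs Python 3.8 or later. Scalar multiplication here reads the bits of `k` from the least significant end, so the work is one doubling per bit plus one addition per set bit, regardless of the size of the field.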
Considering the above problems/situations, and also as mentioned in [1], the security requirements in the proposed system are:
1) Data Confidentiality: The data can be accessed only by authorized users.
2) Data Integrity: The health data being exchanged should be authenticated by authorized users only, so that it cannot be modified by unauthorized users during transmission.

B. Proposed Protocol

The proposed protocol is discussed in this section. In [1], the proposed scheme used IBE with a signature, with the e-healthcare server as the Key Generation Center (KGC). In this method, the originally proposed CL-PKE [2] is slightly extended by adding the BLS signature [3] for verification and the FullCL-PKE* method [4] for encryption. There is only a slight modification, while most of the parameters remain the same.

The e-healthcare server acts as the KGC. The SETUP algorithm is run by the KGC. A security parameter $k \in \mathbb{Z}_p^*$ is given as input.

SETUP: The SETUP procedure is described as below:
• The security parameter $k$ is given as input to generate a random prime $p$.
• Let $G_1$ and $G_2$ be 2 groups of order $p$. These give the bilinear map $e : G_1 \times G_1 \to G_2$. Let $P, g \in_R G_1^*$ be 2 random generators.
• A random value $s \in_R \mathbb{Z}_p^*$ is selected as the master secret key, and $P_{pub} = P^s$ is set.
• Choose the hash functions $H_0 : \{0,1\}^* \to \mathbb{Z}_p$, $H_1 : \{0,1\}^* \to G_1$, $H_2 : G_2 \to \{0,1\}^n$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$, $H_4 : \{0,1\}^n \to \{0,1\}^n$, $H_5 : G_1 \to \{0,1\}^n$. $n$ is the bit-length of the plaintexts.
• This results in the output of the system parameters, $params = \langle e, p, G_1, G_2, n, g, P, P_{pub}, H_1, H_2, H_3, H_4, H_5 \rangle$.

PARTIAL-PRIVATE-KEY-EXTRACT: In this algorithm, the inputs are $params$, $s$ and an identifier for the user (say $A$), $ID_A \in \{0,1\}^*$, and the output is $D_A$, the partial private key. The output $D_A$ is provided to $A$ by the KGC, where this algorithm takes place, so that $A$ can set a full private key.
$U_{ID} = H_1(ID_A) \in G_1$
$D_A = U_{ID}^s \in G_1$

SET-SECRET-VALUE: The user $A$ selects a value $x_A \in \mathbb{Z}_p^*$ at random and sets it as the secret value.

SET-PRIVATE-KEY: In this algorithm, the inputs are $params$, the secret value of $A$, $x_A$, and the partial private key received from the KGC, $D_A$, and the output is the full private key $S_A$, which is known only to the user.
$S_A = \langle x_A, D_A \rangle$

SET-PUBLIC-KEY: In this algorithm, the inputs are $params$ and the secret value of $A$, $x_A$, and the output is the public key, $Y_A = x_A P$.

ENCRYPT-AND-SIGN: This algorithm consists of 2 parts, Encryption and Signing. The encryption part encrypts the data using FullCL-PKE* from [4], and the signing part adds a signature for verification so that only authorized users are allowed to decrypt the data.
1) Encryption: Let $M$ be the data that needs to be encrypted. The encryption part of this algorithm takes place as follows:
a) Compute $U_{ID} = H_1(ID_A) \in G_1$.
b) Choose a random value $r \in \mathbb{Z}_p^*$ and compute $B = P^r$.
c) Select a random value $\eta \in \{0,1\}^n$ and compute $l = H_3(\eta, M)$.
d) Compute the cipher-text as follows:
$C = \langle lP,\ \eta \oplus H_2(e(U_{ID}, P_{pub})^l) \oplus H_5(lY_A),\ M \oplus H_4(\eta) \rangle$
2) Signing: In this part the user creates a tuple $\sigma$ on the encrypted data $C$; it is the signature used for verification. With the given private key $s$ and the cipher-text $C$, the algorithm goes as follows:
a) Compute $R = H_1(C) \in G_1$.
b) Select a random value $t \in \mathbb{Z}_p^*$ and compute $N = R^t$. Also, select the blinding factor $r_t \in \mathbb{Z}_p^*$ and compute $T = R^{r_t}$.
c) Also, to make sure $B$ is valid, pick the blinding factor $r_r \in \mathbb{Z}_p^*$ and compute the value $F = P^{r_r}$.
d) Now, compute a challenge $c = H_0(C, T, F) \in \mathbb{Z}_p$ and the responses $s_t = r_t + ct$, $s_r = r_r + cr$. Now, create the tuple $\sigma = \langle N, B, c, s_r, s_t \rangle$. $\sigma$ is the signature.
e) Now, send the tuple $\langle C, \sigma \rangle$ to the receiver.

VERIFY-AND-DECRYPT: This algorithm also has 2 parts, Verification and Decryption. In the verification part, on the given tuple $\langle C, \sigma \rangle$, the receiver verifies the validity of the signature $\sigma$. The decryption is performed only if the signature turns out to be valid. Otherwise, the process is aborted.
1) Verification: The verification of $\sigma$ takes place as:
a) Compute $R = H_1(C) \in G_1$.
b) Re-derive $T$ and $F$ by computing $T' = \frac{R^{s_t}}{N^c}$ and $F' = \frac{P^{s_r}}{B^c}$. Also, the challenge is derived again as $c' = H_0(C, T', F')$. The decryption process is performed only if $c' = c$. Otherwise, it is aborted.
2) Decryption: Let the cipher-text be $C = \langle U, V, W \rangle$. The decryption is as follows:
a) Compute $\eta' = V \oplus H_2(e(D_A, U)) \oplus H_5(x_A U)$.
b) Now, $M' = W \oplus H_4(\eta')$ and $l' = H_3(\eta', M')$.
c) Check whether $U$ is equal to $l'P$.
• If $U \neq l'P$, then output $\bot$, denoting the failure of decryption, and reject the cipher-text.
• If $U = l'P$, then $M'$ is the decrypted data of $C$.
d) The health data will be valid if and only if $T = \frac{R^{s_t}}{N^c}$ and $F = \frac{P^{s_r}}{B^c}$.
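The ENCRYPT-AND-SIGN and VERIFY-AND-DECRYPT algorithms above, run end to end, together with the checks behind the correctness proof (Section IV.C) and the Type I / Type II cases of the security analysis (Section IV.D), as an added example that is not the paper's own code. Everything it assumes is a stand-in chosen here so the algebra can execute offline: $G_1$ is modelled as $\mathbb{Z}_p$ under addition with $P = 1$ (so the paper's $P^r$ and $R^t$ become $r \cdot P$ and $t \cdot R$), the "pairing" is $e(A, B) = A \cdot B \bmod p$, which is bilinear but has trivial discrete logarithms, and $H_0 \ldots H_5$ are SHA-256 with domain-separation tags. The block therefore demonstrates that the protocol's equations close and that tampering or a missing key component is detected; it says nothing about the hardness assumptions, which need a real pairing group.

```python
# Added example (not the paper's code): ENCRYPT-AND-SIGN / VERIFY-AND-DECRYPT
# of Section IV.B in a TOY setting. G1 = Z_p under addition with P = 1, so the
# paper's P^r and R^t are r*P and t*R, and e(A, B) = A*B mod p stands in for
# the pairing. Bilinear, but discrete logs are trivial: correctness only,
# never security. H0..H5 are SHA-256 with domain tags (constructed choice).
import hashlib
import secrets

p = 2**127 - 1      # toy prime group order (constructed)
P = 1               # generator of the additive toy group
n = 16              # plaintext block length in bytes (n = 128 bits)


def _h(tag, *parts):
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(x if isinstance(x, bytes) else int(x).to_bytes(16, "big"))
    return h.digest()

def H0(C, T, F): return int.from_bytes(_h(b"H0", *C, T, F), "big") % p
def H1(data):    return int.from_bytes(_h(b"H1", data), "big") % p or 1  # G1*
def H2(g2):      return _h(b"H2", g2)[:n]
def H3(eta, M):  return int.from_bytes(_h(b"H3", eta, M), "big") % p or 1
def H4(eta):     return _h(b"H4", eta)[:n]
def H5(g1):      return _h(b"H5", g1)[:n]
def e(A, B):     return A * B % p                      # toy bilinear map
def xor(x, y):   return bytes(i ^ j for i, j in zip(x, y))
def rand_zp():   return secrets.randbelow(p - 1) + 1   # uniform in Z_p^*


def setup():                                # SETUP: master key s, P_pub = P^s
    s = rand_zp()
    return s, s * P % p

def partial_private_key_extract(s, ID):     # D_A = U_ID^s
    return s * H1(ID) % p

def set_public_key(xA):                     # Y_A = x_A P
    return xA * P % p


def encrypt_and_sign(M, ID, YA, Ppub):
    assert len(M) == n
    UID, r, eta = H1(ID), rand_zp(), secrets.token_bytes(n)
    B = r * P % p
    l = H3(eta, M)
    U = l * P % p
    V = xor(xor(eta, H2(l * e(UID, Ppub) % p)), H5(l * YA % p))
    W = xor(M, H4(eta))
    C = (U, V, W)
    # Signing: Schnorr-style proof that N = R^t and B = P^r are well formed
    R = H1(_h(b"C", *C))
    t, rt, rr = rand_zp(), rand_zp(), rand_zp()
    N, T, F = t * R % p, rt * R % p, rr * P % p
    c = H0(C, T, F)
    st, sr = (rt + c * t) % p, (rr + c * r) % p
    return C, (N, B, c, sr, st)


def verify(C, sigma):
    N, B, c, sr, st = sigma
    R = H1(_h(b"C", *C))
    T2 = (st * R - c * N) % p               # T' = R^{s_t} / N^c
    F2 = (sr * P - c * B) % p               # F' = P^{s_r} / B^c
    return H0(C, T2, F2) == c               # c' must equal c


def decrypt(C, DA, xA):
    U, V, W = C
    eta2 = xor(xor(V, H2(e(DA, U))), H5(xA * U % p))
    M2 = xor(W, H4(eta2))
    if H3(eta2, M2) * P % p != U:           # reject unless U == l'P
        return None
    return M2


def verify_and_decrypt(C, sigma, DA, xA):
    return decrypt(C, DA, xA) if verify(C, sigma) else None


def run_scenarios():
    """Honest round trip, a tampered ciphertext, and the Type I / II cases."""
    s, Ppub = setup()
    ID = b"patient-0042@hospital"           # constructed identifier
    DA = partial_private_key_extract(s, ID)
    xA = rand_zp()                          # SET-SECRET-VALUE
    YA = set_public_key(xA)
    M = b"BP 120/80 HR 72 "                 # constructed 16-byte record
    C, sigma = encrypt_and_sign(M, ID, YA, Ppub)
    tampered = (C[0], C[1], xor(C[2], b"\x01" + bytes(n - 1)))
    # Type I: adversary swaps in its own public key x'P but holds no D_A
    xE = rand_zp()
    CE, _ = encrypt_and_sign(M, ID, set_public_key(xE), Ppub)
    return {
        "honest": verify_and_decrypt(C, sigma, DA, xA) == M,
        "tampered_sig_fails": not verify(tampered, sigma),
        "tampered_dec_rejects": decrypt(tampered, DA, xA) is None,
        "type1_no_partial_key": decrypt(CE, rand_zp(), xE) is None,
        "type2_kgc_only": decrypt(C, DA, rand_zp()) is None,  # D_A but no x_A
    }
```

Two points worth observing when running it. First, the verifier computes $T'$ and $F'$ exactly as in Section IV.B.1(b); in additive notation $s_t R - cN = (r_t + ct)R - ctR = r_t R$, which is the identity proved in Section IV.C.1. Second, the signing steps as written on the page use only the fresh values $t$, $r$ and the blinding factors $r_t$, $r_r$; the block follows those steps exactly, so a passing verification establishes that $N$ and $B$ were formed consistently with $C$, and the decryption-side check $U = l'P$ is what rejects the altered ciphertext even when verification is skipped.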
C. Correctness Proof

The correctness of the proposed protocol can be proved by checking the conditions from Signing and Encryption against those in Verification and Decryption respectively. The proof is as follows:
1) Checking $T$ with $T'$ and $F$ with $F'$:
$T' = \frac{R^{s_t}}{N^c} = \frac{R^{r_t + ct}}{(R^t)^c} = \frac{R^{r_t} R^{ct}}{R^{ct}} = R^{r_t} = T$
$F' = \frac{P^{s_r}}{B^c} = \frac{P^{r_r + cr}}{(P^r)^c} = \frac{P^{r_r} P^{cr}}{P^{cr}} = P^{r_r} = F$
2) Checking $\eta$ with $\eta'$:
$\eta' = V \oplus H_2(e(D_A, U)) \oplus H_5(x_A U)$
$\eta' = \eta \oplus H_2(e(U_{ID}, P_{pub})^l) \oplus H_5(lY_A) \oplus H_2(e(U_{ID}^s, lP)) \oplus H_5(x_A lP)$
$\eta' = \eta \oplus H_2(e(U_{ID}, P)^{sl}) \oplus H_5(l x_A P) \oplus H_2(e(U_{ID}, P)^{sl}) \oplus H_5(x_A lP)$
$\eta' = \eta$
3) Checking $M$ with $M'$ and $l$ with $l'$:
$M' = W \oplus H_4(\eta')$
$M' = M \oplus H_4(\eta) \oplus H_4(\eta')$
Since $\eta = \eta'$, therefore $M' = M$.
Now, $l' = H_3(\eta', M')$. Since $M' = M$ and $\eta' = \eta$, therefore $l' = l$.

D. Security Analysis

The protocol that we propose is based on CL-PKE and the BLS signature. This type of system is analyzed against adversaries of 2 types:
1) Type I: This adversary chooses some value of its own and uses it to replace the public key of the user, since there is no authentication of the public keys. However, to decrypt a message, the adversary must have the specific private key, which can only be calculated with the partial private key provided by the KGC. If the attacker wants to generate a partial private key on its own, it needs to solve the computationally hard discrete logarithm problem on the elliptic curve to obtain the master secret key. Also, the data cannot be accessed by unauthorized members to start the decryption process.
2) Type II: The Type II adversary is the case where the KGC is compromised. In this case, the adversary knows all the partial private keys that are generated from the master secret key of the KGC. However, the recipient calculates the full private key by combining the recipient's secret value with the partial private key provided by the KGC. In any case, the adversary has no information regarding the recipient's secret value, so the adversary has no knowledge of the full private key of the users.

Fig. 1. Comparison of CPU-time consumed

V. PERFORMANCE EVALUATION

In the proposed method, the ENCRYPT-AND-SIGN algorithm requires a number of operations, which are listed in Table I. However, some operations take so little time that they can be neglected. The individual operation times have already been calculated and reported in [6]. The computational time was calculated there using the cryptographic library MIRACL on a hardware platform consisting of an Atom 1.44 GHz processor with 1024 MB of memory under the Ubuntu 9 operating system [6]. Since the computation times are already provided in [6], we used them, as the software and library are also mentioned there. However, the computation times of [1] differ from those here due to the use of a different library and software.

TABLE I
OPERATION COUNT IN ENCRYPT-AND-SIGN ALGORITHM

Operation                  Previous Scheme [1]   Proposed Scheme
Hash function                       1                  5
Point Multiplication                3                  4
Bilinear Pairing                    1                  1
Point Addition                      2                  2
Random Number Generation            4                  5
Hash To Group                       4                  2
Modular Exponentiation              5                  4

The graph in Fig. 1 clearly shows that the proposed protocol has a computation time that is comparatively less than that of the previous scheme [1], which shows a clear improvement over that paper. Calculating the total time taken by the algorithm using these details, Table II shows the time comparisons of the previous scheme [1] and the proposed scheme for the Encrypt-And-Sign algorithm and the Verify-And-Decrypt algorithm. The CPU time in the proposed scheme has decreased by a considerable amount, so we can say that the proposed scheme is an improvement over the previous scheme.
TABLE II
COMPARISON OF CPU TIME

Scheme                Algorithm            Time Taken (in ms)
Previous Scheme [1]   Encrypt-And-Sign           94.84
Proposed Scheme       Encrypt-And-Sign           77.11
Previous Scheme [1]   Verify-And-Decrypt        131.78
Proposed Scheme       Verify-And-Decrypt         72.57

VI. CONCLUSION

This paper proposes an efficient data sharing protocol for the security of an e-healthcare system with Certificate-less public key encryption. The correctness proof is also given, along with a time comparison of the proposed protocol. The computational times of our scheme have been shown in this paper and are efficient, as the time taken by the Encrypt-and-Sign and Verify-and-Decrypt algorithms is only about 77 ms and 72 ms respectively. The graph clearly shows the time difference between the two algorithms. Our future plan is to analyze the proposed scheme and also to work on further improvement of the scheme for a better and more secure e-healthcare system.

REFERENCES

[1] Amang Sudarsano, Mike Yuliana and Haryadi Amran Darwito, "A Secure Data Sharing Using Identity-Based Encryption Scheme for e-Healthcare System," 3rd International Conference on Science in Information Technology (ICSITech), vol. A247, pp. 429–434, 2017.
[2] Sattam S. Al-Riyami and Kenneth G. Paterson, "Certificateless public key cryptography," in International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2003, pp. 452–473.
[3] D. Boneh, H. Shacham and B. Lynn, "Short signatures from the Weil pairing," Journal of Cryptology, vol. 17, no. 4, pp. 297–319, 2004. Extended abstract in Asiacrypt 2001.
[4] S. S. Al-Riyami and K. G. Paterson, "CBE from CL-PKE: A Generic Construction and Efficient Schemes," in S. Vaudenay (ed.), Public Key Cryptography - PKC 2005, 2005.
[5] D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM Journal of Computing, vol. 32, no. 3, pp. 586–615, 2003. Extended abstract in Crypto 2001, LNCS 2139, pp. 213–229, 2001.
[6] M. K. Aditia, F. Altaf, M. R. Singh, M. S. Burra, C. Maurya, S. S. Sahoo and S. Maity, "Optimized CL-PKE with lightweight encryption for resource constrained devices," in Proceedings of the 20th International Conference on Distributed Computing and Networking, Bangalore, India, 4–7 January 2019, pp. 427–432.
[7] Isra'a Ahmed Zriqat and Ahmad Mousa Altamimi, "Security and Privacy Issues in Ehealthcare Systems: Towards Trusted Services," International Journal of Advanced Computer Science and Applications (IJACSA), vol. 7, no. 9, pp. 229–236, 2016.
[8] A. V. Vijayalakshmi and L. Arockiam, "Hybrid security techniques to protect sensitive data in E-healthcare systems," 2018 International Conference on Smart Systems and Inventive Technology (ICSSIT), Tirunelveli, India, 2018, pp. 39–43.
[9] I. Singh, D. Kumar and S. K. Khatri, "Improving The Efficiency of E-Healthcare System Based on Cloud," 2019 Amity International Conference on Artificial Intelligence (AICAI), Dubai, United Arab Emirates, 2019, pp. 930–933.
[10] R. Guo, Q. Wen, Z. Jin and H. Zhang, "An efficient and secure certificateless authentication protocol for healthcare system on wireless medical sensor networks," Scientific World Journal, vol. 2013, Article ID 761240, 7 pages, 2013.
[11] R. Guo, Q. Wen, H. Shi et al., "An Efficient and Provably-Secure Certificateless Public Key Encryption Scheme for Telecare Medicine Information Systems," J Med Syst, vol. 37, 9965, 2013.
[12] M. Ma, D. He, M. K. Khan and J. Chen, "Certificateless searchable public key encryption scheme for mobile healthcare system," Comput Electr Eng, 2017, in press.