Secure Data Sharing With Lightweight Computation in E-Health

Edge computing provides users with nearby services, promotes the development of the Internet of Things and transforms the mode of traditional electronic medical system that improves the speed and accuracy of medical diagnosis. However, edge computing has introduced new security challenges, such as the difficulty in applying standard encryption algorithms because of the limited computing capability of devices on the edge and concerns of privacy leakage. In this article, we propose a data access scheme by employing a lightweight attribute-based encryption (ABE) to address the security weaknesses of edge computing for e-health. Our novel modular exponential outsourcing algorithm outsources the shared data to the untrusted edge server and verifies the correctness of the returned results while achieving a lightweight computational load. The proposed Mask Algorithm along with blind pairs conceals the bases and exponents of the encrypted data, thus preserving the privacy of sensitive data in the process of outsourced computing. Security analysis and performance evaluation confirmed the security and efficiency of the proposed method.

to achieve granular data security sharing. Goyal et al. [28] proposed a method for encrypting data that implements complex access control, which is called attribute-based encryption based on ciphertext policies. Most of prevailing ABE schemes, such as [4], [9], [12], [27]and [29], support short constant cipher text, or perform layered encryption to decrease the computational cost. However, the cost of computation in both encryption and decryption phases still depends on the complexity of the access policy, and the computational costs increase linearly.
The cost of encrypted computing is a bottleneck that limits its application scope. Therefore, for secure sharing of massive data in edge computing, ABE encryption and decryption calculation remains a challenge for devices with limited resources. Hohenberger and Lysyanskaya [1] propose an algorithm that calculate securely from devices with limited computing resources. Outsourcing computation provides a framework to quantify the efficiency and verifiability of outsourcing implementation. It is performed by untrusted assistants. Previously proposed methods require multiple remote servers that do not collude. If these servers collude, the outsouring party will be unable to verify the correctness of the outsourced calculations. Atallah and Frikken [10] propose an outsourced computing algorithm that can detect dishonest behavior in the server cloud even if the servers collude. Ma et al. [8] proposed a universal security outsourcing solution that allows users to securely outsource exponentiation to an untrusted cloud server. In two untrusted program simulations, Chen et al. [15] proposed a security outsourcing modular exponentiation algorithm for primes(variable exponentiation and variable cardinality). Green et al. [14] presented an ABE scheme that largely eliminates the user's decryption overhead. The user provides a single conversion key for the cloud, which allows the cloud server to transform ciphertext with a constant size that is the same as the ElGamal ciphertext. In this method, the cloud server cannot get any of the user's ciphertext information. Li et al. [13] proposed to outsource ABE to cloud server vendors to decrease the burden of local computation. The computing cost for users would be constant. The scheme of Green et al. cannot guarantee the correctness of ciphertext conversion completed by the cloud. Lai [2] et al. proposed a formal ABE model with verifiable outsourced decryption and provided specific solutions without relying on random oracles. However, the size and calculation cost of ABE ciphertext and the bandwidth and calculation cost doubled. Lin et al. [5] presented a more efficient and universal ABE structure with verifiable outsourcing decryption is proposed. As third parties are generally considered untrustworthy, security requirements for outsourced decryption should include privacy and verifiability. Mao et al. [6] presented a general construction of ABE systems with CPA security and RCCA security for verifiable outsourced decryption. Fortino et al. [18] extended the computing paradigm to the edge of the network and implemented a range of new applications and services. Huang et al. [22] created a first of its kind secure cloud data collaboration service based on server data sharing support and fine-tuned access control to prevent information leaks. Bonomi et al. [19] proposed a cloud-centric vision to implement IoT on a global scale, and discussed the key supporting technologies and application areas that may drive IoT research in the near future. Ruj et al. [30] proposed a communication architecture and designed a CP-ABE scheme to protect implanted wearable sensors and data communications of the data recipient (e.g., authorized health personnel). Ruj et al. [20] proposed a fog computing framework to support security and privacy protection schemes to improve processing power and save bandwidth. For IoT devices and cloud computing, Hu et al. [21] proposed a scheme with a fine-grained access control scheme based on hierarchical attributes, which supports outsourcing encryption and decryption and reduces key management by employing hierarchical attributes. Nguyen et al. [3] proposed an ABE outsourcing mechanism for ciphertext policy, wherein users can offload intensive CP-ABE encryption operations to semi-trusted computing servers. A predictive computing technique for CP-ABE encryption algorithm is proposed in [35] to alleviate the practical problem of CP-ABE implementation on resource-constrained devices. But the storage requirements of its technology have become an important issue. In the scheme proposed by Huang [46] et al., an attribute-based encryption algorithm that outsourced both encryption and decryption computation to the server was proposed. However, there was a risk that the attribute privacy in the access policy would be leaked during the outsourcing process of encryption calculation, and the results of encryption outsourcing calculations were not verified. Sun [47] et al. put forward a lightweight encryption scheme based on CP-ABE that supports strategy hiding by proposing a vector transformation method to reduce computing overhead in key generation, encryption and decryption. In this article, they used offline /online computation to achieve lightweight computation in E-Health. But the scheme does not take into account the congestion of mass data processing and transmission in electronic medical systems. Li [48] et al. proposed a secure and lightweight attribution-based encryption scheme suitable for mobile cloud computing scenarios, and outsourced a large number of decryption operations to cloud servers and verified the correctness of outsourcing results. However, this scheme does not implement the secure outsourcing of encryption phase.

B. OUR CONTRIBUTIONS
To enhance the security and achieve the lightweight computing in the edge devices of E-health, an edge electronic medical system is proposed. The contributions are summarized as follows.
(1) We propose an edge electronic medical framework for E-health. A wearable mobile sensor is attached to an individual's mobile communication device. After the patient sets the access policy, the data collected by the mobile sensor is used by the mobile device to cooperate with the edge servers to complete the encryption operation based on the attribute ciphertext. After the edge server completes the encryption operation with the user, the ciphertext will be uploaded to the edge server for temporary storage or uploaded to the cloud server for permanent storage. The edge server will specify the period (e.g., data from the last ten days) to update the cached ciphertext according to the requirements of the situation, which reduces network congestion and constrains the time spent by personnel in obtaining the data. Access to patient health data can only be obtained when the user meets the access policy. Users can send data access requests to the edge server, then get data directly from the edge server, or get data after the edge server downloads them from the cloud server. The edge server refreshes the data according to the specified setting for the time period. The personnel can access the invalid ciphertext stored on the edge server becomes from the cloud server when necessary. In this way, a timely and accurate diagnosis can be provided to the patient. Figure.1. illustrates the details of this system. (2) To improve the computational efficiency on the edge device, we introduce a lightweight ciphertext-policy ABE with verifiable secure outsourcing for the proposed framework. In the encryption phase, we propose a modular exponentiation operations in a single untrusted server(the details of them are shown in Algorithm1). The proposed algorithm can assist users in calculating the batch of the variable exponential same base (e.g., (u a 1 , u a 2 , . . . , u a n )), which is securely outsourced to an untrusted computing server, so that the data can be efficiently processed and the correct calculation result can be returned by the untrusted server. Our method uses a single server to perform the calculations and prevents malafide or untrustworthy outsourcing users with an error detection rate of 100% while imposing a low verification cost to users. The proposed algorithm offloads a substantial amount of computation to the server during the encryption, and decryption phases, achieves lightweight computation, and is suitable for edge devices. (3) To protect the privacy of patients, the outsourced data is first divided into parts at random for the edge server's view. In order to reduce the burden of encrypted computing on medical devices on the edge network, we outsource encrypted computing to servers on the edge of the network. However, in the encryption process, the corrupted server can guess the patient's disease information by guessing the set of attributes in the encryption policy if the server is directly outsourced to the edge server, which leads to the failure to protect the patient's privacy. Therefor, the data owner hides the bases of the original data and masks the exponents of the ciphertexts with the blind pairs before he/she outsources the computing of encryption to edge servers. Finally, both the exponent and the base of the original data are divided into random parts by the proposed Mask Algorithm to ensure data security and privacy protection.

A. BILINEAR MAPS
We defineê as a map, that isê = G 0 × G 0 → G T . G 0 , G T are two multiplicative cyclic groups with prime order p, select g ∈ G, G is the set of generator of G 0 . Letê be a bilinear mapping, if it satisfies the following conditions: • Bilinearity:ê(g a , g b ) =ê(g, g) ab , ∀g ∈ G, ∀a, b ∈ Z * p . • Nondegeneracy:ê(g, g) = 1 • Computability: An efficient algorithm exists for computingê(g a , g b ), ∀g ∈ G, ∀a, b ∈ Z * p 209632 VOLUME 8, 2020

B. ACCESS TREE
Denote T as a tree that represents the access policy. There are two types of nodes in the tree: leaf nodes and non-leaf nodes. For the non-leaf node x, there are child nodes. num x is the number of the child nodes of x. The child nodes of node x are labeled 1 to num x in the tree, and index(x) returns the mark that is associated with x. For each node x in T, k x is the threshold value of each node x, which satisfies 0 < k x < num x . Specially, it represents the ''AND gate'' when k x = num x and ''OR gate'' when k x = 1. For each leaf node x, there is a unique attribute att x correlating with the node x, and assign k x = 1. The parent(x z ) is the parent of x z (x z is a leaf node) in T. Denote T x r as a subtree of T with the root x r , and let T x r (ω) = 1 when the attribute set ω satisfies the access tree T.

C. DECISIONAL BILINEAR DIFFIE-HELLMAN ASSUMPTION
For the cyclic groups G 0 , G T with the prime order p, select the generator g for G 0 , a, b, c ∈ Z * p and R ∈ G T at random. We call DBDH assumption holds if any probabilistic polynomial time (PPT) algorithm cannot distinguish the tuple (g, g a , g b , g c , T = e(g, g) abc ) and (g, g a , g b , g c , T = R) with a non-negligible advantage .

D. DEFINITION OF OUTSOURCING SECURITY
In this section, we define outsourcing security [1]. The calculator is divided into two parts: a trusted component, T , which knows inputs for Alg and has fewer tasks for calculations, and an untrusted component, U , which can perform a large number of tasks for T . T can outsource tasks to U securely.
(T , U ) is an outsource-secure implementation if: (i) T and U execute the cryptographic algorithm Alg = T U together; and, (ii) If U is replaced by a malicious software U that cannot obtain secure data or communications and is unsuccessful in its attempts to carry out malicious operations;

Definition 1 (Algorithm with Outsourcing-IO):
In the model of this algorithm, there are five logical divisions of inputs and three outputs to Alg. These divisions are further classified according to whether the input generates honestly or adversarially. Alg has secret, protected, andunprotected outputs -five inputs that include: honest secret input x 1 , honest protected input x 2 , honest unprotected input x 3 , adversarial protected input x 4 , and adversarial unprotected input x 5 ; and three outputs that include: secret output y 1 , protected output y 2 , and unprotected output y 3 .
Adversary A comprises E and U : A = (E, U ). Define outsourcing security if: there are emulators S U and S E that will simulate the view of T U (x) and protected input x when T U (x) was invoked.

Definition 2 (Outsourcing security):
If Alg is the algorithm with outsourcing-IO, the algorithms (T , U ) are outsource-secure implementation for Alg if:

1) Correctness: T U executes the algorithm Alg correctly;
and, 2) Security: For any PPT adversary A = (E, U ), there is a probabilistic expected polynomial time simulator (S E , S U ) making the following pairs computationally indistinguishable for random variables. Pair I: EVIEW Real ∼ EVIEW Ideal ( The external adversary E can not learn anything); and, Pair II: UVIEW Real ∼ UVIEW Ideal ( The untrusted software U cannot learn anything).

Definition 3 (α-efficient, secure outsourcing):
In a single server model that is untrusted, the algorithms (T , U ) are α-efficient implementation of an algorithm Alg if: 1) They are outsource-secure implementation of Alg; and, 2) ∀ inputs w, the executing time of T is less than an αmultiplicative factor of the executing time of Alg(w). Definition 4 (β-checkable, secure outsourcing): In a single server model that is untrusted, the algorithms (T , U ) are β -checkable implementation if: 1) T , U are an outsource-secure implementation of Alg; and, VOLUME 8, 2020 2) For ∀ inputs w, if the malicious software U deviates from its functionality during the operational process of T U (w), T will perceive the error with probability more than β.
The detailed description of the definition of outsourcesecurity is referred to [1].

III. DEFINITION OF ABE-VOCE MODEL AND SECURITY MODEL
A. NOTATIONS Table 1 below lists the notations that are used in this article. Figure.2. shows the system structure of the ABE − VOCE scheme comprising three components: cloud, edge, and data layer. The edge layer consists of Edge Storage Servers (ESSs) and Edge Computation Servers (ECSs) near the data layer. ESSs store the data and ECSs compute the data for assisting the encryption and decryption. The features of distributed edge nodes enable them to support multiple permissions and thereby improve the security of the system. Edge nodes substantially improve the performance and security of encryption schemes. The components of the system are as follows.

B. SYSTEM DECRYPTION
• Cloud Server: We define a cloud server that is honest but curious. The cloud server will perform the work correctly and with curiosity. The cloud server has large storage capacity and computing power. When a visitor requests access, the task is assigned to the edge server to meet the visitor's needs. The ciphertext in the system can be stored permanently.
• Edge Storage Servers: An (ESS) is a storage server near the user. The ESS is honest but curious. ESS caches ciphertext from the user and sends the data from medical records to the cloud server for storage permanently.
In addition, ESS processes access requests in real time and sends ciphertext cached on the server to authorized users.
• Edge Computation Servers: There is another computing server(ECS) with computing power at the edge layer.
We assume that the ECS may be untrusted. It is responsible for assisting users in completing the encryption task, so that users with limited resources at the edge of the network can safely achieve data sharing. It pre-decrypts the ciphertext but cannot obtain any content information.
• Central Authority: The Central Authority (CA) is a trusted entity that generates the public key and the master key in system. The CA regulates the setting of global parameters and the registration of user and authorization attribute permissions.
• Edge Attribute Authority: The Edge Attribute Authority (EAA) administers the tasks to generate the secret key in the decryption phases for ECS and DU in its domain to avoid network congestion.
• Data Owner: The Data Owner (DO) is equipped with smart cameras, medical sensors, smart meters, and other IoT devices, and possesses a large amount of data from the device. The DO uploads the data to the medical department to enable doctors to view it. The DO is responsible for formulating access policies and encrypting PHD to achieve secure data sharing.
• Data User: The Data User (DU ) is the medical staff who are permitted to monitor and view the PHD of patients in real time. Medical personnel are on the edge of the network and then sends an access request to get the private key SK from EAA, and EAA then sends the private key SK matching DU to ECS. ECS will partially decrypte for DU , but cannot obtain any information about the data. The DU obtains partial decryption results returned by ECS for full decryption and verifies the decryption results.
C. ABE-VOCE SCHEME MODEL

Definition 6 (Construction of the ABE-VOCE):
We define the contribution of the ABE scheme with verifiable outsourcing computation at the edge of network. The model includes the following five algorithms.

• Secret key generation
KeyGen.User(PK , MSK ) → (SK): EAA runs the key generation algorithm and inputs PK and MSK that from CA, then outputs the private SK for the user.
KeyGen.Edge(PK , MSK , S) → (SK ): EAA runs the key generation algorithm with the inputs PK , MSK and S, which S is user's attribute set. CA outputs the private SK for the edge server's ECS.
• Data encryption The computation cost of operations for the exponentiations modulo a prime is far expensive in most discrete-log based cryptographic algorithms. In the decryption stage, a preprocessing technique is used to accelerate exponential calculation with assistance free the untrusted server. Encrypte.Do + Edge(PK , M ) → (CT )): The DO encrypts the data by invoking a symmetric encryption algorithm. Then set an access policy for the attribute encryption algorithm. The DO takes PK , M as inputs to generate CT with Algorithm1 with the cooperation of the edge server's ECS.
• Data decryption Decryption.Edge(PK , CT , SK ) → (CT Edge ): After receiving the request to complete partial decryption, ECS inputs the public key PK , CT , SK and generates a partially decrypted ciphertext CT Edge when the user's attributes satisfy the access policy in CT , otherwise, it outputs ⊥.
The user inputs CT Edge and the user's secret key SK, then decrypts CT Edge to obtain DK and checks the correctness of CT Edge . If the result is true, the user fully encrypts the ciphertext. The detailed model of the system is shown in Figure. 2.

D. SECURITY MODEL
We define the chosen-plaintext security for an efficient access control scheme that are outsourced to edge computing. A PPT adversary A tries to attack the massage that has encrypted with our scheme. The detail of the game between A and challenger C is shown as follows.
• Initialization. A submits an access structure to C. • Setup. The challenger C invokes Setup(U) algorithm and gives PK to the A.
• Phase 1. A submits an attribute set S to C, and C then initializes an integer l = 0, a table T = Ø and a set D = Ø to provide the oracles for A as follows.  • Guess. Adversary A outputs a guess b of b.

IV. MODEL OF ABE-VOCE AND THE SECURITY A. SYSTEM SETUP
The trust CA sets an attribute universe U in the system, then invokes the setup algorithm and chooses a bilinear map e : G 0 × G 0 → G T . G 0 and G T are multiplicative groups of the prime order p, and g is the generator of G 0 . Then CA chooses a random h ∈ G 0 and α, β ∈ Z * p , selects the cryptographic hash function H : {0, 1} * → Z * p . Finally, the CA returns PK = {g, h, g α , g β , h β , e(g, g) αβ } and the master key MK = (α, β).

B. KEY GENERATION 1) KeyGen.User
The trust EAA runs the KeyGen algorithm to randomly choose γ ∈ Z * p , which is the unique secret associated with each user and computes (g β ) γ . It outputs SK and sends it to the user.

2) KeyGen.Edge
The trust authority selects r j ∈ Z * p at random for each attribute att j ∈ S, which is the attribute set of users to generate SK for the user, and outputs the outsourcing key: Then the authority sends the outsourcing key to ECS.

C. DATA ENCRYPTION
The ciphertext generation phase is completed in collaboration with semi-trusted edge Servers. The DO only needs to compute a small number of multiplication calculations and little modular exponentiation operations to finish encryption. The details are as follows. First, DO selects DK ∈ Z * p at random, then DO encrypts the PHD M using DK by invoking the algorithm SE DK (M ). Next, DO sets an access policy T to encrypt DK. DO randomly selects a polynomial f (·) for the nodes in T. The f (·) is chosen in a top-down manner from the root node R as follows: DO denotes d x as the degree of f (·) and d x = k x − 1 where k x is the value of the threshold for the node x. DO selects s ∈ Z * p at random and lets f R (0) = s. In addition, DO selects d R , which are other points that satisfy the Algorithm 1 BCExp (a i , u) → u a i 1: SetupRand(e, p): User first initializes the Rand by using variables e and p, then inputs k 1 , k 2 , k 3 and runs it three times to generate three blinding pairs (k 1 , g k 1 1 ), (k 2 , g k 2 1 ),(k 3 , g k 3 1 ). User denotes v 1 = g k 1 1 mod p, v 2 = g k 2 1 mod p, v 3 = g k 3 1 mod p. 2: Mask((a, u), (k 1 , g k 1 1 ), (k 2 , g k 2 1 ), (k 3 , g k 3 1 )): User performs the first logical divisions for blinding the base u as follows.
Next, user randomly selects θ, t to hide the exponent a, and θ ≤ 64 bit. User performs the second logical divisions for blinding the exponents a i as follows.
. For batch calculation of modular exponentiation operations with the same base and different exponents, the logical division is as follows.
. Outsourced data is split into parts at random for the outsourced server. The outsourcing party then sends the random pairs {(x i , w), 1,2...n to the server and retains (θ, θ ) as a secret that is only known to the outsourcing party. 3: Compute(α i , β i ): Aftering receiving these random pairs{(x i , w), (y i , v), (r i , v 3 )} i=0,1,2...n uploaded by the user, the edge server computes the modular exponentiations w x i , v l i , v r i 3 and returns the corresponding 1,2...n to user. 4: Verify(σ, (θ, θ ): After obtaining the computational results σ from the outsourced server, the user verifies whether the edge server has produced the correct output with the secret value (θ, θ ) as follows.
3 w x 0 v l 0 5: If the above equation does not hold, the user outputs ''error'' because wrong responses from edge server. Otherwise, compute as follows.  {a m = f y (0) · H(att y )} m=Num y +1,Num y +2,...,2Num y , 6: Outsoursed data has been split into pieces, which are random for the view of edge server; 7: DO disposes pieces as two parts: {(x m , w), (t m , v), (l m , v 3 )} m=0,1,2...2Num y , which will be sent to edge server, and the remaining part (θ, θ ) and bilinding pairs are kept as secret value; 8: return Random Pairs; polynomial f R at random. For the other node x, DO lets f x (0) = f parent(x) (index(x)) and then chooses d x , which are the other points for the polynomial f (·) at random. Denote Y as the set of leaf nodes in T. Finally, DO will collaborate with untrusted severs ECS to compute the ciphertext CT .
DO first runs Algorithm 2 to initialize the Rand algorithm and gets a random blinding pair, which completes some precomputations that assist DO to split the original data. DO uses the initialized subroutine to aid the next division. DO chooses random θ, θ ∈ Z p that θ, θ ≤ 64 bit and selects random t 0 , t 1 , t 2 , . . . , t 2Num y ∈ Z p in order to mask the original base and exponent with the division. The details of division are shown in Algorithm 3.
With the help of blind pairs, DO can complete division and protect the privacy of data. First, DO hides the bases of the original data as follows.
{g f y (0) mod p = v l m 3 w x m v t m mod p} m=1,2,...,Num y {g f y (0)H(att y ) mod p = v l m 3 w x m v t m mod p} m = Num y + 1, Num y + 2, . . . , 2Num y Then, DO hides the remaining exponent as follows.
3 w x m v t m mod p Therefore, both the exponent and the base of the raw data are divided into random parts by the Algorithm 3 to ensure complete security. DO can simply split the data after masking the original data, then send the processed data to the server, and get the final result from ECS. DO retains θ, θ and bilinding pairs as secret. The rest of the parts are sent to the ECS for calculation in the form of the following mask pairs:{(x m , w)} m=0,1,2...2Num x ,

Input: Random Pairs
If the equation holds, DO can check the correctness of the outputs from the edge server, which verifies that the edge sever is honest. DO can then calculate: Then let H(M ) ∈ Z p and run the encrypt algorithm, then output the whole ciphertext: A user can decrypt CT using the following decryption algorithm if the user's attributes satisfy access policy T and obtain the symmetric key DK with the help of ECS.

1) Decrypt .Edge
Edge severs can compute using SK as follows.
i. If the node x is a leaf node, and let x z = att x : If x z ∈ S, then ECS computes: ii. If the node x is a non-leaf node: Define S x as an arbitrary k x -sized set of child nodes n of node x, j = index(n) andŜ x = {index(n) : n ∈ S x }. If the set VOLUME 8, 2020 does not exist or does not satisfy the access policy, output ⊥. Otherwise, output as follows: If the set of attribute for the user satisfies the access policy, ECS will return the result as R = e(g, g) βγ s . Then ECS computes Then edge sever's ECS sends CT Edge to user.
When a user receives CT Edge from edge severs, the user first computes as follows.
= g H(DK * ) . If there is not equality, the user outputs ⊥. Otherwise, the user decrypts SE DK (M ) with DK by applying the symmetric to obtain M .

V. SECURITY AND PERFORMANCE ANALYSIS A. SECURITY PROOF 1) OUTSOURCING ALGORITHM SECURITY ANALYSIS
We prove the security of the outsourcing algorithm in this section.
Theorem 1: Algorithm 1 is an outsource-secure implementation of BCExp under the condition that the inputs {(a i , u)} may be honest,secret inputs; or, adversarial, protected inputs.
Proof: If ECS that plays the role of U is honest, it's to say that the inputs {(a i , u)} are honest, secret inputs, honest, protected inputs, or an adversarial, protected inputs, T will do the following calculation: 1 w a 0 Then, T checks whether the equation is established: By the equation, T will compute correctly if U returns the correct computing consequence and can get the final result that is correct.
Theorem 2: In a single server model that is untrusted, (T , U ) is securely implemented for the outsourcing algorithm BCExp. {(a i , u)} are honest, secret inputs; or, adversarial, protected inputs.
Proof: Firstly, we prove EVIEW real ∼ EVIEW ideal : if the inputs {(a i , u)} are honest, secret, E will always knows the information of those inputs. Therefore, the implementation of the emulator S E is the same as the actual operation. In this situation, we only need to describe the honest and secret inputs.
• In the ideal execution environment, the emulator S E performs as follows: After receiving the input in ith round, the simulator S E will ignore it and submit three random queries to U . Next, simulator detects the three outputs at random and returns the corresponding outputs from U ; When error occur, the simulator S E will return Y i p = ''error , The simulator S E must store all states from itself. What's more, the inputs are indistinguishable for U in the ideal and real word experiment environments. The inputs are randomly chosen in the ideal environment. The inquiries that T submits to U are random and independent in the real experimental environment. Therefore, they are indistinguishable in the computation.
• If U is honest in ith round, T U will implements the algorithm BCExp correctly both in the real and ideal environment, and the outputs are same. If U is untrust in ith round, it has wrong behaves and outputs the incorrect results for T . But T and S E can check the behave of U . Thus, even if the server U is untrusted, EVIEW real ∼ EVIEW ideal is still established. Secondly, we prove UVIEW real ∼ UVIEW ideal . If {(a i , u)} are dishonest, secret inputs; honest, protected inputs, or adversarial, protected inputs, U can always get the knowledge of the inputs, the operation of simulator S U is the same as the process in the real world. Therefore, we need to be considered the inputs {(a i , u)} are honest, secret inputs; honest, protected inputs; or adversarial, protected inputs.
• Simulator S U works in the ideal experiment environment as follows: After receiving the ith inputs, the simulator S U will ignore it and then submit random queries to U . S U records all states of both itself and U . Proof: First, the BCExp invokes subroutine Rand two times, needs 5 + 2n + 1.5logt + 1.5logt modular multiplication(MM) and one modular multiplication(MInv) for computing u a i mod p. What's more, define m as the bitlength of (a 1 , a 2 , . . . , a n ), and it takes 1.5mn MM to compute u a i mod p via using the square-and-multiply method. Meanwhile, it costs O(log 2 m) MM using the EBPV generator method when it executes program Rand. Accordingly, the algorithm BCExp is an O( logt+logt +log 2 m mn )-efficient implementation.
Theorem 4: In a single server model that is untrusted, (T , U ) is a 1-checkable implementation of BCExp.
Proof: T checks the correctness via computing whether the equation u θ ( i u a i ) θ ?
= v r 0 3 w x 0 v t 0 is holding when T receives the computed results from U . If the equation does not hold, U can know the result returned is wrong. Therefore, the error detection rate of T is 1.

2) SCHEME SECURITY ANALYSIS
we discuss the security of the scheme can be reduced to the (DBDH ) assumption.
Theorem 5: The PPT algorithm B can win the game with advantage 2 under DBDH problem, if PPT A with the nonnegligible advantage > 0 in the security model in this article.
• Initialization. A chooses a challenger access policy T * , then A gives it to B.
• Setup. The simulator B selects α ∈ Z p at random and computes α = α + a, by letting g α = g α +a = g α g a and letting g β = g b . Then B can compute e(g, g) αβ = e(g α +a , g b ) = e(g, g) (α +a)b = e(g, g) α b · e(g, g) ab . What's more, B selects x ∈ Z p that is random and lets h = g x , hence, h β = (g b ) x . Finally B sends PK = {g, h, g α , g β , h β , e(g, g) αβ } to A. • Phase 1. A submits a set S of attributes that satisfy S ⊂ U but not satisfy T * to B and a private key query for S. Then B chooses γ ∈ Z * p at random and computes g γ = = B (α +γ ) . Then, B randomly chooses ε ∈ Z * p and computes ε = ε + a x by setting x . For each a i ∈ S, B chooses a random r i ∈ Z * p and computes g r i as follows: Finally, B returns them to A.
• Challenge. In this phase, A presents two messages M 0 and M 1 to B, and does as follows: B chooses s ∈ Z p at random and builds shares v x of s for all related attributes a x in the access policy T * .
All v x must satisfy the linear condition, that is, the secret sharing scheme is applied and selected from the group Z * p . B generates the challenge ciphertext under the assistance of edge servers by computing g s , h s and C = g v y , C = g v y H(att y ) . Then B chooses v ∈ {0, 1} at random, and let = g b(s +c) and C 4 = h β(s +t) = g xb(s +c) . Finally, B gives CT * to A • Phase 2. In this phase, the operation is the same as phase 1.
• Guess. After receiving the value of v that is from A, B will return 0 if T = e(g, g) abc in the game when v = v; Otherwise, B return 1 that T = R. If T = R, the challenge ciphertext CT * is random for the view of A. In other words, the probability that A can take the value of b is as follows: The CT * is an getatable ciphertext when T = e(g, g) abc . Under the circumstances, the advantage of A to distinguish the ciphertext with T = e(g, g) abc is same as the advantage of DBDH assumption. In other words, In conclusion, the advantage of B to win the security game is

B. PERFORMANCE ANALYSIS
We analyze the efficiency of the proposed scheme and compare its performance to a previously proposed ABE scheme [12] and other methods [2], [13], [14], [46] and [43] in Table 2, TABLE 3, TABLE 4. The approach presented in [46] is similar to outsourcing encryption and decryption to a server, but it can not verify whether the results are correct. The data and policy outsourced is untrusted in the encryption phase and will be known to the server. If the server is corrupt, the access policy will be leaked. The ABE schemes presented in [2] and [13] support outsourced decryption . The details of feature comparisons are shown in  TABLE 2.
Let the modular exponentiation computation be Exp, the pairing computation be P, the number of attributes in the policy be |l|, and the number of the user's attributes be |w| as in Table 3 and Table 4. We compare [13], [46] and [43] with the efficiency of our scheme both in both encryption and decryption phases. We also compared the computation cost of encryption and decryption with the scheme presented in [13], [46] and [43]. Our scheme has a lower computation and a higher error detection rate. Our solution only needs to calculate 6 Exp operations and O(|l|) multiplication operations in the encryption phase. The computing cost of the user's encryption is nearly constant and does not increase linearly with the complexity of ciphertext policy. The secondary encryption results verify its correctness. The cost for the user's decryption phase of our solution is lower than other solutions, and the outsourced results returned by the server can be checked. The encryption cost in [13] and [46] increases linearly with the complexity in the access policy. The calculation of ciphertext related to the attributes are unloaded to the server, which reduces the user's calculation cost, but does not validate the outsourced results and there cannot ensure the correctness of the computation results returned by the outsourced server, thus not assuring the user's correct encryption. Although the solution of Li et al [43] is 2 Exp lower than the calculation cost of our solution in the encryption phase of the user, the cost of computing the data outsourced to the server is higher than that of our solution. In the decryption stage, the scheme present in [13] did not unload the tasks to servers, so that the user would do a lot of calculations, which is not realistic for the users on edge of the network. The scheme present in [46] realized the decryption outsourcing calculations, but it did not consider the verification of the outsourced results in the decryption stage. The scheme present in [43], outsourcing computing and the verification of the pockets results are implemented, which need (2+2|w|)Exp+ (6 + 4|w|)P for outsourcing server, 4Exp + 1P for user to encryption and 2Exp for user to Verify the correctness of the results. In our article, there is (|w|)Exp + (2 + 2|w|)P for outsourcing server, 1P for user to encryption and 1Exp for user to Verify the correctness of the results. The user decryption stage and server decryption cost of our scheme are better than those in the scheme presented in [43]. Figure. 3 illustrates the comparison.
TABLE 5 shows the specific comparison. We proposed a new modular exponential outsourcing algorithm suitable for ABE and compared it with the scheme present in [43]- [45]. The scheme present in [43]- [45] as well as our scheme achieved verifiable outsourced encryption in the ABE scheme, which reduced the tasks for the user. When the untrusted server is not honest, the encryptors will receive error-encrypted data for their request. The error detection rate in our scheme can reach 1, and the error detection rates of the outsourced encryption algorithm used in scheme present in [43] are 3/5, 3 5 ,1 − 1 2n(n+1) , 1 n+1 . The outsourced ABE encryption algorithm is also superior in efficiency compared to [43]- [45]. The detailed comparison is provided in TABLE 5. In the scheme presented in [44], although users do not need to carry out modular exponential operations and only need to carry out modular multiplication operations and modular inversion operations, they need to carry out a large number of operations generated by random pairs, and need two outsourcing servers. The schemes in [43] and [45] and our scheme use a single server for calculation, which prevents server collusion. As shown in TABLE 5, the user's calculations in this scenario are minimal in modulo multiplication, modulo inversion, and the operation of calling Rand to generate random pairs. Moreover, the outsourcing of modular exponential computing to the server requires the payment of corresponding costs, and the outsourcing costs proposed in the scheme in our scheme are comparatively low, as shown in Table 5.

VI. CONCLUSION
The proposed scheme addressed new challenges for lightweight devices in electronic medical systems under edge computing for ABE with outsourced cryptographic verifiability. We presented an edge electronic medical system to help resource-constrained lightweight devices enable secure data sharing. We also proposed a new secure outsourcing algorithm for this system. It supports verifiable outsourcing encryption and decryption. Additionally, it achieves the error detection rate 1. Our analysis and results show that our solution is secure and efficient for lightweight devices when they unload the tasks to edge server. However, as the decryption operation is required for verification in this solution, our next work will focus on designing a scheme that is verified first and then decrypted, so that the user's decryption efficiency is higher.
LEYOU ZHANG received the M.S. and Ph.D. degrees from Xidian University in 2002 and 2009, respectively. He is currently a Professor with Xidian University. His current research interests include cryptography, network security, cloud security, and computer security.
XUEHUANG GAO received the B.S. degree in mathematics from the Taiyuan Normal University, China, in 2018. She is currently pursuing the M.S. degree in applied mathematics with Xidian University, China. Her current interests include applied cryptography and cloud security.
YI MU (Member, IEEE) received the Ph.D. degree from the Australian National University, Canberra, ACT, Australia, in 1994. In 2018, he was a Professor of computer science with the University of Wollongong, Wollongong, NSW, Australia. He is currently a Professor with the College of Mathematics and Informatics, Fujian Normal University, Fuzhou, China. His current research interests include blockchain, cybersecurity, and cryptography. He was the Editor-in-Chief of the International Journal of Applied Cryptography. He has served as an associate editor for several other international journals. VOLUME 8, 2020