Efficient Privacy-Friendly and Flexible Wearable Data Processing With User-Centric Access Control

With the advent of cloud computing and the vast amount of data produced by IoT wearable devices, outsourcing computation has become a widespread practice in providing health services to individuals and society. Conventional approaches typically focus on either secure data processing or fine-grain access control. Nevertheless, only a few existing solutions consider secure fine-grain access control over the encrypted computational results. Notably, these solutions overlook different data access request needs (e.g., needs of data owners and requesters to access data of a single or multiple data owners) and data owners’ access control. In addition, they almost exclusively focus on data aggregation operations, neglecting multiplication and division operations on encrypted data, which are fundamental operations with significant importance in various application scenarios. In this paper, we present efficient and privacy-preserving schemes for multiplication and division operations with fine-grain data-sharing and user-centric access control capabilities, called SAMM and SAMD, respectively. We utilise a multi-key Paillier homomorphic cryptosystem to allow privacy-preserving computation of data from both single and multiple data owners. Additionally, we integrate ciphertext-policy attribute-based encryption to enable fine-grain sharing with multiple data requesters based on user-centric access control. Through formal security analysis, we demonstrate that these schemes ensure data confidentiality and authorisation. Moreover, the computational cost and communication overhead of our proposed schemes are thoroughly analysed, and our experimental results indicate that these schemes outperform existing state-of-the-art solutions in terms of efficiency, making them well-suited for use in modern IoT wearable healthcare systems.


I. INTRODUCTION
IoT wearable devices are equipped with sensors and communication capabilities to track an individual's health conditions and activity by monitoring their heart rate, blood pressure, step counts, etc.They play a vital role in advancing healthcare services by harnessing the data acquired from these devices to empower analytical models [1].These The associate editor coordinating the review of this manuscript and approving it for publication was Luca Cassano.models can provide services for both individuals and the wider public.For individuals, this includes services such as personalised treatment, remote health monitoring, anomaly detection and early diagnosis based on data collected from a specific individual.For the wider public, it includes tracking disease prevalence, and mitigating potential outbreaks by analysing data from multiple individuals [2], [3].
Several parties, such as health service providers, research institutions, government, family members, friends and data owners themselves, can benefit from accessing the results generated by these analytical models.Therefore, health systems need to support data processing and sharing in three specific scenarios: (i) data owners (DO) accessing the results of analyses performed on their own data (DO-DO), (ii) data requesters (DRs) accessing the results of analyses conducted on data of a single data owner (DRs-DO) and (iii) DRs accessing the results of analyses conducted on data of multiple data owners (DRs-DOs).These three scenarios are depicted in Fig. 1.
Storing, processing, and analysing large amounts of data generated from wearable devices is commonly achieved through cloud service providers (CSPs) [2], [4].This can alleviate the strain on resource-limited devices and help address these scenarios efficiently, especially on data owners' side [5].However, it also raises two concerns about user privacy and security.First, while the data is collected securely, CSPs may process it in plaintext, which could lead to unauthorised access and data breaches [6], [7].Second, data owners often lack control over who can access their sensitive information, which goes against the principles set by data protection regulations such as GDPR [8] and HIPPA [9] that emphasises the importance of protecting users' data privacy and implementing adequate access control [10].Therefore, it is essential to achieve flexible data processing and sharing in a privacy-preserving manner while efficiently supporting the aforementioned three scenarios (see Fig. 1) and adopting a user-centric approach.
Multiplication and division are core operations in many statistical processes and machine learning algorithms.Secure multiplication and division based on homomorphic encryption (HE) or sharing data with multiple recipients using attribute-based encryption (ABE) have been widely explored in the literature.Fully homomorphic encryption (FHE) allows various operations, including multiplication and division over encrypted data, but comes with a high computational cost unsuitable for resource-constrained devices.Partial homomorphic encryption (PHE) only supports one type of operation over encrypted data.Several existing solutions utilise single-key PHE schemes, which involve encrypting all users' data with a single public key [11], [12], [13], [14], [15].However, this approach can lead to serious privacy issues if the corresponding private key is compromised [4], [16].Moreover, these solutions limit data owners' ability to access their own data, which undermines the DO-DO scenario.In contrast, other solutions [17], [18], [19] use a multi-key PHE scheme that overcomes the limitations of the single-key PHE schemes and addresses the DO-DO scenario.However, HEbased solutions typically do not support flexible data sharing with multiple data requesters by default [20], [21], thus failing to support the DRs-DO and DRs-DOs scenarios.ABEbased solutions [22], [23], [24], [25], [26] provide secure data sharing with multiple requesters but do not support secure data processing, as ABE is designed primarily for data sharing.As a result, none of these approaches can adequately support secure and flexible data processing and sharing.
To address these limitations, Ding et al. proposed multiplication and division schemes [20], [27] that integrate PHE and ABE techniques and can support the DRs-DOs scenario.However, both solutions rely on a single-key HE scheme, inheriting the earlier drawbacks.Additionally, despite enabling flexible data sharing through ABE, they cannot support personalised data processing and access control settings by data owners, as this control is left to third-party cloud servers.Pang et al. [28] designed a multiplication scheme based on multi-key PHE that can support the DO-DO scenario.However, since HE schemes do not support sharing with multiple DRs, the DRs-DO and DRs-DOs scenarios cannot be supported.The SAMA scheme [29] (our prior work) integrates multi-key PHE and ABE to support a privacy-preserving and flexible data aggregation scheme with fine-grain sharing capability in all three scenarios.However, it only supports the aggregation operation, omitting the multiplication and division operations, which are vital for many machine learning tasks.
To address this research gap, we expand upon SAMA [29] by integrating multiplication and division computations into flexible and privacy-preserving data-sharing schemes called SAMM and SAMD, respectively.These schemes combine multi-key PHE with CP-ABE, offering flexible privacy-preserving data processing and fine-grain sharing with a focus on user-centric access control while also being suitable for resource-constrained devices.The main novelty of SAMM and SAMD schemes is their ability to accommodate all three cases (DO-DO, DRs-DO and DRs-DOs) without imposing additional burden on the data owner.The key contributions of this work are twofold.
• We first extend SAMA [29] by proposing two novel schemes, named SAMM and SAMD, to support the multiplication and division operations over encrypted data, respectively.The schemes combine multi-key PHE and CP-ABE to facilitate flexible data processing with fine-grain sharing capabilities.In particular, they can accommodate queries from both data owners and data requesters to process and access analytical results from a single and/or multiple data owners, i.e., both schemes support all three use cases: data owners accessing their own data (DO-DO), data requesters accessing data of a single data owner (DRs-DO) and data requesters accessing data of multiple data owners (DRs-DOs).This approach efficiently caters to the secure data computation and fine-grain sharing requirements of modern healthcare systems, specifically on resource-constrained devices.Data owners upload their data only once, while the health system supports the three scenarios, i.e., DO-DO, DRs-DO and DRs-DOs.This feature makes SAMM and SAMD suitable for resource-constrained devices.Furthermore, it offers a user-centric access policy setting that empowers data owners to define access control for their outsourced data, incorporating two different access policies.
• We thoroughly evaluate SAMM and SAMD from both theoretical and experimental perspectives.Theoretical analysis focuses on security aspects, while experimental evaluation involves assessing computational and communication costs through simulations.Our findings demonstrate that SAMM and SAMD outperform the previous schemes [20], [28], and [27], respectively, in terms of computational and communication efficiency.The rest of this paper is organised as follows.Section II briefly overviews the related work.Sections III and IV show design preliminaries and main building blocks of the proposed schemes' design.The design of the SAMM and SAMD schemes is then presented in detail in Section V.Sections VI and VII show the security analysis and performance evaluation, respectively.Finally, Section VIII concludes the paper.Table 1 presents the acronyms used in the paper.

II. RELATED WORK
Secure multiplication and division computations refer to the process of performing mathematical multiplication and division operations on sensitive data in a way that the confidentiality of the input data is maintained throughout the computations [27].This is particularly important in applications where sensitive data is being processed.Example application scenarios include data analysis [33], [34], clustering [35], [36], auctions [37], distance calculation [38], and recommender systems [39].
As mentioned earlier, HE schemes allow computations to be performed directly on encrypted data.FHE enables arbitrary operations on encrypted data, while PHE supports limited operations (multiplication or addition).In particular, both types can be categorised further into single or multikey FHE/PHE schemes, where data contributed by multiple users are encrypted under a single key (cloud or DR key) or multiple keys (DO's public key), respectively.Some related works [40], [41], [42], [43] implement secure multiplication and division over encrypted data based on single/multi-key FHE.However, the high computation cost of these methods makes them impractical for IoT wearable devices.On the other hand, PHE schemes (e.g., Paillier [44]) are suitable for resource-constrained devices.However, solutions that adopt a single PHE restrict the data owners' ability to access their data without leaking information to the cloud [4], [16]; DOs cannot retrieve and utilise their data from the cloud because their data is encrypted with a common key, and the corresponding decryption key belongs to the cloud [45].This solution cannot fulfil the DO-DO scenario.In addition, the absence of support for this specific scenario may limit the scheme's applicability when multiple data owners need to perform computations on shared encrypted data jointly [16].Furthermore, it poses privacy and security threats if the single decryption key is compromised [45].In contrast, multi-key PHE addresses the limitations of the former approach.However, both FHE and PHE lack flexible data sharing of the computation results with multiple recipients who require access to the same processing result, i.e., multi-key PHE schemes are not sufficient to accommodate the other two scenarios (DRs-DO and DRs-DOs) due to the inherent limitations of the HE schemes.
Various proposals [22], [23], [24], [25], [26] adopted the ABE technique to provide secure access control.This technique allows multiple data requesters to access the data simultaneously.Additionally, it empowers users to decide who can access their data, thus facilitating fine-grain access control and providing support for a user-centric access policy.It is important to note that ABE schemes solely support the DRs-DO or DRs-DOs but not the DO-DO scenario.Table 2 shows a comparison of our proposed schemes with related work in terms of scenario support.
Hong et al. [30] proposed a privacy-preserving association rule mining scheme tailored for a single-cloud-server environment, employing the single-key Paillier cryptosystem.The scheme leverages four distinct protocols, namely multiplication, inner product, comparison, and frequent itemset mining protocols, to facilitate secure data mining operations.However, the scheme lacks support for data sharing with multiple DRs, which restricts collaborative analysis scenarios.Additionally, since the scheme uses a single PHE, it limits data owner access.Accordingly, the scheme does not encompass any of the three scenarios.
Boukoros et al. [31] present a lightweight division protocol specifically designed for operating on two homomorphically encrypted integers as input.The protocol allows users to perform private division while obtaining the result in a floating-point format.The approach ensures data privacy during the division process, making it suitable for sensitive applications where confidentiality is crucial.However, a limitation of this protocol is its lack of support for data sharing with multiple data recipients.As a result, it cannot facilitate scenarios involving collaborative data processing among DRs-DO or DRs-DOs.
Zhao et al. [32] introduced an innovative toolkit called SOCI (Secure Outsourced Computation over Integers) designed for performing secure computations over integers.The toolkit leverages the Paillier cryptosystem and adopts a twin-server architecture to ensure robust security.Within this framework, SOCI offers a comprehensive set of highly secure computation protocols, including multiplication, comparison, secure sign bit acquisition, and division, catering to positive and negative integers.However, it relies on a single-key PHE setup, leading to its inability to cater to all three scenarios (DR-DO, DR-DOs, and DO-DO).
Pang and Wang [28] introduced a privacy-preserving association rule mining scheme under a twin-cloud architecture.Their scheme employed a modified version of Paillier homomorphic encryption, augmented with a double decryption mechanism.It enables different protocols for data mining operations such as multiplication, comparison, and secure cross-key equality testing.One notable advantage of their approach is its ability to handle multi-key settings, allowing it to support the DO-DO scenario.However, it lacks support for data sharing among multiple DRs, leading to its inability to facilitate the DRs-DO and DRs-DO scenarios.
Ding et al. [20] presented a privacy-preserving scheme that incorporates data processing with flexible access control mechanisms, relying on the combination of the Paillier encryption scheme and ABE.The proposed scheme facilitates the secure computation of seven fundamental operations: addition, subtraction, multiplication, etc.The work presented in [27] builds upon the work of Ding et al. [20] and introduces an extension that focuses on privacy-preserving division schemes over integers.Additionally, the scheme goes beyond integers and supports computations over encrypted fractional and fixed-point numbers.Although both schemes employ ABE, which provides data sharing with multiple DRs and supports the DOs-DRs scenario, a notable limitation of their approach is its reliance on a single-key PHE setup, which might hinder an efficient DO-DO scenario, where more comprehensive data owner access is necessary.
In summary, the existing work in secure multiplication and division computations based on HE face limitations related to data sharing with multiple DRs, constrained access of data owners to their encrypted data/computation results, and lack of user-centric control.In addition, excessive computation cost (e.g., schemes using FHE) makes them impractical for resource-constrained devices.Other schemes based on ABE are limited to providing fine-grain access control.Although only some solutions combine both secure processing and sharing that can support specific scenarios such as DRs-DO or DRs-DOs, they fail to provide comprehensive support for all scenarios simultaneously.Addressing these limitations is essential to develop more versatile and practical solutions.

III. PRELIMINARIES
This paper builds on the same preliminaries of the previous work [29] to expand its capabilities and enable secure multiplication and division operations.

A. SYSTEM MODEL
The system model consists of the entities shown in Fig. 2, following the same system model in [29].Wearables measure and collect personal data (e.g., vital signs) of DOs and transmit it to a synchronised smartphone (gateway).Data owners (DOs) are individuals who want the data collected by their wearables to be processed and the results shared with data requesters (DRs) for their own personal and/or societal benefits.A service provider (SP) stores and processes DOs' wearable data as well as manages data access requests from DRs.A computational party (CP) processes users' data (in coordination with SP) and provides access control.Data Requesters (DRs) require access to data owners' raw data or the processed results.They can be DOs themselves, family members, a friend, health providers, researchers and insurance staff.A key authority (KA) manages the generation and distribution of cryptographic key pairs.

B. THREAT MODEL AND ASSUMPTIONS
The proposed schemes are designed for the following threat model.
• All entities involved, namely DOs, DRs, SP, and CP, except the authority, are considered semi-honest, i.e., they follow the specified protocol but may be curious about sensitive information such as DO's raw data and computation results.
• The KA is completely trustworthy, carrying out its responsibilities with honesty and never engaging in collusion with any other entities.
• External entities are untrustworthy and potentially malicious, as they may attempt various network eavesdropping attacks, tamper with data during transit, or seek unauthorised access to disrupt the system.
In this context, any adversary A must be prevented from compromising CP, DOs, and DRs.Therefore, we define the capabilities of the A as follows.A may compromise the SP and attempt to deduce the plaintext from the encrypted data sent by DOs or CP or received by DRs.If A succeeds in compromising the DOs, it can gain access to plaintext data.Similarly, if A compromises the DRs, it can obtain the decrypted processing results.Furthermore, if A compromises the CP, it could access the strong secret key and thereby retrieve the raw data from DOs.
The following assumptions are considered in our design.The communication channels between DOs, SP, CP and DR are secure (encrypted and authenticated).There is no collusion between SP and CP or with other entities as their legal responsibility to protect DOs' data.The KA verifies all entities' identities before receiving their cryptographic key pairs.

C. DESIGN REQUIREMENT
The proposed schemes should consider the functional, security and privacy, and performance requirements as follows.

1) FUNCTIONAL REQUIREMENTS
• Flexible data processing requests: Both SAMM and SAMD should support three primary use cases: (i) data owners request access to the computation results of their own data (DO-DO), (ii) data requesters request access to the computation results of a single data owner (DRs-DO), or (iii) multiple data owners (DRs-DOs).
• Fine-grain access control: Both schemes, i.e., SAMM and SAMD, should enable the data owners to specify fine-grain access policies for their raw data and computation results.DRs whose attributes satisfy the defined access policies can decrypt the ciphertext to obtain the result.
• User-centric: Data owners should have adequate control over their computation results and the raw data collected from their wearables.

2) SECURITY AND PRIVACY REQUIREMENTS
• Data confidentiality: The computation results and raw data must be safeguarded against unauthorised exposure throughout storage, processing and in transit.
• Authorisation: only authorised data requesters should be permitted to access the data owner's computation results.

3) PERFORMANCE REQUIREMENTS
• Efficiency: SAMM and SAMD should be capable of functioning effectively on resource-constrained devices.

IV. BUILDING BLOCKS
In this section, we provide a brief overview of the three cryptographic systems utilised in developing our proposed schemes: the Paillier cryptosystem [44], the Variant-Paillier in multi-key cryptosystem [28], and CP-ABE [46].Table 3 presents the notations used in the paper.

A. PAILLIER CRYPTOSYSTEM
The Paillier cryptosystem, introduced by Paillier in 1999 [44], stands as a practical scheme based on additive homomorphic encryption, having been rigorously proven to maintain semantic security.

1) PAILLIER IN SINGLE-KEY ENVIRONMENT
It involves three fundamental algorithms: the key generation algorithm (KGen PE ), the encryption algorithm (Enc PE ), and the decryption algorithm (Dec PE ).
• KGen PE (k') − → ppk, psk: Given a security parameter k', select two large prime numbers p and q.Compute n = p • q, and λ = lcm(p − 1, q − 1).Define Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

2) VARIANT-PAILLIER IN MULTI-KEY ENVIRONMENT
The variant Paillier scheme, as proposed by Pang et al. [28], represents the adaptation of the original Paillier cryptosystem.While retaining substantial similarities to the original design [44], this variant introduces a minor adjustment in the key generation algorithm.This alteration enables it to effectively operate within a multi-user environment by generating different public-private key pairs for each user, accompanied by two trapdoor decryption algorithms.The scheme encompasses four core algorithms: key generation (KGen VP ), encryption (Enc VP ), decryption using a weak secret key (Dec wsk ), and decryption using a strong secret key (Dec ssk ).
• KGen VP (k) − → vpk, wsk, ssk: Given a security parameter k, choose k + 1 small odd prime factors u, v 1 , . . ., v i , . . ., v k and choose two large prime factors v p and v q in which p and q are large primes with the same bit length.Compute p and q as p = Choose t as a number or a product of multiple numbers from the set (v 1 , v 2 , . . ., v i , . . ., v k ), and t|λ naturally exists.Choose a random integer g ∈ Z * n 2 that satisfies g utn = 1 mod n 2 , and gcd(L(g The public key is vpk = (n, g, h), the weak secret key is wsk = t and the strong secret key is ssk = λ and a public key vpk = (n, g, h), choose a random number r ∈ Z n , and compute the ciphertext c as c = Enc VP (vpk, m) = g m h r mod n 2 .
• WDec VP (wsk, c) − → m: The decryption algorithm with a weak secret key decrypts only the ciphertext encrypted with the associated public key.Given wsk and c, the ciphertext can be decrypted as The decryption algorithm with a strong key decrypts the ciphertexts encrypted with any public key of the scheme.Given ssk and c, the ciphertext can be decrypted as

B. CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION
The CP-ABE is a form of public-key encryption wherein the ciphertext is linked to an access policy.User keys are constructed based on attributes, facilitating fine-grain access control [28].This encryption scheme comprises four fundamental algorithms: a setup algorithm (Setup), an encryption algorithm (Enc ABE ), a key generation algorithm (KGen ABE ), and a decryption algorithm (Dec ABE ).
• Setup(s, U ) − → pk, mk: Given a security parameter s and a universe of attributes U , the setup algorithm outputs the public parameters pk and a main (primary) secret key mk.
• Enc ABE (pk, M , A) − → C: Given public parameters pk, a message M , and an access structure A over the universe of attributes, the encryption algorithm outputs a ciphertext C which implicitly contains A.
• KGen ABE (mk, s) − → sk: Given a main (primary) secret key mk and a set of attributes s which describe the key, the key generation algorithm outputs a private key sk.
• Dec ABE (pk, C, sk) − → M : Given public parameters pk, a ciphertext C, which includes an access policy A, and a private key sk, using a decryption algorithm, a user can decrypt the ciphertext and get a message M only if the attributes associated with the private key satisfy A.

V. THE PROPOSED SAMM AND SAMD SCHEMES
In this section, we first show an overview of the two schemes, SAMM and SAMD, present the system initialisation, and then explain each scheme in detail.

A. OVERVIEW OF THE PROPOSED SCHEMES
The proposed schemes extend our previous work [29] in supporting two additional operations: multiplication (SAMM) and division (SAMD).The SAMM scheme generates a new ciphertext that represents the final product result of the DO(s) raw data.In contrast, the SAMD scheme calculates the division and remainder results over two encrypted integers.
Both schemes utilise a combination of the VP-HE and CP-ABE schemes and consist of four primary phases: (i) DO access policy setting, (ii) data uploading, (iii) data access request and processing, and (iv) data access.In the first phase, the DO establishes two types of access policies, namely single (AP S ) and multiple (AP M ) access policies, to ensure a usercentric approach.These policies are then forwarded to the SP, which, in turn, processes and shares the DOs' data with different DRs based on the DO's preferences.
During the data uploading phase, DOs encrypt their data only once with their VP-HE public key and send the resulting ciphertext to the SP.
In the next phase, the SP can receive two different types of access requests: a request from the DO to access the processing result of their data (the DO-DO scenario) or a request from DRs to access the computation results of a specific single or multiple DO(s) data (the DRs-DO or DRs-DOs scenario).
Next, both SP and CP initiate the data processing phase.First, the SP performs a masking process on the DO's ciphertexts and sends them to the CP.Then, the CP performs strong decryption on all received ciphertexts, performs the required computations on the masked data, re-encrypts the masked processing results and sends it back along with DO's access policies to the SP.Later, the SP de-masks the computation results' ciphertext and forwards them to the relevant data requester.
At the data access phase, a data requester (DO or authorised DR) decrypts the received ciphertext with their key to obtain the final computation result.

B. SYSTEM INITIALISATION
The system initialisation consists of two phases: (1) system parameters setup and (2) cryptographic key generation and distribution.

1) SYSTEM PARAMETERS SETUP
This phase sets the system parameters of the main cryptographic techniques used in the proposed schemes as follows: • VP-HE setup: A security parameter k is set and two large prime numbers p and q are selected by the KA such that L(p) = L(q) = k, where L is the input data bit length.
• Paillier setup: Given the security parameter k, two large prime numbers p and q are chosen by the KA.
• ABE setup: Given the security parameter k and U attributes (generated by KA), the Setup algorithm derives pk and mk as described in Section IV-B.

2) SYSTEM KEY GENERATION AND DISTRIBUTION
This phase consists of three steps outlined below.
• VP-HE Key Generation: A secret and tamper-proof ssk is generated by KA for strong decryption.Moreover, a distinct VP-HE public/private key pair (vpk i , wsk i ) is generated by KA for every DO DO i i = 1, . . ., N DO using the KGen VP algorithm described in Section IV-A2.
It is used for DO's data encryption/decryption.
• Paillier Key Generation: A distinct PE public/private key pair (ppk j , psk j ) is generated by KA for every legitimate request received by DR, using the KGen PE algorithm described in Section IV-A1.The ppk j key is used to encrypt the processing results by CP, while the psk j is used for data decryption by DR.
• ABE Key Generation: Every DR obtains a distinct private key sk j from the KA using KGen ABE , which embeds her/his attributes/roles as described in Section IV-B.

C. THE PROPOSED SCHEMES IN DETAIL
The proposed schemes comprise four main phases: (1) data owner access policy setting, (2) data uploading, (3) data access request and processing, and (4) data access.

1) DATA OWNER ACCESS POLICY SETTING
During this phase, every DO sets its own access policies for data processing and sharing, which are then shared with the SP.It includes three steps: a) define the access policy, b) activate notifications, and c) update the access policy.a) Define access policy: Each DO defines a pair of access policies for data processing and sharing: (i) a single-data owner access policy (AP S ), and (ii) a multiple-data owners access policy (AP M ).Using AP S , DOs establish control over who is allowed to access their data processing results.This guarantees that only authorised DRs whose attributes are aligned with the access policy can retrieve the computation results.In contrast, AP M enables DOs to make choices regarding their consent for processing their data along with other DOs' data, subsequently allowing the sharing of processed results.The AP M does not enable SP to share specific individual raw data with any party.Instead, it grants SP permission to employ DOs encrypted data whose sharing preferences match the attributes of DRs seeking data access.In other words, each user defines their sharing preferences and consents to allow the use of their wearable data in multiplication along with other users' wearable data, which is called multiple-user processing.
b) Activate Notification: DOs have the option to receive periodic summaries encompassing all data access requests that the SP has received.These summaries offer insights into the DRs seeking data access and the status of their requests, whether they have been approved or denied.These regular notifications are available in the form of daily, weekly, or monthly reports and can be activated or deactivated at the discretion of the DOs.c) Update access policy: The SP enables the DOs to update their access policy either periodically or on demand.DOs can also adjust their pre-set policies (AP S or AP M ) as required.

2) DATA UPLOADING
In this phase, DOs encrypt their wearable data before uploading it to the SP.To facilitate the presentation/explanation of the processing scheme, we present its details with two messages m 1 and m 2 generated either from the same DO or from two different DOs.DOs use their variant-Paillier public keys vpk 1 and vpk 2 to encrypt m 1 and m 2 to obtain [m 1 ] vpk 1 = Enc VP (vpk 1 , m 1 ), and [m 2 ] vpk 2 = Enc VP (vpk 2 , m 2 ).This phase is the same for both of our proposed schemes.
Please note that the amount of data available for multiplication affects the size of the original data.To obtain the product of N m , it is necessary to ensure that L(m i ) < L(n)/(2N ), while in SAMD, it should be guaranteed that L(m 1 ) < 3L(n)/4 and L(m 2 ) < L(n)/2.

3) DATA ACCESS REQUEST
We can classify data access requests to the processing result (multiplication or division of user(s) data) into two types: DOs request access to their own raw and processed data results (DO-DO), and DRs request access to the processing results of a single or multiple DO(s) (DRs-DO)/(DRs-DOs).Requests from both DOs and DRs are handled by both SP and CP.However, when SP receives a request to access the computation result of multiple DOs' data, it starts by comparing the DOs' AP M with the DR request.Then, it chooses only the DO's data whose AP M matches the DR request, resulting in N DOs being chosen.

4) DATA PROCESSING
This phase comprises three main steps and involves different operations for multiplication and division, which are illustrated in Algorithm 1 and Algorithm 2. Therefore, we explain them separately as follows.
For multiplication (SAMM), shown in Algorithm 1: (i) Masking: The SP initiates the masking process by concealing users' data using one of Paillier's homomorphic properties (i.e., raising a ciphertext to the power of a plaintext).
In particular, it generates two random numbers r 1 and r 2 , raises DO's encrypted data [m 1 ] vpk 1 and [m 2 ] vpk 2 with r 1 and r 2 respectively, which results in [m Then, the SP sends both masked ciphertexts [m 1 * r 1 ] vpk 1 and [m 2 * r 2 ] vpk 2 along with the access policies defined by DOs (AP S /AP M ) to the CP for further processing.
(ii) Preparing the Processing Result: -The CP performs strong decryption on all the received ciphertexts using ssk and gets the masked data.Then, it multiplies all the resultant masked data together (m 1 * Step 1: Masking by SP: (  (iii) De-masking: Next, the SP starts the de-masking process by raising the received masked multiplication result with the additive inverse of the multiplication of the random numbers (r 1 * r 2 ) −1 .For DRs-DO(s For division (SAMD), also shown in Algorithm 2: (i) Masking: Similar to the SAMM scheme, we follow the same procedures for all use cases but here we will show only for the DRs-DOs/DRs-DO.The SP generates two random numbers r 1 and r 2 and masks the received ciphertexts using Eq.(1) as follows: Then, it sends both masked ciphertexts along with (AP S /AP M ) to the CP.
(ii) Preparing the processing result: -Upon receiving the ciphertexts from the SP, the CP uses ssk to perform strong decryption, obtains DO(s) masked data, and separately computes the quotient and remainder according to Eq.( 2) and Eq.( 3), respectively.-For quotient, it performs division on the resultant masked data m 1 * r 1 and m 2 * r 1 * r 2 and gets -To find the remainder using the general remainder formula: Remainder = Dividend -(Divisor * Quotient).
-Then, in the same way as in SAMM, for both cases (DRs-DO and DRs-DOs), the KA generates a new Paillier key pair (ppk j , psk j ) and send it to the CP.Then, the CP encrypts the masked division results using The SP de-masks the received division ciphertext by raising it to the power of (r 2 ) to obtain [m 1 /m 2 ] ppk j = [m 1 /m 2 ] r 2 ppk j .Additionally, it removes the masking from the received remainder ciphertext by raising to the power of (−r 1 ) and get [R] ppk j = [R * r 1 ] −r 1 ppk j .Finally, the SP forwards the division and remainder results [m 1 /m 2 ] ppk j , [R] ppk j along with [psk j ] AP S /AP M to the DR.

5) DATA ACCESS
In both schemes (SAMM and SAMD), for the DO-DO case, the DO can decrypt and access the final computation results using its wsk i .Whereas, for the DRs-DOs/DRs-DO, only DRs whose key attributes satisfy AP S /AP M can decrypt [psk j ] AP S /AP M using sk j and obtain psk j = Dec ABE (pk, [psk j ] AP S /AP M , sk j ).Then, the DR uses the obtained psk j to decrypt and access the computation results (multiplication, quotient, and remainder) as follows: Only for the remainder, the DR needs to perform an additional modular operation of the divisor, R = (Dec PE (psk j , [R] ppk j )) mod (divisor).

VI. SECURITY OF SAMM AND SAMD SCHEMES
In this section, we analyse the security properties of our schemes, SAMM and SAMD, which include a formal security analysis and analysis against the security requirements of our schemes.

A. FORMAL SECURITY ANALYSES
The security evaluation of both schemes, i.e., SAMM and SAMD, rely on a simulated framework involving semi-honest adversaries who are honest but curious and do not collude with each other.To establish the computational indistinguishability between the execution views of the REAL and Step 1: Masking by SP: Step 3: De-masking by SP: Theorem 1: SAMM and SAMD can securely retrieve the result of the multiplication and division operations, respectively, on encrypted data in plaintext, even in the presence of semi-honest adversary models and threat attacks.
Proof: We demonstrate the security of the SAMM and SAMD schemes by considering a scenario involving two data inputs.

1) SIM DO
Sim DO encrypts the provided inputs m 1 and m 2 using VP-HE and delivers both ciphertexts to Adv DO .The simulation view of Adv DO in the IDEAL world remains computationally indistinguishable from the view in the REAL world, thanks to the semantic security of VP-HE.

2) SIM SP
Sim SP simulates Adv SP for both SAMM and SAMD schemes.It encrypts two randomly chosen numbers m ′ 1 and m ′ 2 with the VP-HE public key.To mask the data in both schemes, 37020 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
Sim SP generates two random numbers r 1 and r 2 .In the SAMM scheme, the received ciphertexts are raised with r 1 and r 2 to obtain m ′ 1 * r 1 and m ′ 2 * r 2 , respectively.Whereas, in the SAMD scheme, both received ciphertexts are raised with r 1 and r 1 * r 2 , respectively, resulting in m ′ 1 * r 1 and m ′ 2 * r 1 * r 2 .
In both cases, Adv SP receives the masked ciphertexts from Sim SP .Therefore, the REAL and IDEAL views of Adv SP are computationally indistinguishable due to the semantic security of VP-HE.In the SAMD scheme, Sim CP employs the strong decryption algorithm to acquire m ′ 1 * r 1 and m ′ 2 * r 1 * r 2 .Then, Sim CP performs division over the decrypted outcomes as m ′ 1 * r 1 /m ′ 2 * r 1 * r 2 and computes the remainder using Eq.3.Then, both the division and remainder results are subsequently encrypted using the Paillier public key.Next, Sim CP encrypts a randomly generated number with CP-ABE.These resultant ciphertexts, which are generated through the Paillier and CP-ABE schemes, are then provided by Sim CP to Adv CP .
These ciphertexts are computationally indistinguishable between the REAL and IDEAL worlds of Adv CP due to the honesty of CP and the semantic security of VP-HE and the Paillier cryptosystem, as well as the security of CP-ABE.

4) SIM DR
The Sim DR randomly selects chosen ciphertexts without access to the challenged data.It then decrypts them and sends the decrypted results to Adv DR , who uses them to gain insights into the data.Adv DR only has access to the decrypted results and no further information, regardless of the number of interactions the adversary has with Sim DR .Both the REAL and IDEAL world views are indistinguishable due to the security of CP-ABE and the semantic security of the Paillier scheme.

B. ANALYSIS AGAINST SECURITY REQUIREMENTS 1) DATA CONFIDENTIALITY
Data owners encrypt their data using their unique VP-HE public key, vpk i .This enhances security and enables users to access and decrypt their outsourced data using their private key.
To maintain the privacy of DO's data at the CP, masking and de-masking processes are performed by SPs in SAMM and SAMD, which ensures the confidentiality of the DO(s) data being processed at the CP.Then, it decrypts the received ciphertext using ssk, performs division and multiplication operations on masked data, encrypts the result using ppk i and then sends the resultant ciphertext to SP.
Moreover, the Paillier cryptosystem ensures semantic security, while CP-ABE is secure under the generic elliptic curve bi-linear group model.Communication channels between entities (DO, SP, CP, and DR) are secured using SSL encryption, ensuring that only authorised entities can access the final result.Any unauthorised internal or external entities attempting to eavesdrop or collect information will only be able to access ciphertexts.

2) AUTHORISATION
SAMM and SAMD use CP-ABE to ensure fine-grain and user-centric access control.
The decryption of the encrypted processing result using CP-ABE requires the attributes of the DR's private key (sk) to satisfy the specified access policy associated with the Paillier private key.This allows the DR to obtain this private key and use it to decrypt the processing result.
Moreover, both schemes follow a user-centric access policy, which enables the DO to define access rules that securely and selectively grant DRs access to the processing result.To achieve this, the private key used to decrypt the processing result is encrypted using access policies named AP S and AP M , which represent the DO's preferences for sharing data processing outcomes.

C. COMPARISON WITH RELATED WORKS
A comparison of SAMM and SAMD with the closely related existing schemes, focusing on our design requirements are summarized in Table 4.
SAMM/SAMD stand out as the only schemes that can accommodate all three use cases (DO-DO, DRs-DO, and DRs-DOs), which support flexible data processing requests.In contrast, work presented by [20], [28], and [27] can only handle one use case, whereas [30] and [32] do not support any of the cases.For a detailed comparison of which scheme supports which cases, please refer to Table 2.
To achieve fine-grain data sharing, our proposed schemes outsource the computationally intensive CP-ABE to the cloud.This strategy significantly reduces the burden on data owners and is particularly suitable for resource-constrained devices that have also been adopted in frameworks proposed by [20] and [27].However, only our schemes follow a user-centric access policy approach compared to other schemes presented in Table 4.
Besides the other attributes where SAMM and SAMD outperform other schemes, data confidentiality and authorisation are achieved in all as primary requirements.Data confidentiality is ensured through the FHE/PHE techniques.For authorisation, all these schemes guarantee that only authorised entities gain access to the data as discussed in Section VI-B Table 4 shows that only our proposed schemes and [28] support multi-key settings.The other schemes mostly utilise PHE schemes in a single-key setting, which entails encrypting data with a third-party public key.This approach requires data to be encrypted with a third-party public key, which might not be suitable for highly sensitive data applications.Additionally, using a single-key HE setting prevents data owners from directly accessing their own data since the data are not encrypted with public keys.

VII. PERFORMANCE EVALUATION
This section evaluates the performance of both SAMM and SAMD schemes in terms of the computational complexity and communication overheads incurred among all schemes' entities.We compare the performance of our SAMM scheme with the most relevant works [20] and [28], while SAMD is compared with [27].

A. COMPUTATIONAL COMPLEXITY
We consider the computationally expensive operations in both schemes: the modular exponentiation (ModExp) and multiplication operations (ModMul).However, the fixed numbers of modular additions are ignored in our analysis because their computational cost is negligible compared to ModExp and ModMul.Moreover, the following parameters are used in our analyses: BiPair is the bilinear pairing in ABE; |γ | + 1 is the attributes of the access policy tree and ϑ is the required attributes to satisfy the access policy.In addition, we first analyse the computational complexity of HE data processing in both schemes and then show the computational complexity of ABE access control.

1) COMPUTATIONAL COMPLEXITY OF HE DATA PROCESSING
In both schemes, we divide the computational complexity in our analysis into four sections based on the entities: a) Computational Complexity of SAMM Computations at DO: With every reporting time slot, each user generates a ciphertext by encrypting their data using their VP-HE public key vpk i .This requires two modular exponentiation operations and one modular multiplication.
Thus, the computational cost on the DO side is: 2 * ModExp+ ModMul.
Computations at SP and CP: The operations conducted by both the SP and CP are outlined next.
For masking data, the SP selects a random number for every DO's data and raises their received ciphertext with the generated random numbers (N m * ModExp).For the demasking process, the SP calculates the multiplication inverse of the product of all random numbers, then raises it to the masked multiplication result ciphertext from the CP, (ModExp).Thus, the computational cost of the SP in SAMM is: The CP decrypts all N m ciphertexts with ssk (N m * (ModExp + ModMul)), and multiplies all the masked results together.Next, it encrypts the product with ppk j Computations at DRs: A DR decrypts the received ABE ciphertext using his/her sk to obtain psk j (at most ϑ * BiPair) and then uses psk j to decrypt the multiplication result ciphertext (ModExp + ModMul).The computational cost at DR is: b) Computational Complexity of SAMD Computations at DO: As in the SAMM scheme, a DO needs to perform two modular exponentiation operations and one modular multiplication, resulting in a computational cost of 2 * ModExp + ModMul.
Computations at SP and CP: For masking data, the SP generates two random numbers r 1 and r 2 and raises two ciphertexts received from DO(s) to the power of these generated random numbers (2 * ModExp).Later, the SP conducts a de-masking process on the division and the remainder ciphertexts received from the CP.It raises the division ciphertext to the power of r 2 (ModExp).Furthermore, SP raises the received remainder ciphertext with the multiplicative inverse of r 1 (ModExp).Thus, the computational cost of the SP in SAMD is: 4 * ModExp.
The CP performs strong decryption on the received ciphertext using ssk 2 * (ModExp+ModMul).Then it computes data division and remainder as follows.The division is obtained by dividing the two masked data, while the remainder is calculated on the masked plaintext, as per the formula described in Eq.( 3).Next, the CP encrypts the division and remainder results with ppk j 2 * (2 * ModExp + ModMul) and then encrypts psk with CP-ABE using AP S /AP M (|γ | + 1) * Exp).Thus, the total computation cost of the CP in the SAMD: 6 * ModExp + 4 * ModMul + (|γ | + 1) * Exp.As a result, in total, the computational cost of both the SP and CP in SAMD is: 10 Computations at DRs: To decrypt the received ABE ciphertext, a DR uses its sk to obtain psk j (which is at most ϑ * BiPair) and then uses the obtained psk j to decrypt the division and remainder result ciphertexts (2 * (ModExp + ModMul)).The computational cost at DR is: 2 * ModExp+2 * ModMul + ϑ * BiPair.
A comparison of the computational costs of each entity in SAMM and SAMD with multiplication and division schemes of [20], [28], and [27] are respectively presented in Table 5 and Table 6.

2) COMPUTATIONAL COMPLEXITY OF ACCESS CONTROL
There are |U | universal attributes and |γ | attributes in the access policy tree τ .There must be ϑ attributes that are required to satisfy the access policy tree τ and hence decrypt the ciphertext.
The Setup() algorithm generates the public parameters using the given system parameters and attributes U .It requires |U | + 1 exponentiation and one Bipar.The Enc ABE () needs two exponential operations for every leaf in the τ , which require (|γ |+1) * Exp.The KGen ABE () algorithm requires two exponential operations for every attribute given to the DO.Further, the private key includes two group elements for every attribute.Last, for each leaf of the τ , the Dec ABE () needs two pairings matched by the attribute of the private key and at most one exponentiation for every node from that leaf to the root node.
The Setup() is executed only once.Thus its computation cost can be neglected.Moreover, the computational complexity of Enc ABE is ignored because it is also performed only once for encrypting the private key of the DR.In addition, since Setup() and KGen ABE () are executed by KA and Enc ABE () by CP, users will not be burdened by their computational cost.Although DR performs Dec ABE () algorithm, which incurs some computational cost, it is a key requirement to give an authorised DR fine-grain access to the final multiplication.

B. COMMUNICATION OVERHEAD
The communication overhead incurred in the proposed schemes is grouped/classified into two types: regular and occasional.Regular data communication overhead includes data uploads by data owners, data exchanged among the SP and CP during data processing, and data sent to the DR.Whereas the occasional data communication overhead represents infrequent data sent within the schemes, such as define/update data owners(s) AP (AP S , AP M ), and notifications.In our schemes, we consider only regular communication overhead as occasional communication overhead is negligible compared to the former overhead.
The communication overhead introduced by the proposed schemes is mainly divided into three parts: overhead incurred (1) between the DO and the SP, denoted as DO-to-SP, (2) between the SP and the CP, denoted as SP-to-CP, and (3) between the SP and DRs, denoted as SP-to-DRs.Since SAMM's communication overhead is slightly different from SAMD, we analyse both schemes separately.[20] and [28] is illustrated in Table 7.  8 shows the communication overhead of our SAMD scheme compared with the division scheme of [27].

C. EXPERIMENTAL RESULTS
Here, we show the experimental results of the proposed schemes in three main parts: (1) the computation cost of HE data processing, (2) the computation cost of CP-ABE data access, and (3) the communication overheads.
For the computational cost, we have conducted our experiments using the Java Pairing-Based Cryptography (jPBC) [47] and Java Realization for Ciphertext-Policy Attribute-Based Encryption (cpabe) [48] libraries on a laptop with AMD Ryzen 7 4800H CPU 2.90GHz and 8GB RAM.
In our experiments, we run them 200 times and compute the average value.We select the length of n as 1024 bits, r as 255 bits, m 1 and m 2 as 256 bits in SAMM, while m 1 as 255 bits and m 2 as 250 bits in SAMD, hence L(m1) and L(m2) is 5 bits difference.For a fair comparison, we maintained the same parameters' length specified in [20] and [27].

1) COMPUTATIONAL COST OF HE DATA PROCESSING
We assess the computational cost associated with DO, SP, CP, and DR and compare the SAMM scheme with the findings presented in [20] and [28] and for SAMD with only [27].Furthermore, we demonstrate the computational costs for the case of DRs-DOs with varying lengths of n and numbers of messages/DOs.
(i) Impact of varying n lengths on data processing Figure 3 and Figure 4 illustrate the impact of different n lengths on processing two messages of our proposed schemes, where n takes values of 1024, 2048, 3072, and 4096 bits.As the computational cost of our proposed schemes SAMM and SAMD are slightly different, we present them separately.
a) SAMM scheme: In Fig. 3a, it can be observed that the computational cost of SAMM is the same as the proposed scheme in [28] on the data owner side for the same length on n.Furthermore, the experimental results demonstrate that SAMM outperforms the computation cost of the scheme [20] on the data owner side, as the encryption method of the scheme in [20] incurs additional addition and multiplication operations dependent on n.
At the SP level, Fig. 3b reveals that SAMM achieves better computational efficiency compared to the schemes presented in [20] and [28].The trend also shows that the computational time depicts quadratic growth as the length of n increases.For the length of n, as high as 4096 bits, the computational  times are 550 ms and 695 ms for the proposed schemes in [20] and [28], respectively, whereas SAMM outperforms the schemes by taking 200 ms while using the same length of n.This is because our SAMM scheme has fewer operations at the SP compared to [20] and [28].
In Fig. 3c, the computational efficiency of the CP in the scheme by Pang et al. [28] surpasses that of the SAMM.This is due to the use of VP-HE encryption which is more efficient than the Paillier encryption used in our implementation for encrypting multiplication results irrespective of the length of n.However, the computational efficiency of CP in SAMM is better than the CP of [20] for lower values of n(n<=2048).Whereas the efficiency of the CP in [20] outperforms the efficiency of the CP in SAMM for higher values of n.This difference in the efficiency of the CP between SAMM and [20] is due to the encryption of [20] becoming better with an increase in n due to linear dependency on n in the encryption algorithm in [20].Whereas there is an exponential dependency of n in the Paillier encryption algorithm, as shown in Fig. 3c.However, SAMM exhibits superior efficiency in CSPs in total compared to the approaches described in [20] and [28].
In Fig. 3d, the operation time of DR is similar to the schemes described in [20] and [28].The computational performance evaluation shown in Fig. 3 is consistent with our analysis in Section VII-A1.
The computation cost exhibits an exponential increase as the bit length of n grows across all entities, i.e., DO, SP, CP, and DR.The experimental results shown in Fig. 3 indicate that the SP and CP bear the majority of computation overhead, while the DOs have relatively lower computational requirements.This outcome highlights the practical advantage of utilising SAMM with constrained devices on the DOs side while addressing all the use cases.
b) SAMD scheme: In Fig. 4a, it is evident that the computational time at the DO is directly proportional to the length of n.In accordance with the SAMM scheme, the data is encrypted only once in the SAMD scheme as well.As the value of n increases, there is an observed increase in the difference in computational time between SAMD and the scheme presented in [27].Specifically, for n = 4096, SAMD encrypts the data in approximately 60 ms, exhibiting a difference of 40% compared to the scheme in [27].This is due to the encryption technique employed in the scheme described in [27], which involves additional arithmetic operations (addition and multiplication) that depend on the parameter n.
Figure 4b illustrates that the scheme presented in [27] incurs significantly larger computational times at the SP when compared to the proposed SAMD scheme for all values of n.This discrepancy can be attributed to the time-consuming calculations involved in obtaining the division in the scheme [27].
The operation time of the CP for different lengths of n is presented in Fig. 4c.The results show that SAMD has superior computational efficiency compared to the methods presented in [27].Moreover, it is observed that the computational time increases as the length of n increases.For instance, when the length of n is as high as 4096 bits, the proposed scheme in [27] takes 1768 ms to complete the computation, while SAMD takes only 839 ms, exhibiting a 50% improvement over the scheme presented in [27].This is because [27] scheme involves extra operations at the CP compared to SAMD.
Figure 4d indicates that the computational time of SAMD is similar to the proposed scheme in [27] since in both schemes, the DR uses his own secret key to decrypt both the quotient and remainder results.
In general, the results demonstrate that SAMD is more computationally efficient than the scheme described in [27]. (

ii) Impact of varying different numbers of messages
As shown in Fig. 5, we tested the computation of SAMM by varying the number of data messages provided.However, this test is not applicable to the SAMD scheme since it only requires two messages for division.The SP, CP and DR results are compared with the related scheme presented in [20].This is because an increased number of messages results in an inefficient solution using the multiplication algorithm presented in [28], which follows the formula nCr = n!/r! * (n − r)!.
As multiplication requires more computational resources, we have tested SAMM for N m =100 to 800.For the messages processed at SP and CP, it is evident that N m is directly proportional to the computational time.The reason for this behaviour is that in our SAMM scheme and also in [20], each message is but our proposed model SAMM performs better comparatively because it involves fewer operations than [20] scheme.In Fig. 5a, the computational time of the proposed scheme at SP is as low as 40 ms for N m =20 and has reached up to 400 ms approximately for N m =80.Whereas in [20], the same computational times are 250 ms and 2000 ms for the same numbers of N m .At the CP, the computational time of our proposed scheme is performing better compared to [20] with a small margin as shown in Fig. 5b.This margin increases as the number of messages increases.As presented in Fig. 5c, the computational time of DR is independent of the number of messages because the DR decrypts the multiplication result only once, regardless of the number of messages.For both SAMM and the scheme presented in [20], the computational time is achieved as 3 ms for all N m .

2) EFFICIENCY OF USER-CENTRIC ACCESS CONTROL
Experiments are conducted to evaluate the computational efficiency of CP-ABE by varying the number of attributes involved in the access policy, ranging from two to ten, as illustrated in Fig. 6.It is observed that the Setup algorithm remains relatively constant, as it is independent of the number of attributes.Moreover, in the conducted tests, the Dec ABE operation was configured to require only one attribute to fulfil the access policy tree, resulting in a constant operation time for Dec ABE .The computational costs of Enc ABE and KGen ABE increase linearly with the number of attributes.Although adopting CP-ABE enables user-centric fine-grain access control, it also introduces an additional computation overhead.However, the computation of Enc ABE is outsourced to the SP while Setup and KGen ABE are delegated to the KA.Therefore, the DO side, which is comprised of resource-constrained devices (wearables), will not be burdened by these computations.Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.the number of messages to be computed.The results are compared with the findings presented in both [20] and [28] for SAMM, while with only [27] for SAMD.

3) COMMUNICATION EFFICIENCY
Figure 7a demonstrates that the communication overhead of the DO-to-SP part in the SAMM scheme is reduced by 50% compared to the approach presented in [20], while it is almost the same compared to the scheme proposed in [28].For the SAMD, it is observed that the proposed scheme has 50% less communication overhead compared to the scheme in [20], as depicted in Fig. 8a.The reason is that the approach in [20] and [27] generates two ciphertexts for each data encryption, thereby increasing the communication overhead on the DO side.In contrast, the SAMM and SAMD schemes generate only one ciphertext, which significantly reduces communication overhead on the DO side, which is beneficial for resource-constrained devices.These outcomes align with the findings of [28], which compared the communication overhead of two HE algorithms, BCP and VP-HE.The study revealed that the communication cost of BCP is approximately twice that of VP-HE, which was adopted in [20].
The communication overhead between cloud servers in both directions, from SP-to-CP and CP-to-SP, is illustrated in Fig. 7b and Fig. 8b.Our SAMM scheme shows a substantial 50% increase in communication efficiency compared to [20].It is also comparable to the performance observed in scheme [28].Moreover, our scheme SAMD reduces communication overhead by 75% compared to [27].This is because their approach involves extra necessary steps.Communication overhead pertaining to the SP-to-DR interaction is presented in Fig. 7c and Fig. 8c.Since DRs only access the processed results, this reduces communication overhead between the SP and DR.It is evident that our scheme SAMM outperforms the approach in [20] by reducing the communication overhead to 50% as presented in Fig. 7c.Consequently, our scheme exhibits a significantly lower total communication overhead compared to [20], while performing similarly to the scheme presented in [28].Additionally, as shown in Fig. 8c, the proposed scheme SAMD reduces the communication overhead by 50% compared to the scheme in [27].
It is important to mention that the approach described in [20] and [27] can only provide DRs-DOs case by encrypting data with the cloud's public key.The data must be re-encrypted twice with the DO's public key to support the DO-DO case, as stated in [20].However, in our scheme, the wearable data only needs to be encrypted once to accommodate DO-DO, DRs-DO and DRs-DOs scenarios.

VIII. CONCLUSION
In this paper, we designed privacy-preserving and efficient multiplication and division schemes with flexible access control based on a user-centric approach called SAMM and SAMD, respectively.Both schemes utilise multi-key VP-HE and CP-ABE to accommodate modern wearable healthcare needs and address all three main use-case scenarios: DO-DO, DRs-DOs, and DRs-DOs.They allow data owners to encrypt their data only once with their public key, which reduces interaction with the cloud, accommodates resource-constrained devices, and enables data owners to retrieve/access their outsourced data and share it with multiple DRs.Experimental evaluation demonstrates that these schemes provide superior efficiency in computation and communication.Moreover, our security analysis shows that SAMM and SAMD are secure and satisfy the specified security and privacy requirements.
As future work, one can focus on the following aspects: First, enhance further the overall security of the system by storing the strong secret key of the VP-HE scheme in distributed manner (for example by using Shamir Secret Sharing scheme).Second, incorporate a verifiable computation feature to verify the validity and correctness of outsourced computation results computed by the cloud providers.Third, protect the DOs' access policies as they make DOs vulnerable to linkability attacks and hence may compromise individual DOs privacy towards the cloud providers.

FIGURE 1 .
FIGURE 1. Different scenarios for data processing requests.

•
Enc PE (ppk, m) − → c: Given a message m ∈ Z and a public key ppk = (n,g), choose a random number r ∈ Z * n , and compute the ciphertext c = Enc PE (ppk, m) = g m • r n mod n 2 .• Dec PE (psk, c) − → m: Given a ciphertext c and a private key psk = (λ, µ), recover the message m = Dec PE (psk, c) = L(c λ mod n 2 ) • µ mod n.

r 1 )
* (m 2 * r 2 ) and obtains (m 1 * r 1 * m 2 * r 2 ).-Next, for the DRs-DO/DRs-DOs cases, a new Paillier key pair (ppk j , psk j ) is generated by the KA and sent to the CP.Then, the CP encrypts the masked multiplication result using ppk j to get [m 1 * r 1 * m 2 * r 2 ] ppk j = Enc PE (ppk j , m 1 * r 1 * m 2 * r 2 ).Whereas, the psk j is encrypted by the single-data owner access policy (AP S ) for the DRs-DO case or multiple-data owners access policy (AP M ) for the DRs-DOs case to get [psk j ] AP S /AP M = Enc ABE (pk, psk j , AP S /AP M ).Algorithm 1 SAMM -Data Processing Phase Input: Two ciphertexts [m 1 ] vpk 1 and [m 2 ] vpk 2 Output: The ciphertexts [m 1 * m 2 ] ppk j

2 :
vpk 2 and AP S /AP M to CP Step Preparing the processing result by CP: ppk j and [psk j ] AP S /AP M to SP Step 3: De-masking by SP: ppk j and [psk j ] AP S /AP M to DR However, for the DO-DO case, the final multiplication result ciphertext is encrypted with DO's VP-HE key vpk i to obtain Enc VP (vpk i , m 1 * r 1 * m 2 * r 2 ).-Later, the CP sends masked multiplication result ciphertext back to the SP.For the DRs-DO(s) cases, it sends [m 1 * r 1 * m 2 * r 2 ] ppk j , and [psk j ] AP S /AP M .While for the DO-DO, the SP sends only Enc VP (vpk i , m 1 * r 1 * m 2 * r 2 ).

2 :
vpk 2 and AP S /AP M to CP Step Preparing the processing result by CP:

1 )
COMMUNICATION OF SAMM Below, we present the communication overhead of the different parts of the SAMM scheme.a) DOs-to-SP: At each data reporting time slot, the DO sends a single ciphertext of length 2 * L(n) to the SP.The total communication overhead of DO-to-SP in the DRs-DOs case is: N * 2 * L(n), while in DO-DO and DR-DO is 2 * L(n).b) SP-to-CP: The communication between the SP and CP in the SAMM scheme is as follows.The SP sends N masked of the data owner(s) ciphertext 2 * L(n) to the CP, which is N * 2 * L(n).Then, the CP sends one masked multiplication result ciphertext 2 * L(n) and the CP-ABE ciphertext (|γ | + 1) * L to the SP.Hence, the total communication cost between the SP and CP in the SAMM scheme remains constant in all cases: (N + 1) * 2 * L(n) + (|γ | + 1) * L. c) SP-to-DRs: The SP sends the final multiplication result ciphertext to DRs 2 * L(n) and one CP-ABE ciphertext of length (|γ | + 1) * L. Thus, the communication at the SP-to-DRs part is: 2 * L(n) + (|γ | + 1) * L. The comparison of communication overhead between our SAMM scheme and the multiplication schemes of

2 )
COMMUNICATION OF SAMD Below, we present the communication overhead of the SAMD scheme.a) DOs-to-SP: The SP receives two ciphertexts from DO(s), each with a length of 2 * L(n).The total communication overhead of the part is: 2 * (2 * L(n)).b) SP-to-CP: The communication between the SP and CP in the SAMD scheme is outlined below.The CP receives two ciphertexts from the SP 2 * (2 * L(n)) and returns two ciphertexts 2 * (2 * L(n)) (the masked division and remainder result) and the CP-ABE ciphertext(|γ | + 1) * L to the SP.In total, the communication cost between the SP and CP in the SAMD scheme is: 4 * (2 * L(n)) + (|γ | + 1) * L. c) SP-to-DRs: The SP sends the encrypted division and remainder result to DRs 2 * (2 * L(n)) along with one CP-ABE ciphertext of length (|γ | + 1) * L. Thus, the communication between the SP and DRs is: 2 * (2 * L(n)) + (|γ | + 1) * L. Table

FIGURE 3 .
FIGURE 3. Computational cost of SAMM with the different lengths of n.

FIGURE 4 .
FIGURE 4. Computational cost of SAMD with the different lengths of n.

FIGURE 5 .
FIGURE 5. Computation cost of SAMM with different numbers of messages.

FIGURE 6 .
FIGURE 6. Operation time of CP-ABE with the different numbers of attributes.

Figure 7 and
Figure 7 and Figure 8 depict the communication overheads between the entities in SAMM and SAMD, respectively, with a fixed key size length of n = 1024 bits while varying

TABLE 2 .
Comparison of SAMM/SAMD with related work in terms of different scenarios support.
r 1 * r 2 )) and [R * r 1 ] ppk j = Enc PE (ppk j , (R * r 1 )).Whereas, the psk j is encrypted using AP S /AP M to get [psk j ] AP S /AP M = Enc ABE (pk, psk j , AP S /AP M ).While in the DO-DO case, the CP encrypts the division and remainder results with DO's vpk i .-Finally, the generated ciphertexts (the masked division/remainder results) [m 1 * r 1 /m 2 *r 1 * r 2 ] ppk j and [R * r 1 ] ppk j , and [psk j ] AP S /AP M are sent back to the SP.(iii) De-masking:

3 )
SIM CP Sim CP simulates Adv CP as follows: Sim CP accesses Sim SP to get the ciphertexts [m ′ 1 * r 1 ] and [m ′ 2 * r 2 ] for SAMM and [m ′ 1 * r 1 ] and [m ′ 2 * r 1 * r 2 ] for SAMD.The execution view of CP in the REAL world consists of two ciphertexts, (m ′ 1 * r 1 ) and (m ′ 2 * r 2 ) for SAMM and (m ′ 1 * r 1 ) and (m ′ 2 * r 1 * r 2 ) for SAMD.In case of SAMM, Sim CP runs the strong decryption algorithm to obtain m ′ 1 * r 1 and m ′ 2 * r 2 .Then, it multiplies the decrypted results and encrypts the multiplication result using the Paillier public key.Sim CP encrypts a randomly generated number with CP-ABE.The two resultant ciphertexts are provided by Sim CP to Adv CP .

TABLE 4 .
Comparison of SAMM/SAMD with related works.

TABLE 5 .
Computational cost of SAMM.

TABLE 7 .
Communication overhead of SAMM.