A Lightweight Policy Update Scheme for Outsourced Personal Health Records Sharing

With the high flexibility and accessibility of data outsourcing environments such as cloud computing, several healthcare providers implement electronic personal health records (PHRs) to enable individual patients to manage their own health data in such a resilient and scalable environment. However, PHRs contain highly sensitive information, so security and privacy are critical concerns. Besides, PHR owners should be able to flexibly and securely define their own access policy for their outsourced data. In addition to basic authentication, existing commercial cloud platforms usually provide symmetric or public key encryption as an optional feature to support data confidentiality for their tenants. However, such traditional encryption schemes are not suitable for data outsourcing environments because of the high key management overhead of symmetric encryption and the high maintenance cost of handling multiple copies of ciphertext in the public key encryption solution. In this paper, we design and develop a secure and fine-grained access control scheme with lightweight access policy update for outsourced PHRs. Our proposed scheme is based on ciphertext-policy attribute-based encryption (CP-ABE) and proxy re-encryption (PRE). In addition, we introduce a policy versioning technique to support full traceability of policy changes. Finally, we conducted a performance evaluation to demonstrate the efficiency of the proposed scheme.


I. INTRODUCTION
In an outsourced data sharing environment such as a cloud storage system, the outsourced server must be available all the time to provide unlimited access to shared data and services. Nowadays, many companies and individuals prefer to store their valuable data in outsourced servers such as cloud storage because of the cost saving and efficient resource management provided by cloud providers. Regarding privacy and security, data owners usually encrypt their data before outsourcing it to the cloud server. Encrypting data is the most suitable way to protect sensitive data from unauthorized access. Nevertheless, encryption alone is not adequate to support rigorous security control. An access control mechanism is another security perimeter generally required. To address this concern, attribute-based encryption (ABE) [1] has been extensively adopted by many works. ABE provides a "one-to-many" encryption scheme with fine-grained access control. Also, it possesses both encryption and access control capabilities. There are two types of ABE: ciphertext-policy attribute-based encryption (CP-ABE) [2] and key-policy attribute-based encryption (KP-ABE). In CP-ABE, attributes are used to construct the user's decryption key, and the access policy is used to encrypt the data. In KP-ABE, the user key is associated with the access policy while the encryption is done with a set of attributes. From the security enforcement point of view, CP-ABE is preferred as the data owner can specify his/her own policy to encrypt the data. CP-ABE also has advantages for group key management [3]. One of them is the decoupling of abstract attributes from actual keys. It reduces communication overhead and provides fine-grained data access control. Also, it achieves flexible one-to-many encryption instead of one-to-one; it is envisioned as a promising tool for addressing the problem of secure and fine-grained data sharing and decentralized access control. Nevertheless, CP-ABE introduces expensive overheads including ciphertext re-encryption, key re-generation, and key re-distribution when there is an attribute revocation or policy update. These revocation and policy update operations must be done carefully because their propagation effect on both the ciphertext and the user decryption key is high. Especially when there are a large number of users, the computation and communication costs related to key update are significantly high. The policy update and data re-encryption costs are a burden at the data owner side, while the communication cost depends on the number of ciphertexts to be downloaded from and re-uploaded to the data outsourcing environment. Such overheads make implementation inefficient for real data sharing scenarios. Also, it is possible that encryptors may not even be available when the access policy update is needed.

The associate editor coordinating the review of this manuscript and approving it for publication was Petros Nicopolitidis.
In this paper, we work out a way to efficiently update CP-ABE access policies without a re-encryption process done at the data owner side. In PHR sharing, the data owner such as a patient can selectively share their data with anyone they want. To provide efficient encryption and improved performance of data access and policy updating, we apply symmetric encryption for encrypting data as it provides higher encryption performance, while the symmetric key is encrypted by the CP-ABE method. Since we use the CP-ABE method to encrypt the symmetric key, the cost of a policy update only affects the encrypted symmetric key. Hence, the ciphertexts themselves are not required to be re-encrypted. This significantly reduces the computation cost at the proxy side. Technically, we devise a proxy re-encryption (PRE) protocol to handle the ciphertext re-encryption, which is the major cost of policy update.
Our contributions can be summarized as follows.
1. We propose an access control model for PHRs with lightweight policy update in a multi-authority data outsourcing environment. With our cryptographic construction and the introduced PRE method, when the policy is updated, the re-encryption process is offloaded to the proxy while the data owner deals with a small computation. The cost for both the data owner side and the proxy side is optimized based on two-step encryption.
2. We propose a policy versioning method that allows all update events to be well recorded, so that older versions of any policy can be re-constructed for detailed examination at any time.
3. We apply parallel programming to parallelize all crypto operations in the PRE system. In our model, when the policy is updated, the system efficiently re-encrypts all affected ciphertexts with the new policy.
4. We provide security and performance analysis to substantiate that our proposed scheme is secure and efficient for real implementation.
The rest of this paper is organized as follows. Section II discusses background and related work. Section III describes the background of CP-ABE. Section IV presents our proposed system. Section V presents the policy versioning technique. Section VI presents the security analysis. Section VII provides the evaluation and experiment. Section VIII concludes the paper.

II. RELATED WORKS
In CP-ABE, policy update is one of the major overheads causing scalability and efficiency degradation. To update the policy, a data owner adds, updates, or revokes attributes or logical gates (AND, OR, or M of N) in the policies. Here, the data owner needs to retrieve the policies, which usually reside at the data owner's premises, and then perform the update. After the policy is updated, all ciphertexts that have been encrypted by the affected policy need to be re-encrypted. After the ciphertexts are re-encrypted, they are uploaded to the cloud. Such processes are generally done by the data owners and cause both processing and communication overhead at the data owner side. In a PHR management scenario, patients may need to update the access policy used to encrypt their medical records in order to allow other doctors in different hospitals to access their medical treatments.
Generally, there are two methods including ciphertext update and proxy re-encryption (PRE) for supporting policy update in CP-ABE setting.

A. CIPHERTEXT UPDATE
In this method, data owners need to generate update keys or tokens and upload them to the outsourced server where the ciphertexts are stored. Update keys are constructed from the computation of affected attributes and are used to update the corresponding ciphertext components. Mostly, approaches using this method rely on the linear secret sharing scheme (LSSS), where the access matrix and mapping functions are directly affected when there is a change of policy [5], [12], [13], [16].
For example, Belguith et al. [4] proposed an efficient access policy update scheme with short ciphertext size. However, this scheme is based on KP-ABE, which limits the capability of data owners to define their own access policy. Besides, the data owner has to generate the whole of the updated ciphertext. This places the computation burden at the data owner side.
In [5], Li et al. proposed an efficient policy update and file update in CP-ABE setting. The ciphertext components are updated based on the key update generated by the data owner. It reduces the storage and communication costs of the client. Moreover, the proposed scheme is proved to be secure under the assumption of decision q-parallel bilinear Diffie-Hellman exponent. However, the data owner needs to hold the encrypted components of the existing ciphertext in addition to the update key generation based on LSSS principle.
In [12], [13], Kan Yang et al. proposed a ciphertext update method to handle policy updates in the cloud server. They examined the cost of policy updating and proposed algorithms for adding and removing attributes in the AND, OR, and threshold gates of an ABE policy in the form of a linear secret sharing scheme (LSSS). In this approach, data owners need to generate update keys based on generic order groups and the complexity grows linearly with the number of attributes of the policies. Thus, it is not applicable for resource-constrained devices to work on the bilinear operations.
In [16], Yuan proposed policy update algorithm based on the matrix update algorithm and implemented it with the encryption algorithm of the basic CP-ABE scheme. The scheme requires data owner to deal with ciphertext update algorithm comparing the number of attributes of the old and the new policy. The computation and communication cost are subject to the policy size. Recently, Varri et al. [17] proposed a multi-keyword search over CP-ABE with dynamic policy update. This scheme uses the encryption information of the old policy to update the policy without choosing the new secret value. Then, the UpdateKeyGen algorithm is computed to update access policy. Even though this scheme is efficient for ciphertext update caused from policy update, the cost of the update key computation consisting of transforming the LSSS matrix and mapping function, and comparing an old policy and a new policy at data owner side is high if there are a high number of attributes contained in the policy.

B. PROXY RE-ENCRYPTION (PRE)
Mambo and Okamoto [6] first introduced the concept of proxy re-encryption (PRE). The proposed technique relies on the concept of a delegator that performs re-encryption of the ciphertext sent by the originator. In this scheme, the delegator learns neither the decryption keys nor the original data. This concept has since been adopted by many works [7]-[10], [19] because it outsources heavy cryptographic operation costs to the proxy. In some designs, the PRE server is separated to do the re-encryption task only and it communicates with a cloud server to compute a secret component for supporting user revocation [18].
In [11], the authors proposed a PRE technique to support key update. In their proposed scheme, the user needs to interact with the proxy in order to send the value of the ciphertext encrypted with the symmetric key to the proxy, and allows the proxy to recover a part of the ciphertext. Then, the proxy sends back another part of the ciphertext to the user for decryption. Even though the computation of decryption is partially outsourced to the proxy, users still need to deal with two troublesome processes for the decryption, and the communication cost between the user and the proxy is a crucial overhead if there are several decryption events.
In [14], we proposed a technique called VL-PRE to enable the policy update to be done in the cloud in an efficient and computationally cost-effective manner. The core method is based on PRE and a re-encryption key generation optimization method. Even though this approach does not require data owners to deal with heavy cryptographic operations, the ciphertext re-encryption operation at the cloud side is still based on CP-ABE. If there is a high volume of re-encryption tasks, this may introduce a performance problem for users who need to access the updated ciphertext.
Nonetheless, all the above works relying on both ciphertext update and proxy re-encryption have not focused on the practicality point of view which can be noted in three shortfalls. First, the re-encryption cost is based on a number of attributes of the updated policy which are not suitable for mobile devices used by PHRs owners, especially when the policy is big and there are frequent updates of the policy. Second, the trust of the delegated system such as an outsourced server or a delegated proxy server has not been explicitly discussed by any works. The trust of key update or any secret component sent from the data owner and the delegator is overlooked by existing works. Finally, there are no approaches paying attention to the full traceability of policy update.
In this paper, we emphasize on the practical and efficient use of secure outsourcing CP-ABE policy update with full traceability. Here, we combine CP-ABE and proxy re-encryption scheme to support lightweight policy update. The proposed solution is empowered with parallel processing technique to enable efficient data re-encryption. In our proposed scheme, the data owner can flexibly update the policies stored in the outsourced data storage. Also, the cryptographic details of CP-ABE are transparent to the users enabling the usability of the tool. To serve strong accountability of policy change history, we introduce the policy versioning technique as another core construct of our proposed access control scheme.

III. BACKGROUND
This section describes the formal concept of CP-ABE and related definitions used in our proposed system.

A. CIPHERTEXT POLICY ATTRIBUTE-BASED ENCRYPTION (CP-ABE)
Basically, the construction of ABE is based on the bilinear maps. A description of the formal definition of bilinear maps is shown below.

Bilinear Maps
Let $G_0$ and $G_1$ be two multiplicative cyclic groups of prime order $p$ and $e$ be a bilinear map $e$: The bilinear map $e$ has the following properties:

An access structure is a monotone collection $A$ of nonempty subsets of $\{P_1, P_2, \ldots, P_n\}$, i.e. $A \subset 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \emptyset$.

Definition 2: Access Tree $T$ [2]: Let $T$ be a tree representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. If $num_x$ is the number of children of a node $x$ and $k_x$ is its threshold value, then $0 < k_x \le num_x$. When $k_x = 1$, the threshold gate is an OR gate and when $k_x = num_x$, it is an AND gate. Each leaf node $x$ of the tree is described by an attribute and a threshold value $k_x = 1$. The k-of-n threshold gate is also allowed in $T$; in this case $k_x = k$ where $k$ is the threshold value determined in the k-of-n gate. In our scheme, $T$ is referred to as an access control policy ACP.
The traditional CP-ABE consists of four major algorithms as follows.
Setup. The setup algorithm takes no input other than the implicit security parameter. It outputs the public parameters PK and a master key MK.
Key Generation (MK, S). The algorithm takes as input the master key MK and a set of attributes S that describe the key. It outputs a user decryption key UDK. Technically, key generation is based on bilinear maps.
Encrypt (PK, M, A). The encryption algorithm takes as input the public parameters PK, a message M, and an access structure A (aka an access tree T) over the universe of attributes. The algorithm encrypts M and produces a ciphertext CT.
Decrypt (PK, CT, SK). The algorithm takes as input the public parameters PK, a ciphertext CT, and a user secret key SK, which is a key containing a set S of attributes. If the set S of attributes satisfies the access structure A then the algorithm will decrypt the ciphertext and return a message M.
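The access tree of Definition 2 enforces a policy by secret sharing: each gate holds a polynomial $q_x$ of degree $k_x - 1$, and a key whose attributes satisfy the gate can interpolate $q_x(0)$. The following Python sketch is an added example, not code from the paper or from the cp-abe toolkit. It works directly in $Z_p$ instead of in the exponent of a pairing group, and the modulus, the attribute names and the sample policy are assumptions constructed for illustration.

```python
import secrets

P = 2**127 - 1  # prime standing in for the group order p (assumption)

class Node:
    """Access-tree node: a leaf carries an attribute, a gate carries k_x and children."""
    def __init__(self, attr=None, k=1, children=()):
        self.attr, self.k, self.children = attr, k, list(children)
        if attr is None and not 0 < k <= len(self.children):
            raise ValueError("threshold must satisfy 0 < k_x <= num_x")

def leaf(attr): return Node(attr=attr)
def AND(*c): return Node(k=len(c), children=c)       # k_x = num_x
def OR(*c): return Node(k=1, children=c)             # k_x = 1
def k_of_n(k, *c): return Node(k=k, children=c)      # general threshold gate

def satisfies(node, attrs):
    """Plain boolean check: does the attribute set satisfy the tree?"""
    if node.attr is not None:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k

def share(node, secret, out=None, path="0"):
    """Encrypt side: push `secret` down the tree, returns {leaf_path: (attr, share)}."""
    out = {} if out is None else out
    if node.attr is not None:
        out[path] = (node.attr, secret)
        return out
    # Random polynomial q_x of degree k_x - 1 with q_x(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        y = sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, out, f"{path}.{idx}")  # q_child(0) = q_x(index(child))
    return out

def recover(node, shares, attrs, path="0"):
    """Decrypt side: return q_x(0) for this node, or None if attrs fall short.

    In real CP-ABE a leaf share is only usable with the matching attribute key
    component; here that binding is modelled by the `attr in attrs` test.
    """
    if node.attr is not None:
        return shares[path][1] if node.attr in attrs else None
    pts = []
    for idx, child in enumerate(node.children, start=1):
        v = recover(child, shares, attrs, f"{path}.{idx}")
        if v is not None:
            pts.append((idx, v))
        if len(pts) == node.k:
            break
    if len(pts) < node.k:
        return None
    total = 0  # Lagrange interpolation of q_x at 0 from k_x points
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

# Constructed sample ACP: (doctor AND hospital A) OR 2-of-3(nurse, cardiology, high clearance)
PHR_POLICY = OR(
    AND(leaf("role:doctor"), leaf("hospital:A")),
    k_of_n(2, leaf("role:nurse"), leaf("dept:cardiology"), leaf("clearance:high")),
)

if __name__ == "__main__":
    s = secrets.randbelow(P)
    sh = share(PHR_POLICY, s)
    print(recover(PHR_POLICY, sh, {"role:doctor", "hospital:A"}) == s)   # satisfied
    print(recover(PHR_POLICY, sh, {"role:doctor", "dept:cardiology"}))   # not satisfied
```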

IV. OUR PROPOSED APPROACH
This section presents the system model and the cryptographic construct of our proposed scheme.

A. SYSTEM MODEL
In our model, PHR owners upload data files such as treatment records, patient profile, etc. in encrypted format to the cloud server and users such as doctors can access the shared file if they have the capability (i.e. decryption key) satisfying the access control policy.
As can be seen from Figure 1, PHR owners and users are issued a set of attributes in the form of a user decryption key from attribute authorities. Our model supports multiple authorities who can issue attributes to users. For example, a patient may be issued keys from different authorities such as hospitals and insurance companies. In the data outsourcing environment such as cloud computing, a proxy, which is a semi-trusted server, is responsible for performing the re-encryption task when any policy is updated. Hence, major heavy cryptographic operations and secure computation are offloaded to the proxy. The proxy is installed with an X.509 certificate issued by a trusted certification authority (CA). The certificate is used for authentication with other system entities. Thus, the proxy only communicates with the entities having a valid certificate as predetermined in its configuration system.

Our system construct consists of two encryption parts. First, data is encrypted by AES symmetric encryption. Second, the symmetric key is encrypted by CP-ABE. These two encrypted results are stored in the outsourced server. Here, we define the notations shown in Table 1 for describing our cryptographic algorithms.

CP-ABE
Our model consists of five major phases including System Setup, Key Generation, Encryption, Decryption, and Re-encryption. Table 1 presents a list of notations used in our model.

Phase 1: System Setup
This phase consists of the following six algorithms run by the AA or data owner.
1. Create Attribute Authority ($k$) → $PK_k$, $SK_k$, $PK_{x,k}$. This algorithm takes as input an attribute authority ID ($k$). The algorithm chooses a bilinear group $G_0$ of prime order $p$ with generator $g$. Next it chooses two random exponents $\alpha, \beta \in Z_p$. The public key is computed as $PK_k = \{G_0, g, h = g^{\beta}, f = g^{1/\beta}, e(g, g)^{\alpha}\}$ (note that $f$ is used only for delegation), and the secret key $SK_k$ is $(\beta, g^{\alpha})$. The algorithm also publishes public attribute keys ($PK_{x,k}$) for all attributes issued by $A_k$.
2. Enc $ODK_{oid,k}$ ($ODK_{oid,k}$, $SymKey1_{oid}$) → $ENCODK_{oid,k}$. The algorithm uses the symmetric key $SymKey1_{oid}$ to encrypt the PHR owner decryption key $ODK_{oid,k}$ with AES encryption as follows.
$ENC_{AES}(ODK_{oid,k}, SymKey1_{oid}) = ENCODK_{oid,k}$
3. Generate random secret. This step is run by the PHR owner by executing the following algorithm.
(1) Gen R($\{r_1, r_2, \ldots, r_n\}$) → $R$. The algorithm takes a set of random seeds $rs$ as input and generates a 256-bit random number $R$ (aka random string) with its position $R_p$. Then, it returns $R$ and $R_p$.
(2) Add $R$ to a shared symmetric key. Add R($SymKey1_{oid}$) → $RSk$. The randomized secret $RSk$ is then stored at the proxy server.

Phase 2: Key Generation
This phase is run by the AA. The UserKeyGen algorithm is used to generate the user decryption key (CP-ABE decryption key). The algorithm is detailed as follows.
UserKeyGen ($S_{uid,k}$, $SK_k$) → $UDK_{uid,k}$. The KeyGen algorithm takes as input a set of attributes ($S_{uid,k}$) that describes the uid's user decryption key and the attribute authority's secret key ($SK_k$), then it returns the set of user decryption keys (UDKs).
For each user uid, the AA $A_k$ chooses a random $r$ and $r_j \in Z_p$ for each attribute $j \in S_{A_k}$. Then the user decryption key ($UDK_{uid,k}$) is computed as:

For the PHR owner, we call this key type an owner decryption key ($ODK_{oid,k}$). In our scheme, we assume that $ODK_{oid,k}$ can be used to decrypt any ciphertexts encrypted by the PHR owner oid,k.

Phase 3: Encryption
The encryption function is performed by PHR owners. This phase performs two encryption steps as follows:
(1) Encrypt message. $ENC_{AES}(SymKey2_{oid}, M)$ → $CT$. The encryption algorithm encrypts message $M$ with an AES symmetric key. Then, it outputs ciphertext $CT$.
(2) Encrypt symmetric key. To encrypt the symmetric key, the algorithm takes as inputs the authority public key $PK_k$, access control policy $ACP_{Pid}$, and symmetric key SymKey2. Then it returns an encrypted symmetric key $EncSEKey_{uid}$.

Phase 4: Decryption
The decryption phase is done by the users authorized to access PHRs. There are two decryption steps as follows.
(1) Decrypt symmetric key. The algorithm takes as inputs the user decryption key $UDK_{uid}$ and the encrypted symmetric key $EncSymKey2_{oid}$. If the set of attributes $S$ in $UDK_{uid,k}$ satisfies the ACP, the algorithm returns the symmetric key $SymKey2_{oid}$.
(2) Decrypt CT. $DEC_{AES}(SymKey2_{oid}, CT) = M$. The algorithm takes as inputs the symmetric key $SymKey2_{oid}$ and ciphertext $CT$. Then, it returns message $M$.

Phase 5: Re-encryption (Proxy Re-encryption)
When the policy is updated, only the encrypted symmetric key $SymKey2_{oid}$ that was encrypted by the old policy is re-encrypted by the proxy. The re-encryption algorithm conducted by the proxy is detailed as follows.
(1) Remove R($R$, $R_p$, $RSk$) → $SymKey1_{oid}$. This function takes as input the random number $R$, its position $R_p$, and the randomized secret $RSk$. Then, the algorithm removes $R$ from $RSk$ based on $R_p$. Finally, the algorithm returns $SymKey1_{oid,k}$.
(2) DecryptODK ($SymKey1_{oid}$, $ENCODK_{oid}$) → $ODK_{oid}$. This function takes as input $SymKey1_{oid}$ and $ENCODK_{oid}$, then it uses the following decryption function.

With our proposed PRE technique, the proxy has no knowledge about the shared symmetric key and the CP-ABE decryption key since they are all obfuscated by the random number encryption.

C. POLICY UPDATE ALGORITHM
Our proposed policy update algorithm consists of three states: (1) updating the policy using update operators such as add, update, and delete, (2) assigning multiple threads to handle transactions, and (3) re-encrypting the encrypted symmetric key. The latter process is also executed in parallel with the ReENC function. Figure 2 presents our proposed policy update algorithm. Technically, the PHR owner or the administrator can add, update, or delete an attribute name or attribute value present in each access policy tree. After the policy is updated, threads are forked and assigned to the encrypted keys that need to be re-encrypted, giving priority to large files based on the parallel threshold value, and these are sent to the third state of re-encryption. Other smaller files are pushed into the queue. In the final state, all affected encrypted keys are updated with the new access control policy. With our proposed technique, all major processes are fully offloaded to the outsourcing environment. Hence, both the computation and communication costs at the data owner side are significantly reduced. In essence, our scheme enables re-encryption of the encrypted symmetric key instead of re-encrypting all affected ciphertexts. This helps reduce the complexity of the re-encryption process compared to existing PRE schemes.

V. POLICY VERSIONING
A change of an access policy is an important issue that directly correlates the authorization enforcement with access rules. In CP-ABE, when the policy is updated, all ciphertexts encrypted with the older version of the policy need to be re-encrypted with the new policy. All update events are generally recorded in a log file, where the detail of the update may not be adequate for detailed traceability. For example, in a healthcare data outsourcing scenario, there may be historical treatment records that were encrypted by a Policy A in the last two years and archived in the outsourced server. If these healthcare records need to be examined, the lineage of policy changes and their valid decryption keys are critically required. To the best of our knowledge, this issue has not been addressed by any access control scheme supporting data outsourcing environments.
To provide detailed traceability of policy changes, we introduce a policy versioning method encapsulating policy lineage retention and a policy retrieval mechanism. The lineage of policy updates can be described as a directed acyclic graph (DAG) as shown in Figure 3.
In the policy lineage, historical policies were either created from older policies or independently created. For the details of update history, all update records are systematically retained in the database as shown in Table 1. To retrieve any historical policy, users can view the lineage from the DAG and specify the policy version in our developed system. Then, the identified policy is retrieved from the policy versioning table. This structure of the policy versioning record provides complete traceability of policy updates.

From Table 2, data owners or auditors can check changes of policy structures and associated files. Any historical policy can be re-constructed to support a file encryption or decryption scenario in case the historical cases are needed. For example, there might be a case where some users' keys did not get updated but they need to use their existing key to decrypt a file encrypted by a historical policy.
With our proposed policy versioning, any historical policy versions can be reconstructed to re-encrypt the target file by calling the re-encryption algorithm. In essence, the proposed versioning scheme is used to serve the system auditing and policy lineage investigation. To preserve the confidentiality of the policy content, the policy versioning table is encrypted with data owner's X.509 public key and then it can be stored in the outsourcing server.
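The policy update flow of Section IV-C and the versioning table of this section can be modelled together, as in the following Python sketch. It is an added example, not the authors' implementation: the record fields, version identifiers, file names and sizes are constructed assumptions, and `reencrypt_key` is a caller-supplied stand-in for the proxy's ReENC operation on the encrypted symmetric key.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PolicyVersion:
    vid: str                # version identifier (hypothetical field names)
    parent: Optional[str]   # None means the policy was created independently
    op: str                 # "create", "add", "update" or "delete"
    policy: str             # full policy expression of this version

class PolicyStore:
    """Append-only versioning table plus the policy history of each file."""
    def __init__(self):
        self.versions = {}       # vid -> PolicyVersion
        self.file_history = {}   # file -> [vid, ...], oldest first

    def commit(self, vid, policy, parent=None, op="create"):
        # A parent must already exist and a vid is never rewritten, so the
        # lineage graph stays acyclic by construction.
        if vid in self.versions:
            raise ValueError(f"{vid} already recorded; the table is append-only")
        if parent is not None and parent not in self.versions:
            raise KeyError(f"parent {parent} is not in the table")
        self.versions[vid] = PolicyVersion(vid, parent, op, policy)

    def bind(self, fname, vid):
        self.file_history.setdefault(fname, []).append(vid)

    def current(self, fname):
        return self.file_history.get(fname, [None])[-1]

    def lineage(self, vid):
        """Walk parent links back to the root; returns oldest first."""
        chain = []
        while vid is not None:
            chain.append(vid)
            vid = self.versions[vid].parent
        return chain[::-1]

    def historical_policies(self, fname):
        """Every policy that has protected this file's key, for audit."""
        return [(v, self.versions[v].policy) for v in self.file_history[fname]]

def plan(sizes, threshold):
    """Files at or above the parallel threshold go to threads, largest first;
    the smaller ones are queued."""
    big = sorted((f for f in sizes if sizes[f] >= threshold), key=lambda f: -sizes[f])
    small = [f for f in sizes if sizes[f] < threshold]
    return big, small

def update_policy(store, old_vid, new_vid, new_policy, op, sizes, threshold, reencrypt_key):
    store.commit(new_vid, new_policy, parent=old_vid, op=op)        # state 1
    affected = {f: s for f, s in sizes.items() if store.current(f) == old_vid}
    big, small = plan(affected, threshold)                          # state 2
    with ThreadPoolExecutor(max_workers=4) as pool:                 # state 3
        list(pool.map(lambda f: reencrypt_key(f, new_policy), big))
    for f in small:
        reencrypt_key(f, new_policy)
    for f in affected:
        store.bind(f, new_vid)
    return big, small

def demo():
    store = PolicyStore()
    store.commit("A.v1", "role:doctor and hospital:A")
    store.commit("B.v1", "role:insurer")  # independent root in the DAG
    sizes = {"xray.enc": 900_000, "visit.enc": 20_000,
             "mri.enc": 5_000_000, "claim.enc": 50_000}  # constructed sample data
    for f in ("xray.enc", "visit.enc", "mri.enc"):
        store.bind(f, "A.v1")
    store.bind("claim.enc", "B.v1")
    calls = []
    big, small = update_policy(
        store, "A.v1", "A.v2", "role:doctor and (hospital:A or hospital:B)",
        "update", sizes, 500_000, lambda f, p: calls.append(f))
    return store, big, small, sorted(calls)

if __name__ == "__main__":
    store, big, small, calls = demo()
    print(big, small, store.lineage("A.v2"), store.historical_policies("visit.enc"))
```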

VI. SECURITY ANALYSIS
In this paper, the proof of security is game-based. Since our scheme is based on CP-ABE, the detailed proof of its security can be found in the original CP-ABE [2], [15].
In the data outsourcing environment, we assume that data owners are fully trusted. The users are assumed to be dishonest, i.e., they may collude to access unauthorized data. It is also assumed that the adversary can corrupt authorities only statically, but key queries can be made adaptively. The attack of the security can be done by an adversary requesting a key from the attribute authority.
The security model of our proposed system is defined as follows between an adversary $A$ and a challenger $C$:
Setup. For uncorrupted authorities in $S_A - S'_A$ the challenger $C$ runs the CreateAttributeAuthority algorithm and gives the public keys $PK$ to the adversary $A$. For corrupted authorities $S'_A$ the challenger sends both the public keys and secret keys to adversary $A$.
Phase 1. The adversary submits $S_{uid,k}$, which is a set of attributes belonging to an uncorrupted authority $AA_k$. The challenger gives the corresponding user decryption keys $UDK$ to the adversary $A$.
Challenge. Adversary $A$ submits two challenge messages $m_0$ and $m_1$ to the simulator. The simulator flips a fair binary coin $\nu$, and returns an encryption of $m_\nu$. In this game, $EncSymKey2_{oid,k}$ is referred to as $CT_2$, a ciphertext encrypted by CP-ABE. The ciphertext $CT_2$ is computed as follows: $CT_2 = (ACP,\ \hat{C} = m_\nu Z,\ CT_2 = h^{s},\ \forall y \in Y: C_y = g^{q_y(0)},\ C'_y = H(att(y))^{q_y(0)})$, where $\gamma$ is a chosen set of attributes. If $\mu = 0$ then $Z = e(g, g)^{\alpha s}$. Therefore, the ciphertext $CT_2$ is a valid random encryption of message $m_\nu$.
Otherwise, if $\mu = 1$ then $Z = e(g, g)^{z}$. We then have $\hat{C} = m_\nu e(g, g)^{z}$. Since $z$ is random, $\hat{C}$ will be a random element of $G_1$ from the adversary's view and the message contains no information about $m_\nu$.
Phase 2. The simulator performs as it did in Phase 1.
Guess. Adversary $A$ submits a guess $\nu'$ of $\nu$.
The advantage of A in this game is defined as:

Definition 3: Our proposed scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.
Theorem 1: Suppose there is no polytime adversary who can break the security of CP-ABE with nonnegligible advantage; then there is no polytime adversary who can break our system with nonnegligible advantage.
Proof: We have shown how the adversary $A$ has nonnegligible advantage against our scheme. Similar to $A$, we show how the adversary $B$ is built to break the CP-ABE scheme with nonnegligible advantage. The adversary $B$ can play a similar game with the CP-ABE scheme to make private queries during the game to get the private keys in the CP-ABE scheme.
Initialization. The adversary $B$ takes the public key of the authority $k$, $PK_k = \{G_0, g, h = g^{\beta}, f = g^{1/\beta}, e(g, g)^{\alpha}\}$, and the corresponding secret key $(\beta, g^{\alpha})$ is unknown to the adversary.
Setup. The adversary $B$ gets our public parameters from $PK'$ as $PK_k = \{G_0, g, h = g^{\beta}, f = g^{1/\beta}, e(g, g)^{\alpha}\}$, then the public key $PK_k$ is given to the adversary.
Phase 1. $B$ answers private key queries. Suppose the adversary is given a user decryption key query for a set of attributes $S$ where $S$ does not satisfy ACP. Here, $B$ makes a query for obtaining UDK for the same set $S$ twice. Then, $B$ obtains two different UDKs as follows.
$UDK_{uid,k} = (D = g^{(\alpha_k + r)/\beta_k},\ A_i \in S:$
where the $i$'s are attributes from $S$, and $r, r', r_i, r'_i$ are random numbers in $Z_p$. With $UDK_{uid,k}$ and $UDK'_{uid,k}$, $B$ can obtain $g^{(r - r')/\beta}$, and chooses random number . Then, the UDK is returned to the adversary $A$.
Challenge. When A decides that Phase 1 is over, it outputs an access policy ACP and two messages m 0 and m 1 , which it wishes to be challenged. B gives the two messages to the challenger, and is given the challenge ciphertext CT2. Then B computes the challenges ciphertext for A from CT2 as CT 2 * . Finally, the challenge ciphertext CT 2 * is returned to the adversary A.
Phase 2. A makes queries not issued in Phase 1. B responds as in Phase 1.
Guess. Finally, it outputs a guess $\nu' \in \{1, 0\}$, and then $B$ concludes its own game by generating $\nu'$. According to the above security model, the advantage of the adversary $B$ is:

Hence, $B$ has nonnegligible advantage against the CP-ABE, which completes the proof of the theorem.

VII. PERFORMANCE ANALYSIS
This section presents the performance analysis in two parts including computational efficiency analysis, and experimental analysis.

A. EFFICIENCY ANALYSIS
In this section, we compare the functionality of our scheme with Li et al.'s scheme [5] and Ying et al.'s scheme [16]. In order to simplify the representation of computation cost of each scheme, we define the following notations.
Let $|p|$ be the element size in G1, G2, $Z_p$.
$G_0$: exponentiation operation in group $G_0$
$G_1$: exponentiation in group $G_1$
$R_d$: random decryption over the message or ciphertext
$n_c$: number of attributes associated with the ciphertext or encrypted key
$Z_p$: the group $\{0, 1, \ldots, p - 1\}$ under multiplication modulo $p$
We assume that the policy update operation is done over the set of attributes that already exist in the policy and that any attribute can appear in any policy twice or more. As shown in Table 3, our scheme provides less communication cost for policy update than [5]. This is because the data owner only submits the random element and a new access control policy, where the attributes belong to $Z_p$, to the proxy server. In [5], the communication cost is incurred from the update key generation and the matrix mapping element with a new access policy to be sent for ciphertext update. Regarding the computation cost, scheme [5] requires the data owner and the cloud server to perform update key generation and ciphertext update respectively. In contrast, our scheme has a clear advantage. Our scheme does not require the data owner or user to compute any secret element for the re-encryption process. The proxy performs re-encryption based on the number of attributes associated with the encrypted key. Therefore, our scheme provides a lightweight policy update that enables PHR owners to use their mobile devices to update the policy flexibly and efficiently.

B. EXPERIMENTAL ANALYSIS
To evaluate the efficiency of our proposed scheme, we set up the system simulation through a proxy server as a simulated outsourcing environment. The system is simulated based on the cp-abe toolkit and the Java Pairing-Based Cryptography library (JPBC). The experiment was conducted on an Intel(R) Xeon(R) CPU E5620 at 2.40 GHz. We evaluate the efficiency of our scheme by comparing the processing time of encryption, decryption, and re-encryption, where our proposed re-encryption process is done by PRE with multi-thread processing and without PRE. We used JPBC to simulate the cryptographic construct of scheme [5] for comparison with our scheme. For the simulation, we compare the computation efficiency of both encryption and decryption by varying the number of attributes contained in the policy. A 50-KB file was used for the test. As shown in Fig. 4a and Fig. 4b, our scheme requires less encryption and decryption time. To encrypt data, our scheme uses AES encryption, which is faster than the CP-ABE encryption used by Li et al.'s scheme. Even though our scheme requires two encryption steps, the second step is the encryption of the symmetric key by CP-ABE. Since the 128-bit symmetric key is very small, its encryption and decryption time does not add much to the total processing time. This illustrates the benefit of our proposed cryptographic protocols.
To evaluate the policy update cost, we measure its constituent costs: update key generation and ciphertext update for scheme [5], and the proxy re-encryption cost for our scheme. Figure 5 shows the policy update time (ms) of our proposed scheme and Li et al.'s scheme. The processing time is measured with an increasing number of ciphertexts to be re-encrypted. In the simulation, we used a 5-attribute policy to re-encrypt files of 20 KB in size on average.
As can be seen from Figure 5, our proposed PRE with multi-thread processing takes significantly less re-encryption time than Li et al.'s scheme. In Li et al.'s scheme, the policy update cost consists of the KeyGen update and the ciphertext update. In our scheme, only re-encryption of the encrypted symmetric key is executed by the proxy. This advantage is even more obvious when there is a high number of ciphertexts to be re-encrypted. Consequently, the experiments confirm that our proposed PRE scheme is efficient in practice for supporting PHR owners in updating the policy. Since the results obtained show that our proposed scheme is efficient, it should suffice to support a high number of ciphertext re-encryptions caused by policy updates in a PHR outsourcing environment. It is also promising to deploy our re-encryption proxy on a VM platform or Linux Container [19] in a real cloud environment to utilize the benefits of the cloud in terms of scalability, resource resilience, and high availability.
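The structure measured above, as an added example that is not the paper's code: each record is encrypted once under a symmetric key, and a policy update re-wraps only that key at the proxy, in a thread pool, without decrypting or rewriting the body. Assumptions: a BBS98-style ElGamal proxy re-encryption over a toy modulus stands in for the paper's CP-ABE-based PRE (so, unlike the paper's scheme, the re-encryption key here is computed from two secret keys), a SHA-256 keystream stands in for AES, and all function names are hypothetical.

```python
import hashlib, math, secrets
from concurrent.futures import ThreadPoolExecutor

P = 2**127 - 1   # toy prime modulus (assumption); far too small for real use
G = 3

def keygen():
    """Key pair whose secret exponent is invertible mod P-1."""
    while True:
        sk = secrets.randbelow(P - 3) + 2
        if math.gcd(sk, P - 1) == 1:
            return sk, pow(G, sk, P)

def _data_key(shared):
    """Derive the 128-bit symmetric key from a group element."""
    return hashlib.sha256(str(shared).encode()).digest()[:16]

def stream_xor(key, data):
    """SHA-256 counter keystream; stand-in for the AES data layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(pk, plaintext, version=1):
    """Owner: encrypt the record once, wrap its key under the policy key."""
    r = secrets.randbelow(P - 2) + 1
    return {"ver": version, "wrapped": pow(pk, r, P),
            "body": stream_xor(_data_key(pow(G, r, P)), plaintext)}

def decrypt(sk, ct):
    """User: unwrap the symmetric key, then decrypt the body."""
    shared = pow(ct["wrapped"], pow(sk, -1, P - 1), P)
    return stream_xor(_data_key(shared), ct["body"])

def rekey(sk_old, sk_new):
    """Re-encryption key from the old policy key to the new one."""
    return sk_new * pow(sk_old, -1, P - 1) % (P - 1)

def proxy_update(store, rk, new_ver, workers=4):
    """Proxy: re-wrap each key in parallel; bodies are never decrypted."""
    def rewrap(ct):
        return {**ct, "ver": new_ver, "wrapped": pow(ct["wrapped"], rk, P)}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(rewrap, store))
```

The proxy's work per ciphertext is one modular exponentiation on the wrapped key, whatever the size of the record body.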

VIII. CONCLUSION
We have proposed a policy update scheme based on policy outsourcing and the proxy re-encryption method. Our scheme fully offloads the policy update cost to the outsourced server. The re-encryption process also uses multi-thread processing to support high scalability and improve the overall performance of the system. For the experiment, we developed a GUI tool for CP-ABE policy update implementation. Data owners can upload files and policies in encrypted format to the outsourced storage through our system. Administrators or data owners do not need to retrieve policies from a local database and interact with the outsourced server for the re-encryption process. With our web-based tool, policies can be updated anytime and anywhere. As a result, this provides transparent access control for the file storage system and policy update management. In addition, we proposed the policy versioning technique to enable efficient reconstruction of historical policies for rigorous auditing. Finally, we also demonstrated the file re-encryption performance. The results showed that the re-encryption process executed with multi-thread processing outperformed the one without it. For future work, we will perform extensive experiments to test the cloud-based proxy with a higher volume of data and larger access policies in a real cloud environment.