DSAS: A Secure Data Sharing and Authorized Searchable Framework for e-Healthcare System

In an e-healthcare system, an increasing number of patients enjoy high-quality medical services by sharing encrypted personal healthcare records (PHRs) with doctors or medical research institutions. However, one important issue is that encrypted PHRs prevent effective search of information, resulting in decreased data usage. Another issue is that the medical treatment process requires the doctor to be online all the time, which may be unaffordable for all doctors (e.g., when absent under certain circumstances). In this paper, we design a new secure and practical proxy searchable re-encryption scheme, allowing medical service providers to achieve remote PHR monitoring and research safely and efficiently. Through our scheme DSAS, (1) patients' healthcare records collected by the devices are encrypted before uploading to the cloud server, ensuring privacy and confidentiality of PHRs; (2) only authorized doctors or research institutions have access to the PHRs; (3) Alice (doctor-in-charge) is able to delegate medical research and utilization to Bob (doctor-in-agent) or a certain research institution through the cloud server, while minimizing information exposure to the cloud server. We formalize the security definition and prove the security of our scheme. Finally, performance evaluation shows the efficiency of our scheme.


I. INTRODUCTION
Nowadays, with the rapid development of artificial intelligence and the advancement of wearable devices and sensors, the e-healthcare sensor network has reached a stage of maturity for adoption and deployment at a commercial scale. An e-healthcare sensor network serving as a mobile platform profoundly benefits patients in obtaining medical treatment of high quality and efficiency. As shown in Fig. 1, patients' devices collect a large amount of personal healthcare records through sensor devices, which enable doctors to more effectively diagnose and attend to the needs of the patients by utilizing these data. Such information also enables medical researchers and analysts to perform analytics to gain better insights on illnesses and devise better treatments. Nevertheless, these data may be stored on cloud storage provided by third-party service providers [10], [16], [34], which introduces potential security issues such as data leakage. This is because neither the patients nor the doctors have control of the information once the data is outsourced. This means the privacy and confidentiality of these outsourced data should be protected in such an environment. For instance, some medical institutions collect and store a large amount of PHRs on cloud servers and authorize the usage of these data to the Center for Disease Control and Prevention (CDC). To facilitate disease prevention and control, doctors in the CDC are allowed to study these data with data mining technology. However, in the process of collecting case information from medical institutions and applying traditional data mining technology, the CDC may inevitably expose sensitive data of patients. How to store, manage and retrieve the PHRs securely and efficiently is a great challenge.

The associate editor coordinating the review of this manuscript and approving it for publication was Diana Gratiela Berbecaru.
An e-healthcare system requires stronger security and privacy guarantees in terms of both data and access to data. In order to prevent information leakage from the stored PHRs, all PHRs stored on the cloud should be encrypted [11], [14], [15], [26], [27], [42]-[44]. Although encryption ensures data confidentiality, can be used to address concerns of data privacy, and avoids attacks from malicious users and cloud servers, it also brings inconvenience of usage. For instance, conventional encryption techniques make it difficult to query the encrypted data [28], because plaintext-based information retrieval methods no longer apply. Due to this limitation of conventional encryption, most research employs searchable encryption (SE) cryptosystems to alleviate such concerns. With searchable encryption technology, patients in the e-healthcare system first encrypt the potential keyword as an index and then upload it to the cloud server along with the encrypted PHRs. Then, the authorized doctor or research institution is able to perform encrypted keyword search by sending a trapdoor generated from a certain keyword to the cloud server. With the trapdoor, the cloud server can perform keyword search over the encrypted index and retrieve the corresponding records. Overall, a searchable encryption cryptosystem allows the cloud server to search encrypted data on behalf of users without learning the keywords or plaintext. With searchable encryption technology, doctors in the CDC are able to perform information retrieval over encrypted PHRs and carry out medical treatment. Nevertheless, such a system also implies that the doctors need to be available all the time. If the doctor is offline, then medical treatment would not be possible.
Proxy re-encryption (PRE) [4], [5], [36] was proposed to solve the above problem by allowing a trusted proxy to securely transform ciphertext belonging to one doctor to another, so that a doctor can delegate the medical treatment right to another doctor in his absence. For instance, suppose there are two doctors, Alice and Bob. Each patient with Alice's public key can encrypt healthcare records to Alice. Suppose Alice is on vacation and wishes to delegate the decryption right to Bob. With PRE technology, Alice generates a re-encryption key based on his private key and Bob's public key, so that with the re-encryption key the proxy can re-encrypt a ciphertext encrypted under Alice's public key into a ciphertext of the same message under Bob's public key. However, there are two problems with the existing PRE approach. First, the proxy is too powerful: with the re-encryption key, the proxy can transform all ciphertexts of Alice no matter which keyword the ciphertext has. Second, inherent from the bidirectional property, it is impossible to provide collusion-resistance when the dishonest proxy colludes with the delegatee to export the delegator's private key, which constitutes a serious security issue for the system since the delegatee can now impersonate the delegator. Therefore, it is necessary to restrict the power of the proxy server.
A conditional proxy re-encryption (CPRE) [21], [49] system can be deployed to overcome the above issue. In a CPRE system, the delegator generates the re-encryption key with a condition that specifies which ciphertexts may be transformed, namely those satisfying the condition. Unfortunately, most existing CPRE schemes cannot guarantee the privacy of the condition, which also contains sensitive information.
On the other hand, if a malicious user can distinguish a re-encrypted ciphertext from an original ciphertext, it increases the security risk; for example, the malicious user learns that Alice is not available right now. Thus, conditional proxy re-encryption is required to be proxy-invisible, meaning that a malicious user cannot distinguish between the original ciphertext and the re-encrypted ciphertext.
In summary, existing solutions apply many methods (e.g., searchable encryption, proxy re-encryption, conditional proxy re-encryption) to share PHRs with doctors or medical research institutions while protecting data privacy. However, information retrieval over encrypted PHRs is still a challenging issue, especially when dealing with massive data at a fine-grained level.

A. RELATED WORK
With the rapid development of cloud computing, more and more patients are willing to move their PHRs to the cloud server to enjoy convenient service [25], [30], [35]. To protect data security and personal information privacy, these PHRs are usually stored in encrypted form in the cloud. However, data encryption hinders effective data utilization when the user tries to retrieve files containing some keywords of interest. Yasnoff [48] proposed an e-healthcare storage framework to eliminate the potential for loss of an entire centralized dataset from a single intrusion while maintaining reasonable search performance. A reliable, searchable and privacy-preserving e-healthcare system was proposed by Yang et al. [45] based on searchable encryption [9], [18], [23], [40], [51] to protect sensitive healthcare files on cloud storage and enable the cloud server to search the encrypted data under the control of patients. The notion of public-key encryption with keyword search (PEKS) was proposed by Boneh et al. [8], who also gave the first PEKS construction for an e-healthcare system in the public key environment. Later, Abdalla et al. [1] revisited the concept of PEKS and proposed the consistency notion. Baek et al. [3] extended PEKS to remove the secure channel between a user and the cloud server, which lets patients communicate with doctors in a secure way. More expressive searchable schemes for e-healthcare systems are proposed in [24], [29], [33], and zhang2017searchable. To store a huge number of PHRs from multiple users, schemes [24], [47] are proposed to optimize data storage and retrieval in the multi-user setting.
Besides searchable encryption, proxy re-encryption (PRE) technology, proposed by Blaze et al. [7], has also been employed to store and share medical data in e-healthcare systems. Proxy re-encryption is a highly promising solution for cloud computing, which has recently been widely applied to provide ciphertext transformation in cloud storage services. There has been significant progress in PRE over recent years because of the property called conditional transformation, greatly enriching the commercial applications of PRE. In 2005, Ateniese et al. [2] proposed a unidirectional scheme and demonstrated how to prevent the proxy from colluding with delegatees in order to expose the delegator's private key. In 2006, Green and Ateniese [17] extended the above notion to identity-based proxy re-encryption, and proposed a new CCA-secure scheme. Seo et al. [31] proposed the first proxy-invisible CPRE scheme that is CCA-secure in the standard model. He et al. [19] proposed a non-transferable proxy re-encryption scheme that solves the PKG despotism problem and the key escrow problem. Fang et al. [12], [13] introduced fuzzy conditional proxy re-encryption and proposed a concrete construction based on the ''set overlap'' distance metric. In [20], PRE was deployed in a mobile healthcare social network for a data owner to authorize a healthcare analyzer to access the owner's data. While the underlying purpose is similar, our proposal is more robust, using CPRE, and examines delegation of duty from one doctor to another, and further provides the proxy-invisibility and condition-hiding properties.
Proxy re-encryption with keyword search (PRES), proposed by Shao et al. [32], allows a patient to delegate search and decryption capability to a doctor or research institution. In the e-healthcare system, suppose doctor Alice (delegator) wants to delegate the search capability to doctor Bob (delegatee). By employing the PRES scheme proposed by Shao et al. [32], 1) Bob can decrypt the ciphertexts delegated from Alice using his own private key; 2) given a trapdoor from Bob, the mail gateway can test whether the ciphertext delegated from Alice contains some specific keyword. However, we notice that with the re-encryption key, the proxy can transform all ciphertexts of Alice no matter which keyword the ciphertext has. In this case, without Alice's delegation, Bob can still read all of Alice's messages, which poses serious security risks to the e-healthcare system. To address this issue, Weng et al. [38], [39] introduced the concept of conditional proxy re-encryption, where the re-encryption key is linked with a condition so that the delegatee can only decrypt ciphertexts satisfying the specified condition. After that, a series of CPRE schemes were proposed [12], [37], [41]. In most CPRE schemes, the condition is specified in the re-encryption key, and thus the proxy can obtain the condition information, such as ''HIV''. However, in the e-healthcare system, the condition can also contain sensitive information [46]. Therefore, it is necessary to build a CPRE construction without leaking the condition information. Unfortunately, none of the above systems simultaneously supports both encrypted keyword search and condition-hiding in practice, which limits the commercial applications of proxy re-encryption in the e-healthcare system. We propose a proxy-invisible condition-hiding proxy re-encryption scheme with keyword search to address the issues of inefficiency and condition privacy in the e-healthcare system.
Table 1 gives a summary of the related works in terms of uni-directionality, proxy-invisibility, condition-hiding, collusion-resistance and keyword search.

B. MOTIVATION AND CONTRIBUTION
• Uni-Directional: Uni-directional proxy re-encryption is superior to multi-directional proxy re-encryption, since otherwise the delegatee may pass permissions to a third party, which increases the disclosure of privacy. Hence, unidirectionality is a very important characteristic for an e-healthcare system.
• Proxy-Invisible: In a secure e-healthcare system, if a malicious user can distinguish a re-encrypted ciphertext from an original ciphertext, it increases the security risk; for example, the malicious user learns that the delegator is not available right now. Hence, an e-healthcare system must provide proxy-invisibility.
• Condition-Hiding: In the conditional proxy re-encryption scheme, the condition often contains some private information. If the condition is exposed, it will cause a great loss to the system. Obviously, if the proxy condition is hidden, the proxy server will get less sensitive information, which makes the e-healthcare system more secure.
• Collusion-Resistance: Inherent from the trustworthy property, it is impossible to provide collusion-resistance when the dishonest proxy colludes with the delegatee to export the delegator's private key, which would be a disaster for the e-healthcare system. Such authorized operations are usually performed on the proxy server (assumed to be a third-party service provider), which for security reasons is assumed to be untrusted. Hence, it is necessary to provide collusion-resistance in a secure e-healthcare system.

FIGURE 2. System model.
• Keyword Search: Encryption is considered a simple and efficient solution to guarantee data confidentiality, but it also makes search over encrypted data extremely difficult. Searchable encryption technology realizes search over encrypted data without decryption, and solves the problem that users cannot control data remotely because of encryption. Hence, keyword search is necessary in the e-healthcare system.
As can be seen from the comparison among existing schemes in Table 1, no scheme realizes secure and reliable ciphertext retrieval in the e-healthcare system. In an e-healthcare system, wearable devices continuously collect medical data from the real body environment. The massive sensitive data poses a great security and efficiency challenge to the current e-healthcare system due to the lack of an efficient information retrieval mechanism and poor fine-grained access control. In this paper, we aim to design an efficient, searchable and privacy-preserving e-healthcare system. The overall system consists of three main entities, as shown in Fig. 2.
With the proposed infrastructure above, we design a secure data sharing and authorized searchable scheme for the e-healthcare system. We illustrate it with the following example. As shown in Fig. 2, a patient continuously collects PHRs with sensors from the physical environment and sends these encrypted PHRs (encrypted under A's public key) to his doctor-in-charge A, seeking medical treatment. In some cases, doctor A wants to share some, but not all, of these PHRs with doctor B. To achieve access authorization, A generates a re-encryption key based on his private key and the public key of B. Given the re-encryption key, the cloud server is able to convert the ciphertext of A (encrypted under A's public key) to that of B (encrypted under B's public key). Obviously, if there are no restrictions, the cloud server can convert any ciphertext of A, which could disclose private information by sharing unnecessary data.
In order to prevent privacy disclosure, we generate a conditional re-encryption key by embedding a trapdoor (e.g., pneumonia) in the re-encryption key so that the cloud server can only convert ciphertexts under the designated condition. Moreover, the cloud server is responsible for storing the encrypted data and providing keyword search services, and also acts as a proxy to perform re-encryption for data users. When a keyword search request with a trapdoor is received from B, the cloud server performs information retrieval over the encrypted PHRs. Finally, B can decrypt the ciphertext using only his private key to obtain the specific medical information. In summary, users (e.g., patients, doctors, research institutions) enjoy an efficient, searchable, privacy-protecting service in our e-healthcare system. The main results are as follows:
1. Data privacy: patients' data collected by the sensor devices are encrypted before they are uploaded to the cloud storage server. This ensures privacy and confidentiality of data since the cloud server will not be able to learn any information from the encrypted PHRs.
2. Conditional authorization: In the event that the doctor-in-charge (Alice) is unavailable, our scheme enables the delegation of the task to another doctor (Bob) through a cloud server, without the need to decrypt the PHRs, thus minimizing information exposure to the cloud server.
3. Condition-hiding: Our scheme not only guarantees patients' PHR privacy through encrypted data but also preserves the privacy of the condition embedded in the re-encryption key.
4. Proxy invisibility: In our scheme, the authorized doctor (Bob) or a malicious user cannot distinguish which ciphertext is sent to the delegatee and which ciphertext is re-encrypted by the cloud as delegated by Alice.
5. Collusion resistance: In our scheme, even if a dishonest proxy colludes with Bob, Alice's private key remains secure.

II. PRELIMINARIES
In this section, we present basic assumptions and cryptographic concepts.

A. BILINEAR MAPS
We briefly describe bilinear maps and bilinear map groups (for more detail, see [6]). Consider the following setting: $G$ and $G_T$ are two multiplicative cyclic groups of prime order $p$; the group action on $G$ and $G_T$ can be computed efficiently; $g$ is a generator of $G$; and $e : G \times G \to G_T$ is a bilinear map. The bilinear map $e$ has the following properties:
• Bilinearity: for all $a, b \in \mathbb{Z}_p^*$, $e(g^a, g^b) = e(g, g)^{ab}$.
• Non-degeneracy: $e(g, g) \neq 1$.
We say that $G$ is a bilinear group if the group operations in $G$ and the bilinear map $e : G \times G \to G_T$ can both be computed efficiently. Notice that the map $e(\cdot, \cdot)$ is symmetric, since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

B. HARD ASSUMPTIONS
The modified Decisional Bilinear Diffie-Hellman (mDBDH) problem is defined as follows. Let $G$ be a bilinear group of prime order $p$ and $g$ a generator of $G$. Given $(g, g^a, g^b, g^c)$ for random $a, b, c \in \mathbb{Z}_p^*$ and $Z \in G_T$, decide whether $Z = e(g, g)^{ab/c}$. An algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ has advantage $\varepsilon$ in solving the mDBDH problem if, where the probability is over the random choice of $a, b, c \in \mathbb{Z}_p^*$, the random choice of $Z \in G_T$, and the random bits consumed by $\mathcal{A}$. We say that the mDBDH assumption holds in $G$ if no PPT algorithm has advantage at least $\varepsilon$ in solving the mDBDH problem.
The q-weak Decisional Bilinear Diffie-Hellman Inversion (q-DBDHI) problem is defined as follows. Let $G$ be a bilinear group of prime order $p$ and $g$ a generator of $G$.
where the probability is over the random choice of $g, g'$ in $G$, the random choice of $\alpha \in \mathbb{Z}_p^*$, the random choice of $Z \in G_T$, and the random bits consumed by $\mathcal{A}$. We say that the q-DBDHI assumption holds in $G$ if no PPT algorithm has advantage at least $\varepsilon$ in solving the q-DBDHI problem.

III. SYSTEM ARCHITECTURE AND CONSTRUCTION
In this section, we first introduce the algorithm definitions and the system architecture, and then propose the construction of our conditional proxy re-encryption with keyword search system, which is proxy-invisible, condition-hiding and CCA-secure.

A. DEFINITION
A conditional proxy re-encryption with keyword search system consists of the following polynomial-time algorithms:
• Setup($1^\lambda$) → param: Given a security parameter $\lambda$, outputs public parameters param to be used by all parties.
• Enc(pk, m, w) → CT: Given a public key pk, a keyword $w$, and a message $m$, the encryption algorithm outputs a ciphertext CT of $m$ corresponding to keyword $w$.
• ReKeyGen($sk_i$, $pk_j$, $w$) → $rk^w_{i \to j}$: Given user $i$'s private key $sk_i$, user $j$'s public key $pk_j$ and condition $w$, the re-encryption key generation algorithm outputs a re-encryption key $rk^w_{i \to j}$.
• ReEnc($rk^w_{i \to j}$, $CT_i$) → $CT_j$: Given the re-encryption key $rk^w_{i \to j}$ and a ciphertext $CT_i$ corresponding to public key $pk_i$, the re-encryption algorithm outputs another ciphertext $CT_j$ corresponding to public key $pk_j$, or the special symbol ⊥ indicating an error.
• Trapdoor(sk, $w$) → $t_w$: Given a user's private key sk and a keyword $w$, the trapdoor algorithm outputs a trapdoor $t_w$ of keyword $w$ for that user.
• Test(CT, $t_w$) → 0 or 1: Given a ciphertext CT and a trapdoor $t_w$, the test algorithm outputs 1 if the ciphertext CT contains the keyword $w$ specified by the trapdoor $t_w$, and 0 otherwise.
• Dec(sk, CT) → $m$: Given a user's private key sk and a ciphertext CT, the decryption algorithm outputs the corresponding message $m$ or the special symbol ⊥ indicating an error.

B. SYSTEM ARCHITECTURE
In this paper, we design a new cloud storage framework for the e-healthcare system which provides an efficient and privacy-preserving information retrieval service and meets the above requirements. The e-healthcare system generally consists of the following phases:
• Setup phase: In this phase, patients' sensors choose a security parameter $1^\lambda$, and run algorithms Setup and KeyGen to generate and store the parameters param and the public/private key pair (pk, sk) for all patients who collect PHRs in the real world.
• Data collection and encryption phase: The sensors continuously collect PHRs $F$ from the physical environment, extract keywords $w$ from these data, and run algorithm Enc to encrypt the medical information under doctor Alice's public key $pk_{Alice}$. Finally, all ciphertexts $CT_{Alice}$ are uploaded to the cloud server.
• Data conversion phase: If Alice is unavailable, Alice is able to delegate the search and decryption operations to Bob through the cloud server with the following steps. First, Alice runs algorithm ReKeyGen to generate a re-encryption key for the cloud server under Alice's private key $sk_{Alice}$ and Bob's public key $pk_{Bob}$. Second, given the re-encryption key, the cloud server runs algorithm ReEnc to convert the corresponding ciphertext. Finally, the cloud server stores the converted ciphertext $CT_{Bob}$. To achieve conditional authorization, algorithm ReKeyGen requires Alice's private key as part of the input. Therefore, anyone without Alice's private key, even given Bob's public key, cannot launch conditional authorization.
• Data retrieval phase: Bob is able to search and decrypt the converted ciphertext with the following steps. First, Bob runs algorithm Trapdoor to generate a trapdoor $t_w$ under keyword $w$ and his private key $sk_{Bob}$. Second, given the trapdoor $t_w$ and ciphertext $CT_{Bob}$, the cloud server runs algorithm Test to find the matching ciphertext. Finally, Bob obtains the intended data by decrypting the matched ciphertext with his private key $sk_{Bob}$ by running algorithm Dec.

Figure 2 caption: Patients' data collected by the sensor devices are encrypted before they are uploaded to the cloud storage server. This ensures privacy and confidentiality of data since the cloud server will not be able to learn any information from the encrypted personal health records (PHRs). The red arrows in the figure represent the process of secure data query: only the authorised doctor has access to the PHRs. In the event that the doctor-in-charge is unavailable, our scheme enables the delegation of the task to another doctor through a cloud server, without the need to decrypt the PHRs, thus minimising information exposure to the cloud server, which is shown with the green arrow in the figure.

C. DSAS CONSTRUCTION
Let $G$ and $G_T$ be groups of order $p$, and let $e : G \times G \to G_T$ be the bilinear map. Our conditional proxy re-encryption with keyword search system works as follows.
• Enc(pk, m, w): To encrypt a message $m \in G_T$ under the public key $pk_i$, the data owner selects a one-time signature key pair $(ssk, svk) \leftarrow \mathcal{G}(\lambda)$, picks random $s, r \in \mathbb{Z}_p^*$, and sets the components $C_1, \ldots, C_7$, where $ID_i$ is the identity of user $i$. Then, the data owner generates a one-time signature $\sigma = \mathcal{S}(ssk, (C_6, C_7))$ and outputs the ciphertext $CT_i = (svk, C_1, C_2, C_3, C_4, C_5, C_6, C_7, \sigma)$.
• ReKeyGen($sk_i$, $pk_j$, $w$): Given user $i$'s private key $sk_i$, user $j$'s public key $pk_j$ and condition $w$, user $i$ sets the re-encryption key $rk^w_{i \to j} = (rk_1, rk_2, rk_3)$.
• ReEnc($rk^w_{i \to j}$, $CT_i$): Given the re-encryption key $rk^w_{i \to j} = (rk_1, rk_2, rk_3)$ and a ciphertext $CT_i = (svk, C_1, C_2, C_3, C_4, C_5, C_6, C_7, \sigma)$, the cloud server first checks whether the condition holds by running Test. If the output is ⊥, it terminates; otherwise, the cloud server picks random $t \in \mathbb{Z}_p^*$ and computes the re-encrypted ciphertext for user $j$.
• Trapdoor(sk, w): On input user $i$'s private key $sk_i$ and a keyword $w$, output the trapdoor $t_w$ of keyword $w$.
• Test($CT_i$, $t_w$): Given the trapdoor $t_w$ and ciphertext $CT_i$, the cloud server checks the validity of the ciphertext by testing the following relations.

IV. SECURITY DEFINITION AND PROOF
In this section, we give the security definition and the concrete proof of the proposed DSAS scheme.

A. SYSTEM THREAT MODEL
We assume the cloud server is always online with sufficient storage and computing capacity. Also, we assume that doctor Alice is online most of the time. In some cases, when Alice is not online, he authorizes access to the PHRs to doctor Bob or other medical institutions by distributing a re-encryption key through a secure channel between the cloud server and himself. The possible attacks on our system are as follows:
1. The cloud server is ''honest-but-curious'', following many related works on e-healthcare cloud computing systems [12], [32], [35]-[37]: the cloud server ''honestly'' follows the designated protocol, but ''curiously'' tries to infer additional private information from the encrypted PHR content or the search query.
2. Unlike FSGW [12], SCLL [32], WHYLW [37] and YM [46], the cloud server in our system may collude with authorized doctors to export the delegator's private key in order to access data beyond their access privileges.

B. SYSTEM SECURITY MODEL
We define security for our system in the sense of semantic security. We need to ensure that a ciphertext CT does not reveal any information about the keyword $w$ unless the keyword trapdoor $t_w$ is available. We define security against an active attacker who is able to obtain trapdoors $t_w$ for any $w$ of his choice; even under such an attack, the attacker should not be able to distinguish an encryption of a keyword $w_0$ from an encryption of a keyword $w_1$ for which he did not obtain the trapdoor. Formally, we define security against an active adversary $\mathcal{A}$ using the following game between a challenger $\mathcal{B}$ and the adversary $\mathcal{A}$.
Game 1: (IND-CKA game: Privacy of keyword)
• Setup: Challenger $\mathcal{B}$ runs the Setup algorithm and forwards the public parameters param to adversary $\mathcal{A}$.
• Phase 1: Adversary $\mathcal{A}$ can adaptively make the following queries:
  - Uncorrupted key generation oracle $\mathcal{O}_{pk}$: $\mathcal{B}$ obtains a public/private key pair $(pk_i, sk_i)$ and sends $pk_i$ to $\mathcal{A}$.
  - Corrupted key generation oracle $\mathcal{O}_{sk}$: $\mathcal{B}$ obtains a public/private key pair $(pk_i, sk_i)$ and sends $(pk_i, sk_i)$ to $\mathcal{A}$.
  - Trapdoor generation oracle $\mathcal{O}_{td}$: $\mathcal{B}$ runs trapdoor generation to generate a trapdoor $t_w$ and sends it to $\mathcal{A}$.
  - Re-encryption key generation oracle $\mathcal{O}_{rk}$: $\mathcal{B}$ runs re-encryption key generation to generate a re-encryption key $rk^w_{i \to j}$ and sends it to $\mathcal{A}$.
  - Re-encryption oracle $\mathcal{O}_{re}$: $\mathcal{B}$ runs re-encryption to convert ciphertext $CT_i$ to ciphertext $CT_j$ and sends $CT_j$ to $\mathcal{A}$.
• Challenge: At some point, the adversary $\mathcal{A}$ sends the challenger $\mathcal{B}$ two keywords $w_0, w_1$, a message $m$ and a public key $pk^*$ on which it wishes to be challenged. The challenger $\mathcal{B}$ picks a random $b \in \{0, 1\}$ and gives the adversary the challenge index $CT^*_b$.
• Phase 2: Adversary $\mathcal{A}$ can adaptively make more queries as in Phase 1.
• Guess: Eventually, the adversary $\mathcal{A}$ outputs $b' \in \{0, 1\}$ and wins the game if $b = b'$.
During the above game, adversary $\mathcal{A}$ is subject to the following restrictions, where $w^* \in \{w_0, w_1\}$:
1. $\mathcal{A}$ cannot query the target private key $sk_{i^*}$.
2. $\mathcal{A}$ cannot query the trapdoor of $(pk_{i^*}, w^*)$.
3. $\mathcal{A}$ cannot issue a re-encryption key query $rk^{w^*}_{i^* \to j}$ if $pk_j$ appears in a previous corrupted key generation query.
4. $\mathcal{A}$ cannot issue a re-encryption query on $pk_{i^*}, pk_j, (w^*, CT^*)$ if $pk_j$ appears in a previous corrupted key generation query.
The advantage of an adversary is defined to be $Adv = |\Pr[b = b'] - 1/2|$.
We now define security for our system to ensure that CT does not reveal any information about $M$. Formally, we define security against an active adversary $\mathcal{A}$ using the following game between a challenger $\mathcal{B}$ and the adversary $\mathcal{A}$.
• Challenge: At some point, the adversary $\mathcal{A}$ sends the challenger $\mathcal{B}$ two messages $m_0, m_1$, a conditional keyword $w$ and a public key $pk^*$ on which it wishes to be challenged. The challenger $\mathcal{B}$ picks a random $b \in \{0, 1\}$ and gives the adversary the challenge ciphertext $CT^*_b$.
• Phase 2: Adversary $\mathcal{A}$ can adaptively make more queries as in Phase 1.
• Guess: Eventually, the adversary $\mathcal{A}$ outputs $b' \in \{0, 1\}$ and wins the game if $b = b'$.
During the above game, adversary $\mathcal{A}$ is subject to the following restrictions, where $w^* \in \{w_0, w_1\}$:
1. $\mathcal{A}$ cannot query the target private key $sk_{i^*}$.
2. $\mathcal{A}$ cannot query the trapdoor of $(pk_{i^*}, w^*)$.
3. $\mathcal{A}$ cannot issue a re-encryption key query $rk^{w^*}_{i^* \to j}$ if $pk_j$ appears in a previous corrupted key generation query.
4. $\mathcal{A}$ cannot issue a re-encryption query on $pk_{i^*}, pk_j, (w^*, CT^*)$ if $pk_j$ appears in a previous corrupted key generation query.
5. $\mathcal{A}$ cannot issue a decryption query on either $(pk_{i^*}, CT^*_i)$ or $(pk_j, CT^*_j)$, where $(pk_j, CT^*_j)$ is a re-encryption of the challenge ciphertext.
The advantage of an adversary is defined to be $Adv = |\Pr[b = b'] - 1/2|$ in this game.

C. SECURITY PROOF
We now prove that our condition-hiding proxy re-encryption with keyword search system is IND-CKA secure based on the mDBDH assumption in the random oracle model.
Theorem 1: If the mDBDH assumption holds in $G$ and $G_T$, then our construction is IND-CKA secure in the random oracle model.
Proof: Suppose there exists a polynomial-time adversary A that breaks the IND-CKA security of system described above with advantage . We construct an algorithm B that uses A to solve mDBDH problem with probability ( 1 2 + e·q H 1 ). B takes as input a random mDBDH challenge ab c or random element of G T . B interacts with A in the security game as follows: The system public parameters are (G, G T , e, g, f , h, u, v, Sig, H 1 , H 2  O pk : On input an identity ID i , B picks random O re : On input identities of the delegator and delegatee and the original ciphertext to get rk 1 and tuple (ID, r 2 ) in table T H 2 , and picks random t ∈ Z * p and computes • Challenge: Eventually adversary A produces a pair of keywords w 0 and w 1 , a message m and a public key pk * on which it wishes to be challenged. If pk * is not in table T k , or corrupted = 1, B terminates. If coin 0 = 1 and coin 1 = 1, B aborts. Otherwise, B chooses a random number b ∈ {0, 1} such that coin d = 0 and selects random s ∈ Z * p and responds A with the challenge ciphertext CT * b : where r 1 is the corresponding value to w d in table T H 1 , r 2 is the corresponding value to ID i * in table T H 2 and y i is the corresponding value to pk * in table T k .
• Phase 2: A repeats the query of phase 1 subject to the restrictions defined in Game 1.
• Guess: Eventually, the adversary A outputs $b' \in \{0, 1\}$.
We note that the above simulations are valid and the keywords handled by the oracles are uniformly distributed in the keyword space. Hence, the adversary cannot find any inconsistency between the simulation and the real world. The challenge ciphertext is a valid ciphertext under randomness $r = b/c$ and $s$.
Success probability: If B does not abort, A's view is identical to its view in the real attack. Now we analyze the probability that B does not abort. We define two independent events:
$\varepsilon_1$: B does not abort as a result of any of A's trapdoor queries, re-encryption key queries and re-encryption queries.
$\varepsilon_2$: B does not abort during the challenge phase.
We assume that A does not ask $O_{H_1}$ for the same keyword twice. The probability that an $O_{H_1}$ query causes an abort is $1/(q_{H_1} + 1)$. Assuming that A makes at most $q_{H_1}$ queries to $O_{H_1}$, we have $\Pr[\varepsilon_1] \ge (1 - 1/(q_{H_1} + 1))^{q_{H_1}} \ge 1/e$ and $\Pr[\varepsilon_2] \ge 1/q_{H_1}$. Therefore $\Pr[\varepsilon_1 \wedge \varepsilon_2] \ge 1/(e \cdot q_{H_1})$. Since B does not abort with probability at least $1/(e \cdot q_{H_1})$, B's overall success probability is at least $\epsilon/(e \cdot q_{H_1})$. Hence B can use A to solve the mDBDH problem with probability $\frac{1}{2} + \frac{\epsilon}{e \cdot q_{H_1}}$.
We now prove that our condition-hiding proxy re-encryption with keyword search system is IND-CCA secure under the q-wDBDHI assumption.
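The bound $(1 - 1/(q_{H_1}+1))^{q_{H_1}} \ge 1/e$ and the final success probability $\frac{1}{2} + \frac{\epsilon}{e \cdot q_{H_1}}$ are stated above without intermediate steps. The following derivation is added here and is not part of the original proof; writing $q = q_{H_1}$, it assumes (as the proof does implicitly) that B outputs a uniformly random guess whenever it aborts, and that when B does not abort its guess is correct exactly when A's is.

\[
\left(1 - \frac{1}{q+1}\right)^{q} = \left(\frac{q}{q+1}\right)^{q} = \left(1 + \frac{1}{q}\right)^{-q} \ge \frac{1}{e},
\]
since $(1 + 1/q)^q$ increases monotonically to $e$ and is therefore at most $e$ for every integer $q \ge 1$. With $\Pr[\varepsilon_2] \ge 1/q$ and the independence of $\varepsilon_1$ and $\varepsilon_2$,
\[
\Pr[\neg\mathrm{abort}] = \Pr[\varepsilon_1 \wedge \varepsilon_2] = \Pr[\varepsilon_1] \cdot \Pr[\varepsilon_2] \ge \frac{1}{e \cdot q}.
\]
Conditioned on not aborting, A's view is the real one, so $\Pr[b' = b \mid \neg\mathrm{abort}] = \frac{1}{2} + \epsilon$ (the advantage is defined as an absolute value; if $\Pr[b' = b]$ lies below $\frac{1}{2}$ the same bound holds for the B that outputs the complement of A's guess). Conditioned on aborting, B's random guess is correct with probability $\frac{1}{2}$. Hence
\[
\Pr[B\ \text{succeeds}] = \Pr[\neg\mathrm{abort}] \left(\frac{1}{2} + \epsilon\right) + \Pr[\mathrm{abort}] \cdot \frac{1}{2} = \frac{1}{2} + \epsilon \cdot \Pr[\neg\mathrm{abort}] \ge \frac{1}{2} + \frac{\epsilon}{e \cdot q},
\]
which is the probability claimed in Theorem 1.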
Theorem 2: Our construction is IND-CCA secure in the random oracle model if the q-wDBDHI assumption holds in G and the one-time signature Sig is strongly unforgeable.
Proof: Suppose there exists a polynomial-time adversary A that breaks the IND-CCA security of the system described above with advantage $\epsilon$. We construct an algorithm B that uses A to solve the q-wDBDHI problem with probability $\epsilon/n$, where $n$ is the number of honest users. B takes as input a random q-wDBDHI challenge $(g, g_1, g_2, \dots, g_q, g', Z)$, where $Z$ is either $e(g, g')^{1/\alpha}$ or a random element of $\mathbb{G}_T$. B interacts with A in the security game as follows. B chooses a polynomial $f(x)$ of degree $q - 1$ and sets $h = g^{f(\alpha)} =$
On A's queries, B builds the following oracles.
$O_{pk}$: On input an identity $ID_i$, B picks random
$O_{sk}$: On input an identity $ID_i$, B picks random
where $r_2$ is the value corresponding to $ID_i$ in table $T_{H_2}$ and $(\mu_i,\ i = 0, 1, \dots, q-2)$ are the coefficients of the polynomial $F_{r_2}(x)$. When $i = i^*$, B computes
When $i \ne i^*$, B can easily compute the re-encryption key by using the known private key.
$O_{re}$: On input the identities of the delegator and delegatee and the original ciphertext, B obtains $rk_1$ and the tuple $(ID, r_2)$ in table $T_{H_2}$, picks random $t \in \mathbb{Z}_p^*$ and computes
Decryption queries: for a ciphertext submitted by A, if $svk = svk^*$, B terminates and returns a random bit. If $svk \ne svk^*$, when $i = i^*$, B computes
Then B computes $m = C_7 \cdot e(f, h)^s$. When $i \ne i^*$, B can easily compute $m$ by using the known private key.
• Challenge: Eventually adversary A produces a pair of messages $m_0$ and $m_1$, a condition $w$ and a public key $pk^*$ on which it wishes to be challenged. B chooses a random bit $b \in \{0, 1\}$ such that $coin_w = 0$, selects random $c \in \mathbb{Z}_p^*$ and responds to A with the challenge ciphertext $CT^*_b$:
where $r_2^*$ is the value corresponding to $ID_{i^*}$ in table $T_{H_2}$ and $y_i$ is the value corresponding to $pk^*$ in table $T_k$.
• Phase 2: A repeats the query of phase 1 subject to the restrictions defined in Game 2.
• Guess: Eventually, the adversary A outputs $b' \in \{0, 1\}$.
We note that the above simulations are valid and the keywords handled by the oracles are uniformly distributed in the keyword space. Hence, the adversary cannot find any inconsistency between the simulation and the real world. Let $s = \beta/\alpha$ and $r = c/\alpha$, where $\beta = \log_g g'$. If $Z = e(g, g')^{1/\alpha}$, then $CT^*_b$ is a valid ciphertext.
Success probability: If $Z = e(g, g')^{1/\alpha}$, A's view is identical to its view in the real attack environment. In contrast, if $Z \ne e(g, g')^{1/\alpha}$, then $Z$ is uniformly distributed in $\mathbb{G}_T$, so A cannot guess $b$ with probability better than $1/2$. A finally outputs $b'$, which B uses in its own game: if $b' = b$ then B decides that $Z = e(g, g')^{1/\alpha}$; otherwise, B decides that $Z \ne e(g, g')^{1/\alpha}$. Therefore, we have
\[
\left| \Pr[B(g, g_1, \dots, g_q, g', e(g, g')^{1/\alpha}) = 0] - \Pr[B(g, g_1, \dots, g_q, g', R) = 0] \right| \ge \epsilon/n.
\]
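The final inequality combines two steps that the proof above leaves implicit. The following derivation is added here and is not part of the original paper; it assumes, as is standard for this kind of reduction but not stated on the page, that B guesses the index $i^*$ of the target user uniformly at random among the $n$ honest users before the game starts, outputs a uniformly random bit if it turns out that $pk^* \ne pk_{i^*}$, and otherwise outputs $0$ exactly when $b' = b$. The abort on $svk = svk^*$ is not accounted for here; Theorem 2 charges that event to the strong unforgeability of Sig.

\[
\Pr[pk^* = pk_{i^*}] = \frac{1}{n},
\]
independently of A's view, since the guess is never revealed to A. If $Z = e(g, g')^{1/\alpha}$ and the guess is correct, A sees a perfectly simulated game and $\Pr[b' = b] = \frac{1}{2} + \epsilon$ (taking the advantage with positive sign; otherwise B outputs the complement of A's guess). If $Z = R$ is random, $CT^*_b$ is independent of $b$ and $\Pr[b' = b] = \frac{1}{2}$ regardless of the guess. On a wrong guess B outputs a uniform bit, which equals $0$ with probability $\frac{1}{2}$. Therefore
\[
\Pr[B(g, g_1, \dots, g_q, g', e(g, g')^{1/\alpha}) = 0] = \frac{1}{n}\left(\frac{1}{2} + \epsilon\right) + \left(1 - \frac{1}{n}\right)\frac{1}{2} = \frac{1}{2} + \frac{\epsilon}{n},
\]
\[
\Pr[B(g, g_1, \dots, g_q, g', R) = 0] = \frac{1}{2},
\]
and subtracting gives exactly the bound $\epsilon/n$ stated above, which is the $1/n$ loss relative to A's advantage that Theorem 2 announces.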

V. FUNCTIONALITY ANALYSIS
In this section, we compare our proposed DSAS scheme with the proxy re-encryption schemes BVS [4], [5], HYF [21], SYL [31], WLQ [36] and ZCR [49], and the proxy searchable re-encryption schemes FSGW [12], SCLL [32], WHYLW [37] and YM [46], in terms of functionality. Table 2 gives the comparison between our scheme and these related works in terms of features (i.e. uni-directional, proxy-invisible, condition-hiding, collusion-resistance and keyword search).
• Uni-directional: Generally speaking, uni-directional proxy re-encryption is preferable to bi-directional proxy re-encryption, because the latter can be constructed from two instances of the former running in opposite directions, while the former cannot be constructed from the latter. As shown in Table 2, all the schemes meet this security requirement.
• Proxy-invisible: As shown in Table 2, only SYL [31] and our scheme have this property, which makes them more secure for the e-healthcare system.
• Condition-Hiding: With condition-hiding, the cloud server obtains less sensitive information, which makes the system more secure. As shown in Table 2, this goal is achieved only in FSGW [12] and our scheme.
• Collusion-resistance: As shown in Table 2, only FSGW [12], SYL [31] and our scheme achieve this security property, under which a delegator's private key remains secure even if a dishonest cloud server colludes with the delegatee.

VI. PERFORMANCE ANALYSIS
In this section, we evaluate the performance of our DSAS system based on both real experiments and simulation.

A. EXPERIMENTAL SETTING
Using the Type A curves of the Pairing Based Cryptography (PBC) library [22], we run our proposed scheme on a laptop with a 1.8 GHz Intel Core i5-8250U processor (Windows 10 operating system, 8 GB of RAM), which acts as the cloud server. This environment runs the algorithms ReEnc and Test, which require substantial computational and storage capability. In contrast, the users or sensor devices in our system have low computational capability; to run the algorithms KeyGen, Enc, ReKeyGen, Trapdoor and Dec, we deploy two Raspberry Pi sensor nodes (ARM Cortex-A53 1.2 GHz 64-bit quad-core ARMv8 CPU) that form a wirelessly linked Industrial Internet of Things (IIoT). The nodes communicate with each other over the ZigBee protocol, and with the cloud server in a one-hop or multi-hop manner. In the experiment, let $|\mathbb{G}|$ denote the bit length of an element of $\mathbb{G}$ and $|\mathbb{G}_T|$ the bit length of an element of $\mathbb{G}_T$. Since only the schemes FSGW [12] and YM [46] are conditional searchable proxy re-encryption schemes, we compare our scheme only with these two; the simulation results are shown in Fig. 4 to Fig. 11.

B. EXPERIMENTAL EVALUATION
In the key generation phase, the system constructs a public-private key pair for each user with only 2 exponentiations in DSAS; the cost in FSGW [12] and YM [46] is 4 exponentiations and 1 exponentiation respectively. The computational cost of key generation is constant per user in all schemes, which is significantly efficient for the lightweight devices in an e-healthcare system; as shown in Fig. 4, the total computation cost increases linearly with the number of users.
On receiving their public-private key pairs, the sensors for data collection encrypt the collected PHRs with doctor Alice's public key before uploading them to the cloud server. First, the sensors continuously collect PHRs F from the physical environment, then extract a keyword w from these data. Second, they run algorithm Enc to generate the searchable-index healthcare ciphertext under doctor Alice's public key $pk_{Alice}$. Finally, they upload all ciphertexts $CT_{Alice}$ to the cloud server. The cost per file is $5|\mathbb{G}| + 2|\mathbb{G}_T|$ in DSAS, and $3|\mathbb{G}| + 2|\mathbb{G}_T|$ and $3|\mathbb{G}| + 1|\mathbb{G}_T|$ in FSGW [12] and YM [46] respectively. The computational cost of ciphertext generation is constant per file in all schemes. Clearly from Fig. 5 and Fig. 6, the computation cost increases linearly with the number of files.
On receiving the ciphertext, Alice can delegate the search and decryption operations to Bob through the cloud server if she is unavailable. The computational cost of re-encryption key generation is exhibited in Fig. 7. The cost in FSGW [12] and YM [46] is $4|\mathbb{G}|$ and $2|\mathbb{G}|$ respectively, whereas DSAS requires $1|\mathbb{G}| + 2|\mathbb{G}_T|$ per re-encryption key. The reason is that DSAS embeds the trapdoor into the re-encryption key, which is what hides the proxy condition. DSAS therefore sacrifices some computing efficiency in this phase in exchange for better security.
Given the re-encryption key, the cloud server runs algorithm ReEnc to convert the corresponding ciphertext into $CT_{Bob}$ under Bob's public key with only 4 exponentiations in DSAS; the cost in FSGW [12] and YM [46] is 3 and 6 exponentiations respectively. Next comes the encrypted keyword search: given a trapdoor generated by Bob, the cloud server runs algorithm Test to perform information retrieval over the encrypted PHRs. The cost of DSAS is only 3 pairing operations, while FSGW [12] needs 2 pairing operations and 2 exponentiations, and YM [46] needs 3 pairing operations and 2 exponentiations. As shown in Fig. 8 and Fig. 10, DSAS and YM [46] have an advantage over FSGW [12] in re-encryption and encrypted keyword search.
Bob can search the converted ciphertext by running algorithm Trapdoor to generate a trapdoor $t_w$ under keyword w and his private key $sk_{Bob}$. Trapdoor generation costs 1 exponentiation in both YM [46] and DSAS, and 4 exponentiations in FSGW [12]. Given the trapdoor $t_w$ and the ciphertext $CT_{Bob}$, the cloud server runs algorithm Test to find the matching ciphertext. Finally, Bob obtains the intended data by decrypting the matched ciphertext with his private key $sk_{Bob}$ using algorithm Dec. Because YM [46] provides no decryption capability, it is not considered in this comparison. As shown in Fig. 9 and Fig. 11, DSAS is as efficient in decryption as FSGW [12].
In summary, compared with FSGW, DSAS has a slightly higher cost in KeyGen and Enc; compared with YM, DSAS has a slightly higher cost in index encryption. These results are acceptable since these costs are one-time: users only pay them when joining the system and when uploading the e-healthcare records. To protect the privacy of conditions, we embed the trapdoor of the searchable encryption into the re-encryption key, which makes the performance of ReKeyGen unsatisfactory; this is what we need to improve in future work. Last but not least, our proposed scheme DSAS enjoys good efficiency in encrypted information retrieval and ciphertext decryption, which shows that DSAS is suitable for the e-healthcare system.

VII. CONCLUSION
In this paper, we presented a proxy-invisible, condition-hiding proxy re-encryption scheme with keyword search that can be applied to secure data sharing and delegation in e-healthcare systems. With our new system, a doctor, Alice (delegator), can construct a conditional authorization for another doctor, Bob (delegatee), by specifying a re-encryption key. With the re-encryption key, the cloud server can perform the ciphertext transformation so that Bob is able to access the PHRs originally encrypted under Alice's public key, thus enabling secure delegation. The cloud server can search over the encrypted PHRs on behalf of the doctor without learning anything about the keyword or the underlying condition. Specifically, we achieved proxy-invisibility in the system. We have also obtained collusion-resistance, under which the delegator's (Alice's) private key remains secure even if a dishonest cloud server colludes with the delegatee (Bob). We have demonstrated security through a rigorous proof, and the performance analysis confirms that our proposed scheme DSAS is efficient and practical.