In this section, we analyze the security of the scheme, including correctness, unforgeability and privacy.

*Theorem 1.* Authorized *DR* can correctly verify the integrity of the data stored in *CSS*.

Proof. Theorem 1 can be proved by verifying the correctness of eq. (4). The proof is as follows.

$$ \begin{aligned}
TP \oplus L &= \sum_{i=1}^{c} T_i \oplus \sum_{i=1}^{c} sig_g\left(h(R_i) \oplus H_1(t_i \parallel v_i)\right) \\
&= \sum_{i=1}^{c} \left( sig_g\left(m_i \oplus H_1(t_i \parallel v_i)\right) \oplus sig_g\left(h(R_i) \oplus H_1(t_i \parallel v_i)\right) \right) \\
&= \sum_{i=1}^{c} sig_g\left(m_i \oplus h(R_i)\right) \\
&= sig_g\left(\sum_{i=1}^{c} \left(m_i \oplus h(R_i)\right)\right)
\end{aligned} $$

From the proof of eq. (4), *DR* can verify whether the data stored in *CSS* is undamaged.
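The identity proved above can be exercised end to end, including the case where a stored block is altered after tagging; the following Python code is an added example, not code from the paper. It assumes that Σ denotes XOR aggregation, that *h* and *H*_{1} are SHA-256 truncated to 128 bits, and that *sig*_{g} is a toy GF(2)-linear map whose parameter `g` is passed explicitly to every role; the map is chosen only because it satisfies the XOR-homomorphic property and is not a secure instantiation.

```python
import hashlib
from functools import reduce

N = 128  # bit length of blocks, hashes and tags (assumed for the example)

def hash_bits(label, data):
    """Stand-in for h, H_1 and parameter derivation: SHA-256 truncated to N bits."""
    return int.from_bytes(hashlib.sha256(label + data).digest()[:N // 8], "big")

def keygen(seed):
    """Toy parameter g: N pseudo-random N-bit columns of a GF(2) matrix."""
    return [hash_bits(b"g", seed + bytes([j])) for j in range(N)]

def sig(g, x):
    """XOR the columns selected by the set bits of x: sig(a ^ b) == sig(a) ^ sig(b)."""
    return reduce(lambda acc, j: acc ^ g[j] if (x >> j) & 1 else acc, range(N), 0)

def xor_all(values):
    return reduce(lambda a, b: a ^ b, values, 0)

def tag(g, m, t, v):
    """T_i = sig_g(m_i XOR H_1(t_i || v_i))."""
    return sig(g, m ^ hash_bits(b"H1", t + v))

def prove(g, blocks, tags, challenge):
    """Storage side: DP over the challenged blocks, TP over their tags."""
    dp = sig(g, xor_all(blocks[i] ^ hash_bits(b"h", r) for i, r in challenge))
    tp = xor_all(tags[i] for i, _ in challenge)
    return dp, tp

def verify(g, meta, challenge, dp, tp):
    """Verifier side: rebuild L without the blocks and check DP == TP XOR L."""
    l = xor_all(sig(g, hash_bits(b"h", r) ^ hash_bits(b"H1", meta[i][0] + meta[i][1]))
                for i, r in challenge)
    return dp == tp ^ l

def demo():
    g = keygen(b"constructed-seed")
    blocks = [hash_bits(b"block", bytes([i])) for i in range(4)]  # constructed data
    meta = [(b"t%d" % i, b"v1") for i in range(4)]                # constructed t_i, v_i
    tags = [tag(g, m, *meta[i]) for i, m in enumerate(blocks)]
    challenge = [(0, b"R0"), (2, b"R2"), (3, b"R3")]              # pairs (i, R_i)
    honest = verify(g, meta, challenge, *prove(g, blocks, tags, challenge))
    blocks[2] ^= 1  # one flipped bit in a stored block, tags left unchanged
    tampered = verify(g, meta, challenge, *prove(g, blocks, tags, challenge))
    return honest, tampered

if __name__ == "__main__":
    print(demo())
```
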

*Theorem 2.* Authorized *DR* can correctly recover the shared data if he owns the legal attributes.

Proof. Theorem 2 can be proved by verifying the correctness of eq. (5). The proof is as follows.

$$ \begin{aligned}
CK' &= \frac{e(C', K)}{W} \\
&= \frac{e(C', K)}{\prod_{i \in I} \left( e(C_i, K')\, e(E_i, K_{\rho(i)}) \right)^{\omega_i}} \\
&= \frac{e(g^{s}, g^{\alpha} \sigma^{t} V)}{\prod_{i \in I} \left( e(C_i, g^{t} V')\, e(E_i, K_{\rho(i)}) \right)^{\omega_i}} \\
&= \frac{e(g^{s}, g^{\alpha} \sigma^{t} V)}{\prod_{i \in I} \left( e\left(\sigma^{\lambda_i} f_{\rho(i)}^{-r_i}, g^{t} V'\right) e\left(g^{r_i}, f_{\rho(i)}^{t} V_{\rho(i)}\right) \right)^{\omega_i}} \\
&= e(g, g)^{\alpha s} \\
&= \theta^{s}
\end{aligned} $$

Then *DR* computes *SK* = *C*/*CK*^{′} and *F* = *H*_{2}(*SK*) ⨁ *F*^{′} to recover the plaintext of the shared data.

*Theorem 3.* It is computationally infeasible for *CSS, CMS* and unauthorized *DR* to get the plaintext of health data in the scheme.

Proof. In the data processing phase, *DO* encrypts file *F* to *F*^{′} with *F*^{′} = *H*_{2}(*SK*) ⨁ *F*, where *SK* is a secret known only to *DO*. Therefore, the file is confidential to both *CSS* and *CMS*. The confidentiality guarantee depends on the security of the hash function *H*_{2}. As *H*_{2} is a secure one-way hash function, the data is private to *CSS* and *CMS*. In the data sharing phase, *CSS* sends {*C*, *F*^{′}} to *DR*, where *C* = *SK* · *θ*^{s} and *F*^{′} is the ciphertext of the shared data. *CMS* computes the intermediate value that *DR* needs to decrypt the shared data *F*^{′} only if *DR*'s attributes satisfy the access structure. Therefore, no unauthorized *DR* can obtain any information on the sensitive data.

*Theorem 4.* It is computationally impossible for *CSS* to forge an integrity proof that passes the public verification, if the XOR-homomorphic function is secure.

Proof. We can prove the theorem with the following games. In the games, we suppose the adversary is the party who forges an integrity proof to pass the public verification.

Game 1 is the challenge game. The challenger generates a public-private key pair (*PK*, *MK*) and provides *PK* to the adversary. The adversary is able to interact with the challenger and query some data blocks. The challenger then computes the corresponding block tags and returns them to the adversary. When the challenger issues a challenge to the adversary, the adversary can respond with a data proof and a tag proof.

Game 2 is another challenge game in which the challenger keeps all the tags ever issued as part of the queries. If the challenger detects that the aggregated block tag *TP* does not satisfy \( TP=\sum_{i=1}^{c} T_i \), he declares that the game fails.

Game 3 is the same as Game 2, with one difference: the challenger keeps all response sequences to the adversary's queries. Suppose the challenger sends *ch* = (*i*, *R*_{i}) to the adversary, and the adversary's reply to the query is *P* = (*DP*, *TP*), where \( TP=\sum_{i=1}^{c} T_i \). In the scheme, *P* is the correct proof and the equation *DP* = *TP* ⨁ *L* holds. Suppose the adversary's proof is *P*^{′} = (*DP*^{′}, *TP*^{′}), where \( TP'=\sum_{i=1}^{c} T_i' \); then the equation *DP*^{′} = *TP*^{′} ⨁ *L* also holds. We define △*DP* = *DP*^{′} ⨁ *DP* and △*TP* = *TP*^{′} ⨁ *TP*. Applying the *XOR* operation to the two verification equations gives △*DP* = △*TP*. This equation holds with probability \( \frac{1}{q} \), which is negligible.