In this section, we analyze the security of the scheme, including correctness, unforgeability and privacy.
Theorem 1. Authorized DR can correctly verify the integrity of the data stored in CSS.
Proof. Theorem 1 can be proved by verifying the correctness of eq. (4). The proof is as follows.
$$
\begin{aligned}
TP \oplus L
&= \sum_{i=1}^{c} T_i \oplus \sum_{i=1}^{c} \mathrm{sig}_g\bigl(h(R_i) \oplus H_1(t_i \parallel v_i)\bigr) \\
&= \sum_{i=1}^{c} \mathrm{sig}_g\bigl(m_i \oplus H_1(t_i \parallel v_i)\bigr) \oplus \mathrm{sig}_g\bigl(h(R_i) \oplus H_1(t_i \parallel v_i)\bigr) \\
&= \sum_{i=1}^{c} \mathrm{sig}_g\bigl(m_i \oplus h(R_i)\bigr) \\
&= \mathrm{sig}_g\Bigl(\sum_{i=1}^{c}\bigl(m_i \oplus h(R_i)\bigr)\Bigr)
\end{aligned}
$$
The last step uses the XOR-homomorphic property of sig_g. Hence, by checking eq. (4), DR can verify whether the data stored in CSS is undamaged.
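The following is an added worked instance of the Theorem 1 identity; it is example code written for this page, not code from the scheme's authors. Everything not defined on the page is an assumption: sig_g is modelled as multiplication by a secret element g of GF(2^128), a toy that is XOR-homomorphic but not an unforgeable signature (it illustrates correctness, not Theorem 4); h and H_1 are SHA-256 truncated to 128 bits; the blocks, timestamps, versions and challenge nonces are constructed values. Because eq. (4) has the verifier compute L with sig_g, the same signer object is used by all three roles here.

```python
"""Toy model of the XOR-homomorphic integrity audit of Theorem 1 (added example, not the paper's code)."""
import hashlib
import secrets

N_BITS = 128
MASK = (1 << N_BITS) - 1
GCM_POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1, the GF(2^128) modulus used by AES-GCM


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiplication of a and b modulo GCM_POLY (arithmetic in GF(2^128))."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= GCM_POLY
    return r


def h(R: bytes) -> int:
    """h(R_i): hash of the challenge nonce, truncated to the 128-bit tag space (assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(b"h|" + R).digest()[:16], "big")


def H1(t: bytes, v: bytes) -> int:
    """H_1(t_i || v_i): hash of the block's timestamp and version (assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(b"H1|" + t + b"|" + v).digest()[:16], "big")


class XorHomomorphicSigner:
    """Toy stand-in for sig_g: multiplication by a secret nonzero element g of GF(2^128).
    Multiplication by a constant is GF(2)-linear, so sig(a) ^ sig(b) == sig(a ^ b), which is all the
    Theorem 1 derivation needs. It is NOT an unforgeable signature (one input/output pair reveals g)."""

    def __init__(self, g=None):
        self.g = g if g is not None else (secrets.randbits(N_BITS) or 1)

    def sign(self, x: int) -> int:
        return gf128_mul(x & MASK, self.g)


def make_tags(signer, blocks, meta):
    """Data owner: T_i = sig_g(m_i ^ H_1(t_i || v_i)) for every stored block."""
    return [signer.sign(m ^ H1(t, v)) for m, (t, v) in zip(blocks, meta)]


def prove(signer, stored_blocks, tags, challenge):
    """Cloud server: data proof DP = sig_g(XOR_i (m_i ^ h(R_i))) and tag proof TP = XOR_i T_i
    over the challenged indices (the page's sums are XOR aggregates)."""
    agg, tp = 0, 0
    for i, R in challenge:
        agg ^= stored_blocks[i] ^ h(R)
        tp ^= tags[i]
    return signer.sign(agg), tp


def verify(signer, meta, challenge, proof):
    """Data requester: L = XOR_i sig_g(h(R_i) ^ H_1(t_i || v_i)); accept iff DP == TP ^ L (eq. (4))."""
    dp, tp = proof
    L = 0
    for i, R in challenge:
        t, v = meta[i]
        L ^= signer.sign(h(R) ^ H1(t, v))
    return dp == tp ^ L


def run_audit(corrupt_block=None):
    """One complete audit round over constructed data. Returns True iff the proof verifies."""
    signer = XorHomomorphicSigner(g=0x0123456789ABCDEF0123456789ABCDEF)   # fixed toy key
    blocks = [int.from_bytes(hashlib.sha256(b"block-%d" % i).digest()[:16], "big") for i in range(8)]
    meta = [(b"2024-01-%02d" % (i + 1), b"v1") for i in range(8)]         # (t_i, v_i), constructed
    tags = make_tags(signer, blocks, meta)

    stored = list(blocks)
    if corrupt_block is not None:
        stored[corrupt_block] ^= 1           # a single flipped bit in the server's copy
    challenge = [(i, hashlib.sha256(b"R-%d" % i).digest()) for i in (1, 3, 5)]   # (i, R_i), constructed
    return verify(signer, meta, challenge, prove(signer, stored, tags, challenge))


if __name__ == "__main__":
    print("honest server:", run_audit())
    print("challenged block 3 corrupted:", run_audit(corrupt_block=3))
    print("unchallenged block 2 corrupted:", run_audit(corrupt_block=2))
```

Because g is a nonzero field element, a one-bit change in any challenged block changes DP by g and the check fails; a corrupted block that the challenge does not sample is not detected, which is why the audit's challenge set must be chosen randomly by the verifier rather than by the server.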
Theorem 2. Authorized DR can correctly recover the shared data if its attributes satisfy the access structure.
Proof. Theorem 2 can be proved by verifying the correctness of eq. (5). The proof is as follows.
$$
\begin{aligned}
CK'
&= \frac{e(C', K)}{W} \\
&= \frac{e(C', K)}{\prod_{i \in I}\bigl(e(C_i, K')\, e(E_i, K_{\rho(i)})\bigr)^{\omega_i}} \\
&= \frac{e\bigl(g^{s},\; g^{\alpha}\sigma^{t}V\bigr)}{\prod_{i \in I}\bigl(e(C_i,\; g^{t}V')\, e(E_i, K_{\rho(i)})\bigr)^{\omega_i}} \\
&= \frac{e\bigl(g^{s},\; g^{\alpha}\sigma^{t}V\bigr)}{\prod_{i \in I}\Bigl(e\bigl(\sigma^{\lambda_i} f_{\rho(i)}^{-r_i},\; g^{t}V'\bigr)\, e\bigl(g^{r_i},\; f_{\rho(i)}^{t} V_{\rho(i)}\bigr)\Bigr)^{\omega_i}} \\
&= e(g, g)^{\alpha s} \\
&= \theta^{s}
\end{aligned}
$$
Then DR computes SK = C / CK′ and F = H2(SK) ⨁ F′ to recover the plaintext of the shared data.
Theorem 3. It is computationally infeasible for CSS, CMS and an unauthorized DR to obtain the plaintext of the health data in the scheme.
Proof. In the data processing phase, DO encrypts the file F to F′ = H2(SK) ⨁ F, where SK is known only to DO. Therefore the file is confidential against both CSS and CMS. This guarantee rests on H2 being a secure one-way hash function, so that the mask H2(SK) cannot be obtained without SK, and, since F′ is F masked by XOR, on the mask H2(SK) not being reused for a second file. In the data sharing phase, CSS sends {C, F′} to DR, where C = SK · θ^s and F′ is the ciphertext of the shared data. CMS computes the intermediate value that DR needs to unblind SK from C, and hence to decrypt F′, only if DR's attributes satisfy the access structure. Therefore an unauthorized DR obtains no information about the sensitive data.
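The recovery step of Theorem 2 (SK = C / CK′, F = H2(SK) ⨁ F′) and the masking argument of Theorem 3, carried through as an added example that is not part of the original scheme's code. Assumptions not on the page: the pairing group is replaced by the multiplicative group modulo the Mersenne prime 2^127 − 1, with THETA standing in for θ = e(g,g)^α, so CK′ = θ^s is obtained by direct exponentiation instead of the pairing product of Theorem 2; H2 is instantiated as SHAKE-256 stretched to the file length, since the page does not fix its output length; SK, s and the health record are constructed values; an unauthorized DR is modelled as one holding a wrong CK′.

```python
"""Key blinding C = SK * theta^s and file masking F' = H2(SK) xor F (added example, not the paper's code)."""
import hashlib

P = (1 << 127) - 1     # Mersenne prime; Z_P^* stands in for the pairing target group (assumption)
THETA = 5              # stands in for theta = e(g, g)^alpha (assumption)

SAMPLE_RECORD = b"patient-42: blood pressure 128/82, HbA1c 6.1%"   # constructed sample file F
SK_DEMO = 0x1234567890ABCDEF1234567890ABCDEF                       # constructed SK (< P)
S_DEMO = 987654321                                                  # constructed encryption randomness s


def H2(sk: int, n: int) -> bytes:
    """H_2(SK) stretched to n bytes with SHAKE-256 so a file of any length can be masked (assumed)."""
    return hashlib.shake_256(sk.to_bytes(16, "big")).digest(n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def data_owner_encrypt(F: bytes, sk: int, s: int):
    """DO: C = SK * theta^s and F' = H_2(SK) xor F. Returns the pair {C, F'} that CSS stores."""
    C = sk * pow(THETA, s, P) % P
    return C, xor_bytes(H2(sk, len(F)), F)


def data_requester_recover(C: int, F_prime: bytes, ck_prime: int) -> bytes:
    """DR: SK = C / CK' with CK' = theta^s from Theorem 2, then F = H_2(SK) xor F'."""
    sk = C * pow(ck_prime, -1, P) % P
    return xor_bytes(H2(sk, len(F_prime)), F_prime)


def demo(authorized: bool) -> bytes:
    """Full round: DO encrypts, CSS hands {C, F'} to DR, DR unblinds with CK'.
    An unauthorized DR is modelled as one holding a wrong CK' (theta^(s+1) instead of theta^s)."""
    C, F_prime = data_owner_encrypt(SAMPLE_RECORD, SK_DEMO, S_DEMO)
    ck_prime = pow(THETA, S_DEMO if authorized else S_DEMO + 1, P)
    return data_requester_recover(C, F_prime, ck_prime)


def mask_reuse_leak(F1: bytes, F2: bytes, sk: int, s1: int, s2: int) -> bytes:
    """Why the Theorem 3 argument needs a fresh SK per file: if one SK masks two equal-length files,
    F1' xor F2' equals F1 xor F2 whatever s is, because the mask H_2(SK) cancels."""
    _, F1_prime = data_owner_encrypt(F1, sk, s1)
    _, F2_prime = data_owner_encrypt(F2, sk, s2)
    return xor_bytes(F1_prime, F2_prime)


if __name__ == "__main__":
    print("authorized DR recovers:", demo(True) == SAMPLE_RECORD)
    print("wrong CK' recovers:", demo(False) == SAMPLE_RECORD)
```

The blinding factor θ^s is what CMS's intermediate value lets an authorized DR remove; without it, C reveals nothing about SK in the group, and F′ is then an XOR mask under an unknown key.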
Theorem 4. It is computationally infeasible for CSS to forge an integrity proof that passes public verification, provided the XOR-homomorphic function sig_g is secure.
Proof. We prove the theorem with the following sequence of games. In the games, the adversary is the party that tries to forge an integrity proof that passes public verification.
Game 1 is the challenge game. The challenger generates the public/private key pair (PK, MK) and gives PK to the adversary. The adversary may interact with the challenger and query tags for data blocks of its choice; the challenger computes the corresponding block tags and returns them to the adversary. When the challenger issues a challenge, the adversary responds with a data proof and a tag proof.
Game 2 is the same as Game 1, except that the challenger keeps every tag it has issued in response to the queries. If the aggregated tag proof TP returned by the adversary is not equal to \( \sum_{i=1}^c T_i \) computed from those tags, the challenger declares that the game has failed.
Game 3 is the same as Game 2, except that the challenger also keeps every response to the adversary's queries. Suppose the challenger sends the challenge ch = {(i, R_i)} and the correct reply is P = (DP, TP) with \( TP=\sum_{i=1}^c T_i \); in the scheme this proof satisfies the verification equation DP = TP ⨁ L. Suppose the adversary instead returns a forged proof P′ = (DP′, TP′), with \( {TP}^{\prime }=\sum_{i=1}^c {T_i}^{\prime } \), that also passes verification, so that DP′ = TP′ ⨁ L holds as well. Define △DP = DP′ ⨁ DP and △TP = TP′ ⨁ TP. XORing the two verification equations cancels L and leaves △DP = △TP. This equation holds with probability \( \frac{1}{q} \), which is negligible.