Cite this article:
- Song Zhiming, Tong Hui, Song Junrong, Li Jiaxin, Long Leijin. A Blockchain-Integrated Medical Cloud Data Sharing Scheme Based on Secure and Outsourcable Multi-Authority CP-ABE [J]. Journal of Cyber Security, accepted.

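Abstract (translated from the Chinese):
With the wide application of Electronic Health Records (EHR) in the healthcare industry, the need for EHR privacy protection and secure cross-institution sharing is increasingly urgent. Existing sharing schemes commonly suffer from insufficiently fine-grained access control, limited privacy protection, and weak cross-institution mutual-trust mechanisms, and in cloud environments they still face risks such as data tampering and storage repudiation. To this end, this paper proposes a medical cloud data sharing scheme that integrates blockchain with Ciphertext-Policy Attribute-Based Encryption (CP-ABE). The scheme has the following main features: (1) Functional completeness: a more feature-complete CP-ABE algorithm is designed that, for cross-institution multi-role scenarios, supports both multiple authorities and a large attribute universe, and further implements dynamic attribute update and revocation, access-policy hiding, decryption testing under hidden policies, and outsourced decryption, thereby jointly balancing fine-grained authorization flexibility, policy (attribute) privacy protection, and usability on lightweight terminals; (2) Enhanced security: a blockchain-based collaborative protection mechanism is built against cloud-service tampering and repudiation threats. By synchronizing system parameters on-chain, anchoring hashes of shared data, and recording the cloud service's digital signatures on ciphertexts, it forms an auditable and accountable evidence chain of "shared-data hash–cloud service signature–user signature", enhancing the trustworthiness, traceability, and interoperability of cross-institution sharing; (3) Balanced performance: the static security of the proposed CP-ABE is proved in the random oracle model, and the overall scheme is systematically analyzed in terms of policy and outsourcing privacy, resistance to tampering and repudiation, and forward and backward security of attribute update and revocation. Further experimental comparison and overhead evaluation also show that the scheme, while providing more complete security functionality, still maintains good efficiency, achieving an overall balance of security and performance.

Keywords: data sharing; blockchain; CP-ABE; multi-authority; large attribute universe; policy hiding; outsourcing
DOI:
Submitted: 2025-09-15. Revised: 2026-01-22.
Funding: National Natural Science Foundation of China; Yunnan Provincial Science and Technology Plan Project (Major Science and Technology Special Project); Yunnan Provincial Basic Research Program; Open Project of the Yunnan Provincial Key Laboratory of Forensic Science and Technology; Open Project of the Yunnan Provincial Key Laboratory of Smart City Cyberspace Security; Humanities and Social Sciences Research Project of the Ministry of Education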

A Blockchain-Integrated Medical Cloud Data Sharing Scheme Based on Secure and Outsourcable Multi-Authority CP-ABE

Songzhiming, Tonghui, Songjunrong, Lijiaxin, Longleijin
(Yunnan University of Finance and Economics)

Abstract:
With the widespread adoption of electronic health records (EHRs) in the healthcare industry, the demand for privacy preservation and secure cross-institution data sharing has become increasingly urgent. Existing sharing schemes commonly suffer from coarse-grained access control, limited privacy protection, and weak inter-organizational trust, and they still face risks such as data tampering and storage repudiation in cloud environments. To address these issues, this paper proposes a medical cloud data-sharing scheme that integrates blockchain with ciphertext-policy attribute-based encryption (CP-ABE). The proposed scheme has the following key features: (1) Functional completeness: We design a more feature-complete CP-ABE algorithm that supports multi-authority settings and a large attribute universe for cross-institution, multi-role scenarios, and further enables dynamic attribute update and revocation, access-policy hiding, decryption testing under hidden policies, and verifiable outsourced decryption, thereby jointly achieving fine-grained authorization flexibility, policy/attribute privacy protection, and lightweight usability for resource-constrained users; (2) Enhanced security: We develop a blockchain-assisted collaborative protection mechanism against cloud-side tampering and repudiation by synchronizing system parameters on-chain, anchoring shared-data hashes, and recording the cloud service’s digital signatures on ciphertexts, forming an auditable and accountable evidence chain of “shared-data hash–cloud signature–user signature” to strengthen trustworthiness, traceability, and interoperability in cross-institution sharing; (3) Balanced performance: We prove the static security of the proposed CP-ABE in the random oracle model and conduct a systematic security analysis of the overall scheme from the perspectives of policy and outsourcing privacy, tamper-/repudiation-resistance, and forward/backward security for attribute update and revocation. Further experimental comparisons and overhead evaluations show that the scheme maintains favorable computational efficiency while incorporating critical security functionalities, achieving a comprehensive balance between security and performance.

Key words: Data sharing; Blockchain; CP-ABE; Multi-Authority; Large attribute universe; Policy hiding; Outsourcing