Submitted:
02 July 2026
Posted:
03 July 2026
You are already at the latest version
Abstract
Keywords:
1. Introduction
- Is there any approach that enables the signature exposing no information of signer’s identity while the signer does not need to save numerous pseudonyms?
- Whether any method exists to allow someone other than the signer to modify the signed data non-interactively without changing the data source?
- Whether any method exists to allow the signer specify who can modify the signed data and which parts of the data can be modified through a fine-grained access control policy?
- Fine-grained Access Control: Users and medical institutions can specify who can modify the data and which parts of the data they sign can be modified through a fine-grained access control policy. Only authorized entities can modify the permitted parts of the signed data.
- Privacy Preserving: In our scheme, to hide the identity, the user and the medical institutions sign the data with a fresh related signing key each time, which belongs to the same equivalence class. Unauthorized entities without the corresponding trapdoor cannot link these different keys, i.e., unauthorized entities cannot trace the original signer and modifier of the signed data. Thus, the transmitted data do not reveal user’s personal information.
- Transparency: Authorized entity can sign the modified data in a non-interactive way, and the signature is difficult to distinguish from the original signature.
- Accountability: Neither the original signer (the user or the medical institutions) nor the authorized modifier can accuse the other’s signature. Only authorized entities can trace to the malicious signer or the modifier accurately.
- Friendly to Resource-Constrained Sensors and IoT Nodes: We further design a verifiable outsourced authentication scheme for IoT-connected healthcare sensor networks. In this scheme, the time-consuming pairing operations are outsourced to two cloud servers that are mutually distrusted. In this way, the verification process only needs six multiplication operations, which is friendly to resource-constrained users, wearable devices, sensor gateways, and edge relay nodes.
1.1. Related Work
1.2. Organization
2. Materials and Methods
2.1. Prime Order Bilinear Groups
- Bilinearity: For all , , and ,
- Non-degeneracy: For all and , .
- Computability: For all and , can be efficiently computed.
2.2. Monotone Span Program
2.3. Ciphertext-Policy Attribute-Based Encryption
Definition: Ciphertext-Policy Attribute-Based Encryption ().
- takes the security parameter as input and outputs the public parameter and the master secret key .
- takes the public parameter , the access policy A, and the message m as input, and outputs the ciphertext .
- takes the master secret key and the set of attributes S as input, and outputs the secret key for S.
- takes the public parameter , the ciphertext , and the secret key as input, and outputs the message .
2.4. Non-Interactive Zero-Knowledge Proof (NIZK)
- takes the security parameter as input and outputs the common reference string .
- takes , the statement x, and the corresponding witness as input, and outputs the proof .
- takes , the statement x, and the proof as input, and outputs 1 if is valid; otherwise, it outputs 0.
2.5. Signature with Flexible Public Key
Definition: Signature with Flexible Public Keys ().
- inputs the security parameter and outputs the public reference string , which is then used as the default input to subsequent algorithms.
- inputs the security parameter and the random coins , and outputs the public/private key pair .
- inputs the security parameter and the random coins , and outputs the public/private key pair and the trapdoor .
- inputs the signing key and the message , and outputs the signature .
- outputs 1 if ; otherwise, it outputs 0.
- inputs the public key , which is a delegate of the equivalence class , and random coins r, and outputs a different delegate .
- inputs the secret key , which is a delegate of the equivalence class , and random coins r, and outputs a different delegate .
- inputs the public key , the message m, and the signature , and outputs 1 if the signature is valid; otherwise, it outputs 0.
2.6. Programmable Hash Functions
- inputs the security parameter and outputs the key .
- inputs the key and , and deterministically outputs the hash value y, where represents the length of .
3. System Model and Security Model
3.1. System Model
- Users: Users collect health data through wearable or portable IoT devices. A user may be malicious in the sense that an unauthorized user may attempt to impersonate a legitimate subscriber of a remote diagnosis service. Multiple IoT devices owned by the same user correspond to the same set of keys. Before transmission, the user removes personal information from the collected health data, specifies which medical institutions may modify the signed data and which parts may be modified, and signs the transmitted health data with a fresh related signing key.
- Sensor/edge relay nodes: Wearable sensors, home gateways, mobile medical terminals, and edge relay nodes provide sensing, communication, relay, and lightweight verification support between users and medical institutions, especially in continuous monitoring, emergency response, rural coverage, temporary medical service, and public-safety healthcare scenarios. These nodes are not assumed to be fully trusted with identity information. They may forward signed health data, help perform verification, or interact with outsourced cloud servers, but they should not be able to infer the identities of users or medical institutions from transmitted signatures.
- Trusted Authority: The TA is considered honest. It generates signing private keys for users and medical institutions, and issues attributes and attribute keys to all entities other than itself. The TA also supports the traceability function required for accountability.
- Medical Institutions: Medical institutions are semi-honest. They can add or remove users’ personal information from signed data when they are authorized by the access control policy, generate diagnoses based on the recovered medical context, and sign diagnoses with fresh related signing keys. A valid signature generated after authorized modification is indistinguishable from an original signature.
3.2. Design Goals
- Fine-grained Access Control: Users and medical institutions can determine which entities may modify the signed data and which parts of the signed data may be modified through a specified fine-grained access control policy. Authorized entities can generate a new signature for modified data in a non-interactive manner, and the new signature is indistinguishable from the original signature.
- Privacy Preserving: The personal information of users and medical institutions should remain hidden during transmission through sensor, IoT, edge, and cloud communication channels.
- Transparency: The signature of modified data generated by authorized entities is indistinguishable from the signature of the original data.
- Accountability: Neither the original signer nor the authorized modifier can falsely accuse the other of signing. Authorized entities can trace malicious signers or modifiers accurately.
- Sensor/IoT Friendliness: The authentication mechanism should reduce online verification overhead so that sensor gateways, wearable devices, mobile medical terminals, and other resource-constrained IoT entities can participate in secure healthcare data exchange.
3.3. Definition
Definition: Fine-Grained and Flexible Privacy-Preserving Dual Authentication Scheme for IoT-Connected Healthcare Sensor Networks.
- : TA runs the setup algorithm, inputs the security parameter , and outputs the public/private key pair .
- : TA runs the key generation algorithm for signers, inputs , and outputs the signer’s signing public/private key pair .
- : TA runs the key generation algorithm for all entities, inputs and the entity-owned attribute set S, and outputs the private attribute key and the public/private key pair of the entity.
- : Users or medical institutions run the signing algorithm, input , the private signing key , the access control policy A, and the message m, and output a valid signature .
- : Authorized entities run the signature modification algorithm, input , the previous signature , the modified message , and the private attribute key , and output a new signature for the modified message.
- : Anyone can run the verification algorithm with input , , m, and the signer’s public key . The algorithm outputs 1 if the signature is valid; otherwise, it outputs 0.
- : Authorized entities run the trace algorithm with input , , and the proof , and output the identity of the last signer.
3.4. Security Model
Definition: Fine-grained Access Control.
Definition: Transparency.
Definition: Privacy Preserving.
Definition: Accountability.
4. The Proposed Scheme
4.1. Overview
4.2. Description of the Proposed Scheme
-
Setup. . Letbe a bilinear pairing, where , , and are three multiplicative cyclic groups with prime order p, and and are generators of and , respectively. TA randomly choosesselects a random string , and obtains . It then computesFinally, TA outputs
-
KGenS. . TA first computesrandomly selects and , and computesIt outputs
-
KGenA. . TA first selects and computesFor and , it computeswhere and . TA setsFor , TA computeswhere , and setsThe entity computes , where f is a one-way function and x is a random number in , sends y to TA, and proves to TA that it owns x by zero knowledge. Finally, TA outputs
-
Sign. . The user or medical institution computeswhere is a random coin, , and for . It selects and computesSimilarly, it selects and obtainsThen it computes . Specifically, it randomly chooses and computeswhere is a monotone span program corresponding to the access structure, M has rows and columns, , and . It computesand outputsNext, it computeswhere and is the statement. It chooses and computesIn the same vein, it computeswhere represents a collection of message blocks that are not allowed to be modified and t represents the expiration time of the signature. Finally, it outputs
-
SignChg. . The authorized entity computesLet satisfy . The authorized entity computesandIt outputsThe authorized entity computeswhere and is a proof of . Finally, it outputs
- Verify. . The verifier first computes and checks whether it is equal to in . If so, the verifier checks whether in is equal to the corresponding value in . If the checks pass, it returnsotherwise, it returns ⊥. If is not equal to in , the verifier computes and checks whether it equals in , and then checks whether in equals the corresponding value in . If all checks pass, it returns b; otherwise, it returns ⊥.
- Trace. . Ifthe algorithm returns the identity corresponding to y; otherwise, it returns ⊥.
4.3. A Verifiable Outsourced Authentication Scheme
-
Pre-computation. is performed offline by the entity. The entity randomly selects q integers and computesIt computes and stores and locally. For vector generation, the entity selects a set E such that and . For each , it randomly chooses , where v is a small integer and , and computesIf , it repeats the operation; otherwise, it computesIn the same vein, it computes , , , and . It randomly selects and computesFinally, it stores
-
Outsourced verification. . When the verifier runs , the pairing operations can be outsourced to two cloud servers and . LetThe verifier needs to checkTo outsource , the verifier sendsto . Then computesand sends and to the verifier. The verifier sendsto . Then computesand sends to the verifier. The verifier checks whetherIf the checks hold, the verifier setsIn the same vein, the verifier obtains and checks whetherholds. It also checks whetherholds. If the above equations hold, the verifier outputs 1; otherwise, it outputs 0. Therefore, after outsourcing one pairing operation, the verifier only needs to perform three modular multiplication operations, and the whole verification process only needs six multiplication operations.
5. Results
5.1. Security Analysis
5.2. Performance Evaluation
5.3. Functionality Comparison
5.4. Performance Analysis and Comparison
5.4.1. The Comparison of Storage Space
5.4.2. The Comparison of Computation Overhead
6. Conclusions
Author Contributions
Funding
Conflicts of Interest
Abbreviations
| ABSS | Attribute-based sanitizable signature |
| CP-ABE | Ciphertext-policy attribute-based encryption |
| IoT | Internet of Things |
| NIZK | Non-interactive zero-knowledge proof |
| PBC | Pairing-Based Cryptography |
| PHF | Programmable hash function |
| SFPK | Signature with flexible public key |
| TA | Trusted authority |
References
- Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. 2013, 29, 1645–1660. [Google Scholar] [CrossRef]
- Leroy, G. A.; Chen, H.; Rindflesch, T. C. Smart and connected health. IEEE Intell. Syst. 2014, 29, 2–5. [Google Scholar] [CrossRef]
- Kiourtis, A.; Mavrogiorgou, A.; Kyriazis, D. A semantic similarity evaluation for healthcare ontologies matching to HL7 FHIR resources. Stud. Health Technol. Inform. 2020, 270, 13–17. [Google Scholar] [CrossRef] [PubMed]
- Kai, S.; Slamanig, D. Policy-based sanitizable signatures. CT-RSA 2020, 12006. [Google Scholar]
- Ateniese, G.; Chou, D. H.; Medeiros, B.; Tsudik, G. Sanitizable signatures. ESORICS 2005, 3679, 159–177. [Google Scholar] [CrossRef]
- Brzuska, C.; Fischlin, M.; Lehmann, A.; Schroder, D. Unlinkability of sanitizable signatures. PKC 2010, 6056, 444–461. [Google Scholar] [CrossRef]
- Canard, S.; Laguillaumie, F.; Milhau, M. Trapdoor sanitizable signatures and their application to content protection. ACNS 2008, 5037, 258–276. [Google Scholar] [CrossRef]
- Lai, J.; Ding, X.; Wu, Y. Accountable trapdoor sanitizable signatures. ISPEC 2013, 7863, 117–131. [Google Scholar] [CrossRef]
- Miyazaki, K.; Hanaoka, G.; Imai, H. Digitally signed document sanitizing scheme based on bilinear maps. In 2006 ACM CCS; 2006; pp. 343–354. [Google Scholar]
- Yuen, T. H.; Susilo, W.; Liu, J. K.; Mu, Y. Sanitizable signatures revisited. CANS 2008, 5339, 80–97. [Google Scholar] [CrossRef]
- Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In 13th ACM CCS; 2006; pp. 89–98. [Google Scholar]
- Ning, J.; Cao, Z.; Dong, X.; Ma, H.; Wei, L.; Liang, K. Auditable sigma-times outsourced attribute-based encryption for access control in cloud computing. IEEE Trans. Inf. Forensics Secur. 2018, 13, 94–105. [Google Scholar] [CrossRef]
- Ning, J.; Cao, Z.; Dong, X.; Liang, K.; Wei, L.; Choo, K. CryptCloud+: Secure and expressive data access control for cloud storage. IEEE Trans. Serv. Comput. 2021, 14, 111–124. [Google Scholar]
- Maji, H. K.; Prabhakaran, M.; Rosulek, M. Attribute-based signatures. CT-RSA 2011, 6558, 376–392. [Google Scholar] [CrossRef]
- Cui, H.; Deng, R.; Wang, G. An attribute-based framework for secure communications in vehicular ad hoc networks. IEEE/ACM Trans. Netw. 2019, 27, 721–733. [Google Scholar] [CrossRef]
- Li, J.; Au, M. H.; Susilo, W.; Xie, D.; Ren, K. Attribute-based signature and its applications. In 5th ACM CCS; 2010; pp. 60–69. [Google Scholar]
- Okamoto, T.; Takashima, K. Efficient attribute-based signatures for non-monotone predicates in the standard model. PKC 2011, 6571, 35–52. [Google Scholar] [CrossRef]
- Su, Q.; Zhang, R.; Xue, R.; Sun, Y.; Gao, S. Distributed attribute-based signature with attribute dynamic update for smart grid. IEEE Trans. Ind. Inform. 2023, 19, 9424–9435. [Google Scholar] [CrossRef]
- Rao, Y. S.; Dutta, R. Efficient attribute-based signature and signcryption realizing expressive access structures. Int. J. Inf. Secur. 2016, 15, 81–109. [Google Scholar]
- Li, J.; Chen, X.; Huang, X. New attribute-based authentication and its application in anonymous cloud access service. Int. J. Web Grid Serv. 2015, 11, 125–141. [Google Scholar] [CrossRef]
- Liu, X. Attribute based sanitizable signature scheme. J. Commun. 2013, 34, 148–155. [Google Scholar]
- Xu, L.; Zhang, X.; Wu, X.; Shi, W. ABSS: an attribute-based sanitizable signature for integrity of outsourced database with public cloud. In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy; 2015; pp. 167–169. [Google Scholar]
- Mo, R.; Ma, J.; Liu, X.; Li, Q. FABSS: Attribute-based sanitizable signature for flexible access structure. ICICS 2017, 10631. [Google Scholar]
- Beimel, A. Secret-sharing schemes: A survey. In Coding and Cryptology, IWCC 2011; 2011; Volume 6639. [Google Scholar]
- Agrawal, S.; Chase, M. FAME: Fast attribute-based message encryption. In ACM CCS 2017; 2017; pp. 665–682. [Google Scholar]
- Backes, M.; Hanzlik, L.; Kluczniak, K.; Schneider, J. Signatures with flexible public key: Introducing equivalence classes for public keys. In ASIACRYPT 2018; 2018. [Google Scholar]
- Hofheinz, D.; Kiltz, E. Programmable hash functions and their applications. In CRYPTO 2008; 2008; pp. 21–38. [Google Scholar]
- Tian, H.; Zhang, F.; Ren, K. Secure bilinear pairing outsourcing made more efficient and flexible. In ASIA CCS 2015; 2015; pp. 417–426. [Google Scholar]
- Pairing-Based Cryptography (PBC) library. Available online: https://crypto.stanford.edu/pbc/howto.html.
- The GNU Multiple Precision Arithmetic Library (GMP). Available online: http://gmplib.org.




| Metric | The scheme in [4] | Ours |
|---|---|---|
| Length of signing key | ||
| Length of authorized entities’ key | ||
| Length of signature | ||
| Time of signature generating () | 0.128 s | 0.806 s |
| Time of signature changing () | 0.109 s | 0.089 s |
| Algorithm | Construction summary |
|---|---|
| Setup | ; ; ; return and . |
| KGenS | ; return and . |
| KGenA | ; ; return , , and . |
| Sign | ; ; ; ; ; ; return . |
| SignChg | ; ; ; return . |
| Verify | ; return b. |
| Trace | If , return ; if , return ⊥. |
| Scheme | FGAC | Unforgeability | Transparency | Accountability | Privacy | RCU-friendly |
|---|---|---|---|---|---|---|
| [6] | N | Y | Y | N | N | N |
| [9] | N | Y | Y | N | N | N |
| [16] | N | Y | N | N | N | N |
| [17] | N | Y | N | N | N | N |
| [21] | N | Y | Y | N | N | N |
| [22] | Y | Y | – | – | N | N |
| [23] | Y | Y | Y | N | Y | N |
| [4] | Y | Y | Y | Y | Y | N |
| Ours | Y | Y | Y | Y | Y | Y |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).