Reliable and Privacy-Preserving Top-k DiseaseMatching Schemes for E-Healthcare Systems

IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 5537 Reliable and Privacy-Preserving Top-k Disease Matching Schemes for E-Healthcare Systems Chang Xu , Ningning Wang, Liehuang Zhu , Member, IEEE, Chuan Zhang , Member, IEEE, Kashif Sharif , Senior Member, IEEE, and Huishu Wu Abstract—The integration of body sensors, cloud computing, and mobile communication technologies has significantly improved the development and availability of e-healthcare systems. In an e-healthcare system, health service providers upload real patients’ clinical data and diagnostic treatments to the cloud server. Afterward, the users can submit queries with specific body sensor parameters, to obtaining pertinent k diagnostic files. The results are ranked based on ranking algorithms that match the query parameters to the ones in diagnostic files. However, privacy concerns arise while matching disease, since the clinical data and diagnostic files contain sensitive information. In this work, we propose two reliable and privacy-preserving Top-k disease matching schemes. The first scheme is constructed based on our proposed weighted Euclidean distance comparison algorithm under secure k-nearest neighbor technique to get k diagnostic files. It allows users to set different weights for each body indicator as per their needs. The second scheme is designed by comparing Euclidean distances under the modified Paillier homomorphic encryption algorithm where a superlinear sequence is used to reduce the computational and communication overhead. The user side incurs slightly higher computational costs, but the trusted party does not need to execute encryption operations. Hence, the proposed two schemes can be applied in different application scenarios. Simulations on synthetic and real data prove the efficiency of the schemes, and security analysis establishes the privacy-preservation properties. Index Terms—Euclidean distances, homomorphic encryption, privacy preserving, secure k-nearest neighbor (kNN), top-k disease matching. I. INTRODUCTION WITH the development of body sensors, cloud computing, and the Internet of Things [1], E-healthcare networks have tremendously grown as an application domain for these technologies. Both academic and industrial organizations have made significant improvements in the availability and reliability of these networks. Along with this increase, the number of Manuscript received March 14, 2021; revised June 21, 2021; accepted August 26, 2021. Date of publication September 10, 2021; date of current version March 24, 2022. This work was supported by the National Natural Science Foundation of China under Grant 61972037, Grant 61402037, and Grant U1804263. (Corresponding author: Liehuang Zhu.) Chang Xu, Liehuang Zhu, and Chuan Zhang are with the School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing 100081, China (e-mail: xuchang@bit.edu.cn; liehuangz@bit.edu.cn; chuanz@bit.edu.cn). Ningning Wang and Kashif Sharif are with the School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China (e-mail: 2120171068@bit.edu.cn; kashif@bit.edu.cn). Huishu Wu is with the Department of International Law School, China University of Political Science and Law, Beijing 100088, China (e-mail: wuhuishu0122@gmail.com). Digital Object Identifier 10.1109/JIOT.2021.3111739 digital records has exponentially grown. The cloud computing paradigm provides an ideal platform for storing large amounts of documents uploaded by data owners, such as healthcare service providers, hospitals, and patients. The added benefit of cloud computing in this scenario is that the workload also shifts from the data owners to the cloud, where the document searches and queries can be optimized, thus reducing the storage and computation of individual data owners. Compared with the traditional medical system [2], [3], the E-healthcare systems allow the users to submit the data generated by the body sensors in different situations, and the corresponding diagnostic results based on existing patient records can be returned for treatment. Similarly, health service providers (HSPs) upload real patients’ clinical data and diagnostic treatments to the cloud server. Following this, the patient can submit their personal data generated in an emergency situation to the cloud server for a query, thereby obtaining diagnostic files that match the disease/symptoms. However, personal data in such solutions are extremely sensitive. Therefore, performing accurate data queries without revealing the user’s query data or the diagnostic results remains a challenge. In recent years, several searching schemes based on encrypted data have been proposed. However, to find the clinical data in the server that exactly matches the users’ symptoms (e.g., heartbeat, blood pressure, etc.) is not easy. The work of Li et al. [4] used attribute-based encryption [5] for securing shared data in the cloud servers. However, this scheme is limited to textual data only. The work of Li et al. [6] used the k-nearest neighbor (kNN) technique for a diverse multikeyword ranked-search scheme on encrypted data. It uses a single set of keys for encryption, which is shared by the users and data owners, creating a privacy loop hole if the users and servers collude. Moreover, digital and textual keywords are indexed together, and each keyword has the same value in the query. The work of Zhu et al. [7] proposed a body sensor data gathering and query scheme. However, it has a high computational cost due to multidimensional vector queries. Similarly, the scheme presented by Lin et al. [8] has high communication and computational overhead, due to serverside homomorphic encryption and reencryption technique, for analyzing the patient’s physiological data. Based on the challenges of privacy preservation while being able to query patient data cost effectively, in this work, we propose two reliable and privacy-preserving Top-k disease matching schemes for cloud-assisted e-healthcare systems. The first one is constructed based on a novel weighted Euclidean 2327-4662 c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. 5538 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 distance comparison algorithm under a secure kNN technique to obtain the Top-k diagnostic files ranked with the similarity to the query. It allows the users to set different weights for each body sensor data indicator according to their needs. Moreover, this scheme has high reliability and low computation cost. However, the health center (HC) has to generate the cryptographic materials and is responsible for encrypting/decrypting clinical data and diagnostic files obtained from the cloud. This requires it to be always online during the query operation. Hence, this forms the basis of our second scheme, where the HC [trust authority (TA)] only needs to generate key materials. The scheme uses a modified Paillier homomorphic encryption algorithm to encrypt the data, and then uses the Euclidean distance comparison algorithm to obtain the Top-k diagnostic files with the highest similarity for the query under the ciphertexts. It uses a superlinear sequence to reduce the computational and communication overhead. Furthermore, the integrity and correctness of the returned diagnostic files can also be verified. The precise contributions of this work are as follows. 1) Scheme 1: A novel fundamental disease matching scheme is presented, which ranks and matches diagnostic data files with the query, using a weighted Euclidean distance under secure kNN to obtain the Top-k diagnostic files. Especially, it allows the user to set different weights for different physical indicators to achieve user personalization compared with other schemes. 2) Scheme 2: This version of the proposed novel disease matching scheme uses Euclidean distances under the modified Paillier homomorphic encryption algorithm. It takes superlinear sequences to reduce the computational and communication overhead caused by homomorphic encryption operations. Moreover, to prevent the injection of incorrect files, message authentication code (MAC) is used to verify the integrity and correctness of the returned diagnostic files. 3) Evaluation: Both schemes are implemented using realworld data sets as well as simulated synthetic data to demonstrate efficiency. We also present a comprehensive security analysis to prove the privacy-preservation property of both schemes. The remainder of this article is organized into seven sections. Section II introduces the system/security model and design goals of both the schemes. In Section III, we describe the modified Paillier encryption algorithm and the secure kNN computation method. In Section IV, we describe the two disease matching schemes. Section V gives performance evaluation, and Section VI shows security analysis. Section VII discusses the state-of-the-art works in this domain, and finally, Section VIII concludes this work. II. SYSTEM MODEL AND DESIGN GOALS In this work, we present two schemes with slightly different efficiencies and properties. In order to simplify the understanding, here we first describe the system model and the common elements for both, the security model for analysis TABLE I LIST OF NOTATIONS USED IN THIS WORK Fig. 1. System model of the first scheme. and evaluation, and the general design goals. In Table I, we list the notations used in this work. A. System Model In a Top-k disease matching system, HSPs have the patients’ clinical data and diagnostic files. These data and files are individually encrypted and stored in the cloud servers. In our proposed systems, different users can query the diagnostic files stored in the cloud, which are similar to the symptoms at hand. Furthermore, the privacy preservation of the requesting user as well as those of the patients’ clinical data and diagnostic files is primarily ensured. The proposed working of the two schemes is slightly different; hence, we first show the system model for Scheme 1 in Fig. 1 for basic understanding. It consists of four entities that are also explained below. The system model of Scheme 2 has minor differences with this one, and is explained in Section IV. 1) HSPs are the primary service providers. They collect patients’ clinical data and diagnostic files, and then send them to cloud servers through secure channels. 2) HC is a trusted entity that generates key materials. Meanwhile, it is also responsible for encrypting data Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. XU et al.: RELIABLE AND PRIVACY-PRESERVING TOP-K DISEASE MATCHING SCHEMES FOR E-HEALTHCARE SYSTEMS 5539 received from HSPs and users, which is ultimately stored on the cloud servers. Besides, it also decrypts the diagnostic files returned from the cloud server, before a user can use them. 3) Cloud server is the main storage facility, and also computes the similarity between the encrypted query-data submitted by users and the encrypted data stored in the cloud server. Then, it returns the Top-k encrypted diagnostic files ranked against the similarity. 4) Users send the query to the HC for encryption and obtain the appropriate Top-k diagnostic files from the cloud server. B. Security Model In the proposed model of Scheme 1, the HSPs are fully trusted, while the cloud server is considered to be honest-but-curious. Therefore, the cloud server formally follows the protocol operations but is curious about the patients’ clinical data and diagnostic results. The HC is regarded as a secure entity with the responsibility to encrypt the patients’ clinical data and diagnostic files and decrypt the diagnostic files returned from the cloud server. As for the system model of Scheme 2, the main entities remain the same, while the TA is fully trusted and is responsible for generating and distributing the key materials to other entities. However, the cloud servers SA and SB are considered as honest-but-curious. SA and SB formally execute the subsequent operations but are curious about the patients’ clinical data and diagnostic results. C. Design Goals 1) Data Privacy: The proposed two frameworks should protect data privacy from all entities that are not trusted and should remain available for trusted entities. The patients’ clinical data and diagnostic files at cloud servers should remain in encrypted form during all operations to avoid leakage of any sensitive information. 2) Query Confidentiality: The message of queries about users’ sensitive information should be protected and remain confidential. Thus, the proposed schemes should guarantee that the adversary cannot obtain the users’ query data. Besides, the adversary should not be able to determine the relationship between the data stored in cloud servers and the query data. 3) Query Unlinkability: To protect privacy, the queries of the same content or queries from the same user should not be linkable. Furthermore, the cloud servers should not be able to infer the relationship between these queries. 4) Verifiability: To prevent incorrect data injected, the users should be able to verify the correctness and integrity of the returned data. III. PRELIMINARIES In this section, we describe the modified Paillier encryption algorithm and secure kNN technique, which are the foundations of our schemes. A. Modified Paillier Encryption Algorithm Homomorphic encryption algorithms, as given in [9]–[11], can operate on encrypted data according to its homomorphism. The modified Paillier encryption algorithm [12] is a kind of homomorphic encryption, which has both additive and multiplicative homomorphism properties. Let m be a message and E(·) represents a modified Paillier encryption algorithm. Then, E(m) = is obtained by executing E(·) as shown in (1), where h = gsk, and sk is the secret key c1 = (1 + m ∗ n)hr mod n2 c2 = gr mod n2. (1) We introduce the modified Paillier’s additive homomorphism and multiplicative homomorphism in the following steps. Given the messages m1 and m2 and their ciphertexts E(m1) and E(m2), users can calculate E(m1 + m2) = E(m1) ∗ E(m2) to obtain a ciphertext of the sum of m1 and m2 by using modified Paillier’s additive homomorphism. Moreover, users can get the ciphertext of the product of m1 and m2 by computing E(m1 ∗ m2) = E(m1)m2 utilizing the modified Paillier’s multiplicative homomorphism. The plaintext message m can be obtained as m = c1/(c2) sk mod n − 1. (2) B. Secure kNN Computation The kNN scheme was presented by Wong et al. [13]. Initially, the secret key (P, M1, M2) is generated, where P is a binary vector and M1 and M2 are two matrices. P can split a plaintext vector into two random vectors. M1 and M2 are utilized to encrypt these two vectors. Let a and b be n-dimension plaintext vectors, where a = (a[1],..., a[j],..., a[n]) and b = (b[1],..., b[j],..., b[n]). An n-dimension binary vector P and two n × n-dimension matrices M1 and M2 are generated randomly, where P = (p[1],..., p[j],..., p[n]). Then, a is split into two ndimensional vector a1 = (a1[1],..., a1[j],..., a1[n]) and a2 = (a2[1],..., a2[j],..., a2[n]), while b is split into two n-dimension vector b1 = (b1[1],..., b1[j],..., b1[n]) and b2 = (b2[1],..., b2[j],..., b2[n]). If p[j] == 1 for 1 ≤ j ≤ n, a1[j] and a2[j] are generated by executing a1[j] = a2[j] = a[j], where a1[j] and a2[j] are generated to satisfy b[j] = b1[j]+b2[j]. Otherwise, if p[j] == 0, the values of a1[j] and a2[j] should satisfy a[j] = a1[j] + a2[j], and the values of b1[j] and b2[j] are set according to b1[j] = b2[j] = b[j]. Afterward, MT 1 and MT 2 , the transpose matrices of M1 and M2, are used to encrypt a to get C(a) = {a1MT 1 , a2MT 2 }, while M−1 1 and M−1 2 , which are the inverse matrices of M1 and M2, are used to encrypt b to obtain C(b) = {M−1 1 b1, M−1 2 b2}, where C(a) and C(b) are the ciphertexts of a and b. Moreover, the Euclidean distance Disab between a and b is calculated as Disab = C(a) · C(b) = a1MT 1 , a2MT 2 · M−1 1 b1, M−1 2 b2 = a · b = n j=1 (a[j] ∗ b[j]). (3) Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. 5540 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 IV. PROPOSED SCHEMES In this section, we present the two novel Top-k disease matching systems for data queries, health monitoring, and online diagnostic files. In addition, we use a MAC to verify the integrity of the diagnostic files. A. First Scheme In this scheme, the patients’ clinical data and diagnostic files are recorded by HSPs and then sent to the HC by secure channels. The HC encrypts the clinical data and diagnostic files, respectively, and uploads them to the cloud server, as shown in Fig. 1. The cloud server acts as a query resolver for the users, who sends the desired matching values. The HC is charged with initializing the whole system parameters and generates the secret keys for all entities. This scheme contains four algorithms: 1) KeyGen; 2) DataEnc; 3) TrapGen; and 4) Query, which are explained here. KeyGen(n): Given the dimensions of the patients’ clinical data, HC first randomly chooses a 4n-dimension vector, which only contains 1 and 0 as P and two 4n × 4n invertible matrices M1 and M2 as secret keys SK = (P, M1, M2). Let SE=(SE.GenKey, SE.Enc, SE.Dec) as described in Table I, and HC executes SE.GenKey to obtain multiple different symmetric secret keys kSE to encrypt the diagnostic file DF. DataEnc(SK, D, DF): HSPs send the patient’s clinical data D and diagnostic file DF to HC. The HC then generates the encrypted clinical data file ED and encrypts the diagnostic file DF, as given here. 1) Step 1: HSPs produce the clinical data D, which is a 4ith dimension vector. Note that the element in the (4i − 3)th dimension is d2 i , while the elements in the (4i − 2)th dimension and (4i − 1)th dimension are −2di and 2di, respectively. The element in the 4ith dimension is 1. Here, di denotes the keyword such as (heartbeat: 66), and 1 ≤ i ≤ n. We can describe the clinical data vector as D = d2 1, −2d1, 2d1, 1,..., d2 i , −2di, 2di, 1 ..., d2 n, −2dn, 2dn, 1 . (4) 2) Step 2: HC splits the 4n-dimension vector D into two 4ndimension vectors D1 and D2 by using P. If P[l] = 1, D1[l] = D2[l] = D[l]; else, if P[l] = 0, then D1[l] + D2[l] = D[l], where 1 ≤ l ≤ 4n. 3) Step 3: The clinical data D are encrypted as {D1MT 1 , D2MT 2 }, and DF is encrypted as C(DF) by calculating C(DF) ←SE.Enc(kSE, DF). HC also computes Mac = H(C(DF)||σ ) and C = C(DF)||σ||kSE to verify the diagnostic file. HC sends {ED,C(DF), Mac,C,ID(DF)} to the cloud server, where ID(DF) is the identifier of the diagnostic file. TrapGen(SK,Q,V,W,r): In this function, the input includes the query Q = (q1,..., qi,..., qn), a noise list V = (v1,..., vi,..., vn), a random list W = (a1,..., ai,..., an), and a random number r. We denote the weights as W, where 0 ≤ ai ≤ 10 and 1 ≤ i ≤ n. The output is a 4n-dimension Algorithm 1 Trapdoor Generation Input: SK, Q, V, W, and r. Output: Trapdoor Ts. User: Given a search query Q, the noise list V, the list W and a random number r 1: for 1 ≤ i ≤ n do 2: Q[4i − 3] = ai; 3: Q[4i − 2] = ai · qi + vi; 4: Q[4i − 1] = vi; 5: Q[4i] = r; 6: end for 7: Send Q to the Health Center in a secure channel. Health Center: 8: for 1 ≤ l ≤ 4n do 9: if P[l] = 1 then 10: Q1[l] + Q2[l] = Q[l]; 11: else 12: Q1[l] = Q2[l] = Q[l]; 13: end if 14: end for 15: Return Ts = {M−1 1 Q1, M−1 2 Q2} to the cloud server. Algorithm 2 Top-k Matching Input: ScoresDQ, k. Output: resf . 1: Let res and resf be empty tables. 2: for 1 ≤ i ≤ k do 3: for each ScoresDQ ∈ CS and ScoresDQ ∈/ res do 4: Find and extract the minimum ScoresDQ and the corresponding file identifier ID(DF) 5: Insert ScoresDQ into res and ID(DF) into resf 6: end for 7: end for 8: Return resf . trapdoor Ts. The user then sends the trapdoor Ts to the cloud server as a data query. The trapdoor generation algorithm is generated using Algorithm 1. Query((ED,C(DF)), Ts): After getting the trapdoor Ts, the cloud server first calculates ScoresDQ as ScoresDQ = ED · Ts = D1MT 1 , D2MT 2 · M−1 1 Q1, M−1 2 Q2 = D · Q = n i=1 ai d2 i − 2ai · qi + r . (5) Then, CS obtains resf by using Algorithm 2. If ED ∈ res, then we consider that ED has matched successfully and (C(DF), Mac,C) corresponding to the file identifier ID(DF) in resf are returned to the HC. Afterward, the HC uses Algorithm 5 to obtain the plaintext of diagnostic files, and sends it to the user. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. XU et al.: RELIABLE AND PRIVACY-PRESERVING TOP-K DISEASE MATCHING SCHEMES FOR E-HEALTHCARE SYSTEMS 5541 Fig. 2. System model of the second scheme. B. Second Scheme In this scheme, we utilize the Modified Paillier encryption algorithm instead of invertible matrixes to encrypt the patients’ data. Here, the trusted authority does not need to execute any encryption operation. Contrary to Scheme 1, here two cloud servers are utilized, and as shown in Fig. 2, and a total of five entities are included, i.e., HSPs, cloud server SA, cloud server SB, users, and TA. The difference in responsibilities, as compared to Scheme 1, is listed as follows. 1) HSPs have the patients’ clinical data and diagnostic files. They encrypt the data and files, and then send different encrypted data to SA and SB, respectively. 2) Users encrypt the queries and send them to the cloud servers, and obtain the Top-k results. 3) Cloud server A (SA) receives the encrypted data from HSPs, users, and SB, and processes it in collaboration with SB. Then, SA returns the Top-k similar diagnostic files to the users. 4) Cloud server B (SB) processes the encrypted data received from HSPs and users, and sends it to SA for collective processing. 5) TA only generates and distributes key materials to other entities compared with the HC in Scheme 1. In this scheme, the patients’ clinical data and diagnostic files are encrypted under the modified Paillier encryption algorithm and symmetric encryption algorithm by HSPs. This encrypted data are sent to SA and SB, respectively, for storage. Users utilize the modified Paillier encryption algorithm to encrypt the query and noise data, and send this encrypted data to SA and SB, respectively. SA and SB individually process it, and then SB sends the processed data to SA, which in return sends the query to SB, as shown in Fig. 2. Following this, SB sends the file identifiers of Top-k results to SA, who returns the corresponding Top-k encrypted diagnostic files to users. The system includes four algorithms, i.e., KeyGen, DataEnc, QueryEnc, and Query, as detailed as follows. KeyGen: TA selects a random number σ and a secure cryptographic hash function H, where H : {0, 1}∗ ← {0, 1}l and σ is used as a secret key to authenticate users. TA randomly chooses a secure random integer g and two secure large prime numbers p and q, where g ∈ Z∗ n2 , n = p ∗ q, λ = lcm(p − 1, q − 1), and l = gcd(L(gλ mod n2), n). TA generates the modified homomorphic secret keys skh,skh1,skh2, where (skh,skh1,skh2) ∈ Z∗ n ,skh = skh1+skh2, h = gskh , and pk = (h, g, n) is considered as the public key. A message m will be encrypted as E(pk,r, m) = (c1, c2) utilizing the modified Paillier homomorphic encryption algorithm, where r is a random number, and c1 = (1 + m ∗ n)hr mod n2 c2 = gr mod n2. (6) Let AC = (AC.GenKey, AC.Enc, AC.Dec) be an asymmetric cryptographic algorithm (RSA is used in this work). TA executes the AC.GenKey to generate the secret keys skA and skB and the public keys pkA and pkB, where skA and pkA are SA’s keys and skB and pkB are SB’s keys. TA sends skh1,skA to SA, and skh2,skB to SB. Then, TA chooses a superlinear sequence a = (a1,..., ai,..., an){1 ≤ i ≤ n}, where a1 a2 ··· ai ··· an−1 an. The public parameter pp = {pkA, pkB, pk, a}. DataEnc (pp, kSE, D, DF, σ): HSPs generate the encrypted clinical data E(D) & E(D2), and encrypts the diagnostic file DF, where a patient’s clinical data are D = (d1,..., di,..., dn){1 ≤ i ≤ n}. 1) Step 1: Let SE = (SE.GenKey, SE.Enc, SE.Dec), and HSPs execute the SE.GenKey to generate the secret key kSE. Then, HSPs calculates C(DF) ← SE.Enc(kSE, DF), Mac = H(C(DF)||σ ), and C = C(DF)||σ||kSE. 2) Step 2: HSPs encrypt the patient’s clinical data D as E(D) = (E(d1), . . . , E(di), . . . , E(dn)) and E(D2) = E(d2 1+ ···+ d2 i +···+ d2 n), where 1 ≤ i ≤ n. 3) Step 3: HSPs send {E(D2), E(D), C(DF), Mac,C, ID(DF)} to SA, and {E(D),ID(DF)} to SB. QueryEnc(pp, Q, V, a): Users encrypt the query data, and sends it to SA and SB, respectively. The detailed process is as follows. 1) Step 1: Users generate the query data Q = (q1,..., qi,..., qn){1 ≤ i ≤ n}, and randomly choose a sequence V = (v1,..., vi,..., vn){1 ≤ i ≤ n, vi ∈ Z∗ n }, as the noise data. 2) Step 2: Users calculate S2 Q = q2 1+· · ·+q2 i +· · ·+q2 n, SQ = 2∗(a1(q1+v1)+···+ai(qi+vi)+···+an(qn+vn)) and SV = 2∗(a1v1 +···+aivi +···+anvn). Then, users use the modified Paillier algorithm to encrypt S2 Q as E(S2 Q) = E(q2 1 + ··· + q2 i + ··· + q2 n), and encrypt SQ and SV utilizing pkA and pkB as CpkA (SQ) ← AC.Enc(pkA, SQ) and CpkB (SV) ← AC.Enc(pkB, SV). 3) Step 3: Users send (E(S2 Q),CpkA (SQ)) to SA, and CpkB (SV)) to SB. Query: SA and SB process the encrypted data received from users and HSPs, respectively. Then, SB sends the processed data to SA, which uses it to jointly decrypt the results with SB. Finally, SA returns the Top-k encrypted results to users. The process of this query is as follows. 1) Phase 1: a) SA receives (E(D2), E(D),C(DF), Mac,C, ID(DF)) from HSPs and (E(S2 Q),CpkA (SQ)) Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. 5542 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 Algorithm 3 Linear Sequence Generation Input: SQ or SV. Output: sq or sv. 1: Let sq and sv are empty sequences. 2: for 1 ≤ i ≤ n do 3: if the input data is SQ then 4: 2(qi + vi) = SQ/ai. 5: SQ = SQ mod ai. 6: Set 2(qi + vi) ∈ sq. 7: else 8: 2vi = SV/ai. 9: SV = SV mod ai. 10: Set 2vi ∈ sv. 11: end if 12: end for 13: Return sq or sv. from users. SA decrypts the CpkA (SQ) to obtain SQ utilizing its secret key skA, where SQ = 2∗(a1(q1+ v1)···+ ai(qi + vi)···+ an(qn + vn)){1 ≤ i ≤ n}. b) SA uses Algorithm 3 to get sq = (2(q1 + v1), . . . , 2(qi + vi), . . . , 2(qn + vn)) {1 ≤ i ≤ n}. c) SA obtains E(sq) = E(−2d1(q1 +v1)...−2di(qi + vi)... − 2dn(qn + vn) + ra) by using (7) and (8), where 1 ≤ i ≤ n and ra is a random number, as E(di) −2(qi+vi) = E(−2di(qi + vi)), and (7) E(sq) = E(−2d1(q1 + v1)) ···∗ E(−2di(qi + vi)) ···∗ E(−2dn(qn + vn)) ∗ E(ra) = E(−2d1(q1 + v1) ···− 2di(qi + vi) ···− 2dn(qn + vn) + ra). (8) d) SB receives (E(D),ID(DF)) from HSPs and CpkB (SV) from users. SB decrypts CpkB (SV) using its secret key skB to get SV, where SV = 2∗(a1v1+ ···+ aivi +···+ anvn){1 ≤ i ≤ n}. e) SB uses Algorithm 3 to get sv = (2v1,..., 2vi,..., 2vn){1 ≤ i ≤ n}. f) SB obtains E(sv) = E(2d1v1) +···+ 2divi +···+ 2dnvn +rb) by using (9) and (10), where 1 ≤ i ≤ n and rb is a random number, as E(di) 2vi = E(2divi)), and (9) E(sv) = E(2d1v1) ∗···∗ E(2divi) ∗···∗ E(2dnvn) ∗ E(rb) = E(2d1v1 +···+ 2divi + ···+ 2dnvn + rb). (10) g) SB sends E(sv) to SA. 2) Phase 2: SA receives E(sv) from SB, and executes Algorithm 4 with SB. Then, SB sends resf to SA, and SA Algorithm 4 Top-k Encrypted Results Generation Input: E(sq), E(sv), E(S2 Q), E(D2), and k. Output: resf . 1: Let res and resf be empty tables. Cloud Server SA: 2: Receive E(sv) from SB. 3: Calculate E(SumDQ) = E(sq) ∗ E(sv) ∗ E(S2 Q) ∗ E(D2) = E((d1−q1)2+· · ·+(di−qi)2+· · ·+(dn−qn)2+ra+rb)(1 ≤ i ≤ n) as shown in Equation (11). 4: Compute D SumDQ = DE(skh1 , E(SumDQ)) by using its secret key skh1 . 5: Send D SumDQ to SB. Cloud Server SB: 6: Receive D SumDQ from SA. 7: Compute Sum = D SumDQ = DE(skh2 , D SumDQ ) by utilizing the secret key skh2 . 8: for 1 ≤ i ≤ k do 9: for each SumDQ ∈ CS and SumDQ ∈/ res do 10: Find and extract the minimum SumDQ and its file identifier ID(DF) 11: Insert SumDQ into res and ID(DF) into resf 12: end for 13: end for 14: Return resf to SA. Algorithm 5 Returning Diagnostic Results Input: (C(DF), Mac,C) and σ. Output: DF 1: Receive (C(DF), Mac,C) from the cloud server. 2: Compute Mac = H(C(DF)||σ ). 3: if Mac = Mac then 4: Compute kSE = C||C(DF)||σ. 5: Execute DF ← SE.Dec(kSE,C(DF)). 6: Return DF. 7: else 8: (C(DF), Mac,C) are rejected. 9: end if sends (C(DF), Mac,C) to users for each ID(DF) ∈ resf E SumDQ = E D2 ∗ E(sq) ∗ E(sv) ∗ E S2 Q ∗E d2 1 +···+ d2 i +···+ d2 n ∗E(−2d1(q1 + v1)... − 2dn(qn + vn) + ra) ∗E(2d1v1 +···+ 2dnvn + rb) ∗E q2 1 +···+ q2 i +···+ q2 n = E (d1 − q1) 2 +···+ (di − qi) 2 + ···+ (dn − qn) 2 + ra + rb . (11) 3) Phase 3: Users receive (C(DF), Mac,C) from SA, and execute Algorithm 5 to obtain the plaintext of diagnostic results. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. XU et al.: RELIABLE AND PRIVACY-PRESERVING TOP-K DISEASE MATCHING SCHEMES FOR E-HEALTHCARE SYSTEMS 5543 TABLE II EXPERIMENTAL RESULTS USING REAL DATA Fig. 3. Execution time for different k against number of data files. (a) Number of users is 1. (b) Number of users is 20. V. PERFORMANCE ANALYSIS The evaluation of the proposed schemes has been done practically as well as analytically. The experimental evaluation is discussed in this section, while the security analysis is given in the next. Fundamental time complexity analysis can be done as follows: given m diagnostic files stored in the cloud server, k returned diagnostic files, and t user queries. Then, the time complexity of Top-k disease matching is O(m ∗ k + t). The proposed schemes are implemented in JAVA language, and AC and SE functions use RSA and AES algorithms, respectively. Besides, we use HMAC-SHA-256 to initialize the MAC. The experiments are executed on a 3.3 GHz Intel i5 system with 4 GB of RAM. The users, cloud servers, and HSPs are implemented as separate (but intercommunicating) processes. We use both real-world and synthetic data sets for extensive experimentation, as discussed as follows. A. Real-Data Experiments Two separate experiments are constructed based on Scheme 1 and Scheme 2, using real-world data to evaluate the efficiency of the proposed algorithms. The data set used in this work is the Indian Liver Patient Data set (ILPD).1 It contains 583 instances, each of which has 11 attributes/variables, i.e., Age, SGOT, A/G ratio, ALB (albumin), Gen (gender), SGPT, direct Bilirubin (DB), Alkphos, total proteins (TP), total Bilirubin (TB), and SET. Each instance is considered as a clinical data file, while each attribute is a keyword. 1Available at: http://archive.ics.uci.edu/ml/index.php. The results of the experimented are tabulated in Table II, where accuracy means whether the returned files are included in Top-k files and recall means whether the Top-k files are all returned. We perform the experiments on the two schemes with k varying from 1 to 20. For Scheme 1, we set different weights in the experiments. It can be deduced from Table II that the time required increases (slowly) as the number of returned diagnostic files increases, but remains in acceptable range. Moreover, the accuracy and recall of both schemes are near ideal in this experiment. Hence, we can conclude that the proposed system is practical in real medical application scenarios. B. Simulated-Data Experiments In this set of experiments, the patients’ clinical data and diagnostic files have been generated randomly and uniformly. Each of these files has 18 attribute pairs,2 which are given as . The algorithms of our scheme consider each pair as a single keyword (e.g., heartbeat: 63). 1) Scheme 1 Evaluation: In this experiment, each clinical data file corresponds to a diagnostic file. As is illustrated in Fig. 3, k is set as 1, 5, 10, 15, and 20, and the number of clinical data files ranges from 1000 to 10 000. Fig. 3(a) shows the execution time for the number of users n = 1, and the execution time increases with the number of files. For a given number of files, i.e., 5000, the time costs are 634 and 654 ms 2Available at http://www.clouddx.com/downloads/Heart-Friendly-Report2015-12-24-092313.pdf. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. 5544 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 Fig. 4. Execution time per k with different number of users. (a) Number of returned diagnostic files is 1. (b) Number of returned diagnostic files is 5. (c) Number of returned diagnostic files is 10. (d) Number of returned diagnostic files is 15. (e) Number of returned diagnostic files is 20. Fig. 5. Effect on time for increased n with varying k. for k = 1 and k = 20, respectively. Similarly, for any number of files, the difference between the time costs does not exceed 0.1 s, which means k only slightly affects the time overhead. However, for any given value of k, the time cost increases with the number of stored files, but even for 10 000 files, it remains below 1 s. In addition, Fig. 3(b) shows the time cost for 20 users that query concurrently. The pattern is similar to the earlier evaluation with n = 1; however, as expected the overall time cost has increased. Approximately, 2 s are required for 10 000 files in this case, which is still an acceptable value. In Fig. 4, we observe the effect of the number of users on execution time more closely. Here, n is set as 1 and 20, while Fig. 4(a)–(e) has k as 1, 5, 10, 15, and 20. It is obvious that the time cost will increase with the increase in the number of files; however, the increase with n = 1 is very slow (insignificant) as compared to n = 20, which shows a more linear growth. Hence, it can be concluded that the impact on execution time is more from n, then it is for k. In order to further determine the significance of the impact of the number of users, we have varied it from 50 to 550 as shown in Fig. 5, for different values of k. It can be observed that the execution time increases with the concurrent users; however, its range is acceptable. For 550 users with k = 20, the value is approximately 4.1 s. At the same time, the variation in k has an insignificant effect. In summary, the number of clinical data files, the number of concurrent users, and k, all affect the time cost. The execution time grows linearly with the number of files and the number of users. In contrast, k only slightly affects the time because the range of k is limited in the real world. Fig. 6. Execution time for different number of queries. 2) Scheme 2 Evaluation: For the evaluation of scheme 2, we have considered the same parameter but with different variables. In order to reduce the computational and communication overhead, we utilize a superlinear sequencing technique in this scheme. As illustrated in Fig. 6, the execution time increases with the number of queries. In the experiment without the superlinear technique the growth factor is much higher, as compared to the one with the superlinear technique. Note that here superlinear means that we use a superlinear sequence a = (a1,..., ai,..., an){1 ≤ i ≤ n} to aggregate the query data, where a1 a2 ··· ai ··· an−1 an. While, without superlinear means that we need to perform the encryption, uploading, and decryption operations on each query data. An important observation here is that with the increase in queries the gap between the two lines also increases, i.e., the rate of change for without superlinear sequencing is higher than the other. For example, the difference between the two lines is about 5 s when the number of queries is 5, but the difference is nearly 29 s when the number of queries is 30. This proves that the use of a superliner sequencing technique helps in reducing the execution time and communication cost of the system. Fig. 7 shows the execution time cost against increasing numbers of clinical data files. The results shown in Fig. 7(a)–(c) are individual plots of k = 1, k = 10, and k = 20, respectively, while Fig. 7(d) shows the collective comparison. The number of files varies from 1000 to 10 000. It can be observed that the trend is the same for all values of k, as it linearly grows as the Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. XU et al.: RELIABLE AND PRIVACY-PRESERVING TOP-K DISEASE MATCHING SCHEMES FOR E-HEALTHCARE SYSTEMS 5545 Fig. 7. Execution time for varying k and increasing number of data files. (a) Number of returned diagnostic files is 1. (b) Number of returned diagnostic files is 10. (c) Number of returned diagnostic files is 20. (d) Collective comparison for varying k from 1 to 20. Fig. 8. Execution time for varying k and increasing number of concurrent users. (a) Number of returned diagnostic files is 1. (b) Number of returned diagnostic files is 10. (c) Number of returned diagnostic files is 20. (d) Collective comparison for varying k from 1 to 20. number of files increases. It is important to note that the time cost is related to the test environment. On computationally better systems or real-world systems, the performance will automatically improve. In the current experiment, 10 000 files require approximately 90 s, which is still in an acceptable range. From Fig. 7(d), it is observed that the effect of k is almost negligible in all the experiments. Moreover, we also observe that higher k does not mean higher time, e.g., at 6000, 7000, and 8000 files, the time required for different k is uneven and has no specific pattern. As the evaluations have been averaged over several iterations, hence the confidence level is very high. Fig. 8 shows the execution time cost when the number of users increases. The presentation of this figure is the same as the previous one, where k is 1, 10, and 20, while the number of users ranges from 1 to 100. The increase in users has a linear effect on the execution time, as expected, and Fig. 8(d) shows that the change in k is irrelevant in this scenario. The minimum time for a single user is approximately 10 s and for 100 users it is almost 200 s. In summary, the superlinear sequence technique can help save the communication overhead and time cost. In this scheme, the number of files and the number of concurrent users have a near-linear effect on the execution time. In contrast, the number of returned files k has little influence on the time cost. Moreover, the effect of the number of users is greater as compared to the number of files. VI. SECURITY ANALYSIS In this section, we evaluate the security properties of the proposed schemes. These properties are based on the design goals described earlier. We evaluate both Scheme 1 and Scheme 2 separately, and prove that they fulfill the goals. A. Scheme 1 1) Data Privacy: The patients’ clinical data are encrypted by utilizing a 4n-dimension vector P and two 4n · 4n invertible matrices M1, M2. Besides, the diagnostic files are encrypted using a secret key kSE. The patients’ clinical data and diagnostic files are both encrypted by the HC and then saved in the cloud server in ciphertext form. Thus, data privacy can be achieved. 2) Query Confidentiality: In this scheme, the query Q is encrypted by the secret key SK as shown in Algorithm 1. If the key SK is kept secret, the adversary cannot decrypt the query data. 3) Query Unlinkability: The query data are encrypted as Ts = {M−1 1 Q1, M−1 2 Q2} by executing Algorithm 1. Since the encryption algorithm is probabilistic, it is hard for the cloud server to mine the relationship between two encrypted query data. 4) Verifiability: To prevent the adversary from uploading incorrect files, we use the MAC to verify the encrypted files. Users calculate Mac = H(C(DFj)||σ ) using encrypted file C(DF). If Mac = Mac, the encrypted file is accepted, otherwise, rejected. B. Scheme 2 1) Data Privacy: The patients’ clinical data are encrypted by using a modified Paillier encryption algorithm. The diagnostic files are encrypted using the secret key kSE. Without the knowledge of the secret keys, data privacy is ensured. 2) Query Confidentiality: In Scheme 2, the query data Q are first encrypted by adding noise data. Then, the encrypted Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. 5546 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 7, APRIL 1, 2022 query data and the noise data are encrypted by utilizing different servers’ public key. It is difficult for the attackers to get query data when the secret keys of different servers are kept confidential from the adversary. 3) Query Unlinkability: The query data are encrypted by adding the noise data V, which is randomly generated so that it is different for different queries. Hence, it is extremely difficult for the cloud servers to determine the relationship between two encrypted query data. 4) Verifiability: To prevent the adversary from uploading incorrect files, we use the MAC to verify the encrypted diagnostic files. Users calculate Mac = H(C(DF)||σ ) using received encrypted diagnostic file C(DF). Users can verify the integrity of the diagnostic files by computing Mac . If Mac = Mac, the received encrypted diagnostic file is real and accepts it, otherwise, the file is rejected. VII. RELATED WORKS The combination of the Internet of Things using wireless wearable devices and cloud computing [14], [15] has become a popular design platform for disease matching schemes in e-healthcare systems [16], [17]. Cloud computing can significantly reduce the high computation cost of users and the high storage cost of health services providers. For a disease matching e-healthcare system, HSPs submit real patients’ clinical data and their diagnostic files to the cloud servers. Then, the users can query the Top-k diagnostic results with the highest similarity from them. Moreover, to prevent leakage of sensitive information, the clinical data and diagnostic files of patients as well as the users’ queries should be privacy preserving. Searchable encryption is a fundamental approach for searching through encrypted cloud data. Several searchable symmetric encryption schemes have been proposed, which are summarized here. Li et al. [6] presented a kNN keyword search scheme for diverse multikeyword ranked search on encrypted cloud data. However, the data set of this scheme cannot be updated periodically. Kamara and Papamanthou [18] and Cash et al. [19] proposed and implemented searchable symmetric encryption schemes. However, these schemes only support dynamic single-keyword searches. Wang et al. [20] used the relevance score of keywords for a ranked keyword search scheme; however, it cannot be used for multikeyword searches. Xia et al. [21] adopted the vector space and TF × IDF model in a multikeyword ranked search of encrypted data. Their scheme supports dynamic updates and insertion/deletion of documents. Cao et al. [22] proposed a multikeyword ranked search scheme, which uses keyword matching rules to return documents. Mahdikhani et al. [23], [24] proposed privacy-preserving range query schemes based on homomorphic encryption techniques. Homomorphic encryption algorithms [10], [11], [25] can also be applied in data encryption as the cryptographic requirements increase. Using traditional encryption algorithms, the processing of data is not possible without its decryption first. However, homomorphic encryption allows some processing over encrypted data (without the need for decryption); hence, it can ensure the confidentiality of the data. Golle [25] proposed a private stable matching algorithm, based on an additively homomorphic and semantically secure public-key encryption scheme. Kapusta et al. [11] introduced additively homomorphic encryption and fragmentation scheme (AHEF), which relies on additive homomorphic fragmentation, instead of the additive homomorphic secret sharing, which is more common in different techniques. Moreover, to prevent incorrect files injection, the efficient MAC [26] is used to guarantee the integrity of returned files. VIII. CONCLUSION In this article, we presented novel, reliable, and privacypreserving Top-k disease matching schemes for cloud-based e-healthcare systems. These schemes enable users to send encrypted queries to match with the encrypted patients’ clinical data submitted by HSPs and obtain Top-k diagnostic files with the highest similarity. Two Top-k disease matching schemes are presented, where the first scheme uses the weighted Euclidean distance comparison algorithm over a secure kNN technique to obtain the Top-k diagnostic files. It allows users to set different weights for each body indicator according to their needs. The second scheme compares Euclidean distances under the modified Paillier homomorphic encryption algorithm to obtain the Top-k diagnostic files. It provides higher security than the first scheme, and a superlinear sequence is used to reduce the computational and communication overhead. In addition, MAC is used to verify the integrity and correctness of the returned diagnostic files and to prevent the injection of incorrect files. The experimental results and security analysis prove that both schemes are feasible and efficient while providing privacy preservation in the proposed system. In the future, we will focus on other security requirements of E-healthcare systems. Besides, we will optimize the scheme based on the Paillier encryption algorithm in terms of efficiency, i.e., to improve efficiency without losing security. REFERENCES [1] J. Li, Q. Yan, and V. I. Chang, “Internet of Things: Security and privacy in a connected world,” Future Gener. Comput. Syst., vol. 78, pp. 931–932, Jan. 2018. [2] M. Jayaratne et al., “A data integration platform for patient-centered ehealthcare and clinical decision support,” Future Gener. Comput. Syst., vol. 92, pp. 996–1008, Mar. 2019. [3] X. Yang, R. Lu, J. Shao, X. Tang, and H. Yang, “An efficient and privacy-preserving disease risk prediction scheme for e-healthcare,” IEEE Internet Things J., vol. 6, no. 2, pp. 3284–3297, Apr. 2019. [4] M. Li, S. Yu, K. Ren, and W. Lou, “Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings,” in Proc. ICST Conf. SecureComm, Sep. 2010, pp. 89–106. [5] S. Xu, G. Yang, and Y. Mu, “Revocable attribute-based encryption with decryption key exposure resistance and ciphertext delegation,” Inf. Sci., vol. 479, pp. 116–134, Apr. 2019. [6] H. Li, H. Ren, H. Yao, H. Chen, G. Xu, and Y. Dai, “Diverse multikeyword ranked search over encrypted cloud data supporting range query,” in Proc. IEEE/CIC Int. Conf. Commun. China (ICCC), Shenzhen, China, Nov. 2015, pp. 1–6. [7] H. Zhu, L. Gao, and H. Li, “Secure and privacy-preserving body sensor data collection and query scheme,” Sensors, vol. 16, no. 2, p. 179, 2016. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply. XU et al.: RELIABLE AND PRIVACY-PRESERVING TOP-K DISEASE MATCHING SCHEMES FOR E-HEALTHCARE SYSTEMS 5547 [8] H. Lin, J. Shao, C. Zhang, and Y. Fang, “CAM: Cloud-assisted privacy preserving mobile health monitoring,” IEEE Trans. Inf. Forensics Security, vol. 8, pp. 985–997, 2013. [9] Z. Min, G. Yang, A. K. Sangaiah, S. Bai, and G. Liu, “A privacy protection-oriented parallel fully homomorphic encryption algorithm in cyber physical systems,” EURASIP J. Wireless Commun. Netw., vol. 2019, p. 15, Jan. 2019. [10] M. M. Nayyef and A. M. Sagheer, “Design of public-key algorithms based on partial homomorphic encryptions,” Int. J. Inf. Security Privacy, vol. 13, no. 2, pp. 67–85, 2019. [11] K. Kapusta, G. Memmi, and H. N. Noura, “Additively homomorphic encryption and fragmentation scheme for data aggregation inside unattended wireless sensor networks,” Annales des Télécommunications, vol. 74, no. 3–4, pp. 157–165, 2019. [12] C. Xu, N. Wang, L. Zhu, K. Sharif, and C. Zhang, “Achieving searchable and privacy-preserving data sharing for cloud-assisted e-healthcare system,” IEEE Internet Things J., vol. 6, no. 5, pp. 8345–8356, Oct. 2019. [13] W. K. Wong, D. W.-I. Cheung, B. Kao, and N. Mamoulis, “Secure kNN computation on encrypted databases,” in Proc. ACM SIGMOD Int. Conf. Manage. Data (SIGMOD), 2009, pp. 139–152. [14] Ö. B. Akan, S. Andreev, and C. Dobre, “Internet of Things and sensor networks,” IEEE Commun. Mag., vol. 57, no. 2, p. 40, Feb. 2019. [15] M. M. Dhanvijay and S. C. Patil, “Internet of Things: A survey of enabling technologies in healthcare and its applications,” Comput. Netw., vol. 153, pp. 113–131, Apr. 2019. [16] M. Elhoseny, G. R. González, O. M. Abu-Elnasr, S. A. Shawkat, N. Arunkumar, and A. Farouk, “Secure medical data transmission model for IoT-based healthcare systems,” IEEE Access, vol. 6, pp. 20596–20608, 2018. [17] C. Zhang, L. Zhu, C. Xu, and R. Lu, “PPDP: An efficient and privacypreserving disease prediction scheme in cloud-based e-healthcare system,” Future Gener. Comput. Syst., vol. 79, pp. 16–25, Feb. 2018. [18] S. Kamara and C. Papamanthou, “Parallel and dynamic searchable symmetric encryption,” in Proc. 17th Int. Conf. Financ. Cryptogr. Data Security, Okinawa, Japan, Apr. 2013, pp. 258–274. [19] D. Cash et al., “Dynamic searchable encryption in very-large databases: Data structures and implementation,” in Proc. 21st Annu. Netw. Distrib. Syst. Security Symp. (NDSS), San Diego, CA, USA, Feb. 2014, pp. 1–16. [20] C. Wang, N. Cao, J. Li, K. Ren, and W. Lou, “Secure ranked keyword search over encrypted cloud data,” in Proc. Int. Conf. Distrib. Comput. Syst. (ICDCS), Genova, Italy, Jun. 2010, pp. 253–262. [21] Z. Xia, X. Wang, X. Sun, and Q. Wang, “A secure and dynamic multikeyword ranked search scheme over encrypted cloud data,” IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340–352, Feb. 2016. [22] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving multikeyword ranked search over encrypted cloud data,” in Proc. INFOCOM 30th IEEE Int. Conf. Comput. Commun. Joint Conf. IEEE Comput. Commun. Soc., Shanghai, China, Apr. 2011, pp. 829–837. [23] H. Mahdikhani, R. Lu, Y. Zheng, and A. A. Ghorbani, “Achieving efficient and privacy-preserving range query in fog-enhanced IoT with bloom filter,” in Proc. IEEE Int. Conf. Commun. (ICC), Dublin, Ireland, Jun. 2020, pp. 1–6. [24] H. Mahdikhani, R. Lu, Y. Zheng, J. Shao, and A. A. Ghorbani, “Achieving o(log3n) communication-efficient privacy-preserving range query in fog-based IoT,” IEEE Internet Things J., vol. 7, no. 6, pp. 5220–5232, Jun. 2020. [25] P. Golle, “A private stable matching algorithm,” in Proc. 10th Int. Conf. Financ. Cryptogr. Data Security, Anguilla, British West Indies, 2006, pp. 65–80. [26] M. Blanton, “Message authentication codes,” in Encyclopedia of Database Systems, 2nd ed. New York, NY, USA: Springer, 2018. Chang Xu received the Ph.D. degree in computer science from Beihang University, Beijing, China, in 2013. She is currently an Associate Professor with the School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing. Her research interests include security and privacy in IoTs, and big data security. Ningning Wang received the bachelor’s degree in computer Science and technology from Zhengzhou University, Henan, China, in 2017, and the master’s degree in computer Science and technology from Beijing Institute of Technology, Beijing, China, in 2020. Her current research interests include security and privacy in medical systems, and searchable encryption. Liehuang Zhu (Member, IEEE) received the Ph.D. degree in computer science from Beijing Institute of Technology, Beijing, China, in 2004. He is currently a Professor with the School of Cyberspace Science and Technology, Beijing Institute of Technology. His research interests include security protocol analysis and design, group key exchange protocols, wireless sensor networks, and cloud computing. Chuan Zhang (Member, IEEE) received the Ph.D. degree from the School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China, in 2021. He is currently an Assistant Professor with the School of Cyberspace Science and Technology, Beijing Institute of Technology. His current research interests include secure data services in cloud computing, security and privacy in IoTs, and big data security. Kashif Sharif (Senior Member, IEEE) received the M.S. degree in information technology and the Ph.D. degree in computing and informatics from the University of North Carolina at Charlotte, Charlotte, NC, USA, in 2004 and 2012, respectively. He is currently an Associate Professor with Beijing Institute of Technology, Beijing, China. His research interests include wireless and sensor networks, network simulation systems, software defined and data center networking, ICN, and Internet of Things. Dr. Sharif is a member of ACM. Huishu Wu received the bachelor’s degree in information management of computer science from Hebei Normal University, Shijiazhuang, China, in 2014, the master’s degree in management from China University of Political Science and Law, Beijing, China, in 2017, and the master’s and Ph.D. degrees from the University of Montreal, Montreal, QC, Canada, in 2017 and 2021, respectively. His research interest is in the area of data security and privacy in VANETs, and data governance. Authorized licensed use limited to: Chengdu University of Technology. Downloaded on April 18,2023 at 14:26:39 UTC from IEEE Xplore. Restrictions apply.