Electronic protected health information flow method and system based on temporary access control

By employing a hierarchical key generation mechanism and a cloud-fog collaborative architecture, the temporary access control problem of ePHI in the medical IoT is solved, enabling accurate time unit attribution determination and efficient data flow, thus meeting the resource constraints and high concurrency requirements of medical IoT terminals.

CN122372249APending Publication Date: 2026-07-10XIDIAN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
XIDIAN UNIV
Filing Date
2026-03-31
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies for temporary access control of electronically protected health information (ePHI) in the medical Internet of Things (IoT) suffer from problems such as inaccurate determination of time unit ownership, high overhead of keys and parameters, and inefficient policy deployment, making it difficult to meet the needs of limited resources and high concurrency in medical IoT terminals.

Method used

A hierarchical key generation mechanism based on epoch parameters and overall attributes is adopted. Fog node time keys, cloud time keys, and local keys are generated through cryptographic operations. Combined with a collaborative architecture of cloud auditing and fog node verification, precise temporary access control of electronically protected health information is achieved.

Benefits of technology

It enables precise temporary access control of electronically protected health information, reduces the complexity of cryptographic operations and the computational power consumption of devices, alleviates the burden on local terminal storage, improves the efficiency of policy implementation and data circulation, and ensures the secure circulation of ePHI in cloud and fog environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372249A_ABST
    Figure CN122372249A_ABST
Patent Text Reader

Abstract

This invention discloses a method and system for the circulation of electronically protected health information based on temporary access control. The method is as follows: Security parameters, epoch parameters, and attribute set are obtained; an epoch public key and an epoch private key are generated through cryptographic operations; a fog node time key, a cloud time key, and a local key are generated based on these two; an attribute key is obtained by combining the epoch private key with the medical provider attribute set; the plaintext ePHI, fixed and temporary access policies are obtained; the plaintext ePHI is encrypted and encapsulated to obtain ePHI ciphertext; cloud auditing is performed based on the ePHI ciphertext, attribute key, and cloud time key, and the audit result is sent to the fog node; after verification, the fog node converts the ePHI ciphertext using its own time key to obtain converted ciphertext; finally, the original plaintext ePHI is decrypted using the local key. This invention can solve problems such as inaccurate time unit attribution determination, high key and parameter overhead, and inefficient policy deployment in ePHI temporary access control.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of information security, specifically relating to a method and system for the circulation of electronic protected health information based on temporary access control. Background Technology

[0002] As a core supporting technology for smart healthcare systems, the Internet of Things (IoT) in healthcare relies on interconnected sensors, embedded terminal devices, and cloud computing platforms to achieve comprehensive collection, intelligent analysis, and precise assessment of health data. By acquiring electronic protected health information (ePHI) in real time, it effectively promotes the transformation of traditional medical models from passive disease treatment to proactive health prevention, significantly improving the convenience and accuracy of medical services. However, at the same time, as sensitive data involving core patient privacy, the flow of ePHI throughout the entire process between IoT terminals, transmission links, and cloud servers has also raised increasingly serious privacy and security issues such as data leakage, unauthorized tampering, and unauthorized access. How to ensure the secure flow of ePHI under controllable and trustworthy conditions has become a key technical bottleneck for the large-scale deployment of IoT in healthcare.

[0003] To address the privacy protection needs of ePHI in medical IoT scenarios, existing technologies, guided by the core principles of controllable policies and secure reliability, have developed a series of ePHI circulation management methods. Their core design objectives focus on three main dimensions: First, ensuring that medical requesters have legitimate access to their own ePHI and the right to know the specific usage methods and scenarios; second, granting medical requesters the right to correct and supplement their own ePHI data, ensuring the accuracy and completeness of the data and preventing erroneous data from affecting medical diagnosis and health assessment; and third, standardizing the storage and management practices of medical institutions regarding ePHI, requiring them to reasonably set ePHI data retention periods and develop compliant and secure destruction and disposal measures for expired ePHI data to eliminate the risk of expired data leakage.

[0004] To address the needs of temporary access and permission management in ePHI, time-constrained access control technology became an early research hotspot, and related technical solutions gradually implemented time-based binding of access permissions. As early as 2002, Bertino et al. [1] Paterson pioneered the discretionary access control method, limiting authorized permissions to be effective only within a specific time frame. It also supports configuring authorization dependencies through predefined rules, laying the theoretical foundation for time-constrained access control. Inspired by this time-binding approach, temporary access control schemes with dynamic permission constraints have emerged, such as Paterson and Quaglia. [2]They proposed a time-specific encryption primitive that deeply binds data decryption capabilities to time parameters. Only when the access time falls within the specified time interval of the ciphertext can the data receiver obtain decryption privileges and access core data; Kasamatsu et al. [3] Based on a forward-secure encryption mechanism, a novel time-specific encryption method was constructed. By binding two restricted keys inseparably, it effectively resists combined key attacks launched by malicious users, thus improving the anti-attack capability of the encryption scheme; Ishizaka et al. [4] By combining layered identity-based encryption technology and relying on a wildcard mechanism without key escrow, a time-specific encryption architecture for constant-scale keys is realized, thus optimizing key management efficiency.

[0005] While the aforementioned early time-constrained access control schemes achieved basic time-based access control, they were limited by insufficient expressive power of time and access policies. These schemes could only achieve coarse-grained access control and could not formulate control rules for finer dimensions such as patient identity, disease type, treatment scenario, and data permission level. Therefore, they were ill-suited to the diverse and fine-grained ePHI access needs of the medical IoT scenario. [5] There are problems such as rigid access control and incomplete privacy protection.

[0006] To overcome the limitations of coarse-grained access control, the industry has further conducted research on fine-grained temporary access control technologies, integrating attribute encryption, proxy re-encryption, and other technologies to achieve policy optimization. Xiong et al. [6] A temporary access control mechanism was constructed by combining time-specific encryption and key policy attribute encryption, achieving dual binding of permissions with time and attributes. However, this mechanism is only suitable for small-scale attribute scenarios, and the parameter scale increases linearly with the total number of attributes and the length of the time range, making it extremely unsuitable for multi-attribute, high-traffic scenarios in the medical IoT. Ma et al. [7] A dual control scheme of access policy and time policy was designed, and a semi-trusted time server was introduced to support dynamic adjustment of the encrypted time range, improving policy flexibility. However, this scheme explicitly embeds the time policy into the encrypted structure, making it highly vulnerable to malicious tampering and forgery attacks, and the policy security is difficult to guarantee. Zhu et al. [8] Introducing the time factor into the integer range comparison mechanism, combined with proxy re-encryption technology, enables time-controlled access in cloud computing scenarios, further expanding the flexibility of policy configuration; Wang et al. [9] By embedding the comparable range into the key structure and integrating multi-attribute data into a single ciphertext, a constant-scale ciphertext design is achieved, optimizing data transmission and storage efficiency.

[0007] Based on the above research ideas, Miao et al.

[10] A time-controllable keyword search scheme is proposed, supporting users to match and retrieve encrypted indexes within a specific time range, adapting to the data retrieval needs in mobile medical cloud scenarios; Tong et al.

[11] To address the issue of generalized and abused time-based policies in mobile computing scenarios, an attribute-based Boolean range query scheme integrating temporary access control is designed. This alleviates the limitation that spatiotemporal data can only be shared by a single user and expands the scenarios for multi-user data sharing. However, the above optimization scheme... [8][9]

[10]

[11] All of these solutions employ comparable expressions based on composite order groups to construct the core algorithm, resulting in high computational complexity and low execution efficiency. However, medical IoT terminals are mostly resource-constrained embedded devices, and cloud platforms need to handle the concurrent processing of massive amounts of ePHI data. Such inefficient solutions cannot meet the real-time and high-concurrency application requirements of medical IoT, and their practicality and applicability in actual ePHI circulation scenarios are severely lacking.

[0008] References [1]Bertino E, Bettini C, Ferrari E, et al. A temporal access control mechanism for database systems[J]. IEEE Transactions on Knowledge and DataEngineering, 2002, 8(1): 67–80. [2]Paterson KG, Quaglia E A. Time-specific encryption[J]. IACRCryptology ePrint Archive, 2010: 347. [3]Kasamatsu K, Matsuda T, Emura K, et al. Time-specific encryption from forward-secure encryption: generic and direct constructions[J]. International Journal of Information Security, 2016, 15(5): 549-571. [4]Ishizaka M, Kiyomoto S. Time-specific encryption with constant-size secret-keys secure under standard assumption[J]. Cryptology ePrintArchive, 2020. [5]Fan H, Li Q, Xiong J, et al. Decentralized Access Control forPrivacy-Preserving Cloud-Based Personal Health Record with Verifiable PolicyUpdate[J]. IEEE Internet of Things Journal, 2024, 11(9): 16887–16901. [6]Xiong J, Liu X, Yao Z, et al. A secure data self-destructingscheme in cloud computing[J]. IEEE Transactions on Cloud Computing, 2014, 2(4): 448-458. [7]Ma S, Lai J, Deng R H, et al. Adaptable key-policy attribute-basedencryption with time interval[J]. Soft Computing, 2017, 21(20): 6191-6200. [8]Zhu Y, Hu H, Ahn G J, et al. Towards temporal access control incloud computing[C]. Proceedings of the 31st IEEE International Conference onComputer Communications (INFOCOM 2012). Orlando, FL, USA. IEEE, 2012: 2576–2580. [9]Wang Z, Huang D, Zhu Y, et al. Efficient attribute-basedcomparable data access control[J]. IEEE Transactions on computers, 2015, 64(12): 3430-3443.

[10] Miao Y, Li F, Li X, et al. Time-controllable keywordsearch scheme with efficient revocation in mobile e-health cloud[J]. IEEE Transactions onMobile Computing, 2023, 23(5): 3650-3665.

[11] Tong Q, Li X, Miao Y, et al. Privacy-preserving boolean rangequery with temporal access control in mobile computing[J]. IEEE Transactionson Knowledge and Data Engineering, 2022, 35(5): 5159-5172. Summary of the Invention The purpose of this invention is to address the problems in the prior art by providing a method and system for the circulation of electronic protected health information based on temporary access control. This method supports optimized coding structure and time-specific attribute encryption for fine-grained ePHI authorization, balances the inherent relationship between policy expression and performance overhead, and alleviates the current situation where ePHI circulation is hindered in cloud and fog environments.

[0009] To achieve the above objectives, the present invention provides the following technical solution: Firstly, a method for the circulation of electronically protected health information based on temporary access control is provided, including: Obtain security parameters Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask ; Based on the epoch public key epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock ; Combined with the aforementioned epoch private key ask The set of attributes corresponding to medical providers Obtain the attribute key Atk ; Obtain plaintext electronic protected health information (ePHI) to be distributed Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; Based on the ePHI ciphertext Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; Based on the audit results, the fog node Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; Receive the converted ciphertext Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Message .

[0010] As a preferred solution, it is implemented by the key management center, medical cloud, fog nodes, medical requesters, and medical providers; The key management center is a fully trusted entity used to initialize the time epoch and generate epoch keys and attribute keys for different participants. The medical cloud is a semi-trusted entity used to perform attribute permission verification services for medical providers. The fog node is a semi-trusted entity used to determine temporary access permissions. The medical requester specifies the access policy and temporary policy, and encapsulates the plaintext ePHI into ePHI ciphertext in encrypted form, outsourcing the ePHI ciphertext to the medical cloud. After obtaining the semi-decrypted converted ciphertext, the medical provider completes decryption using a local key to recover the original plaintext ePHI.

[0011] As a preferred solution, the acquisition of security parameters Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask The steps are through EpochInit The algorithm implementation specifically includes: input security parameters. Epoch Parameters and attributes overall Choose three prime numbers p Factorial Cyclic Group , and And define asymmetric pairing mappings From the group Randomly select generators and From the group Randomly select generators and from the set of integers Random selection Construct a collision-resistant hash function Based on epoch parameters Initialize an empty binary tree and encode it as follows: Set the root node to null, and you will get... ;for and Iteration definition ,in, express Specific time units and From the group Random selection The algorithm outputs the epoch public key. and the private key of the era It was released to the public, and the current state of the complete binary tree is defined as follows: .

[0012] As a preferred solution, through EpochKGen The algorithm is based on the epoch public key. epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock Specifically, it includes: Key management center based on Epoch public key epk and the private key of the era ask From the set of integers Random selection and The fog node time key is calculated using the following expression. ,in :

[0013] Calculate the cloud time key using the following expression. Ctk Defined as ,in :

[0014] Define the local key as ; The key management center will use fog node time keys Ftk Send to fog node, send cloud time key Ctk Send to the medical cloud and send the local key Lock Send to the healthcare provider.

[0015] As a preferred solution, through AttrKGen The algorithm combines the epoch private key. ask The set of attributes corresponding to medical providers Obtain the attribute key Atk Specifically, this includes: inputting the epoch private key into the key management center. ask and the attribute set corresponding to the medical provider From the set of integers Random selection This allows the attribute key to be calculated and output. The calculation expression is as follows:

[0016] The attribute key obtained by the key management center Send to the medical cloud.

[0017] As a preferred solution, through EncPHIAlgorithm obtains plaintext electronic protected health information (ePHI) to be circulated. Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. Specifically, it includes: The medical requester is from a set of integers Select a set of random numbers and secret vector and specify x OK y Column share generation matrix ; the secret vector Left-multiply share generation matrix The share vector is calculated. Obtain expressive access strategies ; Get the interval covering set And use the following expression to convert the plaintext ePHI Message Encapsulated as ePHI ciphertext ,in and :

[0018] The medical requester will send ePHI encrypted messages. Send to the medical cloud.

[0019] As a preferred solution, through Privacy Policy The algorithm is based on the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node, specifically including: Enter ePHI ciphertext Attribute key Atk and cloud time key Ctk Medical cloud-based attribute set Does the user have the necessary authorization permissions? (For any set of authorized attributes) There exists a reconstructed vector. , making ,in, ; Therefore, the following calculations are performed:

[0020] for and ,calculate ; The medical cloud will audit the results Send to the fog node.

[0021] As a preferred solution, through TimeVrfy The algorithm is based on the audit results from the fog nodes. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. Specifically, it includes: Fog node input audit results Fog Node Time Key Ftk Fog node test equation Whether it holds true: If the equation does not hold true, the algorithm terminates; if the equation holds true, then according to... Perform assignment operation and And calculate according to the following formula ; Fog nodes will convert ciphertext Send to the healthcare provider.

[0022] As a preferred solution, through DecPHI The algorithm receives the converted ciphertext Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext Msg, which includes: Medical provider input conversion ciphertext and local key Lock The original ePHI plaintext can be calculated and recovered using the following expression. Message : .

[0023] Secondly, a protected electronic health information circulation system based on temporary access control is provided, comprising: The epoch initialization module is used to obtain security parameters. Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask ; An epoch key generation module is used to generate an epoch key based on the epoch public key. epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock ; The attribute key generation module is used to combine the epoch private key. ask The set of attributes corresponding to medical providers Obtain the attribute key Atk ; The ePHI encryption module is used to obtain the plaintext ePHI of the electronic protected health information to be circulated. Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; The authorization verification module is used to verify the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; A temporary verification module is used by fog nodes based on the audit results. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; The ePHI decryption module is used to receive the converted ciphertext. Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Message .

[0024] Compared with the prior art, the present invention has at least the following beneficial effects: To address the technical shortcomings of temporary access control for Electronic Protected Health Information (ePHI) in medical IoT scenarios, such as inaccurate time unit attribution determination, high key and parameter overhead, and inefficient policy deployment, this invention provides a temporary access control-based method for the circulation of ePHI that can accurately achieve temporary access management and completely solve the problem of time unit attribution determination. Addressing the industry pain points of high overhead in public parameters and key materials and high computational complexity in traditional access control methods, this invention employs a hierarchical key generation mechanism driven by security parameters and epoch parameters. First, based on basic security parameters, epoch parameters, and overall attributes, a epoch public key corresponding to the epoch is generated through cryptographic operations. epk and the private key of the era ask Then relying on the Epoch Public Key epk and the private key of the era ask Generating fog node time keys through step-by-step operations Ftk Cloud Time Key Ctk and local key Lock This design achieves structured optimization of the key system, reducing the complexity of public parameter generation and time key computation from exponential to linear levels compared to traditional schemes, significantly reducing cryptographic computation time and equipment computing power consumption. Simultaneously, healthcare providers only need to maintain a constant-sized local key. Lock This eliminates the need to store massive amounts of temporary keys and redundant public parameters, significantly reducing the storage burden on local terminals and perfectly adapting to the actual deployment scenarios of medical IoT terminals with limited computing power and scarce storage resources. The method of this invention adopts a layered collaborative architecture combining cloud auditing and fog node verification conversion. First, the cloud verifies the data based on ePHI ciphertext... Attribute key Atk and cloud time key Ctk Perform cloud-based auditing operations, generate corresponding audit results, and push them to the target fog node. The fog node then performs temporary access verification based on the audit results, simultaneously combining the fog node's time key. Ftk ePHI ciphertext Perform conversion processing to generate converted ciphertext adapted for local decryption. The final recipient combines the local key. Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. MessageThis process enables the integrated deployment of fixed and temporary access policies, eliminating the cumbersome policy configuration and key synchronization steps of traditional solutions and significantly improving policy implementation efficiency. Simultaneously, the distributed processing mode of cloud-fog collaboration distributes the computational burden of ePHI encryption / decryption and permission verification, effectively shortening data flow time and alleviating the problems of ePHI flow obstruction and high transmission latency in cloud-fog hybrid environments. It balances the inherent contradiction between policy expressiveness and system performance overhead, improving policy deployment and ePHI flow efficiency and solving the problem of flow obstruction in cloud-fog environments. This invention's method constructs a closed-loop security management system covering the entire process, from security parameter and epoch parameter acquisition, epoch key generation, layered time key and attribute key derivation, ePHI plaintext encryption and encapsulation, to cloud audit verification, fog node ciphertext conversion, and local decryption and restoration. The periodic iteration mechanism of the epoch key, the permission isolation design of the hierarchical time key, and the binding logic between the attribute key and the access subject effectively strengthen the protection level of ePHI ciphertext; the verification results generated by cloud auditing can realize the full traceability and verification of temporary access behavior, which can not only meet the hard requirements of medical data security supervision, but also quickly identify abnormal access behavior, and comprehensively protect the security of the entire life cycle of electronic protected health information.

[0025] Furthermore, the method of this invention utilizes epoch parameters and fog node time keys. Ftk Cloud Time Key Ctk The hierarchical key design, combined with a complete binary tree structure and binary encoding mechanism, maps temporary access strategies to a set of mutually exclusive nodes. This enables unique and high-precision determination of the attribution of specific time units for medical visits, completely overcoming the shortcomings of traditional schemes that cannot accurately match temporary access periods. Furthermore, it relies on the overall attribute population, attribute set, and attribute key... Atk The association binding logic, combined with the dual encryption encapsulation rules of fixed access policies and temporary access policies, embeds the access policy into the ePHI encryption process, realizing fine-grained access authorization and precise matching control at the attribute level. This not only ensures the compliance of temporary access, but also strictly defines the permission boundaries of different access subjects, thereby eliminating the risk of unauthorized access from the root. Attached Figure Description

[0026] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present invention. For those skilled in the art, other related drawings can be obtained from these drawings without creative effort.

[0027] Figure 1 Design architecture diagram of the electronic protected health information circulation method based on temporary access control according to an embodiment of the present invention; Figure 2 Flowchart of the main steps of the electronic protected health information circulation method based on temporary access control according to an embodiment of the present invention; Figure 3 The method of this invention is similar to the solution proposed by Ma et al. EpochKGen Performance comparison charts in the algorithms; Figure 4 The method of this invention is similar to the solutions of Fan et al. and Ma et al. AttrKGen Performance comparison charts in the algorithms; Figure 5 The method of this invention is similar to the solutions of Fan et al. and Ma et al. EncPHI Performance comparison charts in the algorithms; Figure 6 The method of this invention is similar to the solutions of Fan et al. and Ma et al. DecPHI Performance comparison chart of the algorithm. Detailed Implementation

[0028] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, those skilled in the art can obtain other embodiments without creative effort.

[0029] Under the existing regulatory framework, the high sensitivity and dynamic circulation characteristics of ePHI make its access requirements significantly temporary. ePHI often only has legitimate access rights within specific medical procedures or authorization periods, and continuous access beyond the established scope faces the risk of privacy leakage. Therefore, temporary access control has gradually become a key technical means in ePHI protection. By introducing time constraints into the access policy, dynamic granting of ePHI access rights can be achieved. Temporary access control based on time constraints can automatically take effect for access to encrypted ePHI within the legitimate scope, effectively preventing medical providers from unauthorized access to temporary ePHI. Logically speaking, temporary access control supporting edge-cloud collaborative computing can be divided into two categories: 1) invalidating the decryption permission of the key; 2) invalidating the access scope of the ciphertext. The first type of method refers to the legitimate key no longer having the ability to decrypt a certain type of ciphertext after meeting a trigger condition. This type of technology is usually executed by a self-maintaining key management server, and the sender lacks verifiability for the invalidation of the key. The second type of method refers to the ciphertext expression being logically no longer compatible with the original key. Compared to the former, the latter stems from the earlier research of Bertino et al. [1]This approach emphasizes the autonomy and controllability of data. The use of ciphertext structures to express access control transfers control to the data layer, realizing "whoever owns the data, controls access." However, fine-grained access control mechanisms for temporary policies still have many shortcomings. Due to the large parameter size in composite order groups, some methods are difficult to operate efficiently on resource-constrained edge service devices, thus their applicability in the medical IoT is questionable. Furthermore, several time-specific and attribute-based encryption schemes explicitly embed the access scope into the ciphertext, affecting policy privacy. Therefore, accurately determining the ownership of specific time units, reducing the overhead of public parameters and key materials, and efficiently deploying temporary and access policies remain key challenges in the current medical IoT.

[0030] Please see Figure 1 and Figure 2 This invention proposes a method for the circulation of electronically protected health information based on temporary access control, comprising: Obtain security parameters Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask ; Based on the epoch public key epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock ; Combined with the aforementioned epoch private key ask The set of attributes corresponding to medical providers Obtain the attribute key Atk ; Obtain plaintext electronic protected health information (ePHI) to be distributed Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; Based on the ePHI ciphertext Attribute key Atk and cloud time key CtkPerform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; Based on the audit results, the fog node Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; Receive the converted ciphertext Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Message .

[0031] like Figure 1 As shown, the method for circulating electronically protected health information based on temporary access control in this embodiment of the invention is implemented by a key management center, a medical cloud, a fog node, a medical requester, and a medical provider. The key management center is a fully trusted entity used to initialize the time epoch and generate epoch keys and attribute keys for different participants; the medical cloud is a semi-trusted entity used to perform attribute permission verification services for medical providers; the fog node is a semi-trusted entity used to determine temporary access permissions; the medical requester specifies the access policy and temporary policy, and encapsulates the ePHI plaintext into ePHI ciphertext in encrypted form, and outsources the ePHI ciphertext to the medical cloud; after obtaining the semi-decrypted converted ciphertext, the medical provider completes decryption using a local key to recover the original ePHI plaintext.

[0032] In one possible implementation, the electronically protected health information circulation method based on temporary access control in this invention is implemented by combining seven sub-algorithms, which respectively include EpochInit , EpochKGen , AttrKGen , EncPHI , Privacy Policy , TempVrfy and DecPHI The execution objectives of the seven sub-algorithms are as follows: (1) EpochInit Epoch initialization is performed by the key management center. It uses security parameters. Epoch Parameters and attributes overall Input: Epoch Public Key epk and the private key of the era ask .

[0033] (2) EpochKGen Epoch key generation is performed by the key management center. It uses the epoch public key. epk Epoch Private Key ask and time units Input: Fog Node Time Key Ftk Cloud Time Key Ctk and local key Lock .

[0034] (3) AttrKGen The attribute key generation is performed by the key management center. It uses the epoch public key. epk and attribute set Input, output attribute key Atk .

[0035] (4) EncPHI ePHI encryption is performed by the medical requester. It is implemented via message. Message Epoch Public Key epk, Access Policy and temporary strategies Input is ePHI ciphertext, output is ePHI ciphertext. .

[0036] (5) Privacy Policy : Access verification is performed by the medical cloud. It uses ePHI encryption. Attribute key Atk and cloud time key Ctk Input, output audit results .

[0037] (6) TempVrfy Temporary verification is performed by the fog node. It outputs audit results. Fog Node Time Key Ftk Input, output ciphertext .

[0038] (7) DecPHI ePHI decryption is performed by the medical provider. It involves converting the ciphertext. and local key Lock Input is ePHI plaintext, output is ePHI plaintext. .

[0039] Furthermore, in one possible implementation, the acquisition of security parameters described in this embodiment... Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask The steps are through EpochInit The algorithm implementation specifically includes: Input security parameters Epoch Parameters and attributes overall Choose three prime numbers p Factorial Cyclic Group , and And define asymmetric pairing mappings From the group Randomly select generators and From the group Randomly select generators and from the set of integers Random selection Construct a collision-resistant hash function Based on epoch parameters Initialize an empty binary tree and encode it as follows: Set the root node to null, and you will get... ;for and Iteration definition ,in, express Specific time units and From the group Random selection The algorithm outputs the epoch public key. and the private key of the era It was released to the public, and the current state of the complete binary tree is defined as follows: .

[0040] In one possible implementation, by EpochKGen The algorithm is based on the epoch public key. epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock Specifically, it includes: Key management center based on Epoch public key epk and the private key of the era ask From the set of integers Random selection and The fog node time key is calculated using the following expression. ,in :

[0041] Calculate the cloud time key using the following expression. Ctk Defined as ,in :

[0042] Define the local key as ; The key management center will use fog node time keys Ftk Send to fog node, send cloud time key Ctk Send to the medical cloud and send the local key Lock Send to the healthcare provider.

[0043] In one possible implementation, by AttrKGen The algorithm combines the epoch private key. ask The set of attributes corresponding to medical providers Obtain the attribute key Atk Specifically, this includes: inputting the epoch private key into the key management center. ask and the attribute set corresponding to the medical provider From the set of integers Random selection This allows the attribute key to be calculated and output. The calculation expression is as follows:

[0044] The attribute key obtained by the key management center Send to the medical cloud.

[0045] In one possible implementation, by EncPHI Algorithm obtains plaintext electronic protected health information (ePHI) to be circulated. Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. Specifically, it includes: The medical requester is from a set of integers Select a set of random numbers and secret vector and specify x OK y Column share generation matrix ; the secret vector Left-multiply share generation matrix The share vector is calculated. Obtain expressive access strategies ; Get the interval covering set And use the following expression to convert the plaintext ePHI Message Encapsulated as ePHI ciphertext ,in and :

[0046] The medical requester will send ePHI encrypted messages. Send to the medical cloud.

[0047] In one possible implementation, by Privacy Policy The algorithm is based on the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node, specifically including: Enter ePHI ciphertext Attribute key Atk and cloud time key Ctk Medical cloud-based attribute set Does the user have the necessary authorization permissions? (For any set of authorized attributes) There exists a reconstructed vector. , making ,in, ; Therefore, the following calculations are performed:

[0048] for and ,calculate ; The medical cloud will audit the results Send to the fog node.

[0049] In one possible implementation, by TimeVrfy The algorithm is based on the audit results from the fog nodes. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. Specifically, it includes: Fog node input audit results Fog Node Time Key Ftk Fog node test equation Whether it holds true: If the equation does not hold true, the algorithm terminates; if the equation holds true, then according to... Perform assignment operation and And calculate according to the following formula ; Fog nodes will convert ciphertext Send to the healthcare provider.

[0050] In one possible implementation, by DecPHI The algorithm receives the converted ciphertext Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext Msg, which includes: Medical provider input conversion ciphertext and local key Lock The original ePHI plaintext can be calculated and recovered using the following expression. Message : .

[0051] The following simulation experiment further illustrates the implementation effect of the electronic protected health information circulation method based on temporary access control in the embodiments of the present invention.

[0052] The simulation experiments were run on a desktop computer equipped with an Intel® Core™ i5-13500H 2.60 GHz CPU and 16GB of integrated RAM. This is in contrast to the method used by Fan et al. [5] and the methods of Ma et al. [7] This embodiment uses g149 and d159 curves from the paired cryptography library to evaluate the runtime and storage overhead of the key algorithms in this embodiment of the invention, including... EpochKGen , AttrKGen , EncPHI and DecPHI algorithm.

[0053] Figure 3 The present invention relates to references [5], [7], and the present invention. EpochKGen The key generation overhead of the algorithm. The time slot tree depth is set as an independent variable for comparative analysis. Figure 3 (a) and Figure 3 In (b), the results presented by the present invention are significantly better than those in reference [7] in terms of both time overhead and storage overhead. In contrast, since reference [7] must perform an exponential commitment for each time unit, the overhead of generating and storing the time key increases exponentially with the increase of the time slot tree depth. Figure 3 (c) and Figure 3 (d) further refines the overhead of each component in the time key. Specifically, when the time tree depth is 13, under curve g149, Ftk , Ctk and Lock The generation times were 37.883 milliseconds, 59.667 milliseconds, and 3.9×, respectively. Milliseconds; under the d159 curve, these are 21.313 milliseconds, 46.312 milliseconds, and 1.8 × 10⁻⁶ milliseconds, respectively. Milliseconds. Meanwhile, the corresponding storage overhead is 722 bytes, 684 bytes, and 19 bytes under the g149 curve, and 680 bytes, 640 bytes, and 20 bytes under the d159 curve.

[0054] Figure 4 The literature [5], literature [7] and the present invention have been quantified. AttrKGen The computational and storage overhead in the algorithm. Clearly, among the three schemes... Atk The expenses were all positively correlated with the number of attributes or shares. This difference stems from the literature. [5] and literature [7] The previous method used computationally expensive exponential and modular multiplication operations on the attributes or share quantities, while in this invention, only... A component needs to perform a one-way hash function and a modular multiplication operation. When the number of attributes or shares reaches 100, the computational overhead of this invention, reference [5] and reference [7] under the g149 curve is 165.398 ms, 1359.575 ms and 603.218 ms, respectively, and under the d159 curve it is 182.377 ms, 1532.042 ms and 656.827 ms, respectively. In terms of key length, this invention, reference [5] and reference [7] occupy 3.934 KB, 7.422 KB and 18.555 KB, respectively, under the g149 curve, and 4.063 KB, 7.813 KB and 19.531 KB, respectively, under the d159 curve.

[0055] Figure 5 (a) and Figure 5 (b) shows EncPHI The running time in the algorithm Figure 5 (c) and Figure 5 (d) describes the overhead variations of this invention in terms of both slot tree depth and share quantity. In this invention, The size depends on the interval cover set The scale. In order to obtain as many coverage nodes as possible, without loss of generality, we adopt... As a temporary strategy. Subject to The computational overhead of this invention is slightly higher than that of the online / offline encryption strategy configuration and reference [5]. However, the intermediate ciphertext and final ciphertext in reference [5] introduce a huge storage overhead. When the number of shares is 100, the storage of the intermediate ciphertext under the g149 curve is 80.546 KB and the final ciphertext is 83.682 KB, both of which are much higher than that of this invention. The running time of reference [7] increases exponentially with the depth of the time slot tree because it is in the interval and Each time unit requires modular multiplication and exponentiation operations. In contrast, when the number of shares is 100, this invention only adds two nodes in each iteration of the time slot tree depth, so the increase in its time overhead is negligible.

[0056] Please see Figure 6 ,for DecPHI Both the algorithm in this invention and reference [5] exhibit constant complexity, with the present invention having a slight advantage. In contrast, the runtime at the attribute level in reference [7] increases with the number of attributes, linearly increasing from 619.932 milliseconds to 6240.923 milliseconds under the g149 curve, and from 383.429 milliseconds to 2097.018 milliseconds under the d159 curve.

[0057] Another embodiment of the present invention also proposes an electronically protected health information circulation system based on temporary access control, comprising: The epoch initialization module is used to obtain security parameters. Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era ask ; An epoch key generation module is used to generate an epoch key based on the epoch public key. epk and the private key of the era ask Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lock ; The attribute key generation module is used to combine the epoch private key. ask The set of attributes corresponding to medical providers Obtain the attribute key Atk ; The ePHI encryption module is used to obtain the plaintext ePHI of the electronic protected health information to be circulated. Message Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Message Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; The authorization verification module is used to verify the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; A temporary verification module is used by fog nodes based on the audit results. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; The ePHI decryption module is used to receive the converted ciphertext. Combined with local key Lock For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Message .

[0058] Another embodiment of the present invention also provides an electronic device comprising: A memory that stores at least one instruction; and a processor that executes the instructions stored in the memory to implement the electronic protected health information circulation method based on temporary access control.

[0059] Another embodiment of the present invention provides a computer-readable storage medium storing at least one instruction, which is executed by a processor in an electronic device to implement the electronic protected health information circulation method based on temporary access control.

[0060] The computer program includes computer program code, which can be in the form of source code, object code, executable file, or some intermediate form. The computer-readable storage medium can include any entity or device capable of carrying the computer program code, a medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, a read-only memory, a random access memory, an electrical carrier signal, a telecommunication signal, and a software distribution medium, etc. It should be noted that the content included in the computer-readable medium can be appropriately added or removed according to the requirements of legislation and patent practice in the jurisdiction. For example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals. For ease of explanation, the above content only shows the parts related to the embodiments of the present invention; for specific technical details not disclosed, please refer to the method section of the embodiments of the present invention. This computer-readable storage medium is non-transitory and can be stored in storage devices formed by various electronic devices, enabling the execution process described in the method of the embodiments of the present invention.

[0061] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0062] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure one One or more processes and / or boxes Figure one A device that provides the functions specified in one or more boxes.

[0063] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure one One or more processes and / or boxes Figure one The function specified in one or more boxes.

[0064] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure one One or more processes and / or boxes Figure one The steps of the function specified in one or more boxes.

[0065] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.

Claims

1. A method for the circulation of electronically protected health information based on temporary access control, characterized in that, include: Obtain security parameters Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era esk ; Based on the epoch public key epk and the private key of the era esk Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lok ; Combined with the aforementioned epoch private key esk The set of attributes corresponding to medical providers Obtain the attribute key Atk ; Obtain plaintext electronic protected health information (ePHI) to be distributed Msg Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Msg Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; Based on the ePHI ciphertext Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; Based on the audit results, the fog node Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; Receive the converted ciphertext Combined with local key Lok For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Msg .

2. The method for the circulation of electronically protected health information based on temporary access control according to claim 1, characterized in that: It is implemented by the key management center, medical cloud, fog nodes, medical requesters, and medical providers; The key management center is a fully trusted entity used to initialize the time epoch and generate epoch keys and attribute keys for different participants. The medical cloud is a semi-trusted entity used to perform attribute permission verification services for medical providers. The fog node is a semi-trusted entity used to determine temporary access permissions. The medical requester specifies the access policy and temporary policy, and encapsulates the plaintext ePHI into ePHI ciphertext in encrypted form, outsourcing the ePHI ciphertext to the medical cloud. After obtaining the semi-decrypted converted ciphertext, the medical provider completes decryption using a local key to recover the original plaintext ePHI.

3. The method for the circulation of electronically protected health information based on temporary access control according to claim 2, characterized in that: The acquisition of security parameters Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era esk The steps are through EpochInit The algorithm implementation specifically includes: input security parameters. Epoch Parameters and attributes overall Choose three prime numbers p Factorial Cyclic Group , and And define asymmetric pairing mappings From the group Randomly select generators and From the group Randomly select generators and from the set of integers Random selection Construct a collision-resistant hash function Based on epoch parameters Initialize an empty binary tree and encode it as follows: Set the root node to null, and you will get... ;for and Iteration definition ,in, express Specific time units and From the group Random selection The algorithm outputs the epoch public key. and the private key of the era It was released to the public, and the current state of the complete binary tree is defined as follows: .

4. The method for the circulation of electronically protected health information based on temporary access control according to claim 3, characterized in that: pass EpochKGen The algorithm is based on the epoch public key. epk and the private key of the era esk Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lok Specifically, it includes: Key management center based on Epoch public key epk and the private key of the era esk From the set of integers Random selection and The fog node time key is calculated using the following expression. ,in : Calculate the cloud time key using the following expression. Ctk Defined as ,in : Define the local key as ; The key management center will use fog node time keys Ftk Send to fog node, send cloud time key Ctk Send to the medical cloud and send the local key Lok Send to the healthcare provider.

5. The method for the circulation of electronically protected health information based on temporary access control according to claim 4, characterized in that: pass AttrKGen The algorithm combines the epoch private key. esk The set of attributes corresponding to medical providers Obtain the attribute key Atk Specifically, this includes: inputting the epoch private key into the key management center. esk and the attribute set corresponding to the medical provider From the set of integers Random selection This allows the attribute key to be calculated and output. The calculation expression is as follows: The attribute key obtained by the key management center Send to the medical cloud.

6. The method for the circulation of electronically protected health information based on temporary access control according to claim 5, characterized in that: pass EncPHI Algorithm obtains plaintext electronic protected health information (ePHI) to be circulated. Msg Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Msg Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. Specifically, it includes: The medical requester is from a set of integers Select a set of random numbers and secret vector and specify x OK y Column share generation matrix ; the secret vector Left-multiply share generation matrix The share vector is calculated. Obtain expressive access strategies ; Get the interval covering set And use the following expression to convert the plaintext ePHI Msg Encapsulated as ePHI ciphertext ,in and : The medical requester will send ePHI encrypted messages. Send to the medical cloud.

7. The method for the circulation of electronically protected health information based on temporary access control according to claim 6, characterized in that: pass PrivVrfy The algorithm is based on the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node, specifically including: Enter ePHI ciphertext Attribute key Atk and cloud time key Ctk Medical cloud-based attribute set Does the user have the necessary authorization permissions? (For any set of authorized attributes) There exists a reconstructed vector. , making ,in, ; Therefore, the following calculations are performed: for and ,calculate ; The medical cloud will audit the results Send to the fog node.

8. The method for the circulation of electronically protected health information based on temporary access control according to claim 7, characterized in that: pass TimeVrfy The algorithm is based on the audit results from the fog nodes. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. Specifically, it includes: Fog node input audit results Fog Node Time Key Ftk Fog node test equation Whether it holds true: If the equation does not hold true, the algorithm terminates; if the equation holds true, then according to... Perform assignment operation and And calculate according to the following formula ; Fog nodes will convert ciphertext Send to the healthcare provider.

9. The method for the circulation of electronically protected health information based on temporary access control according to claim 8, characterized in that: pass DecPHI The algorithm receives the converted ciphertext Combined with local key Lok For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext Msg, which includes: Medical provider input conversion ciphertext and local key Lok The original ePHI plaintext can be calculated and recovered using the following expression. Msg : .

10. A protected electronic health information circulation system based on temporary access control, characterized in that, include: The epoch initialization module is used to obtain security parameters. Epoch Parameters and attributes overall And based on the security parameters Epoch Parameters and attributes overall Generate the epoch public key corresponding to the epoch through cryptographic operations. epk and the private key of the era esk ; An epoch key generation module is used to generate an epoch key based on the epoch public key. epk and the private key of the era esk Generate fog node time keys separately Ftk Cloud Time Key Ctk and local key Lok ; The attribute key generation module is used to combine the epoch private key. esk The set of attributes corresponding to medical providers Obtain the attribute key Atk ; The ePHI encryption module is used to obtain the plaintext ePHI of the electronic protected health information to be circulated. Msg Fixed access policy and temporary access policies Based on the fixed access policy and temporary access policies Regarding the circulation of protected health information in plaintext ePHI format Msg Perform the encryption and encapsulation operation to obtain the corresponding ePHI ciphertext. ; The authorization verification module is used to verify the ePHI ciphertext. Attribute key Atk and cloud time key Ctk Perform cloud-based audit calculations to generate audit results. and the audit results Send to the corresponding fog node; A temporary verification module is used by fog nodes based on the audit results. Perform a temporary access verification operation, combined with the fog node time key. Ftk For the ePHI ciphertext Perform the conversion process to generate the corresponding converted ciphertext. ; e The PHI decryption module is used to receive the converted ciphertext. Combined with local key Lok For the converted ciphertext Perform the decryption and restoration operation to recover the original ePHI plaintext. Msg .