Stereo storage structure assisted one-way anonymous auditing protocol in e-health system

Aim: With the popularity of cloud storage, data integrity has become a hot research spot. As clients’ data is outsourced to the cloud, how to prevent clients’ privacy from being leaked has become an urgent problem to be solved. In addition, the design of the storage structure in the cloud is also a challenge. To solve the above problem, we focus on enabling data integrity verification in the medical environment with clients’ privacy protection and a novel storage structure assisted. Methods: By leveraging the one-way anonymous key agreement and the novel stereo storage structure, a novel stereo storage structure assisted one-way anonymous auditing protocol in e-health system is proposed. First, the one-way anonymous auditing protocol can realize the adaptive anonymity of clients in the e-health system. Second, the novel stereo storage structure can implement the storage and fast search of medical data. Results: The theoretical analyses indicate that the proposed scheme is secure under the Computational DiffieHellman problem and Discrete algorithm problem and it has a decent performance in computational overhead. Besides, the simulation results demonstrate that the computational cost of the user is constant. Conclusion: To protect the user’s private information in e-health system, we propose a stereo storage structure assisted one-way anonymous auditing protocol in this paper. In the proposed scheme, fast searching of data, the one-way anonymity and the data auditing with mutual supervision are supported, which is necessary for the patients and the medical personnel in a real e-health scenario.


INTRODUCTION
The development of society is inseparable from the advancement of science and technology. As the huge development of the internet industry and the rise of data applications such as artificial intelligence and big data spread throughout people's lives, people begin to generally realize the importance of data. The world is gradually stepping into the era of data dominance, and all walks of life are generating data all the time. Due to the sheer amount of data that is ever increasing, traditional storage methods cannot meet the needs of the people anymore which leads to the emergence of cloud storage.
Cloud platform provides individuals and organizations with powerful storage services which brings great benefits as follows: (1) users only need to pay for the actual storage without worrying about insufficient storage resources; (2) with data hosted to cloud platform, local data will no longer be stored, which can reduce the purchase cost and energy consumption cost of storage equipment; (3) the maintenance of data storage can be left to cloud service providers (CSP) to save the cost of maintaining large amounts of data for users; (4) cloud data can form linkage with local data to make redundant backup to each other; and (5) users can easily access the data in the cloud through web interface or application.
While cloud storage has many advantages, there are also some security threats [1,2] . On the one hand, the cloud infrastructure may suffer some inevitable hardware or software failures or external attacks that lead to data corruption could occur, but cloud server providers could deliberately hide the fact of data corruption for the sake of their business reputation. On the other hand, the outsourced data stored in the cloud might suffer from illegal behaviors from CSP for commercial benefits. What is more, the outsourcing of data results in users no longer physically owning the data, so users cannot even verify whether their data is complete, available, or secure.
Therefore, how to guarantee the data integrity and the privacy of users on the cloud server has become a key issue for cloud storage services. More data security issues are increasingly prominent such as whether the user data is securely stored or whether the user privacy is leaked and so on [3][4][5] . When it comes to the electronic heath system, a physician records the information of patients' medical treatment electronically through electronic health records which involves the collection, quality control, transmission, storage, statistics, and utilization of patient information. Obviously, it is difficult for traditional storage methods to screen and retrieve typical health records for medical statistics and scientific research. An electronic health system can not only retrieve all kinds of medical records quickly, but also make the previously laborious process of obtaining medical statistics become very simple and fast, providing first-hand data for scientific research and teaching. Nevertheless, such information often contains confidential and sensitive information, and the disclosure or falsification of such information may damage the reputation and property of patients.
In order to address these issues, considerable efforts have been made. Among existing proposals, great amounts of cloud data integrity auditing schemes based on privacy protection have been proposed [6][7][8][9] . To verify whether the outsourced data remains intact, file owners or auditors can challenge the cloud server with low communication overheads and computation costs.
Motivation of this paper: Medical data include patients' information such as admissions, discharges, transfers, e-health system patient records, diagnoses, treatments, medical images, economic/financial data, and so on. The quality, confidentiality, and integrity of medical data will affect the real-time, shortterm, and long-term performance of the application. First, it will directly affect the daily management and treatment of patients. Second, the application of software and systems for obtaining information and decision support may be affected. Third, there are unknown impacts data storage failure may cause on medical research which can lead to irreparable consequences. At present, researchers have designed many protection schemes for data in the cloud. However, there is no complete data protection scheme specially designed for medical data.

Our contributions
To solve the above security protection problem of cloud medical data, this paper designs a one-way anonymous auditing protocol in the e-health system. The contributions of this paper can be summarized as follows.
1.1 1 A novel stereo storage structure is proposed to assist the auditing protocol in the e-health system As stated above, medical data consists of a variety of data types. Therefore, we propose a novel data storage structure to store medical data, which can achieve fast search of data. In addition, the design of this structure saves the storage overhead of index tables.

A one-way anonymous e-health system model is presented
In view of the current status of the medical environment, for better protection of the privacy of patients, we propose an e-health system model that supports one-way anonymity, which means patients in this system model can keep their identities anonymous. Simultaneously, medical personnel identity information is disclosed in the system, so that patients can find the responsible person when a medical accident occurs.

An auditing protocol aiming to support both physician and patient validation is provided
This scheme innovatively enables patients and attending physicians to independently verify the integrity of their commonly relevant medical data. In other words, both patients and their attending physicians can verify whether medical data file in the cloud is correct and complete. In addition, it can promote information exchange and mutual supervision between physicians and patients.

Related works
In the past few years, data integrity in the cloud has received much attention as a core security issue. Hereafter, abundant security models and data protection schemes have been proposed by researchers around the world to solve the integrity audit problem of outsourced data [10,11] . In 2003, Deswarte et al. [12] first put forward the theoretical model of remote verification of data integrity of untrusted servers based on the Diffie-Hellman key agreement protocol. The proposed model consists of only two entities, the user and the cloud server provider. The user can directly initiate data integrity verification to the cloud service provider, laying a foundation for the subsequent cloud data auditing protocol. At that time, cloud storage was not yet widespread, and only a few users outsourced a small amount of data on remote servers, so that the protocol did not take into account a situation where a large community of users are storing a great deal of data on cloud servers which we see today. Once the data stored by the user on the remote server is too large, the computing overhead on the user side cannot be borne by ordinary computers, and the protocol cannot work normally. Thus, to solve that problem, a third-party auditor entity is introduced to validate the integrity of the outsourced data in the cloud.
With a growing number of users using the storage service on the cloud, cloud data auditing protocols are rapidly being developed, and many scholars are proposing plentiful valuable solutions. In 2007, Ateniese et al. [13] firstly put forward a notion of Provable Data Possession to confirm the outsourced data possession on the untrusted cloud, which is based on RSA homomorphic linear verification and supports third-party public auditing. However, the dynamic update of data is not supported in this scheme, and this scheme cannot protect users' privacy. In the same year, Juels et al. [14] proposed a model named Proof of Retrievability, as well as presented a practical scheme which supports the integrity verification of data and the recovery of damaged data. Nevertheless, this scheme has a limited number of times to verify data integrity and does not support dynamic auditing or batch auditing. Since then, to solve the aforementioned problems, many scholars have devoted themselves to making improvements based on these two schemes, and they have made great progress in supporting more performance such as batch auditing, operating efficiency, and dynamic data update. Nevertheless, few people paid attention to the problem that these schemes leak users' private data to third-party auditors in the process of auditing. In 2010, Wang et al. [15] first proposed an auditing scheme that can be publicly verified to support user privacy protection. This scheme is based on public key homomorphic label technology so that the auditor can perform auditing without obtaining all the data of the user which greatly increases the operating efficiency of the system. The scheme also uses a random masking technique which makes it impossible for third party auditors to obtain users' private information through the verification returned by cloud service providers. In addition, the auditing protocol supports dynamic update of data, batch auditing, and multiple auditing tasks that can be performed simultaneously. It was later confirmed that there were still security risks. Therefore, in 2011, Wang et al. [16] improved the system for the security but caused a huge computing burden on the cloud server, greatly reducing the efficiency of system operation. In terms of this problem, in 2015, Worku et al. [17] increased the efficiency of system operation while ensuring data security, but unfortunately, it did not support dynamic data operations.
Besides storage data, users would like to perform updates to outsourced data directly in the cloud. Based on this, Wang et al. [18] proposed a relatively complete protocol which can support data update, user privacy protection, and batch auditing, but it will lead to the problem of high computing cost on the client side. Then, Garg et al. [19] designed a protocol that can minimize the computational complexity for the client during the system setup phase, which is publicly verifiable and supports dynamic operations on data.
After that, many multi-user modification and user revocation schemes have been proposed [20][21][22][23] . However, the above scheme cannot solve the problem of data redundancy well. To solve that problem, Wu et al. [24] , Daniel and Vasanthi [25] removed redundant data from the cloud server which saved the storage cost of cloud service providers and greatly improved the efficiency of data validation. However, none of the above schemes have been designed specifically for images stored on the cloud, thus Tang et al. [26] proposed an efficient real-time integrity auditing protocol specially designed for cloud images, which also supported fair arbitration. In 2019, based on a new primitive fuzzy identity, Zhao et al. [27] presented a dynamic auditing protocol for the integrity verification of big data. This scheme applies fuzzy identity to the integrity verification of big data for the first time.
However, the above existing solutions cannot be well applied to the e-health systems due to the special relationship between medical staff and patients, and the particularity of medical data. Therefore, we explore a novel storage structure for storing medical data for the e-health system and design a one-way anonymous auditing protocol in this paper.

Organization
The rest of this paper consists of the following parts: We first introduce the preliminaries in Section 2, mainly including some definitions and basic properties about bilinear pairing and one-way anonymous key agreement required for this paper. Then, we describe the system architecture that contains the proposed system model, system components, and stereo storage structure in Section 3. In Section 4, we formalize the security model of the proposed one-way anonymous auditing protocol. In Section 5, a detailed description of the proposed scheme is demonstrated. After that, a security analysis is presented in Section 6. In addition, performance analysis of our stereo storage structure assisted one-way anonymous auditing protocol in e-health system is given in Section 7. Finally, Section 8 concludes the findings of the paper.

PRELIMINARIES
Necessary preliminaries mainly including some definitions and basic properties about bilinear pairing and one-way anonymous key agreement required for this paper are introduced in this section.

Bilinear pairing
Let G 1 and G 2 be two groups of the same prime order q. Let G 1 be an additive group, and let G 2 be a multiplicative group. A mapping e on (G 1 , G 2 ): G 1 2 → G 2 satisfying the following properties is named a cryptographic bilinear map [28] .

Non-degeneracy
If P is a generator of G 1 , then e( P , P ) is a generator of G 2 . That is to say, e( P , P ) ≠ 1.

One-way anonymous key agreement
One-way anonymous key agreement was proposed by Kate et al. [29] . Suppose Alice ID A and Bob ID B are clients of the same key generation center, whose master secret is s and d i = s . H(ID i ) for clients with their identity ID. Then, clients can compute a shared key by using their own privacy key and the identity ID of the other participant. What is more, suppose Alice wants to remain anonymous with Bob. Hereafter, the key agreement protocol process can be roughly divided into the following two parts: (1) first, Alice computes

System model
Stereo storage structure assisted one-way anonymous auditing scheme in e-health system involves four entities: key generation center, users, the third-party auditor, and cloud server. Figure 1 illustrates the relationship between those four entities.

User
In our model, patients and physicians are considered as the two main electronic health system (EHS)related personnel types. For instance, when a patient seeks a diagnosis through interview by a physician in EHS, the patient needs to inform the physician of his or her own information at first. To realize the privacy protection of the patient's identity, our scheme will set up a false name for the patient based on the patient's identity ID to interact with the physician. A physician needs to generate patients' electronic health records (EHRs), which contains basic information about the physician and the patient as well as the patient's medical data, and upload it to the cloud. Although physicians and patients are two different entities, their functional needs for data in the EHS are similar. Therefore, we consider the physicians and the patient as one object in this system. As user, both physicians and patients can access the relevant EHRs and validate the integrity of their data by authorizing the TPA.

Key generation center
The key generation center is a trusted party in e-health system responsible for setting system parameters and generating the corresponding privacy key based on the client's identity and distributing it to the user.

Cloud server
It is supposed that the cloud server is a terminal that provides unlimited computing and storage capacity. Users can upload data through the cloud storage service and share it with other users. During the data integrity auditing process, Cloud server (CS) can respond to the challenges that users delegate to thirdparty auditor (TPA).

The TPA
TPA is a public verifier, which is assumed to be a terminal with unlimited computing and storage capability. TPA provides data auditing services and is entrusted by users to verify the integrity of cloud data.

System components
Stereo storage structure assisted one-way anonymous auditing protocol in e-health system consists of the following four algorithms: Setup, KeyGen, Extract, and Audit. Specifically, these algorithms are described as follows: (1 ) ( , ) κ → Setup para msk : On input l where is a security parameter, the system setup algorithm, which is a probabilistic algorithm run by the Key generation center (KGC), generates the public parameter PP for the system and a master secret key msk for the KGC itself.
: This algorithm is a probabilistic algorithm run by a user. The user is given system parameters PP, key KAB , file F and its file name. It outputs a verifiable file tag t , a set of block authenticators [1, ] { } σ ∈ i i n of the processed file blocks

Audit PP
: This algorithm is a probabilistic algorithm jointly run by the auditor and cloud server. It outputs 1 to indicate all of the data block can be verified to be original and integrated by t .

Stereo storage structure
The novel stereo storage structure proposed in this paper is aimed to realize fast retrieval and query of data and assist the auditing protocol in the e-health system. As is shown in Figure 2, a three-dimensional storage structure is designed to store mass amounts of medical data from the users. Specifically, each plane of the three-dimensional structure on the left part of the figure contains a header file and a series of f diagnosis and treatment files of a certain physician corresponding to a certain patient. The header file contains the identity information of the physician and the patient, which is convenient for quick search of the file. Here, 1 ≤ f ≤ , and is the upper limit of file number of each plane in the stereo storage structure. And those medical files contained in one plane can be generated, shared with, and verified for integrity by both of the specific physician and the patient. In other words, all diagnosis and treatment files of a physician D d for one of his/her patients P P are stored in the same plane. For example, F 1,1,f represents the f-th files of the physician D 1 and the patient P 1 , and F 1,2,f represents the f-th files of the physician D 1 and the patient P 2 . In the same way, the patient P 2 can also consult with the physician D 2 , during which a series of files will be generated.
In this e-health system, we suppose the user set contains a set of physician D and a set of patient P, and the index of the physician and patient is d and p, respectively. Here, the f-th files of the physician D d and the patient P P is denoted as F d,p,f , and the header file of this series of files in the same plane is represented as F d,p . In addition, the f files corresponding to one of the planes are shown on the right in the figure, which together form a smaller three-dimensional storage structure. Each plane in the right picture represents a file. In order to better process the file data, we uniformly divide each file into n blocks and each block Furthermore, there are a warrant list of corresponding files in the header file of each plane in the structure for the auditing of the log information, which include the file origin, file type, and consistency of outsourced files. Based on this stereo storage structure, we can quickly search any user's file and the corresponding data block fragments to assist one-way anonymous auditing protocol. Additionally, dynamic data updates are an important part of the auditing schemes. However, due to the particularity of medical data, changes in the data may cause irreversible effects on the medical data. Therefore, dynamic data updates in this paper need both patients' and their attending physicians' authorization; however, those updates will not change the division of the original file.

SECURITY MODEL
The following security model of the stereo storage structure assisted one-way anonymous auditing scheme is proposed by designing a series of games between an adversary and a challenger . Taking into account in our security model the fact that the cloud server may modify or remove the data in the cloud due to software and hardware failure or man-made destruction, we view the untrusted cloud server as an adversary and the user as a challenger . The formalized security model of the game is as follows: (1) Setup. Once security parameter is inputted in the system, the challenger runs the system Setup algorithm, and generates the system public parameter PP and a master secret key msk. Then, the challenger sends the system public parameters PP to .
(2) Query. In this process, can spontaneously issue the following two queries to : KeyGen Queries: At first, queries the secret key for the patient P A and physician Q B . Then, runs the KeyGen algorithm in the system to generate a secret key KAB and sends the secret key to . Extract Queries: Then, in these queries, adaptively make queries of the signatures for the file M. After runs the KeyGen algorithm and gets the secret key, runs the Extract algorithm to generate the signatures of the file M. Next, sends the signatures of the file M to .
(3) Challenge. In this phase, plays the role of a prover to yield a valid proof and acts as a verifier to check out the correctness of the proof. The challenger samples a series of random numbers and sends the challenge (4) Output. Once receiving the challenge from the challenger , the adversary generates corresponding proof P and feedback to . If this proof P can be verified by with a non-negligible probability, that is to say, this game ends and ultimately successful in the game above.

OUR PROPOSED SCHEME
Our proposed scheme is demonstrated in four phases in this section. Firstly, in the system setup phase, the KGC sets the system public parameters and a master secret key. Secondly, the KGC generates privacy keys for users and secret keys for auditing in the registration phase. Next, in the storage phase, users upload and update files to the cloud along with file warrants, authenticators, and tags. Finally, in the integrity verification phase, TPA is entrusted by the data owner to verify corresponding data integrity. Note that for simplicity, some primary notations used throughout the paper are summarized in Table 1. Moreover, the scheme is described in detail as follows:

System setup: Setup
Once taking a security parameter as input, the KGC randomly selects two multiplicative cyclic groups G and G T with prime order q, where g is a generator of G. e: G × G → G T denotes a bilinear map. After that, the KGC picks an integer * ∈ R q a Z at random and computes 1 = a g g where ∈ g G. . Finally, the master secret key msk is set as g Gand keeps the msk in secret by the KGC.

Registration: KeyGen
The KGC runs the KeyGen algorithm to yield a shared secret key for users with the msk and public parameter PP. The registration procedure consists of two phases: PrivacyKeyGen and SecretKeyGen.
(1) PrivacyKeyGen: First, the KGC generates and distributes the corresponding private key for every user who may be a patient or a consultant in e-healthy system. In detail, the KGC computes i Q based on user's identity as 1

Storage: Extract
The storage procedure contains the following three phases: WarrantGen, AuthenticatorGen, and TagGen.
(1) WarrantGen: When user uploads or updates a new medical data, the corresponding file information will be updated. For confirming some additional information about the source, type, and consistency of the files If the above equation is true, the attending physician B accepts the authorization δ Λ ; otherwise, the patient A fails to generate a valid warrant.
(2) AuthenticatorGen: Given a medical file F to be outsourced, the user first splits F into n blocks, and each contains s sectors: For each file F, choose a random number * ϑ ∈ R q t Z , and for the i-th block, yield a block authenticator as follows: (3) TagGen: A random name FID is chosen for a file from * q Z , and s random elements 1 , , In addition, the processed file * F that comprises F , FID , Λ , δ Λ , andσ i is uploaded to the CS and can be stored in the proposed stereo storage structure and removed from the user's local side.

Integrity verification: Audit
The auditing procedure contains following three phases: Challenge, Response, and Verification. And the process of integrity verification is shown in Figure 3. K . If the file tag t of outsourced file cannot pass the verification, then the auditing task will not be executed, and the protocol aborts; otherwise, the TPA will analyze t 0 to acquire the total number n of outsourced file blocks. The TPA picks a random nonempty subset [ (3) Verification: Once receiving the proof P, with public system parameter PP and file tag t , the TPA first verifies the validity of δ Λ by demonstrating the equation (6), and then, verifies aggregate block authenticator σ as follows: e g e g g KP WP e u g (9) If the equation (9) is true, the challenged outsourced file in the cloud is verified as intact; otherwise, the challenged file is corrupted. In the above auditing process, TPA can also audit the details of the challenged file warrant. That is, the proof P, which will be fed back by CS, should contain more file details.

SECURITY ANALYSIS
We analyzed the soundness of our scheme at first. That is, if all the entities are honest in this identity-based one-way anonymous e-health system, then the processed files and log warrants about medical data can be audited correctly. Then, we propose a simple security analysis for this scheme.
Theorem 1: In an appropriate registration process, the KGC is supposed to generate a correct privacy key for the user. In addition, the patient always produces a valid log warrant for his or her attending physician to render certain the authenticity of medical data. If the outsourced file in the cloud is not corrupted or tampered with, then the proof yielded by CS will be confirmed as valid.
Proof: As shown in Equation (2), we can confirm the correctness directly. Since patient A and the attending physician B have the shared auditing key, it follows that:    Here, we suppose that the signature algorithm is efficient and secure, and can generate file tags validly and correctly. And it is supposed that the Computational Diffie-Hellman (CDH) assumption holds in bilinear groups. The identity-based one-way anonymous scheme is secure against adaptive simulation. In detail, neither an untrusted cloud server nor the adversary can forge a valid proof to get through the verification of the auditor successfully if the data in the cloud is tampered with or corrupted.
Proof: We utilize the theory of knowledge proof and a series of security games to prove this theorem which can acquire the challenged data blocks in the aforementioned game. When the adversary interacts with the challenger and generates a valid proof P, adversary can successfully pass the verification for the challenged data blocks in the aforementioned game; there is a constructed knowledge extractor that can capture the challenged data blocks. It is assumed that the adversary can get through the TPA's verification successfully without keeping the outsourced file integrity. Then, we can capture the whole challenged data blocks through the interaction between the constructed knowledge extractor and the proposed scheme.
Game 0: The challenger and the adversary behave in Game 0 in a manner similar to that described in Section 4. First, the challenger executes the preprocessing Setup algorithm to obtain the public parameter PP and a master secret key msk, and then sends PP to the adversary . Next, performs the KeyGen algorithm to obtain the secret key of user. Then, picks a list of data blocks and queries the signatures of them. According to the queries, executes the Extract algorithm to generate corresponding signatures for the data blocks and transmit these requested signatures to the . After that, sends a challenge to , and generates corresponding proof to . Finally, succeeds and the game aborts if the proof can get through the verification of successfully with non-negligible probability.
Game 1: This game is identical to Game 0 with one difference. The challenger keeps a list of query records about the requested signature of . If the adversary is able to yield a aggregate signature, which is valid under the verification of the challenger and is not generate by , the game aborts and the adversary succeeds.
Analysis: It is supposed that wins in the Game 1 with non-negligible probability. With this in mind, we can construct a simulator in our scheme to solve the CDH problem in bilinear groups. Given a group G with prime order q , , , α ∈ g g h G as input, the simulator is to generate α h by interacting with . The simulator acts like the challenger and runs as follows: (2) When processing a file F, the simulator first yields a secret key for user as KAB by executing KeyGen algorithm. Hereafter, the simulator picks a random unique identifier for file F and a random element Based on equation (10), we have: In addition, the simulator computes the block authentication for file block x i as . From the perspective of , s i is computationally indistinguishable from the real value.
(3) With the constant interaction, the simulator sends the processed files * F to the adversary , which contains [1, ] {{ } , , } σ δ ∈ Λ i i n FID . Then, outputs a forgeryσ with a non-negligible probability. Finally, if the adversary is succeed to pass the validation, but the aggregate authenticationσ is unequal to the excepted aggregate authentication s calculated by the simulator, then the game aborts.
According to the correctness of the proposed protocol, it is obvious that a correct proof 1 , , , χ χ σ  s can get through the verification successfully of the equation as follow: It is obvious thatχ χ ≠ j j , otherwise~= σ σ . Then, define a set~ [ 1, ] { } χ χ χ ∈ ∆ = − j j j j s , which means at least one element of χ ∆ j is non-zero. After that, divide equation (13) by equation (12) and get the following equation: It further implies:~1 Finally, we can get the value of α h as follow: As long as the~1 x q q , which is contradictory with the assumptions of the CDH problem. It means that if the adversary has a different probability of success in Game 0 versus Game 1, which is nonnegligible, then the simulator can be constructed to solve the CDH problem.
Game 2: Game 2 is similar with Game 1, except the following difference. The challenger keeps interaction with the adversary and holds all the processed outsourced files that have been sent to . In the process of the proposed auditing protocol, if the aggregate authenticatorσ yielded by is not equality to the aggregate authenticatorσ of the challenged file blocks, then the game aborts and the adversary succeeds.
Analysis: Suppose the adversary wins in this Game with a non-negligible probability. Hereafter, a simulator is constructed to work out the Discrete algorithm (DL) problem if the adversary can succeed in this game. Given a group G with prime order q, , ∈ g h G as input, the target of the simulator is to yield a by interacting with , which satisfies α = h g . The simulator behaves like in Game 2, but with the following differences: (1) Before processing a file F, the simulator first performs the KeyGen algorithm and yields a secret key for user as KAB. Then, following the process of the presented scheme in this paper, the simulator uses (2) The simulator keeps interacting with to execute the auditing protocol proposed in this paper. As described in Game 1, if the aggregate file sectorsχ j generated by the adversary is not equal to the aggregate file sectors χ j of the challenged sectors, then the game aborts and the adversary succeeds. It is easy to know thatσ σ = for the reason that Game 1 is not aborted. Next, with this in mind, compared with equation (12) and equation (13), we can get the following equation: In addition, set~ [ 1, ] { } χ χ χ ∈ ∆ = − j j j j s , which means at least one element of χ ∆ j is non-zero. After that, compute: Finally, the value of a is as follow: q q, which is contradictory with the assumption of the DL problem. It means that if the adversary has a different probability of success in Game 1 and Game 2, which is nonnegligible, then the simulator can be constructed to solve the DL problem. To summarize, the proposed one-way anonymous auditing protocol is secure and can be proven by uniting Game 0, Game 1, and Game 2.

PERFORMANCE ANALYSIS
In this section, we first compare our scheme with the related schemes in terms of various characteristics. In Table 2, we can clearly conclude that our solution can better satisfy all the major characteristics.
Then, we give the numerical analysis of the computation overhead of the proposed stereo storage structure assisted one-way anonymous auditing protocol and then evaluate the performance of our scheme. In Table 3, we analyze and present the computation overhead of each algorithm respectively in the proposed scheme. Primarily, the following notations are defined to represent the various operations in the specific algorithms of each phase. The symbols , , and denote a multiplication operation, a exponentiation operation and a hashing operation in G, respectively. In this paper, H 1 , H 2 , and H 3 are not distinguished and all can be expressed as . Similarly, the symbols T and T are respectively expressed as a multiplication operation and a exponentiation operation in G T . and q are indicated as one addition operation and one multiplication operation in q Z , respectively. And represents a bilinear pairing evaluation operation : × → T e G G G . Considering that both 1 g and 2 g are public system parameters in our protocol, then 2 1 ( , ) e g g can be calculated in advance and viewed as a public value. Therefore, the computation overhead of 2 1 ( , ) e g g is not contained in Table 3. Furthermore, the symbols .
S Sign and . S Vrf are used to denote the signature and verification file tag processes. Hereafter, as shown in Table 3, Setup is a system preprocessing phase, which is performed by KGC and needs 2 . In the algorithm of KeyGen(a), KGC needs + operations to generate a privacy key for user, and both the physician and the patient need 2 + + T operations to verify the validity of the private key distributed by KGC. In the algorithm of KeyGen(b), the patient performs one operation and one q operation more than the physician to generate a pseudonym. To process a medical file, patient firstly yields a warrant for the physician, which needs 2 + + ( + 1) operations. Then, the physician verifies the validity of the warrant, which needs 3 + 2 + 2 T + operations. denotes the string length of warrant. The amount of file data blocks and sectors are expressed as n and s. After that, physician performs another + + (s + 1) operation to generate a block authenticator. After receiving a challenge from TPA, CS executes n |I| q + n (|I| -1) + (|I| -1) + |I| operations to yield a proof P, where the |I| is indicated as a set of nonempty challenge file randomly selected by TPA for auditing. Finally, TPA performs (s + 1) + + (|I| -1) + 3 + 3 T + (s + 1) + T operations to verify data integrity in the cloud. Figure 4 shows the computational cost of each entity in the proposed scheme for auditing an outsourced medical file with various numbers of data blocks. In this scheme, the time costs of TPA to prepare a challenge |I| is not taken into account, for TPA can sample a series of random elements by running offline.
In the experiments, we set = 160 in this scheme and each file block consists of 160 sectors, which means that it has around 4 KB of size. Moreover, we compare the efficiency of processing a 1 MB file by set challenge data block as 20, 40, ... , 100, 200, respectively.
The simulation results of Figure 4 demonstrate that the computational cost of the user is independent of the number of data blocks in the file in carrying out the extraction algorithm. Specifically, this experiment of our scheme only considers the case that patients generate warrants for files, which can be verified by physicians and generate file tags for those files, so the calculation cost of physicians is slightly higher than that of patients, which is in line with the theoretical computational overhead analysis of the proposed scheme shown in Table 3. In addition, if it is necessary, the division of work between the physician and the patient is interchangeable during the file processing phase. After that, in the audit phase, TPA has transferred part of the calculate task to CS. Therefore, we can conclude that, as shown in Figure 4, with the increase of data blocks, the calculation cost of CS increases gradually.

CONCLUSION
In this paper, we proposed a stereo storage structure assisted one-way anonymous auditing protocol aiming the e-health system for the particularity of medical data. In our scheme, medical data can be reviewed, used and verified for integrity by relevant medical personnel and relevant patients. Besides, both the file origin and the file integrity of medical data in EHS can be verified. In addition, the proposed stereo storage structure can effectively assist the storage and quick search of various types of medical data. Both the security analyses and experimental results demonstrate that the proposed scheme in this paper is efficient and secure in the cloud.

Authors' contributions
Made substantial contributions to conception and design of the study and write the manuscript: Jiang LH Provided administrative, technical, and material support: Wang C, Shen J Ethical approval and consent to participate