privacy preserving index for encrypted electronic medical records


J Med Syst (2013) 37:9992
DOI 10.1007/s10916-013-9992-x

ORIGINAL PAPER

Privacy Preserving Index for Encrypted Electronic Medical Records

Yu-Chi Chen · Gwoboa Horng · Yi-Jheng Lin · Kuo-Chang Chen

Received: 18 July 2013 / Accepted: 9 October 2013 / Published online: 26 October 2013
© Springer Science+Business Media New York 2013

Abstract With the development of electronic systems, privacy has become an important security issue in real life. In medical systems, the privacy of patients’ electronic medical records (EMRs) must be fully protected. However, to combine efficiency and privacy, a privacy preserving index is introduced to preserve the privacy, where the EMR can be efficiently accessed by the patient or a specific doctor. In the literature, Goh first proposed a secure index scheme with keyword search over encrypted data based on a well-known primitive, the Bloom filter. In this paper, we propose a new privacy preserving index scheme, called position index (P-index), with keyword search over the encrypted data. The proposed index scheme is semantically secure against the adaptive chosen keyword attack, and it also provides flexible space, lower false positive rate, and search privacy. Moreover, it does not rely on pairing, a complicated computation, and thus can search over encrypted electronic medical records from the cloud server efficiently.

Keywords Privacy preserving index · Electronic medical record · Keyword search · Privacy · Security

Introduction

The security and privacy of electronic medical records (EMRs) have drawn attention, because medical systems now usually adopt cloud services. Users can acquire services or aids from clouds. However, privacy protection of personal sensitive information is a major security issue during communications, and for EMRs as well. The private data in the open network server should be accessible by the owner at any time. Furthermore, we would like attackers to be unable to obtain any useful information from private data.

Y.-C. Chen (✉) · G. Horng · Y.-J. Lin · K.-C. Chen
Department of Computer Science and Engineering, National Chung Hsing University, Taichung, Taiwan
e-mail: [email protected]

There are many ways to protect the privacy of data, for instance, relying on an encryption algorithm. A user stores encrypted data in the open server, and retrieves all the encrypted data through the network when he needs it. Whenever the user needs a segment of those data, he retrieves all the encrypted data, and then picks the needed ones. This method is secure against the hostile server or attackers, but it is quite inefficient. The large amount of data transmission is not affordable, since the user might own weak devices in cloud computing. A new method to get rid of unnecessary data transfer is essential. Keyword search over encrypted data, also referred to as Keyword-Searchable Encryption, is presented to overcome this problem.

Nowadays, the file storage system is a common application, as is cloud storage; for example, iCloud and Dropbox. For different purposes, multiform secure cloud services have been proposed [1–4]. However, for keyword-searchable encryption, the file server is defined as an honest-but-curious server [5–9], which means the server responds to any user’s request correctly but wants to infer the content of those data. Keyword-searchable encryption is appropriate in this system. The user is able to encrypt his data using any encryption such as DES or AES, and then attaches the searchable ciphertext, which is generated by using keyword-searchable encryption. When the user needs his data, he only computes the trapdoor of the keywords and sends it to the server. Finally, the server tests and looks for searchable ciphertexts which correspond to the trapdoor, but it cannot get any significant information from the results of the search or the trapdoor.


Related work The first notion, proposed by Song et al. [9], allows the user to set up an individual trapdoor to search encrypted data. Song et al.’s scheme is based on the hash function, and they presented the security requirements. Since then, many searchable encryption schemes have become more powerful, using fields as tags to achieve multi-keyword search [6–8] and improve efficiency. Moreover, searchable public key encryption schemes [10–15] are practically used in the email system. Plenty of studies have been proposed to discuss security and efficiency [16, 17]. However, most schemes are based on pairing, a kind of complicated computation. Goh [18] proposed an index called Z-index based on the Bloom filter without pairing.

Contributions In this paper, we propose an efficient secure index scheme to realize keyword-searchable encryption that supports keyword search over encrypted data. Because it is pairing-free, our scheme is more applicable to cloud storage. We also give a formal security proof showing that this scheme is semantically secure against the adaptive chosen keyword attack.

The rest of the paper is organized as follows. Preliminaries about the relevant research, and the assumptions, are described in section “Preliminaries”. Then, we briefly review Goh’s scheme [18] in section “Review of Goh’s secure index scheme”. The proposed P-index and its security analysis are presented in section “Position index scheme (P-index)”. Finally, we conclude this paper in section “Conclusions”.

Preliminaries

We will briefly present EMRs, the framework, and the security model of the secure index in sections “Electronic medical record (EMR)”, “Framework of keyword-searchable encryption with secure index” and “Security model of secure index” respectively, and then the hardness assumption is given in section “Hardness assumption”.

Electronic medical record (EMR)

An electronic medical record is a notion providing a system to manage electronic medical or health information for individual patients [19–21]. The EMR is a digital record that can be shared across different health care settings. With networks, different hospitals can conveniently access the EMRs if needed. In addition, the EMRs are designed to replace paperwork records. In practice, EHRs include a range of patient data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics like age and weight, and billing information.

The system is a centralized system, developed to deal with the state of the patient at all times [22]. It eliminates data replication since there is only one modifiable file in the storage server. Because all the patient information is stored in a single file, extracting and accessing medical data are quite effective and efficient for the examination of possible trends and long term changes. The well known standard of EMRs is HL7. For security purposes, we would like the EMRs to be accessed by the eligible doctors or hospitals. Therefore privacy becomes an important issue in the EMRs [23]. In this paper, we consider this issue and propose a privacy preserving index for EMRs based on keyword-searchable encryption. In the proposed scheme, the eligible party is able to access EMRs securely.

Framework of keyword-searchable encryption with secure index

In a keyword-searchable encryption scheme, an encrypted document with secure index must follow the format $[E_K(M), id, I_{id}]$, where $E$ is a secure symmetric encryption¹, $K$ is the key, $M$ is the plaintext of the document, the identity of the document is denoted by $id$, and $I_{id}$ is the secure index. Here, $M$ could be the EMR.

¹ $E$ is outside the scope of discussing keyword-searchable encryption. It is assumed to be a secure encryption algorithm. For more details, we can refer to [12, 18].

Definition 1 A searchable encryption scheme with secure index consists of the following polynomial algorithms:

– KeyGen. This algorithm sets the public parameters and the user’s key.

– Trapdoor. This algorithm, run by the user, takes the keyword $w$ and key $K$ as input, then returns the trapdoor $T$ which is used to search.

– BuildIndex. This algorithm, run by the user, takes the keyword $w$, the identity of the document $D_{id}$ and key $K$ as input, then returns the secure index $I_{id}$.

– SearchIndex. The server performs this algorithm, taking the trapdoor $T$ and secure index $I_{id}$ as input. Finally, it outputs 1 if it finds $I_{id}$ corresponding to $T$; otherwise, it outputs 0.

Security model of secure index

To prove the security, we have to consider the possible behaviors of the adversary. Usually, we adopt the security game to simulate the adaptive chosen keyword attack [18]. Formally, there are two roles in the game: one is the adversary $A$, and the other is the challenger $C$. $C$ must reply to $A$’s queries, and finally will use $A$’s output to break a hard problem.

The interaction between $A$ and $C$ is modelled by the following game:

1. $A$ adaptively queries the trapdoor and secure index of keywords $W = [w_1, \dots, w_m]$ with the corresponding identity of the document.

2. When $A$ wants to challenge, it generates a set $W' = [w'_1, \dots, w'_m]$ and a keyword pair $(w_0, w_1)$ and sends them to $C$, where $w_0, w_1 \notin W'$, and neither of them has been queried for the trapdoor.

3. $C$ randomly chooses $b \leftarrow \{0, 1\}$ and takes the keyword $w_b$ into the document $W'$. Finally, $C$ generates the index of keywords $W' + \{w_b\}$, and then returns $I_b$ to $A$.

4. $A$ can keep on querying the index and trapdoor, with the restriction that $A$ cannot ask for the keywords $w_0, w_1$.

5. Eventually, $A$ outputs a value $b'$.

We define that $A$ wins this game if and only if $b = b'$, while the adversary $A$ has an $\varepsilon$-advantage to win such that the advantage is $\mathrm{Adv}_A(1^k) = |\Pr[b_A = b] - 1/2| > \varepsilon$. Therefore, the secure index is said to be indistinguishable against the adaptive chosen keyword attack (IND-CKA) if $\varepsilon$ is negligible.

Hardness assumption

There are a few hardness assumptions, described as follows. They are used to prove the security of our secure index in this paper.

Pseudorandom generator

A pseudorandom generator is a random-looking one-way function, and it is applied in stream ciphers. $G : \{0, 1\}^n \longrightarrow \{0, 1\}^*$ is an $\varepsilon_g$-pseudorandom-generator if it has the following properties:

(1) $G$ is a deterministic algorithm that can be computed efficiently: on input $s \in \{0, 1\}^n$, it outputs $G(s) \in \{0, 1\}^*$.

(2) There exists an algorithm $A$ that queries the function $G$ at most $t$ times. If $A$ guesses that $G$ is a pseudorandom generator function, it outputs 1; otherwise, it outputs 0. $A$’s advantage is denoted by

$$\left| \Pr\left[A^{G(s)} = 1\right] - \Pr\left[A^{R} = 1\right] \right| < \varepsilon_g$$

where $R$ is a real random generator.

Pseudorandom function

A pseudorandom function is a random-looking one-way function, i.e. given the input and output pairs $(x_1, f(x_1, k)), (x_2, f(x_2, k)), \dots, (x_m, f(x_m, k))$, no adversary can predict $f(x_{m+1}, k)$ from $x_{m+1}$. $f : \{0, 1\}^n \times \{0, 1\}^s \longrightarrow \{0, 1\}^p$ is an $\varepsilon_f$-pseudorandom-function if it has the following properties:

(1) $f(x, k)$, denoted $f_k(x)$, can be efficiently computed and takes $x \in \{0, 1\}^n$ and key $k \in \{0, 1\}^s$ as input.

(2) There exists an algorithm $A$ that queries the function $f$ at most $t$ times. If $A$ guesses that $f$ is a pseudorandom function, it outputs 1; otherwise, it outputs 0. $A$’s advantage is denoted by

$$\left| \Pr\left[A^{f(\cdot,k)} = 1\right] - \Pr\left[A^{g} = 1\right] \right| < \varepsilon_f$$

where $g$ is a random function.

Pseudorandom permutation function

A pseudorandom permutation function is a 1-to-1, random-looking one-way function, which is collision resistant. $\Pi : \{0, 1\}^u \times \{0, 1\}^s \longrightarrow \{0, 1\}^u$ is an $\varepsilon_p$-pseudorandom-permutation if it has the following properties:

(1) $\Pi(x, k)$, denoted $\Pi_k(x)$, can be efficiently computed and takes $x \in \{0, 1\}^u$ and key $k \in \{0, 1\}^s$ as input.

(2) There exists an algorithm $A$ that queries the function $\Pi$ at most $t$ times. If $A$ guesses that $\Pi$ is a pseudorandom permutation function, it outputs 1; otherwise, it outputs 0. $A$’s advantage is denoted by

$$\left| \Pr\left[A^{\Pi(\cdot,k)} = 1\right] - \Pr\left[A^{E(\cdot)} = 1\right] \right| < \varepsilon_p$$

where $E$ is a random permutation function.

Review of Goh’s secure index scheme

Goh’s Z-index scheme is composed of the following algorithms:

– KeyGen($l, t$): Given the security parameter $l$ and a number $t$, it generates a pseudorandom function $f : \{0, 1\}^k \times \{0, 1\}^* \to \{0, 1\}^p$ and $t$ independent hash functions $h_i : \{0, 1\}^* \to \mathbb{Z}^*_{m-1}$ for all $i$, $1 \le i \le t$. Finally, it returns the user’s key $K_{priv}$.

– Trapdoor($w, K_{priv}$): This algorithm takes the keyword $w$ and key set $K_{priv} = [k_1, \dots, k_t]$ as input, then computes the trapdoor $T = [x_1, \dots, x_t]$ and delivers it to the server, where $x_i = f_{k_i}(w)$ for all $i$, $1 \le i \le t$.

– BuildIndex($W, K_{priv}$): This algorithm takes the keyword set $W = [w_1, \dots, w_n]$ and key $K_{priv} = [k_1, \dots, k_t]$ as input, where $n$ is the number of keywords. It builds the index as follows:

(1) For each keyword $w_i$, $1 \le i \le n$, as input, this algorithm first performs Trapdoor($w_i, K_{priv}$) to obtain the trapdoor $T_i = (x_1 = f_{k_1}(w_i), \dots, x_t = f_{k_t}(w_i))$.

(2) It takes $x_1, \dots, x_t$ and the identity of the document $id$ as input for the pseudorandom function to generate the codeword $y_1 = f_{id}(x_1), \dots, y_t = f_{id}(x_t)$.

(3) It takes the codeword $y_1, \dots, y_t$ as input for the hash functions $h_1, \dots, h_t$ to get $h_1(y_1), \dots, h_t(y_t)$.

(4) Given an array $d$ in which all bits are initially ‘0’, it sets, as in a Bloom filter [24], the corresponding positions $h_1(y_1), \dots, h_t(y_t)$ in array $d$ to ‘1’, for a total of $(n \cdot t)$ hash values. Building the secure index $I_{id}$ is completed as in Fig. 1.

– SearchIndex($I_{id}, T$): The server receives the trapdoor $T$, and then this algorithm works as follows:

(1) This algorithm takes $T$ and the identity of the document $id$ as input to compute the codeword $y_1 = f_{id}(x_1), \dots, y_t = f_{id}(x_t)$.

(2) It takes $y_1 = f_{id}(x_1), \dots, y_t = f_{id}(x_t)$ as input to obtain the hash values $h_1(y_1), \dots, h_t(y_t)$. It then checks the $t$ positions in the array $s$ given by these $t$ values. If all $t$ positions are 1, the keyword $w$ is in the document with identity $id$. The server returns the corresponding encrypted document to the user.

The Z-index scheme has the following advantages. The time complexity of search for each document is $O(1)$ via the hash functions. Using the identity of the document to compute the codeword causes one keyword in different documents to map to different values. Indices and encrypted documents are independent, which supports any secure symmetric encryption for documents. However, the Z-index also has some disadvantages. Using a Bloom filter brings the collision problem, which incurs false positives, i.e. a keyword $s_j$ is not in the set $S$, but checking $s_j$ with the Bloom filter reports that it is in $S$, as shown in Fig. 2. In Goh’s Z-index, the size of the Bloom filter in array $d$ is $m$ bits and the false positive rate is $(1/2)^r$; the relation is $m = n' \cdot r / \ln 2$, where $n'$ is the total number of all keywords in all the documents. $n'$ makes the index space become very large for frequent uploading of new indices, since the Bloom filter must provide sufficient space such as $(n' \cdot t)$ to resist the collision.

Fig. 1 Goh’s secure index

Fig. 2 An example of false positive in Goh’s scheme
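The review above as a small runnable model (an added example, not code from the paper or from Goh). HMAC-SHA256 stands in for the pseudorandom function f and SHA-256 with an index prefix for the hash functions h_i; the function names, the seed and the keyword strings are constructed for illustration. It takes t = r hash functions, the optimum for a filter of m = n'·r/ln 2 bits, and measures the false positive rate for that size and for an undersized filter.

```python
import hashlib
import hmac
import math

def f(key: bytes, msg: bytes) -> bytes:
    """Pseudorandom function f_key(msg); HMAC-SHA256 is this example's choice."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def h(i: int, y: bytes, m: int) -> int:
    """Hash function h_i: maps a codeword to one of the m bit positions."""
    return int.from_bytes(hashlib.sha256(bytes([i]) + y).digest(), "big") % m

def keygen(t: int, seed: bytes) -> list:
    """K_priv = [k_1, ..., k_t]. Derived from a fixed seed only to make the
    demo repeatable; real keys must come from a CSPRNG."""
    return [f(seed, b"k%d" % i) for i in range(t)]

def trapdoor(word: str, k_priv: list) -> list:
    """T = [x_1, ..., x_t] with x_i = f_{k_i}(w); computed by the user."""
    return [f(k, word.encode()) for k in k_priv]

def positions(doc_id: bytes, trap: list, m: int) -> list:
    """Codewords y_i = f_id(x_i), then bit positions h_i(y_i).
    The server can do this alone: it needs only T and the public id."""
    return [h(i, f(doc_id, x), m) for i, x in enumerate(trap)]

def build_index(doc_id: bytes, words, k_priv: list, m: int) -> bytearray:
    """BuildIndex: set the t positions of every keyword in the m-bit array d."""
    d = bytearray(m)  # one byte per bit, for readability
    for w in words:
        for pos in positions(doc_id, trapdoor(w, k_priv), m):
            d[pos] = 1
    return d

def search_index(doc_id: bytes, d: bytearray, trap: list) -> bool:
    """SearchIndex: report a match only if all t positions are set."""
    return all(d[p] for p in positions(doc_id, trap, len(d)))

def bloom_size(n_total: int, r: int) -> int:
    """m = n' * r / ln 2 bits for a false positive rate of (1/2)^r."""
    return math.ceil(n_total * r / math.log(2))

def false_positive_rate(m: int, t: int, n_total: int = 200, probes: int = 2000) -> float:
    """Index n_total constructed keywords, then search for absent ones."""
    k_priv = keygen(t, b"constructed demo seed")
    doc_id = b"emr-0001"  # constructed document identity
    present = ["kw-%d" % i for i in range(n_total)]
    d = build_index(doc_id, present, k_priv, m)
    # A Bloom filter never misses a keyword that was inserted.
    assert all(search_index(doc_id, d, trapdoor(w, k_priv)) for w in present)
    hits = sum(search_index(doc_id, d, trapdoor("absent-%d" % i, k_priv))
               for i in range(probes))
    return hits / probes

if __name__ == "__main__":
    r = 10
    m = bloom_size(200, r)
    print("sized filter:", m, "bits, measured FP rate", false_positive_rate(m, r))
    print("undersized (400 bits): measured FP rate", false_positive_rate(400, r))
```

Because the codeword is keyed by the document identity, the same trapdoor lands on different bit positions in different documents, so set bits cannot be correlated across indices.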

Position index scheme (P-index)

In this section, we propose an efficient secure index scheme named position index (P-index, for short); moreover, we also give the security analysis of P-index.

A new construction

The proposed P-index scheme is a new construction composed of four algorithms as before.

– KeyGen($1^l$): This algorithm takes the security parameter $1^l$ to generate the secret key $k \in \{0, 1\}^l$ for the user. It decides $\Pi$, $G$, and $h$, where $\Pi : \{0, 1\}^l \times \{0, 1\}^* \to \{0, 1\}^r$ is the pseudorandom permutation function, $G : \{0, 1\}^r \to \{0, 1\}^*$ is the pseudorandom generator, and $h : \{0, 1\}^* \to \{0, 1\}^{\lg n}$ is the hash function.

– Trapdoor($w, k$): Taking the keyword $w$ and the user’s secret key $k$ as input, the algorithm outputs the trapdoor $T_w$ where $T_w = \Pi_k(w)$.

– BuildIndex($id, W, k$): Given the identity of the document $id$, the keyword set $W = \{w_1, \dots, w_n\}$, and the secret key $k$, the algorithm generates the index $I_{id}$ via the following steps (Fig. 3 shows an example of P-index):

(1) The algorithm takes each keyword $w_i$ from the set $W$ to get the trapdoors $T_1, \dots, T_n$ where $T_i = \Pi_k(w_i)$.

(2) It takes $id$ and $T_1, \dots, T_n$ as input, and then computes $x_i = \Pi_{id}(T_i)$ and $key_i = \langle D_i, S_{i,1}, S_{i,2} \rangle$ for all $i$, $1 \le i \le n$, where $D_i, S_{i,1}, S_{i,2} \in \{0, 1\}^r$ are generated by $G(T_i \oplus id)$. It returns $x_1, \dots, x_n$ and $key_1, \dots, key_n$ as the codewords.

(3) It builds an array $d$ with $n$ elements and an array $s$ with $2n$ elements, where the length of an element is $r$ bits. It sets $y_1, \dots, y_n$ where $y_i = h(x_i)$ as a pointer, and randomly and uniformly chooses two positions $p_{i,1}, p_{i,2}$ of the array $s$. Therefore, the hash functions $h$ must be different in different indices, because of different numbers for different keywords. It finally computes $p_{i,1} \oplus D_i$ and inserts it into the $y_i$th position of the array $d$, inserts $p_{i,2} \oplus S_{i,1}$ into the $p_{i,1}$th position of the array $s$, and inserts $p_{i,1} \oplus S_{i,2}$ into the $p_{i,2}$th position of the array $s$.

(4) When a collision occurs in the $y_i$th position of the array $d$, a pointer linked list is used to resolve the collision. Fig. 3 gives an example of a collision in which three different $x_i$ map to the same $y'$. Eventually, this algorithm returns an index $I_{id} = \langle s, d, id, h \rangle$.

Fig. 3 An example of the proposed scheme

– SearchIndex($T_w, I_{id}$): This algorithm, run by the server, takes the trapdoor $T_w$ to search the corresponding document via the P-index $I_{id}$ and works as follows:

(1) It takes $T_w$ to generate the codeword $x = \Pi_{id}(T_w)$ and $key = G(id \oplus T_w) = \langle D, S_1, S_2 \rangle$.

(2) It computes $y = h(x)$ and points to the $y$th position of the array $s$.

(3) If the value in the $y$th position is empty, the algorithm outputs 0. Otherwise, it checks all values on the chain in the $y$th position.

(4) The algorithm first gets $p'_{i,1}$ by decrypting $(p'_{i,1} \oplus D_i)$ from the $y$th position of the array $d$. It then gets $p'_{i,2}$ by decrypting $(p'_{i,2} \oplus S_{i,1})$ from the $p'_{i,1}$th position of the array $s$.

(5) Finally, it can get $p''$ by decrypting $(p'' \oplus S_{i,2})$ from the $p'_{i,2}$th position of the array $s$. If $p'' = p'_{i,1}$, it outputs 1, in which case the server returns the corresponding encrypted documents to the user; otherwise, it outputs 0.

Correctness proof.

$p_{i,1} = (p'_{i,1} \oplus D_i) \oplus D_i$, in the $y$th position of Array $d$.

$p_{i,2} = (p'_{i,2} \oplus S_{i,1}) \oplus S_{i,1}$, in the $p_{i,1}$th position of Array $s$.

$p_{i,1} = (p'_{i,1} \oplus S_{i,2}) \oplus S_{i,2}$, in the $p_{i,2}$th position of Array $s$.

According to Fig. 3, we give an example. Assume that $key_1$ is $\langle D_{1,1}, S_{1,1}, S_{1,2} \rangle$, and $y' = h(\Pi_{id}(T_w))$. Firstly, we check the $y'$th position of Array $d$ to get $p_{1,1}$. Secondly, we check the $p_{1,1}$th position of Array $s$ to get $p_{1,2}$. Finally, we get $p''$ from the $p_{1,2}$th position with the key $S_{1,2}$, and we accept the trapdoor if $p'' = p_{1,1}$.
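BuildIndex and SearchIndex as described above, written out as an added Python example; it is not the authors' implementation. Assumptions: r = 128 bits; HMAC-SHA256 truncated to r bits stands in for Π (a PRF rather than a true permutation), SHAKE-256 for G, and SHA-256 modulo n for h; `doc_identity` and all other names are hypothetical. The search reads the chain from array d, as step (4) and the worked example do.

```python
import hashlib
import hmac
import secrets

R_BYTES = 16  # element length r = 128 bits (value assumed for this example)

def prp(key: bytes, msg: bytes) -> bytes:
    """Stand-in for Pi_key(msg): HMAC-SHA256 truncated to r bits.
    This is a PRF rather than a true permutation (assumption of the example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:R_BYTES]

def masks(t: bytes, doc_id: bytes) -> tuple:
    """G(T xor id) -> <D, S1, S2>: three r-bit masks; SHAKE-256 plays G."""
    if len(t) != R_BYTES or len(doc_id) != R_BYTES:
        raise ValueError("trapdoor and id must both be r bits long")
    seed = bytes(a ^ b for a, b in zip(t, doc_id))
    out = hashlib.shake_256(seed).digest(3 * R_BYTES)
    return tuple(int.from_bytes(out[i:i + R_BYTES], "big")
                 for i in range(0, 3 * R_BYTES, R_BYTES))

def bucket(x: bytes, n: int) -> int:
    """h(x): pointer y into array d, which has n positions."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n

def doc_identity(name: str) -> bytes:
    """Hypothetical helper: fixed-length r-bit id so that T xor id is defined."""
    return hashlib.sha256(name.encode()).digest()[:R_BYTES]

def trapdoor(word: str, k: bytes) -> bytes:
    """Trapdoor(w, k): T_w = Pi_k(w), computed by the user."""
    return prp(k, word.encode())

def build_index(doc_id: bytes, words, k: bytes) -> dict:
    """BuildIndex(id, W, k): returns I_id with arrays d (n chains) and s (2n cells)."""
    words = sorted(set(words))
    n = len(words)
    d = [[] for _ in range(n)]          # step (4): each position holds a chain
    s = [0] * (2 * n)
    free = list(range(2 * n))           # step (3): random positions p_i1, p_i2
    secrets.SystemRandom().shuffle(free)
    for i, w in enumerate(words):
        t = trapdoor(w, k)                          # step (1)
        x = prp(doc_id, t)                          # step (2): codeword x_i
        D, S1, S2 = masks(t, doc_id)                # step (2): key_i
        p1, p2 = free[2 * i], free[2 * i + 1]
        d[bucket(x, n)].append(p1 ^ D)              # d[y_i]  <- p_i1 xor D_i
        s[p1] = p2 ^ S1                             # s[p_i1] <- p_i2 xor S_i1
        s[p2] = p1 ^ S2                             # s[p_i2] <- p_i1 xor S_i2
    return {"id": doc_id, "d": d, "s": s}

def search_index(t: bytes, index: dict) -> bool:
    """SearchIndex(T_w, I_id): run by the server, which never sees w or k."""
    doc_id, d, s = index["id"], index["d"], index["s"]
    D, S1, S2 = masks(t, doc_id)        # also rejects malformed trapdoors
    if not d:
        return False                    # empty index: nothing can match
    x = prp(doc_id, t)
    for cell in d[bucket(x, len(d))]:   # walk the chain at position y
        p1 = cell ^ D
        if p1 >= len(s):
            continue                    # wrong mask gives an out-of-range pointer
        p2 = s[p1] ^ S1
        if p2 >= len(s):
            continue
        if s[p2] ^ S2 == p1:            # the chain closes: p'' == p'_1
            return True
    return False

if __name__ == "__main__":
    k = secrets.token_bytes(16)
    idx = build_index(doc_identity("emr-0001"),
                      ["diabetes", "insulin", "allergy:penicillin"], k)
    for word in ("insulin", "asthma"):
        print(word, search_index(trapdoor(word, k), idx))
```

A cell unmasked with the wrong D yields an essentially random r-bit value, so the bounds checks in `search_index` are what reject other keywords that share the same chain.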

Security analysis

The security game has been described in section “Security model of secure index”, and the adversary’s behavior is modelled by this game.

Definition 2 An index is an $\varepsilon$-IND-CKA index, i.e. it is semantically secure against the adaptive chosen keyword attack in the random oracle model, if and only if the advantage of adversary $A$ is $\mathrm{Adv}_A = |\Pr[b = b'] - 1/2| < \varepsilon$. $A$’s goal is to guess which of the keywords $w_0, w_1$ is in the set $W' + \{w_b\}$.

Theorem 1 P-index is an $\varepsilon_p$-IND-CKA index assuming the pseudorandom permutation function $\Pi$ is an $\varepsilon_p$-pseudorandom-permutation.

Proof First we suppose that P-index is not an $\varepsilon_p$-IND-CKA index. There exists an adversary $A$ that has a non-negligible advantage $\varepsilon$ to win the security game. We construct an algorithm $C$ that breaks the pseudorandom permutation function $\Pi$.

$C$ acts as a challenger and answers $A$’s queries. $C$ simulates P-index by asking the oracle $O_F$ as a random oracle. When the game finishes, $C$ will use $A$’s answer to guess whether $F$ is a pseudorandom permutation function. $A$ and $C$ interact as follows:

Index & Trapdoor-queries. $A$ produces a set $W$, and queries $C$ for the corresponding index $I_W$. $C$ maintains an $O_F$-list to store the queries, and it relies on the $O_F$-list to return BuildIndex and Trapdoor for $A$’s queries. If the keyword does not exist in the $O_F$-list, $O_F$ will set a random value for this query and save it into the $O_F$-list; otherwise, $O_F$ returns the same value as before, following the $O_F$-list.

Challenge. After several queries, $A$ generates a challenge, including a keyword set $W'$, and selects a keyword pair $(w_0, w_1)$, where $w_0, w_1 \notin W'$ have never been asked for Trapdoor by $A$. The challenger $C$ randomly chooses $b \in \{0, 1\}$ and obtains a set $W' + \{w_b\}$, then computes the index $I_{W' + \{w_b\}}$. Finally, $C$ sends $I_{W' + \{w_b\}}$ to $A$.

More queries. $A$ can keep on asking BuildIndex and Trapdoor queries for keywords $w_i$, with the restriction that $w_i \neq w_0, w_1$.

Output. Eventually, $A$ outputs a bit $b'$. When $b = b'$, $C$ outputs 1 to denote that $C$ guesses $F$ is a pseudorandom permutation function; otherwise, it outputs 0.

$C$’s output is based on $A$’s answer. When $F$ is a pseudorandom permutation function ($\Pi$, $PRP$), the environment of $C$’s simulation is correct. That is to say,

$$\mathrm{Adv}_A = \left| \Pr[b = b'] - \frac{1}{2} \right| = \left| \Pr[b = b' \mid \Pi : PRP] - \frac{1}{2} \right| = \left| \Pr\left[C^{\Pi_k(\cdot)} = 1 \mid \Pi : PRP\right] - \frac{1}{2} \right| \ge \varepsilon_p \quad (1)$$

If $F$ is a real random permutation function ($E$, $RP$), the trapdoor of $w_0, w_1$ cannot be guessed, since the trapdoor from $F$ is truly random. $A$ also cannot base its analysis on the trapdoor or the index, thus algorithm $A$ guesses $b = b'$ with probability 1/2 as follows:

$$\Pr[A \mid \text{win}] = \left| \Pr[b = b' \mid E : RP] \right| = \left| \Pr\left[C^{\Pi_k(\cdot)} = 1 \mid \Pi : RP\right] \right| = 1/2 \quad (2)$$

Because of (1) and (2), the advantage of $C$ is

$$\mathrm{Adv}_C = \left| \Pr\left[C^{\Pi_k(\cdot)} = 1 \mid \Pi : PRP\right] - \Pr\left[C^{E(\cdot)} = 1 \mid E : RP\right] \right| = \left| \Pr\left[C^{\Pi_k(\cdot)} = 1 \mid \Pi : PRP\right] - \frac{1}{2} \right| \ge \varepsilon_p \quad (3)$$

With the above results, we show that if the pseudorandom permutation function $\Pi$ is an $\varepsilon_p$-pseudorandom permutation, P-index is an $\varepsilon_p$-IND-CKA index. That is, the proof of Theorem 1 is complete, and P-index will be an IND-CKA index if and only if P-index uses a secure function to build the trapdoor.

Comparisons

Now we compare our scheme to Goh’s [18] in terms of space cost and false positive in Table 1. We list the following notation for comparisons.

Notation:

n: number of keywords in the document
n′: total number of keywords in all documents
t: number of hash functions in Bloom filter
r: length of an element of array s

Table 1 Comparison of space and other attributes with Goh’s and the proposed scheme

| | Goh’s Z-IDX [18] | P-Index |
|---|---|---|
| Search time | $O(1)$ | $O(1)$ |
| Index space cost | $O(n't)$ | $O(nr)$ |
| False positive | $O((1/2)^t)$ | $O((1/2)^{3r})$ |

Since $n' \ge n$, P-index uses more extra space to meet a lower false positive rate; however, in the worst case, the space cost is $4nr$ bits in total. Building a Bloom filter in Z-index requires predicting the number of all keywords, so the space cost of Z-index is $n't$ bits. Our scheme is flexible in space. Moreover, it does not adopt the bilinear pairing, which is a complicated computation, and thus it is more efficient than some schemes [11–15].

Conclusions

In this paper, we have proposed a new secure index scheme for keyword search over encrypted EMRs, referred to as P-index. The main properties of P-index are flexible space and lower false positive on secure channel, and P-index maintains efficient searching, which would be suitable for mobile devices or other machines with lower computational power. The proposed P-index is semantically secure against the adaptive chosen keyword attack in the random oracle model assuming that the pseudorandom permutation function is intractable to break.

Acknowledgement

The research work was partially supported by the National Science Council of the Republic of China (Project Nos. NSC-96-2628-E-005-076-MY3 and NSC-100-2221-E-468-014).

References

1. Fan, C. I., Huang, S. Y., Controllable privacy preserving search based on symmetric predicate encryption in cloud storage. Futur. Gener. Comput. Syst. 2012 (in Press). doi:10.1016/j.future.2012.05.005.

2. Kaufman, L. M., Data security in the world of cloud computing. IEEE Secur. Priv. 7:61–64, 2009.

3. Subashini, S., Kavitha, V., A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34:1–11, 2011.

4. Wang, Q., Wang, C., Ren, K., Lou, W., Li, J., Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Trans. Parallel Distrib. Syst. 22:847–859, 2011.

5. Byun, J., and Lee, D., On a security model of conjunctive keyword search over encrypted relational database. J. Syst. Softw. 84:1364–1372, 2011.

6. Byun, J., Lee, D., Lim, J., Efficient conjunctive keyword search on encrypted data storage system. In: Proceedings of EuroPKI 2006, LNCS. Vol. 4043. pp. 184–196, 2006.

7. Golle, P., Staddon, J., Waters, B., Secure conjunctive keyword search over encrypted data. In: Proceedings of Applied Cryptography and Network Security Conference, LNCS. Vol. 3089, pp. 31–45, 2004.

8. Jeong, I. R., and Kwon, J. O., Analysis of some keyword search schemes in encrypted data. IEEE Commun. Lett. 12:213–215, 2008.

9. Song, D., Wagner, D., Perrig, A., Practical techniques for searches on encrypted data. In: Proceedings of 2000 IEEE Symposium on Security and Privacy, pp. 44–55, 2000.

10. Abdalla, M. et al., Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21:350–391, 2008.

11. Baek, J., Safavi-Naini, R., Susilo, W., A Public key encryption with keyword search revisited. In: Proceedings of ICCSA 2008, LNCS. Vol. 5072. pp. 1249–1259, 2008.

12. Boneh, D., Crescenzo, G. D., Ostrovsky, R., Persiano, G., Public key encryption with keyword search. In: Proceedings of EUROCRYPTO’04, LNCS. Vol. 3027. pp. 506–552, 2004.

13. Park, D. J., Kim, K., Lee, P. J., Public key encryption with conjunctive field keyword search. In: Proceedings of Information Security Applications 2004, LNCS. Vol. 3325. pp. 73–86, 2004.

14. Rhee, H. S., Park, J. H., Susilo, W., Lee, D. H., Trapdoor security in a searchable public-key encryption scheme with a designated tester. J. Syst. Softw. 83:763–771, 2010.

15. Zhang, B., and Zhang, F., An efficient public key encryption with conjunctive-subset keywords search. J. Netw. Comput. Appl. 34:262–267, 2011.

16. Bellare, M., Boldyreva, A., O’Neill, A., Deterministic and efficiently searchable encryption. In: Proceedings of CRYPTO’07, LNCS. Vol. 4622. pp. 535–552, 2007.

17. Brinkman, R., Schoenmakers, B., Doumen, J. M., Jonker, W., Experiments with queries over encrypted data using secret sharing. In: Proceedings of Secure Data Management, LNCS. Vol. 3674. pp. 33–46, 2005.

18. Goh, E. J., Secure Indexes. The Cryptology ePrint Archive, Report 2003/216. 2004. http://eprint.iacr.org/2003/216.pdf.

19. Archer, N., and Cocosila, M., A comparison of physician pre-adoption and adoption views on electronic health records in Canadian medical practices. J. Med. Internet Res. 13:3, 2011.

20. Gunter, T. D., and Nicolas, T. P., The emergence of national electronic health record architectures in the United States and Australia: Models, costs, and questions. J. Med. Internet Res. 7:1, 2005.

21. Garcia-Smith, D., and Effken, J. A., Development and initial evaluation of the clinical information systems success model (CISSM). Int. J. Med. Inform. 82:539–552, 2013.

22. Li, J. S., Zhang, X. G., Chu, J., Suzuki, M., Araki, K., Design and development of EMR supporting medical process management. J. Med. Syst. 36:1193–1203, 2012.

23. Benaloh, J., Chase, M., Horvitz, E., Lauter, K., Patient controlled encryption: ensuring privacy of electronic medical records, Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW ’09). pp. 103–114, 2009.

24. Bloom, B. H., Space/Time trade-offs in hash coding with allowable errors. Commun. ACM 13:422–426, 1970.