A privilege-constrained sanitizable signature scheme for e-health systems

Electronic health record (EHR) sharing schemes are widely used in healthcare, medical, and research. However, privacy may be a concern for patients with EHRs. In this paper, a secure EHR sharing scheme with sanitizable signature is proposed to protect patients’ privacy and enhance accountability. Our proposed scheme makes the following contributions: (1) doctors can specify patients to modify some fields before the expiration time; (2) patients can convert the original signature into a new and unlinkable signature for the modified record without interacting with the doctor; (3) the scheme satisfies traceability and can distinguish the generator of a given signature. In contrast to existing approaches, we introduce a new limited sanitizable signature scheme as the main ingredient, which allows the signer not only to decide which message blocks can be modified, but also to determine the maximum number of modifiable blocks and the expiration time for sanitization. Finally, the security analysis and experimental results show that the security and efficiency of our scheme can be approved. [Display omitted] •A secure EHR sharing scheme with sanitizable signature.•A sanitizable signature with time-bound and block-limit.•Sanitizer can only execute sanitization before the expiration time.•Signer and sanitizer independently prove which party generated the message/signature pair.•Distinguishability of generators for the sanitized signatures.•Unlinkability and traceability.