1 Introduction

Medical records store patients’ medical histories; therefore, medical record management is one of the most important systems in a hospital. Advances in information technology and environmental concerns are motivating a transition from paper-based medical records to electronic medical records (EMRs). EMRs are expected to bring a wide range of advantages to healthcare providers. To increase the usage of EMRs, many studies have been conducted [6, 7, 19, 20, 22].

The digitisation of medical records raises the issue of security. In 1998, Toyoda [25] mentioned that “ensuring the authenticity of the record” is one of the essential legal and administrative requirements of implementing EMR systems. HIPAA was enacted by the U.S. Congress in 1996 [26]. According to this Act, the digital signature cryptographic method is important to ensure the integrity and authenticity of EMRs. The Taiwanese Electronic Medical Record Produce and Management Act was passed by the Legislative Yuan of the Republic of China in 2005. It also mandated that all EMRs be electronically signed by the doctors who composed them.

There is no doubt that digital signatures [28] are a good way to ensure the integrity and authenticity of EMRs, and they are used together with smartcards [10, 12] in healthcare systems.

However, the current most frequently used digital signature scheme, the RSA public key system, suffers from efficiency and key renewing issues when used on EMRs in hospitals.

Consider this scenario: Dr. AAA and Dr. AAB are in the same department of a hospital. Dr. AAA wants to verify the digital signature of a medical record issued by Dr. AAB. According to the RSA algorithm, if Dr. AAA wishes to verify Dr. AAB’s signature, then Dr. AAA has to search the key directory and find Dr. AAB’s corresponding public key. This is because the RSA algorithm does not support the concept of a “group.” On the other hand, if the doctors could share the same group public key in the department, the group public key could be used to verify both Dr. AAA’s and Dr. AAB’s digital signatures. Hence, Dr. AAA would not need to search for Dr. AAB’s public key in the key directory. A group certificate digital signature scheme could be used in EMR systems to increase efficiency and reduce key search time and key directory size.

However, simply enforcing the idea of a group is still not enough to solve the key renewal problem. A forward-secure function is also important for signature schemes. In 2010, Yu et al. [31] mentioned there are three reasons that a private key needs to be revoked and renewed: (1) loss of the private key (medical staff card), (2) expiration of the private key (medical staff card) and (3) retirement of the medical personnel. When any one of these three situations occurs, the EMRs are no longer verifiable. Hence, it is necessary to have a new “forward-secure” key that allows medical staff to retain the trustworthiness of previously signed medical records.

This research aims to develop an efficient forward-secure group certificate digital signature scheme for EMRs in hospitals. In this paper, we propose a “group certificate” signature scheme that supports forward-secure functionality and satisfies four principal requirements: (1) the private key is updatable to solve the key renewal problem; (2) private key lifetime is not predetermined; (3) only one public key certificate is needed in a group; and (4) each user should have a unique private key that can be used for generating individual signatures on behalf of the group.

This new forward-secure group certificate digital signature scheme is based on Shamir’s (t,n) threshold scheme [23] and Schnorr’s digital signature scheme [21] and includes four algorithms: key generation, key update, signing, and verifying. The proposed scheme has the following four advantages that fulfill the abovementioned four principles:

  1. Forward-secure functionality is enabled.

  2. There is no need to predetermine the lifetime of the private key (T).

     Note: If the private key reaches the upper bound of the key lifetime T, then the whole group needs to be rekeyed. To prevent such a problem, the proposed scheme is designed with no need to predetermine private key lifetimes.

  3. One group public key certificate is needed to authenticate the identity of the group and verify the individual digital signature.

  4. Each member within a group holds an individual user private key that can be used to generate individual digital signatures on behalf of the group.

2 Background information

In this section, brief background information on group-oriented, group certificate and forward-secure signature schemes is provided.

2.1 Group-oriented and group certificate signature scheme

In 1994, Harn [8] first proposed a “group-oriented” threshold digital signature scheme. According to Harn, the group-oriented threshold digital signature scheme should satisfy five properties: (1) it is required to have at least t group users to mutually generate group signatures; (2) the group signature size is the same as the individual signature size; (3) the signature verification process is more efficient, because there is only one group public key; (4) the group signature is verifiable by any users who are outside the group; and (5) it is the group members’ responsibility to sign the group signature. In the following years, several group-oriented threshold digital signature schemes were proposed [9, 15, 16, 18, 24, 27, 29, 30].

In Harn’s scheme, the group secret key, SK, is broken into n different shadows, \(SK_1, SK_2, SK_3, \ldots, SK_n\), and these n shadows are distributed to n group members to generate a group signature. The limitation of the group-oriented threshold digital signature schemes is that group members do not hold individual secret keys; therefore, individual group members are not able to generate individual signatures.

In 2004, Chen et al. [5] proposed the “group certificate” authentication scheme. The main difference between Chen et al.’s “group certificate” scheme and Harn’s “group-oriented” scheme is that Chen et al.’s scheme enables each group member to hold a private key, and each group member is capable of generating an individual signature on behalf of the group. However, Chen et al.’s scheme does not support forward-secure functionality.

2.2 Forward-secure signature scheme

In 1999, Anderson [2] noted that the most frequently used digital signature algorithms, such as RSA and DSS, faced a serious security threat: if the private key of the signer is compromised, all signatures issued with the compromised private key are no longer trusted. Anderson proposed the concept of the forward-secure signature scheme. After Anderson presented this concept in 1999, Bellare and Miner [3] proposed the first forward-secure signature scheme. In the following years, several forward-secure digital signature schemes were developed [1, 4, 11, 13, 14, 17].

3 Methods

3.1 Description of the scheme

There is no doubt that there is currently no suitable forward-secure group certificate digital signature scheme that can be used in hospitals to solve the problems mentioned in the Introduction. Therefore, in this section, we create a new forward-secure group certificate digital signature scheme that is suitable for hospital use.

Before the forward-secure group certificate digital signature scheme can be designed, we also need a forward-secure transformation model. In this section, we propose a new forward-secure transformation model and use the transformation model to create the forward-secure group certificate digital signature scheme.

3.2 The transformation model

To prevent the aforementioned shortcomings, we do not fully adopt Krawczyk’s scheme to achieve forward security in our proposed scheme. Instead, we look into the basic principle of forward security and adopt hash chain technology to build a new Forward-Secure Pseudorandom Generator (FSPRG). The FSPRG simply requires a seed (the user ID \(\text{ID}_{i,t-1}\)) to generate a new \(\text{ID}_{i,t}\) for time period t. This \(\text{ID}_{i,t}\) is then input to the key generation process to get an updated private key, \(x_{i,t}\). The algorithm is as follows:

$${\text{FSPRG}} \left( {{\text{ID}}_{i,t - 1} } \right) \to {\text{ID}}_{i,t}$$

New private key at time period t: \(x_{i,t} = f(\text{ID}_{i,t})\).

Hence, the forward-secure functionality is enabled without extra public key certificates, no extra storage is needed at each time period, and the total lifetime of the private key, T, is not predetermined.

3.3 Signature scheme

Our model contains three entities: the key distribution centre (KDC), group users and the verifier. The group header plays the role of a KDC, which is trusted by all users. In this scheme, it is assumed that group users do not have the ability to generate private keys, so the KDC is responsible for generating private keys for all users, and all users share only one public key. When any group user’s private key is compromised, the KDC also helps the specific user to update the compromised private key into a new private key. The proposed scheme is depicted in Fig. 1, which shows a group with 4 group members in which each member owns a private key and there is only one public key, owned by the group header.

Fig. 1 Scheme model (N = 4)

There are four algorithms in the proposed scheme, including the key generation algorithm, the key update algorithm, the signing algorithm and the verifying algorithm.

Notations

p: Prime number

q: Prime number

β: β < p and is a primitive root of p

\(Z_q^*\): Finite field

Y: Group public key

\(x_{i,n}\): User private key

h(): Collision-resistant one-way hash function

FSPRG(): Forward-Secure Pseudorandom Generator

k: Integer

s: Signature value

M: Message

m: Hash value, so m = h(M)

  1. Key generation algorithm

The key generation algorithm is used to generate the group public key (\(Y = \beta^{X} \bmod p\)) and the user private key (\(x_{i,0} = f(\text{ID}_{i,0})\), where i denotes User i). Within a group, when the key generation algorithm is done, each group member will be assigned a user private key, and only one public key is generated for the group.

  2. Key update algorithm

As mentioned before, there are many reasons that a key holder requires a key update, such as key expiration, key leakage, etc. This algorithm is used to update the old key (\(x_{i,t-1} = f(\text{ID}_{i,t-1})\)) into a new key (\(x_{i,t} = f(\text{ID}_{i,t})\)).

  3. Signing algorithm

This algorithm is used to generate the digital signature \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\), where \(\sigma_{i,t}\) represents the signature of the EMRs.

  4. Verifying algorithm

This algorithm checks whether \(\beta^{s_{i,t}}\) is equal to \(Y^{h(m,r_{i,t})} \cdot r_{i,t} \bmod p\). If they are equal, then the digital signature is legitimate.

Because the private keys used in this scheme are not pre-computed, it is not required to predetermine the time period (T), and there is no need to have secure storage to store the valuables. There is only one public key certificate used in this proposed scheme. The most important contribution of this scheme is that each user’s private key is updated individually. This means that if a member of the medical staff accidentally loses his healthcare personnel card, only his private key is renewed. All other private keys used by medical staff in the hospital remain the same.

3.4 Algorithms

  1. Key Generation Algorithm

    1.1 KDC first picks two large primes p and q, such that q | p − 1. |p| and |q| denote the bit lengths of p and q respectively; |p| ≥ 512, |q| ≥ 160.

    1.2 KDC selects β in \(Z_q^*\) as a secret parameter.

    1.3 KDC randomly generates an n−1 degree polynomial

      $$\begin{aligned}f\left( z \right) &= b_{0} + b_{1} z + b_{2} z^{2} + \cdots + b_{n - 1} z^{n - 1} \bmod q,\\&{\text{where}}\quad b_{j} \in Z_{q } \quad {\text{for}} \quad j = 1, \ldots , n - 1\end{aligned}$$

    1.4 KDC generates

      (i) Group public key: \(Y = \beta^{X} \bmod p\), where \(X = b_{0}\)

      (ii) User i private key: \(x_{i,0} = f(\text{ID}_{i,0})\) for the initial stage

  2. Key Update Algorithm

    • A Forward-Secure Pseudorandom Generator is used to make the scheme capable of forward-secure function.

      $${\text{FSPRG}} ({\text{ID}}_{i,t - 1} ) \to {\text{ID}}_{i,t}$$

    • New private key at time period t: \(x_{i,t} = f(\text{ID}_{i,t})\)

  3. Signing

    • There is a message M to be signed.

    3.1 m = h(M), where h() denotes a collision-resistant one-way hash function.

    3.2 User i at time t randomly selects an integer \(k_{i,t} \in Z_p^*\)

    3.3 User i computes \(r_{i,t} = \beta^{k_{i,t}} \bmod p\)

    3.4 User i computes

      $$s_{i,t} = x_{i,t} \cdot h\left( {m, r_{i,t} } \right) + k_{i,t} - \left[ {x_{i,t} - b_{0} } \right] \cdot h\left( {m,r_{i,t} } \right) \bmod p$$

    3.5 The signature of message M is \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\)

  4. Verify

    Check whether \(\beta^{s_{i,t}}\) equals \(Y^{{h(m,r_{i,t} )}} \cdot r_{i,t} \bmod p\)

Theorem 1

If the signatory and verifier follow the algorithm above, then the verifier will accept the signature as valid.

Proof

$$\begin{aligned} \beta^{s_{i,t}} \bmod p & = \beta^{x_{i,t} \cdot h\left( m,r_{i,t} \right) + k_{i,t} - \left[ \sum\nolimits_{j = 1}^{n - 1} b_{j} \left( {\text{ID}}_{i,t} \right)^{j} \right] \cdot h\left( m,r_{i,t} \right) \bmod p} \bmod p \\ & = \left. \beta^{\left[ b_{0} + \sum\nolimits_{j = 1}^{n - 1} b_{j} \left( {\text{ID}}_{i,t} \right)^{j} \right] \cdot h\left( m,r_{i,t} \right)} \cdot \beta^{k_{i,t}} \right/ \beta^{\left[ \sum\nolimits_{j = 1}^{n - 1} b_{j} \left( {\text{ID}}_{i,t} \right)^{j} \right] \cdot h\left( m,r_{i,t} \right)} \bmod p \\ & = \left. \beta^{b_{0} h\left( m,r_{i,t} \right)} \cdot \beta^{\left[ \sum\nolimits_{j = 1}^{n - 1} b_{j} \left( {\text{ID}}_{i,t} \right)^{j} \right] \cdot h\left( m,r_{i,t} \right)} \cdot \beta^{k_{i,t}} \right/ \beta^{\left[ \sum\nolimits_{j = 1}^{n - 1} b_{j} \left( {\text{ID}}_{i,t} \right)^{j} \right] \cdot h\left( m,r_{i,t} \right)} \bmod p \\ & = Y^{h\left( m,r_{i,t} \right)} \cdot r_{i,t} \bmod p \\ \end{aligned}$$

Lemma 1

(Reference to William [28])

  • For any integer t

  • If \(g = h^{(p - 1)/q} \bmod p\)

  • Then \(g^{t} \bmod p = g^{t \bmod q } \bmod p\)

Proof

By Fermat’s theorem, because h is relatively prime to p, \(h^{p - 1} \bmod p = 1\).

If we have a nonnegative integer n,

$$\begin{aligned} g^{nq} \bmod p & = \left( {h^{(p - 1)/q} \bmod p} \right)^{nq} \bmod p \\ & = h^{((p - 1)/q) \cdot nq} \bmod p \\ & = h^{\left( {p - 1} \right)n} \bmod p \\ & = \left( {\left( {h^{p - 1} } \right) \bmod p} \right)^{n} \bmod p \\ & = 1^{n} \bmod p = 1 \\ \end{aligned}$$

So, for nonnegative integers n and z, we have

$$\begin{aligned} g^{nq + z} \bmod p & = \left( {g^{nq} g^{z} } \right) \bmod p \\ & = \left( {\left( {g^{nq} \bmod p} \right)\left( {g^{z} \bmod p} \right)} \right)\bmod p \\ & = g^{z} \bmod p \\ \end{aligned}$$

Any nonnegative integer t can be represented uniquely as t = nq + z, where n and z are nonnegative integers and 0 ≤ z < q. So, z = t mod q.
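The four algorithms of Sect. 3.4 and the hash-chain key update of Sect. 3.2, run end to end as an added example (not the authors' implementation). Assumptions of this sketch: toy-sized constructed primes, SHA-256 for both h() and the FSPRG, β built like g in Lemma 1 with exponents reduced mod q, and the bracketed term of step 3.4 issued by the KDC together with the private key.

```python
import hashlib
import secrets

# Constructed toy parameters; the page requires |p| >= 512 and |q| >= 160 bits.
P = 1_000_000_007                # prime p
Q = 500_000_003                  # prime q with q | p - 1 (p - 1 = 2q)
BETA = pow(2, (P - 1) // Q, P)   # built like g in Lemma 1, so BETA^Q mod P == 1


def h(*parts: bytes) -> int:
    """Hash byte strings into Z_q (SHA-256 is this example's choice of h)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(digest.digest(), "big") % Q


def fsprg(id_prev: bytes) -> bytes:
    """One hash-chain step of the key update: ID_{i,t-1} -> ID_{i,t}."""
    return hashlib.sha256(b"FSPRG" + id_prev).digest()


class KDC:
    """Group header: keeps f(z) secret and publishes the single group key Y."""

    def __init__(self, n: int):
        # Coefficients b_0 .. b_{n-1} of f(z); X = b_0.
        self.b = [1 + secrets.randbelow(Q - 1) for _ in range(n)]
        self.Y = pow(BETA, self.b[0], P)

    def issue(self, ident: bytes):
        """Return (x, d) with x = f(ID) mod q and d = [x - b_0] mod q."""
        z = int.from_bytes(ident, "big") % Q
        x = 0
        for coeff in reversed(self.b):      # Horner evaluation of f(z)
            x = (x * z + coeff) % Q
        return x, (x - self.b[0]) % Q


def sign(key, message: bytes):
    x, d = key
    m = hashlib.sha256(message).digest()    # m = h(M)
    k = 1 + secrets.randbelow(Q - 1)
    r = pow(BETA, k, P)
    e = h(m, r.to_bytes(4, "big"))          # h(m, r)
    s = (x * e + k - d * e) % Q             # step 3.4, exponent reduced mod q
    return s, r


def verify(Y: int, message: bytes, signature) -> bool:
    s, r = signature
    if not (0 < r < P and 0 <= s < Q):      # reject out-of-range values
        return False
    e = h(hashlib.sha256(message).digest(), r.to_bytes(4, "big"))
    return pow(BETA, s, P) == pow(Y, e, P) * r % P


def demo() -> dict:
    kdc = KDC(n=4)
    id_t0 = b"93010"                        # sample ID_{i,0}
    key_t0 = kdc.issue(id_t0)
    old_sig = sign(key_t0, b"EMR entry 1")
    id_t1 = fsprg(id_t0)                    # key update for this user only
    key_t1 = kdc.issue(id_t1)
    new_sig = sign(key_t1, b"EMR entry 2")
    peer_sig = sign(kdc.issue(b"93011"), b"EMR entry 3")
    return {
        "old_signature_valid": verify(kdc.Y, b"EMR entry 1", old_sig),
        "new_signature_valid": verify(kdc.Y, b"EMR entry 2", new_sig),
        "peer_signature_valid": verify(kdc.Y, b"EMR entry 3", peer_sig),
        "altered_record_valid": verify(kdc.Y, b"EMR entry 1 (edited)", old_sig),
        "key_changed": key_t0[0] != key_t1[0],
    }


if __name__ == "__main__":
    print(demo())
```

The record signed before the key update still verifies under the unchanged group key Y, while the altered record is rejected.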

4 Results

To show that the proposed scheme is workable, this section provides a scenario showing how the proposed scheme can be used in an EMR system.

4.1 Application scenario on EMR

In this section, a scenario is provided to explain how the proposed scheme works. Figure 2 shows a hierarchical structure, representing the organisational structure of a hospital. On the top of the structure is the hospital administration, which is responsible for administrative issues and manages public and private keys for the entire hospital. In other words, the administration plays the role of a KDC. This structure can be organized into five groups (G1 through G5). Also, Fig. 2 shows the corresponding keys for each group; for example, the members of G1 are hospital administration (Hospital A), Dept. AA, Dept. AB, Dept. AC and Dept. AD. Within G1, each member shares a group certificate (public key certificate), pukA.

Fig. 2 Healthcare system structure

Dept. AA owns a private key, priAA, and a public key certificate, pukAA. Dept. AB owns a private key, priAB, and a public key certificate, pukAB. Dept. AA uses private key priAA to generate signatures and Dept. AB uses private key priAB to generate signatures. These signatures generated by Dept. AA and Dept. AB can be verified by Hospital A’s public key, pukA. In this structure, if RSA public key infrastructure is used, then 26 keys (including public and private keys) are needed. For our proposed scheme to work, only 17 keys are needed. In general, the total keys required is reduced by m + 1, where m is the total number of doctors in the hospital (the leaf nodes in the hierarchical structure). Therefore, our proposed scheme eases the problem of key management in the healthcare system structure.

Let’s return to the scenario mentioned in the introduction. Dr. AAA and Dr. AAB are in the same department, Dept. AA. Dr. AAA wants to verify an EMR composed and signed by Dr. AAB. In the RSA public key infrastructure, Dr. AAA has to search the key directory and find Dr. AAB’s public key. If we assume that the key directory is well sorted and the search algorithm is binary, then the time needed to search Dr. AAB’s public key from the key directory is O(log n), where n is the size of the key directory. In our scheme, Dr. AAA and Dr. AAB are in the same department, and they share the same public key certificate, pukAA, so the search time is not required for Dr. AAA. Hence, our proposed scheme is more efficient than the RSA scheme.

In another scenario, Dr. AAA wants to verify an EMR composed and signed by Dr. ABA. Because Dr. AAA and Dr. ABA are not in the same department, Dr. AAA has to search the public key directory and find the group key (pukAB) belonging to Dept. AB. The public key search time in our scheme is O(log(n − m − 1)), because there are only n − m − 1 public keys in the public key directory. Therefore, our proposed scheme is still more efficient than the RSA scheme.

Also, the proposed scheme has the ability to update private keys, so if Dr. AAA’s private key is lost or expires, Dr. AAA can file an application form to hospital administration and receive an updated private key. With forward-secure ability, although Dr. AAA’s private key is updated, all the signed EMRs with private keys are still verifiable, which means their trustworthiness is maintained.

4.2 Simulated EMR system

In this section, a simulated EMR system is provided to show the proposed scheme can easily be programmed to perform the tasks. For the following, we use the implemented EMR system to simulate the scenario, which is mentioned in Sect. 4.1.

In the initialization step, all private keys and public keys are generated by the key generation tool, which is shown in Fig. 3, and then the private keys are distributed to all doctors in the hospital. Table 1 summarizes the simulated hospital information, and it shows the private key for each doctor in all departments and the public key for each department.

Fig. 3 Key generation tool

Table 1 Simulated hospital information

According to the following results, we have proved that the proposed scheme not only works theoretically but can also be implemented and work in practice.

When doctors receive their own private keys, they can use them to sign electronic records; for example, Fig. 4 shows an electronic record signed by Dr. AAA, and Fig. 5 shows an electronic record signed by Dr. AAB. Because Dr. AAA and Dr. AAB are in the same department, these two EMRs can be verified by the same group public key (G2 Public Key); the result is shown in Figs. 6 and 7.

Fig. 4 Patient record signed by Dr. AAA (ID: 93010)

Fig. 5 Patient record signed by Dr. AAB (ID: 93011)

Fig. 6 Patient record verified by group public key (G2 Public Key)

Fig. 7 Patient record verified by group public key (G2 Public Key)

5 Discussion

In this section, to show that the proposed scheme is more efficient than the currently used RSA scheme, a comparison between the proposed scheme and the RSA scheme is provided in Sect. 5.1. Also, a security analysis is provided in Sect. 5.2 to prove that the proposed scheme is strong enough to withstand well-known attacks.

5.1 Comparisons

In this section, a comparison will show the differences between currently used RSA signatures and our proposed signatures.

We assume there are n members in a group in the same department. If RSA public key infrastructure is used, then n public key certificates are needed, and 2n keys (public/private keys) are required. Also, RSA is not forward-secure. It is assumed that a binary search is used, so the time to search the public key directory is O(log n).

On the other hand, if our scheme is adopted, because our scheme introduces the concept of the group, only one public key certificate is needed, and only n + 1 keys (n private keys and one public key) are necessary. In addition, our scheme is equipped with forward-security function to solve the re-key problem. A group of members share one public key; therefore, there is no need to search the public key directory for the corresponding public key to verify signatures. A summary of the comparisons is shown in Table 2.

Table 2 Comparisons

5.2 Security analysis

An attacker can forge signatures either by finding the signer’s private key x or by finding collisions in the hash function. Finding the signer’s private key is equivalent to solving a discrete logarithm problem, and it is computationally infeasible to find a collision such that h(M) = h(M′). Therefore, both problems are considered difficult.

There are several possible attacks on our proposed scheme. The following shows that the proposed scheme is secure.

5.2.1 Attack 1

An outsider of the group can collect signatures \(\sigma_{i,t} = \left( {s_{i,t} ,r_{i,t} } \right)\) issued by a particular User i at time period 1 to t and use these signatures to derive this User i’s corresponding private key, \(x_{i,t}\).

Cryptanalysis of Attack 1

Given knowledge of the signatures \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\), attackers can compute \(x_{i,t}\) from the equation \(s_{i,t} = x_{i,t} \cdot h\left( {m, r_{i,t} } \right) + k_{i,t} - \left[ {x_{i,t} - b_{0} } \right] \cdot h\left( {m,r_{i,t} } \right) \bmod p\) by first finding \(k_{i,t}\); however, finding \(k_{i,t}\) is a Discrete Logarithm Problem (DLP).

5.2.2 Attack 2

An outsider of the group can collect signatures \(\sigma_{i,t} = \left( {s_{i,t} ,r_{i,t} } \right)\) issued by User i at time period t, where i = 1…n, and use these signatures to derive a particular User i’s corresponding private key, \(x_{i,t}\).

Cryptanalysis of Attack 2

Even with knowledge of the signatures \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\) issued by User i at time period t, where i = 1…n, an outsider who uses these signatures to derive a particular User i’s corresponding private key \(x_{i,t}\) still needs to find \(k_{i,t}\); however, finding \(k_{i,t}\) is a DLP.

5.2.3 Attack 3

An adversary tries to forge a signature \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\) for a given M′ that has been delegated to a particular User i at time period t without knowing \(x_{i,t}\).

Cryptanalysis of Attack 3

In the equation \(s_{i,t} = x_{i,t} \cdot h\left( {m, r_{i,t} } \right) + k_{i,t} - \left[ {x_{i,t} - b_{0} } \right] \cdot h\left( {m,r_{i,t} } \right) \bmod p\), we assume that \(\sigma_{i,t} = (s_{i,t}, r_{i,t})\) is known and that it is difficult to forge a signature over message M′ for a particular User i at time period t. To achieve this attack, the adversary first has to find \(k_{i,t}\); however, this is a DLP. Second, the adversary needs to find a collision that satisfies h(M′) = m; however, it is infeasible to find M′ due to the non-invertible property of h(). Third, according to Shamir’s (t,n) threshold scheme, it is required that at least t insiders work together to reconstruct \(f\left( z \right) = b_{0} + b_{1} z + b_{2} z^{2} + \cdots + b_{n - 1} z^{n - 1} \bmod q\); therefore, it is not possible for the adversary to do so.

5.2.4 Attack 4

Fewer than t insiders try to derive the private keys of the other participants of the group.

Cryptanalysis of Attack 4

According to Shamir’s (t,n) threshold scheme, it is required that at least t insiders work together to reconstruct \(f\left( z \right) = b_{0} + b_{1} z + b_{2} z^{2} + \cdots + b_{n - 1} z^{n - 1} \bmod q\); therefore, it is not possible to reconstruct f(z) with fewer than t insiders.

5.2.5 Attack 5

Fewer than t insiders attempt to forge a signature on message M′, which has been delegated to a particular User i at time period t, without the knowledge of \(x_{i,t}\).

Cryptanalysis of Attack 5

For this attack to work, all the corrupt insiders need to do is either reconstruct User i’s private key at time period t, \(x_{i,t}\), or find a collision of h(). According to Shamir’s (t,n) threshold scheme, which is based on the Lagrange Interpolating Polynomial, the attacker needs t shadows to reconstruct all private keys for User i, where i = 1…n − 1, from the following equation.

$$H\left( x \right) = \mathop \sum \limits_{s = 1}^{t} k_{{i_{s} }} \mathop \prod \limits_{j = 1, j \ne s}^{t} \frac{{x - x_{{i_{j} }} }}{{x_{{i_{s} }} - x_{{i_{j} }} }} \bmod p$$

Therefore, fewer than t insiders are not capable of reconstructing the private key for User i at time period t. Also, the insiders need to find a collision that satisfies h(M) = m at time period t − 1.
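The threshold argument used against Attacks 4 and 5, as an added example that is not from the paper: Lagrange interpolation over a prime field recovers another member's key from t shares, while t − 1 shares fit every guess of \(b_0\) and so do not pin that key down. The modulus 2^61 − 1, the member IDs beyond those shown in Figs. 4 and 5, and the function names are constructed for illustration; the arithmetic is done in the field where f(z) is defined.

```python
import secrets

Q = 2**61 - 1  # constructed prime modulus standing in for q


def f_eval(coeffs, z):
    """Evaluate f(z) = b_0 + b_1 z + ... mod Q (Horner form)."""
    acc = 0
    for coeff in reversed(coeffs):
        acc = (acc * z + coeff) % Q
    return acc


def interpolate(points, z):
    """Value at z of the unique polynomial of degree < len(points)
    passing through the given (x, y) points, computed over Z_Q."""
    total = 0
    for s, (xs, ys) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != s:
                num = num * (z - xj) % Q
                den = den * (xs - xj) % Q
        total = (total + ys * num * pow(den, -1, Q)) % Q
    return total


def threshold_demo(t=3):
    coeffs = [secrets.randbelow(Q) for _ in range(t)]   # b_0 .. b_{t-1}
    ids = [93010, 93011, 93012, 93013]                  # sample member IDs
    shares = [(i, f_eval(coeffs, i)) for i in ids]      # (ID, private key)
    target_id, target_key = shares[-1]

    # t colluding insiders: their keys determine f, hence every other key.
    recovers_key = interpolate(shares[:t], target_id) == target_key
    recovers_b0 = interpolate(shares[:t], 0) == coeffs[0]

    # t - 1 insiders: each guess for b_0 is consistent with their own keys
    # and predicts a different key for the target, so nothing is learned.
    partial = shares[:t - 1]
    predictions = set()
    for guess in range(5):
        candidate = partial + [(0, guess)]
        if all(interpolate(candidate, x) == y for x, y in partial):
            predictions.add(interpolate(candidate, target_id))
    return recovers_key, recovers_b0, len(predictions)


if __name__ == "__main__":
    print(threshold_demo())
```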

5.2.6 Attack 6

A User can use the current private key \(x_{i,t}\) to derive the previous key \(x_{i,t-1}\) at time period t − 1.

Cryptanalysis of Attack 6

The Forward-Secure Pseudorandom Generator is a one-way function, so it is computationally infeasible to derive \(x_{i,t-1}\) from \(x_{i,t}\).

Although the strength of our proposed algorithm does not, like RSA, rely on the factoring problem, in this section we have successfully demonstrated how the proposed scheme can be attacked and how it can protect itself against all of the above-mentioned attacks based on its mathematical properties.

6 Conclusions

Regulation, standardization, technology and security are key concerns in the development of a system of EMRs. When paper-based medical records are transformed into EMRs and put on the open Internet for exchange, security becomes a crucial topic. In this paper, we focused on the security problems of the current most frequently used digital signature scheme, RSA, and presented an efficient forward-secure group certificate digital signature scheme to manage the security issues of EMRs. We performed a security analysis, and its results showed that the proposed digital signature is robust against attacks. Comparisons between RSA and our proposed scheme are provided to show the advantages of our scheme. These advantages include the following: (1) only one group certificate is needed within a group, (2) fewer keys are needed, (3) forward security is enabled and (4) there is no search time needed in a group. In summary, the proposed efficient forward-secure group certificate digital signature scheme not only solves the security issues of the EMR but also increases the efficiency of the EMR authentication process and eases the problems of key directory management.

7 Future work

This newly proposed signature scheme creates a whole new signature system with better efficiency and a forward-secure function, but it is unlike the currently used RSA digital signature scheme; therefore, it is not compatible with HIS. Our future work is to discover a new digital signature scheme that not only has the same advantages as the scheme proposed in this paper but can also be incorporated into HIS easily.