WANG Ji-lin,CHEN Xiao-feng,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.04.010

2006-01-01

Abstract:Exchange of digitally signed certificates was often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions.Automated trust negotiation(ATN) was an approach to regulate the flow of sensitive information during such an exchange.But ATN cannot handle cyclic policy interdependency satisfactorily.Oblivious signature-based envelope(OSBE) is a scheme to solve this problem.However,the existed scheme could only be implemented on a secure channel.An efficient OSBE scheme without the secure channel is proposed using the ideas of identity-based systems and certificate-based encryption,which satisfies all the properties required by OSBE such as soundness and oblivious et al.Also,the scheme can achieve the desired security notations in the random oracle model.

Xingbing Fu,Shengke Zeng,Fagen Li

2015-01-01

Abstract:Oblivious transfer with access control is a protocol where data in the database server are protected with access control policies and users with credentials satisfying the access policies are allowed to access them, whereas the database server learns nothing about the data accessed by users or about her credentials.Our scheme has the advantages as follows: First, our scheme maintains the privacy property of oblivious transfer and offers access control mechanism. Second, it allows the expressive access control polices that directly supports AND, OR and Threshold gates. Third, the communication complexity in our scheme is constant in the numbers of records which have been accessed. Fourth, our scheme is constructed in prime order bilinear group.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

A. Balu,K. Kuppusamy

DOI: https://doi.org/10.48550/arXiv.1011.0527

2010-11-02

Abstract:In Ciphertext Policy Attribute based Encryption scheme, the encryptor can fix the policy, who can decrypt the encrypted message. The policy can be formed with the help of attributes. In CP-ABE, access policy is sent along with the ciphertext. We propose a method in which the access policy need not be sent along with the ciphertext, by which we are able to preserve the privacy of the encryptor. The proposed construction is provably secure under Decision Bilinear Diffe-Hellman assumption.

Cryptography and Security

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Jin Li,Kui Ren,Bo Zhu,Zhiguo Wan

DOI: https://doi.org/10.1007/978-3-642-04474-8_28

2009-01-01

Abstract:As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. To further address the concern of user access privacy, privacy-aware ABE schemes are being developed to achieve hidden access policy recently. For the purpose of secure access control, there is, how- ever, still one critical functionality missing in the existing ABE schemes, which is user accountability. Currently, no ABE scheme can completely prevent the problem of illegal key sharing among users. In this paper, we tackle this problem by firstly proposing the notion of accountable, anony- mous, and ciphertext-policy ABE (CP-A 3 BE, in short) and then giving out a concrete construction. We start by improving the state-of-the-art of anonymous CP-ABE to obtain shorter public parameters and ciphertext length. In the proposed CP-A 3 BE construction, user accountability can be achieved in black-box model by embedding additional user-specific information into the attribute private key issued to that user, while still maintaining hidden access policy. The proposed constructions are prov- ably secure.

Zhang Wei,Zhang Zhishuo,Xiong Hu,Qin Zhiguang

DOI: https://doi.org/10.1007/s12652-021-02922-6

2021-01-01

Abstract:In recent years, attribute-based encryption (ABE) provides a new idea to help researchers solving the problem of data privacy protection in cloud. But there are two issues in traditional ABE, the first issue is that the attributes in the access structures will be sent to users in cleartext together with the ciphertext. So a attacker has the opportunity to obtain some of the private information from the plaintext access structure. And the other issue is the traditional ABE scheme cannot revoke the users' illegal keys in an efficient way. To handle both of the above challenges, we come up with a large universe ciphertext-policy ABE (CP-ABE) scheme which supports partially hidden access structures (PHAS) and highly efficient key revocation at the same time in this paper. What's more, unlike most previous schemes, first our access structure is based on the expressive linear secret sharing scheme (LSSS) which supports both AND and OR gates in access formulas and second our scheme is built from the prime-order bilinear pairing groups. The comparison with other relevant works presents that our scheme is more comprehensive and efficient. Finally we rigorously prove and analyze that our scheme is selectively indistinguishable secure under chosen plaintext attacks (IND-CPA) in the random oracle model (ROM) and our access structure is really anonymous against off-line dictionary attacks.

Anping Xiong,Chunxiang Xu

DOI: https://doi.org/10.1080/10798587.2015.1095488

2015-01-01

Abstract:Ciphertext Policy Attribute-Based Encryption ( CP-ABE) has been widely studied in recent years because it is more suitable for access control of shared data under cloud storage environment. In view of problems of flexibility and efficiency of the existing encryption schemes under cloud storage environment, combined with digital envelopes technology, the paper puts forward an optimized scheme based on supporting fine-grained access control. The scheme has the following advantages: Adopting digital envelopes technology, reducing the computational overhead of Data Owner significantly on the basis of the ensuring data confidentiality, using proxy re-encryption technology to realize the support of user and attribute revocation flexibly, furthermore, the backward and forward secrecy also have been ensured. Adopting security protocols to distribute the shared keys between users and cloud storage server, cloud storage server can save the overhead in maintenance of a large user key's tree. Security and performance analysis show that Cloud storage access control scheme of ciphertext algorithm based on digital envelope can ensure the confidentiality of data, resist collusion attack with forward and backward security, and also reduce the calculation works of the user owners and accessing users.

Mostafa Chegenizadeh,Mohammad Ali,Javad Mohajeri,Mohammad Reza Aref

DOI: https://doi.org/10.48550/arXiv.2107.10133

2021-07-21

Abstract:Attribute-based encryption (ABE) is a promising cryptographic mechanism for providing confidentiality and fine-grained access control in the cloud-based area. However, due to high computational overhead, common ABE schemes are not suitable for resource-constrained devices. Moreover, data owners should be able to update their defined access policies efficiently, and in some cases, applying hidden access policies is required to preserve the privacy of clients and data. In this paper, we propose a ciphertext-policy attribute-based access control scheme which for the first time provides online/offline encryption, hidden access policy, and access policy update simultaneously. In our scheme, resource-constrained devices are equipped with online/offline encryption reducing the encryption overhead significantly. Furthermore, attributes of access policies are hidden such that the attribute sets satisfying an access policy cannot be guessed by other parties. Moreover, data owners can update their defined access policies while outsourcing a major part of the updating process to the cloud service provider. In particular, we introduce blind access policies that enable the cloud service provider to update the data owners' access policies without receiving a new re-encryption key. Besides, our scheme supports fast decryption such that the decryption algorithm consists of a constant number of bilinear pairing operations. The proposed scheme is proven to be secure in the random oracle model and under the hardness of Decisional Bilinear Diffie-Hellman (DBDH) and Decision Linear (D-Linear) assumptions. Also, performance analysis results demonstrate that the proposed scheme is efficient and practical.

Cryptography and Security

Xingbing Fu,Fagen Li,Shengke Zeng

DOI: https://doi.org/10.14257/ijfgcn.2016.9.1.25

2016-01-01

International Journal of Future Generation Communication and Networking

Abstract:In this work, an oblivious transfer with complex access control scheme that is constructed based on ciphertext policy attribute based encryption (CP-ABE) scheme is proposed. In this scheme, the database server can enforce fine grained access control for each record where the authorized user is allowed to access, but the unauthorized user cannot, whereas it learns neither which record a user accesses, nor which attributes a user has. This scheme has the advantages as follows: First, it allows the expressive access control policies where access structures are based on linear secret sharing scheme that directly supports AND, OR and Threshold gates. Second, the communication complexity in this scheme is constant in the numbers of records which have been accessed. Third, this scheme is constructed in prime order bilinear group. Fourth, this scheme is secure in the standard model. To the best of our knowledge, this scheme is the first to obtain these features simultaneously.

Li Yang,Cheng Li,Yuting Cheng,Shui Yu,Jianfeng Ma

DOI: https://doi.org/10.1016/j.ins.2021.09.034

IF: 8.1

2022-01-01

Information Sciences

Abstract:Increasingly more user data are transferred to the cloud for storage and analysis. Due to the dishonesty of the cloud, user data are at risk of leakage. CP-ABE is considered one of the most promising technologies for protecting outsourced data. However, in most existing schemes, the attacker may learn user privacy information from the policy plaintext. Furthermore, schemes supporting policy hiding either only achieve partial policy hiding or cannot hide policies in large universes. In this paper, we use hide both the values and names of attributes in policies by using private set intersections (PSIs). CP-ABE supports a complete hiding strategy. At the same time, it can calculate the authorization relationship and mapping between the user's password and key. We use polynomial-based PSI and a recursive algorithm to calculate the former. With the help of this algorithm and tag vectors, the mapping is determined in the case of communication restrictions. By outsourcing exponents, we achieve an efficient hiding policy and effectively reduces users' computing overhead. We also prove its security. Finally, the performance evaluation and simulation results reveal that our model achieves better performance compared with other schemes while preserving sensitive attributes.

computer science, information systems

Chao Luo,Jiaoli Shi,Minchen Xie,Chao Hu,Lihua Wang,Zhuolin Mei,Shimao Yao,Hui Li

DOI: https://doi.org/10.1007/978-981-97-0942-7_22

2024-01-01

Abstract:Traditional CP-ABE (Ciphertext-Policy Attribute-Based Encryption) schemes require the access policy to be uploaded to the cloud along with the ciphertext, but access policies often also involve some private information, which can lead to privacy leakage. Moreover, the decryption cost of the traditional CP-ABE scheme is too high, which is not suitable for source-limited end devices, such as medical monitoring terminals. To achieve policy hiding, decryption lightening, and high expressiveness of access policy all at the same time, we present a new CP-ABE scheme, in which a PBF (Path Bloom Filter) is designed based on ROBDD (Reduced Ordered Binary Decision Diagram). The ROBDD, as the access structure, can provide more vital and more flexible expressiveness. Then the PBF can hide the access policy, reduce the decryption cost, and accelerate the decryption speed. Analysis and simulation study show that our proposed scheme is secure under Decisional q-BDHE assumption and superior to previous schemes concerning computational cost.

Cancan Jin,Xinyu Feng,Qingni Shen

DOI: https://doi.org/10.1145/3017971.3017981

2016-01-01

Abstract:In ciphertext policy attribute-based encryption scheme, access policies are associated with ciphertext and tied to it. It is necessary to hide the access policy in the most sensitive spots such as political, medical and economic fields, that is, receiver's anonymity. In this paper, we propose an efficient CP-ABE construction with hidden policy and prove it to be fully secure under static assumptions applying the dual system encryption methodology. Access structures in our construction are AND gates on positive, negative and wildcard attributes and the ciphertext size is short, which is only concerned with the number of wildcards.

Bian, Qingquan,Zhang, Yue,Song, Chang,Wu, Axin

DOI: https://doi.org/10.1007/s12083-023-01619-1

IF: 3.488

2024-01-12

Peer-to-Peer Networking and Applications

Abstract:Internet of Things (IoT) applications are revolutionizing lifestyles and social management. In IoT environments, there is a need to deploy a large number of sensing devices, which are typically resource-constrained, with limited computational power and communication resources. Due to its open nature, IoT applications confront potential security and privacy risks in exchange for convenience, with data privacy being a significant concern. Predicate encryption (PE) offers a promising approach to address this concern. However, most PE schemes are public-key cryptosystems, which are more expensive compared to symmetric cryptography. These costs are burdensome for resource-constrained devices, especially when dealing with massive amounts of data. A recent study by Viet et al. (ESORICS'2022) introduced a symmetric PE scheme. However, this scheme's representation of attributes and predicates is limited. To overcome this limitation, we propose a flexible symmetric PE scheme. In the proposed scheme, predicates and attributes are represented using vectors. Tokens are related to predicates, while ciphertexts are associated with attributes. The encrypted message can be decrypted when the values of the predicate vector and attribute vector are pairwise unequal. This scheme enables fine-grained access control over encrypted data, ensuring that users with any attribute value in the vector embedded in the ciphertext cannot decrypt it. The security analysis demonstrates that the proposed scheme effectively protects data privacy. Additionally, performance evaluations indicate that the scheme is efficient, providing a lightweight solution for data privacy in IoT environments.

computer science, information systems,telecommunications

Zhishuo Zhang,Wei Zhang,Zhiguang Qin

DOI: https://doi.org/10.1016/j.future.2021.04.022

IF: 7.307

2021-01-01

Future Generation Computer Systems

Abstract:In recent years, to address the security defect that the explicit attribute values in access policies may reveal the privacy, a new variant of ciphertext-policy attribute-based encryption(CP-ABE)——hidden policy CP-ABE (HP-CP-ABE) is proposed in some recent works. But there are two tremendous flaws in most existing HP-CP-ABE schemes. The one issue is that an attacker can launch the attribute values guessing attacks (AVGA) to detect the attribute values in access policies of many HP-CP-ABE schemes. And another issue is that, if the HP-CP-ABE schemes are using the “Linear Secret Sharing Schemes (LSSS)” as their access structures, as the rows of the LSSS matrix grows, the time complexity of the decryption testing algorithm will boost rapidly which will greatly aggravate the computing burden of the user. So in this paper, we propose a partially HP-CP-ABE (PHP-CP-ABE) scheme which can perfectly withstand the attribute values guessing attacks (AVGA). As our access structure is using the LSSS, to alleviate the computing burden of the user, we design a online privacy-protective decryption testing algorithm for the users to privately and securely outsource the decryption testing phase to the cloud server. Our online testing algorithm is privacy-protective which means during running the privacy-protective decryption testing algorithm, the cloud server has no chance to know anything about the attribute values in the access policy and the attribute values of the user. This will prevent the privacy from leaking out to the third party cloud server. Then we rigorously prove that our scheme is selectively indistinguishable secure under chosen plaintext attacks (IND-CPA). Next, by reduction to the computational q-PBDHE assumption which is firstly proposed in our paper, we prove that our HP-CP-ABE scheme is indistinguishable secure under the attribute values guessing attacks (IND-AVGA). Finally through the comparison with the state-of-art HP-CP-ABE schemes from the perspective of functionality and efficiency, it is easily to observe that our scheme has high-security and high-efficiency. In appendix, we give a straightaway analysis to some relevant works to point out the security vulnerabilities in their schemes.

Fugeng Zeng ,Chunxiang Xu ,Xinpeng Zhang

DOI: https://doi.org/10.4156/aiss.vol4.issue12.23

2012-01-01

Abstract:In the ciphertext-policy ABE (CP-ABE) schemes, attributes are associated with secret keys and access structures are associated with ciphertexts. The access structures are described with the attributes and therefore the concept of CP-ABE is closely related to Role-Based Access Control. Because it requires both of the encryptor and the key generalization center meeting the construction, it will be more difficult to design. Ibraimi et al.[7] allegedly proposed an efficient and provable secure CP-ABE schemes. They require that the simulator can not send back the private keys of attributes which overlap with challenging access attributes. We point out their fault of security proof and their requirement is a small probability event and it is unreasonable to reduce to standard DBDH assumption. However, we give a proof in the generic bilinear group model, which is weaker than DBDH assumption.

Jianfei Sun,Yangyang Bao,Xuyun Nie,Hu Xiong

DOI: https://doi.org/10.1109/access.2018.2843565

IF: 3.9

2018-01-01

IEEE Access

Abstract:Public key encryption with equality test (PKE-ET) enables anyone to perform equivalence test between two messages encrypted under distinct public keys. Attribute-hiding predicate encryption is a paradigm for public key encryption that supports both attribute-hiding and fine-grained access control. In this paper, we first initialize the concept of attribute-hiding predicate encryption with equality test (AH-PE-ET) by incorporating the notions of PKE-ET and PE, and then propose a concrete AH-PE-ET scheme. Inheriting the merits of predicate encryption, versatile access control can be achieved such that the ciphertexts and the secret key are, respectively, associated with the descriptive attributes x and the boolean functions f and decryption can only be done if f (x) returns true. In the AH-PE-ET scheme, one data receiver can calculate a trapdoor using his/her private key and delivers this trapdoor to an untrusted cloud server, who in turn compares the ciphertexts from this receiver with other receivers' ciphertexts. During the comparison, the information about the trapdoor as well as the attributes associated with the ciphertexts will not be disclosed to this cloud server. Furthermore, it is also proven to be selectively secure against the chosen plaintext attack in the standard model under the decisional bilinear Diffie-Hellman assumption. Finally, the theoretical performance analysis and experimental simulation indicate the feasibility and practicability of our suggested scheme.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1002/cpe.5556

2020-01-01

Abstract:Owing to the rapid progress of network researching, attribute-based access control (ABAC) has attracted more and more attention due to its appreciable expressiveness, flexibility, and scalability. Unfortunately, collecting user attributes is necessary to complete the standard ABAC decision process, which increases the risk of privacy disclosure. This problem increases public doubts about ABAC and hinders its popularization. In this paper, a privacy-protected and efficient attribute-based access control (EPABAC) scheme is proposed to prevent the privacy leakage of access subject in the decision-making process of ABAC by introducing a novel hash-based binary search tree. The analyses and experimental evaluations show that the EPABAC achieves user privacy protection in the decision-making process with acceptable additional computing overhead.

Xiaohui Li,Dawu Gu,Yanli Ren,Ning Ding,Kan Yuan

DOI: https://doi.org/10.1007/978-3-642-34883-9_12

2012-01-01

Abstract:In an anonymous ciphertext-policy attribute-based encryption (CP-ABE) scheme, the encryptor-specified access structure is hidden in ciphertexts. The decryptor gets his secret key from a trust authority according to his attributes. However, he cannot decrypt any ciphertext or guess even what access structure was specified by the encryptor if his attributes do not satisfy the access structure associated with the ciphertext. All previous anonymous CP-ABE schemes are inefficient in that each ciphertext grows linearly with the number of attributes. In this paper, we propose an efficient anonymous CP-ABE scheme that reduces both the length of each ciphertext and the number of pairing operations to a constant level, but still leverages a hidden policy to keep recipients' privacy preserved. Furthermore, our scheme is fully secure in the standard model based on the decisional Bilinear Diffie-Hellman (DBDH) assumption in composite order groups. We remark that in our security definition, only the legitimate decryptor knows access structures associated with ciphertexts.

Chao Ma,Haiying Gao,Bin Hu

DOI: https://doi.org/10.1007/s11227-023-05867-z

IF: 3.3

2024-02-03

The Journal of Supercomputing

Abstract:Attribute-based encryption is a new cryptographic primitive that supports fine-grained access control of cloud data, and its access control function relies on the interaction of attributes and access structures. To achieve more flexible access control, attribute revocation has become an important problem that must be considered in the application process of attribute-based encryption. We propose and implement an efficient revocable ciphertext policy attribute-based encryption scheme based on the improvement of the scheme proposed by Tomida et al. Our scheme has the following characteristics: (1) It is adaptively secure under the Matrix Decisional Diffie–Hellman assumption; (2) it supports the multi-use of attribute classes and the negation of attribute values; (3) it supports the revocation of system attributes; and (4) the update of the key and ciphertext is completed by the trusted center and the cloud server, respectively, thereby decreasing revocation overhead for users.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture