Meiyan Xiao,Hongbo Li,Qiong Huang,Shui Yu,Willy Susilo

DOI: https://doi.org/10.1109/tifs.2022.3173412

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Attribute-based encryption scheme is a promising mechanism to realize one-to-many fine-grained access control which strengthens the security in cloud computing. However, massive amounts of data and various data sharing requirements bring great challenges to the complex but isolated and fixed access structures in most of the existing attribute-based encryption schemes. In this paper, we propose an attribute-based hierarchical encryption scheme with extendable policy, called Extendable Hierarchical Ciphertext-Policy Attribute-Based Encryption (EH-CP-ABE), to improve the data sharing efficiency and security simultaneously. The scheme realizes the function of hierarchical encryption, in which, data with hierarchical access control relationships could be encrypted together flexibly to improve the efficiency. The scheme also achieves external and internal extension of the access structure to further encrypt newly added hierarchical data without updating the original ciphertexts or with only a minor update depending on the data sharing requirements, which simplifies the encryption process and greatly reduces the computation overhead. We formally prove the security of the scheme is IND-CCA secure in the random oracle model based on bilinear Diffie-Hellman assumption, and we also implement our scheme to demonstrate its efficiency and practicality.

Cong Li,Qingni Shen,Zhikang Xie,Jisheng Dong,Xinyu Feng,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1016/j.ins.2022.08.014

IF: 8.1

2022-01-01

Information Sciences

Abstract:Hierarchical-authority attribute-based encryption (HABE) can resolve the performance bottleneck of the key generation center in the traditional attribute-based encryption (ABE) system. HABE has numerous applications, such as cloud computing and smart grid systems. Nevertheless, almost all of the existing HABE schemes are in the ciphertext-policy setting and do not support non-monotonic access structures. In this work, we propose the first key-policy hierarchical-authority ABE with non-monotonic access structures, dubbed KP-HABE-NMaCS, which supports the authority key delegation, constant size ciphertexts and the large universe simultaneously. We further define the security model of KP-HABE-NMaCS and prove the selective security of it in the standard model. Then we optimize our scheme to realize the outsourced decryption. Subsequently, we present the detailed theoretical analysis of our constructions and the existing HABE constructions in computation and storage costs, and meanwhile implement ours and conduct a series of experiments. Both results indicate that our KP-HABE-NMaCS construction makes improvements in expressiveness and features, and achieves efficiency comparable to the previous HABE constructions. Furthermore, they also show that our extension construction is suitable for resource-limited applications. Eventually, we explore how to apply our KP-HABE-NMaCS to build an ABE with equality test and time-based authorization.

J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Hanshu Hong,Zhixin Sun

DOI: https://doi.org/10.1186/s40064-016-1765-9

2016-02-19

SpringerPlus

Abstract:AbstractAttribute based encryption (ABE) has been widely applied for secure data protection in various data sharing systems. However, the efficiency of existing ABE schemes is not high enough since running encrypt and decrypt algorithms need frequent bilinear pairing operations, which may occupy too much computing resources on terminal devices. What’s more, since different users may share the same attributes in the system, a single user’s private key exposure will threaten the security and confidentiality of the whole system. Therefore, to further decrease the computation cost in attribute based cryptosystem as well as provide secure protection when key exposure happens, in this paper, we firstly propose a high efficient key-insulated ABE algorithm without pairings. The key-insulated mechanism guarantees both forward security and backward security when key exposure or user revocation happens. Besides, during the running of algorithms in our scheme, users and attribute authority needn’t run any bilinear pairing operations, which will increase the efficiency to a large extent. The high efficiency and security analysis indicate that our scheme is more appropriate for secure protection in data sharing systems.

Cong Li,Yuejian Fang,Xing Zhang,Cancan Jin,Qingni Shen,Zhonghai Wu

DOI: https://doi.org/10.1002/cpe.3957

2016-01-01

Abstract:SummaryWe present a practical large universe hierarchical attribute‐based encryption (LU‐HABE) scheme, which supports monotone access structures. In our system, key generation centers (KGCs), any one in which is labeled by a unique identity, are organized as a hierarchical structure. Thus, all secret keys issued by the KGC contain 2 parts: the identity‐related one and the attribute‐related one. Once the data owner wants to encrypt his/her data, he/she needs to specify certain numbers of pairs according to his/her demand. The pair consists of an identity of a KGC and a policy of attributes managed by the corresponding KGC, eg, IDi and (Mi, ρi). If and only if an identity associated with user's secret key is equal to or is an ancestor of one of the identities appearing in ciphertext, and simultaneously a set of attributes belonging to the user satisfies the policy, the user can decrypt it successfully. Our scheme is proved to be selectively secure in the standard model under the modified “q‐type” assumption similar to the ones used in former works and is extended to support online/offline encryption. To show the efficiency of our construction, we implement our original scheme and the extended one in Charm. Analyses show that both of them are very practical.

Yan Zhu,Di Ma,Changjun Hu,Dijiang Huang

DOI: https://doi.org/10.1145/2484402.2484411

2013-01-01

Abstract:ABSTRACTThis paper addresses how to construct a RBAC-compatible attribute-based encryption (ABE) for secure cloud storage, which provides a user-friendly and easy-to-manage security mechanism without user intervention. Similar to role hierarchy in RBAC, attribute lattice introduced into ABE is used to define a seniority relation among all values of an attribute, whereby a user holding the senior attribute values acquires permissions of their juniors. Based on these notations, we present a new ABE scheme called Attribute-Based Encryption with Attribute Lattice (ABE-AL) that provides an efficient approach to implement comparison operations between attribute values on a poset derived from attribute lattice. By using bilinear groups of composite order, we propose a practical construction of ABE-AL based on forward and backward derivation functions. Compared with prior solutions, our scheme offers a compact policy representation solution, which can significantly reduce the size of privatekeys and ciphertexts. Furthermore, our solution provides a richer expressive power of access policies to facilitate flexible access control for ABE scheme.

Oberko Prince Silas Kwesi,Obeng Victor-Hillary Kofi Setornyo,Xiong Hu

DOI: https://doi.org/10.1007/s12652-021-02915-5

IF: 3.662

2021-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:The introduction of attribute-based encryption (ABE) targets to achieve the implementation of single-to-numerous encryption; however, the sole authority challenge and the issue of distributed management of attributes are bottlenecks to its realization. Multi-authority attribute-based encryption (MA-ABE) where various attribute authorities (which may be independent of each other) control different attribute universe and are involved in the administration of attribute keys for decryption provides the necessary platform to undertake the implementation of fine-grained access regulation over shared data while achieving single-to-numerous encryption. In recent years, research into MA-ABE has seen rapid advancement, and we believe that it is a suitable solution to thwarting the key escrow problem as well as the problem of distributed management of attributes. This paper offers a thorough survey and examines the state-of-the-art of some traditional ABE as well as multi-authority attribute-based encryption schemes over the past decade. Furthermore, the survey gives detailed insights on some essential techniques as well as some classic concretely constructed algorithms. Moreover, we discuss an extension (the different directions) of MA-ABE and its progress since its inception. We also provide design principles of MA-ABE and also show comparisons between existing works on areas as security, performance, and functionality. This paper also discusses several interesting open problems. As far as we can tell, no comparable survey on MA-ABE exists in literature so far.

Zechao Liu,Zoe L. Jiang,Xuan Wang,S. M. Yiu

DOI: https://doi.org/10.1016/j.jnca.2018.01.016

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:Attribute-Based Encryption (ABE) offers fine-grained access control policy over encrypted data, and thus applicable in cloud storage to provide authorized data privacy. However, there are some issues that should be solved before deploying ABE in practice. Firstly, as the heavy decryption cost grows with the complexity of access policy, an ABE with outsourcing decryption is preferred to relieve user's computation cost. Secondly, when user's attributes are altered, it is required for ABE supporting attribute revocation to change user's access privilege timely and effectively. Thirdly, in the case of access control policy changed by data owner, policy updating requirement must be met in designing ABE. Therefore, a practical ABE scheme is proposed which can solve aforementioned issues simultaneously. In order to support flexible number of attributes, our scheme also achieves large universe and multiple attribute authorities. The security and performance of the proposed scheme are discussed, followed by extensive experiments to demonstrate its effectiveness and practicability.

Cong Li,Qingni Shen,Zhikang Xie,Xinyu Feng,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1093/comjnl/bxaa075

2021-01-01

The Computer Journal

Abstract:Attribute-based encryption with equality test (ABEET) simultaneously supports fine-grained access control on the encrypted data and plaintext message equality comparison without decrypting the ciphertexts. Recently, there have been several literatures about ABEET proposed. Nevertheless, most of them explore the ABEET schemes in the random oracle model, which has been pointed out to have many defects in practicality. The only existing ABEET scheme in the standard model, proposed by Wang et al., merely achieves the indistinguishable against chosen-plaintext attack security. Considering the aforementioned problems, in this paper, we propose the first direct adaptive chosen-ciphertext security ciphertext-policy ABEET scheme in the standard model. Our method only adopts a chameleon hash function and adds one dummy attribute to the access structure. Compared with the previous works, our scheme achieves the security improvement, ciphertext validity check and large universe. Besides, we further optimize our scheme to support the outsourced decryption. Finally, we first give the detailed theoretical analysis of our constructions in computation and storage costs, then we implement our constructions and carry out a series of experiments. Both results indicate that our constructions are more efficient in Setup and Trapdoor and have the shorter public parameters than the existing ABEET ones do.

Yongtao Wang,Kefei Chen,Yu Long

DOI: https://doi.org/10.3772/j.issn.1006-6748.2013.01.015

2013-01-01

Abstract:An accountable authority attribute-based encryption (A-ABE) scheme is presented in this paper. The notion of accountable authority identity-based encryption (A-IBE) was first introduced by Goyal at Crypto'07. It is a novel approach to mitigate the (inherent) key escrow problem in identity-based cryptosystems. In this work, the concept of accountable authority to attribute-based encryption (ABE) setting is generalized for the first time, and then a construction is given. The scheme non-trivially integrates an A-IBE scheme proposed by Libert et al. with an ABE scheme. In our construction, a user will be identified by a pair (id, ω), where id denotes the user's identity and ω denotes the set of attributes associated to the user. In addition, our construction is shown to be secure under some reasonable assumptions. © by HIGH TECHNOLOGY LETTERS PRESS.

Yinghui Zhang,Robert H. Deng,Shengmin Xu,Jianfei Sun,Qi Li,Dong Zheng

DOI: https://doi.org/10.1145/3398036

IF: 16.6

2021-07-31

ACM Computing Surveys

Abstract:Attribute-based encryption (ABE) for cloud computing access control is reviewed in this article. A taxonomy and comprehensive assessment criteria of ABE are first proposed. In the taxonomy, ABE schemes are assorted into key-policy ABE (KP-ABE) schemes, ciphertext-policy ABE (CP-ABE) schemes, anti-quantum ABE schemes, and generic constructions. In accordance with cryptographically functional features, CP-ABE is further divided into nine subcategories with regard to basic functionality, revocation, accountability, policy hiding, policy updating, multi-authority, hierarchy, offline computation, and outsourced computation. In addition, a systematical methodology for discussing and comparing existing ABE schemes is proposed. For KP-ABE and each type of CP-ABE, the corresponding access control scenario is presented and explained by concrete examples. Specifically, the syntax of ABE is given followed by the adversarial model and security goals. ABE schemes are discussed according to the design strategies and special features and are compared in the light of the proposed assessment criteria with respect to security and performance. Compared to related state-of-the-art survey papers, this article not only provides a broader 12 categories of ABE schemes, but also makes a more comprehensive and holistic comparison. Finally, a number of open research challenges in ABE are pointed out.

computer science, theory & methods

Mohammad Ali,Javad Mohajeri,Mohammad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.1810.05864

2018-10-13

Abstract:Ciphertext-policy hierarchical attribute-based encryption (CP-HABE) is a promising cryptographic primitive for enforcing the fine-grained access control with scalable key delegation and user revocation mechanisms on the outsourced encrypted data in a cloud. Wang et al. (2011) proposed the first CP-HABE scheme and showed that the scheme is semantically secure in the random oracle model [4, 5]. Due to some weakness in its key delegation mechanism, by presenting two attacks, we demonstrate the scheme does not offer any confidentiality and fine-grained access control. In this way, anyone who has just one attribute can recover any outsourced encrypted data in the cloud.

Cryptography and Security

Kang Yang,Guohua Wu,Chengcheng Dong,Xingbing Fu,Fagen Li,Ting Wu

2020-01-01

Abstract:Attribute-based encryption (ABE) can be used in many cloud storage and computing applications, and it is an attractive alternative to identity-based encryption. The feature of the ABE is that it provides a flexible mechanism to achieve fine-grained access control. The revocable ABE (RABE) is an extension of the ABE. The attribute revo-cation is essential because of the factors such as changes of user’s attributes, key exposures and key loss. In this paper, we propose a revocable ciphertext policy ABE (CP-RABE) scheme from lattices, which supports flexible access control and efficient revocation. In our scheme, a binary tree with an attribute revocation list is used to re-voke attributes, and key update is logarithmically related to the number of each user attribute. Finally, the security of the scheme is proved to be selective-attribute secure in the standard model and security can be reduced to hardness of learning with error assumption.

Weiqian Huo,Jisheng Pei,Ke Zhang,Xiaojun Ye

DOI: https://doi.org/10.1109/PAAP.2014.11

2014-01-01

Abstract:To allow fine-grained access control of sensitive data, researchers have proposed various types of functional encryption schemes, such as identity-based encryption, searchable encryption and attribute-based encryption. We observe that it is difficult to define some complex access policies in certain application scenarios by using these schemes individually. In this paper, we attempt to address this problem by proposing a functional encryption approach named Key-Policy Attribute-Based Encryption with Attribute Extension (KP-ABE-AE). In this approach, we utilize extended attributes to integrate various encryption schemes that support different access policies under a common top-level KP-ABE scheme, thus expanding the scope of access policies that can be defined. Theoretical analysis and experimental studies are conducted to demonstrate the applicability of the proposed KP-ABE-AE. We also present an optimization for a special application of KP-ABE-AE where IPE schemes are integrated with a KP-ABE scheme. The optimization results in an integrated scheme with better efficiency when compared to the existing encryption schemes that support the same scope of access policies.

XiaoFang Huang,Qi Tao,BaoDong Qin,ZhiQin Liu

DOI: https://doi.org/10.1109/icccn.2015.7288431

2015-01-01

Abstract:Attribute Based Encryption (ABE) scheme can achieve information sharing of one-to-many users, without considering the number of users and the users identity. But, the traditional single Attribute Authority (AA) ABE scheme can hardly meet requirements of different agencies in distributed application environment and it is easy to form the system performance bottlenecks. Based on ciphertext-policy ABE scheme, this paper proposes a multi-authority revocable ABE scheme, where the classification manages user attributes, effectively relieving the management burden of single organization. In addition, it can achieve fine grained access control of shared information by adopting tree access strategy and secret sharing scheme, and support system attribute revocation. Finally, we show that the scheme is secure against chosen plaintext attack under the Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Muhammad Asim,Tanya Ignatenko,Milan Petkovic,Daniel Trivellato,Nicola Zannone

DOI: https://doi.org/10.48550/arXiv.1205.5757

2012-05-26

Abstract:Virtual organizations are dynamic, inter-organizational collaborations that involve systems and services belonging to different security domains. Several solutions have been proposed to guarantee the enforcement of the access control policies protecting the information exchanged in a distributed system, but none of them addresses the dynamicity characterizing virtual organizations. In this paper we propose a dynamic hierarchical attribute-based encryption (D-HABE) scheme that allows the institutions in a virtual organization to encrypt information according to an attribute-based policy in such a way that only users with the appropriate attributes can decrypt it. In addition, we introduce a key management scheme that determines which user is entitled to receive which attribute key from which domain authority.

Cryptography and Security

Yinghui Zhang,Robert H. Deng,Shengmin Xu,Jianfei Sun,Qi Li,Dong Zheng

DOI: https://doi.org/10.1145/3398036

IF: 16.6

2020-01-01

ACM Computing Surveys

Abstract:Attribute-based encryption (ABE) for cloud computing access control is reviewed in this article. A taxonomy and comprehensive assessment criteria of ABE are first proposed. In the taxonomy, ABE schemes are assorted into key-policy ABE (KP-ABE) schemes, ciphertext-policy ABE (CP-ABE) schemes, anti-quantum ABE schemes, and generic constructions. In accordance with cryptographically functional features, CP-ABE is further divided into nine subcategories with regard to basic functionality, revocation, accountability, policy hiding, policy updating, multi-authority, hierarchy, offline computation, and outsourced computation. In addition, a systematical methodology for discussing and comparing existing ABE schemes is proposed. For KP-ABE and each type of CP-ABE, the corresponding access control scenario is presented and explained by concrete examples. Specifically, the syntax of ABE is given followed by the adversarial model and security goals. ABE schemes are discussed according to the design strategies and special features and are compared in the light of the proposed assessment criteria with respect to security and performance. Compared to related state-of-the-art survey papers, this article not only provides a broader 12 categories of ABE schemes, but also makes a more comprehensive and holistic comparison. Finally, a number of open research challenges in ABE are pointed out.

Zoe L. Jiang,Ruoqing Zhang,Zechao Liu,S. M. Yiu,Lucas C. K. Hui,Xuan Wang,Junbin Fang

DOI: https://doi.org/10.1007/978-3-319-69605-8_14

2017-01-01

Abstract:Attribute-Based Encryption (ABE) is a generalized cryptographic primitive from normal public key encryption. It provides an access control mechanism over encrypted message using access policies and ascribed attributes. This scheme can solve the privacy issue when data is outsourced to cloud for storage well. However, there are some practical issues which must be fixed before ABE becomes applicable. One is that both the ciphertext size and the decryption time grows with the complexity of the access policy, which brings pressure to mobile devies. The other is that, from practical point of view, some users might be disabled for some attributes or be removed from the system. It demands on flexible revocation mechanism supporting both user and attribute granularities. In this research, we propose a solution adopting techniques on secure outsourcing of pairings to support outsourcing computation and adopting some techniques based on the tree-based scheme to solve user revocation and attribute revocation. We also give its security model and proof.

Jin Li,Xiaofeng Chen,Jingwei Li,Chunfu Jia,Jianfeng Ma,Wenjing Lou

DOI: https://doi.org/10.3233/jcs-150533

2015-01-01

Journal of Computer Security

Abstract:As cloud computing becomes prevalent, more and more sensitive data is being centralized into the cloud for sharing, which brings forth new challenges for outsourced data security and privacy. Attribute-based encryption (ABE) is a promising cryptographic primitive, which has been widely applied to design fine-grained access control system recently. However, ABE is criticized for its high scheme overhead as the computational cost grows with the complexity of the access formula. This disadvantage becomes more serious for mobile devices with constrained computing resources. Aiming at tackling the challenge above, we present a generic and efficient solution to implement attribute-based access control system by introducing secure outsourcing techniques into ABE. More precisely, two cloud service providers (CSPs), namely key generation-cloud service provider (KG-CSP) and decryption-cloud service provider (D-CSP) are introduced to perform the outsourced key-issuing and decryption on behalf of attribute authority and users respectively. In order to outsource heavy computation to both CSPs without private information leakage, we formalize an underlying primitive called outsourced ABE (OABE) and propose several constructions with outsourced decryption and key-issuing. Finally, extensive experiment demonstrates that with the help of KG-CSP and D-CSP, efficient key-issuing and decryption are achieved in our constructions.

Kaiping Xue,Jianan Hong,Yingjie Xue,David S. L. Wei,Nenghai Yu,Peilin Hong

DOI: https://doi.org/10.1109/tc.2017.2693265

2017-01-01

Abstract:Attribute-based encryption (ABE) has opened up a popular research topic in cryptography over the past few years. It can be used in various circumstances, as it provides a flexible way to conduct fine-grained data access control. Despite its great advantages in data access control, current ABE based access control system cannot satisfy the requirement well when the system judges the access behavior according to attribute comparison, such as "greater than x" or "less than x", which are called comparable attributes in this paper. In this paper, based on a set of well-designed sub-attributes representing each comparable attribute, we construct a comparable attribute-based encryption scheme (CABE for short) to address the aforementioned problem. The novelty lies in that we provide a more efficient construction based on the generation and management of the sub-attributes with the notion of 0-encoding and 1-encoding. Extensive analysis shows that: Compared with the existing schemes, our scheme drastically decreases the storage, communication and computation overheads, and thus is more efficient in dealing with the applications with comparable attributes.