Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1145/1755688.1755720

2010-01-01

Abstract:Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising cryptographic primitive for fine-grained access control of shared data. In CP-ABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. Beside this basic property, practical applications usually have other requirements. In this paper we focus on an important issue of attribute revocation which is cumbersome for CP-ABE schemes. In particular, we resolve this challenging issue by considering more practical scenarios in which semi-trustable on-line proxy servers are available. As compared to existing schemes, our proposed solution enables the authority to revoke user attributes with minimal effort. We achieve this by uniquely integrating the technique of proxy re-encryption with CP-ABE, and enable the authority to delegate most of laborious tasks to proxy servers. Formal analysis shows that our proposed scheme is provably secure against chosen ciphertext attacks. In addition, we show that our technique can also be applicable to the Key-Policy Attribute Based Encryption (KP-ABE) counterpart.

Hao Wang,Bo Yang,Yilei Wang

DOI: https://doi.org/10.1109/waina.2015.11

2015-01-01

Abstract:Attribute-based encryption (ABE) is a type of public key encryption that allows users to encrypt and decrypt messages based on user attributes. One drawback is that encryption and decryption computational costs scale with the complexity of the access policy or number of attributes. In practice, this makes encryption and decryption a possible bottleneck for some applications. In this work, we aim to mitigate this problem for cipher text-policy ABE (CP-ABE). We introduce the serve raided CP-ABE (SA-CP-ABE) system. In this system, users can precompute an intermediate cipher text before actual encryption to improve efficiency, and stores it on its storage server. Before decryption, user can call its computing server to transform the ciphertext to the partially decrypted ciphertext. This is significant for mobile devices to save local storage resources and computational resources. Then, we propose an SA-CP-ABE scheme, and prove its security in the standard model.

Zhang Ruoqing,Hui Lucas,Yiu Sm,Yu Xiaoqi,Liu Zechao,Zoe L. Jiang

DOI: https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.259

2017-01-01

Abstract:Ciphertext-Policy Attribute-based Encryption (CP-ABE) is a useful cryptographic scheme and is being considered for cloud application as more and more users leverage cloud platforms to store and process their data. However, existing CP-ABE schemes still have a number of limitations that make it not effective to be used in a practical application. Firstly, the size of the ciphertext and the time for decryption grow with the complexity of the access formula. This efficiency issue becomes a problem when using a cloudplatform and mobile devices with limited processing capacity. Secondly, in reality, the attributes of users may be changed from time to time, or some users may eventually leave the system due to resignation. This practical concern requires a scheme with flexible and fine-grained revocation optionsupporting attribute-level changes. Lastly, traceability is also an important feature to track potential traitors who leak the partial decryption keys if ABE is used in a real scenario. None of the existing CP-ABE schemes are able to satisfy these three properties simultaneously. In this paper, we propose apractical CP-ABE that can achieve all three requirements. Our system adopts techniques on secure outsourcing of pairings to support efficient outsourcing computation and makes use of a subset cover algorithm to meet the requirements of revocation and traceability. Our scheme is proved to be a selectively replayable chosen-ciphertext attack (RCCA) secure in random oracle model. The result of our work could provide a feasible, reliable and practical CP-ABE scheme for the realistic application.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.1109/cbd.2016.041

2016-01-01

Abstract:With the development and benefits of cloud computing, nowadays more and more users outsource their data to third party cloud storage servers for ease of sharing and cost saving. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a promising tool for enabling fine-grained access control over the shared data in the cloud. However, the practical application of CP-ABE in cloud data sharing system also has its own inherent challenge to regard with user revocation. To address this challenge, the paper proposes a CP-ABE scheme which supports an effective user revocation mechanism by introducing "the essential attribute" and by considering minimally trusted proxy servers; the essential attribute must be included in both ciphertext and update-key. By excluding the revoked users from update-key (which is a part of a decryption key) and by re-encrypting the only component in ciphertexts, which is associated with the essential attribute, our scheme achieves immediate and complete user revocation mechanism in CP-ABE. The proposed scheme enables a scalable and fine-grained access control for cloud data sharing system. Our scheme provides more efficiency and security level simultaneously comparing to the existing user revocable CP-ABE scheme.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.11989/jest.1674-862x.5121616

2017-01-01

Journal of Electronic Science and Technology

Abstract:Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantages of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.

Jingwei Wang,Xinchun Yin,Jianting Ning,Geong Sen Poh

DOI: https://doi.org/10.1007/978-3-030-14234-6_26

2018-01-01

Abstract:Ciphertext policy attribute-based encryption (CP-ABE) is a promising cryptographic technology and a key component that enable secure data sharing in a cloud environment through fine-grained access control. Since it was introduced, many interesting schemes have been proposed. However, in addition to managing data sharing through access control, a comprehensive scheme should also cater for user revocation and ciphertext queries. This is because in a cloud environment new users may join while existing users may leave the system. At the same time, given the potentially large amount of data stored in a cloud storage, user should be able to retrieve the required files efficiently in a privacy-preserving manner. To address the above issue, in this paper, we propose a practical searchable CP-ABE scheme supporting user revocation. In contrast to existing schemes that provide only single keyword query, our efficient search function provides conjunctive search, which allows user to locate a ciphertext related to a set of keywords. The computation overhead of our user revocation is at least on par with existing schemes. Besides, the security analysis indicates that the proposed scheme is secure under the decisional Bilinear Diffie-Hellman assumption. We also provide extensive experimental results to confirm the efficiency and feasibility of our proposed construction.

Yuechen Chen,Zoe L. Jiang,S. M. Yiu,Joseph K. Liu,Man Ho Au,Xuan Wang

DOI: https://doi.org/10.1007/978-3-319-21966-0_20

2015-01-01

Abstract:Attribute-Based Encryption (ABE) offers fine-grained decryption policy such that users can do decryption if their attributes satisfy the policy. Such flexibility enables it applicable in various applications in government and business. However, there are two issues that should be solved first before it is deployed in practice, namely user revocation and decryption outsourcing. In this paper, we adopt the slightly modified Lewko et al.'s fully-CCA-secure Ciphertext-Policy-ABE (CP-ABE) combining with Boneh et al.'s idea of mediated cryptography to propose a CP-ABE with SEcurity Mediator (SEM) supporting immediate user revocation. At the same time, by the introduce of SEM, we intendedly outsource most of the computation workload in decryption to SEM side and leave only one exponentiation and one division at user side for decryption. It is proved fully-RCCA-CCA-secure in random oracle model.

Shida Shamsazad

2024-01-25

Abstract:In this paper, we present a novel ciphertext-policy attribute based encryption (CP-ABE) scheme that offers a flexible access structure. Our proposed scheme incorporates an access tree as its access control policy, enabling fine-grained access control over encrypted data. The security of our scheme is provable under the hardness assumption of the decisional Ring-Learning with Errors (R-LWE) problem, ensuring robust protection against unauthorized access. CP-ABE is a cryptographic technique that allows data owners to encrypt their data with access policies defined in terms of attributes. Only users possessing the required attributes can decrypt and access the encrypted data. Our scheme extends the capabilities of CP-ABE by introducing a flexible access structure based on an access tree. This structure enables more complex and customizable access policies, accommodating a wider range of real-world scenarios. To ensure the security of our scheme, we rely on the decisional R-LWE problem, a well-established hardness assumption in cryptography. By proving the security of our scheme under this assumption, we provide a strong guarantee of protection against potential attacks. Furthermore, our proposed scheme operates in the standard model, which means it does not rely on any additional assumptions or idealized cryptographic primitives. This enhances the practicality and applicability of our scheme, making it suitable for real-world deployment. We evaluate the performance and efficiency of our scheme through extensive simulations and comparisons with existing CP-ABE schemes. The results demonstrate the effectiveness and scalability of our proposed approach, highlighting its potential for secure and flexible data access control in various domains.

Cryptography and Security

Fugeng Zeng ,Chunxiang Xu ,Xinpeng Zhang

DOI: https://doi.org/10.4156/aiss.vol4.issue12.23

2012-01-01

Abstract:In the ciphertext-policy ABE (CP-ABE) schemes, attributes are associated with secret keys and access structures are associated with ciphertexts. The access structures are described with the attributes and therefore the concept of CP-ABE is closely related to Role-Based Access Control. Because it requires both of the encryptor and the key generalization center meeting the construction, it will be more difficult to design. Ibraimi et al.[7] allegedly proposed an efficient and provable secure CP-ABE schemes. They require that the simulator can not send back the private keys of attributes which overlap with challenging access attributes. We point out their fault of security proof and their requirement is a small probability event and it is unreasonable to reduce to standard DBDH assumption. However, we give a proof in the generic bilinear group model, which is weaker than DBDH assumption.

Xing Zhang,Cancan Jin,Cong Li,Zilong Wen,Qingni Shen,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-28865-9_27

2015-01-01

Abstract:To ensure the security of sensitive data, people need to encrypt them before uploading them to the public storage. Attribute-based encryption (ABE) is a promising cryptographic primitive for fine-grained sharing of encrypted data. However, ABE lacks user and authority accountability. The user can share his/her secret key without being identified, while key generation center (KGC) can generate any user’s secret key. In this paper, we propose a practical large universe ciphertext-policy ABE (CP-ABE) with user and authority accountability in the white-box model. As embedding the user’s identity information into this user’s secret key directly, the trace stage has only O(1) time overhead. The property of accountability is proved against the dishonest user and KGC in the standard model. We implement our scheme in Charm. Experiments show that CP-ABE of Rouselakis and Waters in CCS 2013 is enhanced in user and authority accountability by our method with small computational cost.

Xiong Wang,Yaping Chi,Yang Zhang

DOI: https://doi.org/10.1109/iccea50009.2020.00026

2020-01-01

Abstract:Ciphertext policy Attribute-based encryption (CPABE) plays an increasingly important role in the field of fine-grained access control for cloud storage. However, The exiting solution can not balance the issue of user identity tracking and user revocation. In this paper, we propose a CP-ABE scheme that supports association revocation and traceability. This scheme uses identity directory technology to realize single user revocation and associated user revocation, and the ciphertext re-encryption technology guarantees the forward security of revocation without updating the private key. In addition, we can accurately trace the identity of the user according to the decryption private key and effectively solve the problem of key abuse. This scheme is proved to be safe and traceable under the standard model, and can effectively control the computational and storage costs while maintaining functional advantages. It is suitable for the practical scenarios of tracking audit and user revocation.

Zhang Wei,Zhang Zhishuo,Xiong Hu,Qin Zhiguang

DOI: https://doi.org/10.1007/s12652-021-02922-6

2021-01-01

Abstract:In recent years, attribute-based encryption (ABE) provides a new idea to help researchers solving the problem of data privacy protection in cloud. But there are two issues in traditional ABE, the first issue is that the attributes in the access structures will be sent to users in cleartext together with the ciphertext. So a attacker has the opportunity to obtain some of the private information from the plaintext access structure. And the other issue is the traditional ABE scheme cannot revoke the users' illegal keys in an efficient way. To handle both of the above challenges, we come up with a large universe ciphertext-policy ABE (CP-ABE) scheme which supports partially hidden access structures (PHAS) and highly efficient key revocation at the same time in this paper. What's more, unlike most previous schemes, first our access structure is based on the expressive linear secret sharing scheme (LSSS) which supports both AND and OR gates in access formulas and second our scheme is built from the prime-order bilinear pairing groups. The comparison with other relevant works presents that our scheme is more comprehensive and efficient. Finally we rigorously prove and analyze that our scheme is selectively indistinguishable secure under chosen plaintext attacks (IND-CPA) in the random oracle model (ROM) and our access structure is really anonymous against off-line dictionary attacks.

Qingshui Xue,Chenyang Wang,Zhen Xue

DOI: https://doi.org/10.1109/iceitsa57468.2022.00054

2022-01-01

Abstract:The traditional ciphertext-policy attribute-based encryption (CP-ABE) has the problems of poor security of key distribution by a single attribute authorization center and too much calculation on the client in the process of encryption and decryption. A CP-ABE scheme that can outsource encryption and decryption and support multi-authorization centers is introduced to solve the above two problems. In the key generation stage, the user's private key is generated by the attribute authorization center and the key generation center jointly executing the two-party secure computing protocol; In the encryption and decryption stage, the cloud encryption server and cloud storage server are used to handle most of the computing work. Security proof and performance analysis show that the scheme not only can effectively make up for the defect of all key leakage when the attribute authorization center is broken, but also can enhance the security of the system; Moreover, after using the cloud server to process data, users only need to perform a simple calculation on the client to complete encryption or decryption, thus reducing the user's computing workload.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Xiaoyi Li,Kaitai Liang,Zhen Liu,Duncan Wong

DOI: https://doi.org/10.5220/0006220203090320

2016-01-01

Abstract:A Ciphertext-Policy Attribute-Based Encryption (CP-ABE) allows users to specify the access policies without having to know the identities of users. In this paper, we contribute by proposing an ABE scheme which enables revoking corrupted users. Given a key-like blackbox, our system can identify at least one of the users whose key must have been used to construct the blackbox and can revoke the key from the system. This paper extends the work of Liu and Wong to achieve traitor revocability. We construct an Augmented Revocable CP-ABE (AugR-CP-ABE) scheme, and describe its security by message-hiding and index-hiding games. Then we prove that an AugR-CP-ABE scheme with message-hiding and index-hiding properties can be transferred to a secure Revocable CP-ABE with fully collusion-resistant blackbox traceability. In the proof for index-hiding, we divide the adversary's behaviors in two ways and build direct reductions that use adversary to solve the D3DH problem. Our scheme achieves the sub-linear overhead of O(root N), where N is the number of users in the system. This scheme is highly expressive and can take any monotonic access structures as ciphertext policies.

Ruyuan Zhang,Jiguo Li,Yang Lu,Jinguang Han,Yichen Zhang

DOI: https://doi.org/10.1016/j.ins.2022.03.081

IF: 8.1

2022-07-01

Information Sciences

Abstract:There exists a key escrow issue in ciphertext-policy attribute-based encryption (CP-ABE). The key generator center issues all users' secret keys and can decrypt each ciphertext by calculating the corresponding secret key. Besides, applying CP-ABE in data sharing environment also brings another challenging problem which is users' revocation. To resolve the above issues, we provide a key escrow-free CP-ABE scheme with the user revocation, which withstands collusion attack between malicious users and revoked users. In our scheme, a secret key is calculated utilizing a secure key issuing protocol between key authority (KA) and data user (DU). KA is unable to obtain DU's secret value and generate the complete secret key independently, which solves the key escrow issue. When a user revokes from the system, the secret keys of the unrevoked users require to be updated. We introduce a group manager (GM) to update the unrevoked users' group secret keys and generate a re-encryption key. The re-encryption technology is applied to prevent the revoked users from decrypting ciphertexts. Moreover, the decryption cloud server provider (D-CSP) executes most of decryption operations to decrease computation costs. The performance analysis indicates that our scheme is practical and efficient. The security of the presented scheme is reduced to divisible computable Diffie-Hellman (DCDH) assumption.

computer science, information systems

Xingbing Fu,Fagen Li,Shengke Zeng

DOI: https://doi.org/10.14257/ijfgcn.2016.9.1.25

2016-01-01

International Journal of Future Generation Communication and Networking

Abstract:In this work, an oblivious transfer with complex access control scheme that is constructed based on ciphertext policy attribute based encryption (CP-ABE) scheme is proposed. In this scheme, the database server can enforce fine grained access control for each record where the authorized user is allowed to access, but the unauthorized user cannot, whereas it learns neither which record a user accesses, nor which attributes a user has. This scheme has the advantages as follows: First, it allows the expressive access control policies where access structures are based on linear secret sharing scheme that directly supports AND, OR and Threshold gates. Second, the communication complexity in this scheme is constant in the numbers of records which have been accessed. Third, this scheme is constructed in prime order bilinear group. Fourth, this scheme is secure in the standard model. To the best of our knowledge, this scheme is the first to obtain these features simultaneously.

Yang Zhao,Xin Xie,Xing Zhang,Yi Ding

DOI: https://doi.org/10.3934/mbe.2019211

2019-01-01

Mathematical Biosciences and Engineering

Abstract:The ciphertext policy attribute-based encryption (CP-ABE) is widely used in cloud storage. It not only provides a secure data sharing scheme but also has the characteristics of fine-grained access control. However, most CP-ABE schemes have problems such as the ciphertext length increases with the complexity of the access policy, the encryption scheme is complex, the computational efficiency is low, and the fine-grained revocation cannot be performed. In view of the above problems, this paper proposes an efficient CP-ABE scheme with fine-grained revocable storage and constant ciphertext length. The scheme combines proxy re-encryption with CP-ABE technology, adopts the flexible access strategy AND-gates on multi-valued attributes with wildcards (AND(m)*), and realizes revocable storage and fixed-length ciphertext. At the same time, in order to reduce the amount of user decryption calculation, the complex operation in the decryption process is outsourced to the third-party server and the decryption result is verified to ensure the correctness of the information. Finally, the security of the scheme is proved under the decisional bilinear Diffie-Hellman (DBDH) assumption. In addition, the performance analysis shows that the scheme is efficient and feasible in cloud storage.

Yang Zhao,Mao Ren,Songquan Jiang,Guobin Zhu,Hu Xiong

DOI: https://doi.org/10.1007/s00607-018-0637-2

2018-01-01

Computing

Abstract:As a special kind of public-key encryption, attribute-based encryption (ABE) is able to achieve fine-grained access control mechanism by offering one-to-many encryption. Due to such unique characteristic, this primitive is widely employed in the cloud computing environment to provide flexible and secure data sharing. However, how to revoke the access privilege of a user to access encrypted data stored in cloud servers is challenging. Furthermore, the complex operation of ABE may cause a huge computational cost and is usually considered to be a heavy burden for system users. Motivated by the practical needs, an ABE scheme called efficient and revocable storage CP-ABE scheme with outsourced decryption and constant-size ciphertexts and secret keys is proposed in this paper. Our scheme offers the following features: Chinese remainder theorem is utilized to achieve revocable storage. In detail, third party severs are allowed to update ciphertexts stored on them so that those revoked users cannot decrypt any ciphertexts any more. To minimize local operations, the concept of outsourced ABE system with constant-size ciphertexts and secret keys are introduced. More specifically, decryptor is able to outsource most of computing work to the outsourcing service providers. In addition, the scheme is provably secure against selectively chosen-ciphertext attack. At the end, we describe how to deploy the scheme in cloud computing environment.

Ting Guo,Abdugeni Abduxkur,Nurmamat Helil

DOI: https://doi.org/10.1049/2024/6963475

2024-06-20

IET Information Security

Abstract:Ciphertext‐policy attribute‐based encryption (CP‐ABE) is a cryptographic scheme suitable for secure data sharing on cloud storage. The CP‐ABE based on lattice theory has the property of resisting quantum attack. Some data objects uploaded to the cloud by the same data owner may cause conflicts of interest, or their combination may expose sensitive information. This paper proposes a revocable CP‐ABE scheme on the lattice, based on ring learning with error (R‐LWE) problem, to enforce access control constraints on user access to such data objects. In this scheme, first, the access policies of such data objects are amended by adding dummy attributes. Second, we control the secret key components associated with the dummy attributes or revoke the dummy attributes to prevent users from continuously accessing specific parts or all data objects from this kind of data set. Finally, we carry on the efficiency and security analysis of the scheme. The analysis results show that the scheme is efficient and safe.

computer science, information systems, theory & methods