Peng Wang,Tao Xiang,Xiaoguo Li,Hong Xiang

DOI: https://doi.org/10.1016/j.ins.2020.09.004

IF: 8.1

2021-02-01

Information Sciences

Abstract:<p>With the increasing popularity of Internet of Energy (IoE), more and more physical devices connected to IoE depend on the information system for energy control and coordination. Under this condition, how to achieve information flow control in IoE becomes a great challenge. Access control encryption (ACE) is a promising technology to address the problem. However, existing ACE requires a centralized sanitizer, hindering its successful application in IoE. In this paper, we construct a new kind of ACE without sanitizers for IoE. We first construct a basic ACE scheme based on number-theoretic assumptions (i.e., DBDH assumption), and this scheme can control not only what users can read but also what they can write. To resist against the quantum attacks, we further construct a more secure ACE scheme based on learning with errors (LWE). We formally prove that our proposed two ACE schemes are secure under the proposed security definition, and we also evaluate the applicability and the efficiency of them in experiments.</p>

computer science, information systems

Peng Jiang,Qi Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/tifs.2023.3340066

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cryptographic access control guarantees that authorized users can access data while unauthorized get nothing. Such an all-or-nothing access mode achieves secrecy but does not fit strong-privacy scenarios. FE-based access control breaks it and reaches a balance between data privacy and data utilization. To resist malicious senders, Damgard et al. introduced sanitizable functional encryption that enables a bi-directional control to both senders and receivers. However, its centralized structure means that the compromise of the authority incurs massive secret leakage and undermines the system’s reliability. In this work, we present SanIdea, a sanitizable, decentralized and privacy-preserving access control framework which embraces a sanitizer in the distributed-authority-domain access control setting. We instantiate it by proposing a cryptographic primitive named sMABE, which adds a $\mathsf {Sanitize}$ algorithm over multi-authority attribute-based encryption. We formally prove its security in the IND-CPA model and the Sanitization Security model under the DBDH assumption. We demonstrate its reasonable efficiency through algorithm simulation, where the sanitization time is less than 0.1s with the configuration of 5 attribute authorities and 25 user attributes. We design an SABC system by integrating SanIdea with the blockchain, where SABC uses a smart contract to ensure the correctness of the distributed secret key parts. We implement SABC in an Ethereum testbed and the experiment results show that the $\mathsf {upload}$ algorithm costs about 163000 user gas and the $\mathsf {download}$ algorithm costs about 84000 user gas, which is cost-reasonable.

computer science, theory & methods,engineering, electrical & electronic

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Peng Jiang,Qi Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/tifs.2024.3393391

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Access control encryption enables access control on both senders and receivers, and enhances message sanitization compared with traditionally cryptographic access control mechanisms. However, it is usually built on top of encrypted messages, which makes it difficult to identify malicious data and amplifies abusive message transmission. Message franking and source tracing mechanisms facilitate a report of abusive messages while support only plain-data moderation in end-to-end encryption. In this work, we present sMAC, a purified access control framework which supports both sanitization and moderation over the encrypted messages. It enables security of the data privacy, sender anonymity and backward security. We instantiate it by proposing a cryptographic primitive named amenable ACE, which expands the message accountability algorithm module in addition to access control encryption. We give formal security proof of amenable ACE in the standard model. The experimental results show that amenable ACE is efficient where computational costs of , , and are independent of the message size.

computer science, theory & methods,engineering, electrical & electronic

Lintao Dang,Qiang Li,Jun Wu,Jianhua Li

DOI: https://doi.org/10.1145/3199478.3199485

2018-01-01

Abstract:Access Control Encryption (ACE) is a novel cryptographic primitive that controls not only what the users in a system can read, but also what they are allowed to write. Based on the concept of partially ordered set, this paper proposes a hierarchical access control encryption scheme (HACE), which, while maintaining the three properties of ACE: Correctness, No-Read Rule and No-Write Rule, enjoys the newly defined No-Leaking Hierarchy Rule under CPA attack in the random oracle model. This rule ensures that the sanitizer cannot learn any information about the access control hierarchy. The performance evaluation shows that the HACE scheme reduces the space overhead for the parameter storage compared with the ACE scheme for multiple identities.

Jinlu Liu,Jing Qin,Wenchao Wang,Lin Mei,Huaxiong Wang

DOI: https://doi.org/10.1016/j.csi.2023.103800

IF: 3.721

2023-10-18

Computer Standards & Interfaces

Abstract:Cloud computing has become the priority for users to store and share data due to its numerous tempting advantages. The "encryption-before-outsourcing" mechanism is necessary to protect data privacy against the semi-trusted cloud server. Key-Aggregate Cryptosystem (KAC) is a novel encryption paradigm for cloud data sharing. It enables users to decrypt multiple data encrypted with different keys using a constant size aggregate key. When selectively sharing data, the KAC effectively addresses the challenges of expensive key management in symmetric encryption (SE) and eliminates the need for multiple copies of ciphertexts in public key encryption (PKE). However, previous KAC schemes can only control what data users are allowed to receive by distributing aggregate keys, but not what data users can send. This limitation could potentially allow a malicious data owner to leak sensitive information by distributing aggregate keys to unauthorized users. Therefore, this paper aims to design the key-aggregate cryptosystem with bidirectional access control, which can control both what the user can receive and what the data owner can send. Inspired by access control encryption (ACE), we first propose a key-aggregate based access control encryption with user level (KA-ACE-UL) system that can control whether a sender can share his data with a receiver. Then, we investigate a finer-grained access control policy and propose a key-aggregate based access control encryption with user-data level (KA-ACE-UDL) system that can control the data classes a sender can share with a receiver. We instantiate the KA-ACE-UL and KA-ACE-UDL schemes based on Chu et al.'s KAC scheme. We prove our proposed schemes can achieve both secure data storage and controlled data sharing, ensuring security against unauthorized receivers and malicious senders. Finally, theoretical performance analysis and practical experiments show the efficiency of our proposed schemes.

computer science, software engineering, hardware & architecture

Shuang Hu,Renjun Zhang,Fuqun Wang,Kefei Chen,Bin Lian,Gongliang Chen

DOI: https://doi.org/10.1016/j.jisa.2022.103371

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Sanitizable signcryption adds sanitization functionality to signcryption, such that a delegated sanitizer can modify a signcryptext and still derive a valid signcryptext without cooperation of the original sender. Sanitizable signcryption is useful for data sharing with authentication and access control. Existing sanitizable signcryption scheme cannot achieve public verifiability, which can prevent malicious senders or sanitizers from cheating the receivers. In order to realize public verifiability, we propose a new composition method called "Encrypt-then-Commit-then-Sign (EtCtS)". In particular, our method carefully embeds a key-exposure free chameleon hash function (also known as trapdoor commitment) between encryption and signing operations. Accordingly, we convert the sanitization operation into finding collisions in the key-exposure free chameleon hash function using the trapdoor key, and after sanitization the plaintext is still confidential to the sanitizer. Based on the EtCtS method, we construct the first sanitizable signcryption scheme that is public verifiable. We give a rigorous security proof of our scheme in the random oracle model. We also provide an implementation of our scheme for performance analysis.

Yuting Zuo,Li Xu,Jiguo Li,Jie Li,Xiaoding Wang,Md. Jalil Piran

DOI: https://doi.org/10.1109/tce.2024.3486157

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:Secure data access control is widely concerned in Cyber Physical Systems (CPSs) to protect consumer rights. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is an ideal solution that supports fine-grained access control. It is a pity that they fail to consider the attribute control and the verifiable legitimacy when consumer’s attributes are updated. Additionally, the existing revocable CP-ABE schemes are unsuitable for resource-constrained consumer electronic devices due to their high computational and storage overhead. This paper proposes a blockchain-based access control scheme with attribute update. A new revocation mechanism is designed to guarantee the forward/backward security of the attribute update. The lightweight ciphertext update protocol is proposed to optimize the computation cost. To realize secure and efficient attribute management, this paper designs the on-chain/off-chain separation storage mode, and proposes the traceability-based attribute set generation and validation algorithm. This paper performs the formal security proof. The experimental results demonstrate that the scheme is efficient in terms of encryption and decryption.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.

Hu Xiong,Qiang Wang,Jianfei Sun

DOI: https://doi.org/10.1016/j.ipl.2017.07.008

IF: 0.851

2017-01-01

Information Processing Letters

Abstract:Attribute-based encryption (ABE) with outsourced decryption not only allows fine-grained and versatile sharing of encrypted data, but also largely mitigates the decryption overhead and the ciphertext size in the standard ABE schemes. Very recently, Xu et al. (2016) [3] proposed a hybrid ciphertext-policy ABE with verifiable outsourced decryption in which the authors claimed that the correctness of the outsourced decryption can be verified by the user. Unfortunately, after carefully revisiting the scheme, we found that Xu et al.'s scheme is not secure against forgery attack, hence, a security vulnerability appears. Our proposed attack demonstrates that anyone can forge or tamper a valid ciphertext with a different message to replace the original ciphertext the user intends to decrypt.

Shengmin Xu,Xingshuo Han,Guowen Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3321314

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Cloud computing is the widespread acceptance of a promising paradigm offering a substantial amount of storage and data services on demand. To preserve data confidentiality, many cryptosystems have been introduced. However, current solutions are incompatible with the resource-constrained end-devices because of a variety of vulnerabilities in terms of practicality and security. In this article, we propose a practical and secure data-sharing system by introducing a new design of attribute-based encryption with verifiable outsourced decryption-attribute-based encryption (VO-ABE for short). Our system offers: (1) data sharing at a fine-grained level; (2) a scalable key issuing protocol without any secure channel; (3) a verifiable outsourced decryption mechanism for resource-constrained end-devices against the malicious cloud service provider; and (4) adaptive security against the real-world attacks. To formalize our solution with cryptographic analysis, we present the formal definition of VO-ABE and its concrete construction with provable security. In particular, our design leverages the techniques of the traditional ABE, verifiable outsourced decryption, and randomness extractor to support fine-grained access control, cost-effective data sharing, and security assurance with high entropy. Moreover, our design is provably secure in the adaptive model under the standard assumption, which offers a stronger security guarantee since the state-of-the-art solution is selectively secure under the non-standard assumption and suffers from a variety of real-world attacks. The implementation and evaluation demonstrate that our solution enjoys superior functionality and better performance than the relevant solutions. More importantly, our solution is compatible with the resource-constrained end-devices since the decryption mechanism takes around 1.1 ms and is 22.7x faster than the state-of-the-art solution.

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Zhishuo Zhang,Wen Huang,Lin Yang,Yongjian Liao,Shijie Zhou

DOI: https://doi.org/10.1109/jiot.2023.3268699

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Outsourced Decryption Attribute-based Encryption (OD-ABE) is emerging as a promising cryptographic tool to provide efficient fine-grained access control for data accessing and sharing in cloud-assisted Intelligent Internet of Mobile Things (IIoMT). Decryption verification is an essential property of OD-ABE to enable the mobile user to verify the precision of the decryption data. Unfortunately, the most representative verification (commitment) algorithms have various security flaws. In this paper, we first indicate that the two state-of-art key-based commitment schemes are vulnerable to “Commitment Extract(Decrypt)-then-Reuse Attack” and “Commitment Impersonation Attack” which demolish the unforgeability of the commitment. Then to cover all the existing attacks to commitment algorithms, we re-define a robuster verifiable security model for verifiable OD-ABE. Subsequently, we invent a ciphertext fingerprint (CTfp) based commitment scheme and give rigorous proof to the proposed commitment scheme including binding, hiding, unforgeability, and non-repudiation (traceability) in the random oracle. Next, we apply our CTfp-based commitment to the widely used OD-ABE schemes to provide them robuster verifiability. Finally, the theoretical comparison and simulation experiments are presented to show our new type of commitment algorithm is more secure and practical.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Ye,Yongquan Cai,Xu Zhao,Yongli Yang,Wei Wang,Yi Zhu

DOI: https://doi.org/10.1504/ijwmc.2019.097424

2019-01-01

Abstract:The CP-ABE-based access control scheme, which can better realise the access control of many-to-multi-ciphertext shared in the cloud storage architecture, is still facing the problems that the system cost is too large, and the policy attribute revocation or restore is not flexible. This paper proposes an efficient access control scheme based on CP-ABE with supporting attribute change in cloud storage system. The fine-grained access control can be achieved by re-encryption mechanism which takes the minimum shared re-encryption key for policy attribute set. And then the access structure tree is expanded by creating a corresponding virtual attribute for each leaf node attribute. The analysis results of the scheme indicate that the efficient and flexibility of the attribute change is not only improved, but also the system cost is reduced.

Cong Li,Qingni Shen,Zhikang Xie,Xinyu Feng,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1093/comjnl/bxaa075

2021-01-01

The Computer Journal

Abstract:Attribute-based encryption with equality test (ABEET) simultaneously supports fine-grained access control on the encrypted data and plaintext message equality comparison without decrypting the ciphertexts. Recently, there have been several literatures about ABEET proposed. Nevertheless, most of them explore the ABEET schemes in the random oracle model, which has been pointed out to have many defects in practicality. The only existing ABEET scheme in the standard model, proposed by Wang et al., merely achieves the indistinguishable against chosen-plaintext attack security. Considering the aforementioned problems, in this paper, we propose the first direct adaptive chosen-ciphertext security ciphertext-policy ABEET scheme in the standard model. Our method only adopts a chameleon hash function and adds one dummy attribute to the access structure. Compared with the previous works, our scheme achieves the security improvement, ciphertext validity check and large universe. Besides, we further optimize our scheme to support the outsourced decryption. Finally, we first give the detailed theoretical analysis of our constructions in computation and storage costs, then we implement our constructions and carry out a series of experiments. Both results indicate that our constructions are more efficient in Setup and Trapdoor and have the shorter public parameters than the existing ABEET ones do.

Jia-An Hong,Kaiping Xue,Li, W.

DOI: https://doi.org/10.1109/TIFS.2015.2407327

2015-01-01

Abstract:In the above paper, Yang et al. have proposed a multi-authority ciphertext-policy attribute-based encryption-based data access control for cloud storage, in which the authors claimed that the mechanism in dealing with attribute revocation could achieve both forward security and backward security. Unfortunately, our further analysis and investigation show that their work adopts a bidirectional re-encryption method in ciphertext updating, so a security vulnerability appears. Our proposed attack method demonstrates that a revoked user can still decrypt new ciphertexts that are claimed to require the new-version secret keys to decrypt.

Wu Deming,Zhang Yu,Wang Lina,Hou Jian,Xiao Lei,Chen Wei,Zhou Qing

DOI: https://doi.org/10.1049/cje.2017.11.009

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:To guarantee that electronic publications are accessible only to the authorized users via cloud, we propose an Efficient access control scheme（EACS） based on Attribute-based encryption（ABE）, which is suitable for fine-grained access control. Compared with existing stateof-the-art schemes, EACS is more practical by following functions. Considering the factor that the user membership may change frequently, EACS has the capability of coping with dynamic membership efficiently. Arbitrary-State is also supported to facilitate the system management and improve efficiency. Besides, we prove in the standard model that the security of EACS is based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of EACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results show that our proposal is efficient and practical for electronic publishing under cloud environment.

Xiong Li,Tian Liu,Chaoyang Chen,Qingfeng Cheng,Xiaosong Zhang,Neeraj Kumar

DOI: https://doi.org/10.1109/jiot.2022.3165576

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:As an extension of cloud computing, edge computing has attracted the attention of academia and industry because of its characteristics of low latency, high bandwidth, and low energy consumption. However, due to limited terminal resources and insufficient security design, the edge computing environment still faces many challenges in terms of data security and privacy protection. Among them, how to effectively control access to outsourced data is one of the main issues. In this article, we propose a lightweight and verifiable ciphertext-policy attribute-based encryption (CP-ABE)-based multiauthority access control scheme for edge computing-assisted Internet of Things (IoT), which adopts the method of outsourcing decryption to mitigate the computational cost of data users with limited resources. In addition, our scheme realizes the feature of attribute revocation, and the design of the multiauthority mechanism enables our scheme to avoid the problem of key escrow. Therefore, our proposed scheme not only ensures data confidentiality but also can resist the collusion attack. Besides, our scheme is secure against the chosen plaintext attack in the random oracle model under the decision $q$ -BDHE assumption. Finally, we compared our scheme with some related work in performance, and the results demonstrate that our scheme is efficient in computation and communication. Because our scheme greatly mitigates the overhead of data users, it is very suitable for edge computing supported IoT applications with restricted computation resources.

Zechao Liu,Zoe L. Jiang,Xuan Wang,Xinyi Huang,S. M. Yiu,Kunihiko Sadakane

DOI: https://doi.org/10.1002/cpe.3915

2016-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryIn this big data era, service providers tend to put the data in a third‐party cloud system. Social networking websites are typical examples. To protect the security and privacy of the data, data should be stored in encrypted form. This brings forth new challenges: how to allow different users to access only the authorized part of the data without decryption of the data. Attribute‐based encryption (ABE) offers fine‐grained access control policy over encrypted data such that users can decrypt successfully only if their attributes satisfy the policy. However, one drawback of ABE is that the computational cost grows linearly with the complexity of ciphertext policy or the number of attributes. The situation becomes worse for mobile devices with limited computing resources. To solve this problem, we adopt the offline/online technique combining with the verifiable outsourced computation technique to propose a new ciphertext‐policy ABE scheme using bilinear groups in prime order, supporting the offline/online key generation and encryption, as well as the verifiable outsourced decryption. As a result, most computations of key generation and encryption can be executed offline, and the majority of computational workload in decryption can be outsourced to third parties. The scheme is selectively chosen‐plaintext attack‐secure in the standard model. We also provide the proof of verifiability on outsourced decryption. The simulation results show that our proposed scheme can effectively reduce the computational cost imposed on resource‐constrained devices. Copyright © 2016 John Wiley & Sons, Ltd.