YAO Wen-bin,HAN Si,LI Xiao-yong

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015211

2015-01-01

Abstract:With the convenient of storing and sharing data in cloud storage environment,the concerns about data security arised as well.To achieve data security on untrusted servers,user usually stored the encrypted data on the cloud storage environment.How to build a cipertext-based access control scheme became a pot issue.For the access control problems of ciphertext in cloud storage environment,a CP-ABE based data sharing scheme was proposed.Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party.Personal information was added in decryption key to resistant conclusion attacks at the same time.Moreover,key revocation scheme was proposed to provide the data backward secrecy.The security and implement analysis proves that proposed scheme is suit for the real application environment.

Leyou Zhang,Yilei Cui,Yi Mu

DOI: https://doi.org/10.1109/JSYST.2019.2911391

IF: 4.802

2020-01-01

IEEE Systems Journal

Abstract:Data sharing is a convenient and economic service supplied by cloud computing. Data contents privacy also emerges from it since the data is outsourced to some cloud servers. To protect the valuable and sensitive information, various techniques are used to enhance access control on the shared data. In these techniques, Ciphertext-policy attribute-based encryption (CP-ABE) can make it more convenient and secure. Traditional CP-ABE focuses on data confidentiality merely, while the user's personal privacy protection is an important issue at present. CP-ABE with hidden access policy ensures data confidentiality and guarantees that user's privacy is not revealed as well. However, most of the existing schemes are inefficient in communication overhead and computation cost. Moreover, most of those works take no consideration about authority verification or the problem of privacy leakage in authority verification phase. To tackle the problems mentioned above, a privacy preserving CP-ABE scheme with efficient authority verification is introduced in this paper. Additionally, the secret keys of it achieve constant size. Meanwhile, the proposed scheme achieves the selective security under the decisional n-BDHE problem and decisional linear assumption. The computational results confirm the merits of the presented scheme.

Huang Qinlong,Ma Zhaofeng,Yang Yixian,Fu Jingyi,Niu Xinxin

DOI: https://doi.org/10.1049/cje.2015.10.033

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Ciphertext-policy attribute-based encryption（CP-ABE） is becoming a promising solution to guarantee data security in cloud computing. In this paper,we present an attribute-based secure data sharing scheme with Efficient revocation（EABDS） in cloud computing.Our scheme first encrypts data with Data encryption key（DEK） using symmetric encryption and then encrypts DEK based on CP-ABE, which guarantees the data confidentiality and achieves fine-grained access control. In order to solve the key escrow problem in current attribute based data sharing schemes, our scheme adopts additively homomorphic encryption to generate attribute secret keys of users by attribute authority in cooperation with key server, which prevents attribute authority from accessing the data by generating attribute secret keys alone.Our scheme presents an immediate attribute revocation method that achieves both forward and backward security.The computation overhead of user is also reduced by delegating most of the decryption operations to the key server.The security and performance analysis results show that our scheme is more secure and efficient.

Ningyu Chen,Jiguo Li,Yichen Zhang,Yuyan Guo

DOI: https://doi.org/10.1109/tc.2020.3043950

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Attribute-based encryption (ABE) is a preferred technology used to access control the data stored in the cloud servers. However, in many cases, the authorized decryption user may be unable to decrypt the ciphertext in time for some reason. To be on the safe side, several alternate users are delegated to cooperate to decrypt the ciphertext, instead of one user doing that. We provide a ciphertext-policy ABE scheme with shared decryption in this article. An authorized user can recover the messages independently. At the same time, these alternate users (semi-authorized users) can work together to get the messages. We also improve the basic scheme to ensure that the semi-authorized users perform the decryption tasks honestly. An integrated access tree is used to improve the efficiency for our scheme. The new scheme is proved CPA-secure in the standard model. The experimental result shows that our scheme is very efficient on both computational overhead and storage cost.

engineering, electrical & electronic,computer science, hardware & architecture

Hong Zhong,Wenlong Zhu,Yan Xu,Jie Cui

DOI: https://doi.org/10.1007/s00500-016-2330-8

2016-01-01

Abstract:For realizing the flexible, scalable and fuzzy fine-grained access control, ciphertext policy attribute-based encryption (CP-ABE) scheme has been widely used in the cloud storage system. However, the access structure of CP-ABE scheme is outsourced to the cloud storage server, resulting in the disclosure of access policy privacy. In addition, there are multiple authorities that coexist and each authority is able to issue attributes independently in the cloud storage system. However, existing CP-ABE schemes cannot be directly applied to data access control for multi-authority cloud storage system, due to the inefficiency for user revocation. In this paper, to cope with these challenges, we propose a decentralized multi-authority CP-ABE access control scheme, which is more practical for supporting the user revocation. In addition, this scheme can protect the data privacy and the access policy privacy with policy hidden in the cloud storage system. Here, the access policy that is realized by employing the linear secret sharing scheme. Finally, the security and performance analyses demonstrate that our scheme has high security in terms of access policy privacy and efficiency in terms of computational cost of user revocation.

Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong,Nenghai Yu

DOI: https://doi.org/10.1109/tdsc.2020.2987903

2022-01-01

Abstract:Under the assumption of honest-but-curious cloud service provider, various cryptographic techniques have been used to address the issues of data access control and confidentiality in public cloud storage. Among which, attribute-based encryption (ABE) has been shown to be an attractive scheme. Although the technique of ABE brings in various benefits, its onerous overhead should not be ignored. In this article, based on an improved LSSS (linear secret sharing scheme) matrix expression integrated in CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm, we present an efficient and secure attribute-based access control scheme for the scenarios where multiple data are shared and encrypted with frequently used sub-policies. In the scheme, a user can store the parameters about a specific sub-policy in his/her first decryption, which can be reused in the subsequent data decryptions whose embedded access policies include the same sub-policy so as to significantly reduce the computation cost. Our proposed scheme is proved to be semantically secure under chosen plaintext attacks and can well preserve the confidentiality of the data sharing system. Our analysis and experimentation also show that our scheme does significantly reduce the decryption time and while trades in only very little storage overhead, and thus effectively promotes the efficiency.

Li Kang,Leyou Zhang

2020-01-01

Abstract:The huge storage space and powerful computing power make cloud servers be the best place for people to store data. However, convenience comes with the risk of data leakage as the cloud servers are not completely reliable. To ensure data confidentiality and user privacy, decentralized attribute-based encryption (ABE) can provide a solu-tion. Nevertheless, most of existing works cannot provide a complete method since there are some vulnerabilities in users’ collusion resilience and privacy protection. In this paper, a decentralized ciphertext-policy (CP) ABE scheme is proposed for the secure sharing of data. In the proposed scheme, without requiring any cooperation and knowing users’ global identifiers (GID), authorities can issue private keys for users independently through a privacy-preserving key generation protocol. Additionally, this scheme supports policy anonymity. The security of the proposed scheme is reduced to the decisional bilinear Diffie-Hellman (DBDH) assumption. Theoretical analysis and performance evaluations illustrate the efficiency of the scheme.

Jianwei Chen,Huadong Ma

DOI: https://doi.org/10.1109/CLOUD.2014.74

2014-01-01

Abstract:Along with a large amount of data being outsourced to the cloud, it is imperative to enforce a secure, efficient and privacy-aware access control scheme on the cloud. Decentralized Attribute-based Encryption (ABE) is a variant of multi-authority ABE scheme which is regarded as being more suited to access control in a large-scale cloud. Constructing a decentralized ABE scheme should not need a central Attribute Authority (AA) and any cooperative computing, where most schemes are not efficient enough. Moreover, they introduced a Global Identifier (GID) to resist the collusion attack from users, but corrupt AAs can trace a user by his GID, resulting in the leakage of the user's identity privacy. In this paper, we design a privacy-preserving decentralized access control framework for cloud storage systems, and propose a decentralized CP-ABE access control scheme with the privacy preserving secret key extraction. Our scheme does not require any central AA and coordination among multi-authorities. We adopt Pedersen commitment scheme and oblivious commitment based envelope protocols as the main cryptographic primitives to address the privacy problem, thus the users receive secret keys only for valid identity attributes while the AAs learn nothing about the attributes. Our theoretical analysis and extensive experiment demonstrate the presented scheme's security strength and effectiveness in terms of scalability, computation and storage.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.1109/cbd.2016.041

2016-01-01

Abstract:With the development and benefits of cloud computing, nowadays more and more users outsource their data to third party cloud storage servers for ease of sharing and cost saving. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a promising tool for enabling fine-grained access control over the shared data in the cloud. However, the practical application of CP-ABE in cloud data sharing system also has its own inherent challenge to regard with user revocation. To address this challenge, the paper proposes a CP-ABE scheme which supports an effective user revocation mechanism by introducing "the essential attribute" and by considering minimally trusted proxy servers; the essential attribute must be included in both ciphertext and update-key. By excluding the revoked users from update-key (which is a part of a decryption key) and by re-encrypting the only component in ciphertexts, which is associated with the essential attribute, our scheme achieves immediate and complete user revocation mechanism in CP-ABE. The proposed scheme enables a scalable and fine-grained access control for cloud data sharing system. Our scheme provides more efficiency and security level simultaneously comparing to the existing user revocable CP-ABE scheme.

Yang Chen,Wenmin Li,Fei Gao,Wei Yin,Kaitai Liang,Hua Zhang,Qiaoyan Wen

DOI: https://doi.org/10.1093/comjnl/bxz052

2019-01-01

Abstract:Online data sharing has become a research hotspot while cloud computing is getting more and more popular. As a promising encryption technique to guarantee the security shared data and to realize flexible fine-grained access control, ciphertext-policy attribute-based encryption (CP-ABE) has drawn wide attentions. However, there is a drawback preventing CP-ABE from being applied to cloud applications. In CP-ABE, the access structure is included in the ciphertext, and it may disclose user's privacy. In this paper, we find a more efficient method to connect ABE with inner product encryption and adopt several techniques to ensure the expressiveness of access structure, the efficiency and security of our scheme. We are the first to present a secure, efficient fine-grained access control scheme with hidden access structure, the access structure can be expressed as AND-gates on multi-valued attributes with wildcard. We conceal the entire attribute instead of only its values in the access structure. Besides, our scheme has obvious advantages in efficiency compared with related schemes. Our scheme can make data sharing secure and efficient, which can be verified from the analysis of security and performance.

Xin Dong,Jiadi Yu,Yuan Luo,Yingying Chen,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1016/j.cose.2013.12.002

IF: 5.105

2014-01-01

Computers & Security

Abstract:Data sharing in the cloud, fueled by favorable trends in cloud technology, is emerging as a promising technique for allowing users to conveniently access data. However, the growing number of enterprises and customers who stores their data in cloud servers is increasingly challenging users' privacy and the security of data. This paper focuses on providing a dependable and secure cloud data sharing service that allows users dynamic access to their data. In order to achieve this, we propose an effective, scalable and flexible privacy-preserving data policy with semantic security, by utilizing ciphertext policy attribute-based encryption (CP-ABE) combined with identity-based encryption (IBE) techniques. In addition to ensuring robust data sharing security, our policy succeeds in preserving the privacy of cloud users and supports efficient and secure dynamic operations including, but not limited to, file creation, user revocation and modification of user attributes. Security analysis indicates that the proposed policy is secure under the generic bilinear group model in the random oracle model and enforces fine-grained access control, full collusion resistance and backward secrecy. Furthermore, performance analysis and experimental results show that the overheads are as light as possible.

Su Huang,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1263

2014-01-01

Abstract:Cloud storage services enable users to remotely store their data and conveniently share their information. One critical issue is how to achieve data security and realize data access policy in cloud storage services. Existing schemes based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve secure access control for outsourced data in cloud computing. However, due to the inefficiency of decryption and the inflexibility, most of these schemes are not suitable to realize distributed access control for cloud storage systems. In this paper, we propose a fully distributed, scalable and effective data access control scheme to encrypt and decrypt data, which bases on the lowest density maximum distance separable (LD-MDS) code.The introduction of the LD-MDS code in this field improves performance greatly in decryption stage. Security analysis indicates that the proposed scheme is secure and achieves fine-grained access control, collusion resistant, backward security and forward security simultaneously. Extensive performance analysis and experiment show that our scheme is much more efficient than existing CP-ABE system in cloud storage services.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.

Tao Ye,Yongquan Cai,Xu Zhao,Yongli Yang,Wei Wang,Yi Zhu

DOI: https://doi.org/10.1504/ijwmc.2019.097424

2019-01-01

Abstract:The CP-ABE-based access control scheme, which can better realise the access control of many-to-multi-ciphertext shared in the cloud storage architecture, is still facing the problems that the system cost is too large, and the policy attribute revocation or restore is not flexible. This paper proposes an efficient access control scheme based on CP-ABE with supporting attribute change in cloud storage system. The fine-grained access control can be achieved by re-encryption mechanism which takes the minimum shared re-encryption key for policy attribute set. And then the access structure tree is expanded by creating a corresponding virtual attribute for each leaf node attribute. The analysis results of the scheme indicate that the efficient and flexibility of the attribute change is not only improved, but also the system cost is reduced.

Anping Xiong,Chunxiang Xu

DOI: https://doi.org/10.1080/10798587.2015.1095488

2015-01-01

Abstract:Ciphertext Policy Attribute-Based Encryption ( CP-ABE) has been widely studied in recent years because it is more suitable for access control of shared data under cloud storage environment. In view of problems of flexibility and efficiency of the existing encryption schemes under cloud storage environment, combined with digital envelopes technology, the paper puts forward an optimized scheme based on supporting fine-grained access control. The scheme has the following advantages: Adopting digital envelopes technology, reducing the computational overhead of Data Owner significantly on the basis of the ensuring data confidentiality, using proxy re-encryption technology to realize the support of user and attribute revocation flexibly, furthermore, the backward and forward secrecy also have been ensured. Adopting security protocols to distribute the shared keys between users and cloud storage server, cloud storage server can save the overhead in maintenance of a large user key's tree. Security and performance analysis show that Cloud storage access control scheme of ciphertext algorithm based on digital envelope can ensure the confidentiality of data, resist collusion attack with forward and backward security, and also reduce the calculation works of the user owners and accessing users.

Yinghui Zhang,Dong Zheng,Xiaofeng Chen,Jin Li,Hui Li

DOI: https://doi.org/10.1016/j.pmcj.2015.06.009

IF: 3.848

2016-01-01

Pervasive and Mobile Computing

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) is extremely suitable for cloud computing environment in that it enables data owners to make and enforce access policies themselves. However, most of existing CP-ABE schemes suffer severe efficiency drawbacks due to large ciphertext size and computation cost, and hence are not suitable for mobile clouds, where users are usually resource-limited. In this paper, we first present a generic attribute-based data sharing system based on a hybrid mechanism of CP-ABE and a symmetric encryption scheme. Then, we propose a CP-ABE scheme which features constant computation cost and constant-size ciphertexts. The proposed CP-ABE scheme is proven selective-secure in the random oracle model under the decision n -BDHE assumption, where n represents the total number of attributes in universe. It can efficiently support AND-gate access policies with multiple attribute values and wildcards. Theoretical analysis and experimental results indicate that the proposed scheme is extremely suitable for data sharing in mobile clouds.

Zhan-bin LIU,Hong LIU,Yi-mang HUO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.07.011

2014-01-01

Abstract:Cloud computing provides an emerging data interactive paradigm, and realizes users’ data remote storage, sharing and computing. Due to the system complexity, network openness, resource concentration, and data sensitivity, the process of the user accessing the cloud server is suffering from severe security threats, which make that the cloud data protection becomes an important issue. This work first introduces the system components, trust model, and attack model, and proposes a ciphertext-policy attribute based encryption (CP-ABE) based data access control protocol to achieve data protection. The proposed protocol applies the semi-group property of Chebyshev chaotic map for authentication, and adopts lightweight CP-ABE scheme for authorization. Meanwhile, the security mechanisms including authentication, access control, and forward security are applied to achieve user identification and data access control. According to the storage requirement analysis, the protocol owns fixed storage requirements in the attribute set and key, avoiding the linear growth of massive data interaction. It turns out that the protocol is secure, reliable and flexible for the large-scale data interactions in the cloud environments.

Shulan Wang,Junwei Zhou,Joseph K. Liu,Jianping Yu,Jianyong Chen,Weixin Xie

DOI: https://doi.org/10.1109/tifs.2016.2523941

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) has been a preferred encryption technology to solve the challenging problem of secure data sharing in cloud computing. The shared data files generally have the characteristic of multilevel hierarchy, particularly in the area of healthcare and the military. However, the hierarchy structure of shared files has not been explored in CP-ABE. In this paper, an efficient file hierarchy attribute-based encryption scheme is proposed in cloud computing. The layered access structures are integrated into a single access structure, and then, the hierarchical files are encrypted with the integrated access structure. The ciphertext components related to attributes could be shared by the files. Therefore, both ciphertext storage and time cost of encryption are saved. Moreover, the proposed scheme is proved to be secure under the standard assumption. Experimental simulation shows that the proposed scheme is highly efficient in terms of encryption and decryption. With the number of the files increasing, the advantages of our scheme become more and more conspicuous.