Shucheng Yu,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/NPSEC.2008.4664879

2008-01-01

Abstract:Access control in content distribution networks (CDNs) is a long-standing problem and has attracted extensive research. Traditional centralized access control approaches, such as reference monitor based approach, do not suit for CDNs as such networks are of large scale and geographically distributed in nature. Current CDNs usually resort to cryptographic-based distributed approaches for better fulfilling the goal of access control. Hence, it is highly critical to design and adapt appropriate cryptographic primitives for such purpose. In this paper, we propose a novel distributed access control approach for CDNs by exploiting a new cryptographic primitive called Ciphertext Policy Attributed-Based Encryption (CP-ABE). Our approach provides flexible yet fine-grained access control (per file level) so that the contents are available only to the authorized users. We further consider the protection of user privacy and enhance the current design of CP-ABE so that not only the contents themselves but also the access policies, which could lead to the revelation of sensitive user information, are well protected.

Shucheng Yu,Kui Ren,Wenjing Lou,Jin Li

DOI: https://doi.org/10.1007/978-3-642-05284-2_18

2009-01-01

Abstract:Key-Policy Attribute-Based Encryption (KP-ABE) is a promising cryptographic primitive which enables fine-grained access control over sensitive data. However, key abuse attacks in KP-ABE may impede its wide application especially in copyright-sensitive systems. To defend against this kind of attacks, this paper proposes a novel KP-ABE scheme which is able to disclose any illegal key distributor's ID when key abuse is detected. In our scheme, each bit of user ID is defined as an attribute and the user secret key is associated with his unique ID. The tracing algorithm fulfills its task by tricking the pirate device into decrypting the ciphertext associated with the corresponding bits of his ID. Our proposed scheme has the salient property of black box tracing, i.e., it traces back to the illegal key distributor's ID only by observing the pirate device's outputs on certain inputs. In addition, it does not require the pirate device's secret keys to be well-formed as compared to some previous work. Our proposed scheme is provably secure under the Decisional Bilinear Diffie-Hellman (DBDH) assumption and the Decisional Linear (DL) assumption.

Tran Viet Xuan Phuong,Phuong, Tran Viet Xuan

DOI: https://doi.org/10.1007/s10623-024-01373-2

IF: 1.4

2024-04-07

Designs Codes and Cryptography

Abstract:Due to the high demands of data communication, the broadcasting system streams the data daily. This service not only sends out the message to the correct participant but also respects the security of the identity user. In addition, when delivered, all the information must be protected for the party who employs the broadcasting service. Currently, Attribute-Based Broadcast Encryption (ABBE) is useful to apply for the broadcasting service. (ABBE) is a combination of Attribute-Based Encryption (ABE) and Broadcast Encryption (BE), which allows a broadcaster (or encrypter) to broadcast an encrypted message, including a predefined user set and specified access policy to install the authorization mechanism. It is desirable to hide all the information when producing in the ciphertext, which has not been considered in the previous works of ABBE. Motivated by the above issue, we devise a solution to achieve anonymity for the ABBE scheme, which not only hides the access structures but also anonymizes the user's identity. In this work, we propose two schemes as Anonymous Key Policy (AKP)-ABBE and Anonymous Ciphertext Policy (ACP)-ABBE with supporting multiple access structures by using gates. Specifically, we present the generic constructions of AKP/ACP-ABBE on the building block of the Inner Product Encryption ( ), which enables the hidden user's identity and complex -Gate access structure. We show that our proposed schemes are secured under the standard models.

mathematics, applied,computer science, theory & methods

J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Xing Zhang,Cancan Jin,Cong Li,Zilong Wen,Qingni Shen,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-28865-9_27

2015-01-01

Abstract:To ensure the security of sensitive data, people need to encrypt them before uploading them to the public storage. Attribute-based encryption (ABE) is a promising cryptographic primitive for fine-grained sharing of encrypted data. However, ABE lacks user and authority accountability. The user can share his/her secret key without being identified, while key generation center (KGC) can generate any user’s secret key. In this paper, we propose a practical large universe ciphertext-policy ABE (CP-ABE) with user and authority accountability in the white-box model. As embedding the user’s identity information into this user’s secret key directly, the trace stage has only O(1) time overhead. The property of accountability is proved against the dishonest user and KGC in the standard model. We implement our scheme in Charm. Experiments show that CP-ABE of Rouselakis and Waters in CCS 2013 is enhanced in user and authority accountability by our method with small computational cost.

Jin Li,Kui Ren,Bo Zhu,Zhiguo Wan

DOI: https://doi.org/10.1007/978-3-642-04474-8_28

2009-01-01

Abstract:As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. To further address the concern of user access privacy, privacy-aware ABE schemes are being developed to achieve hidden access policy recently. For the purpose of secure access control, there is, how- ever, still one critical functionality missing in the existing ABE schemes, which is user accountability. Currently, no ABE scheme can completely prevent the problem of illegal key sharing among users. In this paper, we tackle this problem by firstly proposing the notion of accountable, anony- mous, and ciphertext-policy ABE (CP-A 3 BE, in short) and then giving out a concrete construction. We start by improving the state-of-the-art of anonymous CP-ABE to obtain shorter public parameters and ciphertext length. In the proposed CP-A 3 BE construction, user accountability can be achieved in black-box model by embedding additional user-specific information into the attribute private key issued to that user, while still maintaining hidden access policy. The proposed constructions are prov- ably secure.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1145/1755688.1755720

2010-01-01

Abstract:Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising cryptographic primitive for fine-grained access control of shared data. In CP-ABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. Beside this basic property, practical applications usually have other requirements. In this paper we focus on an important issue of attribute revocation which is cumbersome for CP-ABE schemes. In particular, we resolve this challenging issue by considering more practical scenarios in which semi-trustable on-line proxy servers are available. As compared to existing schemes, our proposed solution enables the authority to revoke user attributes with minimal effort. We achieve this by uniquely integrating the technique of proxy re-encryption with CP-ABE, and enable the authority to delegate most of laborious tasks to proxy servers. Formal analysis shows that our proposed scheme is provably secure against chosen ciphertext attacks. In addition, we show that our technique can also be applicable to the Key-Policy Attribute Based Encryption (KP-ABE) counterpart.

Peixuan He,Kaiping Xue,Jie Xu,Qiudong Xia,Jianqing Liu,Hao Yue

DOI: https://doi.org/10.1109/ICME.2019.00139

2019-01-01

Abstract:Nowadays, multimedia content retrieval has become the major service requirement of the Internet and the traffic of these contents has dominated the IP traffic. To reduce the duplicated traffic and improve the performance of distributing massive volumes of multimedia contents, in-network caching has been proposed recently. However, because in-network content caching can be directly utilized to respond users' requests, multimedia content retrieval is beyond content providers' control and makes it hard for them to implement access control and service accounting. In this paper, we propose an attribute-based accountable access control scheme for multimedia content distribution while making the best of in-network caching, in which content providers can be fully offline. In our scheme, the attribute-based encryption at multimedia content provider side and access policy based authentication at the edge router side jointly ensure the secure access control, which is also efficient in both space and time. Besides, secure service accounting is implemented by letting edge routers collect service credentials generated during users' request process. Through the informal security analysis, we prove the security of our scheme. Simulation results demonstrate that our scheme is efficient with acceptable overhead.

Weiqian Huo,Jisheng Pei,Ke Zhang,Xiaojun Ye

DOI: https://doi.org/10.1109/PAAP.2014.11

2014-01-01

Abstract:To allow fine-grained access control of sensitive data, researchers have proposed various types of functional encryption schemes, such as identity-based encryption, searchable encryption and attribute-based encryption. We observe that it is difficult to define some complex access policies in certain application scenarios by using these schemes individually. In this paper, we attempt to address this problem by proposing a functional encryption approach named Key-Policy Attribute-Based Encryption with Attribute Extension (KP-ABE-AE). In this approach, we utilize extended attributes to integrate various encryption schemes that support different access policies under a common top-level KP-ABE scheme, thus expanding the scope of access policies that can be defined. Theoretical analysis and experimental studies are conducted to demonstrate the applicability of the proposed KP-ABE-AE. We also present an optimization for a special application of KP-ABE-AE where IPE schemes are integrated with a KP-ABE scheme. The optimization results in an integrated scheme with better efficiency when compared to the existing encryption schemes that support the same scope of access policies.

Yingjie Xia,Wenzhi Chen,Xuejiao Liu,Luming Zhang,Xuelong Li,Yang Xiang

DOI: https://doi.org/10.1109/tits.2017.2653103

IF: 8.5

2017-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Vehicular ad-hoc networks (VANETs) have drawn much attention of researchers. The vehicles in VANETs frequently join and leave the networks, and therefore restructure the network dynamically and automatically. Forwarded messages in vehicular ad-hoc networks are primarily multimedia data, including structured data, plain text, sound, and video, which require access control with efficient privacy preservation. Ciphertext-policy attribute-based encryption (CP-ABE) is adopted to meet the requirements. However, solutions based on traditional CP-ABE suffer from challenges of the limited computational resources on-board units equipped in the vehicles, especially for the complex policies of encryption and decryption. In this paper, we propose a CP-ABE delegation scheme, which allows road side units (RSUs) to perform most of the computation, for the purpose of improving the decryption efficiency of the vehicles. By using decision tree to jointly optimize multiple factors, such as the distance from RSU, the communication and computational cost, the CP-ABE delegation scheme is adaptively activated based on the estimation of various vehicles decryption overhead. Experimental results thoroughly demonstrate that our scheme is effective and efficient for multimedia data forwarding in vehicular ad-hoc networks with privacy preservation.

Changsha Ma,Chang Wen Chen

DOI: https://doi.org/10.48550/arXiv.1511.03351

2015-11-11

Abstract:Media sharing is an extremely popular paradigm of social interaction in online social networks (OSNs) nowadays. The scalable media access control is essential to perform information sharing among users with various access privileges. In this paper, we present a multi-dimensional scalable media access control (MD-SMAC) system based on the proposed scalable ciphertext policy attribute-based encryption (SCP-ABE) algorithm. In the proposed MD-SMAC system, fine-grained access control can be performed on the media contents encoded in a multi-dimensional scalable manner based on data consumers' diverse attributes. Through security analysis, we show that the proposed MC-SMAC system is able to resist collusion attacks. Additionally, we conduct experiments to evaluate the efficiency performance of the proposed system, especially on mobile devices.

Multimedia,Cryptography and Security

Cong Li,Qingni Shen,Zhikang Xie,Jisheng Dong,Xinyu Feng,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1016/j.ins.2022.08.014

IF: 8.1

2022-01-01

Information Sciences

Abstract:Hierarchical-authority attribute-based encryption (HABE) can resolve the performance bottleneck of the key generation center in the traditional attribute-based encryption (ABE) system. HABE has numerous applications, such as cloud computing and smart grid systems. Nevertheless, almost all of the existing HABE schemes are in the ciphertext-policy setting and do not support non-monotonic access structures. In this work, we propose the first key-policy hierarchical-authority ABE with non-monotonic access structures, dubbed KP-HABE-NMaCS, which supports the authority key delegation, constant size ciphertexts and the large universe simultaneously. We further define the security model of KP-HABE-NMaCS and prove the selective security of it in the standard model. Then we optimize our scheme to realize the outsourced decryption. Subsequently, we present the detailed theoretical analysis of our constructions and the existing HABE constructions in computation and storage costs, and meanwhile implement ours and conduct a series of experiments. Both results indicate that our KP-HABE-NMaCS construction makes improvements in expressiveness and features, and achieves efficiency comparable to the previous HABE constructions. Furthermore, they also show that our extension construction is suitable for resource-limited applications. Eventually, we explore how to apply our KP-HABE-NMaCS to build an ABE with equality test and time-based authorization.

Anushree Belel,Ratna Dutta,Sourav Mukhopadhyay

DOI: https://doi.org/10.1007/s11042-024-18626-w

IF: 2.577

2024-02-29

Multimedia Tools and Applications

Abstract:With the advancement of technology, Multimedia Social Networks (MSN) have become one of the most promising platforms for managing and sharing multimedia content. The user outsources sensitive content to the Multimedia Social Networks Service Provider (MSNSP). The MSNSP accumulates data in the network, and the user can process and share content like files, audios, and videos with other users through MSN such as YouTube, Vimeo, Flicker, Google Video, Cloud Drive, and so on. Despite receiving wide attention, two main drawbacks regarding MSN platforms are user privacy and data security. Ciphertext-policy attribute-based encryption (CP-ABE) is an appealing cryptographic primitive that plays the principal role for fine-grained access control on encrypted content, thus resolving security and privacy issues smoothly. Recently, there has been a trend to design ABE schemes incorporating a variety of additional properties. In this paper, we have assimilated revocability and key-homomorphic property in ciphertext-policy attribute-based key encapsulation mechanism (CP-ABKEM). Our designs are the first to achieve these additional two properties concurrently in an attribute-based setting. We have provided two instantiations of key-homomorphic revocableCP-ABKEM - one is selective secure against chosen-plaintext attack (CPA) in the standard model under the hardness of the q-decisional bilinear Diffie-Hellman exponent (q-DBDHE) problem, while the other achieves selective CPA security in the random oracle model under the hardness of the n-multilinear decisional Diffie-Hellman (n-MDDH) problem. Furthermore, our first scheme performs better than existing similar schemes in terms of communication overhead and master secret key size. As an advanced version of CP-ABKEM, our proposal is significant and may be utilized for various privacy-preserving protocols.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Sumana Maiti,Sudip Misra,Ayan Mondal

DOI: https://doi.org/10.1109/jsyst.2024.3352809

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:This article proposes attribute-based broadcast proxy (ABP) re-encryption with coalitional game theory—a scheme to share encrypted cloud data with Internet of Things (IoT) devices. The scheme reduces the decryption costs on the receiver's side. In the case of sharing data with a subgroup of IoT devices, i.e., identities, where attributes satisfy a particular access policy, and the cardinality of IoT devices satisfying the access policy is not known to the data owner, the existing encryption techniques, such as broadcast proxy re-encryption and attribute-based encryption, cannot solve the problem. Hence, we propose the concept of attribute-based encryption in broadcast proxy re-encryption, named ABP. In ABP, we use the coalitional game theory to find the optimal coalition for minimizing the decryption cost and the total cost of the system. We prove that ABP is a selective security chosen-plaintext attack secure under the random oracle model. The performance of ABP is evaluated and compared with the existing broadcast proxy re-encryption schemes. We observe that ABP reduces the decryption cost. Furthermore, the total cost of the system is reduced using the coalitional game.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Shucheng Yu,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1016/j.comnet.2009.09.009

IF: 5.493

2009-01-01

Computer Networks

Abstract:In many applications, it is desired to dynamically establish temporary multicast groups for secure message delivery. It is also often the case that the group membership information itself is sensitive and needs to be well protected. However, existing solutions either fail to address the issue of membership anonymity or do not scale well for dynamically established groups. In this paper, we propose a highly scalable solution for dynamical multicast group setup with group membership anonymity. In the proposed solution, scalability and membership anonymity are achieved via a novel design that integrates techniques such as ciphertext-policy attribute-based encryption (CP-ABE). In our design, multicast groups are specified through group member attributes. As these attributes are potentially able to be shared by unlimited number of group members, our proposed scheme scales well. Also, high level of membership anonymity is guaranteed such that every group member knows nothing but his own group membership only. The complexity of our proposed scheme in terms of computational overhead and ciphertext size is O(n), where n is the number of attributes and independent to the group size.

Huige Wang,Yuan Zhang,Kefei Chen,Guangye Sui,Yunlei Zhao,Xinyi Huang

DOI: https://doi.org/10.1016/j.ins.2019.06.028

IF: 8.1

2019-01-01

Information Sciences

Abstract:Cloud storage services provide data owners an efficient and flexible way to share data. Among the shared data, some of them are very sensitive, and should be prevented for any leakage. Should users conventionally encrypt the data, however, flexibly sharing is lost. Public-key encryption with access control (PEAC) resolves this tension. Most of existing PEAC schemes only support the data owner to control either the parts of data to be accessed by other users (file-based PEAC), or the membership of users that access the entire data set (receiver-based PEAC). However, in reality a PEAC scheme with both file-based and receiver-based functionalities is required to ensure the efficiency, flexibility, and fine-grainess of the data sharing service. In this paper, we introduce a primitive of functional broadcast encryption (FBE). FBE is a manifestation of PEAC that enables a data owner to share a set of data files to a group of users, where only a specific subset of data files can be accessed and decrypted by a specific subgroup of users. We describe a construction for FBE based on indistinguishability obfuscation (iO). Security analysis demonstrates that the proposed scheme achieves selective IND-CCA security, and a comprehensive performance analysis shows the proposed scheme is efficient.

Liqing Chen,Jiguo Li,Yang Lu,Yichen Zhang

DOI: https://doi.org/10.1016/j.ins.2020.05.092

IF: 8.1

2020-10-01

Information Sciences

Abstract:<p>The existing public key broadcast encryption schemes are mainly constructed in identity-based cryptosystem, which bears the inherent problems of key escrow and key distribution. The certificate-based encryption mechanism can effectively address the problems in identity-based cryptosystem. Meanwhile, it simplifies the certificate revocation issue for traditional public key cryptosystem. Inspired by the idea of certificate-based encryption, we put forward the new primitive certificate-based broadcast encryption as well as its formal definition and security model. In virtue of prime order bilinear groups, we present an instantiation scheme of certificate-based broadcast encryption. To our best knowledge, the proposed scheme is the first adaptively secure scheme for certificate-based broadcast encryption in the standard model against chosen-ciphertext attack. Compared with the previous work, our scheme has advantages in the respects of computation cost as well as security properties. Furthermore, we present an application scenario of the proposed scheme for data access control in cloud storage service.</p>

computer science, information systems

Chao Yuan,Mi-xue Xu,Xueming Si,Bin Li

DOI: https://doi.org/10.1109/ICPADS.2017.00111

2017-01-01

Abstract:As a recently proposed public key primitive, attribute-base encryption(ABE) divided into Ciphertext-policy ABE (CP-ABE) and Key-policy ABE (KP-ABE) is a highly promising tool for the management and protection of data. And Blockchain, as one of the core technologies of Bitcoin that is the most representative cryptocurrency, has received extensive attentions recently. Supervision and privacy protection are two difficulties in blockchain. In this paper, a new scheme combining blockchain and accountable CP-ABE is proposed. In this scheme, each change of the data is recorded on the blockchain. And the different permissions of access are realized through ABE. If a malicious user shares a decryption key illegally, it will be considered illegal. Similarly, if the authority generates a decryption key for any unauthorized user, it also will be considered illegal. This scheme allows any third party to publicly verify the identity of a decryption key. And it is achievable for an auditor to publicly audit whether a malicious user or the authority should be responsible for an exposed decryption key, and the key abuser cannot deny it. At last this scheme is applied to the management of electronic documents.