Ying He,Haiyan Wang,Yuan Li,Ke Huang,Victor C. M. Leung,F. Richard Yu,Zhong Ming

DOI: https://doi.org/10.1109/jiot.2021.3099171

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:In the last few decades, ciphertext-policy attribute-based encryption (CP-ABE) technology has attracted great interest, since it can provide fine-grained, flexible, and access control for sensitive data to implement a high secure and efficient data-sharing mechanism. In this article, based on the linear secret sharing scheme (LSSS), an efficient scheme is proposed to realize a collaborative decryption function. For any user group, when the user's attribute set cannot access the ciphertext alone, the private key of other users in the same group can be used for collaborative decryption with the permission of the data owner. Our scheme uses the LSSS matrix that can significantly reduce the computation and storage overhead when comparing with the existing schemes. Then, a multiauthorization model is created based on the Bohen–Lynn–Shacham technology in order to solve the key-management issue. Finally, we implemented the specific functions of the framework through JAVA, and built a private chain to verify the feasibility of data transfer between users.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingchi Zhang,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.2309.04125

2023-09-08

Abstract:In a traditional cloud storage system, users benefit from the convenience it provides but also take the risk of certain security and privacy issues. To ensure confidentiality while maintaining data sharing capabilities, the Ciphertext-Policy Attribute-based Encryption (CP-ABE) scheme can be used to achieve fine-grained access control in cloud services. However, existing approaches are impaired by three critical concerns: illegal authorization, key disclosure, and privacy leakage. To address these, we propose a blockchain-based data governance system that employs blockchain technology and attribute-based encryption to prevent privacy leakage and credential misuse. First, our ABE encryption system can handle multi-authority use cases while protecting identity privacy and hiding access policy, which also protects data sharing against corrupt authorities. Second, applying the Advanced Encryption Standard (AES) for data encryption makes the whole system efficient and responsive to real-world conditions. Furthermore, the encrypted data is stored in a decentralized storage system such as IPFS, which does not rely on any centralized service provider and is, therefore, resilient against single-point failures. Third, illegal authorization activity can be readily identified through the logged on-chain data. Besides the system design, we also provide security proofs to demonstrate the robustness of the proposed system.

Cryptography and Security

Ningyu Chen,Jiguo Li,Yichen Zhang,Yuyan Guo

DOI: https://doi.org/10.1109/tc.2020.3043950

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Attribute-based encryption (ABE) is a preferred technology used to access control the data stored in the cloud servers. However, in many cases, the authorized decryption user may be unable to decrypt the ciphertext in time for some reason. To be on the safe side, several alternate users are delegated to cooperate to decrypt the ciphertext, instead of one user doing that. We provide a ciphertext-policy ABE scheme with shared decryption in this article. An authorized user can recover the messages independently. At the same time, these alternate users (semi-authorized users) can work together to get the messages. We also improve the basic scheme to ensure that the semi-authorized users perform the decryption tasks honestly. An integrated access tree is used to improve the efficiency for our scheme. The new scheme is proved CPA-secure in the standard model. The experimental result shows that our scheme is very efficient on both computational overhead and storage cost.

engineering, electrical & electronic,computer science, hardware & architecture

Zhaoqian Zhang,Jianbiao Zhang,Yilin Yuan,Zheng Li

DOI: https://doi.org/10.1109/jiot.2021.3117378

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:As the public cloud becomes one of the leading ways in data-sharing nowadays, data confidentiality and user privacy are increasingly critical. Partially policy-hidden ciphertext policy attribute-based encryption (CP-ABE) can effectively protect data confidentiality while reducing privacy leakage by hiding part of the access structure. However, it cannot satisfy the need of data sharing in the public cloud with complex users and large amounts of data, both in terms of less expressive access structures and limited granularity of policy hiding. Moreover, the verification of access right to shared data and correctness of decryption are ignored or conducted by an untrusted third party, and the prime-order groups are seldom considered in the expressive policy-hidden schemes. This article proposes a fully policy-hidden CP-ABE scheme constructed on linear secret sharing scheme (LSSS) access structure and prime-order groups for public cloud data sharing. To help users decrypt, hidden vector encryption (HVE) with a "convert step" is applied, which is more compatible with CP-ABE. Meanwhile, decentralized credible verification of access right to shared data and correctness of decryption based on blockchain are also provided. We prove the security of our scheme rigorously and compare the scheme with others comprehensively. The results show that our scheme performs better.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kai Fan,Tingting Liu,Kuan Zhang,Hui Li,Yintang Yang

DOI: https://doi.org/10.1016/j.jpdc.2019.09.008

IF: 4.542

2020-01-01

Journal of Parallel and Distributed Computing

Abstract:<p>With the development of computer technology, it makes malicious users more easily get data stored in cloud. However, these data are always related to users' privacy, and it is harmful when the data are acquired by attackers. Ciphertext-policy attribute-based encryption (CP-ABE) is suitable to achieve privacy and security in cloud. In this paper, we put forward a secure and efficient outsourced computation algorithm on data sharing scheme for privacy computing. Existing schemes only outsource decryption computation to the cloud, users still have heavy burden in encryption. In order to reduce the computing burden of users, most encryption and decryption computations are outsourced to the cloud service provider in our construction. At the same time, to apply in practice, we propose efficient user and attribute revocation. Finally, the security analysis and simulation results show that our scheme is secure and efficient compared with existing schemes.</p>

computer science, theory & methods

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Chao Yuan,Mi-xue Xu,Xueming Si,Bin Li

DOI: https://doi.org/10.1109/ICPADS.2017.00111

2017-01-01

Abstract:As a recently proposed public key primitive, attribute-base encryption(ABE) divided into Ciphertext-policy ABE (CP-ABE) and Key-policy ABE (KP-ABE) is a highly promising tool for the management and protection of data. And Blockchain, as one of the core technologies of Bitcoin that is the most representative cryptocurrency, has received extensive attentions recently. Supervision and privacy protection are two difficulties in blockchain. In this paper, a new scheme combining blockchain and accountable CP-ABE is proposed. In this scheme, each change of the data is recorded on the blockchain. And the different permissions of access are realized through ABE. If a malicious user shares a decryption key illegally, it will be considered illegal. Similarly, if the authority generates a decryption key for any unauthorized user, it also will be considered illegal. This scheme allows any third party to publicly verify the identity of a decryption key. And it is achievable for an auditor to publicly audit whether a malicious user or the authority should be responsible for an exposed decryption key, and the key abuser cannot deny it. At last this scheme is applied to the management of electronic documents.

Suhui Liu,Jiguo Yu,Liquan Chen,Baobao Chai

DOI: https://doi.org/10.1109/tnsm.2022.3185237

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Public clouds have drawn increasing attention from academia and industry due to their high computational and storage performance. Attribute-based encryption (ABE) is the most promising technology to simultaneously achieve confidentiality and fine-grained access control of the cloud-stored data. However, traditional ABE that relies on centralized authority faces several key management issues, such as the key escrow, key distribution, key tracking, key update, and heavy communication and computing overhead for users, which will cause security concerns and impede its widespread application. On the other hand, blockchain technology preserves distributed ledgers to ensure the immutability and transparency of data, which can further solve the security vulnerabilities caused by system centralization. This paper proposes a blockchain-assisted transformation method to solve all the key management problems mentioned above in ciphertext-policy ABE by utilizing technologies such as secret sharing protocols. In addition, our transformation method realizes two additional benefits: outsourced decryption and efficient user revocation, which are extremely valuable for practical implementations. We simulate a demonstration by adopting the most popular permissioned blockchain, Hyperledger Fabric. The security and efficiency analysis reveals that the scheme obtained from our transformation method can achieve replayable chosen-ciphertext security with extremely efficient decryption.

computer science, information systems

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Xin Sun,Yiyang Yao,Yingjie Xia,Xuejiao Liu,Jian Chen,Zhiqiang Wang

DOI: https://doi.org/10.3837/tiis.2016.04.024

2016-01-01

Abstract:Mobile social network is becoming more and more popular with respect to the development and popularity of mobile devices and interpersonal sociality. As the amount of social data increases in a great deal and cloud computing techniques become developed, the architecture of mobile social network is evolved into cloud-based that mobile clients send data to the cloud and make data accessible from clients. The data in the cloud should be stored in a secure fashion to protect user privacy and restrict data sharing defined by users. Ciphertext-policy attribute-based encryption (CP-ABE) is currently considered to be a promising security solution for cloud-based mobile social network to encrypt the sensitive data. However, its ciphertext size and decryption time grow linearly with the attribute numbers in the access structure. In order to reduce the computing overhead held by the mobile devices, in this paper we propose a new Outsourcing decryption and Match-then-decrypt CP-ABE algorithm (OM-CP-ABE) which firstly outsources the computation-intensive bilinear pairing operations to a proxy, and secondly performs the decryption test on the attributes set matching access policy in ciphertexts. The experimental performance assessments show the security strength and efficiency of the proposed solution in terms of computation, communication, and storage. Also, our construction is proven to be replayable choosen-ciphertext attacks (RCCA) secure based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong,Nenghai Yu

DOI: https://doi.org/10.1109/tdsc.2020.2987903

2022-01-01

Abstract:Under the assumption of honest-but-curious cloud service provider, various cryptographic techniques have been used to address the issues of data access control and confidentiality in public cloud storage. Among which, attribute-based encryption (ABE) has been shown to be an attractive scheme. Although the technique of ABE brings in various benefits, its onerous overhead should not be ignored. In this article, based on an improved LSSS (linear secret sharing scheme) matrix expression integrated in CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm, we present an efficient and secure attribute-based access control scheme for the scenarios where multiple data are shared and encrypted with frequently used sub-policies. In the scheme, a user can store the parameters about a specific sub-policy in his/her first decryption, which can be reused in the subsequent data decryptions whose embedded access policies include the same sub-policy so as to significantly reduce the computation cost. Our proposed scheme is proved to be semantically secure under chosen plaintext attacks and can well preserve the confidentiality of the data sharing system. Our analysis and experimentation also show that our scheme does significantly reduce the decryption time and while trades in only very little storage overhead, and thus effectively promotes the efficiency.

Ye Lu,Tao Feng,Chunyan Liu,Wenbo Zhang

DOI: https://doi.org/10.32604/cmc.2023.046106

2024-01-01

Abstract:The Access control scheme is an effective method to protect user data privacy. The access control scheme based on blockchain and ciphertext policy attribute encryption (CP–ABE) can solve the problems of single—point of failure and lack of trust in the centralized system. However, it also brings new problems to the health information in the cloud storage environment, such as attribute leakage, low consensus efficiency, complex permission updates, and so on. This paper proposes an access control scheme with fine-grained attribute revocation, keyword search, and traceability of the attribute private key distribution process. Blockchain technology tracks the authorization of attribute private keys. The credit scoring method improves the Raft protocol in consensus efficiency. Besides, the interplanetary file system (IPFS) addresses the capacity deficit of blockchain. Under the premise of hiding policy, the research proposes a fine-grained access control method based on users, user attributes, and file structure. It optimizes the data-sharing mode. At the same time, Proxy Re-Encryption (PRE) technology is used to update the access rights. The proposed scheme proved to be secure. Comparative analysis and experimental results show that the proposed scheme has higher efficiency and more functions. It can meet the needs of medical institutions.

computer science, information systems,materials science, multidisciplinary

Zesen Hou,Jianting Ning,Xinyi Huang,Shengmin Xu,Leo Yu Zhang

DOI: https://doi.org/10.1016/j.csi.2024.103854

IF: 3.721

2024-03-21

Computer Standards & Interfaces

Abstract:Attribute-based encryption (ABE) has been widely applied in cloud services for access control. However, a large number of pairing operations required for decryption affect the wide use of ABE on lightweight devices. A general solution is to outsource the heavy computation to the cloud service provider (CSP), leaving the lighter computation to the data user. Nevertheless, it is impractical to assume that the CSP will provide free services. A recent ABE scheme with payable outsourced decryption ABEPOD (TIFS'20) provides a solution for the above payment issue. The CSP is generally untrusted, however, ABEPOD does not offer a verification mechanism for the data user to verify the correctness of the message. Moreover, the use of dual key pairs in ABEPOD incurs a significant computational overhead for data users during the key generation phase. We address the above issues by presenting a new blockchain-based verifiable outsourced attribute-based encryption system that enables data users to verify the correctness of plaintexts. We implement batch verification using homomorphic technical to optimize the verification process. We use the technique of dichotomous search to accurately locate problematic plaintexts. Additionally, we optimize three key-generation algorithms to transfer the computational cost from the data user to the key generation center. We offer the formal security models and the instantiation system with security analysis. As compared to ABEPOD , we further optimize the key-generation algorithms such that the computational overhead of transformation-key and verification-key generation for data users is reduced from O( Ω ) to O(1) and reduced by half respectively, where Ω is the number of attributes.

computer science, software engineering, hardware & architecture

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Yang Zhao,Xin Xie,Xing Zhang,Yi Ding

DOI: https://doi.org/10.3934/mbe.2019211

2019-01-01

Mathematical Biosciences and Engineering

Abstract:The ciphertext policy attribute-based encryption (CP-ABE) is widely used in cloud storage. It not only provides a secure data sharing scheme but also has the characteristics of fine-grained access control. However, most CP-ABE schemes have problems such as the ciphertext length increases with the complexity of the access policy, the encryption scheme is complex, the computational efficiency is low, and the fine-grained revocation cannot be performed. In view of the above problems, this paper proposes an efficient CP-ABE scheme with fine-grained revocable storage and constant ciphertext length. The scheme combines proxy re-encryption with CP-ABE technology, adopts the flexible access strategy AND-gates on multi-valued attributes with wildcards (AND(m)*), and realizes revocable storage and fixed-length ciphertext. At the same time, in order to reduce the amount of user decryption calculation, the complex operation in the decryption process is outsourced to the third-party server and the decryption result is verified to ensure the correctness of the information. Finally, the security of the scheme is proved under the decisional bilinear Diffie-Hellman (DBDH) assumption. In addition, the performance analysis shows that the scheme is efficient and feasible in cloud storage.

Rui Luo,Yuanzhi Yao,Weihai Li,Nenghai Yu

DOI: https://doi.org/10.1007/978-3-031-06761-7_43

2022-01-01

Abstract:Cloud storage service has significant advantages on both cost reduction and convenient data sharing. It frees data owners from technical management. However, it poses new challenges on privacy and security protection. To protect data confidentiality and privacy of users against malicious entities in the cloud, fine-grained data access control in cloud storage has become a challenging issue and draws considerable investigation. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic technique to address the above issue. In many scenarios, access policies are associated with privacy and sensitive information of users which needs to be preserved from disclosure. However, existing schemes cannot simultaneously support time-sensitive data publishing and attribute information preservation. In this paper, we propose a privacy-preserving time and attribute factors combined cloud data access control with computation outsourcing scheme (named PTAC). To preserve attribute privacy, we design a dual access policy tree mechanism where one access policy tree is public and another is sensitive and hidden. Moreover, time-sensitive data publishing can be achieved by combining CP-ABE with timed-release encryption. By using edge computing and cloud computing, we also outsource partitive computational cost of encryption and decryption to third parties. Extensive security and performance analysis demonstrate the security and efficiency of our proposed scheme in cloud storage. As a result, valuable attribute information in the access policy can be preserved in case of disclosing to unauthorized recipients.

Peng Li,Dehua Zhou,Haobin Ma,Junzuo Lai

DOI: https://doi.org/10.1016/j.sysarc.2023.103033

IF: 5.836

2023-11-27

Journal of Systems Architecture

Abstract:With the rapid development of the healthcare industry, many Electronic Health Records (EHRs) have emerged in different healthcare centers. However, lots of personal medical data are stored directly in plaintext at a single healthcare center, which makes it suffer from the single point of failure and brings many security and privacy issues such as privacy information leakage or tampering. The combination of blockchain and attributed-based cryptography can effectively solve the above problems. Therefore, in order to enable flexible fine-grained access control and efficient data retrieval while achieving privacy protection, we employ the ciphertext-policy attributed-based encryption (CP-ABE) and ciphertext-policy attribute-based searchable encryption (CP-ABSE) to propose a hidden policy attribute-based access control scheme. In addition, we combine consortium blockchain and smart contract to provide secure and reliable search and outsourcing decryption. Finally, through the security analysis and experimental results, we demonstrate that our scheme is secure and efficient.

computer science, software engineering, hardware & architecture

DOI: https://doi.org/10.1186/s13677-023-00414-w

2023-03-13

Journal of Cloud Computing

Abstract:Cloud file sharing (CFS) has become one of the important tools for enterprises to reduce technology operating costs and improve their competitiveness. Due to the untrustworthy cloud service provider, access control and security issues for sensitive data have been key problems to be addressed. Current solutions to these issues are largely related to the traditional public key cryptography, access control encryption or attribute-based encryption based on the bilinear mapping. The rapid technological advances in quantum algorithms and quantum computers make us consider the transition from the tradtional cryptographic primitives to the post-quantum counterparts. In response to these problems, we propose a lattice-based Ciphertext-Policy Attribute-Based Encryption(CP-ABE) scheme, which is designed based on the ring learing with error problem, so it is more efficient than that designed based on the learing with error problem. In our scheme, the indirect revocation and binary tree-based data structure are introduced to achieve efficient user revocation and dynamic management of user groups. At the same time, in order to further improve the efficiency of the scheme and realize file sharing across enterprises, the scheme also allows multiple authorities to jointly set up system parameters and manage distribute keys. Furthermore, by re-randomizing the user's private key and update key, we achieve decryption key exposure resistance(DKER) in the scheme. We provide a formal security model and a series of security experiments, which show that our scheme is secure under chosen-plaintext attacks. Experimental simulations and evaluation analyses demonstrate the high efficiency and practicality of our scheme.

Liang Yan,Lina Ge,Zhe Wang,Guifen Zhang,Jingya Xu,Zheng Hu

DOI: https://doi.org/10.1186/s13677-023-00444-4

2023-04-19

Journal of Cloud Computing

Abstract:With the rapid development of cloud computing technology, how to achieve secure access to cloud data has become a current research hotspot. Attribute-based encryption technology provides the feasibility to achieve the above goal. However, most of the existing solutions have high computational and trust costs. Furthermore, the fairness of access authorization and the security of data search can be difficult to guarantee. To address these issues, we propose a novel access control scheme based on blockchain and attribute-based searchable encryption in cloud environment. The proposed scheme achieves fine-grained access control with low computation consumption by implementing proxy encryption and decryption, while supporting policy hiding and attribute revocation. The encrypted file is stored in the IPFS and the metadata ciphertext is stored on the blockchain, which ensures data integrity and confidentiality. Simultaneously, the scheme enables the secure search of ciphertext keyword in an open and transparent blockchain environment. Additionally, an audit contract is designed to constrain user access behavior to dynamically manage access authorization. Security analysis proves that our scheme is resistant to chosen-plaintext attacks and keyword-guessing attacks. Theoretical analysis and experimental results show that our scheme has high computational and storage efficiency, which is more advantageous than other schemes.