Bo Hong,Jie Chen,Kai Zhang,Haifeng Qian

DOI: https://doi.org/10.1109/access.2019.2950394

IF: 3.9

2019-01-01

IEEE Access

Abstract:The revelations of Snowden show that hardware and software of devices may corrupt users’ machine to compromise the security in various ways. To address this concern, Mironov and Stephen-Davidowitz introduce the Cryptographic Reverse Firewall (CRF) concept that is able to resist the ex-filtration of secret information for some compromised machine (Eurocrypt 2015). There are some applications of CRF deployed in many cryptosystems, but less studied and deployed in Attribute-Based Encryption (ABE) field, which attracts a wide range of attention and is employed in real-world scenarios (i.e., data sharing in cloud). In this work, we focus how to give a CRF security protection for a multi-authority ABE scheme and hence propose a multi-authority key-policy ABE scheme with CRF (acronym, MA-KP-ABE-CRF), which supports attribute distribution and non-monotonic access structure. To achieve this, beginning with revisiting a MA-KP-ABE with non-trivial combining non-monotonic formula, we then give the randomness of ciphertexts and secret keys with reverse firewall and give formal security analysis. Finally, we give a simulation on our MA-KP-ABE-CRF system based on Charm library whose the experimental results demonstrate practical efficiency.

Yinghui Zhang,Xiaofeng Chen,Jin Li,Hui Li,Fenghua Li

DOI: https://doi.org/10.1109/incos.2013.16

2013-01-01

Abstract:In attribute-based encryption (ABE) systems, the revocation issue is essential and difficult, since users may change their attributes frequently in practice and each attribute is conceivably shared by multiple users. To our knowledge, all the existing ABE schemes fail to support flexible and direct revocation due to the burdensome update of attribute secret keys and cipher texts. Aiming at tackling the challenge above, in this paper, we formalize the notion of cipher text policy ABE with flexible and direct revocation (FDR-CP-ABE), and give out a concrete construction, which supports direct attribute and user revocation and is applicable to the data sharing architecture. The proposed FDR-CP-ABE scheme outperforms the previous revocation-related methods in that it has constant-size cipher texts and only partial cipher texts need to be updated whenever revocation events occur. Furthermore, we show that our FDR-CP-ABE scheme is provably secure in the standard model and it cannot be achieved by trivial combinations of the techniques of CP-ABE and BE.

Kang Yang,Guohua Wu,Chengcheng Dong,Xingbing Fu,Fagen Li,Ting Wu

2020-01-01

Abstract:Attribute-based encryption (ABE) can be used in many cloud storage and computing applications, and it is an attractive alternative to identity-based encryption. The feature of the ABE is that it provides a flexible mechanism to achieve fine-grained access control. The revocable ABE (RABE) is an extension of the ABE. The attribute revo-cation is essential because of the factors such as changes of user’s attributes, key exposures and key loss. In this paper, we propose a revocable ciphertext policy ABE (CP-RABE) scheme from lattices, which supports flexible access control and efficient revocation. In our scheme, a binary tree with an attribute revocation list is used to re-voke attributes, and key update is logarithmically related to the number of each user attribute. Finally, the security of the scheme is proved to be selective-attribute secure in the standard model and security can be reduced to hardness of learning with error assumption.

Yinghui Zhang,Xiaofeng Chen,Jin Li,Hui Li,Fenghua Li

DOI: https://doi.org/10.3837/tiis.2014.11.021

2014-01-01

Abstract:Attribute-based encryption (ABE) is a promising cryptographic primitive for implementing fine-grained data sharing in cloud computing. However, before ABE can be widely deployed in practical cloud storage systems, a challenging issue with regard to attributes and user revocation has to be addressed. To our knowledge, most of the existing ABE schemes fail to support flexible and direct revocation owing to the burdensome update of attribute secret keys and all the ciphertexts. Aiming at tackling the challenge above, we formalize the notion of ciphertext-policy ABE supporting flexible and direct revocation (FDR-CP-ABE), and present a concrete construction. The proposed scheme supports direct attribute and user revocation. To achieve this goal, we introduce an auxiliary function to determine the ciphertexts involved in revocation events, and then only update these involved ciphertexts by adopting the technique of broadcast encryption. Furthermore, our construction is proven secure in the standard model. Theoretical analysis and experimental results indicate that FDR-CP-ABE outperforms the previous revocation-related methods.

J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Yang Zhao,Yuwei Pang,Xingyu Ke,Bintao Wang,Guobin Zhu,Mingsheng Cao

DOI: https://doi.org/10.1016/j.future.2023.04.025

IF: 7.307

2023-05-01

Future Generation Computer Systems

Abstract:Metaverse is an immersive, hyperspace virtual reality space. Due to its characteristics of hyperspace and immersive realism, metaverse has a bright future, but ubiquitous user analysis and calculation make it difficult to achieve one-to-multiple data sharing. As an innovative encryption algorithm, ciphertext-policy attribute-based encryption (CP-ABE) can realize one-to-multiple secure file sharing through fine-grained access control. Many evidences show that attackers may add backdoors to internal devices to make encryption algorithms insecure, CP-ABE also faces the above threats. In order to deal with such attacks, researchers put forward the notion of cryptographic reverse firewall (CRF), which has the ability of resistance to insider attack. However, the existing ABE scheme supporting CRF have the problems of low efficiency and no support for malicious user tracking.To improve safety and efficiency, we constructed an efficient CP-ABE scheme supporting CRF protection which has function of outsourcing decryption, offline encryption and black-box tracking.

computer science, theory & methods

Zoe L. Jiang,Ruoqing Zhang,Zechao Liu,S. M. Yiu,Lucas C. K. Hui,Xuan Wang,Junbin Fang

DOI: https://doi.org/10.1007/978-3-319-69605-8_14

2017-01-01

Abstract:Attribute-Based Encryption (ABE) is a generalized cryptographic primitive from normal public key encryption. It provides an access control mechanism over encrypted message using access policies and ascribed attributes. This scheme can solve the privacy issue when data is outsourced to cloud for storage well. However, there are some practical issues which must be fixed before ABE becomes applicable. One is that both the ciphertext size and the decryption time grows with the complexity of the access policy, which brings pressure to mobile devies. The other is that, from practical point of view, some users might be disabled for some attributes or be removed from the system. It demands on flexible revocation mechanism supporting both user and attribute granularities. In this research, we propose a solution adopting techniques on secure outsourcing of pairings to support outsourcing computation and adopting some techniques based on the tree-based scheme to solve user revocation and attribute revocation. We also give its security model and proof.

XiaoFang Huang,Qi Tao,BaoDong Qin,ZhiQin Liu

DOI: https://doi.org/10.1109/icccn.2015.7288431

2015-01-01

Abstract:Attribute Based Encryption (ABE) scheme can achieve information sharing of one-to-many users, without considering the number of users and the users identity. But, the traditional single Attribute Authority (AA) ABE scheme can hardly meet requirements of different agencies in distributed application environment and it is easy to form the system performance bottlenecks. Based on ciphertext-policy ABE scheme, this paper proposes a multi-authority revocable ABE scheme, where the classification manages user attributes, effectively relieving the management burden of single organization. In addition, it can achieve fine grained access control of shared information by adopting tree access strategy and secret sharing scheme, and support system attribute revocation. Finally, we show that the scheme is secure against chosen plaintext attack under the Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Fucai Luo,Saif Al-Kuwari,Haiyan Wang,Fuqun Wang,Kefei Chen

DOI: https://doi.org/10.1016/j.csi.2022.103698

2023-03-01

Abstract:Attribute-based encryption (ABE) is an attractive extension of public key encryption, which provides fine-grained and role-based access to encrypted data. In its key-policy flavor, the secret key is associated with an access policy and the ciphertext is marked with a set of attributes. In many practical applications, and in order to address scenarios where users become malicious or their secret keys are compromised, it is necessary to design an efficient revocation mechanism for ABE. However, prior works on revocable key-policy ABE schemes are based on classical number-theoretic assumptions, which are vulnerable to quantum attacks. In this work, we propose the first revocable key-policy ABE scheme that offers an efficient revocation mechanism while maintaining fine-grained access control to encrypted data. Our scheme is based on the learning with errors (LWE) problem, which is widely believed to be quantum-resistant. Our scheme supports polynomial-depth policy function and has short secret keys, where the size of the keys depends only on the depth of the supported policy function. Furthermore, we prove that our scheme satisfies selective revocation list security in the standard model under the LWE assumption.

computer science, software engineering, hardware & architecture

Xiaoguo Li,Guomin Yang,Tao Xiang,Shengmin Xu,Bowen Zhao,HweeHwa Pang,Robert H. Deng

DOI: https://doi.org/10.1109/sp54263.2024.00100

2024-01-01

Abstract:As an advanced one-to-many public key encryption system, attribute-based encryption (ABE) is widely believed to be a promising technology for achieving flexible and fine-grained access control of encrypted data on untrusted storage servers (e.g., public cloud servers). However, user revocation in ABE is a critical but challenging problem, and designing efficient revocable ABE has been an active research topic in the past decade. Almost all the existing revocable ABE schemes incorporate a timestamp in the encryption algorithm such that revoked users cannot decrypt ciphertexts generated in future time intervals. To prevent revoked users from decrypting past ciphertexts, the storage server needs to perform a process called ciphertext delegation (Sahai et al., CRYPTO’12) that periodically updates the timestamp for all ciphertexts. As the number of ciphertexts could be huge in a storage system, ciphertext delegation could pose a huge computation overhead to the server.Motivated by the popularity of commodity Trusted Execution Environment (TEE) technologies, this paper initiates the study on hardware-based revocable ABE (HR-ABE) to eliminate the (unscalable) ciphertext delegation and prevent collusion attacks between an untrusted storage server and revoked users. We formalize this new notion and present an efficient HR-ABE construction that also supports outsourced decryption for resource-constrained data users. Furthermore, HR-ABE is also designed to address the potential secret leakage problem suffered by TEE (e.g., due to side-channel attacks) so that the leakage of secrets possessed by TEE does not lead to leakage of user data. We prove HR-ABE’s security formally and benchmark its performance experimentally.

An-Ping Xiong,Chun-Xiang Xu,Qi-Xian Gan

DOI: https://doi.org/10.1109/ICCWAMTIP.2014.7073420

2014-01-01

Abstract:Attribute Based Encryption (CP-ABE) access control schemes has become a heated topic area in security since it is more suitable for access control mechanism. Due to the problems such that system attribute revocation is not flexible, system overhead is too big and other issues for existing CP-ABE access control schemes under cloud environment, with the limited access condition of `AND' and `OR' in an access tree, based on AB-ACER schemes, we proposed a CP-ABE scheme with system attribute revocation in Cloud storage. This scheme is based on many minimum attribute sets which shared Re-encryption keys, storage service provider re-encrypts ciphertext when a system attribute is revoked. This scheme is not only keeps security and fine-grained access control of original scheme, but also has a good flexibility and efficiency.

Hu Xiong,Xin Huang,Minghao Yang,Lili Wang,Shui Yu

DOI: https://doi.org/10.1109/jiot.2021.3094323

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:Existing attribute-based encryption (ABE) schemes with revocation to secure the cloud-assisted Internet of Things (IoTs) raise challenges, such as eliminating the need for predefined public parameters in system initialization, performing the encryption and decryption operations efficiently, and achieving adaptive security under standard security assumption. In this article, we address these challenges by proposing an unbounded and efficient revocable ABE scheme with adaptive security for cloud-assisted IoTs. Distinct from the previous approaches in this field, our scheme not only efficiently realizes access control over encrypted data in a fine-grained and revocable way but also is proved to be adaptively secure under standard decision linear assumption. Meanwhile, the parameters do not need to be predefined in the system initialization and thus, our scheme satisfies the unbounded property. Moreover, the monotonic span program (MSP) is elegantly utilized as the access structure to reduce the number of bilinear pairing and exponentiation operations for encryption and decryption. Theoretical performance analysis and experiment evaluation disclose that our proposed scheme owns outstanding feasibility, efficiency, and effectiveness.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1145/1755688.1755720

2010-01-01

Abstract:Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising cryptographic primitive for fine-grained access control of shared data. In CP-ABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. Beside this basic property, practical applications usually have other requirements. In this paper we focus on an important issue of attribute revocation which is cumbersome for CP-ABE schemes. In particular, we resolve this challenging issue by considering more practical scenarios in which semi-trustable on-line proxy servers are available. As compared to existing schemes, our proposed solution enables the authority to revoke user attributes with minimal effort. We achieve this by uniquely integrating the technique of proxy re-encryption with CP-ABE, and enable the authority to delegate most of laborious tasks to proxy servers. Formal analysis shows that our proposed scheme is provably secure against chosen ciphertext attacks. In addition, we show that our technique can also be applicable to the Key-Policy Attribute Based Encryption (KP-ABE) counterpart.

DOI: https://doi.org/10.1186/s13677-023-00414-w

2023-03-13

Journal of Cloud Computing

Abstract:Cloud file sharing (CFS) has become one of the important tools for enterprises to reduce technology operating costs and improve their competitiveness. Due to the untrustworthy cloud service provider, access control and security issues for sensitive data have been key problems to be addressed. Current solutions to these issues are largely related to the traditional public key cryptography, access control encryption or attribute-based encryption based on the bilinear mapping. The rapid technological advances in quantum algorithms and quantum computers make us consider the transition from the tradtional cryptographic primitives to the post-quantum counterparts. In response to these problems, we propose a lattice-based Ciphertext-Policy Attribute-Based Encryption(CP-ABE) scheme, which is designed based on the ring learing with error problem, so it is more efficient than that designed based on the learing with error problem. In our scheme, the indirect revocation and binary tree-based data structure are introduced to achieve efficient user revocation and dynamic management of user groups. At the same time, in order to further improve the efficiency of the scheme and realize file sharing across enterprises, the scheme also allows multiple authorities to jointly set up system parameters and manage distribute keys. Furthermore, by re-randomizing the user's private key and update key, we achieve decryption key exposure resistance(DKER) in the scheme. We provide a formal security model and a series of security experiments, which show that our scheme is secure under chosen-plaintext attacks. Experimental simulations and evaluation analyses demonstrate the high efficiency and practicality of our scheme.

Chao Ma,Haiying Gao,Bin Hu

DOI: https://doi.org/10.1007/s11227-023-05867-z

IF: 3.3

2024-02-03

The Journal of Supercomputing

Abstract:Attribute-based encryption is a new cryptographic primitive that supports fine-grained access control of cloud data, and its access control function relies on the interaction of attributes and access structures. To achieve more flexible access control, attribute revocation has become an important problem that must be considered in the application process of attribute-based encryption. We propose and implement an efficient revocable ciphertext policy attribute-based encryption scheme based on the improvement of the scheme proposed by Tomida et al. Our scheme has the following characteristics: (1) It is adaptively secure under the Matrix Decisional Diffie–Hellman assumption; (2) it supports the multi-use of attribute classes and the negation of attribute values; (3) it supports the revocation of system attributes; and (4) the update of the key and ciphertext is completed by the trusted center and the cloud server, respectively, thereby decreasing revocation overhead for users.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Qiang Li,Dengguo Feng,Liwu Zhang

DOI: https://doi.org/10.1109/GLOCOM.2012.6503225

2012-01-01

Abstract:As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. When applying ABE schemes to practical applications, revocation mechanism is very necessary for any ABE schemes involving many users. Revocation for ABE schemes is a challenge issue since each attribute is conceivably shared by multiple users. Revocation of any single user would affect others who share his attributes. In this paper, we propose a KP-ABE scheme with fine-grained attribute revocation under the direct revocation model. In our scheme, we can revoke one attribute of a user instead of all attributes issued to him and the user can complete decryption as long as the unrevoked attributes of the user satisfy the access structure. The revocation does not affect any other user's private key. Moreover, our scheme supports an important property for achieving the user accountability to prevent illegal key sharing among colluding users. We show how to construct such a KP-ABE scheme with fine-grained attribute revocation and prove its security under the q-BDHE assumption in the standard model.

Chong Wang,Hao Jin,Ronglei Wei,Ke Zhou

DOI: https://doi.org/10.1007/s11227-021-04277-3

IF: 3.3

2022-01-20

The Journal of Supercomputing

Abstract:Attribute-based encryption(ABE) can enable user-centered data sharing in untrusted cloud scenario where users usually lack control on their outsourced data. However, existing ABE schemes have intrinsic limitations on scalability and revocation efficiency due to the bottleneck of a central authority and heavy re-encryption overhead on revocations. In this paper, we present a revocable decentralized attribute-based encryption scheme for data access control in cloud storage. In particular, by integrating decentralized attribute-based encryption, key regression technique, all-or-nothing transform, revocation list for involved attributes, and blacklist in a novel way, we provide a revocable ABE scheme with practical dynamic group membership and identity privacy protection, and meanwhile, it enhances the re-encryption efficiency caused by revocations without sacrificing security. We analyzed the security of our scheme. The experimental evaluation demonstrates that the cryptographic overhead on key derivation, encryption(decryption), and ABE ciphertext update are reasonable, and for the throughput of accessing encrypted data from the cloud, our scheme outperforms other schemes.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Zechao Liu,Zoe L. Jiang,Xuan Wang,S. M. Yiu

DOI: https://doi.org/10.1016/j.jnca.2018.01.016

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:Attribute-Based Encryption (ABE) offers fine-grained access control policy over encrypted data, and thus applicable in cloud storage to provide authorized data privacy. However, there are some issues that should be solved before deploying ABE in practice. Firstly, as the heavy decryption cost grows with the complexity of access policy, an ABE with outsourcing decryption is preferred to relieve user's computation cost. Secondly, when user's attributes are altered, it is required for ABE supporting attribute revocation to change user's access privilege timely and effectively. Thirdly, in the case of access control policy changed by data owner, policy updating requirement must be met in designing ABE. Therefore, a practical ABE scheme is proposed which can solve aforementioned issues simultaneously. In order to support flexible number of attributes, our scheme also achieves large universe and multiple attribute authorities. The security and performance of the proposed scheme are discussed, followed by extensive experiments to demonstrate its effectiveness and practicability.

Peng Zhang,Zehong Chen,Kaitai Liang,Shulan Wang,Ting Wang

DOI: https://doi.org/10.1007/978-3-319-40253-6_32

2016-01-01

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) is a well-known cryptographic technology for guaranteeing data confidentiality but also fine-grained data access control. It enables data owners to define flexible access policy for cloud-based data sharing. However, the user revocation and attribute update problems existing in CP-ABE systems that are long-standing unsolved in the literature. In this paper, we propose the first access control (CP-ABE) scheme supporting user revocability and attribute update. Specifically, the user revocation is defined in the identity-based setting that does not conflict our attribute-based design. The cost brought by attribute update is efficient in the sense that we only concentrate on the update of the ciphertexts associated with the corresponding updated attribute. Moreover, the security analysis shows that the proposed scheme is secure under the decisional Bilinear DiffieHellman assumption.

Zhang Ruoqing,Hui Lucas,Yiu Sm,Yu Xiaoqi,Liu Zechao,Zoe L. Jiang

DOI: https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.259

2017-01-01

Abstract:Ciphertext-Policy Attribute-based Encryption (CP-ABE) is a useful cryptographic scheme and is being considered for cloud application as more and more users leverage cloud platforms to store and process their data. However, existing CP-ABE schemes still have a number of limitations that make it not effective to be used in a practical application. Firstly, the size of the ciphertext and the time for decryption grow with the complexity of the access formula. This efficiency issue becomes a problem when using a cloudplatform and mobile devices with limited processing capacity. Secondly, in reality, the attributes of users may be changed from time to time, or some users may eventually leave the system due to resignation. This practical concern requires a scheme with flexible and fine-grained revocation optionsupporting attribute-level changes. Lastly, traceability is also an important feature to track potential traitors who leak the partial decryption keys if ABE is used in a real scenario. None of the existing CP-ABE schemes are able to satisfy these three properties simultaneously. In this paper, we propose apractical CP-ABE that can achieve all three requirements. Our system adopts techniques on secure outsourcing of pairings to support efficient outsourcing computation and makes use of a subset cover algorithm to meet the requirements of revocation and traceability. Our scheme is proved to be a selectively replayable chosen-ciphertext attack (RCCA) secure in random oracle model. The result of our work could provide a feasible, reliable and practical CP-ABE scheme for the realistic application.