Chao Yuan,Mi-xue Xu,Xueming Si,Bin Li

DOI: https://doi.org/10.1109/ICPADS.2017.00111

2017-01-01

Abstract:As a recently proposed public key primitive, attribute-base encryption(ABE) divided into Ciphertext-policy ABE (CP-ABE) and Key-policy ABE (KP-ABE) is a highly promising tool for the management and protection of data. And Blockchain, as one of the core technologies of Bitcoin that is the most representative cryptocurrency, has received extensive attentions recently. Supervision and privacy protection are two difficulties in blockchain. In this paper, a new scheme combining blockchain and accountable CP-ABE is proposed. In this scheme, each change of the data is recorded on the blockchain. And the different permissions of access are realized through ABE. If a malicious user shares a decryption key illegally, it will be considered illegal. Similarly, if the authority generates a decryption key for any unauthorized user, it also will be considered illegal. This scheme allows any third party to publicly verify the identity of a decryption key. And it is achievable for an auditor to publicly audit whether a malicious user or the authority should be responsible for an exposed decryption key, and the key abuser cannot deny it. At last this scheme is applied to the management of electronic documents.

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Jingchi Zhang,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.2309.04125

2023-09-08

Abstract:In a traditional cloud storage system, users benefit from the convenience it provides but also take the risk of certain security and privacy issues. To ensure confidentiality while maintaining data sharing capabilities, the Ciphertext-Policy Attribute-based Encryption (CP-ABE) scheme can be used to achieve fine-grained access control in cloud services. However, existing approaches are impaired by three critical concerns: illegal authorization, key disclosure, and privacy leakage. To address these, we propose a blockchain-based data governance system that employs blockchain technology and attribute-based encryption to prevent privacy leakage and credential misuse. First, our ABE encryption system can handle multi-authority use cases while protecting identity privacy and hiding access policy, which also protects data sharing against corrupt authorities. Second, applying the Advanced Encryption Standard (AES) for data encryption makes the whole system efficient and responsive to real-world conditions. Furthermore, the encrypted data is stored in a decentralized storage system such as IPFS, which does not rely on any centralized service provider and is, therefore, resilient against single-point failures. Third, illegal authorization activity can be readily identified through the logged on-chain data. Besides the system design, we also provide security proofs to demonstrate the robustness of the proposed system.

Cryptography and Security

Zhaoqian Zhang,Jianbiao Zhang,Yilin Yuan,Zheng Li

DOI: https://doi.org/10.1109/jiot.2021.3117378

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:As the public cloud becomes one of the leading ways in data-sharing nowadays, data confidentiality and user privacy are increasingly critical. Partially policy-hidden ciphertext policy attribute-based encryption (CP-ABE) can effectively protect data confidentiality while reducing privacy leakage by hiding part of the access structure. However, it cannot satisfy the need of data sharing in the public cloud with complex users and large amounts of data, both in terms of less expressive access structures and limited granularity of policy hiding. Moreover, the verification of access right to shared data and correctness of decryption are ignored or conducted by an untrusted third party, and the prime-order groups are seldom considered in the expressive policy-hidden schemes. This article proposes a fully policy-hidden CP-ABE scheme constructed on linear secret sharing scheme (LSSS) access structure and prime-order groups for public cloud data sharing. To help users decrypt, hidden vector encryption (HVE) with a "convert step" is applied, which is more compatible with CP-ABE. Meanwhile, decentralized credible verification of access right to shared data and correctness of decryption based on blockchain are also provided. We prove the security of our scheme rigorously and compare the scheme with others comprehensively. The results show that our scheme performs better.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhixin Ren,Enhua Yan,Taowei Chen,Yimin Yu

DOI: https://doi.org/10.1016/j.jksuci.2024.101969

IF: 9.006

2024-03-02

Journal of King Saud University - Computer and Information Sciences

Abstract:Nowadays, the integration of blockchain technology with Ciphertext-Policy Attribute-Based Encryption (CP-ABE) has drawn the researcher attention because it can provide key security auditing and transaction traceability in the context of data sharing. However, in a majority of existing blockchain-based CP-ABE schemes, private keys were still issued by one central authority that would lead to heavy computation, higher transaction costs, and restricted scalability within the decentralized system. To address these challenges, we present an enhancement approach towards utilizing distributed key management service (KMS) and zero-knowledge paradigms. In our improved novel blockchain system model, we define two types of blockchain nodes for the CP-ABE scheme through staking mechanism. Firstly, the proxy re-encryption nodes are introduced to offer secure multi-party management and distribution of the CP-ABE's master secret key, eliminating dependence on a central authority and producing proofs of re-encryption correctness. Secondly, the operator nodes can collect all transactional information in blockchain-based CP-ABE scheme and then send the Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARKs) proofs to verify the batch's integrity via smart contract. Subsequently, we employ the staking economic incentive model with reward determination and slashing in the decentralized blockchain system to ensure network security. Finally, simulation results validate the effectiveness of our proposed scheme in achieving secure and efficient data sharing. Even amidst the pressure of 100 simultaneous transactions, the average response time for a single node remains at an approximate 28 s. Additionally, there is a notable decrease in on-chain gas consumption, with a gas reduction exceeding 61%. Comparative analyses further indicate that our blockchain-based CP-ABE scheme, in conjunction with a decentralized KMS, offers a superior balance between computational efficiency and functional capability.

computer science, information systems

Ye Lu,Tao Feng,Chunyan Liu,Wenbo Zhang

DOI: https://doi.org/10.32604/cmc.2023.046106

2024-01-01

Abstract:The Access control scheme is an effective method to protect user data privacy. The access control scheme based on blockchain and ciphertext policy attribute encryption (CP–ABE) can solve the problems of single—point of failure and lack of trust in the centralized system. However, it also brings new problems to the health information in the cloud storage environment, such as attribute leakage, low consensus efficiency, complex permission updates, and so on. This paper proposes an access control scheme with fine-grained attribute revocation, keyword search, and traceability of the attribute private key distribution process. Blockchain technology tracks the authorization of attribute private keys. The credit scoring method improves the Raft protocol in consensus efficiency. Besides, the interplanetary file system (IPFS) addresses the capacity deficit of blockchain. Under the premise of hiding policy, the research proposes a fine-grained access control method based on users, user attributes, and file structure. It optimizes the data-sharing mode. At the same time, Proxy Re-Encryption (PRE) technology is used to update the access rights. The proposed scheme proved to be secure. Comparative analysis and experimental results show that the proposed scheme has higher efficiency and more functions. It can meet the needs of medical institutions.

computer science, information systems,materials science, multidisciplinary

Ying He,Haiyan Wang,Yuan Li,Ke Huang,Victor C. M. Leung,F. Richard Yu,Zhong Ming

DOI: https://doi.org/10.1109/jiot.2021.3099171

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:In the last few decades, ciphertext-policy attribute-based encryption (CP-ABE) technology has attracted great interest, since it can provide fine-grained, flexible, and access control for sensitive data to implement a high secure and efficient data-sharing mechanism. In this article, based on the linear secret sharing scheme (LSSS), an efficient scheme is proposed to realize a collaborative decryption function. For any user group, when the user's attribute set cannot access the ciphertext alone, the private key of other users in the same group can be used for collaborative decryption with the permission of the data owner. Our scheme uses the LSSS matrix that can significantly reduce the computation and storage overhead when comparing with the existing schemes. Then, a multiauthorization model is created based on the Bohen–Lynn–Shacham technology in order to solve the key-management issue. Finally, we implemented the specific functions of the framework through JAVA, and built a private chain to verify the feasibility of data transfer between users.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zesen Hou,Jianting Ning,Xinyi Huang,Shengmin Xu,Leo Yu Zhang

DOI: https://doi.org/10.1016/j.csi.2024.103854

IF: 3.721

2024-03-21

Computer Standards & Interfaces

Abstract:Attribute-based encryption (ABE) has been widely applied in cloud services for access control. However, a large number of pairing operations required for decryption affect the wide use of ABE on lightweight devices. A general solution is to outsource the heavy computation to the cloud service provider (CSP), leaving the lighter computation to the data user. Nevertheless, it is impractical to assume that the CSP will provide free services. A recent ABE scheme with payable outsourced decryption ABEPOD (TIFS'20) provides a solution for the above payment issue. The CSP is generally untrusted, however, ABEPOD does not offer a verification mechanism for the data user to verify the correctness of the message. Moreover, the use of dual key pairs in ABEPOD incurs a significant computational overhead for data users during the key generation phase. We address the above issues by presenting a new blockchain-based verifiable outsourced attribute-based encryption system that enables data users to verify the correctness of plaintexts. We implement batch verification using homomorphic technical to optimize the verification process. We use the technique of dichotomous search to accurately locate problematic plaintexts. Additionally, we optimize three key-generation algorithms to transfer the computational cost from the data user to the key generation center. We offer the formal security models and the instantiation system with security analysis. As compared to ABEPOD , we further optimize the key-generation algorithms such that the computational overhead of transformation-key and verification-key generation for data users is reduced from O( Ω ) to O(1) and reduced by half respectively, where Ω is the number of attributes.

computer science, software engineering, hardware & architecture

Ningyu Chen,Jiguo Li,Yichen Zhang,Yuyan Guo

DOI: https://doi.org/10.1109/tc.2020.3043950

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Attribute-based encryption (ABE) is a preferred technology used to access control the data stored in the cloud servers. However, in many cases, the authorized decryption user may be unable to decrypt the ciphertext in time for some reason. To be on the safe side, several alternate users are delegated to cooperate to decrypt the ciphertext, instead of one user doing that. We provide a ciphertext-policy ABE scheme with shared decryption in this article. An authorized user can recover the messages independently. At the same time, these alternate users (semi-authorized users) can work together to get the messages. We also improve the basic scheme to ensure that the semi-authorized users perform the decryption tasks honestly. An integrated access tree is used to improve the efficiency for our scheme. The new scheme is proved CPA-secure in the standard model. The experimental result shows that our scheme is very efficient on both computational overhead and storage cost.

engineering, electrical & electronic,computer science, hardware & architecture

Xiaohui Yang,Wenjie Li,Kai Fan

DOI: https://doi.org/10.1007/s12083-022-01387-4

2022-09-25

Abstract:With the development of digital healthcare, sharing electronic medical record data has become an indispensable part of improving medical conditions. Aiming at the centralized power caused by the single attribute authority in current CP-ABE schemes and the problem that cloud servers are curious and even malicious, we design a revocable CP-ABE EHR sharing scheme with multiple authorities (MA-RABE) in blockchain. In this solution, a group of authorities complete user attribute distribution, key generation and user management through secret sharing and transactions. Besides, we innovatively implemented a distributed one-way anonymous key agreement so that other participants cannot obtain useful information from the fully hidden policy embedded in the ciphertext. Taking into account the computational overhead of a large number of bilinear operations in the decryption process, the solution also supports the cloud server to pre-decrypt the ciphertext, and the data user only needs to perform exponentiation operation once to obtain the plaintext from the pre-decryption result. Theoretical analysis and performance evaluation show that the scheme has reliable security and lower user revocation and ciphertext update overhead.

computer science, information systems,telecommunications

DOI: https://doi.org/10.1186/s13677-023-00414-w

2023-03-13

Journal of Cloud Computing

Abstract:Cloud file sharing (CFS) has become one of the important tools for enterprises to reduce technology operating costs and improve their competitiveness. Due to the untrustworthy cloud service provider, access control and security issues for sensitive data have been key problems to be addressed. Current solutions to these issues are largely related to the traditional public key cryptography, access control encryption or attribute-based encryption based on the bilinear mapping. The rapid technological advances in quantum algorithms and quantum computers make us consider the transition from the tradtional cryptographic primitives to the post-quantum counterparts. In response to these problems, we propose a lattice-based Ciphertext-Policy Attribute-Based Encryption(CP-ABE) scheme, which is designed based on the ring learing with error problem, so it is more efficient than that designed based on the learing with error problem. In our scheme, the indirect revocation and binary tree-based data structure are introduced to achieve efficient user revocation and dynamic management of user groups. At the same time, in order to further improve the efficiency of the scheme and realize file sharing across enterprises, the scheme also allows multiple authorities to jointly set up system parameters and manage distribute keys. Furthermore, by re-randomizing the user's private key and update key, we achieve decryption key exposure resistance(DKER) in the scheme. We provide a formal security model and a series of security experiments, which show that our scheme is secure under chosen-plaintext attacks. Experimental simulations and evaluation analyses demonstrate the high efficiency and practicality of our scheme.

Yang Zhao,Xin Xie,Xing Zhang,Yi Ding

DOI: https://doi.org/10.3934/mbe.2019211

2019-01-01

Mathematical Biosciences and Engineering

Abstract:The ciphertext policy attribute-based encryption (CP-ABE) is widely used in cloud storage. It not only provides a secure data sharing scheme but also has the characteristics of fine-grained access control. However, most CP-ABE schemes have problems such as the ciphertext length increases with the complexity of the access policy, the encryption scheme is complex, the computational efficiency is low, and the fine-grained revocation cannot be performed. In view of the above problems, this paper proposes an efficient CP-ABE scheme with fine-grained revocable storage and constant ciphertext length. The scheme combines proxy re-encryption with CP-ABE technology, adopts the flexible access strategy AND-gates on multi-valued attributes with wildcards (AND(m)*), and realizes revocable storage and fixed-length ciphertext. At the same time, in order to reduce the amount of user decryption calculation, the complex operation in the decryption process is outsourced to the third-party server and the decryption result is verified to ensure the correctness of the information. Finally, the security of the scheme is proved under the decisional bilinear Diffie-Hellman (DBDH) assumption. In addition, the performance analysis shows that the scheme is efficient and feasible in cloud storage.

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Suhui Liu,Jiguo Yu,Yinhao Xiao,Zhiguo Wan,Shengling Wang,Biwei Yan

DOI: https://doi.org/10.1109/jiot.2020.2993231

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) changed our lives with huge amounts of data production. Due to source-limited IoT devices, one of the best ways to process the data is cloud storage. However, a series of security and privacy issues arise, such as illegal data access, data tampering, and privacy leak. Though symmetric encryption can guarantee data confidentiality, it cannot realize fine-grained data sharing and searching. The keyword-based searchable attribute-based encryption (KSABE) can achieve data confidentiality and fine-grained access control. More importantly, it realizes a keyword-based search for data users. However, the heavy decryption computation burden and the management of massive user keys appear when implementing attribute-based encryption schemes to IoT. Therefore, this article proposes a blockchain-aided searchable attribute-based encryption (BC-SABE) with efficient revocation and decryption, where the traditional centralized server is replaced with a decentralized blockchain system being in charge of the threshold parameter generation, key management, and user revocation. All revocation tasks are done by the blockchain and it is on longer necessary for ciphertext reencryption and key update. Moreover, users utilize the coalition blockchain to generate partial tokens. Besides, the cloud server contained in our scheme not only stores the massive encrypted data but also performs search and predecryption for users who only require one exponentiation in the group ${mathbb {G}}$ to decrypt fully. Security analyses prove that our scheme realizes the security under the chosen plaintext attack and the chosen keyword attack. Simulations show that the decryption and token generation cost of our scheme are preferable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Meikang Qiu,Han Qiu,Hui Zhao,Meiqin Liu,Bhavani Thuraisingham

DOI: https://doi.org/10.1109/SmartBlock52591.2020.00010

2020-01-01

Abstract:With the rapid development of cloud technology and the huge amount of big data generation, outsourcing data storage to a cloud service provider is an efficient solution. The challenges on the trustworthiness of cloud providers are urgent to be solved due to many security and privacy violation incidents in recent years. Some enhanced data protection methods such as All-Or-Nothing Transformation (AONT) are proposed to provide additional protection on data security. However, the key management and access revocation operations will become a difficult task and the key manager will be vulnerable. In this paper, we propose to use the scalable consortium blockchain system to solve the key management for the AON-based data protection and outsourcing in the multi-clouds scenario. We propose a model that can provide secure data sharing through untrusted clouds with the key management provided by the consortium blockchain system as a service. We also provide practical case studies for using the novel AON data approaches to protect data security and tamper-proofing on key management.

Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong,Nenghai Yu

DOI: https://doi.org/10.1109/tdsc.2020.2987903

2022-01-01

Abstract:Under the assumption of honest-but-curious cloud service provider, various cryptographic techniques have been used to address the issues of data access control and confidentiality in public cloud storage. Among which, attribute-based encryption (ABE) has been shown to be an attractive scheme. Although the technique of ABE brings in various benefits, its onerous overhead should not be ignored. In this article, based on an improved LSSS (linear secret sharing scheme) matrix expression integrated in CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm, we present an efficient and secure attribute-based access control scheme for the scenarios where multiple data are shared and encrypted with frequently used sub-policies. In the scheme, a user can store the parameters about a specific sub-policy in his/her first decryption, which can be reused in the subsequent data decryptions whose embedded access policies include the same sub-policy so as to significantly reduce the computation cost. Our proposed scheme is proved to be semantically secure under chosen plaintext attacks and can well preserve the confidentiality of the data sharing system. Our analysis and experimentation also show that our scheme does significantly reduce the decryption time and while trades in only very little storage overhead, and thus effectively promotes the efficiency.

Jian Jiang,Yulong Gao,Yufei Gong,Zhengtao Jiang

DOI: https://doi.org/10.3390/s24144493

2024-07-11

Abstract:Although the copyright protection schemes supported by blockchain have significantly changed traditional copyright data management, there are still some data security challenges that cannot be ignored, especially the secure access and controllable management of copyright data. Quantum computing attacks also pose a threat to its security. Targeting these issues, we design and propose a blockchain copyright protection scheme based on attribute-based encryption (ABE). In this scheme, the security advantages of blockchain technology are utilized to ensure the authenticity and integrity of copyright data. Based on lattice cryptography and the decision ring learning with errors (R-LWE) problem, a new ABE algorithm that supports searchable ciphertext and policy updates is designed. Then, we introduce it into the blockchain copyright protection scheme, which enables secure access to copyright data and fine-grained control. In addition, the lattice cryptography can strengthen this scheme against quantum attacks. Through security analysis, our scheme can prove to be secure against adaptive chosen keyword attacks, selective chosen plaintext attacks, and adaptive chosen policy attacks in the random oracle model. More importantly, the comparison analysis and experimental results show that our proposed approach has lower computation costs and storage costs. Therefore, our scheme has better security and performance in copyright protection.

Chong Wang,Hao Jin,Ronglei Wei,Ke Zhou

DOI: https://doi.org/10.1007/s11227-021-04277-3

IF: 3.3

2022-01-20

The Journal of Supercomputing

Abstract:Attribute-based encryption(ABE) can enable user-centered data sharing in untrusted cloud scenario where users usually lack control on their outsourced data. However, existing ABE schemes have intrinsic limitations on scalability and revocation efficiency due to the bottleneck of a central authority and heavy re-encryption overhead on revocations. In this paper, we present a revocable decentralized attribute-based encryption scheme for data access control in cloud storage. In particular, by integrating decentralized attribute-based encryption, key regression technique, all-or-nothing transform, revocation list for involved attributes, and blacklist in a novel way, we provide a revocable ABE scheme with practical dynamic group membership and identity privacy protection, and meanwhile, it enhances the re-encryption efficiency caused by revocations without sacrificing security. We analyzed the security of our scheme. The experimental evaluation demonstrates that the cryptographic overhead on key derivation, encryption(decryption), and ABE ciphertext update are reasonable, and for the throughput of accessing encrypted data from the cloud, our scheme outperforms other schemes.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.ins.2020.12.035

IF: 8.1

2021-01-01

Information Sciences

Abstract:Attribute-based encryption (ABE) is considered to be one of the most suitable schemes for cryptographic access control in the big data environment. But it still faces many challenges to be applied in the Internet of Things (IoT). ABE is implemented based on bilinear pairing, which is considered to be an expensive operation. However, there are lots of IoT devices with constrained resources. Proxy re-encryption methods based on the cloud are proposed to reduce computing overhead on the user side, but an untrusted cloud may give incorrect computing results to mislead users. To solve this problem, an access control scheme with lightweight decryption based on ABE and blockchain technologies is proposed. We assume that the cloud is untrusted, and guarantee the accuracy of proxy re-encryption calculation based on blockchain. In addition, how to encourage users to obtain authorization through blockchain and record access behavior on the blockchain is a problem worthy of attention. This paper proposes a user credibility incentive mechanism, which calculates the user's credibility according to the user's access behavior and gives a reputation score, so as to dynamically adjust the endorsement protocol. Security analysis and experimental results show that the proposed method is reliable and efficient. (C) 2020 Elsevier Inc. All rights reserved.