Existing Attribute-based Encryption Schemes Research Articles

Policy-driven Data Sharing over Attribute-Based Encryption supporting Dual Membership

Attribute-Based Encryption (ABE) plays an important role in current secure data sharing through fine-grained customizable policies. However, the existing ABE schemes only support simple predicates, = and ≠, but cannot express a more general membership predicates, ∈ and ∉, in policies. The low expressivity of ABE will enlarge the ciphertext storage and reduce the communication efficiency. To overcome this problem, we propose an ABE supporting Dual Membership (DM-ABE). The core problem for implementing this scheme is how to use cryptographic methods to decide the membership between the verified element and the given set. In order to solve this problem, we design a cryptographic algorithm, called Secure Decision of Membership (SDM), based on aggregation functions. In this algorithm, any set can be aggregated into one cryptographic element, and the verified element and the given set can be converted into another cryptographic element in decision process. The membership between them can be decided by the above two cryptographic elements. Furthermore, we construct the DM-ABE by using SDM. Because of the good expressivity of our DM-ABE, we further propose a novel cryptographic data sharing framework by integrating DM-ABE and attribute-based access control to provide fine-grained access control and security protection for private data. In the security proof of DM-ABE, we prove that the DM-ABE satisfies the semantic security against chosen-plaintext attacks under the DBDHE assumption in the standard model through a unified way, considering both two encryption methods for ∈ and ∉ at the same time. Finally, we analyze our scheme in terms of time and space complexity, and compare it with some existing schemes. The results show that our DM-ABE has a better expressive ability on the boolean logic of general membership predicates, ∈ and ∉.

Practical revocable and multi-authority CP-ABE scheme from RLWE for Cloud Computing

Cloud computing provides enterprises and individuals with unlimited computing resources and expandable storage space. However, data leakage occurs frequently due to the lack of protection measures in the cloud storage environment. Consequently, how to protect data security in the cloud has become a critical issue. Attribute-based encryption (ABE) is an emerging encryption technique, which protects sensitive information and provides access control for data stored in the cloud. However, most of existing ABE schemes cannot resist quantum attacks and lack the capability of implementing flexible revocation on user or attribute when the attributes of a user change, which hinders the practical application of ABE. In this research, we present a Revocable and Multi-authority ciphertext-policy attribute-based encryption (RM-CP-ABE) from the ring learning with errors (RLWE) assumption, which supports multi-authority and multi-valued attributes. The scheme allows multiple authorities to involve in key distribution, and achieves the attribute revocation when the user’s access rights change. Also, the scheme enjoys reasonable computational cost and storage overhead, and is proven selectively secure under the RLWE assumption. The simulation results indicate that the performance of the proposed scheme is acceptable for practical applications.

MLS-ABAC: Efficient Multi-Level Security Attribute-Based Access Control scheme

Realizing access control to sensitive data offloaded to a Cloud is challenging in the Internet of Things, where various devices with low computational power and different security levels are interconnected. Despite various solutions, the National Institute of Standards and Technology (NIST)’s Attribute-Based Access Control (ABAC) model is one of the preferred techniques in the literature. In this model, users who satisfy access policies using both static and dynamic attributes are allowed to access the data. However, NIST’s ABAC model does not support encryption and therefore does not satisfy data confidentiality. Attribute-Based Encryption (ABE) is a known cryptographic primitive that enables fine-grained access control over encrypted data. However, currently the existing ABE schemes do not meet NIST’s ABAC requirements or are not computationally efficient enough for IoT applications. In this paper, we propose a Multi-Level Security ABAC (MLS-ABAC) scheme that satisfies the requirements of NIST’s ABAC model. Our construction is efficient and relies on a decryption outsourceable Ciphertext-Policy ABE scheme. Additionally, based on realistic application scenarios, only the authorized data users can decrypt the ciphertext, and check the integrity of the retrieved message. Furthermore, we present both conceptual and formal models for our proposed MLS-ABAC architecture along with performance metrics. The experimental results show that the proposed MLS-ABAC achieves a constant ciphertext size of ∼230 bytes and with encryption and decryption running times of ∼18 and ∼10 ms, respectively, independent of the number of attributes.

Lightweight Searchable Encryption Protocol for Industrial Internet of Things

Industrial Internet of Things (IoT) has suffered from insufficient identity authentication and dynamic network topology, thereby resulting in vulnerabilities to data confidentiality. Recently, the attribute-based encryption (ABE) schemes have been regarded as a solution to ensure data transmission security and the fine-grained sharing of encrypted IoT data. However, most of existing ABE schemes that bring tremendous computational cost are not suitable for resource-constrained IoT devices. Therefore, lightweight and efficient data sharing and searching schemes suitable for IoT applications are of great importance. To this end, In this article, we propose a light searchable ABE scheme (namely LSABE). Our scheme can significantly reduce the computing cost of IoT devices with the provision of multiple-keyword searching for data users. Meanwhile, we extend the LSABE scheme to multiauthority scenarios so as to effectively generate and manage the public/secret keys in the distributed IoT environment. Finally, the experimental results demonstrate that our schemes can significantly maintain computational efficiency and save the computational cost at IoT devices, compared to other existing schemes.

A Secure and Lightweight Fine-Grained Data Sharing Scheme for Mobile Cloud Computing.

With the explosion of various mobile devices and the tremendous advancement in cloud computing technology, mobile devices have been seamlessly integrated with the premium powerful cloud computing known as an innovation paradigm named Mobile Cloud Computing (MCC) to facilitate the mobile users in storing, computing and sharing their data with others. Meanwhile, Attribute Based Encryption (ABE) has been envisioned as one of the most promising cryptographic primitives for providing secure and flexible fine-grained “one to many” access control, particularly in large scale distributed system with unknown participators. However, most existing ABE schemes are not suitable for MCC because they involve expensive pairing operations which pose a formidable challenge for resource-constrained mobile devices, thus greatly delaying the widespread popularity of MCC. To this end, in this paper, we propose a secure and lightweight fine-grained data sharing scheme (SLFG-DSS) for a mobile cloud computing scenario to outsource the majority of time-consuming operations from the resource-constrained mobile devices to the resource-rich cloud servers. Different from the current schemes, our novel scheme can enjoy the following promising merits simultaneously: (1) Supporting verifiable outsourced decryption, i.e., the mobile user can ensure the validity of the transformed ciphertext returned from the cloud server; (2) resisting decryption key exposure, i.e., our proposed scheme can outsource decryption for intensive computing tasks during the decryption phase without revealing the user’s data or decryption key; (3) achieving a CCA security level; thus, our novel scheme can be applied to the scenarios with higher security level requirement. The concrete security proof and performance analysis illustrate that our novel scheme is proven secure and suitable for the mobile cloud computing environment.

Attribute-based Encryption for Cloud Computing Access Control

Attribute-based encryption (ABE) for cloud computing access control is reviewed in this article. A taxonomy and comprehensive assessment criteria of ABE are first proposed. In the taxonomy, ABE schemes are assorted into key-policy ABE (KP-ABE) schemes, ciphertext-policy ABE (CP-ABE) schemes, anti-quantum ABE schemes, and generic constructions. In accordance with cryptographically functional features, CP-ABE is further divided into nine subcategories with regard to basic functionality, revocation, accountability, policy hiding, policy updating, multi-authority, hierarchy, offline computation, and outsourced computation. In addition, a systematical methodology for discussing and comparing existing ABE schemes is proposed. For KP-ABE and each type of CP-ABE, the corresponding access control scenario is presented and explained by concrete examples. Specifically, the syntax of ABE is given followed by the adversarial model and security goals. ABE schemes are discussed according to the design strategies and special features and are compared in the light of the proposed assessment criteria with respect to security and performance. Compared to related state-of-the-art survey papers, this article not only provides a broader 12 categories of ABE schemes, but also makes a more comprehensive and holistic comparison. Finally, a number of open research challenges in ABE are pointed out.

Attribute-based encryption with outsourced decryption in blockchain

Attribute-based encryption (ABE) is a powerful cryptographic primitive for access control and fine-grained sharing on encrypted data. Due to this functionality, ABE is usually adopted in encrypted cloud storage for flexible data sharing. However, the main drawback of ABE is that the computational cost grows linearly with the complexity of the access policy. One of the promising solutions for the problem is to outsource computation securely. For example, the user can outsource most of the decryption cost to a proxy, while the underlying plaintext remains confidential. Nonetheless, all the existing ABE schemes with outsourced decryption ignore the fairness between the user and the proxy, i.e., the user may refuse to pay even if he/she obtain the valid result. To address this problem, in this paper we propose a new ABE scheme with fair outsourced decryption by using blockchain and sampling technique. In particular, we make use of the smart contract in blockchain to guarantee that the proxy can always get the reward with the valid outsourced decryption result. Furthermore, we apply the sampling technique to enable the miners in blockchain to check the validity of the outsourced decryption result. The detailed analysis conducts that our proposal is secure and fair under some reasonable assumptions, and the experimental results demonstrate that our proposal is efficient. At last, it may be of independent interest that our proposal is a generic construction for pairing-based ABE schemes.

Full Verifiability for Outsourced Decryption in Attribute Based Encryption

Attribute based encryption (ABE) is a popular cryptographic technology to protect the security of users’ data. However, the decryption cost and ciphertext size restrict the application of ABE in practice. For most existing ABE schemes, the decryption cost and ciphertext size grow linearly with the complexity of access structure. This is undesirable to the devices with limited computing capability and storage space. Outsourced decryption is considered as a feasible method to reduce the user's decryption overhead, which enables a user to outsource a large number of decryption operations to the cloud service provider (CSP). However, outsourced decryption cannot guarantee the correctness of transformation done by the cloud, so it is necessary to check the correctness of outsourced decryption to ensure security for users’ data. Current research mainly focuses on verifiability of outsourced decryption for the authorized users. It still remains a challenging issue that how to guarantee the correctness of outsourced decryption for unauthorized users. In this paper, we propose an ABE scheme with verifiable outsourced decryption (called full verifiability for outsourced decryption), which can simultaneously check the correctness for transformed ciphertext for the authorized users and unauthorized users. The proposed ABE scheme with verifiable outsourced decryption is proved to be selective CPA-secure in the standard model.

Key regeneration-free ciphertext-policy attribute-based encryption and its application

Attribute-based encryption (ABE) provides a promising solution for enabling scalable access control over encrypted data stored in the untrusted servers (e.g., cloud) due to its ability to perform data encryption and decryption defined over descriptive attributes. In order to bind different components which correspond to different attributes in a user’s attribute-based decryption key together, key randomization technique has been applied in most existing ABE schemes. This randomization method, however, also empowers a user the capability of regenerating a newly randomized decryption key over a subset of the attributes associated with the original decryption key. Because key randomization breaks the linkage between this newly generated key and the original key, a malicious user could leak the new decryption key to others without taking any responsibility for the key abuse. To solve this problem, we think of key regeneration-free ABE to disallow a user from randomizing his/her decryption key in any manner, i.e., a user can only delegate his/her decryption key in exactly the same form without any modification so that any abused or pirated key can be traced back to its original owner. Motivated by strongly unforgeable signature, we first define a security notion called strong key unforgeability, and show that ABE schemes equipped with the strong key unforgeability are immune to key regeneration. We then provide a generic transformation to convert ciphertext-policy ABE (CP-ABE) schemes of certain type to key regeneration-free CP-ABE schemes, and show how the transformation works by presenting two concrete constructions.

An Efficient Elliptic Curve Cryptography-Based Without Pairing KPABE for Internet of Things

The increasing deployment of Internet of Things in diversified fields provides groundwork for smart living. However, at the same time, it brings challenges like security and privacy. Among the numerous proposed security schemes, attribute-based encryption (ABE) is considered as one of the most promising security and privacy preserving scheme in distributed environment (or cloud environment). Many variants of the ABE exist, but most of them employ the expensive bilinear pairing operations. In this article, we have proposed a lightweight elliptic-curve-cryptography-based key-policy ABE without bilinear pairing and having a feature of key refresh/update mechanism. Also, the key distribution is done by the authority, which incorporates direct attribute/user revocation. The scheme is secured under elliptic curve decisional Diffie–Hellman assumption. The performance analysis demonstrates that the proposed scheme is efficient as compared to the existing ABE schemes.

Implementation of an Attribute-Based Encryption Scheme Based on SM9

In recent years, attribute-based encryption (ABE) has been widely applied in mobile computing, cloud computing, and the Internet of things, for supporting flexible and fine-grained access control of sensitive data. In this paper, we present a novel attribute-based encryption scheme that is based on bilinear pairing over Barreto and Naehrig curves (BN-curves). The identity-based encryption scheme SM9, which is a Chinese commercial cryptographic standard and a forthcoming part of ISO/IEC11770-3, has been used as the fundamental building block, and thus we first introduce SM9 and present our SM9 implementation in details. Subsequently, we propose the design and implementation of the ABE scheme. Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large. The performance and energy consumption of the implementation of the proposed ABE and its hybrid version are evaluated with a workstation, a PC, a smart phone, and an embedded device. The experimental results indicated that our schemes work well on various computing platforms. Moreover, the proposed schemes and their implementations would benefit developers in building applications that fulfill the regulatory compliance with the Chinese commercial cryptographic standard since there is no existing ABE scheme compatible with any Chinese cryptographic standard.

A Comprehensive Review of Access Control Mechanism Based on Attribute Based Encryption Scheme for Cloud Computing

Cloud computing is the most prevailing paradigm, which provides computing resources and services over the Internet. Due to immense development in services provided by cloud computing, the trend to share large-scale and confidential data on cloud has been increased. Though cloud computing provides many benefits, ensuring security of the data stored in cloud is the biggest challenge. The security concern about the data becomes main barrier for adoption of cloud. One of the important security aspects is fine grained access control mechanism. The most widely used and efficient access control scheme for cloud computing is Attribute Based Encryption (ABE). The Attribute Based Encryption (ABE) scheme provides a new technique for embedding access policies cryptographically into encryption process. The article presents an overview of various existing attribute-based encryption schemes and traditional access control models. Also, the comparison of existing ABE schemes for cloud computing, on basis of various criteria is presented in the article.

A conditional access system with revocation for mobile pay-TV systems revisited

In pay-TV, conditional access systems (CAS) are used by a rights issuer to guarantee that only authorized subscribers gain access to TV channels. A CAS scheme that applies attribute-based access control through attribute-based encryption (ABE) with revocation was proposed by Yeh and Huang (2013) [1]. Yeh and Huang extend an existing ABE scheme with a revocation mechanism. We show that the CAS by Yeh and Huang has security and efficiency problems. Particularly, we show that the revocation mechanism proposed by Yeh and Huang is vulnerable to collusion attacks.

An Efficient ABE Scheme With Verifiable Outsourced Encryption and Decryption

Attribute-based encryption (ABE) is a promising cryptographic tool for data owner (DO) to realize fine-grained date sharing in the cloud computing. In the encryption of most existing ABE schemes, a substantial number of modular exponentiations are often required; the computational cost of it is growing linearly with the complexity of the access policy. Besides, in the most existing ABE with outsourced decryption, the computation cost of generating transformation key is growing linearly with the number of attributes associated with user private key; these computations are prohibitively high for mobile device users, which becomes a bottleneck limiting its application. To address the above issues, we propose a secure outsourcing algorithm for modular exponentiation in one single untrusted server model and a new method to generate the transformation key. Based on these techniques and Brent Waters's ciphertext-policy ABE scheme, we propose an ABE scheme with verifiable outsourced both encryption and decryption, which can securely outsource encryption and decryption to untrusted encryption service provider (ESP) and decryption service provider (DSP), respectively, leaving only a constant number of simple operations for the DO and eligible users to perform locally. In addition, both DO and the eligible users can check the correctness of results returned from the ESP and the DSP with a probability, respectively. Finally, we provide the experimental evaluation and security analysis of our scheme, which indicates that our construction is suitable for the mobile environment.

Secure Fine-grained Encrypted Keyword Search for e-Healthcare Cloud

E-Healthcare systems are increasingly popular due to the introduction of wearable healthcare devices and sensors. Personal health records (PHRs) are collected by these devices and stored in a remote cloud. Due to privacy concern, these records should not be accessible by any unauthorized party, and the cloud providers should not be able to learn any information from the stored records. To address the above issues, one promising solution is to employ attribute based encryption (ABE) for fine-grained access control and searchable encryption for keyword search on encrypted data. However, most of existing ABE schemes leak the privacy of access policy which may also contain sensitive information. On the other hand, for users’ devices with limited computing power and bandwidth, the mechanism should enable them to be able to search the PHRs efficiently. Unfortunately, most existing works on ABE do not support efficient keyword search on encrypted data. In this work, we propose an efficient hidden policy ABE scheme with keyword search. Our scheme enables efficient keyword search with constant computational overhead and constant storage overhead. Moreover, we enhance the recipient’s privacy which hides the access policy. As of independent interest, we present a trapdoor malleability attack and demonstrate that some of previous schemes may suffer from such attack.

User Collusion Avoidance CP-ABE With Efficient Attribute Revocation for Cloud Storage

Attribute-based encryption (ABE) can guarantee confidentiality and achieve fine-grained data access control in a cloud storage system. Due to the fact that every attribute in ABE may be shared by multiple users and each user holds multiple attributes, any single-attribute revocation for some user may affect the other users with the same attribute in the system. Therefore, how to revoke attribute efficiently is an important and challenging problem in ABE schemes. In order to solve above problems, we first give a concrete attack to the existing ABE scheme with attribute revocation. Then, we formalize the definition and security model, which model collusion attack executed by the existing users cooperating with the revoked users. Finally, we present a user collusion avoidance ciphertext-policy ABE scheme with efficient attribute revocation for the cloud storage system. The problem of attribute revocation is solved efficiently by exploiting the concept of an attribute group. When an attribute is revoked from a user, the group manager updates other users’ secret keys. Furthermore, we prove that the proposed scheme is secure against collusion attack launched by the existing users and the revoked users. The security of the proposed scheme is reduced to the computational Diffie–Hellman assumption.

Blocked linear secret sharing scheme for scalable attribute based encryption in manageable cloud storage system

Cloud provides outsourced storage services in a cost-effective manner. A key challenge of cloud storage is the security and privacy of outsourced data. A security mechanism known as attribute-based encryption (ABE) represents the state-of-the-art in providing fine-grained access control for cloud storage. The managing of access policy is a critical issue of ABE. Policy managing may incur substantial computation and communication overhead in the ABE scheme with unscalable access policy. In this work, we firstly propose a form of scalable access policy named blocked linear secret sharing scheme (BLSSS). The scalability of BLSSS provides efficient policy managing interface for ABE scheme. Then, we propose a scalable ciphertext-policy attribute-based encryption (SCP-ABE) scheme which uses BLSSS as access policy. Significantly, the proposed SCP-ABE is low-cost in computation and communication during policy managing. Furthermore, sufficient simulation experiments demonstrate that SCP-ABE outperforms most existing ABE schemes in terms of policy managing.

Novel Leakage-Resilient Attribute-Based Encryption from Hash Proof System

As an important primitive, attribute-based encryption (ABE) has attracted much attention in the relative-leakage model. However, the leakage rate in almost all of the existing ABE schemes is restricted with a leakage parameter. It implicitly suggests that higher leakage rate results in larger ciphertexts and keys. Aiming at tackling the challenge, novel leakage-resilient ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE) are designed in this paper. It achieves shorter secret key size and simultaneously does not suffer from the undesirable drawback above. To realize this, the concepts of CP-AB-HPS and KP-AB-HPS are introduced, which generalize the notion of hash proof system (HPS) to attribute-based setting. Under some static assumptions, the proposed schemes are proved adaptively secure in the standard model. In addition, the results in simulation experiments indicate that the proposed scheme is efficient and practical.

Attribute-based access control scheme with efficient revocation in cloud computing

Attribute-based encryption (ABE) supports the fine-grained sharing of encrypted data. In some common designs, attributes are managed by an attribute authority that is supposed to be fully trustworthy. This concept implies that the attribute authority can access all encrypted data, which is known as the key escrow problem. In addition, because all access privileges are defined over a single attribute universe and attributes are shared among multiple data users, the revocation of users is inefficient for the existing ABE scheme. In this paper, we propose a novel scheme that solves the key escrow problem and supports efficient user revocation. First, an access controller is introduced into the existing scheme, and then, secret keys are generated corporately by the attribute authority and access controller. Second, an efficient user revocation mechanism is achieved using a version key that supports forward and backward security. The analysis proves that our scheme is secure and efficient in user authorization and revocation.

Secured Web Service Communication using Attribute based Encryption and Outsource Decryption with Trusted Certificate Authorities (ABE-TCA)

Web services are one of the most aspired technologies in IT industry and more companies are adopting concepts and strategies used in web services for their businesses. User‘s set of attributes paves way for encryption and decryption of data by employing impregnable Attribute Based Encryption (ABE) for defended web service communication, which intensifies its privacy and security. In the existing ABE scheme, decryption involves an expensive process and increase the complexity of the access policy. To overcome the decryption overhead, outsourced decryption is used to authenticate the untrusted servers. The transformation key is responsible for reducing the decryption overhead by translating the complex ciphertext into simple ciphertext based on the user‘s attributes, and the overhead for the conversion of ciphertext to plaintext is acceptably minimal. Kerberos is incorporated to generate a ticket granting service that is used to verify authentication database and after verification of both parties, replies to the requested user for authentication. Furthermore to secure outsourcing agents, Certificate Authority is used to segregate unauthorized users. During data transmission integrity of the data can be verified by hashing algorithms.