Key-policy Attribute-based Encryption Scheme Research Articles

IoT-friendly, pre-computed and outsourced attribute based encryption

The Internet of Things (IoT) and its applications are growing at an unprecedented rate. In such a complex network with an enormous number of nodes, an important challenge is how to securely handle the access control problem. Attribute Based Encryption (ABE) is a powerful and flexible cryptographic primitive to address the challenge of realizing fine-grained access control in many systems. However, using ABE in IoT systems is often problematic due to the heavy computational overhead originating from the bilinear pairing operations and the relatively large key sizes of ABE schemes.This paper deals with this challenge by proposing some solutions to overcome the limitations of using ABE in IoT systems. The contributions of this paper are divided into three parts. In the first part, we propose modified fuzzy identity-based encryption (FIBE) schemes that use fewer optimal ate pairing operations compared to the original FIBE. FIBE is a special case of ABE, in which the access structure simplifies to a threshold gate. We also introduce a new security notion named the Conditional Chosen Ciphertext Attack-2 (Conditional CCA-2) selective security which is stronger than the CPA selective security notion. We prove that the proposed FIBE schemes have Conditional CCA-2 selective security, under the Asymmetric Decisional Modified Bilinear Diffie–Hellman (ADMBDH) assumption. In the second part, we proposed Key Policy Attribute Based Encryption (KP-ABE) schemes that use fewer pairing operations compared to the previous KP-ABE schemes. Our FIBE and KP-ABE schemes use elliptic curve groups which ensure shorter keys. In the third part of our contribution, we propose secure methods to outsource the heavy operations in FIBE and KP-ABE schemes (i.e. scalar multiplication by a curve point, exponentiation, and pairing) such that IoT devices can cope with the complexity.

Blockchain Based Multi-Authority Fine-Grained Access Control System With Flexible Revocation

Traditional data sharing systems are facing new challenges when implementing access control with more and more complex data sharing requirements. Flexibility of user revocation in completely decentralized environments needs to be taken into account. In this article, we propose a Key-Policy Attribute-Based Encryption scheme with Multiple and Flexible Revocation (MAFR-KP-ABE) to achieve the features of decentralized authorization and flexible revocation. We prove the security of our MAFR-KP-ABE scheme in the standard model and provide the comparison with relevant schemes to demonstrate its efficiency. Then we propose a fine-grained access control system based on MAFR-KP-ABE scheme and blockchain that matches the need of paid data sharing services with several security properties enhanced. Security analysis and system implementation are given subsequently to demonstrate our system efficient and secure.

Revocable attribute-based encryption from standard lattices

Attribute-based encryption (ABE) is an attractive extension of public key encryption, which provides fine-grained and role-based access to encrypted data. In its key-policy flavor, the secret key is associated with an access policy and the ciphertext is marked with a set of attributes. In many practical applications, and in order to address scenarios where users become malicious or their secret keys are compromised, it is necessary to design an efficient revocation mechanism for ABE. However, prior works on revocable key-policy ABE schemes are based on classical number-theoretic assumptions, which are vulnerable to quantum attacks. In this work, we propose the first revocable key-policy ABE scheme that offers an efficient revocation mechanism while maintaining fine-grained access control to encrypted data. Our scheme is based on the learning with errors (LWE) problem, which is widely believed to be quantum-resistant. Our scheme supports polynomial-depth policy function and has short secret keys, where the size of the keys depends only on the depth of the supported policy function. Furthermore, we prove that our scheme satisfies selective revocation list security in the standard model under the LWE assumption.

An SKP-ABE Scheme for Secure and Efficient Data Sharing in Cloud Environments

Security threats such as data forgery and leakage may occur when sharing data in cloud environments. Therefore, it is important to encrypt your data and securely access it when sharing it with other users via a cloud server. Of the various security technologies, research on secure data sharing commonly employs Key Policy Attribute-Based Encryption (KP-ABE). However, existing KP-ABE schemes generally lack ciphertext search features. Furthermore, even if a KP-ABE scheme incorporates it, the number of searches required increases markedly by the number of attributes used in the search. It in turn proportionally increases the ciphertext size. In addition, the attribute authority (AA) could be attacked, which can result in the leakage of users’ decryption keys. AA is a server that manages user attributes and decryption keys when using attribute-based encryption in a cloud environment. If the AA is curious, it can cause problems with the key escrow with the attributes and decryption (secret) key information of the users it knows. In this paper, to solve all these problems, we present a new scheme called Searchable Key-Policy Attribute-Based Encryption (SKP-ABE) for secure and efficient data sharing in the cloud. This proposed SKP-ABE scheme allows fast ciphertext search and keeps the ciphertext of constant size. The key escrow problem is solved via user key generation.

Toward Vehicular Digital Forensics From Decentralized Trust: An Accountable, Privacy-Preserving, and Secure Realization

With the increasing number of traffic accidents and terrorist attacks by modern vehicles, vehicular digital forensics (VDF) has gained significant attention in identifying evidence from the related digital devices. Ensuring the law enforcement agency to accurately integrate various kinds of data is a crucial point to determine the facts. However, malicious attackers or semi-honest participants may undermine the digital forensic procedures. Enabling accountability and privacy preservation while providing secure data access control in VDF is a nontrivial challenge. To mitigate this issue, in this article, we propose a blockchain-based decentralized solution for VDF named BB-VDF, in which the accountable protocols and privacy-preserving algorithm are constructed. The desirable security properties and fine-grained data access control are achieved based on smart contract and the customized cryptographic construction. Specifically, we design a distributed key-policy attribute-based encryption scheme with partially hidden access structures, named DKP-ABE-H, to realize the secure fine-grained forensics data access control. Further, a novel smart contract is designed to model the forensics procedures as a finite state machine, which guarantees accountability that each participant performs auditable cooperation under tamper resistant and traceable transactions. Systematic security analysis and extensive experimental results show the feasibility and practicability of our proposed BB-VDF scheme.

A Fully Secure KP-ABE Scheme on Prime-Order Bilinear Groups through Selective Techniques

Key-policy attribute-based encryption (KP-ABE) is the cryptographic primitive which enables fine grained access control while still providing end-to-end encryption. Although traditional encryption schemes can provide end-to-end encryption, users have to either share the same decryption keys or the data have to be stored in multiple instances which are encrypted with different keys. Both of these options are undesirable. However, KP-ABE can provide less key overhead compared to the traditional encryption schemes. While there are a lot of KP-ABE schemes, none of them simultaneously supports multiuse of attributes, adaptive security, monotone span programs, and static security assumption. Hence, we propose a fully secure KP-ABE scheme for monotone span programs in prime-order group. This scheme uses selective security proof techniques to obtain the requisite ingredients for full security proof. This strengthens the correlation between selective and full security models and enables the transition of the best qualities in selective security models to fully secure systems. The security proof is based on decisional linear assumption and three-party Diffie–Hellman assumption.

An ECC-based access control scheme with lightweight decryption and conditional authentication for data sharing in vehicular networks

Nowadays, more and more data are stored on cloud for sharing in vehicular networks, but the increasing number of cloud data security incidents makes how to guarantee confidentiality of sharing data one of the main concerns. Attribute-based encryption is considered as a suitable method to solve this issue. However, the requirements of lightweight and privacy make it difficult to apply the existing attribute-based encryption schemes directly in vehicular networks. In this paper, we put forward an access control scheme with lightweight decryption and conditional authentication for secure data sharing in vehicular networks. In this scheme, we extend elliptic-curve cryptography-based key-policy attribute-based encryption scheme with token-based decryption for lightweight access control. Moreover, we integrate Elliptic Curve Qu-Vanstone implicit certificate with ELGamal encryption algorithm to achieve both mutual authentication and conditional privacy protection. The performance analysis shows that the proposed scheme requires less time for both encryption and decryption on the user side. The security analysis shows that the proposed scheme can provide conditional anonymity.

Expressive Public-Key Encryption With Keyword Search: Generic Construction From KP-ABE and an Efficient Scheme Over Prime-Order Groups

Public key encryption with keyword search (PEKS) allows a cloud server to retrieve particular ciphertexts without leaking the contents of the searched ciphertexts. This kind of cryptographic primitive gives users a special way to retrieve the encrypted documents they need while preserving privacy. Nevertheless, most existing PEKS schemes only offer single-keyword search or conjunctive-keyword searcha. The poorly expressive ability and constantly inaccurate search results make them hard to meet users' requirements. Although several expressive PEKS (EPEKS) schemes were proposed, they entail high computation and communication costs. An ideal EPEKS scheme should enable fast and accurate ciphertext retrieval, while lowering the storage server's load and reducing the amount of communication data. Drawing on the strongly expressive ability of key-policy attribute-based encryption (KP-ABE), we propose a generic construction of EPEKS from KP-ABE. We demonstrate that the derived EPEKS scheme is secure under the chosen keyword attack if the implicit KP-ABE scheme fulfills the anonymity under the chosen plaintext attack. Furthermore, we present a concrete EPEKS scheme over the prime-order groups. The comparison and experimental results indicate that our scheme is more efficient than the existing EPEKS schemes.

Fine-Grained Access Control-Enabled Logging Method on ARM TrustZone

Most applications for the Internet of Things operate on embedded systems. In particular, embedded devices intended for smart healthcare, smart homes, and smart cars generate logs containing sensitive user information. These logs must be protected from malicious users while also being accessible for legitimate users to utilize them for providing customized services. Unfortunately, the existing logging system only supporting one-to-one encryption based on a server-client model, so there are limitations in building a decentralized logging infrastructure for the hyper-connected era. In this paper, we propose a new secure logging method that supports one-to-many encryption and extends existing logging systems to a decentralized logging infrastructure. In the proposed method, log publishers are able to encrypt generated logs and distribute them to cloud storage in real time and can ensure that only authorized log subscribers access the logs. For one-to-many encryption, we apply a key-policy attribute-based encryption scheme which is suitable for logging systems. For reliability and efficiency of logs, we apply a key-derivation process that cooperates with one-way hash functions within a trusted execution environment. In a real time logging scenario, the proposed method is 93% faster and occupies 83% less storage space than when an original attribute-based encryption scheme is applied. In addition, performance-tunable parameters can optimize our method for various environments.

Enhancement of a Lightweight Attribute-Based Encryption Scheme for the Internet of Things

In this paper, we present the enhancement of a lightweight key-policy attribute-based encryption (KP-ABE) scheme designed for the Internet of Things (IoT). The KP-ABE scheme was claimed to achieve ciphertext indistinguishability under chosen-plaintext attack in the selective-set model but we show that the KP-ABE scheme is insecure even in the weaker security notion, namely, one-way encryption under the same attack and model. In particular, we show that an attacker can decrypt a ciphertext which does not satisfy the policy imposed on his decryption key. Subsequently, we propose an efficient fix to the KP-ABE scheme as well as extending it to be a hierarchical KP-ABE (H-KP-ABE) scheme that can support role delegation in IoT applications. An example of applying our H-KP-ABE on an IoT-connected healthcare system is given to highlight the benefit of the delegation feature. Lastly, using the NIST curves secp192k1 and secp256k1, we benchmark the fixed (hierarchical) KP-ABE scheme on an Android phone and the result shows that the scheme is still the fastest in the literature.

A REVIEW PAPER ON ATTRIBUTE-BASED ENCRYPTION FOR MESSAGE PRIVACY IN CLOUD

The notion of attribute-based encryption (ABE)was proposed as an economical alternative to public-keyinfrastructures. It is the set of descriptive attributes, used as anidentity to generate a secret key, as well as serving as theaccess structure that performs access control. ABE is also auseful building block in various cryptographic primitives suchas searchable encryption. . It successfully integratesEncryption and Access Control and is ideal for sharing secretsamong groups, especially in a Cloud environment. Mostdeveloped ABE schemes support key-policy or ciphertextpolicyaccess control in addition to other features such asdecentralized authority, efficient revocation and keydelegation. This paper surveys mainstream papers, analyzesmain features for desired ABE systems, and classifies theminto different categories. With this high-level guidance, futureresearchers can treat these features as individual modules andselect related ones to build their ABE systems on demand.For ABE, it is not realistic to trust a single authority tomonitor all attributes and hence distributing control over manyattribute-authorities is desirable.A multi-authority ABE scheme can be realized with a trustedcentral authority (CA) which issues part of the decryption keyaccording to a user's global identifier (GID). However, this CAmay have the power to decrypt every cipher text, and the useof a consistent GID allowed the attribute-authorities tocollectively build user's attributes. Decentralized ABE schemecan eliminate the burden of heavy communication andcollaborative computation. It is observed that privacypreservingdecentralized key-policy ABE scheme has claimedto achieve better privacy for users and is provably secure inthe standard model

Multi-Authority Non-Monotonic KP-ABE With Cryptographic Reverse Firewall

The revelations of Snowden show that hardware and software of devices may corrupt users' machine to compromise the security in various ways. To address this concern, Mironov and Stephen-Davidowitz introduce the Cryptographic Reverse Firewall (CRF) concept that is able to resist the ex-filtration of secret information for some compromised machine (Eurocrypt 2015). There are some applications of CRF deployed in many cryptosystems, but less studied and deployed in Attribute-Based Encryption (ABE) field, which attracts a wide range of attention and is employed in real-world scenarios (i.e., data sharing in cloud). In this work, we focus how to give a CRF security protection for a multi-authority ABE scheme and hence propose a multi-authority key-policy ABE scheme with CRF (acronym, MA-KP-ABE-CRF), which supports attribute distribution and non-monotonic access structure. To achieve this, beginning with revisiting a MA-KP-ABE with non-trivial combining non-monotonic formula, we then give the randomness of ciphertexts and secret keys with reverse firewall and give formal security analysis. Finally, we give a simulation on our MA-KP-ABE-CRF system based on Charm library whose the experimental results demonstrate practical efficiency.

Key-policy attribute-based encryption against continual auxiliary input leakage

Attribute-based encryption mechanism can achieve very flexible access control, so it has a wide range of applications in the distributed environment, such as fine-grained access control, audit log applications, cloud storage systems. Key-policy attribute-based encryption (KP-ABE) scheme is especially suitable for video on demand, pay TV, etc. Most of the existing KP-ABE schemes do not consider the side channel attacks which probably leak some secret information about the cryptosystems. In the paper, we present the formal definition and security model of key-policy attribute-based encryption scheme which is resilient to continual auxiliary input (CAI) leakage. What is more, we present a concrete KP-ABE scheme. The proposed scheme is proved secure under the static assumptions.

An Efficient Tate Pairing Algorithm for a Decentralized Key-Policy Attribute Based Encryption Scheme in Cloud Environments

Attribute-based encryption (ABE) is used for achieving data confidentiality and access control in cloud environments. Most often ABE schemes are constructed using bilinear pairing which has a higher computational complexity, making algorithms inefficient to some extent. The motivation of this paper is on achieving user privacy during the interaction with attribute authorities by improving the efficiency of ABE schemes in terms of computational complexity. As a result the aim of this paper is two-fold; firstly, to propose an efficient Tate pairing algorithm based on multi-base number representation system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5 to reduce the cost of bilinear pairing operations and, secondly, the TP-MBNR-PH algorithm is applied in decentralized KP-ABE to compare its computational costs for encryption and decryption with existing schemes.

Implementation and Evaluation of a Lattice-Based Key-Policy ABE Scheme

In this paper, we report on our implementation of a lattice-based key-policy attribute-based encryption (KP-ABE) scheme, which uses short secret keys. The particular KP-ABE scheme can be used directly for attribute-based access control applications, as well as a building block in more involved applications and cryptographic schemes, such as audit log encryption, targeted broadcast encryption, functional encryption, and program obfuscation. We adapt a recently proposed KP-ABE scheme based on the learning with errors (LWE) problem to a more efficient scheme based on the ring learning with errors (RLWE) problem, and demonstrate an implementation that can be used in practical applications. Our state-of-the-art implementation on graphics processing units shows that the homomorphic public key and ciphertext evaluation operations, which dominate the execution time of the KP-ABE scheme, can be performed in a reasonably short amount of time. Our practicality results also hold when scaled to a relatively large number of attributes. To the best of our knowledge, this is the first KP-ABE implementation that supports both ciphertext and public key homomorphism, and the only experimental practicality results reported in this paper.

Efficient attribute-based encryption with attribute revocation for assured data deletion

Cloud storage allows customers to store their data on remote cloud servers. With the advantage of reducing the burden of data management and storage, an increasing number of users prefer to store their data on the cloud. While secure data deletion is a crucial, it is a challenging issue in cloud storage. Logically deleted data may be easily exposed to un-authorized users in the cloud storage scenario thanks to its salient features such as multi-tenancy, virtualization and elasticity. Moreover, cloud servers might not delete customers’ data as instructed for hidden business interest. Hence, assured deletion is highly sought after. It helps preserve cloud users’ data privacy and is a necessary component of data retention regulations in cloud storage. In this paper, we first investigate the goals of assured data deletion and formalize its security model.Then, we propose a key-policy attribute-based encryption scheme for assured deletion (AD-KP-ABE) of cloud data. Our construction makes use of the attribute revocation cryptographic primitive and Merkle Hash Tree to achieve fine-grained access control and verifiable data deletion. The proposed AD-KP-ABE enjoys desirable properties such as no secret key update, partial ciphertext update and assured data deletion. The detailed security proof and implementation results demonstrate the security and practicality of our proposal.

Insecurity of A Key-Policy Attribute Based Encryption Scheme With Equality Test

Attribute-based encryption is a popular cryptographic technology to protect the privacy of clients' data in cloud computing. In order to make the scheme have the functionality of comparing ciphertext, Zhu et al. combined concepts of key-policy attributed-based encryption with public key encryption with equality test and proposed key-policy attributed-based encryption with equality test. They defined its security model and put forward a scheme from bilinear pairing. In this paper, we first use two methods to show that their scheme is not secure for one-way under chosen ciphertext attack. Next, we show that the scheme is not secure for a test under chosen ciphertext attack defined in their paper yet. Finally, we point out the definition of a test under chosen ciphertext attack is very strong, which causes no scheme to satisfy the model.

Improving Privacy-Preserving and Security for Decentralized Key-Policy Attributed-Based Encryption

Decentralized attribute-based encryption (ABE) is an efficient and flexible multi-authority attribute-based encryption system, since it does not requires the central authority and does not need to cooperate among the authorities for creating public parameters. Unfortunately, recent works show that the reality of the privacy preserving and security in almost well-known decentralized key policy ABE (KP-ABE) schemes are doubtful. How to construct a decentralized KP-ABE with the privacy-preserving and user collusion avoidance is still a challenging problem. Most recently, Y.Rahulamathavam et al. proposed a decentralized KP ABE scheme to try avoiding user collusion and preserving the user’s privacy. However, we exploit the vulnerability of their scheme in this paper at first and present a collusion attack on their decentralized KP-ABE scheme. The attack shows the user collusion cannot be avoided. Subsequently, a new privacy-preserving decentralized KP-ABE is proposed. The proposed scheme avoids the linear attacks at present and achieves the user collusion avoidance. We also show that the security of the proposed scheme is reduced to decisional bilinear Diffie–Hellman assumption. Finally, numerical experiments demonstrate the efficiency and validity of the proposed scheme.

A Secure Data Sharing Mechanism In Dynamic Cloud By Using KP-ABE

Now day cloud computing is reaching the people with very efficiently and quickly because of advantages of cloud computing. Cloud has a nature of low preservation which will gives an efficient result to share the resources with user group in cloud. Important issues in public cloud is share documents and data related on control policies of fine grained access, because of regular change of the data membership sharing in dynamic groups to protect data and privacy identity from cloud that is unfaithful one is still critical problem. The changing membership is important issue when multi owner type of cloud computing, because protecting data and individuality privacy. By using group signature and techniques of dynamic broadcast encryption, any user can secretly share data with other user. The important aim is to gives many-owner data distributing by secure way with dynamically form groups. KP-ABE (Key Policy Attribute Based Encryption) scheme is proposed chose dynamic AA (Attribute authorities). By using the group signature, dynamic transmit and signed receipts, cloud user can namelessly distribute data with other user. This approach is used to reduce computation cost, encryption and overhead of storage. Using this approach any can share a data with other user

A compact construction for non-monotonic key-policy attributebased encryption

The attribute-based encryption (ABE) scheme with monotonic access structure cannot deal with an access structure that is associated with the negation of attributes, which is not convenient for real world applications. In this paper, we attempt to propose a more expressive non-monotonic ABE scheme through a new method. To achieve this goal, we firstly propose a linear two-mode identity-based broadcast encryption (TIBBE) scheme based on an identity-based broadcast encryption (IBBE) scheme. We introduce the concept of identity-based revocation (IBR) for this scheme without increasing the size of parameters in IBBE. The scheme is selective identity secure under the m-DBDHE assumption. Then, we convert the TIBBE scheme into a non-monotonic key-policy attribute-based encryption (KP-ABE) scheme with compact parameters. Our KP-ABE scheme could achieve constant-size ciphertexts, and the scale of the private keys grows linearly with the scale of the attribute set. Besides, the computational cost is the lowest compared with other existing non-monotonic KP-ABE schemes.