Multi-authority Ciphertext-policy Attribute-based Encryption Research Articles

A Secure G-Cloud-Based Framework for Government Healthcare Services

Within the literature, we have witnessed in the healthcare sector, the growing demand for and adoption of software development in the cloud environment to cope with and fulfill current and future demands in healthcare services. In this paper, we propose a flexible, secure, cost-effective, and privacy-preserved cloud-based framework for the healthcare environment. We propose a secure and efficient framework for the government EHR system, in which fine-grained access control can be afforded based on multi-authority ciphertext-policy attribute-based encryption (CP-ABE), together with a hierarchical structure, to enforce access control policies. The proposed framework will allow decision-makers in Saudi Arabia to develop the healthcare sector and to benefit from the existing e-government cloud computing platform “Yasser,” which is responsible for delivering shared services through a highly efficient, reliable, and safe environment. This framework aims to provide health services and facilities from the government to citizens (G2C). Furthermore, multifactor applicant authentication has been identified and proofed in cooperation with two trusted authorities. The security analysis and comparisons with the related frameworks have been conducted.

Large universe multi-authority attribute-based PHR sharing with user revocation

In the patient-centric model of health information exchange, personal health record (PHR) is often outsourced to third parties, such as cloud service providers (CSPs). Attribute-based encryption (ABE) can be used to realise flexible access control on PHRs in cloud environment. Nevertheless, the issues of scalability in key management, user revocation and flexible attributes remain to be addressed. In this paper, we propose a large-universe multi-authority ciphertext-policy ABE system with user revocation. The proposed scheme achieves scalable and fine-grained access control on PHRs. In our scheme, there are a central authority (CA) and multiple attribute authorities (AAs). When a user is revoked, the system public key and the other users' secret keys need not be updated. Furthermore, because our scheme supports large attribute universe, the number of attributes is not polynomially bounded and the public parameter size does not linearly grow with the number of attributes. Our system is constructed on prime order groups and proven selectively secure in the standard model.

Secure and Efficient Attribute-Based Access Control for Multiauthority Cloud Storage

Cloud storage facilitates both individuals and enterprises to cost effectively share their data over the Internet. However, this also brings difficult challenges to the access control of shared data since few cloud servers can be fully trusted. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising approach that enables the data owners themselves to place fine-grained and cryptographically-enforced access control over outsourced data. In this paper, we present secure and cost-effective attribute-based data access control for cloud storage systems. Specifically, we construct a multiauthority CP-ABE scheme that features: 1) the system does not need a fully trusted central authority, and all attribute authorities independently issue secret keys for users; 2) each attribute authority can dynamically remove any user from its domain such that those revoked users cannot access subsequently outsourced data; 3) cloud servers can update the encrypted data from the current time period to the next one such that the revoked users cannot access those previously available data; and 4) the update of secret keys and ciphertext is performed in a public way. We show the merits of our scheme by comparing it with the related works, and further implement it to demonstrate its practicality. In addition, the proposed scheme is proven secure in the random oracle model.

Multi-authority fine-grained access control with accountability and its application in cloud

Attribute-based encryption (ABE) is one of critical primitives for the application of fine-grained access control. To reduce the trust assumption on the attribute authority and in the meanwhile enhancing the privacy of users and the security of the encryption scheme, the notion of multi-authority ABE with an anonymous key issuing protocol has been proposed. In an ABE scheme, it allows to encrypt data for a set of users satisfying some specified attribute policy and any leakage of a decryption key cannot be associated to a user. As a result, a misbehaving user could abuse the property of access anonymity by sharing its key other unauthorized users. On the other hand, the previous work mainly focus on the key-policy ABE, which cannot support ciphertext-policy access control. In this paper, we propose a privacy-aware multi-authority ciphertext-policy ABE scheme with accountability, which hides the attribute information in the ciphertext and allows to trace the dishonest user identity who shares the decryption key. The efficiency analysis demonstrates that the new scheme is efficient, and the computational overhead in the tracing algorithm is only proportional to the length of the identity. Finally, we also show how to apply it in cloud computing to achieve accountable fine-grained access control system.

Achieving Collaborative Cloud Data Storage by Key-Escrow-Free Multi-Authority CP-ABE Scheme with Dual-Revocation

Nowadays, more and more users store their data in cloud storage servers for great convenience and real benefits offered by the service, so cloud data storage becomes one of the desirable services provided by cloud service providers. Multi-Authority Ciphertext-Policy Attribute-Based Encryption (MA-CP-ABE) is an emerging cryptographic solution to data access control for large-scale collaborative cloud storage service, which allows any data owner to outsource the data to cloud data storage in order to enable users from collaborating domains or organizations to access the outsourced data. However, the existing MA-CP-ABE schemes cannot be directly applied to collaborative cloud storage services as data access control due to the key escrow problem and the absence of dual revocation mechanism (user revocation and attribute revocation). By addressing these issues, this paper presents a Key-Escrow- Free Multi-Authority Ciphertext-Policy Attribute-Based Encryption Scheme with Dual-Revocation by introducing ＂the essential attribute＂ and making use of a certificate authority apart from attribute authorities. Compared with the existing MA-CP-ABE schemes, the proposed scheme is the most suitable one to enable data access control for collaborative cloud storage systems. Furthermore, the security and performance analysis indicates that our scheme is more secure and reasonably efficient to be applied to practical scenarios as collaborative cloud storage systems.

Robust and Scalable Data Access Control in D2D Communications

As an emerging technique in 5G cellular networks, D2D communication efficiently utilizes the available resources. However, the concerns of data security, identity privacy, and system scalability have not been sufficiently addressed. In this paper, we propose a robust and scalable data access control scheme (RSDAC) in D2D communication, where the key build block is a multi-authority ciphertext-policy attribute-based encryption (MA-CP-ABE) with the large universe and verifiable outsourced decryption. In RSDAC, the system attribute universe is scalable, which is exponentially large without resource waste. Each base station (BS) governs the whole attribute universe individually. The data owner can define any monotonic access structure to encrypt its data. During the key generation phase, each BS can independently verify the user’s legitimacy and then generate an intermediate key for the legal user according to its attribute set. A core network server (CNS) acts as the central authority which will generate the final private key for the user basing on his intermediate key. We also design an efficient method to offload the complicated decryption to some devices with adequate computation resource and further check the correctness of decryption result. The security analysis and performance comparison indicate that our scheme is secure, efficient, and applicable.

Efficient and Secure Access Control Scheme in the Standard Model for Vehicular Cloud Computing

Vehicular networking involves the storage, compute, and analysis of massive vehicular data. Vehicular cloud computing, as a special cloud computing platform, seamlessly combines vehicular ad hoc networks and conventional cloud computing. However, in the vehicular cloud computing, there is still the problem of unauthorized users accessing and stealing data. In the traditional ciphertext-policy attribute-based encryption (CP-ABE) scheme, a trusted central authority is employed to manage attributes and distribute keys. Based on multi-authority (MA) CP-ABE, we propose a secure and revocable access control scheme for vehicular cloud computing in this paper, in which the requester can decrypt the ciphertext with only a small amount of computation. We show that our MA-CP-ABE scheme can prevent static corruption of authorities in the standard model under the decisional q-parallel bilinear Diffie–Hellman exponent assumption. Theoretical analysis and experimental simulation results show that our scheme has lower communication cost and lower computational complexity than other schemes.

An Efficient Hierarchical Multi-Authority Attribute Based Encryption Scheme for Profile Matching using a Fast Ate Pairing in Cloud Environment

In cloud environment, profile matching is a key technique in applications such as health care and social networks. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is suitable technique for data sharing in such environments. In this paper, we propose an asymmetric pairing based Hierarchical Multi-Authority CP-ABE (HM-CP-ABE) construction for profile matching. We utilize the fast Ate pairing to make the proposed HM-CP-ABE scheme efficient. The performance analysis of the proposed scheme shows improved efficiency in terms of computational costs for initialization, key generation and encryption using ELiPS library when compared with existing works.

Efficient large-universe multi-authority ciphertext-policy attribute-based encryption with white-box traceability

Traceable multi-authority ciphertext-policy attribute-based encryption (CP-ABE) is a practical encryption method that can achieve user traceability and fine-grained access control simultaneously. However, existing traceable multi-authority CP-ABE schemes have two main limitations that prevent them from practical applications. First, these schemes only support small universe: the attributes must be fixed at system setup and the attribute space is restricted to polynomial size. Second, the schemes are either less expressive (the access policy is limited to “AND gates with wildcard) or inefficient (the system is constructed in composite order bilinear groups). To address these limitations, we present a traceable large universe multi-authority CP-ABE scheme, and further prove that it is statically secure in the random oracle model. Compared with existing traceable multi-authority CP-ABE schemes, the proposed scheme has four advantages. First, the attributes are not fixed at setup and the attribute universe is not bounded to polynomial size. Second, the ciphertext polices can be expressed as any monotone access structures. Third, the proposed scheme is constructed in prime order groups, which makes this scheme more efficient than those in composite order bilinear groups. Finally, the proposed scheme requires neither a central authority nor an identity table for tracing.

Secure, efficient and revocable data sharing scheme for vehicular fogs

With the rapid development of vehicular networks, the problem of data sharing in vehicular networks has attached much attention. However, existing data access control schemes in cloud computing cannot be applied to the scenario of vehicular networks, because cloud computing paradigm cannot satisfy the rigorous requirement posed by latency-sensitive mobile application. Fog Computing is a paradigm that extends Cloud computing and services to the edge of the network. The vehicular fog is the ideal platform to achieve data sharing in vehicular networks. In this paper, we propose a revocable data sharing scheme for vehicular fogs. We construct a new multi-authority ciphertext policy attribute-based encryption (CP-ABE) scheme with efficient decryption to realize data access control in vehicular network system, and design an efficient user and attribute revocation method for it. The analysis and the simulation results show that our scheme is secure and highly efficient.

Attribute-based fuzzy identity access control in multicloud computing environments

Firstly, we propose a multiauthority ciphertext policy attribute-based encryption scheme. It achieves fine-grained access control based upon fuzzy identity over encrypted data without any trusted center or extra interaction among multiple authorities. Moreover, it satisfies the collusion resistance requirement as long as at least one of the attribute authorities is honest. The security proof demonstrates that the proposed scheme is secure against chosen plaintext attacks in random oracle model under decisional multilinear Diffie–Hellman assumption. Secondly, we construct an attribute-based access control system for proxy-based multicloud environment to achieve distributed access control without any trusted center, manager, or additional secret keys. In our construction, the original secret keys are split into a control key, a decryption key and a set of transformation keys. It only takes the mobile device a lightweight decryption with a single decryption key. The overwhelming majority of decryption operations are outsourced to cloud via transformation keys. In addition, the attribute revocation can be realized by updating transformation keys using the control key, while ciphertexts and user’s decryption key still remain unchanged. Furthermore, proxies are helpful to promote the collaboration among multiple clouds in file access control system. Finally, the performance analysis shows that our construction is flexible and practical for mobile users in proxy-based multicloud environment.

Securing Outsourced Data in the Multi-Authority Cloud with Fine-Grained Access Control and Efficient Attribute Revocation

Data outsourcing is a promising service for data owners, where their data are stored on a cloud storage provider. Since the cloud is not fully trusted, data access control has become a challenging issue in the Cloud Storage System (CSS). Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a feasible technique for ensuring access control in the CSS, where an attribute authority is responsible to manage attributes and distribute keys. In this paper, we propose a novel revocable Multi-Authority CP-ABE scheme, in which the access policy can be constructed as an arbitrary tree rather than a matrix used by existing schemes. The tree-like policy makes our scheme more flexible. Consequently, the encryption, decryption and attribute revocation operations are also more efficient. Our scheme is also proved to be secure under the standard assumption. It can resist user collusion attack, while the attribute revocation operation also achieves both forward security and backward security. Simulation results show that our scheme is highly efficient

Privacy protection based access control scheme in cloud-based services

With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection (PS-ACS). In the PS-ACS scheme, we divide users into private domain (PRD) and public domain (PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption (KAE) and the Improved Attribute-based Signature (IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption (CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.

Two-Factor Data Access Control With Efficient Revocation for Multi-Authority Cloud Storage Systems

Attribute-based encryption, especially for ciphertext-policy attribute-based encryption, can fulfill the functionality of fine-grained access control in cloud storage systems. Since users’ attributes may be issued by multiple attribute authorities, multi-authority ciphertext-policy attribute-based encryption is an emerging cryptographic primitive for enforcing attribute-based access control on outsourced data. However, most of the existing multi-authority attribute-based systems are either insecure in attribute-level revocation or lack of efficiency in communication overhead and computation cost. In this paper, we propose an attribute-based access control scheme with two-factor protection for multi-authority cloud storage systems. In our proposed scheme, any user can recover the outsourced data if and only if this user holds sufficient attribute secret keys with respect to the access policy and authorization key in regard to the outsourced data. In addition, the proposed scheme enjoys the properties of constant-size ciphertext and small computation cost. Besides supporting the attribute-level revocation, our proposed scheme allows data owner to carry out the user-level revocation. The security analysis, performance comparisons, and experimental results indicate that our proposed scheme is not only secure but also practical.

Multi-Authority CP-ABE with Policy Update in Cloud Storage

Multi-Authority CP-ABE with Policy Update in Cloud Storage

Multi-authority attribute-based encryption access control scheme with policy hidden for cloud storage

For realizing the flexible, scalable and fuzzy fine-grained access control, ciphertext policy attribute-based encryption (CP-ABE) scheme has been widely used in the cloud storage system. However, the access structure of CP-ABE scheme is outsourced to the cloud storage server, resulting in the disclosure of access policy privacy. In addition, there are multiple authorities that coexist and each authority is able to issue attributes independently in the cloud storage system. However, existing CP-ABE schemes cannot be directly applied to data access control for multi-authority cloud storage system, due to the inefficiency for user revocation. In this paper, to cope with these challenges, we propose a decentralized multi-authority CP-ABE access control scheme, which is more practical for supporting the user revocation. In addition, this scheme can protect the data privacy and the access policy privacy with policy hidden in the cloud storage system. Here, the access policy that is realized by employing the linear secret sharing scheme. Finally, the security and performance analyses demonstrate that our scheme has high security in terms of access policy privacy and efficiency in terms of computational cost of user revocation.

TMACS: A Robust and Verifiable Threshold Multi-Authority Access Control System in Public Cloud Storage

Attribute-based Encryption (ABE) is regarded as a promising cryptographic conducting tool to guarantee data owners’ direct control over their data in public cloud storage. The earlier ABE schemes involve only one authority to maintain the whole attribute set, which can bring a single-point bottleneck on both security and performance. Subsequently, some multi-authority schemes are proposed, in which multiple authorities separately maintain disjoint attribute subsets. However, the single-point bottleneck problem remains unsolved. In this paper, from another perspective, we conduct a threshold multi-authority CP-ABE access control scheme for public cloud storage, named TMACS, in which multiple authorities jointly manage a uniform attribute set. In TMACS, taking advantage of ( $t,n$ ) threshold secret sharing, the master key can be shared among multiple authorities, and a legal user can generate his/her secret key by interacting with any $t$ authorities. Security and performance analysis results show that TMACS is not only verifiable secure when less than $t$ authorities are compromised, but also robust when no less than $t$ authorities are alive in the system. Furthermore, by efficiently combining the traditional multi-authority scheme with TMACS, we construct a hybrid one, which satisfies the scenario of attributes coming from different authorities as well as achieving security and system-level robustness.

Mobile edge computing and field trial results for 5G low latency scenario

In most existing CP-ABE schemes, there is only one authority in the system and all the public keys and private keys are issued by this authority, which incurs ciphertext size and computation costs in the encryption and decryption operations that depend at least linearly on the number of attributes involved in the access policy. We propose an efficient multi-authority CP-ABE scheme in which the authorities need not interact to generate public information during the system initialization phase. Our scheme has constant ciphertext length and a constant number of pairing computations. Our scheme can be proven CPA-secure in random oracle model under the decision q-BDHE assumption. When user's attributes revocation occurs, the scheme transfers most re-encryption work to the cloud service provider, reducing the data owner's computational cost on the premise of security. Finally the analysis and simulation result show that the schemes proposed in this thesis ensure the privacy and secure access of sensitive data stored in the cloud server, and be able to cope with the dynamic changes of users' access privileges in large-scale systems. Besides, the multi-authority ABE eliminates the key escrow problem, achieves the length of ciphertext optimization and enhances the efficiency of the encryption and decryption operations.

Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage

Data access control is an effective way to ensure the data security in the cloud. Due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems. Ciphertext-Policy Attribute-based Encryption (CP-ABE) is regarded as one of the most suitable technologies for data access control in cloud storage, because it gives data owners more direct control on access policies. However, it is difficult to directly apply existing CP-ABE schemes to data access control for cloud storage systems because of the attribute revocation problem. In this paper, we design an expressive, efficient and revocable data access control scheme for multi-authority cloud storage systems, where there are multiple authorities co-exist and each authority is able to issue attributes independently. Specifically, we propose a revocable multi-authority CP-ABE scheme, and apply it as the underlying techniques to design the data access control scheme. Our attribute revocation method can efficiently achieve both forward security and backward security. The analysis and simulation results show that our proposed data access control scheme is secure in the random oracle model and is more efficient than previous works.

Privacy-aware attribute-based PHR sharing with user accountability in cloud computing

As an emerging patient-centric model of health information exchange, personal health record (PHR) is often outsourced to be stored at a third party. The value of PHR data is its long-term cumulative record relevant with personal health which can be significant in the future when faced with disease occurrences. As a promising public key primitive, attribute-based encryption (ABE) has been used to design PHR sharing systems. However, the existing solutions fail to achieve several important security objectives, that is, no need for a single authority to issue private keys to all PHR users, user access privacy protection, and user accountability. In this paper, we propose a multi-authority ciphertext-policy ABE scheme with user accountability and apply it to design an attribute-based PHR sharing system. In the proposed solution, the access policy is hidden and hence user access privacy is protected. In particular, the global identity of a misbehaving PHR user who leaked the decryption key to other unauthorized users can be traced, and thus the trust assumptions on both the authorities and the PHR users are reduced. Extensive analysis shows that the proposed scheme is provably secure and efficient.