Attribute-Based Data Sharing with Flexible and Direct Revocation in Cloud Computing
KSII Transactions on Internet and Information Systems (TIIS). 2014. Nov, 8(11): 4028-4049
Copyright © 2014, Korean Society For Internet Information
  • Received : May 28, 2014
  • Accepted : October 01, 2014
  • Published : November 30, 2014
About the Authors
Yinghui Zhang
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, P.R. China
Xiaofeng Chen
State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi'an 710071, P.R. China
Jin Li
School of Computer Science, Guangzhou University, Guangzhou 510006, P.R. China
Hui Li
State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi'an 710071, P.R. China
Fenghua Li
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, P.R. China

Abstract
Attribute-based encryption (ABE) is a promising cryptographic primitive for implementing fine-grained data sharing in cloud computing. However, before ABE can be widely deployed in practical cloud storage systems, a challenging issue with regard to attributes and user revocation has to be addressed. To our knowledge, most of the existing ABE schemes fail to support flexible and direct revocation owing to the burdensome update of attribute secret keys and all the ciphertexts. Aiming at tackling the challenge above, we formalize the notion of ciphertext-policy ABE supporting flexible and direct revocation (FDR-CP-ABE), and present a concrete construction. The proposed scheme supports direct attribute and user revocation. To achieve this goal, we introduce an auxiliary function to determine the ciphertexts involved in revocation events, and then only update these involved ciphertexts by adopting the technique of broadcast encryption. Furthermore, our construction is proven secure in the standard model. Theoretical analysis and experimental results indicate that FDR-CP-ABE outperforms the previous revocation-related methods.
Keywords
1. Introduction
With the advent of cloud computing technology, sharing data through a third-party service provider has never been more economical and convenient than now. However, due to data outsourcing and untrusted storage servers, data access control becomes a challenging issue in cloud storage, where differentiated data access is frequently required in the sense that users with different attributes should be granted different levels of access privileges. Traditional methods based on access control lists are no longer suitable for cloud computing, because they require a fully trusted cloud server.
Aiming at providing fine-grained access control over cloud storage, a novel public key primitive namely attribute-based encryption (ABE) [1] was introduced in the cryptographic community, which enables public one-to-many encryption. ABE comes in two flavors called key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE) [2] . Compared with KP-ABE, CP-ABE is extremely suitable for cloud-based data sharing, because it enables data owners to make and enforce access policies themselves. In CP-ABE, every ciphertext is associated with an access policy, and every secret key is associated with a set of attributes. A particular attribute secret key can decrypt a ciphertext if and only if the attributes associated with the secret key match the underlying access policy in the ciphertext.
Though CP-ABE is a promising primitive for designing fine-grained access control systems in cloud computing, there are several challenges that remain in applications of CP-ABE.
  • On the one hand, revocation issues are essential and difficult in CP-ABE systems in that users may change their attributes frequently in practice and each attribute is conceivably shared by multiple users. Most of the existing CP-ABE schemes [3][4][5][6][7][8] only provide indirect revocation mechanisms, which suffer a severe efficiency drawback due to a key update phase. Direct revocation does not require users to update attribute secret keys periodically. However, existing CP-ABE schemes [9][10] only support direct user revocation, and hence cannot realize flexible attribute revocation. In particular, direct attribute revocation can realize a fine-grained revocation mechanism without affecting any non-involved users and hence is a preferable solution. Therefore, one challenge is how to realize direct attribute revocation in CP-ABE.
  • On the other hand, CP-ABE has a drawback that ciphertext length often grows with the complexity of access policies [3][10][11][12]. The drawback appears more serious for application scenarios where bandwidth issues are major concerns. Therefore, another challenge is how to keep ciphertext length of CP-ABE constant.
To the authors’ knowledge, however, there are no CP-ABE schemes, which have constant-size ciphertexts and provide direct attribute revocation mechanisms.
- 1.1 Our Contribution
Research contributions of this paper can be summarized as follows:
  • Firstly, we analyze security and efficiency goals of attribute-based data sharing in cloud computing. We formalize the notion of CP-ABE supporting flexible and direct revocation mechanisms (FDR-CP-ABE) in the setting of cloud computing, formulate a reasonable security model, and present a concrete construction. The proposed scheme is a directly revocable CP-ABE scheme, which supports direct user and attribute revocation and is applicable to data sharing architectures in cloud computing.
  • Secondly, in order to realize a flexible and direct revocation mechanism in the proposed FDR-CP-ABE scheme, we introduce an auxiliary function to specify which ciphertexts are involved in revocation events, and then use the technique of broadcast encryption to only update these involved ciphertexts. In addition, it is shown that our technique is also applicable to KP-ABE counterparts.
  • Thirdly, the proposed FDR-CP-ABE scheme is proven secure in the standard model. It achieves the security goals of data confidentiality, collusion-resistance, backward secrecy, and forward secrecy. Theoretical analysis and experimental results indicate that the proposed FDR-CP-ABE outperforms the previous revocation-related methods. In particular, it enjoys desirable properties such as no secret key update, partial ciphertext update, and constant-size ciphertexts.
- 1.2 Organization
The remainder of this paper is organized as follows. In Section 2, we review the state-of-the-art attribute-based encryption schemes. Some preliminaries are given in Section 3. We formalize the notion and security model of FDR-CP-ABE in Section 4. Our FDR-CP-ABE construction is detailed in Section 5. Security results together with performance comparisons are presented in Section 6. In Section 7, the application of our technique to KP-ABE counterparts is discussed. Finally, we conclude this paper in Section 8.
2. Related Work
Since the introduction of ABE [1] in implementing fine-grained data access control systems, plenty of researches have been done on ABE. In KP-ABE, access policies are enforced in secret keys and ciphertexts are labeled with a set of attributes. In CP-ABE, the roles of the attribute set and the access policy are swapped from what we described for KP-ABE. The first KP-ABE construction [2] realized monotonic access structures for key policies. To enable more flexible access policies, Ostrovsky et al. [13] presented the first KP-ABE system that supports the expression of non-monotone formulas in key policies. On the other hand, Bethencourt et al. [3] proposed the first CP-ABE scheme, but the security proof is given in the generic group model. To overcome this weakness, Cheung and Newport [11] presented another construction that is proven selectively secure in the standard model. To achieve full security, Lewko et al. [12] proposed a fully secure CP-ABE scheme in composite order bilinear groups, and proved its security from three static assumptions. There are also many works proposed to make further improvements on ABE, such as accountable ABE [14] [15] , anonymous ABE [16] [17] [18] , ABE with constant-size ciphertexts [19] [20] [21] , etc. Despite various attractive features, the above CP-ABE schemes cannot realize a revocation mechanism, which is indispensable for attribute-based systems in that users’ secret keys might get compromised at some point in the future.
In order to deal with the challenging revocation issue in attribute-based systems, several attribute-revocable ABE schemes have been proposed [3] [4] . These schemes realize attribute revocation by setting an expiration time on each attribute, and hence the method is called a timed rekeying mechanism . However, these attribute-revocable ABE schemes suffer a security drawback in terms of the backward and forward secrecy, and the method based on validation time fails to realize attribute change in a timely fashion, i.e., the immediate attribute revocation. For the sake of practical ABE systems [5] [6] [7] [8] , Yu et al. [5] proposed a CP-ABE scheme supporting immediate attribute revocation mechanisms with the help of a semi-trusted proxy server. Hur et al. [6] proposed an immediate attribute revocation mechanism in CP-ABE by allowing a proxy server to re-encrypt ciphertexts with a set of attribute group keys. Yang et al. [7] proposed an attribute revocation method to cope with the dynamic changes of users’ access privileges. Li et al. [8] used ABE to realize secure sharing of personal health records and their solution supports attribute revocation. Researches on the security of e-healthcare have also been done in [22] [23] . However, all the above schemes only support indirect revocation , that is, the attribute center indirectly realizes revocation by only allowing non-revoked users to update secret keys. The indirect revocation method has a disadvantage that the key update phase can be a performance bottleneck for both the attribute center and all the non-revoked users.
To tackle the above issue, Attrapadung et al. [9] proposed directly user-revocable CP-ABE schemes by combining the techniques of ABE and broadcast encryption (BE). Direct revocation has a desirable property that revocation can be realized without affecting any non-involved users, that is, it does not require users to update attribute secret keys periodically. Since Fiat et al. [24] first introduced the notion of BE, Boneh et al. [25] proposed a collusion-resistant BE scheme with short ciphertexts and private keys. The methods in [9] require that data owners should take full charge of maintaining the membership lists for each attribute group. Accordingly, these schemes are not suitable for data sharing in cloud computing, where the data owners upload their data into clouds and they will no longer be in direct control of the data. Sahai et al. [10] presented a generic method to show that a CP-ABE scheme with ciphertext delegation and piecewise key generation implies a revocable storage CP-ABE scheme. Furthermore, they proposed a variant of the CP-ABE scheme [12] that supports ciphertext delegation and piecewise key generation. However, the proposed scheme fails to support direct attribute revocation and the ciphertext length is not constant. Other research on direct revocation mechanisms can be seen in [26] [27]. The above directly revocable ABE schemes cannot efficiently realize attribute and user revocation, and the ciphertext size linearly increases with the number of revoked users or the complexity of access policies.
In the extended abstract [28] of this paper, we formalized the notion of FDR-CP-ABE and presented a concrete scheme. We revise the paper a lot and add more technical details as compared to [28]. Firstly, in order to realize data sharing based on ABE in cloud computing, we add Section 4.2 to describe the system architecture, and add Section 4.3 to analyze security and efficiency goals of attribute-based data sharing systems. Secondly, for the FDR-CP-ABE construction, we provide detailed security proofs in the standard model in Section 6.1. Thirdly, we do intensive experiments and present more extensive performance comparisons in Section 6.2. Lastly, we add Section 7 to demonstrate that our technique is applicable to the KP-ABE counterpart.
3. Preliminaries
- 3.1 Bilinear Pairings
Let and be two cyclic multiplicative groups of prime order $p$, $g$ be a generator of , and 1 be the identity of . We call map : × a bilinear pairing if it satisfies the following properties. 1) Computability: there exists an efficient algorithm for computing map . 2) Bilinearity: $(g^a, g^b) = (g, g)^{ab}$ for all $a, b$ . 3) Non-degeneracy: $(g, g) \neq 1$.
- 3.2 Complexity Assumptions
Bilinear Diffie-Hellman Exponent (BDHE) assumption: Let be a bilinear group of prime order $p$, and $g$, $h$ be two independent generators of . Let g,a,l = $(g_1, g_2, \ldots, g_l, g_{l+2}, \ldots, g_{2l})$ ∈ , where $g_i = g^{(\alpha^i)}$ for some unknown $\alpha$ . An algorithm $B$ that outputs $\mu \in \{0, 1\}$ has advantage $\epsilon$ in solving the decision -BDHE problem if
We say the decision ($t$, $\epsilon$, )-BDHE assumption holds in if no $t$-time algorithm has advantage at least $\epsilon$ in solving the decision -BDHE problem in .
4. Definition and Models
- 4.1 Notations
For simplicity, we explain some notations in Table 1 , which are frequently used in this paper. Note that the attribute center in a data sharing system will publish an attribute revocation list on a public bulletin board when an attribute revocation event occurs. In Table 1 , the attribute revocation information R and the public parameter PP are published on the public bulletin board by the attribute center.
[Table 1: Notations frequently used in this paper]
- 4.2 System Architecture
As shown in Fig. 1 , the architecture of an attribute-based data sharing system in cloud computing consists of four types of parties: an attribute center, a cloud service provider, data owners, and users. Data owners and users are administrated by the attribute center. The cloud service provider is honest-but-curious and it manages a cloud to provide data storage service. Note that the cloud is assumed to have sufficient storage capacity and computation power. Data owners encrypt their contents and store ciphertext data in the cloud for sharing. To access the shared contents in the cloud, users download encrypted contents of interest from the cloud and then decrypt them based on their secret keys. In particular, the cloud service provider can update ciphertexts involved in some revocation events based on the delegation key from the attribute center.
[Fig. 1: Architecture of an attribute-based data sharing system]
- 4.3 Design Goals
We aim to propose a CP-ABE scheme supporting flexible and direct revocation mechanisms. On the one hand, it achieves the following security goals.
  • Data Confidentiality. Unauthorized users who do not have enough attributes matching the access policy specified for a ciphertext by a data owner should be prevented from accessing the plaintext of this ciphertext. In particular, unauthorized access from the cloud service provider to the plaintext should also be prevented.
  • Collusion-Resistance. If multiple users collude, they may be able to access the plaintext of a given ciphertext by combining their attributes even if each of them cannot decrypt the ciphertext alone. For access control systems in practice, these colluders should not succeed.
  • Backward and Forward Secrecy. Backward secrecy means that a newly joined user who has sufficient attributes should be able to decrypt the ciphertexts which were published before he holds the attributes. And, forward secrecy means that any user who is involved in a revocation event cannot access the plaintexts of the subsequent ciphertexts exchanged after he drops related attributes, unless the other attributes still satisfy the access policy.
On the other hand, the proposed scheme enjoys the following efficiency benefits.
  • No Secret Key Update. Users need not update attribute secret keys whenever a revocation event occurs. Notice that direct revocation mechanisms enjoy this property.
  • Partial Ciphertext Update. When an attribute revocation event occurs, the cloud service provider only needs to update partial ciphertexts of which the underlying access policies are involved in the revocation event¹.
  • Constant-Size Ciphertexts. The length of a ciphertext is constant and it does not linearly increase with the number of attributes in universe or the number of revocation events.
- 4.4 Definition of FDR-CP-ABE
A FDR-CP-ABE scheme consists of six algorithms: Setup , KeyGen , Encrypt , UKeyGen , CTUpdate , and Decrypt , where Encrypt and CTUpdate play an important role in realizing revocation mechanisms. Particularly, there are four types of ciphertexts in FDR-CP-ABE: Type-1 ciphertexts, Type-2 ciphertexts, Type-3 ciphertexts, and Type-4 ciphertexts, which are defined in the following algorithms Encrypt and CTUpdate . It is worth noting that Type-1 and Type-2 ciphertexts are generated by encryptors in the algorithm Encrypt , while Type-3 and Type-4 ciphertexts are generated by cloud service providers in the algorithm CTUpdate .
  • ► Setup($1^\lambda$) → ($PK$, $MK$): On input a security parameter $\lambda$, it returns the system public key $PK$ which is distributed to users, and the master key $MK$ which is kept private by the attribute center.
  • ► KeyGen($PK$, $MK$, $S$) → $SK_S$: On input $PK$, $MK$ and an attribute set $S$, it outputs the attribute secret key $SK_S$ associated with the set $S$.
  • ► Encrypt($PK$, $M$, $W$, $R$) → $CT_W$: On input $PK$, a message $M$, an access structure $W$, and the attribute revocation information $R$ to date, it generates a ciphertext $CT_W$ of $M$ with respect to $W$.
Remark 1. We say $CT_W$ is a Type-1 ciphertext if $W$ is not involved in $R$. Otherwise, $CT_W$ is said to be a Type-2 ciphertext if $W$ is involved in $R$. Simply speaking, Type-1 ciphertexts are not involved in revocation events while Type-2 ciphertexts are relevant to revocation events. In the concrete scheme in Section 5.3, if a user is involved in any one of the revocation events in $R$, he fails to recover $M$ from $CT_W$ = Encrypt($PK$, $M$, $W$, $R$) even if his attribute set satisfies $W$. Hence, Encrypt plays a role of attribute revocation.
  • ► UKeyGen($PK$, $MK$, $R^{(k)}$) → ($PP^{(k)}$, $UK^{(k)}$): On input $PK$, $MK$, and an attribute revocation list $R^{(k)}$ published by the attribute center when the $k$-th revocation event occurs, it generates the public parameter $PP^{(k)}$ and ciphertext update key $UK^{(k)}$ corresponding to $R^{(k)}$. The attribute center publishes $PP^{(k)}$ on a public bulletin board, and sends $UK^{(k)}$ to the cloud service provider through a secure channel.
  • ► CTUpdate($PK$, $CT_W$, $UK^{(k)}$, $R^{(k)}$) → : On input $PK$, $CT_W$ with respect to $W$, $UK^{(k)}$ and $R^{(k)}$, it generates an updated ciphertext of $CT_W$ with $W$ unchanged if and only if $W$ is involved in $R^{(k)}$. It need not update $CT_W$ if $W$ is not involved in $R^{(k)}$.
Remark 2. We say is a Type-3 (resp. Type-4) ciphertext if $CT_W$ is a Type-1 (resp. Type-2) ciphertext. Furthermore, if $CT_W$ is a Type-3 (resp. Type-4) ciphertext, the updated ciphertext is still a Type-3 (resp. Type-4) ciphertext. Simply speaking, Type-3 ciphertexts are generated by updating Type-1 or Type-3 ciphertexts, and Type-4 ciphertexts are generated by updating Type-2 or Type-4 ciphertexts. In the concrete scheme in Section 5.3, if a user is involved in $R^{(k)}$, he fails to decrypt = CTUpdate($PK$, $CT_W$, $UK^{(k)}$, $R^{(k)}$) even if he can decrypt $CT_W$. Hence, CTUpdate plays a role of attribute revocation.
  • ► Decrypt($PK$, $PP$, $CT_W$, $SK_S$) → $M$ or ⊥: On input $PK$, the public parameters $PP$ corresponding to all the attribute revocation events to date, a ciphertext $CT_W$ of a message $M$ under the access policy $W$, and a secret key $SK_S$ associated with the attribute set $S$, it checks if $S$ = $W$ and $SK_S$ is not involved in attribute revocation events associated with $CT_W$. If so, it returns message $M$. Otherwise, it returns ⊥ with overwhelming probability.
- 4.5 Security Model
In order to achieve the security goals considered in Section 4.3, we model the capability of adversaries. We formalize two types of adversaries: Type-I adversary $A_I$ and Type-II adversary $A_{II}$. $A_I$ aims to break the confidentiality of Type-1 ciphertexts in which no attribute revocation events are involved, and hence $A_I$ is not allowed to make a secret key query on the attribute set satisfying the challenge access structure. However, $A_{II}$ intends to break the confidentiality of Type-2, Type-3, and Type-4 ciphertexts, which are involved in revocation events, and hence $A_{II}$ is allowed to make a secret key query on any attribute sets. It is worth observing that the design goals of Data Confidentiality, Collusion-Resistance and Backward and Forward Secrecy are integrated in the indistinguishability against selective ciphertext-policy and chosen plaintext attacks (IND-sCP-CPA) model, which is based on the following IND-sCP-CPA game involving an adversary $A_i$ ($i = I, II$) and a simulator $B$. In fact, in the initialization phase of the proposed security model, $A_I$ only needs to submit a challenge access structure $W^*$ to the simulator, and $A_{II}$ has to additionally submit attribute revocation information $R^*$ and an attribute revocation list $R^{*(k)}$. In order to integrate collusion-resistance, different users are allowed to collude to guess the random bit chosen by the challenger in the security model. To demonstrate that backward and forward secrecy is reflected in the security model, different kinds of challenge ciphertexts are generated based on $R^*$ and $R^{*(k)}$ in the challenge phase. Hence, if the proposed scheme is proven secure in the proposed security model, it enjoys data confidentiality, collusion-resistance and backward and forward secrecy. The IND-sCP-CPA game is described as follows:
Init: $A_i$ ($i = I, II$) chooses a challenge access structure $W^*$ and submits it to $B$. It should be noted that attribute revocation information is published on a public bulletin board by $B$. In addition, $A_{II}$ submits attribute revocation information $R^* = \{R^{*(1)}, R^{*(2)}, \ldots, R^{*(j)}\}$ and an attribute revocation list $R^{*(k)}$ with $k$ $j + 1$.
Setup: $B$ chooses a security parameter $\lambda$, and runs the Setup algorithm to get a master key $SK$ and the corresponding system public key $PK$. It retains $SK$ and gives $PK$ to $A_i$.
Phase 1: $A_i$ issues a polynomially (in $\lambda$) bounded number of queries as follows:
  • KeyGen oracle $O_{KeyGen}$: $A_i$ submits an attribute set $S$, and $B$ answers queries from $A_I$ and $A_{II}$ as follows:
  • ➢ For $A_I$, $B$ returns $SK_S$ with a restriction that $S$ $W^*$, and returns ⊥ if $S$ $W^*$.
  • ➢ For $A_{II}$, $B$ returns $SK_S$ even if $S$ $W^*$.
  • UKeyGen oracle $O_{UKeyGen}$: $A_i$ submits an attribute revocation list $R^{(k)}$, and $B$ returns the ciphertext update key $UK^{(k)}$ corresponding to $R^{(k)}$.
  • CTUpdate oracle $O_{CTUpdate}$: $A_i$ submits a ciphertext $CT_W$ and an attribute revocation list $R^{(k)}$ published by the attribute center. $B$ returns an updated ciphertext of $CT_W$.
Challenge: Once $A_i$ decides that Phase 1 is over, it outputs two equal length messages $M_0$, $M_1$ on which it wishes to be challenged with respect to $W^*$. $B$ chooses a bit $b$ R {0,1}, and generates challenge ciphertexts for $A_i$ as follows:
  • For $A_I$, $B$ returns $CT_{W^*}$ = Encrypt($PK$, $M_b$, $W^*$, Ø), where $CT_{W^*}$ is of Type-1.
  • For $A_{II}$, we consider three circumstances.
  • ➢ Case 1. $W^*$ is involved in $R^*$. In this case, $B$ returns $CT_{W^*}$ = Encrypt($PK$, $M_b$, $W^*$, $R^*$), and hence the challenge ciphertext $CT_{W^*}$ is of Type-2.
  • ➢ Case 2. $W^*$ is not involved in $R^*$, but it is involved in $R^{*(k)}$. In this case, $B$ returns = CTUpdate($PK$, $CT_{W^*}$, $UK^{(k)}$, $R^{*(k)}$), where $CT_{W^*}$ = Encrypt($PK$, $M_b$, $W^*$, $R^*$), and hence is of Type-3.
  • ➢ Case 3. $W^*$ is involved in $R^*$ and $R^{*(k)}$ simultaneously. In this case, $B$ computes as in Case 2, and returns as the challenge ciphertext, which is of Type-4.
Phase 2: The same as Phase 1. Furthermore, $A_i$ can make ciphertext update queries on challenge ciphertexts.
Guess: $A_i$ outputs a guess bit $b' \in \{0, 1\}$ and wins the game if $b' = b$. The advantage of $A_i$ in the above IND-sCP-CPA game is defined as .
Definition 1. A probabilistic algorithm $A$ is said to $(t, \epsilon, q_K)$-break a FDR-CP-ABE scheme if $A$ achieves an advantage , when running in at most steps, and making at most $q_K$ queries to the key generation oracle $O_{KeyGen}$. A FDR-CP-ABE scheme is said to be $(t, \epsilon, q_K)$-secure if no forger can $(t, \epsilon, q_K)$-break it.
Given an access structure W and the attribute revocation information to date denoted by R, we check whether W is involved in R or not based on an auxiliary function RevoIndex, which is introduced in Section 5.2. Similarly, we can check whether W is involved in the i-th attribute revocation list R(i) or not based on RevoIndex.
5. Construction of FDR-CP-ABE
- 5.1 Attribute and Access Structure
Suppose there are $n$ attributes in universe denoted by = $\{w_1, w_2, \ldots, w_n\}$ for a certain natural number $n$. And, each attribute $w_i$ would have three occurrences: positive , negative and “don't care” *, where represents a user has the attribute $w_i$, and denotes a user does not have $w_i$ or $w_i$ is not a proper attribute of the user. We consider the access structure $W$ that consists of AND gates on positive and negative attributes, that is, , where W ⊆ $\{1, 2, \ldots, n\}$ is the index set of attributes specified in $W$ and i is or . If an attribute does not appear in the AND gate, its occurrence is “don't care”. This kind of policy is also adopted in [5] [11]. It is noted that $S$ $W$ if and only if for $i$ W, $w_i$ $S$ when i = and $w_i$ $S$ when i = .
- 5.2 Auxiliary Function
We introduce an auxiliary function RevoIndex to check whether an access structure $W$ is involved in an attribute revocation list $R^{(k)}$ or not. In other words, we can decide based on RevoIndex if a ciphertext with the underlying access structure $W$ should be updated when the $k$-th attribute revocation event occurs.
RevoIndex($PK$, $W$, $R^{(k)}$) → : On input $PK$, $W$ and $R^{(k)}$, RevoIndex outputs the index set associated with $W$ of users involved in the $k$-th attribute revocation event. Note that , where and . (k) is the set of attributes the attribute center has revoked. Let , then RevoIndex outputs , where if i = and if i = . Suppose = RevoIndex($PK$, $W$, $R^{(k)}$). If = ∅, the ciphertexts under $W$ do not have to be updated even if the $k$-th attribute revocation event occurs. Otherwise, ≠ ∅, the ciphertexts under $W$ have to be updated by the attribute center such that users specified by cannot access these ciphertexts again.
For a better understanding, we illustrate RevoIndex by an example. As shown in Table 2, we consider $n = 10$, $m = 20$, and , it easily follows that W = {1,2,4}, (k) = $\{w_1, w_2, w_3\}$ and Hence, we have and . From Table 2, where RSN denotes the revocation serial number, we know that = {1,2,5,8}. That is, when the $k$-th attribute revocation event occurs, the ciphertexts under have to be updated such that users specified by = {1,2,5,8} cannot access them again.
[Table 2: Data structure of the attribute revocation list R(k)]
- 5.3 Construction
Setup($1^\lambda$): Let , be cyclic multiplicative groups of prime order $p$, and : × be a bilinear map. Define a hash function $H$ : $\{1, 2, \ldots, 2n\}$ → . The attribute center chooses a generator $g$ R , $x_1, x_2, \ldots, x_{2n}$ R and $y_1, y_2, \ldots, y_{2n}$ R . For $i = 1, 2, \ldots, 2n$, the attribute center sets $u_i = g^{-x_i}$, $Y_i$ = $(g, g)^{y_i H(i)}$. It also picks $\alpha$, $\beta$ R and sets $v = g^{\beta}$. Suppose the total number of users in the system is bounded above by some natural number $m$. For notational simplicity, we let m = $\{1, 2, \ldots, m\}$ in the following. For $i = 1, 2, \ldots, m, m + 2, m + 3, \ldots, 2m$, the attribute center computes $g_i = g^{(\alpha^i)}$. The system public key is published as $PK = \langle g, \{u_k, Y_k\}_{1 \le k \le 2n}, \{g_k\}_{1 \le k \le 2m,\, k \neq m+1}, v \rangle$. The master key is $MK = \langle \{x_k, y_k\}_{1 \le k \le 2n}, \beta \rangle$.
KeyGen($PK$, $MK$, $S$): Let $S$ be an attribute set of the user who wants to obtain the corresponding attribute secret key. The attribute center chooses $h$ R for the user. Then for $i \in \{1, 2, \ldots, n\}$, it computes i as follows:
Also, the attribute center computes $d$ = , where $sn \in \{1, 2, \ldots, m\}$ is a serial number. Note that $sn$ is used by the attribute center to indicate that the current user is the $sn$-th one to join the system. Finally, the attribute secret key is $SK_S$ = < $sn$, $h$, { i } $_{1 \le i \le n}$, $d$ >.
Encrypt($PK$, $M$, $W$, $R$):² Suppose the attribute center has published a total of $N_{now}$ attribute revocation lists denoted by $R$. We have $R = \{R^{(i)}\}_{1 \le i \le N_{now}}$, where $R^{(i)}$ represents the $i$-th attribute revocation list. In order to encrypt a message $M$ under a ciphertext policy , an encryptor computes , where < i , i > is defined as follows:
  • If i = , then = = .
  • If i = , then = = .
In addition, for $1 \le i \le N_{now}$, the encryptor uses $W$ and $R^{(i)}$ to call RevoIndex to generate = RevoIndex($PK$, $W$, $R^{(i)}$). Then, it sets , where $R_W$ represents the attribute revocation information corresponding to $W$ in $R$. The encryptor chooses $s$ R and computes the ciphertext $CT_W$ of $M$ with respect to $W$ as follows:
  • If $R_W$ = ∅, then a Type-1 ciphertext is generated. In this case, no revocation information of $W$ exists currently, and the encryptor sets the ciphertext as $CT_W$ = , where $C_0$ = , $C_1 = g^s$, and $C_2$ = .
  • If $R_W$ ≠ ∅, then a Type-2 ciphertext is generated. In this case, some revocation information to date is related to $W$, and the encryptor computes $K_R$ = $(g_1, g_m)^s$, $C_R = (v \cdot \prod_{i \in I_m - R_W} g_{m+1-i})^s$. Then it sets $C_0$ = $K_R$, $C_1 = g^s$, $C_2$ = . Finally, $CT_W$ = .
UKeyGen($PK$, $MK$, $R^{(k)}$): The attribute center chooses $uk^{(k)}$ R , sets $UK^{(k)} = uk^{(k)} \beta$ and computes $PP^{(k)} = v^{uk^{(k)}} = g^{UK^{(k)}}$. Then, it publishes $PP^{(k)}$ on a public bulletin board, and sends $UK^{(k)}$ to the cloud service provider through a secure channel.
CTUpdate ( PK , CTW , UK (k) , R (k) ) : In order to update the ciphertext CTW according to the k -th attribute revocation list R (k) , in the following, four circumstances are taken into consideration in terms of the type of CTW .
  • Case 1. CTW = is a Type-1 ciphertext generated by encryptors. In this case, we know k = 1. For 1 ≤ i ≤ k, the cloud service provider computes . Subsequently, it sets , where . Then, if , there is no need to update. Otherwise, , the cloud service provider computes $K = \hat{e}(g_1, g_m)^{UK^{(k)}}$. Then it sets = C 0 · K , and computes = C R(k) , where . Finally, = < W , , C 1 , C 2 , >, which is said to be a Type-3 ciphertext.
  • Case 2. CTW = is a Type-2 ciphertext generated by encryptors. Suppose R = {R(1), R(2), …, R(j)}, we know j ≥ 1 and k = j + 1. In this case, the cloud service provider generates the ciphertext components and as in Case 1. Finally, = , which is said to be a Type-4 ciphertext.
  • Case 3. CTW = is a Type-3 ciphertext generated by the cloud service provider. In this case, k ≥ 2. For 1 ≤ i ≤ k, the cloud service provider computes = RevoIndex(PK, W, R(i)). Subsequently, it sets . Then, if , there is no need to update. Otherwise, , the cloud service provider computes $K = \hat{e}(g_1, g_m)^{UK^{(k)}}$. It sets = C0 · K and = · CR(k), where . Finally, = < W , , C 1 , C 2 , >, which is still a Type-3 ciphertext.
  • Case 4. CTW = is a Type-4 ciphertext from the cloud service provider. Suppose R = {R(1), R(2), …, R(j)}, we know j ≥ 1 and k ≥ j + 2. In this case, the cloud service provider updates ciphertext components C0 and as in Case 3. Finally, = , which is still a Type-4 ciphertext.
Decrypt ( PK , PP , CTW , SKS ) : The ciphertext CTW can be decrypted by a user with secret key SKS = < sn , h , { i } 1≤i≤n , d > as follows. If S W , the algorithm returns ⊥. Otherwise, S W , there are four cases in terms of the type of CTW to be considered.
  • Case 1. For a Type-1 ciphertext CTW = , compute σW = ∏i∈IW i, and the message is recovered as .
  • Case 2. For a Type-2 ciphertext CTW = , suppose R = {R(1), R(2), …, R(j)}, we know j ≥ 1. Then, for 1 ≤ i ≤ j, the user computes = RevoIndex(PK, W, R(i)). Subsequently, it sets . If sn ∈ RW, return ⊥. Otherwise, the user computes and σW = ∏i∈IW i and . Finally, the message can be recovered as .
  • Case 3. The ciphertext CTW = is of Type-3. Suppose R(Nnow) is the latest revocation list published by the attribute center. For 1 ≤ i ≤ Nnow, the user computes = RevoIndex(PK, W, R(i)). It sets . If sn ∈ RW, the algorithm returns ⊥. Otherwise, the user computes σW = ∏i∈IW i and . Finally, the message can be recovered as .
  • Case 4. For a Type-4 ciphertext CTW = , suppose R(Nnow) is the latest revocation list published by the attribute center and R = {R(1), R(2), …, R(j)}, we know that j ≥ 1 and j + 1 ≤ Nnow. For 1 ≤ i ≤ Nnow, the user computes = RevoIndex(PK, W, R(i)). Then it sets and . If sn ∈ , the algorithm returns ⊥. Otherwise, the user computes σW = ∏i∈IW i, . Finally, the message can be recovered as .
We denote by Ru the index set of revoked users at some point. To realize user revocation on the system level, the encryptor just sets RW = RW ∪ Ru in the algorithm Encrypt. In addition, the cloud service provider can perform the algorithm CTUpdate based on each R(i) determined by Ru. That is, in any case, the revoked users are eliminated from the broadcast set.
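The broadcast-encryption relation behind the Type-2 components K_R, C_1 and C_R and the key component d, as an added example that is not code from the paper: each group element is stored as its exponent modulo a prime, so the pairing becomes multiplication of exponents. The decapsulation formula is the one from the Boneh, Gentry and Waters broadcast encryption scheme listed in the references, isolated from the attribute part of Decrypt; the names `Center`, `encapsulate`, `decapsulate` and the prime `Q` are assumptions, and the model checks algebra only because it exposes every discrete logarithm.

```python
import secrets

# Toy algebra model (constructed for illustration): the element g^x is stored as
# its exponent x mod Q, so multiplying elements adds exponents and the pairing
# e(g^a, g^b) = e(g, g)^(ab) multiplies them. Every discrete log is exposed.
Q = (1 << 127) - 1  # prime standing in for the group order (assumption)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform in 1..Q-1


def pair(a, b):
    return (a * b) % Q


class Center:
    """Hypothetical stand-in for the attribute center's broadcast parameters."""

    def __init__(self, m):
        self.m = m
        self._alpha = rand_exp()
        self.v = rand_exp()  # exponent beta of v = g^beta
        # Published g_k = g^(alpha^k) for 1 <= k <= 2m, k != m+1.
        self.g = {k: pow(self._alpha, k, Q)
                  for k in range(1, 2 * m + 1) if k != m + 1}

    def user_d(self, sn):
        # Key component d = v^(alpha^sn) of the sn-th user.
        return (self.v * pow(self._alpha, sn, Q)) % Q


def encapsulate(center, revoked):
    """Return (K_R, C_1, C_R, broadcast set) for broadcast set I_m - R_W."""
    broadcast = set(range(1, center.m + 1)) - set(revoked)
    s = rand_exp()
    k_r = (pair(center.g[1], center.g[center.m]) * s) % Q  # e(g_1, g_m)^s
    c_1 = s                                                # g^s
    c_r = (s * (center.v + sum(center.g[center.m + 1 - i]
                               for i in broadcast))) % Q
    return k_r, c_1, c_r, broadcast


def decapsulate(center, broadcast, sn, d, c_1, c_r):
    """e(g_sn, C_R) / e(d * prod_{j in broadcast, j != sn} g_{m+1-j+sn}, C_1).

    Uses only published g_k values; g_{m+1} is never looked up.
    """
    agg = (d + sum(center.g[center.m + 1 - j + sn]
                   for j in broadcast if j != sn)) % Q
    # Division in the target group is subtraction of exponents.
    return (pair(center.g[sn], c_r) - pair(agg, c_1)) % Q


def demo(m=8, revoked=(3, 5)):
    center = Center(m)
    k_r, c_1, c_r, broadcast = encapsulate(center, revoked)
    member = decapsulate(center, broadcast, 2, center.user_d(2), c_1, c_r)
    outsider = decapsulate(center, broadcast, 3, center.user_d(3), c_1, c_r)
    return k_r, member, outsider


if __name__ == "__main__":
    k_r, member, outsider = demo()
    print("non-revoked user recovers K_R:", member == k_r)
    print("revoked user recovers K_R:", outsider == k_r)
```

For a revoked serial number the quotient collapses to the identity of the target group, because the cancelling term would require g_{m+1}, which is never published.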
6. Analysis of the Proposed FDR-CP-ABE Scheme
- 6.1 Security Analysis
Theorem 1. Suppose the decision ( t , ϵ , m )-BDHE assumption holds in , then the proposed FDR-CP-ABE scheme is ( t , ϵ , m )-secure, where m is an upper bound of the total number of users in the system.
Proof. Suppose there exists a t -time adversary A ( AI , AII ) such that . We build a simulator B that has advantage ϵ in solving the decision m -BDHE problem in . B takes as input a random decision m -BDHE challenge ( g , , , Z ), where = ( g 1 , g 2 , … , gm , g m +2 , … , g 2 m ) and Z is either ê( g m +1 , ) or a random element in . The simulator B plays the role of the challenger in the IND-sCP-CPA game, and interacts with the adversary A ( AI , AII ) as follows.
Init. The simulator B receives a challenge access structure specified by the adversary A ( AI , AII ), where with w n represents the attribute index set specified in the challenge access structure W *. In addition, AII submits attribute revocation information R * = { R * (1) , R * (2) , …, R * (j) } and an attribute revocation list R * (k) with k j + 1.
Setup. B chooses j * ∈R {1,2,…, w }, xij ∈R for ij W* , and , yk ∈R for 1 ≤ k ≤ 2 n . In the following, to generate components there are three cases to be considered.
  • For ij ∈ W* - {ij*}, B does the following:
  • ➢ If = , computes
  • ➢ If = , computes
  • For ij*, B does the following:
  • ➢ If = , computes
  • ➢ If = , computes
  • For , B computes
Furthermore, B chooses β , and sets $v = g^{\beta} (\prod_{j \in U^*} g_{m+1-j})^{-1}$ if R W* ≠ ∅, where U * ⊆ R W* denotes the target set of involved users to be challenged by the adversary AII when revocation events occur, else $v = g^{\beta}$ if R W* = ∅. Then the system public key is PK = < g , { uk , Yk } 1≤k≤2n , { gk } 1≤k≤2m, k≠m+1 , v > and B sends PK to A .
Phase 1. The adversary A ( AI , AII ) makes the following queries.
  • KeyGen oracle OKeyGen(S): Suppose A submits an attribute set S in a secret key query. If S W*, there must exist ij ∈ W* such that wij ∉ . Without loss of generality, we only consider the case of wij ∉ S and = . B chooses z ∈R and sets h = gij gz. Furthermore, for ij, B computes the attribute secret key component as . For ≠ ij, B computes in the following:
  • Case 1. If , B computes
  • Case 2. If = ij*, B computes ij* as
  • Case 3. If , B computes
Subsequently, if R W* ≠ ∅, B computes . It is noted that . If R W* = ∅, B computes d = = $v^{(\alpha^{sn})}$. The key point is that sn m , and that since sn m - R W* we know sn j and the product defining d does not include the term g m+1 . It follows that B has all the necessary values to compute the secret component d . On the other hand, if A = AII and S W *, B chooses ij ∈R W* and generates a secret key in the method above. In any case, B returns SKS = < sn , h , { i } 1≤i≤n , d >.
  • UKeyGen oracle OUKeyGen: A submits an attribute revocation list R(k), and B chooses uk(k) ∈R , and computes the ciphertext update key $UK^{(k)} = uk^{(k)}\beta$ and $PP^{(k)} = v^{uk^{(k)}} = g^{UK^{(k)}}$ corresponding to R(k). Then B returns UK(k) and publishes PP(k) on the public bulletin board.
  • CTUpdate oracle OCTUpdate: A submits a ciphertext CTW, and any attribute revocation list R(k) published by the attribute center. B uses UK(k) to generate an updated ciphertext of CTW based on the algorithm definition and returns .
Challenge. B runs the IND-sCP-CPA game under the aggregated public encryption key. We denote . Then the aggregated public encryption key is < u W* , Y W* > , where . B can challenge A as follows. A submits two messages M 0 and M 1 of equal length. B chooses b ∈R {0,1}, and computes , , and . Then B generates challenge ciphertexts for A as follows:
  • For AI, B returns . Then, RW* = ∅ and CTW* is of Type-1.
  • For AII, RW* ≠ ∅ and there are three circumstances to be considered.
  • Case 1. W* is involved in R*. In this case, B computes KR* = Z, and . Then it sets , and hence is of Type-2.
  • Case 2. W* is not involved in R*, but it is involved in R*(k). In this case, B returns = CTUpdate(PK, CTW*, UK(k), R*(k)), where , and hence is of Type-3.
  • Case 3. W* is not only involved in R*, but also involved in R*(k). In this case, B computes as in Case 2, and it returns , which is of Type-4.
The challenge ciphertext is a valid encryption of Mb whenever Z = ê( g m +1 , ). On the other hand, when Z is a random element, is independent of b in the adversary's view.
Phase 2: The same as Phase 1. Furthermore, the adversary A can make ciphertext update queries on challenge ciphertexts.
Guess: A outputs a guess bit b' of b . If b' = b , B outputs 1 in the m -BDHE game to guess that Z = ê( g m+1 , ). Otherwise, it outputs 0 to indicate that Z is a random element in . Note that if Z = ê( g m +1 , ), then is a valid ciphertext and we have
  • .
If Z is a random element in , the message Mb is completely hidden from A , and we have
  • .
Therefore, it follows that B has advantage at least ϵ in solving decision m -BDHE in within time t . This concludes the proof of Theorem 1.
Remark 3. (A Possible Privacy Leakage) In the proposed security model, the adversaries who are able to learn of some correlations between the previous ciphertext and the updated ciphertext are not taken into consideration. It follows from the proposed scheme that many elements from are the same as CTW , which means some users may learn of the correlation between CTW and . In particular, if revoked users can find this correlation and collude with users who previously decrypted the ciphertexts, they would be able to obtain the plaintexts. So, the proposed scheme does not appear to tackle this kind of privacy leakage. In the proposed construction, it is assumed that the previous ciphertexts are deleted from storage servers by the cloud service provider. The ciphertexts which are involved in revocation events are updated based on the ciphertext update algorithm. Otherwise, revoked users only need to decrypt the previous ciphertexts to obtain corresponding plaintexts in that they have the decryption ability before revocation. On the other hand, in the proposed security model, two kinds of adversaries AI and AII are taken into account. In particular, AII is allowed to make secret key queries on any attribute sets. In the initialization phase, AII has to submit attribute revocation information R * = { R * (1) , R * (2) , … , R * (j) } and R * (k) with k j + 1. In the challenge phase, three types of updated ciphertexts are returned to AII as challenge ciphertexts, which are generated based on the above revocation information. However, AII fails to guess the random bit chosen by the challenger and hence finds no information about plaintexts from the challenge ciphertexts. In a word, the proposed scheme is proven secure in the proposed security model, and it has some limitations with respect to security considering the above possible privacy leakage.
- 6.2 Performance Comparison
In this section, we compare the security and efficiency of the proposed FDR-CP-ABE scheme with some existing revocable CP-ABE schemes [3] [5] [6] [9] [10] . The notations used in the comparison are described in Table 3 . In Table 4 , these schemes are compared with respect to the parameter size, the decryption cost, the type of revocation mechanisms, and the application in the setting of data sharing. It is noted that direct revocation can eliminate the performance bottleneck due to attribute secret key updates. As shown in Table 4 , only the schemes in [9] [10] and ours achieve direct user revocation on the system level, of which only the proposed scheme realizes direct attribute revocation. In particular, the proposed FDR-CP-ABE scheme is a directly revocable CP-ABE scheme applicable to the setting of data sharing.
Notations used in comparisons
Security and efficiency comparisons of revocable CP-ABE schemes
On the other hand, ciphertext size implies the communication cost in the system. We note that only the proposed FDR-CP-ABE scheme has constant-size ciphertexts. Furthermore, whenever a revocation event occurs, all the ciphertexts in schemes [3] [5] [6] [9] have to be updated to realize secure access control, while our scheme only needs to update the partial ciphertexts which are involved in revocation. Compared with the directly revocable schemes in [9] , our FDR-CP-ABE is more efficient in terms of the system public key size and decryption cost. The scheme [10] has two attractive properties: (1) the generality of the proposed method; (2) the support of updating ciphertexts to others with more restrictive access policies. However, the proposed method suffers an efficiency drawback in that all the ciphertexts have to be updated whenever a revocation event occurs. In addition, the proposed concrete scheme in [10] fails to support direct attribute revocation and the ciphertext length is not constant. Compared with the scheme [10] , our construction is more desirable because it enjoys direct attribute revocation, partial ciphertext update, and constant-size ciphertexts. Our scheme has a disadvantage that it only achieves selective security. In future research, we will focus on directly attribute-revocable CP-ABE schemes with full security. In general, the proposed FDR-CP-ABE scheme is the first CP-ABE scheme supporting flexible and direct attribute revocation, and it has constant-size ciphertexts.
Considering the desirable properties of direct revocation, we compare schemes [9] denoted as BCP-ABE1 and BCP-ABE2, scheme [10] denoted as SSW-CP-ABE, and ours in terms of the ciphertext length and the decryption cost in Fig. 2 and Fig. 3 , respectively. For the ciphertext length comparison, we set L 0 = L 1 = 160 bits and the number of revocation events as r = 5. Notice that the ciphertext length in the scheme BCP-ABE2 linearly increases with r . In the decryption cost comparison, we set r = 5 and the maximum number of users in the system is m = 500. In order to precisely evaluate the performance of BCP-ABE1, BCP-ABE2, SSW-CP-ABE, and FDR-CP-ABE, our simulation experiments are based on the Stanford Pairing-Based Crypto library (version 0.5.12) [29] and a Linux machine with 3.30 GHz × 8 Intel Xeon(R) E3-1230 V2 CPU and 7.5 GB of RAM. In our experiments, we consider the worst case of the access policy, which ensures that all the ciphertext components are involved in decryption. Specifically, we generate 100 distinct access policies in the form of with t (= n ) increasing from 1 to 100. For each access policy, we repeat the experiment 10 times and take the average values as the final results. Given the number of revocation events, the decryption cost of the schemes BCP-ABE1, BCP-ABE2, and SSW-CP-ABE is linearly proportional to the number of attributes or columns in access structures, while the decryption cost of ours is constant. Therefore, we argue that the proposed FDR-CP-ABE scheme is more suitable for data sharing in cloud computing.
Comparison of ciphertext length
Comparison of cost for decryption
The schemes [3][5][6] fail to support direct revocation mechanisms.
Only the proposed FDR-CP-ABE scheme enjoys the desirable property of partial ciphertext update.
7. FDR-KP-ABE: KP-ABE with Flexible and Direct Revocation
In this section, we show that the idea of constructing FDR-CP-ABE can be used to realize KP-ABE with flexible and direct revocation (FDR-KP-ABE). In KP-ABE, the roles of the attribute set and access policy are swapped from what we described for CP-ABE. That is, each ciphertext is labeled by the data owner with a set of descriptive attributes, while each secret key is associated with an access policy on attributes that specifies which type of ciphertexts the secret key can decrypt. A particular user can decrypt a particular ciphertext only if the ciphertext attributes satisfy the access policy of the key. An exciting application of KP-ABE is pay-TV systems, in which user access privileges are defined over content attributes and could be determined by the price they paid. In these scenarios, the issue of key revocation also exists. In order to realize flexible and direct revocation, we can introduce an auxiliary function to determine which ciphertext components are involved in some revocation events, and then use the BE technique to update these involved ciphertexts by setting the broadcast set as the index set of non-involved users. In the following, we illustrate the above method by an example.
Suppose a ciphertext corresponds to an attribute set
  • S={"CHANNEL: 1", "TYPE: SPORT", "TYPE: MOVIE", "TYPE: NEWS"},
while a key policy W is associated to TV program package keys that a particular user receives when subscribing programs, where
  • W="CHANNEL: 1" ∧ ("TYPE: SPORT" ∨ "TYPE: MOVIE" ∨ "TYPE: MUSIC" ∨ "TYPE: BUSINESS" ∨ "TYPE: NEWS").
Now, the user is allowed to access any programs of types "SPORT", "MOVIE", or "NEWS" provided by channel 1. Later, the system administrator wants to disable the user’s access right on programs with type "SPORT" for some reason such as unpaid expenses. For this purpose, it is necessary to revoke the corresponding components of the user’s secret key. In fact, the storage server just needs to specify the broadcast set as the index set of all users excluding the revoked one, and then use the BE technique to update the ciphertext components associated with the attribute "TYPE: SPORT".
8. Conclusion
We formalize the notion of FDR-CP-ABE and present a concrete scheme, which is based on AND-gates policy supporting positive and negative attributes with wildcards. The proposed scheme is proven secure and enjoys desirable properties such as no secret key update, partial ciphertext update, and constant-size ciphertexts. The FDR-CP-ABE construction can be used to realize fine-grained attribute-based access control over encrypted data in cloud computing. In addition, we show that our technique is applicable to the KP-ABE counterpart.
BIO
Yinghui Zhang received his B.S. (2007) and M.S. (2010) from Nanchang Hangkong University and Xidian University, both in Mathematics. He got his Ph.D degree in Cryptography from Xidian University at 2013. Currently, he works at Xi’an University of Posts and Telecommunications. His research interests are in the areas of wireless network security, cloud security and cryptography.
Xiaofeng Chen received his B.S. and M.S. on Mathematics in Northwest University, China. He got his Ph.D degree in Cryptography from Xidian University at 2003. Currently, he works at Xidian University as a professor. His research interests include applied cryptography and cloud computing security. He has published over 80 research papers in refereed international conferences and journals. His work has been cited more than 1000 times at Google Scholar. He has served as the program/general chair or program committee member in over 20 international conferences.
Jin Li received his B.S. (2002) and M.S. (2004) from Southwest University and Sun Yat-sen University, both in Mathematics. He got his Ph.D degree in information security from Sun Yat-sen University at 2007. Currently, he is a professor at Guangzhou University. His research interests include design of secure protocols in Cloud Computing and cryptographic protocols. He served as a senior research associate at Korea Advanced Institute of Technology (Korea) and Illinois Institute of Technology (U.S.A.) from 2008 to 2010, respectively. He has published more than 40 papers in international conferences and journals, including IEEE INFOCOM, IEEE Transaction on Computers, IEEE Transaction on Parallel and Distributed Computation, etc. He also served as TPC committee for many international conferences.
Hui Li received his B.Sc. degree from Fudan University in 1990, M.A.Sc. and Ph.D. degrees from Xidian University, Xi’ an, China, in 1993 and 1998, respectively. He was as a Visiting Scholar with the Department of Electrical and Computer Engineering, University of Waterloo, Ontario, Canada, in 2009. Since June 2005, he has been a professor in the school of Telecommunications Engineering, Xidian University. His research interests are in the areas of cryptography, security of cloud computing, wireless network security, information theory, and network coding. He is the co-author of two books. He served as TPC co-chair of ISPEC 2009 and IAS 2009, general co-chair of e-forensic 2010, ProvSec 2011, and ISC 2011.
Fenghua Li received the B.S. degree, M.S. degree and PhD degree in Computer Science from Xidian University in 1987, 1990 and 2009, respectively. He is a professor of Institute of Information Engineering, Chinese Academy of Sciences. And he is also a doctoral supervisor of Xidian University. His main research interests are network security and system security.
References
Sahai A. , Waters B. “Fuzzy identity-based encryption,” EUROCRYPT'05, LNCS 3494 May 22-26, 2005 557 - 557
Goyal V. , Pandey O. , Waters B. “Attribute-based encryption for fine-grained access control of encrypted data,” in Proc. of the 13th ACM conference on Computer and Communications Security (CCS’06) October 30- November 3, 2006 89 - 98
Bethencourt J. , Sahai A. , Waters B. “Ciphertext-policy attribute-based encryption,” in Proc. of IEEE Symposium on Security and Privacy (SP’07) May 20-23, 2007 321 - 334
Boldyreva A. , Goyal V. , Kumar V. “Identity-based encryption with efficient revocation,” in Proc. of the 15th ACM conference on Computer and communications security (CCS’08) October 27-31, 2008 417 - 426
Yu S. , Wang C. , Ren K. , Lou W. “Attribute based data sharing with attribute revocation,” in Proc. of the 5th ACM Symposium on Information Computer and Communications Security (ASIACCS’10) April 13-16, 2010 261 - 270
Hur J. , Noh D. K. 2011 “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems 22 (7) 1214 - 1221    DOI : 10.1109/TPDS.2010.203
Yang K. , Jia X. , Ren K. “Attribute-based fine-grained access control with efficient revocation in cloud storage systems,” in Proc. of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS’13) May 8-10, 2013 523 - 528
Li M. , Yu S. , Zheng Y. , Ren K. , Lou W. 2013 “Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption,” IEEE Transactions on Parallel and Distributed Systems 24 (1) 131 - 143    DOI : 10.1109/TPDS.2012.97
Attrapadung N. , Imai H. “Conjunctive broadcast and attribute-based encryption,” Pairing'09, LNCS 5671 August 12-14, 2009 248 - 265
Sahai A. , Seyalioglu H. , Waters B. “Dynamic credentials and ciphertext delegation for attribute-based encryption,” CRYPTO'12, LNCS 7417 August 19-23, 2012 199 - 217
Cheung L. , Newport C. “Provably secure ciphertext policy abe,” in Proc. of the 14th ACM conference on Computer and Communications Security (CCS’07) October 29-November 2, 2007 456 - 465
Lewko A. , Okamoto T. , Sahai A. , Takashima K. , Waters B. “Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption,” EUROCRYPT'10, LNCS 6110 May 30-June 3, 2010 62 - 91
Ostrovsky R. , Sahai A. , Waters B. “Attribute-based encryption with non-monotonic access structures,” in Proc. of the 14th ACM conference on Computer and Communications Security (CCS’07) October 29- November 2, 2007 195 - 203
Li J. , Ren K. , Zhu B. , Wan Z. “Privacy-aware attribute-based encryption with user accountability,” in Proc. of the International Information Security Conference (ISC’09), LNCS 5735 September 7-9, 2009 347 - 362
Liu Z. , Cao Z. , Wong D. S. “Blackbox traceable cp-abe: how to catch people leaking their keys by selling decryption devices on ebay,” in Proc. of the 20th ACM conference on Computer and Communications Security (CCS’13) November 4-8, 2013 475 - 486
Nishide T. , Yoneyama K. , Ohta K. “Abe with partially hidden encryptor-specified access structure,” in Proc. of Applied Cryptography and Network Security (ACNS’08), LNCS 5037 June 3-6, 2008 111 - 129
Lai J. , Deng R. H. , Li Y. “Expressive cp-abe with partially hidden access structures,” in Proc. of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS’12) May 2-4, 2012 18 - 19
Zhang Y. , Chen X. , Li J. , Wong D. S. , Li H. “Anonymous attribute-based encryption supporting efficient decryption test,” in Proc. of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS’13) May 8-10, 2013 511 - 516
Chen C. , Zhang Z. , Feng D. “Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost,” ProvSec'11, LNCS 6980 October 16-18, 2011 84 - 101
Herranz J. , Laguillaumie F. , Ràfols C. “Constant size ciphertexts in threshold attribute-based encryption,” PKC'10, LNCS 6056 May 26-28, 2010 19 - 34
Ge A. , Zhang R. , Chen C. , Ma C. , Zhang Z. “Threshold ciphertext policy attribute-based encryption with constant size ciphertexts,” in ACISP’12, LNCS 7372 July 9-11, 2012 336 - 349
Lu R. , Lin X. , Shen X. 2013 “SPOC: A secure and privacy-preserving opportunistic computing framework for mobile-healthcare emergency,” IEEE Transactions on Parallel and Distributed Systems 24 (3) 614 - 624    DOI : 10.1109/TPDS.2012.146
Han N. D. , Han L. , Tuan D. M. , In H. P. , Jo M. 2014 “A scheme for data confidentiality in cloud-assisted wireless body area networks,” Information Sciences 284 157 - 166    DOI : 10.1016/j.ins.2014.03.126
Fiat A. , Naor M. “Broadcast encryption,” CRYPTO'93, LNCS 773 August 22-26, 1993 480 - 491
Boneh D. , Gentry C. , Waters B. “Collusion resistant broadcast encryption with short ciphertexts and private keys,” CRYPTO'05, LNCS 3621 August 14-18, 2005 258 - 275
Wang P. , Feng D. , Zhang L. “Towards attribute revocation in key-policy attribute based encryption,” CANS'11, LNCS 7092 December 10-12, 2011 272 - 291
Cheng Y. , Wang Z. , Ma J. , Wu J. , Mei S. , Ren J. 2013 “Efficient revocation in ciphertext-policy attribute-based encryption based cryptographic cloud storage,” Journal of Zhejiang University-SCIENCE C 14 (2) 85 - 97    DOI : 10.1631/jzus.C1200240
Zhang Y. , Chen X. , Li J. , Li H. , Li F. “FDR-ABE: Attribute-based encryption with flexible and direct revocation,” in Proc. of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS’13) September 9-11, 2013 38 - 45
Lynn B. 2014 “The stanford pairing based crypto library,”