decentralized attribute-based encryption and data ... decentralized attribute-based encryption and...
Post on 11-Mar-2020
Embed Size (px)
China Communications • February 2018138
In this paper, we consider data sharing scenar- ios in which otherwise distrusted authorities collaborate on specific projects. Such scenar- ios can arise as competitors work on a joint project, e.g., automotive safety equipment jointly developed by car manufacturers. In many cases, the data being shared is devel- oped not only by the authorities, but can orig- inate from a third party. In our example, some data may originate from a government agency that maintains sensitive data about failures and crashes. These types of scenarios are in- creasingly common, and require the ability to provide secure data access with fine-grained control. It is possible to provision such access using a trusted third party (TTP), such as a Certificate Authority that generates secret keys for specific data; however, TTP-based solu- tions are particularly problematic in multi-au- thority scenarios since they require distrusted principals to trust a single party.
We introduce a system for data sharing be- tween users of distrusted authorities, without resorting to TTPs. Beyond authorities and the data owner, includes users who may not
Abstract: In this paper, we consider the problems of data sharing between multiple distrusted authorities. Prior solutions rely on trusted third parties such as CAs, or are susceptible to collusion between malicious authorities, which can comprise the security of honest ones. In this paper, we propose a new multi-authority data sharing scheme – Decen- tralized Multi-Authority ABE (DMA), which is derived from CP-ABE that is resilient to these types of misbehavior. Our system distin- guishes between a data owner (DO) principal and attribute authorities (AAs): the DO owns the data but allows AAs to arbitrate access by providing attribute labels to users. The data is protected by policy encryption over these attributes. Unlike prior systems, attributes generated by AAs are not user-specific, and neither is the system susceptible to collusion between users who try to escalate their access by sharing keys. We prove our scheme correct under the Decisional Bilinear Diffie-Hellman (DBDH) assumption; we also include a com- plete end-to-end implementation that demon- strates the practical efficacy of our technique. Keywords: multi-authority; ABE; cloud stor- age; access policy
Decentralized Attribute-Based Encryption and Data Sharing Scheme in Cloud Storage Xiehua Li*, Yanlong Wang, Ming Xu, Yaping Cui
College of Computer Science and Electronic Engineering, Hunan University, Hunan 410082, China * The corresponding author, email: email@example.com
COMPUTER SYSTEM SECURITY
China Communications • February 2018 139
used to manage all the attributes and distribute keys. Once the CA gets compromised, there would be no privacy of the stored data. In addition, these schemes have not put much thought on user revocation and key update, which makes them less attractive for real ap- plications. Moreover, these schemes cannot be directly applied to data access control for multi-authority based cloud storage and data sharing system.
There are many access control schemes has been proposed for the multi-authority ABE scenarios[32, 33]. Most of these schemes use CA as the TTP to generate public key and user secret keys. Chase firstly proposed a multi-au- thority ABE method that introduced a global identifier (GID) for user secret key generation. Lewko and Waters et al. propose a new scheme based on multi- authority CP- ABE , this scheme uses CA only in the initialization phase. CA distributes the public parameters and verifies AAs according to the user’s request. Yang et al propose a DAC- MACS algorithm , CA is responsible for the generation of the global public key and private key and distribute a unique identity for the user and all the AAs. AAs issue attri- butes and generate attribute keys for each user. Yang Kan et al. proposed multi-authority ABE access control scheme [17, 18], CA is respon- sible for authenticating all the AAs and users. In addition, CA also assigns GID for users and AID to each AA. When an attribute revocation occurs, the corresponding authority only need to change its version key and generate an up- date key. The server re-encrypt the ciphertext using proxy encryption method. In order to solve the problem of user’s identity protec- tion, Taeho J et al. proposed an anonymous privilege control scheme . It can address not only the data privacy problem in cloud storage, but also the user identity privacy. This scheme generalizes an access tree to a privi- lege tree. Several trees are required in every encrypted file to verify user’s identity and to grant him a privilege accordingly. Hierarchy attribute-based encryption is an extension of original ABE system. Gentry and Silverberg
belong to any authority but need access to the data, and an distrusted third-party storage pro- vider that hosts the data to be shared. Impor- tantly, it does not require authorities to agree on a global identity for users: they may pro- vide access attributes to users independently; the cryptographic mechanisms allow attributes from different authorities to combine to enable access to encrypted data and prevent collusion between authorities and users.
In this paper, we propose a novel scheme which provides fine-grained data sharing and access control among different authori- ties and revocation mechanism. Our scheme is based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption) that is an attri- bute-based fine-grained access control and encryption method for secret data sharing. We extend the original CP-ABE into a multi-au- thority scenario and maintain its security and efficiency properties. The main contributions of this paper are as follows:
1) We propose a scheme which can achieve secure data sharing between authorities with- out revealing user’s information and is tolerant to authorities and users collusion attack.
2) We propose a revocation method which loads most of the heavy computation to the cloud without leaking either the secret infor- mation or the data attributes to any distrusted third party.
3) We firstly implement this on mobile phone and measure its efficiency.
The remaining of this paper is organized as follows: We introduces a discussion of related work in Section II. Then, we propose DMA scheme and security model in Section III. Next, we provide an efficient revocation scheme in Section IV. In Section V, we ana- lyze the performance of our scheme. We final- ly conclude this paper in Section Ⅵ .
II. RELATED WORK
ABE is a promising technique that enables fine-grained access control to encrypted data[2-6][12-13]. In various ABE-based schemes, a trusted central authority (CA) is
Our scheme presents the access contro l m e t h o d ba s e d o n multi-authority ABE.
China Communications • February 2018140
tation at every time of key update for non-re- voked users. There are also other applications using CP-ABE for securing data exchange .
III. PRELIMINARIES AND DEFINITIONS
We will first give the cryptographic back- ground information of bilinear map in  and security model. Then, we will describe the access structure of our DMA scheme and give the security model.
Let G0 and G1 be two multiplicative cyclic groups for prime order p and g be a generator of G0. The bilinear map e is defined as, e: G0 × G0→ G1. The bilinear map e has the following properties: 1)bilinearity: ∀u, v ∈ G0 , and a, b ∈ ZP, then e(ua, vb) = e(u, v)ab. 2) Non-degen- eracy: e(g, g) ≠1. 3) Symmetry: e(ga, gb) = e(g, g)ab = e(gb, ga).
Definition: The Decisional Bilinear Dif- fie-Hellman(DBDH) assumption in a multipli- cative cyclic group G0 of prime order p with generator g is stated as: given ga, gb and gc for uniformly and independently chosen a, b, c ∈ ZP, the following two distributions are compu- tationally indistinguishable:
· G0, g, ga, gb , gab
· G0, g, ga, gb , gc
The security of our scheme is based on the DBDH assumption which is widely used in security proof of various ABE schemes. The assumption is reasonable because discrete logarithm problems in large number field are widely considered to be intractable.
3.2 Threats model
We assume that the data owners (DOs) are honest and have no interest in collusion attack with other service providers or authorities. This assumption is reasonable because DOs have the original plaintext information. There is no need for them to collude with anyone else to get the original plaintext.
Cloud Storage Providers (CSPs) are the storage media and semi-honest, which means they can implement the program properly but
first proposed the notion of hierarchical en- cryption scheme. Few researches have been done on this area.
There has been some prior researches into dealing with user revocation in ABE systems. However, although these schemes support user revocation, servers will incur heavy communication cost for ciphertext re-encryption and key updates. In addition, scheme can only revoke up to a predefined number of users. Ostrovsky et al.  realized the immediate user revocation by using ABE that supports negative clauses. But it extends the length of the ciphertext and users’ keys. Xu and Martin propose a model for dynamic user revocation and key refreshing. It uses proxy re-encryption and introduces a delega- tio