decentralized attribute-based encryption and data...



China Communications • February 2018

COMPUTER SYSTEM SECURITY

Decentralized Attribute-Based Encryption and Data Sharing Scheme in Cloud Storage

Xiehua Li*, Yanlong Wang, Ming Xu, Yaping Cui

College of Computer Science and Electronic Engineering, Hunan University, Hunan 410082, China
* The corresponding author, email: [email protected]

Abstract: In this paper, we consider the problems of data sharing between multiple distrusted authorities. Prior solutions rely on trusted third parties such as CAs, or are susceptible to collusion between malicious authorities, which can compromise the security of honest ones. In this paper, we propose a new multi-authority data sharing scheme – Decentralized Multi-Authority ABE (DMA), which is derived from CP-ABE and is resilient to these types of misbehavior. Our system distinguishes between a data owner (DO) principal and attribute authorities (AAs): the DO owns the data but allows AAs to arbitrate access by providing attribute labels to users. The data is protected by policy encryption over these attributes. Unlike prior systems, attributes generated by AAs are not user-specific, and neither is the system susceptible to collusion between users who try to escalate their access by sharing keys. We prove our scheme correct under the Decisional Bilinear Diffie-Hellman (DBDH) assumption; we also include a complete end-to-end implementation that demonstrates the practical efficacy of our technique.

Keywords: multi-authority; ABE; cloud storage; access policy

I. INTRODUCTION

In this paper, we consider data sharing scenarios in which otherwise distrusted authorities collaborate on specific projects. Such scenarios can arise as competitors work on a joint project, e.g., automotive safety equipment jointly developed by car manufacturers. In many cases, the data being shared is developed not only by the authorities, but can originate from a third party. In our example, some data may originate from a government agency that maintains sensitive data about failures and crashes. These types of scenarios are increasingly common, and require the ability to provide secure data access with fine-grained control. It is possible to provision such access using a trusted third party (TTP), such as a Certificate Authority that generates secret keys for specific data; however, TTP-based solutions are particularly problematic in multi-authority scenarios since they require distrusted principals to trust a single party.

We introduce a system for data sharing between users of distrusted authorities, without resorting to TTPs. Beyond authorities and the data owner, the system includes users who may not belong to any authority but need access to the data, and a distrusted third-party storage provider that hosts the data to be shared. Importantly, it does not require authorities to agree on a global identity for users: they may provide access attributes to users independently; the cryptographic mechanisms allow attributes from different authorities to combine to enable access to encrypted data and prevent collusion between authorities and users.

In this paper, we propose a novel scheme which provides fine-grained data sharing and access control among different authorities, and a revocation mechanism. Our scheme is based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption), which is an attribute-based fine-grained access control and encryption method for secret data sharing. We extend the original CP-ABE into a multi-authority scenario and maintain its security and efficiency properties. The main contributions of this paper are as follows:

1) We propose a scheme which can achieve secure data sharing between authorities without revealing users' information and is tolerant to collusion attacks by authorities and users.

2) We propose a revocation method which offloads most of the heavy computation to the cloud without leaking either the secret information or the data attributes to any distrusted third party.

3) We implement this on a mobile phone for the first time and measure its efficiency.

The remainder of this paper is organized as follows: We discuss related work in Section II. Then, we propose the DMA scheme and security model in Section III. Next, we provide an efficient revocation scheme in Section IV. In Section V, we analyze the performance of our scheme. We finally conclude this paper in Section VI.

II. RELATED WORK

ABE is a promising technique that enables fine-grained access control to encrypted data [2-6][10][12-13]. In various ABE-based schemes, a trusted central authority (CA) is used to manage all the attributes and distribute keys. Once the CA gets compromised, there would be no privacy of the stored data. In addition, these schemes have not put much thought into user revocation and key update, which makes them less attractive for real applications. Moreover, these schemes cannot be directly applied to data access control for multi-authority based cloud storage and data sharing systems.

Many access control schemes have been proposed for multi-authority ABE scenarios [32, 33]. Most of these schemes use a CA as the TTP to generate the public key and user secret keys. Chase first proposed a multi-authority ABE method [11] that introduced a global identifier (GID) for user secret key generation. Lewko and Waters et al. proposed a new scheme based on multi-authority CP-ABE [15]; this scheme uses the CA only in the initialization phase. The CA distributes the public parameters and verifies AAs according to the user's request. Yang et al. proposed the DAC-MACS algorithm [16], in which the CA is responsible for generating the global public key and private key and distributing a unique identity to the user and all the AAs. AAs issue attributes and generate attribute keys for each user. Yang Kan et al. proposed a multi-authority ABE access control scheme [17, 18], in which the CA is responsible for authenticating all the AAs and users. In addition, the CA also assigns a GID to users and an AID to each AA. When an attribute revocation occurs, the corresponding authority only needs to change its version key and generate an update key. The server re-encrypts the ciphertext using a proxy encryption method. In order to solve the problem of user identity protection, Taeho J et al. proposed an anonymous privilege control scheme [19]. It can address not only the data privacy problem in cloud storage, but also user identity privacy. This scheme generalizes an access tree to a privilege tree. Several trees are required in every encrypted file to verify the user's identity and to grant him a privilege accordingly. Hierarchical attribute-based encryption is an extension of the original ABE system. Gentry and Silverberg first proposed the notion of a hierarchical encryption scheme [31]. Little research has been done in this area.

There has been some prior research into dealing with user revocation in ABE systems [20][21]. However, although these schemes support user revocation, servers will incur heavy communication cost for ciphertext re-encryption and key updates. In addition, scheme [21] can only revoke up to a predefined number of users. Ostrovsky et al. [22] realized immediate user revocation by using ABE that supports negative clauses, but this extends the length of the ciphertext and users' keys. Xu and Martin [23] propose a model for dynamic user revocation and key refreshing. It uses proxy re-encryption and introduces a delegation attribute. The AA generates a delegation key share for the delegation attribute, which is used by the cloud storage for ciphertext re-encryption. However, the model was only applied to BSW's scheme [3]; it cannot be directly applied to any CP-ABE scheme without modification. J. Hur and D. K. Noh [24] solve key escrow by using a key issuing protocol. They use a 2PC protocol to prevent the key authorities from obtaining any master secret information of each other, which prevents either from generating the whole set of user keys alone. Moreover, these revocation schemes are only appropriate for a single authority. Ruj et al. [25] construct a DACC scheme and propose a user revocation method for scheme [14]. But their revocation method incurs a heavy communication cost since DO re-encrypts and distributes a new ciphertext component for each non-revoked user. Li et al. [26] proposed an attribute revocation method for multi-authority ABE; the method is only appropriate for KP-ABE systems, which may lack efficiency of access control in cloud storage systems. In order to achieve multi-authority ABE with efficient revocation, J. Hur and D. K. Noh [27] propose a multi-authority ABE scheme for decentralized disruption-tolerant military networks (DTN). They use the method in [24]. However, in the phase of key update, the data service manager will perform heavy computation at every key update for non-revoked users. There are also other applications using CP-ABE for securing data exchange [7].

III. PRELIMINARIES AND DEFINITIONS

We will first give the cryptographic background information of the bilinear map in [3] and the security model. Then, we will describe the access structure of our DMA scheme and give the security model.

3.1 Preliminaries

Let $G_0$ and $G_1$ be two multiplicative cyclic groups of prime order $p$ and $g$ be a generator of $G_0$. The bilinear map $e$ is defined as $e: G_0 \times G_0 \to G_1$. The bilinear map $e$ has the following properties:

1) Bilinearity: $\forall u, v \in G_0$ and $a, b \in Z_p$, $e(u^a, v^b) = e(u, v)^{ab}$.
2) Non-degeneracy: $e(g, g) \neq 1$.
3) Symmetry: $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

Definition: The Decisional Bilinear Diffie-Hellman (DBDH) assumption in a multiplicative cyclic group $G_0$ of prime order $p$ with generator $g$ is stated as: given $g^a$, $g^b$ and $g^c$ for uniformly and independently chosen $a, b, c \in Z_p$, the following two distributions are computationally indistinguishable:

· $(G_0, g, g^a, g^b, g^{ab})$

· $(G_0, g, g^a, g^b, g^c)$

The security of our scheme is based on the DBDH assumption, which is widely used in security proofs of various ABE schemes. The assumption is reasonable because discrete logarithm problems in large number fields are widely considered to be intractable.

3.2 Threat model

We assume that the data owners (DOs) are honest and have no interest in collusion attacks with other service providers or authorities. This assumption is reasonable because DOs have the original plaintext information. There is no need for them to collude with anyone else to get the original plaintext.

Cloud Storage Providers (CSPs) are the storage media and are semi-honest, which means they implement the program properly but are willing to get illegal profits if given the opportunity. The Attribute Authorities (AAs) are assumed to be distrusted. In our scheme, the AAs calculate and distribute attributes and partial secret keys to users. In general, AAs will follow the protocol, but they will try to collect all the secret key components and find more useful information to decrypt any ciphertext. They have the intention to collude with other entities such as users, the CSP, or other AAs to gain the information they want. Our assumption is based on the real application in cloud storage, and is weaker than previous research on this security issue (see [9], [29]).

Data users are distrusted entities. They are willing to collude with any entities in this system to collect useful information that they have no right to access.

3.3 Access tree definition in DMA

Let $\Gamma$ be a tree representing an access structure. Every non-leaf node of the tree represents a threshold gate that is described by its children and a threshold value. If $num_x$ is the number of children of a node $x$ and $k_x$ is its threshold value, then $0 < k_x \le num_x$. If $k_x = 1$, the threshold gate is an 'OR' gate. If $k_x = num_x$, it is an 'AND' gate. Every leaf node $x$ of the tree is described by an attribute and a threshold value $k_x = 1$. An example of an access tree policy is shown in Figure 1.

Fig. 1. Example of access tree policy in DMA. [Figure: a tree of OR and AND gates over the leaf attributes AA1.safety group, AA1.manager, AA1.analyst, AA2.safety group, AA3.safety group and AA3.manager.]

The access tree in our scheme is defined as follows:

1) The access tree is defined by DO. Leaf nodes represent attributes that are distributed by AAs.

2) Each leaf node of the access tree is described as an attribute which is issued by its authority.

3) If a user's attribute set $S$ satisfies the access tree $\Gamma$, he/she can decrypt the data that are encrypted with $\Gamma$.

3.4 Security model

Our DMA scheme consists of 4 fundamental algorithms which are formally defined as follows:

A) Setup(PK, MK): this algorithm takes nothing but implicit security parameters as input. PK is computed by the data owner and then sent to all the AAs. AAs take the PK as input and calculate their own keys individually. In addition, the data owner calculates the MK and keeps it for future use.

B) KeyGen I(MK): KeyGen I is the algorithm that will be run by the DO. It takes the MK and a random number as input and calculates the part of the secret key component $SK_u$ for each registered user individually.

KeyGen II(PK, $attr(i)_{i \in \{1...n\}}$): this algorithm is run by multiple AAs for secret key component calculation. Each AA runs this algorithm to calculate the set of secret keys $\{SK_1, ..., SK_i\}$ for each registered user based on their attributes.

C) Encryption(PK, M, $\Gamma$): this algorithm takes as input the PK, a message $M$, and an access tree $\Gamma$ over the universe of attributes, where the access tree is defined by the DO. By running this algorithm, DO encrypts the message $M$ and sends the set CT of ciphertext and the verification parameters to the CSP.

D) Decryption(PK, CT, SK): the decryption algorithm takes as input the public parameters PK, a ciphertext set CT, and the private key set $SK = \{SK_u \,||\, SK_1 \,||\, SK_2 \,||\, ... \,||\, SK_n\}$ for a set of attributes, where $SK_u$ is calculated by DO, $\{SK_i\}_{i \in \{1...n\}}$ are calculated by the AAs respectively, and "||" is the concatenation of secret key components. If the set of attributes satisfies the access tree $\Gamma$, then the algorithm can decrypt the ciphertext and return a message $M$.


IV. SYSTEM ARCHITECTURE AND KEY DISTRIBUTION

4.1 System architecture

There are 4 entities involved in the DMA system: DO (Data Owner), AA (Attributes Authority), Cloud storage provider (CSP), and user. The system architecture of DMA is shown in Figure 2. The entities are described as follows:

1. DO (Data Owner). Data owner is re-sponsible for calculating public key, defi ning access policy and encrypting data under the access policy. Furthermore, the data owner needs to upload the encrypted data to the remote cloud storage server. DO keeps the at-tribute update list (AUL) and user list (UL) to identify the authorized user. Once revocation occurs, DO will update the two lists on both DO and CSP sides. For security purpose, DO computes part of users’ private keys called user specifi c key SKu and sends it directly to the particular users via secure channels. The reason why DO generates and distributes SKu is for preventing authorities collusion attack.

2. AA (Attribute Authority). AA plays the role of attributes distribution and user autho-rization. It computes users’ attributes based on the public parameters and distributes them to DO and users for access policy definition. Every AA can manage multiple attributes and has full control over those attributes. More-over, AA computes attribute secret keys SKAA-

i(attr(i)) and issues them to users via secure channel. AAi denotes the ith AA in our scheme, attr(i) denotes an attribute issued by a an AA.

3. Cloud Server Provider (CSP). CSP is considered as a semi-trusted storage media that stores data. It is also responsible for up-dating the ciphertext when attribute revocation occurs. The CSP does not have the secret keys, so it can’t decrypt the ciphertext. Based on the semi-trusted assumption, CSP can implement the algorithm honestly, but it will decrypt the ciphertext once it gets the key.

4. User. Ciphertext on the cloud server can be accessed freely by users. But only when the

We defi ne the security of our DMA with a game between challenger and attacker. The game is defi ned as follows:

Init: The adversary controls a set of com-promised attributes authorities {AAk} ⊂ A, but DO is not under the adversary’s control. The challenge access structure Γ is chosen and given to the challenger.

Setup: The challenger runs the Setup algo-rithm and gives the adversary PK.

Phase 1: The adversary submits a set of attributes S for secret key query. Provided S |≠ Γ , the challenger answers with a secret key SK for S . This can be repeated adaptive-ly.

Challenge: The adversary submits two equal length message M0 and M1 .The chal-lenger chooses b∈{0,1} at random and en-crypt Mb to Γ . The ciphertext is given to the adversary.

Phase 2: Same as Phase 1.Guess: The adversary outputs a guess b’of

b. If b’ = b, the adversary wins the above game. The advantage of adversary in the

above game is defi ned as Pr b b' = −

12

.

Definition: Our scheme is secure against chosen plaintext attack if all the adversaries have at most negligible advantage in above security game.

Fig. 2. DMA access control system architecture.

AA2

AA1

AAn

user

CSP

DO

<AA1_attr(attr(attr i),SKAASKAASK 1(attr(attr(attr i))>

SKu

Attributes(AAn)PK

.

.

.

DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
Page 6: Decentralized Attribute-Based Encryption and Data …1croreprojects.com/dotnetbasepaper/cloud-dotnet...Decentralized Attribute-Based Encryption and Data Sharing Scheme in Cloud Storage

China Communications • February 2018 143

attr(i), AA calculates blinded attribute keys BSKi and sends them along with user’s attri-butes attr(i) and AA’s signature back to the user.

4. User forwards this message to DO. DO verifies AA, user’s attributes and give back unblinded attribute keys back to the user.

V. DMA ACCESS CONTROL SCHEME CONSTRUCTION

A. Setup(PK, MK). Let g be the generator of a bilinear group of G, and the prime order of G is p, e G G G: × → T as the bilinear map.. Let

H G: 0,1{ }∗ → be the hash function which maps attributes to G . DO selects two random exponents α η, ∈Z p , and computes public

key and master key as follows :

PK = (g G g g e g g, , , , ,η η1/ ( )α ) (2)

MSK = (gα ,η) (3)

PK will be published to all AAs.B. KeyGen I. In the DMA scheme, the

KeyGen is divided into two phrases, KeyGen I and KeyGen II.

KeyGen I(MK) is run by DO for generat-ing user specifi c secret key SKu.

SKu g= ( )/α η+r (4)Where r∈Zp is a random number chosen by

user’s attributes satisfy the access policy that defined in the ciphertext, can he/she decrypt the ciphertext. User’s attributes are distributed by a number of authorities according to the user privileges so that it can achieve cross-do-main access control. In addition, DO prevents the collusion attacks between users by embed-ding a random number in the private property.

4.2 Key distribution protocol

In our scheme, we refactor the original CP-ABE and extend the key generation algorithm to a multiple authority scenario. In this system, user needs to fi rst register in a set of AAs and get his secret key components from these AAs and DO. The registration and key distribution procedure is shown in Figure 3. There are few steps for key distribution, the more detailed key generation will be presented in section V.

1. Users first register in an AA, and get a message with freshly generated nonce Ni and AA’s signature over Ni. [sigAAi; m] denotes the signature of AAi over message m. This mes-sage is used for verification and preventing replay attack.

2. User forwards this message to DO. After verifying the user and AA, DO will generate user’s specifi c key SKu and send it to the user. Along with SKu DO generates another param-eter Pu for AA to calculate attribute secret key. Pu is a blinded partial attribute key.

Pu A g= * r (1)Where A is the blinder, such as gx, x, r∈Zp are random numbers chosen by DO when gen-erating user specific secret key. Here we can see that each user has a set of attribute keys that are in accordance with his/her user spe-cifi c secret key. The reason to blind the partial attribute key gr is because whoever gets gr can generates whatever attribute keys he/she wants. We will describe this in details in the next section. Pu is encrypted with AA’s public key, [encK_AAi; m] denotes encryption of mes-sage m over AAi’s public key K_AAi.

3. User keeps his user specific secret key and forwards the encrypted Pu to AA. AA decrypts Pu. According to user’s attributes

Fig. 3. Registration and key distribution protocol.

DO User AAi

RegisterRegisterNi, [sigAAiAAiAA ; UID,

Ni]]i]i

SKSKu, [encK_AAiAAiAA ; Pu]

[[encK_AAiAAiAA ; Pu]attr(attr(attr i),[sigAAi;

Ni,attr(attr(attr i)] Pu*H(attr(attr(attr i))ri

Veryfy attr(i) and AAi

gr*H(attr(attr( (attr(attr i(i( ))i))i ri+rt

UID, Ni, [sigAAiAAiAA ; UID, , NNii]]i]ii]i

attr(attr(attr i),[sigAAi; Ni,attr(attr(attr i)]

PPuu*HH((attrattr((attr(attrattr(attr ii))))riri

DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
DLK-E4
Highlight
Page 7: Decentralized Attribute-Based Encryption and Data …1croreprojects.com/dotnetbasepaper/cloud-dotnet...Decentralized Attribute-Based Encryption and Data Sharing Scheme in Cloud Storage

China Communications • February 2018144

CT y Y C H att y= ∀ ∈ =

Γ = ⋅ =, , ,C M e g g C g

C g

'

y'

, ,

=

y

qy

(

(0)

()α s

( ))qy (0

η

)

s

(7)

D. Decrypt (CT ,SK ) . Only when the user’s attributes satisfy access policy de-fined in ciphertext, the user can decrypt the ciphertext.The decryption algorithm takes as inputs secret keys and ciphertext, where SK SK SK SK SK= ( u n|| || || ... ||1 2 ) . “ | | ” i s concatenation operation. We specify our de-cryption procedure as recursive algorithm. Let i attr y= ( ) , which attr y( ) represents the value of leaf node y , if the node x is a leaf node and x S∈ , then computes

=

=

=

Decrypt CT

e g g

e g g e H i g

e g H i g

(

(

(e g H i(

,

r

r , ,

( ,SK, x)

r

)

i

e g H i

rq

,

q q

(x x

(

x

(

(

0 0

0

)

r

()

i

)

ri

),

)

,q

(x (

(

q

0

x

)

)

(

=

(

)0

q

)

x

)(

e V C

e V C

)

0

ri

((

) )

i x

i x'

,

,

(

'

)

))

) (8)

I f i S∉ , t h e n w e d e f i n e Decrypt(CT,SK, x) =⊥ .

When the node x is not a leaf node, for all the nodes z that are the children of x, the outputs is stored as Fz . Let Sx be an arbitrary kx -sized set of child nodes. If no such set ex-ists, the function will return ⊥ . The recursive computation is shown as follows:

F Fx z

=

= =

=

=

where

∏z S

z S

z S

z S∈

x

x

x

x

((

(e g g

e g g

e g g e g g

=

(

(

(

i index z

S index z z S

i S

x x

,

'

,

,

, ,

x'

= ∈

(0

)

)

)

)

(rq

rq i rq

rq index

,

z

x x

parent z

(

(

(

0

)

)

)

(

)

)

(

)

i S

(

i S

,

,

x

)

x

'

'

(

(

:

0

0

)

)

(z)) )∆

(

i S,

)

x' (0)

) (0)

DO, r is unique for every user to prevent user collusion attack.

KeyGen II ((PK, attr(i)i∈{1...n} )) is run by multiple AAs to calculate attribute keys for users. AAs use the blinded parameter to calcu-late blinded attribute keys for user.

V A g H attr i V g

BSK

i i= =

i j

* * ( ( )) ,

= ∀ ∈(r

attr i S( ) ,AA

r ri i' ) (5)

Where SAAj denotes the set of attributes

that AAj holds. ri∈Zp is a random number for each attr i S( )∈ AAj chosen by AAj. From

equation (5) we can see that if gr is given to AA or user directly, any AA or user can forge arbitrary attribute keys since attr i( ) is a bina-ry string and ri is a random number. As shown in Figure 3, for preventing user from getting gr , DO will send user the final attribute keys

by unblinding BSKi and raising H attr i( ( ))ri

to H attr i( ( ))r ri t+ , where rt ∈Zp is a random number selected by DO. Since ri is a random number, this operation will not affect the de-cryption result.

The final attribute keys is described as fol-lows.

V g H attr i V g

SK

i i= =

i j= ∀ ∈

r

(* ( ( )) ,

attr i S( ) ,r r r

AA

i t i+ ' ) (6)

C. Encryption(PK, M, Γ ). DO encrypts the message M under public key and the access policy Γ . The encryption algorithm chooses a polynomial qx for each node x in the access tree. For each node x in the tree, set the degree dx of the polynomial qx, dx = kx -1, where kx is the threshold value of the chosen node. The algorithm starts at the root node R, it chooses a random exponent s Z∈ p and sets q sR (0) = . Then, for any other node x, the algorithm randomly chooses other coefficients and set qparent(x)(index(x)) such that qx(0)= qparent(x)(index(x)), is the index of node x’s child nodes, and parent(x) is node x’s parent node.

Suppose Y is the set of leaf nodes in Γ , the ciphertext is constructed as follows:

Page 8: Decentralized Attribute-Based Encryption and Data …1croreprojects.com/dotnetbasepaper/cloud-dotnet...Decentralized Attribute-Based Encryption and Data Sharing Scheme in Cloud Storage

China Communications • February 2018 145

generated by DO, s is the root value of access policy. In our scheme we choose to update α when revoking a specific user, so that the access policy is maintained when user revoca-tion occurs. User revocation is carried out by DO directly.

When user revocation happens, DO needs to update both public parameter e(g, g)α and all effected ciphertexts to provide forward security. The ciphertext update will be im-plemented by the CSP to reduce computation load on DO. The user revocation procedure is shown in Figure 4.

In the user revocation, DO picks a random value α1 , update the public key and master se-cret key and the UL. DO sends e g g( , )( )α α1− s to the CSP to update the ciphertext. Based on the security assumption, CSP will honestly calculate C ' , but CSP cannot get anything about the original plaintext m. User who is still legitimate in the system can contact DO to update his user specific secret key. DO will check the user list and regenerate user’s spe-cific secret key. CSP will re-encrypt all cipher-texts to guarantee forward security.

6.2 Attribute revocation

In our scheme, the attribute revocation will re-voke a set of attributes and users who possess the revoked attributes.

Attribute revocation is a challenging task in cloud storage because it requires rekeying

(9)The algorithm recalls the Lagrange poly-

nomial interpolation to decrypt the ciphertext. If the set of attributes satisfy the access tree,

we define A e g g e g g= =( , ,)rq rsR (0) ( ) . Then computes:

C e u C A

= =

~

C e g g e g g M~

(

((SK

( (α η

, /

+r

)) , / ,

)ηs ) ( )rs )

(10)

VI. REVOCATION IN DMA

Revocation is an expensive computation in ABE system since revoking a specific attribute key of a user will rekey the whole set of key components. Therefore, a single attribute revo-cation in ABE requires all users who share the same attribute to update their secret keys even if other attributes are still valid. For example, in the joint project of car manufactures sce-nario, suppose there is a user Ux has attributes {AA1.safety group, AA1.analyst}, and a set of files that are encrypted under the access policy shown in Figure 1. In the ABE system, in or-der to revoke Ux either {AA1.safety group} or { AA1.analyst } should be revoked, which will rekey all other users who has these two attri-butes. Moreover, both the access policy and ciphertexts need to be updated. This seems very inefficient and may cause DO overload in terms of computation and communication costs.

In order to minimize the computation and communication costs of our system, we define two types of revocation: user revocation and attribute revocation. User revocation is im-plemented when DO wants to revoke specific user/users. Attribute revocation is implement-ed when DO or AA wants to revoke attribute.

6.1 User revocation

Based on our observation, revoking a specific user actually means revoking his privilege of decrypting ciphertexts. In our scheme the ciphertext is $C' = M \cdot e(g,g)^{\alpha s}$, so revocation can be done by updating either $\alpha$ or $s$. $\alpha$ is the secret parameter

/* user revocation */
DO: $\alpha \to \alpha_1$; $e(g,g)^{\alpha} \to e(g,g)^{\alpha_1}$; $e(g,g)^{(\alpha_1-\alpha)s}$
$MSK' = (g^{\alpha_1}, \eta)$
/* update user specific secret key */
update UL
$SK_u' = g^{(\alpha_1+r)/\eta}$
CSP: /* update ciphertext */
$C' = M \cdot e(g,g)^{\alpha s} \cdot e(g,g)^{(\alpha_1-\alpha)s} = M \cdot e(g,g)^{\alpha_1 s}$

Fig. 4. User revocation procedure.


texts based on the new access tree. The add/delete attributes procedure is shown in Figure 5. In Figure 5, $\Gamma'$ is the updated access tree, $Y'$ is the updated attribute set that includes all leaf nodes in $\Gamma'$, and $CT'$ is the re-encrypted ciphertext over $\Gamma'$.

B. Update attributes. An attribute update not only causes an update of the access tree and associated ciphertexts but also introduces rekeying of attribute secret keys for each affected user. For example, the attribute “AA1.safety group” in Figure 1 changes to “AA1.safety department” and the old attribute “AA1.safety group” no longer exists. This update causes a few operations: ① AA1 needs to generate the attribute secret key of “AA1.safety department” and distribute it to people in the safety department. Meanwhile, the old attribute and secret key of “AA1.safety group” need to be eliminated; ② DO needs to update the access tree and associated ciphertexts from “AA1.safety group” to “AA1.safety department”; ③ people from the old safety group now need to get the attribute secret key of “AA1.safety department” from AA1. The new attribute key generation and distribution is activated by AA1; the procedure follows the protocol shown in Figure 3 without user registration and $SK_u$. The attribute update procedure is shown in Figure 6.

In Figure 6, $i'$ is the updated attribute; $\Gamma'$, $Y'$ and $CT'$ have the same meaning as in Figure 5.

Revocation will not affect the decryption process that is defined in Equation (7) to Equation (9). Our revocation scheme can achieve fine-grained user-level and attribute-level access control, such as immediate user revocation in an attribute group and immediate attribute revocation. The whole revocation is completed by DO, CSP and AA. Compared with existing schemes, DO’s computation cost is lower when revocation happens.

over a large number of users and updating the ciphertexts encrypted with the revoked attributes. The traditional solution usually consists of a few steps: ① DO re-defines the access policy by eliminating revoked attributes; ② DO re-encrypts the affected files and uploads them to the CSP; ③ DO re-generates new secret keys for the legitimate users who possess the revoked attributes. Traditional revocation requires DO to carry out all computation and communication, which is very inefficient and makes DO the bottleneck.

In our scheme, we shift the heavy computation from DO to CSP to relieve DO of overwhelming computation. Our attribute revocation scheme contains three operations: add attributes, delete attributes and update attributes.

A. Add/delete attributes. Adding or deleting attributes from the access policy causes an update of the access tree and associated ciphertexts. The user’s secret key does not change in the add/delete attribute procedure. Thus, communication takes place only between CSP and DO. Based on the analysis in Section 6.1, updating the access tree requires changing the root value $s$. In this case, DO selects a random number $s' \in Z_p$ and assigns $s'$ as the new root value of the access tree $\Gamma$. The CSP will re-encrypt the cipher-

/* Attribute adding/deleting */
DO: /* DO updates access tree, regenerates root value s' and keeps $\alpha(s'-s)$ secret */
$s \to s'$; $e(g,g)^{\alpha(s'-s)}$
update AUL;
CSP: /* update ciphertext */
$C' = M \cdot e(g,g)^{\alpha s} \cdot e(g,g)^{\alpha(s'-s)} = M \cdot e(g,g)^{\alpha s'}$
$CT' = (\Gamma',\ C' = M \cdot e(g,g)^{\alpha s'},\ C = g^{\eta s'},\ \forall y \in Y':\ C_y = H(att(y))^{q_y(0)},\ C_y' = g^{q_y(0)})$

Fig. 5. Procedure of adding/deleting attributes.
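The two ciphertext updates (Fig. 4, user revocation, and Fig. 5, attribute adding/deleting) can be checked end to end with the toy model below, which is an added example and not the paper's PBC-based implementation. It assumes a stand-in for the pairing (G elements stored as exponents, $e(g,g)$ replaced by an element of order 1019 in $Z_{2039}^*$) and computes $A$ directly from $r$ and $s$ instead of from the access tree; all function names and numeric values are constructed for illustration.

```python
# Toy algebra check for the DMA ciphertext updates. NOT secure: a G element g^x
# is stored as its exponent x mod P so the pairing can be evaluated directly.
P = 1019          # toy prime order of G and G_T (constructed value)
Q = 2 * P + 1     # 2039 is prime; G_T is modelled as the order-P subgroup of Z_Q^*
GT = 4            # stands in for e(g,g); 4 has order P modulo Q


def pair(x, y):
    """e(g^x, g^y) = e(g,g)^(x*y), with G elements given as exponents."""
    return pow(GT, x * y % P, Q)


def user_key(alpha, eta, r):
    """SK_u = g^((alpha + r)/eta), returned as an exponent."""
    return (alpha + r) * pow(eta, -1, P) % P


def encrypt(m, alpha, eta, s):
    """(C', C) = (M * e(g,g)^(alpha*s), g^(eta*s))."""
    return m * pow(GT, alpha * s % P, Q) % Q, eta * s % P


def tree_value(r, s):
    """A = e(g,g)^(r*s). Assumption: computed directly here; in the scheme it
    results from Lagrange interpolation over the user's attribute keys."""
    return pow(GT, r * s % P, Q)


def decrypt(ct, sk_u, a):
    """M = C' / (e(SK_u, C) / A)."""
    c_prime, c = ct
    blind = pair(sk_u, c) * pow(a, -1, Q) % Q
    return c_prime * pow(blind, -1, Q) % Q


def do_user_revocation_token(alpha, alpha1, s):
    """DO side of Fig. 4: e(g,g)^((alpha1 - alpha) * s)."""
    return pow(GT, (alpha1 - alpha) * s % P, Q)


def do_attribute_token(alpha, eta, s, s1):
    """DO side of Fig. 5: e(g,g)^(alpha * (s' - s)) and the new C = g^(eta*s')."""
    return pow(GT, alpha * (s1 - s) % P, Q), eta * s1 % P


def csp_update(ct, token, new_c=None):
    """CSP side: multiply C' by the token; the CSP never handles M, alpha or s."""
    c_prime, c = ct
    return c_prime * token % Q, c if new_c is None else new_c


def demo():
    # Constructed sample values.
    m, alpha, eta, r, s = 1500, 123, 77, 456, 321
    alpha1, s1 = 900, 654
    ct = encrypt(m, alpha, eta, s)
    old_key = user_key(alpha, eta, r)
    out = {"before": decrypt(ct, old_key, tree_value(r, s))}

    # User revocation: alpha -> alpha1, remaining users get a refreshed SK_u.
    ct_u = csp_update(ct, do_user_revocation_token(alpha, alpha1, s))
    out["same_as_fresh"] = ct_u == encrypt(m, alpha1, eta, s)
    out["refreshed_key"] = decrypt(ct_u, user_key(alpha1, eta, r), tree_value(r, s))
    out["revoked_key"] = decrypt(ct_u, old_key, tree_value(r, s))

    # Attribute add/delete: s -> s', user keys stay unchanged.
    token, new_c = do_attribute_token(alpha, eta, s, s1)
    ct_a = csp_update(ct, token, new_c)
    out["after_tree_update"] = decrypt(ct_a, old_key, tree_value(r, s1))
    return out


if __name__ == "__main__":
    print(demo())
```

The updated ciphertext equals a fresh encryption under the new parameter, so the CSP-side update is equivalent to DO re-encrypting, and the key issued before user revocation no longer recovers the message.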


public parameters to Adv.

Phase 1 Adv queries for private keys that correspond to attribute sets $S_1, S_2, \ldots, S_q$, where none of them satisfies $\Gamma^*$. After receiving the key queries, Sim computes the private key components to respond to Adv’s requests. Sim first defines a polynomial $q_x$ for each node $x$ of $\Gamma^*$. For each node $x$ of $\Gamma^*$, we know $q_x$ completely if $x$ can be satisfied; if $x$ is not satisfied, then at least $g^{q_x(0)}$ is known. Sim sets $q_R(0) = a$; for each node $x$ of the access tree, Sim defines the final polynomial $Q_x(\cdot) = b q_x(\cdot)$ and lets $s = Q_R(0) = ab$. For all $i \in S_k$, he randomly picks $i \in S_k$, and computes $D = g^{(c+r)/\eta}$, $V_i = g^{d_i r_i}$, $V_i' = g^{r_i}$; otherwise $V_i = g^{b\beta_i} \cdot g^{r_i} = g^{r_i} \cdot B^{\beta_i}$. Then, Sim returns the created private key to Adv.

Challenge The adversary Adv submits two equal-length challenge messages $M_0$ and $M_1$ to the challenger. The challenger flips a binary coin $\gamma$, and returns the following ciphertext to Adv.

VII. SECURITY AND PERFORMANCE ANALYSIS

7.1 Security analysis

The Decisional Bilinear Diffie-Hellman (DBDH) problem in group $G$ of prime order $p$ with generator $g$ is defined as follows: on input $g, g^a, g^b, g^c \in G$ and $e(g,g)^{abc} = e(g,g)^z \in G_T$, where $z = abc$, decide whether $z = abc$ or $z$ is a random element.

Theorem 1: If the Decisional Bilinear Diffie-Hellman assumption holds in group $(G, G_T)$, then our scheme is chosen-plaintext secure in the standard model.

Proof: Suppose there exists a probabilistic polynomial time adversary Adv that can attack our scheme in the security model above with advantage $\varepsilon$. We prove that the following DBDH game can be solved with advantage $\varepsilon/2$. Let $e: G \times G \to G_T$ be a bilinear map, where $G$ is a multiplicative cyclic group of prime order $p$ with generator $g$. First the DBDH challenger flips a binary coin $\mu \in \{0,1\}$; if $\mu = 1$, he sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g,g)^{abc})$; otherwise he sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g,g)^z)$, where $a, b, c \in Z_p$ are randomly selected.

The challenger then gives the simulator $(g, A, B, C, Z) = (g, g^a, g^b, g^c, Z)$. The simulator Sim then plays the role of a challenger in the following DBDH game.

Init The adversary Adv creates an access tree $\Gamma^*$ on which he wants to be challenged (nodes inside the tree should be defined by Adv).

Setup Sim sets the parameter $Y := e(A, B) = e(g,g)^{ab}$. For all $i \in S$, it will choose a random $d_i \in Z_p$ and set $H(attr(i)) = g^{d_i}$. Otherwise it chooses a random number $\beta_i \in Z_p$ and sets $H(attr(i)) = g^{b\beta_i} = B^{\beta_i}$. Then it will give this

/* Attribute update */
AA: /* activate attribute update, regenerate attribute keys */
$SK_{i'} = (\forall attr(i') \in S_{AA_j},\ V_{i'} = g^r * H(attr(i'))^{r_{i'}},\ V_{i'}' = g^{r_{i'}})$
DO: /* DO updates access tree, regenerates root value s' and keeps $\alpha(s'-s)$ secret */
$s \to s'$; $e(g,g)^{\alpha(s'-s)}$
update AUL;
CSP: /* update ciphertext */
$C' = M \cdot e(g,g)^{\alpha s} \cdot e(g,g)^{\alpha(s'-s)} = M \cdot e(g,g)^{\alpha s'}$
$CT' = (\Gamma',\ C' = M \cdot e(g,g)^{\alpha s'},\ C = g^{\eta s'},\ \forall y \in Y':\ C_y = H(att(y))^{q_y(0)},\ C_y' = g^{q_y(0)})$

Fig. 6. Procedure of attributes update.


collect all valid attribute secret keys, but from the form of the attribute secret key $SK_i = (\forall attr(i) \in S_{AA_j},\ V_i = g^r * H(attr(i))^{r_i},\ V_i' = g^{r_i})$ we can see that $V_i = g^r * H(attr(i))^{r_i}$, where $r$ is a random value chosen uniquely for each legitimate user. Based on Equation (8) to Equation (10), the decryption process can be implemented successfully iff $e(SK_u, C) / A = e(g,g)^{\alpha s}$, which requires the user-specific secret key of an authorized user. Based on the security assumption in Section 3.2, authorized users will not participate in a collusion attack.

In revocation, once the user is revoked, DO will re-encrypt the plaintext, generating the new ciphertext $M e(g,g)^{\alpha' s}$ or $M e(g,g)^{\alpha s'}$ and new private key components $SK_u' = g^{(\alpha_1+r)/\eta}$ or $SK_{i'} = (V_{i'} = g^r * H(attr(i'))^{r_{i'}},\ V_{i'}' = g^{r_{i'}})$. But the revoked users only have the previous secret keys, so the revoked users cannot decrypt. Our scheme can also resist collusion attacks between attribute authorities. An attribute authority is only responsible for generating the attribute keys; even if multiple authorities collude, they will not obtain the calculating factor $g^r$. Therefore, they cannot get the whole secret keys and decrypt the ciphertext.

7.2 Performance evaluation

We present the performance evaluation based on our DMA implementation prototype. Our experiment is implemented on Ubuntu Linux with an Intel(R) Core(TM) i5-6500 @ 3.2GHz and 2GB RAM. The code is modified from the original CP-ABE library [28]. The code uses the Pairing-Based Cryptography (PBC) library version 0.5.12 to implement the access control scheme. We compare the computation efficiency of both encryption and decryption under two criteria: the number of authorities and the number of attributes per authority. In order to show the efficiency of our scheme, we implement other similar schemes that are proposed in [9][29][32][33] for comparison purposes.

Figure 7 shows the comparison of key generation time with different number of authori-

$$CT = (\Gamma^*,\ C' = M_\gamma \cdot Z,\ C = g^{\eta s},\ \forall y \in Y:\ C_y = B^{d_y q_y(0)},\ C_y' = B^{q_y(0)}) \qquad (11)$$

If $\mu = 1$, $Z = e(g,g)^{abc}$. Let $\alpha = ab$, $s = c$. Then $Z = e(g,g)^{abc} = e(g,g)^{\alpha s}$. Therefore, CT is a valid ciphertext of the message $m_\gamma$. Otherwise, if $\mu = 0$, $Z = e(g,g)^z$ and $C' = M_b e(g,g)^z$. Since $z \in Z_p$ is a random element, $C' \in G_T$ is a random element; therefore CT contains no information about $m_\gamma$.

Phase 2 Repeat Phase 1 adaptively.

Guess Adv submits a guess $\gamma'$ of $\gamma$. If $\gamma' = \gamma$, Sim outputs $\mu = 1$, indicating that it was given a valid DBDH tuple; otherwise it outputs $\mu = 0$, indicating that it was given a random 5-element tuple.

When $\mu = 0$, the adversary Adv learns no information about $\gamma$, so we have $\Pr[\gamma' \neq \gamma \mid \mu = 0] = 1/2$. Since the challenger guesses $\mu' = 0$ when $\gamma' \neq \gamma$, we have $\Pr[\mu' = \mu \mid \mu = 0] = 1/2$. If $\mu = 1$, the adversary Adv gets a valid ciphertext of $m_\gamma$. Adv's advantage in this situation is $\varepsilon$ by definition, so we have $\Pr[\gamma' = \gamma \mid \mu = 1] = 1/2 + \varepsilon$. Since the challenger guesses $\mu' = 1$ when $\gamma' = \gamma$, we have $\Pr[\mu' = \mu \mid \mu = 1] = 1/2 + \varepsilon$. So the overall advantage of Sim in this DBDH game is:

$$\frac{1}{2}\Pr[\gamma' = \gamma \mid \mu = 1] + \frac{1}{2}\Pr[\gamma' \neq \gamma \mid \mu = 0] - \frac{1}{2} = \frac{1}{2}\left(\frac{1}{2} + \varepsilon\right) + \frac{1}{2} \cdot \frac{1}{2} - \frac{1}{2} = \frac{\varepsilon}{2} \qquad (12)$$

Theorem 2 Our scheme is secure against collusion attack between users and authorities.

In our scheme, in order to decrypt the ciphertext, the attacker must obtain the bilinear pairing $e(g,g)^{\alpha s}$. In order to perform the attack successfully, the attacker must


different file size. The number of attributes is set to 20, and the file size varies from 2 MB to 256 MB.

From the experiment results we find that our scheme makes much improvement in key generation, encryption and decryption under different system settings. The reason why our scheme is very efficient is that we refactor the original CP-ABE and extend it to the multi-authority scenario.

7.3 APP performance evaluation

We first implement DMA on mobile phones and measure its efficiency. The measurement is done by a public mobile applica-

ties. The number of authorities changes from 2 to 10, and each authority issues 20 attribute keys. Figure 8 shows the comparison of key generation time with different number of attributes. The number of authorities in this experiment is set to 4, and the number of attributes generated by each authority varies from 2 to 25.

Figure 9 and Figure 10 show the comparison of encryption and decryption time with different number of attributes. The encryption and decryption times are measured with a file size of 100KB, and the number of attributes varies from 2 to 20.

Figure 11 and Figure 12 show the comparison of encryption and decryption time with

Fig. 7. KeyGen time with different number of authorities. [Plot omitted: x-axis "number of attribute authority", y-axis "keygen time (ms)"; series: Muller, Chase, Li, Taeho, ours.]

Fig. 8. KeyGen time with different number of attributes. [Plot omitted: x-axis "number of attribute of each key", y-axis "keygen time (ms)"; series: Muller, Chase, Li, Taeho, ours.]

Fig. 9. Encryption time with different number of authorities. [Plot omitted: x-axis "number of attributes", y-axis "time (ms)"; series: mullerEnc, chaseEnc, liEnc, taehoEnc, ourEnc.]

Fig. 10. Decryption time with different number of attributes. [Plot omitted: x-axis "number of attributes", y-axis "time (ms)"; series: mullerDec, chaseDec, liDec, taehoDec, ourDec.]


we propose fine-grained user-level and attribute-level revocation schemes with low computation and communication costs.

ACKNOWLEDGEMENTS

This work is supported by the National Natural Science Foundation of China under grant 61402160, the Hunan Provincial Natural Science Foundation of China under grant 2016JJ3043, and the Open Funding for Universities in Hunan Province under grant 14K023.

References

[1] R. Chow, P. Golle, M. Jakobsson et al., “Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control”. Proceedings of IEEE 3rd International Conference on Cloud Computing, pp. 85-90, July 2010.

[2] A. Shamir. “Identity-based crypto systems and signature schemes.” Proceedings of Advances in Cryptology (CRYPTO’84). Berlin, Springer Berlin Heidelberg, pp. 47–53, 1984.

[3] J. Bethencourt, A. Sahai, B. Waters. “Ciphertext-policy Attribute-based Encryption.” Proceedings of IEEE Symposium Security and Privacy. Berkeley, CA, pp. 321-334, 2007.

[4] B. Waters. “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization.” Proceedings of Public Key Cryptography (PKC’11), pp. 53-70, 2011.

[5] Shulan Wang, Junwei Zhou, Joseph K. Liu, et al. “An Efficient File Hierarchy Attribute-Based Encryption Scheme in Cloud Computing”. IEEE Transactions on Information Forensics and Secu-

tion performance test platform www.testin.cn. The test is carried out on 50 mobile devices running the Android system from different manufacturers. The performance results of DMA are shown in Table I.

VIII. CONCLUSION

Our scheme presents an access control method based on Multi-Authority ABE. We use an access tree that manages attributes belonging to different authorities to achieve cross-domain data storage and access control. Theoretical analysis and experiments demonstrate that our scheme can not only achieve ciphertext access control, preventing collusion attacks between users and authorities, but also improve the efficiency of ciphertext encryption and decryption. Therefore, the proposed method can be applied to the multi-authority scenario in cloud storage for efficient data encryption and decryption, and provides an effective way to access data across domains. In addition,

Fig. 11. Encryption time with different size of files. [Plot omitted: x-axis "file size (MB)", y-axis "Enc time (ms)"; series: mullerEnc, chaseEnc, liEnc, taehoEnc, ourEnc.]

Fig. 12. Decryption time with different size of files. [Plot omitted: x-axis "file size (MB)", y-axis "Dec time (ms)"; series: mullerDec, chaseDec, liDec, taehoDec, ourDec.]

Table I. Performance of DMA on mobile phones.

Mobile phone            Start (s)   CPU occupation (%)   RAM (MB)
Samsung Galaxy Note 5   5.097       0.22 (Max 2.00)      78.51 (Max 81.09)
Huawei G7 Plus          3.4         0.02 (Max 1.00)      31.26 (Max 33.45)
OPPO R1                 3.99        0.33 (Max 1.00)      18.87 (Max 19.89)
LE 2S Pro               3.936       0.20 (Max 2.00)      21.58 (Max 22.93)
Lenovo ZUK Z2           3.399       0.53 (Max 3.00)      28.65 (Max 31.54)


for Multi-Authority System in Cloud Storage.” Proceedings of International Conference on Distributed Computing Systems (ICDCS), pp. 536-545, 2012.

[18] K. Yang, X. Jia. “Expressive, Efficient and Revocable Data Access Control for Multi-Authority Cloud Storage.” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 7, pp. 1735-1744, 2013.

[19] J. Taeho, X. Li, Z. Wan, et al. “Privacy Preserving Cloud Data Access With Multi-Authorities.” Proceedings of IEEE INFOCOM, pp. 2625-2633, 2013.

[20] S. Yu, C. Wang, K. Ren, and W. Lou. “Attribute based data sharing with attribute revocation.” Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 261–270, 2010.

[21] S. Jahid, P. Mittal, and N. Borisov, “Easier: Encryption-based access control in social networks with efficient revocation,” Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 411–415, 2011.

[22] R. Ostrovsky, A. Sahai, B. Waters. “Attribute-Based encryption with non-monotonic access structures.” Proceedings of the ACM Conference On Computer and Communications Security, pp. 195−203, 2007.

[23] Z. Xu and K. M. Martin. “Dynamic user revocation and key refreshing for attribute-based encryption in cloud storage.” Proceedings of 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 844–849, 2012.

[24] J. Hur. “Improving Security and Efficiency in Attribute-Based Data Sharing.” IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 10, pp. 2271-2282, 2013.

[25] S. Ruj, A. Nayak, I. Stojmenovic. “DACC: Distributed Access Control in Clouds.” Proceedings of IEEE TrustCom, pp. 91-98, 2011.

[26] M. Li, S. Yu, Y. Zheng, et al. “Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption.” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131-143, 2012.

[27] J. Hur, K. Kang. “Secure Data Retrieval for Decentralized Disruption-Tolerant Military Networks.” IEEE/ACM Transactions on Networking, vol. 22, no. 1, pp. 16-26, 2014.

[28] J. Bethencourt, A. Sahai, B. Waters. The cpabe toolkit [OL]. http://acsc.csl.sri.com/cpabe/.2007.3.

[29] T. Jung, X. Li, Z. Wan, et al. “Control cloud data access privilege and anonymity with fully anonymous attribute-based encryption.” IEEE Transaction on Information Forensics and Security, vol. 10, no. 1, pp. 190-199, Jan. 2015.

[30] R. Canetti. “Decisional Diffie-Hellman assump-

rity, vol. 11, no. 6, pp. 1265-1277, 2016.

[6] A. Balu, K. Kuppusamy. “An expressive and provably secure ciphertext-policy attribute-based encryption.” Information Sciences, vol. 276, pp. 354–362, Aug. 2014.

[7] H. Kwon, D. Kim, C. Hahn, et al. “Security authentication using ciphertext policy attribute-based encryption in mobile multi-hop networks.” Multimedia Tools and Applications, vol. 75, pp. 1-15, 2016.

[8] V. Goyal, A. Jain, O. Pandey, A. Sahai, “Bounded ciphertext policy attribute based encryption.” Proceedings of the 35th International Colloquium (ICALP’08). Lecture Notes in Computer Science, vol. 5126. Springer, pp. 579–591, 2008.

[9] M. Chase. “Multi-authority attribute based encryption.” Proceedings of Cryptography Conference on Theory of Cryptography (TCC’07), Amsterdam, Springer Berlin Heidelberg, pp. 515–534, 2007.

[10] J. Liu, X. Huang, and J. K. Liu, “Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption,” Future Generation Computer Systems, vol. 52, pp. 67–76, Nov. 2015.

[11] M. Chase and S. S. M. Chow, “Improving privacy and security in multi-authority attribute-based encryption.” Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09), pp. 121–130, 2009.

[12] A. Ahire, P. Jawalkar. “Secure system for data sharing using cipher-text policy attribute encryption with message authentication codes for data integrity.” International Research Journal of Engineering and Technology, vol. 22, no. 5, pp. 1021-1027, Aug. 2015.

[13] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption.” Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT’10). Springer, pp. 62–91, 2010.

[14] H. Lin, Z. F. Cao, X. Liang. “Secure threshold multi-authority attribute-based encryption without a central authority.” Proceedings of International Conference on Cryptology, pp. 426−436, 2008.

[15] A. Lewko and B. Waters. “Decentralizing attribute-based encryption.” Proceedings of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 568–588, 2011.

[16] K. Yang, X. Jia, K. Ren. “DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems.” IEEE Transactions on Information Forensics and Security, vol. 8, no. 11, pp. 1790-1801, 2013.

[17] K. Yang, X. Jia. “Attribute-based Access Control


tion.” Encyclopedia of Cryptography and Security, pp. 140-142, 2005.

[31] C. Gentry, A. Silverberg. “Hierarchy ID-based cryptography.” Advances in Cryptology, pp. 548-566, Dec. 2002.

[32] S. Muller, S. Katzenbeisser, and C. Eckert, “On multi-authority ciphertext-policy attribute-based encryption,” Bulletin of the Korean Mathematical Society, vol. 46, no. 4, pp. 803–819, 2009.

[33] J. Li, Q. Huang, X. Chen, S. S. Chow, D. S. Wong, and D. Xie, “Multiauthority ciphertext-policy attribute-based encryption with accountability.” Proceedings of ACM Symposium on Information (ASIACCS), pp. 386-390, 2011.

Biographies

Xiehua Li received her B.S. degree and M.S. degree from Central South University, China in 2000 and 2003, respectively. Subsequently, she received her Ph.D. degree from Shanghai Jiaotong University, China in 2007, in Communication and Information System. She is currently an Assistant Professor in the College of Computer Science and Electronic Engineering, Hunan University, China. Her research interests include cryptography, cloud computing, system security. Email: [email protected]

Yanlong Wang received his B.S. degree from Hunan University of Science and Technology, China in 2015. At present, he is engaged in M.S. degree study at the College of Computer Science and Electronic Engineering, Hunan University, China. His research interests include cryptography, programming language.

Ming Xu received his B.S. degree from Hunan University, China in June 2017. He is currently a software development engineer. His research interests include cryptography, programming language.

Yaping Cui received her B.S. degree from Jinzhong University, China in 2015. At present, she is engaged in M.S. degree study at the College of Computer Science and Electronic Engineering, Hunan University, China. Her research interests include software reliability, software system development.