design and implementation of a confidentiality and access control solution for publish/subscribe...

Computer Networks 56 (2012) 2014–2037

Contents lists available at SciVerse ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/locate /comnet

Design and implementation of a confidentiality and access control solutionfor publish/subscribe systems

Mihaela Ion a, Giovanni Russello a,b,⇑, Bruno Crispo c

a CREATE-NET International Research Center, Via alla Cascata 56 D, 38123 Trento, Italyb Department of Computer Science, University of Auckland, Private Bag 92019, Auckland 1142, New Zealandc Department of Information Engineering and Computer Science, University of Trento, Trento, Italy

a r t i c l e i n f o

Article history:Received 1 June 2011Received in revised form 9 January 2012Accepted 20 February 2012Available online 28 February 2012

Keywords:Publish/subscribeConfidentialityAttribute-based encryptionEncrypted search

1389-1286/$ - see front matter � 2012 Elsevier B.Vdoi:10.1016/j.comnet.2012.02.013

⇑ Corresponding author at: CREATE-NET InternatiVia alla Cascata 56 D, 38123 Trento, Italy.

E-mail addresses: [email protected] (auckland.ac.nz, [email protected] (Gdisi.unitn.it (B. Crispo).

a b s t r a c t

The publish/subscribe model offers a loosely-coupled communication paradigm whereapplications interact indirectly and asynchronously. Publishers generate events that aresent to interested applications through a network of brokers. Subscribers express theirinterest by specifying filters that brokers can use for routing the events. Supporting confi-dentiality of messages being exchanged is still challenging. First of all, it is desirable thatany scheme used for protecting the confidentiality of both the events and filters shouldnot require publishers and subscribers to share secret keys. In fact, such a restriction isagainst the loose-coupling of the model. Moreover, such a scheme should not restrict theexpressiveness of filters and should allow the broker to perform event filtering to routethe events to the interested parties. Existing solutions do not fully address these issues.In this paper, we provide a novel scheme that supports (i) confidentiality for events andfilters; (ii) allows publishers to express further constraints about who can access theirevents; (iii) filters that can express very complex constraints on events even if brokersare not able to access any information in clear on both events and filters; (iv) and, finally,it does not require publishers and subscribers to share keys. Furthermore, we show how weapplied our scheme to a real-world e-health scenario, developed together with a hospital.We also describe the implementation of our solution in Java and the integration with anexisting publish/subscribe system.

� 2012 Elsevier B.V. All rights reserved.

1. Introduction

The publish/subscribe (pub/sub) model is an asynchro-nous communication paradigm where senders, known aspublishers, and receivers, known as subscribers, exchangemessages in a loosely coupled manner, i.e. without estab-lishing direct contact. The messages that publishers gener-ate are called events. Publishers do not send events directlyto subscribers, instead a network of interconnected brokers

. All rights reserved.

onal Research Center,

M. Ion), g.russello@. Russello), crispo@

is responsible for delivering the events to the interestedsubscribers. In fact, publishers do not know who receivestheir events and subscribers are not aware of the sourceof information. In order to receive events, subscribers needto register their interest with a broker through a filter.When a new event is published, brokers forward it to allsubscribers that expressed a filter that matches the event.

The pub/sub communication paradigm has the advan-tage of allowing the full decoupling of the communicatingentities [1] which enables dynamic and flexible informationexchange between a large number of entities. The commu-nicating parties do not need to know each other or establishcontact in order to exchange content. Moreover, if durablesubscription is enabled, publishers and subscribers do notneed to actively participate in the interaction at the same

http://dx.doi.org/10.1016/j.comnet.2012.02.013

mailto:[email protected]

mailto:g.russello@ auckland.ac.nz

mailto:g.russello@ auckland.ac.nz

mailto:[email protected]

mailto:crispo@ disi.unitn.it

mailto:crispo@ disi.unitn.it

http://dx.doi.org/10.1016/j.comnet.2012.02.013

http://www.sciencedirect.com/science/journal/13891286

http://www.elsevier.com/locate/comnet

M. Ion et al. / Computer Networks 56 (2012) 2014–2037 2015

time. If a subscriber is offline when a publisher creates anevent, the broker will store the event until the subscriberbecomes online and the event can be delivered.

These characteristics make the pub/sub communicationmodel well suited for a wide range of information-drivenand event-driven applications. For example, pub/sub hasbeen proposed for information dissemination applicationssuch as instant news delivery, stock market quotes distri-bution, auction bids [2], and air traffic control. Other appli-cations of pub/sub are mobile systems [3], ubiquitouscomputing [4], distributed workflow management systems[5], and peer-to-peer systems [6].

Most of the research in pub/sub has been focusing onefficient routing of events [7]. However, there are manyscenarios that require control over who can access theinformation. For example, a stock quote service could pro-vide to paying customers information on stock prices. Inthis case, only paying subscribers should be able to accessthe events. At the same time, subscribers may wish to keepthe details of their filters private from anybody spying ontheir interests. Another application scenario is in the med-ical sector where physicians are notified when certainevents happen such as changes in the condition of a pa-tient. Such information should be available to the author-ised personnel only to protect the patient’s privacy.Moreover, when events contain sensitive informationabout individuals or institutions (e.g. personal and medicaldata), it should be possible to enforce access control poli-cies on the content of the events.

If the brokers are trusted, for example if they are underthe direct control of the organisation using the pub/subsystem, the confidentiality of the events and filters canbe ensured by securing the communication between bro-kers, between publishers and brokers, and between bro-kers and subscribers. However, in many scenarios brokerscannot be considered trusted, either because a maliciousemployee could get access to the data (i.e. events and fil-ters) and misuse it, or because the pub/sub system hasbeen outsourced to another company. Outsourcing the ITinfrastructure is a business model adopted more and moreby companies because it reduces costs and improves thequality of services and operations. In fact, even sectorssuch as healthcare, initially reluctant to adopting this mod-el, are slowly employing it [8]. Because of that, there is aneed for confidentiality and access control solutions thatcan be applied when brokers are untrusted and could com-promise the confidentiality of events and filters.

One of the main challenges that pub/sub systems arestill facing is protecting the confidentiality of the ex-changed information in the presence of untrusted brokerswithout limiting the decoupling of the paradigm. Publish-ers and subscribers do not establish contact so they cannotexchange keying material. Moreover, protecting the confi-dentiality from malicious brokers is very difficult. Brokersshould be able to route events by matching them againstcomplex filters expressed by subscribers without havingaccess to the actual content of events and filters. Currentsolutions are not able to provide event and filter confiden-tiality, while at the same time supporting complex filtersand keeping key management scalable. For example, in or-der to support routing based on expressive filters, [9]

encrypts only certain event fields while other fields are leftas cleartext so that they can be used for routing. Othersolutions [10] require publishers and subscribers to sharea group key which hampers the loosely coupling and scala-bility of the pub/sub model. Ref. [11] provides confidential-ity of events and filters but the filter is restricted toequality with one keyword.

Another challenge that pub/sub systems are still facingis enforcing access control policies in the presence ofuntrusted brokers. Access control mechanisms usually re-quire a trusted authority that has access to the securitypolicies and enforces them. In fact, current access controlsolutions for pub/sub systems [12,13] rely on brokers toenforce the policies, and assume brokers are trusted bothwith the content of policies and events. Such solutions can-not be applied in an outsourced environment in which bro-kers are untrusted. Enforcing access control policies on thecontent of the events without revealing the access policyand the event content to the brokers is still an open issue.

The main contribution of this paper is to present an ap-proach catering for confidentiality in pub/sub systemswhen brokers are untrusted such that: (i) it provides con-fidentiality of events and filters, (ii) it allows publishersto express further constraints about who can access theirevents, (iii) it does not require publishers and subscribersto share keys, and (iv) it allows subscribers to express fil-ters that can define any monotonic and non-monotonicconditions. To achieve this, our solution combines attri-bute-based encryption and an encrypted search scheme.We show how to apply our solution to provide confidenti-ality of messages exchanged in a real-world e-health appli-cation. We then implement our scheme in Java andintegrate it with an existing publish/subscribe system.We measure the overhead introduced for encryptingevents and filters and performing encrypted match.

The rest of the paper is structured as follows: Section 2introduces the pub/sub communication model and pro-vides an example of an application where pub/sub confi-dentiality and access control are required. Section 3describes the problem of confidentiality and the propertiesachieved by our solution. Section 4 presents related workand shows that none of the current solutions supports allthe properties identified by us. Section 5 introduces therelevant encryption mechanisms used by our scheme. Sec-tions 7 and 6 give the details of our solution. Section 8 re-vises the application example described in Section 2implemented with our approach. Section 9 provides thesecurity analysis of our scheme. Section 10 describes theimplementation and the integration with an existingpub/sub system. Section 11 provides the performance eval-uation and Section 12 concludes the paper.

2. The publish/subscribe communication paradigm

Several pub/sub implementations that differ in thegranularity used in the definition of the filters have beenproposed in the literature. The most simple one is topic-based, in which subscribers subscribe to a topic identifiedby a keyword [14]. A topic-based scheme is similar to thenotion of group communication. When subscribing to a

2016 M. Ion et al. / Computer Networks 56 (2012) 2014–2037

topic T, a subscriber becomes a member of group T. Whenan event for topic T is published, the event is broadcastedto all the members of that group. Organizing topics in hier-archies allows a better management of subscriptions [15].For example, by registering to a topic, a subscriber is alsoregistered to all subtopics (see Fig. 1).

Topic-based schemes are easy to implement but theyoffer limited expressiveness. Content-based schemes aremore flexible and allow specifying subscriptions based onthe actual content of the event. To express a filter on thecontent of an event, subscribers need a query languageand understanding of the data formats. For example, inGryphon [16] and Siena [17] events consist of sets of (attri-butename = attributevalue) pairs and filters are specified asSQL WHERE clauses. Java Message Service (JMS) [18] doesnot allow filtering on the content of the event, but instead,events carry properties in their headers and subscriberscan define filters on them. Filters that apply to the compo-sition of simple events have also been proposed (such as in[19]). When expressing such a filter, subscribers are noti-fied upon the occurrence of the composite event.

Because of its generality and expressiveness, we will fo-cus on content-based filtering. Topic-based filtering can beconsidered a sub-case of content-based where filters con-tain only one attribute (or keyword). We assume that fil-ters define constrains in the form of name-op-valuewhere op can be one of the comparison operators such as=, 6, <, P, and >. Constrains can be logically combinedusing AND, OR and NOT to form complex subscriptionpatterns.

In the following we motivate the need for confidential-ity and access control in pub/sub systems through anexample.

2.1. An e-health application for monitoring chronic diseases

In the following, we present the details of a real e-health application developed for the San Raffaele Hospitalin Milan, Italy. The e-health application is designed for re-motely monitoring patients with a chronic disease that donot require hospitalisation, such as heart diseases or diabe-tes. While the patient is at home, it is necessary to contin-uously monitor specific vital sign parameters. Moreover,for these kinds of patients a continuous and correct life-style is fundamental in order to improve the quality oftheir lives. In particular, in patients with heart diseases itis important to monitor both some physiological parame-ters and the patients’ habits, including the diet and the

Fig. 1. The pub/sub infrastructure connects publishers and subscribersvia a network of interconnected brokers.

physical activities. This information needs to be distributedto the interested parties such as professional caregivers toprovide required feedback, prescribe medicines, and sche-dule appointments in case of unexpected conditions.

The e-health application presented in this paper is com-posed of several distributed components that are shown inFig. 2. Each component is described in details as follows.

The in-Home Monitoring System (iHMS) is a componentthat performs the gathering of patient’s data through theuse of electronic devices self-managed by the patient.These devices have wireless means to connect to a centralgateway where the data is gathered. Regarding the physi-ological parameters it could be useful to monitor the bloodpressure, the heart rate and the ECG at regular time inter-vals. Regarding the life style, the relevant data to be mon-itored is the weight and the amount of physical exercises(e.g. walking and/or running). In our application, we em-ploy the following devices:

� a wrist integrated device able to measure the bloodpressure and the blood oxygen levels;� a portable device for ECG and heart rate monitoring;� a smart scale that automatically sends the periodic

weight measures;� a device to be worn during physical exercises that can

monitor some relevant parameters, such as the numberof steps during a walking activity, the total energy con-sumption (kcal), the duration of the physical activity,etc.

In the hospital, the Medical Console (MC) retrieves thedata collected by the iHMS. The patient’s doctor can usedthe MC for accessing the vital signs and lifestyle datastored in the Medical Repository (MR). The MC can alsoalert the doctor if the values exceed some personalisedthresholds. The doctor can inform the patient that a visitis required and some more specific medical tests have tobe performed. The doctor can also decide to prescribe atherapy, composed of a list of drugs to be regularly as-sumed by the patient, and to give advice in order to im-prove the patient’s lifestyle.

The drug therapy, depending on the specific disease, caninclude drugs that can be directly provided by the hospitaland/or drugs to be purchased through the territorial phar-

Fig. 2. e-Health application scenario for monitoring chronic diseases.


macies. In the former case, the drugs provided by the hos-pital are reimbursed by the Healthcare Authority (HA). Inorder to assure the appropriateness of the therapy andthe exact amount of costs to be reimbursed, the hospitalhas to provide to the HA data related to the patient’s con-ditions and drug costs.

The Drug Stock Management (DSM) is in charge of pre-paring a personalised drug kit, composed of the drugs pre-scribed by the doctor for a specific patient. To prepare thetherapy kit, the doctor has to provide to the DSM personnelthe therapeutic data. The drugs can be delivered at homethanks to a Drug Delivery Service (DDS) that performsthe transportation directly to the patient’s home.

Finally, there is a Research Centre that performs data pro-cessing on the received information from various hospitalsand healthcare authorities. Examples of possible data pro-cessing are the analysis of epidemiological data (e.g. numberof patients with heart diseases treated with a specific drug)and the calculation of quantitative clinical and expenditureindicators (e.g. number of patients with repeated outpatientvisits or total average cost for each patient).

Part of the IT infrastructure is outsourced to an externalcompany. For instance, in our case the San Raffaele hospitalhas decided to outsource the pub/sub system to an IT com-pany that provides and maintains the servers where theservice is deployed. The pub/sub system connects all pub-lishers and subscribers and allows them to send and re-ceive events asynchronously through a shared set ofinterfaces. Subscribers can specify their interest in particu-lar messages through filters. Filters are strings which ex-press constrains on the attributes of the events.

If messages are sent on the clear, a malicious employeeof the company managing the pub/sub system can easilyget access to the events that are exchanged through thebrokers. Therefore, in this settings the patients’ privacy isat risk. We illustrate the risk of violating the patients’ pri-vacy through an example.

Let us suppose that a patient named ‘‘John Smith’’ suf-fering from a heart condition is monitored remotely by adoctor. The medical devices carried by the patient monitorthe blood pressure, heart rate and ECG. At regular timeintervals, these values are sent by the Gateway on the noti-fication service.

The doctor monitoring the patient registered the fol-lowing filter with a broker to be notified immediately ofany significant change in the patient’s condition. The doc-tor expressed the following filter:

name = ‘‘John Smith’’ AND (heart_rate > 120 OR sys-tolic_pressure > 150 OR diastolic_pressure > 100).

The doctor will be notified when values exceed thespecified thresholds. When values are normal, they arelogged in the patient’s history and the doctor can retrievethem when necessary. If an employee is able to capturethe filter, he will be able to infer that John Smith is suffer-ing from a heart condition.

Now let us suppose that the doctor received an eventwhich indicates a change in the patient’s condition andneeds to write the following prescription:

name = ‘‘John Smith’’, age = 70, address = ‘‘via Tartini 12,Padova’’, symptom = ‘‘high blood pressure’’, disease =‘‘primary hypertension’’, medication = ‘‘Catapres’’.

The doctor publishes this message through a broker. Anemployee of the company providing the pub/sub systemcould access the messages that come in and out the broker.If the event is sent in cleartext, the employee would learnthe personal data and medical condition of this patient,and even infer that the prescribed drugs will be deliveredto the patient the next day at the specified address. Theemployee could also access the filter registered by the doc-tor and infer that the patient John Smith has a heart prob-lem. That is why, in order to protect the confidentiality ofsensitive data contained by events and filters transmittedover an untrusted outsourced pub/sub system, crypto-graphic mechanisms are needed. Moreover, because differ-ent policies apply to different attributes of the event,without a proper access control system, legitimate sub-scribers would learn information that they are not sup-posed to. For example, if no access control mechanismsare in place, researchers would learn the names and ad-dresses of patients, though only anonymized data shouldbe available to them.

The next section discusses the problems of confidential-ity and access control in pub/sub systems and defines thethreat model. It also defines the properties that we aimto provide with our scheme.

3. Confidentiality and access control in publish/subscribe systems

In many applications such as the one introduced above,the pub/sub system is outsourced and brokers cannot beconsidered trusted. Such applications require mechanismsfor protecting the content of events. If publishers require afee in exchange of the data (e.g. stock quote dissemina-tion), mechanisms are needed to ensure that only payingsubscribers can read the events. Unauthorised parties thatare able to eavesdrop on events should not be able to ac-cess their content. Subscribers express their interests inspecific information through filters. For example, a sub-scriber may wish to receive market data about particularcompanies or be notified when IBM quotes are less than128. Filters reveal information about a subscriber’s inter-ests and they may wish to keep the details of their filtersprivate. Providing confidentiality of filters ensures thattheir content remains hidden from other parties.

Confidentiality of events and filters should be providedtogether [11], otherwise an attacker could learn sensitiveinformation by analysing the flow of messages. If only sub-scription confidentiality is provided, by analysing the mes-sages received by various subscribers, one can infer manythings about their subscription filters. Similarly, if onlyevent confidentiality is provided, an attacker can inferthe content of a message by analysing filters that matchedand did not match the event.

Another issue we need to consider is the privacy of thedata transmitted over the pub/sub network, because itcould contain sensitive information about individuals ororganisations. When such sensitive information is beingsent, it should be possible to control how the data is dis-closed and to whom. The disclosure of sensitive data isusually protected through the enforcement of access


control policies. A policy specifies who can access some dataand under which conditions. Events contain multiple attri-butes and different access control policies could apply toeach. For example, in the e-health application introducedin Section 2, the name of the patient should be disclosedto the Healthcare Authority, but not to the researcher. Ac-cess control solutions for pub/sub systems [12,13] requirebrokers to have access both to the policies and the contentof events in order to enforce fine-grained policies on theattributes of the event (e.g. name, address). However, thesesolutions are not suitable for outsourced environments be-cause they reveal the content of events to the untrustedbrokers. On the other hand, encrypting only the contentof events and leaving the access control policies unen-crypted so that they can be enforced by brokers may notbe sufficient because the policies could reveal sensitiveinformation about the data. For example, if an event sentby the Gateway installed at a patient’s home has attacheda policy granting access to the data to a cardiologist, thecurious employee could infer that the patient suffers froma heart condition even if the actual event is encrypted.

3.1. Threat model

We assume an honest-but-curious model for publishers,brokers and subscribers, as in many papers [20,11]. Thismodel assumes that the entities follow the protocol, butmay be curious to find out information by analysing themessages (events or filters) that are exchanged. For exam-ple, a broker may try to read the content of an event ortry to learn the filtering constraints of subscribers. Sub-scribers may want to read the events delivered to other sub-scribers. We do not consider the case in which publishersand subscribers flood the network with a large number ofmessages in order to disrupt its functioning (denial of ser-vice attack), generate fake message, or brokers drop eventsor do not follow the routing protocol. We assume othermechanisms are in place to detect such misbehaviour.

Moreover, we assume that subscribers have differentaccess rights and that not all events or attributes of anevent should be accessible to all subscribers.

We assume that there is at least a Trusted Authoritywhich generates the encryption and decryption keys. Theauthority does not misbehave and is trusted by all the enti-ties of the system.

In the following we define the properties that a confi-dentiality and access control scheme for pub/sub systemsshould provide, assuming an honest-but-curious trustmodel.

3.2. Properties

This paper proposes an encryption scheme for pub/subsystems in which the following properties are supported:

Definition 1 (P1: Publication confidentiality). Providing thepublication confidentiality property ensures that the con-tent of the event is hidden from the brokers and onlyintended subscribers are able to decrypt the event. Byintended subscribers we mean subscribers that registereda filter matched by the event.

Definition 2 (P2: Subscription confidentiality). Providingthe subscription confidentiality property ensures that thedetails of the filters are hidden from the brokers. The bro-ker should be able only to tell if an event matches a filterbut gain no other information about the event or the filter.

Definition 3 (P3: Scalable key management). Providing asimplified and scalable key management that does notrequire publishers and subscribers to share keys fully sup-ports the loosely-coupled model of the pub/sub paradigm.Key sharing would require redistribution of new keys to allparticipants and re-encryption of all filters when a filter isunsubscribed, thus affecting the scalability of the system.

Definition 4 (P4: Complex encrypted matching). Brokersshould be able to match complex encrypted filters againstencrypted events without learning anything about the con-tent of events or filters. With complex encrypted filters wemean filters that can express conjunctions and disjunc-tions of equalities, inequalities and negations in anencrypted form.

Definition 5 (P5: Access control). Providing access controlmechanisms enables publishers to specify constrains aboutwho can access the content of events. The enforcement ofaccess control policies should not reveal any informationabout the events or filters to brokers. Policies could beenforced for the whole event or for specific attributes ofthe event.

In the following section we provide a review of relatedwork and show that none of the surveyed solutions cansupport all the identified properties.

4. Related work

Current solutions for ensuring confidentiality in pub/sub systems provide only some of the properties satisfiedby our solution, but not all of them at the same time.

Khurana [9] proposes a scheme that targets confidenti-ality of events but not of filters. Events are encoded in XMLformat and only specific fields (e.g., price) are encryptedwith a symmetric key k. The publisher then encrypts k withits public key and attaches it to the message. The brokersforward the events based on the fields left unencryptedand a proxy service changes the encryption of k to anencryption with the public key of the subscriber. This solu-tion achieves partially P1 encrypting only specific fields butnot the entire event. Properties P2 and P4 are not ad-dressed because events are forwarded based on unen-crypted event fields and filters. Key management isscalable and does not require publishers and subscribersto share a key, hence achieving P3.

Raiciu and Rosenblum [10] target simultaneous eventand filter confidentiality. The method primarily encryptsonly the attribute value. The name of the attribute can behidden by concatenating it with the attribute type and sizeand then hashing it (P1 and P2 can be achieved). Publishersand subscribers are required to share a group key (P3 is notachieved) which is used to encrypt events and filters. The


subscriber uses the shared key to ‘‘garble’’ the circuit rep-resentation of the subscription function. The publisher en-crypts the event in a way compatible with the subscriber’scircuit. The broker inputs the encrypted event to the sub-scription circuit in order to check if there is match. Themethod can support equality filtering, range matchingand keyword matching (P4 is partially achieved).

Srivatsa and Liu [20] propose a specific hierarchical keymanagement scheme that achieves confidentiality ofevents (P1) and filters (P2). A trusted centralised authoritydistributes encryption keys to publishers and authorisationkeys to subscribers. To support range matching, keys areorganised in a hierarchical structure, each key correspond-ing to an interval. An authorisation key corresponds to afilter and is able to derive the encryption key for an eventthat matches the filter. Because all publishers and sub-scribers obtain the same keys, unsubscription requiresrekeying. At specific time intervals, keys are regeneratedand subscriptions need to be reconfirmed, which is themain disadvantage of this method. Property P3 is thusnot achieved. Each event has a routable topic attributewhich is encrypted using an encrypted search technique.To prevent dictionary attacks on the events, the routableattributes are tokenized and transformed into pseudo-ran-dom chains. The approach is vulnerable to inference at-tacks which use information about the frequency atwhich events are published to learn information about anevent. To prevent these attacks, a probabilistic multi-pathevent routing scheme is proposed at the cost of extra over-head. This method supports routing based on only one key-word (the topic), hence not achieving P4. It is possible toexpress inequality conditions but they can only be checkedat the subscriber side and not by the brokers. When thesubscriber receives an event matching the expressed topic,the authorisation key of the subscriber will allow derivinga correct decryption key only if the numerical value of theattribute is in the range specified by the subscriber.

Shikfa et al. [11] propose a solution based on multiplelayer commutative encryption that achieves content andfilter confidentiality (P1 and P2). The method uses a localkey management in which each node needs to share a se-cret key with the immediate r neighbours. This has theadvantage that if a subscriber leaves the system, only localkeys need to be revoked. However, this solution requiresmanaging a large number of keys and does not adapt wellto network changes. For example, in a pub/sub system witha single broker, each publisher would need to share a keywith each subscriber and an event will need to be en-crypted for each possible subscriber. Thus key manage-ment is not scalable and P3 is not achieved. To avoidcollusion attacks, r can be set as big as necessary. If r con-secutive nodes collude, they can decrypt their children’ssubscriptions, but not the subscriptions of other nodes.Events and filters contain only one keyword. Encryptedrouting tables are created for a single keyword and thematching operation is basically an equality test (P4 is notachieved).

Chen et al. [21] target information (P1) and subscription(P2) confidentiality and use symmetric encryption toachieve this goal. Their scheme requires the publisher todistribute a secret key k and a random number r to all

subscribers. The random r is added to numerical valuesby both publisher and subscribers in order to hide the realvalues from the brokers. This method has the drawbacksthat it requires a publisher to establish contact with allsubscribers and to redistribute keys and re-encrypt sub-scriptions every time a subscriber leaves the system (P3is not achieved). The scheme can express equalities ofnumerical and non-numerical attributes, and numericalcomparisons. The paper targets only filters with single con-strain (P4 is partially achieved).

Nabeel et al. [22] propose a scheme based on Pedersencommitment and Pailier homomorphic encryption toachieve blinding of attribute values in notifications and fil-ters. The scheme supports only equality of strings andnumerical attributes and inequalities of numerical attri-butes, hence P4 is only partially achieved. Because theattribute names are left unencrypted, P1 and P2 are onlypartially achieved. In order to register a filter, subscribersneed to register themselves first with the publisher to ob-tain a private key k for decryption the message content(encrypted with symmetric encryption) and secret valuesused to blind attribute values. Publishers use the counter-parts secrets to encrypt the events. Because the scheme re-quires publishers and subscribers to share keys, P3 is notachieved.

Choi et al. [23] propose a scheme based on AsymmetricScalar-product Preserving Encryption which allows tocompare the distance between a data point and a querypoint with the distance between the same query pointand another data point. This allows brokers to check equal-ity and inequality conditions without learning the valuesof the attributes (P1 and P2 are achieved). The scheme sup-ports equality, inequality, range and conjunction filtering(P3 is partially achieved). The scheme requires that pub-lishers and subscribers share a secret which is used forencrypting numerical values, hence P4 is not achieved.

Ion et al. [24] analyse requirements for a pub/sub confi-dentiality scheme and suggest a possible solution that ad-dresses properties P1–P4 by combining attribute-basedencryption and encrypted search. However, the paper doesnot provide the concrete construction with formal proof ofsecurity, an access control solution, implementation andintegration with an existing pub/sub system and perfor-mance evaluation. In this paper we extend the work fromRef. [24] to further address these issues.

None of the above solutions addresses the access con-trol problem (P5). Some solutions [12,13] address the prob-lem of access control in pub/sub systems. However, theymake the assumption that the brokers are trusted toread/write events and enforce the policies, which is notapplicable to our application scenario. Bacon et al. [13]proposed a role-based access control mechanism for multi-ple administrative domains sharing a pub/sub network.They assume that each publisher and subscriber is con-nected to a local broker which is trusted to perform theencryption and decryption of the events or filters. An eventis an instance of an event type. An event type has an owner,a type name, and a list of event attributes. Each event attri-bute is associated with its own independent secret key towhich trusted brokers have access. In order to performcontent-based routing, brokers need to be authorised to


access the decryption keys. Intermediate brokers are as-sumed to be untrusted, and hence, they can only forwardevents based on a topic. Access control over the event con-tent is enforced by controlling access to the decryptionkeys. Local brokers check the client’s credentials againstaccess control policies. To perform fine-grained access con-trol over the content of an event, brokers can transform anevent instance either after publication or before notifica-tion to a particular subscriber. Transformations may alterthe values of an event or transform the event into anothertype. A broker can degrade, enrich or produce related eventinstances. This model allows fine-grained enforcement ofaccess control policies over the attributes of events, but itneeds to trust the brokers to enforce the policies and trans-form events. If intermediate brokers are not trusted, con-tent-based routing of events cannot be performed.

Concluding the related work, we observe that in orderto provide confidentiality of events and filters, currentsolutions require publishers and subscribers to share keys,thus hampering the scalability of the system. In order toenforce access control policies, current solutions requirebrokers to have access to the content of events, which iscontrary to the event confidentiality requirements. Ourgoal is to propose a solution that can achieve both confi-dentiality of event and filters, complex filters and enforce-ment of access control policies, while keeping keymanagement scalable.

In the following section, we describe the techniquesused in our approach for supporting all P1-P5 properties.

5. Background

This section provides background information on thetechniques used in our solution. We are particularly inter-ested in encryption schemes that do not require publishersand subscribers to share keys such as proxy encryption andattributed-based encryption, and in encrypted search tech-niques that possess the same property.

5.1. Proxy encryption

Proxy encryption techniques [25] rely on a proxy totransform a ciphertext encrypted under A’s key into aciphertext of the same message that can be decrypted byB’s key. While performing the transformation, the proxyserver does not learn the content of the message. Suchschemes do not require A and B to share keys.

5.2. Attribute-based encryption (ABE)

The concept of attribute-based encryption (ABE) wasfirst introduced in [26]. In their construction, both cipher-text and keys are labelled with sets of attributes. A key isable to decrypt a ciphertext if at least k attributes matchbetween key and ciphertext.

Goyal et al. [27] extended this construction and intro-duced Key-Policy ABE (KP-ABE) in which ciphertexts arelabelled with sets of attributes and private keys are associ-ated with access structures. A key is able to decrypt aciphertext if its associated access structure is satisfied by

the attributes of the ciphertext. The access structure, rep-resented as a tree, allows expressing any monotone accessformula consisting of AND, OR, or threshold gates.

Ostrovsky et al. [28] proposed a KP-ABE scheme thatcan additionally handle negations (i.e. NOT). The data canbe decrypted only if a given attribute (embedded in thekey) is not present among the attributes of the ciphertext.

Bethencour et al. [29] proposed a construction forciphertext policy ABE (CP-ABE) in which policies (accessstructures) are associated with data and attributes areassociated with keys. This is similar to the capability modelin access control. A key can decrypt some data if its associ-ated attributes satisfy the policy associated with the data.They also show how to construct the access tree in orderto additionally handle inequalities.

5.3. Multi-user encrypted search

To preserve the decoupling of publishers and subscrib-ers, we require an encrypted search technique that allowsmultiple users to encrypt data and perform queries on thedata without sharing keys. The main idea of encryptedsearch is that the cryptographic components are dividedbetween users and servers. Users are able to encrypt anddecrypt, and make queries, while the server performs com-putations on the encrypted data, without learning the con-tent of the data or the queries. Many single-user encryptedsearch techniques have been proposed [30–32] which cansupport keyword search or conjunction of keywords. Thedisadvantage is that in order to support multiple users,the users would need to share keys.

More recently, multi-user encrypted search methodswere introduced [33,34]. With these schemes, each userhas its own pair of secret keys which can be revoked whenthe user leaves the system. Ref. [34] propose a data encryp-tion scheme that allows an untrusted server to perform en-crypted searches on data without revealing the data or thekeywords to the server. The advantage of this method isthat it allows multi-user access without the need for ashared key between users. Each user in the system has aunique set of keys. The data encrypted by one user canbe decrypted by any other authorized user. The schemeis built on top of proxy encryption schemes. The idea isthat a user defines a set of keywords for each document.The keywords and document are encrypted using proxyencryption and stored on the server. When a user wantsto search for a document, it needs to create a trapdoorfor each keyword. The trapdoor is used by the server tomatch the search keywords against the keywords of thestored document. The server can identify a match withoutlearning the keyword.

6. Confidentiality solution

In this section, we discuss in details our scheme for pro-viding confidentiality in pub/sub systems.

We assume that an event E consists of: (i) the messageM that represents the content of the event and (ii) a set ofattributes ai that characterise M and are used for event fil-tering by the brokers. An attribute can be a string (e.g.

Fig. 3. Event encryption with proxy encryption.


‘‘financial news’’), or have the form attr_name = attr_value,where attr_value can be either a string or a number. Filtersrepresent conjunctions and disjunctions of attributes,equalities of the form attr_name = attr_value and numericalinequalities such as attr_name op attr_value, where op canbe one of 6, <, P, and >. Current content-based pub/subsystems use a similar model. For example, in JMS eventsconsist of a message body, and a header defining propertiesin the form prop_name = value. Subscribers can define con-strains on the values of the properties. In Siena, an eventconsists of (attribute,value) pairs. To encrypt such an eventwith our method, we assume the content M consists of the(attribute,value) pairs, so M simply contains all attributesai.

To provide confidentiality of the event, both M and theattributes ai need to encrypted. The content M needs to beencrypted by the publisher and decrypted by all theauthorised subscribers, without requiring publishers andsubscribers to share keys (P3). Brokers forwarding theevent from publishers to subscribers should not be ableto access M. The attributes ai describe the event and areused by brokers to match the event against registered fil-ters. Hence, attributes and filters need to be encrypted bypublishers and subscribers in such a way that brokers areable to evaluate encrypted filters using the encrypted attri-butes and without learning what they are. In the sametime, publishers and subscribers should not be requiredto share keys. In the following we give the details and dis-cuss a basic solution and an improved scheme for confi-dentiality of events and filters.

6.1. Basic solution using proxy encryption

Proxy encryption (PE) has the property that it allowsfull decoupling of the communicating parties. In PE, eachuser (publisher or subscriber in our case) has a privatekey that allows it to encrypt and decrypt messages. To pub-lish a message, a publisher needs to encrypt it just oncewith its private key. Before the message is delivered to aparticular subscriber, the broker performs a re-encryptionof the message so that the message can be decrypted bythe subscriber with its private key. Hence, if an eventmatches n filters, the publisher needs to encrypt it justonce, and the brokers will need to perform n re-encryp-tions, one for each subscriber. The advantage of this meth-od is that the publishers and subscribers do not need toshare keys. To encrypt the message M, we use the proxyencryption (PE) method described in [34].

Providing encrypted filtering can be seen as a problemof encrypted search. The broker needs to verify if a list ofattributes attached to the event match a complex en-crypted filter. Current solutions for pub/sub systems [21–23] which achieve filters more complex than keywordsearch, require publishers and subscribers to share secretkeys. On the other hand, multi-user encrypted search tech-niques [34,33] which do not require users to share keys,only provide keyword search. In order to support complexfilters without requiring publishers and subscribers toshare keys, we represent filters as tree access structures[29] capable of expressing conjunctions and disjunctionsof equalities and inequalities, and encrypt the leaf nodes

of the tree with multi-user searchable data encryption(SDE) scheme [34].

In the following, we show the steps that are performedin our scheme.

6.1.1. Init (1k)The initialisation is run by a Trusted Authority (TA) once

at setup and defines the security parameters for the ElGamal based multi-user searchable data encryption (SDE)scheme as in [34]. On input k, the security parameter, out-put two prime numbers p0 and q0 such that q0 = (p0 � 1)/2and jq0j = k, and a cyclic group G0 with generator g0 suchthat G0 is the unique order q0 subgroup of Z�p0

. Let x be cho-sen uniformly at random from Z�p0

and compute h ¼ gx0. Let

H be a collision resistant hash function, f a pseudorandomfunction and s0 a random key for f. Output the public andsecret parameters for El Gamal based SDE: publishPKSE ¼ ðG0; g0; q0;h;H; f Þ, and keep securely MKSE = (x,s0).

For every user (publisher or subscriber), run Key-gen(MKSE, i) as in SDE, where i is the identity of the user.This function chooses xi1 random from Zp0 and gives tothe user (publisher or subscriber) the set (s0,xi1) and com-putes xi2 = x � xi1 and gives to the broker connected to theuser the key (i,xi2).

6.1.2. Event encryptionFig. 3 shows the event encryption steps, run by the pub-

lisher. The publisher defines a set of attributesc = {a1, . . . ,an} and the content M of the event to beencrypted.

Step 1. To encrypt the message M, the publisher p calls thefunction PEnc � U on M. The function chooses rrandomly from Zp0

and outputs the ciphertext cp

ðMÞ ¼ ðgr0; g

rxp10 ÞM.

Step 2. To encrypt the attributes, for every attribute a 2 c,the publisher computes a trapdoor by callingTrap � U((xp1,s0),a) as in multi-user SDE. Trap � U


chooses a random ra in Zq0and computes

TDp(a) = (td1, td2) such that td1 ¼ g�ra0 gra

0 andtd2 ¼ hra g�xp1ra

0 gxp1ra

0 ¼ gðx�xp1Þra

0 gxp1ra

0 ¼ gxp2ra

0 gxp1ra

0 ,where ra ¼ fs0 ðaÞ.

Step 3. The publisher sends the encrypted message cp(M)together with the attribute trapdoors to the bro-ker: Ep = (cp(M), {TDp(a)}a2c).

Step 4. The broker locates the key (p,xp2) corresponding tothe publisher and re-encrypts the message and thetrapdoors. To re-encrypt the message, the brokercalls PEnc � B which computes ðgr

0Þxp2 � grxp1

0 M ¼grðxp1þxp2Þ

0 M ¼ grx0 M and outputs the ciphertext

cðMÞ ¼ ðgr0; g

rx0 MÞ.

Step 5. For each trapdoor TDp(a) = (td1, td2) the brokercomputes TDðaÞ ¼ tdxp2

1 td2 ¼ ðg�ra0 gra

0 Þxp2 � gxp2ra

0 gxp10

ra ¼ gðxp1þxp2Þra

0 ¼ gxra0 ¼ hra . The final encrypted

event is:

Ep ¼ ðcðMÞ; fTDðaÞga2rÞ ¼ gr0; g

rx0 M

� �; fhraga2r

� �

6.1.3. Filter encryptionFig. 4 shows the main steps for generating and encrypt-

ing the filter.

Step 1. The subscriber defines the filter as an access tree F.The main idea is that any filter representing con-junctions and disjunctions of attributes can be rep-resented as a tree in which leaf nodes areattributes and non-leaf nodes are threshold gates.A threshold gate is described by a threshold valueand its children. Let x be a non-leaf node withthreshold value kx and having a number of chil-dren equal to numx. The threshold value kx repre-sents the number of children of the non-leafnode that need to be satisfied in order for the nodeto be satisfied. When kx = 1 it means that only onechild needs to be satisfied, making the thresholdgate an OR. When kx = numx, all children need tobe satisfied making the threshold gate an AND.By allowing threshold values between 1 and numx

(i.e. 1 6 kx 6 numx), we can express more generalconditions such as 2 out of 3 attributes should besatisfied. Each leaf node x is described by an attri-bute and has a threshold value kx = 1, meaning that

Fig. 4. Filter generation and encryption.

the leaf node is satisfied when the attribute ispresent, and not satisfied otherwise.Numeric inequalities can be represented as shownin [29] by using a ‘‘bag of bits’’ representation ofthe numeric attribute. For example, a < 5 can berepresented as shown in Fig. 5, assuming that ais represented on 4 bits.We additionally define the following functions onthe tree: parent(x) returns the parent of a node xand att(x) is defined only for a leaf node andreturns the attribute associated with x. Further,we define an ordering between the children ofevery node x and give each child an index from 1to numx. The function index(x) returns the indexassociated to node x.

Step 2. To provide confidentiality of the filter, the sub-scriber encrypts the leaf nodes using multi-userSDE. For every leaf node x in F run KEnc � U(xs1,aj),where aj = att(x). Choose rj at random from Zp0 andcompute c�ðajÞ ¼ ðcb1; cb2; cb3Þ where cb1 ¼ g

rjþrj0 ;

rj ¼ fs0 ðbÞ; cb2 ¼ cxs1b1 , and cb3 ¼ Hðhrj Þ.

Step 3. The subscriber sends the encrypted filter F⁄ to thebroker. The broker locates the key (s,xs2) corre-sponding to the subscriber and re-encrypts theleaf-node attributes of F⁄. For each attribute c⁄(aj)run KEnc � B(xs2,c⁄(aj)). First compute c(b) =

(cb1,cb2) such that cb1¼ cxs2b1 cb2¼ cxs2þxs1

b1 ¼ grjþrj0

� �x¼

hrjþrj where rj¼ fs0 ðajÞ and cb2¼ cb3.The above operations provide confidentiality of the filter,thus achieving property P2. At the same time, the filter isable to express any monotone and non-monotone accessformula, thus achieving property P3.

6.1.4. Filtering of eventsWhen a new event E is published, for every filter F⁄ the

broker runs a recursive algorithm on the tree F⁄ startingwith the root node to check if it is satisfied by the attri-butes of the event. A non-leaf node x is satisfied if the num-ber or satisfied children is equal of greater than kx, thethreshold value of the node. A leaf node containing attri-bute b encrypted as c(b) = (cb1,cb2) is satisfied if b is amongthe attributes of the event, encrypted as {TD(a)}a2c. Tocheck if a leaf node attribute b matches an event attributea, the broker needs to verify if cb2 = H(cb1TD(a)�1), wherecb2 ¼ Hðhrb Þ and Hðcb1TDðaÞ�1Þ ¼ Hðhrbþrb h�ra Þ. The equal-ity holds if ra = rb, which means that a = b. If the equalitydoes not hold, a does not match b. If the filter F⁄ is satisfied,

Fig. 5. Tree representation for a < 5 on 4 bits.


the broker pre-decrypts the event E using the key (s,xs2)corresponding to the subscriber s and forwards the pre-de-crypted event Es to the subscriber s.

6.1.5. Event decryption

Step 1. Before sending the event to the subscriber, thebroker pre-decrypts c(M) = (gr,grxM) by callingthe function PDec � B as shown in Fig. 6. The bro-ker retrieves the key (s,xs2), corresponding to thesubscriber s and computes grxM � ðgrÞ�xs2 ¼ grðx�xs2Þ

M ¼ grx1 M. The broker forwards the event Es ¼ðgr ; grxs1 MÞ to the subscriber.

Step 2. After receiving the event, the user decrypts theciphertext as grxs1 M � ðgrÞ�xs1 ¼ M.

6.2. Enhanced scheme with KP-ABE encryption

In this section we provide an enhanced scheme that ad-dresses a more powerful threat model in which the entitiescan collude in order to get access to the content of eventsor filters.

6.2.1. Threat modelWe previously assumed an honest-but-curious threat

model for brokers, publishers and subscribers whichmeans that they follow the protocol correctly, but are curi-ous to learn as much as possible about the exchanged mes-sages. Under this assumption, brokers forward eventsaccording to the protocol and do not disclose encryptedevent content or keys to other entities in the system. Inthe following, we additionally assume that brokers maytry to collude with publishers or subscribers, or that pub-lishers and subscribers might collude between them in or-der to get access to the content of events and filters forwhich they are not authorised. This means that brokerscould make encrypted events available to publishers or

Fig. 6. Event decryption.

subscribers that did not express a valid filter for them.Moreover, we assume that subscribers who do not havethe credentials to decrypt an event but are able to get ac-cess to the ciphertext, might collude in order to decryptthe event by combining their keys. In the following we de-scribe how to enhance the previous scheme to additionallyhandle collusions.

Definition 6 (P6: Collusion resistance). Providing the col-lusion resistance property ensures that publishers, brokersand subscribers are not able to combine their keys in orderto gain unauthorised access to the content of events orfilters.

Our basic solution provides confidentiality of events(P1) and filters (P2), complex filters (P4), while not requir-ing publishers and subscribers to share keys (P4). Thescheme is also secure against collusions between publish-ers and subscribers. If any number of publishers and sub-scribers share there keys, there are still not able todetermine the master key and decrypt other messages be-cause the broker holds the other side of all their keys. How-ever, if a publisher or subscriber collude with the broker,they can compute the master key for proxy encryption xand then are able to decrypt all the events. In order to cir-cumvent this weakness, we need an encryption schemethat is collusion resistant and assigns to each subscribera key that decrypts only events that satisfy the subscriber’sfilter. If a subscriber colludes with a broker, other subscrib-ers or publishers, they should not be able to decrypt eventsfor which they did not register a valid filter. In the follow-ing we introduce a new scheme that can additionally pro-vide the collusion resistance property.

To achieve this, we use KP-ABE encryption. In KP-ABE,messages are encrypted under a set of attributes. In ourscenario, publishers attach a set of attributes to each event.So the message content M could be encrypted under the setof attributes c. Decryption keys in KP-ABE are defined foran access policy and can decrypt only ciphertext that hasattached attributes that satisfy the policy. Hence, if theTrusted Authority gives each subscriber a KP-ABE decryp-tion key corresponding to the subscriber’s filter, the sub-scriber will be able to decrypt only events that satisfy thefilter and not others. In this way, each subscriber has aset of keys that decrypt only events to which it subscribed.KP-ABE [27] is collusion resistant. Brokers do not get anyKP-ABE keys, so they cannot collude with publishers orsubscribers. Publishers are only given public keys, so theycannot collude either. Subscribers are given a secret keyfor each filter policy, but because the TA uses a unique ran-dom to blind each policy, subscribers cannot combine theirkeys and get access to events for which they did not sub-scribe. In the following we give the details of the enhancedscheme using KP-ABE.

6.2.2. Init (1k)The initialisation is run by a Trusted Authority and de-

fines the security parameters for KP-ABE and El Gamalbased SDE schemes.

We describe how to generate the KP-ABE parameters.Let G1 be a bilinear group of prime order p, and let g be agenerator of G1. Additionally, let e : G1xG1 ! G2 be a


bilinear map. A security parameter k will determine thesize of the groups. In addition, define the Lagrange coeffi-cient Di,S for i 2 Zp and a set S of elements in Zp:Di;SðxÞ ¼

Qj2S;j–i

x�ji�j. Each attribute will be mapped to a

number in Z�p by using a collision resistant functionH1 : f0;1g� ! Z�p. This allows using arbitrary strings asattributes and adding them to a user’s private key. Theevent will be encrypted using a set of at most n elementsof Z�p.

Choose a random y 2 Zp and compute g1 = gy. Alsochoose a random element g2 from G1. Let N be the set{1,2, . . . ,n + 1}, where n is the maximum number of attri-butes used for event encryption. Choose t1, . . ., tn+1 uni-formly at random from G1. Define a function T as:

TðXÞ ¼ gXn

2

Ynþ1

i¼1

tDi;NðXÞi :

Publish the public parameters as: PKKP: g1, g2, t1, . . ., tn+1,and keep securely the master key MKKP: y.

The parameters for the El Gamal based SDE scheme aredefined as described in Section 6.1.1. The TA publishes thepublic parameters PKSE ¼ ðG0; g0; q0;h;H; f Þ, and keeps se-curely MKSE = (x,s1). Additionally, compute and give toevery user i (publisher or subscriber) the secret key (s,xi1)and give the corresponding key (i,xi2) to the broker.

6.2.3. Event encryptionFig. 7 shows the steps needed to encrypt an event. The

publisher specifies a set of attributes c under which thecontent M 2 G2 of the event will be encrypted.

Step 1. The publisher encrypts the message M under c asin KP-ABE. Choose a random s 2 Zp and computethe ciphertext as:

EncryptðM; c; PKKPÞ ¼ ðc; E0 ¼ Meðg1; g2Þs;

E00 ¼ gs; fEa ¼ TðaÞsga2cÞ

Step 2. To encrypt the attributes, for every attribute a 2 c,the publisher computes a trapdoor by callingKEnc � U((xp1,s0),a) as in multi-user SDE. Trap � Uchooses a random ra in Zq0 and computes TDp(a) =(td1, td2) such that td1 ¼ g�ra

0 gra0 and td2 ¼ hra g�xp1ra

0

gxp1ra

0 ¼ gðx�xp1Þra

0 gxp1ra

0 ¼ gxp2ra

0 gxp1ra

0 where ra¼ fs0 ðaÞ.

Fig. 7. Event encryption.

Step 3. The publisher sends the encrypted message cp(M)together with the attribute trapdoors to thebroker:

Ep ¼ ðfTDpðaÞga2c; E0 ¼ Meðg1; g2Þs;

E00 ¼ gs; fEa ¼ TðaÞsga2cÞ

Note that we replaced the unencrypted set ofattributes c (as it appears in KP-ABE) with the en-crypted trapdoor values {TDp(a)}a2c.

Step 4. The broker locates the key (p,xp2) corresponding tothe publisher and re-encrypts the trapdoors{Tp(a)}a2c. For each trapdoor TDp(a) = (td1, td2)it computes TDðaÞ ¼ tdxp2

1 td2 ¼ g�ra0 gra

0

� �xp2 � gxp2ra

0

gxp1ra

0 ¼ gðxp1þxp2Þra

0 ¼ gxra0 ¼ hra . The final encrypted

event is:

E ¼ ðfTDðaÞga2c; E0 ¼ Meðg1; g2Þs;

E00 ¼ gs; fEa ¼ TðaÞsga2cÞ:

The above operations provide confidentiality of the mes-sage and attributes of the event, thus achieving propertyP1.

6.2.4. Filter encryptionFig. 8 shows the main steps for generating and encrypt-

ing the filter. Filter construction as an access tree andencryption with SDE is performed as in Section 6.1.3. Addi-tionally, we require that the TA generates a decryption keycorresponding to the filter policy that decrypts only eventsthat match the filter. The steps that need to be performedare the following.

Step 1. The subscriber defines the filter as an access tree F.The access tree is constructed as in Section 6.1.3,Step 1.

Step 2. The subscriber sends the filter F to the TA andrequests a decryption key DF. The key is computedas follows. Choose a polynomial qx for each node xin the tree F. The polynomials are chosen in a top

Fig. 8. Filter generation and encryption.


down manner, starting from the root node r. Foreach node x in the tree, set the degree dx of thepolynomial qx to be one less than the thresholdvalue kx of that node, that is, dx = kx � 1. Now forthe root node r, set qr(0) = y and dr other pointsof the polynomial qr randomly to define it com-pletely. For any other node x, set qx(0) =qparent(x)(index(x)) and choose dx other points ran-domly to completely define qx.Once the polynomials have been decided, for eachleaf node x, the TA gives the following secret val-ues to the subscriber:

Dx ¼ gqxð0Þ�TðbÞrx

2 ; where b ¼ attðxÞRx ¼ grx

where rx is chosen uniformly at random from Zp

for each node x. The set of the above values isthe filter DF, corresponding to a decryption keyin KP-ABE.

Step 3. The TA sends the decryption key DF to the sub-scriber on a secure channel. The subscriber storesthe key securely.

Step 4. To provide confidentiality of the filter, the sub-scriber encrypts the leaf nodes using multi-userSDE as described in Section 6.1.3, Step 2. For everyleaf node x in F run KEnc � U(xs1,aj), where aj =att(x). Choose rj at random from Zp0

and computec�ðajÞ ¼ ðcb1; cb2; cb3Þ where cb1 ¼ g

rjþrj0 ; rj ¼ fs0 ðbÞ;

cb2 ¼ cxs1b1 , and cb3 ¼ Hðhrj Þ. The subscriber sends

F⁄ to the broker.Step 5. The broker re-encrypts the filter as in the previous

scheme. The broker locates the key (s,xs2) corre-sponding to the subscriber and re-encrypts theleaf-node attributes of F⁄. For each attribute c⁄(aj)run KEnc � B(xs2,c⁄(aj)). First compute c(b) =(cb1,cb2) such that cb1 ¼ cxs2

b1 cb2 ¼ cxs2þxs1b1 ¼

grjþrj0

� �x¼ hrjþrj where rj ¼ fs0 ðajÞ and cb2 ¼ cb3.

6.2.5. Event decryption

Step 1. The subscriber performs the KP-ABE decryption ofthe event using the key DF. The subscriber calls arecursive function DecryptNode(Ep,DF,x) on theroot node of the tree F. If x is a leaf node, the func-tion first checks if att(x) = b encrypted as (cb1,cb2)is contained in the set of attributes of the event.For every attribute a in the event encrypted asTD(a), checks if cb2 = H(cb1 � TD�1). If this is thecase, compute:

DecryptNodeðEp;DF ; xÞ ¼eðDx; E

00ÞeðRx; EbÞ

¼ eðgqxð0Þ2 � TðbÞrx ; gsÞeðgrx ; TðbÞsÞ

¼ eðgqxð0Þ2 ; gsÞ � eðTðbÞrx ; gsÞ

eðgrx ; TðbÞsÞ¼ eðg; g2Þ

sqxð0Þ

otherwise, DecryptNode(E,DF,x) = \.

We now consider the recursive case when x is anon-leaf node. The algorithm DecryptNode(E,DF,x) thenproceeds as follows. For all nodes z that are children of x,it calls DecryptNode(E,DF,z) and stores the output as Fz.Let Sx be an arbitrary kx-sized set of child nodes z suchthat Fz – \. If no such set exists then the node was notsatisfied and the function returns \. Otherwise, wecompute:

Fx ¼Yz2Sx

FDi;S0xð0Þz ; where i¼ indexðzÞ; S0x ¼ findexðzÞ : z2 Sxg

¼Yz2Sx

ðeðg;g2Þs�qzð0ÞÞDi;S0x

ð0Þ

¼Yz2Sx

ðeðg;g2Þs�qparentðzÞðindexðzÞÞÞDi;S0x

ð0Þðby constructionÞ ð1Þ

¼Yz2Sx

ðeðg;g2Þs�qxð0ÞÞDi;S0x

ð0Þ

¼ eðg;g2Þsqxð0Þ ðusing polynomial interpolationÞ

and return the result. In case of a successful match, thesubscriber obtains M from E0 = Me(g1,g2)s by dividing itwith e(g1,g2)s.

6.3. User revocation and subscription expiration

Users can be prevented from publishing new events andregistering new filters by revoking their SDE broker side ofthe key (i,xi2). The Trusted Authority revoking the user’srights needs to send a request to the broker to delete theuser’s key from its keystore. In the basic scheme, subscrib-ers have one key for decrypting all events. So if a subscriberhas registered several filters and the authority wants to re-voke a subset of the filters, the only way to prevent thesubscriber from receiving events matching the revokedsubscriptions, is for the TA to contact the broker and re-quest to unsubscribe the expired filters.

In the enhanced scheme, subscribers get a uniquedecryption key from the TA for each filter. The TA can makedecryption keys valid until a specific date or time. Afterthat, the subscriber cannot use the key any more to decryptevents and needs to contact the TA to renew the key. Thesubscriber does not need to contact the broker to renewthe filter every time the key gets renewed. We present inthe following the modified enhanced scheme with sub-scription expiration dates.

6.3.1. Init (1k)It is run by the TA as in the previous scheme.

6.3.2. Event encryptionTo prevent subscribers from using expired decryption

keys, publishers add to the list of attributes under whichM is encrypted date information. For example, the pub-lisher adds to the list of attributes {ai} describing the eventthe following attributes: ‘‘day = 17, month = 9, year =2011’’. These attributes do not need to be encrypted, butonly used in the KP-ABE encryption of M. So for every dateattribute a, the publisher needs to additionally compute

Fig. 9. Example of a policy for expiration date 15/12/2012.


Ea = T(a)s and add it to the encrypted event Ep (see Section6.2.3).

6.3.3. Filter encryptionThe subscriber generates the filter and sends it to the TA

to obtain a decryption key as before. The TA extends theaccess tree structure of the filter F with the condition thatdate is prior to a specific expiration date and creates a KP-ABE decryption key for the extended access structure. Theextended access structure becomes F AND date policy. Fig. 9shows an example of a date policy. The leaf nodes repre-senting numeric qualities and inequalities need to furtherbe expanded as sub-trees using ‘‘bag of bits’’ representa-tions of the attributes as shown in Fig. 5.

6.3.4. Filtering of eventsThis operation is performed by the broker as in the pre-

vious scheme. The date attributes added by the publisherto the event are simply ignored by the broker.

6.3.5. Event decryptionThe subscriber uses the KP-ABE decryption key to de-

crypt the event. The decryption succeeds only if the keyis unexpired.

%

%

Fig. 10. Decryption key generation and attribute encryption.

7. Access control with encrypted policies

Enforcing access control policies in outsourced pub/subsystems is more challenging because of the loose couplingof publishers and subscribers, and because brokers are nottrusted. When publishers publish a new event, they do notknow exactly who will receive it. An access control for pub/sub systems should not rely on knowing the identities ofthe receiving parties, but instead describe receivers bytheir credentials or attributes. To control the disseminationof events, some solutions [13,12] proposed that the brokersbe trusted to enforce the policies. In these solutions, bro-kers have access to the content of events and the accesscontrol policies. However, this assumption limits the appli-cability of the model to scenarios in which the brokers arecontrolled by a trusted institution. In the following we pro-pose a solution for enforcing access control policies in pub/sub systems which does not reveal any information aboutthe event or the access control policies to the brokers.

To allow publishers to express constrains on who canaccess the message content M (or parts of the content),we can use CP-ABE encryption. CP-ABE allows a publisherto encrypt a message under an access policy, similar tothe policy we used to represent a filter. Only subscriberspossessing attributes that satisfy the policy can decryptthe message. For example, a publisher might specify thatonly employees of a particular organisation holding a spe-cific position should have access to the content of event.The drawback of CP-ABE is that it sends the encryption pol-icy on the clear together with the ciphertext. To hide thepolicy from the broker, the policy could be encrypted usingPE. When the subscriber receives the policy, it can decryptthe event only if it has the required credentials. However,this approach does not enable the broker to check the pol-icies. If the broker is able to check if a subscriber is author-ised to read an event or not, the number of events thatbrokers need to forward is reduced. In the following we de-scribe a solution using the multi-user SDE scheme to en-crypt policies and subscribers’ attributes. In this way, it ispossible to verify if a subscriber satisfies the access policyexpressed by the publisher, while not revealing the policyto the broker, and without requiring publishers and sub-scribers to share keys.

Fig. 10 shows the steps needed to generate a CP-ABEdecryption key for the subscriber and to encrypt the sub-scriber’s attributes using SDE.

Step 1. The TA runs the Init(k) algorithm which generatesthe public key PKCP and the master secret key MKCP

for CP-ABE.Step 2. The TA generates a decryption key Ks for the sub-

scriber’s attributes. To make the decryption keyvalid until a specific expiration date, the TA

Fig. 11. Policy encryption.

Fig. 12. Access tree implementing heart_rate > 120.


includes in the key attributes for the expirationdate such as ‘‘day = 1’’, ‘‘month = 12’’, ‘‘year =2012’’.

Step 3. The subscriber encrypts its attributes using multi-user SDE by invoking the method KEnc � Udescribed in Section 6.

Step 4. The broker re-encrypts the subscriber’s attributesby calling the method KEnc � B.

Fig. 11 shows the steps for encrypting the policy andencrypting the event under the encrypted policy.

Step 1. The publisher generates the policy P as an accesstress structure. The policy includes a conditionfor date prior to the current date (i.e. the date atwhich the event is generated). The publisherencrypts the message using CP-ABE under policy P.

Step 2. The publisher encrypts the policy P with SDE bycalling the function KEnc � U described in Section6 on the leaf nodes of the policy. The subscriberthen forwards the ciphertext together with theencrypted policy to the broker. If needed, the sub-scriber could re-encrypt the message using theenhanced method. The CP-ABE encryption ensuresthat only subscribers possessing the required attri-butes are able to decrypt the message, thus enforc-ing the access control policy. The enhancedmethod ensures that only subscribers who regis-tered a filter matching the event can decrypt it.

Step 3. The broker re-encrypts the policy P⁄ by callingKEnc � B on the leaf nodes of the access tree. Thebroker can now match the policy P against theattributes TD(a1), . . ., TD(an) of the publisher andwill forward the event to the subscriber, if (i) theevent matches the subscriber’s interest, and (ii)the subscriber has the required attributes.

8. The e-health application revisited

In the following we show how by applying our solutionto the example in Section 2.1 we are able to provide confi-dentiality of the data and enforce that only authorised par-ties are able to access it.

First we show how filters are generated and encrypted.Filters are expressed as access trees following the

construction from [29], which is able to express inequali-ties of numerical attributes. The idea is to create an attri-bute for each bit of the number and use AND and ORgates to express the inequality. We illustrate how to do thisfor heart rate > 120 in Fig. 12. 120 = 1111000 in binary.

The leaf attributes of the tree are encrypted using SDE.The filter becomes:

c⁄(name = John_Smith) AND.(c⁄(heart_rate = 1⁄⁄⁄⁄⁄⁄) AND c⁄(heart_rate = ⁄1⁄⁄⁄⁄⁄)

AND c⁄(heart_rate = ⁄⁄1⁄⁄⁄⁄) AND c⁄(heart_rate = ⁄⁄⁄1⁄⁄⁄)AND c⁄(heart_rate = ⁄⁄⁄⁄1⁄⁄) OR c⁄(heart_rate = ⁄⁄⁄⁄⁄1⁄)OR c⁄(heart_rate = ⁄⁄⁄⁄⁄⁄1)) OR c⁄(systolic_pressure > 150)OR c⁄(diastolic_pressure > 100).

We do not show all the details for c⁄(systolic_pressure > 150) and c⁄(diastolic_pressure > 100).

To encrypt a prescription, a doctor proceeds as follows.For every attribute like patient name, age, address, medica-tion, etc. there is a hospital policy in place which specifieswho can view the attribute and under which conditions.The policy is expressed using a CP-ABE access tree. Eachattribute will be encrypted under the corresponding CP-ABE access tree. For example, the doctor would need to en-crypt the prescription under the following policies.

Pname: (nurse AND level > 3 AND San_Raffaele) OR (doc-tor AND San_Raffaele) OR DMSPage: senior_researcher OR (auditor AND HA1) OR (doc-tor AND San_Raffaele) OR DMSPaddress: DSM OR (nurse AND level > 3 AND San_Raffaele)OR (doctor AND San_Raffaele)Psymptom: senior_researcher OR auditor OR (nurse ANDlevel > 3 AND San_Raffaele) OR (doctor ANDSan_Raffaele)Pdisease: DSM OR senior_researcher OR (auditor ANDHA1) OR (nurse AND level > 3 AND San_Raffaele) OR(doctor AND San Raffaele)Pmedication: DSM OR senior_researcher OR (auditor ANDHA1) OR (nurse AND level > 3 AND San_Raffaele) OR(doctor AND San_Raffaele)

The prescription becomes:

fname ¼ JohnSmithgPname; fage ¼ 70gPage

,faddress ¼ via Tartini 12; PadovagPaddress

,fsymptom ¼ high blood pressuregPsymptom

,fdisease ¼ primary hypertensiongPdisease

,fmedication ¼ CatapresgPmedication

.


Each attribute of the prescription will be encrypted un-der the corresponding policy. Though different parts of theinformation should be made available to different consum-ers such as the patient, Healthcare Authority, ResearchCenter, DMS, other doctors or nurses working in the hospi-tal, with our solution the message is published only once.Without a proper encryption technique in place, a differentmessage would need to be created for each different con-sumer type, as has been proposed in [13,12], where the lo-cal broker takes care of creating the different events.

Then the whole event is encrypted using KP-ABE underthe attributes it contains, i.e. name = John Smith, age = 70,etc. This ensures that only subscribers that expressed a fil-ter matched by attribute of the event will receive theevent. Brokers will be able to perform the check withoutlearning the attributes of the event or the details of the fil-ter. To hide the attributes from the broker, the publisherwill replace them with trapdoors computed as in SDE.

The published message contains the encrypted pre-scription (using CP-ABE and KP-ABE) and the trapdoors ofthe prescription attributes computed as shown in step (3)in Fig. 2. The trapdoors will be: TD (name = John Smith),TD (age = 70).

TD (symptom = primary hypertension) etc. The en-crypted prescription will be forwarded to consumers bychecking if these attributes satisfy the filters they regis-tered. When they receive the message, only those who sat-isfy the CP-ABE policies will be able to recover the contentof the prescription (or specific parts of it).

9. Security analysis

This section evaluates the security of the schemes. Westart by introducing some concepts needed to understandthe analysis and then discuss the security of the filterencryption and event encryption.

9.1. Preliminaries

We start by defining some concepts that are useful tounderstand the proof. In general a scheme is considered se-cure if no adversary can break the scheme with probabilitysignificantly greater than random guessing. The adver-sary’s advantage in breaking the scheme should be a neg-ligible function of the security parameter.

Definition 7 (Negligible Function). A function f is negligibleif for each polynomial p() there exists N such that for allintegers n > N it holds that f ðnÞ < 1

pðnÞ.

Fig. 13. Event and filter encryption.

We consider a realistic adversary that is computation-ally bounded and show that our scheme is secure againstsuch an adversary. We model the adversary as a random-ized algorithm that runs in polynomial amount of timeand show that the success probability of any such adver-sary is negligible. An algorithm that is randomized andruns in polynomial amount of time is called a probabilisticpolynomial time (PPT) algorithm.

Our scheme relies on the existence of a pseudorandomfunction f. Intuitively, the output a pseudorandom functioncannot be distinguished by a realist adversary from that of

a truly random function. Formally, a pseudorandom func-tion is defined as:

Definition 8 (Pseudorandom Function). A function f:{0,1}⁄ � {0,1}⁄? {0,1}⁄ is pseudorandom if for all PPTadversaries A, there exists a negligible function negl suchthat:

jPr½Afkð�Þ ¼ 1� � Pr½AFð�Þ ¼ 1�j < neglðnÞ

where k ? {0,1}n is chosen uniformly randomly and F is afunction chosen uniformly randomly from the set of func-tion mapping n-bit strings to n-bit strings.

Our proof relies on the assumption that the DecisionalDiffie-Hellman (DDH) is hard in a group G, i.e. it is hardfor an adversary to distinguish between group elementsgab and gc given ga and gb.

Definition 9 (DDH Assumption). The Decisional Diffie-Hellman (DDH) problem is hard regarding a group G iffor all PPT adversaries A, there exists a negligible functionnegl such that jPr½AðG; q; g; ga; gb; gabÞ ¼ 1� � Pr½AðG; q;g; ga; gb; gcÞ ¼ 1�j < neglðkÞ where G is a cyclic group oforder q (jqj = k) and g is a generator of G, and a; b; c 2 Zq

are uniformly randomly chosen.
The schemes we are using in our solution (i.e. SDE, KP-
ABE and CP-ABE) have been proven to be indistinguishableunder chosen plaintext attack (IND-CPA) and we will provethat our scheme is also IND-CPA secure. A cryptosystem isconsidered IND-CPA secure if no PPT adversary, given anencryption of a message randomly chosen from two plain-text messages chosen by the adversary, can identify themessage choice with non-negligible probability.

9.2. Scheme overview

Fig. 13 shows the different encryption schemes that areused to provide confidentiality of events and filters.

To ensure confidentiality of events, our scheme en-crypts both the message content M and its associated attri-butes {ai}. In the basic scheme, messages are encryptedusing proxy encryption (PE), while the enhanced schemeencrypts messages using KP-ABE [27]. If access control pol-icies need to be enforced, then M is also encrypted with CP-ABE [29]. Both schemes encrypt event and filter attributesusing multi-user SDE [34].


[35] proves that the concrete PE construction and thesingle keyword encryption scheme (KEnc) built upon ElGamal are IND-CPA under the assumption the DDH prob-lem is hard relative to the group on which El Gamal is de-fined. In the following we show that the filter encryptionand event encryption schemes are also IND-CPA secure.We show that breaking our scheme reduces to breakingthe above cryptosystems (i.e. PE, KEnc) that have been pro-ven to be IND-CPA secure.

9.3. Security of filter encryption

Our filter encryption scheme FE uses the single keywordencryption scheme KEnc of SDE to encrypt the leaf nodes ofthe tree. We recap bellow the operations needed to encrypta filter:

Init(k) The TA generates the public key PK ¼ ðG0; g0;

q0; h;H; f Þ, and the master secret key MK = (x,s0).KeyGen(MK, i) The TA gives to user i the key (xi1,s0) and

to the broker (i,xi2).FE � U(F) On every leaf node l of the filter, the user calls

KEnc � U(xi1, l) and computes c1 ¼ cxi21 c1 ¼ cxi2þxi1

1 ¼grþrl

0

� �x ¼ hrþrl .FE � B(F) The broker re-encrypts every leaf node by call-

ing KEnc � B(xi2,c⁄(l)). Compute c(l) = (c1,c2) such that

cl1 ¼ cxi21 c2 ¼ cxi2þxi1

1 ¼ grþrj0

� �x¼ hrþrj where c2 ¼ c3.

In the following we prove that the filter encryptionscheme is secure in the sense that the broker learns noth-ing about the encrypted leaf nodes in a chosen plaintextattack.

[35] showed that the single keyword encryptionscheme KEnc is IND-CPA secure against the broker andproved that the following holds:

Theorem 1. If the DDH problem is hard relative to G0, thenthe keyword encryption KEnc scheme is IND-CPA secureagainst the broker. That is, for all PPT adversaries A thereexists a negligible function negl such that:

SuccAKE;BðkÞ ¼ Pr b0 ¼ b

ðParams;MKÞ Initð1kÞðKu;KsÞ KeyGenðMK;UÞkw0; kw1 AKEnc�UðKu ;�ÞðKsÞ

b R f0;1gc�i ðkwbÞ ¼ KEnc � Uðxi1; kwbÞb0 AKEnc�UðKu ;�Þ Ks; c�i ðkwbÞ

� �

��

3777777777775

2666666666664

<12þ neglðkÞ ð2Þ

Using this result, we now show that our filter encryp-tion scheme FE using KEnc to encrypt the leaf nodes ofthe tree is also IND-CPA against the broker.

Theorem 2. If the single keyword encryption KEnc scheme isIND-CPA secure against the broker, then the filter encryptionscheme FE is also IND-CPA. That is, for all PPT adversaries A,there exists a negligible function negl such that SuccAFE;BðkÞ <12þ neglðkÞ.

Proof. To prove FE is secure, we define the following gamein which the adversaryA challenges the game with two fil-ters F0 and F1 having the same structure and the samenumber of leaf nodes t. We construct the following vectorcontaining the encryption of leaf nodes from both filters:

C!ðiÞ ¼ C l1

0

� �; . . . ;C li

0

� �;C liþ1

1

� �; . . . ;C lt

1

� �. The success

probability of the adversary in distinguishing the encryp-tion of the two filters is defined as:

SuccAðkÞ ¼12

Pr½AðC!0Þ ¼ 0� þ 1

2Pr½AðC

!tÞ ¼ 1� ð3Þ

In the following we show that breaking the FE schemereduces to breaking the KEnc game. In the KEnc game fromRef. [35], the adversary challenges the game with twokeywords kw0 and kw1 and tries to distinguish betweentheir encryptions. Let us consider a PPT adversary A0 whoattempts to challenge the single keyword encryptionscheme KEnc using the corresponding FE adversary A as asub-routine The game is the following:

� A0 is given the parameters ðG0; q0; g0;h;H; f Þ as inputand for each user i is given (i,xi2).� A0 passes these parameters to A.� A generates two filters F0 and F1 having the same non-

leaf nodes and the same number of leaf-nodes t andgives them to A0.� A0 chooses i r ½1; t�. It then uses li

0; li1 to challenge the

single keyword encryption KEnc game. The adversarygets back ci

b as the result, where cib is the encryption

of either li0 or li

1. A0 uses this result to construct a hybridvector c1

0; . . . ; ci�10 ; ci

b; ciþ11 ; . . . ; ct

1

� �and sends it to A.

� A0 outputs b0, the bit output by A.

A is required to distinguish C!ðiÞ and C

!ði�1Þ and theprobability of A’s success in distinguishing correctly is:

SucciAðkÞ ¼

12

Pr½AðC!ðiÞÞ ¼ 0� þ 1

2Pr½AðC

!ði�1ÞÞ ¼ 1� ð4Þ

Because i is randomly chosen, it holds that:

SuccA0 ðkÞ ¼Xt

i¼1

SucciAðtÞ �

1t

¼ 12t

Pr½AðC!0Þ ¼ 0� þXt�1

i¼1

ðPr½AðC!iÞ ¼ 0�

þ Pr½AðC!iÞ ¼ 1�Þ þ 12

Pr½AðC!tÞ ¼ 1�

¼ 1t

12

Pr½AðC!0Þ ¼ 0� þ 12

Pr½AðC!tÞ ¼ 1��

þ t � 12t

¼ 1t

SuccAðkÞ þt � 1

2tð5Þ

Because the success probability of A0 to break the singlekeyword encryption scheme is SuccA0 ðkÞ < 1

2þ neglðkÞ, itfollows that SuccAðkÞ < 1

2þ neglðkÞ. h

9.4. Security of event encryption

The main task of a broker in a pub/sub system is tomatch incoming events against stored filters. Though both

=

∨

∧

Fig. 14. Event matching against two filters. TD(a1) matches li1 and lj2.


events and filters are encrypted, the protocol leaks to thebroker the outcome of the matching operation, whichevents match which filters, and the pattern of the sequenceof events and filters arriving at the broker. In the followingwe show that our basic scheme does not leak anything be-yond this. The proof of security for the enhanced scheme issimilar.

We adapt the definition of non-adaptive indistinguish-ability security introduced for encrypted databases byCurtmola et al. [36] and adapted by Dong et al. [35] in amulti-user setting. As opposed to encrypted databaseswhere the server stores the data and executes queries asthey come, a broker in a pub/sub system stores the filters(i.e. the queries) and evaluates all of them on a given event(i.e. a data item). For our proof we use the same idea as in[36,35] and show that given two non-adaptively generatedhistories with the same length and outcome, no PPT adver-sary can distinguish one from another based on what it canobserve from the interaction. Non-adaptive history meansthat the adversary cannot choose sequences of eventsbased on previous events and matching outcomes.

In our protocol, a history is represented by the interac-tions between a broker B and all publishers and subscribersconnected to the broker, i.e a history is a sequence ofevents and filters arriving at the broker. We will refer inthe following to these as requests.

Definition 10 (History). A history Hi is an interactionbetween a broker and all publishers and subscribersconnected to it, over i requests (event publication or filtersubscription), on a set of filters F stored by the broker.Hi ¼ ðF ; ru1

1 ; . . . ; ruii Þ, where ui are the identifiers of the

users (publishers or subscribers) making the requests(publications or subscriptions).

We formalize the information leaked to a broker as atrace. We define two kinds of traces: the trace of a singlerequest and the trace of a history. The trace of an eventpublication request leaks to the broker (i) the list of filtersthat match a given event, and (ii) which event attributematches which leaf node in the filters. The outcome ofthe event matching operation can be represented as a setof filter ids that match the event, a list of event attributetrapdoors, and for each trapdoor, a list of indexes pointingto filter leaf nodes matching the trapdoor. The encryptionof filter attributes is non-deterministic, meaning that equalattributes encrypt to different ciphertexts due to the factthat a unique random number is selected every time anattribute is encrypted. Because of this, all leaf nodes in fil-ters are different and the broker cannot tell if two leaf nodeciphertexts encrypt the same attribute or not. However,when the broker matches an event against the filters, itcan identify which filter attributes match the same trap-door of an event. Formally, a trace of a publication requestcan be written as: pt(E) = {id(F1), . . . , id(Fm), jc(M)j, (TD(a1),indexk, . . . , indexj), . . . , (TD(an), indexl, . . . , indexv)}, wherejc(M)j is the size of the ciphertext.

Fig. 14 shows an event containing two attributes withtheir trapdoors TD(a1) and TD(a2) and two filters registeredon the broker Fi and Fj. Let’s assume that TD(a1) matchesleaf nodes li1 of Fi and lj2 of Fj, and that TD(a2) does not

match any leaf nodes. In this case only filter Fi is satisfied.The trace of the event is pt(E) = {Fi, jc(M)j, (TD(a1), li1, lj2),TD(a2)}.

A subscription request leaks to the server the tree struc-ture of the filter, i.e the internal nodes of the filter contain-ing threshold gates such as AND and OR conditions. Werefer to the structure of F without any leaf node informa-tion as struct(F).

Definition 11 (Trace of a Request). We define the trace of arequest r as:

TrðrÞ ¼u;ptðEÞ if publicationu; idðFÞ; structðFÞ if subscription

ð6Þ

where u is the id of the user.We define the event filtering pattern P over a historyHi

to be a binary matrix with columns corresponding toevents and rows corresponding to trapdoors. P½j; k� ¼ 1 iftrapdoor j was present in event k and P½j; k� ¼ 0 otherwise.

The trace of a history includes the encrypted filter set Fstored by the broker and which can change as filters areregistered and deregistered, the trace of each request (i.e.filter subscription or event publication), and the eventpublication pattern Pi.

Definition 12 (Trace of a History). We define the trace of ahistory Hi ¼ ðF ; ru1

1 ; . . . ; ruii Þ as:

TrðHiÞ ¼ ðF ; Tr ru11

� �; . . . ; Tr rui

i

� �;PiÞ ð7Þ

During an interaction, the adversary cannot see directlythe plaintext of the event, instead it sees the ciphertext.The view of a request is defined as:

Definition 13 (View of a Request). We define the view of arequest tu1

1 under a key set Kui as:

VKuiðtui Þ ¼

cðMÞ; ptðtui Þ if publicationstructðFÞ and leaf nodes fcui

ða1Þ; . . . ; cuiðanÞg

if subscription

8><>:

ð8Þ

Definition 14 (View of a History). We define the view of ahistory Hi ¼ F ; ru1

1 ; . . . ; ruii

� �as:

VKu ðHiÞ ¼ ðF ;VKu1 ðru1 Þ; . . . ;VKuiðrui ÞÞ ð9Þ

The security definition is based on the idea that thescheme is secure if nothing is leaked to the adversary be-yond what the adversary can learn from traces.


We define the following game in which an adversary Agenerates two histories Hi0 and Hi1 with the same traceover i requests. Then the adversary is challenged to distin-guish the views of the two histories. If the adversary suc-ceeds with negligible probability, the scheme is secure.

Definition 15 (Non-adaptive indistinguishability against acurious broker). The basic confidentiality scheme is securein the sense of non-adaptive indistinguishability against acurious broker if for all i 2 N and for all PPT adversaries Athere exists a negligible function negl such that:

Pr b0 ¼ b

ðParams;MKÞ Initð1kÞðKu;KsÞ KeyGenðMK;UÞ

Hio;Hi1 AðKsÞ

b R f0;1gb0 AðKs;VKu ðHibÞÞ

��

266666664

377777775<

12þ neglðkÞ

ð10Þwhere U is a set of user IDs, Ku are the user side key sets, Ks

are the broker side keys,Hi1 andHi0 are two histories over irequests such that TrðHi0Þ ¼ TrðHi1Þ.

Theorem 3. If the Decisional Diffie-Hellman (DDH) problemin hard relative to G0, then the basic scheme is a non-adaptiveindistinguishable secure scheme. The success probability of aPPT adversary A in breaking the basic scheme is defined as:

SuccAðkÞ ¼ 12

Pr½AððPEðM!0Þ; FEð F!

0Þ; TDð~a0ÞÞÞ

¼ 0� þ 12


1Þ; TDð~a1ÞÞÞ

¼ 1� < 12þ neglðkÞ ð11Þ

Proof. We consider an adversary A0 that challenges the PEIND-CPA game using A as a sub-routine. A0 does thefollowing:

� A0 receives public parameters G0; q0; g0 and the serverside (i,xi2) keys. It then picks a random user ID u andqueries the oracle with m = 1 to obtain the ciphertextgr

0; grxu10

� �. A0 then computes grxu1

0 grxu20 ¼ grx

0 . It can thencompute for every user i; grxi1

0 ¼ grx0 g�rxi2

0 because itknows xi2 = x � xx1.� A0 computes g ¼ gr

0 and h ¼ grx0 ¼ gx and chooses H, f, s0.

A0 sends ðG0; q0; g;h;H; f Þ to A together with the serverside keys.� To generate a view of a history Hi ¼ ðF ; qu1

1 ; . . . ; quii Þ. A

0

performs the following steps:– For each filter F 2 F , do the following: for each attri-

bute b in F, choose a random number z and computec1 ¼ gzþr; c2 ¼ grxi1

0

� �zþr ¼ ðgzþrÞxi1 ; c3 ¼ HðhzÞ wherer = fs(b). Then compute (c1,c2) as c1 ¼ cx

i2 � c2; c2 ¼c3. (c1,c2) is the ciphertext for attribute b.

– For each publication request rui = (M, {ai}), computecðMÞ ¼ ðg~r ; g~rxMÞ, where ~r is random and for eachattribute a compute TD(a) = (td1, td2) such thattd1 ¼ g�ra gra and td2 ¼ gxi2ra gxi1ra , where ra ¼ fs0 ðaÞ.Then partially decrypt c0ðMÞ ¼ ðg~r

0; g~rxui1 MÞ.

– For each subscription request qrui = F, for each attri-bute in F compute ðc1; c2; c3Þ.

� A outputs Hi0;Hi1. A0 encrypts every keyword and trap-door in Hi1 by itself and challenges the PE IND-CPAgame with M

!0 and M

!1, the vectors of all event messages

in the two histories. It gets the result PEðM!bÞ whereb R f0;1g and forms a view of a history ðPEðM!bÞ;FEð F!

1Þ; TDð~a1ÞÞ, where FEð~F1Þ is the encryption of theleaf nodes of the filter trees and TDð~a1Þ are the trap-doors computed for all attributes of each event in thetrace. It sends the view to A.� A tries to determine which vector was encrypted and

outputs b0 2 {0,1}.� A0 outputs b0.

Ref. [35] proved that the El Gamal based PE scheme isIND-CPA. We proved that the filter encryption scheme FE isalso IND-CPA secure. From these two results it followsthat:

12þ neglðkÞ > SuccA

0

PEðkÞ

¼ 12


1Þ; TDð~a1ÞÞÞ

¼ 0� þ 12


1Þ; TDð~a1ÞÞÞ

¼ 1� ð12Þ

Now let us consider another adversary A00 who wants todistinguish the pseudorandom function f using A as a sub-routine. The adversary does the following:

� It generates ðG0; q0; g0;h;HÞ as public parameters, andsends them to A along with f. For each user i, it choosesrandomly xi1, xi2 such that xi1 + xi2 = x. It sends all (i,xi2)to A and keeps all (i,xi1,xi2).� A outputsHi0;Hi1. A00 encrypts all the event messages inHi0 as PEðM!0Þ. It chooses b R f0;1g and asks the oracleto encrypt all keywords and trapdoors in Hib. It com-bines the results to form a view ðPEðM!0Þ; FEð F

!bÞ;

TDð~abÞÞ and returns it to A.� A outputs b0. A00 outputs 1 if b0 = b and 0 otherwise.

There are two cases to consider: Case 1: the oracle inA00s game is the pseudorandom function f, then:

Pr½A00fsð:Þð1kÞ ¼ 1� ¼ 12


0Þ; TDð~a0ÞÞÞ ¼ 0�

þ 12



ð13Þ

Case 2: the oracle in A00s game is a random function F,then for each distinct attribute a, ra is completely randomto A. Moreover we know the traces are identical, so KEð F

!bÞ

and TDð~abÞ are completely random to A. In this case:

Pr½A00fsð:Þð1kÞ ¼ 1� ¼ 12

ð14Þ

Because f is a pseudorandom function, by definition itholds that:


jPr½A00fsð:Þð1kÞ ¼ 1� � Pr½A0fsð:Þð1kÞ ¼ 1�j

< neglðkÞPr½A00fsð:Þð1kÞ ¼ 1�


Sum up SuccA0

PEðkÞ and Pr½A00fsð:Þð1kÞ ¼ 1�:

1þ neglðkÞ > 12



þ 12



þ 12



þ 12



¼ 12



þ 12þ 1

2Pr½AððPEðM!1Þ; FEð F

!1Þ; TDð~a1ÞÞÞ ¼ 1�

¼ 12þ SuccAðkÞ ð16Þ

Therefore SuccAðkÞ < 12þ neglðkÞ. h

1 http://gas.dia.unisa.it/projects/jpbc/.

9.5. Security of the enhanced scheme

The filter and attribute encryptions are the same forboth the basic and enhanced schemes. To prove the secu-rity of the enhanced scheme, we only need to prove thatthe message content encryption using KP-ABE is IND-CPAsecure. About KP-ABE, [28] proves that the KP-ABE withnon-monotonic access structures in the attribute-basedselective-set model reduces to the hardness of the Deci-sional Bilinear Diffie-Hellmann (DBDH) assumption, gener-ally considered a hard problem.

Theorem 4. If the Decisional Bilinear Diffie-Hellmann(DBDH) problem in hard relative to G, then the enhancedscheme is a non-adaptive indistinguishable secure scheme.The success probability of a PPT adversary A in breaking theenhanced scheme is defined as:

SuccAðkÞ ¼ 12

Pr½AððKPðM!0Þ; FEð F!


þ 12

Pr½AððKPðM!1Þ; FEð F!



The proof of this theorem is similar to Theorem 3. Thedifference is that instead of considering the Proxy Encryp-tion (PE), we consider an adversary A0 that challenges theKP-ABE IND-CPA game using A as a subroutine and showthat breaking the scheme reduces to breaking the KP-ABEIND-CPA game.

To provide access control mechanisms, we use two lay-ers of encryption: KP-ABE and CP-ABE. [37] proves CP-ABEto be IND-CPA under the DBDH assumption. [38] showsthat if a cryptosystem is secure in the sense of indistin-guishability, then the cryptosystem in the multi-user set-ting, where related messages are encrypted using

different keys, is also secure. In our case each encryptionlayer uses an independent key so the combination is atleast as secure as any individual encryption. Thus, encryp-tion using KP-ABE and CP-ABE is at least IND-CPA secure.To prove that message encryption using the access controlscheme is secure, we need to prove the following theorem.

Theorem 5. If the Decisional Bilinear Diffie-Hellmann(DBDH) problem in hard relative to G0, then the enhancedscheme with access control is a non-adaptive indistinguish-able secure scheme. The success probability of a PPT adversaryA in breaking the scheme is defined as:

SuccAðkÞ ¼ 12

Pr½AððCPðKPðM!0ÞÞ; FEð F!


þ 12

Pr½AððCPðKPðM!1ÞÞ; FEð F!



Again, the proof of this theorem is similar to Theorem 3where we consider an adversary A0 that challenges the KP-ABE and CP-ABE IND-CPA game using A as a subroutineand show that breaking the scheme reduces to breakingthe KP-ABE and CP-ABE IND-CPA game.

10. Implementation

This section describes the implementation of ourscheme. We implemented the encryption scheme de-scribed in Section 6 and then integrated it with PADRES[39], a distributed publish/subscribe middleware and eval-uated its performance.

The encryption schemes were implemented in Java. Weimplemented the KP-ABE and CP-ABE schemes as de-scribed in [27,29] based on the Java Pairing Based Cryptog-raphy Library (jPBC).1 Based on these and on the SDEimplementation from Ref. [34], we implemented the func-tions for event and filter encryptions at the client side, re-encryption at the broker side, encrypted filtering and eventdecryption.

10.1. PADRES

We integrated our scheme with the Publish/SubscribeApplied to Distributed Resource Scheduling (PADRES) mid-dleware [40]. PADRES is a very scalable pub/sub system de-signed for large-scale event management applications.PADRES is designed for event-driven enterprise applica-tions such as supply chain and logistics, workflows, busi-ness processes and job scheduling, RFID and sensornetworks, and service oriented architectures. In theseapplications, an event triggers the execution of otherevents and jobs, which makes a scalable and reliable con-tent-based routing middleware such as PADRES very suit-able for event delivery.

PADRES consists of a set of clients connected by brokersorganised in a peer-to-peer overlay network. Clients canconnect to brokers through different binding interfaces

http://gas.dia.unisa.it/projects/jpbc/

Fig. 15. A simple PADRES network.

Fig. 16. PADRES router extended with encryption functionality.


such as Java Remote Method Invocation (RMI) and JMS.Fig. 15 shows a simple PADRES network in which two cli-ents are connected by a network of 3 brokers. Both clientscan subscribe to events and publish events. A PADRES sub-scription is a conjunction of predicates, where a predicatehas the form [attribute,operator,value]. Messages have amandatory tuple describing the class of the message. Mes-sage routing is based on the publish/subscribe-advertisemodel from SIENA [17]. In order to publish an event, a pub-lisher needs to advertise first the class and attributes of theevent. Advertisements are used to create the SubscriptionRouting Table (SRT), based on which subscriptions are for-warded. The SRT is a list of [advertisment, last hop] tuples. Asubscription is forwarded to a next hop if it overlaps anadvertisement in the SRT. Hence, a subscription is routedhop by hop to the last hop broker that sent an advertise-ment that matches the subscription. Subscriptions are usedto create Publication Routing Tables (PRT), used to routepublications. The PRT consists of tuples of the form [sub-scription, last hop]. If a publication matches a subscription,it will be forwarded hop by hop until it reaches the sub-scriber. Brokers route publications to subscribers bymatching them against the registered subscriptions. Toefficiently match subscriptions, PADRES implements Rete[41], an efficient pattern matching algorithm.

10.2. Confidential PADRES

PADRES does not provide any confidentiality mecha-nisms, instead all messages are sent unencrypted betweenclients and brokers, and brokers have full access to the con-tent of events and filters.

We extended PADRES to provide confidentiality ofevents and filters. We added a third entity to the PADRESnetwork, the Key Management Authority (KMA), and ex-tended the functionality of the PADRES broker and client.We also extended the Publication and Subscription datatypes to support sending encrypted publications (orevents) and subscriptions (or filters).

The KMA is responsible for generating the publicparameters and the secret keys for encryption and decryp-tion. When started, the KMA runs the Init(1k) algorithm de-scribed in Section 6. The KMA which needs to be startedbefore starting the brokers and clients exposes API for get-ting the public parameters and keys, generating the SDEkey pairs when a new user joins the system, requesting adecryption key corresponding to a filter, and requesting adecryption key for the client’s attributes.

We extended the functionality of the PADRES brokerand client as follows. We enriched the broker with

functionality for adding a new client and revoking a client.When a client is added, the broker stores the correspond-ing key share of the client, and when a client is revoked,the broker simply removes the client’s key pair from thekey store. Fig. 16 shows a simplified architecture of the ex-tended PADRES broker. Messages received are passed tothe Input queue. The input queue processes messagessequentially, sending them one by one to the Router. Therouter consists of a Preprocessor, a Matching engine, a For-warder and a Post-processor. We modify the functionalityof the Router and create a new class EncRouter with the fol-lowing modifications. We modify the PreProcessor to re-en-crypt the publication and subscription. This operation isperformed only by the broker directly connected with theclient. We add another matcher to the matching engine,EncMatcher which matches encrypted publications againstencrypted subscriptions.

Finally, we extend the client with encryption anddecryption functionality.

Our extended implementation can work both with en-crypted and non-encrypted messages. In fact, control mes-sages that allow brokers and clients to discover each otherand build the network topology are sent unencrypted. Weonly encrypt application-specific events and filters.

11. Performance evaluation

In our implementation we used the symmetric ‘‘type A’’pairings provided by jPBC, which are constructed on thecurve y2 = x3 + x over the field Fq, for some prime q =3mod4. G1 is the group of points E(Fq) with order r, someprime factor of q + 1. As parameters, we used 160 bits forr and 512 bits for q. We tested the implementation on anIntel Core2 Duo 2.8 GHz with 3.48 GB of RAM.

We are mainly interested in the delay at the broker le-vel introduced by our encrypted filtering scheme. Becausethe communication between publishers and subscribers isasynchronous, the extra time it takes to encrypt and de-crypt events and filters at their side is not critical. We con-sider the latency introduced at the broker side to be themost important measure for the performance of ourscheme. Because we do not work with low-capacity de-vices, memory and bandwidth consumptions are not aconcern.

1

2

3

4

5

6

7

ms

DecKP(S)DecPE(S)


In all the experiments presented in the following, weconsider as maximum number of attributes in events andfilters to be 20. This is due to practical considerations de-rived from the design document of SPECjms2007 bench-mark [42], a industry-standard benchmark used formeasuring the performance of pub/sub systems. In thisspecification, the average number of attributes used in atypical application is 12. Therefore the maximum numberof attributes used in our experiments represents an upperbound of what is the typical number used in realapplications.

0 0 5 10 15 20

attributes

Fig. 18. Event decryption times-comparison of the basic and enhancedmethods.

11.1. Event encryption and decryption

We compare the times needed for event encryption atthe publisher side and re-encryption at the broker side,for the two methods described in Section 6. Fig. 17 showsthe event encryption times at the publisher side, EncPE (P)for the basic method and EncKP (P) for the enhanced meth-od. We notice that event encryption using KP-ABE to en-crypt the message content M is only a little moreexpensive than the encryption that uses PE. On the otherside, event re-encryption at the broker side is slightlyslower when PE is used. That is because additionally tore-encrypting the attributes, the basic method also needsto re-encrypt the message content. In Fig. 17, the timesfor event re-encryption using the basic method ReEncPE(B) and using the enhanced method ReEncPE (B) are com-parable. The encryption times grow linearly with the num-ber of non-numerical attributes. When numericalattributes are used, a non-numerical attribute is createdfor each bit on which the attribute value is represented,and the encryption times grow faster. The encryptiontimes shown in the figure are expressed in millisecondsand represent an average over 1000 executions.

Fig. 18 compares the event decryption times whenusing the two methods. Event decryption with PE is con-stant, while decryption with KP-ABE grows linearly withthe number of attributes. In order to reduce the eventdecryption time at the subscriber side, we use an opti-mised method in which the subscriber does not repeatthe encrypted matching operations between attributes of

0

50

100

150

200

250

0 5 10 15 20

ms

attributes

EncKP(P)ReEncKP(B)

EncPE(P)ReEncPE(B)

Fig. 17. Event encryption times-comparison of the basic and enhancedmethods.

event and filter, already performed by the broker. The bro-ker attaches to the filter the information about which leafnodes are satisfied by which attributes of the event. Thisreduces the KP-ABE decryption time for which we obtainbetter result than with PE when the number of attributesis smaller than 11. For values greater then 11, decryptiontimes are bigger for the enhanced method.

11.2. Encrypted filtering

The basic and enhanced methods generate and encryptthe filter in the same way. Event matching at the brokerside is also the same for both methods. The only differenceis that the enhanced method using KP-ABE requires the TAto compute a decryption key for each filter, while in the ba-sic method subscribers use the same key to decrypt allevents. Fig. 19 shows the time for the subscriber to encryptthe filter, Enc (S), and the filter re-encryption time by thebroker, Re-enc (B). The operations are performed for differ-ent numbers of leaf nodes (i.e. attributes) of the tree. Weobserve that the times grow linearly with the number ofattributes and that the re-encryption time at the brokerside is much smaller than the encryption at the subscriberside, which fits our goal to introduce a minimum latencyon the broker side.

0

50

100

150

200

250

0 5 10 15 20

ms

attributes

Enc(S)Re-enc(B)

Fig. 19. Filter encryption and re-encryption times.

0

500

1000

1500

2000

2500

3000

0 5 10 15 20

ms

attributes

KeyGenEnc

DKGenDec

Fig. 22. CP-ABE encryption time.


In the enhanced scheme, for each filter registered by asubscriber, the TA generates a KP-ABE decryption key thatenables the subscriber to decrypt only events matchingthis filter. The decryption key generation is more expensivethan filter encryption, but this can be acceptable if we as-sume that the TA has more computational resources than asubscriber. Fig. 20 shows the times for key generation for afilter, computed by the TA, Keygen (TA), for different num-ber of attributes. We observe again that the times grow lin-early with the number of attributes.

The matching time of an event against a filter at thebroker side depends both on the structure of the tree andon the number of attributes in the event. Matching a filtercontaining only one attribute against an event with oneattribute takes 0.44 ms. The matching time of the filter in-creases linearly with the number of performed equalitychecks between leaf nodes and event attributes. We usedthe same number of attributes in the filter and in the eventand measured the worst case scenario in which all theattributes in the filter need to be checked. The worst casescenario corresponds to an AND filter that is satisfied bythe event. If one attribute is not satisfied, then the AND fil-ter is not satisfied and the broker does not need to checkthe rest of the attributes. If the filter contains disjunctions,

0

0.5

1

1.5

2

2.5

3

3.5

0 5 10 15 20

s

attributes

Keygen(TA)

Fig. 20. Decryption key generation times.

0.1

1

10

0 5 10 15 20

ms

attributes

encno-enc

Fig. 21. Matching times comparison PADRES and PADRES withencryption.

the number of equality checks is less or equal to the ANDfilter. Fig. 21 shows the encrypted matching times com-pared with the matching times for PADRES with no encryp-tion on a logarithmic scale. The times are an average over1000 executions and are given in ms.

11.3. CP-ABE encryption

If the publisher wants to express additional constraintson who can read the content of an event, the event needsto be encrypted with CP-ABE. Fig. 22 shows the decryptionkey generation for the attributes of the subscriber per-formed by the TA (DKGen), the encryption policy genera-tion performed by the publisher (KeyGen), the messageencryption (Enc), and the message decryption (Dec) times.To measure the performance of the CP-ABE encryption, weencrypted a simple message string under different policieswith different numbers of attributes. We notice that thetimes increase linearly with the number of attributes inthe policy. The decryption time depends both on the num-ber of attributes in policy and on the number of attributesin the key. We used the same attributes for both and weconsidered the worst case scenario in which all the attri-butes in the policy need to be checked.

12. Conclusions

In this paper, we presented a solution for providing con-fidentiality in pub/sub systems. Our solution is an encryp-tion scheme based on CP-ABE, KP-ABE and multi-user SDE.Our scheme supports both the publication and the sub-scription confidentiality properties while at the same timedoes not require publishers and subscribers to share secretkeys. Moreover, our scheme allows publishers do defineadditional constraints in the form of CP-ABE policies aboutwho can access the content of events. Although events andfilters are encrypted, brokers can still perform event filter-ing without learning any information. Finally, our schemeallows subscribers to express filters that can define anymonotonic and non-monotonic constraints on events. Weshowed how to apply our scheme to a real-world e-healthapplication to provide confidentiality of the data ex-changed over a pub/sub system. We implemented and


integrated our scheme with PADRES, a popular open sourcemessage bus system.

Acknowledgement

We thank Andrea Micheletti from San Raffaele Hospitalin Milan for supporting us in developing the e-healthapplication.

References

[1] P. Eugster, P. Felber, R. Guerraoui, A. Kermarrec, The many faces ofpublish/subscribe, ACM Computing Surveys (CSUR) 35 (2) (2003)131.

[2] C. Bornhovd, M. Cilia, C. Liebig, A. Buchmann, An infrastructure formeta-auctions, in: Second International Workshop on AdvancedIssues of E-Commerce and Web-Based Information Systems, 2000(WECWIS 2000), IEEE, 2002, pp. 21–30.

[3] G. Cugola, H. Jacobsen, Using publish/subscribe middleware formobile systems, ACM SIGMOBILE Mobile Computing andCommunications Review 6 (4) (2002) 25–33.

[4] M. Langheinrich, F. Mattern, K. Romer, H. Vogt, First steps towards anevent-based infrastructure for smart things, in: UbiquitousComputing Workshop, PACT 2000, Citeseer, 2000.

[5] G. Cugola, E. Di Nitto, A. Fuggetta, The JEDI event-basedinfrastructure and its application to the development of the OPSSWFMS, Software Engineering, IEEE Transactions on 27 (9) (2002)827–850.

[6] D. Heimbigner, Adapting publish/subscribe middleware to achieveGnutella-like functionality, in: Proceedings of the 2001 ACMsymposium on Applied computing, ACM, 2001, pp. 176–181.

[7] Z. Jerzak, C. Fetzer, Bloom filter based routing for content-basedpublish/subscribe, in: Proceedings of the second internationalconference on Distributed event-based systems, ACM, 2008, pp.71–81.

[8] K. Ondo, M. Smith, Outside IT: the case for full IT outsourcing,Healthcare financial management: journal of the HealthcareFinancial Management Association 60 (2) (2006) 92.

[9] H. Khurana, Scalable security and accounting services for content-based publish/subscribe systems, in: Proceedings of the 2005 ACMsymposium on Applied computing, ACM, 2005, p. 807.

[10] C. Raiciu, D. Rosenblum, Enabling confidentiality in content-basedpublish/subscribe infrastructures, Securecomm and Workshops 28(2006) 1–11.

[11] A. Shikfa, M. Onen, R. Molva, Privacy-preserving content-basedpublish/subscribe networks, in: Proceedings of Emerging Challengesfor Security, Privacy and Trust: 24th Ifip Tc 11 InternationalInformation Security Conference, SEC 2009, Pafos, Cyprus, May 18–20, 2009, Springer, 2009, p. 270.

[12] Z. Miklos, Towards an access control mechanism for wide-areapublish/subscribe systems, in: In International Workshop onDistributed Event-based Systems, IEEE Press, 2002.

[13] J. Bacon, D. Eyers, J. Singh, P. Pietzuch, Access control in publish/subscribe systems, in: Proceedings of the second internationalconference on Distributed event-based systems, ACM, 2008, pp.23–34.

[14] S. Zhuang, B. Zhao, A. Joseph, R. Katz, J. Kubiatowicz, Bayeux: Anarchitecture for scalable and fault-tolerant wide-area datadissemination, in: Proceedings of the 11th international workshopon Network and operating systems support for digital audio andvideo, ACM, 2001, p. 20.

[15] Z. Singhera, A workload model for topic-based publish/subscribesystems, 2008.

[16] G. Banavar, T. Chandra, B. Mukherjee, J. Nagarajarao, R. Strom, D.Sturman, An efficient multicast protocol for content-based publish–subscribe systems, International Conference on DistributedComputing Systems, Vol. 19, IEEE COMPUTER SOCIETY PRESS,1999, pp. 262–272.

[17] A. Carzaniga, D. Rosenblum, A. Wolf, Design and evaluation of awide-area event notification service, ACM Transactions on ComputerSystems (TOCS) 19 (3) (2001) 332–383.

[18] M. Hapner, R. Burridge, R. Sharma, J. Fialli, K. Stout, Java messageservice, Sun Microsystems Inc., Santa Clara, CA, 2002.

[19] J. Bacon, K. Moody, J. Bates, R. Hayton, C. Ma, A. McNeil, O. Seidel, M.Spiteri, Generic support for distributed applications, IEEE Computer33 (3) (2000) 68–76.

[20] M. Srivatsa, L. Liu, Secure event dissemination in publish–subscribenetworks, in: Proceedings of the 27th International Conference onDistributed Computing Systems, Citeseer, 2007, p. 22.

[21] W. Chen, J. Jiang, N. Skocik, On the privacy protection in publish/subscribe systems, in: 2010 IEEE International Conference onWireless Communications, Networking and Information Security(WCNIS), IEEE, 2010, pp. 597–601.

[22] M. Nabeel, N. Shang, E. Bertino, Privacy-preserving filtering andcovering in content-based publish subscribe systems, Tech. rep.,Purdue University, 6, 2009.

[23] S. Choi, G. Ghinita, E. Bertino, A Privacy-Enhancing Content-BasedPublish/Subscribe System Using Scalar Product PreservingTransformations, in: Database and Expert Systems Applications,Springer, 2010, pp. 368–384.

[24] M. Ion, G. Russello, B. Crispo, Providing confidentiality in content-based publish/subscribe systems, in: Proceedings of the 2010International Conference on Security and Cryptography (SECRYPT),IEEE, 2010, pp. 1–6.

[25] R. Canetti, S. Hohenberger, Chosen-ciphertext secure proxy re-encryption, in: Proceedings of the 14th ACM conference onComputer and communications security, ACM, 2007, p. 194.

[26] A. Sahai, B. Waters, Fuzzy identity-based encryption, EUROCRYPT,Vol. 3494, Springer, 2005, pp. 457–473.

[27] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryptionfor fine-grained access control of encrypted data, in: Proceedings ofthe 13th ACM conference on Computer and communicationssecurity, ACM, 2006, p. 98.

[28] R. Ostrovsky, A. Sahai, B. Waters, Attribute-based encryption withnon-monotonic access structures, in: Proceedings of the 14th ACMconference on Computer and communications security, ACM, 2007,p. 203.

[29] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-basedencryption, in: IEEE Symposium on Security and Privacy, Citeseer,2007, pp. 321–334.

[30] D. Song, D. Wagner, A. Perrig, Practical techniques for searches onencrypted data, in: Proceedings of 2000 IEEE Symposium on Securityand Privacy, 2000 (S&P 2000), 2000, pp. 44–55.

[31] P. Golle, J. Staddon, B. Waters, Secure conjunctive keyword searchover encrypted data, Lecture notes in computer science 3089 (2004)31–45.

[32] J. Katz, A. Sahai, B. Waters, Predicate encryption supportingdisjunctions, polynomial equations, and inner products, in: N.Smart (Ed.), Advances in Cryptology EUROCRYPT 2008, LectureNotes in Computer Science, Vol. 4965, Springer, Berlin/Heidelberg,2008, pp. 146–162.

[33] F. Bao, R.H. Deng, X. Ding, Y. Yang, Private query on encrypted data inmulti-user settings, in: ISPEC’08: Proceedings of the 4thinternational conference on Information security practice andexperience, Springer-Verlag, Berlin, Heidelberg, 2008, pp. 71–85.

[34] C. Dong, G. Russello, N. Dulay, Shared and Searchable Encrypted Datafor Untrusted Servers, Lecture Notes in Computer Science 5094(2008) 127–143.

[35] C. Dong, G. Russello, N. Dulay, Shared and searchable encrypted datafor untrusted servers, Journal of Computer Security 19 (3) (2011)367–397.

[36] R. Curtmola, J. Garay, S. Kamara, R. Ostrovsky, Searchable symmetricencryption: improved definitions and efficient constructions, in:Proceedings of the 13th ACM conference on Computer andcommunications security, ACM, 2006, pp. 79–88.

[37] L. Cheung, C. Newport, Provably secure ciphertext policy abe, in: CCS’07: Proceedings of the 14th ACM conference on Computer andcommunications security, ACM, New York, NY, USA, 2007, pp. 456–465.

[38] M. Bellare, A. Boldyreva, J. Staddon, Multi-recipient encryptionschemes: Security notions and randomness re-use, PKC 2003: PublicKey Cryptography, Vol. 2567, Springer-Verlag, 2003.

[39] H. Jacobsen, A. Cheung, G. Li, B. Maniymaran, V. Muthusamy, R.Kazemzadeh, The PADRES Publish/Subscribe System, Principle andApplications of Distributed Event-based Systems, IGI Global, 2010.

[40] E. Fidler, H. Jacobsen, G. Li, S. Mankovski, The PADRES distributedpublish/subscribe system, Feature Interactions in Telecommunica-tions and Software Systems, VIII, 2005.

[41] C. Forgy, Rete: A fast algorithm for the many pattern/many objectpattern match problem⁄ 1, Artificial intelligence 19 (1) (1982) 17–37.


[42] SPECjms2007 Design Document, <http://www.spec.org/jms2007/docs/DesignDocument.html>.

Mihaela Ion received her BSc in InformationTechnology and MSc in Computer Sciencefrom International University in Germany.During her studies she conducted variousresearch projects with University of Marseillein France, SAP Waldorf and IBM ResearchBoeblingen in Germany. She joined CREATE-NET in 2007 where she’s been working onvarious EU and Italian projects. Her researchtopics include data confidentiality in publish/subscribe systems, privacy for e-healthapplications, distributed identity and trust

management. She is currently a PhD candidate at the University of Trentoworking on security of publish/subscribe systems.

Giovanni Russello is a lecturer at the Uni-versity of Auckland, New Zealand, and leadsthe Security technical group within theiNSPIRE Area at CREATE-NET in Trento, Italy.He received his MSc (summa cum laude) inComputer Science from University of Catania,Italy in 2000. In 2006, he obtained his PhDfrom the Eindhoven University of Technology.After obtaining his PhD, he moved to thePolicy Group in the Department of Computingat Imperial College London. His researchinterests include policy-based security sys-

tems, privacy and confidentiality in cloud computing, smartphone secu-rity, and applied cryptography.

Bruno Crispo received his PhD in ComputerSecurity from University of Cambridge, UK in1999, and hold a MSc in Computer of Science(1993) from University of Turin, Italy. He iscurrently associate professor at University ofTrento in Italy. He published more than 90papers in international journals and in theproceedings of international conferences inthe area of security and privacy. His researchinterests include security protocols andapplied cryptography, access control, run-time policy enforcement and more recently

smart-phone security and malware detection. He is senior member ofIEEE and member of ACM.

http://www.spec.org/jms2007/docs/DesignDocument.html

http://www.spec.org/jms2007/docs/DesignDocument.html

design and implementation of a confidentiality and access control solution for publish/subscribe...

Documents