Transcript

Research ArticleModified Ciphertext-Policy Attribute-Based Encryption Schemewith Efficient Revocation for PHR System

Hongying Zheng1 JiemingWu2 BoWang2 and Jianyong Chen2

1School of Software Engineering Shenzhen Institute of Information Technology Shenzhen China2School of Computer and Software Engineering Shenzhen University Shenzhen China

Correspondence should be addressed to Jianyong Chen jychenszueducn

Received 26 January 2017 Accepted 3 August 2017 Published 30 August 2017

Academic Editor Haipeng Peng

Copyright copy 2017 Hongying Zheng et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

Attribute-based encryption (ABE) is considered a promising technique for cloud storage where multiple accessors may read thesame file For storage system with specific personal health record (PHR) we propose a modified ciphertext-policy attribute-basedencryption scheme with expressive and flexible access policy for public domains Our scheme supports multiauthority scenarioin which the authorities work independently without an authentication center For attribute revocation it can generate differentupdate parameters for different accessors to effectively resist both accessor collusion and authority collusion Moreover a blacklistmechanism is designed to resist role-based collusion Simulations show that the proposed scheme can achieve better performancewith less storage occupation computation assumption and revocation cost compared with other schemes

1 Introduction

Personal health record (PHR) system is a novel applicationthat can bring great convenience in healthcare The privacyand security of PHR are the major concerns of the userswhich could hinder further development and wide adoptionof the system [1 2] PHR is a typical usage of cloud storagetaking advantages of elastic computing resources to provideflexible pervasive and on-demand health cloud servicePatients store their PHRs in cloud storage servers and there-fore can share these data with friends or doctors convenientlyHowever such promising cloud-based applicationmeets newsecurity challenges (1) Since PHRs need to be shared amongdoctors researchers patients and so on the sharing scenariois complicated Patients should be able to control the accessin a fine-grained manner (2) PHRs may be migrated amongdifferent cloud storage servers which cannot be fully trustedTherefore patients cannot rely on servers to protect theirPHRs Traditionally outsourced data is usually encryptedwith cipher-key and the storage servers are responsible fordistributing cipher-keys to legal accessors However suchmechanism is just secure in specific domain but not suitablefor PHR system which works across several domains

It is significant to find out a fine-grained access controltechnique for PHR system In recent years attribute-basedencryption (ABE) [3ndash8] seemed to be a promising techniquefor such one-file-multiaccess cloud storage scenario In ABEalgorithm patient can control the security by directly specify-ing access policies for their outsourced PHRs while the third-party entities named authorities are responsible for attributemanagement and key distribution Cloud storage only needsto store the encrypted PHRs In this way PHR service isoriented to patients across several domains

Typically ABE schemes work in two models key-policyABE (KP-ABE) [9] and ciphertext-policy ABE (CP-ABE)[10] KP-ABE applies policy in attribute keys of accessorsTherefore once a key is predefined and is used to encryptPHRs accessors who can decrypt them are limited Accessorcan only decrypt the PHRs associated with a set of attributesthat satisfies the key That is to say PHR owner should knowall attributes that accessors own before he encrypts one PHRso that he can associate a correct set of attributes It is notnatural and practical unless the attributes of accessors aregenerated and distributed by PHR owner himself CP-ABEscheme works in the opposite manner which is conceptually

HindawiMathematical Problems in EngineeringVolume 2017 Article ID 6808190 10 pageshttpsdoiorg10115520176808190

2 Mathematical Problems in Engineering

closer to the traditional access control methods such as Role-Based Access Control (RBAC) [10] The access policy is setby PHR owner during PHR encryption where the policy isa Boolean formula consisting of public attributes and logicaloperations like ldquoANDrdquo and ldquoORrdquo PHR owner does not needto know who can access his PHRs because it is responsibilityof authority Only the accessors with attributes that satisfyaccess policy can decrypt ciphertext of PHR Evidently itis more reasonable to implement CP-ABE scheme in publicattributes scenario and it is also convenient for PHR ownerwithout keeping online all the time

Based on the application scenarios of KP-ABE and CP-ABE Li et al [11] proposed a PHR system framework thatcombines KP-ABE and CP-ABE together In the frameworkusers are divided into personal domains (PSDs) and publicdomains (PUDs) according to their roles Usually PHRowners (patients) normally knows users who access thesystem via PSDs It would be better to apply revocable KP-ABE scheme for PSDs [12] so that patients are responsiblefor defining attributes and authorizing accessors Professionalusers access the system via PUDs They should have publicroles such as doctor and researcher Therefore it is better forthe attributes in PUD to be defined and authorized by third-party attribute authorities (abbreviated as AA119904 in this paper)Li et al uses Chase-Chow multiauthority ABE scheme (CCMA-ABE) [13] with an attribute revocationmethod to controlthe attributes in PUDs

Although there are some advantages for the division ofuser domains several shortcomings still exist for Lirsquos ABEscheme [11] (abbreviated as Lirsquos MA-ABE) which are listedas follows (1) Since it works based on CC MA-ABE whichis exactly a variant KP-ABE scheme it is limited on a strictldquoANDrdquo policy over a predetermined set of authorities Ascommented by Lewko and Waters [14] such policy is notflexible and expressive In order to get the same functionof CP-ABE it uses an additional conjunctive normal form(CNF) rule for generation of both policy and encryption(2) PUDs and PSDs have to apply different ABE schemesand work in parallel However our paper reveals an implicitcollusion named role-based collusion between users fromPUDs and PSDs Specifically users in PSDs may also haveprofessional roles such as doctors with public attributes inPUDs In this situation one PHR owner can prevent specificaccessor from PSD by associating his PHR with a set of PSDattributes but may fail to prevent this accessor from accessingvia PUD For example patient A has a friend B who worksas a physician in hospital C Patient A goes to hospital C fordiagnosis He specifies an access policy for his encrypted PHRto allow all the physicians in hospital C access However hesuddenly remembers that his friend B also works there and hedoes not want him to know the diagnosis Although patientA does not authorize friend B to decrypt via PSD he cannotstop friend B from accessing via PUD

There exist several MA-CP-ABE schemes [11 13 15ndash18]but they are not designed for PUDrsquos scenario Commented bypaper [14] CCMA-ABE [13 17] is limited by the strict ldquoANDrdquopolicy Muller et al proposed an ABE scheme that can realizeany access structure but needs an authentication center [16]The usage of authentication center may face security and

performance bottleneck because all the authorities should becontrolled by center Lin et al [15] gave a scheme withoutauthentication center but needs to fix the set of authoritiesahead of time It can resist collusion of users less than 119898where 119898 is a chosen parameter at setup phase LewkorsquosABE solution [14] is flexible but lacks attribute revocationmechanism Ruj et al proposed a solution based on LewkorsquosABE to make attribute revocable [19] However it requiresPHR owner to stay online for revocation and its efficiency isquite low

More importantly the role-based collusion which issignificant for PHR system is not solved in these previousMA CP-ABE schemes In order to resist the collusion ourproposed MA CP-ABE scheme designs a blacklist for ownerEach user (PHR owner) can specify a blacklist of accessoridentities that cannot decrypt his data from PUD Thisblacklist is delegated to a third-party authority that the ownertrusts The authority tags each blacklist with a unique publicattribute in PUD so that the owner can use this unique publicattribute to specify his access policy However the amount ofpublic attributes will increase linearly with PUD users whichresults in a heavy burden for authorities

Consequently our paper aims to construct the CP-ABEscheme for PUD scenario which has efficient revocation andsupports multiple authorities without an authentication cen-ter Compared with Lirsquos ABE scheme in PUD our proposedscheme realizes access control with flexible access policyMoreover the proposed role-based collusion is also solvedefficiently Our contributions are concluded as follows

(1) We propose a modified multiauthority CP-ABEscheme based on Lewkorsquos scheme [14] With it PHRowner can specify flexible and expressive access pol-icy to protect their outsourced PHRs Meanwhileauthorities need not communicate with each otheror be controlled by an authentication center Thenumber of attributes is almost unrestricted since theincrease of attributes does not occupymore resources

(2) We proposed an efficient attribute revocation mech-anism for our scheme Attribute can be revokedefficiently through the proxy reencryption and lazyrevocation while the scheme does not need anauthentication center and any additional communi-cations among authorities

(3) To resist the role-based collusion we suggest a black-list solution to prevent it By replacing the specificattribute master key and public key with hash valueof attributersquos descriptive name the storages in author-ities keep small even when number of attributesincreases

2 Related Work

Sahai and Waters [8] proposed the first ABE scheme inwhich ciphertext is encrypted and associated with a set 120572 ofattributes An accessor can successfully decrypt ciphertext ifand only if he gets a set 120573 of attributes components where theset overlap between the two attributes sets that is |120572 cap 120573|is beyond a predefined threshold Afterwards Goyal et al

Mathematical Problems in Engineering 3

[9] proposed KP-ABE scheme in which a set of attributesfrom an accessor is constructed through a tree-like policywhich is taken as key of the accessor The leaf nodes ofthe tree associated with attributes and the nonleaf nodesare logical operations such as ldquoorrdquo and ldquoandrdquo Data ownerassociates his ciphertext with a set of attributes Once theassociated attributes satisfy a specific key-policy of accessorthe accessor can decrypt the ciphertext However the dataowner should know all the keys of accessors before heencrypts the data and then he can suitably associate theciphertext with corresponding attributes Such requirementsof KP-ABE are not suitable for public access scenario wherethe data owner cannot predict which person can access hisdata

Consequently Bethencourt et al [10] proposed CP-ABEwhich is conceptually closer to the traditional access controlmethods such as RBAC CP-ABE scheme attaches accesspolicy in ciphertext instead of attributes of accessors It ismore intuitive for the data owner to specify such policy atthe time he encrypts the data For accessors they shouldown enough attributes issued by the third party namedauthorities to decrypt the ciphertext correctly Furthermoreordered binary decision diagram (OBDD) is used to describeaccess policies in CP-ABE The system makes full use ofboth the powerful description ability and the high calculatingefficiency of OBDD and improve both performance andefficiency [20] However only one single authority maycause bottleneck of performance [21] Moreover it is morenatural and practical withmultiple professional organizations(authorities) to manage distinct sets of attributes Securitycan be improved with the multiauthority because an attackershould compromise several authorities at the same time toget the keys associated with enough sets of attributes fordecryption

There are already some attempts to solve multiauthorityABE problem with new cryptographic solutions Chase andChow [13] firstly proposed a multiauthority ABE scheme(CC MA-ABE) in which each user is authorized based ona global identifier (GID) such as a social security numberThe GID plays a linchpin to associate usersrsquo keys fromdifferent authorities together But the solution still relies onan authentication center and the access policy is not flexibleand expressivewhich is limited on ldquoANDrdquogate policy over thepredetermined set of authorities Later Li et al [11] proposedan ABE scheme with attribute revocation mechanism basedon CC MA-ABE which is limited on a rule of CNF inthe access policy A threshold multiauthority CP-ABE accesscontrol scheme was proposed for public cloud storage withwhich both security and performance are improved [22]

Actually it is important for MA CP-ABE to support anexpressive and flexible access policy For example AmericanMedical Association (AMA) authorizes attributes of medicalprofessional licenses such as junior nurse license and expe-rienced nurse license while American Hospital Association(AHA) authorizes attributes of affiliations such as hospitalA and hospital B If one patient thinks that the diagnosisand treatment in hospital A are better than those in hospitalB he may specify an access policy that permits the nurseswith any level of license in hospital A to access his PHR

files and only allow the nurses with junior level of licensefrom hospital B access Such expressive policy is presentedas policy = ((junior nurse level or experienced nurse level)and hospital A) or (junior nurse level and hospital B) Thepolicy can be transformed to the ldquoANDrdquo policy for examplepolicy = (1198601 = 11988611) or sdot sdot sdot or (1198601 = 11988611198891) and sdot sdot sdot and (119860119898 =1198861198981) or sdot sdot sdot or (119860119898 = 119886119898119889119898) where 119860119898 refers to the 119898thauthority and 119886119898119889119894 refers to the policy managed by 119860119898 andone authority has only one clause [11]

There are some other schemes which can set the accesspolicy in any Boolean formula over attributes from any num-ber of authorities Among them Muller proposed anotherMA-ABE scheme which is realized on any access structurewith an authentication center Yang and Jia [18] proposeda variant CP-ABE scheme to support multiauthority but itstill requires an additional authentication center to generateuser secret key and authority secret key Moreover it is weakin revocation security Based on Yangrsquos scheme an extensivescheme was proposed to withstand the vulnerability [23] ForMA-ABE scheme with an authentication center to controlmultiple authorities once the authentication center is brokenthe entire ABE system will be compromised Therefore itshould be fully trusted which is hard to guarantee More-over the whole ABE system is hard to be expanded Someresearches try to remove the authentication center from MACP-ABE schemes Chase and Chow [13] used pseudorandomfunctions (PRFs) between different authorities without thecenter However it is still limited on ldquoANDrdquo access policyover a determined set of authorities Lin et al [15] proposeda threshold based ABE scheme that is decentralized andenforces an efficient attribute revocation scheme The systemis collusion-resistant for fewer 119898 users where 119898 is chosenstatically during the setup phase However the authoritiesset should be configured before the setup phase and is fixedin running The authorities should interact with each otherat the setup phase and the access policy is inflexible LaterLewko and Waters [14] proposed a scheme for decentralizedABE scenario in which the authorities work independentlywithout coordination among them A main drawback isthat the scheme has no revocation function Although afurther paper (DACC) [19] addressed it the computationsof key update and communication overhead for attributerevocation are quite heavy Besides DACC requires the dataowner to take part in revocation and transmit an updatedciphertext component to every unrevoked user It means thatthe data owner should keep being online all the time as isunreasonable in practical application scenario

Attribute revocation is an important issue for an ABEsystem and benefits security of the system Once a malicioususer is identified by an authority all his attributes or oneof his specific attributes should be revoked by the authoritywhich means the malicious user can no longer decrypt theABE-generated ciphertext associated with those attributes Insingle authority ABE scheme Yu et al [7] introduced the con-cept of proxy reencryption into CP-ABE to realize attributerevocation in which the affected attribute components ofciphertext and the attributes components stored in terminalsof unrevoked users are updated via reencryption Inspired bypaper [7] Yang and Jia [18] proposed the CP-ABE scheme

4 Mathematical Problems in Engineering

Table 1 Comparison among previous MA CP-ABE schemes and ours

Lin [15] Muller [16] Chase [17] Lewko [14] DACC [19] Li [11] Yang [18] OursFlexible access policy radic radic radic radic radic radicResistance of accessor collusion radic radic radic radic radic radic radicWithout an authentication center radic radic radic radic radic radicAuthority independence radic radic radic radic radic radic radicEfficient revocation radic mdash radic radic radic

Cloud storage

Authority

Authority

Authority

AccessorOwner

CT CT

PKPK

PK

SKSK

SK

(AA1)

(AA2)

(AAk)

Figure 1 MA CP-ABE system model

with a more efficient revocation than that in [19] Howeverit requires an authentication center to control the multipleauthorities Based on the above depiction the comparisonsamong previous MA CP-ABE schemes and our proposedscheme are listed in Table 1

3 System Model and Security Definitionfor MA CP-ABE

31 System Model The MA CP-ABE scheme for PUDinvolves three kinds of participants that is cloud storageauthorities and users (including data owner and accessors)as shown in Figure 1 The scheme consists of five basicalgorithms System Setup Authority Setup Encrypt KeyGenand Decrypt They are described as follows

System Setup (120582) rarr (119901119886119903119886) The setup algorithm takes secu-rity parameter 120582 as input and outputs global parameters para

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) Each attribute author-ity (AA) runs its own authority setup process The setupalgorithm takes system global parameters para and AArsquosdescriptive attributes as input Then for each attribute thatAA manages AA generates a master key msk and thecorresponding public key 119901119896 The master keys 119898119904119896119904 are keptsecret while the public keys 119901119896119904 are published

119864119899119888119903119910119901119905 (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) Once the data owner gets public keys 119901119896119904 fromauthorities he can execute encryption process in his ownterminal The algorithm takes 119901119896119904 from several authoritiesdata 119863 for encryption and an access policy T specified bythe data owner as inputs Then the algorithm encrypts 119863 to

a ciphertext 119863 and generates a public attribute component(abbreviated as pAC) for each leaf node ofT The whole datatuple of 119862119879 = 119863 119901119900119897119894119888119910 T pAC119904 is the final ciphertexttuple and is uploaded to cloud storage

119870119890119910119866119890119899 (119901119886119903119886119898119904119896) rarr (119878119870 119906119860119862119904) Each authoritymanages its own attributes set and is responsible for keydistribution to legal users (accessors) Once an authorityauthenticates identity of an accessor it will process key gen-eration which takes themaster keys mk119904 for a requested set ofattributes 120596as input and outputs user attribute components(abbreviated as uAC119904) for each attribute All the attributesuAC119904 generated for the specific accessor are collected as secretkey of the accessor SK and sent back to the accessor secretly

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119872) An accessor exe-cutes the decryption algorithm which takes the ciphertexttuple CT from cloud storage and the public keys pk119904 andsecret keys SK119904 from authorities as inputs If the attributes setassociated with SK119904 satisfies access policyT the accessor candecrypt the plaintext data 119872 Otherwise it returns an errorsymbol perp

32 PHR Upload and Access Based on CP-ABE scheme(Figure 1) we can easily figure out the PHR upload and PHRaccess procedures Specifically once a data owner needs toupload his specific PHR file ldquopFilerdquo to cloud storage he doesthe following steps (1) Cut the data into contents segments119904 (2) Pick random content key 119888119896 for each content segment(3) Encrypt the segment via symmetric cryptography and getresult 119904 = 119864119888119896(119904) (4) Define an access policy over a set ofattributes encrypt content key 119888119896 as owner data 119872 via ourproposed MA CP-ABE scheme and get the ciphertext tupleCT (6) Finally upload 119904 and CT together as an integratedtuple to the cloud storage The data owner can go offline andauthorities perform other key distribution workflows

When an accessor needs to read the plaintext of onespecific PHR on the cloud storage he should process thefollowing steps (1) Get the whole ciphertext tuple 119904 and CTfrom the cloud storage (2) Read the access policy from theCTand know aminimal set of attributes required for decryption(3) Get identity authenticated by several authorities withwhich these authorities can return the keys associated withattributes (uAC119904) to the accessor respectively (4) Collectenough keys to recover content key 119888119896 from CT (5) Decrypt119904 to 119904 via symmetric cryptography by content key 119888119896 and thenconstruct the original PHR file ldquopFilerdquo

Mathematical Problems in Engineering 5

4 Modified MA CP-ABE Scheme for PUD

41 Scheme Construction Our proposed MA CP-ABEscheme has five algorithms that is System Setup AuthoritySetup KeyGen Encrypt and Decrypt They are depicted asfollows

System Setup rarr (119901119886119903119886) System first selects a bilinear groupG of order 119873 = 119901111990121199013 and bilinear map function 119890 G times G rarr G119879 and then picks a generator 1198921 of G1199011 [14 24]A hash function 119867 0 1lowast rarr G is used to map globalidentities GID119904 of an accessor and descriptive names of hisattributes such as doctor to elements in G Once the hashfunction is fixed the value119867(GID) is modelled as a randomoracle Finally all these system parameters are published as119901119886119903119886 = (119890 1198921 119867(sdot)119873)

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) For each authority AA119896whichmanages attributes setA119896 AA119896 takes para as input andgenerates two public keys as 1198921205721198961 1198921205731198961 where the two values120572119896 120573119896 are picked randomly from Z119873 The values 119898119904119896119896 =(120572119896 120573119896) are stored secretly by AA119896 as master keys while thepublic keys 119901119896119896 = (1198921205721198961 1198921205731198961 ) are published

KeyGen (119901119886119903119886119898119904119896) rarr (119878119870 = 119906119860119862119904) Suppose that a legalaccessor with GID requests authority AA119896 for attributes set119860119906 and he owns attributes set 119860119906119896 in AA119896 Then AA119896 willgenerate secret key (SK) of the accessor which is associatedwith attributes set 119860119906 cap 119860119906119896 Specifically for each attribute119894 isin 119860119906 cap 119860119906119896 AA119896 generates a user attribute component(uAC119894 = 119867(119894)120572119896 sdot 119867(GID)120573119896) for the accessor Finally all thecomponents uAC119894|119894isin119860119906cap119860119906119896 are combined as secret keys ofthe accessor and SK = uAC119904 is sent back to the accessorsecretly for further decryption

Encrypt (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) In encryption phase the data owner specifies anaccess policy treeT to restrict the accessors The encryptionalgorithm encrypts data119863 into119863 = 119863 sdot 119890(1198921 1198921)119904 where thevalue 119904 isin Z119899 is selected randomly Meanwhile a set of publicattribute components (pAC119904) will be generated according tothe value 119904 and the access policyT

Specifically as shown in previous paper [11] any mono-tone access tree T can be translated to an access structure(M 120588) over the involved attributes whereM is a ℓtimes119899matrixand ℓ denotes the number of leaf nodes in the access treeTThe function 120588maps the 119909th row ofmatrixM119909 to an attribute119894 = 120588(M119909) The encryption algorithm chooses two random

vectors 997888rarr120592 = (119904 1199032 119903119899) isin Z119899119873 and997888rarr1205921015840 = (0 11990310158402 1199031015840119899) isin Z119899119873

and then computes 120582119909 = 997888rarr120592 sdot M119909 and ]119909 =997888rarrV1015840 sdot M119909 Notice

that the former vector 997888rarr120592 is used to distribute the value 119904while the latter vector formula distributes the zero value 0For each leaf node119909 ofT associatedwith attribute 119894 = 120588(M119909)the algorithm computes the three pAC119904 as follows where thevalue 120583119909 is picked arbitrarily in Z119899

pAC0 (119909119894) = 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909

pAC1 (119909119894) = 1198921120583119909

pAC2 (119909119894) = 1198921120573119896sdot120583119909+120596119909 (1)

Finally the owner sends the ciphertext 119863 together withpAC119904 and access structure (M 120588) to the semitrust cloudstorage The uploaded data 119862119879 is presented as

119862119879 = (119863 (M 120588) pAC0(119909119894) pAC1(119909119894) pAC2(119909119894) |

(119894 = 120588 (M119909))amp (1 le 119909 le 119877)) (2)

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119863) An accessor receives119862119879 from the cloud storage finds out the minimal set ofattributes A119906 for decryption according to the policy Tand then requests corresponding AA119904 for attributes (uAC119904)Notice that theminimal attributes setA119906 is mapped to ℓ1015840rowsof matrixMThe rows set is labeled as 119868119909 where |119868119909| = ℓ1015840and ℓ1015840 le ℓ According to submatrix 119868119909 the algorithm cancompute ℓ1015840 values 120577119909 isin Z119899|119909isin119868119909 which has the relationshipwith 119904 = sum119909isin119868119909 120577119909120582119909 and 0 = sum119909isin119868119909 120577119909120596120596119909 (interpolation)

Consequently for each leaf node which is associated withthe 119909th row of 119868119909 the algorithm can decrypt it via thefollowing formula

pAC0 (119909119894) sdot 119890 (119867 (GID) pAC2119909119894)119890 (uAC119894 pAC1119909119894)

=119890 (1198921 1198922)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909 sdot 119890 (119867 (GID) 119892120573119896sdot120583119909+1205961199091 )

119890 (119867 (119894)120572119896 sdot 119867 (GID)120573119896 1198921205831199091 )

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909

(3)

By collecting ℓ1015840 decryption values of leaf nodes the algorithmcan easily recover value 119890(1198921 1198921)119904 via interpolation depictedas follows

prod119909isin119868119909

(119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909)120577119909

= 119890 (1198921 1198921)sum119909isin119868119909(120577119909 sdot120582119909) sdot 119890 (119867 (GID) 1198921)sum119909isin119868119909(120577119909sdot120596119909)

= 119890 (1198921 1198921)119904 sdot 119890 (119867 (GID) 1198921)0 = 119890 (1198921 1198921)119904

(4)

Finally the plaintext119863 is computed by119863 = 1198631015840119890(1198921 1198921)119904

42 Efficient Lazy Revocation There are two levels of revo-cation that is attribute revocation and accessor revocationThe attribute revocation is done by updating the attributeassociated pACs stored in cloud storage so that the previousauthenticated pACs is no longer useful for decryption Theaccessor revocation can be done by revocation of all theattributes that an accessor owns

Normally the command of attribute revocation is startedfrom authority when there are changes in management ofaccessors Firstly authority AA119896 sends update parameter to

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

2 Mathematical Problems in Engineering

closer to the traditional access control methods such as Role-Based Access Control (RBAC) [10] The access policy is setby PHR owner during PHR encryption where the policy isa Boolean formula consisting of public attributes and logicaloperations like ldquoANDrdquo and ldquoORrdquo PHR owner does not needto know who can access his PHRs because it is responsibilityof authority Only the accessors with attributes that satisfyaccess policy can decrypt ciphertext of PHR Evidently itis more reasonable to implement CP-ABE scheme in publicattributes scenario and it is also convenient for PHR ownerwithout keeping online all the time

Based on the application scenarios of KP-ABE and CP-ABE Li et al [11] proposed a PHR system framework thatcombines KP-ABE and CP-ABE together In the frameworkusers are divided into personal domains (PSDs) and publicdomains (PUDs) according to their roles Usually PHRowners (patients) normally knows users who access thesystem via PSDs It would be better to apply revocable KP-ABE scheme for PSDs [12] so that patients are responsiblefor defining attributes and authorizing accessors Professionalusers access the system via PUDs They should have publicroles such as doctor and researcher Therefore it is better forthe attributes in PUD to be defined and authorized by third-party attribute authorities (abbreviated as AA119904 in this paper)Li et al uses Chase-Chow multiauthority ABE scheme (CCMA-ABE) [13] with an attribute revocationmethod to controlthe attributes in PUDs

Although there are some advantages for the division ofuser domains several shortcomings still exist for Lirsquos ABEscheme [11] (abbreviated as Lirsquos MA-ABE) which are listedas follows (1) Since it works based on CC MA-ABE whichis exactly a variant KP-ABE scheme it is limited on a strictldquoANDrdquo policy over a predetermined set of authorities Ascommented by Lewko and Waters [14] such policy is notflexible and expressive In order to get the same functionof CP-ABE it uses an additional conjunctive normal form(CNF) rule for generation of both policy and encryption(2) PUDs and PSDs have to apply different ABE schemesand work in parallel However our paper reveals an implicitcollusion named role-based collusion between users fromPUDs and PSDs Specifically users in PSDs may also haveprofessional roles such as doctors with public attributes inPUDs In this situation one PHR owner can prevent specificaccessor from PSD by associating his PHR with a set of PSDattributes but may fail to prevent this accessor from accessingvia PUD For example patient A has a friend B who worksas a physician in hospital C Patient A goes to hospital C fordiagnosis He specifies an access policy for his encrypted PHRto allow all the physicians in hospital C access However hesuddenly remembers that his friend B also works there and hedoes not want him to know the diagnosis Although patientA does not authorize friend B to decrypt via PSD he cannotstop friend B from accessing via PUD

There exist several MA-CP-ABE schemes [11 13 15ndash18]but they are not designed for PUDrsquos scenario Commented bypaper [14] CCMA-ABE [13 17] is limited by the strict ldquoANDrdquopolicy Muller et al proposed an ABE scheme that can realizeany access structure but needs an authentication center [16]The usage of authentication center may face security and

performance bottleneck because all the authorities should becontrolled by center Lin et al [15] gave a scheme withoutauthentication center but needs to fix the set of authoritiesahead of time It can resist collusion of users less than 119898where 119898 is a chosen parameter at setup phase LewkorsquosABE solution [14] is flexible but lacks attribute revocationmechanism Ruj et al proposed a solution based on LewkorsquosABE to make attribute revocable [19] However it requiresPHR owner to stay online for revocation and its efficiency isquite low

More importantly the role-based collusion which issignificant for PHR system is not solved in these previousMA CP-ABE schemes In order to resist the collusion ourproposed MA CP-ABE scheme designs a blacklist for ownerEach user (PHR owner) can specify a blacklist of accessoridentities that cannot decrypt his data from PUD Thisblacklist is delegated to a third-party authority that the ownertrusts The authority tags each blacklist with a unique publicattribute in PUD so that the owner can use this unique publicattribute to specify his access policy However the amount ofpublic attributes will increase linearly with PUD users whichresults in a heavy burden for authorities

Consequently our paper aims to construct the CP-ABEscheme for PUD scenario which has efficient revocation andsupports multiple authorities without an authentication cen-ter Compared with Lirsquos ABE scheme in PUD our proposedscheme realizes access control with flexible access policyMoreover the proposed role-based collusion is also solvedefficiently Our contributions are concluded as follows

(1) We propose a modified multiauthority CP-ABEscheme based on Lewkorsquos scheme [14] With it PHRowner can specify flexible and expressive access pol-icy to protect their outsourced PHRs Meanwhileauthorities need not communicate with each otheror be controlled by an authentication center Thenumber of attributes is almost unrestricted since theincrease of attributes does not occupymore resources

(2) We proposed an efficient attribute revocation mech-anism for our scheme Attribute can be revokedefficiently through the proxy reencryption and lazyrevocation while the scheme does not need anauthentication center and any additional communi-cations among authorities

(3) To resist the role-based collusion we suggest a black-list solution to prevent it By replacing the specificattribute master key and public key with hash valueof attributersquos descriptive name the storages in author-ities keep small even when number of attributesincreases

2 Related Work

Sahai and Waters [8] proposed the first ABE scheme inwhich ciphertext is encrypted and associated with a set 120572 ofattributes An accessor can successfully decrypt ciphertext ifand only if he gets a set 120573 of attributes components where theset overlap between the two attributes sets that is |120572 cap 120573|is beyond a predefined threshold Afterwards Goyal et al

Mathematical Problems in Engineering 3

[9] proposed KP-ABE scheme in which a set of attributesfrom an accessor is constructed through a tree-like policywhich is taken as key of the accessor The leaf nodes ofthe tree associated with attributes and the nonleaf nodesare logical operations such as ldquoorrdquo and ldquoandrdquo Data ownerassociates his ciphertext with a set of attributes Once theassociated attributes satisfy a specific key-policy of accessorthe accessor can decrypt the ciphertext However the dataowner should know all the keys of accessors before heencrypts the data and then he can suitably associate theciphertext with corresponding attributes Such requirementsof KP-ABE are not suitable for public access scenario wherethe data owner cannot predict which person can access hisdata

Consequently Bethencourt et al [10] proposed CP-ABEwhich is conceptually closer to the traditional access controlmethods such as RBAC CP-ABE scheme attaches accesspolicy in ciphertext instead of attributes of accessors It ismore intuitive for the data owner to specify such policy atthe time he encrypts the data For accessors they shouldown enough attributes issued by the third party namedauthorities to decrypt the ciphertext correctly Furthermoreordered binary decision diagram (OBDD) is used to describeaccess policies in CP-ABE The system makes full use ofboth the powerful description ability and the high calculatingefficiency of OBDD and improve both performance andefficiency [20] However only one single authority maycause bottleneck of performance [21] Moreover it is morenatural and practical withmultiple professional organizations(authorities) to manage distinct sets of attributes Securitycan be improved with the multiauthority because an attackershould compromise several authorities at the same time toget the keys associated with enough sets of attributes fordecryption

There are already some attempts to solve multiauthorityABE problem with new cryptographic solutions Chase andChow [13] firstly proposed a multiauthority ABE scheme(CC MA-ABE) in which each user is authorized based ona global identifier (GID) such as a social security numberThe GID plays a linchpin to associate usersrsquo keys fromdifferent authorities together But the solution still relies onan authentication center and the access policy is not flexibleand expressivewhich is limited on ldquoANDrdquogate policy over thepredetermined set of authorities Later Li et al [11] proposedan ABE scheme with attribute revocation mechanism basedon CC MA-ABE which is limited on a rule of CNF inthe access policy A threshold multiauthority CP-ABE accesscontrol scheme was proposed for public cloud storage withwhich both security and performance are improved [22]

Actually it is important for MA CP-ABE to support anexpressive and flexible access policy For example AmericanMedical Association (AMA) authorizes attributes of medicalprofessional licenses such as junior nurse license and expe-rienced nurse license while American Hospital Association(AHA) authorizes attributes of affiliations such as hospitalA and hospital B If one patient thinks that the diagnosisand treatment in hospital A are better than those in hospitalB he may specify an access policy that permits the nurseswith any level of license in hospital A to access his PHR

files and only allow the nurses with junior level of licensefrom hospital B access Such expressive policy is presentedas policy = ((junior nurse level or experienced nurse level)and hospital A) or (junior nurse level and hospital B) Thepolicy can be transformed to the ldquoANDrdquo policy for examplepolicy = (1198601 = 11988611) or sdot sdot sdot or (1198601 = 11988611198891) and sdot sdot sdot and (119860119898 =1198861198981) or sdot sdot sdot or (119860119898 = 119886119898119889119898) where 119860119898 refers to the 119898thauthority and 119886119898119889119894 refers to the policy managed by 119860119898 andone authority has only one clause [11]

There are some other schemes which can set the accesspolicy in any Boolean formula over attributes from any num-ber of authorities Among them Muller proposed anotherMA-ABE scheme which is realized on any access structurewith an authentication center Yang and Jia [18] proposeda variant CP-ABE scheme to support multiauthority but itstill requires an additional authentication center to generateuser secret key and authority secret key Moreover it is weakin revocation security Based on Yangrsquos scheme an extensivescheme was proposed to withstand the vulnerability [23] ForMA-ABE scheme with an authentication center to controlmultiple authorities once the authentication center is brokenthe entire ABE system will be compromised Therefore itshould be fully trusted which is hard to guarantee More-over the whole ABE system is hard to be expanded Someresearches try to remove the authentication center from MACP-ABE schemes Chase and Chow [13] used pseudorandomfunctions (PRFs) between different authorities without thecenter However it is still limited on ldquoANDrdquo access policyover a determined set of authorities Lin et al [15] proposeda threshold based ABE scheme that is decentralized andenforces an efficient attribute revocation scheme The systemis collusion-resistant for fewer 119898 users where 119898 is chosenstatically during the setup phase However the authoritiesset should be configured before the setup phase and is fixedin running The authorities should interact with each otherat the setup phase and the access policy is inflexible LaterLewko and Waters [14] proposed a scheme for decentralizedABE scenario in which the authorities work independentlywithout coordination among them A main drawback isthat the scheme has no revocation function Although afurther paper (DACC) [19] addressed it the computationsof key update and communication overhead for attributerevocation are quite heavy Besides DACC requires the dataowner to take part in revocation and transmit an updatedciphertext component to every unrevoked user It means thatthe data owner should keep being online all the time as isunreasonable in practical application scenario

Attribute revocation is an important issue for an ABEsystem and benefits security of the system Once a malicioususer is identified by an authority all his attributes or oneof his specific attributes should be revoked by the authoritywhich means the malicious user can no longer decrypt theABE-generated ciphertext associated with those attributes Insingle authority ABE scheme Yu et al [7] introduced the con-cept of proxy reencryption into CP-ABE to realize attributerevocation in which the affected attribute components ofciphertext and the attributes components stored in terminalsof unrevoked users are updated via reencryption Inspired bypaper [7] Yang and Jia [18] proposed the CP-ABE scheme

4 Mathematical Problems in Engineering

Table 1 Comparison among previous MA CP-ABE schemes and ours

Lin [15] Muller [16] Chase [17] Lewko [14] DACC [19] Li [11] Yang [18] OursFlexible access policy radic radic radic radic radic radicResistance of accessor collusion radic radic radic radic radic radic radicWithout an authentication center radic radic radic radic radic radicAuthority independence radic radic radic radic radic radic radicEfficient revocation radic mdash radic radic radic

Cloud storage

Authority

Authority

Authority

AccessorOwner

CT CT

PKPK

PK

SKSK

SK

(AA1)

(AA2)

(AAk)

Figure 1 MA CP-ABE system model

with a more efficient revocation than that in [19] Howeverit requires an authentication center to control the multipleauthorities Based on the above depiction the comparisonsamong previous MA CP-ABE schemes and our proposedscheme are listed in Table 1

3 System Model and Security Definitionfor MA CP-ABE

31 System Model The MA CP-ABE scheme for PUDinvolves three kinds of participants that is cloud storageauthorities and users (including data owner and accessors)as shown in Figure 1 The scheme consists of five basicalgorithms System Setup Authority Setup Encrypt KeyGenand Decrypt They are described as follows

System Setup (120582) rarr (119901119886119903119886) The setup algorithm takes secu-rity parameter 120582 as input and outputs global parameters para

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) Each attribute author-ity (AA) runs its own authority setup process The setupalgorithm takes system global parameters para and AArsquosdescriptive attributes as input Then for each attribute thatAA manages AA generates a master key msk and thecorresponding public key 119901119896 The master keys 119898119904119896119904 are keptsecret while the public keys 119901119896119904 are published

119864119899119888119903119910119901119905 (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) Once the data owner gets public keys 119901119896119904 fromauthorities he can execute encryption process in his ownterminal The algorithm takes 119901119896119904 from several authoritiesdata 119863 for encryption and an access policy T specified bythe data owner as inputs Then the algorithm encrypts 119863 to

a ciphertext 119863 and generates a public attribute component(abbreviated as pAC) for each leaf node ofT The whole datatuple of 119862119879 = 119863 119901119900119897119894119888119910 T pAC119904 is the final ciphertexttuple and is uploaded to cloud storage

119870119890119910119866119890119899 (119901119886119903119886119898119904119896) rarr (119878119870 119906119860119862119904) Each authoritymanages its own attributes set and is responsible for keydistribution to legal users (accessors) Once an authorityauthenticates identity of an accessor it will process key gen-eration which takes themaster keys mk119904 for a requested set ofattributes 120596as input and outputs user attribute components(abbreviated as uAC119904) for each attribute All the attributesuAC119904 generated for the specific accessor are collected as secretkey of the accessor SK and sent back to the accessor secretly

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119872) An accessor exe-cutes the decryption algorithm which takes the ciphertexttuple CT from cloud storage and the public keys pk119904 andsecret keys SK119904 from authorities as inputs If the attributes setassociated with SK119904 satisfies access policyT the accessor candecrypt the plaintext data 119872 Otherwise it returns an errorsymbol perp

32 PHR Upload and Access Based on CP-ABE scheme(Figure 1) we can easily figure out the PHR upload and PHRaccess procedures Specifically once a data owner needs toupload his specific PHR file ldquopFilerdquo to cloud storage he doesthe following steps (1) Cut the data into contents segments119904 (2) Pick random content key 119888119896 for each content segment(3) Encrypt the segment via symmetric cryptography and getresult 119904 = 119864119888119896(119904) (4) Define an access policy over a set ofattributes encrypt content key 119888119896 as owner data 119872 via ourproposed MA CP-ABE scheme and get the ciphertext tupleCT (6) Finally upload 119904 and CT together as an integratedtuple to the cloud storage The data owner can go offline andauthorities perform other key distribution workflows

When an accessor needs to read the plaintext of onespecific PHR on the cloud storage he should process thefollowing steps (1) Get the whole ciphertext tuple 119904 and CTfrom the cloud storage (2) Read the access policy from theCTand know aminimal set of attributes required for decryption(3) Get identity authenticated by several authorities withwhich these authorities can return the keys associated withattributes (uAC119904) to the accessor respectively (4) Collectenough keys to recover content key 119888119896 from CT (5) Decrypt119904 to 119904 via symmetric cryptography by content key 119888119896 and thenconstruct the original PHR file ldquopFilerdquo

Mathematical Problems in Engineering 5

4 Modified MA CP-ABE Scheme for PUD

41 Scheme Construction Our proposed MA CP-ABEscheme has five algorithms that is System Setup AuthoritySetup KeyGen Encrypt and Decrypt They are depicted asfollows

System Setup rarr (119901119886119903119886) System first selects a bilinear groupG of order 119873 = 119901111990121199013 and bilinear map function 119890 G times G rarr G119879 and then picks a generator 1198921 of G1199011 [14 24]A hash function 119867 0 1lowast rarr G is used to map globalidentities GID119904 of an accessor and descriptive names of hisattributes such as doctor to elements in G Once the hashfunction is fixed the value119867(GID) is modelled as a randomoracle Finally all these system parameters are published as119901119886119903119886 = (119890 1198921 119867(sdot)119873)

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) For each authority AA119896whichmanages attributes setA119896 AA119896 takes para as input andgenerates two public keys as 1198921205721198961 1198921205731198961 where the two values120572119896 120573119896 are picked randomly from Z119873 The values 119898119904119896119896 =(120572119896 120573119896) are stored secretly by AA119896 as master keys while thepublic keys 119901119896119896 = (1198921205721198961 1198921205731198961 ) are published

KeyGen (119901119886119903119886119898119904119896) rarr (119878119870 = 119906119860119862119904) Suppose that a legalaccessor with GID requests authority AA119896 for attributes set119860119906 and he owns attributes set 119860119906119896 in AA119896 Then AA119896 willgenerate secret key (SK) of the accessor which is associatedwith attributes set 119860119906 cap 119860119906119896 Specifically for each attribute119894 isin 119860119906 cap 119860119906119896 AA119896 generates a user attribute component(uAC119894 = 119867(119894)120572119896 sdot 119867(GID)120573119896) for the accessor Finally all thecomponents uAC119894|119894isin119860119906cap119860119906119896 are combined as secret keys ofthe accessor and SK = uAC119904 is sent back to the accessorsecretly for further decryption

Encrypt (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) In encryption phase the data owner specifies anaccess policy treeT to restrict the accessors The encryptionalgorithm encrypts data119863 into119863 = 119863 sdot 119890(1198921 1198921)119904 where thevalue 119904 isin Z119899 is selected randomly Meanwhile a set of publicattribute components (pAC119904) will be generated according tothe value 119904 and the access policyT

Specifically as shown in previous paper [11] any mono-tone access tree T can be translated to an access structure(M 120588) over the involved attributes whereM is a ℓtimes119899matrixand ℓ denotes the number of leaf nodes in the access treeTThe function 120588maps the 119909th row ofmatrixM119909 to an attribute119894 = 120588(M119909) The encryption algorithm chooses two random

vectors 997888rarr120592 = (119904 1199032 119903119899) isin Z119899119873 and997888rarr1205921015840 = (0 11990310158402 1199031015840119899) isin Z119899119873

and then computes 120582119909 = 997888rarr120592 sdot M119909 and ]119909 =997888rarrV1015840 sdot M119909 Notice

that the former vector 997888rarr120592 is used to distribute the value 119904while the latter vector formula distributes the zero value 0For each leaf node119909 ofT associatedwith attribute 119894 = 120588(M119909)the algorithm computes the three pAC119904 as follows where thevalue 120583119909 is picked arbitrarily in Z119899

pAC0 (119909119894) = 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909

pAC1 (119909119894) = 1198921120583119909

pAC2 (119909119894) = 1198921120573119896sdot120583119909+120596119909 (1)

Finally the owner sends the ciphertext 119863 together withpAC119904 and access structure (M 120588) to the semitrust cloudstorage The uploaded data 119862119879 is presented as

119862119879 = (119863 (M 120588) pAC0(119909119894) pAC1(119909119894) pAC2(119909119894) |

(119894 = 120588 (M119909))amp (1 le 119909 le 119877)) (2)

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119863) An accessor receives119862119879 from the cloud storage finds out the minimal set ofattributes A119906 for decryption according to the policy Tand then requests corresponding AA119904 for attributes (uAC119904)Notice that theminimal attributes setA119906 is mapped to ℓ1015840rowsof matrixMThe rows set is labeled as 119868119909 where |119868119909| = ℓ1015840and ℓ1015840 le ℓ According to submatrix 119868119909 the algorithm cancompute ℓ1015840 values 120577119909 isin Z119899|119909isin119868119909 which has the relationshipwith 119904 = sum119909isin119868119909 120577119909120582119909 and 0 = sum119909isin119868119909 120577119909120596120596119909 (interpolation)

Consequently for each leaf node which is associated withthe 119909th row of 119868119909 the algorithm can decrypt it via thefollowing formula

pAC0 (119909119894) sdot 119890 (119867 (GID) pAC2119909119894)119890 (uAC119894 pAC1119909119894)

=119890 (1198921 1198922)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909 sdot 119890 (119867 (GID) 119892120573119896sdot120583119909+1205961199091 )

119890 (119867 (119894)120572119896 sdot 119867 (GID)120573119896 1198921205831199091 )

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909

(3)

By collecting ℓ1015840 decryption values of leaf nodes the algorithmcan easily recover value 119890(1198921 1198921)119904 via interpolation depictedas follows

prod119909isin119868119909

(119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909)120577119909

= 119890 (1198921 1198921)sum119909isin119868119909(120577119909 sdot120582119909) sdot 119890 (119867 (GID) 1198921)sum119909isin119868119909(120577119909sdot120596119909)

= 119890 (1198921 1198921)119904 sdot 119890 (119867 (GID) 1198921)0 = 119890 (1198921 1198921)119904

(4)

Finally the plaintext119863 is computed by119863 = 1198631015840119890(1198921 1198921)119904

42 Efficient Lazy Revocation There are two levels of revo-cation that is attribute revocation and accessor revocationThe attribute revocation is done by updating the attributeassociated pACs stored in cloud storage so that the previousauthenticated pACs is no longer useful for decryption Theaccessor revocation can be done by revocation of all theattributes that an accessor owns

Normally the command of attribute revocation is startedfrom authority when there are changes in management ofaccessors Firstly authority AA119896 sends update parameter to

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Mathematical Problems in Engineering 3

[9] proposed KP-ABE scheme in which a set of attributesfrom an accessor is constructed through a tree-like policywhich is taken as key of the accessor The leaf nodes ofthe tree associated with attributes and the nonleaf nodesare logical operations such as ldquoorrdquo and ldquoandrdquo Data ownerassociates his ciphertext with a set of attributes Once theassociated attributes satisfy a specific key-policy of accessorthe accessor can decrypt the ciphertext However the dataowner should know all the keys of accessors before heencrypts the data and then he can suitably associate theciphertext with corresponding attributes Such requirementsof KP-ABE are not suitable for public access scenario wherethe data owner cannot predict which person can access hisdata

Consequently Bethencourt et al [10] proposed CP-ABEwhich is conceptually closer to the traditional access controlmethods such as RBAC CP-ABE scheme attaches accesspolicy in ciphertext instead of attributes of accessors It ismore intuitive for the data owner to specify such policy atthe time he encrypts the data For accessors they shouldown enough attributes issued by the third party namedauthorities to decrypt the ciphertext correctly Furthermoreordered binary decision diagram (OBDD) is used to describeaccess policies in CP-ABE The system makes full use ofboth the powerful description ability and the high calculatingefficiency of OBDD and improve both performance andefficiency [20] However only one single authority maycause bottleneck of performance [21] Moreover it is morenatural and practical withmultiple professional organizations(authorities) to manage distinct sets of attributes Securitycan be improved with the multiauthority because an attackershould compromise several authorities at the same time toget the keys associated with enough sets of attributes fordecryption

There are already some attempts to solve multiauthorityABE problem with new cryptographic solutions Chase andChow [13] firstly proposed a multiauthority ABE scheme(CC MA-ABE) in which each user is authorized based ona global identifier (GID) such as a social security numberThe GID plays a linchpin to associate usersrsquo keys fromdifferent authorities together But the solution still relies onan authentication center and the access policy is not flexibleand expressivewhich is limited on ldquoANDrdquogate policy over thepredetermined set of authorities Later Li et al [11] proposedan ABE scheme with attribute revocation mechanism basedon CC MA-ABE which is limited on a rule of CNF inthe access policy A threshold multiauthority CP-ABE accesscontrol scheme was proposed for public cloud storage withwhich both security and performance are improved [22]

Actually it is important for MA CP-ABE to support anexpressive and flexible access policy For example AmericanMedical Association (AMA) authorizes attributes of medicalprofessional licenses such as junior nurse license and expe-rienced nurse license while American Hospital Association(AHA) authorizes attributes of affiliations such as hospitalA and hospital B If one patient thinks that the diagnosisand treatment in hospital A are better than those in hospitalB he may specify an access policy that permits the nurseswith any level of license in hospital A to access his PHR

files and only allow the nurses with junior level of licensefrom hospital B access Such expressive policy is presentedas policy = ((junior nurse level or experienced nurse level)and hospital A) or (junior nurse level and hospital B) Thepolicy can be transformed to the ldquoANDrdquo policy for examplepolicy = (1198601 = 11988611) or sdot sdot sdot or (1198601 = 11988611198891) and sdot sdot sdot and (119860119898 =1198861198981) or sdot sdot sdot or (119860119898 = 119886119898119889119898) where 119860119898 refers to the 119898thauthority and 119886119898119889119894 refers to the policy managed by 119860119898 andone authority has only one clause [11]

There are some other schemes which can set the accesspolicy in any Boolean formula over attributes from any num-ber of authorities Among them Muller proposed anotherMA-ABE scheme which is realized on any access structurewith an authentication center Yang and Jia [18] proposeda variant CP-ABE scheme to support multiauthority but itstill requires an additional authentication center to generateuser secret key and authority secret key Moreover it is weakin revocation security Based on Yangrsquos scheme an extensivescheme was proposed to withstand the vulnerability [23] ForMA-ABE scheme with an authentication center to controlmultiple authorities once the authentication center is brokenthe entire ABE system will be compromised Therefore itshould be fully trusted which is hard to guarantee More-over the whole ABE system is hard to be expanded Someresearches try to remove the authentication center from MACP-ABE schemes Chase and Chow [13] used pseudorandomfunctions (PRFs) between different authorities without thecenter However it is still limited on ldquoANDrdquo access policyover a determined set of authorities Lin et al [15] proposeda threshold based ABE scheme that is decentralized andenforces an efficient attribute revocation scheme The systemis collusion-resistant for fewer 119898 users where 119898 is chosenstatically during the setup phase However the authoritiesset should be configured before the setup phase and is fixedin running The authorities should interact with each otherat the setup phase and the access policy is inflexible LaterLewko and Waters [14] proposed a scheme for decentralizedABE scenario in which the authorities work independentlywithout coordination among them A main drawback isthat the scheme has no revocation function Although afurther paper (DACC) [19] addressed it the computationsof key update and communication overhead for attributerevocation are quite heavy Besides DACC requires the dataowner to take part in revocation and transmit an updatedciphertext component to every unrevoked user It means thatthe data owner should keep being online all the time as isunreasonable in practical application scenario

Attribute revocation is an important issue for an ABEsystem and benefits security of the system Once a malicioususer is identified by an authority all his attributes or oneof his specific attributes should be revoked by the authoritywhich means the malicious user can no longer decrypt theABE-generated ciphertext associated with those attributes Insingle authority ABE scheme Yu et al [7] introduced the con-cept of proxy reencryption into CP-ABE to realize attributerevocation in which the affected attribute components ofciphertext and the attributes components stored in terminalsof unrevoked users are updated via reencryption Inspired bypaper [7] Yang and Jia [18] proposed the CP-ABE scheme

4 Mathematical Problems in Engineering

Table 1 Comparison among previous MA CP-ABE schemes and ours

Lin [15] Muller [16] Chase [17] Lewko [14] DACC [19] Li [11] Yang [18] OursFlexible access policy radic radic radic radic radic radicResistance of accessor collusion radic radic radic radic radic radic radicWithout an authentication center radic radic radic radic radic radicAuthority independence radic radic radic radic radic radic radicEfficient revocation radic mdash radic radic radic

Cloud storage

Authority

Authority

Authority

AccessorOwner

CT CT

PKPK

PK

SKSK

SK

(AA1)

(AA2)

(AAk)

Figure 1 MA CP-ABE system model

with a more efficient revocation than that in [19] Howeverit requires an authentication center to control the multipleauthorities Based on the above depiction the comparisonsamong previous MA CP-ABE schemes and our proposedscheme are listed in Table 1

3 System Model and Security Definitionfor MA CP-ABE

31 System Model The MA CP-ABE scheme for PUDinvolves three kinds of participants that is cloud storageauthorities and users (including data owner and accessors)as shown in Figure 1 The scheme consists of five basicalgorithms System Setup Authority Setup Encrypt KeyGenand Decrypt They are described as follows

System Setup (120582) rarr (119901119886119903119886) The setup algorithm takes secu-rity parameter 120582 as input and outputs global parameters para

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) Each attribute author-ity (AA) runs its own authority setup process The setupalgorithm takes system global parameters para and AArsquosdescriptive attributes as input Then for each attribute thatAA manages AA generates a master key msk and thecorresponding public key 119901119896 The master keys 119898119904119896119904 are keptsecret while the public keys 119901119896119904 are published

119864119899119888119903119910119901119905 (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) Once the data owner gets public keys 119901119896119904 fromauthorities he can execute encryption process in his ownterminal The algorithm takes 119901119896119904 from several authoritiesdata 119863 for encryption and an access policy T specified bythe data owner as inputs Then the algorithm encrypts 119863 to

a ciphertext 119863 and generates a public attribute component(abbreviated as pAC) for each leaf node ofT The whole datatuple of 119862119879 = 119863 119901119900119897119894119888119910 T pAC119904 is the final ciphertexttuple and is uploaded to cloud storage

119870119890119910119866119890119899 (119901119886119903119886119898119904119896) rarr (119878119870 119906119860119862119904) Each authoritymanages its own attributes set and is responsible for keydistribution to legal users (accessors) Once an authorityauthenticates identity of an accessor it will process key gen-eration which takes themaster keys mk119904 for a requested set ofattributes 120596as input and outputs user attribute components(abbreviated as uAC119904) for each attribute All the attributesuAC119904 generated for the specific accessor are collected as secretkey of the accessor SK and sent back to the accessor secretly

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119872) An accessor exe-cutes the decryption algorithm which takes the ciphertexttuple CT from cloud storage and the public keys pk119904 andsecret keys SK119904 from authorities as inputs If the attributes setassociated with SK119904 satisfies access policyT the accessor candecrypt the plaintext data 119872 Otherwise it returns an errorsymbol perp

32 PHR Upload and Access Based on CP-ABE scheme(Figure 1) we can easily figure out the PHR upload and PHRaccess procedures Specifically once a data owner needs toupload his specific PHR file ldquopFilerdquo to cloud storage he doesthe following steps (1) Cut the data into contents segments119904 (2) Pick random content key 119888119896 for each content segment(3) Encrypt the segment via symmetric cryptography and getresult 119904 = 119864119888119896(119904) (4) Define an access policy over a set ofattributes encrypt content key 119888119896 as owner data 119872 via ourproposed MA CP-ABE scheme and get the ciphertext tupleCT (6) Finally upload 119904 and CT together as an integratedtuple to the cloud storage The data owner can go offline andauthorities perform other key distribution workflows

When an accessor needs to read the plaintext of onespecific PHR on the cloud storage he should process thefollowing steps (1) Get the whole ciphertext tuple 119904 and CTfrom the cloud storage (2) Read the access policy from theCTand know aminimal set of attributes required for decryption(3) Get identity authenticated by several authorities withwhich these authorities can return the keys associated withattributes (uAC119904) to the accessor respectively (4) Collectenough keys to recover content key 119888119896 from CT (5) Decrypt119904 to 119904 via symmetric cryptography by content key 119888119896 and thenconstruct the original PHR file ldquopFilerdquo

Mathematical Problems in Engineering 5

4 Modified MA CP-ABE Scheme for PUD

41 Scheme Construction Our proposed MA CP-ABEscheme has five algorithms that is System Setup AuthoritySetup KeyGen Encrypt and Decrypt They are depicted asfollows

System Setup rarr (119901119886119903119886) System first selects a bilinear groupG of order 119873 = 119901111990121199013 and bilinear map function 119890 G times G rarr G119879 and then picks a generator 1198921 of G1199011 [14 24]A hash function 119867 0 1lowast rarr G is used to map globalidentities GID119904 of an accessor and descriptive names of hisattributes such as doctor to elements in G Once the hashfunction is fixed the value119867(GID) is modelled as a randomoracle Finally all these system parameters are published as119901119886119903119886 = (119890 1198921 119867(sdot)119873)

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) For each authority AA119896whichmanages attributes setA119896 AA119896 takes para as input andgenerates two public keys as 1198921205721198961 1198921205731198961 where the two values120572119896 120573119896 are picked randomly from Z119873 The values 119898119904119896119896 =(120572119896 120573119896) are stored secretly by AA119896 as master keys while thepublic keys 119901119896119896 = (1198921205721198961 1198921205731198961 ) are published

KeyGen (119901119886119903119886119898119904119896) rarr (119878119870 = 119906119860119862119904) Suppose that a legalaccessor with GID requests authority AA119896 for attributes set119860119906 and he owns attributes set 119860119906119896 in AA119896 Then AA119896 willgenerate secret key (SK) of the accessor which is associatedwith attributes set 119860119906 cap 119860119906119896 Specifically for each attribute119894 isin 119860119906 cap 119860119906119896 AA119896 generates a user attribute component(uAC119894 = 119867(119894)120572119896 sdot 119867(GID)120573119896) for the accessor Finally all thecomponents uAC119894|119894isin119860119906cap119860119906119896 are combined as secret keys ofthe accessor and SK = uAC119904 is sent back to the accessorsecretly for further decryption

Encrypt (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) In encryption phase the data owner specifies anaccess policy treeT to restrict the accessors The encryptionalgorithm encrypts data119863 into119863 = 119863 sdot 119890(1198921 1198921)119904 where thevalue 119904 isin Z119899 is selected randomly Meanwhile a set of publicattribute components (pAC119904) will be generated according tothe value 119904 and the access policyT

Specifically as shown in previous paper [11] any mono-tone access tree T can be translated to an access structure(M 120588) over the involved attributes whereM is a ℓtimes119899matrixand ℓ denotes the number of leaf nodes in the access treeTThe function 120588maps the 119909th row ofmatrixM119909 to an attribute119894 = 120588(M119909) The encryption algorithm chooses two random

vectors 997888rarr120592 = (119904 1199032 119903119899) isin Z119899119873 and997888rarr1205921015840 = (0 11990310158402 1199031015840119899) isin Z119899119873

and then computes 120582119909 = 997888rarr120592 sdot M119909 and ]119909 =997888rarrV1015840 sdot M119909 Notice

that the former vector 997888rarr120592 is used to distribute the value 119904while the latter vector formula distributes the zero value 0For each leaf node119909 ofT associatedwith attribute 119894 = 120588(M119909)the algorithm computes the three pAC119904 as follows where thevalue 120583119909 is picked arbitrarily in Z119899

pAC0 (119909119894) = 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909

pAC1 (119909119894) = 1198921120583119909

pAC2 (119909119894) = 1198921120573119896sdot120583119909+120596119909 (1)

Finally the owner sends the ciphertext 119863 together withpAC119904 and access structure (M 120588) to the semitrust cloudstorage The uploaded data 119862119879 is presented as

119862119879 = (119863 (M 120588) pAC0(119909119894) pAC1(119909119894) pAC2(119909119894) |

(119894 = 120588 (M119909))amp (1 le 119909 le 119877)) (2)

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119863) An accessor receives119862119879 from the cloud storage finds out the minimal set ofattributes A119906 for decryption according to the policy Tand then requests corresponding AA119904 for attributes (uAC119904)Notice that theminimal attributes setA119906 is mapped to ℓ1015840rowsof matrixMThe rows set is labeled as 119868119909 where |119868119909| = ℓ1015840and ℓ1015840 le ℓ According to submatrix 119868119909 the algorithm cancompute ℓ1015840 values 120577119909 isin Z119899|119909isin119868119909 which has the relationshipwith 119904 = sum119909isin119868119909 120577119909120582119909 and 0 = sum119909isin119868119909 120577119909120596120596119909 (interpolation)

Consequently for each leaf node which is associated withthe 119909th row of 119868119909 the algorithm can decrypt it via thefollowing formula

pAC0 (119909119894) sdot 119890 (119867 (GID) pAC2119909119894)119890 (uAC119894 pAC1119909119894)

=119890 (1198921 1198922)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909 sdot 119890 (119867 (GID) 119892120573119896sdot120583119909+1205961199091 )

119890 (119867 (119894)120572119896 sdot 119867 (GID)120573119896 1198921205831199091 )

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909

(3)

By collecting ℓ1015840 decryption values of leaf nodes the algorithmcan easily recover value 119890(1198921 1198921)119904 via interpolation depictedas follows

prod119909isin119868119909

(119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909)120577119909

= 119890 (1198921 1198921)sum119909isin119868119909(120577119909 sdot120582119909) sdot 119890 (119867 (GID) 1198921)sum119909isin119868119909(120577119909sdot120596119909)

= 119890 (1198921 1198921)119904 sdot 119890 (119867 (GID) 1198921)0 = 119890 (1198921 1198921)119904

(4)

Finally the plaintext119863 is computed by119863 = 1198631015840119890(1198921 1198921)119904

42 Efficient Lazy Revocation There are two levels of revo-cation that is attribute revocation and accessor revocationThe attribute revocation is done by updating the attributeassociated pACs stored in cloud storage so that the previousauthenticated pACs is no longer useful for decryption Theaccessor revocation can be done by revocation of all theattributes that an accessor owns

Normally the command of attribute revocation is startedfrom authority when there are changes in management ofaccessors Firstly authority AA119896 sends update parameter to

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

4 Mathematical Problems in Engineering

Table 1 Comparison among previous MA CP-ABE schemes and ours

Lin [15] Muller [16] Chase [17] Lewko [14] DACC [19] Li [11] Yang [18] OursFlexible access policy radic radic radic radic radic radicResistance of accessor collusion radic radic radic radic radic radic radicWithout an authentication center radic radic radic radic radic radicAuthority independence radic radic radic radic radic radic radicEfficient revocation radic mdash radic radic radic

Cloud storage

Authority

Authority

Authority

AccessorOwner

CT CT

PKPK

PK

SKSK

SK

(AA1)

(AA2)

(AAk)

Figure 1 MA CP-ABE system model

with a more efficient revocation than that in [19] Howeverit requires an authentication center to control the multipleauthorities Based on the above depiction the comparisonsamong previous MA CP-ABE schemes and our proposedscheme are listed in Table 1

3 System Model and Security Definitionfor MA CP-ABE

31 System Model The MA CP-ABE scheme for PUDinvolves three kinds of participants that is cloud storageauthorities and users (including data owner and accessors)as shown in Figure 1 The scheme consists of five basicalgorithms System Setup Authority Setup Encrypt KeyGenand Decrypt They are described as follows

System Setup (120582) rarr (119901119886119903119886) The setup algorithm takes secu-rity parameter 120582 as input and outputs global parameters para

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) Each attribute author-ity (AA) runs its own authority setup process The setupalgorithm takes system global parameters para and AArsquosdescriptive attributes as input Then for each attribute thatAA manages AA generates a master key msk and thecorresponding public key 119901119896 The master keys 119898119904119896119904 are keptsecret while the public keys 119901119896119904 are published

119864119899119888119903119910119901119905 (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) Once the data owner gets public keys 119901119896119904 fromauthorities he can execute encryption process in his ownterminal The algorithm takes 119901119896119904 from several authoritiesdata 119863 for encryption and an access policy T specified bythe data owner as inputs Then the algorithm encrypts 119863 to

a ciphertext 119863 and generates a public attribute component(abbreviated as pAC) for each leaf node ofT The whole datatuple of 119862119879 = 119863 119901119900119897119894119888119910 T pAC119904 is the final ciphertexttuple and is uploaded to cloud storage

119870119890119910119866119890119899 (119901119886119903119886119898119904119896) rarr (119878119870 119906119860119862119904) Each authoritymanages its own attributes set and is responsible for keydistribution to legal users (accessors) Once an authorityauthenticates identity of an accessor it will process key gen-eration which takes themaster keys mk119904 for a requested set ofattributes 120596as input and outputs user attribute components(abbreviated as uAC119904) for each attribute All the attributesuAC119904 generated for the specific accessor are collected as secretkey of the accessor SK and sent back to the accessor secretly

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119872) An accessor exe-cutes the decryption algorithm which takes the ciphertexttuple CT from cloud storage and the public keys pk119904 andsecret keys SK119904 from authorities as inputs If the attributes setassociated with SK119904 satisfies access policyT the accessor candecrypt the plaintext data 119872 Otherwise it returns an errorsymbol perp

32 PHR Upload and Access Based on CP-ABE scheme(Figure 1) we can easily figure out the PHR upload and PHRaccess procedures Specifically once a data owner needs toupload his specific PHR file ldquopFilerdquo to cloud storage he doesthe following steps (1) Cut the data into contents segments119904 (2) Pick random content key 119888119896 for each content segment(3) Encrypt the segment via symmetric cryptography and getresult 119904 = 119864119888119896(119904) (4) Define an access policy over a set ofattributes encrypt content key 119888119896 as owner data 119872 via ourproposed MA CP-ABE scheme and get the ciphertext tupleCT (6) Finally upload 119904 and CT together as an integratedtuple to the cloud storage The data owner can go offline andauthorities perform other key distribution workflows

When an accessor needs to read the plaintext of onespecific PHR on the cloud storage he should process thefollowing steps (1) Get the whole ciphertext tuple 119904 and CTfrom the cloud storage (2) Read the access policy from theCTand know aminimal set of attributes required for decryption(3) Get identity authenticated by several authorities withwhich these authorities can return the keys associated withattributes (uAC119904) to the accessor respectively (4) Collectenough keys to recover content key 119888119896 from CT (5) Decrypt119904 to 119904 via symmetric cryptography by content key 119888119896 and thenconstruct the original PHR file ldquopFilerdquo

Mathematical Problems in Engineering 5

4 Modified MA CP-ABE Scheme for PUD

41 Scheme Construction Our proposed MA CP-ABEscheme has five algorithms that is System Setup AuthoritySetup KeyGen Encrypt and Decrypt They are depicted asfollows

System Setup rarr (119901119886119903119886) System first selects a bilinear groupG of order 119873 = 119901111990121199013 and bilinear map function 119890 G times G rarr G119879 and then picks a generator 1198921 of G1199011 [14 24]A hash function 119867 0 1lowast rarr G is used to map globalidentities GID119904 of an accessor and descriptive names of hisattributes such as doctor to elements in G Once the hashfunction is fixed the value119867(GID) is modelled as a randomoracle Finally all these system parameters are published as119901119886119903119886 = (119890 1198921 119867(sdot)119873)

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) For each authority AA119896whichmanages attributes setA119896 AA119896 takes para as input andgenerates two public keys as 1198921205721198961 1198921205731198961 where the two values120572119896 120573119896 are picked randomly from Z119873 The values 119898119904119896119896 =(120572119896 120573119896) are stored secretly by AA119896 as master keys while thepublic keys 119901119896119896 = (1198921205721198961 1198921205731198961 ) are published

KeyGen (119901119886119903119886119898119904119896) rarr (119878119870 = 119906119860119862119904) Suppose that a legalaccessor with GID requests authority AA119896 for attributes set119860119906 and he owns attributes set 119860119906119896 in AA119896 Then AA119896 willgenerate secret key (SK) of the accessor which is associatedwith attributes set 119860119906 cap 119860119906119896 Specifically for each attribute119894 isin 119860119906 cap 119860119906119896 AA119896 generates a user attribute component(uAC119894 = 119867(119894)120572119896 sdot 119867(GID)120573119896) for the accessor Finally all thecomponents uAC119894|119894isin119860119906cap119860119906119896 are combined as secret keys ofthe accessor and SK = uAC119904 is sent back to the accessorsecretly for further decryption

Encrypt (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) In encryption phase the data owner specifies anaccess policy treeT to restrict the accessors The encryptionalgorithm encrypts data119863 into119863 = 119863 sdot 119890(1198921 1198921)119904 where thevalue 119904 isin Z119899 is selected randomly Meanwhile a set of publicattribute components (pAC119904) will be generated according tothe value 119904 and the access policyT

Specifically as shown in previous paper [11] any mono-tone access tree T can be translated to an access structure(M 120588) over the involved attributes whereM is a ℓtimes119899matrixand ℓ denotes the number of leaf nodes in the access treeTThe function 120588maps the 119909th row ofmatrixM119909 to an attribute119894 = 120588(M119909) The encryption algorithm chooses two random

vectors 997888rarr120592 = (119904 1199032 119903119899) isin Z119899119873 and997888rarr1205921015840 = (0 11990310158402 1199031015840119899) isin Z119899119873

and then computes 120582119909 = 997888rarr120592 sdot M119909 and ]119909 =997888rarrV1015840 sdot M119909 Notice

that the former vector 997888rarr120592 is used to distribute the value 119904while the latter vector formula distributes the zero value 0For each leaf node119909 ofT associatedwith attribute 119894 = 120588(M119909)the algorithm computes the three pAC119904 as follows where thevalue 120583119909 is picked arbitrarily in Z119899

pAC0 (119909119894) = 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909

pAC1 (119909119894) = 1198921120583119909

pAC2 (119909119894) = 1198921120573119896sdot120583119909+120596119909 (1)

Finally the owner sends the ciphertext 119863 together withpAC119904 and access structure (M 120588) to the semitrust cloudstorage The uploaded data 119862119879 is presented as

119862119879 = (119863 (M 120588) pAC0(119909119894) pAC1(119909119894) pAC2(119909119894) |

(119894 = 120588 (M119909))amp (1 le 119909 le 119877)) (2)

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119863) An accessor receives119862119879 from the cloud storage finds out the minimal set ofattributes A119906 for decryption according to the policy Tand then requests corresponding AA119904 for attributes (uAC119904)Notice that theminimal attributes setA119906 is mapped to ℓ1015840rowsof matrixMThe rows set is labeled as 119868119909 where |119868119909| = ℓ1015840and ℓ1015840 le ℓ According to submatrix 119868119909 the algorithm cancompute ℓ1015840 values 120577119909 isin Z119899|119909isin119868119909 which has the relationshipwith 119904 = sum119909isin119868119909 120577119909120582119909 and 0 = sum119909isin119868119909 120577119909120596120596119909 (interpolation)

Consequently for each leaf node which is associated withthe 119909th row of 119868119909 the algorithm can decrypt it via thefollowing formula

pAC0 (119909119894) sdot 119890 (119867 (GID) pAC2119909119894)119890 (uAC119894 pAC1119909119894)

=119890 (1198921 1198922)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909 sdot 119890 (119867 (GID) 119892120573119896sdot120583119909+1205961199091 )

119890 (119867 (119894)120572119896 sdot 119867 (GID)120573119896 1198921205831199091 )

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909

(3)

By collecting ℓ1015840 decryption values of leaf nodes the algorithmcan easily recover value 119890(1198921 1198921)119904 via interpolation depictedas follows

prod119909isin119868119909

(119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909)120577119909

= 119890 (1198921 1198921)sum119909isin119868119909(120577119909 sdot120582119909) sdot 119890 (119867 (GID) 1198921)sum119909isin119868119909(120577119909sdot120596119909)

= 119890 (1198921 1198921)119904 sdot 119890 (119867 (GID) 1198921)0 = 119890 (1198921 1198921)119904

(4)

Finally the plaintext119863 is computed by119863 = 1198631015840119890(1198921 1198921)119904

42 Efficient Lazy Revocation There are two levels of revo-cation that is attribute revocation and accessor revocationThe attribute revocation is done by updating the attributeassociated pACs stored in cloud storage so that the previousauthenticated pACs is no longer useful for decryption Theaccessor revocation can be done by revocation of all theattributes that an accessor owns

Normally the command of attribute revocation is startedfrom authority when there are changes in management ofaccessors Firstly authority AA119896 sends update parameter to

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Mathematical Problems in Engineering 5

4 Modified MA CP-ABE Scheme for PUD

41 Scheme Construction Our proposed MA CP-ABEscheme has five algorithms that is System Setup AuthoritySetup KeyGen Encrypt and Decrypt They are depicted asfollows

System Setup rarr (119901119886119903119886) System first selects a bilinear groupG of order 119873 = 119901111990121199013 and bilinear map function 119890 G times G rarr G119879 and then picks a generator 1198921 of G1199011 [14 24]A hash function 119867 0 1lowast rarr G is used to map globalidentities GID119904 of an accessor and descriptive names of hisattributes such as doctor to elements in G Once the hashfunction is fixed the value119867(GID) is modelled as a randomoracle Finally all these system parameters are published as119901119886119903119886 = (119890 1198921 119867(sdot)119873)

Authority Setup (119901119886119903119886) rarr (119898119904119896 119901119896) For each authority AA119896whichmanages attributes setA119896 AA119896 takes para as input andgenerates two public keys as 1198921205721198961 1198921205731198961 where the two values120572119896 120573119896 are picked randomly from Z119873 The values 119898119904119896119896 =(120572119896 120573119896) are stored secretly by AA119896 as master keys while thepublic keys 119901119896119896 = (1198921205721198961 1198921205731198961 ) are published

KeyGen (119901119886119903119886119898119904119896) rarr (119878119870 = 119906119860119862119904) Suppose that a legalaccessor with GID requests authority AA119896 for attributes set119860119906 and he owns attributes set 119860119906119896 in AA119896 Then AA119896 willgenerate secret key (SK) of the accessor which is associatedwith attributes set 119860119906 cap 119860119906119896 Specifically for each attribute119894 isin 119860119906 cap 119860119906119896 AA119896 generates a user attribute component(uAC119894 = 119867(119894)120572119896 sdot 119867(GID)120573119896) for the accessor Finally all thecomponents uAC119894|119894isin119860119906cap119860119906119896 are combined as secret keys ofthe accessor and SK = uAC119904 is sent back to the accessorsecretly for further decryption

Encrypt (119863 119901119886119903119886 119901119900119897119894119888119910 T 119901119896119904) rarr (119862119879 = 119863 119901119900119897119894119888119910 T119901119860119862119904) In encryption phase the data owner specifies anaccess policy treeT to restrict the accessors The encryptionalgorithm encrypts data119863 into119863 = 119863 sdot 119890(1198921 1198921)119904 where thevalue 119904 isin Z119899 is selected randomly Meanwhile a set of publicattribute components (pAC119904) will be generated according tothe value 119904 and the access policyT

Specifically as shown in previous paper [11] any mono-tone access tree T can be translated to an access structure(M 120588) over the involved attributes whereM is a ℓtimes119899matrixand ℓ denotes the number of leaf nodes in the access treeTThe function 120588maps the 119909th row ofmatrixM119909 to an attribute119894 = 120588(M119909) The encryption algorithm chooses two random

vectors 997888rarr120592 = (119904 1199032 119903119899) isin Z119899119873 and997888rarr1205921015840 = (0 11990310158402 1199031015840119899) isin Z119899119873

and then computes 120582119909 = 997888rarr120592 sdot M119909 and ]119909 =997888rarrV1015840 sdot M119909 Notice

that the former vector 997888rarr120592 is used to distribute the value 119904while the latter vector formula distributes the zero value 0For each leaf node119909 ofT associatedwith attribute 119894 = 120588(M119909)the algorithm computes the three pAC119904 as follows where thevalue 120583119909 is picked arbitrarily in Z119899

pAC0 (119909119894) = 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909

pAC1 (119909119894) = 1198921120583119909

pAC2 (119909119894) = 1198921120573119896sdot120583119909+120596119909 (1)

Finally the owner sends the ciphertext 119863 together withpAC119904 and access structure (M 120588) to the semitrust cloudstorage The uploaded data 119862119879 is presented as

119862119879 = (119863 (M 120588) pAC0(119909119894) pAC1(119909119894) pAC2(119909119894) |

(119894 = 120588 (M119909))amp (1 le 119909 le 119877)) (2)

119863119890119888119903119910119901119905 (119901119886119903119886 119862119879 119878119870119904 119901119896119904) rarr (119863) An accessor receives119862119879 from the cloud storage finds out the minimal set ofattributes A119906 for decryption according to the policy Tand then requests corresponding AA119904 for attributes (uAC119904)Notice that theminimal attributes setA119906 is mapped to ℓ1015840rowsof matrixMThe rows set is labeled as 119868119909 where |119868119909| = ℓ1015840and ℓ1015840 le ℓ According to submatrix 119868119909 the algorithm cancompute ℓ1015840 values 120577119909 isin Z119899|119909isin119868119909 which has the relationshipwith 119904 = sum119909isin119868119909 120577119909120582119909 and 0 = sum119909isin119868119909 120577119909120596120596119909 (interpolation)

Consequently for each leaf node which is associated withthe 119909th row of 119868119909 the algorithm can decrypt it via thefollowing formula

pAC0 (119909119894) sdot 119890 (119867 (GID) pAC2119909119894)119890 (uAC119894 pAC1119909119894)

=119890 (1198921 1198922)120582119909 sdot 119890 (119867 (119894) 1198921)120572119896sdot120583119909 sdot 119890 (119867 (GID) 119892120573119896sdot120583119909+1205961199091 )

119890 (119867 (119894)120572119896 sdot 119867 (GID)120573119896 1198921205831199091 )

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909

(3)

By collecting ℓ1015840 decryption values of leaf nodes the algorithmcan easily recover value 119890(1198921 1198921)119904 via interpolation depictedas follows

prod119909isin119868119909

(119890 (1198921 1198921)120582119909 sdot 119890 (119867 (GID) 1198921)120596119909)120577119909

= 119890 (1198921 1198921)sum119909isin119868119909(120577119909 sdot120582119909) sdot 119890 (119867 (GID) 1198921)sum119909isin119868119909(120577119909sdot120596119909)

= 119890 (1198921 1198921)119904 sdot 119890 (119867 (GID) 1198921)0 = 119890 (1198921 1198921)119904

(4)

Finally the plaintext119863 is computed by119863 = 1198631015840119890(1198921 1198921)119904

42 Efficient Lazy Revocation There are two levels of revo-cation that is attribute revocation and accessor revocationThe attribute revocation is done by updating the attributeassociated pACs stored in cloud storage so that the previousauthenticated pACs is no longer useful for decryption Theaccessor revocation can be done by revocation of all theattributes that an accessor owns

Normally the command of attribute revocation is startedfrom authority when there are changes in management ofaccessors Firstly authority AA119896 sends update parameter to

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

6 Mathematical Problems in Engineering

the cloud storage and then the cloud storage updates pAC119904via proxy reencryption technique [12] In our revocationscheme the corresponding pAC119904 will not be updated untilsomeone requests them Specifically the cloud storage storesthe update parameters in an attribute history list (AHL)for each attribute revocation command Once a ciphertext(associated with a set of pAC119904) is requested it can be updatedonly once according to AHL although the update parametershave been updated many times and recorded in AHL Suchmechanism is called lazy revocation which can accumulateupdate of parameters over time Our revocation model ismore efficient thanDACCrsquos solution [19] when AA119896 delegatesmost computationworkloads to the cloud storage and the lazyrevocation is used

For accessors once pAC119904 stored in the cloud storage isupdated their corresponding uAC119904 can no longer decryptthe ciphertext Consequently these accessors need to requestauthorities to update parameters Instead of regeneratingthe accessorsrsquo uAC119904 the authorities can simply generateparameters that is update keys (UK119904) and let these accessorsupdate their uAC119904 at their terminal

In previous papers [11 12 25] the revocation methodswill generate the same update keys for all accessors Thisis efficient but weak in security Therefore our proposedrevocation scheme can support two methods One methodis to generate the same update parameters for all accessorsand the other one is to generate different update parametersfor different accessors It is obvious that the former methodis efficient but has potential risk in some circumstance Thelatter method is the opposite PHR system can choose eithermethod according to its strategy and environment

Attribute Revocation (119901119886119903119886119898119904119896) rarr (119880119870119886119860119862 119880119870119901119860119862) Toexecute the revocation command for attribute 119894 its corre-sponding authority AA119896 takes public system parameters paraand its own master key (120572119896 120573119896) as input Then AA119896 generatesregeneration key UKpAC for the cloud storage and generatesUKaAC for the accessors All these regeneration keys aretransmitted secretly

Method 1 (Same Update Parameter) Specifically AA119896 selectsa random value 120572 isin 119885119873 and then generates UKaAC119894 =UKpAC119894 = 119867(119894)1198861015840119896minus119886119896 The cloud storage updates the attribute119894 associated pAC0 (119909119894) through (5) uAC119894 of the accessor isupdated through (6) at the terminals of accessors or at theauthority

pAc0 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(5)

uAC1015840119894 = uAC119894 sdot UKaAC119894 = 119867 (119894)1205721015840119896 sdot 119867 (GID)120573119896 (6)

Method 2 (Different Update Parameters) Specifically AA119896selects random values 1205721015840119896 1205731015840119896 isin Z119899 and generates UKpAC119894 =119867(119894)1205721015840119896minus120572119896 and UKpAC119894 = 1205731015840119896 minus 120573119896 for the cloud stor-age For each accessor with GID AA119896 generates specificUKaAC119894GID = 119867(119894)1205721015840119896minus120572119896 sdot 119867(GID)1205731015840119896minus120573119896 The cloud storage

updates the attribute 119894 associated pAC0 (119909 119894) and pAC2 (119909 119894)through (7) and (8) The accessorrsquos uAC119894 is updated through(9)

pAC10158400 (119909119894) = pAC0 (119909119894) sdot 119890 (UKpAC119894 pAC1119909119894)

= 119890 (1198921 1198921)120582119909 sdot 119890 (119867 (119894) 1198921)1205721015840119896sdot120583119909

(7)

pAC10158402 (119909119894) = pAC2 (119909119894) sdot PACUKpAC1198941119909119894

= 1198921205731015840119896sdot120583119909+1205961199091

(8)

uAC1015840119894 = uAC119894 sdot UK120572AC119894 GID = 119867 (119894)1205721015840119896 sdot 119867 (GID)1205731015840119896 (9)

Accessor Revocation Supposing that the attributes set A120572 isowned by the accessor the corresponding authority AA119896can execute attribute revocations for these |A120572| attributes intotal Moreover to avoid fake revocation commands boththe authority and the cloud storage use digital signaturetechnique to confirm validity as implemented in paper [12]

43 Collusion Resistant The same as most of previous papers[11 18] our proposed MA CP-ABE scheme can resist bothaccessor collusion and authority collusion Besides the mali-cious but implicit role-based collusion can also be resisted

As discussed in Introduction role-based collusion iscaused by the fact that PHR owner cannot predict the exactuser identity who is an accessor from PUD because theattribute authentication is controlled by the third authorityparty To resist the collusion it is essential for PHR ownerto specify a blacklist which contains the access identitiesthat are not allowed access from PUD and delegates theblacklist to a third authority party The authority maps eachblacklist to an attribute such as attribute ldquoAlic119890s Blacklist1rdquoso that an owner can combine such attributes in his accesspolicy in PUD to restrict specific identity from accessNormally the amount of blacklist attributes will grow linearlywith users in PHR system Fortunately our proposed ABEconstruction is efficient in managing attributes because thealgorithms replace attribute master keys with the hash valuesof attributesrsquo descriptive names The storage for attributemanagement can keep small at the authority even when thenumber of attributes increases It means that the blacklistsolution is highly efficient

Accessor collusion denotes that different accessors willcombine their attribute components (pACs) together fordecryption of a file despite the fact that they do not haveenough attributes to decrypt it alone Our proposed MA CP-ABE scheme can resist the accessor collusion by embeddingthe accessorrsquos hash value into their pACs Consequently thetemporary result in decryption phase that is 119890(1198921 1198921)120582119909 sdot119890(119867(GID) 1198921)120583119909 differs among accessors Therefore thedecryption process is resisted

Authority collusion is an important security metric inmultiauthority scenario In our proposed scheme since theauthorities do not communicate with each other or have nopredefined parameters among them the authority collusionis impossible in our proposed scheme

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Mathematical Problems in Engineering 7

Table 2 Storage overhead on each entity

DACC Yang OursAuthority 2 lowast 119899att 119899att + 2 lowast 119899user + 3 2Owner 119899119888 + 2 lowast 119899att + 2 3 lowast 119899AA + 2 lowast 119899att + 3 2 lowast 119899AA + 1Accessor 119899pAC119904 + 119899att 2 lowast 119899AA + 119899att + 2 119899attCloud storage (3 lowast avg + 1) lowast 119899cipher (4 lowast avg + 3) lowast 119899cipher (3 lowast avg + 1) lowast 119899cipher

Table 3 Time consumption of different types of operation

Type Description Time for 1000 operationsT0 Time for two-vector multiplication Depending on the vector lengthT1 Time for one PBC pairing operation 875443 (us)T2 Time for one PBC exponent operation 1419140 (us)T3 Time for one PBC multiply operation 13264 (us)T4 Time for one PBC addition operation 1196 (us)

Table 4 Computation efficiency

Time for encryption Time for decryptionDACC 119899pAC119904 sdot (2 sdot 1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793)pAC119904Yang 119899pAC119904 sdot (1198790 + 5 sdot 1198792 + 2 sdot 1198793) + (3 sdot 1198792 + 119899AA sdot 1198793) 119899 sdot (4 sdot 1198791 + 2 sdot 1198792 + 4 sdot 1198793) + 119899AA sdot (2 sdot 1198791 + 1198793) + (1198792 + 1198793)pAC119904Ours 119899pAC119904 sdot (2 sdot 1198790 + 1198791 + 4 sdot 1198792 + 2 sdot 1198793) + (1198792 + 1198793) 119899 sdot (2 sdot 1198791 + 1198792 + 3 sdot 1198793) sdot 119899pAC119904

5 Performance

In this section we will compare performances between ourproposed scheme and previous MA CP-ABE schemes inaspects of storage cost computation efficiency and revoca-tion cost Since Lirsquos ABE scheme for PUD is actually a variantKP-ABE scheme we will compare our scheme with bothDACCrsquos [19] and Yangrsquos scheme [18]

51 Storage The storage overheads on each entity are listedin Table 2 Notice that 119899user is the amount of users (accessors)in PHR system 119899att denotes the number of all attributes 119899AAdenotes the number of authorities 119899cipher is the number of allciphertext tuples 119899119888 stored in cloud storage and 119899pAC119904 denotesthe number of generated pAC119904 at terminal of accessor Forcomparison the storage overheads of these parameters are119899119888 119899cipher 119899user and 119899pAC119904 gt 119899att gt 119899AA Specifically storageoverhead at authority (AA) is mainly the space occupation ofmaster keys and public keys for attributes Since our proposedscheme uses hash values to replace keys for attributes thestorage space at authorities can be saved evidently Wesuppose that each ciphertext is associated with avg attributeson average From Table 2 it is evident that our scheme hasthe smallest storage overhead at authority terminal of ownerterminal of accessor and cloud storage compared with bothDACCrsquos and Yangrsquos schemes

52 Computation Efficiency In this section we compare thecomputation costs for these three schemes by implementingthem on a Linux system with an Intel Core i7 CPU at220GHz and 100GBRAMThe codes are constructed basedon the Pairing-Based Cryptography (PBC) library version

0514 A symmetric elliptic curve 120572-curve whose base fieldsize is 512 bits is set up to execute the pairing operation Thegroup order of 120572-curve is of 160 bits that is 1199011 is a 160-bit length prime All the simulation results come from theaverage of 20 trials

Before the simulations time consumption values of fourPBC functional operations are compared which are listed inTable 3 It is obvious that pairing operation and exponentoperation consume more time than multiplication and addi-tion Furthermore time consumption for encryption anddecryption is shown in Table 4 where 1198991015840 denotes the numberof pACs required in each decryption

We compare the computation efficiencies of both encryp-tion and decryption in two criteria (1)Thenumber of author-ities is changeable while the number of attributes in eachauthority is fixed (2)The number of authorities is fixed whilethe number of attributes in each authority is changeable Theresult is shown in Figure 2 In the first simulation the numberof related authorities (119909-axis) changes from 2 to 20 and theinvolved attributes of each authority are set to be 10 Time forencryption is shown in Figure 2(a) while time for decryptionis presented in Figure 2(b) The second simulation is theoppositeThe number of involved attributes in each authoritychanges from 2 to 20 and related authorities are set to be 10Time for encryption and time for decryption are shown inFigures 2(c) and 2(d) respectively Evidently our proposedscheme has better performance in computation efficiencybecause of less number of PBC exponent operations

53 Revocation Cost As shown in Table 5 we use expressionsto denote the communication overheads between terminalsand the cloud storage In DACC it is the responsibility

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

8 Mathematical Problems in Engineering

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(a) Enc time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(b) Dec time (10 attributes per AA)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(c) Enc time (10 authorities)

DACCYangOurs

2 201816141210864Number of authorities

4

30

20

10

00

Tim

e (s)

(d) Dec time (10 authorities)

Figure 2 Time for encryption (Enc time) and decryption (Dec time)

Table 5 Communication overhead of attribute revocation

DACC Yangrsquos scheme Ours (method 1) Ours (method 2)Update parameters for accessors (1198991015840pAC119904 lowast 1198991015840user + 1) lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816 1198991015840user lowast 10038161003816100381610038161199011

1003816100381610038161003816 1198991015840user lowast 100381610038161003816100381611990111003816100381610038161003816

Update parameters for cloud storage server 1198991015840pAC119904 lowast10038161003816100381610038161199011

1003816100381610038161003816 2 lowast 100381610038161003816100381611990111003816100381610038161003816

100381610038161003816100381611990111003816100381610038161003816 2 lowast 10038161003816100381610038161199011

1003816100381610038161003816Notes 1198991015840pAC119904 is the number of ciphertexts which is associated with the revoked attribute 119894 1198991015840user is the number of unrevoked accessors |1199011| is the length of eachupdate parameter

of data owner to generate update parameters for attributerevocation In some other schemes authority generates theupdate parameters and the data owner can stay offline Itis clear that DACC is inefficient because the data ownershould regenerate all the related pACs manually Both Yangrsquosscheme and our two revocation methods (the same update

parameters and different update parameters) use the proxyreencryption technique to reduce communication cost andcomputation cost

Time revocation for different number of attributes isshown in Figure 3 where the 119909-axis denotes number of therevoked attributes and the 119910-axis is time consumption For

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Mathematical Problems in Engineering 9

8

0

1

2

3

4

5

6

7

Number of revoked attributes2 201816141210864

DACCYang

Ours with method 1 Ours with method 2

lowast108

(s

)

Figure 3 Revocation time with different number of attributes

simplify we set the related ciphertext as 119899 tuples and eachciphertext is associated with 10 attributes (so that 1198991015840pAC119904 =1000 lowast 10)

It is inefficient for the data owner to generate updateparameters for each attribute associated pAC in DACCwhichmeans the data owner should always keep being onlineOur second revocationmethod (different update parameters)is as efficient as Yangrsquos scheme [18] while our first revocationmethod (same update parameter) is more efficient because itgenerates the same update parameters for all accessors It isnoticed that the difference of computation time will be moreobvious if 1198991015840pAC119904 or 119899

1015840user are getting bigger From both Table 5

and Figure 3 we can conclude that our scheme has higherefficiency in in communication and computation

6 Conclusion

In this paper we proposed amodifiedMACP-ABE scheme toimplement fine-grained access control Our proposed schemesupports expressive access policy and can resist user collusionwithout an authentication center Moreover two types ofattribute revocation methods which can revoke attributeefficiently are proposed The system can choose one of themaccording to different application scenarios Simulations andanalysis show that the proposed scheme can achieve less instorage occupation computation assumption and revocationcost compared with other schemes

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China under Grant 61402291 and the Technology

Planning Project from Guangdong Province China underGrant no 2014B010118005

References

[1] J Li ldquoEnsuring privacy in a personal health record systemrdquoComputer vol 48 no 2 Article ID 7042698 pp 24ndash31 2015

[2] Y Yang and M Ma ldquoConjunctive keyword search with desig-nated tester and timing enabled proxy re-encryption functionfor e-health cloudsrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 4 pp 746ndash759 2016

[3] A Ge J Zhang R Zhang C Ma and Z Zhang ldquoSecurity anal-ysis of a privacy-preserving decentralized key-policy attribute-based encryption schemerdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 11 pp 2319ndash2321 2013

[4] M Li ldquoFractal time seriesmdasha tutorial reviewrdquo MathematicalProblems in Engineering Article ID 157264 Art ID 157264 26pages 2010

[5] M Li ldquoRecord length requirement of long-range dependentteletrafficrdquo Physica A Statistical Mechanics and its Applicationsvol 472 pp 164ndash187 2017

[6] S Wang J Zhou J K Liu J Yu J Chen and W Xie ldquoAnefficient file hierarchy attribute-based encryption scheme incloud computingrdquo IEEE Transactions on Information Forensicsand Security vol 11 no 6 pp 1265ndash1277 2016

[7] S Yu C Wang K Ren and W Lou ldquoAttribute based datasharingwith attribute revocationrdquo inProceedings of the 5thACMSymposium on Information Computer and CommunicationSecurity (ASIACCS rsquo10) pp 261ndash270 April 2010

[8] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in cryptology vol 3494 of Lecture Notes in ComputSci pp 457ndash473 Springer Berlin 2005

[9] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[10] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[11] M Li S Yu Y Zheng K Ren andW Lou ldquoScalable and securesharing of personal health records in cloud computing usingattribute-based encryptionrdquo IEEE Transactions on Parallel andDistributed Systems vol 24 no 1 pp 131ndash143 2013

[12] S Yu CWang K Ren andW Lou ldquoAchieving secure scalableand fine-grained data access control in cloud computingrdquo inProceedings of the IEEE INFOCOM pp 1ndash9 March 2010

[13] M Chase and S S M Chow ldquoImproving privacy and securityin multi-authority attribute-based encryptionrdquo in Proceedingsof the 16th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo09) pp 121ndash130 Chicago Ill USA November2009

[14] A Lewko and B Waters ldquoDecentralizing attribute-basedencryptionrdquo inAdvances in cryptology vol 6632 ofLectureNotesin Comput Sci pp 568ndash588 Springer Heidelberg 2011

[15] H Lin Z Cao X Liang and J Shao ldquoSecure thresholdmulti authority attribute based encryption without a centralauthorityrdquo Information Sciences An International Journal vol180 no 13 pp 2618ndash2632 2010

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

10 Mathematical Problems in Engineering

[16] S Muller S Katzenbeisser and C Eckert ldquoDistributedattribute-based encryptionrdquo in Information security and cryp-tology vol 5461 of Lecture Notes in Comput Sci pp 20ndash36Springer Berlin 2009

[17] M Chase ldquoMulti-authority attribute based encryptionrdquo inTheory of Cryptography vol 4392 of Lecture Notes in ComputerScience pp 515ndash534 Springer Berlin Germany 2007

[18] K Yang and X Jia ldquoExpressive efficient and revocable dataaccess control for multi-authority cloud storagerdquo IEEE Trans-actions on Parallel and Distributed Systems vol 25 no 7 pp1735ndash1744 2014

[19] S Ruj A Nayak and I Stojmenovic ldquoDACC distributed accesscontrol in cloudsrdquo in Proceedings of the IEEE 10th InternationalConference on Trust Security and Privacy in Computing andCommunications (TrustCom rsquo11) pp 91ndash98 Changsha ChinaNovember 2011

[20] L Li T L Gu L Chang Z B Xu Y N Liu and J Y QianldquoA ciphertext-policy attribute-based encryption based on anordered binary decision diagramrdquo IEEE Access vol 5 pp 1137ndash1145 2017

[21] L Ibraimi M Asim and M Petkovic ldquoSecure managementof personal health records by applying attribute-based encryp-tionrdquo in Proceedings of the 6th International Workshop onWearableMicro andNano Technologies for PersonalizedHealthpp 71ndash74 Oslo Norway June 2009

[22] W Li K Xue Y Xue and J Hong ldquoTMACS A Robust andVerifiable Threshold Multi-Authority Access Control Systemin Public Cloud Storagerdquo IEEE Transactions on Parallel andDistributed Systems vol 27 no 5 pp 1484ndash1496 2016

[23] X Wu R Jiang and B Bhargava ldquoOn the security of dataaccess control for multiauthority cloud storage systemsrdquo IEEETransactions on Services Computing vol PP no 99 2015

[24] D Boneh E-J Goh and K Nissim ldquoEvaluating 2-DNF for-mulas on ciphertextsrdquo in Theory of cryptography vol 3378 ofLecture Notes in Comput Sci pp 325ndash341 Springer Berlin2005

[25] SWang K Liang J K Liu J Chen J Yu andWXie ldquoAttribute-Based Data Sharing Scheme Revisited in Cloud ComputingrdquoIEEE Transactions on Information Forensics and Security vol 11no 8 pp 1661ndash1673 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of


Top Related