expressive cp-abe scheme for mobile devices in iot satisfying...

SPECIAL SECTION ON SECURITY AND PRIVACY IN APPLICATIONS AND SERVICESFOR FUTURE INTERNET OF THINGS

Received January 16, 2017, accepted February 6, 2017, date of publication February 16, 2017, date of current version March 28, 2017.

Digital Object Identifier 10.1109/ACCESS.2017.2669940

Expressive CP-ABE Scheme for Mobile Devices inIoT Satisfying Constant-Size Keys and CiphertextsVANGA ODELU1, ASHOK KUMAR DAS2,MUHAMMAD KHURRAM KHAN3, (Senior Member, IEEE),KIM-KWANG RAYMOND CHOO4, (Senior Member, IEEE),AND MINHO JO5, (Senior Member, IEEE)1Department of Computer Convergence Software, Indian Institute of Information Technology, Sricity 517 588, India2Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India3Center of Excellence in Information Assurance, King Saud University, Riyadh 12372, Saudi Arabia4Department of Information Systems and Cyber Security, The University of Texas at San Antonio, TX 78249, USA5Department of Computer Convergence Software, Korea University, Sejong Metropolitan city 30019, South Korea

Corresponding author: M. Jo ([email protected])

This research was supported in part by the Korea-China Joint Research Center Program through National Research Foundation (NRF),South Korea, under Grant 2016K1A3A1A20006024 and in part by Deanship of Scientific Research at King Saud University under GrantPRG-1436-16.

ABSTRACT Designing lightweight security protocols for cloud-based Internet-of-Things (IoT) applicationsfor battery-limited mobile devices, such as smart phones and laptops, is a topic of recent focus. Ciphertext-policy attribute-based encryption (CP-ABE) is a viable solution, particularly for cloud deployment, as anencryptor can ‘‘write’’ the access policy so that only authorized users can decrypt and have access to thedata. However, most existing CP-ABE schemes are based on the costly bilinear maps, and require longdecryption keys, ciphertexts and incur significant computation costs in the encryption and decryption (e.g.costs is at least linear to the number of attributes involved in the access policy). These design drawbacksprevent the deployment of CP-ABE schemes on battery-limited mobile devices. In this paper, we propose anew RSA-based CP-ABE scheme with constant size secret keys and ciphertexts (CSKC) and hasO(1) time-complexity for each decryption and encryption. Our scheme is then shown to be secure against a chosen-ciphertext adversary, as well as been an efficient solution with the expressive AND gate access structures(in comparison to other related existing schemes). Thus, the proposed scheme is suitable for deployment onbattery-limited mobile devices.

INDEX TERMS Mobile devices, cloud computing, ciphertext-policy attribute-based encryption, constant-size secret key, constant-size ciphertext, RSA-based cryptography.

I. INTRODUCTIONWith the popularity and availability of battery-limited mobiledevices (e.g. Android and iOS devices), there is an increasingdemand to design efficient and secure lightweight applica-tions for such devices [1]–[3]. In a ciphertext-policy attribute-based encryption (CP-ABE), data are encrypted based onthe access policy and each user associated with a set ofattributes is able to decrypt a ciphertext, if and only, if theuser’s attributes fulfill the ciphertext access policy. Thus,CP-ABE is extremely suitable for cloud computing environ-ment because it enables data owners to make and enforceaccess policies themselves [4]–[8], [49]. Since most mobiledevices are battery-limited, key design criteria in a CP-ABEscheme should include constant size secret key and constantsize ciphertext, as well as a cost efficient mechanism forencryption and decryption.

In the literature, several identity-based encryption schemes[9]–[11] with constant size secret keys and ciphertexts havebeen proposed. Attribute-based encryption (ABE), an exten-sion of identity-based encryption, scheme was first intro-duced by Sahai-Waters [12] and has two variants, namely:Key-Policy ABE (KP-ABE) [12]–[15] and ciphertext-policyABE (CP-ABE) [16]–[20]. In KP-ABE, ciphertext is asso-ciated with the attribute set and the secret key is associatedwith an access policy. The ciphertext can be decrypted withthe secret key if and only if the attribute set of ciphertextsatisfies the access policy of secret key. On the contrary, inCP-ABE, the ciphertext is associated with an access policyand the secret key is associated with an attribute set. Theciphertext can be decrypted with the secret key if and only ifthe attributes of the secret key satisfies the ciphertext accesspolicy. As CP-ABE enables the data encryptor to choose

VOLUME 5, 20172169-3536 2017 IEEE. Translations and content mining are permitted for academic research only.

Personal use is also permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

3273

V. Odelu et al.: Expressive CP-ABE Scheme for Mobile Devices in IoT Satisfying Constant-Size Keys and Ciphertexts

TABLE 1. Attribute-based encryption schemes: A comparative summary.

the access policy and decide who can access the data, it ismore suited for access control applications as compared toKP-ABE schemes.

Unsurprisingly, several CP-ABE schemes with constantsize ciphertexts [4], [21]–[23] and constant size secret keys[21], [24] with an expressive access structure based onbilinear maps have been proposed in recent times. In theseschemes, with the exception of the EMNOS scheme [21],only the ciphertexts or the secret keys are of constant size(but not both). The EMNOS scheme [21] offers only (n, n)-threshold and most existing schemes require significant com-putational complexity for encryption and decryption, whichare at least linear to the number of attributes involved in theaccess policy. In addition, these schemes are based on bilinearmaps, which is significantly more costly than schemes basedon conventional cryptosystems [9], [25]. Thus, designing acost efficient and expressive access structure CP-ABE withthe constant size secret keys and ciphertexts (CSKC) usingconventional public-key cryptosystems remains a researchchallenge. This is the gap that we seek to address.

In this paper, we propose a RSA-based AND-gate accessstructure CP-ABE scheme, which offers constant size secretkeys and ciphertexts with efficient encryption and decryptionmechanism. In our scheme, a secret key associated with anattribute set A is used to decrypt ciphertexts with the accesspolicy P if and only if P ⊆ A. Our scheme requires onlyO(1)time-complexity. It is clear from Table 1, only our schemeprovides constant size secret keys and ciphertexts withoutusing bilinear maps. We then demonstrate the security ofthe scheme under the selective security model. To the bestof our knowledge, this is the first attempt to design sucha provably secure RSA-based AND-gate access structureCP-ABE scheme. Due to the underlying RSA architecture,our scheme is suitable for practical deployments on battery-limited devices. Moreover, our scheme provides an efficientsolution to the encryption and decryption, which requiresonly O(1) time-complexity (see Tables 3 and 6).

The rest of the paper is organized as follows. In Section II,we discuss the mathematical preliminaries and definitionsrequired in the understanding of the proposed scheme. InSection III, we briefly discuss the key management in adefined access structure. In Sections IV and V, we presentthe proposed scheme and the security analysis, respectively.In Section VI, we evaluate the performance of our schemewith related schemes. Finally, the paper is concluded inSection VII.

II. MATHEMATICAL PRELIMINARIES AND DEFINITIONSIn this section, we discuss the mathematical preliminaries anddefinitions associated with ciphertext-policy attribute-basedencryption.

A. ATTRIBUTE AND ACCESS STRUCTUREWe define the attribute and access policy as provided in [24].Let the attribute universe U = {A1,A2, · · · ,An} be the setof n attributes A1,A2, · · · ,An. We denote an attribute set ofa user by A ⊆ U, and an n-bit string a1a2 · · · an associatedwith A is defined as follows: ai = 1, if Ai ∈ A and ai = 0,if Ai /∈ A. For example, if n = 4 and A = {A1,A2,A4},the 4-bit string associated with A becomes 1101. In addition,we define an access policy by P specified with attributesin U, and an n-bit string b1b2 · · · bn associated with P isdefined as follows: bi = 1, if Ai ∈ P and bi = 0, ifAi /∈ P. For example, for n = 4 the string 1010 associ-ated with P means that P requires the set of the attributes{A1,A3}.In this paper, we consider the AND gate access con-

trol structure represented by the attributes from U. Assumethat a1a2 · · · an is an n-bit string associated with attributeset A and b1b2 · · · bn an n-bit string associated withthe access policy P. Then, P ⊆ A if and only ifai ≥ bi, for all i = 1, 2, · · · , n. We call that theattribute set A fulfills the access policy P if and only ifP ⊆ A.

3274 VOLUME 5, 2017


B. COMPUTATIONALLY HARD PROBLEMSIn this section, we consider the following two computationalproblems.

1) INTEGER FACTORIZATION PROBLEM (IFP)Let p and q be ρ-bit primes and N = pq. Assume thatGenF be a polynomial-time algorithm which takes an input1ρ and outputs (N , p, q). The factoring assumption relativeto GenF states that given N , it is computationally infeasible(hard) problem to derive p and q, except with negligibleprobability in ρ. The formal definition of this problem fol-lows that of [28]: for a probabilistic polynomial-time (PPT)algorithm A, the factoring advantage is defined by

AdvIFPGenF ,A(ρ)=Pr[(N , p, q)← GenF (1ρ) : A(N ) = {p, q}].

The factoring assumption (with respect to GenF ) states thatAdvIFPGenF ,A(ρ) is negligible in ρ for every PPTA. We say that(tIFP, εIFP)-IFP assumption holds ifAdvIFPGenF ,A(ρ) ≤ εIFP(ρ),for any sufficiently small εIFP(ρ) > 0, and its running time isat most tIFP.

2) COMPUTATIONAL Diffie-Hellman PROBLEM (CDHP)The problem of breaking the Diffie-Hellman scheme with aRSAmodulusN = pq and base g is equivalent to the problemof computing a value of the following function [29]:

CDHP(N , g,X ,Y ) : 〈g〉N × 〈g〉N → 〈g〉N ,

which is defined by

CDHP(N , g, ga, gb) = gab (mod N ).

Here, 〈g〉N represents a cyclic subgroup of Z∗N generated byg. The adversary A advantage in solving the CDHP is:

AdvCDHPZN ,A (ρ) = Pr[A(N , g, ga, gb) = gab].

We say that (tCDHP, εCDHP)-CDH assumption holds ifAdvCDHPZN ,A (ρ) ≤ εCDHP, for any sufficiently small εCDHP > 0,with its running time at most tCDHP.

As stated in [29], any algorithm that will break the CDHPfor a non-negligible proportion of the possible inputs can beused to factor N . This implies any algorithm that will breakthe CDHP for a given modulus N can also be used to breakthe original Diffie-Hellman scheme for the prime moduli thatare factors of N .Definition 1 ((t, ε)-Hard n-IF-CDH Problem): We say

that a t-polynomial time algorithm A, which outputs a bitγ ∈ {0, 1}, has an advantage AdvIF−CDHZN ,A (ρ) = ε in solvingthe n-IF-CDH problem in ZN if∣∣∣Pr[A(N , p1, · · · , pn, g, gk , gx , gkr , gxr , gd , grd ) = 0

]−Pr

[A(N , p1, · · · , pn, g, gk , gx , gkr , gxr , gd ,T )= 0

]∣∣∣≥ε.

C. DEFINITION OF CP-ABE SCHEMEA CP-ABE encryption scheme is composed of four algo-rithms, namely, Setup, Encrypt, KeyGen, and Decrypt. Thesealgorithms are defined as follows [24]:• Setup: This algorithm takes a security parameter ρ andthe universe of attributes U = {A1, A2, · · · , An} asinputs, and then outputs a master public key MPK andits corresponding master secret key MSK .

• Encrypt: It takes an access policy P, the master publickey MPK and plaintext M as inputs. The encryptionalgorithm E[P,M ] outputs a ciphertext C .

• KeyGen: The inputs of this algorithm are an attributeset A, the master public keyMPK and the master secretkey MSK . The key generation algorithm then outputs auser secret key (decryption key) ku corresponding to A.

• Decrypt: It takes a ciphertext C generated with accesspolicy P, the public keyMPK and the secret key ku cor-responding to the attribute set A as inputs, and outputsthe plaintextM or outputs null (⊥) using the decryptionalgorithm D[C,P, ku,A].

A CP-ABE scheme must satisfy the following property. Forany (MPK ,MSK ), a ciphertext E[P,M ] and the secret keyku, if P ⊆ A, the decryption algorithm always outputs thecorrected plaintext M . Otherwise, the plaintext in E[P,M ]cannot be decrypted using the key ku.

D. SELECTIVE GAME FOR CP-ABE SCHEMEIn order to prove the security under chosen ciphertext attack,we use the selective game for a CP-ABE scheme as definedin [21], [24]. The CP-ABE game captures the indistinguisha-bility of messages and the collision-resistance of user secretkeys, namely, attackers cannot generate a new secret keyby combining their secret keys. To capture the collision-resistance, the multiple secret key queries can be issued byan adversaryA after the challenge phase. The game betweenthe adversary A and a challenger B is described as follows.• Initialization:A outputs the challenge as an n-bit accesspolicy P′ and sends it to the challenger B.

• Setup: B runs Setup and KeyGen algorithms withthe security parameter ρ to generate the key pair(MSK ,MPK ) and then gives MPK to A.

• Query: A makes following queries to the challenger B.– A queries for the secret key kui of any attribute set

Ai, which does not fulfill the access policy P′. Banswers with a secret key kui for these attributes.

– The decryption query on ciphertext E[Pi,M i].• Challenge: In this phase, the adversary A outputs(M0,M1) for challenge. It requires thatA does not querya secret key on an attribute set A satisfying P′ ⊆ A. Thechallenger B responds by picking a random c′ ∈ {0, 1}and computing ciphertext E[P′,Mc′ ] for challenge toA.

• Query: The adversary A can continue with the secretkey queries and decryption queries except with a secretkey query on anyA fulfillingP′ and the decryption queryon E[P′,Mc′ ].

VOLUME 5, 2017 3275


• Guess: The adversary A outputs a guess c′g of c′, andwins the game if c′g = c′.

In this game, the advantage ε of A is defined by

ε = Pr[c′g = c′]−12.

Definition 2: The CP-ABE scheme is said to be (t,qe,qc,ε)selectively secure against a chosen-ciphertext attack, if forall t-polynomial time adversaries who make the qe secret keyqueries at most and qc decryption queries at most, ε is anegligible function of ρ.

III. KEY MANAGEMENT IN DEFINED ACCESS STRUCTUREIn this section, we discuss the key management in the definedaccess structure motivated by the scheme in [30], which isa variant of Akl-Taylor’s scheme [31]. The scheme in [30]is proven secure against key recovery attacks. Let ZN be theset of equivalence classes of the integers modulo N = pq,where p and q are RSA secure primes with p 6= q. For anynon-zero element a ∈ ZN , gcd(a,N ) = 1 if and only ifthere exists a multiplicative inverse b for a (mod N ), thatis, ab ≡ 1 (mod N ) or b ≡ a−1 (mod N ) which canbe computed efficiently using the extended Euclidean gcdalgorithm, where 1 ∈ ZN is the multiplicative identity. Thekey management is described below.

Pick a secure prime number pi such that gcd(pi, φ(N )) = 1,∀i = 1, 2, · · · , n, to each attribute Ai ∈ U. Then, compute theinverse qi of pi such that piqi ≡ 1 (mod φ(N )), where pi 6= pjif and only if i 6= j. Assume that {φ(N ), q1, · · · , qn} be thesecret parameters and {N , p1, · · · , pn} the public parameters.Since factoring the product N = pq is computationally hardproblem, computing φ(N ) = (p − 1)(q − 1) without theknowledge of secure primes p and q is also computationallyinfeasible. This implies that computing the secret primesqi using the corresponding public prime pi depends on theinteger factorization problem, and as a result, computing theprime qi such that piqi ≡ 1 (mod φ(N )) is also computation-ally hard problem.

Choose a random number g such that 2 < g < N − 1,and gcd(g,N ) = 1, and compute the secret keys KA andKP associated to the attribute set A and access policy P,respectively, as follows:

KA = gdA (mod N ),

KP = gdP (mod N ),

where dA =∏n

i=1 qaii , ai ∈ A and dP =

∏ni=1 q

bii , bi ∈ P.

Proposition 1: The attribute set A fulfills access policy P(that is, P ⊆ A) if and only if eAeP is an integer, where eP =∏n

i=1 pbii , eA =

∏ni=1 p

aii , and KP = K

eAePA (mod N ). In this

case, we can write eAeP=∏n

i=1 pai−bii as an integer.

Proof: Assume that A does not fulfill P, that is, P * A.Then, ai − bi ∈ {−1, 0, 1} as ai, bi ∈ {0, 1}. This implies thatin the fraction eA

ePat least one inverse term, say p−1j exists,

and thus, computing p−1j without factoring N = pq is a hardproblem. As a result, eAeP can not be an integer when P * A.

On the other hand, if P ⊆ A, the secret key KP is computedas follows:

KP = KeAePA (mod N )

=

(gdA (mod N )

)∏ni=1 p

aii∏n

i=1 pbii (mod N )

= gdA(∏ni=1 p

ai−bii ) (mod N )

= g(∏ni=1 (qi)

ai )(∏ni=1 p

ai−bii ) (mod N )

= g(∏ni=1 q

ai−bi+bii )(

∏ni=1 p

ai−bii ) (mod N )

= g(∏ni=1 q

bii )(

∏ni=1 q

ai−bii (pi)ai−bi ) (mod N )

= g(∏ni=1 q

bii )(

∏ni=1 (qipi)

ai−bi ) (mod N )

= g∏ni=1 q

bii (mod N )

= gdP (mod N ).

Thus, we arrive at the result. �Example 1: This is an example related to the key manage-

ment problem in the defined access structure. Let 1101 and1001 be the 4-bit strings associated with the attribute set Aand access policy P, respectively. Suppose the chosen RSApairs corresponding to the attributes Ai’s are (pi, qi), wherei = 1, 2, 3, 4. Thus, A = {A1,A2,A4} and P = {A1,A4}. Itis clearly that P ⊆ A. Then, we have KA = gq1q2q4 , KP =gq1q4 , eA = p1p2p4 and eP = p1p4. KP using KA is computedas follows:

KP = KeAePA (mod N )

= (gq1q2q4 )p1p2p4p1p4 (mod N )

= (gq1q2q4 )p2 (mod N )

= g(q1q4)(q2p2) (mod N )

= gq1q4 (mod N ).

IV. PROPOSED CP-ABE-CSKC SCHEMEIn this section, we present the proposed CP-ABE schemewithconstant size secret keys and ciphertexts, hereafter referredto as CP-ABE-CSKC. The notations used in our schemeare listed in Table 2. For ease of reading, mod(N ) will beomitted from gz (mod N ) for the remainder of this paper(i.e. gz instead of gz (mod N )). The CP-ABE-CSKC schemeconsists of the following four phases, namely: Setup, Encrypt,KeyGen and Decrypt.

A. SETUP PHASEIn this phase, the setup algorithm takes the security parameterρ and the universe of attributes U = {A1,A2, · · · ,An} asinputs. This algorithm consists of the following steps:S1. Choose two RSA primes p and q with p 6= q, and

compute N = pq. Then, randomly select the RSApublic exponent pi with gcd(pi, φ(N )) = 1, and com-pute qi such that piqi ≡ 1 (mod φ(N )) correspondingto each attribute Ai ∈ U, ∀i = 1, 2, · · · , n. Fur-ther, pick two system private keys k and x such that

3276 VOLUME 5, 2017


TABLE 2. Notations.

gcd(k, φ(N )) = 1, gcd(k, qi) = 1 and gcd(x, qi) = 1for all i = 1, 2, · · · , n. Next, select a random number gsuch that 2 < g < N − 1 and gcd(g,N ) = 1.

S2. Choose three one-way collision-resistance hash func-tions H1, H2 and H3 as follows:

H1 : {0, 1}∗ → {0, 1}ρ,

H2 : {0, 1}∗ → {0, 1}lσ ,

H3 : {0, 1}∗ → {0, 1}lm ,

where lσ is the length of a random string under the secu-rity parameter and lm the length of plaintext messageM .

S3. Compute the public parameters DU = gdU , Y = gx andR = gk , where dU =

∏Ai∈U qi.

S4. Finally, output the master secret key MSK and masterpublic key MPK , where

MSK = {k, x, p, q, q1, · · · , qn},

MPK = {N ,DU,Y ,R,H1,H2,H3, p1, · · · , pn}.

B. ENCRYPT PHASEOur encryption is based on the approach presented in[9], [24], [32] to achieve security against chosen-ciphertextattack:

E(σm,H1(P,M , σm)),H3(σm)⊕M , Sm = H1(σm,M )

where E(σm,H1(P,M , σm) represents an attribute-basedencryption on a random secret σm using the hash outputrm = H1(P,M , σm) as the random number. More precisely,the random secret σm is encrypted with the key grmdP , and theplaintextM is encrypted with random secret σm, and they aredenoted by Cσm and Cm, respectively, in the ciphertext C . Inaddition, we compute the signature Sm = H1(σm,M ) on theplaintextM using the random secret σm in order to verify thevalidity of the derived plaintextM . The other components ofthe ciphertext C are Ym and Rm.Our new encryption algorithm takes an access policy P ⊆

U, where |P| 6= 0, the master public key MPK and a plain-text message M as inputs, and outputs the ciphertext C ={Ym,Rm,Cσm ,Cm, Sm} using the following steps:

E1. Pick a random number σm ∈ {0, 1}lσ and computerm = H1(P,M , σm).

E2. Compute Km as

Km = Drm

eUeP

U

=(gdU

)rm eUeP

= grmdP ,

where dP =∏

Ai∈P qi, eP =∏

Ai∈P pi andeU =

∏Ai∈U pi.

E3. Compute Ym = gxrm , Rm = gkrm , Cσm = H2(Km) ⊕ σm,Cm = H3(σm)⊕M , and Sm = H1(σm,M ).

Finally, output the ciphertextC asC = {P, Ym, Rm,Cσm ,Cm,Sm}.

C. KeyGen PHASEIn this phase, the key generation algorithm takes a userattribute setA, master public keyMPK and master secret keyMSK as inputs, and then generates a user secret key ku usingthe following steps:K1. Compute dA =

∏ni=1 q

aii , where ai = 1 if Ai ∈ A and

ai = 0 if Ai /∈ A.K2. Pick two random numbers ru and tu, and compute su

such that it satisfies the condition dA = ksu + rux(mod φ(N )). Then, compute k1 = su + xtu (mod φ(N ))and k2 = ru − ktu (mod φ(N )).

Finally, this algorithm outputs the user secret key ku asku = (k1, k2).

D. DECRYPT PHASEThis phase describes our decryption algorithm. The decryp-tion algorithm takes the secret key ku = (k1, k2) correspond-ing to the attribute setA and ciphertextC = {P,Ym,Rm,Cσm ,Cm, Sm} corresponding to the access policy P, and outputs theplaintext message M using the following steps:D1. From Proposition 1, eA

ePis an integer, if and only, if

P ⊆ A. In this case, compute

Km =(Y k2m R

k1m

) eAeP

=

(gxrm(ru−ktu)gkrm(su+xtu)

) eAeP

=

(grm(xru+ksu)gxrm(−ktu)+krm(xtu)

) eAeP

=

(grmdA

) eAeP

= grmdP .

Otherwise, eAeP is not an integer; thus, computation of Kmis computationally infeasible.

D2. Compute σ ′m = H2(Km)⊕Cσm andM ′ = Cm⊕H3(σ ′m).D3. Checks whether the condition Sm = H1(σ ′m,M

′) holdsor not. If it holds, output the plaintext message M ;otherwise, output null (⊥).

V. SECURITY ANALYSISIn this section, we analyze the security of the proposed CP-ABE-CSKC scheme for different possible attacks. The main

VOLUME 5, 2017 3277


goal of selective security for a CP-ABE scheme is to capturethe indistinguishability of messages and the collision resis-tance of secret keys, that is, attackers are not able to generatea new user secret key by combining their secret keys (see[27], [33]). In this paper, we follow the group generic modelto prove that our scheme is secure against possible knownattacks under the hardness assumption of factorization ofRSAmodulusN = pq and hardness of solving computationalDiffie-Hellman problem (CDHP) in ZN , where p and q arelarge primes and p 6= q. We then prove that our scheme issecure against chosen-ciphertext attack under the selectivesecurity game.Proposition 2: Let ci = aiy + biz, for i = 1, 2, · · · , l, be

a system of l linear equations in y and z, where ai = aj andbi = bj if and only if i = j. We define the following threecases [34], [35]:• If both ai and bi are known, the equations form a systemof l linear equations with two unknowns y and z. Thesystem is solvable for y and z, and has a unique solution.

• If ai (or bi) is unknown, the equations form a systemof l equations with l + 2 unknowns ai (or bi), y and z.The system is solvable, however it has infinitely manysolutions.

• If both ai and bi are unknown, the equations form asystem of l equations with 2l + 2 unknowns ai, bi, y andz. The system is also solvable, however it has infinitelymany solutions.

Example 2: When i = 2, we have two linear equationsc1 = a1y+b1z and c2 = a2y+b2z in the variables y and z. Ifthe values a1, a2, b1, and b2 are known, these equations turnout to be a system of two linear equations with two unknownsy and z. In this case, the system is solvable and will have aunique solution. Otherwise, the system is still solvable, but itwill have infinitely many solutions.Theorem 1: Our scheme is secure against an adversary for

deriving the system private key pair (k, x) by collision attack.Proof: Assume that a group of users ui, i = 1, · · · , l,

corresponding to the attribute set Ai collaborate among eachother and try to derive the system private key pair (k, x) usingtheir valid secret keys kui = (k i1, k

i2), where

k i1 = sui + x · tui (mod φ(N )), (1)

k i2 = rui − k · tui (mod φ(N )). (2)

From Step K2 of the KeyGen algorithm (Section IV-C), wehave

dAi = k · sui + x · rui (mod φ(N )). (3)

From Equation (3), it is clear that if sui and rui are known, itis solvable for k and x, and has a unique solution. Thus, thesolution produces the original values of k and x. However,Equations (1) and (2) respectively form the system of l linearequations with 2l + 1 unknowns. From Proposition 2, notethat Equation (1) requires to randomly guess two unknowns(sui , tui ) in order to solve x, and Equation (2) also requiresto randomly guess two unknowns (rui , tui ) to solve k . Hence,

from the corrupted user secret keys kui , ∀i = 1, 2, · · · , l, thesystem’s private key pair (k, x) is unknown, and as result,the random numbers sui and rui are also unknown to anadversary. �Theorem 2: Our scheme is secure against an adversary for

deriving the valid user secret key ku = (k1, k2) correspondingto the attribute set A.

Proof: From Theorem 1, it follows that computing thesystem private key pair (k, x) is computationally infeasibleby an adversary A. This implies that it is computationallyinfeasible for the adversaryA to compute the valid pair ku =(k1, k2) corresponding to the attribute set A. The adversaryAcan randomly choose ru and tu, and compute su such that itsatisfies the condition dA = ksu+rux (mod φ(N )). However,to compute the value su, A requires the system private keypair (k, x) and RSA secret dA. Thus, generating the valid usersecret key ku is computationally infeasible problem byA dueto the intractability of the Integer Factorization Problem (IFP)because it depends on the Euler’s totient function φ(N ) =(p− 1)(q− 1). �Theorem 3: Under the hardness of solving the integer fac-

torization problem, our scheme is secure against an adver-sary (also a legitimate user u) for deriving the key Km from aciphertext C = {P, Ym, Rm, Cσm , Cm, Sm} corresponding tothe attribute set A with P * A. Hence, it is computationallyinfeasible problem for the user u to decrypt the unauthorizedciphertexts.

Proof: Let ku = (k1, k2) be the secret key of a user ucorresponding to the attribute set A, and C = {P, Ym, Rm,Cσm , Cm, Sm} be the ciphertext to decrypt, where P * A. Theuser u can compute grmdA as

Y k2m Rk1m = gxrm(ru−ktu)gkrm(su+xtu)

= grm(xru+ksu)gxrm(−ktu)+krm(xtu)

= grmdA .

However, if P * A, from Proposition 1, it is computationally

infeasible to compute Km, where Km =(grmdA

) eAeP without

solving the integer factorization problem. Thus, decryptingC is as hard as factoring the RSA modulus N = pq. Conse-quently, our scheme is secure against unauthorized decryp-tion of ciphertexts. �Remark 1: Note that if an attackerA (a legitimate user u)

has the ability to compute the inverse qi of pi modulo φ(N )with the valid secret key ku corresponding to the attributeset A, he/she can derive the key Km from any ciphertext Ccorresponding to the access policy P such that P * A asfollows. First, A can compute grmdA using his/her secret keyku and the ciphertext C = {P,Ym,Rm,Cσm ,Cm, Sm}. Then,A can compute Km as

e−1P (mod φ(N )) ← IFP(N , eP),

Km =( (

grmdA)eA )e−1P

= grmdP ,

where dP (mod φ(N )) = e−1P (mod φ(N )).

3278 VOLUME 5, 2017


Theorem 4: Under the hardness of solving CDHP (orIFP), our scheme is secure against deriving the key Km corre-sponding to a ciphertext C = {P,Ym,Rm,Cσm ,Cm, Sm} by agroup of collaborative unauthorized users ui’s correspondingto the attribute sets Ai, i = 1, · · · , l, where P * Ai.

Proof: We prove this theorem for two users and thesame argument is then extended for a group of users. Supposeu1 and u2 be two users corresponding to the attribute setsA and B, respectively, and try to decrypt the cipher C ={P,Ym,Rm,Cσm ,Cm, Sm}, where P * A, P * B, and P ⊆ (AOR B)= D. From Theorem 2, both u1 and u2 cannot succeedto derive the valid secret key ku corresponding to the attributepolicy D such that P ⊆ D. However, they derive grmdA andgrmdB using their own secret keys ku1 and ku2 , respectively. Letg1 = grm =

(grmdA

)eA , and we then have gdA1 = grmdA andgdB1 = grmdB . If A can solve the CDH problem, then he/shecan compute the key Km as follows:

gdAdB1 ← CDHP(g1, gdA1 , g

dB1 ),

Km =((gdAdB1

)eC) eDeP ,

where C = A AND B.For example, assume U = {A1,A2,A3,A4} is an attribute

universe with four attributes A1,A2,A3,A4. Let A = 0110,B = 1100, and P = 1010. Therefore,D = (AOR B) = 1110and C = (A AND B) = 0100. Then, P * A, P * B, andP ⊆ D. The key Km derivation is as follows:

g(q2q3)(q1q2)1 ← CDHP(g1, gq2q31 , gq1q21 ),

Km =((g(q2q3)(q1q2)1

)p2) p1p2p3p1p3

=(g(q1q2q3)1

)p2= g(q1q3)1 = gdP1 = grmdP .

Since solving the CDH problem in ZN is as hard as solvingfactorization of RSA modulus N = pq, no collaborative usercan derive the valid key Km of C when P * A and P * Bunder the CDH assumption. �Remark 2: In the defined attribute-based encryption, the

components are computed as Cσm = H2(Km) ⊕ σm, Cm =H3(σm)⊕M. The random secret σm is encrypted with the keyKm = grmdP and the plaintext M is encrypted with randomsecret σm. Thus, without the knowledge of valid user key, ifan adversary derives the key Km using the available publicinformation {N , p1, · · · , pn, g, gk , gx , gkrm , gxrm , gdP}, thenhe/she can succeed in retrieving the plaintextM by computingthe random secret σm. From the above analysis, we show thatderiving the key Km without the valid user key is computa-tionally hard problem to the adversary. In Theorem 5, weshow that the indistinguibility of chosen ciphertext under thehardness of solving the CDH problem in ZN .Remark 3: From the above discussion, it is clear that our

scheme is secret-key collision resistance. Thus, computing thekey Km from any ciphertext C corresponding to the accesspolicy P without the valid user secret key is as hard as theinteger factorization (or computational Diffi-Hellman prob-lem). Let N = pq be the RSA modulus and g ∈ ZN such that

2 < g < N − 1. Given {N , p1, · · · , pn, g, gk , gx , gkrm , gxrm ,gdP} and T ∈ ZN , the n-IF-CDH problem reduces to decidingwhether T is equal to grmdP or a random element in ZN .Theorem 5: Our CP-ABE-CSKC scheme is (t, qe, qc, ε)

selectively secure if the n-IF-CDH problem is (t ′, ε′)-hard,where t ′ = t +O(qctc + qetinv + qH1 texp), ε

′=

1qc+qH2

(ε −

qH1N

), n = |U|, tc-time to respond for the decryption query,

tinv and te respectively represent the average time requiredfor group inverse and exponentiation operations, qH1 and qH2

respectively denote the number of queries made to the randomoracles H1 and H2, and |U| denotes the number of attributesin U.

Proof: We follow the contradiction proof method aspresented in [9], [24], [36] to prove that an algorithm B hasan advantage more than 1

qc+qH2

(ε−

qH1N

)in solving the CDH

problem.The following three random oracles are used by an

adversary:

• H2 oracle: Let the query to this oracle be Km. Theresponse of the query H2(Km) is a random numberRi ∈ {0, 1}lσm .

• H3 oracle: Let the query to this oracle be ti. The responseof the query H3(ti) is a random number Qi ∈ {0, 1}łm .

• H1 oracle: Let the query to this oracle be (Pi,Mi, ti). Thequery to H1(Pi,Mi, ti) responds with a random numberri ∈ {0, 1}ρ .

Then, the adversary queries for the secret keys and thequery responds with the valid secret keys (user secret keys).For any decryption query on E[Pi,Mi], if there exists(Pi,Mi, ti, ri,Ri,Qi) in the query list such that the cipher-text is generated using ri, the decryption query outputs Mi.Otherwise, it outputs null. Assume that no query will beaborted since all valid encryptions need the response fromhash oracles, and the response contains the random numberri used in encryption.Next, the adversary outputs two messages (M0,M1) for the

challenge, and then the challenge query replies with the fol-lowing ciphertext Cc′ corresponding to the challenged accesspolicy P′ such that no queried secret keys satisfy P′:• Choose R′ ∈ {0, 1}lσm , Q′ ∈ {0, 1}łm , and S ′ ∈ {0, 1}ρ .• Choose a random number r ′m ∈ {0, 1}

ρ .• Compute the challenge ciphertext Cc′ = {P′, Y ′m, R′m,C ′σm , C

′m, S′m}, where Y

′m = gxr

′m , R′m = gkr

′m , C ′σm = R′,

C ′m = Q′, and S ′m = S ′ which is a valid encryption ofaccess policy P′.

In this case, the challenged ciphertext Cc′ is indistinguishablewith a real ciphertext. The adversary outputs a guess c′g of c

′

and wins the game if c′g = c′. Otherwise, T = gr′mdP is a

random group element.The advantage of algorithm B in solving the CDH prob-

lem in the RSA group ZN is denoted by AdvCDHPZN ,B . SupposePr[Abort] denotes the probability that B aborts. Then, wehave Pr[Abort] ≤ qH1/N . If B does not abort, the adversaryA’s view is identical to its view in the real attack. Thus, we

VOLUME 5, 2017 3279


have

|Pr[c′g = c′]− Pr[c′g 6= c′]| ≥ ε −qH1

N.

Let S be an event that the adversary A queries the oracleH2 at an element T = gr

′mdP ∈ ZN . Then, we have

Pr[S] ≥ |Pr[c′g = c′]− Pr[c′g 6= c′]|.

From Theorem 4, B knows the private keys, which donot satisfy the challenge ciphertext Cc′ . Then, grmdP can becomputed only if the CDH problem can be solved in the RSAgroup ZN . When B chooses randomly a tuple in the H2 querylist, the probability that the chosen tuple is equal to grmdP isgiven by 1

qc+qH2Pr[S]. Thus, we have

AdvCDHPZN ,B =1

qc + qH2

Pr[S] ≥1

qc + qH2

(ε −

qH1

N

).

The computation of each secret key requires O(1) groupinverse operations and each decryption requires O(1) groupexponentiation operations. According to B, time to solve theCDH problem in ZN is t ′ = t + O(qctc + qetinv + qH1 texp).From the above result, we see that it is contradictive with

ε′ = AdvCDHPZN ,B =1

qc + qH2

(ε −

qH1

N

).

Hence, the theorem is proved. �

VI. PERFORMANCE COMPARISONBoth ZZCLL [4] and our scheme require only O(1) timecomplexity for each encryption and decryption (see Table 3).However, from Table 1, it is clear that the ZZCLL scheme [4]does not provide constant size secret keys for the users,which is an essential security requirement for mobile devicedeployment. On the other hand, the EMNOS scheme [21]offers constant size ciphertexts and secret keys. However,it provides only (n, n)-threshold and incurs significant com-putational cost for encryption. The GSWV scheme [24] isefficient for shorter secret keys, but it fails to provide constantsize ciphertexts or efficient encryption and decryption withO(1) time-complexity.

TABLE 3. Computational costs comparison.

Also demonstrated in Table 1, our scheme is the onlyscheme to provide both constant size secret keys and cipher-texts with expressive access structure, and efficient encryp-tion and decryption withO(1) time-complexity without usingbilinear maps.

Following the approach in [25], we will now evaluatethe performance using experiments. The execution timingsfor various operations using MIRACL [37] and PBC [38]

TABLE 4. Execution timings for various operations used in theexperiment.

libraries are listed in Table 4. The experiment is conducted forthe groupG over the FST curve. Note that one point multipli-cation operation TG in G requires 1.1 ms and the correspond-ing paring operation Te requires 3.1ms, whereas one 1024-bitRSA decryption and encryption operations require 3.88 msand 0.02 ms, respectively. Also, one field exponentiationoperation TZN in Z∗N (|N | = 1024) requires 0.64 ms. Sincethe computation cost required for hashing operation and AESencryption/decryption operation are negligible [25], [39], weomit these operations in our performance comparison.

For the experiments, let the total number of attributes inthe system be n = 1000. We also assume that |P| = 500 and|A| = 600. The parameters used in the experiment are shownin Table 5.

TABLE 5. Parameters used in the experiment.

TABLE 6. Computational costs from the experiments: A comparativesummary.

Table 6 lists the comparison of experimental computa-tional costs among our scheme and other related schemes.We observe that encryption and decryption for EMNOS [21]require 1102.38 ms and 7.48 ms, respectively. ZZCLL [4],ZH [22] and GSWV [24] require 3.30 ms and 6.20 ms,2.20 ms and 3103.10 ms, 1102.20 ms and 229.94 ms forencryption and decryption, respectively. On the other hand,our scheme needs only 1.92 ms and 1.92 ms for encryptionand decryption, respectively. Thus, it clear that our schemerequires minimal computational costs for both encryption anddecryption, compared to the other related CP-ABE schemesin Table 6.

VII. CONCLUDING REMARKSIn the current Internet-connected society, battery-limitedmobile devices are likely to be more prevalent. For exam-ple, an Internet-of-Things (IoT) or Cloud-of-Things (CoT)environment generally consists of battery-limited devicessuch as Radio-Frequency Identification (RFID) tags, sensors,actuators, mobile devices, and wearable devices. Hence, IoT

3280 VOLUME 5, 2017


(or CoT) security [40], [41], forensics [42], [43] and privacy[44] are topics of current interest. Due to the nature (e.g.heterogeneous) and level of interactivity between IoT or CoTdevices, the design of any security solution needs to takeinto consideration efficiency and lightweight requirements[2], [3]. Although CP-ABE is one efficient and viable methodthat can be widely applied to realize access control in awide range of applications, such as in medical systems andeducation systems [45]–[48], it may not be naively deployedin an IoT and CoT environment due to its complexity and highoverhead.

The scheme presented in this paper, however, is suitedfor IoT and CoT deployments. Our RSA-based CP-ABE-CSKC scheme offers constant size secret keys and constantsize ciphertexts with an expressive AND gate access structurewithout using bilinear maps. To the best of our knowledge,this is the first such scheme.We demonstrated that the schemeprovides an efficient solution to both encryption and decryp-tion with O(1) time-complexity. We also proved that ourscheme is secure against possible known attacks, such as keyrecovery and collision attacks, as well as under the chosen-ciphertext adversary.

REFERENCES[1] S. Abolfazli, Z. Sanaei, E. Ahmed, A. Gani, and R. Buyya, ‘‘Cloud-

based augmentation for mobile devices: Motivation, taxonomies, and openchallenges,’’ IEEE Commun. Surveys Tuts., vol. 16, no. 1, pp. 337–368,1st Quart., 2014.

[2] Y. Yang, H. Cai, Z. Wei, H. Lu, and K.-K. R. Choo, ‘‘Towards lightweightanonymous entity authentication for IoT applications,’’ in Proc. Austral.Conf. Inf. Secur. Privacy, 2016, pp. 265–280.

[3] Y. Yang, J. Lu, K.-K. R. Choo, and J. K. Liu, ‘‘On lightweight secu-rity enforcement in cyber-physical systems,’’ in Proc. Int. WorkshopLightweight Cryptogr. Secur. Privacy, 2015, pp. 97–112.

[4] Y. Zhang, D. Zheng, X. Chen, J. Li, and H. Li, ‘‘Computationallyefficient ciphertext-policy attribute-based encryption with constant-sizeciphertexts,’’ in Provable Security. Hong Kong, China: Springer, 2014,pp. 259–273.

[5] J. K. Liu, M. H. Au,W. Susilo, K. Liang, R. Lu, and B. Srinivasan, ‘‘Securesharing and searching for real-time video data in mobile cloud,’’ IEEENetw., vol. 29, no. 2, pp. 46–50, Mar./Apr. 2015.

[6] M. Ambrosin, C. Busold, M. Conti, A.-R. Sadeghi, and M. Schunter,‘‘Updaticator: Updating billions of devices by an efficient, scalable andsecure software update distribution over untrusted cache-enabled net-works,’’ in Computer Security—ESORICS. Wroclaw, Poland: Springer,2014, pp. 76–93.

[7] Y. Yang, H. Zhu, H. Lu, J. Weng, Y. Zhang, and K.-K. R. Choo, ‘‘Cloudbased data sharing with fine-grained proxy re-encryption,’’ Pervas. MobileComput., vol. 28, pp. 122–134, Jun. 2016.

[8] Y. Yang, J. K. Liu, K. Liang, K.-K. R. Choo, and J. Zhou, ‘‘Extended proxy-assisted approach: Achieving revocable fine-grained encryption of clouddata,’’ in Proc. Eur. Symp. Res. Comput. Secur., 2015, pp. 146–166.

[9] M. Zheng, Y. Xiang, and H. Zhou, ‘‘A strong provably secure IBE schemewithout bilinear map,’’ J. Comput. Syst. Sci., vol. 81, no. 1, pp. 125–131,2015.

[10] C. Delerablée, ‘‘Identity-based broadcast encryption with constant sizeciphertexts and private keys,’’ in Advances in Cryptology—ASIACRYPT.Kuching, Malaysia: Springer, 2007, pp. 200–215.

[11] F. Guo, Y.Mu, andW. Susilo, ‘‘Identity-based traitor tracing with short pri-vate key and short ciphertext,’’ inComputer Security—ESORICS. Kuching,Malaysia: Springer, 2012, pp. 609–626.

[12] A. Sahai and B. Waters, ‘‘Fuzzy identity-based encryption,’’ in Advancesin Cryptology—EUROCRYPT. Pisa, Italy: Springer, 2005, pp. 457–473.

[13] V. Goyal, O. Pandey, A. Sahai, and B. Waters, ‘‘Attribute-based encryptionfor fine-grained access control of encrypted data,’’ inProc. 13th ACMConf.Comput. Commun. Secur. (CCS), 2006, pp. 89–98.

[14] R. Ostrovsky, A. Sahai, and B. Waters, ‘‘Attribute-based encryption withnon-monotonic access structures,’’ in Proc. 14th ACM Conf. Comput.Commun. Secur. (CCS), 2007, pp. 195–203.

[15] N. Attrapadung, B. Libert, and E. de Panafieu, ‘‘Expressive key-policyattribute-based encryption with constant-size ciphertexts,’’ in Public KeyCryptography—PKC. Taormina, Italy: Springer, 2011, pp. 90–108.

[16] J. Herranz, F. Laguillaumie, and C. Ràfols, ‘‘Constant size ciphertexts inthreshold attribute-based encryption,’’ in Public Key Cryptography—PKC.Paris, France: Springer, 2010, pp. 19–34.

[17] C. Chen et al., ‘‘Fully secure attribute-based systems with short cipher-texts/signatures and threshold access structures,’’ in Topics in Cryptology—CT-RSA. San Francisco, CA, USA: Springer, 2013, pp. 50–67.

[18] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, ‘‘Fullysecure functional encryption: Attribute-based encryption and (hierarchical)inner product encryption,’’ in Advances in Cryptology—EUROCRYPT.French Riviera: Springer, 2010, pp. 62–91.

[19] B. Waters, ‘‘Ciphertext-policy attribute-based encryption: An expressive,efficient, and provably secure realization,’’ in Public Key Cryptography—PKC. Taormina, Italy: Springer, 2011, pp. 53–70.

[20] A. Lewko and B. Waters, ‘‘New proof methods for attribute-based encryp-tion: Achieving full security through selective techniques,’’ in Advancesin Cryptology—CRYPTO. Santa Barbara, CA, USA: Springer, 2012,pp. 180–198.

[21] K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi, ‘‘A ciphertext-policy attribute-based encryption scheme with constant ciphertext length,’’in Information Security Practice and Experience. XiŠan, China: Springer,2009, pp. 13–23.

[22] Z. Zhou and D. Huang, ‘‘On efficient ciphertext-policy attribute basedencryption and broadcast encryption: Extended abstract,’’ in Proc. 17thACM Conf. Comput. Commun. Secur., 2010, pp. 753–755.

[23] N. Doshi and D. C. Jinwala, ‘‘Fully secure ciphertext policy attribute-basedencryption with constant length ciphertext and faster decryption,’’ Secur.Commun. Netw., vol. 7, no. 11, pp. 1988–2002, 2014.

[24] F. Guo, Y. Mu, W. Susilo, D. S. Wong, and V. Varadharajan,‘‘CP-ABE with constant-size keys for lightweight devices,’’ IEEE Trans.Inf. Forensics Security, vol. 9, no. 5, pp. 763–771, May 2014.

[25] H. Li, X. Lin, H. Yang, X. Liang, R. Lu, and X. Shen, ‘‘EPPDR: An effi-cient privacy-preserving demand response scheme with adaptive key evo-lution in smart grid,’’ IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 8,pp. 2053–2064, Aug. 2014.

[26] J. Bethencourt, A. Sahai, and B. Waters, ‘‘Ciphertext-policy attribute-based encryption,’’ in Proc. IEEE Symp. Secur. Privacy (SP), May 2007,pp. 321–334.

[27] L. Cheung and C. Newport, ‘‘Provably secure ciphertext policy ABE,’’in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007,pp. 456–465.

[28] D. Hofheinz and E. Kiltz, ‘‘Practical chosen ciphertext secure encryptionfrom factoring,’’ inAdvances in Cryptology—EUROCRYPT. Tokyo, Japan:Springer, 2009, pp. 313–332.

[29] K. S. McCurley, ‘‘A key distribution system equivalent to factoring,’’J. Cryptol., vol. 1, no. 2, pp. 95–105, 1988.

[30] L. Harn and H.-Y. Lin, ‘‘A cryptographic key generation scheme formultilevel data security,’’ Comput. Security, vol. 9, no. 6, pp. 539–546,Oct. 1990.

[31] S. G. Akl and P. D. Taylor, ‘‘Cryptographic solution to a problem ofaccess control in a hierarchy,’’ ACM Trans. Comput. Syst., vol. 1, no. 3,pp. 239–248, 1983.

[32] E. Fujisaki and T. Okamoto, ‘‘Secure integration of asymmetric and sym-metric encryption schemes,’’ J. Cryptol., vol. 26, no. 1, pp. 80–101, 2013.

[33] K. Emura, A. Miyaji, K. Omote, and A. Nomura, ‘‘A ciphertext-policyattribute-based encryption scheme with constant ciphertext length,’’ Int.J. Appl. Cryptogr., vol. 2, no. 1, pp. 46–59, 2010.

[34] T. Elgamal, ‘‘A public key cryptosystem and a signature scheme based ondiscrete logarithms,’’ IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469–472,Jul. 1985.

[35] L. Harn and Y. Xu, ‘‘Design of generalised ElGamal type digital signatureschemes based on discrete logarithm,’’ Electron. Lett., vol. 30, no. 24,pp. 2025–2026, 1994.

[36] J. Li, Q. Wang, C. Wang, and K. Ren, ‘‘Enhancing attribute-basedencryption with attribute hierarchy,’’ Mobile Netw. Appl., vol. 16, no. 5,pp. 553–561, 2011.

[37] Miracl Crypto, accessed on Jan. 2017. [Online]. Available:https://certivox.com/solutions/miracl-crypto-sdk/

VOLUME 5, 2017 3281


[38] B. Lynn. PBC Library, accessed on Jan. 2017. [Online]. Available:http://crypto.stanford.edu/pbc/

[39] W. Dai. (2009). Crypto++ 5.6.0 Benchmarks. [Online]. Available:http://www.cryptopp.com/benchmarks.html

[40] C. J. Dorazio, K.-K. R. Choo, and L. T. Yang, ‘‘Data exfiltration fromInternet of Things devices: iOS devices as case studies,’’ IEEE InternetThings J., to be published.

[41] B. Do, Q.Martini, and K.-K. R. Choo, ‘‘Is the data on your wearable devicesecure? An Android Wear smartwatch case study,’’ Softw., Pract. Exper.,vol. 47, no. 4, pp. 391–403, 2017.

[42] N. H. Ab Rahman, W. B. Glisson, Y. Yang, and K.-K. R. Choo, ‘‘Forensic-by-design framework for cyber-physical cloud systems,’’ IEEE CloudComput., vol. 3, no. 1, pp. 50–59, Jan./Feb. 2016.

[43] N. D.W. Cahyani, B.Martini, K.-K. R. Choo, andM.H. Al-Azhar, ‘‘Foren-sic data acquisition from cloud-of-things devices: Windows smartphonesas a case study,’’ Concurrency Comput., Pract. Exper., to be published.

[44] B. Li, R. Lu, W. Wang, and K.-K. R. Choo, ‘‘DDOA: A Dirichlet-based detection scheme for opportunistic attacks in smart grid cyber-physical system,’’ IEEE Trans. Inf. Forensics Security, vol. 11, no. 11,pp. 2415–2425, Nov. 2016.

[45] X. Wang, J. Zhang, E. M. Schooler, and M. Ion, ‘‘Performance evaluationof attribute-based encryption: Toward data privacy in the IoT,’’ in Proc.IEEE Int. Conf. Commun. (ICC), Jun. 2014, pp. 725–730.

[46] M. Zhang, Y. Zhang, Y. Su, Q. Huang, and Y. Mu, ‘‘Attribute-basedhash proof system under learning-with-errors assumption in obfuscator-free and leakage-resilient environments,’’ IEEE Syst. J., to be published,doi: 10.1109/JSYST.2015.2435518.

[47] S. Amendola, R. Lodato, S. Manzari, C. Occhiuzzi, and G. Marrocco,‘‘RFID technology for IoT-based personal healthcare in smart spaces,’’IEEE Internet Things J., vol. 1, no. 2, pp. 144–152, Apr. 2014.

[48] L. Touati, Y. Challal, and A. Bouabdallah, ‘‘C-CP-ABE: Cooperativeciphertext policy attribute-based encryption for the Internet of Things,’’in Proc. Int. Conf. Adv. Netw. Distrib. Syst. Appl. (INDS), 2014, pp. 64–69.

[49] J. Li, X. Li, L. Wang, D. He, H. Ahmad, and X. Niu, ‘‘Fuzzy encryption incloud computation: Efficient verifiable outsourced attribute-based encryp-tion,’’ Soft Comput., pp. 1–8, Jan. 2017, doi: 10.1007/s00500-017-2482-1.

VANGA ODELU received the M.Tech. and Ph.D.degrees in computer science and data processingfrom IIT Kharagpur, India. He is currently anAssistant Professor with the Department of Com-puter Science and Engineering, Indian Institute ofInformation Technology at Sri City, Sri City, India.His research interests include cryptography, net-work security, hierarchical access control, remoteuser authentication, security in cloud computing,and smart grid. He has authored over 30 papers in

international journals and conferences in the above areas. He is a member ofthe ACM.

ASHOK KUMAR DAS received the M.Sc. degreein mathematics, the M.Tech. degree in com-puter science and data processing, and the Ph.D.degree in computer science and engineering fromIIT Kharagpur, Kharagpur, India. He is cur-rently an Assistant Professor with the Centerfor Security, Theory and Algorithmic Research,International Institute of Information Technol-ogy at Hyderabad, Hyderabad, India. His currentresearch interests include cryptography, wireless

sensor network security, hierarchical access control, data mining, securityin vehicular ad hoc networks, smart grid and cloud computing, and remoteuser authentication. He has authored over 125 papers in international journalsand conferences in the above areas. He was a recipient of the InstituteSilver Medal from IIT Kharagpur. He is in the Editorial Board of the KSIITransactions on Internet and Information Systems, and the InternationalJournal of Internet Technology and Secured Transactions (Inderscience), anda Guest Editor of the Computers & Electrical Engineering (Elsevier) for theSpecial Issue on Big data and Internet of Things in e-healthcare, and hasserved as a Program Committee Member in many international conferences.

MUHAMMAD KHURRAM KHAN (SM’12) iscurrently working as a Full Professor with theCenter of Excellence in Information Assurance(CoEIA), King Saud University, Saudi Arabia. Heis one of the founding members of CoEIA and hasserved as the Manager Research and Developmentfrom 2009 to 2012. He is an Adjunct Professorwith the Fujian University of Technology, China,and an Honorary Professor with IIIRC, ShenzhenGraduate School, Harbin Institute of Technology,

China. He developed and successfully managed the research program ofCoEIA, which transformed the center as one of the best centers of researchexcellence in Saudi Arabia as well as in the region. He has authored over280 research papers in the journals and conferences of international repute.He holds ten US/PCT patents. He has edited seven books/proceedings pub-lished by the Springer-Verlag and the IEEE. He has secured several nationaland international research grants in the domain of information security. Hisresearch areas of interest are cybersecurity, digital authentication, biometrics,multimedia security, and technological innovation management.

Prof. Khurram is a fellow of the IET, U.K., a fellow of the BCS, U.K., a fel-low of the FTRA, South Korea, a member of the IEEE Technical Committeeon Security & Privacy, and a member of the IEEE Cybersecurity community.He was a recipient of the King Saud University Award for Scientific Excel-lence (Research Productivity) in 2015, the King Saud University Award forScientific Excellence (Inventions, Innovations, and Technology Licensing)in 2016. He has secured an outstanding leadership award at the IEEE interna-tional conference on Networks and Systems Security 2009, Australia. He hasbeen included in theMarquisWho’sWho in theWorld 2010 edition. Besides,he has received certificate of appreciation for outstanding contributionsin biometrics & information security research with the AIT internationalConference, Japan, 2010. He received the Gold Medal for the Best Invention& Innovation Award at 10th Malaysian Technology Expo in 2011, Malaysia,the Bronze Medal at 41st International Exhibition of Inventions, Geneva,Switzerland, in 2013, for his invention, and the best paper award from theJournal of Network & Computer Applications (Elsevier) in 2015. He is oneof the organizing chairs of over five dozen international conferences and amember of technical committees of over ten dozen international conferences.He has recently played a leading role in developing BS Cybersecurity DegreeProgram and Higher Diploma in Cybersecurity with King Saud University.He has been the Editor-in-Chief of a well-esteemed ISI-indexed internationaljournal Telecommunication Systems (Springer-Verlag, since 1993) with animpact factor of 1.163 (JCR 2013). Furthermore, he is the full-time Editor/Associate Editor of several ISI-indexed international journals/magazines,including the IEEE Communications Magazine, the Journal of Network andComputer Applications (Elsevier), the IEEE Access Journal, the Securityand Communication Networks (Wiley), the IEEE Consumer ElectronicsMagazine, the PLOS ONE (USA), the IET Wireless Sensor Systems, Elec-tronic Commerce Research (Springer), the Journal of Information Hidingand Multimedia Signal Processing, the International Journal of Biometrics(Inderscience), the Journal of Physical & Information Sciences, and theJournal of Independent Studies and Research-Computing. He has also playedrole of the Guest Editor of several international ISI-indexed journals ofSpringer-Verlag and Elsevier Science. He is an Active Reviewer of manyinternational journals.

3282 VOLUME 5, 2017


KIM-KWANG RAYMOND CHOO (SM’15)received the Ph.D. in information security from theQueensland University of Technology, Australia,in 2006. He current holds the Cloud TechnologyEndowed Professorship with The University ofTexas at San Antonio. He serves on the Edito-rial Board of the Cluster Computing, the DigitalInvestigation, the IEEE Cloud Computing, theFuture Generation Computer Systems, the Journalof Network and Computer Applications, and the

PLoS ONE, the Special Issue Guest Editor of the ACM Transactions onEmbedded Computing Systems (2017; DOI: 10.1145/3015662), the ACMTransactions on Internet Technology (2016; DOI: 10.1145/3013520), theDigital Investigation (2016; DOI: 10.1016/j.diin.2016.08.003), the FutureGeneration Computer Systems (2016; DOI: 10.1016/j.future.2016.04.017),the IEEE Cloud (2015; DOI: 10.1109/MCC.2015.84), the IEEE Network(2016; DOI: 10.1109/MNET.2016.7764272), the Journal of Computer andSystem Sciences (2017; DOI: 10.1016/j.jcss.2016.09.001), the MultimediaTools and Applications (2017; DOI: 10.1007/s11042-016-4081-z), and thePervasive andMobile Computing (2016; DOI: 10.1016/j.pmcj.2016.10.003).He was a recipient of various awards, including ESORICS 2015 Best PaperAward, Winning Team of the Germanys University of Erlangen-Nuremberg(FAU) Digital Forensics Research Challenge in 2015, the 2014 Highly Com-mended Award by the Australia New Zealand Policing Advisory Agency,the Fulbright Scholarship in 2009, the 2008 Australia Day AchievementMedallion, and the British Computer Societys Wilkes Award in 2008. Heis also a fellow of the Australian Computer Society

MINHO JO (M’07–SM’16) received the B.A.degree from the Department of Industrial Engi-neering, Chosun University, South Korea, in 1984,and the Ph.D. degree from the Department ofIndustrial and Systems Engineering, Lehigh Uni-versity, USA, in 1994. He is currently a Professorwith the Department of Computer and InformationScience, South Korea University, Sejong, SouthKorea. He is one of founders of Samsung Electron-ics LCD Division. Areas of his current interests

include LTE-Unlicensed, cognitive radio, Internet of Things, HetNets in 5G,green (energyefficient) wireless communications, mobile cloud computing,network function virtualization, 5G wireless communications, optimizationand probability in networks, network security, and massive MIMO. Hereceived the Headong Outstanding Scholar Prize in 2011. He is currently anEditor of IEEE Wireless Communications, an Associate Editor of the IEEEAccess, and an Associate Editor of the IEEE Internet of Things Journal,respectively. And he is currently an Associate Editor of the Security andCommunication Networks, and an theWireless Communications and MobileComputing. He is the Founder and the Editor-in-Chief of the KSII Transac-tions on Internet and Information Systems (SCI and SCOPUS indexed). Heis currently the Vice-President of Korea Society for Internet Informationsand was the Vice-President of the Institute of Electronics and of the KoreaInformation Processing Society, respectively. His current research interestsinclude LTE-unlicensed, cognitive radio, IoT, deep learning AI and big datain IoT, HetNets in 5G, green (energy-efficient) wireless communications,mobile cloud computing, wireless energy hatvesting, 5G wireless commu-nications, optimization and probability in networks, network security, andmassive MIMO.

VOLUME 5, 2017 3283

expressive cp-abe scheme for mobile devices in iot satisfying...

Documents