Funding: support from the National Key Research and Development Program of China (Grant No. 2021YFF0704102), the Chongqing Education Commission Key Project of Science and Technology Research (Grant No. KJZD-K202400610), and the Chongqing Natural Science Foundation General Project (Grant No. CSTB2025NSCQ-GPX1263).
Abstract: Attribute-Based Encryption (ABE) has emerged as a fundamental access control mechanism in data sharing, enabling data owners to define flexible access policies. A critical aspect of ABE is key revocation, which plays a pivotal role in maintaining security. However, existing key revocation mechanisms face two major challenges: (1) High overhead due to ciphertext and key updates, primarily stemming from the reliance on revocation lists during attribute revocation, which increases computation and communication costs. (2) Limited universality, as many attribute revocation mechanisms are tailored to specific ABE constructions, restricting their broader applicability. To address these challenges, we propose LUAR (Lightweight and Universal Attribute Revocation), a novel revocation mechanism that leverages Intel Software Guard Extensions (SGX) while minimizing its inherent limitations. Given SGX’s constrained memory (≈90 MB in a personal computer) and susceptibility to side-channel attacks, we carefully manage its usage to reduce reliance while mitigating potential collusion risks between cloud service providers and users. To evaluate LUAR’s lightweight nature and universality, we integrate it with the classic BSW07 scheme, which can be seamlessly replaced with other ABE constructions. Experimental results demonstrate that LUAR enables secure attribute revocation with low computation and communication overhead. The processing time within the SGX environment remains stable at approximately 55 ms, regardless of the complexity of access policies, ensuring no additional storage or computational burden on SGX. Compared to the Hardware-based Revocable Attribute-Based Encryption (HR-ABE) scheme (IEEE S&P 2024), LUAR incurs a slightly higher computational cost within SGX; however, the overall time from initiating a data request to obtaining plaintext is shorter. As access policies grow more complex, LUAR’s advantages become increasingly evident, showcasing its superior efficiency and broader applicability.
Abstract: Attribute-based encryption is drawing more attention with its inherent attractive properties, which have the potential to be widely used in the newly developing cloud computing. However, one of the main obstacles for its application is how to revoke the attributes of the users. Though some ABE schemes have realized revocation, they mostly focused on the user revocation that revokes the user's whole attributes, or attribute revocation under the indirect revocation model such that all the users' private keys will be affected by the revocation. In this paper, we define the model of CP-ABE supporting the attribute revocation under the direct revocation model, in which the revocation list is embedded in the ciphertext and none of the users' private keys will be affected by the revocation process. Then we propose a generic construction, and prove its security with the decision q-BDHE assumption.
Funding: Project supported by the Ningbo eHealth Project, China (No. 2016C11024)
Abstract: Attribute-based encryption (ABE) has been a preferred encryption technology to solve the problems of data protection and access control, especially when the cloud storage is provided by third-party service providers. ABE can put data access under control at each data item level. However, ABE schemes have practical limitations on dynamic attribute revocation. We propose a generic attribute revocation system for ABE with user privacy protection. The attribute revocation ABE (AR-ABE) system can work with any type of ABE scheme to dynamically revoke any number of attributes.
Funding: supported by the National Natural Science Foundation of China and Civil Aviation Administration of China Joint Fund Project (U1533107) and the Major Program of Natural Science Foundation of Tianjin (17JCZDJC30900)
Abstract: An access control scheme is proposed for System Wide Information Management (SWIM) to address the problem of attribute revocation in practical applications. Based on attribute-based encryption (ABE), this scheme introduces the proxy re-encryption mechanism and key encrypting key (KEK) tree to realize fine-grained access control with attribute revocation. This paper defines the attributes according to the status quo of civil aviation. Compared with some other schemes proposed before, this scheme not only shortens the length of ciphertext (CT) and private key but also improves the efficiency of encryption and decryption. The scheme can resist collusion attacks and ensure the security of data in SWIM.
Funding: supported by National Natural Science Foundation of China under Grant No. 60873231, Natural Science Foundation of Jiangsu Province under Grant No. BK2009426, Major State Basic Research Development Program of China under Grant No. 2011CB302903, and Key University Science Research Project of Jiangsu Province under Grant No. 11KJA520002
Abstract: In most existing CP-ABE schemes, there is only one authority in the system and all the public keys and private keys are issued by this authority, which incurs ciphertext size and computation costs in the encryption and decryption operations that depend at least linearly on the number of attributes involved in the access policy. We propose an efficient multi-authority CP-ABE scheme in which the authorities need not interact to generate public information during the system initialization phase. Our scheme has constant ciphertext length and a constant number of pairing computations. Our scheme can be proven CPA-secure in the random oracle model under the decision q-BDHE assumption. When a user's attribute revocation occurs, the scheme transfers most re-encryption work to the cloud service provider, reducing the data owner's computational cost on the premise of security. Finally, the analysis and simulation results show that the schemes proposed in this thesis ensure the privacy and secure access of sensitive data stored in the cloud server, and are able to cope with the dynamic changes of users' access privileges in large-scale systems. Besides, the multi-authority ABE eliminates the key escrow problem, achieves ciphertext length optimization and enhances the efficiency of the encryption and decryption operations.
Funding: The National Natural Science Foundation of China (No. 61372103), the Natural Science Foundation of Jiangsu Province (No. SBK2020020282), the Program of Key Laboratory of Information Network Security of the Ministry of Public Security (No. C19607), and the Program of Key Laboratory of Computer Network Technology of Jiangsu Province.
Abstract: To share data securely with secure attribute revocation, anti-collusion, and dynamic user management in the 5G device-to-device (D2D) environment, a novel dynamic anti-collusion ciphertext policy attribute-based encryption (NDA-CP-ABE) scheme in the 5G D2D environment is proposed. On the basis of the ciphertext policy attribute-based encryption algorithm, fine-grained access control and secure attribute revocation are realized, and the confidentiality of data is guaranteed. A polynomial function is adopted in the ciphertext generation phase to realize dynamic user management. A random number is used to prevent a collusion attack among the legitimate user equipment (UE), revoked UE, and external network attackers. Finally, on the basis of the Diffie-Hellman problem, the NDA-CP-ABE scheme is formally proved, and the simulation performances are compared with those of similar schemes. The results show that data can be securely shared through a D2D channel with secure attribute revocation, anti-collusion, and dynamic user management. Moreover, compared with similar schemes, the NDA-CP-ABE scheme has higher efficiency in encryption, decryption, and storage.
Funding: supported by the National Natural Science Foundation of China under Grant No. 61272519, the Specialized Research Fund for the Doctoral Program of Higher Education under Grant No. 20120005110017, and the National Key Technology R&D Program under Grant No. 2012BAH06B02
Abstract: Although existing data sharing systems in online social networks (OSNs) propose to encrypt data before sharing, the multiparty access control of encrypted data has become a challenging issue. In this paper, we propose a secure data sharing scheme in OSNs based on ciphertext-policy attribute-based proxy re-encryption and secret sharing. In order to protect users' sensitive data, our scheme allows users to customize access policies of their data and then outsource encrypted data to the OSNs service provider. Our scheme presents a multiparty access control model, which enables the disseminator to update the access policy of ciphertext if their attributes satisfy the existing access policy. Further, we present a partial decryption construction in which the computation overhead of the user is largely reduced by delegating most of the decryption operations to the OSNs service provider. We also provide checkability on the results returned from the OSNs service provider to guarantee the correctness of partial decrypted ciphertext. Moreover, our scheme presents an efficient attribute revocation method that achieves both forward and backward secrecy. The security and performance analysis results indicate that the proposed scheme is secure and efficient in OSNs.
Funding: supported by the National Key R&D Program of China (2022YFB2703400) and the BUPT Excellent Ph.D. Students Foundation (CX2022218).
Abstract: With the growing demand for data sharing, how to realize fine-grained trusted access control of shared data and protect data security has become a difficult problem. The ciphertext policy attribute-based encryption (CP-ABE) model is widely used in cloud data sharing scenarios, but there are problems such as privacy leakage of access policy, irrevocability of user or attribute, key escrow, and trust bottleneck. Therefore, we propose a blockchain-assisted CP-ABE (B-CP-ABE) mechanism for trusted data access control. Firstly, we construct a data trusted access control architecture based on the B-CP-ABE, which realizes the automated execution of access policies through smart contracts and guarantees the trusted access process through blockchain. Then, we define the B-CP-ABE scheme, which has the functions of partial policy hiding, attribute revocation, and anti-key escrow. The B-CP-ABE scheme utilizes a Bloom filter to hide the mapping relationship of sensitive attributes in the access structure, realizes flexible revocation and recovery of users and attributes by a re-encryption algorithm, and solves the key escrow problem by joint authorization of data owners and attribute authority. Finally, we demonstrate the usability of the B-CP-ABE scheme by performing security analysis and performance analysis.