Abstract

The revocable ciphertext-policy attribute-based encryption (R-CP-ABE) is an extension of ciphertext-policy attribute-based encryption (CP-ABE), which can realize user direct revocation and maintain a short revocation list. However, the revoked users can still decrypt the previously authorized encrypted data with their old key. The R-CP-ABE scheme should provide a mechanism to protect the encrypted data confidentiality by disqualifying the revoked users from accessing the previously encrypted data. Motivated by practical needs, we propose a new user R-CP-ABE scheme that simultaneously supports user direct revocation, short revocation list, and ciphertext update by incorporating the identity-based and time-based revocable technique. The scheme provides a strongly selective security proof under the modified decisional -parallel bilinear Diffie–Hellman Exponent problem, where “strongly” means that the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.

1. Introduction

As a special kind of public key encryption (PKE), attribute-based encryption (ABE) is a one-to-many cryptographic primitive that can offer fine-grained access control. In general, there are two types of ABE schemes, key-policy attribute-based encryption (KP-ABE) [1–4] and ciphertext-policy attribute-based encryption (CP-ABE) [5–8]. In a KP-ABE scheme, the secret key is associated with an access structure and the ciphertext is labeled with a set of attributes, while in a CP-ABE scheme the secret key is related to a set of attributes and the ciphertext is associated with an access structure. Compared with traditional access control systems, ABE has many advantages, so it suits many networked applications such as cloud storage systems [9–12] and medical e-healthcare systems [13–18].

Providing an efficient and practical revocation mechanism is very important in ABE, since it prevents a user from accessing encrypted data by revoking that user’s access authority. There are mainly two methods to revoke users in ABE, namely direct revocation and indirect revocation. Indirect revocation [19, 20] requires an authority to update keys only for the nonrevoked users so that they can continue to decrypt the encrypted data. The revoked users cannot decrypt any newly generated ciphertext since their keys were not updated. However, user instant revocation cannot be implemented with this approach. Suppose an employee’s access to the encrypted data is revoked some days before the key update time; he could still decrypt any newly generated encrypted data until the keys are updated. If we update the keys as soon as a user is revoked in order to realize instant revocation, this becomes a bottleneck and is not practical for a large organization, where there may be a large number of revoked users. Moreover, the revoked users can still access the previously generated encrypted data. Direct revocation [21, 22] allows a public revocation list to be specified directly during encryption, so that the ciphertext cannot be decrypted by the users in the revocation list even if their attributes/policies satisfy the policies/attributes related to the ciphertext. The ciphertext can only be decrypted by users who are not in the revocation list and whose attributes satisfy the access policy. This method implements user instant revocation and does not need to update the secret key, but its disadvantage is that the revocation list gets longer over time, which makes encryption and decryption inefficient, especially for a large system.

1.1. Related Work

Many schemes [23–28] have been presented to deal with revocation in attribute-based access control. Boldyreva et al. in [19] proposed a revocable KP-ABE. In their scheme, the authority stores a revocation list and executes the key update algorithm for the nonrevoked users who are not in the revocation list. Using the key update approach, Yu et al. in [25] put forward a revocable CP-ABE. The revoked users cannot decrypt the updated ciphertext, but access policies rarely support logical AND in their contribution. In 2012, Sahai et al. in [20] proposed the concept of revocable-storage ABE. In their scheme, they added a ciphertext delegation and ciphertext updating algorithm so that a ciphertext can be decrypted only if the encryption time , where is the key expiry time. In detail, the third-party server can update the stored ciphertext without any interaction with data owners as soon as a revocation event happens, and the re-encrypted ciphertext can no longer be recovered by the revoked users. Using direct revocation, Balu et al. in [26] put forward a revocable CP-ABE. Their model, however, is weak in that the adversary can only query the secret key of a user whose attribute set does not satisfy the challenge ciphertext access policy and whose identity is not in the revocation list.

Wang et al. in [23] proposed a new revocable CP-ABE that incorporates ID-based revocation ability. In their security definition, the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list. Nevertheless, the size of the ciphertext is linear in the number of users in the revocation list, which gets longer as time goes by. Liu et al. in [29] proposed a revocable CP-ABE using the direct approach. They put forward a secret key time validation technique to address the growth of the revocation list. Users can decrypt the ciphertext if and only if the validity time period of the secret key completely covers the validity time period of the ciphertext. The size of the ciphertext is only related to the embedded policy, while the size of the secret key is linear not only in the maximum length of the revocation list but also in the number of attributes of the user. Their scheme can implement user direct revocation and maintain a short revocation list. However, the revoked users can still decrypt the previously authorized ciphertext with their old key. We take this issue into account in the setting where users’ access authority changes with time and ciphertext is stored by a third party.

1.2. Our Contribution

We propose an R-CP-ABE scheme that can implement user direct revocation, maintain a short revocation list, and update ciphertext by incorporating the identity-based and time-based revocable technique. The main contributions of this paper can be summarised as follows:
(1) User direct revocation. We have a public revocation list that contains the identity of each user who is revoked before the intended expiry time. This revocation list is embedded into the ciphertext by the encryptor to achieve user direct revocation. Users in the revocation list cannot decrypt any newly generated ciphertext even if their attribute set satisfies the access policy.
(2) Short revocation list. Once the validity time expires, the users’ keys become invalid, as they are unable to decrypt any newly generated ciphertext. The revoked users whose keys have expired can be removed from the revocation list after the expiry date of their keys. Therefore, we can maintain a short revocation list.
(3) Ciphertext update. In the scheme, the ciphertext can be updated periodically using only publicly available information, and after the update process, all stored encrypted data (no matter how old) become inaccessible to the revoked users.
(4) Strongly selective security. Our scheme provides a strongly selective security proof under the modified decisional -parallel bilinear Diffie–Hellman Exponent problem, where “strongly” means that the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.

2. Preliminaries

2.1. Bilinear Pairings

Let and be two cyclic multiplicative groups of prime order , and be a generator of . A bilinear map is a function with the following properties:
(i) Bilinearity: for all and all
(ii) Nondegeneracy:
(iii) Computability: there is a polynomial time algorithm to compute for any

2.2. Access Structure

Let a set of parties be . A collection is monotone if . If and , then . An access structure is a collection of nonempty subsets of , i.e., . For an access structure , the sets in are defined as authorized sets. Otherwise, the sets are defined as unauthorized sets.

2.3. Linear Secret-Sharing Schemes (LSSS)

An LSSS can represent an access control policy , where with rows and columns is called the share-generating matrix and the function defines the party labeling row as for all . A secret-sharing scheme over a set of parties is linear over if satisfies the following two conditions:
(i) The shares of each party form a vector over .
(ii) For the column vector , where is the secret to be shared and are chosen randomly, is the vector of shares of the secret , and the share belongs to party .

Our definition is adopted from [30], which shows that every linear secret-sharing scheme enjoys the linear reconstruction property:
(i) Suppose that is an LSSS for the access structure . Let be any authorized set and . Then, there exist constants such that for valid shares of any secret , and these constants can be found in polynomial time.

We use the convention that the vector is the target vector for any linear secret-sharing scheme. The target vector is in the span of for any satisfying set of rows in . For any unauthorized set of rows , the target vector is not in the span of . A vector exists such that .
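The share generation and linear reconstruction described above, as an added Python example that is not code from the paper or from [30]. It assumes a small constructed prime p and the standard share-generating matrix for the policy (A AND B) OR C; reconstruction solves for the constants that combine the chosen rows into the target vector over Z_p and returns None when that vector is not in their span, i.e. when the set is unauthorized:

```python
# Added example, not from the paper: LSSS sharing and linear reconstruction over Z_p.
# P is a constructed small prime; a real scheme works over the pairing group order.
P = 101

def share(M, s, randoms, p=P):
    """Shares lambda_i = <M_i, (s, r_2, ..., r_n)> mod p; row i belongs to party rho(i)."""
    v = [s] + list(randoms)
    assert all(len(row) == len(v) for row in M), "column count must match (s, r_2..r_n)"
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def solve_mod_p(A, b, p=P):
    """Solve A x = b over Z_p by Gauss-Jordan elimination (A is m x k, any shape).
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    m, k = len(A), len(A[0])
    aug = [[x % p for x in A[i]] + [b[i] % p] for i in range(m)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue                      # no pivot in this column: free variable
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)       # modular inverse exists because p is prime
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][k] for i in range(r, m)):
        return None                       # a row reads 0 = nonzero: b not in the column span
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x

def reconstruction_constants(M, rho, S, p=P):
    """Rows owned by S and constants omega with sum_i omega_i * M_i = (1, 0, ..., 0) mod p.
    Returns None when S is unauthorized, i.e. the target vector is not in the rows' span."""
    rows = [i for i in range(len(M)) if rho[i] in S]
    n = len(M[0])
    # Solving omega * M_S = target is the same as M_S^T * omega^T = target^T.
    A = [[M[i][j] for i in rows] for j in range(n)]
    target = [1] + [0] * (n - 1)
    omega = solve_mod_p(A, target, p)
    return None if omega is None else (rows, omega)

def reconstruct(M, rho, S, shares, p=P):
    """Recover the secret from the shares held by S, or None if S is unauthorized."""
    found = reconstruction_constants(M, rho, S, p)
    if found is None:
        return None
    rows, omega = found
    return sum(w * shares[i] for w, i in zip(omega, rows)) % p

if __name__ == "__main__":
    # Constructed share-generating matrix for the policy (A AND B) OR C:
    # rows (1,1) and (0,-1) sum to the target, and row (1,0) is the target on its own.
    M = [[1, 1], [0, -1], [1, 0]]
    rho = ["A", "B", "C"]
    lam = share(M, 42, [7])                      # secret 42, random r_2 = 7 (constructed)
    print(reconstruct(M, rho, {"A", "B"}, lam))  # 42
    print(reconstruct(M, rho, {"C"}, lam))       # 42
    print(reconstruct(M, rho, {"A"}, lam))       # None: {A} is unauthorized
```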

2.4. Security Assumption

The modified decisional -parallel bilinear Diffie–Hellman Exponent problem (M--parallel-BDHE) is defined as follows. Given
where is a group of prime order with a random generator and the random exponents , the problem is to distinguish from a random element .

The advantage of solving the M--parallel-BDHE problem in with algorithm is if the following equation holds:

The M--parallel-BDHE assumption holds if the advantage of any probabilistic polynomial time (PPT) algorithm to solve the M--parallel-BDHE problem is a negligible function of the security parameter.

3. Definition

3.1. Time Period

Similar to the definition of time period in [29], our time period is hierarchical: we use a hierarchical tree to represent the time period for year, month, and day. Let be the depth of the hierarchical tree; the first level represents the year, the second level represents the month, and the third level represents the day. Every node has children, and each node (except the root node) represents a time period in the tree. We assume that all users agree on how to divide time and how to specify each time period. A time period is , where the -th component corresponds to the time period at level . For example, we use 2020.08.22 to represent a day, 2020.08 to represent a month, and so on.

A secret key validity time for a user is a time period from a starting date to an ending date. For example, if a user joins the organization on 2019.12.30 and leaves on 2020.12.31, then his secret key validity time is from 2019.12.30 to 2020.12.31. A decryptable time period is a time period set by the encryptor so that only users whose validity time completely covers the period can decrypt. For example, suppose the decryptable time period is 2019.12 and the secret key validity of a user is limited to 2019.12.31. This secret key is unable to decrypt, as it does not completely cover the decryptable time period. However, if the decryptable time period is 2019.12.31 and the secret key validity of a user is 2019.12, then it is able to decrypt, as it completely covers the decryptable time period.

3.2. Algorithms of R-CP-ABE

The R-CP-ABE scheme consists of five PPT algorithms: Setup, KeyGen, Encrypt, Decrypt, and CTUpdate:
(i) Setup: the setup algorithm takes as input the security parameter , the number of attributes in the system , the depth of the time tree , and the identity set . It outputs the public parameters and a master key .
(ii) KeyGen: the key generation algorithm takes as input the master key , a user’s , a set of attributes , and a range of time periods for the user’s . It outputs a private key .
(iii) Encrypt: the encryption algorithm takes as input the public parameters , a message , a decryptable time period , a revoked set , and an access structure over the universe of attributes. It outputs a ciphertext .
(iv) Decrypt: the decryption algorithm takes as input a ciphertext , with a description of a revoked set , an access structure and the time periods , and a private key . It outputs the message if and only if the user’s identity is not in the revocation list, the set of attributes satisfies the access structure associated with , and the range of validity time periods completely covers the decryptable time periods .
(v) CTUpdate: the ciphertext update algorithm takes as input the public parameters , the ciphertext , a new revoked set , the decryptable time period , and an access structure . It outputs a new ciphertext .

Note that compared to the algorithms of R-CP-ABE scheme [29], we add a ciphertext update algorithm to prevent the revoked users from accessing the previously authorized encrypted data. We do not explicitly propose a key update algorithm as its function can be covered by the algorithm. We run the algorithm to generate a new secret key with a new time period for the nonrevoked users during a reasonable period (e.g., employees that renew their contracts when they expire).

3.3. Security Model

Because the updated ciphertext has the same distribution as the original ciphertext, we only consider the security of the original ciphertext. The security model is described by the following game between a challenger and an adversary . In the game, needs to submit an access structure , a revocation list , and a decryptable time period to before seeing the public parameters . can query at any time any private key that cannot be used to decrypt the challenge ciphertext; this derives from the security definitions for the identity-based revocation framework in [31] and general CP-ABE systems in [7]. In the security definition, we consider a strong adversary who can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.
(i) Init: the adversary submits the challenge access structure , the challenge revocation list , and the challenge decryptable time period to the challenger .
(ii) Setup: launches the algorithm to generate the system parameters. It keeps the master key and sends the public parameters to .
(iii) Phase 1: makes private key queries repeatedly corresponding to the identity , the attribute set , and the range of time periods such that, for any single returned secret key , at least one of the following requirements is satisfied:
(a) satisfies the access structure and the corresponding identity
(b) is not completely covered in
(iv) Challenge: submits two equal length messages and to . Then flips a random coin and encrypts under the access structure , the revoked set , and the time period to obtain a ciphertext . Finally, sends the ciphertext to .
(v) Phase 2: this phase is completely the same as Phase 1.
(vi) Guess: outputs a guess of .

The advantage of winning the game is defined as .
(i) If no adversary has a nonnegligible advantage in winning the above game in polynomial time, then the revocable ciphertext-policy attribute-based encryption scheme is secure.

4. Our Scheme

4.1. Overview

Based on the scheme [23] and the secret key time validation technique in [29], we propose the R-CP-ABE scheme with ciphertext update. We incorporate identity and time period to the generating process of the secret key. The size of the revocation list can be reduced by incorporating validity time period technique. The identity of a user who is revoked before his intended expiry date is embedded into the revocation list by the encryptor to realize user direct revocation. Users in the revocation list cannot decrypt any newly encrypted data. In order to disqualify the revoked users from accessing the previously encrypted data, we provide a ciphertext update mechanism. Finally, our scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext.

4.2. Technique Construction

Similar to the validity time technique in [29] from the hierarchical IBE (HIBE) scheme [13], we represent time period by using a hierarchical tree, which can shorten the size of the secret key. In this hierarchical tree, each node has a corresponding time period associated with the secret key, and the secret key of any node can derive the secret key for children of that node. For example, a user with secret key validity time period for the whole year can derive the key with validity time period for the underlying months of that year.

We select the minimum number of nodes that can represent all the validity time periods by using the set-cover approach. Suppose a user joins the organization on 2019.12.30 and ends on 2020.12.31, then his secret key validity time is from 2019.12.30 to 2020.12.31. He should obtain secret key from the nodes of , and 2020 by using the set-cover approach. Then, the secret time period is the set .
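The set-cover and complete-cover logic of Sections 3.1 and 4.2, together with the three Decrypt requirements of Section 3.2, as an added Python example that is not code from the paper. It assumes the three-level year/month/day tree, represents a time period as a tuple with one entry per level, and uses a constructed revocation list (identity to key expiry) and a constructed AND policy:

```python
from datetime import date, timedelta
import calendar

# Added example, not code from the paper. A time period is a tuple with one entry
# per tree level: (year,), (year, month) or (year, month, day), i.e. "2020",
# "2020.08" and "2020.08.22" in the text. Assumes the three-level tree of Section 3.1.

def node_span(node):
    """First and last calendar day covered by a node of the time tree."""
    if len(node) == 1:
        (y,) = node
        return date(y, 1, 1), date(y, 12, 31)
    if len(node) == 2:
        y, m = node
        return date(y, m, 1), date(y, m, calendar.monthrange(y, m)[1])
    y, m, d = node
    return date(y, m, d), date(y, m, d)

def set_cover(start, end):
    """Minimal set of nodes that tile the validity range [start, end] exactly
    (both given as (y, m, d) tuples), i.e. the paper's set-cover approach."""
    nodes, cur, last_day = [], date(*start), date(*end)
    while cur <= last_day:
        # Take the highest node that starts exactly at cur and does not run past the end.
        for node in ((cur.year,), (cur.year, cur.month), (cur.year, cur.month, cur.day)):
            first, last = node_span(node)
            if first == cur and last <= last_day:
                nodes.append(node)
                cur = last + timedelta(days=1)
                break
    return nodes

def covers(key_cover, period):
    """A key's set-cover covers a decryptable period iff the period itself or one of
    its prefixes is a cover node (a year node covers every month and day under it)."""
    return any(period[:k] in key_cover for k in range(1, len(period) + 1))

def can_decrypt(identity, attributes, key_cover, revoked, policy, period):
    """The three Decrypt requirements: not revoked, attributes satisfy the policy,
    and the key validity completely covers the decryptable time period."""
    return identity not in revoked and policy(attributes) and covers(key_cover, period)

def prune_revocation_list(revoked, today):
    """Drop revoked identities whose key validity already ended: their keys cannot
    decrypt new ciphertexts anyway, which is what keeps the revocation list short."""
    return {uid: expiry for uid, expiry in revoked.items() if expiry >= today}

if __name__ == "__main__":
    # The paper's example: validity from 2019.12.30 to 2020.12.31.
    cover = set(set_cover((2019, 12, 30), (2020, 12, 31)))
    print(sorted(cover))                 # [(2019, 12, 30), (2019, 12, 31), (2020,)]
    # Constructed revocation list (identity -> key expiry) and AND policy.
    revoked = {"bob": (2020, 6, 30)}
    policy = lambda attrs: {"doctor", "cardiology"} <= attrs
    print(can_decrypt("alice", {"doctor", "cardiology"}, cover, revoked, policy, (2020, 8, 22)))  # True
    print(can_decrypt("alice", {"doctor", "cardiology"}, cover, revoked, policy, (2019, 12)))     # False
    print(prune_revocation_list(revoked, (2020, 7, 1)))                                           # {}
```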

The detailed construction of the scheme is as follows:
(i) Setup: is the number of attributes in the system. The time periods are represented as a -ary string . is the identity set. The algorithm chooses a bilinear group of prime order with a random generator and random group elements . It also randomly chooses and . It outputs
and .
(ii) KeyGen: is the set of attributes of a user with identity . is the time period for the user . denotes the set-cover representing , which consists of some time elements for any . The algorithm randomly chooses , for any and computes
Then, the secret key is
(iii) Encrypt: is the revocation list with revoked users. The message is and the decryptable time period of the ciphertext is . denotes the representation of . It takes as input an LSSS access structure , where is an matrix and is a function mapping rows of to attributes. The encryption algorithm chooses a random vector to share the encryption exponent . For , it calculates , where the vector corresponds to the -th row of . Let denote the -th identity in . The algorithm also chooses random such that  = . It computes
Then, it outputs along with a description of the revoked set , the access structure , and the time periods .
(iv) Decrypt: the decryption algorithm takes as input a ciphertext with access structure , the revocation list , and the private key . If either of the following requirements holds, it outputs :
(a) satisfies the access structure and the corresponding identity
(b) is not completely covered in , that is, and all its prefixes are not in
Otherwise, we have , and satisfies the access structure . Define . There exists a set of constants such that , if are valid shares of any secret according to . It computes
Denote . Finally, it computes
The process is as follows:
(v) CTUpdate: the ciphertext update algorithm takes as input the ciphertext , the decryptable time period , and a new revocation list such that . Denote with revoked users. It takes an LSSS access structure , where is an matrix and is a function mapping rows of to attributes. The algorithm chooses a random vector to share the encryption exponent . For , it calculates , where the vector corresponds to the -th row of . Let denote the -th identity. It also chooses random c such that and computes

Then, it outputs along with a description of the revoked set , the access structure , and the time periods .

5. Security Analysis

The security of our construction is based on the modified decisional -parallel-BDHE assumption. Since the updated ciphertext has the same distribution as the original ciphertext, we only prove the security associated with the original ciphertext.

Theorem 1. Suppose the modified decisional -parallel-BDHE assumption holds. Then, no PPT adversary can selectively break our system in with a challenge matrix of size , where , a challenge revocation list where , and a challenge time with -ary representation for some such that .

Proof. Suppose there is an adversary with nonnegligible advantage against our scheme in the selective security game. Then, a simulator can solve the modified decisional -parallel-BDHE problem with nonnegligible advantage.
(i) Init: the simulator takes in a modified decisional -parallel-BDHE problem challenge :
and decides if  =  using the adversary . Then, the adversary declares the challenge time with -ary representation for some and the challenge revocation list , where . also gives the challenge access structure to the simulator , where is . Let , where each row vector for .
(ii) Setup: the simulator chooses a random value and lets to implicitly set . Moreover, it also implicitly sets by computing the public parameters as . To embed the revocation identification and the challenge access structure into the public parameters , we regard the challenge matrix as a set of row vectors and divide it into three subsets such that and . Specifically, , and are initially set to be the empty set. Define the -dimension vectors and . For to , if is linearly independent of and cannot be linearly expressed by , then we merge into ; if is linearly independent of and can be linearly expressed by , then we merge into ; if is dependent on , then we merge into . As a result, is a linearly independent vector group, while each vector in can be linearly expressed by . Although cannot be spanned by , it can be linearly expressed by merged with each vector in . Therefore, each vector in can be linearly expressed by .
Next, we describe how the simulator programs the public parameters . Let denote the set of indices such that  = . Assume that there are vectors in and let . For each , its corresponding row vector can be written as , where . For each , we define a corresponding vector , where . As a result, we get a new vector group , and each is in the span of . By choosing a random value , the simulator programs and as
If is an empty set, it sets . The simulator also randomly chooses and defines and  =  for . Then, publishes the above parameters as the public key and sends it to . We observe that the public parameters are distributed randomly as in the real system, and both the revoked identification and the challenge matrix are reflected in the simulation’s contribution to the parameter .
(iii) Phase 1: adversary makes repeated private key queries corresponding to the tuple of identity, attributes, and time such that at least one of the following requirements is satisfied:
(a) The attribute set satisfies the access structure and the corresponding identity
(b) and all its prefixes are not in , the set-cover of
We separate into two cases:
Case 1: the attribute set satisfies the access structure and the corresponding identity . Since each is in the span of and is not in the span of , we can still find a vector with and , where . The simulator chooses a random value and computes the private key as
which implicitly sets the random as , where . So, it can cancel out the unknown term of the form in when creating the component in the private key as
Next, it performs this by setting
In order to prevent the appearance of the term of the form , it sets the private component as , randomly chooses and sets  =  for all . Then, it computes and also computes .
Case 2: and all its prefixes are not in , the set-cover of . For all =(), first define and . There exists a smallest index such that . The simulator randomly selects and implicitly defines . It performs this by setting , then chooses a random element and sets . For all , it computes
The simulator also computes and
(iv) Challenge: adversary submits two equal length messages and with the matrix of dimension at most columns to . flips a random coin and encrypts under the access structure , the revocation list , and the time with -ary representation . It chooses random values such that and creates the ciphertext components
For , observe that since the challenge time is , the terms in are cancelled out. Then, it sets . also chooses a random value and shares the secret using the vector . Next, it calculates
It generates the ciphertext component as
For , it defines as the set of indices such that . Finally, builds the ciphertext component as
(v) Phase 2: this phase is completely the same as Phase 1.
(vi) Guess: the adversary finally outputs a guess of . outputs 0 to guess if ; otherwise, it outputs 1. When is a tuple, gives a perfect simulation, so the advantage of the simulator is the same as the advantage of the adversary . Therefore, we have
The message is completely hidden from the adversary when is a random group element, so we have . Therefore, if could attack the scheme with nonnegligible advantage, then can also play the modified decisional -parallel-BDHE game with nonnegligible advantage.

6. Performance Analysis

In this section, we first give a functional comparison between our scheme and the other schemes [23, 29] in Table 1.

Our scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext. Compared with [23], our scheme can maintain a short revocation list and update ciphertext. Compared with [29], our scheme can update ciphertext. The ciphertext update can provide the encrypted data confidentiality by disqualifying the revoked users’ access to the encrypted data, especially that generated previously. We can periodically run a ciphertext update algorithm and do not need to execute a key update algorithm frequently because users have a reasonable validity time.

Next, we mainly analyze the efficiency of the proposed scheme compared with [23, 29] in Table 2.

As shown in Table 2, the efficiency of the proposed scheme is a little lower than that of scheme [23], but we can reduce the size of the ciphertext by maintaining a short revocation list. In addition, the efficiency of our scheme is lower than that of scheme [29] in terms of the ciphertext size and the decryption time of pairing, but our scheme is more efficient in the size of and . The number of exponentiation operations in the KeyGen algorithm of scheme [29] is times more than in our scheme, and the number of exponentiation operations in the Encrypt algorithm of scheme [29] is times more than in our scheme. Our scheme is practical in that it can revoke users immediately, maintain a short revocation list, and update ciphertext, but it loses the advantage of efficiency in the ciphertext size and the decryption time.

7. Conclusion

In this work, we propose a user R-CP-ABE scheme with ciphertext update. The scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext by incorporating the identity-based and time-based revocable technique. We provide a ciphertext update mechanism, using only publicly available information, to disqualify the revoked users from accessing previously encrypted data. Our scheme supports the key update function for the nonrevoked users when their validity time expires. Once the validity time expires, the user’s key becomes invalid and cannot decrypt any ciphertext generated after the expiry date. The security is based on the modified decisional -parallel bilinear Diffie–Hellman Exponent problem. In the security model, we consider a strong adversary that can query the secret key of a user whose attribute set satisfies the challenge ciphertext access policy and whose identity is in the revocation list. In future research, we will consider a more efficient mechanism for user revocation and ciphertext update.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Key R&D Program of China (no. 2017YFB0802000), the National Nature Science Foundation of China (nos. U1705264, 61972124, 61672030, 11974096, and 61702067), the Zhejiang Provincial Natural Science Foundation of China (no. LY19F020019), and the Research Foundation of Hangzhou Normal University (no. 2017QDL002).