Abstract

Recently, cloud-based mobile crowdsensing (MCS) has developed into a promising paradigm that provides convenient data sensing, collection, storage, and sharing services for resource-constrained terminals. Nevertheless, it also raises many security concerns, such as illegal access to users’ secrets and private data. To protect shared data against unauthorized access, many studies on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve fine-grained data sharing. However, providing a scalable and time-sensitive data-sharing scheme across hierarchical users with compound attribute sets and revocability remains a big issue. In this paper, we investigate this challenge and propose a hierarchical and time-sensitive CP-ABE scheme, named HTR-DAC, which features time-sensitive data access control with scalability, revocability, and high efficiency. In particular, we propose a time-sensitive CP-ABE for hierarchically structured users with recursive attribute sets. Moreover, we design a robust revocation mechanism to achieve direct user revocation in our scheme. We also integrate verifiable outsourced decryption to improve efficiency and guarantee correctness in the decryption procedure. Extensive security and performance analysis is presented to demonstrate that our data-sharing scheme satisfies the security requirements and is highly efficient in MCS.

1. Introduction

As a promising paradigm, Mobile Crowdsensing (MCS), which takes advantage of individual resource-limited mobile terminals to sense, collect, and analyze data rather than deploying massive numbers of static sensors, is being adopted rapidly, and a large number of mobile users are willing to enjoy the convenient services of MCS, such as smart health, smart cities, and intelligent transportation [1]. These days, the wide spread of the Internet of Things [2] and the emerging 5G communication network, which supports high speed and massive access [3], also facilitate the application of MCS. Thus, cloud-based mobile crowdsensing has been proposed for optimizing data collection and minimizing the cost of both sensing and reporting [4]. As shown in Figure 1, the sensing data gathered by mobile terminals (e.g., laptops, vehicles, and IoT devices) are transmitted to the cloud via the 5G communications network or even satellites for data collection, storage, and sharing. However, the sensitive and private information in such sensing data may be breached in the untrusted cloud, which may discourage further participation by mobile users, especially when their data are illegally accessed.

There have been many data access control solutions, such as access control list (ACL), Bell-LaPadula (BLP), Biba, and role-based access control (RBAC). Nevertheless, all of these solutions suffer from different drawbacks, such as inflexibility, high computation complexity, and coarse-grained access control [5]. In recent years, ciphertext-policy attribute-based encryption (CP-ABE) has been proposed to control data access based on attributes and so achieve flexibility and fine granularity [6–9]. In CP-ABE, data producers are required to designate a specific access policy to obtain the ciphertext of their data before outsourcing. When accessing the shared content, users decrypt the data with their secret keys and recover the plaintext if and only if they are authorized. However, these solutions cannot be directly used for time-sensitive data sharing across hierarchical users with revocability and recursive attribute sets, as some challenges remain unsolved.

Let us take the smart health record (SHR) sharing system [10] as an example. In general, the mobile users in the SHR system are organized in a hierarchical structure and at large scale, which requires a scalable architecture. In the meantime, these users may have the following attribute set:

This recursive attribute set indicates that the user holding the corresponding recursive key structure is both an intermediate dean and a senior surgeon of cardiac surgery in the central hospital. Furthermore, the SHRs contain a lot of sensitive and private data, such as social security numbers, health conditions, and diseases, which need to be protected with fine-grained access control. Besides, many SHRs are time sensitive; that is, highly confidential data are generally accessed first by one group of users (e.g., the hospital director) and then by other groups of users in a timed sequence. In addition, the mobile users in the system change dynamically, which requires an effective revocation mechanism. Therefore, the key is to design a data-sharing scheme that deals with time-sensitive data and efficiently supports hierarchical and revocable users with recursive key structures in MCS.

Recently, the authors in [11] solved the issue of hierarchical users with compound key structure in CP-ABE by combining the schemes of HIBE and ASBE, and the scheme in [12] proposed a time-based ABE by introducing time-release encryption (TRE) into CP-ABE. However, these schemes cannot support user dynamicity. The work in [13] proposed an effective direct user revocation, but it cannot achieve effective security, as revoked users can bypass the related mechanism in decryption to recover the plaintext. Thus, the security cannot be guaranteed. Moreover, all the above schemes incur high computation cost and so cannot adapt to the MCS environment with its resource-limited mobile terminals. In short, how to design an efficient access control scheme for time-sensitive data that simultaneously offers fine granularity, hierarchical users holding recursive attribute sets, and user revocability is still a big challenge.

In this paper, inspired by the above scenario and the challenges in existing related work, a hierarchical and time-sensitive revocable data access control (HTR-DAC) scheme is put forward. Specifically, we present a scalable CP-ABE scheme for time-sensitive data-sharing service across hierarchical users who hold compound attribute sets and can be revoked directly if they conduct malicious activities for illicit purposes. Besides, our scheme can improve efficiency and guarantee the correctness of decryption. Our main contributions are threefold:
(i) We put forward a scalable sharing scheme for time-sensitive data across hierarchical users with structured keys. The users’ keys are issued by the delegation of the domain authorities they belong to. Moreover, a cloud user can access ciphertexts if and only if he is authorized with correct attribute sets and exposed time trapdoors, which ensures fine-grained and time-sensitive data access control.
(ii) We design a new approach to realize user revocability and high efficiency in our scheme. We integrate verifiable outsourced decryption and a direct user revocation mechanism into our scheme. The approach not only greatly improves the efficiency of decryption but also guarantees the correctness of the decryption result.
(iii) We present the security analysis for our proposal to show that the scheme achieves its security goals. We also implement our scheme and conduct extensive experimental simulations with performance evaluations to show that our proposal has better efficiency and practicality.

Our paper is outlined as follows. Section 2 reviews some related work, and Section 3 gives several relevant notations together with definitions. The system model, adversary model, and design goals are shown in Section 4, followed by the definition of our scheme and its security model in Section 5. Based on this, we give the concrete description of our scheme in Section 6. Section 7 presents a thorough security analysis, and Section 8 presents the performance evaluation of our scheme. Finally, we summarize our work in Section 9.

2. Related Work

This section reviews related work on the attribute-based encryption (ABE) technique.

As a promising technique, ABE was first introduced in [14] for fine-grained access control. Later, Goyal et al. [15] divided ABE into two types: CP-ABE and KP-ABE (key-policy ABE). In the former, the data owner can flexibly designate the access policy for the ciphertext. Thus, we focus on this technique for data access control in MCS. Subsequently, a great many studies were devoted to CP-ABE, such as large universe CP-ABE [16], multiauthority CP-ABE [17], traceable CP-ABE, and revocable CP-ABE [18].

2.1. Hierarchical ABE and Time-Release Encryption

Currently, many ABE schemes support only a single authority for managing users’ secret keys. In a large-scale system, however, a single authority is not suitable for handling the large number of user key management tasks. To find a solution, the researchers in [19] proposed the first hierarchical ABE scheme based on the idea of hierarchical identity-based encryption. The scheme in [11] solves the problem of hierarchical user structure with key structure by combining the concepts of HABE and ASBE (ABE with attribute sets). Recently, Wang and Gao [20] proposed a CP-HABE scheme to address user privacy in Bitcoin financial systems. However, the scheme incurs continuous auxiliary input leakage. To solve the problem, the scheme in [21] proposed a leakage-resilient CP-HABE scheme by introducing a continuous leakage-resilience mechanism into the CP-ABE scheme. Later on, the work in [8] proposed a lightweight CP-HABE scheme to support flexibility, scalability, and user revocation.

As many cloud applications are time-sensitive, time-release encryption (TRE) was first introduced in [22], which uses a trusted time agent to release the access right uniformly at a specific time point. Later, many schemes [23, 24] integrated TRE into different cryptographic schemes to adapt to different application scenarios. These days, some studies try to combine TRE with ABE. The scheme in [25] proposes a time-sensitive data-sharing scheme in the cloud. However, it merely supports coarse-grained access control and incurs a heavy burden for cloud users. Then, the work in [26] proposes a CP-ABE-based data access control scheme with a time domain by combining the attribute set of users and access time, inspired by [27]. Although the scheme eliminates much of the work for the data owner, it brings extra overhead for the authority. Recently, the work in [12] proposes a time-sensitive CP-ABE scheme with high efficiency and fine-grained access control.

2.2. Revocable ABE and Verifiable Outsourced Computing

Current revocable schemes can be classified as user-level and attribute-level ones, where the former involves direct revocation and indirect revocation. In direct user revocation schemes [13, 28–30], the data producer integrates the revocation list into the ciphertext, and no key updates are required on revocation. In contrast, the indirect user revocation schemes [30–32] periodically update nonrevoked users’ secret keys without data producers knowing the revocation list. In particular, the work in [13] proposes a novel direct user revocation CP-ABE scheme. However, the scheme suffers from low security because, in its revocation mechanism, any data user, revoked or nonrevoked, can recover the plaintext by skipping the revocation procedure in decryption. Later, the proposals in [28–30] extend the direct user revocation mechanisms, but they fail to solve the problem in [13] and the low efficiency caused by direct revocation.

As the decryption cost in ABE is very high, many researchers have studied this topic. The scheme in [33] introduced outsourced computing into ABE to improve decryption efficiency, and many later studies followed this direction. In these schemes, the ciphertexts are translated into constant-sized ElGamal-type ones and the cloud learns nothing about the content. However, schemes of this kind cannot ensure that the cloud decrypts the ciphertexts correctly. To overcome this flaw, Lai et al. [34] proposed an outsourced decryption scheme with verifiability that ensures the decryption is executed correctly. Then, the scheme in [35] proposed another verifiable scheme by introducing a token mechanism which eliminates the pairing computations. The work in [36] proposed a verifiable scheme with exculpability, but the scheme incurs heavy computational overhead. To improve efficiency, the scheme in [37] introduces a verification code for checking the correctness of decryption efficiently.

3. Preliminaries

This section presents several relevant notions and definitions employed in our paper.

3.1. Notations

We summarize several notations used in our scheme as well as their descriptions in Table 1.

3.2. Access Structure and Key Structure

Definition 1 (access structures, see [38]). Suppose is a party set. One of the collection is considered to be monotone . An access structure that is monotone is defined as one of the nonempty subsets of . The elements in are defined as authorized sets and the other sets are defined as unauthorized sets. Without loss of generality, we can describe users with their attribute set.

Definition 2 (key structure, see [11]). As for most of the practical situations, each user’s attribute set is organized in a tree-like recursive set structure in which each element of is an attribute set or a single attribute. As a result, the corresponding key structure of each user is similar to the attribute structure. The of (also, the key structure) is the number of levels for the recursive set. Suppose a key structure; the level 1 members can be either attribute sets or attributes, while the level 2 members may only be attributes. The key structure in Figure 2 is of , denoting that the user is both an intermediate dean and a senior surgeon in cardiac surgery in central hospital. Moreover, in the key structure, each set is assigned a unique label which is a unique index of the recursive set, and each attribute in an element set is labeled by the set’s index together with its name. Suppose a key structure of with attribute sets is represented by , where is the set at depth 1 and other sets are at depth 2. As in Figure 2,  = {Org: Central Hospital, Dept: Cardiac Surgery},  = {Role: dean, Staff level: intermediate}, and  = {Role:surgeon, Staff level: senior}. Then, the attribute ”Role:dean” can be denoted by (1, Role:dean).

3.3. Access Policy Tree

Definition 3 (access tree, see [39]). Similar to [39], suppose is a policy tree with each node , where we use a threshold gate to represent nonleaf nodes and a leaf node is an attribute . As to a threshold gate , we use which is the number of children and the threshold value to depict it. Specifically, if , it is an gate, and if , it is an gate. If is a leaf node, its threshold value is .
Moreover, suppose is the root node. If is a nonleaf node, is a collection of its children and denotes the parent node of . Thus, we can infer that . We use the function to signify the unique index value of each node .
Access Tree Satisfaction. Suppose is an access tree rooted from node ; then, we use to denote a subtree rooted from node . Here, we define when and only when (a attribute set) is satisfactory to the subtree , that is, when a leaf node has , then , and when a nonleaf node has , the number of satisfying exceeds , .
Moreover, consider the key structure with , where denotes the th attribute set and denotes the index of each set. If satisfies , then will return a nonempty label set . Here, is also computed recursively as before and satisfies access tree if and only if it consists of at least one set having all elements required to be satisfactory to . Generally, combining attributes in different attribute sets of that are satisfactory to is impossible without translating nodes in . Given a is a translating node , the attributes needed to meet belonging to different sets in can be combined to make the predicate with hold.
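The satisfaction rule for a depth-2 key structure can be made concrete with the hospital key structure of Definition 2. This is an added example, not code from the paper: the `Node` layout, the helper names, and the four policies are constructed, and it assumes the rule as stated in Section 6.5, namely that a child counts toward label i if it returned i itself, or if it returned some other label and is a translating node.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """Access-tree node: a leaf carries `attr`, a gate carries threshold `k`."""
    attr: Optional[str] = None
    k: int = 1
    children: List["Node"] = field(default_factory=list)
    translating: bool = False  # may this node's result be moved to another label?


def leaf(attr: str, translating: bool = False) -> Node:
    return Node(attr=attr, translating=translating)


def gate(k: int, *children: Node, translating: bool = False) -> Node:
    return Node(k=k, children=list(children), translating=translating)


# Key structure: label -> attribute set. Label 0 is the depth-1 (outer) set.
KeyStructure = Dict[int, Set[str]]


def satisfying_labels(node: Node, ks: KeyStructure) -> Set[int]:
    """Return the labels of the attribute sets under which `node` is satisfied."""
    if node.attr is not None:
        # Leaf: every set that contains the attribute yields its label.
        return {i for i, attrs in ks.items() if node.attr in attrs}
    results = [(satisfying_labels(c, ks), c.translating) for c in node.children]
    labels: Set[int] = set()
    for i in ks:
        # A child is usable for label i if it was satisfied under i, or it was
        # satisfied under another label and is marked as a translating node.
        usable = sum(1 for s, tr in results if i in s or (tr and s))
        if usable >= node.k:
            labels.add(i)
    return labels


def satisfies(tree: Node, ks: KeyStructure) -> bool:
    """The key structure satisfies the tree iff the root label set is nonempty."""
    return bool(satisfying_labels(tree, ks))


# Constructed sample input: the key structure described for Figure 2.
KS: KeyStructure = {
    0: {"Org: Central Hospital", "Dept: Cardiac Surgery"},
    1: {"Role: dean", "Staff level: intermediate"},
    2: {"Role: surgeon", "Staff level: senior"},
}

# All attributes come from set 1: satisfied under label 1.
SAME_SET = gate(2, leaf("Role: dean"), leaf("Staff level: intermediate"))
# "dean" is in set 1 and "senior" in set 2: mixing is refused.
MIXED = gate(2, leaf("Role: dean"), leaf("Staff level: senior"))
# Outer-set attribute AND an inner-set subtree, without / with translation.
CROSS_PLAIN = gate(2, leaf("Dept: Cardiac Surgery"),
                   gate(2, leaf("Role: surgeon"), leaf("Staff level: senior")))
CROSS_TRANSLATING = gate(2, leaf("Dept: Cardiac Surgery"),
                         gate(2, leaf("Role: surgeon"), leaf("Staff level: senior"),
                              translating=True))

if __name__ == "__main__":
    for name, tree in [("SAME_SET", SAME_SET), ("MIXED", MIXED),
                       ("CROSS_PLAIN", CROSS_PLAIN),
                       ("CROSS_TRANSLATING", CROSS_TRANSLATING)]:
        print(name, sorted(satisfying_labels(tree, KS)))
```

The `MIXED` policy is the case that matters for access control: a user cannot present himself as a "senior dean" by taking one attribute from each inner set unless the data owner marked the relevant nodes as translating.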

3.4. Cryptographic Background

Definition 4 (bilinear maps, see [39]). We consider two -ordered and groups that are multiplicative cyclic, where is a prime. are two generators of group . If satisfies the following properties,(1)Bilinearity: (2)Nondegeneracy: , is a generator of (3)Computability: is efficiently computable for all then, we call it a bilinear map.

Definition 5 (decisional bilinear Diffie–Hellman (DBDH) assumption, see [40]). Given two cyclic groups and and their orders are both the prime . Suppose a generator and a bilinear mapping . The DBDH problem is defined to find out the difference between and on inputting the tuple , where .
It is considered that DBDH assumption holds when no probabilistic polynomial time (PPT) adversaries can deal with the DBDH problem whose advantages are nonnegligible.

4. System Model

We present the system and adversary model as well as corresponding design goals for our proposal in this section.

4.1. System Model

Figure 3 shows the model of our system for HTR-DAC. It consists of six entities: Cloud Service Provider (CSP), Trusted Authority (TA), several Domain Authorities (DAs), Data User (DU), and Data Owner (DO), which are described below:
(i) CSP: the CSP has unlimited resources, such as computation and storage resources. It can provide cloud users with centralized services, e.g., storage service, data-sharing service, and outsourced computing.
(ii) TA: this entity takes charge of initializing the system with parameters and the master key for the whole system. It also supports user authentication in its domain and enrollment of top-level domain authorities.
(iii) DAs: DAs are organized in a hierarchical structure involving several top-level domain authorities and lower-level authorities. Each domain authority is responsible for managing the lower-level domain authorities, i.e., authenticating and generating master keys for the lower-level authorities in its domain. Moreover, each domain authority also takes charge of assigning secret attribute keys and transformation keys to cloud users.
(iv) DO: the DO uploads his important information to the CSP through all kinds of mobile devices. Before outsourcing these data, the DO needs to encrypt all of the data under a designated policy to ensure confidentiality and prevent unauthorized access.
(v) DU: the DU downloads the data from the CSP according to his requirements and decrypts the data if he has enough rights. He then recovers the correct plaintext after verification. If any DU conducts malicious activities, it will be revoked directly.

Then, we depict an overview for our HTR-DAC scheme based on the above system model involving the following four phases:
(i) Initialization. In this phase, TA initiates the whole system by generating the corresponding public key and master key. All entities are able to get the system public key.
(ii) Enrollment. In this phase, TA authenticates the top-level domain authorities and assigns them with the master keys. Recursively, each domain authority authenticates the domain authorities in the lower level within its domain and also creates master keys for them. Moreover, each domain authority manages cloud users in its domain by generating attribute keys and transformation keys for them after successful user authentication.
(iii) Encryption. In this phase, DO encrypts the sensitive and important data using symmetric encryption algorithm before uploading them to the CSP. Moreover, DO designates an access policy for the ciphertexts outsourced in CSP.
(iv) Decryption. In this phase, DU requests data files that he needs from CSP. After outsourced decryption, CSP returns the DU with the partially decrypted ciphertexts. Then, the DU verifies if the outsourced decryption is correct and recovers the plaintext according to the result of verification.

4.2. Adversary Model

In our proposal, the TA, DAs, and DO are regarded as fully trusted entities, while the CSP is considered untrusted and may intentionally leak or modify the content of sensitive data. Moreover, some unauthorized DUs may illegally access the sensitive data, which breaks data security and privacy. Besides, some DUs may conduct malicious activities for extra revenue.

According to the ability of the adversary, we classify the attacks into two types:
(1) Type-A attack: the adversary has insufficient privileges for data access, even if he is not revoked or the release time has arrived
(2) Type-B attack: the adversary has enough rights but attempts access before the relevant release time arrives

Focusing on these attacks, we take the following security requirements into consideration:
(i) Data confidentiality: the data generated by the DO and outsourced to the CSP should be secured against illegal sniffing and eavesdropping by attackers. Moreover, the outsourced data should not be accessible to any malicious party without sufficient access rights.
(ii) Collusion-resistance: the scheme should prevent users, none of whom is individually authorized, from colluding by combining their secret keys to access the shared data.
(iii) Revocability: any cloud user that conducts malicious activities should be revoked, and revoked users should lose all access rights.

In addition, the following aspects are also taken into consideration:
(i) Efficiency: as resource-limited mobile devices are used in cloud-based mobile crowdsensing, it is preferable for the DU to outsource the heavy computational burden of decryption to the CSP to improve efficiency
(ii) Verifiability: because the CSP is untrusted, the DU should be able to check whether the result of the outsourced decryption procedure is correct

5. Security Model

This section presents the formal definition and the security model for our proposed scheme.

5.1. Definition of Our HTR-DAC Scheme

We propose a CP-ABE scheme in which the authorities and users are in the hierarchical structure each of which manages the domain authorities at lower level and cloud users in its charge. Moreover, the attribute set of each user is formed in recursive attribute sets. Besides, the scheme can revoke users in a direct way. Specifically, the algorithms in our scheme are as follows:
(i): this procedure is executed by TA to initialize whole system. Given system security parameter and -depth of key structure, it outputs the system public parameters and the master key .
(ii): the procedure is executed by TA. Given , , and the compound attribute set of authority which is at the top level, it outputs the master key for .
(iii): the procedure is run by top level domain authority or the lower level domain authority managing the cloud user. On inputting of and the compound attribute set of the next-level domain authority or a cloud user , it returns the master key for domain authority or the secret attribute key for cloud user .
(iv): the procedure is executed by the corresponding domain authority to create transformation key pair for the cloud user. Given and the secret attribute key of the cloud user, it outputs the transformation key pair .
(v): this algorithm is run by DO to generate ciphertexts for fine-grained access control. It takes the system public parameters , the message to be encrypted, the designated access policy tree , and user revocation list as input and returns the ciphertext of .
(vi): the procedure is executed by TA to create time token at different fixed time points orderly. On inputting the system public parameters and the time point , the algorithm outputs the time token of the time point .
(vii): the procedure is run by CSP to expose the trapdoor in the access policy tree of ciphertexts stored in it. Given the system public parameters and time token , the algorithm outputs the exposed trapdoor .
(viii): the procedure is executed by CSP to partially decrypt the ciphertext. Given , the public transformation key of DU, and the ciphertext to be decrypted, it outputs the partially decrypted ciphertext .
(ix): this algorithm is executed by DU to recover the plaintext of the ciphertext. On inputting , the secret transformation key of DU, and denoting the partially decrypted ciphertext, the algorithm returns the plaintext .
(x): the procedure is executed by DU to verify if the outsourced decryption is correct. Given the system public parameters , the recovered random , verification code , and the symmetric ciphertext , the algorithm checks if the recovered random is correct, i.e., if CSP correctly executes outsourced decryption. Finally, it outputs the result of verification.

5.2. Security Model

Here, we describe the IND-CPA security model for our HTR-DAC scheme corresponding to the attacks described before and conduct a selective security game between an adversary and a challenger specified as follows:
Init: sends a challenge access policy tree and user revocation list to .
Setup 1: executes the algorithm of our scheme and outputs the public parameters to .
Phase 1: issues a polynomial number of queries , where belongs to the following queries:
(1) SK query: requests for secret key with an identity and a recursive attribute set that is unsatisfactory to before arriving at a time point . As a response, outputs the secret key and publishes a series of time tokens before and returns them to .
(2) TK query: issues queries for transformation key similar to that in SK Query. executes to generate transformation key pairs and send it to .
Challenge: finishes the above phase and issues two equal-length data and to . Then, randomly picks a bit and encrypts according to and and sends it to .
Phase 2: it is similar to Phase 1 and before a later time point .
Guess: publishes his guess for . If , he wins the security game. The advantage of is defined as .

Definition 6. An HTR-DAC scheme is indistinguishable against chosen-plaintext attack (CPA) if no probabilistic polynomial-time adversary can break the security game.

6. Proposed HTR-DAC Scheme

This section describes the concrete construction of our proposal. In particular, our scheme involves the following algorithms: , , , , , , , , , and , which are described in detail below.

6.1. Initialization Phase

(i): on inputting the security parameter and the depth of the key structure , the algorithm generates two multiplicative bilinear groups and of prime order with a generator of bilinear group and a bilinear map and selects random numbers , where which is used to represent the depth of key structure. Here, we take as an example. The algorithm chooses a probabilistic symmetric encryption scheme from a binary string to and selects collision-resistant hash functions , where and are the output length of hash function and , respectively. Then, the algorithm sets the time format . Next, it computes and outputs the system public key and master key as follows:

Finally, TA publishes and stores locally in secret.

6.2. Domain/User Enrollment Phase

In this phase, TA invokes the algorithm to generate the master key for a new valid top domain authority after receiving the request to take part in the system from . Subsequently, can manage the next-level domain authorities or users within its domain by calling the algorithm . As to a cloud user, TA also takes charge of the generation of transformation keys for users after they get their secret attribute keys from their domain authority:(i): on receiving the request from a domain authority at top level to take part in the system after being checked by TA, the algorithm generates master key for by selecting a random number . Then, it picks according to , where is each attribute set. Moreover, the algorithm picks according to , where is each attribute and and . The algorithm computes the master key for as follows:In the master key of a top-level domain authority, is used to translate of to of at the node. Meanwhile, and can translate to by computing .(ii): the algorithm is used to generate master key for a new domain authority or the attribute secret key of a user. Given the master key of , the algorithm picks for the user or domain authority, for each attribute set , and for each attribute . For different kinds of entity, the algorithm generates corresponding key for the entity.(1)If the entity is a domain authority (i.e., ), the algorithm generates the master key for as follows:(2)If the entity is a user with identity , the algorithm generates the attribute secret key for the user as follows:(iii): TA selects as the secret transformation key of the user and computes the public transform key , where

Finally, the algorithm outputs the transformation key pair for the cloud user who keeps the secret and publishes .

6.3. Encryption Phase

(1): on inputting , the data to be encrypted, the designated access policy tree , and the revocation list , the algorithm consists the following steps:(i)The algorithm chooses a random and computes as the symmetric encryption key. Then, it encrypts the data with to get , where is the symmetric encryption algorithm of our scheme. Moreover, the algorithm computes the verification code for , where .(ii)With the designate access policy tree whose root node is denoted by , the algorithm chooses a random number as the base secret value of and computes . Then, for each node in , the algorithm picks two random number and , which satisfy the following equation:(iii)Given the user revocation list , the algorithm selects a random for , where . Then, the algorithm computes the corresponding ciphertext component , where(iv)Then, for a trapdoor related to the time release and a secret parameter , DO picks a random number and generates of node as follows:(v)Next, the algorithm computes the ciphertext in a top-to-bottom way by executing the following steps:(1)For each nonleaf node with , the DO chooses a polynomial whose degree and . For each of ’s child node with a unique index , DO sets .(2)For a leaf node with and related attribute , the algorithm generates corresponding ciphertext components as follows:where is the leaf node set in .(3)For each translating node in , the algorithm computes the corresponding ciphertext component as follows:where is the translating node set in .

Finally, the DO outputs the ciphertext and uploads it to CSP.

6.4. Time-Release Phase

(i): as the system runs at a uniform time and the time is counted by the number of time point here. When each time point arrives, TA published a time token which can be received by each entity in the system.(ii): when CSP receives a at releasing time point published by CA, it finds all trapdoors related to time point in all access policies of files stored in CSP. For each of these trapdoors , the CSP computes the following equation:

Then, the CSP replaces these with for the ciphertexts of related files. Thus, if the above equation is correctly executed, the related trapdoor will be exposed to be .

6.5. Decryption Phase

The decryption phase involves the following algorithms:(i): the algorithm is executed by CSP for outsourced decryption of . As to each node , we have the exposed trapdoor, i.e., , as follows:The algorithm first runs to check if the key structure in satisfies the policy tree in . Then, the algorithm gets a label set for each node when it recursively runs . If does not satisfy , then the algorithm returns ; Otherwise, the algorithm chooses from label set returned by and performs as follows.For each leaf node , if , where belongs to the attribute set of DU and the trapdoor set upon the node has been correctly exposed, the CSP can execute as follows:For each nonleaf node with label , the algorithm directly executes as follows:(i)Firstly, assume be arbitrary -sized set of child nodes of the node , and we have only if or and is a translating node. If no such set exists, it returns null.(ii)Moreover, for each node , if , the algorithm executes and gets its output , and if , the algorithm executes and gets . Then, the algorithm translates to by computing the following:(iii)Furthermore, the algorithm computes according to polynomial interpolation by , where and . Thus, it gets the result as(iv)In addition, the algorithm executes on root node and gets in a bottom-up way. Then, it outputs the final result as follows:(v)Later, the algorithm computes:

Finally, the CSP sends partially decrypted ciphertext to the DU.

(i): after receiving the system public parameters , the secret transformation key , and the partially decrypted ciphertext , the algorithm gets the random element by computing . If the algorithm returns , it computes and recovers the plaintext . Otherwise, it outputs .

(ii): on inputting a recovered random element , the DU computes and checks the following equations:

If equation (19) holds, the algorithm outputs . Otherwise, it outputs .
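The bottom-up recovery over the policy tree described above (leaf checks, "returns null" when no satisfied child set exists, polynomial interpolation at nonleaf nodes) can be illustrated with the following added example, which is not the authors' implementation. It is a simplification: shares are plain field elements instead of group elements combined by pairings, translating nodes are omitted, and the field modulus, the dictionary layout, the attribute names, and modeling an exposed trapdoor as membership in a set of released time points are all assumptions.

```python
import random
P = 2**127 - 1  # toy prime field (assumption; the scheme itself works in a pairing group)

def share(node, secret, rng, out):
    """Top-down: split `secret` over the policy tree; leaf shares are collected in `out`."""
    if node["kind"] == "leaf":
        out[node["id"]] = secret
        return out
    # random polynomial q of degree k-1 with q(0) = secret
    coeffs = [secret] + [rng.randrange(P) for _ in range(node["k"] - 1)]
    for idx, child in enumerate(node["children"], start=1):
        y = sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, rng, out)
    return out

def lagrange_at_zero(points):
    """Interpolate q(0) from [(x, y), ...] over GF(P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(node, shares, attrs, released):
    """Bottom-up: return the node's secret, or None if the node is not satisfied."""
    if node["kind"] == "leaf":
        t = node.get("release")  # None: no time trapdoor on this leaf
        ok = node["attr"] in attrs and (t is None or t in released)
        return shares[node["id"]] if ok else None
    vals = ((i, recover(c, shares, attrs, released)) for i, c in enumerate(node["children"], 1))
    pts = [(i, v) for i, v in vals if v is not None]
    if len(pts) < node["k"]:
        return None  # no k-sized set of satisfied children exists
    return lagrange_at_zero(pts[:node["k"]])

# Constructed policy: (doctor AND cardiology) OR (auditor, only once time point 5 is released)
POLICY = {"kind": "gate", "k": 1, "children": [
    {"kind": "gate", "k": 2, "children": [
        {"kind": "leaf", "id": "a", "attr": "doctor"},
        {"kind": "leaf", "id": "b", "attr": "cardiology"}]},
    {"kind": "leaf", "id": "c", "attr": "auditor", "release": 5}]}

def demo(attrs, released, secret=424242):
    shares = share(POLICY, secret, random.Random(7), {})
    return recover(POLICY, shares, set(attrs), set(released))
```

A user holding a matching attribute still gets `None` from `demo` until the time point attached to that leaf has been released, which is the time-sensitive behavior the leaf-node condition describes.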

7. Security Analysis

This section presents the formal security analysis for HTR-DAC.

Theorem 1. Our scheme achieves soundness if and only if the data user has enough rights and correct exposed trapdoors.

Proof. If and only if the data user has enough rights and correct exposed trapdoors, we have the following equations.
For each node , suppose , and we have

Then, for each , if , the translating procedure is performed as follows:

(i) If ,

(ii) If ,

Finally, we have

Therefore, the proposed HTR-DAC is sound if and only if the data user has enough rights and correct exposed trapdoors.

Theorem 2. No PPT adversaries can selectively win the security game of our scheme with an advantage that is nonnegligible on condition the DBDH assumption holds.

Proof. If the adversary has a nonnegligible advantage in selectively breaking the security game against our scheme, we can create a simulator who is able to distinguish a DBDH parameter from a random parameter with an identical advantage to that of .

Init: the simulator of DBDH game creates the bilinear group , where and . It then selects randoms and . If , the challenger generates a tuple ; otherwise, it generates . then sends the tuple to . In the meantime, the adversary submits a selected challenging access policy tree , a revocation list , and a time point to challenger of our scheme.

Setup 2: after the challenger gets the DBDH tuple and bilinear group from , it randomly chooses and hash functions . Then, for Type-A attack, computes , and for Type-B attack, it simulates . also simulates , where . Finally, generates system public parameters , and the master key . It keeps the privately and sends the to the adversary .

Phase 3: the adversary submits a series of queries for secret key and transformation key as follows:

(i) SK query: requests for secret key with his identity that and a recursive attribute set that is unsatisfactory to at time . Then, computes . For all , it generates , and for all , it computes , where and are randomly picked. For Type-B attack, designates a time point at which the recursive attribute set satisfies and computes , where . Finally, returns to and publishes .

(ii) TK query: similar to the SK query, the challenger runs algorithm to generate transformation key pair and sends them to .

Challenge: the adversary finishes the Phase 1 and submits two data and with equal length to . First, picks and computes . For each in the submitted user revocation list , chooses a random number so that and computes . Then, according to the challenging access policy tree , , if it is related to a trapdoor, chooses a random ; otherwise, it sets . Next, computes , where and is a -sized polynomial. It also designates the translating node set in and computes for each node . Finally, the challenger returns the ciphertext to . For Type-B attack, acts as [12].

With respect to the adversary , when , , and according to the decryption procedure, the adversary can get from . Nevertheless, when , is a random element. Thus, cannot get any information about from .

Phase 4: the adversary repeats the procedures in Phase 1 with the same restriction that the and the attribute set in queries do not satisfy .

Guess: the adversary outputs the guess of bit . If , the challenger guesses with his output 0; otherwise, it guesses as a random element. If the adversary has the advantage of , then the challenger can break the DBDH game with advantage given that the variables and are independent. The computation of the advantage for is the same as in [12].

In conclusion, if an adversary can win the security game of our scheme with a nonnegligible advantage , then the challenger can break the DBDH game with identical advantage. Therefore, our scheme is IND-CPA secure in our security model.

8. Performance Evaluation

Here, we analyze the performance for our scheme in functional, theoretical, and experimental respects.

First of all, we present the function comparison between our scheme and some existing related CP-ABE schemes, i.e., [8, 12, 37, 41–43], as shown in Table 2. We observe that our HTR-DAC scheme supports hierarchical authorities and users, time-sensitive data sharing, large universe, direct revocability, efficient decryption, and verifiability, simultaneously, which are more flexible and scalable than others. Then, to demonstrate the theoretical performance evaluation, we compare the computation complexity and storage complexity of our scheme with that of the state-of-the-art scheme in [12]. The comparison results are shown in Table 3, which summarizes the complexity of , , , , and denoting the computation complexity of encryption, decryption, and key generation algorithms, as well as the storage complexity of the public parameter size and user key size, respectively.

To obtain a precise evaluation of the performance, we implement our scheme and the scheme of [12] in the Java programming language with the Java Pairing-Based Cryptography library (JPBC) [44], which supports pairing, exponentiation, addition, multiplication, and inversion operations in finite fields and groups. In our implementation, we adopt the Type A curve with prime order. It is defined over a 160 bit elliptic curve group and a 512 bit finite field. Moreover, our experimental simulations are conducted on a Windows system equipped with an Intel Core i5 2.13 GHz CPU and 8.00 GB of RAM.

Before our analysis, we let denote the size of leaf node set, nonleaf node set, translating node set, trapdoor set in access policy tree , and the size of revocation list. denote the exponential operation and the multiplication operation in as well as the pairing and hash function operations. denote the length of elements in , respectively. The symbols denote the number of sets and attributes in a recursive attribute set.

Figure 4 shows the actual performance of in both schemes. We notice that the computational cost of encryption in the other scheme is affected by the number of leaf nodes and the number of trapdoors in access policy tree , while our scheme is additionally affected by the size of the translating node set and the revocation list. These two additional factors are brought about by the features of user key structure and direct revocation in our scheme and incur extra computation in encryption. In our experiments, we set and adjust the value of . Figure 4 shows the actual time cost for different numbers of translating nodes. With the same access policy and fixed size of revocation list, the time cost in our scheme is more, and as the number of translating nodes grows, the gap becomes larger. However, we notice that the difference between two schemes is tiny on the whole.

In Figure 5, we describe the comparison of time cost in algorithm for the two schemes. We notice that, within the same size of user attribute set, the decryption time cost in our scheme is smaller and nearly constant as the number of ciphertexts grows, while in scheme [12], it is far more and linear with the growth of the number of ciphertexts. In theory, the computation complexity in our scheme and the other are and , respectively. In our experiments, we set . It is obvious from the figure that the computation complexity in our scheme is constant and far smaller while that of the other scheme is affected by the size of the user attribute set. Moreover, within the same size of the user attribute set, the time cost of decryption for one data file is far more than that of our scheme, and as the number of ciphertexts grows, the gap becomes larger.

Figure 6 shows the actual performance of key generation procedure in the two schemes. From the theoretical analysis, the computation complexity of our scheme and the other are and , respectively, which means the time cost in key generation in our scheme is affected by not only the number of attributes of a user but also the attribute sets of a user in his key structure , which will incur extra time cost. Moreover, as the figure shows, the time cost in our scheme for key generation in the same number of user attributes is nearly the same as that of the scheme [12]. As the number of attribute set in key structure grows, the gap is still very small. We can infer that the difference in time cost for key generation between the two schemes is tiny.

Figure 7 depicts the storage overhead for our scheme and the scheme [12]. We notice that the actual storage overhead in system public parameters, as Figure 7(a) shows, is larger in our scheme as we take the storage complexity of in our scheme which is more than of the other scheme. This is because, in our scheme, to adapt to hierarchical users, we need more parameters for each level of user hierarchy. Moreover, in Figure 7(b), the storage overhead of user key size in our scheme is both smaller and constant while that of the other scheme is far more and proportional to the size of user attribute set. As we introduce outsourced decryption, the user key size just costs in storage while that of the other scheme costs . Thus, we greatly lower the storage cost for key size.

In conclusion, our scheme outperforms existing related schemes in terms of both efficiency and storage overhead. Thus, it is more suitable for the environment of mobile crowdsensing.

9. Conclusion

Ensuring fine granularity for time-sensitive data-sharing service in MCS across hierarchical users with recursive attribute sets and revocability is a big challenge. In our work, we propose a hierarchical and time-sensitive data access control scheme with revocability in cloud-based mobile crowdsensing. Our proposal realizes the properties of fine-grained access control, large attribute universe, hierarchical user, and revocability, which suits data-sharing applications in MCS. Besides, we discuss the security and present a precise performance evaluation by implementing our scheme and conducting extensive experimental simulations, which demonstrate its efficiency and practicality.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was funded by the National Natural Science Foundation of China (nos. 61902291 and 62072352), China Postdoctoral Science Foundation Funded Project (2019M653567), National Natural Science Foundation of Shaanxi Province (2019JM-425), and Fundamental Research Funds for the Central Universities (JB191507).