Practical Multiauthority Attribute-Based Access Control for Edge-Cloud-Aided Internet of Things

Huang, Kaiqing; Wang, Xueli; Lin, Zhiqiang

doi:https://doi.org/10.1155/2021/8872699

Security and Communication Networks

On this page

Abstract Introduction Preliminaries System Model Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2021 | Article ID 8872699 | https://doi.org/10.1155/2021/8872699

Practical Multiauthority Attribute-Based Access Control for Edge-Cloud-Aided Internet of Things

Kaiqing Huang,^1,2Xueli Wang,²and Zhiqiang Lin³

Academic Editor: Salvatore D'Antonio

Received28 Jun 2020

Revised11 Nov 2020

Accepted29 Nov 2020

Published02 Feb 2021

Abstract

With the assistance of edge computing which reduces the heavy burden of the cloud center server by using the network edge servers, the Internet of Things (IoTs) architectures enable low latency for real-time devices and applications. However, there still exist security challenges on data access control for the IoT. Multiauthority attribute-based encryption (MA-ABE) is a promising technique to achieve access control over encrypted data in cross-domain applications. Based on the characteristics and technical requirements of the IoT, we propose an efficient fine-grained revocable large universe multiauthority access control scheme. In the proposed scheme, the most expensive encryption operations have been executed in the user’s initialization phase by adding a reusable ciphertext pool besides splitting the encryption algorithm to online encryption and offline encryption. Massive decryption operations are outsourced to the near-edge servers for reducing the computation overhead of decryption. An efficient revocation mechanism is designed to change users’ access privileges dynamically. Moreover, the scheme supports ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves system resources. With the help of the chameleon hash function, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption. The performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.

1. Introduction

With the development of the 5G network and the Internet of Things (IoTs) technology, more and more objects are connected to the network via information sensing devices which generate a huge amount of data [1, 2]. Cisco predicted that the total amount of data created (and not necessarily stored) by any device will reach 847 ZB per year by 2021 [3].

In traditional cloud computing modes, these massive data are all sent to the cloud for storing and processing, which consumes a large amount of network bandwidth and computing resources. Moreover, massive access requests from users may lead to service interruption and generate traffic overload or even network delay, etc. As a result, the edge computing model is proposed to offload computing tasks to edge servers [4–9].

In an edge computing model, the network edge servers near the data source will preliminarily handle the data and tasks and serves the adjacent devices in time. Then, it selectively sends the important data to the core network (cloud). Consequently, the edge servers reduce the load of cloud centers and ensure efficient network operation for improved services.

However, edge computing is facing some new challenging issues [4–9]. On the one hand, the users’ data are mostly privacy-sensitive. A good way to ensure data security and privacy protection is that the data are encrypted before being outsourced and only allow authorized users to access it. On the other hand, users frequently enter and leave the network, and their access privileges change dynamically, which makes the access control of users’ data complex and dynamic. Unfortunately, it is difficult for traditional access control technology to deal with the above problems in such a complex edge computing environment. Therefore, an efficient lightweight data encryption mechanism with fine-grained access control is indispensable for the IoT.

Attribute-based encryption (ABE) is a promising technique (cryptosystem) for protecting data confidentiality and dynamic fine-grained authorized access control through the attribute management, with which the data owners can encrypt data files according to the attribute of the target recipients without knowing their exact identities.

In 2005, Sahai and Waters introduced fuzzy identity-based encryption (FIBE) which can be applied to enable encryption using error-tolerance biometric inputs as identities. Moreover, FIBE is extended into attribute-based encryption (ABE) by defining the biometric identity as a set of attributes [10]. In 2006, Goyal et al. distinguished ABE into key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE) [11]. In KP-ABE, secret keys are associated with access policies, and ciphertexts are associated with attributes, while in CP-ABE, the ciphertexts are associated with access policies, and secret keys are associated with attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. Goyal et al. gave a secure construction of KP-ABE [11], and Bethencourt et al. presented a secure CP-ABE construction against collusion attacks in the generic group model [12]. In 2008, Goyal et al. presented the first construction of a ciphertext-policy attribute-based encryption scheme with a security proof based on a number-theoretic assumption [13]. In 2011, Waters presented the first CP-ABE construction which is proven selectively secure under the decisional parallel bilinear Diffie-Hellman exponent (PBDHE) assumption in the standard model. In 2013, Rouselakis and Waters proposed two large universe attribute-based encryption constructions (CP-ABE and KP-ABE) on prime-order bilinear groups. Both schemes are selectively secure in the standard model under two “q-type” assumptions [14]. However, all these schemes are single-authority ABE.

1.1. Issues and Related Work

Attribute-based access control in the IoT should efficiently address some practical issues in the following details.

Firstly, the massive data produced in the IoT are used in large-scale cross-domain applications. Multipart collaborative (MPC) is one of the motivating scenarios, where data owners want to share their data across different domains and organizations. To illustrate, in a multiexpert cooperative diagnosis system, a patient Alice may need to share her medical data generated by medical wearing equipment with different experts in different affiliations. She defines the access policy as “surgeon@hospital A” or “surgeon@hospital B and medical researcher@research center C,” where the attributes “surgeon@hospital A,” “surgeon@hospital B,” and “medical researcher@research center C” are issued by “hospital A,” “hospital B,” and “research center C,” respectively. In this scenario, three authorities, “hospital A,” “hospital B,” and “research center C,” are needed. Meanwhile, in ABE schemes, if the system attribute universe is “small,” the attributes are fixed and enumerated at system setup, which is not practical in the IoT. Conversely, in “large universe” construction, any string can be used as an attribute, and the attributes are not necessarily enumerated at system setup, which is more flexible and practical for the IoT.

To deal with the scenario that the users’ attributes are issued by different authorities in the same system, Chase proposed multiauthority attribute-based encryption, which is the first construction to support multiple attribute authorities in 2007 [15]. In 2009, Chase and Chow proposed a solution that removes the trusted central authority and protects the users’ privacy by preventing the authorities from pooling their information on particular users [16]. In 2011, Lewko and Waters proposed the first fully secure multiauthority ciphertext-policy attribute-based encryption system which does not require any central authority and collision resistance. They proved their system secure using the dual system encryption methodology in the random oracle model [17]. In 2011, Liu et al. proposed a new multiauthority CP-ABE system which is adaptively secure in the standard model with adaptive authority corruption and can support the large attribute universe [18]. In 2015, Rouselakis and Waters proposed an efficient large-universe multiauthority ciphertext-policy attribute-based encryption system, which uses the significantly faster prime-order bilinear groups rather than composite order groups [19].

Secondly, in the IoT, data users may change their subscription or leave the system, which results in losing part of the access privileges or all the access privileges. To protect the interests of the data owners, an efficient and secure revocation mechanism must be designed. In the above example, an expert Bower with the attribute set “surgeon@hospital B, medical researcher@research center C” departures from research center C, then he loses the privilege to access Alice’s encrypted data. To avoid Alice’s privacy disclosure, the authority “research center C” should revoke Bower’s attribute “medical researcher@research center C.” Similarly, when Bower departures from the multiexpert cooperative diagnosis system, Bower should be revoked from the system. When the attribute “medical researcher@research center C” is dropped by the authority “research center C,” it also should be revoked.

To solve the security problems brought by the dynamic change in users’ access privilege, researchers have come up with revocable ABE. In 2008, Boldyreva et al. firstly proposed an ABE scheme with indirect user revocation. The sender encrypts with the present time slot regarded as an attribute. The authority who possesses the current revocation list, periodically announces the key update material so that only unrevoked users can update their key and decrypt ciphertexts [20]. In 2009, Attrapadung and Imai proposed an ABE system with direct user revocation. It allows senders to specify the revocation list directly when encrypting [21]. The authority does not need to update the secret key concerning the revoked attribute for each nonrevoked user. But it should publish a revocation list and the data users are required to synchronize this revocation list all the time, which makes it not suitable for large-scale systems. It still faces a backward security problem that the revoked users can access the old data they were authorized to access before being revoked. In 2009, Attrapadung and Imai presented the first hybrid revocable ABE scheme that allows senders to select on-the-fly whether to use either direct or indirect revocation mode when encrypting [22]. In 2011, based on the subset-cover revocation framework [23], Hur et al. proposed an access control mechanism using CP-ABE to enforce access control policies with efficient attribute and user revocation capability [24]. In 2012, Sahai et al. introduced the concept of revocable storage and proposed the revocable ABE by updating keys and CSP by updating ciphertext without accessing any secret information, and the updated ciphertexts are no longer decryptable by revoked users, but the schemes are inefficient [25]. In 2013, Yang et al. constructed a new multiauthority CP-ABE scheme and designed an attribute revocation method that can achieve both forward security and backward security, which is secure under weaker security assumptions [26]. However, the scheme only supports the small attribute universe. In 2017, Li et al. provided a CP-ABE scheme with efficient user revocation by introducing the concept of user group [27].

Thirdly, in ABE, bilinear pairing operation is an expensive computation cost, and its number increases along with the number of attributes involved in the access structure. The drawback of high computation overhead in the ABE schemes with multifunction becomes more serious for resource-constrained users such as mobile devices, sensors, and medical wearing equipment [28]. To save energy for the resource-constrained users and ensure the rapid generation and acquisition of the data, some technologies should be used to reduce the computational overhead both in the encryption phase and the decryption phase.

For eliminating the overhead of decryption for users, Matthew Green et al. [29] gave the methods for efficiently and securely outsourcing decryption which offloads most decryption operations to a third-part server provider and returns a partial decryption ciphertext. The user performs only a little time of exponential operation to recover the plaintext. In 2013, Lai et al. firstly constructed a concrete ABE scheme with verifiable outsourced decryption which allows for verifiability of the partial decryption ciphertext [30]. Li et al. proposed a new secure outsourced ABE system, which supports both secure outsourced key-issuing and decryption with checkability of the outsourced computation results in an efficient way [31]. There are also some works to make verifiable outsourced decryption more efficiently and securely in ABE [32–34].

Meanwhile, for saving online computation, Hohenberger and Waters proposed the first online/offline ABE [35] which splits the encryption into two phases: the data owner does as much precomputation as possible to encrypt a message or create a secret key in the offline phase and rapidly assembles a ciphertext or key in the online phase. It is a promising technique for resource-limited devices. In 2018, Li et al. proposed a new scheme that eliminates a majority of the encryption computation task by adding system public parameters [36].

Last but not the least, it may be that the data owner device makes an error to generate the wrong ciphertext, or the malicious user generates many wrong ciphertexts to attack the system. These wrong ciphertext not only waste system resources but also waste user resources. For example, it wastes data user resources to decrypt the error ciphertext which returns an error result even though his attributes satisfy the access structure. A ciphertext verification algorithm should be used to eliminate invalid ciphertexts as much as possible. In 2014, Liu et al. proposed a KP-ABE scheme with the public ciphertext test, but the verify equations grow linearly with the number of the attributes involved in the access structure, which requires high computation overhead [37].

1.2. Motivation and Contributions

Recently, there have been many researchers who proposed the multifunctional MA-ABE system trying to meet the above needs, but no one solving all the issues simultaneously. In 2017, De and Ruj proposed a decentralized attribute-based encryption scheme with online/offline encryption, outsourced decryption, and user revocation, but their scheme only supports the small universe [38]. In 2018, Liu et al. designed an MA-ABE scheme that simultaneously supports the large attribute universe, outsourcing decryption, and attribute revocation, but their scheme is statically secure, without online/offline encryption and ciphertext publicly verifiable [39]. In 2019, Li et al. constructed a CCA2-secure publicly verifiable revocable large-universe multiauthority attribute-based encryption, but their scheme does not support online/offline encryption and outsourcing decryption [40]. In their scheme, the verify equations grow linearly with the number of the attributes involved in the access structure, which require high computation overhead. Moreover, if the user’s some attributes involved in the ciphertext are revoked, she/he will fail to verify the validity of the ciphertext even though her/his rest attributes still have the access privilege to the ciphertext.

As we revisited the existing ABE schemes, no one simultaneously solves all the practical issues. Most of them only concentrate on solving one specific issue. A few schemes try to solve some issues but cause new problems. Therefore, we designed an efficient, CCA2-secure, flexible, fine-grained access control scheme for the IoT using edge computing, which can solve the above issues efficiently. The proposed scheme meets the need of the large-scale multidomain collaboration in the IoT by using multiauthority attribute-based encryption with the large attribute universe. More contributions are as follows:(1)By adding a reusable ciphertext pool, the most expensive encryption operations have been executed in the user’s initialization phase, which minimizes the offline/online encryption computation. At the same time, the near-edge servers can perform the major decryption with the help of transformed keys given by the data user. As a result, the computation overhead of encryption and decryption is substantially reduced both on the data owner and user sides, so the scheme is suitable for the resource-constrained users in the IoT.(2)The proposed scheme designs a fine-grained revocation mechanism to revoke an attribute from the user, by which the user or the attribute can be revoked from the system. So, it can change the user’s access privilege timely and is fit for the dynamic IoT.(3)The scheme supports efficient ciphertext verification, and only valid ciphertext can be stored and transmitted, which saves the system resources. For reducing the computation overhead, we combine all the verify equations into one equation like a “hash function” which reduces expensive pairing operation. Moreover, the user can verify the validity of the ciphertext even though some attributes involved in the ciphertext are revoked, only if the rest of her/his attributes still have the access privilege to the ciphertext.(4)With the help of the chameleon hash function, the simulator successfully prepares the challenge ciphertext with the dummy attribute in the security proof. Consequently, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption, which is more secure than the previous scheme. The performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.

2. Preliminaries

2.1. Notations

In order to facilitate the understanding, we explain some notations used throughout this article in Table 1.

2.2. Bilinear Pairings and Complexity Assumption

Definition 1. (bilinear pairings). Let and be the cyclic multiplicative groups with prime order . The identities of and are denoted as and , respectively. We say a map is a bilinear pairing if it satisfies the following properties:(1)Bilinear. .(2)Nondegenerate. .(3)Computable. There is an efficient algorithm to compute .

Definition 2. (q-DPBDHE2 problem [41]). Let and be the bilinear groups with prime order and be a generator of . is a bilinear map defined on . Pick and . Givenand the algorithm is asked to distinguish from .

Definition 3. (q-DPBDHE2 assumption [41]). The q-DPBDHE2 assumption holds in if no probabilistic polynomial time algorithm has probability at least in solving the q-DPBDHE2 problem in for nonnegligible .

2.3. Access Structures and Linear Secret-Sharing Schemes

Definition 4. (access structure [42]). Let be a set of parties. A collection is monotone if and then . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) of nonempty subsets of P, i.e., . The sets in are called the authorized sets, and the sets not in are called the unauthorized sets.
In the attribute-based encryption scheme, the parties are replaced by the attributes. An access structure will contain some authorized sets of attributes. Similarly, we restrict our attention to monotone access structures. From now on, by an access structure, we mean a monotone access structure.

Definition 5. (linear secret-sharing schemes (LSSS)) [42]). Let p be a prime and U the attribute universe. A secret-sharing scheme with domain of secrets realizing access structures on U is linear over if the following holds:(1)The shares of a secret for each attribute form a vector over .(2)For each access structure on U, there exists a matrix , called the share-generating matrix, and a function that labels the rows of M with attributes from U, i.e., , which satisfies the following: during the generation of the shares, we consider the column vector , where . Then, the vector of shares of the secret s according to is equal to . The share where “belongs” to attribute . We will be referring to the pair as the policy of the access structure .

2.4. Chameleon Hash Functions

A chameleon hash function consists of three polynomial time algorithms as follows [43]: KeyGen: it takes the security parameter as input and outputs a secret key and the corresponding public key . : it takes in the public key , a message , and an auxiliary parameter and then outputs the hashed value . TCollision: it takes as inputs the secret key , a message with its auxiliary parameter , and another and outputs another auxiliary parameter such that .

A secure chameleon hash function satisfies the requirements of collision resistance and uniformity. All messages induce the same probability distribution on for chosen uniformly at random. There is no efficient algorithm that takes as input the Chameleon hash public key to find two pairs , where such that except with negligible probability. Only the one who knows the chameleon hash secret key can find collision for every given input efficiently.

2.5. Subset-Cover Revocation Framework

Naor et al. proposed the subset-cover revocation framework [23] and described two algorithms: the complete subtree method and the subset difference method. We can realize the revocation in ABE based on the complete subtree method.

As shown in Figure 1, firstly, it establishes a binary state tree . Each user is assigned as a leaf node . Let denote a node and denote the left (right) child of . records all the nodes which are on the path from to the root. If a user is revoked, will be added into the revocation list . MinSubCover is an algorithm to generate the minimum subset cover whose descendant nodes cover all the unrevoked users (Algorithm 1).

(1)
(2)	for do
(3)	add to
(4)	end for
(5)	for do
(6)	if then
(7)	add to
(8)	end if
(9)	if then
(10)	add to
(11)	end if
(12)	end for
(13)	if then
(14)	add root to
(15)	end if
(16)	return

As shown in Figure 1, there are eight users . If the user is revoked, would be added into , and the MinSubCover outputs .

3. System Model and Security Model

3.1. System Model

As shown in Figure 2, our efficient CCA2-secure flexible fine-grained access control for the IoT by using edge computing consists of the following entities:

Central authority (CA): CA is a trusted entity that initializes the system by setting up the global public parameters. Moreover, it is responsible for the registration of users and authorized attribute authorities. CA assigns each user a unique identity , and each attribute authority is a unique identity . Attribute authority (AA): AA is a trusted entity that manages the users’ attributes. Each AA is an independent attribute authority and manages a disjoint attribute set, respectively, which means that each attribute is associated with a single AA. Each AA issues its public key, authenticates users’ attribute sets, and generates the corresponding private keys for them. It also can revoke and update users’ attributes by using attribute keys. Cloud service provider (CSP): CSP is semitrusted (honest-but-curious). It will honestly and correctly execute the tasks but be curious about the data messages which it receives. CSP will not conclude with the malicious users. It stores the valid ciphertexts which are sent from ESP. Edge service provider (ESP): ESP is semitrusted (honest-but-curious) and will not conclude with the malicious users. It has both computing capability and large storage. It is geographically close to the users (data owners and data users). ESP receives the ciphertext from users and re-encrypts the valid ciphertext by using attribute keys after verifying the validity of ciphertext and then sends the legal data to CSP for permanent storage. It is also in charge of re-encrypting and updating the ciphertext when a revocation happens. Furthermore, it provides partial decryption of ciphertext for some resource-limited users if they require it. Data owner (DO): to ensure data confidentiality and achieve flexible access to data, DO has two methods to encrypt data before uploading data to ESP. One is DO directly encrypting the data file under an access policy about who can get access to the data. The other is DO firstly encrypting the data file using a symmetric encryption algorithm which is a lightweight encryption method and then encrypting the symmetric key under the access policy. Data user (DU): each DU is assigned a global user identity by CA. DU obtains a set of attributes privileges and corresponding decryption private keys from authorities. DU can freely get any encrypted data from ESP and decrypt the ciphertext if and only if his/her attribute set satisfies the access policy. Moreover, some resource-limited users can outsource decryption to ESP.

3.2. Framework

This system mainly contains the following polynomial time algorithms: GlobalSetup: the global set up algorithm is run by CA to set up the system. It takes the system security parameter as input and outputs the system master key and the global public parameters . AASetup: the attribute authority set up algorithm is run by attribute authorities. It takes the authority’s identity as input and sets up the authority’s public key and secret key. The authority keeps the secret key and publishes the public key . UKeyGen: the user key generation algorithm is run by the authority . It takes the data user’s identity , his attribute , and the authority’s secret key as input and outputs the private key for the user , where the path key is generated by the attribute key generation algorithm. AttrKeyGen: the attribute key generation algorithm is run by the authority . Firstly, if the binary state tree has not been set up, it establishes an and initializes a revocation list , then chooses a random number as the attribute key. Each user with the attribute is assigned as a leaf node, and it increases the height with users increasing. For each node in the tree, it randomly picks . denotes the path of the user from its leaf node to the root node, then is the path key for the user which is the key used to recover . Finally, it sends to the user and then publishes and shares with ESP and CSP. CPoolGen: the ciphertext pool generation algorithm is run by data owners. It takes the data owner’s identity , the global public parameters , the authorities’ public keys as input and chooses an integer to determine the size of the attributes will be associated with any ciphertext and then outputs the immediate ciphertext pool . is saved in the encryption algorithm and can be reused. Moreover, it can be updated by the user whenever a new attribute authority joins the system or the data owner increases the size of attributes for improving the expressiveness. Enoff: the offline encryption algorithm is run by data owners. It takes the global public parameters as input and outputs the offline ciphertext . Enon: the online encryption algorithm is run by data owners. It takes a plaintext message , an access structure , the global public parameters , the immediate ciphertext pool , and an offline ciphertext as input and outputs the ciphertext . PublicTest: the public test algorithm can be run by any role in the system if she/he feels she/he needs it. It takes the global public parameters , part of ciphertext which is to be tested, the authorities’ public keys as input, and outputs if the ciphertext is valid. CReEnc: the algorithm is run by ESP. It firstly verifies the validity of the ciphertext by the algorithm PublicTest , where . If the public test algorithm outputs , it re-encrypts the ciphertext by using the latest attribute keys and outputs the new ciphertext . At last, ESP sends the ciphertext to CSP and drops the original ciphertext . Decrypt : the decryption algorithm is run by the data user with a set of attributes which wants to decrypt the ciphertext . If , the algorithm outputs . Otherwise, it outputs the message . The data user can choose to outsource decryption if he owns limited resource or for saving resource. This feature is implemented in the following three algorithms: TKGen: this algorithm is run by data users. It chooses a random numbers as the retrieving key , takes the unrevoked attributes private key , , and as input, then outputs the transformation key and the primitive ciphertext . PartialDec: this algorithm is run by ESP. It takes and as input and then outputs the partial decrypted ciphertext to the user. FullDec: this algorithm is run by data users. It works out the massage by using and . Revoke : this algorithm is run by attribute authorities. It takes the attribute and the user as input then publishes and outputs the update key for ESP and CSP to update the ciphertext and the attribute key, where is the new attribute key.

If wants to revoke the attribute from the system, it only sets all the users who own into and run the above operation.

If the system wants to revoke the user from the system, it asks all the involved attribute authorities to revoke all the involved attributes from the user , by running the above operation.

3.3. Security Model

In this section, our security model is similar to that in [40] which is named indistinguishability against selective authority and access policy and statically chosen-ciphertext attacks (IND-sAA-sCCA2). At the beginning of the security game, the adversary should claim the access policy which it will challenge, and it should also claim the corrupt authorities. The challenge message can be encrypted by some attributes from some of these corrupt authorities but should at least one attribute from an honest authority, which means that the ciphertext still cannot be attacked successfully if only part of the encrypted attributes is from corrupted authorities.

The security game played between adversary and challenger is as follows: Init: adversary selects a challenge access policy and a set of corrupt authorities and sends it to the challenger . Global setup: the challenger runs the GlobalSetup () algorithm to get a system master key and the global public parameters . It keeps and sends to . Phase 1: the adversary issues a polynomially bounded number of queries statically: Authority’s public key queries: submits a set of the noncorrupt authorities, and replies to with the corresponding public keys. can create the public keys of the corrupt authorities by itself. User’s secret key queries: submits some users identity and a set of his all attributes , gives the secret keys. If satisfies , revokes one of these attributes from all users. TransformKey queries: submits some users with a set of his all attributes , where there is no sense querying the transformation key for the same user who has been queried the secret key. Then, gives the transformation keys. CReEncryption queries: submits some ciphertext, then re-encrypts the ciphertext with the latest attribute keys and return them to . Decryption queries: submits a ciphertext and returns the message if the ciphertext is legitimate. Revocation queries: queries to revoke some users with a set of attributes. runs the algorithm Revoke to get the update keys and then re-encryptes the ciphertext with the latest update keys. Challenge: submits to two equal-length messages and . firstly randomly flips coin and encrypts with . Then, it re-encryptes the ciphertext by the latest attribute keys and sends to . Phase 2: the same as Phase 1, except that cannot make the secret key query for the selected access policy or make decryption query for the challenge ciphertext. Guess: outputs a guess bit and wins the game if .

Definition 6. The proposed scheme is indistinguishable against selective authority and access policy and statically chosen-ciphertext attacks if no probabilistic polynomial time adversary can break the above security game with a nonnegligible advantage.

4. Concrete Scheme

In this section, we present the concrete construction of our efficient CCA2-secure flexible fine-grained access control scheme for the IoT using edge computing based on prime-order bilinear groups which perform more efficiently than composite-order bilinear groups as follows: GlobalSetup: this algorithm is run by CA. It takes the system security parameter as input. It chooses two suitable multiplicative cyclic groups and with large prime-order . Let be a generator of and defines a bilinear map on . The attribute universe is . denotes the set of all attribute authorities. Additionally, it chooses three functions , , and . maps user identities to elements of . maps attributes to elements of . maps each attribute to the unique attribute authority who controls it. It picks a secure chameleon hash function and runs the algorithm to obtain a chameleon hash key pair . Finally, it picks two random numbers and computes and . This algorithm outputs the system master key and the global public parameters . AASetup: this algorithm is run by attribute authorities. For each authority , it chooses two as its secret key and publishes the public key: UKeyGen: since the attribute is managed by the authority , then this algorithm is run by the authority . Firstly, it chooses a random number . Then, it computes The path key is generated by the attribute key generation algorithm. AttrKeyGen: since the attribute is managed by the authority , this algorithm is run by the authority . Firstly, if the binary state tree has not been set up, it establishes an , initializes a revocation list , and then chooses a random number as the attribute key. Each user with the attribute is assigned as a leaf node, and it increases the height with users increasing. For each node in the tree, it randomly picks . denotes the path of the user from its leaf node to the root node, and then, is the path key for the user which is used to recover . Finally, it sends to the user, publishes , and then shares with CSP and ESP. Finally, the private key of the attribute for the data user is CPoolGen: this algorithm is run by data owners. The data owner chooses an integer to determine the size of the attributes will be associated with any ciphertext. , , the algorithm picks randomly numbers , and computes Set then the immediate ciphertext pool for the data owner is

Remark 1. is generated when the data owner initializes her/his client. It is saved on the data owner’s side and can be reused. Moreover, it can be updated by the data owner whenever a new attribute authority joins the system or the data owner increases the size of attributes for improving the expressiveness. Enoff: this algorithm is run by data owners. It picks randomly numbers , and computes Then, the offline ciphertext is

Remark 2. The offline ciphertext is used only one time. After it is used, the algorithm Enoff in the client generates a new offline ciphertext for the next plaintext message. Enon: this algorithm is run by data owners. It takes a plaintext message , an access structure , and a set of authority public keys as input, where and is a map from each row of to an attribute . Let be a function maps each row to the authority who manages attribute , i.e., . For encryption, the algorithm randomly picks numbers . Let and . For , it computes , , and . Then, the ciphertext is computed as follows: For , it randomly chooses immediate ciphertexts without repetition in and an auxiliary parameter , then computes At last, the ciphertext is PublicTest: the public test algorithm can be run by any role in the system, if she/he feels she/he needs it. Suppose the components which to be tested is It firstly computes and then If the above equation holds, it means that the ciphertext is legitimate. To be specific, it is encrypted exactly by the attribute set , and the legitimate private key set with respect to the attribute set can decrypt out the correct plaintext message when is an authorized set of . CReEnc: this algorithm is run by ESP. After receiving the data owner’s encrypted data, it first verifies the validity of the ciphertext by using the algorithm PublicTest , where . If the public-test algorithm outputs , it re-encrypts the ciphertext by using the latest attribute keys as follows: Finally, ESP sends the ciphertext to CSP. Decrypt: this algorithm is run by data users. Suppose a user with a set of attributes wants to decrypt the ciphertext . If , this algorithm outputs . Otherwise, it exist a subset of satisfy the access policy . Then, it calculates constants such that . For each attribute , it recovers by using the path keys and computes the original ciphertext except that for all . Then, it can verify the validity of the ciphertext by the algorithm PublicTest. If the public-test algorithm outputs , it computes Outsourcing decryption: the data user can choose to outsource decryption if he owns limited resource or for saving resource. This feature is implemented in three algorithms: TKGen: this algorithm is run by data users. Assuming that the subset of is unrevoked. Firstly, it chooses random numbers as the retrieving key, i.e., . Then, set the transformation key , for every . Secondly, it computes the ciphertext except that for all . At last, it keeps the retrieving key and then sends and to ESP. PartialDec: this algorithm is run by ESP. Assuming that the subset of satisfies the access policy . It calculates constants such that , and then, it computes Finally, it sets and sends it to the data user. FullDec: this algorithm is run by data users. It computes Revoke: if the authority wants to revoke the attribute from the data user , it adds into the revocation list of the attribute and chooses a new attribute key . Then, it sends the update keysto ESP and CSP and publishesESP or CSP updates the ciphertext related to using by calculatingand updates the attribute key by calculatingIf the authority wants to revoke the attribute from the system, it only sets all the data users who own into and runs the above operation.
If the system wants to revoke the data user from the system, it asks all the involved attribute authorities to revoke all the involved attributes from the user , by running the above operation.

5. Security Analysis

In this section, we prove the proposed scheme is IND-sAA-sCCA2 secure.

Lemma 1 (“zero-out” Lemma [19]). Let be a linear secret sharing schemes of an access policy and be a nonauthorized set of rows. Let be the dimension of the subspace spanned by the rows of . Then, the distribution of the shares sharing the secret generated with the matrix is the same as the distribution of the share sharing the same secret generated with some matrix , where for all .

The main security theorem is shown as follows.

Theorem 1. The proposed concrete scheme is IND-sAA-sCCA2 secure in the random oracle model if the assumption holds, the chameleon hash function is secure, and the size of challenge matrix is at most .

Proof. Suppose that there exists a PPT adversary who can break the proposed scheme with nonnegligible advantage , then we can build a simulator which can break the assumption with the tuple as input and interact with as follows: Init: initially, gives a set of corrupt authorities and a challenge access policy , where is a matrix whose size is at most and which implies that its attribute set is . Let be a function map in each row to the authority who manages attribute , i.e., , and denote by . Global setup: gets from challenger and substitutes with the matrix according to “zero-out” lemma where denotes by and restricts that, for each row , there is only one “” in one of the last positions and “” in others. It picks randomly a challenge message and sets . It selects a secure chameleon hash function and then runs the algorithm to get the key pair . It randomly chooses an auxiliary parameter and computes . Then, is regarded as a challenge on-the-fly dummy attribute authorized by controlled by . It calculates a matrix representing the access policy of ; is regarded as the row of , and then, becomes a matrix. randomly selects and sets Then, it calculates At last, sends to , where the random oracles and are programmed by the simulator. Phase 1: the adversary issues a polynomially bounded number of queries statically:(i)Authority’s public key queries: submits a set of the noncorrupt authorities and since can create the public keys of the corrupt authorities by himself. For each , considers two cases:(a): randomly selects and outputs the public key .(b): let , randomly selects and sets Then, it calculates(ii) H-oracle queries: queries to oracle for identity with attribute set . There are two cases:(a): randomly selects and computes(b): for some rows and , can find a vector with such that and for all and then randomly selects and computes(iii) F-oracle queries: queries to oracle for the attribute whose authority is . There are two cases:(a) or : randomly selects if it has not been stored.(b): let and randomly selects and outputs(iv)User’s secret keys queries: submits the user identity and a set of his all attributes , and gives the secret keys for every . Firstly, for each , runs the algorithm to generate a binary tree with an attribute key and the path key . Then, it considers the following three cases:(a): randomly selects if it has not been stored. Then, it outputs(b) and : according to the authority public key queries and -oracle and -oracle phases, where . randomly selects sets and computes(c) and : according to the authority public key queries and -oracle and -oracle phases, where and . Hence, , , and . randomly selects , sets , and computes At last, the secret key for is If satisfies , revokes one of these attributes from all users.(d)TransformKey queries: submits a user identity and a set of his all attributes . For every , generates the secret keys and for as shown in the phase of user’s secret key queries. Next, chooses a random number and then computes the transformation keys . At last, gives the transformation keys for every .(e)CReEncryption queries: submits some ciphertext and then re-encrypts the ciphertext with the latest attribute keys and returns them to .(v)Decryption queries: submits a ciphertext , and firstly transforms to the original ciphertext by the latest . Then, it judges the ciphertext is valid or not by the algorithm PublicTest. At last, decrypts the ciphertext with the corresponding secret keys and returns the message if the ciphertext is legitimate.(vi)Revocation queries: queries to revoke a user with a set of attribute . For every , runs the algorithm Revoke to get the update keys , re-encrypts the ciphertext with the latest update keys, and then publishes to . Challenge: submits to two equal-length messages and . firstly randomly flips coin and computes , where may be or . sets and . Then, it produces the cipertexts by considering the following two cases: and : implies that and . randomly selects and calculates and : and . sets and . Then, it randomly selects and computes Since are not properly distributed, randomly selects and random vectors , . Then, it computes the re-randomized ciphertext , : runs to get the such that . At last, it re-encryptes the ciphertext by the latest attribute keys and sends to . Phase 2: the same as Phase 1, except that cannot make the secret key query for the selected access policy or make decryption query for the challenge ciphertext. Guess: outputs a guess bit . If , then outputs that . Otherwise, outputs that .If , then plays the proper security game with , since is a valid ciphertext for the message . Denote the advantage of wins in this case by . Otherwise, , is a ciphertext of a random message, so the advantage of is 0. Therefore, has advantage in breaking the concrete scheme, and then, can break the -DPBDHE2 assumption with advantage .

6. Performance Analysis

In this section, we analyze and compare the proposed scheme with others in terms of characteristics and efficiency both in the theoretical method and in the experimental method.

6.1. Theoretical Analysis

We compare the proposed scheme with several related MA-CP-ABE schemes in the terms of the feature, the computation, and the storage, respectively, in Tables 2–4. Table 5 summarizes notations.

In Table 2, we compare the properties of our scheme with other previous schemes. All these MA-CP-ABE access control schemes are constructed on the prime-order bilinear group and support the large universe. We can observe that our scheme is superior to other existing previous relevant schemes. The schemes in [19, 39] cannot filter illegal or invalid ciphertext because they do not support the ciphertext public test. The schemes in [19, 40] deal with the scenario that dynamically change the users’ access privilege since they support users’ attribute revocation. They also cannot support outsourcing decryption to reduce the computation overhead on the users’ side. In the other schemes, the data owners will face a heavy computation load when encrypting the data. Only our scheme provides the online/offline encryption algorithm. Moreover, ours is CCA2-secure which is more secure than the other statically secure schemes.

In Table 3, we compare the computational complexity of our scheme with the previous schemes. As for the computation efficiency of the encryption, the proposed scheme is much more efficient than the other schemes since the expensive encryption operations have been executed in the user’s initialization phase by adding the reusable ciphertext pool and split to online encryption and offline encryption. In comparison with the scheme in [39], the computation complexity of final decryption (the last step to recover plaintext for the user) is substantially reduced in our scheme. Moreover, our scheme is more efficient than the scheme in [40] when publicly verifying the ciphertext.

In Table 4, we compare the storage overhead of these above schemes on every entity. The main storage overhead of each AA comes from the master secret key is the same constant in every scheme. The data owner’s storage overhead comes from the global public parameters and authority public keys. In our scheme, the data owner needs to shore the reusable ciphertext pool additionally. The data user’s storage overhead mainly comes from the attribute-related secret keys. In these schemes [39, 40], and our scheme, the data user needs to store the path key since they using the same revocation method.

6.2. Experimental Analysis

To evaluate the performance of our proposed scheme, we implemented and compared the computation cost of the RW15 scheme [19], the LLWG19 scheme [40], and ours in Charm [44] from the Stanford Pairing-Based Crypto library [45]. The program was running on a supersingular symmetric elliptic curve group (“SS512”), over 512-bit base field size. The curve group has a 160-bit order. All the experiments were conducted on a virtual machine platform: Vmware@Workstation 15 Pro 15.5.2 build-15785246, equipped with a 2.30 GHz Intel Cored CPU with 2 GB RAM running 64-bit Linux Ubuntu 18.04.4. We run the schemes for 100 rounds and calculate the average execution time they took, where the number of attributes is ranging from 1 to 50. Finally, the graphs are shown in Figure 3.

(a)

(b)

(c)

As shown in Figure 3, the encryption cost, the decryption cost, and the public ciphertext test cost grow linearly with the number of attributes in the access structure. From Figure 3(a), in the proposed scheme, the encryption is split into online encryption and offline encryption. The online encryption time grows with the number of attributes since the online encryption has to compute the hash operation and exponentiation operation related to attributes. However, the online encryption time can be nearly haft reduced. In Figure 3(b), the predecryption denotes the data user recovers the original ciphertext by the attribute keys when she/he chooses outsourcing decryption, so its time grows with the number of attributes. Moreover, the final decryption only requires a constant amount of computation, so its time is nearly constant. Taken together, the total decryption time in our proposed scheme is nearly a quarter of it in the RW15 scheme. Focusing on the public ciphertext test cost, Figure 3(c) shows that the public ciphertext test time in the proposed scheme is less than that in the LLWG19 scheme. Therefore, the proposed scheme is very efficient in terms of the encryption cost, the decryption cost, and the public ciphertext test cost.

In conclusion, our proposal is more flexible and supports more functions than other previous schemes, which is more suitable for the IoT.

7. Conclusion

In this paper, we design an efficient, CCA2-secure, flexible fine-grained access control scheme to solve the practical issues efficiently for the IoT using edge computing. The proposed scheme meets the need of the large-scale multidomain collaboration in the IoT by using multiauthority attribute-based encryption with the large attribute universe. By adding a reusable ciphertext pool, the most expensive encryption operations have been executed in the user’s initialization phase which minimizes the online encryption computation. At the same time, the near-edge servers can perform the major decryption for the data user. As a result, the computation overhead of encryption and decryption is substantially reduced both on the data owner and user sides. A fine-grained revocation mechanism is designed to revoke an attribute from the user, by which the user or the attribute can be revoked from the system. So it can change user’s access privileges timely and be suitable for the dynamic IoT. The scheme supports efficient ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves the system resources. Moreover, the user can verify the validity of the ciphertext even though some attributes involved in the ciphertext are revoked, only if the rest of his attributes still has the access privilege to decrypt the ciphertext. The proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption, which is more secure than the previous scheme. The performance analysis results show that the proposed scheme is highly efficient and suitable in edge computing for the IoT.

Data Availability

No data were used to support the findings of this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was funded by the Program for Young Innovative Talents in Higher Education of Guangdong, China (Grant no. 2019GKQNCX004), Scientific Research Foundation of Dongguan Polytechnic (Grant no. 2019a21), and National Natural Science Foundation of China (Grant no. 61902164).

References

J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): a vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.
View at: Publisher Site | Google Scholar
S. Madakam, R. Ramaswamy, and S. Tripathi, “Internet of things (IoT): a literature review,” Journal of Computer and Communications, vol. 3, no. 5, pp. 164–173, 2015.
View at: Publisher Site | Google Scholar
Cisco, “Cisco Global Cloud Index: Forecast and Methodology, 2016–2021,” vol. 1, 2018, White paper, Cisco Public, San Francisco, CA, USA, .
View at: Google Scholar
F. Bonomi, R. Milito, J. Zhu, and S. Addepalli, “Fog computing and its role in the internet of things,” in Proceedings of the First Edition of the MCC Workshop on Mobile Cloud Computing (MCC’12), pp. 13–16, Helsinki, Finland, August 2012.
View at: Google Scholar
F. Bonomi, R. Milito, P. Natarajan, and J. Zhu, “Fog computing: a platform for Internet of Things and analytics,” Big Data and Internet of Things: A Roadmap for Smart Environments, Springer, Cham, Switzerland, 2014.
View at: Google Scholar
S. Yi, C. Li, and Q. Li, “A survey of fog computing: concepts, applications and issues,” in Proceedings of the 2015 Workshop on Mobile Big Data (Mobidata ’15), pp. 37–42, Hangzhou, China, June 2015.
View at: Google Scholar
S. N. Shirazi, A. Gouglidis, A. Farshad, and D. Hutchison, “The extended cloud: review and analysis of mobile edge computing and fog from a security and resilience perspective,” IEEE Journal on Selected Areas in Communications, vol. 35, no. 11, pp. 2586–2595, 2017.
View at: Publisher Site | Google Scholar
E. Ahmed and M. H. Rehmani, “Mobile edge computing: opportunities, solutions, and challenges,” Future Generation Computer Systems, vol. 70, pp. 59–63, 2017.
View at: Publisher Site | Google Scholar
W. Yu, F. Liang, X. He et al., “A survey on the edge computing for the Internet of Things,” IEEE Access, vol. 6, pp. 6900–6919, 2017.
View at: Google Scholar
A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in EUROCRYPT 2005: Advances in Cryptology-EUROCRYPT, pp. 457–473, Springer, Cham, Switzerland, 2005.
View at: Google Scholar
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS ’06), pp. 89–98, Alexandria, VA, USA, , 2006.
View at: Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the 2007 IEEE Symposium on Security & Privacy (SP’07), pp. 321–334, Oakland, CA, USA, May 2007.
View at: Google Scholar
V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in Proceedings of the ICALP: International Colloquium on Automata, Languages, and Programming, pp. 579–591, Reykjavik, Iceland, July 2008.
View at: Google Scholar
Y. Rouselakis and B. Waters, “Practical constructions and new proof methods for large universe attribute-based encryption,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS’13), pp. 463–474, Berlin, Germany, November 2013.
View at: Google Scholar
M. Chase, “Multi-authority attribute based encryption,” in Proceedings of the Theory of Cryptography Conference (TCC 2007), pp. 515–534, Amsterdam, The Netherlands, February 2007.
View at: Google Scholar
M. Chase and S. S. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09), pp. 121–130, Chicago, IL, USA, 2009.
View at: Google Scholar
A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” in Proceedings of the Advances in Cryptology (EUROCRYPT 2011), pp. 568–588, RI, USA, March 2011.
View at: Google Scholar
Z. Liu, Z. Cao, Q. Huang, D. S. Wong, and T. H. Yuen, “Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles,” in Proceedings of the European Symposium on Research in Computer Security (ESORICS 2011), pp. 278–297, Leuven, Belgium, September 2011.
View at: Google Scholar
Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority attribute-based encryption,” in Proceedings of the International Conference on Financial Cryptography and Data Security (FC 2015), pp. 315–332, San Juan, Puerto Ric, 2015.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS ’08), pp. 417–426, Alexandria, VA, USA, October 2008.
View at: Google Scholar
N. Attrapadung and H. Imai, “Conjunctive broadcast and attribute-based encryption,” in Proceedings of the International Conference on Pairing-Based Cryptography (Pairing 2009), pp. 248–265, Palo Alto, CA, USA, 2009.
View at: Google Scholar
N. Attrapadung and H. Imai, “Attribute-based encryption supporting direct/indirect revocation modes,” in Proceedings of the IMA International Conference on Cryptography and Coding (IMACC 2009), pp. 278–300, Cirencester, UK, December 2009.
View at: Google Scholar
D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Proceedings of the Advances in Cryptology (CRYPTO 2001), pp. 41–62, Santa Barbara, CA, USA, August 2001.
View at: Google Scholar
J. Hur and D. K. Noh, “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214–1221, 2010.
View at: Google Scholar
A. Sahai, H. Seyalioglu, and B. Waters, “Dynamic credentials and ciphertext delegation for attribute-based encryption,” in Proceedings of the Advances in Cryptology (CRYPTO 2012), pp. 199–217, Santa Barbara, CA, USA, 2012.
View at: Google Scholar
K. Yang, X. Jia, K. Ren, B. Zhang, and R. Xie, “DAC-MACS: effective data access control for multiauthority cloud storage systems,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 11, pp. 1790–1801, 2013.
View at: Publisher Site | Google Scholar
J. Li, W. Yao, Y. Zhang, H. Qian, and J. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785–796, 2017.
View at: Publisher Site | Google Scholar
G. Premsankar, M. Di Francesco, and T. Taleb, “Edge computing for the Internet of Things: a case study,” IEEE Internet of Things Journal, vol. 5, no. 2, pp. 1275–1284, 2018.
View at: Publisher Site | Google Scholar
M. Green, S. Hohenberger, and B. Waters, “Outsourcing the decryption of abe ciphertexts,” in Proceedings of the USENIX Security Symposium, San Francisco, CA, USA, August 2011.
View at: Google Scholar
J. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343–1354, 2013.
View at: Google Scholar
J. Li, X. Huang, J. Li, X. Chen, and Y. Xiang, “Securely outsourcing attribute-based encryption with checkability,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2201–2210, 2013.
View at: Google Scholar
S. Lin, R. Zhang, H. Ma, and M. Wang, “Revisiting attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 10, pp. 2119–2130, 2015.
View at: Publisher Site | Google Scholar
X. Mao, J. Lai, Q. Mei, K. Chen, and J. Weng, “Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 5, pp. 533–546, 2015.
View at: Google Scholar
B. Qin, R. H. Deng, S. Liu, and S. Ma, “Attribute-based encryption with efficient verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1384–1393, 2015.
View at: Google Scholar
S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” in Proceedings of the International Workshop on Public Key Cryptography (PKC2014), pp. 293–310, Buenos Aires, Argentina, March 2014.
View at: Google Scholar
J. Li, Y. Zhang, X. Chen, and Y. Xiang, “Secure attribute-based data sharing for resource-limited users in cloud computing,” Computers & Security, vol. 72, pp. 1–12, 2018.
View at: Publisher Site | Google Scholar
W. Liu, J. Liu, Q. Wu, B. Qin, and Y. Zhou, “Practical direct chosen ciphertext secure key-policy attribute-based encryption with public ciphertext test,” in Proceedings of the ESORICS 2014: European Symposium on Research in Computer Security, pp. 91–108, Wroclaw, Poland, September 2014.
View at: Google Scholar
S. J. De and S. Ruj, “Efficient decentralized attribute based access control for mobile clouds,” IEEE Transactions on Cloud Computing, vol. 8, no. 1, pp. 124–137, 2017.
View at: Publisher Site | Google Scholar
Z. Liu, Z. L. Jiang, X. Wang, and S. M. Yiu, “Practical attribute-based encryption: outsourcing decryption, attribute revocation and policy updating,” Journal of Network and Computer Applications, vol. 108, pp. 112–123, 2018.
View at: Publisher Site | Google Scholar
D. Li, J. Liu, Q. Wu, and Z. Guan, “Efficient CCA2 secure flexible and publicly-verifiable fine-grained access control in fog computing,” IEEE Access, vol. 7, pp. 11688–11697, 2019.
View at: Publisher Site | Google Scholar
B. Waters, “Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization,” in Proceedings of the International Workshop on Public Key Cryptography (PKC 2011), pp. 53–70, Taormina, Italy, March 2011.
View at: Google Scholar
A. Beimel, Secure Schemes for Secret Sharing and Key Distribution, Technion-Israel Institute of Technology, Faculty of Computer Science, Haifa, Israel, 1996.
H. Krawczyk and T. Rabin, “Chameleon hashing and signatures,” vol. 8, no. 1, pp. 124–137, 2000, in Proceedings of the Network and Distributed System Security Symposium (NDSS 2000), vol. 8, no. 1, pp. 124–137, 2000.
View at: Google Scholar
J. A. Akinyele, C. Garman, I. Miers et al., “Charm: a framework for rapidly prototyping cryptosystems,” Journal of Cryptographic Engineering, vol. 3, no. 2, pp. 111–128, 2013.
View at: Publisher Site | Google Scholar
B. Lynn, The Pairing-Based Cryptography Library, 2020, https://crypto.stanford.edu/pbc/.

Copyright

Copyright © 2021 Kaiqing Huang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

742

Downloads

797

Citations