Abstract

Currently, the Internet of Things (IoT) provides individuals with real-time data processing and efficient data transmission services, relying on extensive edge infrastructures. However, those infrastructures may disclose consumers' sensitive information without authorization, which has made data access control a widely researched topic. Ciphertext-policy attribute-based encryption (CP-ABE) is regarded as an effective cryptographic tool for providing users with fine-grained access policies. In prior ABE schemes, the attribute universe is managed by a single trusted central authority (CA), which reduces both security and efficiency. In addition, all attributes are considered equally important in the access policy, so the access policy cannot be expressed flexibly. In this paper, we propose two schemes of a new form of encryption, multi-authority criteria-based encryption (CE). The schemes express each criterion as a polynomial and attach a weight to it. Unlike ABE schemes, decryption succeeds if and only if a user satisfies the access policy and the cumulative weight of the satisfied criteria exceeds the threshold. The proposed schemes are proved secure under the decisional bilinear Diffie–Hellman exponent assumption (q-BDHE) in the standard model. Finally, we provide an implementation of our schemes, and the simulation results indicate that they are highly efficient.

1. Introduction

As an emerging concept, the Internet of Things (IoT) offers great convenience in our daily lives, since it provides individuals with ultra-fast data transmission and high-quality storage services through edge infrastructure. Many well-known IT enterprises, such as Google, Microsoft, and Amazon, have deployed edge computing platforms to integrate edge infrastructure and various devices, so that individuals can benefit in many fields [1]. Unfortunately, due to the complexity of the architecture, IoT inevitably carries security risks; in particular, unsupervised edge infrastructures may silently capture users' sensitive information or be compromised by malicious users, which poses a severe threat to individuals [2, 3]. For example, edge devices may reveal sensitive data such as health records and personal finances to the public. Therefore, data security in IoT has become a significant concern for many enterprises and individuals.

To alleviate this situation, Yeh et al. [4] proposed an access control framework for IoT with attribute revocation. Qiu et al. [5] constructed an authentication and key agreement (AKA) protocol for lightweight IoT devices; the protocol was proved secure in the random oracle model and enjoys desirable computational efficiency. Wang et al. [6] conducted a detailed analysis of the vulnerabilities of IoT devices and offered targeted countermeasures depending on the type of attack. However, traditional public-key techniques only support one-to-one encryption, i.e., a message encrypted under a public key can only be decrypted with the corresponding private key. Sharing data with many recipients therefore requires one ciphertext per recipient, so the storage needed grows with the number of recipients, whereas edge devices generally have limited storage capacity.

Attribute-based encryption (ABE) is an effective encryption tool that provides fine-grained, one-to-many access control for outsourced data in IoT [7]. According to the encryption mechanism, ABE can be divided into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, the data owner constructs an access policy and embeds it in the ciphertext, while the user's attribute set is embedded in the secret key. Conversely, in KP-ABE the private keys are associated with the access policy and the ciphertext is labeled with attributes. A user can recover the message if and only if his/her attributes satisfy the access policy. Many excellent ABE schemes for access control in IoT have been proposed [8–11]. However, most of them have two problems. On the one hand, a single attribute authority (AA) manages the whole attribute set and generates all secret keys. If a large number of users request private keys, that server becomes a performance bottleneck and a single point of failure. Furthermore, once the attribute authority is compromised, the attacker can issue keys for any attribute set, so unauthorized users become able to decrypt the ciphertext. Therefore, ABE schemes supporting multiple authorities should be considered, i.e., the attribute universe should be managed by multiple attribute authorities. In this way, even if one authority is compromised or goes offline, a user can still obtain the secret key from the other authorities. On the other hand, all attributes in the access policies of previous schemes are treated at the same level, which ignores scenarios in which some attributes are more important than others. For example, in an IoT-based medical system, it is desirable to grant doctors higher weights than nurses.

In order to distinguish the importance of attributes, some weighted ABE schemes [12–14] have been proposed. Liu et al. [12] proposed a weighted CP-ABE scheme; however, its attribute universe is managed by a single central authority. Wang et al. [13] constructed a multi-authority weighted ABE scheme for cloud computing, but a CA is still required in the key generation phase, which weakens the security of the scheme. Yan et al. [14] introduced a weighted attribute-based encryption scheme in which the weight of each attribute is specified by a central authority, whereas in a real encryption scenario the data owner should be allowed to decide the weight of each attribute in the access policy. To address these problems, Phuong et al. [15] first proposed criteria-based encryption (CE), which supports weighting each criterion in the access policy. Precisely, each criterion is expressed as a polynomial, each root of which corresponds to a case satisfying that criterion. The access policy consists of a series of weighted criteria, each containing at least one case. Thus, the main difference between ABE and CE is that each criterion contains multiple satisfying cases and carries a weight specified by the encryptor. An intuitive example follows. Suppose that in a smart medical system, the government needs to monitor the health of community members.
Since medical data involve sensitive personal information and are not available to others, a receiver must meet certain restrictions to obtain access: ((the receiver must be an authorized chief physician, weighted 5, marked as criterion ) AND (the receiver has more than 5 years of work experience, weighted 2, marked as criterion )) OR (the receiver is a community manager employed by the government, weighted 1, marked as criterion ) OR (the receiver is a community member holding a legal device, weighted 6, marked as criterion ). In addition, to access the data the cumulative weight of the receiver must exceed 5. Bob is a community manager hired by the government and has 6 years of medical work experience; he is denied access because his cumulative weight (2 + 1 = 3) does not reach the threshold. Alice is a chief physician who has served the community for seven years; she satisfies both the access policy and the threshold (5 + 2 = 7), so she is authorized. As shown in Figure 1, the criterion corresponds to two cases (roots): the receiver is a community manager, and the receiver is appointed by the government. Unfortunately, the issue of key generation by a single authority remains unsolved in their scheme.

In this paper, we propose two multi-authority criteria-based encryption schemes, named MA-CE-Verify Root and MA-CE-Root Equality, respectively, which aim to solve the problems mentioned above. Specifically, we represent each criterion as a polynomial, and the encryptor can freely assign a weight to each criterion according to demand. The cases satisfying a criterion are represented as the roots of its polynomial. In the first scheme, the decryptor must hold at least one case (root) of each criterion specified in the access policy, and the cumulative weight must exceed the threshold; in the second scheme, the decryptor can decrypt only if he/she holds all the cases (all roots) of each criterion and the cumulative weight exceeds the threshold. Moreover, in our schemes multiple authorities manage the global criterion universe and perform key generation, which removes the performance bottleneck and improves the security of the system.

1.1. Our Contributions

In this work, our main contributions can be summarized as follows:
(1) We propose two types of multi-authority criteria-based encryption schemes, which support weighting each criterion. In our schemes, multiple AAs jointly manage the criterion universe using -threshold secret sharing. Furthermore, data owners can freely set the weight of each criterion as required. Thus, our schemes provide flexible access control.
(2) The security proof shows that our schemes achieve indistinguishability under chosen-plaintext attack (IND-CPA) under the decisional bilinear Diffie–Hellman exponent assumption (q-BDHE).
(3) We implement the proposed schemes and provide a theoretical analysis. The results show that our constructions have desirable performance in practical situations.

1.2. Related Work

Goyal et al. [16] proposed attribute-based encryption (ABE), which provides one-to-many encryption, and divided it into two forms: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). Sahai et al. [17] realized a revocable ABE (RABE) scheme, in which the outsourcing server updates the encrypted data to revoke a user's decryption permission. On the downside, the cost of the bilinear-pairing operations makes it difficult to apply this scheme directly in IoT. Agrawal et al. [18] proposed two versatile ABE constructions with short ciphertexts and keys. One limitation is that the scheme does not consider that different attributes in the access policy have different levels of importance, i.e., the attributes carry no weights. Waters [19] and Agrawal et al. [20] proposed ABE schemes that support inputs of arbitrary length and provide a general ABE structure. In these schemes, the attribute universe and key generation are handled by a single attribute authority. Once the authority is corrupted, the adversary can directly generate the key of any user with legal status and decrypt the message [21]. ABE schemes with multiple authorities have been proposed to solve this issue. Lewko et al. [22] constructed an ABE scheme in which any party can become an attribute authority, and the scheme resists collusion attacks. However, its construction over composite-order groups seriously affects execution efficiency. The schemes in [23–26] target different practical application scenarios; unfortunately, they are limited by security issues or computational complexity, which hinders their direct application in IoT. Sandor et al. [27] presented an efficient decentralized multi-authority ABE scheme that mitigates the key escrow problem for mobile devices.
Generally, decentralized ABE solves the problem of accessing encrypted data when the users' attributes come from multiple authorities, each of which is only in charge of issuing attributes and keys in its own domain. However, in those schemes an adversary who compromises the server of one AA still obtains information it should not have. In our work, this issue is addressed by -threshold sharing: the adversary learns nothing related to the key unless the number of corrupted authorities is greater than .

1.3. Organization

In Section 2, we present the notation and preliminaries. Section 3 has three parts: the system model and requirements of the schemes are described in Section 3.1, the framework (syntax) of the schemes is defined in Section 3.2, and the security model is given in Section 3.3. In Section 4, we show how to construct our two schemes. We give the security proofs of our schemes in Section 5. The performance analysis of the proposed schemes is presented in Section 6. Finally, conclusions and extensions are put forward in Section 7.

2. Preliminaries

We now introduce some notations and preliminaries.

2.1. Notation

For a positive integer , . For vectors and , let be their inner product. We use to denote a random element drawn uniformly from the set . For a matrix , its -th row is denoted by , and its -element is . We use the symbol to denote that the criterion set satisfies the access structure . Note that the (monotonic) access structure used in this work is the same as in [8], so the concrete definition is not repeated here. For any set , denotes the number of its elements.

2.2. Bilinear Maps

Let and be two multiplicative cyclic groups of order , where is a large prime and is generated by . A map is an admissible bilinear map if it satisfies the following properties:
(1) Bilinearity: for any and , .
(2) Nondegeneracy: for any , .
(3) Computability: for any , there is an efficient algorithm to compute .

2.3. -Threshold Secret Sharing

Suppose that several participants wish to share a secret among themselves but, because of the privacy requirement of the secret, do not want any one of them to be able to obtain the secret alone. Secret sharing is a technique designed for this scenario. In a secret-sharing scheme each party obtains a share of the secret, which is a piece of information about the secret, and the whole secret can be reconstructed only through the cooperation of enough participants; no single party can learn what the secret is on its own. Many secret-sharing schemes for different situations have been proposed, and -threshold sharing is one of the most basic and widely applicable among them. It was first proposed by Shamir [28] and later developed into many practical schemes, such as [21, 29]. In this work, we adopt the definition in [21].

We take the set as members of the system. The identity of each member is taken from the finite field . Let the positive integer denote a threshold. Additionally, let represent the subsecret of each member, such that . The -threshold secret sharing can be described as follows.

Share. Each member constructs the polynomial of degree , such that . For to , each member calculates subshare and assigns to member .

Reconstruction. Suppose that there is a function , such that . Each member calculates the share . The shares of any members are sufficient to reconstruct the function according to the Lagrange interpolating formula. The master secret can be constructed by .
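The Share and Reconstruction steps above, carried out end to end as an added example (this is not code from the paper): every member contributes a sub-secret and a random polynomial, each member's share is the sum of the sub-shares it received, and any t of the n summed shares rebuild the master secret by Lagrange interpolation. The field modulus P, the member identities 1..n, and the seeded generator are assumptions of this example; a deployment would use the order of the bilinear group and a cryptographic RNG.

```python
"""Joint (t, n)-threshold secret sharing among n authorities, as in Section 2.3.

Added example; it is not code from the paper.  The field modulus P is an
assumption standing in for the order of the bilinear group, and identities
1..n are used for the members.
"""
import random

P = 2**61 - 1  # assumed toy prime modulus (a Mersenne prime)


def eval_poly(coeffs, x, p=P):
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lagrange_coeffs(xs, p=P):
    """Lagrange coefficients for reconstructing F(0) from the points in xs.

    They depend only on the identities, so they can equally be applied in the
    exponent (to group elements g^{F(j)}) without anyone learning F(0) in the clear.
    """
    out = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        out.append(num * pow(den, -1, p) % p)
    return out


def joint_share(n, t, rng, p=P):
    """Every member i picks a sub-secret s_i and a random polynomial f_i of degree
    t-1 with f_i(0) = s_i, then hands f_i(j) to member j (over a private channel).
    Member j adds the values it received: F(j) = sum_i f_i(j).  The master secret
    s = F(0) = sum_i s_i is never held by anyone.  Returns (s, {j: F(j)})."""
    polys = [[rng.randrange(p) for _ in range(t)] for _ in range(n)]
    master = sum(f[0] for f in polys) % p
    shares = {j: sum(eval_poly(f, j, p) for f in polys) % p for j in range(1, n + 1)}
    return master, shares


def reconstruct(subset, shares, p=P):
    """F(0) from the shares of the members in `subset` (needs at least t of them)."""
    xs = list(subset)
    lam = lagrange_coeffs(xs, p)
    return sum(l * shares[x] for l, x in zip(lam, xs)) % p


def demo(n=5, t=3, seed=7):
    rng = random.Random(seed)  # deterministic for the example; use SystemRandom in practice
    master, shares = joint_share(n, t, rng)
    ok_a = reconstruct({1, 2, 3}, shares) == master
    ok_b = reconstruct({2, 4, 5}, shares) == master
    too_few = reconstruct({1, 2}, shares)  # only t-1 shares: interpolates a wrong value
    return master, shares, ok_a, ok_b, too_few


if __name__ == "__main__":
    master, shares, ok_a, ok_b, too_few = demo()
    print("any 3 of 5 shares rebuild the master secret:", ok_a and ok_b)
    print("2 shares give the master secret:", too_few == master)
```

The point for the scheme is the comment on `lagrange_coeffs`: because the coefficients depend only on the identities of the responding authorities, a user can combine t authority contributions in the exponent and obtain a key containing the master secret without any single authority, or the user, ever seeing it.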

2.4. Linear Secret-Sharing Schemes

We make use of the Linear Secret-Sharing Schemes (LSSSs) of [22]. A secret-sharing scheme over a set of parties is linear over if
(1) the shares for each party form a vector over , and
(2) there is a matrix with rows and columns, called the share-generating matrix, and a function that maps each row to a party , where . Consider the column vector , where is the secret to be shared and are chosen at random. Then is the vector of shares of the secret according to , and the share belongs to party .

Linear reconstruction is defined as follows. Suppose that is an LSSS for the access structure . Let be any authorized set and define . Then there exist constants such that, if are valid shares of any secret according to , then .
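Share generation and linear reconstruction as an added, runnable example (not code from the paper): the matrix below is the standard Lewko-Waters encoding of the Figure 1 policy (C1 AND C2) OR C3 OR C4, and the reconstruction constants are found by solving the linear system that the definition above only asserts to have a solution. The modulus P, the matrix, and the random vector are assumptions of this example.

```python
"""LSSS share generation and linear reconstruction (Section 2.4), over GF(P).

Added example, not code from the paper.  The share-generating matrix below is the
Lewko-Waters encoding of the Figure 1 policy (C1 AND C2) OR C3 OR C4; the modulus
P and the secret are assumptions of this example.
"""
import random

P = 2**61 - 1  # assumed prime modulus standing in for the group order

# Rows M_i and the map rho(i) -> party.  A set is authorized exactly when the rows
# labelled by its parties span the target vector (1, 0).
M = [[1, 1],   # C1
     [0, -1],  # C2
     [1, 0],   # C3
     [1, 0]]   # C4
RHO = ["C1", "C2", "C3", "C4"]


def make_shares(M, v, p=P):
    """lambda_i = <M_i, v>; v = (s, y_2, ..., y_n) with s the secret."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def solve_mod_p(A, b, p=P):
    """Solve A x = b over GF(p) by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):   # a row reading 0 = nonzero
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def reconstruction_constants(M, rho, S, p=P):
    """Constants omega_i (rows i with rho(i) in S) with sum_i omega_i M_i = (1,0,...,0).
    None means S is not an authorized set."""
    idx = [i for i, party in enumerate(rho) if party in S]
    if not idx:
        return None
    ncols = len(M[0])
    A = [[M[i][c] for i in idx] for c in range(ncols)]   # transpose restricted to S
    sol = solve_mod_p(A, [1] + [0] * (ncols - 1), p)
    return None if sol is None else dict(zip(idx, sol))


def reconstruct(M, rho, shares, S, p=P):
    """sum_i omega_i * lambda_i = s for an authorized S, else None."""
    omega = reconstruction_constants(M, rho, S, p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p


def demo(seed=1):
    rng = random.Random(seed)   # deterministic for the example
    s = rng.randrange(P)
    v = [s, rng.randrange(P)]   # the secret plus one random entry per extra column
    return s, make_shares(M, v)
```

In the constructions of Section 4 the shares are never combined in the clear; the constants omega_i computed here are the exponents applied to pairing values, which is why only sets S for which `reconstruction_constants` returns a solution can decrypt.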

Definition 1 (Decisional Bilinear Diffie–Hellman Exponent Assumption (q-BDHE)). Let be a group of prime order and let be short for . Given and , the decisional q-BDHE problem [30] is defined as follows: the adversary is given a vector and must distinguish from a random element of . An algorithm has advantage in solving decisional q-BDHE in if the following holds. The decisional q-BDHE assumption holds if no polynomial-time algorithm can solve the decisional q-BDHE problem with non-negligible advantage.
Vieta's theorem (Vieta's formulas) expresses the relationship between the roots of a polynomial and its coefficients. In our schemes, it is a building block for computing the elements of the ciphertext and of the secret key.

Definition 2 (Vieta's theorem) (see [15]). Let be a polynomial of degree , and write its coefficients as the vector . For any , we represent as follows. The element is a root of if the inner product is zero. Suppose are the roots of ; then we have the following.

3. Multi-Authority Criteria-Based Encryption

3.1. System Model and Requirements

In this section, we define the system model and state some requirements of our multi-authority criteria-based encryption schemes. As shown in Figure 2 [31], the system consists of a global central authority (CA), multiple criterion authorities (AAs), the edge infrastructures, data owners (DO), and data consumers (users). We define them as follows.
(1) The central authority (CA) is considered fully trusted and is in charge of system establishment and initialization, including the generation of the system parameters and the master public key. When a user (or AA) requests registration, CA verifies the legitimacy of its identity and assigns a unique for the user or an for the AA, respectively. Besides, CA determines the threshold of the threshold sharing among criterion authorities, which is needed for secret key generation. CA is not responsible for anything else in the system; in particular, CA does not participate in the threshold sharing among AAs or in key generation, which is the core of decentralization.
(2) A criterion authority (AA) mainly generates the component of the user secret key associated with the criteria in its domain, and also plays a role in system establishment. Notably, unlike common multi-authority CP-ABE, in our system all AAs manage the entire criterion universe together. We use threshold sharing among AAs so that each AA holds a share of the master secret, which it uses as its private key; this ensures that a malicious user learns nothing unless the number of corrupted authorities exceeds . After that, CA collects the public keys of all AAs to generate the system public key. Finally, when a user requests his/her secret key, each AA distributes only its own share of the user secret key; no AA needs to communicate with any other AA during encryption or key generation.
(3) A data owner (DO) encrypts the data. He/she specifies the access policy over criteria, the weight of each criterion, and the cumulative weight threshold that a user needs to satisfy. Concretely, DO runs the encryption algorithm, generates a ciphertext bound to all of these requirements, and uploads the ciphertext to the edge infrastructure.
(4) A user obtains a global identity issued by CA and the AAs. Any user in the system can download the encrypted data but can recover the plaintext only if he/she satisfies both the access policy and the weight requirement specified by the data owner.
(5) Each edge infrastructure is an entity that provides storage and computing services for DO. It accepts encrypted data sent by DO; the data can then be downloaded by any registered user in the system.

For precision and unambiguity, some default assumptions and requirements of our proposed schemes are stated here. In the system model, we suppose that CA is fully trusted and cannot be compromised. A user can download whichever encrypted data he/she wants, but can recover the corresponding plaintext if and only if he/she satisfies both the access policy and the cumulative weight threshold. Moreover, since the weights reflect differences in importance among the criteria of an access policy, ideally the user criteria that satisfy the policy should contain relatively significant (higher-weight) criteria rather than a simple patchwork of low-weight criteria. Therefore, we assume that data owners are sufficiently rigorous in designing access policies, assigning a weight to each criterion, and setting the thresholds over criteria. Furthermore, there are at least two authorities in the system.

3.2. Syntax of Scheme

The syntax of the multi-authority criteria-based encryption scheme consists of the following PPT algorithms:
(1) : the algorithm is performed by CA. It takes as input the security parameter and consists of three steps. CA first runs the group generation algorithm to obtain and defines the criterion universe of size . Then, it chooses to label each polynomial . Finally, CA receives registration requests from users and AAs and records the number of AAs as . It outputs the public parameter .
(2) : the algorithm is performed by the AAs (CA takes no part in it, as stated in Section 3.1). Each authority first chooses at random, such that . Note that the value of is secret to every other . Then, all the authorities run -threshold secret sharing according to . Each authority outputs and keeps secret.
(3) : the algorithm is performed by CA and the AAs. It receives the public parameter , the public keys from all the AAs, and the degree of the polynomials. It outputs the public key and implicitly keeps the values for secret.
(4) : the algorithm is performed by DO. It takes in the public parameter , the public key , a message , an access structure , a weight vector , and the weight threshold . It outputs a ciphertext .
(5) : the algorithm is performed by the user with identity together with the AAs. It takes in , the public key , the global identity of the user, and the set of cases belonging to the user. It outputs a secret key .
(6) : it takes in the public parameter , the secret key , and the ciphertext . The algorithm outputs either a message or the distinguished symbol .

For the correctness of our schemes, we require that for the and the , one can execute algorithm to obtain the correct message with overwhelming probability.

3.3. Security Model

Here, the IND-CPA security [16] of the proposed scheme is defined by the following game between a challenger and an adversary .

Init. performs the algorithm , , and and then sends the and to .

Phase 1. repeatedly queries for private keys associated with sets of cases .

Challenge. submits two messages , a challenge access structure , a vector , and a weight threshold to . The restriction is that none of the queried case sets satisfies the access structure . Then, randomly picks and executes the algorithm to generate under . Finally, receives the ciphertext from .

Phase 2. can repeatedly make the same queries as Phase 1, except that cannot satisfy .

Guess. The adversary outputs a guess of .

The advantage of the adversary in this game is defined as .

Definition 3. The proposed multi-authority criteria-based encryption scheme is secure if all polynomial-time adversaries have at most a negligible advantage in the above game.

4. Construction

In this section, we first provide an overview of the proposed schemes and then give the detailed constructions of the two schemes.

4.1. Overview

What we first consider is how to find a form to express the criteria. In our schemes, the criterion is related to a polynomial, and each root of the polynomial corresponds to a case that satisfies the criteria. The first scheme requires that the user satisfies at least one case of the criterion, while in the second, there is a stricter restriction that the user must satisfy all cases of the criteria. In this context, our scheme improves the flexibility of access policy in practical application. Specifically, recall the access policy described in Figure 1. DO specifies an access policy , and the cumulative weight threshold is set to . The observation is that the criterion set with cumulative weight exceeding can be expressed as . Clearly, Alice is a chief physician who has served the community for seven years. The case set and criterion set can be described as . She can successfully decrypt the data due to the fact that set (i.e., and . Bob is a community manager hired by the government and has 6 years of work experience related to medical treatment. He cannot decrypt the message successfully, since .
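The encoding of Definition 2 and the weighted policy check walked through above (Alice and Bob), as an added example that is not code from the paper: each criterion becomes the polynomial whose roots are its cases (built by multiplying out the linear factors, i.e. Vieta's formulas), a user's case is tested with the inner product of the coefficient vector and the power vector, and the two decryption rules of the paper are applied, Verify Root (at least one root held) and Root Equality (every root held, detected by rebuilding the same polynomial from the user's roots). The case names, the SHA-256 mapping from a case name to a field element, and the modulus P are assumptions of this example.

```python
"""Criteria as polynomials (Definition 2, Vieta) and the weighted policy check of
Section 4.1 / Figure 1, for both the Verify-Root and the Root-Equality rule.

Added example, not code from the paper.  The case names, the SHA-256 mapping from
a case name to a field element, and the modulus P are assumptions of this example.
"""
import hashlib
from itertools import combinations

P = 2**61 - 1  # assumed prime modulus standing in for the group order

# Constructed to mirror Figure 1: criterion -> (weight, set of cases = roots).
CRITERIA = {
    "C1": (5, {"authorized chief physician"}),
    "C2": (2, {"6 years of experience", "7 years of experience", "8 years of experience"}),
    "C3": (1, {"community manager", "appointed by the government"}),
    "C4": (6, {"community member", "holds a legal device"}),
}
POLICY = ("OR", ("AND", "C1", "C2"), "C3", "C4")   # (C1 AND C2) OR C3 OR C4
THRESHOLD = 5                                       # cumulative weight must exceed this

ALICE = {"authorized chief physician", "7 years of experience"}
BOB = {"community manager", "appointed by the government", "6 years of experience"}


def case_to_field(name):
    """Map a case name to an element of GF(P) (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % P


def vieta_coeffs(roots):
    """Coefficients (a_0, ..., a_d) of prod_r (x - r) over GF(P), constant term first.
    Multiplying out the product is exactly Vieta's relation between roots and coefficients."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % P    # c * x
            nxt[i] = (nxt[i] - c * r) % P        # c * (-r)
        coeffs = nxt
    return coeffs


def is_root(coeffs, x):
    """x is a root iff <(a_0..a_d), (1, x, ..., x^d)> = 0, the test of Definition 2."""
    return sum(a * pow(x, i, P) for i, a in enumerate(coeffs)) % P == 0


def criterion_polys():
    return {c: vieta_coeffs([case_to_field(n) for n in roots])
            for c, (_, roots) in CRITERIA.items()}


def satisfied_criteria(user_cases, mode):
    """'verify_root': a criterion holds if the user has at least one of its roots.
    'root_equality': it holds only if the user's roots rebuild the same polynomial,
    i.e. the user holds every root (the factor product is order-independent)."""
    xs = {case_to_field(n) for n in user_cases}
    held = set()
    for c, poly in criterion_polys().items():
        matched = [x for x in xs if is_root(poly, x)]
        if mode == "verify_root":
            if matched:
                held.add(c)
        elif mode == "root_equality":
            if matched and vieta_coeffs(matched) == poly:
                held.add(c)
        else:
            raise ValueError(mode)
    return held


def policy_holds(node, held):
    if isinstance(node, str):
        return node in held
    op, *kids = node
    return (all if op == "AND" else any)(policy_holds(k, held) for k in kids)


def weight_subsets(threshold=THRESHOLD):
    """Subsets of criteria whose cumulative weight exceeds the threshold: the set
    the encryptor fixes in the ciphertext."""
    names = sorted(CRITERIA)
    return {frozenset(s)
            for k in range(1, len(names) + 1)
            for s in combinations(names, k)
            if sum(CRITERIA[c][0] for c in s) > threshold}


def can_decrypt(user_cases, mode="verify_root"):
    """Both conditions of the scheme: the held criteria satisfy the policy AND some
    over-threshold subset is contained in the held criteria."""
    held = satisfied_criteria(user_cases, mode)
    return policy_holds(POLICY, held) and any(s <= held for s in weight_subsets())
```

Running `can_decrypt(ALICE)` and `can_decrypt(BOB)` reproduces the narrative: Bob's held criteria {C2, C3} satisfy the formula but no over-threshold subset lies inside them, while Alice's {C1, C2} pass both tests. Under the Root-Equality rule Alice loses C2 (she holds only one of its roots), which is the stricter behaviour the second scheme is designed for.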

From a practical perspective, the first scheme is suitable for edge computing platforms, while the second is suitable for users' private edge devices, because those devices are more vulnerable to attack. Moreover, we introduce the multi-authority mechanism to remove the security problem caused by all attributes being managed by one authority. In this work, the criterion universe is jointly managed by AAs, under the restriction that the AAs do not collude. CA does not interact with users except to generate their globally unique identities. The user can reconstruct the secret key, which contains the term , only after interacting with different AAs; in this way no single AA can generate a valid key on its own. Meanwhile, data owners can assign a reasonable weight to each criterion and set the cumulative weight threshold according to their requirements, which makes the scheme suitable for real application scenarios.

4.2. MA-CE-Verify Root Scheme

Here, we provide our first multi-authority criteria-based encryption scheme, which requires the user to hold at least one root of each polynomial (or criterion) in the policy.
(1) : CA first runs to obtain , where is a generator of , and and are two multiplicative cyclic groups of the same order , such that . Then, CA defines the criterion universe of size and chooses to label each polynomial . Moreover, CA receives registration requests from AAs and users, records the number of AAs as , and generates a globally unique identity for each AA and user, respectively. Finally, CA defines the threshold according to the value . It outputs the public parameter .
(2) : first, each authority chooses the secret , such that the master secret is . Then, randomly sets a polynomial of degree which satisfies . Every other obtains the value computed by . Meanwhile, computes for itself. Finally, computes its secret key and public key .
(3) : CA randomly picks of the AAs' public keys. Additionally, it picks and calculates as follows. Then, CA selects and calculates . For the criterion universe , it picks a set of -degree polynomials with coefficients and labels with . The set of polynomials can be described as follows. For to , CA computes and . It outputs and keeps the values for secret.
(4) : the encryption algorithm sets the access policy , where the size of the matrix is and the function maps to a criterion. Then, it specifies the weight vector , whose element is the weight of each criterion. It also takes to construct the vector , whose first element is the secret value to be shared. For to , it computes . It then computes the set according to the weight threshold , where indicates the length of the -th subset and denotes its index in . Finally, the algorithm calculates the following and outputs the ciphertext .
(5) : the key generation algorithm is run by the user interacting with AAs according to the requirements. The restriction is that the AAs cannot communicate with each other. Let be a root of the polynomial at . For each root that belongs to the user, AA creates the vector . We use to denote the set of cases that belong to the user with . Let denote the set of criteria requested by the user and be all combinations of entities in set , where denotes the length of the subset and denotes its index in . picks and calculates as follows. After interacting with AAs, the user constructs the secret key as follows. For all , we have the following. For simplicity, we set . Hence, the secret key of the user can be represented as follows.
(6) : the decryption algorithm can be invoked by any user with a valid identity. Namely, the user can download encrypted data from the edge infrastructures and can decrypt it successfully if his/her case set satisfies the access policy and the cumulative weight requirement.

Suppose that the ciphertext is encrypted under the access policy . Recall the definition of LSSS. Let represent a case such that . To decrypt the ciphertext, the user with computes ; if are valid shares for the access policy , then the secret can be recovered. The decryption process is as follows:

Define set . For each , let and denote the index in set and , respectively. Then, compute

The user can recover the plaintext from the following equation:

4.3. MA-CE-Root Equality Scheme

Here, we provide our second scheme, which requires all the roots (or cases) of each polynomial (or criterion) to be held by the user.
(1) : this algorithm is similar to that of MA-CE-Verify Root. CA runs to obtain and defines the criterion universe of size . CA also generates unique identities for AAs and users, respectively. Then, it chooses a threshold and picks . Note that is not used to label the polynomial . It outputs the public parameter .
(2) : the algorithm is the same as in the first scheme. Each authority takes the public parameter as input and returns a key pair , where is kept secret from the other AAs.
(3) : CA randomly chooses public keys from the AAs. In addition, it picks and calculates the following. Then, CA randomly picks and computes . For to , it picks a set of -degree polynomials , which can be described as follows. It outputs and keeps the values for secret.
(4) : the encryption algorithm sets the access policy , where the size of the matrix is and the function maps to a criterion. Then, it specifies the weight vector , whose element is the weight of each criterion. Moreover, it constructs the vector . For to , it computes and the set according to the weight threshold , where indicates the length of the -th subset and denotes its index in . Finally, the algorithm computes as follows and outputs the ciphertext .
(5) : the user with interacts with any AAs to obtain the key according to the requirements. Let the set represent all the roots of the polynomial at . According to Vieta's theorem, AA uses to construct the following vector. Let represent the cases belonging to the user with identity , let denote the set of criteria requested by the user, and let be all combinations of entities in set , where denotes the length of the -th subset and denotes its index in . picks and calculates as follows. After interacting with AAs, the user constructs the secret key as follows.
(6) : to recover the data encrypted under the access policy , the user first calculates the constants and then computes the following.

For , the symbols and denote the index in set and , respectively; then, compute

The user can recover the plaintext .

5. Security Proof

To prove the security of our constructions, we adapt the proof technique of [8], as shown below.

Theorem 1. If the decisional q-BDHE assumption holds, then any polynomial-time adversary cannot selectively break the MA-CE-Verify Root scheme with a challenge matrix of size , where .

Here, we briefly overview the proof technique under the decisional q-BDHE assumption. Suppose that there exists an adversary with non-negligible advantage that can selectively break the proposed scheme. is allowed to select a matrix of size at most . The restriction is that no key queried from the challenger can decrypt the challenge ciphertext. Then, we construct a PPT simulator that solves the decisional q-BDHE problem.

Init. first receives the q-BDHE challenge and . Then, sends the challenge structure , a weight vector , and a weight threshold to .

Setup. In this phase, picks and implicitly takes by making . Then, randomly generates for polynomial . The symbol represents the collection of indexes , such that . Next, takes

We note that , and if . Finally, chooses and computes, which implicitly sets .

Phase 1. answers private key queries for , where does not satisfy . For each , first creates the vector and chooses . Then, according to the definition of LSSS, calculates a vector such that . For all such that , we have that the inner product . Finally, implicitly defines as

Therefore, the value can be denoted as

We now consider for the case that there is no such that has a root equal to . can simply take . Otherwise, it calculates as

Note that by defining , has the form of in the exponent for some . However, we have that , and the term of can be cancelled. Consequently, can be expressed as

We now consider simulating the value of . Let be the set of criteria corresponding to the criterion universe and be all combinations of entities in set . For to , we have

Otherwise, we have

Challenge. We show how to build challenge ciphertext. submits two messages and to . The simulator selects at random and constructs , . Then, it picks and secret using the vector

Finally, chooses threshold value and performs algorithm to construct , , and as follows:

Phase 2. can adaptively make queries the same as Phase 1 with the restriction that none of those cases satisfy the access structure corresponding to the Challenge phase.

Guess. The adversary eventually outputs a guess of the bit b. If correctly guesses , then returns to guess that ; otherwise, it outputs 1 to indicate that it considers to be a random element of group . When is a tuple, the simulator performs a perfect simulation. In this case, we have that

When is a random element in , simulates a completely random challenge ciphertext for adversary , and we have

Consequently, can play the decisional q-BDHE game with non-negligible advantage.

Theorem 2. If the decisional q-BDHE assumption holds, then no polynomial-time adversary can selectively break our MA-CE-Root Equality scheme with a challenge matrix of size , where .

The proof of this theorem is similar to that of Theorem 1 and is omitted here.

6. Performance Analysis

We now provide theoretical analysis and implementation evaluation of the two schemes in this section.

6.1. Theoretical Analysis

We compare four schemes, namely [12–14] and our two schemes, in terms of storage overhead and computation cost. Let indicate a pairing operation. and denote an exponentiation in group and , respectively. and represent the size of an element of group and , respectively. In our schemes, represents the size of the criterion universe, while in [12–14] it represents the size of the attribute universe. and denote the number of criteria (or attributes) in the access matrix and the number of criteria satisfied by the user, respectively. Let denote the number of attributes managed by each attribute authority. is the number of all criterion sets with cumulative weight greater than . is the size of the criterion set that satisfies both the access policy and the cumulative weight requirement.

We first compare the storage overhead of the four schemes, as shown in Table 1. In terms of ciphertext size, our schemes are better than [12–14], since those schemes must store information for a large number of leaf nodes of the access tree. It can be observed that [13] is superior to our schemes in terms of key size and public key size. The reason is that the public key in our schemes needs to contain information corresponding to each criterion. In [13], all weights are specified by the trusted authority TA. Different from [13], the phase of our schemes requires enumerating the criterion sets that exceed the weight threshold. The performance of our schemes in terms of key size is comparable to that of [14]. However, the scheme in [14] cannot support multiple authorities, and the weight of each attribute is specified by TA. This inevitably limits the applicability of the scheme in practical scenarios.

Table 2 shows the computation cost of these schemes in the , , and phases. In the phase, the scheme in [13] performs better than the other schemes, because computing all the criterion sets accounts for the main computation cost in our schemes and in the scheme of [12]. In the and phases, our schemes cost less time than [13] in practical application, since the computation cost of the latter is dominated by a large number of exponentiation and pairing operations. Moreover, it can be seen that the performance of [14] is similar to our first scheme and slightly inferior to the second scheme. The advantage of our schemes is that users can flexibly choose the weights in the access policy according to different application scenarios.

6.2. Implementation and Evaluation

We implement the proposed schemes in Charm [32] using Python 3.6.5. The programs adopt the Pairing-Based Cryptography (PBC) library version 0.5.14. We pick the symmetric curve with a 512-bit base field, which provides a 160-bit group order. All our programs were executed on VMware Workstation Pro 15.5.5 with a dual-core Intel Core i7-7700HQ CPU @ 2.8 GHz and 2.0 GB RAM running Ubuntu 18.04. All experimental results are averages over 20 executions of the program.

Figure 3 shows the key generation time as a function of the threshold . We set the number of AAs to 10 in the system. As the figure shows, the time consumed for key generation remains essentially constant as the threshold increases, because the user requests keys from the AAs at the same time, and the time each AA needs to compute its sub-share of the key is almost the same. Moreover, the value of is generally within 10 in actual application scenarios. In summary, it can be considered that the time consumption in the phase is hardly affected by the threshold.

Figure 4 shows the time consumption of the , , and algorithms as the number of user attributes increases in the proposed schemes. We take the number of AAs as 10 and the threshold as 6. The performance of scheme-2 is slightly better than scheme-1 because the former has a shorter ciphertext and key, which reduces the number of exponentiation and pairing operations. We observe that the time consumption of each stage shows a nonlinear increasing trend. The main factors affecting computational efficiency are as follows. The first is that the encryption algorithm needs to compute all cases that exceed the cumulative threshold . Another is that computing the criteria sets belonging to the user dominates the execution time of the key generation algorithm (see Section 4 ()). In addition, it takes a relatively long time to evaluate the intersection of the sets and in the decryption phase. Nevertheless, the computational efficiency of our schemes is tolerable for the following reasons. The time consumption does not exceed 130 ms in any phase. To be precise, when a user owns 30 attributes, the time consumption of the first scheme is 123 ms, while that of the second scheme is 120 ms. Therefore, the efficiency of our proposed schemes is acceptable in practical scenarios. Furthermore, we remark that in the IoT scenario, the relatively intensive computation can be offloaded to outsourced equipment, while the remaining operations stay on the receiver.

7. Conclusion

In this paper, we propose two multi-authority criteria-based encryption schemes that support data access control in IoT and are proved secure in the standard model. Specifically, they remove the security bottleneck and server overload caused by relying on a single authority in the key generation phase. Moreover, each criterion carries a weight specified by the encryptor, which allows the access policy to be expressed more flexibly. The theoretical analysis and simulation evaluation demonstrate that our schemes are suitable for actual application scenarios. The remaining problem is that the time consumption of each phase in the schemes increases nonlinearly, which limits the size of the criterion universe. In future work, we are committed to constructing more lightweight frameworks.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This study was supported by the Fundamental Research Funds for the Central Universities (no. 3072020CFJ0601) and CSIC 722 Innovation Fund (no. KCJJ2019-12).