Review Article  Open Access
A Survey of Research Progress and Development Tendency of AttributeBased Encryption
Abstract
With the development of cryptography, the attributebased encryption (ABE) draws widespread attention of the researchers in recent years. The ABE scheme, which belongs to the public key encryption mechanism, takes attributes as public key and associates them with the ciphertext or the user’s secret key. It is an efficient way to solve open problems in access control scenarios, for example, how to provide data confidentiality and expressive access control at the same time. In this paper, we survey the basic ABE scheme and its two variants: the keypolicy ABE (KPABE) scheme and the ciphertextpolicy ABE (CPABE) scheme. We also pay attention to other researches relating to the ABE schemes, including multiauthority, user/attribute revocation, accountability, and proxy reencryption, with an extensive comparison of their functionality and performance. Finally, possible future works and some conclusions are pointed out.
1. Introduction
With the development of the Internet and the distributed computing technology, there is a growing demand for data sharing and processing in an open distributed computing environment. The data provider needs to provide expressive access control and data confidentiality when communicating with customers. What is more, it is urgent for largescale distributed applications to support onetomany communication mode to reduce the enormous costs of data encryption.
The traditional encryption mechanism based on public key infrastructure (PKI) [1] can achieve data confidentiality; however, it has disadvantages. On one hand, in order to encrypt data, the data provider needs firstly to obtain the public keys of authorized users and then sends the encrypted data separately to the corresponding user, which increases the processing overhead and the bandwidth demand [2]. On the other hand, although broadcast encryption [3] can solve the efficiency problem mentioned above, the data provider must obtain the user’s list before encryption. In addition, if the data provider wants the recipient to be the one with certain identity not the one who is specified, the public key encryption will not work anymore. Therefore, more applicable encryption mechanisms are required.
Identitybased encryption (IBE) [4] mechanism allows a sender to encrypt a message to an identity without accessing his public key certificate, which simplifies the certificate management procedure and reduces certificate transmission overhead. The ability to carry out public key encryption without certificates makes IBE suitable for many practical applications. For example, Alice can send a message encrypted by Bob’s email address (e.g., Bob@hotmail.com) to Bob without the support of PKI.
One common feature of all previous IBE schemes is that they regard identities as a string of characters. However, in 2005, Sahai and Waters [5] proposed a new type of IBE scheme called fuzzy IBE (FIBE) which regards identities as a set of descriptive attributes. FIBE can be regarded as the first concept of ABE in which the data owner can encrypt a message to all users that have a certain set of attributes. In the same year, Nali et al. [6] proposed a threshold ABE scheme. Although this scheme can prevent the collusion attacks, it introduces new disadvantage that the threshold semantics are limited in designing more general systems which need expressive access control.
In ABE scheme, attribute plays a very important role. Attributes have been exploited to generate a public key for encryption data and have been used as an access policy to control users’ access. Based on the access policy, subsequent researches can be roughly categorized [7] as either keypolicy or ciphertextpolicy. The first KPABE scheme that allows any monotone access structures was proposed by Goyal et al. [7], and the first CPABE scheme was presented by Bethencourt et al. [8]. After that, several KPABE [9–11] and CPABE schemes [12–20] were proposed. Goyal et al. [12] presented a bounded CPABE scheme in the standard model, but the first fully expressive CPABE scheme in the standard model was proposed by Waters [13]. Subsequently, Attrapadung and Imai [21] proposed a DualPolicy ABE scheme which allows keypolicy and ciphertextpolicy to act on encrypted data simultaneously.
Moreover, Müller et al. [22, 23] proposed a distributed ABE scheme with a constant number of bilinear pairing operations during decryption. Yu et al. [24] proposed a finegrained data access control encryption scheme. Tang and Ji [25] proposed a verifiable ABE scheme, and Wang et al. [26, 27] proposed a hierarchical ABE (HABE) scheme in 2010 and 2011, respectively. In these schemes, Wang et al. used the disjunctive normal form policy to generate the keys hierarchically, assuming that all attributes in one conjunctive clause are administered by the same domain authority. More studies on HABE are in literatures [28–30].
In each ABE scheme mentioned above, the user must go to a trusted party to prove his identity before obtaining a secret key which allows him to decrypt messages. Chase [31] gave an efficient multiauthority ABE scheme in which the user’s secret key is no longer authorized by a single center authority but authorized separately by different cooperative and independent authorities. In addition to this, there are also some multiauthority ABE schemes [31–37].
According to the existing schemes, a summary [38] of the criterial functionalities in an ideal ABE scheme is listed as follows. (1) Data confidentiality: unauthorized participants cannot know the information about the encrypted data. (2) Finegrained access control: in order to achieve flexible access control, even for users in the same group, their access rights are not the same. (3) Scalability: the number of authorized users cannot affect the performance of the scheme. That is to say, the scheme can deal with the case that the number of the authorized users increases dynamically. (4) User/attribute revocation: if a user quits the system, the scheme can revoke his access right. Similarly, attribute revocation is inevitable. (5) Accountability: in all previous schemes, the dishonest users can just directly give away part of their original or transformed keys such that nobody can tell who has distributed these keys. The above problem which is called key abuse should be prevented by accountability. (6) Collusion resistance: the dishonest users cannot combine their attributes to decrypt the encrypted data.
In order to realize an ideal ABE scheme, some researches which are aimed at addressing the issue of user/attribute revocation [8, 9, 39–48] and accountability [49–53] in ABE schemes have been published on journals or academic conferences. What is more, with its own advantages, the attributebased cryptosystem has the ability and possibility to be applied to other areas. Particularly, lots of studies which focus on the applications of ABE in proxy reencryption [54–59] have been proposed.
In conclusion, the existing research results about ABE can be generally divided into the design of ABE schemes, the multiauthority ABE schemes, and the user/attribute revocation, accountability, and applications of ABE schemes, which can be shown in Figure 1. According to this classification, the rest of this paper can be organized as follows. We introduce the basic ABE scheme in Section 2. The KPABE, CPABE, and Dualpolicy ABE are examined in Section 3. Then, multiauthority ABE is surveyed in Section 4. User/attribute revocation and accountability in ABE are shown in Sections 5 and 6, respectively. One application of ABE, the attributebased proxy reencryption, is surveyed in Section 7. What is more, in Section 8, we point out the problems worth further studying. Finally, we make some conclusions in Section 9.
2. Formal Model of the Basic ABE
In 2005, Sahai and Waters [5] proposed the FIBE which views identities as a set of descriptive attributes. With its basic and descriptive algorithms, to say the least, this scheme is usually regarded as the basic ABE scheme. In this section, firstly, we deal with the complexity assumptions used in the basic ABE scheme. Then, we give the formal algorithm and security model of it.
2.1. Complexity Assumptions
The complexity assumptions are stated below.
Definition 1 (decisional bilinear DiffieHellman (BDH) assumption). Suppose a challenger chooses at random. The decisional BDH assumption is that no polynomialtime adversary is able to distinguish the tuple (, , , ) from the tuple (, , , ) with a negligible advantage.
Definition 2 (decisional modified Bilinear DiffieHellman (MBDH) assumption). Suppose a challenger chooses at random. The decisional MBDH assumption is that no polynomialtime adversary is able to distinguish the tuple (, , , ) from (, , , ) with a negligible advantage.
2.2. Formal Definition of Algorithm Model
Sahai and Waters [5] gave the formal definition of the FIBE. Generally speaking, an ABE scheme usually consists of the following four fundamental algorithms, namely, Setup, Key Generation, Encryption, and Decryption, and it has a sender, an authority, and some receivers as participants.
The four algorithms in the basic ABE scheme are shown as follows.
Setup. This is a randomized algorithm performed by an authority in order to create a new ABE scheme. It takes no input other than the implicit security parameter and outputs a set of public parameters PK and a master key MK.
Key Generation. The authority executes this algorithm for the purpose of generating a secret key. It takes as input a set of attributes , the master key MK, and the public parameters PK and outputs a decryption key SK.
Encryption. This randomized algorithm is run by a sender who wants to encrypt a message , with a set of attributes , and the public parameters PK. It outputs the ciphertext CT.
Decryption. This algorithm takes as input the ciphertext that has been encrypted under the set of attributes, the decryption key SK associated with , and the public parameters PK. It outputs the message if , and here is a threshold parameter.
In the basic ABE scheme, the user’s secret key and the ciphertext are labeled with sets of descriptive attributes. A particular key can decrypt a particular ciphertext only if there are at least attributes overlapped between the attributes of the ciphertext and the user’s key. The decryption condition in a KPABE or CPABE scheme is that the attributes set satisfies the access structure specified in the secret key or ciphertext.
2.3. Security Model
We now discuss the security of the basic ABE scheme. A selectiveset model is defined for proving the security of the scheme under chosen plaintext attack [5]. The fuzzy selectiveID game is very similar to the standard selectiveID model for identitybased encryption [4] with the exception that the adversary is only allowed to query for secret keys for identities which have or less attributes overlapped with the target identify.
The selectiveID game played between a challenger and an adversary is shown below.
Fuzzy SelectiveID Model of the Basic ABE
Init. The adversary declares the identity, , upon which he wishes to be challenged.
Setup. The challenger runs the Setup algorithm and tells the adversary the public parameters.
Phase 1. The adversary is allowed to issue queries for secret keys of multiple identities, , where , for all .
Challenge. The adversary submits two messages and with equal length. The challenger flips a random coin to choose a value and encrypts with . The ciphertext is passed to the adversary.
Phase 2. Phase 1 is repeated.
Guess. The adversary outputs a guess of .
The advantage of an adversary in this game is defined as
Definition 3. A scheme is secure in the fuzzy selectiveID security model if all polynomialtime adversaries have at most a negligible advantage in the above game.
Sahai and Waters [5] proved the CPA security of the basic ABE scheme in the selectiveID model by reducing it to the hardness of the decisional MBDH assumption. They also pointed out that the scheme can be extended to the chosenciphertext model by applying the technique of the simulationsound noninteractive zero knowledge (NIZK) proofs to achieve the CCA security [60]. It is well known that the CPA security is the most basic security requirement of the public key encryption mechanism and that the CCA security is a stronger one. However, most of the existing ABE schemes can only be proved CPA secure and it still remains as an open problem to design a CCA secure ABE scheme. To some degree, the security proofs in the existing ABE schemes have the same thought with the idea that an ABE scheme is a secure one if no probabilistic polynomial time adversary can win the corresponding game with a nonnegligible advantage, a generally accepted fact that will be shown in the next section.
3. ABE Schemes
With stronger and richer expression capability, the FIBE [5] scheme which was introduced in Section 2 is considered as the extension of the traditional IBE scheme [4]. In an FIBE scheme, ciphertexts are labeled with a set of attributes and a user’s secret key is associated with both a threshold parameter and another set of attributes . To enable a user to decrypt a ciphertext, it is inevitable that there are at least attributes overlapped between the ciphertext and his secret key. The only access structure supported in the FIBE scheme is “threshold” which is fixed at the setup phase by the authority. However, there is an increasing need of flexible access control policies supporting the operations like “and,” “or,” “threshold,” “non,” and so forth, in many practical applications. That is to say, the FIBE scheme is limited in many general application scenarios. Therefore, more and richer types of ABE schemes were proposed. These schemes in accordance with the different protection strategy deployment ways can be divided into two main categories [7]: KPABE schemes and CPABE schemes. Also, there is a hybrid type called the dualpolicy ABE scheme, a combination of the above two types. A brief introduction to these schemes will be given in this section.
3.1. KPABE
In 2006, Goyal et al. [7] introduced the idea of a more general keypolicy attributebased cryptosystem for finegrained sharing of encrypted data and proved its security in the attributebased selectiveset model under the decisional bilinear DiffieHellman (DBDH) assumption. This scheme is called the KPABE scheme since each secret key is associated with a tree access structure which specifies the type of ciphertexts which can be decrypted by this secret key, where ciphertexts are simply labeled with a set of descriptive attributes. If and only if the attributes set satisfies the access structure specified in the secret key, the user can decrypt the ciphertext. Their scheme gives us a powerful tool for encryption with finegrained access control for applications such as sharing audit log information. It also supports delegation of secret keys. Unfortunately, with a drawback that the access policy is built into the secret key, the data owner in a KPABE scheme cannot decide the one who can decrypt the ciphertext, and he can only choose a set of attributes to control the access of ciphertexts. Besides, the access structure is a monotonic access structure which cannot express the negative attribute to exclude the participants with whom the data owner does not want to share data.
Subsequently, Ostrovsky et al. [9] proposed a scheme with a nonmonotonic access structure where the secret keys are labeled with a set of attributes including positive and negative attributes. Comparatively, the ABE scheme with nonmonotonic access structure can express a more complicated access policy. Unfortunately, this mechanism doubles the size of the ciphertext and secret key and adds encryption/decryption overheads at the same time. Ostrovsky et al.’s initial construction is recently improved by Lewko et al. [10] who used a new technique to achieve user revocation and design the most efficient nonmonotonic KPABE scheme.
In the above KPABE schemes, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exception only supports restricted forms of threshold access policies. Attrapadung et al. [11] proposed the first KPABE scheme with nonmonotonic access structures and constant ciphertext size. The disadvantage is that the secret key has quadratic size in the number of attributes.
3.2. CPABE
Goyal et al. [7] suggested the possibility of a CPABE scheme, but they did not offer any constructions. In a CPABE scheme, a user’s secret key will be associated with an arbitrary number of attributes expressed as strings, while ciphertext is associated with an access structure. A user will only be able to decrypt a ciphertext if his attributes satisfy the access structure of the ciphertext.
In 2007, using a monotonic access tree as access structure, Bethencourt et al. [8] proposed the first CPABE construction. Their scheme can support flexible access control policies like the KPABE [7] scheme, but the security proof is in the generic group model.
Cheung and Newport [14] provided a provably secure CPABE scheme which is proved to be secure under the standard model and their scheme supports AND gate on positive and negative attributes as its access policy. They use a do not care element to indicate the attribute which does not appear in the AND gate. Intuitively, the public key elements , , and correspond to the three types of occurrences of : positive, negative, and do not care. This scheme is proved to be the CPA secure under the DBDH assumption for the first time. And, it improves the security proof in Bethencourt et al.’s [8]. Unfortunately, two drawbacks remain. Firstly, it is not sufficiently expressive because it supports only policies with logical conjunction. Secondly, the size of the ciphertext and the secret key increases linearly with the total number of attributes in this scheme. These two shortcomings make this scheme less efficient than Bethencourt et al.’s [8].
Based on Cheung and Newport’s scheme [14], Nishide et al. [15] and Emura et al. [16] improved the efficiency and achieved hidden policies, respectively. Nishide et al. [15] proposed a scheme with AND gates on multivalue attributes as its access policy. Emura et al. [16] used the same access policy and propose an improved scheme. And this scheme also achieves a constant length of ciphertext and constant number of bilinear pairing operations.
In order to design CPABE scheme with flexible strategy under the DBDH assumption, Goyal et al. [12] and Liang et al. [17] adopted bounded tree structure. Goyal et al. [12] presented a bounded CPABE (BCPABE) scheme in the standard model and generalized the transformational approach to show how to transform a KPABE scheme into a CPABE one by using what they called “universal access tree.” The BCPABE scheme supports any access formulas of polynomial bounded size (including the “and,” “or,” and “threshold” operations) with a shortcoming that the sender is restricted to use only an access tree whose depth (here indicates the depth of the access trees defined in the setup phase). Liang et al. [17] improved the BCPABE scheme [12] by improving the efficiency of the encryption/decryption algorithm and shortening the length of public key, secret key, and ciphertext.
Later, Ibraimi et al. [18] used the general access tree structure to eliminate the boundary constraints in [12, 17] and presented a new technique to realize the CPABE scheme without Shamir’s threshold secret sharing. In their scheme, the sender defines the privacy policy by using an access tree which is ary tree represented by and and or nodes. Note that, realizing a scheme without threshold secret sharing is important for resourceconstrained devices since calculating polynomial interpolations to construct the secret is computationally expensive. Finally, compared with Cheung and Newport’s [14], it requires less computation overheads during the Encryption, Key Generation, and Decryption phases.
In 2011, Waters [13] proposed a new methodology for realizing CPABE under concrete and noninteractive cryptographic assumptions in the standard model. He expressed access control by a linear secret sharing scheme (LSSS) matrix over the attributes in the system (previously used structures can be expressed succinctly in terms of an LSSS). In this most efficient scheme, the ciphertext size and the encryption/decryption overheads increase linearly with the complexity of the access formula. As a result, his scheme achieves the same performance and functionality as Bethencourt et al.’s [8].
Finally, Lewko et al. [19] recently leveraged the encoding technique from Waters’s scheme [13] to propose an ABE scheme that achieves adaptive (nonselective) security. Their scheme is based on composite order groups, which results in some loss of practical efficiency when compared with Waters’.
In recent years, almost all the schemes available, to the best of our knowledge, are constructed from bilinear pairings. J. Zhang and Z. F. Zhang [20] presented a CPABE scheme which supports AND gates without bilinear pairings. Their scheme is built based on ary lattices and has a very strong security proof based on worstcase hardness. Though it seems to be not much efficient, it gives light to the possibility of constructing attributebased schemes under other hard problem assumptions (i.e., lattice problems), instead of the bilinear pairingrelated assumptions.
3.3. DualPolicy ABE
In 2009, Attrapadung and Imai [21] presented a new ABE scheme called the DualPolicy ABE. Basically, it is a conjunctively combined scheme of Goyal et al.’s KPABE scheme [7] and Waters’ CPABE scheme [13]. It allows simultaneously two access control mechanisms over encrypted data. One involves policies over objective attributes ascribed to data and the other involves policies over subjective attributes ascribed to user credentials. These two access control mechanisms can only allow either functionality above one at a time. What is more, the security proof is based on decisional bilinear DiffieHellman exponent (DBDHE) assumption.
3.4. Comparison
From what has been mentioned above, it is obvious that the basic ABE scheme and KPABE and CPABE schemes are different in complexity hypothesis, strategic flexibility, and applications. A conclusion can be made as follows.
The basic ABE scheme, which only supports “threshold” policy, is suitable for simply policyrequired applications. At the same time, KPABE and CPABE schemes, which support complex strategies, are appropriate for the applications of finegrained data sharing. In addition, in KPABE schemes, the access policy is built into the user’s secret key, so the data owner cannot choose the person who can decrypt the data. Compared with KPABE schemes, CPABE schemes are more suitable for the realistic scenes. Generally speaking, KPABE schemes apply to query applications, such as pay TV system, audit log, targeted broadcast, and database access. On the contrary, CPABE schemes are used for access control applications, such as social networking site access, and electronic medical system.
The security model of the basic ABE scheme has been shown in Section 2. Both the basic ABE scheme and KPABE schemes [7, 9] use the DBDH assumption. And the situation in CPABE schemes is more complex. It is known that the more complex a strategy is, the more complex a CPABE scheme will be and the more difficult it is to prove its security. To achieve the CPA security under the standard complexity assumption, the main research on the CPABE is focused on designing the access structure. According to different access structures, the research can be divided into three kinds: AND gate, Tree, and LSSS matrix. Now a comparison of Access structure, Complexity assumption, Security model, and Supported policy in different CPABE schemes is made in Table 1.

The comparisons of the size of keys and ciphertext and the encryption/decryption computation overhead in different CPABE schemes are given in Tables 2 and 3, respectively. We can draw a conclusion from these tables: Emura et al.’s [16] scheme is the shortest in ciphertext and SK, Bethencourt et al.’s [8] in PK, and Waters’ [13] in MK. What is more, in Bethencourt et al.’s [8], PK and MK have nothing to do with system attributes. As for computation overhead, Emura et al.’s [16] processes the lowest encryption/decryption overhead, and Ibraimi et al.’s [18] scheme has a lower one than Waters’ [13].
 
: attributes of ciphertext ; : attribute of user . : Number of element in *; : operation, where denotes bilinear paring. : Group or operation in group, or 2; is a random generator of . : Least interior nodes satisfying an access structure (include root node). : Bit length of element in *; n: number of attributes in systems. : Total number of possible value of attributes, where is the number of possible values for attribute . 
4. Multiauthority ABE
Sahai and Waters [5] introduced a singleauthority ABE scheme; however, they left the following open question: is it possible to construct an ABE scheme in which multiple authorities operate simultaneously, each distributing secret subkeys for a different set of attributes during the Key Generation phase? Subsequently, this question was answered by Chase [31] who proposed the first multiauthority ABE scheme.
In a singleauthority ABE scheme, the authority can decrypt all ciphertexts, which is not proper from the point of security. Therefore, multiauthority ABE schemes [31–37] were proposed. These schemes can be divided into two types. One needs a central authority (CA, for short) which is used to guarantee the proper decryption and can also decrypt all ciphertexts, such as schemes [31, 33, 36], while the other does not need a CA, such as schemes [32, 34, 35, 37]. In this section, we survey these existing multiauthority ABE schemes in detail.
4.1. Multiauthority ABE with a CA
Chase’s [31] proposed the first multiauthority ABE scheme where there are one central authority and attribute authorities. The CA issues identityrelated keys to users and the attribute authorities manage attributes and issue attributerelated keys. A user’s keys from different attribute authorities are linked together by the user’s global identifier (GID). In Chase’s scheme, an sender specifies, for each attribute authority , a set of attributes and a trapdoor value . He can then encrypt a message such that a user can only decrypt if he has at least of the given attributes from each attribute authority . Although this scheme increases the computation and communication cost and needs to maintain such a fully trusted authority, Chase made an important step from the singleauthority ABE to the multiauthority ABE.
To solve the problem that the CA must be fully trusted in Chase’s [31] scheme, Bozovic et al. [33] constructed a threshold multiauthority ABE scheme which offers the same security guarantees provided by Chase. In addition, it can tolerate an “honestbutcurious” CA which has a definition that it honestly follows the protocol, while it is curious to decrypt arbitrary ciphertexts, thus violating the intent of the encrypting party.
Recently, based on Lewko et al.’s CPABE scheme [19], Liu et al. [36] proposed an adaptive secure multiauthority CPABE scheme which has multiple central authorities and attribute authorities in the standard model. The central authorities issue identityrelated keys to users and the attribute authorities issue attributerelated keys to users. Prior to obtaining attribute keys from the attribute authorities, the user must obtain his secret keys from multiple central authorities. In terms of efficiency, this scheme is the same with Lewko et al.’s [19].
4.2. Multiauthority ABE without a CA
The utilization of a CA brings new security vulnerability and increases the computation and communication cost. So, in 2010, Lin et al. [32] adopted the distributed key generation (DKG) protocol [60] and the joint zero secret sharing (JZSS) [61] protocol to construct the secure threshold multiauthority fuzzy identitybased encryption (threshold MAFIBE) scheme without a central authority for the first time. To initialize the idea, the multiple authorities must cooperatively execute the DKG protocol and the JZSS protocol twice and times, respectively, where is the degree of the polynomial selected by each authority. Each authority must maintain secret keys. This scheme is resilient; namely, the scheme is secure if and only if the number of the colluding users is no more than , and must be fixed in the setup algorithm.
Chase and Chow [34] proposed a multiauthority KPABE scheme which removes the central authority by using a distributed PRF (pseudorandom functions) technique. Notably, they also addressed the privacy of the user. In previous multiauthority ABE schemes [31, 32], the user must submit his GID to each authority to obtain the corresponding secret key. This will increase the risk of user traced by a group of corrupted authorities. In order to avoid this risk, Chase and Chow [34] provided an anonymous key issuing protocol for the GID, where a 2party secure computation technique is employed. This scheme is tolerant; namely, the scheme is secure if and only if the number of the corrupted authorities is no more than , where is the number of the authorities. Chase and Chow also left an open problem on how to construct a privacy preserving multiauthority ABE scheme without the need of cooperation among the authorities.
Han et al. [37] answered the question left by Chase and Chow [34] affirmatively by proposing a decentralized KPABE scheme with the privacypreserving key extraction protocol. In their scheme, multiple authorities can work independently without any cooperation and a central authority. The GID is used to tie all the user’s secret keys together, while the corrupted authorities cannot pool the user’s attributes by tracing it. The scheme is any number tolerant for the users and tolerant for the authorities, where is the number of the authorities.
In 2011, Lekwo and Waters [35] proposed a new multiauthority scheme. Although their scheme may become inefficient for large attribute universe [13], it is the first adaptively secure multiauthority CPABE scheme proved in the random oracle model. This scheme improves the previous multiauthority ABE schemes, because it does not require collaboration among multiple authorities in the setup and key generation phases, and there is no central authority. Note that the authority in this scheme can join or leave the system freely without reinitializing the system. Besides the low efficiency, this scheme has another drawback that the attributes of the user can be collected by tracing his GID.
4.3. Comparison
The comparison between the different multiauthority schemes is shown in Tables 4 and 5. By , , and , we denote the number of the universal attributes, the attributes held by user , and the attributes required by the ciphertext, respectively. and denote the index set of the authorities. By and , we denote one exponential and one paring operation, respectively. By and , we denote one element in group and one element in group , respectively. denotes the number of the authorities in the systems. By , we denote the number of the central authorities in [36].

5. Revocation Mechanism of ABE
Revocation mechanism is necessary for any multiuser encryption systems to deal with malicious behaviors. The revocation mechanism of ABE schemes is more complicated than that of traditional public key cryptosystem or IBE schemes [40, 62–65]. For example, in CPABE schemes, different users may hold the same secret key in function related to the same attribute set, leading to additional difficulties in the design of a revocation mechanism.
In this section, we focus on ABE schemes that support revocation. In attributebased setting, revocation mechanism can usually be divided into two kinds: user revocation and attribute revocation. Currently, there are mainly two ways to realize revocation [48]: one is the indirect revocation method [8, 39–44] and the other is the direct revocation method [9, 45–47].
5.1. Indirect Revocation Method
The indirect revocation method enforces revocation by the authority who releases a key update material periodically in such a way that only nonrevoked users can update their keys (hence, revoked users’ keys are implicitly rendered useless). The indirect method has an advantage that senders do not need to know the revocation list. However, it also has a disadvantage that the key update phase can be a bottleneck since it requires communication from the authority to all nonrevoked users at all time slots. Recently, several attribute revocable ABE schemes have been proposed based on the indirect revocation method [8, 39–44].
There are several schemes [8, 39, 40] which realize attribute revocation by setting expiration time on each attribute. However, these approaches have two main problems. One is the security degradation in terms of the backward and forward security [43]. The other is the scalability problem. The authority periodically announces a key update material at each time slot so that all of the nonrevoked users can update their keys, which leads to a bottleneck for the authority.
To reduce the burden of authority and achieve immediate attribute revocation, two CPABE schemes with immediate attribute revocation with the help of semihonest service provider were proposed by Ibraimi et al. [41] and Yu et al. [42], respectively. However, they also have failed to achieve finegrained user access control in the data outsourcing environment.
For this reason, Hur and Noh [43] proposed a CPABE scheme with finegrained attribute revocation with the help of the honestbutcurious proxy deployed in the data service provider. It is an efficient revocation method by employing the binary tree representing revocation introduced by Boldyreva et al. [40] and reencrypting the ciphertext. However, their scheme cannot resist the collusion attack.
Aiming at reducing the computation overhead of data service manager, Xie et al. [44] proposed new CPABE construction with efficient user and attribute revocation. Compared with Hur and Noh’s [43], in the key update phase, the computation overhead of the data service manager will be reduced by half.
5.2. Direct Revocation Method
The direct revocation method enforces revocation directly by the sender who specifies the revocation list while encrypting the ciphertext. An advantage of the direct method over the indirect one is that it does not involve the key update phase for all nonrevoked users interacting with the authority. Although it has the above advantage, in contrast, its disadvantage is that it requires the sender to possess the current revocation list whose management could be also a troublesome task. Recently, several attribute revocable ABE schemes [9, 45–47] that used the direct mode have been proposed.
For KPABE, a direct revocation method is, however, not possible yet for the normal present form of the KPABE algorithm since a normal KPABE scheme allows the sender only to specify attribute set associated to the ciphertext. A directly revocable KPABE scheme was first mentioned by Staddon et al. [66], but their scheme only works when the number of attributes associated with a ciphertext is exactly half of the size of the universe of real attributes.
And, for CPABE, such direct revocation can be done by using Ostrovsky et al.’s [9] scheme that supports negative clauses. To do so, one just adds conjunctively the AND of negation of revoked user identities (where each is considered as an attribute here). However, this solution is still somewhat low in efficiency. Because in this scheme, the ciphertext overhead scales with and the secret key overhead scales with where is the maximum size of revoked attributes set .
Attrapadung and Imai [45] suggested a userrevocable ABE scheme by combining broadcast encryption schemes with ABE schemes. However, the data owner should take full charge of maintaining all the membership lists for each attribute group to enable the direct user revocation. This scheme is not applicable to the data outsourcing architecture, because the data owner will no longer be directly in control of data distribution after outsourcing their data to the external data server.
Liang et al. [46] proposed a CPABE scheme with efficient revocation. Their construction uses linear secret sharing and binary tree techniques, and can be proved secure in the standard model. In addition to the attribute set, each user is also assigned a unique identifier. Therefore, a user can be easily revoked by using his/her unique identifier.
All the above schemes [9, 45, 46] support user revocation, but they have no effect on attribute revocation. Recently, Wu and Zhang [47] first formalized the notion of adaptively secure ABE scheme supporting attribute revocation under direct revocation mode.
5.3. Hybrid Revocation Method
Combining the best advantages of both indirect and direct methods, Attrapadung and Imai [48] put forward the first hybrid revocable ABE scheme (HRABE) that allows a sender Alice to be able to select whether to use either direct or indirect revocation mode when encrypting a message. An HRABE scheme works as follows. When Alice selects the direct mode, she will specify the revocation list directly into the encryption algorithm. And, when selecting the indirect mode, she is required only to specify the present time slot . A user Bob has one secret key. Let be the access policy associated to Bob’s secret key. In addition, his secret key will be associated with a unique serial number ID. If ciphertext was from the direct mode, one can decrypt it solely by his key. If ciphertext was from indirect mode, he must obtain an update key from the authority at time . Let be the attribute set associated with ciphertext. In this case, he can decrypt the ciphertext if satisfies , and . Notice that in the latter case, the authority specifies when creating the update key and hence enforces revocation indirectly. This method supports user revocation, but it is unable to achieve attribute revocation. And the utilization of two subsystems increases the user’s secret key in length.
So far, we showed and discussed revocable ABE schemes which are realized in two different ways. Both of them have advantages and disadvantages. For future work, the efficiency of the proposed schemes should be improved in shortening the secret key in length, reducing the update information published in quantity, and improving encryption and decryption algorithm in efficiency.
6. Accountable ABE
The ABE mechanism is a highly promising tool for secure finegrained access control. For the purpose of secure access control, there is, however, still a critical functionality missing in the existing ABE schemes to prevent from key abuse. In particular, two problems of key abuse are extremely important in an ABEbased access control system: (i) illegal key sharing among colluding users and (ii) misbehavior of the semitrusted attribute authority including illegal key (re)distribution.
To make the problems more concrete, in this section, we focus on the prevention of key abuse in ABE. At present, accountable ABE schemes can be divided into two kinds: accountable CPABE schemes [49–51] and accountable KPABE schemes [52, 53].
6.1. Accountable CPABE
The notion of accountable CPABE (CPA^{2}BE, in short) was first proposed by Li et al. [49] to address the key abuse problem existing in access control based on ABE. In the CPA^{2}BE scheme, user accountability is achieved by embedding additional userspecific information in the secret key. It can prevent sharing keys among users based on the following observation: The user’s secret key consists of the attribute secret key and the user’s identity. Therefore, if the user shares his secret key, the identity will be detected from the pirated device. The CPA^{2}BE scheme assumes that the key in a pirated device has a format specification, so it can only do white box tracking. In addition, it can only support operation between attributes and has a limited ability to express strategies. What is more, the public key certificate center is responsible for issuing certificates for all users, which has a serious impact on performance.
Li et al. [50] prevented illegal key sharing among users by proposing the notion of accountable and anonymous CPABE (CPA^{3}BE), firstly. This idea is achieved by binding user identity in the attribute secret key. In the proposed CPA^{3}BE scheme, user accountability can be achieved in blackbox model by embedding additional userspecific information into the attribute secret key issued to that user, while still maintaining hidden access policy. But the disadvantage is that it increases the length of the decryption key and ciphertext.
Li et al. [51] proposed an accountable multiauthority CPABE scheme, which allows tracing the identity of a misbehaving user who leaks the decryption key to others and reduces the trust assumptions on not only the authorities but also the users. The tracing process is efficient because it has a lower computational cost compared with the existing accountable ABE schemes.
6.2. Accountable KPABE
The KPABE scheme is a promising cryptographic primitive which enables finegrained access control over sensitive data. However, key abuse attacks in KPABE schemes may impede its wide applications especially in copyrightsensitive systems. To defend against this attack, Yu et al. [52] proposed an abuse free KPABE (AFKPABE) scheme by introducing hidden attributes such that the tracing algorithm can use them to identify any single piracy or partial colluding users. Their design enables black box tracing and does not require the wellformed secret key of the pirated device when compared with previous works. It is also efficient since the size of both the secret key and the ciphertext is , where is the total number of users. This scheme is proved secure under the DBDH assumption and the Dlinear assumption.
As a future work, one may focus on designing a tracing system to protect against arbitrary colluders. Recently, Wang et al. [53] first presented an accountable authority KPABE scheme which is proved secure under the modified Bilinear Decisional DiffieHellman (mBDDH) assumption in the standard model.
6.3. Comparison
A comparison of the CPA^{2}BE [49], CPA^{3}BE [50], and AFKPABE [52] schemes is given in Table 6, from which we can draw conclusions below. First, all of these three schemes can achieve user accountability. Second, although the CPA^{2}BE scheme achieves the authority accountability, it lacks feasibility by assuming a format specification of secret keys. And, third, both the CPA^{3}BE and the AFKPABE protect the sender’s privacy, but the later can only partly hide attributes.
7. AttributeBased Proxy Reencryption
To make data sharing more efficient, proxy reencryption (PRE) is proposed. Introduced by Mambo and Okamoto [67] and first defined by Blaze et al. [68], PRE extends the traditional public key encryption (PKE) to support the delegation of decryption rights. It allows a semitrusted party called proxy to transform a ciphertext encrypted under Alice’s public key into another ciphertext of the same plaintext intended for Bob. The proxy, however, learns neither the decryption key nor the underlying plaintext. PRE is a useful cryptographic primitive and has many applications, such as secure distributed files systems [69] and email forwarding [68]. Considering an email forwarding scenario, Alice is going on vacation and wishes the others to be able to read the message in the encrypted email aiming to her. With a PRE scheme, she could fulfill this task without giving her secret key to either the mail server or Bob.
To date, PRE has been extended to adapt different cryptographic settings. In 2007, Green and Ateniese [70] extended the PRE technique in the identitybased cryptosystem and gave its applications. Meanwhile, another new notion was proposed in 2005, which is called the attributebased cryptosystem [5]. However, the ABE scheme does not offer the capability of decryption to others when the user is offline. For this reason, the attributebased PRE (ABPRE) scheme is proposed, which combines the traditional proxy reencryption with the ABE, so a user is able to empower designated users to decrypt the reencrypted ciphertext with the associated attributes of designated users.
Guo et al. [54] proposed the first attributebased proxy reencryption scheme, but their scheme is based on keypolicy and bidirectional. In 2009, Liang et al. [55] proposed the first ciphertextpolicy attributebased PRE (CPABPRE) scheme, in which a proxy is allowed to transform a ciphertext under a specified access policy (which is only represented as AND gates on positive and negative attributes) into the one under another access policy.
The previous ABPRE scheme demands a number of pairing operations that imply huge computational overhead. Based on Emura et al.’s [16] CPABE scheme which has a constant ciphertext length, Luo et al. [56] presented another ABPRE scheme with constant number of bilinear pairing operations. The computation cost and ciphertext length are reduced significantly compared to previous schemes.
In 2012, Seo and Kim [57] proposed a CPABPRE scheme which supports AND gates on multivalued and negative attributes. Compared with Liang et al.’s [55] scheme, Luo et al.’s have a new property named reencryption control which means the encryptor can decide whether the ciphertext can be reencrypted.
A CPABPRE scheme has many practical applications, such as finegrained access control in cloud storage systems and medical records sharing among different hospitals. The aforementioned CPABPRE schemes, however, are only secure against CPA and support AND gates over attributes. The construction of a CCA secure CPABPRE scheme supporting any monotonic access policy remains unsolved. Liang et al. [58], for the first time, proposed a new singlehop unidirectional CPABPRE scheme, which supports attributebased reencryption with any monotonic access structure, to tackle this problem. Despite being constructed in the random oracle model, it can be proved CCA secure under the decisional parallel BDHE assumption.
In 2013, Li presented a new ciphertext policy ABPRE scheme [59]. The ciphertext policy realized in his scheme is matrix access policy based on LSSS matrix access structure which is also used in Waters’ CPABE scheme [13].
In future, we hope more and richer access policies such as hidden policies, tree policies, or access structures can be used in attributebased PRE schemes. In addition, for the needs of practical applications, the efficiency of the schemes should be improved.
8. Future Work
The previous sections discuss the research process of ABE which has received considerable achievements. However, there still exist many problems worth further studying. According to application requirements and the shortcoming of the existing algorithms, some possible future works remain open and they are shown as follows.(1)Optimizing the construction method of CPABE schemes: it is known that the more complex an access structure is, the more complex a CPABE scheme will be and the more difficult it is to prove its security. Many existing construction methods add additional redundancy or restrictions (e.g., an attribute cannot repeatedly appear in the access structure), so it is necessary to optimize them. One solution is that we can try to design a new access structure which can be expressed in terms of monotone boolean formula and realized by an LSSS matrix whose size is as small as possible.(2)Improving the efficiency of attributebased encryption schemes: almost all of the existing ABE schemes take bilinear pairings as a convenient construction way. But bilinear pairing has a higher computational complexity, which makes algorithms inefficient to some extent. Reducing the number of bilinear pairing operations will be a meaningful work. We can construct schemes where ciphertexts can be decrypted with a constant number of pairings by mathematics method. Or even we can also try not to use bilinear pairings in the design of the ABE algorithm (see next item).(3)Trying to build an ABE scheme by other technologies: identitybased encryption schemes can be built with the help of three theories, including bilinear pairings, quadratic residue, and lattice. ABE is widely considered to be a generalization and an expansion of IBE, but it is only built by the bilinear pairings which have limitations in terms of efficiency. So the research which uses lattice [20] or quadratic residue theory to build an ABE scheme is obviously a very meaningful work.(4)Accountable ABE: accountability can be a very good solution to prevent key abuse and key cloning. However, the existing accountable ABE schemes are only proved to be secure in the selective model. For further study, under three assumptions of the subgroup decision problem for 3 primes (3PSDP) [19], it is necessary to design a highefficiency accountable ABE scheme which can be proved to be full (adaptive) secure by using the dual system encryption method.(5)Focusing on the applicable and practicable research of ABE: ABE was initially put forward to achieve data confidentially and finegained access control. Then, it has been considered as the suitable cryptographic technology for the cloud environment. So on the basis of solving efficiency drawbacks, combined with technologies including PRE, anonymous authentication, access control, and keyword search, it is meaningful to propose more practical ABE schemes in cloud environment. ABE has received considerable achievements at the theoretical level, but unfortunately, it has not been widely used in practical applications. So we can expect that attributebased cryptosystem and its applications will continue to be a research hot spot in the next few years.
The above is some possible future works of ABE and, certainly, there may be other problems which have been pointed out.
9. Conclusion
In recent years, attributebased encryption is a relatively attractive research topic and has many attracting properties. It provides a finegrained and noninteractive access control mechanism of encrypted data and has great potential applications in many fields. In this paper, firstly, we expound the emergence and development of ABE schemes. Then, we pay attention to main research directions of ABE, including multiauthority, use/attribute revocation, accountability, and proxy reencryption. Finally, we point out some possible future works of attributebased encryption.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This work is supported by the National Natural Science Foundation of China under Grant nos. 61103178, 61103199, and 60803151, and the Basic Science Research Fund in Xidian University.
References
 R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and publickey cryptosystems,” Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 L. Pang, H. Li, and Y. Wang, “NMIBAS: a novel multireceiver IDbased anonymous signcryption with decryption fairness,” Computing and Informatics, vol. 32, no. 3, pp. 441–460, 2013. View at: Google Scholar  MathSciNet
 L. Pang, H. Li, and Q. Pei, “Improved multicast key management of Chinese wireless local area network security standard,” IET Communications, vol. 6, no. 9, pp. 1126–1130, 2012. View at: Publisher Site  Google Scholar
 A. Shamir, “Identitybased cryptosystems and signature schemes,” in Advances in Cryptology: Proceedings of (CRYPTO '84), vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985. View at: Publisher Site  Google Scholar  MathSciNet
 A. Sahai and B. Waters, “Fuzzy identitybased encryption,” in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 457–473, Springer, Berlin, Germany, 2005. View at: Publisher Site  Google Scholar  MathSciNet
 D. Nali, C. Adams, and A. Miri, “Using threshold attributebased encryption for practical biometricbased access control,” International Journal of Network Security, vol. 1, no. 3, pp. 173–182, 2005. View at: Google Scholar
 V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attributebased encryption for finegrained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006. View at: Publisher Site  Google Scholar
 J. Bethencourt, A. Sahai, and B. Waters, “Ciphertextpolicy attributebased encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, May 2007. View at: Publisher Site  Google Scholar
 R. Ostrovsky, A. Sahai, and B. Waters, “Attributebased encryption with nonmonotonic access structures,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 195–203, November 2007. View at: Publisher Site  Google Scholar
 A. Lewko, A. Sanais, and B. Waters, “Revocation systems with very small private keys,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '10), pp. 273–285, Oakland, Calif, USA, May 2010. View at: Publisher Site  Google Scholar
 N. Attrapadung, B. Libert, and E. de Panafieu, “Expressive keypolicy attributebased encryption with constantsize ciphertexts,” in Public Key Cryptography—PKC 2011, vol. 6571, pp. 90–108, Springer, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in Automata, Languages and Programming: Part II, vol. 5126 of Lecture Notes in Computer Science, pp. 579–591, Springer, Berlin, Germany, 2008. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 B. Waters, “Ciphertextpolicy attributebased encryption: an expressive, efficient, and provably secure realization,” in Public Key Cryptography (PKC '11), pp. 53–70, Springer, Berlin, Germany, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 456–465, November 2007. View at: Publisher Site  Google Scholar
 T. Nishide, K. Yoneyama, and K. Ohta, “Attributebased encryption with partially hidden encryptorspecified access structures,” in Applied Cryptography and Network Security (ACNS 2008), pp. 111–129, Springer, Berlin, Germany, 2008. View at: Google Scholar
 K. Emura, A. Miyaji, K. Omote, A. Nomura, and M. Soshi, “A ciphertextpolicy attributebased encryption scheme with constant ciphertext length,” International Journal of Applied Cryptography, vol. 2, no. 1, pp. 46–59, 2010. View at: Publisher Site  Google Scholar  MathSciNet
 X. Liang, Z. Cao, H. Lin, and D. Xing, “Provably secure and efficient bounded ciphertext policy attribute based encryption,” in Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS '09), pp. 343–352, March 2009. View at: Publisher Site  Google Scholar
 L. Ibraimi, Q. Tang, P. Hartel, and W. Jonker, “Efficient and provable secure ciphertextpolicy attributebased encryption schemes,” in Information Security Practice and Experience (ISPE 2009), pp. 1–12, Springer, Berlin, Germany, 2009. View at: Google Scholar
 A. Lewko, T. Okamoto, A. Sahai, and B. Waters, “Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption,” in Advances in Cryptology: EUROCRYPT 2010, vol. 6110 of Lecture Notes in Computer Science, pp. 62–91, Springer, Berlin, Germany, 2010. View at: Publisher Site  Google Scholar  MathSciNet
 J. Zhang and Z. F. Zhang, “A ciphertext policy attributebased encryption scheme without pairings,” in Information Security and Cryptology (ISC '12), pp. 324–340, Springer, Berlin, Germany, 2012. View at: Publisher Site  Google Scholar  MathSciNet
 N. Attrapadung and H. Imai, “Dualpolicy attribute based encryption,” in Applied Cryptography and Network Security, pp. 168–185, Springer, Berlin, Germany, 2009. View at: Google Scholar
 S. Müller, S. Katzenbeisser, and C. Eckert, “Distributed attributebased encryption,” in Information Security and Cryptology—ICISC 2008, vol. 5461 of Lecture Notes in Computer Science, pp. 20–36, Springer, Berlin, Germany, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 S. Muller, S. Katzenbeisser, and C. Eckert, “On multiauthority ciphertextpolicy attributebased encryption,” Bulletin of the Korean Mathematical Society, vol. 46, no. 4, pp. 803–819, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and finegrained data access control in cloud computing,” in Proceedings of the IEEE INFOCOM, pp. 1–9, March 2010. View at: Publisher Site  Google Scholar
 Q. Tang and D. Ji, “Verifiable attribute based encryption,” International Journal of Network Security, vol. 10, no. 2, pp. 114–120, 2010. View at: Google Scholar
 G. Wang, Q. Liu, and J. Wu, “Hierarchical attributebased encryption for finegrained access control in cloud storage services,” in Proceeings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 735–737, October 2010. View at: Publisher Site  Google Scholar
 G. Wang, Q. Liu, J. Wu, and M. Guo, “Hierarchical attributebased encryption and scalable user revocation for sharing data in cloud servers,” Computers and Security, vol. 30, no. 5, pp. 320–331, 2011. View at: Publisher Site  Google Scholar
 J. E. Liu, Z. G. Wan, and M. Gu, “Hierarchical attributeset based encryption for scalable, flexible and finegrained access control in cloud computing,” in Information Security Practice and Experience, pp. 98–107, Springer, Berlin, Germany, 2011. View at: Google Scholar
 A. Lewko and B. Waters, “Unbounded {HIBE} and attributebased encryption,” in Advances in Cryptology (EUROCRYPT '11), pp. 547–567, Springer, Berlin, Germany, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 M. Asim, T. Ignatenko, M. Petkovic, D. Trivellato, and N. Zannone, “Enforcing access control in virtual organizations using hierarchical attributebased encryption,” in Proceedings of the 7th International Conference on Availability, Reliability and Security (ARES '12), pp. 212–217, Prague, Czech Republic, August 2012. View at: Publisher Site  Google Scholar
 M. Chase, “Multiauthority attribute based encryption,” in Theory of Cryptography, vol. 4392 of Lecture Notes in Computer Science, pp. 515–534, Springer, Berlin, Germany, 2007. View at: Publisher Site  Google Scholar  MathSciNet
 H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure threshold multi authority attribute based encryption without a central authority,” Information Sciences, vol. 180, no. 13, pp. 2618–2632, 2010. View at: Publisher Site  Google Scholar  MathSciNet
 V. Bozovic, D. Socek, R. Steinwandt, and V. I. Villanyi, “Multiauthority attributebased encryption with honestbutcurious central authority,” International Journal of Computer Mathematics, vol. 89, no. 3, pp. 268–283, 2012. View at: Publisher Site  Google Scholar  MathSciNet
 M. Chase and S. S. M. Chow, “Improving privacy and security in multiauthority attributebased encryption,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 121–130, Chicago, Ill, USA, November 2009. View at: Publisher Site  Google Scholar
 A. Lewko and B. Waters, “Decentralizing attributebased encryption,” in Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 568–588, Springer, Heidelberg, Germany, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 Z. Liu, Z. Cao, Q. Huang, D. S. Wong, and T. H. Yuen, “Fully secure multiauthority ciphertextpolicy attributebased encryption without random oracles,” in Proceedings of the European Symposium on Research in Computer Security (ESORICS '11), pp. 278–297, Springer, 2011. View at: Google Scholar
 J. Han, W. Susilo, Y. Mu, and J. Yan, “Privacypreserving decentralized keypolicy attributebased encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 11, pp. 2150–2162, 2012. View at: Publisher Site  Google Scholar
 C. Lee, P. Chung, and M. Hwang, “A survey on attributebased encryption schemes of access control in cloud environments,” International Journal of Network Security, vol. 15, no. 4, pp. 231–240, 2013. View at: Google Scholar
 M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attributebased systems,” Journal of Computer Security, vol. 18, no. 5, pp. 799–837, 2010. View at: Publisher Site  Google Scholar
 A. Boldyreva, V. Goyal, and V. Kumart, “Identitybased encryption with efficient revocation,” in Proceedings of the 15th ACM conference on Computer and Communications Security (CCS '08), pp. 417–426, October 2008. View at: Publisher Site  Google Scholar
 L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W. Jonker, “Mediated ciphertextpolicy attributebased encryption and its application,” in Information Security Applications, pp. 309–323, Springer, Berlin, Germany, 2009. View at: Google Scholar
 S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communication Security, (ASIACCS '10), pp. 261–270, April 2010. View at: Publisher Site  Google Scholar
 J. Hur and D. K. Noh, “Attributebased access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214–1221, 2011. View at: Publisher Site  Google Scholar
 X. Xie, H. Ma, J. Li, and X. F. Chen, “New ciphertextpolicy attributebased access control with efficient revocation,” in Information and Communication Technology, vol. 7804 of Lecture Notes in Computer Science, pp. 373–382, Springer, Berlin, Germany, 2013. View at: Publisher Site  Google Scholar
 N. Attrapadung and H. Imai, “Conjunctive broadcast and attributebased encryption,” in PairingBased Cryptography (Pairing '09), pp. 248–265, Springer, Berlin, Germany, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 X. Liang, R. Lu, X. Lin, and X. Shen, “Ciphertext policy attribute based encryption with efficient revocation,” Tech. Rep., University of Waterloo, 2010. View at: Google Scholar
 Q. X. Wu and M. Zhang, “Adaptively secure attributebased encryption supporting attribute revocation,” China Communications, vol. 9, no. 9, pp. 22–40, 2012. View at: Google Scholar
 N. Attrapadung and H. Imai, “Attributebased encryption supporting direct/indirect revocation modes,” in Cryptography and Coding, vol. 5921 of Lecture Notes in Computer Science, pp. 278–300, Springer, Berlin, Germany, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 J. Li, K. Ren, and K. Kim, “A^{2}BE: accountable attributebased encryption for abuse free access control,” IACR Cryptology ePrint Archive, 2009/118, 2009. View at: Google Scholar
 J. Li, K. Ren, B. Zhu, and Z. G. Wan, “Privacyaware attributebased encryption with user accountability,” in Information Security, vol. 5735 of Lecture Notes in Computer Science, pp. 347–362, Springer, Berlin, Germany, 2009. View at: Publisher Site  Google Scholar
 J. Li, Q. Huang, X. Chen, S. S. M. Chow, D. S. Wong, and D. Xie, “Multiauthority ciphertextpolicy attributebased encryption with accountability,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 386–390, March 2011. View at: Publisher Site  Google Scholar
 S. C. Yu, K. Ren, W. J. Lou, and J. Li, “Defending against key abuse attacks in KPABE enabled broadcast systems,” in Security and Privacy in Communication Networks, pp. 311–329, Springer, Berlin, Germany, 2009. View at: Google Scholar
 Y. Wang, K. Chen, Y. Long, and Z. Liu, “Accountable authority key policy attributebased encryption,” Science China: Information Sciences, vol. 55, no. 7, pp. 1631–1638, 2012. View at: Publisher Site  Google Scholar  MathSciNet
 S. Guo, Y. Zeng, J. Wei, and Q. Xu, “Attributebased reencryption scheme in the standard model,” Wuhan University Journal of Natural Sciences, vol. 13, no. 5, pp. 621–625, 2008. View at: Publisher Site  Google Scholar  MathSciNet
 X. Liang, Z. Cao, H. Lin, and J. Shao, “Attribute based proxy reencryption with delegating capabilities,” in Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS '09), pp. 276–286, March 2009. View at: Publisher Site  Google Scholar
 S. Luo, J. B. Hu, and Z. Chen, “Ciphertext policy attributebased proxy reencryption,” in Information and Communications Security, pp. 401–415, 2010. View at: Google Scholar
 J. H. Seo and H. Kim, “Attributebased proxy reencryption with a constant number of pairing operations,” Journal of Information and Communication Convergence Engineering, vol. 10, no. 1, pp. 53–60, 2012. View at: Google Scholar
 K. T. Liang, L. M. Fang et al., “A ciphertextpolicy attributebased proxy reencryption with chosenciphertext security,” IACR Cryptology ePrint Archive 2013/236, 2013. View at: Google Scholar
 K. Y. Li, “Matrix access structure policy used in attributebased proxy reencryption,” http://arxiv.org/abs/1302.6428. View at: Google Scholar
 R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure distributed key generation for discretelog based cryptosystems,” in Advances in Cryptology—EUROCRYPT ’99, vol. 1592, pp. 295–310, Springer, Berlin, Germany, 1999. View at: Publisher Site  Google Scholar
 R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Robust threshold DSS signatures,” in Advances in Cryptology—EUROCRYPT '96, pp. 354–371, Springer, Berlin, Germany, 1996. View at: Publisher Site  Google Scholar
 S. Micali, “Efficient certificate revocation,” Tech. Rep. MIT/LCS/TM542b, 1996. View at: Google Scholar
 W. Aiello, S. Lodha, and R. Ostrovsky, “Fast digital identity revocation (extended abstract),” in Proceedings of the 18th Annual International Cryptology Conference (CRYPTO '98), pp. 137–152, Springer, 1998. View at: Google Scholar
 D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Advances in Cryptology—CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 41–62, Springer, Berlin, Germany, 2001. View at: Publisher Site  Google Scholar  MathSciNet
 B. Libert and D. Vergnaud, “AdaptiveID secure revocable identitybased encryption,” in Topics in Cryptology—CTRSA 2009, vol. 5473 of Lecture Notes in Computer Science, pp. 1–15, Springer, Berlin, Germany, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 J. Staddon, P. Golle, M. Gagne, and P. Rasmussen, “A contentdriven access control system,” in Proceedings of the 7th Symposium on Identity and Trust on the Internet (IDtrust '08), pp. 26–35, March 2008. View at: Publisher Site  Google Scholar
 M. Mambo and E. Okamoto, “Proxy cryptosystems: delegation of the power to decrypt ciphertexts,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 80, no. 1, pp. 54–62, 1997. View at: Google Scholar
 M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic proxy cryptography,” in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '98), pp. 127–144, Espoo, Finland, 1998. View at: Google Scholar
 G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy reencryption schemes with applications to secure distributed storage,” ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006. View at: Publisher Site  Google Scholar  Zentralblatt MATH
 M. Green and G. Ateniese, “Identitybased proxy reencryption,” in Applied Cryptography and Network Security, pp. 288–306, Springer, Berlin, Germany, 2007. View at: Google Scholar
Copyright
Copyright © 2014 Liaojun Pang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.