Abstract

Security threats such as data forgery and leakage may occur when sharing data in cloud environments. Therefore, it is important to encrypt data and access it securely when sharing it with other users via a cloud server. Of the various security technologies, research on secure data sharing commonly employs Key-Policy Attribute-Based Encryption (KP-ABE). However, existing KP-ABE schemes generally lack ciphertext search features. Furthermore, even when a KP-ABE scheme incorporates search, the number of searches required increases markedly with the number of attributes used in the search, and the ciphertext size increases proportionally as well. In addition, the attribute authority (AA) could be attacked, which can result in the leakage of users’ decryption keys. The AA is a server that manages user attributes and decryption keys when attribute-based encryption is used in a cloud environment. If the AA is curious, it can cause a key escrow problem, because it knows the attributes and decryption (secret) key information of the users. In this paper, to solve all these problems, we present a new scheme called Searchable Key-Policy Attribute-Based Encryption (SKP-ABE) for secure and efficient data sharing in the cloud. The proposed SKP-ABE scheme allows fast ciphertext search and keeps the ciphertext at a constant size. The key escrow problem is solved via user key generation.

1. Introduction

Developments in cloud computing technology have made it possible to collect, manage, and share big data from Internet of Things (IoT)-Cloud environments such as Unmanned Traffic Management (UTM), companies, and the Internet of Medical Things (IoMT). However, as shown in Figure 1, several security threats exist in the cloud [1, 2]. First, cloud service providers cannot be completely trusted. Users think that their data is securely protected if an external cloud is used. However, the service provider may know the contents of the data stored and used on its server. As another security threat, an attacker (a malicious user) can compromise shared data. An attacker may access the server, tamper with the stored data, and leak the data. If the data stored on the cloud server is sensitive information, this will pose a significant security threat [3, 4]. Therefore, a security technique that encrypts data stored and transferred in the cloud is required, as is access control for this encrypted data. Of the various security technologies, attribute-based encryption (ABE) ensures secure data encryption/decryption and access control. ABE performs encryption/decryption employing multiple user attributes. It is widely used for secure data sharing in the cloud. ABE schemes include key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). The two ABE schemes differ in whether the data Access Structure (AS) is contained in the ciphertext or in the data user secret key. If the AS is included in the ciphertext, the CP-ABE scheme is used, and if the AS is included in the data user secret key, the KP-ABE scheme is used. The differences between the two types of ABE schemes are explained in Section 2 [5, 6].

In this paper, we research data sharing in an N:1 cloud environment where data users can decrypt ciphertexts with the attributes of the AS included in the secret key. Here, “N” means multiple users. Since the KP-ABE scheme is suitable for an N:1 cloud environment, research on KP-ABE was conducted. To date, various KP-ABE schemes have been analyzed for secure data storage and sharing technology. However, the existing KP-ABE schemes include ones that are exposed to security threats and ones that are inefficient.

First, the traditional KP-ABE schemes encrypt and store data in the cloud in a form that cannot be searched. Therefore, all stored ciphertexts must be decrypted when seeking a desired ciphertext among numerous ciphertexts. This makes the process inefficient. To solve this problem, efforts have been made to introduce searchable encryption [7–10]. However, the number of searches required and the ciphertext size increase proportionally to the number of attributes [11, 12]. This wastes storage space on the server. In addition, when using attribute-based encryption, a server known as the attribute authority (AA) manages user attributes. The AA plays a role in creating secret keys (ciphertext decryption keys) that include public parameters and user attributes. Data owners and users apply the keys to encrypt/decrypt data. If an AA is attacked, users’ secret keys may be leaked. Furthermore, most KP-ABE schemes trust their AAs. However, a curious AA can still access and decrypt the ciphertexts stored in the cloud using the user attribute information and secret key information that it holds. In other words, a key escrow problem may be caused by the AA [13–15].

In this paper, we propose a secure and efficient data storage and sharing system, based on our research and analysis of ABE, to solve the security threats in cloud environments. Our system allows fast ciphertext search, and the ciphertext size is kept constant. The key escrow problem is solved via user key generation. In summary, we establish a secure and efficient data storage and sharing system by proposing a searchable key-policy attribute-based encryption (SKP-ABE) system to which various requirements are applied. The contributions of this paper are as follows:

(i) Efficiency of ciphertext search: The cloud server uses searchable encryption technology to quickly search for the ciphertext requested by the user [16, 17]. Compared with existing KP-ABE schemes, the proposed SKP-ABE scheme aggregates the attribute values included in the ciphertext index. In this case, when searching for a ciphertext, it is possible to find the ciphertext in one search regardless of the number of attributes.

(ii) Output of ciphertext of constant size: A ciphertext of a constant size is output by aggregating the values of the attributes included in the ciphertext and expressing them as a single value. The size of the ciphertext does not increase with the number of attributes included in the ciphertext.

(iii) Solution of key escrow problem: In existing KP-ABE schemes, the AA generates a key corresponding to the user’s AS and transmits it to the user. That is, the AA knows information about the users’ secret keys and attributes, which is sufficient to cause a key escrow problem. In the proposed scheme, the AA creates a partial secret key and sends it to the user. The user creates a final secret key that can decrypt the ciphertext from the received partial secret key. Therefore, the AA does not know the users’ secret key information, and the key escrow problem that occurs in an AA is solved.

The remainder of this paper is organized as follows: Section 2 describes the research background, explaining ABE, existing KP-ABE schemes, and the KP-ABE security model. Section 3 describes the security requirements to be provided. Section 4 describes the proposed SKP-ABE scheme. Section 5 analyzes the security and efficiency of the scheme, and Section 6 concludes the paper.

2. Background

This section describes ABE and the preliminaries and formulas for understanding it. Then, the KP-ABE system and KP-ABE security model are explained.

2.1. Preliminaries
2.1.1. Bilinear Map

Bilinear mapping was proposed in the past as a tool to attack elliptic curve cryptosystems. Recently, however, it has been used as a cryptographic tool for information protection, and elliptic curve cryptography (ECC) algorithms based on bilinear mapping are widely used in IoT environments. A bilinear pairing function is called a bilinear mapping, and the notation is expressed as follows: Suppose we have multiplicative groups and with the same order . Assume that it is difficult to solve the discrete logarithm problem within a group. Let be a generator group of and let be a bilinear mapping that satisfies the following properties:

(1) Bilinearity: For all and all

(2) Nondegeneracy: For all , if , then

(3) Computability: For all , there is an efficient algorithm to compute

2.1.2. Bilinear Diffie Hellman (BDH) Assumption

The deterministic BDH assumption means that, given two pairs and , there is no algorithm A that can distinguish between the two pairs with meaningful probability. Here, If algorithm A is able to solve the deterministic BDH assumption, that is if satisfied, then algorithm A has an advantage of [18].

2.1.3. Bilinear Diffie Hellman Exponent (BDHE) Assumption

The deterministic BDHE assumption means that, given , there is no algorithm A that can compute with a meaningful probability. Here,, and ; when the next two pairs are (), (). If algorithm A is able to solve the deterministic BDHE assumption, that is if satisfied, then algorithm A has an advantage of [18].

2.1.4. Decisional Bilinear Diffie-Hellman (DBDH) Assumption

Given , , , where l, m, n ∈ , the DBDH problem is to distinguish from , where z ∈ . Given B is an algorithm, and its advantage in solving the problem is . The DBDH assumption states that the advantage of an algorithm B in solving DBDH problem is negligible.

2.1.5. Elliptic Curve Discrete Logarithm Problem (ECDLP) Assumption

Elliptic curve cryptography can achieve the same security as previous public key encryption methods with fewer bits; it is widely used in IoT and other lightweight environments. Compared to the previous public key encryption methods, it uses short keys, so it is easier to manage the keys, and the encryption is processed at high speed. To use ECC, an elliptic curve is a set of solutions of the equation defined for arbitrary integers and . The fact that the point is on the elliptic curve means that the previous equation is satisfied. can be defined for any integer for two points and . Finding the solution is the discrete logarithm for elliptic curves. That is, it is easy to find by using in . However, it is very difficult to infer the value of even if you know and [19].

2.2. Attribute-Based Encryption
2.2.1. Access Structure

ABE is a scheme of performing encryption/decryption based on an AS created using a set of attributes (e.g., affiliation and occupation) for each entity. Here, the AS is shown in Figure 2. In the access tree, denoted by T, each non-leaf node can represent a threshold gate: an OR gate or an AND gate, depending on the threshold. In general, for all nodes , we use the notations and to represent the threshold of and the number of children, respectively. For a non-leaf node , if =1, then represents an OR gate. If = , it represents an AND gate. If 1 < <, then is a threshold gate. We define =1 and =0 for leaf node [5, 6, 20, 21].
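An added example, not code from the paper: a threshold-gate access tree evaluated against an attribute set, extended with the Shamir-style secret sharing over the tree that access-tree ABE constructions commonly use, so that only a satisfying attribute set recovers the root secret. The `Node`, `gate`, `share` and `reconstruct` helpers, the prime `P`, the attribute names, and the use of plain field elements in place of pairing-group elements are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

P = 2**127 - 1  # prime modulus for the share arithmetic (constructed value)


@dataclass
class Node:
    attr: Optional[str] = None      # attribute name on a leaf, None on a gate
    threshold: int = 1              # children that must be satisfied (1 on a leaf)
    children: List["Node"] = field(default_factory=list)


def leaf(attr: str) -> Node:
    return Node(attr=attr)


def gate(k: int, *kids: Node) -> Node:
    if not 1 <= k <= len(kids):
        raise ValueError("threshold must be between 1 and the number of children")
    return Node(threshold=k, children=list(kids))


def OR(*kids: Node) -> Node:        # threshold 1
    return gate(1, *kids)


def AND(*kids: Node) -> Node:       # threshold = number of children
    return gate(len(kids), *kids)


def satisfies(node: Node, attrs: Set[str]) -> bool:
    """True when the attribute set satisfies the (sub)tree rooted at node."""
    if node.attr is not None:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.threshold


def share(node: Node, secret: int, out: Dict[int, int]) -> Dict[int, int]:
    """Split secret top-down; out maps id(leaf) to that leaf's share."""
    if node.attr is not None:
        out[id(node)] = secret
        return out
    # Random polynomial q of degree threshold-1 with q(0) = secret;
    # the i-th child receives q(i) as the secret of its own subtree.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for i, child in enumerate(node.children, start=1):
        q_i = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        share(child, q_i, out)
    return out


def reconstruct(node: Node, attrs: Set[str], shares: Dict[int, int]) -> Optional[int]:
    """Recover the subtree secret bottom-up, or None if attrs do not satisfy it.

    Here a leaf share is released only when its attribute is in attrs; a real
    scheme enforces that cryptographically rather than with an if-statement.
    """
    if node.attr is not None:
        return shares[id(node)] if node.attr in attrs else None
    points = []
    for i, child in enumerate(node.children, start=1):
        value = reconstruct(child, attrs, shares)
        if value is not None:
            points.append((i, value))
    if len(points) < node.threshold:
        return None
    points = points[: node.threshold]
    secret = 0
    for xi, yi in points:           # Lagrange interpolation at x = 0
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


# Constructed sample policies and attribute names.
POLICY = OR(AND(leaf("Director"), leaf("Manager")), leaf("Company A"))
TWO_OF_THREE = gate(2, leaf("Director"), leaf("Manager"), leaf("Auditor"))


def demo(policy: Node, attrs: Set[str], secret: int = 0xC0FFEE):
    shares = share(policy, secret, {})
    return satisfies(policy, attrs), reconstruct(policy, attrs, shares)


if __name__ == "__main__":
    for attrs in ({"Company A"}, {"Director"}, {"Director", "Manager"}):
        print(sorted(attrs), demo(POLICY, attrs))
```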

2.2.2. Types of ABE

ABE includes CP-ABE or KP-ABE depending on the AS created by the user. In Figure 3(a), the data owner includes the AS when generating the ciphertext and stores it on the cloud server, where multiple users can access it. At this time, the ciphertext can be decrypted only if a user’s attributes match the attributes of the AS included with the ciphertext. For example, if the AS is created with {{Director AND Manager} OR Company A}, only users with the Director and Manager attributes among users with the company A attribute can decrypt the ciphertext [5]. The CP-ABE scheme has the advantage of being accessible to any user with the attributes of the AS included in the ciphertext. Therefore, it is widely used in cloud 1:N (N is the number of users) environments. Figure 3(b) shows the KP-ABE scheme. In a KP-ABE scheme, data users create an AS using their attributes and create a corresponding secret key, which is the ciphertext decryption key. When data owners generate ciphertexts, they encode the attributes of the users with whom the data will be shared. The ciphertext is stored on the cloud server. Data users can access the cloud server at any later time using a secret key that includes the AS and decrypt the ciphertext with the correct attribute values. For example, if a data owner creates a ciphertext with the attributes {{Director}, {Company A}} and uploads it, only users with the attributes {{Director}, {Company A}} in their AS can decrypt it. In the KP-ABE scheme, when multiple users encrypt data with the attributes of the users with whom they want to share it and upload it to the cloud server, only users with the AS of the attributes designated by the data owner can decrypt the ciphertexts. Therefore, it is widely used in cloud N:1 environments. Figure 3 shows how ABE can be applied to an N:N cloud environment.
This paper researches a data sharing system in an N:1 cloud environment in which, when a large amount of data is encrypted, collected, and stored, an authenticated user can decrypt a number of the stored ciphertexts with their private key. Therefore, research on KP-ABE is suitable.

2.2.3. KP-ABE Model

Figure 4 shows an application of a KP-ABE scheme to cloud environments. There are four entities: an AA, a data owner (a user who uploads ciphertext to the cloud), a data user (a user who attempts to decrypt ciphertext stored on the cloud), and a cloud storage server. First, a master key and public parameters are generated during the setup phase of the AA. Next, the users create an AS using their attributes, send it to the AA, and request a secret ciphertext decryption key. In a KP-ABE scheme, the AS can be created by the user, or the AA can be asked to create the AS for the user. In the latter case, the AA generates a secret key corresponding to the user’s AS and sends it to the user with the public parameters. When a data owner generates a ciphertext, encryption is performed based on the attributes of the users that should be allowed access to it. Next, the ciphertext is uploaded and stored on a cloud server. Users registered with the AA generate tokens and send them to the cloud server. The cloud server transmits the ciphertext requested by the users. Finally, the users obtain the data by decrypting the ciphertext using the AS with that attribute and the received secret key [6, 22].

2.3. Challenges to Build KP-ABE Scheme

Various requirements must be provided to build a secure and efficient data sharing system by applying KP-ABE. The requirements are keyword search, constant-size ciphertext output, key escrow problem solving, verifiable outsourcing, attribute withdrawal, AS anonymization, etc. In order to build a secure KP-ABE scheme, research is needed to provide the abovementioned requirements. However, the KP-ABE scheme is inefficient because the scheme (model) becomes heavy when all requirements are applied. Therefore, there is a need for research to apply the requirements according to the environment.

The SKP-ABE scheme proposed in this paper also provides ciphertext search, as some existing schemes do. The difference from the existing KP-ABE schemes that provide ciphertext search is that it provides a fast ciphertext search by aggregating the attributes included in the token. In addition, it solves the key escrow problem that occurs in the AA and provides a ciphertext of a constant size. Therefore, it satisfies more requirements than the existing KP-ABE schemes that provide only keyword search.

2.3.1. Searchable Encryption

As cloud computing develops, users store and manage large amounts of data using storage space provided by an external service provider such as Google Cloud. However, when sensitive personal information is stored externally, security issues arise. Therefore, it is important to encrypt all data. However, the cloud server must then decrypt all stored ciphertexts to find the data requested by a user. This is very computationally inefficient [7–10]. One of the security technologies that solves this is searchable encryption. With it, the data requested by the user can be found without decrypting the ciphertext. Therefore, when multiple owners encrypt and store data on the cloud, users can efficiently locate the desired ciphertext.

An early version of searchable encryption, proposed by Song, Wagner, and Perrig in 2000, is a hidden search designed to be searchable without leaking plaintext information [23]. However, the initial version lacked a clear definition of security. Since then, searchable encryption systems that use symmetric or asymmetric keys have attracted much attention. Currently, searchable encryption technology is used with ABE to improve ciphertext search efficiency [7–10].

Figure 5 shows a KP-ABE scheme with searchable encryption applied. The existing KP-ABE scheme assumes that when a user requests a ciphertext from the cloud server, the cloud server transmits the ciphertext to the user. However, KP-ABE schemes with searchable encryption add the phase of searching for a ciphertext on the cloud server.

In detail, the ciphertext is retrieved from the cloud server based on keywords and attribute values. The data owner selects keywords and attribute values, creates an index, and uploads it to the cloud along with the ciphertext. Next, the user creates a search token using keywords and attribute values to find the ciphertext. Then, it is sent to the cloud server to request the ciphertext. The cloud server searches for the ciphertext by comparing the stored ciphertext index value (including keyword values and attributes) with the search token values (including keyword values and attributes). If matching ciphertexts are found, they are sent to the user. The cloud server finds the requested ciphertext but does not decrypt it [24].

2.3.2. Key Escrow Problem

Key escrow is a system that entrusts encryption (secret) keys to a third party (server) and stores them. If the user key is damaged or lost, the previously entrusted secret key can be issued through the server. However, a server that knows the information about the key may cause a key escrow problem, in that it may attempt to access and decrypt the ciphertext. As a result, user data may be leaked, and various security threats such as abuse of access rights may occur. From the past to the present, in various cryptographic research fields such as key recovery, signatures, and ABE, this problem has often occurred in the servers that generate and manage keys (the key generation center (KGC), the AA, etc.) [25–28]. In an environment where a key escrow problem occurs, it is assumed that users do not completely trust the server managing the key. Therefore, entrusting all key information to the server is a risk factor [29].

The AA is a trusted server that manages attributes and generates keys in a data sharing environment using KP-ABE. However, some KP-ABE schemes regard the AA as a semi-trusted server that manages user attributes, and they note that a key escrow problem can well occur in the AA. The term semi-trusted means that the AA is not fully trusted because it has information about the users’ secret keys that could cause a key escrow problem. The AAs are honest but curious and have the right to view user information at any time. In the KP-ABE scheme, the AA generates a ciphertext decryption key corresponding to the user’s attributes and transmits it to the user. Since the AA knows the user’s secret key, it can use it to access the cloud and decrypt the user’s ciphertext. Therefore, research has moved from the existing KP-ABE schemes with a single AA to KP-ABE schemes with multiple AAs. This research aims to prevent, in advance, a key escrow problem arising from the users’ key and attribute information that the AA alone knows [13, 28].

In the multi-AA scheme, when a user requests a secret key by global identity (GID), values corresponding to user attributes are calculated in each AA to create a secret key and send it to the user. Although there is a scheme in which the user generates a secret key with the attribute value received from the AA, usually, multi-AAs generate a secret user key and send it to the user. Above all, since multi-AAs share information about the users’ secret key, the AA cannot independently cause a key escrow problem. However, the multi-AA scheme has a disadvantage. The amount of computation required to generate a user secret key increases according to the number of AAs, and a collusion attack between AAs must also be considered. Furthermore, in some KP-ABE schemes, the multi-AA scheme is also viewed as a concept managed by a Central Authority.

2.4. Related Work

In 2006, an initial version of the KP-ABE system was proposed, and based on this, research was conducted to satisfy various requirements. This SKP-ABE scheme provides ciphertext search, constant-size ciphertext, and key escrow problem solving. Table 1 lists an analysis of existing KP-ABE schemes. The description of the KP-ABE scheme that provides the ciphertext search is as follows.

Yin et al. [7] developed a model that adds searchable encryption to the KP-ABE scheme. It is useful when searching for ciphertext in a cloud that manages big data, but the ciphertext size increases with the number of attributes. In addition, as the data owner creates a secret key and transmits it to the user via a secure channel, the data owner knows its secure key. Thus, a key escrow problem may occur.

Ameri et al. [8] considered an environment where the cloud provider was not completely trusted. Their scheme allows the creation of a search token at any time. This token matches all ciphertexts containing the keyword. However, as information leakage is possible, Ameri et al. proposed KP-ABE schemes, in which the search token matches only ciphertext generated within a specified time interval [8]. That is, it is a scheme that can share ciphertexts within a specified time frame using temporary keywords. Nonetheless, they did not consider the key escrow problem. They assumed that the AA was fully trusted. However, since the AA knows the users’ key information, this can cause a key escrow problem. Also, ciphertext size increases by the number of attributes included in the ciphertext.

Li et al. [9] proposed a secured ABE scheme with a searchable encryption function to protect the security and privacy of sensitive data. To counter keyword-guessing attacks, all keywords were signed using secret keys of the data owners when generating ciphertexts. However, depending on the number of attributes, it can increase the size of the ciphertext, and it has the key escrow problem.

Meng et al. proposed a scheme that improved computation efficiency by using a constant-size output ciphertext and a constant pairing operation in a KP-ABE scheme that provides searchable encryption [10]. However, the key escrow problem remained possible.

Figure 6 shows how ciphertext is searched on the cloud server. It assumes that three ciphertexts are stored on the cloud server, each with two attributes. When the server searches for a ciphertext, the first search compares the first attribute of the token with the first attribute of the ciphertext. The second search compares the second attribute of the token with the second attribute of the ciphertext and finds a matching ciphertext. In Figure 6(a), the number of ciphertext searches increases proportionally to the number of attributes contained in the token and ciphertexts. Examples are the searchable KP-ABE schemes mentioned above (Yin et al., Ameri et al., Li et al., and Meng et al.). To solve this problem, an aggregate operation is performed on the attribute values included in the ciphertext and on the attribute values of the token generated by the user. Then, the aggregated attribute values of the token and the ciphertext are compared to find a matching ciphertext [16, 17, 32]. Figure 6(b) shows the aggregate attributes of tokens and ciphertexts when searching for a ciphertext. As a result, the number of ciphertext searches is not affected by the number of attributes contained in the tokens and ciphertexts. The disadvantage is that tokens can be generated in multiple ways depending on the aggregate attributes of the ciphertext that the user wants to find. However, if an aggregation operation is used, searching for a ciphertext requested by the user on the server will be more efficient than the scheme in Figure 6(a). In terms of decryption, since the goal is to find the ciphertext in most KP-ABE schemes that provide searchable encryption, the decryption process of the ciphertext is omitted. Therefore, partial decryption is not provided.

The KP-ABE schemes that address the key escrow problem and constant-size ciphertext are as follows. The KP-ABE schemes of Longo et al. [13] and Leyou Zhang et al. [14] solved the key escrow problem using a multi-AA or decentralized AA. By dividing the key generation authority of a single AA among multiple AAs, no individual AA knows all of the information about a user’s secret key. However, the ciphertext search function is not provided, and constant-size ciphertext and partial decryption are provided depending on the scheme. The schemes of both Kai Zhang et al. [30] and Belguith et al. [31] output constant-size ciphertext [26, 27].

2.5. KP-ABE Security Model Definition

The security goal of searchable ABE is to prevent an attacker from obtaining information about a keyword from the search token and index keywords in the ciphertext. In other words, if a search token is not found, it should not disclose information about the index keyword w. KP-ABE schemes must provide security against attackers who can obtain search tokens for arbitrary keywords w of their choosing. Even in these attacks, the attacker should not be able to distinguish the encryption of the keyword and the encryption of the keyword , which does not include obtaining the trapdoor [7, 16]. We use an adaptive chosen keyword attack game and an adaptive chosen plaintext attack game to define the security model of search tokens and index keywords. We provide a formal definition of security through the following games between a probabilistic polynomial-time attacker A and challenger C.

2.5.1. Adaptive Chosen Keyword Attack Game

(1) Challenger C executes to generate master key MK and public parameter PP. Then, it sends the PP to attacker A

(2) Attacker A can adaptively query the ciphertext for all search keywords. Accordingly, when A requests the ciphertext for the search keyword , C generates the ciphertext as and sends it to the attacker A

(3) Attacker A selects two keywords and and sends them to challenger C. C fairly selects a random bit value as , has the attribute set {} received from the attacker, and encrypts it with to generate . And it sends the ciphertext index to the attacker

(4) Attacker A continuously requests a private key query from challenger C and generates a legitimate search token by encrypting the query keyword w (w is expressed as or )

(5) Attacker A guesses that b is b. We define the advantage that attacker A wins in the above game within stochastic polynomial time as .

Definition 1. Searchable ABE is semantically secure against adaptive chosen keyword attacks in the above security game when the attacker has at most a negligible advantage in probabilistic polynomial time (PPT). That is, in the chosen keyword attack model, the search token and index keyword should not expose the plaintext information of the query keyword.
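The game above as an added, runnable harness (not the paper's code): a symmetric HMAC-based index stands in for the scheme's index generation, and the class names, the two keywords and the `play` helper are assumptions. It measures the empirical advantage of an attacker who only replays a step-(2) query, showing that a deterministic index loses the game outright while a randomized index that the server can still match against a token does not.

```python
import hashlib
import hmac
import random
import secrets


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class DeterministicIndex:
    """Index(w) = HMAC(k, w): equal keywords always give equal index values."""

    def __init__(self):
        self.key = secrets.token_bytes(32)      # challenger's master key

    def token(self, w: str) -> bytes:
        return _mac(self.key, w.encode())

    def index(self, w: str):
        return self.token(w)

    @staticmethod
    def match(index, token: bytes) -> bool:
        return hmac.compare_digest(index, token)


class RandomizedIndex(DeterministicIndex):
    """Index(w) = (r, HMAC(token(w), r)) with a fresh random r per index."""

    def index(self, w: str):
        r = secrets.token_bytes(16)
        return r, _mac(self.token(w), r)

    @staticmethod
    def match(index, token: bytes) -> bool:
        r, tag = index
        return hmac.compare_digest(tag, _mac(token, r))


def replay_attacker(index_oracle, w0: str, w1: str, challenge) -> int:
    """Guess b by asking the step-(2) oracle for w0 again and comparing.

    Only the index oracle is used; no search-token query is needed.
    """
    return 0 if index_oracle(w0) == challenge else 1


def play(scheme_cls, rounds: int = 2000, seed: int = 1) -> float:
    """Run the game `rounds` times and return |Pr[guess = b] - 1/2|."""
    rng = random.Random(seed)   # seeded only so the measurement is repeatable
    wins = 0
    for _ in range(rounds):
        scheme = scheme_cls()                   # step (1): setup
        w0, w1 = "invoice", "payroll"           # step (3): constructed keywords
        b = rng.getrandbits(1)                  # challenger's hidden bit
        challenge = scheme.index((w0, w1)[b])
        guess = replay_attacker(scheme.index, w0, w1, challenge)   # step (5)
        wins += int(guess == b)
    return abs(wins / rounds - 0.5)


if __name__ == "__main__":
    print("deterministic index advantage:", play(DeterministicIndex))
    print("randomized index advantage:   ", play(RandomizedIndex))
```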

2.5.2. Adaptive Chosen Plaintext Attack Game

(1) Challenger C executes to generate master key MK and public parameter PP and sends PP to attacker A. A sends a set of attributes {} that it wants to test to C

(2) Attacker A requests a secret key query corresponding to the access structure {} from C. At this time, the limitation is that the set of attributes {} must not satisfy the access structure {}. Attacker A receives the secret key from C, encrypts the keyword to be queried, and generates a search token

(3) Attacker A selects two messages and and sends them to challenger C. C fairly selects a random bit value as , and encrypts it as with the attribute set {} received from the attacker. And it sends the ciphertext to the attacker

(4) Attacker A continuously requests the secret key query corresponding to the access structure {} from challenger C as in (2). Restrictions here are the same as in (2).

Attacker A guesses that b is b. We define the advantage that attacker A wins in the above game within stochastic polynomial-time as .

Definition 2. Searchable ABE is semantically secure against adaptive chosen plaintext attacks in the security game above if the attacker has at most a negligible advantage in PPT.

3. Security Requirements

This section describes the requirements in terms of security and efficiency, such as data encryption/decryption and data access, for secure and efficient data storage and sharing in the cloud.

(i) Shared data confidentiality and integrity: If data stored and shared in the cloud is in plain text, the data is exposed to various security threats. Therefore, security for the shared data is required, and the confidentiality and integrity of shared data must be ensured. The ciphertext should be decryptable only by legitimate users.

(ii) No access for unauthorized users: If anyone can access cloud data, various security threats arise. Thus, access control is required. ABE is a security and access control technology. Only an authenticated user can decrypt accessed data by comparing an attribute value specified by the data owner with the AS attribute value of the user’s secure key. Thus, users without the correct attributes cannot decrypt the data even if they access it.

(iii) Ciphertext search efficiency: It is difficult for a user to search for the desired data among the numerous ciphertexts stored in the cloud. To search for a ciphertext requested by a user, all stored ciphertexts must be decrypted to check the contents of their data. This is inefficient. Therefore, searchable encryption technology, which enables users to search for the requested data without decryption, is essential [7–10]. However, in some of the existing schemes, the number of searches increases proportionally to the number of attributes when searching for a ciphertext. Therefore, in the KP-ABE scheme, it is necessary to aggregate the values of the attributes corresponding to the ciphertext keywords. As a result, the user should be able to search for the desired ciphertext quickly.

(iv) Constant-size ciphertext: In existing KP-ABE schemes, the size of the generated ciphertext is proportional to the number of included attributes. Cloud storage space is used inefficiently due to the increased ciphertext size [11, 12]. Therefore, research is needed on schemes in which the ciphertext is output at a constant size regardless of the number of attributes.

(v) The key escrow problem: Since the AA knows information about the users’ secret keys, it cannot be fully trusted, because that can cause a key escrow problem. Therefore, it is necessary to reduce the AA’s secret key generation authority. Specifically, the key escrow problem can be solved by generating a secret key using multiple AAs. For example, a user receives a partial secret key from the AA and generates the final secret key [33, 34].

4. The Proposed SKP-ABE Scheme

In this section, our proposed SKP-ABE scheme is described (see Figure 7). When searching for a ciphertext, the attribute values of the token and ciphertext are aggregated and compared.

Therefore, it is possible to find the requested ciphertext quickly. Furthermore, the key escrow problem on an AA is solved by generating a final ciphertext decryption key using a partial secret key received from the AA. In addition, by using a constant-size ciphertext, the effects of attribute number on ciphertext size are minimized. Finally, the cloud server finds the ciphertext and sends it to the user, and the user decrypts it to obtain data.

4.1. System Model
4.1.1. System Entities

(i) Data Owner: The data owner encrypts data and uploads it to the cloud. The owner generates a ciphertext (CT) with the attributes of the users who can access the data. Then, an index is created by selecting keywords that can represent the CT. Finally, the CT and index are uploaded together to the cloud server.

(ii) Cloud Server: In general, a cloud server includes a storage server in which data is stored and a server that performs operations. For example, the cloud server stores and manages data. When a user requests ciphertext, the server performs a ciphertext search using the ciphertext index and the token value received from the user. After that, the retrieved ciphertexts are sent to the user.

(iii) Attribute Authority: The AAs are honest but curious and have the right to view user information at any time. In the proposed SKP-ABE scheme, the secret key generation phase of the AA is changed to a partial secret key generation phase. In addition, when registering a user, the AA generates a certificate that can be authenticated and sends it to the user. The certificate is used to verify that the user is registered when the user later accesses the cloud server.

(iv) Data User: A data user is an entity that downloads and decrypts ciphertext uploaded to the cloud. The user generates a final secret key (FSK) to decrypt the ciphertext using the partial secret key (PSK) received from the AA. In addition, by selecting the keywords of the ciphertext to be found, a token is generated. A user can request ciphertexts from the cloud server with a token. When the user receives the ciphertext from the cloud server, the user decrypts it with the FSK to obtain the data.

4.1.2. System Parameters

The system parameters used in the proposed SKP-ABE scheme are shown in Table 2.

4.1.3. Procedure

This proposed SKP-ABE scheme provides secure and efficient data storage and sharing in cloud environments. Compared to existing KP-ABE schemes shown in Table 1, the proposed SKP-ABE scheme meets more requirements. This SKP-ABE scheme consists of 7 phases. The phases are as follows.

(i): The AA generates master key (MK) and public parameters (PP) with security parameter k as input. The data user generates a private/public key pair.

(ii): When a user requests registration and a partial secret key from the AA, the AA creates AS based on the user’s attributes. Next, it generates a partial secret key (PSK) also based on the user’s attributes, creates a certificate () based on the user’s and public key, and sends them all to the user.

(iii): The user receives PSK and AS from the AA and generates the final secret key (FSK) corresponding to the AS.

(iv): The data owner selects the message (M) and encrypts it with the attribute sets (A) and PP of the users who can access their data. In addition, index value () is created by selecting keywords that represent the CT and transmitted to the cloud server along with the CT. A keyword is a word that can represent a CT and is known only to the data owner and user.

(v): The user generates a token to find the CT in the cloud. At this time, a token is generated with the keywords of the CTs to be found and the FSK received from the AA. It then signs the token with the certificate and sends the TK to the cloud to request the CT.

(vi): The cloud server verifies that the CT of the registered user is requested through. Then, the CT requested by the user is found using the received and the CT index (). The searched CT is expressed as {0, 1}, and as a result, 0 means not found, and 1 means found. The retrieved ciphertexts are sent to the user.

(vii): When the user receives the CTs from the cloud server, it decrypts by comparing the attribute value in the AS with the attribute value in the CT. If the decryption is successful, the user can obtain a message M.

4.2. Description of the Proposed SKP-ABE Scheme

The AA generates two cyclic multiplicative groups and of prime order and generates a bilinear map (). Let denote a generator of . The AA generates a subgroup of elliptic curve points of prime order and chooses a generator P of . Elliptic curve point-based crypto-operations are used to generate user keys, and key security assumes the intractability of ECDLP. Here, the user key means the initially generated key pair () for users to register with AA. Assume that there are attributes in the universe where the universal set is . is an AS and includes attributes, such as .

4.2.1. Setup Phase

Initially, the AA creates in the setup phase. The AA generates random values ,

The public parameters, master key, and public key are generated as follows:

The data user selects a random value for and generates a private key/public key pair as follows:

The user requests registration and a partial secret key by transmitting their attribute set , public key , and identifier to the AA.

4.2.2. PSK and Certificate Generation Phase

The AA creates an access tree AS with a leaf node value set based on user attributes. The PSK is created with the attribute value corresponding to the AS. In addition, the user’s public key and ID are used to generate a certificate. The AA sends the PP to the data owner and , to the user:

When creating a certificate, select .

4.2.3. FSK Generation Phase

Then, the user selects a random value and generates an FSK with the PSK and AS received from AA:

Random number , .

4.2.4. Data Encryption Phase

The data owner creates a ciphertext with the PP and the attribute of the user that can access the data. Then, keywords representing the ciphertext are selected, and an index value is generated for the keyword and transmitted together with the CT (see Equations (9)-(12)).

Select message and add random numbers .

Select attribute set A and keyword w (the keyword is a value that indicates the ciphertext created by the data owner and requested by the user. A ciphertext index can use a single keyword, and multiple keywords are more secure).

An index value of is set for each . The data owner sends and to the cloud server. The cloud server securely stores the and received from the data owner.

4.2.5. Token Generation Phase

The user selects a keyword of the ciphertext to be found. Then, the user generates a token using FSK that can be used to find a ciphertext. After token generation, the token is signed with the certificate received from AA (see Equations (13) and (14)).

Select a keyword to search for and generate a token.

Sign using a certificate:

The user requests a ciphertext by sending to the cloud server.

4.2.6. Search Phase

The cloud server verifies the registered user and token through. After verification, received from the user is compared to the of the CTs stored on the server, and matching ciphertexts are found. This will only happen when the keyword selected by the user and the keyword w selected by the data owner are the same. The search result is displayed as . The retrieved ciphertexts are sent to the user:

Ciphertext search:

4.2.7. Data Decryption Phase

The user performs decryption by comparing the attribute value specified in the user AS with the attribute values included in the ciphertext. Parameter refers to the attribute value (leaf-node) of the user AS. If the decryption is successful, the user obtains M (see Equations (17) and (18)).

Access structure

If , compute

If , compute

5. Analysis of Proposed SKP-ABE Scheme

This proposed SKP-ABE scheme was analyzed for security and efficiency to satisfy the security requirements detailed in Section 3. Table 3 is an analysis table comparing the existing scheme and the proposed SKP-ABE scheme in terms of security and efficiency.

5.1. Security Analysis

(i) Shared data confidentiality and integrity: Data confidentiality and integrity are protected because data are encrypted, stored, and shared using a KP-ABE scheme. Data is encrypted using attributes. Therefore, only a user whose AS matches the attributes of the ciphertext and who has the corresponding FSK can decrypt and obtain the data. An attacker who steals data cannot decrypt it.

(ii) Access control: In the existing KP-ABE scheme, if the user had the secret key received from AA, the user could create a token and request a ciphertext by accessing the cloud. It is possible to access the cloud and request a ciphertext without further authentication. Ciphertext is decrypted using the user attributes. However, if anyone can access the cloud server, it is difficult to restrict the users. Furthermore, data theft or forgery may occur if a user is malicious. Therefore, an access control function that ensures that only registered users can access the cloud server is required. In the proposed SKP-ABE scheme, only users registered by the AA can access the cloud and request a ciphertext. Each registered user receives an from the AA. The cloud server verifies the validity of using the user’s public key and , and ; the ciphertext search is performed. Then, the found ciphertext is sent to the user. Therefore, no one other than registered users, such as unauthorized users or third parties, can access the cloud server.

(iii) Key escrow problem: To solve the key escrow problem, the AA does not know the users’ secret key information completely. In our proposed SKP-ABE system, the user receives a partial secret key from AA and generates a final secret key. The value () included in the final secret key is a value required for the users to decrypt data, and it is known only to the user who generated the final secret key. In the SKP-ABE system, when requesting a ciphertext, an access token signed with a certificate is required, so AA cannot generate it and therefore cannot request a ciphertext. If it is assumed that the AA acquires the user’s partial secret key and search token and accesses the cloud, it can search for and attempt to decrypt the ciphertext but cannot finally decrypt the ciphertext. This approach is similar to the way the key escrow problem of the KGC is solved in certificate-based signatures, and it was applied to our proposed scheme. In the phase where AA issues to the user, even if the attacker obtains , the attacker cannot access the cloud with the obtained certificate because he does not know the users’ private key. In general, an ABE scheme assumes that the communication channel between the AA and the data owner and between the AA and the data user is secure.

(iv) Protection against chosen keyword attacks using a secure game model: The proposed SKP-ABE scheme counters a selectively chosen keyword attack game performed by an attacker if the DBDH assumption is valid. In the secure game model, attacker A can adaptively query the ciphertext for all search keywords. In that case, the plaintext of an index keyword is not exposed. In the security game model, it is assumed that probabilistic polynomial time attacker A and simulator B communicate with each other. Simulator B executes generates master key , and public parameter , and sends PP to attacker A. A sends the attributes set ; it wants to challenge to B. Attacker A requests the ciphertext index for the search keyword w’ from B, and B outputs the ciphertext index (Index()). Then, it sends the output value to A. Attacker A selects two keywords and and sends them to B. B fairly selects a random bit of b ∈ {0,1}, has the attribute set and from the attacker, and outputs the corresponding value . Attacker A continuously requests a partial secret key query from B as in 2) and generates a final secret key . Then, by selecting the query keywords , a valid search token is continuously generated. Attacker A extracts b from with . However, it is difficult for an attacker to guess . Thus, the system is secure against selective chosen keyword attacks because the attacker finds it very difficult to win the game within probabilistic polynomial time. That is, it is difficult to guess the keyword plaintext information with the ciphertext index value created by Simulator B.

(v) Protection against adaptively chosen plaintext attacks using a secure game model: The proposed SKP-ABE scheme counters an adaptively chosen plaintext attack game performed by an attacker if the DBDH assumption is valid. In the secure game model, attacker A can adaptively query the ciphertext for the selected plaintext and communicate with simulator B. Simulator B executes generates and , the same as the chosen keyword attacks security game model. Attacker A requests a partial secret key query corresponding to the access structure {} from B. At this time, the limitation is that the attribute set must not satisfy the access structure { }. Attacker A receives the partial secret key from B and generates a final secret key . Attacker A selects two messages and and sends them to B. B fairly selects a random bit of and outputs the corresponding ciphertext with the attribute set and w. It then sends the ciphertext to the attacker. Attacker A continuously requests the partial secret key query corresponding to the access structure { } from B. Attacker A extracts from . However, it is difficult for an attacker to guess . In other words, the system is selectively secure against adaptively chosen plaintext attacks, because the attacker finds it very difficult to win the game within the probabilistic polynomial time. It is difficult to guess the plaintext information through the ciphertext created by Simulator B.
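The access control and key escrow arguments above rest on two checks at the cloud server: the certificate binds a registered ID to a public key, and the token is signed with the matching private key. The following Python example is added here and is not the paper's construction: a plain Schnorr signature over secp256k1 stands in for the certificate-based signature, and the curve choice, the function names (`issue_cert`, `cloud_accepts`), and the sample ID and token are assumptions.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977   # secp256k1 field prime (curve choice is an assumption)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):             # point addition on y^2 = x^3 + 7; None = infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):                       # double-and-add, not constant time
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):                        # hash fields to a scalar mod N
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():                         # private key x, public key xG
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def sign(x, *msg):                    # Schnorr stand-in: s = k + e*x mod N
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + h(R, mul(x, G), *msg) * x) % N

def verify(Y, sig, *msg):             # accept iff sG == R + eY
    R, s = sig
    return mul(s, G) == add(R, mul(h(R, Y, *msg), Y))

def issue_cert(aa_priv, user_id, user_pub):   # AA binds ID to public key
    return sign(aa_priv, "cert", user_id, user_pub)

def cloud_accepts(aa_pub, user_id, user_pub, cert, token, token_sig):
    """Cloud side: registered user AND token signed with that user's key."""
    return (verify(aa_pub, cert, "cert", user_id, user_pub)
            and verify(user_pub, token_sig, "token", user_id, token))

def demo():
    (aa_priv, aa_pub), (u_priv, u_pub), (atk_priv, atk_pub) = keygen(), keygen(), keygen()
    uid, token = "user-17", b"constructed-token"   # constructed sample values
    cert = issue_cert(aa_priv, uid, u_pub)
    req = lambda priv, pub: cloud_accepts(
        aa_pub, uid, pub, cert, token, sign(priv, "token", uid, token))
    return {"registered user": req(u_priv, u_pub),
            "stolen cert, attacker key": req(atk_priv, u_pub),
            "stolen cert, swapped public key": req(atk_priv, atk_pub),
            "AA signing under user's cert": req(aa_priv, u_pub)}

if __name__ == "__main__":
    print(demo())
```

Only the first request is accepted. The last rejection relies on the honest-but-curious model stated for the AA: the check cannot distinguish a certificate the AA issues for a key of its own under the same ID.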

5.2. Efficiency

The computational amount measurements shown in Figure 8 were performed using a Windows system equipped with a 3.50 GHz Intel Core i5-4690 processor and 8 GB of RAM. Pairing calculations used the pairing-based cryptographic library available at [35]. ECC implementation used the Koblitz elliptic curve with and and the random prime defined as . The proposed scheme includes a process of aggregating attributes in the encryption phase. Therefore, it can be seen from Figure 8 that the amount of computation required for keyword index encryption (a) and data encryption (b) is larger than that of the existing KP-ABE scheme. However, ciphertext search performance (c) and ciphertext decryption performance (d) are more efficient than the existing KP-ABE scheme. Therefore, the proposed SKP-ABE scheme efficiently provides ciphertext search and the user's ciphertext decryption performance. To compare the amount of computation in the same environment, one AA was assumed for the schemes of Longo et al. [13] and Zhang et al. [14] when the calculations were performed.

(i) Efficient ciphertext search: When a user requests a ciphertext stored on the cloud server using keywords, search is generally inefficient because the server decrypts all ciphertexts to find required data. Accordingly, we implement searchable encryption, which allows users to search for a requested ciphertext without having to decrypt the ciphertext. However, such schemes still suffer from several problems, as discussed above. Therefore, in our proposed SKP-ABE scheme, to address inefficient searching, the parameters of index , that is, the attribute values corresponding to keywords in , are aggregated and expressed as a single value. The attribute values included in the token are also aggregated and expressed as one value. Thus, if the attributes are {{Director}, {Company A}}, this can be expressed as {{Director}, {Company A}} = . The ciphertext search seeks matches to regardless of the number of attributes. This is faster than the existing analyzed KP-ABE schemes because the number of searches does not depend on the number of attributes. Because the values of attributes are pre-aggregated, the user rapidly finds the required ciphertext.

(ii) Constant-size ciphertext: In existing KP-ABE schemes, the size of the ciphertext increases in proportion to the number of attributes specified when generating a ciphertext. For example, in Yin et al.’s scheme, it can be seen through I(w) =  that the size of the ciphertext increases according to the number of attributes in . The size of the ciphertext varies depending on the attribute value of 1 or a. In this proposed scheme, to provide a ciphertext of a constant size, the attribute values included in the ciphertext are aggregated and expressed as one value of . Regardless of whether the number of attributes is 1 or , all are expressed as . Therefore, it is possible to solve the problem that the number of existing attributes affects the size of the ciphertext. This only affects the ciphertext size, and since the attribute-based aggregation operation is performed in the data encryption phase, the disadvantage is that the amount of data encryption computation is larger than in the existing KP-ABE scheme.

(iii) Efficiency of ciphertext decryption computations: In Table 3, several of the existing schemes (Yin et al., Ameri et al., and Li et al.) do not perform a decryption operation. Therefore, our proposed SKP-ABE scheme is compared with the scheme of Longo et al. and the scheme of Zhang et al. for decryption performance. As shown in Figure 8(d), the cost of decryption by the users is decreased compared to existing schemes (Longo et al. and Zhang et al.). Also, since the two schemes have the disadvantage that the decryption cost grows with the number of AAs, the efficiency of the proposed SKP-ABE scheme is better in terms of the user’s decryption cost.
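The effect of pre-aggregating attribute values on index size and on the number of match operations can be seen in a small model. The Python below is an added illustration, not the paper's equations: hashed exponents in a toy group modulo a Mersenne prime stand in for the pairing-based index and token, and summing the hashed attribute values is an assumed aggregation rule. Function names and the keywords are constructed for the example.

```python
import hashlib, secrets

P = 2**127 - 1   # toy group Z_p^* (assumption; the paper uses pairing groups)
G = 3

def scalar(keyword, attr):
    """Hash one (keyword, attribute) pair to an exponent."""
    d = hashlib.sha256(f"{keyword}|{attr}".encode()).digest()
    return int.from_bytes(d, "big") % (P - 1)

def tag(elem):
    return hashlib.sha256(str(elem).encode()).hexdigest()

def blind():
    """Fresh per-ciphertext g^r, so equal keywords give unequal indexes."""
    return pow(G, secrets.randbelow(P - 2) + 1, P)

# --- Baseline: one index component and one token component per attribute ---
def index_per_attr(keyword, attrs):
    gr = blind()
    return (gr, *(tag(pow(gr, scalar(keyword, a), P)) for a in sorted(attrs)))

def token_per_attr(keyword, attrs):
    return [scalar(keyword, a) for a in sorted(attrs)]

def search_per_attr(index, token):
    gr, *tags = index
    if len(tags) != len(token):
        return 0, 0
    for n, (t, s) in enumerate(zip(tags, token), 1):
        if tag(pow(gr, s, P)) != t:
            return 0, n
    return 1, len(tags)            # (found, exponentiations performed)

# --- Aggregated: all attribute values folded into ONE value before use ---
def aggregate(keyword, attrs):
    return sum(scalar(keyword, a) for a in set(attrs)) % (P - 1)

def index_aggregated(keyword, attrs):
    gr = blind()
    return (gr, tag(pow(gr, aggregate(keyword, attrs), P)))

def search_aggregated(index, token):
    gr, t = index
    return int(tag(pow(gr, token, P)) == t), 1

def compare(n):
    # "Director" and "Company A" come from the text; the rest are constructed.
    attrs = ["Director", "Company A"] + [f"attr-{i}" for i in range(n - 2)]
    base = index_per_attr("invoice", attrs)
    agg = index_aggregated("invoice", attrs)
    return {"base_size": len(base), "agg_size": len(agg),
            "base": search_per_attr(base, token_per_attr("invoice", attrs)),
            "agg": search_aggregated(agg, aggregate("invoice", attrs)),
            "agg_wrong_kw": search_aggregated(agg, aggregate("payroll", attrs))}

if __name__ == "__main__":
    for n in (2, 8):
        print(n, compare(n))
```

With 2 and with 8 attributes the aggregated index keeps two components and one match operation, while the per-attribute baseline grows to 3 and 9 components and 2 and 8 operations.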

6. Conclusions

In this paper, we proposed an SKP-ABE system for secure and efficient data sharing in cloud environments. The proposed SKP-ABE scheme guarantees data confidentiality and integrity. Those who lack access rights are blocked. Specifically, the attribute value included in the token and the attribute value of the ciphertext are aggregated, and the ciphertext is searched using the aggregated value. As a result, since the number of ciphertext searches is not affected by the number of attributes, ciphertext searches can be performed quickly. Compared with the existing searchable KP-ABE schemes (Yin et al., Ameri et al., and Li et al.), the computation is efficient in terms of the number of ciphertext searches. In addition, when the data owner generates the ciphertext, the ciphertext can be output at a constant size, rather than a size proportional to the number of attributes, by aggregating the values of the attributes included in the ciphertext. Finally, to solve the key escrow problem in AA, the user receives the PSK from the AA and generates the FSK in this proposed scheme. As a result, since the AA does not know information about the users’ FSK, a key escrow problem cannot occur. Therefore, even if you try to decrypt the ciphertext stored in the cloud with only the users’ PSK, data cannot be obtained. Compared to the existing KP-ABE schemes (Longo et al. and Zhang et al.) using multiple AAs, the proposed scheme has better decryption performance efficiency.

The proposed SKP-ABE scheme is applied to an N:1 cloud environment where a large number of data owners and a small number of data users share data. The scheme can be applied in various IoT-cloud environments, such as data sharing between nurses, doctors, and patients in a medical environment or sharing of data collected by drones in a UTM environment [36–38]. The shared data is secured because only authenticated users have access.

In the future, to extend the proposed SKP-ABE scheme, additional research is needed to provide the requirements (security and efficiency) considered by KP-ABE. Additionally, a signature and verification phase is required so that the data user, after decryption, can verify that the obtained data was uploaded by the owner.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there is no conflict of interests regarding the publication of this paper.

Authors’ Contributions

Yong-Woon Hwang and Su-Hyun Kim contributed equally to this work.

Acknowledgments

This research was supported by the Republic of Korea’s MSIT (Ministry of Science and ICT), under the High-Potential Individuals Global Training Program (2021-0-01516) supervised by the IITP (Institute of Information and Communications Technology Planning & Evaluation), and this work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2022R1A2B5B01002490) and the Soonchunhyang University Research Fund.