前向安全的密文策略基于属性加密方案

为降低密文策略基于属性加密（ABE, ciphertext-policyattribute-based encryption）体制中私钥泄漏带来的损害,首先给出了前向安全CP-ABE体制的形式化定义和安全模型,然后构造了一个前向安全的CP-ABE方案。基于判定性l-BDHE假设,给出了所提方案在标准模型下的安全性证明。从效率和安全性2个方面讨论了所提方案的性能,表明所提方案在增强CP-ABE体制安全性的同时,并没有过多地增加计算开销和存储开销,更适合在实际中应用。     

A break-glass protocol based on ciphertext-policy attribute-based encryption to access medical records in the cloud

Annals of Telecommunications - In emergency care, fast and efficient treatment is vital. The availability of Electronic Medical Records (EMR) allows healthcare professionals to access a...     

Secure personal data sharing in cloud computing using attribute-based broadcast encryption

The ciphertext-policy (CP) attribute-based encryption (ABE) (CP-ABE) emergings as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks such as decryption overhead, user revocation and privacy preserving. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption (BE) (ABBE) named EP-ABBE, that can reduce the decryption computation overhead by partial decryption, and protect user privacy by obfuscating access policy of ciphertext and user's attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner can enjoy the flexibly of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping revoked user's index from the user index set, which is with very low computation cost. Moreover, the privacy of user can well be protected in the scheme. The security and performance analysis show that the scheme is secure, efficient and privacy-preserving.     

Continual auxiliary leakage-resilient attribute-based broadcast encryption with constant size ciphertexts

Attribute-based broadcast encryption ( ABBE) under continual auxiliary leakage-resilient ( CALR) model can enhance the security of the shared data in broadcasting system since CALR model brings the possibility of new leakage-resilient (LR) guarantees. However, there are many shortcomings in the existing works, such as relying on the strong assumptions, low computational efficiency and large size of ciphertexts, etc. How to solve the trade-off between security and efficiency is a challenging problem at present. To solve these problems, this paper gives an ABBE scheme resisting continual auxiliary leakage ( CAL ) attack. ABBE scheme achieves constant size ciphertexts, and the computational complexity of decryption only depends on the number of receivers instead of the maximum number of receivers of the system. Additionally, it achieves adaptive security in the standard model where the security is reduced to the general subgroup decision (GSD) assumptions (or called static assumptions in the subgroup). Furthermore, it can tolerate leakage on the master secret key and private key with continual auxiliary inputs. Performance analysis shows that the proposed scheme is more efficient and practical than the available schemes.     

Wireless broadcast encryption based on smart cards

Wireless broadcasting is an efficient way to broadcast data to a large number of users. Some commercial applications of wireless broadcasting, such as satellite pay-TV, desire that only those users who have paid for the service can retrieve broadcast data. This is often achieved by broadcast encryption, which allows a station securely to broadcast data to a dynamically changing set of privileged users through open air. Most existing broadcast encryption schemes can only revoke a pre-specified number of users before system re-setup or require high computation, communication and storage overheads in receivers. In this paper, we propose a new broadcast encryption scheme based on smart cards. In our scheme, smart cards are used to prevent users from leaking secret keys. Additionally, once an illegally cloned smart card is captured, our scheme also allows tracing of the compromised smart card by which illegal smart cards are cloned, and can then revoke all cloned smart cards. The new features of our scheme include minimal computation needs of only a few modular multiplications in the smart card, and the capability to revoke up to any number of users in one revocation. Furthermore, our scheme is secure against both passive and active attacks and has better performance than other schemes.     

Efficient revocable attribute-based encryption scheme

In the existing solutions,the time-based scheme is difficult to achieve immediate revocation,and the third-party-based scheme often requires re-encryption,which needs large amount of calculation and doesn’t apply to mas-sive data.To solve the problem,an efficient and immediate CP-ABE scheme was proposed to support user and attribute lev-els revocation.The scheme was based on the classic LSSS access structure,introducing RSA key management mechanism and attribute authentication.By means of a semi-trusted third party,the user could be authenticated before decryption.Com-pared with the existing revocation schemes,The proposed scheme didn’t need the user to update the key or re-encrypt the ciphertext.The semi-trusted third party wasn’t required to update the RSA attribute authentication key.The scheme greatly reduced the amount of computation and traffic caused by revocation,while ensuring anti-collusion attacks and forward and backward security.Finally,the security analysis and experimental simulation show that the scheme has higher revocation ef-ficiency.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

属性加密在电子书包系统中的应用

电子书包意即利用信息化设备进行教育教学的便携式终端。目前,在一些大城市的中小学已率先使用。随着教育教学改革的不断发展,电子书包已是大势所趋,不可逆转。电子书包是一款致力于提高中国教育信息化、提高家庭和学校配合效率的产品,产品将主要针对小学教育。其中主要包含了家校沟通功能,提供更加丰富的教育信息化功能等。然而学校的数字化教育资源、学生的成长史等隐私信息并不希望被泄漏。文章通过属性加密的方法,对电子书包使用者的私钥设置属性集,为数据密文设置访问结构,由属性集和访问结构之间的匹配关系确定电子书包使用者的访问能力,从而让其真正成为孩子们学习和生活的信息助手,一个真正的安全可靠的数字化书包。     

适应性安全的可追踪叛徒的基于属性加密方案

针对基于属性加密(ABE, attribute-base encryption)机制存在的密钥滥用问题,为每个用户增加唯一的身份标识符,将联合安全编码和叛徒追踪机制引入到ABE方案中,给出适应性安全的可追踪叛徒ABE的定义、安全模型和可追踪模型,提出一种适应性安全的可追踪叛徒的ABTT方案,该方案允许适应性追踪指定策略盗版解码器中的叛徒。基于合数阶群上的子群判定假设和DDH假设,证明所提方案是适应性安全和适应性可追踪的。因此,所提方案不仅可以适应性追查指定策略盗版解码器中的叛徒,而且进一步增强了ABE系统的安全性,具有一定的理论和应用价值。     

云环境下基于属性加密体制算法加速方案

云计算为租户提供存储、计算和网络服务,数据安全保护和租户间的数据共享与访问控制是其必不可少的能力。基于属性的加密体制是一种一对多的加密体制,可以根据用户属性实现细粒度访问控制,适用于云计算环境多租户数据共享。但现有的基于属性加密体制的算法效率较低,难以在实际环境中应用。分析了基于属性的加密体制的两种类型及其应用场景,提出一个基于属性加密体制算法的加速方案。通过实验表明,提出的方案可提高基于属性加密体制的密钥生成算法、加密算法和解密算法的效率。     

属性基加密算法在云计算中的应用

由于信息传递迅速,云计算的优势越来越明显。目前,基于属性密码得到了进一步发展—密文策略。文章将主要对密文ABE加密模型进行安全性分析,结合AES加密方式的优势,设计出全新的混合加密方案,并运用在云计算中。     

Privacy-preserving attribute-based encryption scheme on ideal lattices

Based on the small key size and high encryption efficiency on ideal lattices,a privacy-preserving attribute-based encryption scheme on ideal lattices was proposed,which could support flexible access policies and privacy protection for the users.In the scheme,a semi-hidden policy was introduced to protect the users’ privacy.Thus,the sensitive values of user’s attributes are hidden to prevent from revealing to any third parties.In addition,the extended Shamir secret-sharing schemes was used to construct the access tree structure which can support “and” “or” and “threshold” operations of attributes with a high flexibility.Besides,the scheme was proved to be secure against chosen plaintext attack under the standard mode.Compared to the existing related schemes,the scheme can yield significant performance benefits,especially the size of system public/secret keys,users’ secret key and ciphertext.It is more effective in the large scale distributed environment.     

Revocable and traceable key-policy attribute-based encryption scheme

The existing key-policy attribute-based encryption (KP-ABE) scheme can not balance the problem of attribute revocation and user identity tracking.Hence,a KP-ABE scheme which supported revocable and traceable was proposed.The scheme could revoke the user attributes without updating the system public key and user private key with a less update cost.Meanwhile,it could trace the user identity based on decryption key which could effectively prevent anonymous user key leakage problem.The proposed scheme was based on linear secret sharing scheme (LSSS),which was more efficient than tree-based access structure.Based on the deterministic q-BDHE hypothesis,the proposed scheme gave security proof until standard mode.Finally,compared with the existing KP-ABE scheme,the scheme has a shorter public key length,lower computational overhead and realizes the traceability function of user identity based on the revocable attribute,which has obvious advantages.     

新型自适应安全的密钥策略ABE方案

基于3维对偶正交基的技术,提出了一种新的密钥策略的基于属性的加密方案。该方案在素数阶群上构造,支持单调访问结构,具有自适应安全性。方案利用双重系统加密的证明方法将方案的自适应安全性归约到判定线性假设。与同样是自适应安全的密钥策略ABE方案相比,提出的方案在同等安全性上具有更高的效率。     

基于区块链且支持验证的属性基搜索加密方案

针对一对多搜索模型下共享解密密钥缺乏细粒度访问控制且搜索结果缺乏正确性验证的问题,提出了一种基于区块链且支持验证的属性基搜索加密方案。通过对共享密钥采用密文策略属性加密机制,实现细粒度访问控制。结合以太坊区块链技术,解决半诚实且好奇的云服务器模型下返回搜索结果不正确的问题,在按需付费的云环境下,实现用户和云服务器之间服务-支付公平,使各方诚实地按照合约规则执行。另外,依据区块链的不可篡改性,保证云服务器得到服务费,用户得到正确的检索结果,而不需要额外验证,减少用户计算开销。安全性分析表明,所提方案满足自适应选择关键词语义安全,能很好地保护用户的隐私以及数据的安全。性能对比及实验结果表明,所提方案在安全索引产生、搜索令牌生成、检索效率以及交易数量方面有一定的优化,更加适用于智慧医疗等一对多搜索场景。     

抗密钥委托滥用的可追踪属性基加密方案

针对可追踪属性基加密方案利用追踪功能解决密钥委托滥用问题的不完备性,提出了一种抗密钥委托滥用的可追踪属性基加密方案。将秘密参数分享给用户私钥中关联属性的全部组件,使解密过程必须由全部组件共同参与完成,仅由用户私钥的一部分不能进行解密操作,从而实现真正的抗密钥委托滥用。利用一种短签名技术保护用户私钥中的追踪参数,防止追踪参数被伪造,从而获得对用户的追踪能力。同时支持抗密钥委托滥用和可追踪增强了所提方案的安全性。与相关方案的对比分析表明,所提方案在参数尺寸和计算代价上具有更好的性能优势。     

Multi-authority attribute-based encryption scheme with policy dynamic updating

Attribute-based encryption (ABE) is a new cryptographic technique which guarantees fine-grained access control of outsourced encrypted data in the cloud environment.However,a key limitation remains,namely policy updating.Thus,a multi-authority attribute-based encryption scheme with policy dynamic updating was proposed.In the scheme,an anonymous key issuing protocol was introduced to protect users’ privacy and resist collusion attack of attribute authority.The scheme with dynamic policy updating technique was secure against chosen plaintext attack under the standard model and can support any types of policy updating.Compared to the existing related schemes,the size of ciphertext and users’ secret key is reduced and can significantly reduce the computation and communication costs of updating ciphertext.It is more effective in the practical application.     

支持直接撤销的密文策略属性基加密方案

提出一种支持直接撤销的属性基加密方案,首先给出支持直接撤销的属性基加密定义和安全模型,其次给出具体的支持撤销的密文策略——属性基加密方案并对安全性进行证明,最后,与其他方案对比显示,该方案在密文和密钥长度方面都有所减少。该方案可以实现对用户进行即时撤销,当且仅当用户所拥有的属性满足密文的访问结构且不在用户撤销列表内时,才能使用自己的私钥解密出明文。     

Reconfigurable key management for broadcast encryption

A novel approach for the cryptographic keys management in the broadcasting scenario with a conditional access control is proposed. It employs the reconfiguration concept, and it is based on a collection of the underlying structures - at each instant of time a structure from the collection is employed for updating the session key so that the communication overhead of updating is minimized. A receiver has a fixed set of cryptographic keys and in a general case, each of these keys plays a different role determined by the employed underlying structure.     

面向云存储的基于属性加密的多授权中心访问控制方案

已有基于属性加密的访问控制研究多是基于单授权中心来实现,该种方案在授权方不可信或遭受恶意攻击的情况下可能会造成密钥泄露。提出一种基于属性加密的多授权中心访问控制模型PRM-CSAC。基于CP-ABE方法,设计多授权中心的属性加密方案以提高密钥安全性;设计最小化属性分组算法,使用户访问文件时,能够按需分配密钥,减少不必要的属性密钥分配,降低重加密属性数量,提高系统效率;增加读写属性加强加密方对文件的访问控制,使访问控制策略更加完善。安全性分析及仿真实验表明,相比已有方案,PRM-CSAC对用户访问请求的响应时间更短,开销较小,且能够提供很高的安全性。