支持直接撤销的密文策略属性基加密方案

提出一种支持直接撤销的属性基加密方案,首先给出支持直接撤销的属性基加密定义和安全模型,其次给出具体的支持撤销的密文策略——属性基加密方案并对安全性进行证明,最后,与其他方案对比显示,该方案在密文和密钥长度方面都有所减少。该方案可以实现对用户进行即时撤销,当且仅当用户所拥有的属性满足密文的访问结构且不在用户撤销列表内时,才能使用自己的私钥解密出明文。     

Multi-authority attribute-based encryption scheme with policy dynamic updating

Attribute-based encryption (ABE) is a new cryptographic technique which guarantees fine-grained access control of outsourced encrypted data in the cloud environment.However,a key limitation remains,namely policy updating.Thus,a multi-authority attribute-based encryption scheme with policy dynamic updating was proposed.In the scheme,an anonymous key issuing protocol was introduced to protect users’ privacy and resist collusion attack of attribute authority.The scheme with dynamic policy updating technique was secure against chosen plaintext attack under the standard model and can support any types of policy updating.Compared to the existing related schemes,the size of ciphertext and users’ secret key is reduced and can significantly reduce the computation and communication costs of updating ciphertext.It is more effective in the practical application.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

面向云存储的基于属性加密的多授权中心访问控制方案

已有基于属性加密的访问控制研究多是基于单授权中心来实现,该种方案在授权方不可信或遭受恶意攻击的情况下可能会造成密钥泄露。提出一种基于属性加密的多授权中心访问控制模型PRM-CSAC。基于CP-ABE方法,设计多授权中心的属性加密方案以提高密钥安全性;设计最小化属性分组算法,使用户访问文件时,能够按需分配密钥,减少不必要的属性密钥分配,降低重加密属性数量,提高系统效率;增加读写属性加强加密方对文件的访问控制,使访问控制策略更加完善。安全性分析及仿真实验表明,相比已有方案,PRM-CSAC对用户访问请求的响应时间更短,开销较小,且能够提供很高的安全性。     

基于属性的多授权中心身份认证方案

针对现有的基于属性的身份认证方案均是基于单授权中心实现的,存在密钥托管问题,即密钥生成中心知道所有用户的私钥,提出了一种基于属性的多授权中心的身份认证方案.所提方案结合分布式密钥生成技术实现用户属性私钥的(t,n)门限生成机制,可以抵抗最多来自t-1个授权中心的合谋攻击.利用双线性映射构造了所提方案,分析了所提方案的安...     

前向安全的密文策略基于属性加密方案

为降低密文策略基于属性加密（ABE, ciphertext-policyattribute-based encryption）体制中私钥泄漏带来的损害,首先给出了前向安全CP-ABE体制的形式化定义和安全模型,然后构造了一个前向安全的CP-ABE方案。基于判定性l-BDHE假设,给出了所提方案在标准模型下的安全性证明。从效率和安全性2个方面讨论了所提方案的性能,表明所提方案在增强CP-ABE体制安全性的同时,并没有过多地增加计算开销和存储开销,更适合在实际中应用。     

Efficient revocable ID‐based encryption with cloud revocation server

The capability to efficiently revoke compromised/misbehaving users is important in identity‐based encryption (IBE) applications, as it is not a matter of if but of when that one or more users are compromised. Existing solutions generally require a trusted third party to update the private keys of nonrevoked users periodically, which impact on scalability and result in high computation and communication overheads at the key generation center. Li et al proposed a revocable IBE scheme, which outsources most of the computation and communication overheads to a Key Update Cloud Service Provider (KU‐CSP). However, their scheme is lack of scalability since the KU‐CSP must maintain a secret value for each user. Tseng et al proposed another revocable IBE scheme with a cloud revocation authority, seeking to provide scalability and improve both performance and security level. In this paper, we present a new revocable IBE scheme with a cloud revocation server (CRS). The CRS holds only one secret time update key for all users, which provides the capability to scale our scheme. We demonstrate that our scheme is secure against adaptive‐ID and chosen ciphertext attacks under the k‐CAA assumption and outperforms both schemes mentioned above, in terms of having lower computation and communication overheads.     

高效的模糊属性基签密方案

多用户通信是当今信息交互的主要模式,提高通信安全性与解决通信效率问题是当前研究的重点。属性基签密保证了多用户在通信中消息的机密性与完整性,并通过一步操作实现对多用户的消息发送,提高了签密的效率。利用密钥共享模型及双线性对,提出一种高效的模糊属性基签密方案,基于DMBDH与CDH问题证明了机密性与不可伪造性,同时还满足可公开验证性与短密文性。分析对比表明,签密与解签密的运算量仅为(n+3)e和ne+(n+4)p,远小于同类方案的运算量,实现了算法的高效性。     

Privacy-preserving attribute-based encryption scheme on ideal lattices

Based on the small key size and high encryption efficiency on ideal lattices,a privacy-preserving attribute-based encryption scheme on ideal lattices was proposed,which could support flexible access policies and privacy protection for the users.In the scheme,a semi-hidden policy was introduced to protect the users’ privacy.Thus,the sensitive values of user’s attributes are hidden to prevent from revealing to any third parties.In addition,the extended Shamir secret-sharing schemes was used to construct the access tree structure which can support “and” “or” and “threshold” operations of attributes with a high flexibility.Besides,the scheme was proved to be secure against chosen plaintext attack under the standard mode.Compared to the existing related schemes,the scheme can yield significant performance benefits,especially the size of system public/secret keys,users’ secret key and ciphertext.It is more effective in the large scale distributed environment.     

新型自适应安全的密钥策略ABE方案

基于3维对偶正交基的技术,提出了一种新的密钥策略的基于属性的加密方案。该方案在素数阶群上构造,支持单调访问结构,具有自适应安全性。方案利用双重系统加密的证明方法将方案的自适应安全性归约到判定线性假设。与同样是自适应安全的密钥策略ABE方案相比,提出的方案在同等安全性上具有更高的效率。     

云存储系统中支持用户隐私保护的细粒度访问控制

从云存储实际需求出发,设计了一个云存储环境下支持用户隐私保护和用户属性撤销的多属性权威的属性加密机制,为了保证系统实现的效率和减轻数据持有者的负担,在属性撤销中,复杂的计算任务都委托给可信第三方或云服务器完成。所提方案在DBDH假设下被证明是安全的。     

数据外包环境下一种支持撤销的属性基加密方案

In order to support fine-grained attribute revocation in data outsourcing systems,an attribute-based encryption scheme with efficient revocation in indirect revocation model was proposed.The model of ABE supporting attribute revocation was given,and a concrete scheme was constructed which proved its security under the standard model.Compared to the existing related schemes,the size of ciphertext and private/secret key is reduced,and the new scheme achieves fine-grained and immediate attribute revocation which is more suitable for the practical applications.     

高效可证明安全的基于属性的在线/离线加密机制

为了提高加密的效率,将在线/离线密码技术引入到ABE中,提出了基于属性的在线/离线加密(ABOOE)机制。ABOOE将加密过程非平凡地分解成离线和在线2个阶段,离线阶段在不知明文和所需属性集合的前提下,对复杂计算进行预处理;在线阶段获知消息和属性集合后,仅需少量简单计算即可生成密文。首先构建出一个CPA安全的ABOOE方案。为了提高ABOOE的安全性,提出基于属性的在线/离线密钥封装机制(ABOOKEM)和一个相应方案,并构造出一种将单向性ABOOKEM转化成CCA安全ABOOE的通用性方法。该方法在不增加计算量的前提下有效提高了ABOOE的安全性。与知名ABE方案相比,所提出的ABOOE极大地提高了ABE中加密的效率,特别适用于计算能力高度受限的终端设备。     

Attribute-based encryption scheme supporting attribute revocation in cloud storage environment

Attribute-based encryption (ABE) scheme is widely used in the cloud storage due to its fine-grained access control.Each attribute in ABE may be shared by multiple users at the same time.Therefore,how to achieve attribute-level user revocation is currently facing an important challenge.Through research,it has been found that some attribute-level user revocation schemes currently can’t resist the collusion attack between the revoked user and the existing user.To solve this problem,an attribute-based encryption scheme that supported the immediate attribute revocation was proposed.The scheme could achieve attribute-level user revocation and could effectively resist collusion attacks between the revoked users and the existing users.At the same time,this scheme outsourced complex decryption calculations to cloud service providers with powerful computing ability,which reduced the computational burden of the data user.The scheme was proved secure based on computational Diffie-Hellman assumption in the standard model.Finally,the functionality and efficiency of the proposed scheme were analyzed and verified.The experimental results show that the proposed scheme can safely implement attribute-level user revocation and has the ability to quickly decrypt,which greatly improves the system efficiency.     

Revocable and traceable key-policy attribute-based encryption scheme

The existing key-policy attribute-based encryption (KP-ABE) scheme can not balance the problem of attribute revocation and user identity tracking.Hence,a KP-ABE scheme which supported revocable and traceable was proposed.The scheme could revoke the user attributes without updating the system public key and user private key with a less update cost.Meanwhile,it could trace the user identity based on decryption key which could effectively prevent anonymous user key leakage problem.The proposed scheme was based on linear secret sharing scheme (LSSS),which was more efficient than tree-based access structure.Based on the deterministic q-BDHE hypothesis,the proposed scheme gave security proof until standard mode.Finally,compared with the existing KP-ABE scheme,the scheme has a shorter public key length,lower computational overhead and realizes the traceability function of user identity based on the revocable attribute,which has obvious advantages.     

一种基于KeyRev的无线传感器网络密钥撤销方案

KeyRev密钥撤销方案可以在一定程度上销毁无线传感网络中的受损节点,并可以生成新一轮通信中会话密钥,已生成会话密钥的节点即可生成数据加密密钥和MAC校验密钥。但因其是采用明文广播受损节点信息。使遭受攻击的节点很容易发现自己身份暴露,从而采取欺骗、篡改等手段依然参与网络通信。对此方案予以改进优化,对广播信息隐蔽处理,更加安全有效地剔除网络中的受损节点。     

基于区块链且支持验证的属性基搜索加密方案

针对一对多搜索模型下共享解密密钥缺乏细粒度访问控制且搜索结果缺乏正确性验证的问题,提出了一种基于区块链且支持验证的属性基搜索加密方案。通过对共享密钥采用密文策略属性加密机制,实现细粒度访问控制。结合以太坊区块链技术,解决半诚实且好奇的云服务器模型下返回搜索结果不正确的问题,在按需付费的云环境下,实现用户和云服务器之间服务-支付公平,使各方诚实地按照合约规则执行。另外,依据区块链的不可篡改性,保证云服务器得到服务费,用户得到正确的检索结果,而不需要额外验证,减少用户计算开销。安全性分析表明,所提方案满足自适应选择关键词语义安全,能很好地保护用户的隐私以及数据的安全。性能对比及实验结果表明,所提方案在安全索引产生、搜索令牌生成、检索效率以及交易数量方面有一定的优化,更加适用于智慧医疗等一对多搜索场景。     

Broadcast encryption schemes based on RSA

Three broadcast schemes for small receiver set using the property of RSA modulus are presented. They can solve the problem of data redundancy when the size of receiver set is small. In the proposed schemes, the center uses one key to encrypt the message and can revoke authorization conveniently. Every authorized user only needs to store one decryption key of a constant size. Among these three schemes, the first one has indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) secure, and any collusion of authorized users cannot produce a new decryption key but the sizes of encryption modulus and ciphertext are linear in the number of receivers. In the second scheme, the size of ciphertext is half of the first one and any two authorized users can produce a new decryption key, but the center can identify them using the traitor tracing algorithm. The third one is the most efficient but the center cannot identify the traitors exactly.     

抗密钥委托滥用的可追踪属性基加密方案

针对可追踪属性基加密方案利用追踪功能解决密钥委托滥用问题的不完备性,提出了一种抗密钥委托滥用的可追踪属性基加密方案。将秘密参数分享给用户私钥中关联属性的全部组件,使解密过程必须由全部组件共同参与完成,仅由用户私钥的一部分不能进行解密操作,从而实现真正的抗密钥委托滥用。利用一种短签名技术保护用户私钥中的追踪参数,防止追踪参数被伪造,从而获得对用户的追踪能力。同时支持抗密钥委托滥用和可追踪增强了所提方案的安全性。与相关方案的对比分析表明,所提方案在参数尺寸和计算代价上具有更好的性能优势。     

Secure personal data sharing in cloud computing using attribute-based broadcast encryption

The ciphertext-policy (CP) attribute-based encryption (ABE) (CP-ABE) emergings as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks such as decryption overhead, user revocation and privacy preserving. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption (BE) (ABBE) named EP-ABBE, that can reduce the decryption computation overhead by partial decryption, and protect user privacy by obfuscating access policy of ciphertext and user's attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner can enjoy the flexibly of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping revoked user's index from the user index set, which is with very low computation cost. Moreover, the privacy of user can well be protected in the scheme. The security and performance analysis show that the scheme is secure, efficient and privacy-preserving.