支持直接撤销的密文策略属性基加密方案

提出一种支持直接撤销的属性基加密方案,首先给出支持直接撤销的属性基加密定义和安全模型,其次给出具体的支持撤销的密文策略——属性基加密方案并对安全性进行证明,最后,与其他方案对比显示,该方案在密文和密钥长度方面都有所减少。该方案可以实现对用户进行即时撤销,当且仅当用户所拥有的属性满足密文的访问结构且不在用户撤销列表内时,才能使用自己的私钥解密出明文。     

标准模型下可证明安全的支持大规模属性集与属性级用户撤销的CP-ABE方案

密文策略属性加密方案,特别是不受某个特定值限制的大规模属性集下的密文策略属性加密方案在云存储中得到了越来越广泛的应用,它能够实现细粒度的访问控制。但是在原始的属性加密方案中,解决动态的用户与属性撤销,是当前面临的重要挑战。为了解决这一问题,该文提出一个标准模型下可证明安全的支持大规模属性集的密文策略属性加密方案,该方案能够实现属性级的用户撤销,即若用户的某个属性被撤销,不会影响该用户其他合法属性的正常访问。为了实现撤销,将密钥分为两部分：为用户生成的私钥以及为云存储中心生成的授权密钥。在该方案中,若用户的属性被撤销,那么该属性对应的密文将进行更新,只有该属性没有被撤销的用户才能够成功地进行密钥更新而解密密文。该文基于q-type 假设在标准模型下对方案进行了选择访问结构明文攻击的安全性证明。最后对方案进行了性能分析与实验验证,实验结果表明,与已有相关方案相比,虽然为了实现属性撤销,增加了存储中心的计算负载,但是不需要属性中心的参与,因此降低了属性中心的计算负载,而且用户除了密钥外不需要其它额外参数来实现属性撤销,因此大大节省了存储空间。     

支持属性撤销的可验证多关键词搜索加密方案

近年来,可搜索加密技术及细粒度访问控制的属性加密在云存储环境下得到广泛应用。考虑到现存的基于属性的可搜索加密方案存在仅支持单关键词搜索而不支持属性撤销的问题,以及单关键词搜索可能造成返回搜索结果部分错误并导致计算和宽带资源浪费的缺陷,该文提出一种支持属性撤销的可验证多关键词搜索加密方案。该方案允许用户检测云服务器搜索结果的正确性,同时在细粒度访问控制结构中支持用户属性的撤销,且在属性撤销过程中不需要更新密钥和重加密密文。该文在随机预言机模型下基于判定性线性假设被证明具有抵抗选择关键词集攻击安全性及关键词隐私性,同时从理论和实验两方面分析验证了该方案具有较高的计算效率与存储效率。

     

属性可撤销且密文长度恒定的属性基加密方案

密文策略属性基加密（ciphertext-policy attribute-based encryption,CP-ABE）类似于基于角色访问控制,可以为云存储系统提供灵活细粒度的访问控制.但大多数CP-ABE方案中,密文长度与访问策略复杂度成正相关,系统属性同时被多个用户共享而导致属性难以被撤销.针对上述问题,本文提出一种支持属性撤销且密文长度恒定的属性基加密方案.该方案中每个用户的属性群密钥不能通用,可以有效抵抗撤销用户与未撤销用户的合谋攻击.为减少属性授权机构和数据拥有者的计算负担,属性撤销过程所需的计算量外包给数据服务管理者;同时该方案采用支持多值属性和通配符的"AND"门策略,实现了密文长度恒定.所提方案基于决策性q-BDHE（q-bilinear Diffie-Hellman exponent）假设对方案进行了选择明文攻击的安全性证明.最后对方案进行了理论分析与实验验证,分析结果表明本文方案可以有效抵制用户合谋攻击,增加了方案的安全性.同时所提方案在功能和计算效率方面具有一定优势,适用于实际应用情况.     

支持用户撤销的属性认证密钥协商协议

用户撤销是基于属性的认证密钥协商(ABAKA, attribute-based authenticated key agreement)协议在实际应用中所必需解决的问题。通过将Waters的基于属性的加密方案和Boneh-Gentry-Waters的广播加密方案相结合,提出了一个支持用户撤销的ABAKA协议。该协议能够实现对用户的即时撤销且不需要密钥权威对所有未被撤销的用户私钥进行定期更新。相比于现有的协议,该协议具有较高的通信效率,并能够在标准模型和修改的ABCK模型下可证安全,具有弱的完美前向安全性,并能够抵抗密钥泄露伪装攻击。     

基于属性加密的高效密文去重和审计方案

针对当前支持去重的属性加密方案既不支持云存储数据审计,又不支持过期用户撤销,且去重搜索和用户解密效率较低的问题,该文提出一种支持高效去重和审计的属性加密方案。该方案引入了第3方审计者对云存储数据的完整性进行检验,利用代理辅助用户撤销机制对过期用户进行撤销,又提出高效去重搜索树技术来提高去重搜索效率,并通过代理解密机制辅助用户解密。安全性分析表明该方案通过采用混合云架构,在公有云达到IND-CPA安全性,在私有云达到PRV-CDA安全性。性能分析表明该方案的去重搜索效率更高,用户的解密计算量较小。

     

具有可撤销功能的属性协同访问控制方案

针对属性协同访问控制面临更复杂的权限动态更新问题,提出了具有属性即时撤销、属性级用户撤销和协同策略撤销的属性协同访问控制方案.所提方案给出了形式化定义与安全模型,以分组属性组内成员列表信息的变化反映用户权限的动态更新,进一步设计高效的重加密算法实现属性即时撤销和用户撤销.在协同策略撤销方面,利用转移节点的转移值特性,快...     

云存储环境下无密钥托管可撤销属性基加密方案研究

属性基加密因其细粒度访问控制在云存储中得到广泛应用。但原始属性基加密方案存在密钥托管和属性撤销问题。为解决上述问题,该文提出一种密文策略的属性基加密方案。该方案中属性权威与中央控制通过安全两方计算技术构建无密钥托管密钥分发协议解决密钥托管问题。通过更新属性版本密钥的方式达到属性级用户撤销,同时通过中央控制可以实现系统级用户撤销。为减少用户解密过程的计算负担,将解密运算过程中复杂对运算外包给云服务商,提高解密效率。该文基于q-Parallel BDHE假设在随机预言机模型下对方案进行了选择访问结构明文攻击的安全性证明。最后从理论和实验两方面对所提方案的效率与功能性进行了分析。实验结果表明所提方案无密钥托管问题,且具有较高系统效率。     

新的格上多机构属性基加密方案

针对基于双线性映射的属性基加密方案中无法抵抗量子攻击的问题,该文提出一种新的格上多机构属性基加密方案。先利用格上左抽样算法为用户生成密钥,使得用户私钥尺寸与级联矩阵的列数和用户属性个数相关,缩短用户私钥尺寸;然后采用Shamir门限秘密共享技术构造访问树,实现属性的与、或、门限3种操作,密文允许基于任意的访问结构生成,表达能力更加丰富,解决了大多方案中访问策略单一问题;方案证明可在标准模型下归约到判定性带误差学习问题的难解性。对比分析表明,方案系统公私钥、用户私钥和密文尺寸均有所优化,并较优于大多数单机构方案,此外方案存在多个属性机构,支持任意单调访问结构,安全性和实用性更满足云环境需求。     

面向智慧健康的可废除属性访问控制系统

针对智慧健康背景下隐私保护和健康信息共享存在矛盾的问题,提出新的属性访问控制系统.首先,在不影响安全性的条件下对Nishide等的密文策略属性加密方案做出修改;然后,利用代理重加密技术对该方案进行功能扩展,得到新的加密方案.最后,基于该加密方案构造了新型属性访问控制系统.系统符合智慧健康的应用需求,允许患者利用用户属性...     

数据外包环境下一种支持撤销的属性基加密方案

In order to support fine-grained attribute revocation in data outsourcing systems,an attribute-based encryption scheme with efficient revocation in indirect revocation model was proposed.The model of ABE supporting attribute revocation was given,and a concrete scheme was constructed which proved its security under the standard model.Compared to the existing related schemes,the size of ciphertext and private/secret key is reduced,and the new scheme achieves fine-grained and immediate attribute revocation which is more suitable for the practical applications.     

k-times attribute-based authentication scheme using direct anonymous attestation

s: At present, the main drawbacks of existing k-times attribute-based authentication (abbreviated to k-TABA) schemes and related attribute-based authentication schemes are that the computation cost of the authentication process depends on the size of the access formula and none of these schemes considers the problems of member revocation and attribute update. A new k-TABA scheme was constructed based on the building blocks of direct anonymous attestation, set membership proof and ciphertext-policy attribute-based encryption. Moreover, in order to reduce user's calculation as much as possible, the underlying attribute-based encryption scheme was modified, and then the main decryption operations were outsourced by using the key binding technique of Green et al. The new scheme can be deployed on a trusted platform and support expressive authentication policies. In addition, it also satisfies several ideal properties, such as registration process verifiability, member revocation, attribute update, and so on. The significant performance advantage of the new scheme is that the computation overhead of the user in the authentication phase is constant.     

Fine-grained data access control for distributed sensor networks

Distributed sensor networks are becoming a robust solution that allows users to directly access data generated by individual sensors. In many practical scenarios, fine-grained access control is a pivotal security requirement to enhance usability and protect sensitive sensor information from unauthorized access. Recently, there have been proposed many schemes to adapt public key cryptosystems into sensor systems consisting of high-end sensor nodes in order to enforce security policy efficiently. However, the drawback of these approaches is that the complexity of computation increases linear to the expressiveness of the access policy. Key-policy attribute-based encryption is a promising cryptographic solution to enforce fine-grained access policies on the sensor data. However, the problem of applying it to distributed sensor networks introduces several challenges with regard to the attribute and user revocation. In this paper, we propose an access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. They can be achieved by the proxy encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution. The analysis results indicate that the proposed scheme achieves efficient user access control while requiring the same computation overhead at each sensor as the previous schemes.     

Attribute-based encryption scheme supporting attribute revocation in cloud storage environment

Attribute-based encryption (ABE) scheme is widely used in the cloud storage due to its fine-grained access control.Each attribute in ABE may be shared by multiple users at the same time.Therefore,how to achieve attribute-level user revocation is currently facing an important challenge.Through research,it has been found that some attribute-level user revocation schemes currently can’t resist the collusion attack between the revoked user and the existing user.To solve this problem,an attribute-based encryption scheme that supported the immediate attribute revocation was proposed.The scheme could achieve attribute-level user revocation and could effectively resist collusion attacks between the revoked users and the existing users.At the same time,this scheme outsourced complex decryption calculations to cloud service providers with powerful computing ability,which reduced the computational burden of the data user.The scheme was proved secure based on computational Diffie-Hellman assumption in the standard model.Finally,the functionality and efficiency of the proposed scheme were analyzed and verified.The experimental results show that the proposed scheme can safely implement attribute-level user revocation and has the ability to quickly decrypt,which greatly improves the system efficiency.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

云计算平台下基于属性加密的动态版权使用控制方案（英文）

In order to achieve fine-grained access control in cloud computing,existing digital rights management(DRM) schemes adopt attribute-based encryption as the main encryption primitive.However,these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud.In this paper,we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing.We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption.Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content.The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users,and also enables the license server to implement immediate attribute and user revocation.Moreover,our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption,which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext.Extensive analytical results indicate that our proposed scheme is secure and efficient.     

MACPABE: Multi-Authority-based CP-ABE with efficient attribute revocation for IoT-enabled healthcare infrastructure

The Internet of Things (IoT) technology along with cloud computing has gained much attention in recent years for its potential to upgrade conventional healthcare systems. Outsourcing healthcare data to a cloud environment from IoT devices is very essential as IoT devices are lightweight. To maintain confidentiality and to achieve fine-grained access control, the ciphertext policy attribute-based encryption (CP-ABE) technique is utilized very often in an IoT-based healthcare system for encrypting patients' healthcare data. However, an attribute revocation may affect the other users with the same attribute set, as well as the entire system due to its security concerns. This paper proposes a novel CP-ABE-based fine-grained access control scheme to solve the attribute revocation problem. The proposed technique includes multiple attribute authorities to reduce the work overhead of having a single authority in the traditional CP-ABE systems. In addition, the proposed scheme outsources the decryption process to a decryption assistant entity to reduce the decryption overhead of the end-users. To prove the efficiency of the proposed scheme, both formal security analysis and performance comparisons are presented in this paper. Results and discussion prove the effectiveness of the proposed scheme over some well-known schemes.