
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2015.2440247, IEEE Transactions on Cloud Computing

IEEE TRANSACTIONS ON CLOUD COMPUTING, MANUSCRIPT ID

Attribute-based Access Control with Constant-size Ciphertext in Cloud Computing

Wei Teng, Geng Yang, Member, IEEE, Yang Xiang, Senior Member, IEEE, Ting Zhang and Dongyang Wang

Abstract—With the popularity of cloud computing, there have been increasing concerns about its security and privacy. Since the cloud computing environment is distributed and untrusted, data owners have to encrypt outsourced data to enforce confidentiality. Therefore, how to achieve practicable access control of encrypted data in an untrusted environment is an urgent issue that needs to be solved. Attribute-Based Encryption (ABE) is a promising scheme suitable for access control in cloud storage systems. This paper proposes a hierarchical attribute-based access control scheme with constant-size ciphertext. The scheme is efficient because the length of the ciphertext and the number of bilinear pairing evaluations are fixed at a constant. Its computation cost in the encryption and decryption algorithms is low. Moreover, the hierarchical authorization structure of our scheme reduces the burden and risk of a single-authority scenario. We prove the scheme is CCA2 secure under the decisional q-Bilinear Diffie-Hellman Exponent assumption. In addition, we implement our scheme and analyse its performance. The analysis results show the proposed scheme is efficient, scalable, and fine-grained in dealing with access control for outsourced data in cloud computing.

Index Terms—access control, ciphertext-policy attribute-based encryption, constant ciphertext length


1 INTRODUCTION

Nowadays, as an emerging and efficient computing model, cloud computing has attracted widespread attention and support in many fields. In the cloud computing environment, many services such as resource renting, application hosting, and service outsourcing show the core concept of an on-demand service in the IT field. In recent years, many IT giants have been developing their business cloud computing systems, e.g. Amazon's EC2 [1], Amazon's S3 [2], Google App Engine [3] and Microsoft's Azure [4]. Cloud computing can provide flexible computing capabilities, reduce costs and capital expenditures and charge according to usage.

Although the cloud computing paradigm brings many benefits, there are many unavoidable security problems caused by its inherent characteristics such as the dynamic complexity of the cloud computing environment, the openness of the cloud platform and the high concentration of resources. One of the important problems is how to ensure the security of user data. Security problems, such as data security and privacy protection in cloud computing, have become serious obstacles which, if not appropriately addressed, will prevent the development and wide application of cloud computing in the future. In 2009, a few serious security incidents with cloud services occurred at many IT companies, including Google, Microsoft, and Amazon. These incidents affected the information services of millions of consumers. Therefore, it is important that security problems in cloud computing receive significant attention.

In cloud computing, users store their data files in cloud servers. Thus, it is crucial to prevent unauthorized access to these resources and realize secure resource sharing. In traditional access control methods, we generally assume data owners and the storage server are in the same secure domain and the server is fully trusted. However, in the cloud computing environment, cloud service providers may be attacked by malicious attackers. These attacks may leak the private information of users for commercial interests, as data owners commonly store decrypted data in cloud servers. How to realize access control to the encrypted data and ensure the confidentiality of the data files of users in an untrusted environment are problems that must be solved by cloud computing technologies and applications. Moreover, since the number of users is large in a cloud computing environment, how to realize scalable, flexible and fine-grained access control is strongly desired in the service-oriented cloud computing model.

This paper proposes a hierarchical ciphertext-policy attribute-based encryption (CP-ABE) access control scheme with constant-size ciphertext that can realize scalable, flexible, and fine-grained access control of outsourced data in cloud computing.

Our contributions are: first, the proposed scheme adopts CP-ABE with constant ciphertext size and keeps the size of the ciphertext and the computation of bilinear pairings at a constant value, which improves the efficiency of the system and reduces the extra overhead of space storage,

————————————————
W. Teng is with the College of Telecommunications & Information Engineering, Nanjing University of Posts & Telecommunications, Nanjing 210023, China and the College of Computer Science & Engineering, Jiangsu University of Science & Technology, Zhenjiang 212003, China. E-mail: tengwei@just.edu.cn.
G. Yang is with the Graduate School, Nanjing University of Posts & Telecommunications, Nanjing 210046, China. E-mail: yangg@njupt.edu.cn.
Y. Xiang is with the Network Security and Computing Lab, School of Information Technology, Deakin University, 221 Burwood Highway, Burwood, VIC 3125, Australia. E-mail: yang@deakin.edu.au

2168-7161 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Published by the IEEE Computer Society

data transmission and computation. Second, we design a hierarchical access control system. This system supports inheritance of authorization, which reduces the burden and risk of a single authority. Finally, we prove our scheme has indistinguishable security under an adaptive chosen ciphertext attack and we analyze the performance of our scheme. We present a simulation model to apply our scheme in a cloud environment.

The rest of this paper is organized as follows. Section 2 introduces related work. We provide the background knowledge and assumptions in Section 3. Section 4 describes the system scheme and operations in detail. Section 5 proves the security of our scheme. In Section 6, we analyze the performance of the scheme and present a simulation model in a cloud environment. We conclude this paper in Section 7.

2 RELATED WORK

Access control is a classic security issue. Various access control models have been proposed since the 1970s, e.g. DAC [5], MAC [6], Bell-La Padula [7], Biba [8] etc. In 1996, Sandhu et al. proposed the Role-Based Access Control Model [9] (RBAC). Various improved RBAC models have been proposed and widely used in practice. With the development of information technology, traditional access control is not very suitable for access control in cloud computing for the following reasons. First, the flexibility of the access policy is inadequate and it is difficult to extend it to a hierarchical and large-scale application in a cloud computing environment. Second, these access control schemes need to strengthen their adaptability to a cloud computing environment. Third, their adaptability to dynamically changing roles is simply not enough. The role of users changes dynamically in many applications. For example, when a doctor works in an outpatient department during the day, he can access the data of an outpatient in the health-care information system. But when he works in the inpatient department at night, he can access the data of an inpatient in the system. How to achieve a dynamic change of role is a problem that should be solved regarding traditional access control. Finally, high security requirements need a new access control model. In traditional access control schemes, we generally assume the storage server is fully trusted. However, in a cloud computing environment the data owners and storage server are not in the same secure domain and the cloud service provider may be untrusted. A general solution for this problem is to store the encrypted data file in a server and give decryption keys to authorized users. Thus, unauthorized users (including the cloud service provider) cannot decrypt the encrypted files and we can control the decryption ability of users to achieve access control. This method provides an idea for realizing the confidentiality of data stored on an untrusted server.

To achieve easy public-key encryption deployment, Shamir proposed the concept of identity-based encryption (IBE) [10]. A user's public key is his/her identity, such as an e-mail address or phone number. An encryptor can create a ciphertext under the receiver's identity without asking for the receiver's public key beforehand. The first fully functional IBE scheme was presented by Boneh and Franklin [11]. They constructed an IBE scheme by exploiting the Weil pairing and they proved its selective security in the random oracle model. Similarly to IBE, a number of identity-based cryptographic primitives have been proposed [12][13][14][15][16][17][18]. Several advanced cryptographic primitives allow defining more controllable decryption. Hierarchical identity-based encryption (HIBE), first proposed by [19], is an identity-based cryptographic primitive that extends IBE with key delegation to relieve the private key generator in IBE from the heavy key management burden when there is a large number of users in the system.

In 2005, a fuzzy identity-based encryption algorithm was proposed by Sahai and Waters [20]. The concept of attribute was introduced first and an identity was viewed as a set of attributes. In 2006, Goyal et al. [21] extended this idea and introduced two variants: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In a KP-ABE system, decryption keys are associated with access policies, and ciphertexts are associated with sets of attributes. A user can decrypt ciphertexts if and only if his set of attributes satisfies the access structure. In a CP-ABE system, the situation is reversed: a user's private key is associated with a set of attributes and the ciphertext specifies an access policy over attributes. A user can decrypt the ciphertext if and only if his attributes satisfy the ciphertext's policy. In 2007, the first CP-ABE scheme was proposed by Bethencourt et al. [22], which adopted the generic group model and a threshold access tree. This scheme is suitable for applications needing a simple access policy. Many improved ABE algorithms have been introduced [23][24][25][26][27] and ABE schemes have been presented. Since users' decryption keys are associated with a set of attributes, CP-ABE is conceptually closer to traditional access control models such as Role-Based Access Control (RBAC). Thus, it is more natural to apply CP-ABE to enforce access control of encrypted data. However, the disadvantage of these schemes is that the size of the ciphertext and the computation of encryption and decryption depend linearly on the number of attributes. In cloud computing, this will limit the application of ABE in practice if the number of attributes is too large and the length of the ciphertext is too long. In addition, the huge number of users in a cloud computing environment means it is impractical to complete the authorization and distribute secret keys using only one attribute authority. Ruj et al. [28] proposed a new model for data storage and access in clouds. This scheme distributes keys to data owners and users by key distribution centers (KDC). In 2011, Wang et al. [29] proposed a hierarchical attribute-based encryption scheme (HABE) by combining a HIBE system and a CP-ABE system to provide not only fine-grained access control but also full delegation and high performance. In 2012, Wan et al. [30] proposed a hierarchical authority structure with a central authority (Central Authority) and used the algorithm ASBE [31] to realize scalable and flexible access control and valid at-

tribute revocation in clouds. In 2014, Deng et al. [32] proposed a new versatile cryptosystem referred to as ciphertext-policy hierarchical ABE (CP-HABE) with short ciphertexts. These schemes suppose the KDC or CA is fully trusted and can defend against various malicious attacks, which is difficult to realize in a cloud. However, in a cloud computing environment the service provider may be untrusted. Furthermore, in previous ABE schemes, the size of the ciphertext and the number of pairing computations vary linearly with the number of attributes. These limit the usage of ABE in real applications because the ciphertext becomes too long with the thousands of attributes in a cloud computing environment. The first CP-ABE scheme with a constant ciphertext size was proposed by Emura et al. in [23], and its policies were restricted to AND-gates. Herranz et al. [33] constructed another constant-size-ciphertext CP-ABE scheme that works for the (t,n)-threshold policy. Ge et al. [34] proposed a CCA-secure CP-ABE scheme with constant-size ciphertexts that supports a flexible threshold access structure in the standard model.

3 BACKGROUND AND ASSUMPTIONS

In this section, we first provide the formal definitions for Ciphertext-Policy Attribute-Based Encryption (CP-ABE). We follow with a brief review of bilinear maps and the decisional q-BDHE assumption, and then state the security model that will be used for our proofs of security.

3.1 CP-ABE Scheme

CP-ABE consists of four polynomial time algorithms: Setup, Encrypt, KeyGen, and Decrypt [22]. The detailed algorithms are defined as follows:

Setup($\lambda$, $\mathcal{U}$): This algorithm takes as input the initial information such as the security parameter $\lambda$ and the attribute universe description $\mathcal{U}$, and outputs a public key $PK$ and a master secret key $MK$.

Encrypt($PK$, $M$, $\mathbb{A}_{t,\omega}$): This algorithm takes as input a public key $PK$, a message $M$ and an access structure $\mathbb{A}_{t,\omega}$, and outputs a ciphertext $CT$.

KeyGen($MK$, $\omega$): This takes as input $MK$ and $\omega$, and outputs a secret key $SK$ associated with $\omega$, where $\omega$ is an attribute set for a user.

Decrypt($PK$, $SK$, $CT$): This algorithm takes as input $PK$, a secret key $SK$ and $CT$, and outputs a message $M$ if and only if the set of attributes $\omega$ satisfies the access structure $\mathbb{A}_{t,\omega}$ associated with the ciphertext.

3.2 Bilinear Maps

The ABE algorithm is mainly implemented by bilinear maps on an elliptic curve. The definition of bilinear maps is presented as follows:

Let $\mathbb{G}$, $\mathbb{G}_T$ be cyclic (multiplicative) groups of order $p$, where $p$ is a big prime number. Let $g$ be a generator of $\mathbb{G}$. Then $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is a bilinear map if it has the following properties:

1. Bilinearity: for all $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: $e(g, g) \neq 1$.

We say that $\mathbb{G}$ is a bilinear group if the group operation in $\mathbb{G}$ and the bilinear map $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ are both computable in polynomial time. Notice the map $e$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

3.3 Complexity Assumption

The security of our CP-ABE scheme is based on the decisional q-BDHE assumption [35], which is defined as follows:

Definition 1. Decisional q-BDHE Assumption. Let $\mathbb{G}$, $\mathbb{G}_T$ be cyclic (multiplicative) groups of order $p$ and $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ a bilinear map. The decisional q-BDHE problem is, for a given $(2q+1)$-tuple $(g, h, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^q}, g^{\alpha^{q+2}}, \ldots, g^{\alpha^{2q}}) \in \mathbb{G}^{2q+1}$ (where $\alpha \in \mathbb{Z}_p^*$ is unknown) and a random element $T \in \mathbb{G}_T$, to decide whether $T = e(g, h)^{\alpha^{q+1}}$ or not.

3.4 IND-CCA2 Security Model

IND-CCA2 (CCA) means an attacker has indistinguishable security against the challenger under the adaptive chosen ciphertext attack. In a public-key cryptosystem, CCA security is an acknowledged security level that can be accepted.

Definition 2. An encryption system is called $(t, \epsilon, q_K, q_D)$-CCA2 secure if within polynomial time $t$ adversaries have less than a negligible advantage $\epsilon$ after $q_K$ private key queries and $q_D$ decryption queries.

The indistinguishable chosen ciphertext attack security model of CP-ABE is described by a game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$ as follows:

(1) Initialization. Adversary $\mathcal{A}$ first declares a challenge structure $\mathbb{A}_{t^*,\omega^*}$.

(2) Setup. The challenger takes a security parameter $k$, runs the Setup algorithm, gives the public key $PK$ to the adversary and keeps the master key $MK$ secret.

(3) Phase 1. The adversary makes polynomially many queries and the challenger gives the corresponding answers.

Private key query: $\mathcal{A}$ randomly selects an attribute set $\omega$ with $|\omega \cap \omega^*| < t^*$. The adversary queries secret keys for the attribute set $\omega$. The challenger responds by running the KeyGen algorithm to generate the decryption key $sk_i$ and sends $sk_i$ to the adversary $\mathcal{A}$.

Decrypt query: $\mathcal{A}$ randomly selects a ciphertext $CT$ that can be decrypted under an access structure $\mathbb{A}_{t,\omega}$. The adversary queries the message for the ciphertext $CT$. The challenger runs algorithm Decrypt to decrypt the ciphertext using the decryption key $sk_i$. It sends the adversary the resulting plaintext.

(4) Challenge: Adversary $\mathcal{A}$ sends two equal-length messages $M_0$ and $M_1$ to the challenger $\mathcal{B}$. $\mathcal{B}$ flips a random coin $\beta \in \{0,1\}$ and encrypts $M_\beta$ under $\mathbb{A}_{t^*,\omega^*}$. The resulting ciphertext $CT^*$ is given to $\mathcal{A}$.

(5) Phase 2: Same as Phase 1, but $\mathcal{A}$ can't make a decrypt query on $CT^*$.

(6) Guess: Finally, adversary $\mathcal{A}$ outputs a guess $\beta'$ for $\beta$.

We say adversary $\mathcal{A}$ succeeds if $\beta' = \beta$, and the advantage of $\mathcal{A}$ is defined as $Adv(\mathcal{A}) = \left| \Pr[\beta' = \beta] - \tfrac{1}{2} \right|$.

4 THE SYSTEM MODELS AND PROPOSED SCHEMES

This section first describes the system model of our scheme and the basic security assumption in the cloud computing environment. The system model utilizes a hierarchical structure which is formed with a root authority, top-level domain authorities and low-level domain authorities to realize attribute management and authorization. The structure can disperse the burden and risk of the authority of a single central attribute authority in a cloud computing environment. Moreover, we propose a hierarchical CP-ABE access control scheme with constant-size ciphertext and discuss the algorithms of our scheme in detail. This scheme fixes the size of the ciphertext and the computation of encryption and decryption at a constant value in addition to improving the efficiency of the system. The data owner first encrypts the data file using a symmetric key DEK and then encrypts DEK by using the proposed scheme with a specific access control policy. The data owner uploads the final ciphertext and stores it in the cloud servers. Whether a user can access and decrypt the data file depends on whether he can obtain the symmetric key, which is decided by the user's set of access attributes.

4.1 The Models of Our Scheme

As depicted in Fig. 1, the system model consists of five types of parties: data owners, users, a cloud service provider, a root authority, and a number of domain authorities. The cloud service provider manages the cloud servers and provides a data storage service. Data owners encrypt their shared data files and store them in the cloud. The format of a stored file in a cloud environment is shown in Fig. 2, where ID is the identity number of a file, DEK is a symmetric key, and CT is the ciphertext of DEK under an ABE algorithm. Since the access structure is implied in the ciphertext, only a user with the corresponding attributes can decrypt the ciphertext (we consider the cloud service provider to be a kind of user as well). Unauthorized users cannot access the data file. Therefore, we realize access control based on attribute-based encryption with constant-size ciphertext. To access the shared data files, users download a previously encrypted data file from the cloud and then decrypt the first part of the file, CT, based on their set of attributes to get the symmetric key. The access policies are expressed in terms of the set of attributes. The user obtains the data file by using the symmetric key to decrypt the ciphertext of the data file.

Figure 1. System model

The root authority has the top authority and is responsible for generating system parameters and authorizing top-level domain authorities. Each domain authority is responsible for managing domain authorities at the next level or the data owners/users in its domain. This inherited structure of attribute authority reduces the computation and disperses the burden and risk of the authority of the central attribute authority. Each data owner/consumer is administrated by a domain authority. A domain authority is managed by its parent domain authority or a trusted authority.

Figure 2. Format of a data file stored on the cloud

In the security model, we assume users access the data files in a read-only way. Additionally, we assume the cloud service provider is semi-trusted in the sense that it abides by the agreement and faithfully carries out the operating requests of a legal user. However, it may try to pry into the private files of users or collude with malicious users to harvest file information stored in the cloud for its own benefit. Moreover, we assume the communication channels between all parties of the system model are secured. In Section 5, we describe a security model that is defined by a security game between a challenger $\mathcal{B}$ and an adversary $\mathcal{A}$. We also prove our scheme is secure against chosen ciphertext attacks, assuming the decisional q-BDHE problem is hard to solve, in the standard model.

4.2 Our Scheme

In order to solve the problem that the ciphertext size depends linearly on the number of attributes in general CP-ABE schemes, our scheme adopts the encryption algorithm with constant ciphertext size of [34], built on the hierarchical system model.

The proposed scheme includes six operations: System Setup, Top-Level Domain Authority Grant, New User/Domain Authority Grant, New File Creation, File Access, and File Deletion [30].

(1) System setup: Setup($\lambda$, $\mathcal{U}$)

The root authority calls the algorithm Setup($\lambda$, $\mathcal{U}$) to create the system public parameters $PK$ and master key $MK_0$. $PK$ is publicly known to the other parties in the system and $MK_0$ is kept secret by the root authority. The root authority can authorize a top-level domain authority by using $PK$ and $MK_0$. Let $\mathcal{U} = \{att_1, att_2, \ldots, att_N\}$ be the set of real attributes and $att_i$ ($1 \le i \le N$) a real attribute. Let $\mathcal{U}' = \{att'_1, att'_2, \ldots, att'_{N-1}\} = \{att_{N+1}, att_{N+2}, \ldots, att_{2N-1}\}$ be the set of dummy attributes and $att_i$ ($N+1 \le i \le 2N-1$) a dummy attribute ($att_i$ is required for each encryption and decryption, which ensures that encryption is consistent with decryption). All parties in the system have all dummy attributes.

Algorithm 1 Setup($\lambda$, $\mathcal{U}$):
Input: The system security parameter $\lambda$ and the set $\mathcal{U}$ of all real attributes;
Output: The public parameters $PK$ and a master key $MK_0$.

Step 1: Select an appropriate coding function $\phi$ which maps each attribute $att_i$ to a unique value, that is $\phi(att_i) = x_i \in \mathbb{Z}_p$. For each $att_i \in \mathcal{U} \cup \mathcal{U}'$ (where $\mathcal{U} = \{1, 2, \ldots, N\}$ and $\mathcal{U}' = \{N+1, N+2, \ldots, 2N-1\}$), we define $\phi(att_i) = i$.

Step 2: Randomly select $g_2, h_0, h_1, \ldots, h_{2N-1}, \alpha_1, \alpha_2, \alpha_3 \in \mathbb{G}$ and $x \in \mathbb{Z}_p^*$, and select a collision-free hash function $H: \{0,1\}^* \to \mathbb{Z}_p^*$. Then compute $g_1 = g^x$ and $Z = e(g_1, g_2)$.

Step 3: Output the public key and master secret key as follows: $PK = (g, g_2, Z, h_0, h_1, \ldots, h_{2N-1}, \alpha_1, \alpha_2, \alpha_3, H)$, $MK_0 = x$.

(2) Top-Level Domain Authority Grant: CreateDA($MK_0$, $PK$, $\omega$)

When a new top-level domain authority DA requests to join the system, the root authority will first verify whether it is a valid domain authority. If so, the root authority calls the CreateDA algorithm to generate the master key for DA. After obtaining the master key, DA can authorize the next-level domain authorities or users in its domain.

Algorithm 2 CreateDA($MK_0$, $PK$, $\omega$):
Input: The system public key, the master secret key and the attribute set $\omega$ of the top-level domain authority DA;
Output: The secret key $SK_{DA}$ of DA.

Step 1: Randomly select a polynomial $q(\cdot)$ of degree $N-1$, where $q(0) = x$.

Step 2: If the real attributes of the top-level domain authority are $\omega$, the set of its attributes is $\omega \cup \mathcal{U}'$. For each attribute $i \in \omega \cup \mathcal{U}'$, we select a random number $r_i \in \mathbb{Z}_p$ and compute $sk_i$ as follows:

$sk_i = \left( g_2^{q(i)} (h_0 h_i)^{r_i},\ g^{r_i},\ h_1^{r_i}, \ldots, h_{i-1}^{r_i}, h_{i+1}^{r_i}, \ldots, h_{2N-1}^{r_i} \right) = \left( a_i, b_i, c_{i,1}, \ldots, c_{i,i-1}, c_{i,i+1}, \ldots, c_{i,2N-1} \right)$

Step 3: Output the secret key of DA: $SK_{DA} = \{sk_i\}_{i \in \omega \cup \mathcal{U}'}$

(3) Domain Authority Grant / New User: Delegate($SK_{DA}$, $\widetilde{\omega}$)

When a new subordinate domain authority, denoted as $\widetilde{DA}$, or a new user, denoted as U, wants to join the system, the administrating domain authority, denoted as DA, will first verify whether the new entity is valid. If so, DA calls the Delegate algorithm and generates the corresponding secret key for the new subordinate domain authority or new user. Then $\widetilde{DA}$ can authorize the lower-level domain authorities or users in its domain, and U can access the data files it has access privileges to.

Algorithm 3 Delegate($SK_{DA}$, $\widetilde{\omega}$):
Input: The secret key $SK_{DA}$ of the superior domain authority and the attribute set $\widetilde{\omega}$ of the new member;
Output: The secret key $SK_{\widetilde{DA}}$ or $SK_u$ of the new member.

Step 1: If the real attributes of the new member are $\widetilde{\omega}$, the set of its attributes is $\widetilde{\omega} \cup \mathcal{U}'$ and $\widetilde{\omega} \subseteq \omega$. For each $i \in \widetilde{\omega} \cup \mathcal{U}'$, we randomly select $r_i \in \mathbb{Z}_p$ and compute as follows:

$sk_i = \left( a_i (h_0 h_i)^{r_i},\ b_i g^{r_i},\ c_{i,1} h_1^{r_i}, \ldots, c_{i,i-1} h_{i-1}^{r_i}, c_{i,i+1} h_{i+1}^{r_i}, \ldots, c_{i,2N-1} h_{2N-1}^{r_i} \right) = \left( a_i, b_i, c_{i,1}, \ldots, c_{i,i-1}, c_{i,i+1}, \ldots, c_{i,2N-1} \right)$

Step 2: Output the secret key of the new member as follows: $SK_{\widetilde{DA}}$ or $SK_u = \{sk_i\}_{i \in \widetilde{\omega} \cup \mathcal{U}'}$

(4) New File Creation: Encrypt($PK$, $M$, $\mathbb{A}_{t,\omega}$)

In order to ensure the confidentiality and integrity of the data, data owners store the encrypted data files in the cloud and realize access control to the files by controlling the decryption ability of users. The complexity of the CP-ABE algorithm means it is not suitable for encrypting large data files. Therefore, we first encrypt the data file using a symmetric data encryption key DEK and get the same ciphertext of the data file as in [28]. Then, we encrypt DEK using the CP-ABE algorithm with constant-size ciphertext and obtain the ciphertext of DEK. Therefore, users can access the data file by decrypting the ciphertext of DEK and the ciphertext of the data file in turn.

Before uploading a file to the cloud servers, the data owner processes the data file as follows:

Step 1: Select a unique ID for the data file.

Step 2: Randomly select a symmetric data encryption key DEK from $\mathcal{K}$, where $\mathcal{K}$ is the key space, and encrypt the data file using DEK.

Step 3: Define a set of attributes $\omega$ and a threshold access structure $\mathbb{A}_{t,\omega}$, where $\omega \subseteq \mathcal{U}$ and $1 \le t \le |\omega|$. This means that if a user wants to decrypt the file, he must hold $t$ of the $|\omega|$ attributes.

Step 4: Call Encrypt($PK$, $M$, $\mathbb{A}_{t,\omega}$) to encrypt DEK, and output the ciphertext CT. We then upload the whole file, which is composed of CT (the ciphertext of DEK) and the data file encrypted by DEK (the ciphertext of the data). The file is then sent to the cloud.

Algorithm 4 Encrypt($PK$, $M$, $\mathbb{A}_{t,\omega}$):
Input: The public key $PK$, a message $M$ and the threshold access structure $\mathbb{A}_{t,\omega}$ corresponding to $M$;
Output: The ciphertext of DEK.

Step 1: The data owner selects a subset of dummy attributes $S \subseteq \mathcal{U}'$ with $S = \{N+1, N+2, \ldots, 2N-t\}$.

Step 2: The data owner randomly selects $s, r \in \mathbb{Z}_p$ and computes as follows:

$C_0 = M \cdot Z^s$, $C_1 = g^s$, $C_2 = \left( h_0 \prod_{j \in \omega \cup S} h_j \right)^s$, $C_3 = \left( \alpha_1^{c} \alpha_2^{r} \alpha_3 \right)^s$, where $c = H(\mathbb{A}_{t,\omega}, C_0, C_1, C_2)$.

Step 3: Output the ciphertext CT: $CT = (r, C_0, C_1, C_2, C_3)$

(5) File Access: Decrypt($\mathbb{A}_{t,\omega}$, $PK$, $SK_u$, $CT$)

When a user requests access to the files stored in the cloud, the cloud server sends the corresponding ciphertext to the user. First, the user decrypts the file by calling the Decrypt algorithm to obtain DEK. If the user's set of real attributes satisfies the threshold access structure $\mathbb{A}_{t,\omega}$ (that is, there is a subset $\omega' \subseteq \omega$ of the user's attributes with $|\omega'| \ge t$ and $1 \le t \le |\omega|$), the user can decrypt CT using the secret key $SK_u = \{sk_i\}_{i \in \omega \cup \mathcal{U}'}$ to obtain DEK, and then decrypt the ciphertext of the data using DEK to obtain the original data file.

Algorithm 5 Decrypt($\mathbb{A}_{t,\omega}$, $PK$, $SK_u$, $CT$):
Input: The access structure $\mathbb{A}_{t,\omega}$, the public key $PK$, the secret key of the user $SK_u$ and the ciphertext CT.
Output: A symmetric data encryption key DEK.

Step 1: Given a ciphertext $CT = (r, C_0, C_1, C_2, C_3)$, the user should first check the following two equations:

$$e(g, C_2) = e\Big(C_1,\; h_0 \prod_{j \in S \cup D} h_j\Big), \qquad e(g, C_3) = e\big(C_1,\; \mu_1^{c}\,\mu_2^{r}\,\mu_3\big)$$

Here $S$ is the attribute set of the access structure, $D$ its $N-t$ dummy attributes, and $c = H(t, S, C_0, C_1, C_2)$. If one of the two equations does not hold, the user considers the ciphertext invalid and returns $\bot$. Otherwise, the user can go on to decrypt the ciphertext.

Step 2: Compute the following two values:

$$D_1 = \prod_{i \in \Gamma'} \Big(a_i \prod_{j \in S \cup D,\; j \ne i} c_{i,j}\Big)^{\Delta_{i,\Gamma'}(0)}, \qquad D_2 = \prod_{i \in \Gamma'} (b_i)^{\Delta_{i,\Gamma'}(0)}$$

where $\Gamma'$ is the set of attributes used for decryption and $\Delta_{i,\Gamma'}(0)$ is the Lagrange coefficient.

Step 3: Compute and output $M$ (that is, $DEK$):

$$M = C_0 \cdot \frac{e(C_2, D_2)}{e(C_1, D_1)}$$

(6) File Deletion: When the data owner sends a file deletion request to the cloud server, he sends the file's unique ID and his signature on this ID to the cloud server. Only upon successful verification of this information does the cloud server accept the request and delete the data file.

5. SECURITY PROOF

In this section, we use the decisional $(t', \varepsilon', q)$-BDHE assumption to argue that no efficient adversary can break the security of our scheme with any reasonable probability.

Theorem 1. Our scheme is $(t, \varepsilon, q_K, q_D)$-CCA2 secure in the standard model. Suppose the decisional $(t', \varepsilon', q)$-BDHE assumption holds in the bilinear group $(\mathbb{G}, \mathbb{G}_T)$ and an adversary can make at most $q_K$ private key queries and $q_D$ decryption queries. Here $\varepsilon' = (\varepsilon - q_D/p)/2$ and $t' = t + O(q_D)\,P$, where $P$ is the time of computing a bilinear pairing.

Proof: Suppose there exists a $(t, \varepsilon, q_K, q_D)$ adversary $\mathcal{A}$ against our scheme. Then we can construct a probabilistic polynomial-time algorithm $\mathcal{B}$ that solves the decisional $q$-BDHE problem with probability at least $\varepsilon'$ in time at most $t'$. Suppose the challenger $\mathcal{B}$ is given a decisional $q$-BDHE challenge $(g, h, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^q}, g^{\alpha^{q+2}}, \ldots, g^{\alpha^{2q}}, T)$, where $T$ is either $e(g, h)^{\alpha^{q+1}}$ or a random element of $\mathbb{G}_T$.

Consider the game between adversary $\mathcal{A}$ and challenger $\mathcal{B}$ as follows:

Init: $\mathcal{A}$ receives a challenge access structure $(t^*, S^*)$.

Setup: Challenger $\mathcal{B}$ first defines the set of real attributes used in this system as $U = \{1, 2, \ldots, N\}$ and the set of dummy attributes as $D = \{N+1, N+2, \ldots, 2N-1\}$. Here we let $q = 2N-1$, and the set of $N - t^*$ dummy attributes in the challenge $(t^*, S^*)$ is $D^* = \{N+1, N+2, \ldots, 2N-t^*\}$. $\mathcal{B}$ chooses $r_j$ ($0 \le j \le q$) at random from $\mathbb{Z}_p$ and computes

$$h_0 = g^{r_0} \prod_{i \in S^* \cup D^*} h_i^{-1}, \qquad h_j = g^{r_j} g^{\alpha^{q-j+1}}.$$

Then $\mathcal{B}$ randomly chooses $x' \in \mathbb{Z}_p$ and implicitly sets $x$ by letting $g_1 = g^{x} = g^{\alpha} g^{x'}$ and $g_2 = g^{\alpha^q}$. In addition, $\mathcal{B}$ randomly selects $d_2, d_3, e_1, e_2, e_3 \in \mathbb{Z}_p^*$ and computes $\mu_1 = g_2\, g^{e_1}$, $\mu_2 = g_2^{d_2} g^{e_2}$, $\mu_3 = g_2^{d_3} g^{e_3}$. The challenger provides $\mathcal{A}$ with the public key $PK = (g, g_2, Z, h_0, h_1, \ldots, h_q, \mu_1, \mu_2, \mu_3, H)$, where $Z = e(g_1, g_2) = e(g^{\alpha}, g^{\alpha^q})\, e(g^{x'}, g^{\alpha^q})$ and $H$ is a collision-resistant hash function.

Phase 1: In this phase, challenger $\mathcal{B}$ answers private key queries and decryption queries from adversary $\mathcal{A}$.

1) Private Key Queries: Suppose adversary $\mathcal{A}$ makes at most $q_K$ queries for the private key of an attribute set $\omega$, with the restriction that $|\omega \cap S^*| < t^*$. Define three sets $\Gamma$, $\Gamma'$ and $\Gamma''$ from $\omega$ and $S^* \cup D^*$, such that a queried attribute $i$ lies in $\Gamma'$ exactly when $i \in S^* \cup D^*$, and $\Gamma'' = \Gamma' \cup \{0\}$. For the attributes $i \in \Gamma'$, $\mathcal{B}$ randomly chooses a polynomial $q(\cdot)$ of degree $N-1$ such that $q(0) = x = \alpha + x'$ (actually $\mathcal{B}$ does not know the value of $x$). For each attribute $i$, the private key $sk_i$ is computed as follows:

(1) For $i \in \Gamma'$, i.e., $i \in S^* \cup D^*$: $\mathcal{B}$ randomly selects $t_i, r_i' \in \mathbb{Z}_p$ and lets $q(i) = t_i$ and $r_i = -\alpha^i + r_i'$. It then computes

$$\begin{aligned}
sk_i &= \big(g_2^{q(i)} (h_0 h_i)^{r_i},\; g^{r_i},\; h_1^{r_i}, \ldots, h_{i-1}^{r_i}, h_{i+1}^{r_i}, \ldots, h_q^{r_i}\big) \\
&= \big(g_2^{t_i} (h_0 h_i)^{-\alpha^i + r_i'},\; g^{-\alpha^i + r_i'},\; h_1^{-\alpha^i + r_i'}, \ldots, h_{i-1}^{-\alpha^i + r_i'}, h_{i+1}^{-\alpha^i + r_i'}, \ldots, h_q^{-\alpha^i + r_i'}\big) \\
&= \Big(g_2^{t_i} (h_0 h_i)^{r_i'} \Big(g^{r_0} \prod_{j \in S^* \cup D^*,\; j \ne i} h_j^{-1}\Big)^{-\alpha^i},\; g^{r_i'} g^{-\alpha^i},\; h_1^{-\alpha^i + r_i'}, \ldots, h_{i-1}^{-\alpha^i + r_i'}, h_{i+1}^{-\alpha^i + r_i'}, \ldots, h_q^{-\alpha^i + r_i'}\Big)
\end{aligned}$$

(2) For $i \notin \Gamma'$, i.e., $i \notin S^* \cup D^*$: $\mathcal{B}$ randomly selects $r_i' \in \mathbb{Z}_p$ and sets $r_i = r_i'\, \Delta_{0,\Gamma''}(i)$. By Lagrange interpolation, $q(i) = \Delta_{0,\Gamma''}(i)\, q(0) + \sum_{j \in \Gamma'} \Delta_{j,\Gamma''}(i)\, q(j)$, so $\mathcal{B}$ computes

$$\begin{aligned}
sk_i &= \big(g_2^{q(i)} (h_0 h_i)^{r_i},\; g^{r_i},\; h_1^{r_i}, \ldots, h_{i-1}^{r_i}, h_{i+1}^{r_i}, \ldots, h_q^{r_i}\big) \\
&= \Big(g_2^{\Delta_{0,\Gamma''}(i)\, q(0) + \sum_{j \in \Gamma'} \Delta_{j,\Gamma''}(i)\, q(j)} (h_0 h_i)^{r_i' \Delta_{0,\Gamma''}(i)},\; g^{r_i' \Delta_{0,\Gamma''}(i)},\; h_1^{r_i' \Delta_{0,\Gamma''}(i)}, \ldots, h_{i-1}^{r_i' \Delta_{0,\Gamma''}(i)}, h_{i+1}^{r_i' \Delta_{0,\Gamma''}(i)}, \ldots, h_q^{r_i' \Delta_{0,\Gamma''}(i)}\Big) \\
&= \Big(g_2^{\sum_{j \in \Gamma'} \Delta_{j,\Gamma''}(i)\, t_j}\, \big(g_2^{q(0)}\big)^{\Delta_{0,\Gamma''}(i)} (h_0 h_i)^{r_i' \Delta_{0,\Gamma''}(i)},\; g^{r_i' \Delta_{0,\Gamma''}(i)},\; h_1^{r_i' \Delta_{0,\Gamma''}(i)}, \ldots, h_{i-1}^{r_i' \Delta_{0,\Gamma''}(i)}, h_{i+1}^{r_i' \Delta_{0,\Gamma''}(i)}, \ldots, h_q^{r_i' \Delta_{0,\Gamma''}(i)}\Big)
\end{aligned}$$

Note: The most important part is to simulate $sk_i$ although it contains terms of the form $g^{\alpha^{q+1}}$, which is unknown to $\mathcal{B}$. By dividing the attributes into the three sets $\Gamma$, $\Gamma'$, $\Gamma''$, all of these $g^{\alpha^{q+1}}$ terms can be canceled out. For $i \in \Gamma'$, the term $g^{\alpha^{q+1}}$ is canceled by $(h_0 h_i)^{-\alpha^i}$; for $i \notin \Gamma'$, the term
is canceled by combining $g_2^{q(0)}$ with a power of $h_i$. As $g^{\alpha^i}$ for $i \in \{1, \ldots, q, q+2, \ldots, 2q\}$ (that is, $g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^q}, g^{\alpha^{q+2}}, \ldots, g^{\alpha^{2q}}$) is known to $\mathcal{B}$, $\mathcal{B}$ does not need to know $g^{\alpha^{q+1}}$ for the above calculation; therefore the simulator can produce the private key for each attribute $i \in \omega$. Furthermore, the distribution of the private key is identical to that of the original scheme.

2) Decryption Queries: Adversary $\mathcal{A}$ submits a ciphertext $CT = (r, C_0, C_1, C_2, C_3)$ encrypted under a threshold access structure $(t, S)$. Challenger $\mathcal{B}$ first computes $c = H(t, S, C_0, C_1, C_2)$ and checks whether the ciphertext is consistent:

$$e(g, C_2) = e\Big(C_1,\; h_0 \prod_{j \in S \cup D} h_j\Big), \qquad e(g, C_3) = e\big(C_1,\; \mu_1^{c}\,\mu_2^{r}\,\mu_3\big)$$

If one of the two equations does not hold, $\mathcal{B}$ aborts the decryption and returns $\bot$. Otherwise, $\mathcal{B}$ checks whether $c + r d_2 + d_3 = 0$ holds (note that this happens with probability at most $1/p$). If so, the challenger aborts and outputs random information; otherwise it outputs

$$M = C_0 \cdot e\Big(C_3\, C_1^{-(c e_1 + r e_2 + e_3)},\; g_1^{1/(c + r d_2 + d_3)}\Big)^{-1}.$$

Challenge: Adversary $\mathcal{A}$ submits two challenge messages $M_0$ and $M_1$ of equal length to the challenger $\mathcal{B}$. $\mathcal{B}$ flips a fair binary coin $\beta \in \{0, 1\}$ and returns an encryption of $M_\beta$ to $\mathcal{A}$. The ciphertext $CT^* = (r^*, C_0^*, C_1^*, C_2^*, C_3^*)$ is output as follows:

$$C_0^* = M_\beta \cdot T \cdot e(h, g_2)^{x'}, \quad C_1^* = h, \quad C_2^* = h^{r_0}, \quad C_3^* = h^{c^* e_1 + r^* e_2 + e_3}, \quad r^* = -(c^* + d_3)/d_2,$$

where $c^* = H(C_0^*, C_1^*, C_2^*, t^*, S^*)$. Write $\nu = 0$ for the case $T = e(g, h)^{\alpha^{q+1}}$ and $\nu = 1$ for the case that $T$ is random. If $\nu = 0$, the challenge ciphertext is a valid encryption of $M_\beta$. If $\nu = 1$, the adversary sees a challenge ciphertext that is irrelevant to $M_\beta$.

Phase 2: $\mathcal{A}$ continues to make private key and decryption queries, and $\mathcal{B}$ responds as in Phase 1.

Guess: Adversary $\mathcal{A}$ eventually outputs a guess $\beta'$ of $\beta$. If $\beta = \beta'$, the challenger outputs $\nu' = 0$ to guess that $T = e(g, h)^{\alpha^{q+1}}$; otherwise, the challenger outputs $\nu' = 1$ to indicate that it believes $T$ is a random element of $\mathbb{G}_T$.

If $\nu = 1$, i.e., $T$ is a random element of $\mathbb{G}_T$, the adversary gains no information about $\beta$. Therefore $\Pr[\beta' \ne \beta \mid \nu = 1] = \Pr[\beta' = \beta \mid \nu = 1] = \tfrac{1}{2}$. If $\nu = 0$, $\mathcal{A}$ obtains a ciphertext of $M_\beta$, and the advantage of the adversary is at least $\varepsilon$. The probability that $\mathcal{B}$ aborts during the simulation is at most $q_D/p$. Therefore $\Pr[\beta' = \beta \mid \nu = 0] \ge \tfrac{1}{2} + \varepsilon - q_D/p$.

The overall advantage of the challenger in the game is

$$\tfrac{1}{2}\Pr[\beta' = \beta \mid \nu = 0] + \tfrac{1}{2}\Pr[\beta' \ne \beta \mid \nu = 1] - \tfrac{1}{2} \;\ge\; (\varepsilon - q_D/p)/2 = \varepsilon'.$$

This completes the proof.

6. PERFORMANCE ANALYSIS

In this section, we analyze the performance of the proposed scheme in terms of computation cost and memory requirement, and compare it with other schemes.

6.1 The Computation Complexity of Operations

Since bilinear pairing and exponentiation are the main operations in the algorithms, we discuss the computation cost of these two parts. Let $P$ and $E$ denote one pairing computation and one exponentiation computation, respectively.

System Setup: When the system is set up, the root authority selects a bilinear group and some random numbers. Generating $PK$ and $MK_0$ takes one pairing and one exponentiation operation. The computation is $P + E$ and the computation complexity is $O(1)$.

Top-Level Domain Authority Grant: When an $sk_i$ is generated by the root authority, there are $2N+1$ exponentiation operations. Altogether there are $|\omega|(2N+1)$ exponentiation operations when $SK_{DA} = \{sk_i\}_{i \in \omega}$ is generated. The computation is $|\omega|(2N+1)\,E$ and the computation complexity is $O(|\omega|(2N+1))$.

Domain Authority Grant / New User: The major computation of this operation is the re-randomization of secret keys. There are $2N$ exponentiation operations when an $sk_i$ is generated. Therefore, there are altogether $|\omega| \cdot 2N$ exponentiation operations when $SK_{DA}$ or $SK_u = \{sk_i\}_{i \in \omega}$ is generated. The computation is $|\omega| \cdot 2N \cdot E$ and the computation complexity is $O(|\omega| N)$.

New File Creation: The major computation of this operation is file encryption using the symmetric key $DEK$ and $DEK$ encryption using the CP-ABE algorithm. The computation complexity of the former depends on the size of the data file and the underlying symmetric encryption algorithm. The latter carries out six exponentiation operations, so the computation is $6E$ and the computation complexity is $O(1)$.

File Access: The major computation of this operation is the decryption of the ciphertext. A user first obtains $DEK$ with the Decrypt algorithm and then decrypts the data file using $DEK$. We focus on the computation complexity of the Decrypt algorithm. The cost of decrypting a ciphertext varies depending on the decrypting key. The algorithm consists of six bilinear pairing operations and two exponentiation operations for each attribute $i$ of the private key (where $i \in \Gamma' \subseteq \omega$) used to satisfy the threshold access structure. Thus the computation complexity varies depending on the access structure and the attributes of the user. It should be noted that the decryption operation is performed locally by the user, so the computation does not affect the efficiency of the access control system.
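The threshold arithmetic that Decrypt Step 2 performs in the exponent (the Lagrange coefficients $\Delta_{i,\Gamma'}(0)$ over $t$ matching attributes plus the $N-t$ dummy attributes) and that the simulator uses in case (2) of the private key queries, as an added Go example; it is not the authors' PBC-based implementation. It carries the interpolation out on plain field elements modulo a constructed demo prime, so the shape of the decryption set and the threshold check can be seen without a pairing library. The function names, the modulus, the fixed polynomial coefficients and the sample attribute sets are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Constructed demo modulus; the scheme works modulo the bilinear group's prime order p.
var p = big.NewInt(1000000007)

// polyEval returns q(x) mod p for q given by its coefficients (Horner's rule).
func polyEval(coeffs []*big.Int, x int64) *big.Int {
	acc := new(big.Int)
	bx := big.NewInt(x)
	for i := len(coeffs) - 1; i >= 0; i-- {
		acc.Mul(acc, bx)
		acc.Add(acc, coeffs[i])
		acc.Mod(acc, p)
	}
	return acc
}

// lagrangeAtZero returns Δ_{i,S}(0) = ∏_{j∈S, j≠i} (0-j)/(i-j) mod p.
func lagrangeAtZero(i int64, S []int64) (*big.Int, error) {
	num, den := big.NewInt(1), big.NewInt(1)
	for _, j := range S {
		if j == i {
			continue
		}
		num.Mul(num, big.NewInt(-j)).Mod(num, p)
		den.Mul(den, big.NewInt(i-j)).Mod(den, p)
	}
	inv := new(big.Int).ModInverse(den, p)
	if inv == nil {
		return nil, errors.New("denominator not invertible: repeated index in S")
	}
	return num.Mul(num, inv).Mod(num, p), nil
}

// decryptionSet picks t attributes the user shares with the policy set S and pads
// them with the N-t dummy attributes {N+1, ..., 2N-t}: N points for degree N-1.
func decryptionSet(userAttrs, policyAttrs []int64, t, N int) ([]int64, error) {
	inPolicy := make(map[int64]bool, len(policyAttrs))
	for _, a := range policyAttrs {
		inPolicy[a] = true
	}
	var set []int64
	for _, a := range userAttrs {
		if inPolicy[a] && len(set) < t {
			set = append(set, a)
			inPolicy[a] = false // each attribute contributes one share
		}
	}
	if len(set) < t {
		return nil, fmt.Errorf("threshold not met: %d matching attributes, need %d", len(set), t)
	}
	for d := int64(N + 1); d <= int64(2*N-t); d++ {
		set = append(set, d)
	}
	return set, nil
}

// reconstruct returns Σ_{i∈set} Δ_{i,set}(0)·q(i) mod p, i.e. q(0) given deg(q)+1 points.
func reconstruct(shares map[int64]*big.Int, set []int64) (*big.Int, error) {
	sum := new(big.Int)
	for _, i := range set {
		share, ok := shares[i]
		if !ok {
			return nil, fmt.Errorf("no share for attribute %d", i)
		}
		coeff, err := lagrangeAtZero(i, set)
		if err != nil {
			return nil, err
		}
		sum.Add(sum, new(big.Int).Mul(coeff, share)).Mod(sum, p)
	}
	return sum, nil
}

// ThresholdDecryptDemo builds a degree-(N-1) polynomial with q(0) = secret, issues a
// share q(i) for every real and dummy attribute 1..2N-1, and recovers q(0) from the
// user's attributes against the policy (t, policyAttrs).
func ThresholdDecryptDemo(N, t int, userAttrs, policyAttrs []int64, secret int64) (*big.Int, error) {
	coeffs := make([]*big.Int, N)
	coeffs[0] = big.NewInt(secret)
	for k := 1; k < N; k++ {
		coeffs[k] = big.NewInt(int64(7*k + 3)) // fixed constructed coefficients
	}
	shares := make(map[int64]*big.Int, 2*N-1)
	for i := int64(1); i <= int64(2*N-1); i++ {
		shares[i] = polyEval(coeffs, i)
	}
	set, err := decryptionSet(userAttrs, policyAttrs, t, N)
	if err != nil {
		return nil, err
	}
	return reconstruct(shares, set)
}
```

Calling `ThresholdDecryptDemo(4, 2, []int64{1, 3}, []int64{1, 2, 3}, 123456)` returns 123456: the two matching real attributes together with dummies 5 and 6 supply the four points a degree-3 polynomial needs. With a single matching attribute the call fails at the threshold check, which mirrors a user whose attributes do not satisfy $(t, S)$; the coefficient $\Delta_{i,\Gamma'}(0)$ computed per attribute is the exponent that each attribute's two exponentiations in the File Access cost above raise to.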
File Deletion: When the data owner sends a file deletion request to the cloud server, the cloud only needs to verify the requester's identity. If the entity is the data owner, the file is deleted by the cloud; otherwise, the request is refused. The computation complexity is therefore $O(1)$.

Table 1 provides a comparison of the computation complexity of operations in our scheme and others. Let $N$ be the number of real attributes, $\omega$ the attribute set of a new member (that is, a domain authority or a user), and $M$ the number of attribute subsets of a user; the remaining columns refer to the set of translating nodes [30], the attribute set $S$ of the access structure, and the attribute set of the file. In [32], $L$ denotes the number of rows of the attribute matrix, $S$ the number of attribute vectors associated with a user of depth $k$, and $l$ and $n$ the number of rows and columns of the share-generating matrix, respectively. $P$ is the number of conjunctive clauses in an access structure and $m$ is the total number of attributes of the DNF access control policy [29]. Compared with the schemes in Table 1, our scheme has an advantage in the encryption computation and in the size of the ciphertext.

[Table 1. Comparison with other CP-ABE schemes with computation complexity and the length of ciphertexts]

6.2 Simulation and Analysis

1) Simulation Environment

This sub-section focuses on the simulation of our scheme based on the PBC [36] and GMP [37] libraries. The Pairing-Based Cryptography (PBC) Library, developed by the security laboratory of Stanford University, is an open source library written in C for Linux or Windows environments. The simulation configuration is Windows with a 2.00 GHz CPU (2 cores), 2 GB of memory, and PBC-0.5.12. The elliptic curve is $y^2 = x^3 + x$, $r$ is 160 bits and $q$ is 512 bits. In other words, the size of the master key is 160 bits, and a member of group $\mathbb{G}$ or $\mathbb{G}_T$ is 1024 bits. The plaintext $M$ is mapped to a random point in $\mathbb{G}_T$ of 1024 bits. We analyse the experimental data and report the results below.

2) The Analysis of Key Length

In this part, we discuss the relationship between the number of attributes and the length of the public and secret key. In the algorithm Setup, the public key is $PK = (g, g_2, Z, h_0, h_1, \ldots, h_{2N-1}, \mu_1, \mu_2, \mu_3, H)$, where only the number of $h_i$ is variable. Thus, the length of $PK$ grows linearly with the number of attributes $N$ in the set $U$ (see Fig. 3).

[Figure 3. The relationship between number of attributes and the length of the public key. Axes: Numbers of Attributes in U (5 to 50); Size of Public Key File (KB) (0 to 35).]

In the algorithm $\mathrm{CreateDA}(MK_0, PK, \omega)$, each attribute $i$ of the secret key satisfies $i \in \omega$, where $\omega$ is formed from $\Gamma'$ together with the dummy attributes, and the secret key is

$$sk_i = \big(g_2^{q(i)} (h_0 h_i)^{r_i},\; g^{r_i},\; h_1^{r_i}, \ldots, h_{i-1}^{r_i}, h_{i+1}^{r_i}, \ldots, h_{2N-1}^{r_i}\big) = \big(a_i, b_i, c_{i,1}, \ldots, c_{i,i-1}, c_{i,i+1}, \ldots, c_{i,2N-1}\big).$$

If we assume there are $a$ attributes in the attribute set $\Gamma'$ and $N$ attributes in the set $U$, the structure of the secret key is a $2N \times (a + N - 1)$ matrix. Thus, there are $2N^2 + 2N(a - 1)$ elements in the secret key. We assume the number of system attributes $N$ is fixed, for example at eight. The length of the secret key then grows linearly with $a$, where $a \le N$, as shown in Fig. 4. If instead we fix the number of attributes of the secret key (for example, $a = 3$), the length of the secret key grows quadratically with the number of attributes $N$, as shown in Fig. 5.

[Figure 4. The relationship between number of attributes of the secret key and the length of the private key. Axes: Numbers of Attributes in Secret Key (5 to 50); Size of Secret Key File (KB) (1500 to 3000).]

3) The Analysis of Ciphertext Length

As mentioned previously, the ciphertext stored in the cloud server is made of the file's ID, the ciphertext of $DEK$ and the ciphertext of data. We mainly consider the size of
the ciphertext of $DEK$. Let $|\mathbb{G}|$, $|\mathbb{G}_T|$ and $|p|$ be the length of an element of $\mathbb{G}$, $\mathbb{G}_T$ and $\mathbb{Z}_p$ respectively; the size of the ciphertext is then the constant value $3|\mathbb{G}| + |\mathbb{G}_T| + |p|$.

In the algorithm $\mathrm{Encrypt}(PK, M, t, S)$, the ciphertext is $CT = (r, C_0, C_1, C_2, C_3)$, where each $C_i$ ($i = 0, 1, 2, 3$) is an element of the group $\mathbb{G}$ or $\mathbb{G}_T$ and $r \in \mathbb{Z}_p$. This means that the ciphertext $CT$ is a set of five elements. In addition, the encryption algorithm depends only on the public key. Therefore, regardless of changes to the number of attributes $N$, the length of the ciphertext is constant, as Fig. 6 shows. Table 1 demonstrates that the size of the ciphertext depends linearly on the number of attributes in the other schemes. Compared with those schemes, our scheme is more efficient.

[Figure 5. The relationship between number of attributes in U and the length of the private key. Axes: Numbers of Attributes in U (5 to 50); Size of Secret Key File (KB) (0 to 2000).]

[Figure 6. The relationship between number of attributes in U and the length of ciphertext. Axes: Numbers of Attributes in U (5 to 50); Size of Ciphertext File (KB) (0.7 to 1.6).]

6.3 Application Scenario Analysis

This subsection presents an example to illustrate how to use the proposed scheme in a cloud environment. The simulation configuration is Win7 x64 with an Intel Core i5-2450M CPU (4 cores) at 2.50 GHz and 4 GB of memory. The cloud environment is built with VMware Workstation and Hadoop-1.0.4.

Fig. 7 shows a distributed cloud environment which consists of three nodes: Ubuntu1, Ubuntu2 and Ubuntu3. Hadoop is installed on all nodes. Ubuntu1 is the master node, while Ubuntu2 and Ubuntu3 are slave nodes. The user nodes are Ubuntu_testD and Ubuntu_testU, the data owner and the user respectively. All nodes are assigned different IP addresses. We assume that every party of our system model stores its private information about encryption and decryption independently on HDFS and cannot access the information of another party unless authorized.

According to Fig. 1 and the proposed scheme, Ubuntu1 acts as the root authority, with Ubuntu2 and Ubuntu3 acting as the domain authorities. The procedure consists of the following steps:

Step 1: As the root authority, Ubuntu1 generates the user attribute set $\omega$, the public key $PK$ and the secret key of the domain authority $SK_{DA}$ in accordance with the system attribute set $U$. Ubuntu1 then sends the quadruple $(U, \omega, PK, SK_{DA})$ to HDFS (Hadoop Distributed File System), denoted by ① in Fig. 7.

Step 2: Ubuntu2 and Ubuntu3 play the role of domain authority. They get $(U, \omega, PK, SK_{DA})$ from HDFS and generate the secret key of users $SK_u$, shown by ② in Fig. 7.

Step 3: Ubuntu2 sends the system attribute set $U$, the user attribute set $\omega$, the public key $PK$ and the secret key of the user $SK_u$ to users via a secure transmission channel, for example SSL, shown by ③ in Fig. 7. Moreover, Ubuntu_testD acts as a data owner. It first encrypts its original data file using a symmetric data encryption key $DEK$. Then it runs the algorithm $\mathrm{Encrypt}(PK, M, t, S)$ to encrypt $DEK$ and creates an encrypted file $CT$, which implies the access structure of $DEK$. Finally Ubuntu_testD structures a file whose format is shown in Fig. 2, and sends the file to the node Ubuntu2 in the cloud environment, shown by ⑤ in Fig. 7. Ubuntu2 saves the file in HDFS, shown by ④ in Fig. 7.

Step 4: When a user Ubuntu_testU requests access to files stored in the cloud, Ubuntu2 downloads the file (its format is shown in Fig. 2) from HDFS, shown as ② in Fig. 7, and sends the file to Ubuntu_testU, shown as ⑥ in Fig. 7. Ubuntu_testU extracts $CT$ from the file and runs $\mathrm{Decrypt}(t, S, PK, SK_u, CT)$ to try to decrypt $CT$. If the set of user attributes does not satisfy the access structure $(t, S)$, the user cannot decrypt $CT$ or recover the original data file. Otherwise, the user can use the secret key $SK_u$ to decrypt $CT$ and obtain $DEK$. Ubuntu_testU then extracts the ciphertext of the data file from the downloaded file and decrypts it using $DEK$ to obtain the original data file.
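The stored-file layout and the owner and user steps of the scenario above, as an added Go example that is not the authors' Hadoop simulation code. It builds the record of Fig. 2 (file ID, ciphertext of $DEK$, ciphertext of data), encrypts the data under $DEK$ with AES-256-GCM, and binds each ciphertext to the file ID through the associated data so the fields of two records cannot be swapped. Because no pairing library is assumed, the CP-ABE Encrypt and Decrypt of $DEK$ under $(t, S)$ is stood in for by a symmetric wrap under a per-policy key: a user who satisfies the policy is modelled as holding that key. The record format, the function names and the demo keys are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)

// Record mirrors the stored file of Fig. 2 (file ID, ciphertext of DEK, data
// ciphertext); the length-prefixed layout is constructed, not the paper's.
type Record struct {
	FileID, CTDek, CTData []byte
}

// Marshal writes each field as a 4-byte big-endian length followed by its bytes.
func (r *Record) Marshal() []byte {
	var out []byte
	for _, f := range [][]byte{r.FileID, r.CTDek, r.CTData} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(append(out, l[:]...), f...)
	}
	return out
}

// Unmarshal rejects truncated or over-long input rather than guessing at it.
func Unmarshal(b []byte) (*Record, error) {
	var fields [3][]byte
	for k := range fields {
		if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b[:4])) {
			return nil, errors.New("record truncated")
		}
		n := binary.BigEndian.Uint32(b[:4])
		fields[k], b = b[4:4+n], b[4+n:]
	}
	if len(b) != 0 {
		return nil, errors.New("trailing bytes after record")
	}
	return &Record{fields[0], fields[1], fields[2]}, nil
}

// mustRandom returns n bytes from crypto/rand; a failing CSPRNG is fatal here.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM for key; every key here is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// seal prefixes a fresh nonce to the GCM output; aad binds the ciphertext to the file ID.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CreateFile is the owner side of Step 3: fresh DEK, data under DEK, DEK wrapped.
// policyKey stands in for CP-ABE Encrypt of DEK under (t, S).
func CreateFile(fileID, data, policyKey []byte) []byte {
	dek := mustRandom(32)
	ctData := seal(dek, data, fileID)
	ctDek := seal(policyKey, dek, fileID)
	return (&Record{fileID, ctDek, ctData}).Marshal()
}

// AccessFile is the user side of Step 4: parse, recover DEK, then decrypt the data.
func AccessFile(stored, policyKey []byte) ([]byte, error) {
	rec, err := Unmarshal(stored)
	if err != nil {
		return nil, err
	}
	dek, err := open(policyKey, rec.CTDek, rec.FileID) // the ⊥ case for an unauthorised user
	if err != nil {
		return nil, errors.New("cannot recover DEK: attributes do not satisfy the policy")
	}
	return open(dek, rec.CTData, rec.FileID)
}
```

`AccessFile` keeps the order of Step 4: parse, recover $DEK$, then decrypt the data. A caller with the wrong policy key, a truncated record or a modified data ciphertext gets an error rather than garbage, which is the same reject-before-decrypt behaviour that the consistency checks of Decrypt Step 1 give the $DEK$ ciphertext.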
[Figure 7. The system simulation based on the Hadoop distributed cloud environment]

7. CONCLUSION

Secure sharing of data plays an important role in cloud computing. Attribute-based access control can realize data confidentiality in an untrusted server-side environment, fine-grained access control and large-scale dynamic authorization, which are difficult problems for traditional access control. This paper proposes a hierarchical attribute authority structure for cloud computing which reduces the burden and disperses the risk of a single authority. The proposed scheme adopts CP-ABE with constant-size ciphertext, which solves the problem of the ciphertext size depending linearly on the number of attributes. Our scheme keeps the size of the ciphertext and the computation of encryption and decryption at a constant value, and therefore improves the efficiency of the system. We have performed numerical simulations and the test results agree with the theoretical analysis. In addition, we prove the scheme is CCA2 secure under the decisional q-Bilinear Diffie-Hellman Exponent assumption. Finally, we also demonstrate an application model in a Hadoop distributed cloud environment, which shows that our scheme has good adaptability and scalability in cloud computing. In further research, we intend to focus on making the CP-ABE algorithm simpler and more efficient, along with making it even more suitable for access control in a cloud environment.

ACKNOWLEDGMENT

This research is supported by the National Basic Research Program (973 Program) of China under grant No. 2011CB302903, the National Natural Science Foundation of China under grant Nos. 61272084 and 61202004, the Specialized Research Fund for the Doctoral Program of Higher Education under grant Nos. 20113223110003 and 20093223120001, the Key Project of Natural Science Research of Jiangsu University under grant No. 11KJA520002, and the Chinese Post-doctoral Foundation under grant No. 2011M500095.

REFERENCES

[1] Amazon Elastic Compute Cloud (Amazon EC2). http://aws.amazon.com/ec2/
[2] Amazon Web Service (AWS). http://s3.amazonaws.com/
[3] Google App Engine (GAE). http://code.google.com/appengine/
[4] Microsoft Azure. http://www.windowsazure.com
[5] R.W. Conway, W.L. Maxwell and H.L. Morgan, "On the implementation of security measures in information systems," Communications of the ACM, vol. 15, no. 4, pp. 211-220, Apr. 1972.
[6] D.E. Denning, "A Lattice Model of Secure Information Flow," Communications of the ACM, vol. 19, no. 5, pp. 236-243, May 1976.
[7] D.E. Bell and L.J. LaPadula, "Secure Computer System: Unified Exposition and Multics Interpretation," Technical Report TR-A885320, The MITRE Corp., Bedford, MA, Mar. 1976.
[8] K.J. Biba, "Integrity Considerations for Secure Computer Systems," Technical Report TR-A423930, The MITRE Corp., Bedford, MA, Apr. 1977.
[9] R. Sandhu, E.J. Coyne and H.L. Feinstein, "Role-based access control models," IEEE Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
[10] A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology: Conf. of CRYPTO 84, LNCS 196, pp. 47-53, 1984.
[11] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," Advances in Cryptology: 21st Annual International Cryptology Conf. (CRYPTO 2001), LNCS 2139, pp. 213-229, 2001.
[12] M. Green and G. Ateniese, "Identity-based proxy re-encryption," Applied Cryptography and Network Security: 5th International Conf. (ACNS 2007), LNCS 4521, pp. 288-306, 2007.
[13] H. Wang, Z. Cao and L. Wang, "Multi-use and unidirectional identity-based proxy re-encryption schemes," Information Sciences, vol. 180, no. 20, pp. 4042-4059, 2010.
[14] J. Shao and Z. Cao, "Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption," Information Sciences, vol. 206, pp. 83-95, 2012.
[15] J. Yu, R. Hao, F. Kong, X. Cheng, J. Fan and Y. Chen, "Forward-secure identity-based signature: security notions and construction," Information Sciences, vol. 181, no. 3, pp. 648-660, 2011.
[16] L. Chen, Z. Cheng and N.P. Smart, "Identity-based key agreement protocols from pairings," International Journal of Information Security, vol. 6, no. 4, pp. 213-241, July 2007.
[17] L. Zhang, Q. Wu, B. Qin and J. Domingo-Ferrer, "Provably secure one-round identity-based authenticated asymmetric group key agreement protocol," Information Sciences, vol. 181, no. 19, pp. 4318-4329, 2011.
[18] S. Liu, Y. Long and K. Chen, "Key updating technique in identity-based encryption," Information Sciences, vol. 181, no. 11, pp. 2436-2440, 2011.
[19] J. Horwitz and B. Lynn, "Toward hierarchical identity-based encryption," Advances in Cryptology: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2002), LNCS 2332, pp. 466-481, 2002.
[20] A. Sahai and B. Waters, "Fuzzy Identity-Based Encryption," EUROCRYPT '05: Proc. Advances in Cryptology, R. Cramer, ed., pp. 457-473, May 2005.
[21] V. Goyal, O. Pandey, A. Sahai and B. Waters, "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted
Data," Proc. ACM Conf. Computer and Comm. Security (CCS '06), A. Juels, R.N. Wright and S.D.C. di Vimercati, eds., pp. 89-98, Oct./Nov. 2006.
[22] J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-Policy attribute-based encryption," Proc. IEEE Symposium on Security and Privacy, pp. 321-334, May 2007.
[23] K. Emura, A. Miyaji, A. Nomura, K. Omote and M. Soshi, "A ciphertext-policy attribute-based encryption scheme with constant ciphertext length," Information Security Practice and Experience: 5th International Conf. (ISPEC 2009), LNCS 5451, pp. 13-23, 2009.
[24] V. Goyal, O. Pandey and A. Sahai, "Bounded ciphertext policy attribute-based encryption," Automata, Languages and Programming: 35th International Colloquium (ICALP 2008), LNCS 5126, pp. 579-591, 2008.
[25] L. Ibraimi, Q. Tang, P. Hartel and Q. Jonker, "Efficient and provable secure ciphertext-policy attribute-based encryption schemes," Information Security Practice and Experience: 5th International Conf. (ISPEC 2009), LNCS 5451, pp. 1-12, 2009.
[26] M. Chase, "Multi-Authority attribute based encryption," Lecture Notes in Computer Science, vol. 4392, pp. 515-534, 2007.
[27] S. Yu, C. Wang, K. Ren and W. Lou, "Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing," Proc. IEEE INFOCOM, pp. 1-9, 2010.
[28] S. Ruj, A. Nayak and I. Stojmenovic, "DACC: Distributed Access Control in Clouds," Proc. 10th Int'l Conf. Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE, pp. 91-98, Nov. 2011.
[29] G. Wang, Q. Liu, J. Wu and M. Guo, "Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers," Computers and Security, vol. 30, pp. 320-331, 2011.
[30] Z. Wan, J. Liu and R.H. Deng, "HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud Computing," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 743-754, Apr. 2012.
[31] R. Bobba, H. Khurana and M. Prabhakaran, "Attribute-sets: A practically motivated enhancement to attribute-based encryption," Computer Security: 14th European Symposium on Research in Computer Security (ESORICS 2009), LNCS 5789, pp. 587-604, 2009.
[32] H. Deng, Q. Wu, B. Qin, J. Domingo-Ferrer and L. Zhang, "Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts," Information Sciences, vol. 275, pp. 370-384, 2014.
[33] J. Herranz, F. Laguillaumie and C. Ràfols, "Constant Size Ciphertexts in Threshold Attribute-Based Encryption," Public Key Cryptography: 13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), LNCS 6056, pp. 19-34, 2010.
[34] A. Ge, R. Zhang and C. Chen, "Threshold Ciphertext Policy Attribute-Based Encryption with Constant Size Ciphertexts," Public Key Cryptography: 13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), LNCS 7372, pp. 336-349, 2012.
[35] D. Boneh, X. Boyen and E.-J. Goh, "Hierarchical Identity Based Encryption with Constant Size Ciphertext," EUROCRYPT '05: Proc. Advances in Cryptology, R. Cramer, ed., vol. 3494, pp. 440-456, 2005.
[36] The Pairing-Based Cryptography Library. http://crypto.stanford.edu/pbc/
[37] The GNU Multiple Precision Arithmetic Library. http://gmplib.org/

Wei Teng received the M.E. degree in computer science from Jiangsu University of Science & Technology, Zhenjiang, China, in 2004, where she is also a lecturer. She is working toward a Ph.D. degree at the College of Telecommunications & Information Engineering, Nanjing University of Post & Telecommunication, Nanjing, China. Her research interests include network security, cloud computing and access control.

Geng Yang received a Ph.D. degree in Computational Mathematics from Laval University in 1994, and was a post-doctoral research fellow at the Center for Research on Computation & its Applications at the University of Montreal, Canada, from 1994 to 1996. His research interests include network security, parallel & distributed computing, and mobile computing. Professor Yang is a member of the IEEE Computer Society and a Standing Member of the Chinese Computer Education Society.

Yang Xiang received the Ph.D. degree in computer science from Deakin University, Victoria, Australia, in 2007. He is currently with the School of Information Technology, Deakin University, Australia. His research interests include network and system security, and wireless systems. He has been a PC member for many international conferences such as IEEE ICC, IEEE GLOBECOM, SECRYPT, Malware, and IEEE ICPADS. He has served as a reviewer for many international journals such as IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Dependable and Secure Computing, IEEE Communications Letters, and IEEE Journal on Selected Areas in Communications. He is on the editorial board of the Journal of Network and Computer Applications.

Ting Zhang received the B.S. degree at the Nanjing University of Post & Telecommunication, Nanjing, China. She is working toward the M.E. degree at the same university. Her research interests include cloud computing and information security.

Dongyang Wang received the B.S. degree at the Nanjing University of Post & Telecommunication, Nanjing, China. He is working toward the M.E. degree at the same university. His research interests include information security, cloud computing and access control.