KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Ciphertext-Policy Attribute-Based Encryption with Hidden Access Policy and Testing

  • Li, Jiguo (College of Computer and Information, Hohai University) ;
  • Wang, Haiping (College of Computer and Information, Hohai University) ;
  • Zhang, Yichen (College of Computer and Information, Hohai University) ;
  • Shen, Jian (School of Computer and Software, Nanjing University of Information Science and Technology)
  • Received : 2016.01.26
  • Accepted : 2016.06.17
  • Published : 2016.07.31
Download PDF
⟨ Previous Next ⟩

Abstract

In ciphertext-policy attribute-based encryption (CP-ABE) scheme, a user's secret key is associated with a set of attributes, and the ciphertext is associated with an access policy. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the access policy specified in the ciphertext. In the present schemes, access policy is sent to the decryptor along with the ciphertext, which means that the privacy of the encryptor is revealed. In order to solve such problem, we propose a CP-ABE scheme with hidden access policy, which is able to preserve the privacy of the encryptor and decryptor. And what's more in the present schemes, the users need to do excessive calculation for decryption to check whether their attributes match the access policy specified in the ciphertext or not, which makes the users do useless computation if the attributes don't match the hidden access policy. In order to solve efficiency issue, our scheme adds a testing phase to avoid the unnecessary operation above before decryption. The computation cost for the testing phase is much less than the decryption computation so that the efficiency in our scheme is improved. Meanwhile, our new scheme is proved to be selectively secure against chosen-plaintext attack under DDH assumption.

Keywords

1. Introduction

To provide fine-grained access control over encrypted data, Sahai and Waters [1] introduced a novel public key primitive namely attribute-based encryption (ABE). The ABE mechanism enables public key-based one-to-many encryption. A lot of ABE schemes [2-12] have been presented. Goyal et al. [2] further clarified the concept of ABE. The ABE schemes are divided into two kinds. One is key-policy ABE (KP-ABE), where key is associated with access policy and ciphertext is associated with attribute set. The other is ciphertext-policy ABE (CP-ABE), which was first proposed by Bethencourt et al. [3]. This scheme [3] is proved secure under the generic group model. Cheung and Newport proposed a CP-ABE scheme [4] which was secure in the standard model. Goyal et al. [6] presented a bounded CP-ABE scheme with expressive access policy using access tree with threshold gates as its nodes. The scheme was proved to be secure under the DBDH assumption. Recently, Li et al. [13] proposed a flexible and fine-grained attribute-based data storage in cloud computing, which can withstand collusion attack performed by revoked users cooperating with existing users. To improve the computation cost, they outsource high computation load to cloud service providers without leaking data content and secret keys.

All the constructions mentioned above share one fatal defect that their access policies have to be shown in the ciphertexts because the decryptors need to do their decryption with them. To protect user’s privacy in an access policy, Kapadia et al. proposed a CP-ABE scheme with hidden ciphertext policies [14]. However, the scheme [14] cannot resist collusion attack. Later, Nishide et al. [15] presented two improved schemes with partially hidden ciphertext policies, which were proved secure under DBDH assumption and D-Linear assumption. Li et al. [16] presented an anonymous CP-ABE scheme which can prevent the problem of illegal key sharing among users. Müller and Katzenbeisser [17] provided a cryptographic access control with hidden access policy, which is selectively secure. Lai et al. [18,19] proposed a fully secure CP-ABE with partially hidden access policy. Qian et al. [20,21] presented a privacy-preserving decentralized ciphertext-policy attribute-based encryption with fully hidden access structure, which is applied in personal health record. Xhafa et al. [22] proposed a multi-authority anonymous ciphertext-policy ABE scheme with user accountability, which can be used to design an attribute-based PHR sharing system. Sabitha et al. [23] proposed a scheme which was able to ensure security, integrity, privacy of preserved fine-grained access control and prevent data mining attacks on shared data. However, all these extensional CP-ABE schemes realize the attribute matching detection only after decryption which is not practical due to large computation cost. As the amount of encrypted files stored in cloud are becoming very huge, which will hinder efficient query processing, keyword search and data auditing [24-27] have become an important and challenge issue in cloud storage. To solve above problem, Li et al. [28,29] presented two attribute-based encryption schemes with keyword search function for cloud storage. In order to protect privacy, Padhya et al. [30] presented a searchable CP-ABE scheme with hidden ciphertext policy. In order to prevent key abuse problem, Liu et al. [31] provided a blackbox traceable CP-ABE scheme. Ning et al. [32] proposed a white-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes.

1.1 Our Motivations and Contributions

In CP-ABE scheme, the user is able to decrypt the ciphertext only if the attributes defined in the secret key satisfy the access policy specified in the ciphertext. The access policy should be sent to the user along with the corresponding ciphertext. However, the access policy may contain some sensitive information. Some CP-ABE schemes with hidden access policy were presented to protect the privacy for users. However, in the present CP-ABE schemes with hidden access policy, the users need to do excessive calculation for decryption whether their attributes match the access policy specified in the ciphertext or not, which makes the users do useless computation if the attributes don’t match the hidden access policy. We present a CP-ABE scheme with hidden access policy and testing. Our scheme adds a test about whether the attribute lists matches the hidden attributes policy in ciphertexts or not before the decryption. The computation amount for the test is much less than the decryption. What’s more, many present CP-ABE with hidden access policy can only use simple access policy such as one to one, which means that the attribute list of the decryptor must be as the same as the access policy hidden in the ciphertexts. Our scheme is based on AND-gates on multi-valued attributes with wildcards. We prove the security of our scheme under CDH assumption and D-Linear assumption.

1.2 Organization

We organize the rest of the paper as follows. In section 2, we review some preliminary knowledges used in our paper. In Section 3, we present a new CP-ABE scheme with hidden access policy and testing. We prove the security of our scheme in Section 4. In Section 5, we give some efficiency comparison with the existing schemes. Finally, we conclude the paper in Section 6.

 

2. Preliminaries

2.1 Bilinear maps

Let G and GT be multiplicative cyclic groups of prime order p . g is a generator of G . Let e :G × G →GT be a bilinear map. The bilinear map satisfies following properties:

(1) Bilinearity: For all u,v∈G , and , a,b∈Zp which is selected randomly, we have e(ua,vb) = e(u,v)ab.

(2) Non-degeneracy: There exists u,v∈G such that e(u,v) ≠1.

(3) Computability: For all u,v∈G , there is an efficient algorithm to compute e(u,v) .

2.2 Complexity assumption

We state the complexity assumption below to be used in the paper.

Difinition 1 (The Decisional Diffie-Hellman Assumption[33]). Let z1,z2∈R, Z*p, Z∈G be chosen at random and g ∈ G be a generator. The DDH assumption is that no probabilistic polynomial-time algorithm can distinguish the tuple [g, gz1, gz2, gz1z2] from the tuple [g, gz1, gz2, Z] with non-negligible advantage.

2.3 Access policy

In our context, the user’s authority is expressed by the attributes. We use AND-gates on multi-valued attributes with wildcards as follows:

Definition 2 (Access policy[34]). Let U = {att1,...,attn} be a set of attributes. For atti∈U, Si = {vi,1,vi,2,...,vi,ni} is a set of possible values, where ni is the number of possible values for atti. L = [L1,L2,...,Ln] is an attribute list where Li = vi,ti ∈Si and ti ∈ {1,2,...,ni} for a user. W = [W1,W2,...,Wn] is an access policy where Wi ⊂ Si. The notation that an attribute list L satisfies an access policy W means that Li ∈ Wi (∀i = 1,2,...,n). Wi = Si means wildcard that plays the role of “don’t care” value.

2.4 Definition of CP-ABE with Hidden Access Policy

There are three entities: a trusted authority (TA), an encryptor and a decryptor in CP-ABE scheme with hidden access policy. TA is responsible for the issue of attribute associated with private key of decryptors. The encryptor appoints the access policy that controls which ciphertexts a decryptor is able to decrypt. In order to represent simply, we use a function F with two inputs to describe whether the attribute list L satisfies access policy W . F(L,W) = 1 means that the attribute list L satisfies access policy W and F(L,W) = 0 means the opposite.

Our CP-ABE scheme with hidden access policy and testing consists of four algorithms based on [14], namely, Setup , KeyGen , Encryption , and Decryption , which are defined as follows:

2.5 Security Model

The goals of an adversary A in an CP-ABE system with hidden access policy include extracting information of a plaintext from the ciphertext and distinguishing hidden access policy in ciphertexts. We call it IND-sCP-CPA. So the security model is described as a security game between a challenger S and an adversary A based on [30]. The game proceeds as follows:

Initial . The adversary A commits to the challenge ciphertext policies . The challenger S chooses a sufficiently large security parameter 1λ , and runs Setup(1λ) algorithm to get a master secret key MSK and public key PK . The challenger S reserves MSK and gives PK to A.

Phase 1 . A submits the attribute list L for a KeyGen query. If , the challenger S gives the adversary the secret key skL.

Challenge. A submits two equal length messages to the challenger on which it wishes to challenge with respect to . The challenger S flips a random coin b∈{0,1} and passes the ciphertext to A.

Phase 2 . A continues to issue queries as Phase 1 , with the same restriction that

Guess . Finally, A outputs a guess b'∈{0,1} of b .

The advantage of an adversary in this game is defined as .

Definition 3. A hidden access policy CP-ABE scheme is secure against selectively chosen-plaintext attack if all polynomial time adversaries have at most a negligible advantage in the above game.

 

3. Construction for CP-ABE Scheme with Hidden Access Policy and Testing

In this section, we present the concrete CP-ABE scheme with hidden access policy and testing. Let U = {att1,...,attn} be a set of attributes. For atti ∈ U, Si = {vi,1,vi,2,...,vi,ni} is a set of possible values, where ni is the number of possible values for atti. L = [L1,L2,...,Ln] is an attribute list for a user, where Li ∈ Si. W = [W1,W2,...,Wn] is an access policy, where Wi ⊂ Si.

Setup(1λ) : The algorithm takes as input a security parameter 1λ . TA obtains a bilinear group (p,G,GT,e), where G and GT are multiplicative cyclic groups of prime order p and e : G × G → GT is the bilinear map. TA chooses α,β ∈R ZP and ai,t ∈R ZP (i ∈ [1,n], t ∈[1,ni]). TA computes Y = e(g,g)α, X = gβ andTi,t = gai,t (i ∈[1,n],t ∈[1,ni]). PK=(e,G,GT,g,Y,X,{Ti,t}i∈[1,n],t∈[1,ni]) are published as the public parameters. The master secret key is MSK = (α, β, {αi,t} i∈[1,n],t∈[1,ni]).

KeyGen(MSK,PK, L) : The key generation algorithm takes as input the master secret key MSK , public key PK , and a set of attributes L = [L1,L2,...,Ln]. The algorithm performs as follows:

TA chooses u,r* ∈R Zp and λi ∈R Zp for the user, where 1 ≤ i ≤ n. TA computes D0=gα+βu, Di,1=gu+ai,tλi, Di,2=Xλi where Li=vi,t for decryption. Furthermore, TA computes where Li=vi,t, is used to test whether the user’s attribute list L satisfies the access policy W . The secret key is delivered to the user.

Encrypt(PK,M,W) : The encryption algorithm takes as input the public parameters PK , a message M ∈ GT and access policy W=[W1,W2,...,Wn]. The encryptor randomly chooses s, s* ∈ Zp, and computes . The encryptor picks up random values si ∈ Zp such that and computes Ci,1=Xsi, where 1≤i≤n. If vi,t ∈ Wi, the encryptor computes else are random elements in G. is the ciphertext for M with respect to W .

Decrypt(PK, CTW, skL) : Taking public key PK, ciphertext CTW, and secret key skL as input, the decryptor proceeds as follows:

Testing Phase: The user checks whether F(L,W)=1. F(L,W)=1 if and only if =1 holds, where Li=vi,t. If F(L,W)=0, it returns ⊥ and terminates. If F(L,W)=1, it enters into the Decryption Phase .

Decryption Phase: The user decrypts the ciphertext to get M by the following eqution.

If a user’s attribute list L satisfies the access policy W , the correctness of the proposed scheme can be verified as follows:

On the base of that, the user can decrypt the ciphertext:

 

4. Security Proof

Our CP-ABE scheme with hidden access policy is proved selectively secure under the assumption. As for selectively secure, the adversary should commit to the challenge access policies at the beginning of the game.

A sequence of hybrid games are used to argue that the adversary cannot win the security game denoted by G with non-negligible probability. Firstly, the original game G is modified into a game G0, which is the same as G except how the challenge ciphertext is generated. In the game G0, the part of the challenge ciphtertext is randomly selected from GT regardless of the random coin b when the attribute list L satisfies that F(L,W0)=0∧F(L,W1)=0. The adversary can get the rest of the ciphertext normally. As for F(L,W0)=1∧F(L,W1)=1, G0 is the same as G that the challenge ciphertext in G0 is generated correctly. We use assumption to prove that game G and game G0 is indistinguishable.

Theorem 1. If there exists an adversary A that can distinguish game G and game G0 with the advantage ε, we can construct an algorithm B that can solve the DDH assumption with the advantage ε.

Proof: Given a DDH paradigm (g,gz1,gz2,Z), the simulator B creates the following simulation.

Init: The simulator B runs A. A gives B two challenge chiphertext policies . Then B flips a random coin b∈{0,1}.

Setup: B sets Y=e(g,g)α=e(g,gz1)=e(g,g)z1. This implies α=z1. B chooses β∈R Zp. For ∀1≤i≤n, B generates {Ti,t}1≤t≤ni such that Ti,t=gai,t, if vi,t∈Wb,i, Ti,t=gz1ai,t , if vi,t∉Wb,i with {ai,t∈R Zp}1≤t≤ni. B publishes public parameters PK=(e,G,GT,g,Y,{Ti,t}i∈[1,n],t∈[1,ni]) as in the real scheme.

Phase1: A submits an attribute list L=[L1, L2,..., Ln] in a secret key query. Considering , there must be j∈{1,...,n} such that Lj(vj,tj)∉Wb,j. B picks up u,r* ∈R Zp. For 1≤i≤n, λi ∈R Zp.

The component D0 of the secret key skL can be computed as D0=gα+βu=gz1+βu.

For i = j, B computes the components

For i ≠ j, B computes the components

Challenge: A submits messages to the challenger on which it wishes to challenge with respect to . B sets C0 = gz2 , and which implies s = z2. For ∀1≤i≤n,i≠j, B chooses si∈R Zp and for i = j, B computes

For i = j , the components of the ciphertext is computed as

For i ≠ j , the components of the ciphertext is computed as

Phase2: Phase 1 is repeated.

Guess: From the above considerations, the adversary can decide a guess b' of b when Z = e(g,g)z1z2, A is in game G. Else A only makes a random guess because A is in game G0 when Z is random. If b' = b, B outputs β = 1 and otherwise outputs β = 0. Therefore B can break the DDH problem with the probability ε.

Secondly, G0 is modified by changing how to generate the ciphertext components {Ci,1}i∈[1,n] and define a sequence of games as follows.

If vi,t is (vi,t ∈W0,i ∧ vi,t ∈ W1,i) or (vi,t ∉W0,i ∧ vi,t ∉ W1,i), the ciphertext component {Ci,1}i∈[1,n] is obtained as in the real scheme through the sequence of all the games. But for vi,t such that (vi,t ∈ W0,i ∧ vi,t ∉ W1,i) or (vi,t ∉ W0,i ∧ vi,t ∈ W1,i), the ciphertext component {Ci,1}i∈[1,n] which is obtained normally in the game Gl-1 is replaced by the random values in the new modified game Gl ignoring the random coin b. To be specific, we won’t make a new game by replacing the ciphertext component {Ci,1}i∈[1,n] until there is no vi,t such that (vi,t ∈ W0,i ∧ vi,t ∉ W1,i) or (vi,t ∉ W0,i ∧ vi,t ∈ W1,i). We use DDH assumption to prove that the game Gl and Gl-1 is indistinguishable.

Lastly, we can get the obvious conclusion that in the last game of the game sequence, the advantage of the adversary is 0 because the adversary is given a ciphertext chosen from the same access policy regardless of the random coin b.

Theorem 2. If there exists an adversary A that can distinguish game Gl-1 and game Gl with the advantage ε , we can construct an algorithm B that can solve the DDH assumption with the advantage ε .

Proof: Given a DDH paradigm [g, gz1, gz2, Z], where Z is either gz1z2 or random with equal probability, the simulator B creates the following simulation.

As mentioned above, the ciphertext components {Ci,1}i∈[1,n] is generated as in the real scheme in game Gl-1. But in game Gl, the components are random regardless of the random coin b .

Init: The simulator B runs A. A gives B two challenge chiphertext policies . Then B flips a random coin b ∈ {0,1}. When viI,tI ∈ W1,i ∧ viI,tI ∈ W0,i or viI,tI ∉ W1,i ∧ viI,tI ∉ W0,i, game Gl-1 is the same as game Gl according to the game definition. We can only need to consider the case when viI,tI ∈ W1,i ∧ viI,tI∉ W0,i or viI,tI ∉ W1,i ∧ viI,tI ∈ W0,i.

Setup: B sets Y = e(g, g)α and X = gβ = gz1, which implies β = z1. For ∀1 ≤ i ≤ n, B generates {Ti,t}1≤t≤ni such that Ti,t = gai,t, if vi,t ∈ Wb,i, Ti,t = gz1ai,t, if vi,t ∉ Wb,i with {ai,t ∈R Zp}1≤t≤ni. B publishes public parameters PK = (e, G, GT, g, Y, {Ti,t}i∈[1,n],t∈[1,ni]) as in the real scheme.

Phase1: A submits an attribute list L = [L1, L2,...,Ln] in a secret key query.

B chooses u,r* ∈R Zp and λi ∈R Zp for the user, where 1 ≤ i ≤ n. B computes the secret key components as follows Di,1 = gu+ai,tλi, Di,2 = Xλi = (gz1)λi where Li = vi,t for decryption. And then D0 = gα+βu = gα+z1u = (gz1)ugα, .

Challenge: A submits messages to the challenger on which it wishes to challenge with respect to . B sets C0 = gz2 which implies s = z2, and where s* ∈R Zp. For 1 ≤ i ≤ n, i ≠ I, si ∈R Zp. For i = I,

For i = l , the components [CI,1,CI,t,2] of the ciphertext is computed as

If Z = gz1z2, the components are well-formed and A is in game Gl-1. And if Z is random, A is in game Gl.

Phase2: Phase1 is repeated.

Guess: From the above considerations, the adversary can decide a guess b ' of b when Z = gz1z2, A is in game Gl-1. Else A only makes a random guess when Z is random, A is in game Gl. Therefore B can break the DDH problem with the probability ε.

 

5. Performance Comparison

In this section, we compare our work with previous works which are all CP-ABE schemes with hidden access policy to expound our scheme’s advantages. For convenience, PK , MSK , SK , CT are the shortened form for the size of the public key, the master secret key, the secret key, and the ciphertext length excluding the access policy respectively. What’s more, Enc. and Dec. are the shortened form for the computational time of encryption and decryption respectively. |G| , |GT| , |Zp| denote the bit-length of the elements belongs to G, GT, Zp. Let U = {att1,..., attn} be the attribute universe. n is the number of all attributes in universe. ni is the number of atti. expresses the total number of possible values of all attributes. Let the notation kG and kGT be k-times calculations over the group G and group GT , respectively. Ce means the time for one pairing.

Compared with the other schemes, our construction shows many merits (see Table 1- Table 4). Firstly, for the size of parameters, the size of the PK and MSK in our schem is the shortest ones, and the size of SK and CT of our scheme are relatively very short, so our scheme’s communication cost is small. Secondly, our sheme’s computation time of encryption is smaller than Müller’s [17], but the efficiency of decryption in our scheme is high. Thirdly, our scheme is selectively secure with testing phase which can avoid excessive computaions before decryption and improve the efficiency for the decryptor. On the whole, our scheme has relatively lower communication and computaion cost than exsiting CP-ABE schemes.

Table 1.Size of each value

Table 2.Computational Cost of Encryption and Decryption

Table 3.Security Properties of CP-ABE

Table 4.Expressiveness of Policy

As you can see from the tables above, the decryption cost of CP-ABE scheme with hidden access policy is always huge. If there is no testing, the decryptor may spend much time on pairing computaion because one pairing costs a lot of time. But in our scheme, we add a test before decryption. The decryptor then does decryption if she passes the testing. The time of one testing is 2Ce + 2nG, which reduce the time for pairing computaion to a large extent. And our scheme shows a little advantage especially for public key and computational time of decryption.

 

6. Conclusion

In this paper, we propose a new CP-ABE scheme with hidden access policy. We prove the scheme is selectively secure in standard model. Security in our scheme is reduced to DDH assumption. The access policy is based on AND-gates on multi-valued attributes with wildcards, which is very expressive. Moreover, we add a testing phase before decryption. The cost of one test is small so it is effective.

References

  1. A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Proc. of EUROCRYPT 2005, LNCS 3494, pp. 457-473, 2005. Article (CrossRef Link)
  2. V. Goyal, O. Pandey, A. Sahai and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM Conf. on Computer and Communications Security, pp. 89-98, 2006. Article (CrossRef Link)
  3. J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of IEEE Symposium on Security and Privacy, pp. 321-334, May 20-23, 2007. Article (CrossRef Link)
  4. L. Cheung and C. Newport, "Provably secure ciphertext policy ABE," in Proc. of the 14th ACM Conf. on Computer and Communications Security, pp. 456-465, 2007. Article (CrossRef Link)
  5. D. Boneh and B. Waters, "Conjunctive, subset, and range queries on encrypted data," Theory of Cryptography, LNCS 4392, pp. 535-554, 2007. Article (CrossRef Link)
  6. V. Goyal, A. Jain, O. Pandey and A. Sahai, "Bounded ciphertext policy attribute based encryption," Automata, Languages and Programming, LNCS 5126, pp. 579-591, 2008. Article (CrossRef Link)
  7. A. Lewko, T. Okamoto, K. Takashima and B. Water, "Fully secure functional encryption: attributed-based encryption and (hierarchical) inner product encryption," EUROCRYPT 2010, LNCS 6110, pp. 62-91, 2010. Article (CrossRef Link)
  8. T. Okamato and K. Takashima, "Fully secure function encryption with general relations from the decisional linear assumption," in Proc. of CRYPTO 2010, LNCS 6223, pp. 191-208, 2010. Article (CrossRef Link)
  9. R. Ostrovsky, A. Sahai and B. Waters, "Attribute-based encryption with non-monotonic access structures," in Proc. of the 14th ACM Conf. on Computer and Communications Security, pp. 195-203, 2007. Article (CrossRef Link)
  10. B. Waters, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization," PKC 2011, LNCS 6571, pp. 53-70, 2011. Article (CrossRef Link)
  11. S. Yamada, N. Attrapadung, G. Hanaoka and N. Kunihiro, "Generic constructions for chosen-ciphertext secure attribute based encryption," PKC 2011, LNCS 6571, pp. 71-89, 2011. Article (CrossRef Link)
  12. S. Yu, K. Ren and W. Lou, "Attribute-based content distribution with hidden policy," in Proc. of NPSEC 2008, pp. 39-44, October 19-19, 2008. Article (CrossRef Link)
  13. J. G. Li, W. Yao, Y. C. Zhang, H. L. Qian, and J. G. Han, "Flexible and fine-grained attribute-based data storage in cloud computing," IEEE Transactions on Services Computing, DOI: 10.1109/TSC.2016.2520932, 2016. Article (CrossRef Link)
  14. A. Kapadia, P. P. Tsang and S. W. Smith, "Attribute-based publishing with hidden credentials and hidden policies," in Proc. of NDSS 2007, vol. 7, pp. 179-192, 2007. Article (CrossRef Link)
  15. T. Nishide, K. Yoneyama and K. Ohata, "Attribute-based encryption with partially hidden encryptor-specified access structures," in Proc. of ACNS 2008, LNCS 5037, pp. 111-129, 2008. Article (CrossRef Link)
  16. J. Li, K. Ren, B. Zhu and Z. Wan, "Privacy-aware attribute-based encryption with user accountability," in Proc. of ISC 2009, LNCS 5735, pp. 347-362, 2009. Article (CrossRef Link)
  17. S. Müller and S. Katzenbeisser, "Hiding the policy in cryptographic access control," Security and Trust Management, LNCS 7170, pp. 90-105, 2012. Article (CrossRef Link)
  18. J. Lai, R. H. Deng, and Y. Li, "Expressive CP-ABE with partially hidden access structures," in Proc. of the 7th ACM Conf. on Information, Computer and Communications Security, pp. 18-19, 2012. Article (CrossRef Link)
  19. J. Lai, R. H. Deng and Y. Li, "Fully secure ciphertext-policy hiding CP-ABE," in Proc. of ISPEC 2011, LNCS 6672, pp. 24-39, 2011. Article (CrossRef Link)
  20. H. L. Qian, J. G. Li and Y. C. Zhang, "Privacy-preserving decentralized ciphertext-policy attribute-based encryption with fully hidden access structure," in Proc. of ICICS 2013, LNCS 8233, pp. 363-372, 2013. Article (CrossRef Link)
  21. H. L. Qian, J. G. Li, Y. C. Zhang and J. G. Han, “Privacy preserving personal health record using multi-authority attribute-based encryption with revocation,” International Journal of Information Security, vol. 14, no. 6, pp. 487-497, 2015. Article (CrossRef Link) https://doi.org/10.1007/s10207-014-0270-9
  22. F. Xhafa, J. Feng, Y. Zhang, X. Chen and J. Li, “Privacy-aware attribute-based PHR sharing with user accountability in cloud computing,” Journal of Supercomputing, vol. 71, no. 5, pp. 1607-1619, 2015. Article (CrossRef Link) https://doi.org/10.1007/s11227-014-1253-3
  23. S. Sabitha and M. S. Rajasree, "Anonymous-CPABE: privacy preserved content disclosure for data sharing in cloud," in Proc. of ARCS 2015, LNCS 9017, pp. 146-157, 2015. Article (CrossRef Link)
  24. Z. J. Fu, X. M. Sun, Q. Liu, L. Zhou, and J. G. Shu, “Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing,” IEICE Transactions on Communications, vol. E98-B, no. 1, pp.190-200, 2015. Article (CrossRef Link) https://doi.org/10.1587/transcom.E98.B.190
  25. Y. J. Ren, J. Shen, J. Wang, J. Han and S. Y. Lee, “Mutual verifiable provable data auditing in public cloud storage,” Journal of Internet Technology, vol. 16, no. 2, pp. 317-323, 2015. Article (CrossRef Link) https://doi.org/10.6138/JIT.2015.16.2.20140918
  26. Z. H. Xia, X. H. Wang, X. M. Sun, and Q. Wang, “A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 2, pp. 340-352, 2015. Article (CrossRef Link) https://doi.org/10.1109/TPDS.2015.2401003
  27. Z. J. Fu, K. Ren, J. G. Shu, X. M. Sun, and F. X. Huang, “Enabling personalized search over encrypted outsourced data with efficiency improvement,” IEEE Transactions on Parallel and Distributed Systems, DOI: 10.1109/TPDS.2015.2506573, 2015. Article (CrossRef Link)
  28. J. G. Li, X. N. Lin, Y. C. Zhang and J. G. Han, “KSF-OABE: Outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Transactions on Services Computing, DOI:10.1109/TSC.2016.2542813, 2016. Article (CrossRef Link)
  29. J. G. Li, Y. R. Shi and Y. C. Zhang, “Searchable ciphertext-policy attribute-based encryption with revocation in cloud storage,” International Journal of Communication Systems, DOI: 10.1002/dac.2942, 2015. Article (CrossRef Link)
  30. M. Padhya and D. Jinwala, "A novel approach for searchable CP-ABE with hidden ciphertext-policy," in Proc. of International Conference on Information Systems Security, LNCS 8880, pp. 167-184, 2014. Article (CrossRef Link)
  31. Z. Liu, Z. F. Cao, D. S. Wong, "Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on eBay," in Proc. of the 20th ACM Symposium on Computer and Communications Security, ACM, pp. 475-486, 2013. Article (CrossRef Link)
  32. J. T. Ning, X. L. Dong, Z. F. Cao, L. F. Wei, X. D. Lin, “White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes,” IEEE Transactions Information Forensics and Security, vol.10, no. 6, pp.1274-1288, 2015. Article (CrossRef Link) https://doi.org/10.1109/TIFS.2015.2405905
  33. I. Shaparlinski, “Computational Diffie-Hellman problem,” Encyclopedia of Cryptography and Security, pp. 240-244, 2011. Article (CrossRef Link)
  34. K. Emura, A. Miyaji, A. Nomura, K. Omote and M. Soshi, "A ciphertext-policy attribute-based encryption scheme with constant ciphertext length," in Proc. of ISPEC 2009 , LNCS 5451, pp. 13-23, 2009. Article (CrossRef Link)

Cited by

  1. Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant Ciphertext Length vol.2017, pp.None, 2016, https://doi.org/10.1155/2017/3596205
  2. Improving Security and Privacy-Preserving in Multi-Authorities Ciphertext-Policy Attribute-Based Encryption vol.12, pp.10, 2018, https://doi.org/10.3837/tiis.2018.10.025
  3. Offline/Online Outsourced Attribute-Based Encryption with Partial Policy Hidden for the Internet of Things vol.2020, pp.None, 2016, https://doi.org/10.1155/2020/8861114
  4. Offline/Online Outsourced Attribute-Based Encryption with Partial Policy Hidden for the Internet of Things vol.2020, pp.None, 2016, https://doi.org/10.1155/2020/8861114
  5. Ontology Based Privacy Preservation over Encrypted Data using Attribute-Based Encryption Technique vol.6, pp.2, 2021, https://doi.org/10.25046/aj060244