A Study on Data Sharing Scheme using ECP-ABSC that Provides Data User Traceability in the Cloud

Abstract

Recently, various security threats such as data leakage and data forgery have been possible in the communication and storage of data shared in the cloud environment. This paper conducted a study on the CP-ABSC scheme to solve these security threats. In the existing CP-ABSC scheme, if the data is obtained by the unsigncryption of the data user incorrectly, the identity of the data owner who uploaded the ciphertext cannot be known. Also, when verifying the leaked secret key, the identity information of the data user who leaked the secret key cannot be known. In terms of efficiency, the number of attributes can affect the ciphertext. In addition, a large amount of computation is required for the user to unsigncrypt the ciphertext. In this paper, we propose ECP-ABSC that provides data user traceability, and use it in a cloud environment to provide an efficient and secure data sharing scheme. The proposed ECP-ABSC scheme can trace and verify the identity of the data owner who uploaded the ciphertext incorrectly and the data user who leaked the secret key for the first time. In addition, the ciphertext of a constant size is output and the efficiency of the user's unsigncryption computation were improved.

1. Introduction

It has recently become possible to securely store and share data between users in the cloud. Because it can manage and share a lot of big data used in hospitals, companies, and public institutions, the development of cloud computing technology gives users many advantages. However, some security threats may occur when data is shared in a cloud environment [1-2]. First, providers of cloud services cannot be fully trusted. If you use an externally provided cloud, you can securely protect your stored data from external threats. The stored data can be secure from external threats if an externally provided cloud is used. However, the provider knows the content of the data stored and used. Shared data can be leaked or deleted by an attacker (a malicious user). The attacker accesses the server, leak the data to the outside and tamper with the stored data. If it is a cloud server that manages and stores users' personal (sensitive) information, it becomes a serious security threat [3-4]. Accordingly, cloud data encryption is required, along with data access control.

Attribute-based encryption allows for both data access control and encryption/decryption. This access and encryption are particularly applicable to the cloud environment [5-6]. However, attribute-based encryption does not allow the data user to trust the data obtained by the decrypted ciphertext. That is, it is impossible to verify data reliability. Questions arise such as who uploaded the data? Are the decrypted data those uploaded by the owner? And has the data been tampered with? To solve this problem, many scholars have researched attribute-based signcryption scheme [7-9]. Attribute-based signcryption is a security technology that combines the characteristics of attribute-based signature and attribute-based encryption. In Chapter 2, attribute-based signcryption was explained in detail. Our scheme is a variation of ciphertext-policy attribute-based signcryption (CP-ABSC).

Several CP-ABSC schemes have been researched, but the security threat still remains and or is inefficient in terms of the amount of computation. First, the data user must ask the owner of the uploaded data to take responsibility if the decrypted ciphertext is unclear. However, it is possible to know what attributes of the data owner, but not the identity of the data owner [10-11]. In addition, an external (unregistered) user can access the cloud server using a registered user’s secret key (i.e., Leaked unsigncryption key). If data leakage is detected, the user's identity information is checked by verifying the user's secret key. However, the secret key contains only the user attribute value of the initially issued data, and the identity of the data user is unknown [12-13]. The above problem occurs because the anonymity between each object is provided by using the CP-ABSC scheme. Therefore, while providing anonymity, it should be possible to verify the identity of data users (owners/users) in the event of a problem. Here, the problem means that the acquired data is wrong or the leaked secret key is first distributed. Second, a solution is needed because the number of attributes included in the ciphertext affects the size of the ciphertext by the data owner during the encryption phase [14-15]. Finally, since the amount of operation required for a user to unsigncryption the ciphertext is large. Therefore, it is limited for users who are burdened with device performance among users who try to access through a device in an IoT-Cloud or a mobile computing environment [16-17].

In this paper, we propose the Efficient Ciphertext-Policy Attribute-based Signcryption (ECP-ABSC) scheme that provides data user traceability, and use it to provide efficient and secure data sharing in the cloud. Specifically, the proposed ECP-ABSC scheme possible to verify the identity information of a data owner or user via cooperation between a Trace Authority (TA) and Attribute Authority (AA) when a leaked secret key or shared data is unclear. In addition, the number of attributes does not affect the size of the ciphertext, and is output in a constant size. Finally, the cloud server supports some amounts of unsigncryption computation to improve the computation efficiency when the user unsigncryption the ciphertext.

1.1 Contribution

The contributions of the proposed ECP-ABSC are as follows.

• Data user traceability and identification: In the proposed scheme, a trusted entity called TA is used. The TA does not participate in data-sharing; it only registers the identities of data users and issues pseudonyms. In detail, anonymity is provided because data users perform data sharing by registering an identity from the TA and issuing a pseudonym. If the data obtained from the ciphertext is unclear, or when the identity of the data user who leaked the secret key is to be verified, the TA and the AA can cooperate to check the identity of the requested data user. Compared to the traditional CP-ABSC scheme, this provides anonymity to data users and can trace and identify data users when a problem arises.

• Ciphertext output of a constant size: In the proposed scheme aggregates the attribute values included in the ciphertext, and calculates them as a single value. Then it is included in the ciphertext to provide a ciphertext output of a constant size. Compared to the existing scheme, the number of attributes contained in a ciphertext does not affect the size of the ciphertext.

• Efficient user unsigncryption operation: In the proposed scheme, performs a partial unsigncryption phase that can compare and calculate ciphertext and user attributes in the cloud server. Then, the user receives the unsigncrypted ciphertext and performs the final unsigncryption to obtain data. This process can reduce the user's ciphertext unsigncryption operation amount compared to the existing scheme for the user to unsigncrypt the entire ciphertext. As a result, even a user with a performance burden can sufficiently perform ciphertext unsigncryption through the outsourced server.

1.2 Organizaion

Each chapter of the paper is as follows. Chapter 2 is the background and describes attributebased signcryption, the existing CP-ABSC scheme, and related works. Chapter 3 describes the requirements(security, efficiency) of the cloud, and Chapter 4 describes the proposed ECP-ABSC scheme. Chapter 5 focuses on the efficiency and security aspects of our scheme. Chapter 6 presents our conclusion.

2. Backgrounds

This chapter describes attribute-based signcryption and the existing CP-ABSC scheme and related works.

2.1 Preliminaries

2.1.1 Bilinear Map

Recently, bilinear mapping is used as a cryptography tool for information security. The bilinear pairing function is also called bilinear mapping. Below is a description of the notation:

Assume that there are multiplicative group 𝐺₁and 𝐺₂ with the same order 𝑝. Suppose a discrete log problem is difficult to solve within a group. Let 𝑔 be a generator group of 𝐺₁, and

let 𝑒: 𝐺₁𝑋𝐺₁ → 𝐺₂ be a bilinear mapping that satisfies the following properties:

1. Bilinearity: For all 𝑃,𝑄 ∈ 𝐺₁ and all 𝑎, 𝑏 ∈ Z_𝑝, 𝑒(𝑃^𝑎, 𝑄^𝑏) = 𝑒(𝑃, 𝑄)^ab.

2. Non-degeneracy: For all 𝑄 ∈ 𝐺₁, if 𝑒(𝑃, 𝑄) = 1, then 𝑃 = 0.

3. Computability: There is an algorithm that computes 𝑒(𝑃, 𝑄) ∈ 𝐺₂ for all 𝑃, 𝑄 ∈ 𝐺₁,.

2.1.2 Bilinear Diffie Hellman (BDH) Assumption

The deterministic BDH assumption is that two pairs (𝑔^𝑎, 𝑔^𝑏, 𝑔^𝑐, W = e(𝑔, 𝑔)^𝑧) and (𝑔^𝑎, 𝑔^𝑏, 𝑔^𝑐, T = e(𝑔, 𝑔)^abc), have no algorithm A to distinguish two pairs with meaningful probability. Here it is 𝑎, 𝑏, 𝑐, 𝑧 ∈ 𝑍_𝑝 . If algorithm A to solve the deterministic BH assumption that if |Pr(g^a, g^b, g^c, T) = 1] − Pr[A(𝑔^𝑎, 𝑔^𝑏, 𝑔^𝑐, W) = 1]| ≥ 𝜖 is satisfied, then algorithm A has a profit of 𝜖 [18].

2.1.3 Bilinear Diffie Hellman Exponent (BDHE) Assumption

The deterministic BDHE assumption is that given (h, 𝑔, 𝑔^𝛼 … . , 𝑔^𝛼𝛽, 𝑔^𝛼𝛽+2, … 𝑔^𝛼2𝛽 ), there is no algorithm A can compute T = e(h, 𝑔)^𝛼𝛽+1 with meaningful probability. Here is ℎ, 𝑔 ∈ 𝐺₁. As defined by 𝑔_𝑖 = g^αi (i = 1, … ,2B) and 𝑔_𝛼,𝛽 = (𝑔₁, … , 𝑔_𝐵, 𝑔_𝐵+2, …, 𝑔_2𝐵), when the next two pairs are (ℎ, 𝑔, 𝑔_𝛼,𝛽, 𝑊 = e(h, 𝑔)^𝑧), (ℎ, 𝑔, 𝑔_𝛼,𝛽, T = e(h, 𝑔)^𝛼𝛽+1 ) the algorithm A to solve the deterministic BDHE assumption that if |Pr[A(ℎ, 𝑔, 𝑔_𝛼,𝛽, T) = 1] − Pr[A(ℎ, 𝑔, 𝑔_𝛼,𝛽, W = 1]| ≥ 𝜖 is satisfied, then algorithm A has a profit of 𝜖 [18].

2.1.4 Elliptic Curve Discrete Logarithm Problem (ECDLP) Assumption

Elliptic curve cryptography is a public key encryption method that uses the mathematical properties (discrete logarithm problem for elliptic curve are difficult) of elliptic curves in a finite field. To use elliptic curve cryptography, an elliptic curve is a set of solutions (X, Y) to the equation 𝑦² = 𝑥³ + 𝑎x + 𝑏 (mod 𝑝) defined for arbitrary integers a, b. The fact that there is a point P = (X, Y) on the elliptic curve means that the above equation is satisfied. Q = x · P can be expressed as a definition of an arbitrary integer x for two points P and Q. The solution to find x is a problem with discrete logarithm elliptic curves. That is, assuming that Q = x·P, it is easy to ind Q using x · P. However, it is very difficult to infer the value of x even if Q and P are known [18].

2.2 Attribute Based Signcryption

Signcryption is a cryptographic signature/encryption tool that guarantees confidentiality, integrity, and non-repudiation. In particular, it has the advantage of effectively reducing operating costs and communication overhead compared to the existing encryption method after signing. In 1997, the first signcryption was proposed by Zheng et al., followed by various attribute-based technologies [19]. ABSC performs signcryption/unsigncryption based on a set of attributes (affiliation, job, etc.) of each participant and the access structure created based on it [7-9]. That is, it has the characteristics of ABE and ABS [5-6][20].

The ABSC consists of CP-ABSC and KP-ABSC and this proposed scheme conducted research on CP-ABSC. In the CP-ABSC scheme, the ciphertext contains an access structure created by collecting user attributes. A user with the attributes specified in the access structure can access and decrypt the ciphertext. For example, suppose the access structure is {{Nurse AND Doctor} OR Hospital A}, and is included in the ciphertext. Only nurse and doctor from hospital A can access the ciphertext and decrypt.

The CP-ABSC is widely used in a data-sharing environment between users in a public cloud. In particular, it is widely used in 1:N (where N indicates “many”) cloud environments because it has the attributes of sharing data by accessing the ciphertext uploaded by the data owner.

2.2.1 Access Structure

ABE performs encryption/decryption with an access structure created with a set of attributes (e.g., job, affiliation) for each entity. The ABSC is also a scheme of performing signcryption/unsigncryption using an access structure. In detail, two access structures are used in ABSC. The access structure 𝛾_𝑒 is similar to the access structure used in ABE. Another access structure 𝛾_𝑠, creates the ciphertext from the attributes of the data owner. In the access structure, denoted by T, each non-leaf node can represent a threshold gate such as an AND gate or an OR gate depending on the threshold. In general, for all nodes x ∈ T, we use the notations num_𝑥 and 𝑘_𝑥 to represent the threshold of x and the number of children. For a non-leaf node x, if 𝑘_𝑥 = num_𝑥, then x represents an AND gate. If 𝑘_𝑥 = 1, it represents an OR gate. If 1 < 𝑘_𝑥 < num_𝑥, then x is a threshold gate. We define 𝑘_𝑥 = 1 and num_𝑥 = 0 for leaf node x.

2.2.2 CP-ABSC Scheme

Fig. 1 shows the basic structure of CP-ABSC. A CP-ABSC scheme has an AA, cloud server, and data owners and users (see Chapter 4). The overall scenario of CP-ABSC consists of a total of four phases: setup, key generation, data signcryption/unsigncryption.

Fig. 1. CP-ABSC scheme structure

First, AA creates public parameters and master keys through the setup phase. Second, when a data user(owner/user) requests a secret key (signature secret key, ciphertext unsigncryption key) from AA, the AA generates a signature secret key/ciphertext unsigncryption key. In detail, the AA generates a signature secret key is based on the data owner's attributes and sends it to the data owner (with the PPs). It then generates a ciphertext unsigncryption key with the attributes s of the users, which is sent to the user (with the PPs). Third, the data owner generates access structure (𝛾_𝑆, 𝛾_𝑒). 𝛾_𝑆 is an access structure that can represent the data owner, and is generated with the data owner’s attributes. γ_𝑒 is generated with the attributes of the data users who needs to access the ciphertext. Then, the owner signcrypt the using the access structures, PPs, and signature secret key. Then sends the ciphertext to the cloud server. Finally, the data user requests a ciphertext from the cloud server. And it performs unsigncryption by comparing its own attribute with the attribute value of the access structure in the ciphertext. This requires the user’s unsigncryption key, the ciphertext, and PPs. User with the required ciphertext attributes can unsigncrypt. Through the data verification process, the attribute value of the data owner and the integrity of the acquired data can be verified.

2.3 Related Work

2.3.1 The need for user tracing and identification in the CP-ABSC scheme

The existing CP-ABSC scheme communicates shared data by signcrypting and unsigncrypting user attributes. Accordingly, anonymity is provided between entities that want to participate in data sharing. This can protect privacy between users. However, this several problems occur as follows.

First, the shared ciphertext includes the attributes of the data owner. Assumed that the user acquires data after performing unsigncryption. If the data are unclear, the identity of the owner who uploaded them cannot be verified because the owner information in the ciphertext is exclusively attributes [10].

For example (Fig. 2), assume that Teams A and C of a company collaborate on a project. Team A encrypts and uploads data (“Project version 5”) with user attributes they want to share with team C. Data with Team A attributes are shared by insiders or other data (“Project version 3”) can be modulated by the addition of Team C attributes and then re-uploaded (re-encrypted). However, Team C cannot know whether the data obtained (“Project Version 3”) are inaccurate, or, if they recognize that the data are inaccurate, they cannot know the identity of the owner who uploaded them [10-11].

Fig. 2. Requires data user tracing and identity verification

Another problem arises (Fig. 2) when a leaked secret key is detected. It is assumed that one of the users in Team C leaks secret key (i.e., gives the secret key that accesses the cloud to a third party for money). The third party can obtain data by accessing the cloud with the key and attempting to decrypt the ciphertext. At this time, when the cloud server detects the risk of data leakage and requests an investigation from a trusted authority, the trusted authority verifies the secret key of the user who can access to the data. However, the secret key lacks user identity information and it is impossible to trace the leaked user [12-13].

In the existing ABE scheme, research to find a user who has leaked an abused secret key is continuously being conducted. When a legitimate user privately provides a secret key to another user, the user who has been provided with the secret key can access the cloud and decrypt. The secret key provided to other users is referred to as an abused secret key. For example, there are cases in which an authorized user publicly leaks or sells an attribute secret key through an e-commerce platform. At this time, after obtaining an abused key from KGC or a trusted authority, the key is verified through the key sanity check process to verify the user's identity [22-24].

The above two problems can occur sufficiently in the CP-ABSC environment. Therefore, depending on the circumstances, it should be possible to track and verify the identity of the data user.

2.3.2 The need for efficiency in the CP-ABSC scheme

In the traditional CP-ABSC schemes, the attributes included in the ciphertext affect the size of the ciphertext. Since ciphertext is communicated, stored, shared, and processed, the ciphertext size has a significant impact. To solve this problem, the attributesto be included in the ciphertext are collected and aggregated into a single value. In this case, ciphertext may be output in a constant size. However, it only affects the size of the ciphertext and does not affect the amount of computation required for signcryption/unsigncryption. Rather, since the aggregate operation is performed, the amount of operation is added compared to the CP-ABSC scheme that does not provide a ciphertext of a constant size. To efficiently process the amount of computation, it is necessary to support the amount of computation of the server such as outsourcing.

In the existing CP-ABSC schemes, the user receives the requested ciphertext from the cloud server and performs unsigncryption. However, if the user performing unsigncryption with a device or terminal may have limited performance, there are cases where the user cannot properly unsigncrypt the ciphertext. To solve this problem, research should be conducted to utilize an outsourced server to provide a part of the computational amount of the user's ciphertext unsigncryption.

2.3.3 Previously researched CP-ABSC scheme

The first signcryption was proposed by Zheng and based on this scheme, attribute-based signcryption was then proposed by Gangé et al. in 2010 [7]. Since then, the attribute-based signcryption that provides various requirements has been continuously researched based on Gangé et al.

The schemes of Deng et al. and Sana et al. are the CP-ABSC schemes that provide the requirements for outputting a ciphertext of a constant size [14-15]. Both schemes aggregate the attributes into a single value. This is one of the important requirements to provide because the size of the shared ciphertext affects communication and storage.

The scheme of Sana et al., Hundera et al., and Deng et al., are the CP-ABSC schemes that provides requirements for outsourcing server support to improve computational efficiency [16-17, 22-23]. In terms of data owners and users, signcryption and unsigncryption processes require a lot of operation. Therefore, operational support from a reliable outsourced server is required to handle this efficiently. In particular, partial unsigncryption by the server reduces the user burden.

The schemes of Lu et al. and Wei et al. are the CP-ABSC schemes that provides a requirement for identify by tracing the data owner [10-11]. Thus, as mentioned above, if the data obtained are incorrect, the identity of the owner can be verified. Identities are initially registered with the AA. If a problem occurs, the user requests the owner’s identity from the AA. However, the default anonymity of traditional CP-ABSC is then lost. Therefore, it must be able to work with a separate trusted server such as a TA to verify the identity of the owner.

The schemes of Rohit et al. and Hong et al. are the CP-ABSC schemes that provide traceability requirements that enable identity verification by tracing the data user who was issued the secret key when a leaked secret key is detected [12-13]. All data user identities are initially registered with the AA. If a leaked secret key is detected, the identity information can be checked by tracing the data user who first issued the key can be verified through AA. However, as mentioned above, anonymity between AA and data users is not provided.

Our ECP-ABSC scheme was proposed as a model that satisfies the three requirements by analyzing the above-mentioned CP-ABSC schemes. The requirements provided include data user tracing and identity verification, ciphertext of a constant size, partial unsigncyrption performed on a cloud server

3. Security Requirements

An CP-ABSC scheme shares signcrypted data using only the attributes of the data owner and users. Therefore, anonymity basically provided for the data user and owner. In the secure CP-ABSC scheme provides confidentiality and integrity for shared data. The user access control function for accessing the ciphertext is also a basic requirement. In addition, in order to build a secure data sharing system using CP-ABSC, various requirements should be considered. The requirements are efficiency in CP-ABSC scheme, data owner and user identity trace, attribute revocation of withdrawn users, multi-AA for key escrow problem solving, and ensures that user attribute management is secure etc. The CP-ABSC scheme, which provides all requirements, is the most secure and efficient scheme. However, as the requirements apply, the CP-ABSC system becomes heavy (inefficient). Therefore, research that can apply the necessary requirements according to the environment is required.

Our proposed ECP-ABSC scheme is to focus on the requirements for tracing data users and verifying the identity, and for outputting a constant size of ciphertext and performing partial unsigncryption to provide efficiency. The description of the requirements to be provided are as follows.

• Data user traceability and identification: In the CP-ABSC scheme, if the data obtained during unsigncryption are incorrect, the identity of the owner who uploaded the ciphertext cannot be known. If a problem arises, it is essential to identify the data owner who uploaded the ciphertext using the AA or a cloud server, and takes appropriate action. In traditional CP-ABSC schemes, the secret key issued by the data user does not contain a value that can identify the data user. Therefore, such a user may leak the key and attribute values to others for profit or out of malice. That third party can access the cloud, obtain ciphertext, and perform unsigncryption. This can cause data leakage. Therefore, it is necessary to verify the identity information of the user who was issued the secret key for the first time. This means that the data user cannot provide the secret key to other users in advance [25].

• Output constant-sized ciphertext: In some CP-ABSC schemes, the size of the ciphertext is affected by the number of attributes in the ciphertext. If the size of the ciphertext increases, it affects the cloud storage where the ciphertext is stored. To solve this problem, research that can output the ciphertext of a constant size without affecting the number of attributes is required.

• Efficient user unsigncryption operation: In general, partial unsigncryption is performed by comparing attribute values when decrypting ciphertext, and final unsigncryption is performed through a secret key to obtain data. However, the amount of operation required when the user decrypts the ciphertext makes users who lack computing power feel a burden. To solve this problem, research should be conducted to utilize an outsourced server that can handle part of the operational amount of ciphertext (partial unsigncryption) [26-27].

• Security (confidentiality, integrity) and access control for shared data: If the data shared and stored in the cloud is plaintext, attackers can create various security threats such as data leakage and forgery with shared data as targets. Therefore, it is important to provide security and access control for data. Data must be encrypted and shared, and confidentiality must be provided so that only legitimate users with authority can decrypt it. By verifying the unsigncrypted data, it is necessary to verify the integrity of the data uploaded by the data owner. In order for the user to access the stored ciphertext, an element for access control is required so that only the user with the attributes specified in the access structure by the data owner can access.

4. The Proposed Scheme

In this chapter, we propose the ECP-ABSC scheme that provides data user traceability, and use it to provide efficient and secure data sharing in a cloud environment. The feature of the proposal scheme is to provide anonymity between each participating entity. If a problem arises (If there is a problem with the data obtained by the data user decrypting the signature, or if it is necessary to verify the identity of the first leaker of the leaked user's secret key), the TA and AA cooperate to identify the owner or user involved. In addition, the size of the ciphertext proportional to the number of existing attributes was minimized by outputting the ciphertext size as a constant. Finally, the cloud server partially unsigncrypts the ciphertext requested by the user. As a result, the user's ciphertext unsigncryption amount is reduced, thereby increasing the user's operation amount efficiency.

Fig. 3 shows the overall scenario of the proposed scheme. Participants consist of the AA, TA, cloud server, data users (owners and users). The detailed descriptions follow.

Fig. 3. Overall Scenario of proposed ECP-ABSC scheme

4.1 System Model

4.1.1 System Entity

The description of the role of each entity in the ECP-ABSC scheme are as follows.

• Attribute Authority: In this proposed scheme, AA is a semi-trusted server that manages the attributes of users. Here, the expression “semi-trust” refers to an entity that can be trusted by users but, since service providers are curious subjects, they have the right to obtain user information whenever they want. Accordingly, when requesting a secret key from the AA, the data owner and the user request the secret key using a pseudonym. AA has the attributes of owner and user and plays the role of creating a signature secret key and a secret key (ciphertext unsigncryption key) and sending it to the user.

• Trace Authority (TA): The TA is a trusted server outside the data-sharing environment. Even though there is AA, the reason for having TA is that if AA has the identity information of data users to provide data traceability, problems such as key escrow may occur with the information of data users in AA. In order not to cause this problem, TA was needed to divide the authority and role of AA. The TA manages the identities and pseudonyms of owners and users. When the AA requests an identity for the pseudonym value in the future, it serves to confirm and inform it.

• Cloud Server: It usually consists of storage where files are server that performs operations and stored. This proposed scheme is expressed as a cloud server. It performs storage and management of shared data. When the user asks for a ciphertext, it performs partial unsigncryption by comparing the attributes in the ciphertext access structure with the user's attributes and the result is sent to the user.

• User(Data Owner): It means the user who signcrypts data and uploads it. The attributes of a user who needs to access the data, an access structure is created based on the attributes of the owner. Then, using the secret signature key and public parameters received from the AA, signcryption is performed, and ciphertext is created and uploaded.

• User(Data User): It refers to a user who receives partially unsigncrypted ciphertext from the cloud and performs final unsigncryption to obtain data. After that, you can verify that the data is correct. If there is a problem with the data(the ciphertext), the user can verify by ask the AA and TA to identity who uploaded the data.

4.1.2 System Parameter

The proposed ECP-ABSC method uses the following system parameters (see Table 1).

Table 1. System parameter notation ABSC schemes

4.1.3 Procedure

Our CP-ABSC data-sharing scheme identifies data ownership and prevents key leakage. It is possible to verify owner/user identity. In addition, the output of a constant size of the ciphertext and it improves the efficiency of the user's unsigncryption calculation amount through partial unsigncryption. The cloud server and the user perform the unsigncryption process in this proposed scheme separately. Each phase proceeds as follows.

• Setup phase: The data owner or user transmits an ID to the TA, requests registration, and receives the AID_∗ corresponding to the ID_∗. In addition, PP and MK are generated by inputting security parameter k in AA.

• SignerKeyGen phase: The data owner sends the AID_DO to the AA to request the SSK_DO. AA generates the data owner's SSK_DO with 𝑃𝑃, MK, AID_DO, A_DO and securely transmits 𝑃𝑃, SSK_DO to the data owner.

• UserKeyGen phase: The data user sends the AID_DU to the AA and requests the DSK_DU (ciphertext unsigncryption key) corresponding to the attribute. AA generates the data user's DSK_DU with 𝑃𝑃, MK, AID_DU, 𝐴_DU and securely transmits 𝑃𝑃, DSK_DU to the data user.

• Signcryption phase: The data owner creates the 𝛾_𝑒 of the ciphertext as the attributes of users and the 𝛾_𝑠 based on his/her own attributes. Then, with PP, SSK_DO, the message M is signcrypted. The CT_𝛾𝑒 and 𝛾_𝑠 are transmitted together to the cloud server, which stores them.

• Unsigncryption (Partial) phase: A user generates a token and requests a CT_𝛾𝑒 from the cloud. The cloud server performs partial unsigncryption by comparing the attribute value included in the access structure 𝛾_𝑒 to those of the user. After partial unsigncryption, the result values C and SS are transmitted to the user with CT_𝛾𝑒.

• Unsigncryption (Final) phase: The user performs final unsigncryption of SS, C, CT_𝛾𝑒 received from the cloud server with his/her DSK_DU. If unsigncryption is successful, the user obtains M. The integrity of the M can then be verified.

• Trace and Identification phase: If a problem arises with CT_𝛾𝑒 or leaked DSK_DU, it is possible to identify the owner who uploaded CT_𝛾𝑒 or the user who was issued DSK_DU. The AA employs the CT_𝛾𝑒 or PSK_∗, TI_∗ included in DSK_DU to calculate the pseudonym ID (i.e., AID_∗) of the owner or user. The AA sends this to the TA and requests identification; the TA accepts the AID_∗value and engages in calculation employing this value, and the user attribute values, and extracts the user ID and sends it to the AA.

4.2 Description of the Proposed ECP-ABSCE Scheme

In this ECP-ABSC scheme, two cycle multiplication groups 𝐺, 𝐺_𝑇 of prime number p are generated, and a bilinear mapping map 𝑒: 𝐺 × 𝐺 → 𝐺_𝑇(∀𝑖, 𝑗 ∈ 𝐺, 𝑒(𝑖,𝑗) = 𝑣, 𝑣 ∈ 𝐺_𝑇) is generated. Let 𝑔 be the generator of G. AA creates a subgroup 𝐺₂ of elliptic curve points of fractional order q and chooses the generator P of 𝐺₂. Suppose there are 𝑛 attributes in the universe where the universal set is 𝐴_∗ = {Att_1(∗), 𝐴tt_2(∗) Att_3(∗), … ,Att_𝑛(∗)}. 𝛾_𝑒 is a tree-type access structure created with the attributes of the user who needs to access the ciphertext. 𝛾_𝑠 is a tree-type access structure composed of the attributes of the data owner. Both access structures are expressed as 𝛾_∗ = {𝛾_1(∗), 𝛾_2(∗), 𝛾_3(∗), … , 𝛾_𝑛(∗)}. Att_𝑛(∗) is included in 𝛾_∗(𝑛).

4.2.1 Setup Phase

First, PP and MK are created through the setup phase in AA. When the prime order of a bilinear group G is p, the AA generates random value α, s ∈ 𝑍_𝑝^∗ , tr_𝑖 ∈ 𝐺, and then generates PP, MK, and public key as follows.

PP < e, g, G, G_T, G₂{TR_i = g^tr_i}_i∈[1,n], h = g^s, e(g, g)^α, H₁, H₂, H₃ >       (1)

MK < α, {tr_i}_{i∈[1, n]} > PK_AA = <α · P>       (2)

The data user or owner sends the ID to the TA to request registration. The TA calculates a corresponding pseudonym ID value AID_∗ using the user ID and attribute values, and transmits this to the data owner or user. The calculated value F is used as PP.

• Random number 𝑓 ∈ 𝑍_𝑝^∗, F=𝑔^𝑓

• Create data owner pseudonym: AID_DO = ID_DO ⊕ 𝐻₂(ℎ^𝑓) ⊕ 𝑓

• Create data user pseudonym: AID_DU = 𝐼𝐷_DU ⊕ 𝐻₂(ℎ^𝑓) ⊕ 𝑓

4.2.2 Key Generation Phase

The data owner and user transmit their pseudonym AID_D∗ values and attributes to the AA when requesting a secret key. In detail, the data owner requests a SSK_DO to be used for signcryption, and the data user requests a DSK_DU. The AA generates a SSK_DO based on the data owner’s attributes, and securely transmits 𝑃𝑃, SSK_DO to the owner. In addition, the AA generates a DSK_DU based on the data user’s attributes, and securely transmits 𝑃𝑃, DSK_DU to the user.

• Random number 𝛽 ∈ 𝑍_𝑝^∗ .

< SingerKeyGen(PP, MK, AID_DO, A_DO >

• Random number r_DOi ∈ Z_𝑝^*, {r_DOi,n∈ Z𝑝^*}_i∈[1,n], r_DO = Σ_i=1ⁿ r_DOi

\(\begin{aligned}K=g^{\alpha-r_{D o_{i}}}, K_{i}^{\prime}=g \cdot H_{1}\left(A t t_{i}\right)^{r_{D o_{i, n}}}, K_{i}^{\prime \prime}=H_{1}\left(A t t_{i}\right)^{\frac{r_{D o_{i, n}}}{t r_{i}}} \end{aligned}\)       (3)

PSK_DO = α + H₁(AID_DO) · α       (4)

TI_DO = AID_DO ⊕ β ⊕ PSK_DO       (5)

SSK_DO = {PSK_DO, TI_DO, K, {K_i^', K_i^''}_Atti∈[ADO]}       (6)

< UserKeyGen(PP, MK, AID_DU, A_DU)>

• Random number r_DUi ∈ Z_𝑝^*, {r_DUi,n∈ Z𝑝^*}_i∈[1,n], r_DU = Σ_i=1ⁿ r_DUi

\(\begin{aligned}D_{i}=g^{\alpha-r_{D U_{i}}}, D_{i}^{\prime}=g^{\frac{r_{D U_{i}}}{t r_{i}}}, D_{i}^{\prime \prime}=g^{s \cdot r_{D U_{i} / t r_{i}}}\end{aligned}\)       (7)

PSK_DU = α + H₁(AID_DU) · α       (8)

TI_DU = AID_DU ⊕ β ⊕ PSK_DU       (9)

DSK_DU = {PSK_DU, TI_DU, D, {D_i^', D_i^''}_Atti∈[ADU]}       (10)

4.2.3 Data Signcryption Phase

The data owner signcrypt the data, and sends it to the cloud server. In detail, the data owner creates the access structure 𝛾_𝑒 of the ciphertext based on the attributes of users, and creates the access structure 𝛾_𝑠 with his/her own attributes. The owner selects a message and signcrypt it using the PP, secret signature key, and access structures. Then,send the CT_𝛾𝑒 to the cloud server. The server stores the received CT_𝛾𝑒 and 𝛾_𝑠.

• Random number 𝑜, 𝑜′ ∈ 𝑍_𝑝^∗

Access structure as 𝛾_𝑒 = {𝛾_𝑒1, 𝛾_𝑒2, 𝛾_𝑒3, … , 𝛾_𝑒n}.

• If Att_𝑖,1 ∈ 𝛾_𝑒i, computes 𝐶_𝑖 = (𝑔^{𝑡𝑟_𝑖})^𝑜

• If Att_𝑖,1 ∉ 𝛾_𝑒i, computes 𝐶_𝑖 = (𝑔^{𝑡𝑟_𝑖+1})^𝑜

\(\begin{aligned}C_{0}=M \cdot e(g, g)^{\alpha \cdot o}, C_{1}=g^{o}, C_{2}=h^{o} \cdot \prod_{i \in n} C_{i}\end{aligned}\)      (11)

V = e(C1, go'), VA = H3(M||V)       (12)

R = g^o' · K^VA, R_i^' = (K_i^')^o · TR_i, R_i^'' = (K_i^'')^o · TR_i       (13)

CT_𝛾𝑒 =< 𝛾_𝑒, 𝛾_s, PSK_DO, TI_DO, C₀, C₁, C₂, VA, R, {R_i', R_i"}>       (14)

4.2.4 Data Unsigncryption (Partial and Final) Phase

The user generates a token and sends it to the cloud server to request the ciphertext. The server performs partial unsigncryption by calculating and comparing the attributes specified in the ciphertext access structure requested by the user with the attributes of the user.

𝛾e$, A_DU>

\(\begin{array}{l}C=\frac{e\left(C_{2}, \prod_{i \in \gamma_{e}} D_{i}^{\prime}\right)}{e\left(C_{1},\left(\prod_{i \in \gamma_{e}} D_{i}^{\prime \prime}\right)\right)}=\frac{e\left(h^{o} \cdot \prod_{i \in n} C_{i}, \prod_{i \in \gamma_{e}} g^{r_{D U} / t U_{i}}\right)}{e\left(g^{o}, \prod_{i \in \gamma_{e}} g^{S \cdot r_{D U} / t r_{i}}\right)}=e(g, g)^{r_{D U} \cdot o} \\ S S=\frac{\prod_{i \in A_{D O}} e\left(R_{i}^{\prime}, g\right)}{\prod_{i \in A_{D O}} e\left(T R_{i}, R_{i}^{\prime \prime}\right)}=\frac{\prod_{i \in A_{D O}} e\left(g \cdot H_{1}\left(A t t_{i}\right)^{r_{D o_{i, n}} \cdot o} \cdot g^{t r_{i}}, g\right)}{\prod_{i \in A_{D O}} e\left(g^{t r_{i}},\left(g^{t r_{i}} \cdot H_{1}\left(A t t_{i}\right)^{\frac{r_{D o_{i n}}}{t r_{i}} \cdot o}\right)\right)}=e(g, g)^{r_{D o_{i}} \cdot o} \\\end{array}\)       (15)

After performing partial unsigncryption C, SS, 𝐶T_𝛾𝑒 are sends to the user from the cloud server. The user performs final unsigncryption with DSK_DU and PP. The obtained message content and integrity are then verified.

DU, C, SS, CT_𝛾e)>

\(\begin{aligned}\begin{array}{l}M=\frac{C_{0}}{e\left(C_{1}, D\right) \cdot C}=\frac{M \cdot e(g, g)^{\alpha \cdot o}}{e\left(g^{o}, g^{\alpha-r_{D U_{i}}}\right) \cdot e(g, g)^{r_{D U_{i}} \cdot \circ}} \\ V^{\prime}=\frac{e\left(C_{1}, R\right)}{\left(e(g, g)^{\alpha \cdot o} \cdot S S^{-1}\right)^{V A}} \rightarrow V^{\prime} ?=V(\text { true or false }), \quad V A^{\prime}=V A \\\end{array}\end{aligned}\)       (16)

4.2.5 Trace and Identification Phase

The trace and identification phase verifies the identity of the data owner who uploaded ciphertext, and that of the data user who was first issued a leaked secret key for the first time. If the integrity of data obtained by the user on decrypting the ciphertext is compromised or the wrong data are uploaded, the data owner must be traced to verify their identity. It is also to prevent unauthorized third parties from obtaining keys from someone and accessing the cloud. If there is a problem with a leaked key, the identity information of the data user who was first issued the key is verified. The AA uses PSK_∗, TI_∗ included in CT_𝛾𝑒 or DSK_DU to calculate the pseudonym ID(AID_∗) of the data owner or user.

< Trace(PSK_*, TI_*)>

PSK_𝐷∗ ⋅ 𝑃 = PK_𝐴𝐴 + 𝐻₁(AID_𝐷∗) ⋅ PK_𝐴𝐴       (17)

AID_𝐷∗ = 𝛽 ⊕ TI_D∗ ⊕ PSK_𝐷∗       (18)

The AA sends AID_𝐷∗ ⊕ 𝐻₂(𝐹^𝑠) to the TA to request the identity of the pseudonym. The TA uses the AID_∗ and the corresponding user attribute value, to perform calculations, and extracts the user ID and gives it to the AA.

ID_𝐷∗ = AID_𝐷∗ ⊕ 𝐻₂(𝐹^𝑠) ⊕ 𝑓       (19)

5. Analysis of proposed scheme

Our proposed ECP-ABSC scheme analyzed the security and efficiency to satisfy the requirements presented in Chapter 3. Table 2 compares and analyzes the existing CP-ABSC scheme based on the requirements to be provided by CP-ABSC scheme. Table 3 and Fig. 4 shows the amount of operation required to be performed in the signcryption phase and the unsigncryption phase of the existing CP-ABSC schemes.

Table 2. Comparison of security requirements between the existing CP-ABSC scheme and the proposed scheme

Table 3. Comparison of calculation amount between the existing CP-ABSC scheme and the proposed scheme

Fig. 4. Comparison of operational amount when performing signcryption and Unsigncryption of user ciphertext

5.1 Security Analysis

• Data user traceability and identification: In this proposed scheme, the data owner and user initially receive the pseudonym AID_𝐷∗ after registration from the TA, and perform data sharing. Therefore, anonymity between each entity participating in sharing is provided. In addition, when the data obtained by the data user unsigncryting the ciphertext is unclear(incorrect), the ciphertext may be transmitted to the AA to request the identity of the data owner who uploaded the ciphertext. The AA extracts the pseudonym value AID_DO = 𝛽 ⊕ TI_DO ⊕ PSK_DO from the ciphertext with the value PSK_DO, TI_DO that can trace the owner of the data. XOR operation is performed on the extracted pseudonym value with 𝐻₂(𝐹^𝑠), and it is transmitted to the TA to request the identity of the data owner. The TA verifies the identity of the data owner corresponding to the pseudonym through operation (ID_DO = AID_DO ⊕ 𝐻₂(𝐹^𝑠) ⊕ 𝑓), and transmits the information to the AA.

From another perspective, when a leaked secret key is detected, the leaked secret key is transmitted to the AA. Then, the first secret key is issued and the identity of the leaked data user is requested. AA extracts the pseudonym value AID_DU = 𝛽 ⊕ TI_DU ⊕ PSK_DU with PSK_DU, TI_DU included in the secret key. In the above method, the identity of the data user ID_DU can be verified by requesting the TA.

• Security (confidentiality, integrity) and access control for shared data: This proposed scheme encrypts, stores, and shares data using CP-ABSC scheme, confidentiality and integrity of data are provided from third parties. In detail, the 𝐶T_𝛾𝑒 with γ_e generated based on user attribute 𝐴_𝐷𝑈 = {𝐴tt₁, 𝐴tt₂, 𝐴tt₃, … , 𝐴tt_𝑛} the only users who want to decrypt it are users with attribute 𝐴_DU = {𝐴tt₁, 𝐴tt₂, 𝐴tt₃, … , 𝐴tt_𝑛} and secret key DSK_DU included in the ciphertext. Confidentiality of data is provided because data cannot be obtained even when unsigncryption is attempted by taking the CT_𝛾𝑒 other than that. In addition, the user can check whether the data uploaded by the data owner is correct through the data verification process and the integrity of the shared data through operation \(\begin{aligned}(V'=\frac{e\left(C_{1}, R\right)}{\left(e(g, g)^{\alpha \cdot o \cdot} S S^{-1}\right)^{V A}} \rightarrow V^{\prime} ?=V)\end{aligned}\). In the proposed scheme, when a user requests a ciphertext from the cloud server, the ciphertext access structure is calculated by comparing with the user's attributes. If they match, partial unsigncryption is performed and the ciphertext and partial unsigncrypted result are sent to the user. That is, when a user who does not have an attribute and a secret key request a ciphertext, the server cannot perform partial unsigncryption. Accordingly, an access control function for the ciphertext is provided by the data owner, and access from unauthorized users can be blocked.

5.2 Efficiency

The computational amount of signcryption/unsigncryption of the proposed scheme was measured on a Windows machine with a 3.50GHz Intel Core i5-4690 processor and 8GB of RAM. The pairing operations, was performed with reference to the pairing-based cryptographic library [28]. The ECC implementation used a Koblitz elliptic curve 𝑦² = 𝑥³ + 𝑎x + 𝑏 (mod 𝑝) with a=1 and b=1 with a 163-bit random prime efined in 𝐹_2¹⁶³. In Fig. 4, the amount of user unsignryption operation shown is compared only with CP-ABSC schemes that provide partial unsigncryption requirements in Table 3.

• Provide a constant-size ciphertext output: In the proposed ECP-ABSC scheme, an aggregate operation is used to solve the problem that 𝐶_𝑖 included in the ciphertext increases according to the attribute in the existing CP-ABSC scheme. In detail, 𝐶_𝑖 is expressed as a single number 𝐶₂ by performing an aggregate operation as in 𝐶₂ = ℎ^𝑜 ∙ ∏_𝑖∈𝑛𝐶_𝑖. This does not mean that the amount of computation for the ciphertext generation process and the decryption process is reduced, but simply means that ciphertext of a constant size can be output without affecting of the number of attributes. By outputting a ciphertext of a constant size, it effectively affects the ciphertext that is communicated, stored, and shared.

• Efficient user unsigncryption operation: This proposed scheme supports a part of the amount of operation required for the user to unsigncrypt the existing ciphertext through partial unsigncryption(\(\begin{aligned}C=\frac{e\left(C_{2}, \Pi_{i \in \gamma_{e}} D_{i^{\prime}}\right)}{e\left(C_{1},\left(\prod_{i \in \gamma_{e}} D_{i}^{\prime \prime}\right)\right)}\\\end{aligned}\), \(\begin{aligned}S S=\frac{\prod_{i \in A_{D O}} e\left(R_{i}^{\prime}, g\right)}{\prod_{i \in A_{D O}} e\left(T R_{i}, R_{i}^{\prime \prime}\right)}\\\end{aligned}\)) in the cloud server. That is, since the user can acquire the M only by receiving the result C and SS, the ciphertext 𝐶T_𝛾𝑒 from the partial unsigncryption from the cloud server and performing the final unsigncryption. Therefore, compared to the data user's unsigncryption of the ciphertext in the existing CP-ABSC scheme, the amount of user ciphertext unsigncryption operation in the CP-ABSC scheme that provides partial unsigncryption is greatly reduced. As shown in Table 3, the efficiency of the amount of unsigncryption operation is high in terms of the user compared to the scheme of Sana et al., Lu et al., Rohit et al. that do not perform partial unsigncryption. However, the CP-ABSC scheme providing partial unsigncryption has a similar amount of unsigncryption operation compared to the scheme of Hundera et al., Ningzhi Deng et al. Since the scheme of Hundera et al., Ningzhi Deng et al. process a large amount of computation by partial unsigncryption in the cloud server, the amount of computational amount of unsigncryption from the user side is more efficient compared to the proposed scheme. However, in this proposed scheme, the requirements (data user tracing and identification) not provided by the scheme of Hundera et al., Ningzhi Deng et al. are provided. the efficiency is good.

6. Conclusion

In this paper, we propose the ECP-ABSC scheme that provides data user traceability, and use it to provide efficient and secure data sharing in a cloud environment. The ECP-ABSC scheme has the following advantages. First, it guarantees the integrity and confidentiality of shared data and blocks access by unauthorized users. Data are securely managed and protected. Second, the anonymity of the user is maintained, and in some cases the data owner or user can be traced to verify their identity. For example, if ciphertext obtained by a user is unclear(incorrect), the identity of the owner who uploaded the ciphertext may be verified. It can also verify the identity information of the user who was initially issued a unsigncryption key obtained by an illegal user. This prevents an authenticated user from exposing the key. In addition, cloud storage can be used efficiently because it provides constant output of the number of attributes without affecting the size of the ciphertext. Finally, the cloud server supports some unsigncryption operations of a user, which aids a user with relatively limited computing resources.

This proposed scheme targets a cloud environment that is used by a large number of data users and owners. In particular, it can be applied in a cloud environment that manages data communicated between nurses/doctors and patients in healthcare, IoT-Cloud environments, and data shared within companies/public enterprises. This proposed scheme conducted research with the goal of performing security on shared data and authentication of users who access data.

In the future research, damage occurs due to the leakage of personal information due to the sensitive attributes of the access structure. Therefore, it is considered that research that can hide or anonymize sensitive attribute values in the access structure is also needed.