Heliyon. 2024 Jun 7;10(12):e32404. doi: 10.1016/j.heliyon.2024.e32404

Efficient and accountable anti-leakage attribute-based encryption scheme for cloud storage

Li Yan a, Gaozhou Wang a, Hongxin Feng b, Peishun Liu b, Haojie Gao b, Wenbin Zhang a, Hailin Hu a, Fading Pan a
PMCID: PMC11226792  PMID: 38975165

Abstract

To ensure secure and flexible data sharing in cloud storage, attribute-based encryption (ABE) is introduced to meet the requirements of fine-grained access control and secure one-to-many data sharing. However, the computational burden imposed by attribute encryption renders it unsuitable for resource-constrained environments such as the Internet of Things (IoT) and edge computing. Furthermore, the issue of accountability for illegal keys is crucial, as authorized users may actively disclose or sell authorization keys for personal gain, and keys may also passively leak due to management negligence or hacking incidents. Additionally, since all authorization keys are generated by the attribute authorization center, there is a potential risk of unauthorized key forgery. In response to these challenges, this paper proposes an efficient and accountable leakage-resistant scheme based on attribute encryption. The scheme adopts more secure online/offline encryption mechanisms and cloud server-assisted decryption to alleviate the computational burden on resource-constrained devices. For illegal keys, the scheme supports accountability for both users and the authorization center, allowing the revocation of decryption privileges for malicious users. In the case of passively leaked keys, timely key updates and revocation of decryption capabilities for leaked keys are implemented. Finally, the paper provides selective security and accountability proofs for the scheme under standard models. Efficiency analysis and experimental results demonstrate that the proposed scheme enhances encryption/decryption efficiency, and the storage overhead for accountability is also extremely low.

Keywords: Attribute-based encryption, Assisted decryption, Accountable, Online/offline, Anti-leakage

1. Introduction

With the increasing popularity of IoT applications and the rapid maturation of cloud computing, cloud storage outsourcing services [1], [2], [3], [4] have become increasingly prevalent. This practice reduces the need for local storage and facilitates efficient data sharing. While cloud service providers offer substantial computing and storage benefits, complete trust in them is not assured, as they possess access to the stored data. As a precaution, encryption mechanisms are typically employed before outsourcing to ensure data security in a semi-trusted or compromised cloud environment. Additionally, given that data on the cloud is accessed by numerous users, the establishment of appropriate access control schemes becomes imperative to restrict data access.

Although public key encryption provides powerful encryption functions, it requires the public keys of all users to encrypt data, leading to the generation of multiple copies of encrypted data. Meanwhile, when numerous participants engage in data sharing, symmetric encryption may encounter maintenance costs and key distribution problems. For the aforementioned issues, Attribute-Based Encryption (ABE) [5], proposed by Sahai and Waters, is considered a promising encryption method. It associates access control with users' attributes, allowing only users who satisfy specific attribute requirements to access data. This feature makes it particularly useful for securely sharing data in outsourcing scenarios. Subsequently, scholars have proposed more ABE schemes specifically for use on public cloud platforms such as AWS and Azure [6], [7], with ongoing efforts focused on enhancing their functionality, efficiency, and resilience against attacks [8], [9], [10], [11].

In the past, traditional attribute-based encryption methods [12] were limited in their application in IoT and edge computing due to their relatively complex computation process. Particularly in these environments, devices like smart sensors and edge devices often possess limited computational resources. Traditional attribute-based encryption methods cannot meet the requirements of these resource-limited devices for efficient encryption and decryption functions. Employing online/offline encryption mechanisms [13] and outsourcing decryption processes [14] can effectively alleviate the computational burden overhead associated with encryption and decryption tasks. However, ensuring the security of offline ciphertext and the correctness of outsourced decryption poses a significant challenge, especially in the face of potential malicious attacks or system failures.

In attribute-based encryption systems, malicious users can sell their authorized attribute keys to unauthorized users for profit. Due to the fact that in most schemes, authorized keys are independently generated by the authority center, this would result in the authority center being able to forge keys with decryption capabilities. Based on this, malicious users can claim that the illegal key was leaked by the authorization center rather than themselves when they are traced [15]. Therefore, supporting the accountability of both the user and the authorization center for illegal keys is an important design consideration [16]. However, there are certain limitations when it comes to addressing passively leaked user keys. Considering that passive leakage may result from external attacks, hacking incidents, or management oversights, merely revoking a user's decryption privileges might not be the most appropriate response. Therefore, to ensure data is protected against unauthorized access via leaked keys, a more intelligent key update method is needed, one that can effectively revoke the decryption ability of leaked keys.

1.1. Related work

In 2005, Sahai and Waters first proposed a fuzzy identity-based encryption scheme [5], which was the first attribute-based encryption algorithm. In 2007, Bethencourt et al. [17] extended this concept to introduce ciphertext-policy attribute-based encryption (CP-ABE). In CP-ABE, a user's key embeds a set of attributes related to their identity, while data owners define access policies to determine which individuals with specific attributes can access ciphertext. This imbues CP-ABE with high flexibility and wide applicability in cloud services. However, as the access control capabilities have improved, attribute-based encryption systems face the challenge of high computational overhead, which inconveniences resource-limited users. To address the issue of inefficient user decryption, Green et al. [18] proposed a ciphertext outsourcing decryption scheme based on attribute-based encryption in 2011, which utilizes blind techniques to handle attribute keys. This scheme is widely used in outsourcing decryption. Subsequently, building on the outsourcing decryption scheme [18], scholars proposed various outsourcing decryption schemes with richer functions [19], [20], [21], [22]. Li et al. [23] developed an ABE scheme that facilitates efficient verification of outsourced decryption results. Varri et al. [24] leveraged edge computing to alleviate the burden of resource consumption caused by encryption and decryption on users. Apart from the decryption overhead, attribute-based encryption processes remain challenging for resource-constrained devices. To alleviate the computational load during encryption, Even et al. [25] introduced the concept of online/offline encryption algorithms in 1996, allowing pre-computation of intensive tasks in an offline phase. Building on this concept, Hohenberger and Waters [26] incorporated the online/offline encryption method into ABE, proposing the first online/offline ABE scheme. In 2017, Zhang et al. [27] proposed an unbounded online/offline CP-ABE scheme based on non-monotonic access structures.

On the other hand, user accountability in CP-ABE continues to be a major concern. Malicious users may intentionally share their keys with unauthorized individuals, granting these individuals access to encrypted data. Additionally, since users' attribute keys are solely generated by the authority center, this could lead to instances of authority center key abuse. Specifically, the authority center is capable of generating and distributing authorized decryption keys according to a user's attribute list without the risk of being detected for key abuse. Auditors face difficulties in determining the culpability of key owners since it is possible that the authority center may have leaked legitimate keys to unauthorized users. A common approach to address this issue is to embed some user private information in their keys that the authority center is unaware of. Li et al. [28] were the first to propose a scheme addressing illegal key sharing and implementing access policy hiding to protect user privacy. Liu et al. [29], [30] introduced two schemes that support black-box tracing and white-box tracing for illegal keys. However, both schemes are constructed using composite-order bilinear groups, which impacts algorithm efficiency. To enhance efficiency, Ning et al. [31], [32] developed two CP-ABE schemes supporting white-box tracking using prime-order bilinear group construction. Zhang et al. [33] proposed a traceable scheme featuring online/offline encryption. Additionally, Zhang et al. [34] proposed a CP-ABE scheme supporting authority center accountability through techniques such as discrete logarithm zero-knowledge proofs. In 2016, Yu et al. [35] proposed an authority-traceable ABE scheme with public verifiability, allowing auditors to verify publicly whether leaked keys originated from malicious users or authority entities. In 2017, in the scheme designed by Zhang et al. [36], decryption keys are generated through interaction between users and the authority center, and auditors can identify the identity of forgers. In 2020, Li et al. [37] built an authority center accountable scheme supporting access policy hiding based on prime-order bilinear groups. In 2021, Hei et al. [38] proposed a solution assisted by blockchain to address illegal authorization and key leakage issues.

1.2. Motivation and our contributions

1.2.1. Motivation

We have analyzed certain limitations present in existing solutions. Our work aims to design an efficient and flexible ABE scheme for secure cloud storage, addressing these constraints.

(1) High Computational Costs: The high computational costs associated with encryption and decryption pose critical barriers to deploying traditional attribute-based encryption schemes on resource-constrained devices. While some schemes adopt online/offline encryption mechanisms and outsourced decryption to alleviate computational pressure, they still face challenges related to the secure storage of offline ciphertexts [18], [33], [39] and the correctness of outsourced decryption [19], [27], [28].

(2) Key Escrow Problem: In schemes [19], [34], [35], the majority involve the attribute authorization center generating outsourced keys and final decryption keys for users, leading to a key custody problem. During the process of tracking malicious users, those accused may argue that the keys were not leaked by them but rather by the attribute authorization center. To eliminate disputes, the issue of key custody must be addressed.

(3) Abuse of Attribute Keys: Malicious users may exploit attribute keys for personal gain by selling their authorized attribute keys to unauthorized users, thereby enabling unauthorized users to gain access to encrypted data. Additionally, the attribute authorization center could also fabricate a decryption key with the ability to decrypt, without the risk of being discovered [36], [37]. Therefore, tracking and assigning accountability for illegal keys is an urgent issue in need of resolution.

(4) Inappropriate User Revocation: Considering that users may involuntarily leak their keys due to improper personal storage practices or external attacks, directly revoking decryption privileges might not be an appropriate solution.

1.2.2. Our contributions

In response to the aforementioned issues, this paper proposes an efficient and accountable anti-leakage attribute encryption scheme, which offers the following contributions:

(1) Secure Online/Offline Encryption: To mitigate the substantial computational burden imposed by attribute encryption on devices with limited computing resources, we have adopted a more secure online/offline encryption technique. Recognizing the potential vulnerability of offline ciphertexts to attacks, which could allow unauthorized decryption of attribute ciphertexts, this paper introduces an additional layer of encryption for offline ciphertexts, decrypted and utilized upon going online.

(2) Key Escrow Free: To diminish dependence on the attribute authorization center, the complete attribute key is generated by the cooperation between the attribute authorization center and the user. The user selects and keeps the final decryption key private. Without it, the attribute authorization center cannot generate a valid decryption key for a legitimate user.

(3) Verifiable Outsourced Decryption: In order to release the user's decryption pressure, cloud servers use outsourced decryption keys for semi decryption. Based on the discrete logarithm problem, cloud servers cannot obtain plaintext without the final decryption key. To avoid cloud servers returning incorrect semi decryption results due to system errors or external attacks, users can verify the correctness of cloud server semi decryption through verification key.

(4) Illegal Key Accountability: For captured illegal keys, we establish white-box traceability. Any user's voluntary disclosure of keys or the attribute authorization center's forging of keys can be traced back. Users are mandated to digitally sign their final decryption keys for identity verification in cases of illegal key accountability.

(5) Passive Leakage Updateable: In instances of users voluntarily disclosing keys, they are removed from the authorized user list, thereby revoking their decryption privileges. In cases of passive key leakage due to attacks or intrusion, users can promptly update their decryption keys to annul the decryption capabilities of the original keys.

This paper proposes an efficient and accountable anti-leakage attribute-based encryption scheme. The scheme combines online/offline encryption and outsourced decryption, alleviating the computational burden of encryption and decryption. Furthermore, the scheme also addresses the issues of key escrow and key misuse by users and the authorization center. It specifically designs a key update algorithm for the event of key leakage. Finally, we provide proofs of security against selective plaintext attack and of the accountability of the scheme.

2. Preliminaries

In this section, we introduce the preliminaries related to the proposed scheme.

2.1. Bilinear maps

Definition 3

(Bilinear Maps) Let $G_0$ and $G_T$ be two groups with the prime order $p$. A bilinear pairing satisfies the following properties.

(1) Bilinearity: $\forall u, v \in G_0$, $a, b \in Z_p$, $e(u^a, v^b) = e(u, v)^{ab}$.

(2) Non-degeneracy: $e(u, v) \neq 1$.

(3) Computability: There is a polynomial time algorithm to compute $e(u, v) \in G_T$ for any $u, v \in G_0$.

2.2. Assumptions

Definition 4

(qSDH Assumption [40]) Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$, the q-Strong Diffie-Hellman (qSDH) problem in $G$ is defined as follows: given $(g, g^a, g^{a^2}, \ldots, g^{a^q})$ as inputs, output a pair $(\beta, g^{1/(\beta+a)}) \in Z_p \times G$. An algorithm $A$ has advantage $\varepsilon$ in solving qSDH in $G$ if

$$\Pr[A(g, g^a, g^{a^2}, \ldots, g^{a^q}) = (\beta, g^{1/(\beta+a)})] \geq \varepsilon$$

Definition 5

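(qBDHE Assumption [41]) Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$. Let $\lambda, s, a_1, \ldots, a_q \in Z_p$ be chosen at random. If an adversary $A$ is given

$$\bar{y} = \left\{ \begin{array}{ll} g,\ g^s & \\ g^{\lambda^i}, & i \in [2q],\ i \neq q+1 \\ g^{s a_j}, & j \in [q] \\ g^{\lambda^i / a_j}, & (i, j) \in [2q, q],\ i \neq q+1 \\ g^{s \lambda^i a_j / a_{j'}}, & (i, j, j') \in [q, q, q],\ j \neq j' \end{array} \right\}$$

it is hard for the attacker $A$ to distinguish $e(g,g)^{s\lambda^{q+1}} \in G_T$ from an element $T$ that is randomly chosen from $G_T$.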

2.3. Notations

The main notations presented in this paper are summarized in Table 1.

Table 1.

Summary of Notations.

| Notation | Description |
|---|---|
| $K$ | key space |
| $x \in_R B$ | randomly select an element from set $B$ |
| $h$ | hash function $h: \{0,1\}^* \to K$ |
| $H$ | hash function $H: \{0,1\}^* \to Z_p$ |
| $PP$/$MSK$ | public parameters/master secret key |
| $S$/$(M,\rho)$ | attribute set/access structure |
| $SK_{id,S}$ | attribute key of user (with identity $id$ and attribute set $S$) |
| $UL$ | authorized user list |
| $CT$/$FT$/$TCT$ | ciphertext/offline ciphertext/semi-decrypted ciphertext |
| $K_{pub,id}$/$K_{pri,id}$ | digital signature public/private key pair of user $id$ |
| $VK_M$ | verification key |
| $SEnc$/$SDec$ | cryptographically secure symmetric encryption/decryption pair |
| $Sig_M$/$Sig_{id}$ | digital signature of verification key/user $id$ |
| $sign$/$ver$ | digital signature/verify signature |

3. Problem formulation

In this section, we will introduce the system model, the definition of the scheme algorithm, and the security model for the proposed scheme in this paper.

3.1. System model

The system model proposed in this paper is illustrated in Fig. 1. It consists of six types of entities: Certificate Authority (CA), Attribute Authority (AA), Third Party Auditor (TPA), Cloud Server (CS), Data Owner (DO), and Data User (DU).

Figure 1. System model.

Certificate Authority (CA): CA performs system parameter configuration and distributes digital signature keys to users.

Attribute Authority (AA): AA is responsible for user registration and generating attribute keys for users. It also generates an authorized user list and uploads it to the cloud server.

Third Party Auditor (TPA): The TPA validates the validity of the keys in the system and holds entities accountable for any illegal activities. If the AA forges the keys, further actions are taken against the involved parties. If a malicious user actively leaks the keys, their decryption privileges are revoked.

Cloud Server (CS): The CS has powerful computing capabilities and immense storage capacity. It stores encrypted files of the data owners and, upon receiving decryption requests from data users, partially decrypts the ciphertext, sending the partially decrypted results and relevant verification information to the users.

Data Owner (DO): The DO utilizes cloud storage services to store files. Before storage, the DO encrypts the plaintext. Specifically, the DO specifies an access policy, embedding it into the ciphertext during encryption to achieve fine-grained access control.

Data User (DU): DU can request access to data from the cloud server. If the user's attributes satisfy the access policy defined by the DO, the cloud server will respond to the decryption request. The DU can perform the final decryption on the partially decrypted ciphertext. Additionally, DU can update the leaked key and revoke the decryption ability of the leaked key.

3.2. Definition of our scheme

The efficient and accountable anti-leakage encryption scheme consists of 10 algorithms:

  • Setup(κ). CA takes a security parameter as input and generates two outputs: public parameters (PP) and master secret key (MSK).

  • KeyGen(MSK,PP,id,S). AA interacts with the user to output attribute keys. AA takes inputs such as the public parameters PP, the system master key MSK, the user id, and the attribute set S, and outputs the user's attribute key SK and the authorized user list UL. The attribute key SK embeds the information of the AA and the user.

  • Offline.Encrypt($PP, U$). The input consists of public parameters $PP$ and attribute universe $U$, and the output is the offline ciphertext $C_{FT}$ obtained through symmetric encryption.

  • Online.Encrypt($PP, C_{FT}, (M,\rho)$). The input consists of public parameters $PP$, encrypted offline ciphertext $C_{FT}$, and an access policy $(M,\rho)$. The output includes attribute ciphertext $CT$, verification keys $VK_M$, and the signature of the verification keys $Sig_M$.

  • Cloud.Decrypt($CT, UL, SK_{id,S}$). The input includes attribute ciphertext $CT$, authorized user list $UL$, and user attribute key $SK_{id,S}$. If the user is part of the authorized user list and their attribute set satisfies the access policy, the output is the partially decrypted ciphertext $TCT$. Otherwise, the output indicates a failure in partial decryption.

  • User.Decrypt($TCT, C, C_M, K_{fin}$). The input consists of the partially decrypted ciphertext $TCT$, the ciphertext $C$ and $C_M$, and the user's final decryption key $K_{fin}$. The output is the plaintext $M$.

  • Verify($\zeta, C_M, VK_M, Sig_M$). The input includes the decryption result $\zeta$, the symmetric ciphertext $C_M$, the verification key $VK_M$, and the signature of the verification key $Sig_M$. If the verification is successful, the output is 1. Otherwise, the output is 0.

  • Accountability($SK_{id,S}, PP, UL$). The input includes the captured illegal key $SK_{id,S}$, public parameters $PP$, and the authorized user list $UL$. If the illegal key fails the validity check, the output ⊥ indicates that it is not a valid key. Otherwise, the output indicates either a user or AA.

  • UserRevocation(id,UL). The input consists of the malicious user id and the authorized user list UL. The output is the updated authorized user list UL after revocation.

  • KeyUpdate($SK_{id,S}$). The input is the leaked key $SK_{id,S}$, and the output is the updated key $SK_{id,S,new}$.

3.3. Security model

3.3.1. IND-CPA security model

In this section, we will describe the security model of our scheme through a game between an adversary and a challenger. The specific game is shown in Fig. 2.

Figure 2. IND-CPA security game.

Definition 6

If for any PPT adversary, the advantage of winning in the above game is negligible, then the scheme is considered IND-CPA secure.

3.3.2. Accountability security model

As shown in Figures 3 and 4, we define two games for accountability targeting dishonest AA and dishonest users, respectively.

Figure 3. The DishonestAA Game.

Figure 4. The DishonestUser Game.

In the dishonest AA game, malicious AA will attempt to calculate the key family number b in the user's decryption key. We define the DishonestAA Game of our scheme through an interactive game between an adversary and a challenger.

In the dishonest user game, if the adversary generates a new secret key SKid associated with the queried identity id, it means that the information related to the identity id in the key has been successfully modified.

Definition 7

If the advantage of winning in the above two games is negligible for any PPT adversary, then the scheme is considered accountable.

4. Construction of our scheme

In this section, we describe the specific construction of the scheme proposed in this paper.

(1) Setup($\kappa$). Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$. Let $e: G \times G \to G_T$ be the bilinear map. Define attribute universe $U$ and hash functions $h: \{0,1\}^* \to K$ and $H: \{0,1\}^* \to Z_p$. Generate digital signature key pairs $\{K_{pub,id}, K_{pri,id}\}$ for user $id$ in the system. Given a security parameter $\kappa$ as input, CA randomly selects $\alpha, a, \delta \in_R Z_p$. The public parameters of the system are $PP = (g, A = g^a, g^\delta, e(g,g)^\alpha, h, H)$ and the master key is $MSK = (\alpha, a, \delta)$. The CA distributes $MSK$ to the registered attribute authority.

(2) KeyGen($MSK, PP, id, S$). When a user applies to join the system, it first chooses a random number $b \in_R Z_p$ and computes $\theta = g^b$. It sets its personal final decryption key $K_{fin} = b$ and keeps it secret. Additionally, it calculates the signature $Sig_{id} = sign_{K_{pri,id}}(H(id \| b))$. The user sends both $\theta$ and $Sig_{id}$ to the AA. Based on the user $id$ and attribute set $S$, AA generates the attribute key for the user.

AA randomly selects $\gamma, t \in_R Z_p$ and computes $K_{id} = \theta^{\alpha/(\delta+\gamma)} \theta^{at} = g^{\alpha b/(\delta+\gamma)} g^{bat}$, $K_1 = \gamma$, $K_2 = \theta^t = g^{bt}$, $K_3 = \theta^{\delta t} = g^{\delta b t}$, $K_x = \theta^{H(x)(\delta+\gamma)t} = g^{H(x)(\delta+\gamma)bt}$ $(x \in S)$. Output the attribute key for the user as $SK_{id,S} = (K_{id}, K_1, K_2, K_3, \{K_x\}_{x \in S})$. The user adds $K_{fin} = b$ to obtain its complete attribute key $SK_{id,S} = (K_{id}, K_1, K_2, K_3, K_{fin}, \{K_x\}_{x \in S})$.

AA adds $(id, \gamma, Sig_{id}, K_{id})$ to the authorized user list $UL$ and uploads $UL$ to the cloud server for storage.

(3) Offline.Encrypt($PP, U$). Input the public parameters $PP$. Randomly choose $s \in_R Z_p$ and compute $D_1 = g^s$, $D_2 = g^{\delta s}$, $D_3 = e(g,g)^{\alpha s}$. For each $i \in [U]$, randomly select $\lambda_i', r_i \in_R Z_p$ and calculate $C_{i,1} = g^{a\lambda_i'}$, $C_{i,2} = g^{H(\rho(i)) r_i}$, $C_{i,3} = g^{r_i}$. Output the offline ciphertext $FT = (D_1, D_2, D_3, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i \in [U]})$.

To prevent potential security risks from offline ciphertext leakage, the offline ciphertext is symmetrically encrypted and stored locally. It can be decrypted when needed. The encrypted offline ciphertext is $C_{FT} = SEnc_{k_{FT}}(FT)$, where $k_{FT}$ represents the symmetric encryption key, which is kept secret by the data owner.

(4) Online.Encrypt($PP, M, C_{FT}, (M,\rho)$). Input the public parameters $PP$, plaintext set $M$, encrypted offline ciphertext $C_{FT}$, and the access policy $(M,\rho)$. Let $M$ be an $l \times n$ matrix and $\rho$ be the function that associates rows of $M$ to attributes.

Randomly select $\zeta \in_R G_T$ and compute the symmetric key $k_M = h(\zeta)$. Then, use this symmetric key to encrypt the plaintext set $M = \{M_1, M_2, \ldots, M_m\}$, resulting in a ciphertext set $C_M = \{C_{M_j}\}_{1 \le j \le m}$, $C_{M_j} = SEnc_{k_M}(M_j)$. Compute the verification key $VK_{M_j} = H(\zeta \| C_{M_j})$ to validate the correctness of the partially decrypted result from the cloud server. Use the signature private key of the data owner $K_{pri,o}$ to calculate the digital signature $Sig_{M_j} = sign_{K_{pri,o}}(VK_{M_j})$ for the verification key. Decrypt the offline ciphertext $FT = SDec_{k_{FT}}(C_{FT})$ using the key $k_{FT}$. Randomly choose $y_2, y_3, \ldots, y_n \in_R Z_p$ and let $\vec{\upsilon} = (s, y_2, \ldots, y_n)$. Compute $\lambda_i = M_i \cdot \vec{\upsilon}$, $i = 1, \ldots, l$, where $M_i$ is the $i$-th row vector of $M$. Randomly select $r_1, \ldots, r_l \in_R Z_p$ and compute the ciphertext $C = \zeta \cdot D_3$, $C_{i,4} = \lambda_i - \lambda_i'$. Output the ciphertext $CT = ((M,\rho), C_M, C, D_1, D_2, \{C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}\}_{i \in [l]})$.

The data owner uploads the ciphertext $CT$, verification key $\{VK_{M_j}\}$, and the signature $\{Sig_{M_j}\}$ to the cloud server.

(5) Cloud.Decrypt($CT, UL, SK_{id,S}$). Input the ciphertext $CT$, authorized user list $UL$, and user attribute key $SK_{id,S}$. The parameters $K_{id}$ and $K_{fin}$ do not need to be uploaded. If the user belongs to the $UL$ and its attribute set satisfies the access policy, there exists a set of constants $\{\omega_i \in Z_p\}_{i \in I}$ so that $\sum_{i \in I} \omega_i \lambda_i = s$. Let $I \subseteq \{1, 2, \ldots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. The cloud server retrieves the corresponding $K_{id}$ for the user from the $UL$ and calculates the partially decrypted result using the following method:

$$TCT = \frac{e(D_1^{K_1} D_2, K_{id})}{\prod_{i \in S} \left[ e(C_{i,1} A^{C_{i,4}} C_{i,2}, K_2^{K_1} K_3) \, e(C_{i,3}, K_{\rho(i)}) \right]^{\omega_i}}$$

The cloud server returns the partially decrypted result $TCT$, verification key $\{VK_{M_j}\}$, signature $\{Sig_{M_j}\}$, $C$ and $C_M$ to the user.

(6) User.Decrypt($TCT, C, C_M, K_{fin}$). Upon receiving the partially decrypted result $TCT$, the user calculates $\zeta = C / TCT^{K_{fin}^{-1}}$. Then, compute $k_M = h(\zeta)$ and restore plaintext through $M = SDec_{k_M}(C_M)$.

(7) Verify($\zeta, C_M, VK_M, Sig_M$). Verify whether the equation $H(\zeta \| C_{M_j}) = VK_{M_j}$ holds. If it holds true, use $VK_{M_j} = ver_{K_{pub,o}}(Sig_{M_j})$ to verify the validity of its signature. If successful, it confirms that the cloud server's partial decryption is correct.

(8) Accountability($SK_{id,S}, PP, UL$). If an illegal key is detected in the system, first check the validity of the illegal key. If it passes the following checks, it indicates that the key is valid. Otherwise, output ⊥.

  • The illegal key is in the form of $(K_{id}, K_1, K_2, K_3, K_{fin}, \{K_x\})$, $K_1, K_{fin} \in Z_p$, $K_{id}, K_2, K_3, \{K_x\} \in G$.

  • $e(g, K_3) = e(g^\delta, K_2)$

  • $e(g^\delta g^{K_1}, K_{id}) = (e(g,g)^\alpha)^{K_{fin}} \, e(K_2^{K_1} K_3, g^a)$

  • $e(\prod_{i \in I} g^{H(\rho(i))}, K_2^{K_1} K_3) = e(g, \prod_{i \in I} K_x)$

If the illegal key is valid, extract $K_1 = \gamma$ from the key and search for tuples in the $UL$ that contain $K_1$. If there are no tuples in the $UL$ with the mentioned condition, it implies that the illegal key has been forged by the AA. If such tuples exist, extract the user $id$ from the tuple and compare $K_{fin} = b$ of the illegal key with $K_{fin,id} = b_{id}$ of the user $id$. If $b = b_{id}$, it indicates that the invalid key has been maliciously leaked by the mentioned user. If $b \neq b_{id}$ and $b_{id} = ver_{K_{pub,id}}(Sig_{id})$, it indicates that the invalid key has been forged by the AA.

(9) UserRevocation($id, UL$). Input the user $id$ to be revoked and the authorized user list $UL$, then remove the corresponding tuple $(id, \gamma, Sig_{id}, K_{id})$ from the $UL$.

(10) KeyUpdate($SK_{id,S}$). Input the user key $SK_{id,S} = (K_{id}, K_1, K_2, K_3, K_{fin}, \{K_x\}_{x \in S})$ and randomly select $b' \in_R Z_p$ to compute $K_{id,new} = K_{id}^{b'}$, $K_{2,new} = K_2^{b'}$, $K_{3,new} = K_3^{b'}$, $K_{fin,new} = K_{fin} b'$, $K_{x,new} = K_x^{b'}$, $Sig_{id,new} = sign_{K_{pri,id}}(H(id \| b b'))$. Output the new attribute key $SK_{id,S,new} = (K_{id,new}, K_1, K_{2,new}, K_{3,new}, K_{fin,new}, \{K_{x,new}\}_{x \in S})$. The user sends $K_{id,new}$ and $Sig_{id,new}$ to the cloud server, which updates them in the authorized user list.
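
The algebra of KeyGen, the two-stage decryption, the Accountability checks and KeyUpdate can be exercised end to end without a pairing library. The following is an added example, not code from the paper or its authors: it works in a toy exponent model (each group element is represented by its discrete logarithm, so it offers no security), and all function names are hypothetical. Assumptions: a two-attribute AND policy with both $\omega_i = 1$, a hash of id and b standing in for the signed value behind $Sig_{id}$, and a negative exponent on $C_{i,2}$ so that the $r_i$ terms cancel in Cloud.Decrypt.

```python
# Added example, not the paper's code. "Exponent model": g^x is stored as x mod P
# and e(g,g)^y as y mod P, so group multiplication becomes +, exponentiation
# becomes * and the pairing becomes x*y. It checks algebra and gives no security.
import hashlib
import secrets

P = 2**61 - 1                                   # toy prime order (assumption)

def rnd():
    return secrets.randbelow(P - 1) + 1

def H(s):                                       # H: {0,1}* -> Z_p
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % P

def pair(x, y):                                 # e(g^x, g^y) = e(g,g)^(xy)
    return x * y % P

def setup():                                    # here PP and MSK hold the same numbers
    return {"alpha": rnd(), "a": rnd(), "delta": rnd()}

def keygen(par, uid, attrs, ul, gamma=None):
    b = rnd()                                   # K_fin, chosen and kept by the user
    gamma, t = gamma or rnd(), rnd()            # chosen by the AA
    dg = (par["delta"] + gamma) % P
    sk = {"Kid": (b * par["alpha"] * pow(dg, -1, P) + b * par["a"] * t) % P,
          "K1": gamma, "K2": b * t % P, "K3": b * par["delta"] * t % P,
          "Kfin": b, "Kx": {x: b * H(x) * dg * t % P for x in attrs}}
    # UL tuple (id, gamma, Sig_id, K_id); H(id|b) stands in for the signed value
    ul[uid] = {"gamma": gamma, "commit": H(f"{uid}|{b}"), "Kid": sk["Kid"]}
    return sk

def key_is_valid(par, sk):                      # the three pairing checks of Accountability
    k = (sk["K2"] * sk["K1"] + sk["K3"]) % P    # K2^K1 * K3
    c1 = pair(1, sk["K3"]) == pair(par["delta"], sk["K2"])
    lhs = pair(par["delta"] + sk["K1"], sk["Kid"])
    c2 = lhs == (par["alpha"] * sk["Kfin"] + pair(k, par["a"])) % P
    c3 = pair(sum(H(x) for x in sk["Kx"]), k) == pair(1, sum(sk["Kx"].values()))
    return c1 and c2 and c3

def accountability(par, sk, ul):
    if not key_is_valid(par, sk):
        return None                             # the paper's "bottom" output
    for uid, rec in ul.items():
        if rec["gamma"] == sk["K1"]:            # K1 = gamma found in UL
            leaked = rec["commit"] == H(f"{uid}|{sk['Kfin']}")
            return ("user", uid) if leaked else ("AA", uid)
    return ("AA", None)                         # gamma unknown to UL: forged by AA

def encrypt(par, rho):                          # policy rho[0] AND rho[1]; LSSS rows (1,1), (0,-1)
    s, y2, zeta = rnd(), rnd(), rnd()
    rows = []
    for attr, lam in zip(rho, [(s + y2) % P, -y2 % P]):
        lam_off, r = rnd(), rnd()               # offline phase values
        # assumption: C2 carries a negative exponent so the r terms cancel
        rows.append({"attr": attr, "C1": par["a"] * lam_off % P, "C3": r,
                     "C2": -H(attr) * r % P, "C4": (lam - lam_off) % P})
    return zeta, {"C": (zeta + par["alpha"] * s) % P, "D1": s,
                  "D2": par["delta"] * s % P, "rows": rows}

def cloud_decrypt(par, ct, ul, uid, up):        # up: the uploaded K1, K2, K3, Kx
    if uid not in ul:
        return None                             # revoked or unknown user
    k = (up["K2"] * up["K1"] + up["K3"]) % P
    num = pair(ct["D1"] * up["K1"] + ct["D2"], ul[uid]["Kid"])
    den = sum(pair(r["C1"] + par["a"] * r["C4"] + r["C2"], k)
              + pair(r["C3"], up["Kx"][r["attr"]]) for r in ct["rows"])  # omega_i = 1
    return (num - den) % P

def user_decrypt(ct, tct, kfin):                # zeta = C / TCT^(1/K_fin)
    return (ct["C"] - tct * pow(kfin, -1, P)) % P

def key_update(sk, uid, ul):
    b2 = rnd()                                  # the fresh b'
    new = {k: sk[k] * b2 % P for k in ("Kid", "K2", "K3", "Kfin")}
    new["K1"] = sk["K1"]
    new["Kx"] = {x: v * b2 % P for x, v in sk["Kx"].items()}
    ul[uid].update(Kid=new["Kid"], commit=H(f"{uid}|{new['Kfin']}"))
    return new

def demo():
    attrs = ["dept:rd", "role:engineer"]        # constructed sample attributes
    par, ul = setup(), {}
    sk = keygen(par, "alice", attrs, ul)
    zeta, ct = encrypt(par, attrs)
    opens = lambda k: user_decrypt(ct, cloud_decrypt(par, ct, ul, "alice", k), k["Kfin"]) == zeta
    out = {"decrypts": opens(sk),
           "leaked_by": accountability(par, sk, ul),
           "tampered": accountability(par, dict(sk, Kfin=rnd()), ul),
           "forged_new_gamma": accountability(par, keygen(par, "x", attrs, {}), ul),
           "forged_same_gamma": accountability(par, keygen(par, "x", attrs, {}, gamma=sk["K1"]), ul)}
    new = key_update(sk, "alice", ul)           # passive leak: owner refreshes the key
    out.update(new_key_valid=key_is_valid(par, new),
               old_key_decrypts=opens(sk), new_key_decrypts=opens(new))
    del ul["alice"]                             # UserRevocation
    out["revoked"] = cloud_decrypt(par, ct, ul, "alice", new) is None
    return out

if __name__ == "__main__":
    print(demo())
```

After `key_update`, the old key still passes the pairing checks, but the cloud now pairs against the refreshed $K_{id}$ stored in $UL$, so the old $K_{fin}$ no longer recovers $\zeta$.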

Discussion: Detecting illegal secret keys is paramount. We need to clarify in this paper that if an authorized user privately provides his authorization key to an unauthorized user, the key cannot be found, as an unauthorized user with a real key and an authentic user cannot be differentiated. In addition, assuming that authorized users publicly sell or publish keys on any Web-based business platform, such improper behavior will be discovered and considered as “abuse of secret key”. On the other hand, we hope to incorporate more refined monitoring mechanisms, such as identifying potential illegal key usage through behavior analysis or anomaly detection.

5. Security analysis

5.1. IND-CPA security analysis

We reduce the IND-CPA security of our scheme to scheme [41]. Under the qBDHE assumption, scheme [41] has been proven to be IND-CPA secure.

Theorem 1

If there is an adversary A that can break our scheme with a non-negligible advantage ε, we can construct an algorithm B that breaks the scheme [41] with the advantage ε.

Proof

We assume there exists an adversary A that can break our scheme with a non-negligible advantage ε. We construct an algorithm B that breaks the scheme [41] with the same advantage ε. Define C as the challenger that interacts with B in the scheme [41].

Setup: The adversary A first sends the access policy $(M,\rho)$ it wants to attack to B. B will send it to the challenger C. C returns the public parameters to B. B randomly selects $\delta$ and $h$ and returns the public parameters $PP = (g, e(g,g)^\alpha, g^a, g^\delta, h, H)$ to A, where for each attribute $x_i$ in the attribute universe $U$, $h_i = g^{H(x_i)}$.

Phase 1: The adversary A queries B for the attribute key corresponding to the attribute set $(id_1, S_1), (id_2, S_2), \ldots, (id_{q1}, S_{q1})$. Here it requires that for any $i \in [q1]$, $S_i$ cannot satisfy the access policy $(M,\rho)$. B sends $S_i$ to C to obtain the key $K = g^\alpha g^{at'}$, $L = g^{t'}$, $K_x' = h_x^{t'}$ of Scheme [41]. B randomly selects $\gamma$ and sets $t = t'/(\delta+\gamma)$, calculates $K_{fin} = b$, $K_1 = \gamma$, $K_2 = L^{b/(\delta+\gamma)} = g^{bt}$, $K_3 = K_2^\delta = g^{\delta b t}$, $K_x = K_x'^{\,b} = g^{H(x)(\delta+\gamma)bt}$. B sends $SK_{id,S} = (K_{id}, K_1, K_2, K_3, \{K_x\}_{x \in S})$ to A. $K_{fin} = b$ is only known to A.

Challenge: A submits two equal-length messages $M_0, M_1$ to B. B sends them to the challenger C. C runs the encryption algorithm to obtain ciphertext $C$, $C' = g^s$, $C_i = g^{a\lambda_i} h_{\rho(i)}^{r_i}$ and returns them to B. For $C$, C randomly selects $b \in \{0,1\}$, and $C$ may be $M_b \cdot e(g,g)^{\alpha s}$ or a random value in $G_T$. B returns the challenge ciphertext $CT = (D_1 = g^s, D_2 = g^{\delta s}, C_{i,1} = g^{a\lambda_i'}, C_{i,2} = g^{H(\rho(i)) r_i}, C_{i,3} = g^{r_i}, C_{i,4} = \lambda_i - \lambda_i')$ to A.

Phase 2: A repeats the queries from Phase 1, similarly all the queried attribute sets do not satisfy the access policy $(M,\rho)$ mentioned earlier.

Guess: A outputs a guessed result $b' \in \{0,1\}$ to B. B sends $b'$ to C.

If A can break our scheme with advantage ε, then the simulator can break the [41] scheme with the same advantage ε. □

5.2. Accountability security analysis

a) Analysis of the DishonestAA Game

Theorem 2

If computing discrete logarithms in group G is difficult, then for our scheme, the advantage of any PPT adversary in the DishonestAA Game is negligible.

Proof

To prove this theorem, we assume that there is a adversary A which has a non-negligible advantage AdvA in the DishonestAA Game in our scheme. Then we can use this adversary to build a PPT simulator B to solve the discrete logarithm problem in the group G with a non-negligible advantage.

Setup: The adversary A (acting as a malicious AA) runs the Setup algorithm and sends the public parameters PP=(g,e(g,g)α,ga,gδ,h,H) and a user's identity id to the simulator B. B checks whether the formats of PP and id are correct. If the check fails, the game aborts

Key Generation: B calls the challenger C, passing $g$ to C. C randomly selects $b\in Z_p$ and returns the challenge $\theta=g^{b}$ to B. B sends $\theta$ and a zero-knowledge proof of $\theta$ to A. Then A calls KeyGen(MSK, PP, id, S) $\to$ SK and sends SK to B.

Key Forgery: A will output a decryption key $SK=(K_{id},K_1,K_2,K_3,K_{fin}=b,\{K_x\}_{x\in S})$ related to $id$. B checks whether the format of SK is correct. If the check fails, the game aborts. If the format of SK is correct, B sends $b$ to C.

If the advantage $Adv_A$ in the DishonestAA Game in our scheme is non-negligible, we can construct a PPT simulator B that can solve the discrete logarithm problem with a non-negligible advantage. However, since the computation of the discrete logarithm problem is considered difficult, there is no PPT adversary A in our scheme that can win the DishonestAA Game with a non-negligible advantage $Adv_A$. □

b) Analysis of the DishonestUser Game

Theorem 3

Under the qSDH assumption, an adversary's advantage in winning the DishonestUser Game is negligible.

Proof

Assume there is a PPT adversary A that can win the DishonestUser Game with a non-negligible advantage $Adv_A$. Then, we can construct a PPT algorithm C to break the qSDH assumption. C is given a problem instance of qSDH: $(\hat{g},\hat{g}^{\delta},\hat{g}^{\delta^{2}},\ldots,\hat{g}^{\delta^{q}})$. Set $A_i=\hat{g}^{\delta^{i}}$ for $i\in\{0,1,\ldots,q\}$.

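Setup: C chooses $c_1,\ldots,c_q\in Z_p$ randomly and sets $f(x)=\prod_{i=1}^{q}(x+c_i)=\sum_{i=0}^{q}\alpha_i x^{i}$, where $\alpha_0,\ldots,\alpha_q\in Z_p$ are the coefficients of $f(x)$. Then, C sets $g=\prod_{i=0}^{q}(A_i)^{\alpha_i}=\hat{g}^{f(\delta)}$, $g^{\delta}=\prod_{i=1}^{q}(A_i)^{\alpha_{i-1}}=\hat{g}^{f(\delta)\delta}$. Then C selects $\alpha,a\in Z_p$ and outputs the public key $PP=(g, e(g,g)^{\alpha}, g^{a}, g^{\delta}, h, H)$.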

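Key Query: A submits $(id_i,S_i)$ to C as the $i$th secret key query $(i\le q)$. Set $f_i(x)=\sum_{i=0}^{q-1}\beta_i x^{i}$, where $\beta_0,\ldots,\beta_{q-1}\in Z_p$ are the coefficients of $f_i(x)$. Compute $\sigma_i=\prod_{j=0}^{q-1}(A_j)^{\beta_j}=\hat{g}^{f_i(\delta)}=\hat{g}^{f(\delta)/(\delta+\gamma_i)}=g^{1/(\delta+\gamma_i)}$.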

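C selects $t\in Z_p$ and computes $K_{id}=g^{\frac{\alpha b}{\delta+\gamma_i}}g^{bat}$, $K_1=\gamma_i$, $K_2=g^{bt}$, $K_3=g^{\delta bt}$, $K_x=g^{H(x)(\delta+\gamma)bt}$ $(x\in S)$. Finally, C outputs the queried secret key $SK_{id_i,S_i}=(K_{id},K_1,K_2,K_3,\{K_x\}_{x\in S_i})$.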

Key Forgery: A outputs a challenge secret key SK. Let $\xi_A$ denote the event that A wins the game, i.e., SK passes the key sanity check and $K_1\notin\{\gamma_1,\ldots,\gamma_q\}$.

- If $\xi_A$ does not happen, C selects a random tuple $(c,w)\in Z_p\times G$ as the solution for the q-SDH problem.

- If $\xi_A$ happens, C makes use of SK to break the qSDH problem.

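C utilizes long division to represent $f(x)$ as $f(x)=\varphi(x)(x+K_1)+\varphi_1$ for some $\varphi_1\in Z_p$. Since $f(x)=\prod_{i=1}^{q}(x+\gamma_i)$ and $K_1\notin\{\gamma_1,\ldots,\gamma_q\}$, $(x+K_1)$ does not divide $f(x)$. Then $\varphi_1\neq 0 \pmod{p}$ and $\gcd(\varphi_1,p)=1$. Expand $\varphi(x)$ as $\varphi(x)=\sum_{i=0}^{q-1}\varphi_i x^{i}$, where $\varphi_0,\ldots,\varphi_{q-1}\in Z_p$ are the coefficients of $\varphi(x)$.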

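C computes $\Psi=\left[K_{id}/(K_2)^{a}\right]^{(\alpha b)^{-1}}=g^{\frac{1}{\delta+K_1}}=\left(\hat{g}^{f(\delta)}\right)^{\frac{1}{\delta+K_1}}=\hat{g}^{\varphi(\delta)}\,\hat{g}^{\frac{\varphi_1}{\delta+K_1}}$.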

C sets $c=K_1$ and computes $w=\left(\Psi\prod_{i=1}^{q-1}A_i^{-\varphi_i}\right)^{\frac{1}{\varphi_1}}=\hat{g}^{\frac{1}{\delta+K_1}}$. Then, $(c,w)$ is a well-constructed solution for the qSDH problem.

Let $\xi_{SDH}$ denote the event that $(c,w)$ is a solution for the qSDH problem. Suppose A has advantage $\xi$ in attacking the qSDH assumption and C has advantage $\xi$ in winning this game. Then,

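$$
\begin{aligned}
\xi &= \Pr[\xi_{SDH}] \\
&= \Pr[\xi_{SDH}\mid \neg A\ \mathrm{win}]\Pr[\neg A\ \mathrm{win}] + \Pr[\xi_{SDH}\mid A\ \mathrm{win}]\Pr[A\ \mathrm{win}] \\
&= \Pr[\xi_{SDH}\mid \neg A\ \mathrm{win}]\Pr[\neg A\ \mathrm{win}] \\
&\quad + \Pr[\xi_{SDH}\mid A\ \mathrm{win}\wedge\gcd(\varphi_1,p)\neq 1]\,\Pr[A\ \mathrm{win}\wedge\gcd(\varphi_1,p)\neq 1] \\
&\quad + \Pr[\xi_{SDH}\mid A\ \mathrm{win}\wedge\gcd(\varphi_1,p)=1]\,\Pr[A\ \mathrm{win}\wedge\gcd(\varphi_1,p)=1] \\
&= 0+0+1\cdot\Pr[A\ \mathrm{win}\wedge\gcd(\varphi_1,p)=1] \\
&= \Pr[A\ \mathrm{win}]\cdot\Pr[\gcd(\varphi_1,p)=1] \\
&= \Pr[A\ \mathrm{win}]\cdot 1 = \xi.
\end{aligned}
$$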

If C wins the game with non-negligible probability, then A can solve the qSDH problem with non-negligible probability using C's forged key. However, since solving the qSDH problem is difficult for any polynomial-time algorithm, there is no PPT adversary C in our scheme that has a non-negligible advantage in the DishonestUser Game. □
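The extraction step of this proof (long division of f(x) by (x + K1), then stripping the ĝ^φ(δ) factor from Ψ), carried out numerically as an added example that is not code from the paper. It assumes a toy order-1019 subgroup of Z*_2039 in place of the pairing group and starts from Ψ rather than from a full key; the function names and all constants are hypothetical, and `rem` is the remainder the proof calls φ1.

```python
# Added example: extraction step of the DishonestUser reduction in a toy group.
# All constants are constructed for illustration and far too small for real use.
P = 2039      # toy modulus, P = 2p + 1
p = 1019      # prime order of the subgroup generated by G_HAT
G_HAT = 4     # plays the role of g-hat in the q-SDH instance


def build_f(issued):
    """Coefficients (low to high, mod p) of f(x) = prod (x + c_i)."""
    f = [1]
    for c in issued:
        nxt = [0] * (len(f) + 1)
        for i, a in enumerate(f):
            nxt[i] = (nxt[i] + a * c) % p
            nxt[i + 1] = (nxt[i + 1] + a) % p
        f = nxt
    return f


def divide_by_linear(f, k):
    """Long division f(x) = phi(x)(x + k) + rem over Z_p; returns (phi, rem)."""
    n = len(f) - 1
    phi, carry = [0] * n, 0
    for i in range(n, 0, -1):
        carry = (f[i] - k * carry) % p
        phi[i - 1] = carry
    return phi, (f[0] - k * carry) % p


def multi_exp(bases, exps):
    """prod bases[i]^exps[i] mod P; the simulator only holds A_i, never delta."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * pow(b, e % p, P) % P
    return acc


def extract(A, issued, k1, psi):
    """Turn psi = g^(1/(delta + k1)) into the q-SDH answer (c, w)."""
    f = build_f(issued)
    phi, rem = divide_by_linear(f, k1)
    if rem == 0:
        # (x + k1) divides f(x): k1 is one of the issued values, not a forgery.
        raise ValueError("K1 was issued by the simulator")
    # psi = g_hat^phi(delta) * g_hat^(rem/(delta + k1)); cancel the first factor
    # using A_0..A_{q-1}, then take the rem-th root in the exponent.
    g_phi = multi_exp(A, phi)
    w = pow(psi * pow(g_phi, -1, P) % P, pow(rem, -1, p), P)
    return k1, w


def demo():
    """Build a toy instance; delta is used only to fake the forgery and check w."""
    delta, issued, k1 = 123, [11, 22, 33, 44, 55], 77   # constructed values
    A = [pow(G_HAT, pow(delta, i, p), P) for i in range(len(issued) + 1)]
    g = multi_exp(A, build_f(issued))                    # g = g_hat^f(delta)
    psi = pow(g, pow((delta + k1) % p, -1, p), P)        # stands in for the forged key
    c, w = extract(A, issued, k1, psi)
    return c, w, pow(w, (delta + c) % p, P) == G_HAT


if __name__ == "__main__":
    print(demo())
```

The zero-remainder branch is the case the proof excludes by requiring that K1 is not one of the issued values: there (x + K1) divides f(x) and Ψ yields nothing beyond what the simulator could already compute.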

6. Performance evaluation

This section presents a theoretical analysis and an experimental analysis of the scheme.

6.1. Theoretical analysis

In this section, we compared our scheme with other related CP-ABE schemes in terms of functionality and performance to highlight the advantages of our scheme. We use P to represent the time for a pairing operation and E to represent the time for an exponential operation. This analysis omits the computational costs of hash operations and multiplications because their costs are far less than P and E. The results are shown in Table 2 and Table 3.

Table 2. Functional comparison.

| Scheme | A1 | A2 | A3 | A4 | A5 | A6 | A7 |
|---|---|---|---|---|---|---|---|
| [22] | LSSS | No | Yes | Yes | No | Selectively secure | No |
| [24] | LSSS | No | Yes | Yes | No | Selectively secure | No |
| [29] | LSSS | No | No | Yes | No | Selectively secure | No |
| [33] | LSSS | Yes | No | Yes | No | Selectively secure | No |
| [34] | LSSS | No | No | Yes | Yes | Selectively secure | No |
| Ours | LSSS | Yes | Yes | Yes | Yes | Selectively secure | Yes |

A1: Access structure; A2: Online/offline encryption; A3: Outsourced decryption; A4: User accountability; A5: Authority accountability; A6: Security model; A7: Updatable key.

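Table 3. Storage and computation overhead comparison.

| Scheme | B1 | B2 | B3 | B4 | B5 | B6 |
|---|---|---|---|---|---|---|
| [22] | $4G + 2G_T$ | $(\lvert S\rvert + 3)G + \lvert Z_p\rvert$ | $(l + 3)G + 2G_T + \lvert Z_p\rvert$ | $0$ | $(2l + 6)E + 3P$ | $E$ |
| [24] | $(\lvert U\rvert + 3)G + G_T$ | $(\lvert S\rvert + 1)G + 3\lvert Z_p\rvert$ | $(2l + 1)G + G_T$ | $0$ | $(3l + 2)E + P$ | $E + P$ |
| [29] | $(\lvert U\rvert + 4)G$ | $(\lvert S\rvert + 3)G + \lvert Z_p\rvert$ | $(2l + 2)G + G_T$ | $0$ | $(3l + 3)E + P$ | $(2\lvert S\rvert + 1)(E + P)$ |
| [33] | $6G + G_T$ | $(2\lvert S\rvert + 4)G$ | $(5l + 2)G$ | $(5l + 3)E + P$ | $0$ | $(2\lvert S\rvert + 2)P + (3\lvert S\rvert + 3)E$ |
| [34] | $7G + G_T$ | $(2\lvert S\rvert + 7)G$ | $(3l + 3)G + G_T$ | $0$ | $(5l + 4)E + P$ | $(3\lvert S\rvert + 3)E + (3\lvert S\rvert + 1)P$ |
| Ours | $3G + G_T$ | $(\lvert S\rvert + 3)G + 2\lvert Z_p\rvert$ | $(3l + 2)G + G_T + l\lvert Z_p\rvert$ | $(3l + 3)E + P$ | $0$ | $E$ |

B1: Public parameter; B2: Secret key size; B3: Ciphertext size; B4: Offline encryption; B5: Online encryption; B6: Decryption.

$\lvert S\rvert$: size of attribute set $S$; $\lvert U\rvert$: size of the universe attribute set $U$; $l$: matrix $M$ has $l$ rows.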

From Table 2 and Table 3, it can be clearly seen that the scheme proposed in literature [22] introduced outsourced decryption and user accountability without incorporating authority accountability. Moreover, its encryption overhead involves more bilinear pairings compared to other schemes. The approach outlined in literature [24] lacks support for an online/offline encryption mechanism. Despite this, it reduces encryption and decryption computation costs by leveraging edge fog nodes, effectively mitigating the storage overhead of user keys. Nonetheless, similar to the scheme in literature [29], the size of public parameters in this scheme increases as the attribute domain expands. Additionally, while it integrates user accountability, it overlooks accountability for authority organizations or edge nodes. In the scheme proposed by [29], although its key size and ciphertext size are marginally smaller than our scheme, the encryption and decryption costs exhibit a significantly larger gap compared to ours. The scheme described in [33] adopts the same online/offline encryption mechanism as our scheme. However, its decryption computation burden rests solely on the user. Regarding the scheme introduced in literature [34], it offers both user and authority accountability. Nevertheless, its key size and ciphertext size surpass ours, resulting in significantly higher encryption and decryption computation costs compared to other schemes. Importantly, while these schemes incorporate user accountability mechanisms, none address passive key leakage of user keys. In contrast, our scheme includes a key update algorithm designed specifically to counter passive key leakage of user keys.

6.2. Experimental analysis

To evaluate performance, the schemes in [22], [29], [34] and our scheme were simulated and compared using the PBC library. The experimental configuration was Ubuntu 18.04.1 on an Intel Core i5-8300H CPU at 2.30 GHz. The curve is $y^{2}=x^{3}+x$ over the field $F_p$ for some prime $p=3 \pmod{4}$. The parameter $p$ = 8780710799663312522437781984754049815806883199414208211028653399266475630880222957078625179422662221423155858769582317459277713367317481324925129998224791 was provided by the PBC library.

In Figures 5 and 6, we conducted simulated efficiency experiments on the schemes in [22], [29], [34] and our own, and compared their performance. The horizontal axis represents the number of attributes, ranging from 10 to 100 in increments of 10, while the vertical axis indicates the time required to execute the corresponding operation in milliseconds. Specifically, Fig. 5(a) illustrates a comparison of key generation times among the mentioned schemes. The scheme proposed in reference [34], due to its complex key structure, has a significantly larger key size than other schemes as the number of user attributes increases, leading to significantly longer processing time. The key generation scheme in reference [22] requires two rounds of symmetric encryption to embed the user ID into the key, making it slightly faster than our scheme. The scheme in reference [29] is constructed from composite order groups, while our scheme is constructed from prime order groups, which is more efficient. In Fig. 5(b), we compared encryption times. Our scheme adopts an online/offline encryption mechanism, predominantly completing computations offline. Consequently, the online encryption overhead for the data owner involves minimal operations (primarily a single multiplication and multiple subtractions), making it negligible. Fig. 5(c) shows decryption computations. The user overhead for the scheme in [22] and for our scheme remains constant, around 0.07 ms. This is because both [22] and our scheme adopt cloud server assisted decryption, greatly reducing the computational pressure on users. However, the schemes in [29] and [34] place a large computational burden on users in environments with more complex access structures and more user attributes. In Fig. 5(d), we analyzed the efficiency of key updating in our scheme. As the number of user attributes increases, the updating time gradually rises. However, even with 100 attributes, the update time remains under 100 ms, and the algorithm can execute during user idle periods, which does not bring too much computational pressure to the user. Moving to Fig. 6(a) and Fig. 6(b), we conducted comparative analyses on the encryption and decryption efficiency of our scheme, both with and without online/offline encryption and outsourced decryption. Notably, the computational overhead of online encryption and user decryption is negligible, as most of the encryption and decryption workload is completed during the offline and outsourced phases. In conclusion, the experimental results confirm that our scheme is more efficient and practical than existing relevant CP-ABE schemes.

Figure 5. Computation overheads.

Figure 6. Computation savings.

7. Conclusion

In the realm of secure cloud storage systems, the issue of access control based on attribute encryption has garnered significant attention. In this study, we propose a novel, efficient, and flexible scheme for attribute-based encryption access control. This approach adopts a more secure online/offline encryption mechanism and verifiable outsourced decryption, aiming to address scenarios with constrained computing resources. We have successfully tackled both key escrow and key misuse concerns. Malicious users actively disclosing keys for personal gain or attribute authorization centers forging keys can be traced. For users affected by passive key leakage, timely key updates allow for the revocation of the original key's decryption capabilities. Theoretical analysis clearly demonstrates the algorithm's efficiency in terms of computational complexity and storage overhead. Experimental results show a substantial reduction in the computational costs for users during online encryption and decryption, leading to significant savings in computing resources. This study demonstrates practical applicability across diverse fields, presenting an innovative solution to tackle data security challenges in resource-constrained environments. It is especially relevant in domains including IoT, smart meter data collection, healthcare data management, and finance. We hope that this research can provide some insights for the future development of secure cloud storage systems.

Funding

This research was funded by State Grid Shandong Electric Power Company Technology Project (No. 520627230004).

CRediT authorship contribution statement

Li Yan: Investigation, Data curation. Gaozhou Wang: Investigation. Hongxin Feng: Writing – original draft, Formal analysis. Peishun Liu: Writing – review & editing, Supervision. Haojie Gao: Writing – review & editing, Resources. Wenbin Zhang: Supervision. Hailin Hu: Data curation. Fading Pan: Supervision.

Declaration of Competing Interest

The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Peishun Liu and Hongxin Feng report financial support was provided by National Key Research and Development Program of China. Peishun Liu and Hongxin Feng report financial support was provided by State Grid Shandong Electric Power Company. If there are other authors, they declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability statement

The data used in this study is currently not publicly available. If necessary, please contact the corresponding author.

References

1. Huang Cheng, Lu Rongxing, Zhu Hui, Shao Jun, Lin Xiaodong. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. ACM; Xi'an China: May 2016. FSSR: fine-grained EHRs sharing via similarity-based recommendation in cloud-assisted eHealthcare system; pp. 95–106.
2. Miao Yinbin, Weng Jian, Liu Ximeng, Choo Kim-Kwang Raymond, Liu Zhiquan, Li Hongwei. Enabling verifiable multiple keywords search over encrypted cloud data. Inf. Sci. October 2018;465:21–37.
3. Miao Yinbin, Ma Jianfeng, Liu Ximeng, Weng Jian, Li Hongwei, Li Hui. Lightweight fine-grained search over encrypted data in fog computing. IEEE Trans. Serv. Comput. September 2019;12(5):772–785.
4. Miao Yinbin, Ma Jianfeng, Liu Ximeng, Li Xinghua, Jiang Qi, Zhang Junwei. Attribute-based keyword search over hierarchical data in cloud computing. IEEE Trans. Serv. Comput. 2020;13(6):985–998.
5. Sahai Amit, Waters Brent. In: Advances in Cryptology – EUROCRYPT 2005. Cramer Ronald., editor. vol. 3494. Springer; Berlin, Heidelberg: 2005. Fuzzy identity-based encryption; pp. 457–473. (Lecture Notes in Computer Science).
6. Khuntia Sucharita. Secure attribute-based user access control over AWS cloud. IJRASET. February 2021;9(2):7–33.
7. Bhatt Smriti, Pham Thanh Kim, Gupta Maanak, Benson James, Park Jaehong, Sandhu Ravi. Attribute-based access control for AWS Internet of things and secure industries of the future. IEEE Access. 2021;9:107200–107223.
8. Liu Zechao, Jiang Zoe L., Wang Xuan, Yiu S.M. Practical attribute-based encryption: outsourcing decryption, attribute revocation and policy updating. J. Netw. Comput. Appl. April 2018;108:112–123.
9. Fan Wenjie, Li Feng, Chen Xiaowan, Jiang Hai, Li Zhongwen, Li Kuan Ching. Deploying parallelised ciphertext-policy attributed-based encryption in clouds. IJCSE. 2018;16(3):321–333.
10. Cui Mingming, Han Dezhi, Wang Jun. An efficient and safe road condition monitoring authentication scheme based on fog computing. IEEE Int. Things J. October 2019;6(5):9076–9084.
11. Li Xiaoyi, Liang Kaitai, Liu Zhen, Wong Duncan. Proceedings of the 7th International Conference on Cloud Computing and Services Science. SCITEPRESS - Science and Technology Publications; Porto, Portugal: 2017. Attribute based encryption: traitor tracing, revocation and fully security on prime order groups; pp. 309–320.
12. Niu Shufen, Hu Ying, Zhou Siwei, Shao Honglin, Wang Caifen. Attribute-based searchable encryption in edge computing for lightweight devices. IEEE Syst. J. September 2023;17(3):3503–3514.
13. Zhang Leyou, You Wenting, Mu Yi. Secure outsourced attribute-based sharing framework for lightweight devices in smart health systems. IEEE Trans. Serv. Comput. September 2022;15(5):3019–3030.
14. Wang Huiyong, Liang Jialing, Ding Yong, Tang Shijie, Wang Yujue. Ciphertext-policy attribute-based encryption supporting policy-hiding and cloud auditing in smart health. Comput. Stand. Interfaces. March 2023;84
15. Zhang Zhiting, Zeng Peng, Pan Bofeng, Choo Kim-Kwang Raymond. Large-universe attribute-based encryption with public traceability for cloud storage. IEEE Int. Things J. October 2020;7(10):10314–10323.
16. Liu Zhenhua, Ding Yingying, Yuan Ming, Wang Baocang. Black-box accountable authority CP-ABE scheme for cloud-assisted E-health system. IEEE Syst. J. March 2023;17(1):756–767.
17. Bethencourt John, Sahai Amit, Waters Brent. 2007 IEEE Symposium on Security and Privacy (SP '07) IEEE; Berkeley, CA: May 2007. Ciphertext-policy attribute-based encryption; pp. 321–334.
18. Green Matthew, Hohenberger Susan, Waters Brent. Outsourcing the decryption of ABE ciphertexts. Proceedings of the 20th USENIX Conference on Security; SEC'11; San Francisco, USA: USENIX Association; August 2011. p. 34.
19. Li Jiguo, Sha Fengjie, Zhang Yichen, Huang Xinyi, Shen Jian. Verifiable outsourced decryption of attribute-based encryption with constant ciphertext length. Secur. Commun. Netw. 2017;2017(2):1–11.
20. Zuo Cong, Shao Jun, Wei Guiyi, Xie Mande, Ji Min. CCA-secure ABE with outsourced decryption for fog computing. Future Gener. Comput. Syst. January 2018;78:730–738.
21. Li Jiguo, Wang Yao, Zhang Yichen, Han Jinguang. Full verifiability for outsourced decryption in attribute based encryption. IEEE Trans. Serv. Comput. May 2020;13(3):478–487.
22. Yang Yang, Liu Ximeng, Zheng Xianghan, Rong Chunming, Guo Wenzhong. Efficient traceable authorization search system for secure cloud storage. IEEE Trans. Cloud Comput. 2020;8(3):819–832.
23. Li Jiguo, Lin Xiaonan, Zhang Yichen, Han Jinguang. KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage. IEEE Trans. Serv. Comput. September 2017;10(5):715–725.
24. Varri Uma Sankararao, Kasani Sreekanth, Pasupuleti Syam Kumar, Kadambari K.V. FELT-ABKS: fog-enabled lightweight traceable attribute-based keyword search over encrypted data. IEEE Int. Things J. May 2022;9(10):7559–7571.
25. Even Shimon, Goldreich Oded, Micali Silvio. On-line/off-line digital signatures. J. Cryptol. March 1996;9(1):35–67.
26. Hohenberger Susan, Waters Brent. Proceedings of the 17th International Conference on Public-Key Cryptography. vol. 8383. Springer-Verlag; Berlin, Heidelberg: March 2014. Online/offline attribute-based encryption; pp. 293–310.
27. Zhang Junqi, Cheng Qingfeng, Wei Fushan, Zhang Xinglong. In: Security, Privacy, and Anonymity in Computation, Communication, and Storage. Wang Guojun, Atiquzzaman Mohammed, Yan Zheng, Choo Kim-Kwang Raymond., editors. vol. 10658. Springer International Publishing; Cham: 2017. A compact construction for non-monotonic online/offline CP-ABE scheme; pp. 507–523. (Lecture Notes in Computer Science).
28. Li Jin, Ren Kui, Zhu Bo, Wan Zhiguo. In: Information Security. Samarati Pierangela, Yung Moti, Martinelli Fabio, Ardagna Claudio A., editors. vol. 5735. Springer; Berlin, Heidelberg: 2009. Privacy-aware attribute-based encryption with user accountability; pp. 347–362. (Lecture Notes in Computer Science).
29. Liu Zhen, Cao Zhenfu, Wong D.S. White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE Trans. Inf. Forensics Secur. January 2013;8(1):76–88.
30. Liu Zhen, Cao Zhenfu, Wong Duncan S. Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on ebay. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security; CCS '13; New York, NY, USA: Association for Computing Machinery; November 2013. pp. 475–486.
31. Ning Jianting, Cao Zhenfu, Dong Xiaolei, Wei Lifei, Lin Xiaodong. In: Computer Security - ESORICS 2014. Kutyłowski Mirosław, Vaidya Jaideep., editors. Springer International Publishing; Cham: 2014. Large universe ciphertext-policy attribute-based encryption with white-box traceability; pp. 55–72. (Lecture Notes in Computer Science).
32. Ning Jianting, Dong Xiaolei, Cao Zhenfu, Wei Lifei, Lin Xiaodong. White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes. IEEE Trans. Inf. Forensics Secur. June 2015;10(6):1274–1288.
33. Kai Zhang, Jianfeng M., Junwei Z., Zuobin Ying, Tao Zhang, Ximeng Liu. Online/offline traceable attribute-based encryption. J. Comput. Res. Dev. 2018;55(1):216–224.
34. Zhang Xing, Jin Cancan, Li Cong, Wen Zilong, Shen Qingni, Fang Yuejian, Wu Zhonghai. In: Security and Privacy in Communication Networks. Thuraisingham Bhavani, Wang XiaoFeng, Yegneswaran Vinod., editors. vol. 164. Springer International Publishing; Cham: 2015. Ciphertext-policy attribute-based encryption with user and authority accountability; pp. 500–518. (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering).
35. Yu Gang, Cao Zhenfu, Zeng Guang, Han Wenbao. In: Provable Security. Chen Liqun, Han Jinguang., editors. vol. 10005. Springer International Publishing; Cham: 2016. Accountable ciphertext-policy attribute-based encryption scheme supporting public verifiability and nonrepudiation; pp. 3–18. (Lecture Notes in Computer Science).
36. Zhang Yinghui, Li Jin, Zheng Dong, Chen Xiaofeng, Li Hui. Towards privacy protection and malicious behavior traceability in smart health. Pers. Ubiquitous Comput. October 2017;21(5):815–830.
37. Li Jiguo, Zhang Yichen, Ning Jianting, Huang Xinyi, Poh Geong Sen, Wang Debang. Attribute based encryption with privacy protection and accountability for CloudIoT. IEEE Trans. Cloud Comput. 2020;10(2):762–773.
38. Hei Yiming, Liu Jianwei, Feng Hanwen, Li Dawei, Liu Yizhong, Wu Qianhong. Making MA-ABE fully accountable: a blockchain-based approach for secure digital right management. Comput. Netw. May 2021;191:1286–1389.
39. Ning Jianting, Dong Xiaolei, Cao Zhenfu, Wei Lifei. In: Computer Security – ESORICS 2015. Pernul Günther, Ryan Peter Y.A., Weippl Edgar., editors. vol. 9327. Springer International Publishing; Cham: 2015. Accountable authority ciphertext-policy attribute-based encryption with white-box traceability and public auditing in the cloud; pp. 270–289. (Lecture Notes in Computer Science).
40. Boneh Dan, Boyen Xavier. In: Advances in Cryptology - EUROCRYPT 2004. Cachin Christian, Camenisch Jan L., editors. Springer; Berlin, Heidelberg: 2004. Short signatures without random oracles; pp. 56–73. (Lecture Notes in Computer Science).
41. Waters Brent. In: Public Key Cryptography – PKC 2011. Catalano Dario, Fazio Nelly, Gennaro Rosario, Nicolosi Antonio., editors. vol. 6571. Springer; Berlin, Heidelberg: 2011. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization; pp. 53–70. (Lecture Notes in Computer Science).


Articles from Heliyon are provided here courtesy of Elsevier
