Professional Documents
Culture Documents
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
AbstractAttribute Based Encryption (ABE) has emerged as entitled to view all data while students have limited access
a promising solution for access control to diverse set of users in to data) using policy named Simple defined as: University
cloud computing systems. Policy can just specify whether (or (Professor OR Student), for users with attributes University
not) any specific user should be given access to data, but it
lacks to provide data owner the privilege to specify (how much) and Professor , University and Student to retrieve the data.
fraction, or (which) specific chunk from that data to be accessed We tag this policy as Simple, because in rest of paper we will
or decrypted. In this paper, we address this issue, and propose a refer to this specific policy using its tag. Policy can just define
scheme that will give data owner excessive access control, so that here that any user with attributes can access the data, but it
he can specify specific chunk out of total data to be accessed by fails to define that out of those user attributes, which attributes
user depending on his attributes. In our scheme, a data owner
can encrypt data over attributes specified in a policy, but even if allows access to which fraction (chunk) of data. We further
users attributes satisfy the policy; he can decrypt data (partially elaborate it by the scenario; lets consider a video provider is
or fully) fractionally based on his attributes specified by owner. encrypting a video for attributes F reeU ser , and P aidU ser .
Owner can also prioritize users access based on his designation, If the policy is defined to be: (F reeU ser OR P aidU ser ),
or hierarchal role in a specific organization. We also address to then individual users having attributes either F reeU ser , or
resolve the issue of attributes repetition, due to which the cost
of computations in encryption by owner and ciphertext size is P aidU ser can decrypt the video. Although, user with any
reduced. Furthermore, we achieve it with a single ciphertext over (one) of these attributes will have access to data, but now
policy for entire data, and proof our scheme to be secure in the the owner wants to restrict the user with F reeU ser attribute
generic group and random oracle model. Theoretical comparisons to decrypt and view just starting five minutes of video, and
of computations with existing constructions, and performance of user with P aidU ser attribute to decrypt and view the whole
the scheme evaluated in Charm simulator is reasonable enough
to be adopted in practice. video. Although, both attributes satisfy the policy and have
access to data, but now they differ in the data being accessed
Index TermsAttribute, Partial, Full, Encryption, Decryption,
using them. In other words, video provider in this case has
Symmetric key, Chunk, Excessive Access, Repetition, Fractional.
restricted the access of F reeU ser to a fraction of video instead
of whole video.
I. I NTRODUCTION
This is an important issue, which should be addressed to
TTRIBUTE Based Encryption (ABE) has evolved as an
A access control mechanism for large target community.
Cloud storage is a service of cloud computing [30], utilized
give the data owner more privileges, so that he can specify
how much (fraction) of data can be accessed by users using
their attributes. To differentiate, there are two things; one is
by data owners to outsource their data to the servers. ABE is users attributes that qualify it for data access, if they satisfy
considered as a promising solution for data access in cloud the policy specified by owner, while the other thing is how
computing. much fraction of data can be accessed by using those attributes.
As cloud servers are not trust worthy, so owner undertakes For Simple policy, as Student and Professor have access to
the responsibility to encrypt its data before outsourcing it to the dissimilar variant of data; hence, we list them under different
server. Owner defines an access policy for specific attributes attribute set Wi in policy, where Wi is a set of attributes in
that it wishes to be mandatory for data access, and then sends policy providing access to different variants of data. Another
it along with ciphertext to the server. If attributes of user key issue, to be addressed is the repeated attribute (University in
satisfy the policy specified in ciphertext; user then can decrypt Simple policy) appearing in multiple attribute sets Wi leading
ciphertext correctly to get data. In ABE, for example, the to more computation cost in encryption operation at data
University can share an examination notice, or provide access owner.
to particular data placed on its server (where professors are
This work was supported by the National Natural Science Foundation of Although, for both the scenarios (Simple and Video
China under Grant U1401251 and Grant 61272457. Provider policy); which we explained above can be dealt with
F. Khan is with the State Key Laboratory of Integrated Service Net- by defining two separate policies over ciphertexts (based on
works, School of Cyber Engineering and with the School of International
Education, Xidian University, Xian, Shaanxi 710071, P.R. China (e-mail: attribute-sets Wi ), with different symmetric decryption keys
fawad.khan.xdu@gmail.com). for fractional data access; we argue that it should be done with
H. Li and L. Zhang are with the State Key Laboratory of Inte- a single ciphertext over one policy with no attributes repetition.
grated Service Networks, School of Cyber Engineering , Xidian Univer-
sity, Xian, Shaanxi 710071, P.R. China (e-mail: lihui@mail.xidian.edu.cn, Throughout the paper, we will use words fractional, variant,
lxzhaang@foxmail.com ). and partial interchangeably for referring to a chunk of data.
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
Zp . Q same model has been used by Chase and Chow [9], and
2. A share generating matrix A exists for . Matrix A Chase [8] respectively. In our model, we give more powers to
has m rows and n columns. For x = 1 to m each xth attacker, that he can choose public keys of corrupt authorities
row of A corresponds to a party P (x). We let a column by himself; instead given to him by challenger at the start of
vector v = {s, v2 , ..., vn } be a sharing vector; where game.
s is the secret to be shared is selected from Zp , and We let S denote the set of all the authorities in system and
v2 , ..., vn Zp . Then A.v is the vector of m shares of s U denote the attributes universe. Each attribute belongs to
Q
according to . The share i = (A v )i belongs to party p(i). one authority.
Setup: The global setup algorithm is run. The attacker
We let S denote the set of attributes. Define L {1, ..., m} specifies a set of corrupt (S0 S) authorities to the
as L = {x|p(x) S}. There exists a vector (1,0,...,0) in the challenger. Challenger then obtains the public and private
span of Ax indexed by L, where Ax represent rows of A. keys of uncorrupt (S S0 ) authorities by running the
For linear reconstruction, we have constants of the form { authority setup algorithm. Finally, challenger reveals the
wx Zp }xL acquired public keys to the attacker.
Q such that, if x are valid shares ofP secret s
according to , then s can be reconstructed by xL wx Phase 1: The attacker queries challenger for key pairs
x = s. (i, GID) corresponding to attribute i of good authority and
user identity GID. The challenger replies to the queries by
sending out the key pairs of the form Ki,GID to the attacker.
C. Multi-authority EAC CP-ABE
For attributes in corrupt authority, the attacker can generate
We briefly describe the algorithms that are part of the multi decryption keys by himself.
authority Excessive Access Control (EAC) CP-ABE scheme. Challenge Phase: Attacker then specifies two equal length
Global Setup() GP : The algorithm takes as input the messages under the access structure (A, ). Moreover,
security parameter and outputs the global parameters GP specifies for each attribute in that it belongs to which
for the system. attribute set Wi . Let V denote the subset of rows of access
Authority Setup(GP ) SK, P K: In this algorithm, matrix A controlled by corrupt authorities. We denote VGID
the input is global parameters of the system and output as the subset of rows of A for which the attacker can acquire
corresponds to secret SK / public P K keys of the the keys (i, GID) corresponding to attribute i and identity
authorities. GID for uncorrupt authorities. The constraint on access
Encrypt(S, (A, ), GP, P K) CT : Encrypt algorithm takes matrix is that the subspace spanned by V U VGID should
as input the message S (symmetric keys for data chunks), not include (1,0,...,0) in its span for any of attribute set Wi .
access matrix (A, ) , global parameters and the public keys In other words, the attacker cannot ask for those specific
of authorities to output the ciphertext CT. keys which he can combine with keys of corrupt authorities
KeyGen (GID, GP, i, SK) Ki,GID : KeyGen algorithm to allow successful decryption for specific attribute and
takes as input the user identity GID, specific attribute i, identity GID. Also the attacker gives public keys of corrupt
GP and secret key of corresponding authority to generate a authorities attributes to challenger which appears in the image
decryption key Ki,GID for user. . Challenger flips a random coin = {0, 1} and encrypts a
Decrypt (CT, GP, Ki,GID ) S: To decrypt the ciphertext, message M according to access policy.
this algorithm takes as input CT, GP and the set of user Phase 2: Attacker makes further key queries (i, GID) but
attribute keys. For successful decryption the user attribute keys under the constraint that queries dont violate the challenge
should correctly satisfy the access matrix in the ciphertext. matrix (A, ) .
Guess: Attacker submits a guess 0 for . Attacker wins the
Definition 3.3: A multi authority EAC CP-ABE scheme is game if 0 = . The advantage of attacker in the security
correct if the GP is obtained from global setup algorithm, CT game is Pr[ 0 = ] 1/2.
from encrypt algorithm, keys Ki,GID corresponding to specific
attributes of user GID are generated using keygen algorithm Definition 4.1: A multi authority ciphertext policy attribute
and message (S) is obtained from CT using decrypt algorithm, based encryption scheme with excessive access control is
if the set of attributes in key satisfy the access matrix in CT. secure (against static corruption of authorities) if all polyno-
mial time adversaries have at most a negligible advantage in
IV. O UR C ONSTRUCTION security game.
In this section, we will provide a detailed construction of
our scheme. B. System Model
We let a multi-authority cloud storage system as shown
A. Security Model in Fig.1. It consists of owners, users, server, and attribute
We define the security game for EAC CP-ABE system authorities (AA).
between challenger and attacker in the following way. We Owner An entity who wants to publish data on the server
assume that the adversary can corrupt authorities statically to be retrieved later by other users based on their attributes.
but can make queries adaptively till the end of game. This For publishing data it will first split the data into chunks and
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
TABLE I TABLE II
C OMPARISON WITH EXISTING WATER S CONSTRUCTIONS . C OMPARISON OF COMPUTATIONS FOR SIMPLE AND COMPLEX POLICY.
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
group Zp . Each of 0 and 1 is an injective map from Zp to hence, he cannot gain non negligible advantage in real security
{0, 1}m for m > 3log(p). Formally, we represent the groups game.
as: G0 = {0 (x) : x Zp } and G1 = {1 (x) : x Zp }. We condition on attackers queries to input values, as the
Assume that we have access to oracles for evaluating the group values given to attacker during simulation, or the values which
operations in G0 and G1 . Moreover, we have the oracle to he received in response of previous queries which he made to
compute the non-degenerate bilinear map e : G0 G0 G1 . oracles. The event occurs with greater probability. As 0 and
In the security game, the attacker has to distinguish between 1 are random injective maps from Zp into a set with greater
Ci = M0 e(g, g)qi and Ci = M1 e(g, g)qi . We now consider than p3 elements; to guess an element appearing in image of
a modification in the game [2], where the attacker must 0 , 1 occurs with negligible probability which has not been
distinguish between Ci = M0 e(g, g)qi and Ci = M0 e(g, g)ai , attained before.
where ai Zp is selected for each attribute set Wi . We Under aforementioned condition, attacker can query as a
simplify the notations that we use as: g denote 0 (1), g x multi variate polynomial in variables ai , j ,t,x ,wx ,hGID ,
denote 0 (x), e(g, g) denote 1 (1) and e(g, g)y denote 1 (y). where j stands for uncorrupted authorities, x ranges over
We now simulate the modified security game in generic rows of challenge access matrix and GID ranges over
bilinear group model, where Ci is set to e(g, g)ai . Moreover, allowed identities. We take x as the linear combination
S represents the set of authorities and U represents the of variables (qi , vi,2 , ..., vi,n ) for attribute sets Wi and wx
set of attributes universe. Simulator runs the global setup = (0, w2 , ..., wn ). Further, we state that for each different
algorithm and gives g to the attacker. Attacker then specifies pair of queries responding to unlike polynomials, attacker
a set S 0 S of corrupt authorities, and discloses it to the receives different answers. Difference is non-zero for random
simulator. Simulator randomly chooses t Zp for uncorrupted assignment of values to variables for two query polynomials.
authorities, and i Zp where i U corresponds to attributes This event occurs with greater probability which we can
that are controlled by uncorrupted authorities; queries group realize using union bound and Schwartz-Zippel lemma as the
oracles for evaluating g t , e(g, g)i and gives these values to polynomials have at most degree 4.
attacker. We see that ai only appears as e(g, g)ai , so the queries
Attacker then requests H(GID) for the first time. Simulator attacker can make about ai will be of the form cai + other
chooses a random value hGID Zp , queries group oracles terms, where c is constant. Attackers view can change only
for g hGID and sends it to attacker. Also, the simulator keeps when it makes two different polynomial queries, f and f 0
a copy of the sent value, so that the requested GID value in into G1 but if it replace ai = qi ; the result will be same (one)
future will be dealt with the same evaluated value. Attacker polynomial. This implies that, f f 0 = cai cqi for some
then requests a key Ki,GID for an attribute i belonging to a constant c. We conclude that attacker can query cqi .
particular authority and identity GID. In response, simulator Now we will show that a query cqi cannot be made by
computes g i /t H(GID)1/t by querying the group oracles, attacker, and hence we arrive at a contradiction. We can see
and send it back to the attacker. After some time, attacker will the possible queries attacker can make in TABLE IV. By
specify an access matrix (A, ) for challenge ciphertext with inspecting we came at a conclusion that attacker can only
attributes specified for attributes sets Wi . Moreover, values make queries of the form which are linear combinations of
of corrupt authority attributes that appear in (corresponding 1, ai and other terms appearing in TABLE IV.
to rows of A) of access matrix will be sent by attacker to We remind that attacker knows the values of i , t for
simulator. Simulator confirms the validity of these attributes corrupted authorities; thats why the linear combinations of
by querying group oracles. these values can appear in TABLE IV .
Simulator will now produce the challenge ciphertext. To Recall that qi can be constructed by x = Ax vi where
follow up, it will first choose random values qi , vi,2 , ..., vi,n vi = (qi , vi,2 , ..., vi,n ) for attribute set Wi . Hence the only
Zp to form a sharing vector vi = {qi , vi,2 , ..., vi,n }; where appearance of qi in TABLE IV can be constructed using the
qi is secret to be shared for each attribute set Wi . Further, linear combination of x . To order query of the P form cqi ;
it computes x = Ax vi for Ax Wi where Ax is xth attacker needs to choose constants x such that x x = cqi
row of LSSS matrix A with no repeated attributes. Moreover, by asking for query (x +(x) wx ) to form x (x +(x) wx ).
selects a vector w = {0, w2 , ..., wn } where each w2 , ..., wn For corrupt authorities attributes, attacker can construct poly-
is selected randomly from Zp and evaluates wx = Ax w . nomials of the form x (x) wx to cancel out this term for
Simulator will give x shares values to elimination algorithm the above polynomial. For uncorrupted authorities attributes,
for removal of repeated attributes. Finally it will select random attacker needs to query ((x) wx + hGID wx ) this; in-order
values ai Zp for Wi . With the help of group oracles the to cancel out x (x) wx , which leaves an extra term of
simulator now computes the ciphertext as: x hGID wx . We note that attacker can access this term
{C0 = e(g, g)ai , C1,x = e(g, g)x e(g, g)(x) wx , C2,x = ((x) wx + hGID wx ) if it requests for a key corresponding to
g twx x }. a particular attribute (x) and identity GID.
The challenge ciphertext is given to the attacker. We argue The gathering of these terms for each identity GID will
that by all, but with negligible probability, an attacker view cancel this term only if the span (1,0,...,0) of length n vector
regarding if Ci is set to e(g, g)ai in place of e(g, g)qi is is in the rows Ax Wi of A belonging to corrupt authorities,
identical in simulation. This illustrates that attacker cannot or uncorrupted ones for which he acquired the keys for
attain non negligible advantage in modified security game; ((x), GID). Under this condition, the attacker has broken
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
VI. C ONCLUSION
In this paper, we have proposed an excessive access control
scheme for data owner using a single ciphertext over policy
without attributes repetition. The owner can enjoy limiting the
users access to just specified chunks of data, instead of whole
data. Moreover, owner can also grant privileged data access to
users based on their hierarchal role in a specific organization.
Comparison, in contrast to traditional approaches depicts its
effectiveness in terms of providing variant data access in a
single policy over ciphertext, and by less computations in
encryption and decryption operation. Our proposed scheme Fig. 4. LSSS Matrix (a) Shares of secret s for all attributes, (b). Shares of
is proven secure in generic group and random oracle model. secret q1 for attribute set W1 , (c). Shares of secret q2 for attribute set W2 ,
(d). Shares of q1 &q2 for all attributes with no repetition.
Performance evaluation of scheme in Charm simulator is good
to adopt it in practice. We will try to further enhance its
Take any random value of 1 Zp (here its taken as
performance in future, and extend it to other types of access
10), putting values of q1 , q2 , c1 , c2 and c3 , we get values of
structures besides LSSS.
2 , 3 as seen in Fig.4 (d). We note here, that the users
having attributes (either Professor, OR Student) if combine
A PPENDIX A their shares 2 , 3 with 1 corresponding to University; this
R EMOVING R EPEATED ATTRIBUTES FROM LSSS MATRIX will lead to one of the secret recovery either q1 or q2 . Different
Here, we demonstrate how to remove the repeated attributes secret reconstruction will lead to a variant data decryption key.
from LSSS matrix. Suppose the data owner wants to share The attribute shares in Fig.4 (d) will be used for evaluating the
fractional access of data using the Simple policy University ciphertext by owner. Finally, comparing Fig.4 (a), (d) we see
(Professor OR Student). For this policy, the attribute sets that in-contrast to a single secret being shared in prior one,
are W1 = (University Professor) and W2 = (University we can share multiple secrets over same set of attributes and
Student). Using T-ABE schemes, this policy is broken down policy with no repetition.
based on the attribute sets Wi , and a separate ciphertext will
be evaluated for both Wi . Attribute University appears in both R EFERENCES
Wi ; hence, it will be evaluated for both the ciphertexts.
For Our proposed scheme, the data owner will write this [1] Boneh, Dan, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based
encryption with constant size ciphertext. Advances in CryptologyEURO-
policy in its compact form with no attributes repetition as: CRYPT 2005. Springer Berlin Heidelberg, 2005. 440-456.
University (Professor OR Student). For this compact policy [2] Bethencourt, John, Amit Sahai, and Brent Waters. Ciphertext-policy
the LSSS matrix M based on AND-OR gates [4], [33] is attribute-based encryption. Security and Privacy, 2007. SP07. IEEE
Symposium on. IEEE, 2007.
shown in Fig.4 (a). For demonstration purpose (to have an idea [3] Waters, Brent. Ciphertext-policy attribute-based encryption: An expres-
regarding secret sharing and its re-construction), the shares of sive, efficient, and provably secure realization. Public Key Cryptogra-
secret s are calculated as 1 , 2 and 3 . For re-construction phyPKC 2011. Springer Berlin Heidelberg, 2011. 53-70.
[4] Lewko, Allison, and Brent Waters. Decentralizing attribute-based en-
the users based Pon their attributes will find the coefficients ci cryption. Advances in CryptologyEUROCRYPT 2011. Springer Berlin
by the relation ci Mi = (1,0,...,0). In this case c1 = c2 = Heidelberg, 2011. 568-588.
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
[5] Rouselakis, Yannis, and Brent Waters. Practical constructions and new [29] Huang, RuWei, et al. Research on privacy-preserving cloud storage
proof methods for large universe attribute-based encryption. Proceedings framework supporting ciphertext retrieval. Network Computing and
of the 2013 ACM SIGSAC conference on Computer & communications Information Security (NCIS), 2011 International Conference on. Vol. 1.
security. ACM, 2013. IEEE, 2011.
[6] Rouselakis, Yannis, and Brent Waters. Efficient statically-secure large- [30] Mell, Peter, and Tim Grance. The NIST definition of cloud computing.
universe multi-authority attribute-based encryption. International Con- (2011): 20-23.
ference on Financial Cryptography and Data Security. Springer Berlin [31] http://www.charm-crypto.com/
Heidelberg, 2015. [32] Lewko, Allison, et al. Fully secure functional encryption: Attribute-
[7] Beimel, Amos. Secure schemes for secret sharing and key distribution. based encryption and (hierarchical) inner product encryption. Advances
Technion-Israel Institute of technology, Faculty of computer science, in CryptologyEUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 62-
1996. 91.
[8] Chase, Melissa. Multi-authority attribute based encryption. Theory of [33] Liu, Zhen, Zhenfu Cao, and Duncan S. Wong. Efficient Generation of
cryptography. Springer Berlin Heidelberg, 2007. 515-534. Linear Secret Sharing Scheme Matrices from Threshold Access Trees.
[9] Chase, Melissa, and Sherman SM Chow. Improving privacy and security [34] Akinyele, Joseph A., et al. Charm: a framework for rapidly prototyping
in multi-authority attribute-based encryption. Proceedings of the 16th cryptosystems. Journal of Cryptographic Engineering 3.2 (2013): 111-
ACM conference on Computer and communications security. ACM, 2009. 128.
[10] Shoup, Victor. Lower bounds for discrete logarithms and related [35] Odelu, Vanga, et al. Pairing-based CP-ABE with constant-size cipher-
problems.Advances in CryptologyEUROCRYPT97. Springer Berlin Hei- texts and secret keys for cloud environment. Computer Standards &
delberg, 1997. Interfaces(2016).
[11] Goyal, Vipul, et al. Attribute-based encryption for fine-grained access [36] Odelu, Vanga, and Ashok Kumar Das. Design of a new CPABE
control of encrypted data. Proceedings of the 13th ACM conference on with constantsize secret keys for lightweight devices using elliptic curve
Computer and communications security. Acm, 2006. cryptography. Security and Communication Networks (2016).
[12] Lewko, Allison, et al. Fully secure functional encryption: Attribute- [37] Chatterjee, Santanu, and Ashok Kumar Das. An effective ECCbased
based encryption and (hierarchical) inner product encryption. Advances user access control scheme with attributebased encryption for wireless
in CryptologyEUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 62- sensor networks. Security and Communication Networks 8.9 (2015):
91. 1752-1771.
[13] Li, Jin, et al. Privacy-aware attribute-based encryption with user ac-
countability. Information Security. Springer Berlin Heidelberg, 2009.
347-362.
[14] Lai, Junzuo, Robert H. Deng, and Yingjiu Li. Fully secure cipertext-
policy hiding CP-ABE. Information Security Practice and Experience.
Springer Berlin Heidelberg, 2011. 24-39.
[15] Doshi, Nishant, and Devesh Jinwala. Hidden access structure ciphertext Fawad Khan received his B.S. (2010) and M.S.
policy attribute based encryption with constant length ciphertext. Ad- (2014) in Electrical Engineering from UET Pe-
vanced Computing, Networking and Security. Springer Berlin Heidelberg, shawar, and CECOS University, respectively. He has
2011. 515-523. served in NUCES-FAST as Lab Engineer from 2011
[16] Li, Xiaohui, et al. Efficient ciphertext-policy attribute based encryp- to 2015. Currently he is pursuing his PhD in School
tion with hidden policy. Internet and Distributed Computing Systems. of Cyber Engineering at Xidian University. His
Springer Berlin Heidelberg, 2012. 146-159. research interests include content centric networks,
[17] Zhang, Yinghui, et al. Anonymous attribute-based encryption support- information security and machine learning.
ing efficient decryption test. Proceedings of the 8th ACM SIGSAC sym-
posium on Information, computer and communications security. ACM,
2013.
[18] Virvilis, Nikos, Stelios Dritsas, and Dimitris Gritzalis. A cloud
provider-agnostic secure storage protocol. Critical Information Infras-
tructures Security. Springer Berlin Heidelberg, 2010. 104-115.
[19] Di Vimercati, Sabrina De Capitani, et al. A data outsourcing archi-
tecture combining cryptography and access control. Proceedings of the
2007 ACM workshop on Computer security architecture. ACM, 2007. Hui Li received his B.S. (1990) from Fudan Uni-
[20] Yang, Kan, and Xiaohua Jia. Expressive, efficient, and revocable data versity, and M.S. (1993) and Ph.D (1998) from
access control for multi-authority cloud storage. Parallel and Distributed Xidian University, respectively. Currently, he is a
Systems, IEEE Transactions on 25.7 (2014): 1735-1744. professor at the School of Cyber Engineering, Xidian
[21] Miklau, Gerome, and Dan Suciu. Controlling access to published data University. In 2009, he was with Department of
using cryptography. Proceedings of the 29th international conference on Electrical and Computer Engineering (ECE), Univer-
Very large data bases-Volume 29. VLDB Endowment, 2003. sity of Waterloo, as a visiting scholar. His research
[22] Atallah, Mikhail J., et al. Dynamic and efficient key management interests include the areas of cryptography, security
for access hierarchies. ACM Transactions on Information and System of cloud computing, wireless network security, and
Security (TISSEC) 12.3 (2009): 18. information theory. He served as TPC co-chair of
[23] Ma, Tien-Yan, Ting-Wei Hou, and Shau-Yin Tseng. Hierarchical key ISPEC 2009 and IAS 2009, general cochair of E-
management of scalable video coding. Intelligent Information Hiding and Forensic 2010, ProvSec 2011 and ISC 2011. He is a member of the IEEE.
Multimedia Signal Processing, 2007. IIHMSP 2007. Third International
Conference on. Vol. 1. IEEE, 2007.
[24] Damiani, Ernesto, et al. Key management for multi-user encrypted
databases. Proceedings of the 2005 ACM workshop on Storage security
and survivability. ACM, 2005.
[25] Di Vimercati, Sabrina De Capitani, et al. Over-encryption: management Liangxuan Zhang received his B.S. (2014) in Math-
of access control evolution on outsourced data. Proceedings of the 33rd ematics from Xiangtan University. Since 2014 he
international conference on Very large data bases. VLDB endowment, is currently working towards his master degree in
2007. School of Cyber Engineering at Xidian University.
[26] Wang, Weichao, et al. Secure and efficient access to outsourced His current research interests include security and
data.Proceedings of the 2009 ACM workshop on Cloud computing privacy issues in cloud computing and applied cryp-
security. ACM, 2009. tography.
[27] Yun, Aaram, Chunhui Shi, and Yongdae Kim. On protecting in-
tegrity and confidentiality of cryptographic file system for outsourced
storage.Proceedings of the 2009 ACM workshop on Cloud computing
security. ACM, 2009.
[28] https://crypto.stanford.edu/pbc/
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.