Adaptively Secure Attribute-Based Encryption Supporting Attribute Revocation

Attribute revocation is inevitable and al- so important for Attribute-Based Encryption （ABE） in practice. However, little attention has been paid to this issue, and it retrains one of the rmin obsta-cles for the application of ABE. Most of existing ABE schemes support attribute revocation work under indirect revocation model such that all the users＇ private keys will be affected when the revo-cation events occur. Though some ABE schemes have realized revocation under direct revocation model such that the revocation list is embedded in the ciphertext and none of the users＇ private keys will be affected by revocation, they mostly focused on the user revocation that revokes the user＇s whole attributes, or they can only be proven to be selectively secure. In this paper, we first define a model of adaptively secure ABE supporting the at- tribute revocation under direct revocation model. Then we propose a Key-Policy ABE （KP-ABE） scheme and a Ciphertext-Policy ABE （CP-ABE） scheme on composite order bilinear groups. Finally, we prove our schemes to be adaptively secure by employing the methodology of dual system eno cryption.

A Generic Construction of Ciphertext-Policy Attribute- Based Encryption Supporting Attribute Revocation

Attribute-based encryption is drawing more attention with its inherent attractive properties which are potential to be widely used in the newly developing cloud computing. However, one of the main obstacles for its application is how to revoke the attributes of the users, though some ABE schemes have realized revocation, they mostly focused on the user revocation that revokes the user＇s whole attributes, or attribute revocation under the indirect revocation model such that all the users＇ private keys will be affected by the revocation. In this paper, we define the model of CP-ABE supporting the attribute revocation under the direct revocation model, in which the revocation list is embed in the ciphertext and none of the users＇ private keys will be affected by the revocation process. Then we propose a generic construction, and prove its security with the decision q-BDHE assumption.

FACOR：Flexible Access Control with Outsourceable Revocation in Mobile Clouds

Access control is a key mechanism to secure outsourced data in mobile clouds. Some existing solutions are proposed to enforce flexible access control on outsourced data or reduce the computations performed by mobile devices. However, less attention has been paid to the efficiency of revocation when there are mobile devices needed to be revoked. In this paper, we put forward a new solution, referred to as flexible access control with outsourceable revocation(FACOR) for mobile clouds. The FACOR applies the attribute-based encryption to enable flexible access control on outsourced data, and allows mobile users to outsource the time-consuming encryption and decryption computations to proxies, with only requiring attributes authorization to be fully trusted. As an advantageous feature, FACOR provides an outsourceable revocation for mobile users to reduce the complicated attribute-based revocation operations. The security analysis shows that our FACOR scheme achieves data security against collusion attacks and unauthorized accesses from revoked users. Both theoretical and experimental results confirm that our proposed scheme greatly reliefs the mobile devices from heavy encryption and decryption computations, as well as the complicated revocation of access rights in mobile clouds.

Attribute-Based Access Control Scheme with Efficient Revocation in Cloud Computing

Attribute-based encryption(ABE) supports the fine-grained sharing of encrypted data.In some common designs,attributes are managed by an attribute authority that is supposed to be fully trustworthy.This concept implies that the attribute authority can access all encrypted data,which is known as the key escrow problem.In addition,because all access privileges are defined over a single attribute universe and attributes are shared among multiple data users,the revocation of users is inefficient for the existing ABE scheme.In this paper,we propose a novel scheme that solves the key escrow problem and supports efficient user revocation.First,an access controller is introduced into the existing scheme,and then,secret keys are generated corporately by the attribute authority and access controller.Second,an efficient user revocation mechanism is achieved using a version key that supports forward and backward security.The analysis proves that our scheme is secure and efficient in user authorization and revocation.

AN EFFICIENT FORWARD SECURE GROUP SIGNATURE SCHEME WITH REVOCATION

Up to now, how to construct an efficient secure group signature scheme, which needs not to reset the system when some group members' signing keys are exposed, is still a difficult problem. A construction concerning revocation of group members is an ideal one if it satisfies forward security which makes it more attractive for not sacrificing the security of past signatures of deleted members. This paper analyses the problem and gives a construction in which the group manager can be un-trustworthy. The scheme is efficient even when the number of revoked members is large.

Efficient Membership Revocation in ACJT Group Signature

How to find efficient and secure member- ship revocation algorithms is one of the most important issues standing in the way of real-world applications of group signatures. In this paper, the proof of knowledge of divisibility is given and a novel membership revocation method in ACJT group signature scheme is proposed： the group manager issues the product E of the public keys of current members in the group, when a group member wants to sign, he should not only proves that he has a membership certificate, but also proves that the public key in his certificate divides exactly the public key product E with zero knowledge. The proposed method is efficient since the group manager only needs one division and one exponentiation when a group member is deleted, while the signing and verifying procedure are independent of the number of current group members and excluded members, as well as the original group public key and membership certificates needn＇t be changed.

A Cluster-Based Random Key Revocation Protocol for Wireless Sensor Networks

In recent years,several random key pre-distribution schemes have been proposed to bootstrap keys for encryption,but the problem of key and node revocation has received relatively little attention.In this paper,based on a random key pre-distribution scheme using clustering,we present a novel random key revoca-tion protocol,which is suitable for large scale networks greatly and removes compromised information efficiently.The revocation protocol can guarantee network security by using less memory consumption and communication load,and combined by centralized and distributed revoca-tion,having virtues of timeliness and veracity for revoca-tion at the same time.

An efficient voting based decentralized revocation protocol for vehicular ad hoc networks

Vehicular Ad-hoc NETworks(VANETs)enable cooperative behaviors in vehicular environments and are seen as an integral component of Intelligent Transportation Systems(ITSs).The security of VANETs is crucial for their successful deployment and widespread adoption.A critical aspect of preserving the security and privacy of VANETs is the efficient revocation of the ability of misbehaving or malicious vehicles to participate in the network.This is usually achieved by revoking the validity of the digital certificates of the offending nodes and by maintaining and distributing an accurate Certificate Revocation List(CRL).The immediate revocation of misbehaving vehicles is of prime importance for the safety of other vehicles and users.In this paper,we present a decentralized revocation approach based on Shamir’s secret sharing to revoke misbehaving vehicles with very low delays.Besides enhancing VANETs’security,our proposed protocol limits the size of the revocation list to the number of the revoked vehicles.Consequently,the authentication process is more efficient,and the communication overhead is reduced.We experimentally evaluate our protocol to demonstrate that it provides a reliable solution to the scalability,efficiency and security of VANETs.

Public integrity verification for data sharing in cloud with asynchronous revocation

Cloud data sharing service,which allows a group of people to access and modify the shared data,is one of the most popular and efficient working styles in enterprises.Recently,there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost.Under the new cloud environment,the cloud users require the data integrity verification to inspect the data service at the cloud side.Several recent studies have focused on this application scenario.In these studies,each user within a group is required to sign a data block created or modified by him.While a user is revoked,all the data previously signed by him should be resigned.In the existing research,the resigning process is dependent on the revoked user.However,cloud users are autonomous.They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors.As the developers in the cloud-based software development platform,they are voluntary and not strictly controlled by the system.Due to this feature,cloud users may not always follow the cloud service protocol.They may not participate in generating the resigning key and may even expose their secret keys after being revoked.If the signature is not resigned in time,the subsequent verification will be affected.And if the secret key is exposed,the shared data will be maliciously modified by the attacker who grasps the key.Therefore,forcing a revoked user to participate in the revocation process will lead to efficiency and security problems.As a result,designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable.In this paper,we identify this challenging problem as the asynchronous revocation,in which the revocation operations(i.e.,re-signing key generation and resigning process)and the user's revocation are asynchronous.All the revocation operations must be able to be performed without the participation of the revoked user.Even more ambitiously,the revocation process should not rely on any special entity,such as the data owner or a trusted agency.To address this problem,we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user.From the perspectives of security and practicality,the revoked user does not participate in the resigning process and the re-signing key generation.Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags(HVTs).Moreover,the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users.The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme.The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 s and a user can finish the verification in 300 ms with a 99% error detection probability.

Tree-Based Revocation for Certificateless Authentication in Vehicular Ad-Hoc Networks

This work proposes authentication based on identity as a way to increase the efficiency and security of communications in vehicular ad-hoc networks. When using identity-based cryptography to achieve certificateless authentication, membership revocation is not a trivial problem. Thus, in order to improve the performance of revocation in such networks, the use of a dynamic authenticated data structure based on perfect k-ary hash trees combined with a duplex version of the new standard SHA-3 is here presented. Efficient algorithms in the used revocation trees allow reaching a refresh rate of at most simple updates per inserted node. Consequently, the proposal is especially useful for situations with frequent revocations, which are foreseeable when vehicular ad- hoc networks are widely deployed.

Attribute-Based Secure Data Sharing with Efficient Revocation in Fog Computing

Fog computing is a concept that extends the paradigm of cloud computing to the network edge. The goal of fog computing is to situate resources in the vicinity of end users. As with cloud computing, fog computing provides storage services. The data owners can store their confidential data in many fog nodes, which could cause more challenges for data sharing security. In this paper, we present a novel architecture for data sharing in a fog environment. We explore the benefits of fog computing in addressing one-to-many data sharing applications. This architecture sought to outperform the cloud-based architecture and to ensure further enhancements to system performance, especially from the perspective of security. We will address the security challenges of data sharing, such as fine-grained access control, data confidentiality, collusion resistance, scalability, and the issue of user revocation. Keeping these issues in mind, we will secure data sharing in fog computing by combining attributebased encryption and proxy re-encryption techniques. Findings of this study indicate that our system has the response and processing time faster than classical cloud systems. Further, experimental results show that our system has an efficient user revocation mechanism, and that it provides high scalability and sharing of data in real time with low latency.

Research on the Commutation Revocation

In order to resist some prisoner who have received rewards of commutation to implement some illegal or criminal behavior in the course of imprisonment, the system of commutation revocation must be established, which can advantage imprisonment and reduce the costs of imprisonment. The system of commutation revocation can obey to the criminal policy of temper justice with mercy and the principle of ＂collecting mistakes whenever discovered＂ and obtain the penalty goal of special prevention. In order to protect some prisoner＇ s benefit, the prisoner who be revoked the rewards of commutation can take part in the course of juice, the postbox which be opened only by the NPC and committee must be installed in prison. This will be advantage of some prisoner who be revoked the rewards of commutation appealing to the NPC and committee. Because of weakness of necessarily and execution, the system of commutation revocation cannot be established when the prisoner have been released currently.

Enhanced secure medical data sharing with traceable and direct revocation

Sharing of the electronic medical records among different hospitals raises serious concern of the leakage of individual privacy for the adoption of the semi trustworthiness of the medical cloud platform.The tracking and revocation of malicious users have become urgent problems.To solve these problems,this paper proposed a traceable and directly revocable medical data sharing scheme.In the scheme,a unique identity parameter(ID),which was generated and embedded in the private key generation phase by the medical service provider(MSP),is used to identify legal authorized user and trace malicious user.Only when attributes satisfy the access policy and user’s ID is not in the revocation list can the user calculate the decryption key.Malicious user can be tracked and directly revoked by using the revocation list.Under the assumption of decision bilinear Diffie-Hellman(DBDH),this paper has proved that the scheme is able to achieve security against chosen-plaintext attack(CPA).The performance analysis demonstrates that the sizes of the public key and private key are shorter,and the time overhead is less than other schemes in the public-private key generation,data encryption and data decryption stages.

Efficient revocation in ciphertext-policy attribute-based encryption based cryptographic cloud storage

It is secure for customers to store and share their sensitive data in the cryptographic cloud storage.However,the revocation operation is a sure performance killer in the cryptographic access control system.To optimize the revocation procedure,we present a new efficient revocation scheme which is efficient,secure,and unassisted.In this scheme,the original data are first divided into a number of slices,and then published to the cloud storage.When a revocation occurs,the data owner needs only to retrieve one slice,and re-encrypt and re-publish it.Thus,the revocation process is accelerated by affecting only one slice instead of the whole data.We have applied the efficient revocation scheme to the ciphertext-policy attribute-based encryption(CP-ABE) based cryptographic cloud storage.The security analysis shows that our scheme is computationally secure.The theoretically evaluated and experimentally measured performance results show that the efficient revocation scheme can reduce the data owner's workload if the revocation occurs frequently.

Secure proxy signature scheme with fast revocation in the standard model

Proxy signature is an important cryptographic primitive and has been suggested in numerous applications, Tne revocation oI delegated rights is an essential issue of the proxy signature schemes. In this article, a security model of proxy signature schemes with fast revocation is formalized. Under the formal security framework, a proxy signature scheme with fast revocation based on bilinear pairings is proposed. A security mediator （SEM）, which is an on-line partially trusted server, is introduced to examine whether a proxy signer signs according to the warrant or he/she exists in the revocation list. Moreover, the proxy signer must cooperate with the SEM to generate a valid proxy signature, thus the proposed scheme has the property of fast revocation. The proposed scheme is provably secure based on the computational Diffie-Hellman （CDH） intractability assumption without relying on the random oracles, and satisfies all the security requirements for a secure proxy signature.

Server-aided immediate and robust user revocation mechanism for SM9

As the only approved Identity-Based Encryption scheme in China that is also standardized by ISO,SM9-IBE has been widely adopted in many real-world applications.However,similar to other IBE standard algorithms,SM9-IBE currently lacks revocation mechanism,which is vital for a real system.Worse still,we find that existing revocable techniques may not be suitable and efficient when applying to SM9-IBE.Given the widespread use of SM9-IBE,an efficient and robust user revocation mechanism becomes an urgent issue.In this work,we propose a dedicated server-aided revocation mechanism,which for the first time achieves the secure,immediate and robust user revocation for SM9-IBE.Provided with a compact system model,the proposed method leverages an existing server to perform all heavy workloads during user revocation,thus leaving no communication and computation costs for the key generation center and users.Moreover,the mechanism supports key-exposure resistance,meaning the user revocation mechanism is robust even if the revocation key leaks.We then formally define and prove the security.At last,we present theoretical comparisons and an implementation in terms of computational latency and throughput.The results indicate the efficiency and practicability of the proposed mechanism.

Generic attribute revocation systems for attribute-based encryption in cloud storage

Attribute-based encryption(ABE) has been a preferred encryption technology to solve the problems of data protection and access control, especially when the cloud storage is provided by third-party service providers.ABE can put data access under control at each data item level. However, ABE schemes have practical limitations on dynamic attribute revocation. We propose a generic attribute revocation system for ABE with user privacy protection. The attribute revocation ABE(AR-ABE) system can work with any type of ABE scheme to dynamically revoke any number of attributes.

Generic user revocation systems for attribute-based encryption in cloud storage

Cloud-based storage is a service model for businesses and individual users that involves paid or free storage resources. This service model enables on-demand storage capacity and management to users anywhere via the Internet. Because most cloud storage is provided by third-party service providers, the trust required for the cloud storage providers and the shared multi-tenant environment present special challenges for data protection and access control. Attribute-based encryption(ABE) not only protects data secrecy, but also has ciphertexts or decryption keys associated with fine-grained access policies that are automatically enforced during the decryption process. This enforcement puts data access under control at each data item level. However, ABE schemes have practical limitations on dynamic user revocation. In this paper, we propose two generic user revocation systems for ABE with user privacy protection, user revocation via ciphertext re-encryption(UR-CRE) and user revocation via cloud storage providers(UR-CSP), which work with any type of ABE scheme to dynamically revoke users.

Public Auditing for Shared Data Utilizing Backups with User Revocation in the Cloud

With the advent of cloud storage, users can share their own data in the remote cloud as a group. To ensure the security of stored data and the normal operation of public auditing, once a user is revoked from the user group, the data files he signed should be resigned by other legal users in the group. In this paper, we propose a new re-signature scheme utilizing backup files to rebuild data which can resist the collusion between the cloud and revoked users, and we use Shamir Secret Sharing Scheme to encrypt data in the multi-managers system which can separate the authority of the group managers. Moreover, our scheme is more practical because we do not need managers to be online all the time. Performance evaluation shows that our mechanism can improve the efficiency of the process of data re-signature.

Access control scheme with attribute revocation for SWIM

Access control scheme is proposed for System Wide Information Management （SWIM） to address the problem of attribute revocation in practical applications. Based on the attribute based encryption （ABE）, this scheme introduces the proxy re-encryption mechanism and key encrypting key （KEK） tree to realize fine-grained access control with attribute revocation. This paper defines the attributes according to the status quo of civil aviation. Compared with some other schemes proposed before, this scheme not only shortens the length of ciphertext （CT） and private key but also improves the efficiency of encryption and decryption. The scheme can resist collusion attacks and ensure the security of data in SWIM.