A Generic Construction of Ciphertext-Policy Attribute- Based Encryption Supporting Attribute Revocation

Attribute-based encryption is drawing more attention with its inherent attractive properties which are potential to be widely used in the newly developing cloud computing. However, one of the main obstacles for its application is how to revoke the attributes of the users, though some ABE schemes have realized revocation, they mostly focused on the user revocation that revokes the user＇s whole attributes, or attribute revocation under the indirect revocation model such that all the users＇ private keys will be affected by the revocation. In this paper, we define the model of CP-ABE supporting the attribute revocation under the direct revocation model, in which the revocation list is embed in the ciphertext and none of the users＇ private keys will be affected by the revocation process. Then we propose a generic construction, and prove its security with the decision q-BDHE assumption.

Attribute-Based Re-Encryption Scheme in the Standard Model

In this paper, we propose a new attribute-based proxy re-encryption scheme, where a semi-trusted proxy, with some additional information, can transform a ciphertext under a set of attributes into a new ciphertext under another set of attributes on the same message, but not vice versa, furthermore, its security was proved in the standard model based on decisional bilinear Diffie-Hellman assumption. This scheme can be used to realize fine-grained selectively sharing of encrypted data, but the general proxy rencryption scheme severely can not do it, so the proposed schemecan be thought as an improvement of general traditional proxy re-encryption scheme.

General Attribute Based RBAC Model for Web Services

Growing numbers of users and many access policies that involve many different resource attributes in service-oriented environments cause various problems in protecting resource. This paper analyzes the relationships of resource attributes to user attributes based on access policies for Web services, and proposes a general attribute based role-based access control（GARBAC） model. The model introduces the notions of single attribute expression, composite attribute expression, and composition permission, defines a set of elements and relations among its elements and makes a set of rules, assigns roles to user by inputing user＇s attributes values. The model is a general access control model, can support more granularity resource information and rich access control policies, also can be used to wider application for services. The paper also describes how to use the GARBAC model in Web services environments.

A Survey of Identity-based and Attribute-based Cryptography

We survey the state of research on identity-based cryptography and attribute-based cryptography.We firstly review the basic concepts of identity-based cryptographic schemes in which users' identifier information such as email or IP addresses instead of digital certificates can be used as public key for encryption or signature verification,and subsequently review some important identity-based encryption,signature and signcryption schemes.Then we give our research on Identity-Based Encryption-Signature(IBES) method.We also survey the attribute-based cryptographic schemes in which the identity of user is viewed as a set of descriptive attributes,including some important attribute-based encryption and signature schemes.We subsequently give our research on Attribute-Based Encryption and Identity-Based Signature (ABE-IBS) method.Both methods aim at efficiently improving the security of wireless sensor network.Finally,we propose a few interesting open problems concerning with practical and theoretical aspects of identity-based cryptography and attribute-based cryptography.

A General Attribute and Rule Based Role-Based Access Control Model

Growing numbers of users and many access control policies which involve many different resource attributes in service-oriented environments bring various problems in protecting resource.This paper analyzes the relationships of resource attributes to user attributes in all policies, and propose a general attribute and rule based role-based access control(GAR-RBAC) model to meet the security needs. The model can dynamically assign users to roles via rules to meet the need of growing numbers of users. These rules use different attribute expression and permission as a part of authorization constraints, and are defined by analyzing relations of resource attributes to user attributes in many access policies that are defined by the enterprise. The model is a general access control model, and can support many access control policies, and also can be used to wider application for service. The paper also describes how to use the GAR-RBAC model in Web service environments.

Enabling Privacy Preservation and Decentralization for Attribute-Based Task Assignment in Crowdsourcing

Crowdsourcing allows people who are endowed with certain skills to accomplish special tasks with incentive. Despite the state-of-art crowdsourcing schemes have guaranteed low overhead and considerable quality, most of them expose task content and user’s attribute information to a centralized server. These servers are vulnerable to single points of failure, the leakage of user’s privacy information, and lacking of transparency. We therefore explored an alternative design for task assignment based on the emerging decentralized blockchain technology. While enabling the advantages of the public blockchain, changing to open operations requires some additional technology and design to preserve the privacy of user’s information. To mitigate this issue, we proposed a secure task assignment scheme, which enables task content preservation and anonymous attribute requirement checking. Specifically, by adopting the cryptographic techniques, the proposed scheme enables task requester to safely place his task in a transparent blockchain. Furthermore, the proposed scheme divides the attribute verification process into public pre-verification and requester verification, so that the requester can check only the identity of the worker, instead of verifying the attributes one by one, thereby preserving the identity of worker while significantly reducing the requester’s calculation burden. Additionally, security analysis demonstrated unrelated entities cannot learn about the task content and identity information from all data uploaded by requester and worker. Performance evaluation showed the low computational overhead of our scheme.

Attribute-Based Secure Data Sharing with Efficient Revocation in Fog Computing

Fog computing is a concept that extends the paradigm of cloud computing to the network edge. The goal of fog computing is to situate resources in the vicinity of end users. As with cloud computing, fog computing provides storage services. The data owners can store their confidential data in many fog nodes, which could cause more challenges for data sharing security. In this paper, we present a novel architecture for data sharing in a fog environment. We explore the benefits of fog computing in addressing one-to-many data sharing applications. This architecture sought to outperform the cloud-based architecture and to ensure further enhancements to system performance, especially from the perspective of security. We will address the security challenges of data sharing, such as fine-grained access control, data confidentiality, collusion resistance, scalability, and the issue of user revocation. Keeping these issues in mind, we will secure data sharing in fog computing by combining attributebased encryption and proxy re-encryption techniques. Findings of this study indicate that our system has the response and processing time faster than classical cloud systems. Further, experimental results show that our system has an efficient user revocation mechanism, and that it provides high scalability and sharing of data in real time with low latency.

基于属性相似性的Item-based协同过滤算法

通过分析传统Item-based协同过滤推荐中的稀疏性问题以及新项目的冷开始问题,提出了一个基于属性相似性的Item-based协同过滤算法。该算法利用项目属性的相似性来修正原始相似性计算,综合考虑项目属性和用户评价对推荐的影响,改进了传统相似性度量方法在评价数据稀疏和新项目推荐中测量结果不够准确的问题。

一种改进的Item-based协同过滤推荐算法

分析了协同过滤推荐系统中存在的用户多兴趣和项目多内容问题,提出了一种基于项的协同过滤改进算法,算法综合考虑了项目自身属性和用户评价的影响.试验表明该算法有效的解决了用户的多兴趣和项目的多内容问题,并且在用户评分数据比较稀疏的情况下也能有较好的推荐精度.

Improved Rough Set Algorithms for Optimal Attribute Reduct

Feature selection（FS） aims to determine a minimal feature（attribute） subset from a problem domain while retaining a suitably high accuracy in representing the original features. Rough set theory（RST） has been used as such a tool with much success. RST enables the discovery of data dependencies and the reduction of the number of attributes contained in a dataset using the data alone,requiring no additional information. This paper describes the fundamental ideas behind RST-based approaches,reviews related FS methods built on these ideas,and analyses more frequently used RST-based traditional FS algorithms such as Quickreduct algorithm,entropy based reduct algorithm,and relative reduct algorithm. It is found that some of the drawbacks in the existing algorithms and our proposed improved algorithms can overcome these drawbacks. The experimental analyses have been carried out in order to achieve the efficiency of the proposed algorithms.

Multi-authority proxy re-encryption based on CPABE for cloud storage systems

The dissociation between data management and data ownership makes it difficult to protect data security and privacy in cloud storage systems.Traditional encryption technologies are not suitable for data protection in cloud storage systems.A novel multi-authority proxy re-encryption mechanism based on ciphertext-policy attribute-based encryption（MPRE-CPABE） is proposed for cloud storage systems.MPRE-CPABE requires data owner to split each file into two blocks,one big block and one small block.The small block is used to encrypt the big one as the private key,and then the encrypted big block will be uploaded to the cloud storage system.Even if the uploaded big block of file is stolen,illegal users cannot get the complete information of the file easily.Ciphertext-policy attribute-based encryption（CPABE）is always criticized for its heavy overload and insecure issues when distributing keys or revoking user＇s access right.MPRE-CPABE applies CPABE to the multi-authority cloud storage system,and solves the above issues.The weighted access structure（WAS） is proposed to support a variety of fine-grained threshold access control policy in multi-authority environments,and reduce the computational cost of key distribution.Meanwhile,MPRE-CPABE uses proxy re-encryption to reduce the computational cost of access revocation.Experiments are implemented on platforms of Ubuntu and CloudSim.Experimental results show that MPRE-CPABE can greatly reduce the computational cost of the generation of key components and the revocation of user＇s access right.MPRE-CPABE is also proved secure under the security model of decisional bilinear Diffie-Hellman（DBDH）.

Hybrid Cloud Security by Revocable KUNodes-Storage with Identity-Based Encryption

Cloud storage is a service involving cloud service providers providingstorage space to customers. Cloud storage services have numerous advantages,including convenience, high computation, and capacity, thereby attracting usersto outsource data in the cloud. However, users outsource data directly via cloudstage services that are unsafe when outsourcing data is sensitive for users. Therefore, cipher text-policy attribute-based encryption is a promising cryptographicsolution in a cloud environment, and can be drawn up for access control by dataowners (DO) to define access policy. Unfortunately, an outsourced architectureapplied with attribute-based encryption introduces numerous challenges, including revocation. This issue is a threat to the data security of DO. Furthermore,highly secure and flexible cipher text-based attribute access control with role hierarchy user grouping in cloud storage is implemented by extending the KUNodes(revocation) storage identity-based encryption. Result is evaluated using Cloudsim, and our algorithm outperforms in terms of computational cost by consuming32 MB for 150-MB files.

Fog-Based Secure Framework for Personal Health Records Systems

The rapid development of personal health records(PHR)systems enables an individual to collect,create,store and share his PHR to authorized entities.Health care systems within the smart city environment require a patient to share his PRH data with a multitude of institutions’repositories located in the cloud.The cloud computing paradigm cannot meet such a massive transformative healthcare systems due to drawbacks including network latency,scalability and bandwidth.Fog computing relieves the load of conventional cloud computing by availing intermediate fog nodes between the end users and the remote servers.Assuming a massive demand of PHR data within a ubiquitous smart city,we propose a secure and fog assisted framework for PHR systems to address security,access control and privacy concerns.Built under a fog-based architecture,the proposed framework makes use of efficient key exchange protocol coupled with ciphertext attribute based encryption(CP-ABE)to guarantee confidentiality and fine-grained access control within the system respectively.We also make use of digital signature combined with CP-ABE to ensure the system authentication and users privacy.We provide the analysis of the proposed framework in terms of security and performance.

Attribute-Based Encryption for Circuits on Lattices

In the previous construction of attributed-based encryption for circuits on lattices, the secret key size was exponential to the number of AND gates of the circuit. Therefore, it was suitable for the shallow circuits whose depth is bounded. For decreasing the key size of previous scheme, combining the techniques of Two-to-One Recoding （TOR）, and sampling on lattices, we propose a new Key-Policy Attribute-Based Encryption （KP-ABE） scheme for circuits of any arbitrary polynomial on lattices, and prove that the scheme is secure against chosen plaintext attack in the selective model under the Learning With Errors （LWE） assumptions. In our scheme, the key size is proportional to the number of gates or wires in the circuits.

Fully Secure Revocable Attribute-Based Encryption

Distributed information systems require complex access control which depends upon attributes of protected data and access policies.Traditionally,to enforce the access control,a file server is used to store all data and act as a reference to check the user.Apparently,the drawback of this system is that the security is based on the file server and the data are stored in plaintext.Attribute-based encryption(ABE) is introduced first by Sahai and Waters and can enable an access control mechanism over encrypted data by specifying the users’ attributes. According to this mechanism,even though the file server is compromised,we can still keep the security of the data. Besides the access control,user may be deprived of the ability in some situation,for example paying TV.More previous ABE constructions are proven secure in the selective model of security that attacker must announce the target he intends to attack before seeing the public parameters.And few of previous ABE constructions realize revocation of the users’ key.This paper presents an ABE scheme that supports revocation and has full security in adaptive model.We adapt the dual system encryption technique recently introduced by Waters to ABE to realize full security.

Attribute-Based Signature on Lattices

Attribute-based signature is a versatile class of digital signatures. In attribute-based signature, a signer obtains his private key corresponding to the set of his attributes from a trusted authority, and then he can sign a message with any predicate that is satisfied by his attributes set. Unfortunately, there does not exist an attributebased signature which is resistance to the quantum attacks. This means we do not have secure attribute-based signature schemes in a post-quantum world. Based on this consideration, an attribute-based signature on lattices,which could resist quantum attacks, is proposed. This scheme employs "bonsai tree" techniques, and could be proved secure under the hardness assumption of small integer solution problem.

Generic attribute revocation systems for attribute-based encryption in cloud storage

Attribute-based encryption(ABE) has been a preferred encryption technology to solve the problems of data protection and access control, especially when the cloud storage is provided by third-party service providers.ABE can put data access under control at each data item level. However, ABE schemes have practical limitations on dynamic attribute revocation. We propose a generic attribute revocation system for ABE with user privacy protection. The attribute revocation ABE(AR-ABE) system can work with any type of ABE scheme to dynamically revoke any number of attributes.

A Hierarchical Attribute-Based Encryption Scheme

According to the relation of an attribute set and its subset,the author presents a hierarchical attribute-based encryption scheme in which a secret key is associated with an attribute set.A user can delegate the private key corresponding to any subset of an attribute set while he has the private key corresponding to the attribute set.Moreover,the size of the ciphertext is constant,but the size of private key is linear with the order of the attribute set in the hierarchical attribute-based encryption scheme.Lastly,we can also prove that this encryption scheme meets the security of IND-sSETCPA in the standard model.

Ciphertext-Policy Attribute-Based Encryption for General Circuits from Bilinear Maps

In this paper, we present the first ciphertext-policy attribute-based encryption （CP-ABE） scheme for polynomial-size general circuits based on bilinear maps which is more suitable for practical use and more efficient than multilinear maps. Our scheme uses a top-down secret sharing and FANOUT gate to resist the ＂backtracking attack＂ which is the main barrier expending access tree to general circuit. In the standard model, selective security of our scheme is proved. Comparing with current scheme for general circuits from bilinear maps, our work is more efficient.

Generic user revocation systems for attribute-based encryption in cloud storage

Cloud-based storage is a service model for businesses and individual users that involves paid or free storage resources. This service model enables on-demand storage capacity and management to users anywhere via the Internet. Because most cloud storage is provided by third-party service providers, the trust required for the cloud storage providers and the shared multi-tenant environment present special challenges for data protection and access control. Attribute-based encryption(ABE) not only protects data secrecy, but also has ciphertexts or decryption keys associated with fine-grained access policies that are automatically enforced during the decryption process. This enforcement puts data access under control at each data item level. However, ABE schemes have practical limitations on dynamic user revocation. In this paper, we propose two generic user revocation systems for ABE with user privacy protection, user revocation via ciphertext re-encryption(UR-CRE) and user revocation via cloud storage providers(UR-CSP), which work with any type of ABE scheme to dynamically revoke users.