Professional Documents
Culture Documents
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
1 Abstract—To manage outsourced encrypted data sharing in Therefore, attribute-based proxy re-encryption (ABPRE) was 40
2 clouds, attribute-based proxy re-encryption (ABPRE) has become used to enable direct transformation from a ciphertext to 41
3 an elegant primitive. In ABPRE, a cloud server can transform an another one. And all the cloud server needs to deal with is 42
4 original recipient’s ciphertext to a new one of a shared user’s.
5 As the transformation is computation consuming, a malicious the encrypted data and a re-encryption key. The ciphertext 43
6 cloud server may return an incorrect re-encrypted ciphertext under one policy would be transformed by re-encryption to 44
7 to save its computation resources. Moreover, a shared user a new ciphertext associate with another policy. During the 45
8 may accuse the cloud server of returning an incorrect re- transformation, the cloud server cannot reveal the underlying 46
9 encrypted ciphertext to refuse to pay the cost of using the cloud plaintext. In such a manner, the recipient with access policy P1 47
10 service. However, existing ABPRE schemes do not support a
11 mechanism to achieve verifiability and fairness. In this paper, is able to share its outsourced encrypted data with a shared user 48
12 a novel verifiable and fair attribute-based proxy re-encryption with access policy P2 . However, a main issue of ABPRE is 49
13 (VF-ABPRE) scheme is introduced to support verifiability and that the recipient cannot ensure the validity of the re-encrypted 50
14 fairness. The verifiability enables a shared user to verify whether ciphertext returned by the cloud server. Since the re-encryption 51
15 the re-encrypted ciphertext returned by the server is correct computation’s complexity is linear with the size of the access 52
16 and the fairness ensures a cloud server escape from malicious
17 accusation if it has indeed conducted the re-encryption operation policy, the computation can be very expensive. As a result, the 53
18 honestly. Additionally, we conduct a performance experiment cloud server may reuse a previously generated re-encrypted 54
19 to show the efficiency and practicality of the new VF-ABPRE ciphertext or even a random re-encrypted ciphertext to save 55
20 scheme. its computation resource [3]. Moreover, the current ABPRE 56
21 Index Terms—Attribute-based proxy re-encryption, Data shar- schemes cannot achieve the fairness property which prevents 57
22 ing, Cloud computing, Verifiability, Fairness.
the cloud server from a malicious accusation of returning 58
honestly. 60
LOUD computing, which provides adequate storage and
24
25
26
C computation capability, has been a prevalent information
infrastructure. Instead of managing data locally, cloud services
We use the following genome data research system to
illustrate the aforementioned problem. A volunteer uploads his
61
62
and University of Wollongong, Wollongong, Australia. gecp@nuaa.edu.cn. Incorrect genome data may lead to a disaster to the research 80
W. Susilo and J. Baek are with University of Wollongong, Wollongong, result. Another issue is that, the shared user may accuse the 81
Australia. {wsusilo, baek}@uow.edu.au.
Z. Liu is with Nanjing University of Aeronautics and Astronautics, and cloud serve of returning an incorrect re-encrypted ciphertext 82
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China. even if the re-encrypted ciphertext is correct [4]. By doing so, 83
zheliu@nuaa.edu.cn. the shared user may refuse to pay for the cloud service which 84
L. Fang is with Nanjing University of Aeronautics and Astronautics.
fangliming@nuaa.edu.cn. is a critical problem for the commercial cloud service system. 85
J. Xia is with IBM. jinyue.xia@ibm.com. At first glance, one may think this issue can be resolved 86
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
as the pay-TV system [6]. In contrast, CP-ABE fits well for the 127
䌀吀 cloud sharing system as the user can appoint the access to the 128
倀 recipients [5]. Following their work, the work on ABE have 129
䌀吀 爀
欀倀ⴀⴀ㸀倀
㈀ 䌀吀ᤠ 倀㈀
[16] and anonymity [17]–[20]. 131
倀 倀㈀
ABPRE. In proxy re-encryption [21], [22], a ciphertext is 132
爀
欀
匀栀愀爀
攀搀
甀猀攀爀 transformed to a new one of another user’s by a proxy using 133
倀ⴀ
ⴀ㸀倀
㈀
伀爀
椀最椀
渀愀氀
爀攀挀
椀瀀椀
攀渀琀 detect whether the proxy has the maliciously behaved, Ohata 136
Fig. 1. System model of ABPRE. the proxy. However, their scheme cannot provide a fine- 138
scheme, the original recipient’s public key is required for the 140
87 through verifying the re-encryption if the server publishes the verification of the re-encrypted ciphertext, which also means 141
88 re-encryption key and the original ciphertext. By doing so, the shared user must identify each re-encrypted ciphertext 142
89 everyone can repeat the re-encryption operation to verify the with the original recipient. What’s important is that it lacks a 143
90 correctness of the ciphertext returned by the server. However, mechanism to protect the proxy from malicious accusation. In 144
91 such a manner is impractical as the re-encryption operation the meanwhile, Liang et al. [24] introduced this notion to the 145
92 cost is expensive, it is not suitable for a verifier to repeat attribute-based setting and thus achieves a flexible description 146
93 this computation costly work. Another trivial solution is that on the encrypted data. Following their work, many ABPRE 147
94 a shared user can reveal his private key so that the original schemes were proposed to extend the expressiveness of the 148
95 recipient can decrypt the returned re-encrypted ciphertext access policy [25]–[27] and enhance the security model [28]– 149
96 and then he can validate the plaintext is original. However, [30]. Unfortunately, none of above ABPRE works have con- 150
97 revealing private key may result in critical security issues to sidered the verifiability and the fairness properties which are 151
98 the shared user. critical for an outsourced re-encryption system. 152
104 and fairness for ABPRE while keeping its confidentiality. encrypted data sharing in cloud computing. 157
118 ABE. In a typical ABE [2] setup, a user only can access the A verifiable and fair ciphertext-policy attribute-based proxy 170
119 plaintext from a ciphertext if his credential satisfies the access re-encryption (VF-CP-ABPRE) system includes the following 171
120 policy. According to the manner of a secret key/ciphertext entities, data owner, original recipient, a cloud server act as a 172
121 is generated, ABE is categorized into ciphertext-policy ABE proxy and shared recipients. In addition, there is an authority 173
122 (CP-ABE) [5] and key-policy ABE (KP-ABE) [6]. In CP- center that initializes the system and issues private keys for 174
123 ABE, a ciphertext is generated with an access policy and a users. 175
124 secret key is with attribute set, while KP-ABE is in contrast. • The authority center initializes the system by generating 176
125 As illustrated in [6], KP-ABE is suitable for the scenarios system parameters and issuing private keys for partici- 177
126 where the authority decides who are the authorized users, such pants. 178
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
179 • A user encrypts his personal data under an access policy • KeyGen(msk, S): KeyGen is also executed by the 231
180 and stores the resulting ciphertext on cloud. authority party. This step outputs the secret keys for 232
181 • The original recipient, who wants to share encrypted data participants. It takes the master key msk and an attribute 233
182 that originally sent to him with some other shared users, set S as the input, and generates the secret key sk for S. 234
183 generates a re-encryption key which will be used by • Enc(m, (A, ρ)): This step encrypts a message m with an 235
184 the cloud server to convert his ciphertext for the shared access policy (A, ρ) and generates an original ciphertext 236
186 • The cloud server (e.g. AWS) stores the ciphertexts, and • ReKeyGen(sk, (A, e ρe)): This algorithm uses a private 238
187 conducts the re-encryption operations. key sk of attribute set S and an access policy (A, e ρe), 239
188 • The shared user can decrypt a re-encrypted ciphertext where R(S, (A, e ρe)) = 01 and outputs a re-encryption key 240
189 as normal. Additionally, he can verify whether the re- rk. 241
190 encrypted ciphertext is correct. If it is incorrect, he is • ReEnc(rk, CT ): A re-encryption key rk and an original 242
191 able to present a proof to show that the re-encryption is ciphertext CT are the inputs, ReEnc(rk, CT ) outputs a 243
194 In our treat model, we consider the following threats: CT , outputs the plaintext m if CT is a valid ciphertext 247
195 • An adversary including the cloud server without a valid or abort ⊥ otherwise. 248
196 private key may want to reveal the plaintext from a • Decre (sk, CT 0 , CT ): The Decre algorithm is leveraged 249
197 ciphertext (including the original ciphertext and the re- to decrypt a re-encrypted ciphertext CT 0 . Inputs a secret 250
198 encrypted ciphertext). This is type of attack is viewed as key sk, an original ciphertext CT and its re-encrypted 251
199 a threat to data confidentiality. ciphertext CT 0 , outputs the plaintext m if CT 0 is a valid 252
200 • A malicious may want to return an incorrect re-encrypted re-encrypted ciphertext of CT or ⊥ otherwise. 253
201 ciphertext without been detected by the shared user. This • Claim(CT, rk, CT 0 , π): The Claim algorithm is ex- 254
202 type of attack is viewed as a threat to the verifiability. ecuted between a shared user and a public verifier. 255
203 • A shared user may want to make a wrong claim to The input of the shared user and the public verifier 256
204 accuse that the cloud server has returned an incorrect re- is (CT, rk, CT 0 ). The shared user outputs a proof π 257
205 encrypted ciphertext even if the cloud server has returned to claim that CT 0 returned by the cloud server is an 258
206 a correct one. This type of attack is viewed as a threat to incorrect re-encrypted ciphertext of CT under rk. The 259
207 the fairness. public verifier verifies the claim and outputs true if the 260
208 C. Linear secret sharing scheme encrypted ciphertext of CT . Otherwise, outputs f lase 262
209 A Linear secret sharing scheme (LSSS) Π is linear over a that indicates the claim is incorrect. 263
210 set of parties (over Zp ) if: In the above definition, there is the public parameter as part 264
211 • every party’s share is a vector over Zp . of the input for each algorithm and is omitted for simplicity. 265
223 D. VF-CP-ABPRE definition Semantic security. In a VF-CP-ABPRE scheme, there are 276
two types of ciphertexts: the original ciphertext and the re- 277
224 Definition 1: A VF-CP-ABPRE scheme is composed of the encrypted ciphertext. We will user the Semantic-Or security 278
225 following steps. game to describe the semantic security of the original cipher- 279
226 • Setup(λ, U ): A trusted authority executes Setup to text, and Semantic-Re to describe the semantic security of the 280
227 initialize the system. A security parameter λ and the re-encrypted ciphertext. 281
228 attribute universe U are the input to Setup. The system’s
229 public parameter P P and master secret key msk are 1 R(S, (A, ρ)) = 0 means the attribute set S doesn’t satisfy the access
230 generated at this phase. policy (A, ρ), and R(S, (A, ρ)) = 1 means S satisfies (A, ρ).
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
282 Game Semantic-Or. A VF-CP-ABPRE scheme is original KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), 332
283 ciphertext semantic secure in the selective model if the advan- sends rk to A. 333
284 tage of an adversary A in the following game is negligible. During Query phase I, A cannot make the Osk (S) query 334
∗ ∗
285 • Init. The attacker A chooses (A , ρ ) as the challenge if R(S, (A∗ , ρ∗ )) = 1. 335
286 access policy. • Challenge. A chooses two plaintext (m0 , m1 ) with 336
287 • Setup. In this step, a challenger C runs the Setup to equal length and sends them to the challenger 337
288 generate P P and msk. Then, C passes public parameters C. C computes the challenge ciphertext CT 0∗ = 338
290 • Query phase I. A queries: ReKeyGen(S, (A∗ , ρ∗ )), R(S, (A, ρ)) = 1, and returns 340
292 executes sk = KeyGen(msk, S) and returns sk to • Query phase II. A queries like in Query phase I except 342
296 KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), anyone can answer the re-encryption query by issuing a re- 346
297 returns rk to A. encryption key query first to get the relevant re-encryption 347
298 3) Ore (CT, S, (A,e ρe)): A makes a re-encryption key and then answer the re-encryption query. Hence, we omit 348
299 query on (CT, S, (A, e ρe)), C executes sk = the re-encryption query in the above game. 349
300 KeyGen(msk, S), rk = ReKeyGen(sk, (A, e ρe)) The adversary A’s advantage to win the semantic-re game
301 and CT 0 = ReEnc(CT, rk), returns CT 0 to A. is defined as
302 During Query phase I, A cannot make the following
303 queries:
Sem−Re
AdvA (λ) = |P r[σ 0 = σ] − 1/2|.
304 1) Osk (S) if R(S, (A∗ , ρ∗ )) = 1; Definition 2 (Semantic security). A VF-CP-ABPRE 350
305
e ρe)) if R(S, (A∗ , ρ∗ )) = 1 and A has
2) Ork (S, (A, scheme is semantic secure if it is Semantic-Or secure and 351
306 queried Osk (S)e where R(S, e (A,
e ρe)) = 1.
Semantic-Re secure. 352
307 • Challenge. A chooses two plaintext (m0 , m1 ) with equal 353
308 length and sends them to the challenger C. C computes the Verifiability. The verifiability of a VF-CP-ABPRE scheme 354
309 challenge ciphertext CT ∗ = Enc(mσ , (A∗ , ρ∗ )) where is captured by the following game. 355
310 σ ∈ {0, 1}, and returns it to A.
• Setup. In this step, a challenger C runs the Setup 356
311 • Query phase II. A queries like in Query phase I except:
algorithm and gets the public parameters and master 357
312 1) Osk (S) if R(S, (A∗ , ρ∗ )) = 1; secret key. Then, C passes public parameters to A. 358
313 2) Ork (S, (A, e if R(S, (A∗ , ρ∗ )) = 1 and
e ρe)) and Osk (S),
• Query phase I. A queries: 359
314 R(S,
e (A,
e ρe)) = 1.
1) Osk (S): A queries on attribute set S, challenger C 360
315 3) Ore (CT ∗ , S, (A, e if R(S, (A∗ , ρ∗ )) =
e ρe)) and Osk (S),
executes sk = KeyGen(msk, S), and sends sk to A. 361
316 1 and R(S, (A, ρe)) = 1.
e e
0
2) Ork (S, (A,e ρe)): A makes a re-encryption key query on 362
317 • Guess. A outputs its guess σ . e ρe)) = 0. C executes sk =
(S, (A, ρe)), where R(S, (A,
e 363
The adversary A’s advantage to win the semantic-or game KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), 364
is defined as sends rk to A. 365
Sem−Or
AdvA (λ) 0
= |P r[σ = σ] − 1/2|. 3) Oclaim (CT, rk, CT 0 , π): A makes a claim key query 366
318 Game Semantic-Re. A VF-CP-ABPRE scheme is re- the adversary A and outputs the result of algorithm 368
319 encrypted ciphertext semantic secure in the selective model Claim(CT, rk, CT 0 , π). 369
323 • Setup. In this step, a challenger C runs the Setup to • Query phase II. A queries like in Query phase I. 373
324 generate P P and msk.. Then, C passes public parameters • Guess. A outputs an attribute set S ∗ where 374
328 executes sk = KeyGen(msk, S), then sends sk to The adversary A’s advantage to win the verifiability security
329 A. game is defined as
330 2) Ork (S, (A,e ρe)): A makes a re-encryption key query on
e ρe)) = 0. C executes sk = V er
331 (S, (A, ρe)), where R(S, (A,
e AdvA (λ) = |P r[A wins|V er].
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
378 Definition 3 (Verifiability). A VF-CP-ABPRE scheme is 3) the probability of finding two values a, b such that b 6= a 426
V er
379 verifiable if for all PPT adversary A, its advantage AdvA and H(a) = H(b) is negligible; 427
380 is negligible.
D. Complex assumption 428
381
382 Fairness. The Fairness of a VF-CP-ABPRE scheme is Let (e, G, GT , g, p) is a bilinear pairing and a, r ∈ Zp , g, ∈
383 captured by the following game. G are random elements, given an instance ~v =
q q+2 2q
384 • Setup. In this step, a challenger C runs the Setup g, g r , g a , · · · , g a , g a , · · · , ga ,
385 algorithm and gets the public parameters and master q q+2 2q
386 secret key. Then, C passes public parameters to A. ∀j ∈ [1, q] g r·bj , g a/bj , · · · , g a /bj
, ga /bj
, · · · , ga /bj
,
387 • Query phase I. A queries: q
·r·bt /bj
∀j, t ∈ [1, q], t 6= j, g a·r·bt /bj , · · · , g a ,
388 1) Osk (S): A queries on attribute set S, challenger C q+1
389 executes sk = KeyGen(msk, S), and sends sk to A. it is hard to distinguish e(g, g)r·a from a random value
390 2) Ork (S, (A,
e ρe)): A makes a re-encryption key query on T ∈ GT . Formally, the advantage of a PPT algorithms B
391 (S, (A, e ρe)) = 0. C executes sk =
e ρe)), where R(S, (A, q+1
|P r[B(~v , e(g, g)r·a ) = 1] − P r[B(~v , T ) = 1]|
392 KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)),
393 sends rk to A. is negligible. 429
394 3) Oclaim (CT, rk, CT 0 , π): A makes a claim key query The decisional q-parallel BDHE assumption holds if no 430
395 on (CT, rk, CT 0 , π). The challenger C interacts with polynomial probability time adversary can solve the above 431
396 the adversary A and outputs the result of algorithm problem with a non-negligible advantage. 432
The adversary A’s advantage to win the verifiability security IV. P ROPOSED VF-CP-ABPRE C ONSTRUCTION 435
game is defined as
To begin with, we describe what challenges we are facing 436
F air and then introduce our techniques that will be used in our
AdvA (λ) = |P r[A wins|F air]. 437
411 If for ∀t > 0, there exists a xt such that f (x) < 1/xt for correct one, a straightforward way is that the original recipient 443
412 ∀x > xt , the f (x) is a negligible function. and the shared user can reveal their private key. Thus, anyone 444
415
s t
• e(U , V ) = e(U, V )
st
for all U, V ∈ G and s, t ∈ Zp∗ , when generating the original ciphertext, a commitment of the 448
416 • e(U, V ) 6= 1, plaintext is also generated. This commitment with the re- 449
417 • e(U, V ) can be efficiently computed for all U, V ∈ G, encryption will be sent to the shared user. Thus, the shared 450
418 where G and GT are multiplicative cyclic groups with gener- user can first retrieve the plaintext by normal decryption and 451
419 ator g and order p. then check the plaintext against the commitment. In such a 452
manner, the shared user can verify the validity of the re- 453
420 C. Cryptographic Hash Function
encryption. However, this approach assumes the shared user’s 454
421 A hash function H is a cryptographic hash function, if: private key is available for the verification. The malicious 455
422 1) given a value y, the probability of finding a value x, attacker may issue an incorrect plaintext m and claim that 456
423 where H(x) = y is negligible; m is the underlying plaintext of the re-encrypted ciphertext. 457
424 2) given H(a), the probability of finding a value b where The problem is that a verifier cannot assure that m is indeed 458
425 b 6= a and H(b) = H(a) is negligible; the corresponding plaintext as no one else could make the 459
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
n
460 decryption except the shared user. If the shared user publishes Selects a random vector µ r, ye2 , · · · , yf
~e = (e e ) ∈ Zp . For
n
e
461 his private key, the data confidentiality will be destroyed. each row A e computes λ
e j of A, fj = µ ~e · A e j , j ∈ [1, e
l].
462 In our approach, we leverage the message-lock encryption Randomly chooses rej ∈ Zp for each j ∈ [1, e l]. Then
463 (MLE) [31] technique to prevent the shared user from reveal- computes
464 ing an unrelated m. MLE guarantees that the same plaintext
465 corresponds to the identical re-encrypted ciphertext. Thus, a rk5 = χ · e(g, g)αer , rk6 = g re,
466 plaintext m was bind with a re-encrypted ciphertext. Whenever f −re
467 a shared user returns a plaintext m, it can be publicly verified rk7,j = g aλj fρe(j)j , rk8,j = g rej ∀j ∈ [1, e
l].
468 that m is indeed the plaintext of the re-encrypted ciphertext.
Output the re-encryption as key rk = (rk0 , rk1 , rk2 , rk3 , 489
469 B. Our VF-CP-ABPRE Construction {rk4,x }x∈S , rk5 , rk6 , {rk7,j , rk8,j }j∈[1,el] , (A,
e ρe)). 490
470 • Setup(λ, U ): The authority center generates a bilin- • ReEnc(rk, CT ): On input an original ciphertext 491
471 ear pairing tuple (e, G, GT , G, p). Denote the mes- CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C) and a re- 492
472 sage space as {0, 1}k . Randomly chooses α, a ∈ Zp∗ , encryption key rk = (rk0 , rk1 , rk2 , rk3 , {rk4,x }x∈S , 493
473 g, f1 , · · · , fU , φ, ϕ, Q ∈ G. The authority center also rk5 , rk6 , {rk7,j , rk8,j }j∈[1,el] , (A,
e ρe)). 494
474 chooses two cryptographic hash functions H1 : GT → If R(S, (A, ρ)) = 0, outputs ⊥. Otherwise, let J = {j :
475 {0, 1}2k , H2 : {0, 1}∗ → Zp∗ , and a message-lock ρ(j) ∈ S} ⊂ {1, · · · l}, finds elements θj ∈ Zp∗ , such that
P
476 encryption algorithm M LE. Sets msk = g α and P P = j∈J θj · Aj = (1, 0, · · · , 0). Then, computes
477 (e, G, GT , g, f1 , · · · , fU , φ, ϕ, Q, g a , e(g, g)α , H1 , H2 ,
e(rk1 , C1 ) · e(rk2 , C2 )−1
478 M LE). C00 = Q θj
.
479 Note that, the hash function H1 and H2 can be con- j∈J (e(rk3 , C3,j ) · e(rk4,ρ(j) , C4,j ))
480 structed based on the standard cryptographic hash func- 0
Sets C = C, C 0 = C, C10 = rk5 , C20 = 495
481 tions such as SHA-1. Specifically, given an element 0 0
482 x ∈ GT as the input of H1 , H1 first converts x into rk6 , C3,j = rk7,j , C4,j = rk8,j j ∈ [1, e l], 496
a string type. Then, it takes the string as input of SHA-1 C5 = rk0 . Outputs the re-encrypted ciphertext CT 0 =
0
497
483 0
484 and thus gets a fixed length output. For H2 , it first calls (C 0 , C , C00 , C10 , C20 , {C3,j
0 0
, C4,j }j∈[1,el] , C50 , (A,
e ρe)). 498
485 SHA-1 to get a fixed length string, and then converts the • Decor (sk, CT ): Inputs a secret key sk = 499
• KeyGen(msk, S): Randomly choose s ∈ Zp∗ , and sets CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C). Checks 501
• Enc(m, (A, ρ)): Let (A, ρ) is an l × n matrix and θj ∈ Zp∗ , such that j∈J θj · Aj = (1, 0, · · · , 0). Then, 504
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
• Claim(CT, rk, CT 0 , π): On input an original ciphertext When CT 0 is a re-encrypted ciphertext, then 534
517 If one of the above equations in (3) does not hold, abort Here will prove the semantic security, verifiability and 536
518 and outputs ture. fairness of our proposed VF-CP-ABPRE construction. 537
Otherwise, computes r = H2 (M LE(m||R)) and check Theorem 1. Our proposed VF-CP-ABPRE scheme is se- 538
519 If (4) and (5) hold, outputs true. Otherwise, outputs Lemma 1: VF-CP-ABPRE scheme is Semantic-Or secure 543
521 Note that, equation (3) ensures that all the elements Proof : Assume a PPT adversary A can break the Semantic- 545
522 except C00 in a re-encrypted ciphertext CT 0 are cor- Or security of the proposed scheme with a non-negligible 546
523 rect. These elements are duplicated from the original probability , we can construct a simulator B that can solve 547
524 ciphertext and re-encryption key and didn’t consume the q-parallel BDHE assumption with an advantage . B 548
525 computation resources. Thus, usually, the cloud serve is given a q-parallel BDHE instance (~v , T ) as illustrate in 549
526 has no incentive to revise these elements and return subsection III-D, its goal is to decide whether T equals to 550
q+1
527 incorrect ones. Equation (4) ensures that m in the proof e(g, g)r·α or T is randomly chosen from GT . 551
528 π = (m, R) is indeed the underlying plaintext of the Initially, B maintains private key and re-encryption key lists 552
529 original ciphertext CT , and equation (5) ensures that m is which are initially empty. 553
530 not the underlying plaintext of the re-encrypted ciphertext • Listsk : stores a tuple of (S, skS ). 554
531 CT 0 , which means the part C00 is not correctly generated. • Listrk stores a tuple of (S, (A, e ρe), rk, index), where 555
532 Correctness. Next, we explain the correctness of the decryp- index ∈ {0, 1}. index = 1 indicates that rk is a correct 556
∗ ∗
• Init. A outputs a challenge access policy (A , ρ ), where 559
e(K1 , C1 ) ∗ ∗ ∗
A is a l × n matrix.
Φ= Q θj
560
j∈J (e(K2 , C3,j ) · e(Kρ(j) , C4,j )) • Setup. B chooses a random β, $ ∈ Zp , φ, ϕ ∈ G and sets
q
e(g α g as , g r ) e(g, g)α = e(g, g)β · e(g a , g a ), Q = g $ . This implicitly
=Q sets α = a q+1
+β for some unknown α. For each x ∈ U ,
s aλj f −rj ) · e(f s , g rj ))θj
j∈J (e(g , g ρ(j) ρ(j)
chooses a random value tx ∈ Zp . Denote X = {j :
e(g, g)αr · e(g as , g r ) ρ∗ (j) = x}, B computes
= P
λj θj
e(g s , g a ) j∈J Y ∗ 2 ∗ n∗ ∗
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
566 • Query phase I. A queries: • Challenge. Two plaintext (m0 , m1 ) with equal length are
1) Osk (S): A queries on attribute set S. B verifies that selected by A and then A sends them to B. B randomly
R(S, (A∗ , ρ∗ )) = 0. If not, outputs ⊥. Otherwise, B chooses σ ∈ {0, 1} and computes
first finds a vector θ~ = (θ1 , · · · , θn∗ ) such that θ1 = C = mσ · T · e(g r , g β ),
−1 and for all j where ρ∗ (j) ∈ S, then θ~ · A∗j = 0.2
C1 = g r ,
B randomly chooses s0 ∈ Zp , and computes
∗
C2 = (g r )$ = Qr .
n
s0 q+1−j ∗
Y
K2 = g (g a )θj , g s . B randomly choose y20 , · · · , yn0 ∗ ∈ Zpn −1 and 591
K1 = g α g as Then, B computes
0 Pn∗ 0
q+1
θj ·aq+2−j
= ga +β
· g as + j=1 C4,j = g −rbj g −rj , g rj ,
∗
n
a s0 q+2−j −r
C3,j =g aλj fρ∗ (j)
Y j
β
= g (g ) (g a )θj ,
j=2 r0
=fρ∗j (j) · (g r·bj )tρ∗ (j)
568 which can be easily computed.
n∗ n∗
569 For those x ∈ S and no j such that ρ∗ (j) = x exists, Y Y i ∗
a rbj /bk Ak,i
Y 0 ∗
θ~ · A∗j = 0, then Query phase II. A can query as in Query phase I under the
• 596
571 which can also be computed by the given parameters. 1]| = |1/2 + − 1/2| = , which means that B can solve the 606
572 Thus, B simulates the private key query and adds q-parallel BDHE assumption with a non-negligible advantage 607
574 2) Ork (S, (A, e ρe)): B first checks that Lemma 2: VF-CP-ABPRE scheme is Semantic-Re secure 609
2 Note that, as illustrated in [5], if R(S, (A∗ , ρ∗ )) = 0, such a vector θ ~ B computes CT 0∗ = ReEnc(CT, rk), and returns CT 0∗ 627
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
∗ 0∗
629 • Query phase II. A can query as in Query phase I under the Finally, B can compute β = δ·(H 2 (R )−H2 (R ))
H2 (m0∗ )−H2 (m∗ ) , and returns 671
630 restrictions defined in the Semantic-Re security model. β as its answer. 672
631 • Guess. A outputs a guess σ 0 . B outputs 1 that indicates Analysis. The above simulation is perfect, the advantage 673
q+1
632 T = e(g, g)r·α if σ 0 = σ. Otherwise, B outputs 0 of B to solve the discrete logarithm assumption is identical 674
633 indicates that T is a random value in GT . to the advantage of an adversary A to win in the integrity 675
636 a random value in GT , then P r[B(~v , T ) = 1] = 1/2. Thus, Theorem 3. VF-CP-ABPRE scheme is fair if H1 , H2 678
637
q+1
we have |P r[B(~v , e(g, g)r·a ) = 1] − P r[B(~v , T ) = 1]| = are cryptographic hash functions, M LE is a message-lock 679
638 |1/2+−1/2| = , which means that B can solve the q-parallel encryption scheme and the discrete logarithm assumption 680
640 Thus, the proof of Theorem 1 is completed. Proof: Assuming an adversary A can break the fairness 682
641
game with a non-negligible advantage , then we can construct 683
649 in subsection III-E, its goal is to output the value β. • Query phase I. The process is as the same as in the 691
659 • Query phase I. When A issues Osk (S), Ork (S, (A, e ρe)) Claim(CT ∗ , CT 0∗ , π) = true. Then we have 701
0∗ ∗
660
0
and Oclaim (CT, rk, CT , π), since B knows the master r = H2 (M LE(m||R)), C = C = φH2 (m) ϕH2 (R) 702
0∗ 0∗ r 0∗ r
661 secret key α, B can generate the private key and re- and C0 6= C5 . Since C0 6= C50∗ , where 703
0∗ αH2 (χ)H2 (M LE(m∗ ||R∗ )) 0∗
662 encryption key via the KeyGen, ReKeyGen and Claim C0 = e(g, g) , C5 = e(g, g)αH2 (χ) , 704
0∗ ∗
663 algorithms, and then returns the results to A. we have (m||R) 6= (m∗ ||R∗ ). Furthermore, as C = C = 705
∗ ∗
664 • Challenge. A outputs a message m∗ and access policy φH2 (m) ϕH2 (R) , we have φH2 (m ) ϕH2 (R ) = φH2 (m) ϕH2 (R) . 706
665 (A∗ , ρ∗ ) and sends them to B. B computes the CT ∗ = Denote ϕ = φη for some unknown random value η. 707
666 Enc(m∗ , (A∗ , ρ∗ )), and sends CT ∗ to A. Then we have H2 (m∗ ) = H2 (m) or H2 (R∗ = H2 (R). 708
667 • Query phase II. The simulator B answers the queries as Otherwise, anyone can use these values to compute 709
668 in query phase I. η = (H2 (m) − H2 (m∗ ))/(H2 (R∗ ) − H2 (R)) to solve 710
669 • Output. A outputs a re-encrypted ciphertext CT 0∗ = ( the discrete logarithm assumption. Thus, the simulator B 711
0∗
670 C 0∗ , C , C00∗ , C10∗ , C20∗ , {C3,j
0∗ 0∗
, C4,j }j∈[1,el] , C50∗ , (A
e ∗ , ρe∗ )). find a collision tuple of the cryptographic hash function 712
β·H2 (m0∗ )+δ·H2 (R0∗ ) β·H2 (m∗ )+δ·H2 (R∗ ) server collude with a shared user, they can get the value of χ. 723
⇔g =g
However, they cannot recover the value of Qδ from elements 724
⇔β · (H2 (m ) − H2 (m∗ )) = δ · (H2 (R∗ ) − H2 (R0∗ )).
0∗
(g, g δ , Q) which essentially is a Diffie-Hellman assumption. 725
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
TABLE I
S ECURITY AND FUNCTIONALITY COMPARISON WITH [24], [26] AND [30].
726 Thus, the original recipient’ private key part rk1 cannot be encryption phase in the ciphertext-policy setting. However the 769
727 revealed. In this manner, the proposed construction achieves scheme [26] works in the key-policy setting and the access 770
728 the collusion resistant property. policy is generated at the key generation phase. Moreover, the 771
730 A. Security and functionality comparison re-encryption key generation time and the actual encryption 774
731 We made a comparison of the proposed scheme and time in our scheme and in scheme [30] are very close and our 775
732 schemes [24], [26], [30] in terms of access structure, security, scheme performs slightly better than scheme [26]. As shown 776
733 verifiability, and fairness. Table I summarizes that [26] works in Fig. 2(e) and 2(f), the original and re-encrypted ciphertext 777
734 in the key policy setting and [24], [30] and our construction decryption time are almost the same in the three schemes. In 778
735 work in the ciphertext policy setting. Moreover, [26] and order to present the efficiency of the verifiability and fairness 779
736 [30] achieve the CCA security, and [24] and our construction in our scheme, since only our scheme achieves the verifiability 780
737 achieve the semantic security. However, only our construction and fairness property, we compare the Claim verification time 781
738 achieves the verifiability, and fairness properties. in our scheme with the time of repeating the re-encryption 782
740 We conducted an implementation to evaluate the presented our scheme is much less than other schemes [26], [30] and 785
741 VF-CP-ABPRE scheme in the perspective of computation doesn’t increase even if the access policy size grows. While the 786
742 cost, and compared our proposed scheme with the key-policy execution time of repeating the re-encryption operation in [26], 787
743 attribute-based data sharing scheme [26] and the ciphertext- [30] are much higher than that in our scheme and increase 788
744 policy [30] attribute-based data sharing scheme. linearly with the access policy. This is because that in our 789
745 In our implementation, we use a Java cryptography pack- scheme, only three exponent computation in group G and three 790
746 age [32] for pairing computation which is implemented based hash function computation are needed in the Claim algorithm. 791
747 on a C library of Pairing-based cryptography [33]. We use the The computation cost of the Claim algorithm is constant and 792
748 Y 2 = X 3 +X elliptic curve (type A ) and the group order is set doesn’t increase with the size of the access policy. However, in 793
749 as 160 bit. The hash function SHA-256 is adopted as the hash order to achieve verifiability and fairness for schemes [26] and 794
750 function H1 and H2 in our scheme. The hardware specification [30], a verifier needs to repeat the ReEnc algorithm to verify 795
751 we used in this experiment is a laptop with CPU: Intel i5- whether the output of the cloud server is correct. However, the 796
752 8520U @1.60GHZ 1.80GHZ, RAM: 8G. And the laptop runs ReEnc algorithm is linear with the access policy. 797
756 key generation and the access policy during the generation of rity requirements for attribute-based data sharing in clouds 800
757 the original ciphertext are sized varied from 10 to 100 with a and put forward a notion of verifiable and fair ciphertext- 801
758 step 10. During the re-encryption key generation, the shared policy attribute-based proxy re-encryption(VF-CP-ABPRE). 802
760 step 10. All the access policies are set as the AND gate of the validity of the re-encrypted ciphertext. Moreover, a shared user 804
761 selected attributes. Each experiment was execute 100 times to cannot make a malicious accusation to the cloud provider if 805
762 get an accurate average execution time. the cloud has indeed returned a correct re-encrypted ciphertext. 806
763 Fig. 2 shows the execution time comparison of each al- We also have proven our VF-CP-ABPRE scheme’s semantic 807
764 gorithm in our scheme with [26], [30]. Fig. 2(a) and 2(b) security, verifiability and fairness in our security model. We 808
765 show that the our scheme’s key generation time as well as the also conducted an implementation to evaluate our proposed 809
766 one in [30] performed better than the scheme in [26]. While 3 Since only our scheme achieves the verifiability and fairness property, in
767 the encryption time in our scheme and [30] is more than that the previous schemes [26], [30] a verifier can check whether the returned re-
768 in [26]. This is because the access policy is generated in the encrypted ciphertext is correct only by repeating the re-encryption operation.
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
330 200
Scheme [26] Scheme [26]
300 Scheme [30] 180 Scheme [30]
270 Our scheme Our scheme
60 40
30 20
0 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Attribute set/Access policy size Attribute set/Access policy size
(a) KeyGen algorithm computation time (b) Enc algorithm computation time
360 300
Re-encryption key generation time (ms)
90 60
60 30
30 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Access policy size Access policy size
(c) ReKeyGen algorithm computation time (d) ReEnc algorithm computation time
Re-encrypted ciphertext decryption time (ms)
200 200
Original ciphertext decryption time (ms)
(e) Original ciphertext decryption time (f) Re-encrypted ciphertext decryption time
300
Scheme [26]
270 Scheme [30]
240 Our scheme
Verification time (ms)
210
180
150
120
90
60
30
0
10 20 30 40 50 60 70 80 90 100
Access policy size
810 scheme, and compared the execution time between our scheme This work opens up many interesting research questions. 813
811 and previous schemes to demonstrate the efficiency of the One could be how to design a secure VF-CP-ABPRE scheme 814
812 proposed VF-CP-ABPRE scheme. that is adaptively secure. Another interesting problem is de- 815
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
816 signing a publicly verifiable CP-ABPRE scheme that supports [20] A. Kapadia, P. P. Tsang, and S. W. Smith, “Attribute-based publishing 888
817 the cloud server to generate a proof and everyone can verify with hidden credentials and hidden policies.” in NDSS, vol. 7. Citeseer, 889
2007, pp. 179–192. 890
818 the re-encrypted ciphertext efficiently without repeating the [21] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic 891
819 re-encryption operation. proxy cryptography,” in International Conference on the Theory and 892
Applications of Cryptographic Techniques. Springer, 1998, pp. 127– 893
820 R EFERENCES 144. 894
821 [1] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public [22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy 895
822 cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012. re-encryption schemes with applications to secure distributed storage,” 896
823 [2] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in In- Acm Transactions on Information and System Security, vol. 9, no. 1, pp. 897
824 ternational Conference on Theory and Applications of Cryptographic 1–30, 2006. 898
825 Techniques, 2005, pp. 457–473. [23] S. Ohata, Y. Kawai, T. Matsuda, G. Hanaoka, and K. Matsuura, “Re- 899
826 [3] J. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption encryption verifiability: How to detect malicious activities of a proxy in 900
827 with verifiable outsourced decryption,” IEEE Transactions on informa- proxy re-encryption,” in Cryptographers Track at the RSA Conference. 901
828 tion forensics and security, vol. 8, no. 8, pp. 1343–1354, 2013. Springer, 2015, pp. 410–428. 902
829 [4] H. Ma, R. Zhang, Z. Wan, Y. Lu, and S. Lin, “Verifiable and excul- [24] X. Liang, Z. Cao, H. Lin, and J. Shao, “Attribute based proxy re- 903
830 pable outsourced attribute-based encryption for access control in cloud encryption with delegating capabilities,” in International Symposium on 904
831 computing,” IEEE transactions on dependable and secure computing, Information, Computer, and Communications Security, 2009, pp. 276– 905
833 [5] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute- [25] K. Liang, M. H. Au, J. K. Liu, W. Susilo, D. S. Wong, G. Yang, 907
834 based encryption,” in IEEE Symposium on Security and Privacy, 2007, Y. Yu, and A. Yang, “A secure and efficient ciphertext-policy attribute- 908
835 pp. 321–334. based proxy re-encryption for cloud data sharing,” Future Generation 909
836 [6] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based en- Computer Systems, vol. 52, pp. 95–108, 2015. 910
837 cryption for fine-grained access control of encrypted data,” in ACM [26] K. Liang and W. Susilo, “Searchable attribute-based mechanism with 911
838 Conference on Computer and Communications Security, 2006, pp. 89– efficient data sharing for secure cloud storage,” IEEE Transactions on 912
839 98. Information Forensics and Security, vol. 10, no. 9, pp. 1981–1992, 2015. 913
840 [7] K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi, “A [27] C. Ge, W. Susilo, J. Wang, Z. Huang, L. Fang, and Y. Ren, “A key- 914
841 ciphertext-policy attribute-based encryption scheme with constant ci- policy attribute-based proxy re-encryption without random oracles,” The 915
842 phertext length,” in International Conference on Information Security Computer Journal, vol. 59, no. 7, pp. 970–982, 2016. 916
843 Practice and Experience. Springer, 2009, pp. 13–23. [28] K. Liang, M. H. Au, W. Susilo, D. S. Wong, G. Yang, and Y. Yu, 917
844 [8] S. Hohenberger and B. Waters, “Attribute-based encryption with fast “An adaptively cca-secure ciphertext-policy attribute-based proxy re- 918
845 decryption,” in International Workshop on Public Key Cryptography. encryption for cloud data sharing,” in International Conference on 919
846 Springer, 2013, pp. 162–179. Information Security Practice and Experience. Springer, 2014, pp. 920
847 [9] N. Attrapadung, B. Libert, and E. De Panafieu, “Expressive key-policy 448–461. 921
848 attribute-based encryption with constant-size ciphertexts,” in Interna- [29] C. Ge, W. Susilo, L. Fang, J. Wang, and Y. Shi, “A cca-secure key-policy 922
849 tional Workshop on Public Key Cryptography. Springer, 2011, pp. attribute-based proxy re-encryption in the adaptive corruption model 923
850 90–108. for dropbox data sharing system,” Designs, Codes and Cryptography, 924
851 [10] J. Herranz, F. Laguillaumie, and C. Ràfols, “Constant size ciphertexts vol. 86, no. 11, pp. 2587–2603, 2018. 925
852 in threshold attribute-based encryption,” in International Workshop on [30] C. Ge, W. Susilo, Z. Liu, J. Xia, P. Szalachowski, and F. Liming, “Secure 926
853 Public Key Cryptography. Springer, 2010, pp. 19–34. keyword search and data sharing mechanism for cloud computing,” IEEE 927
854 [11] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. De Panafieu, Transactions on Dependable and Secure Computing, 2020. 928
855 and C. Ràfols, “Attribute-based encryption schemes with constant-size [31] M. Bellare, S. Keelveedhi, and T. Ristenpart, “Message-locked encryp- 929
856 ciphertexts,” Theoretical computer science, vol. 422, pp. 15–38, 2012. tion and secure deduplication,” in Annual international conference on 930
857 [12] C. Chen, Z. Zhang, and D. Feng, “Efficient ciphertext policy the theory and applications of cryptographic techniques. Springer, 931
858 attribute-based encryption with constant-size ciphertext and constant 2013, pp. 296–312. 932
859 computation-cost,” in International Conference on Provable Security. [32] Nik-U, “Pbc package,” https://github.com/Nik-U/pbc, 2015. 933
860 Springer, 2011, pp. 84–101. [33] B. Lynn et al., “Pbc library,” Online: http://crypto.stanford.edu/pbc, 934
861 [13] A. Lewko and B. Waters, “New proof methods for attribute-based 2006. 935
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
947 Willy Susilo (Fellow’2021) received the Ph.D. de- Liming Fang (M’2017) received the Ph.D degree 1005
948 gree in computer science from the University of in Computer Science from Nanjing University of 1006
949 Wollongong, Australia. He is currently a Professor Aeronautics and Astronautics in 2012, and has been 1007
950 and the Head of the School of Computing and a postdoctor in the information security from City 1008
951 Information Technology and the Director of the In- University of Hong Kong. He is the associate pro- 1009
952 stitute of Cybersecurity and Cryptology, University fessor at the School of Computer Science, Nanjing 1010
953 of Wollongong. He has published over 400 research University of Aeronautics and Astronautics. Now, he 1011
954 papers in the area of cybersecurity and cryptology. is a visiting scholar of the Department of Electrical 1012
955 His main research interests include cybersecurity, and Computer Engineering New Jersey Institute of 1013
956 cryptography, and information security. He was a Technology. His current research interests include 1014
957 recipient of the Australian Research Council (ARC) cryptography and information security. His recent 1015
958 Future Fellow by the ARC and the Researcher of the Year Award by work has focused on the topics of public key encryption with keyword search, 1016
959 the University of Wollongong in 2016. He is the Editor-in-Chief of the proxy re-encryption, identity-based encryption. 1017
960 Information journal. He has served as a program committee member in dozens
961 of international conferences. He is currently serving as an Associate Editor in
962 several international journals, including the Computer Standards and Interface
963 (Elsevier) and the International Journal of Information Security (Springer). His
964 work has been cited over 16000 times in Google Scholar.
1004
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.