Attribute based Encryption for Multi-level Access Control Policies
Nesrine Kaaniche and Maryline Laurent
SAMOVAR, Telecom SudParis, CNRS, University Paris-Saclay,
Member of the Chair Values and Policies of Personal Information, France
Keywords:
Multi-level Access Control, Attribute-based Encryption, Flexible and Scalable Access Policies, Data Secrecy,
User Privacy.
Abstract:
The economy and security of modern society relies on increasingly remote and distributed infrastructures. This
trend increases both the complexity of access control to outsourced data and the need of privacy-preserving
mechanisms. Indeed, access control policies should be flexible and distinguishable among users with different
privileges. Also, privacy preservation should be ensured against curious storage system administrators, for
outsourced data, as well as access requestors identities if needed.
In this paper, we propose a multi-level access control mechanism based on an original use of attribute based
encryption schemes. Our construction has several advantages. First, it ensures fine-grained access control,
supporting multi-security levels with respect to different granted access rights for each outsourced data file.
Second, relying on an attribute based mechanism, key management is minimized, such that users sharing the
same access rights are not required to collaborate to extract the secret enciphering key. Third, our proposal is
proven to provide efficient processing and communication overhead, compared to classical usage of attribute
based encryption schemes.
1 INTRODUCTION
The increasing need and complexity of access con-
trol to outsourced data, along with the ever grow-
ing privacy concerns, has given rise to encryption
mechanisms that combine privacy aspects, such as
anonymity and unlinkability, with credentials that go
beyond asserting a simple identity of a user, but rather
for a full set of attributes. These mechanisms, referred
to as Attribute based Encryption (ABE) and Attribute
based Signature (ABS) mechanisms, used to encrypt
and sign data files with respect to an access policy
computed on a set of attributes. For example, in a
hospital setting, access to a patient’s records can be
provided to the patient, his doctors, nurses, or to the
administrative staff for the billing service. This can
be formalized by an access policy based on users’ at-
tributes. This access policy must restrict access of ac-
tors to a subset of patient’s records, to avoid nurses
to access to personal information of the patient (e.g.
name, address), and administrative staff to know his
disease or health condition.
In this paper, we present a novel encryption
scheme based on attribute based mechanisms for
multi-level access policies. Our scheme ensures a se-
lective access to data based on users’ granted privi-
leges. Practically, when a party encrypts a data file,
she specifies an access structure and a certain number
of security levels. Thus, a user is able to decrypt a
sub-set of data blocks related to a security level k if
that user’s private keys satisfy the sub-set of attributes
related to the k-security level.
Paper Organization the remainder of this pa-
per is organized as follows. First, section 2 discusses
related works and highlights security and functional
requirements. Then, section 3 introduces our defini-
tions and gives background on access structures and
Lagrange Interpolation. Afterwards, we introduce our
system and threat models in section 4 and detail our
concrete construction in section 5. Finally, we prove
the security of our construction in section 6 and we
evaluate the scheme performances in section 7 before
concluding in section 8.
2 RELATED WORK AND
SECURITY REQUIREMENT
ANALYSIS
Sharing sensitive data between different involved ac-
tors is often an issue, due to the complexity of ac-
Kaaniche, N. and Laurent, M.
Attribute based Encryption for Multi-level Access Control Policies.
DOI: 10.5220/0006421000670078
In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pages 67-78
ISBN: 978-989-758-259-2
Copyright © 2017 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
67
cess control policies’ management in remote and dis-
tributed infrastructures. Indeed, different decipher-
ing keys can be distributed to different users that
are allowed to access the corresponding data content,
with respect to their granted privileges. However, the
translation of an access control list into an equiva-
lent multi-level policy remains the main issue of these
schemes.
To forbid access to some parts of data, some pro-
cesses propose to black out or remove these parts.
These processes are referred to as redaction mecha-
nisms (Miyazaki et al., 2006) (Steinfeld et al., 2002),
(Johnson et al., 2002), (Ateniese et al., 2005).
Generally, the proposed schemes rely on mal-
leable cryptographic primitives (e.g; chameleon hash
functions instead of the usual hash functions) in order
to allow redactors having their own secret key to mod-
ify some portions of the originally signed data file.
Although these techniques permit selective access to
some parts of data, they are also still inefficient with
multi-level access privileges.
In 2010, Di Vimercati et al. (Di Vimercati et al.,
2010) present a selective authorization policy model
based on graph theory in order to ensure read priv-
ilege. In their proposal, the authors consider a dy-
namic group of users sharing data stored in remote
cloud servers and assume that each data content may
only be accessed by a subset of users. Indeed, for con-
trolling data access, (Di Vimercati et al., 2010) relies
on the use of both a key agreement algorithm and a
key derivation algorithm that enables a key to be de-
rived from another key and a public token. The com-
bination of these two algorithms is able to correctly
convert access policies defined by data owners into
encryption policies. Afterwards, in 2012, Raykova et
al. (Raykova et al., 2012) present an access control
scheme that additionally supports the modification of
the accessed data file. That is, in order to differenti-
ate between read and write privileges, a public-private
key pair for each data file is provided at the fine-
grained level. Further, two token trees are built to dis-
tribute the private and public keys, respectively used
to enforce read and write privileges. Recently, Di
Vimercati et al. (di Vimercati et al., 2013) present an-
other approach to support modification of outsourced
data files. The basic idea of this approach is to as-
sociate each content with a write tag. The remote
server allows a user to perform a write operation on a
file if he correctly shows the corresponding write tag.
A crucial concern of the (di Vimercati et al., 2013)
scheme is that the keys used to encrypt write tags
have to be shared between authorized users and the
server. Although the attractive advantages of the pro-
posed solutions (Di Vimercati et al., 2010), (di Vimer-
cati et al., 2013), (Raykova et al., 2012) to support se-
lective access control, they do not support multi-level
access structure on the same data content.
Along with the different emerging techniques sup-
porting multi-level access control to encrypted data,
Attribute based Encryption (ABE) has been often pre-
sented as a solution to provide flexible data sharing
(Sahai and Waters, 2005), (Bethencourt et al., 2007).
In 2005, Sahai and Waters introduced the concept of
ABE as a new technique for encrypted access con-
trol (Sahai and Waters, 2005). Contrary to traditional
public key encryption mechanisms, both users’ pri-
vate keys and ciphertexts are associated with a set of
attributes or a structure over attributes. The user is
able to decrypt a ciphertext if there is a match between
his private key and the ciphertext. Several works
rely on ABE to realize fine grained access control
for outsourced data (Hur and Noh, 2011),(Yu et al.,
2010),(Jahid et al., 2011), (Ruj, 2014), (Horv
´
ath,
2015), (Huang et al., 2016). Although these schemes
proposed efficient solutions to protect outsourced data
from unauthorized access, they are still inefficient
with multi-level access policies, where users have
to share the same data content with different access
rights to distinct parts of the data file.
2.1 E-health Scenario
In a real e-health scenario, different medical organi-
sations and actors can be involved such as hospitals,
research laboratories, pharmacies, health ministry as
well as doctors, nurses and patients. On one hand, the
shared data have to be protected from unauthorized
access while ensuring fine grained access control for
different authorized actors. Thus, the data confiden-
tiality must be preserved against malicious users. As
such, encryption should be applied while supporting
flexible sharing of encrypted outsourced data among
dynamic group of users, with fine-grained access con-
trol policies.
On the other hand, the private identifying infor-
mation of the involved users, such as doctors and pa-
tients, must not be revealed to unauthorized actors.
For instance, the system should not reveal any private
information related to a doctor, such as his profes-
sional card, as well as his patients’ personal data. In-
deed, the disclosure of such information may be used
to produce targeted advertisement related to the health
condition of the patients or to run statistical surveys.
Let us consider the following use case: a doctor
wants to partially share parts of the medical record
of his patient with respect to different access control
policies. For instance, he shares the health status of
his patient with other doctors working in the cardi-
SECRYPT 2017 - 14th International Conference on Security and Cryptography
68
ology or infectious diseases departments, in order to
have specialist advices on other related health prob-
lems. Similarly, he shares some attributes of the pa-
tient personal information (i.e; billing information)
with hospital administrative staff to enable efficient
billing services. The doctor also shares test blood
results with laboratory staff and hospital administra-
tive staff, to have detailed reports on blood tests. Fi-
nally, he shares care information with caregivers or
nurses as well as emergency information with emer-
gency physicians to ensure proper monitoring of the
patient.
Thus, the aforementioned group of users define
the following access control policies:
access to billing information – (hospital adminis-
trative staff and executive) and hospital Z;
access to medical information (doctor and in-
fectious diseases department) and (hospital Y or
( hospital X and cardiology));
access to care instructions – (head nurse or care-
giver) and (hospital Y or ( hospital X and cardi-
ology));
access to test blood results – laboratory staff and
(hospital administrative staff and executive) and
hospital Z;
access to emergency information emergency
physician and (hospital Y or ( hospital X and car-
diology)).
This use-case points out that in real-life scenarios
access controls lists can be overlapped by introducing
duplicated access attributes, to different parts of out-
sourced data. Hence, the management of access poli-
cies becomes more complex and the burden of enci-
phering keys’ management rises mainly with dynamic
group of users.
2.2 Naive Approach
ABE is usually considered to be the most suitable
technique if authorized users have the same access
rights to the whole data content. Nonetheless, as in-
troduced in section 2.1, for the depicted e-health use
case, authorized users do not have the same access
privileges.
To enable access to encrypted data, the available
option related to the use of ABE mechanisms is based
on naive computing. For instance, the doctor creates
an access structure for each part of the medical record
which will be then encrypted, with respect to every
group of authorized users. Hence, the major disad-
vantage of this approach is that it generates a process-
ing overhead, mainly due to redundant subtrees and
to the calculation of several secrets related to each in-
dependent access tree. Another shortcoming is that
this approach considerably raises the size of the en-
crypted data file, generating a heavy communication
overhead.
It is worthy noticeable that computation and com-
munication costs should be minimized especially for
e-health applications, where access and outsourcing
of emergency information have to be optimized.
2.3 Security and Functional
Requirements
Our objective is to design a new ABE scheme, which
ensures a multi-level access control policies for the
same data content. Our idea consists in creating an
aggregate access tree permitting a multi-level access
to the data file.
The design of our scheme is motivated by pro-
viding the support of both robustness and efficiency
while fulfilling the following properties:
data confidentiality the proposed scheme has
to protect the secrecy of encrypted data contents
against malicious users, even in case of collu-
sions.
flexible access control our proposal should en-
sure flexible security policies among dynamic
groups of users with different granted privileges.
privacy preserving users’ privacy is multifold.
First, it is useful in a context where anonymity
should be enforced to forbid any user’s iden-
tification or personal information leakages (e.g.
sex, age, address). Second, unauthorized users
should not be able to deduce information about
the redacted part of the data file, based on avail-
able parts of files or to link the encrypted content
to a specific entity. Third, access to encrypted data
should not reveal identifying information of the
requesting entity.
low processing cost the encryption algorithm
should have a low computational complexity to
minimize the impact of security on the efficiency
of e-health record processing.
low communication overhead our multi-level
encrypted data file should be short-sized as the
transmission overhead is important in the emerg-
ing infrastructure context.
3 PRELIMINARIES
In this section, we provide some prerequisites, namely
access structures and Lagrange interpolation.
Attribute based Encryption for Multi-level Access Control Policies
69
Definition 3.1. (Access Structure (Beimel, 2011))
Let P = {P
1
,P
2
,··· , P
n
} be a set of parties, and a col-
lection A 2
{P
1
,P
2
,···,P
n
}
is called monotone if B,C
2
{P
1
,P
2
,···,P
n
}
: if B A and B C then C A. An ac-
cess structure is a collection A of non-empty subsets
of {P
1
,P
2
,··· , P
n
} ; i.e. A 2
{P
1
,P
2
,···,P
n
}
\ {
/
0}. The
sets in A are called authorized sets, and the sets not
in A are called unauthorized sets.
We note that in several ABE schemes, these par-
ties are considered as the attributes. In this paper,
we consider a monotone access structure with multi-
threshold security levels. The construction of such a
access structure is detailed in section 5.1.
Definition 3.2. (Lagrange Interpolation) Given a
set of (k + 1) distinct points {(x
0
,y
0
),··· , (x
k
,y
k
)},
the Lagrange polynomial is a linear combina-
tion L(x) =
k
j=0
y
j
δ
j
(x) of Lagrange coefficients
δ
j
(x) =
0i6= jk
xx
i
x
j
x
i
.
4 OVERVIEW
Our flexible access control scheme is relying on ABE
in the sense that clients’ keys and decryption capabil-
ities are related to the attributes they possess. In our
proposal, the plaintext is comprised of a set of mes-
sages and the client’s credentials (certified attributes)
determine which subset of data blocks can be de-
crypted. More precisely, we propose to conceive a
scheme as follows: the encrypting entity expresses
an access structure with respect to n attributes, while
defining multi-security levels {k
l
}
l∈{1,c}
, where k
l
is
the k
l
-security level and c is the number of defined
security levels.
We note that each security level k
l
corresponds to
n
l
identified sub-trees that permit to reconstruct a se-
cret key v
l
needed to decrypt a subset of data blocks.
Referring to the e-health use-case, the encrypting
entity represents the doctor who wants to share the
medical record of his patient with different users. The
authorized users to decipher outsourced data based on
their granted credentials are referred to as decrypt-
ing entities or requestors. Encrypted data files are
outsourced in remote servers, such as cloud servers.
Thus, a cloud service provider is responsible for the
system management.
4.1 System Model
Our multi-level attribute-based encryption scheme for
a message space M and an access structure space G
consists of four randomized algorithms, defined as
follows:
setup this algorithm is performed by the central
authority (i.e; the master entity). It takes as input
the security parameter κ and outputs the public
parameters params and the master key msk.
encrypt this algorithm is executed by the en-
ciphering entity. It takes as input the public pa-
rameters params, an access structure Γ over the
universe of attributes S, the set of security lev-
els {k
l
}
l[1,c]
, where c is the number of security
levels and a message M = {m
l
}
l[1,c]
. This algo-
rithm encrypts the message M with respect to the
different security levels and outputs a ciphertext
CT = {Γ, k
l
: {ST
i
}
l
,CT
l
}, where l [1, c] and
{ST
i
}
l
is the set of subtrees that have to be satis-
fied by each security level k
l
. The encryption is
performed such that only a user that possesses a
set of attributes with regard to a security level k
l
that satisfies the required subtrees {ST
i
}
l
can de-
crypt the enciphered message CT
l
.
keygen the key generation algorithm is exe-
cuted by the master entity. It takes as input the
public parameters params, the master key msk
and a set of attributes S and outputs the related
secret key sk.
decrypt – this algorithm is executed by the deci-
phering entity. It takes as input the public param-
eters params, the ciphertext CT , which contains
an access policy Γ, the security level k
l
, the set
of required subtrees {ST
i
}
l
and the secret key sk
related to the set of attributes S . The set of at-
tributes has to satisfy the access structure Γ, with
respect to a security level k
l
and the related sub-
trees {ST
i
}
l
, to be able to decrypt the correspond-
ing ciphertext CT
l
and retrieve the message m
l
.
The correctness property requires that for all
security parameter κ, all universe descriptions S,
all (params,msk) setup(κ), all S S, all M
M , all Γ G, all sk keygen(params, msk,S),
all k
l
K (K is the security level space) and all
CT encrypt(params,Γ,M, {k
l
}
l[1,c]
), if S satis-
fies Γ with respect to a security level k
l
and the re-
lated subtrees {ST
i
}
l
, then the decryption algorithm
decrypt(params,CT,k
l
,{ST
i
}
l
,sk) outputs m
l
.
4.2 Security and Privacy Model
For our security and privacy model, we first assume
that authorized users know, through an application,
which policy needs to be applied on several data con-
tents. Second, we suppose that data are organized into
several categories, to which the same access rights ap-
ply. Among the category, data might be of different
SECRYPT 2017 - 14th International Conference on Security and Cryptography
70
types, but each category might at least include k dif-
ferent types of data, so in case the category is present
in a patient’s record, it is not possible to infer infor-
mation with regard to the type of information. For
increased protection against inference, there might be
interest in setting a range of possible size for each cat-
egory.
For designing the most suitable security solution,
we have to consider realistic threat models. That is,
we point out two adversaries: malicious user and hon-
est but curious server.
malicious user adversary a malicious user tries
to override his rights. That is, he may attempt
to deviate from the protocol or to provide invalid
inputs. As such, we consider the malicious user
adversary mainly against the confidentiality prop-
erty.
honest but curious server adversary this stor-
age server honestly performs the operations de-
fined by our proposed scheme, but it may actively
attempt to gain extra-knowledge about the out-
sourced sensitive data, and/or the identifying in-
formation of the requestors. Hence, we consider
the honest but curious server adversary against the
privacy property.
To prove that our scheme is secure against both
honest but curious and malicious adversaries, we
consider the security experiment Exp
A
(1
κ
) between
a challenger C and an adversary A. First, A selects
a challenge access structure Γ
, such that he can ask
for any private keys generation of a set of attributes S
as well as decryption queries of ciphertexts CT that
do not satisfy Γ
. The security game Exp
A
(1
κ
) is
formally defined as follows:
SETUP the challenger C runs the setup
algorithm and gives the public parameters to the
adversary A.
QUERY PHASE the adversary can repeatedly
make any of the following queries:
obtain : for each session j, A requests the pri-
vate key {sk
j
}
j[1,t]
associated to a set of at-
tribute {S
j
}
j[1,t]
with respect to the security lev-
els {k
l, j
}. Note that if C already extracted a pri-
vate key sk
i
for S
i
, then C returns sk
i
.
cordec : for each session, the adversary sub-
mits (CT
j
,S
j
) and asks for the decryption result
of the ciphertext CT
j
, under the private key for
S
j
. If C has not previously extracted the private
key sk
j
for S
j
, then C does the extraction based
on the obtain algorithm. Then, the adversary A
receives the output of the decryption algorithm of
CT
j
with respect to the security levels {k
l, j
}.
CHALLENGE the adversary A submits two
equal length messages M
0
and M
1
. In addition, the
adversary gives the access structure Γ
and the set of
security levels {k
l
}
, such that none of the previous
sets {S
j
}
j[1,t]
satisfies the access structure for {k
l
}
.
The challenger flips a random coin b and encrypts
M
b
under Γ
, with respect to {k
l
}
. The resulting
ciphertext CT
is given to A.
GUESS the adversary outputs a guess b
0
of b.
The output of the experiment is 1 if and only if b = b
0
.
Definition 4.1. CCA-1 security with respect to
Exp
A
(1
κ
) Our multi-level access control scheme
is selectively CCA-1 secure (i.e; selectively secure
against chosen-ciphertext attacks) for an attribute
universe S if for all probabilistic polynomial-time ad-
versaries A, there exists a negligible function ε, such
that:
Pr[Exp
A
(1
κ
) = 1] =
1
2
± ε
5 MULTI-LEVEL ATTRIBUTE
BASED ENCRYPTION
CONSTRUCTION
In this section, we detail our multi-level attribute-
based construction (subsection 5.2) after introduc-
ing the model of the considered access tree (subsec-
tion 5.1).
5.1 Access Tree Model
Let Γ be a tree representing the access structure. That
is, Γ is defined upon the following two levels:
Level 1 – the first level presents the root node and
its children. The root node is represented by the
AND ”gate and it is defined as a k
l
-out-of-c se-
curity levels. Each security level k
l
requires p
l
subsets of attributes and n
l
sub-trees of the root
node for the reconstruction of the corresponding
secret key v
l
.
Level 2 the second level corresponds to inte-
rior nodes as well as leaf nodes. Each interior
node of the tree is a threshold gate and the leaves
are associated with attributes. We note that the
second level corresponding to the different sub-
trees {{ST
i
}
l
} is generated in the same way as in
Bethencourt et al. construction(Bethencourt et al.,
2007).
Attribute based Encryption for Multi-level Access Control Policies
71
We note that we use the same notation as (Bethen-
court et al., 2007) to describe the access tree. Each
non-leaf node of Γ is described by the number of
its children num
x
and a threshold value t
x
, where
1 t
x
num
x
. If the threshold value t
x
= num
x
, then
it is an “AND ”gate, otherwise it is an “OR ”gate.
As introduced in (Bethencourt et al., 2007), three
additional functions are defined namely parent(x),
att(x) and index(x). The parent(x) function de-
notes the parent of the node x, the att(x) denotes
the attributes associated with the leaf node x and the
index(x) denotes a number associated with the node.
We denote by Γ
x
the subtree of Γ rooted at the
node x. If a set of attributes S = {a
i
}
i∈{1,l}
, where l is
the number of attributes and l t
x
, satisfies the access
tree Γ
x
, it is referred to as Γ
x
(S) = 1.
Hence, depending on the number of the attributes
l and the required subtrees rooted by the root node,
the user may decrypt the ciphertext CT
l
, with respect
to a security level k
l
and the related {ST
i
}
l
.
A user will be able to decrypt a ciphertext with a
given key if and only if there is a match of attributes
between the private key of the user and the nodes of
the tree, such that the tree Γ is satisfied.
5.2 Concrete Construction
Our multi-level attribute-based encryption scheme is
based on the following algorithms:
setup(κ) this algorithm selects a bilinear group
( ˆe,G
1
,G
2
,g), such that ˆe : G
1
×G
1
G
2
, G
1
and G
2
are two multiplicative groups of prime order p and g
is a generator of G
1
.
The setup algorithm selects two randoms α, β Z
p
,
and sets X = ˆe(g,g)
α
. The public parameters, con-
sidered as an auxiliary input to all the following algo-
rithms, are defined as follows:
params = {G
1
,G
2
, ˆe,g,h = g
β
,X}
The master key msk is the pair (β,g
α
).
encrypt(Γ,M,{k
l
}
l[1,c]
) this algorithm en-
crypts a message M = {m
l
}
l[1,c]
under an access tree
Γ, with respect to k
c
security levels. This algorithm
first chooses a polynomial q
x
for each node x and
sets the degree d
x
of each polynomial as described in
(Bethencourt et al., 2007), to be less than the thresh-
old value such that d
x
= t
x
1 (i.e; t
x
is the threshold
value of the node x).
We denote by q
r
the polynomial associated to the
root node and defined as q
r
(x) = a
0
+ a
1
x + · · · +
a
d
r
x
d
r
. We note that the degree of the root polyno-
mial has to be at least equal to the total number of the
root subtrees.
For each security level k
l
, the encrypting entity
defines the set of required subtrees {ST
i
}
l
in order
to derive the corresponding secret key v
l
, such that
v
l
=
i∈{1,···,n
l
}
q
r
(index(x
i
)).
We suppose that Y is the set of leaf nodes of the
access tree Γ. The ciphertext is then defined as fol-
lows:
CT = {Γ,k
l
: {ST
i
}
l
,
˜
C
k
l
= m
l
· X
v
l
,C
k
l
= h
v
l
,
y : C
y
= g
q
y
(0)
,C
0
y
= H (att(y))
q
y
(0)
}
where H is a hash function, such that
H : {0, 1}
G
1
.
keygen(msk, S) this algorithm generates user’s
private keys related to the set of attributes S, as de-
fined in the Bethencourt et al. construction (Bethen-
court et al., 2007). It first selects a random r Z
p
and
a set of random values {r
j
}, where j is the number
of attributes in S . The resulting key is represented as
follows:
sk = {D = g
(α+r)/β
,a
j
S : D
j
= g
r
·H ( j)
r
j
,D
0
j
= g
r
j
}
decrypt(CT,k
l
,sk) – the decryption algorithm is
based on two levels. Assume that the deciphering en-
tity satisfies the k
l
-security level with n
l
sub-trees of
Γ being satisfied. For the decryption algorithm, the
deciphering entity starts by the second level:
Level 2 – the algorithm works in a recursive man-
ner, relying on the algorithm DecryptNode as pre-
sented in (Bethencourt et al., 2007).
Level 1 for the first level, we suppose that the de-
ciphering entity satisfies the k
l
-security level. Re-
call that the security level k
l
requires having the
set {q
r
(index(x
i
))} related to {ST
i
}
l
. As such,
let S
r
be the set of a n
l
-sized set of child nodes x
of the root node (i.e; S
r
corresponds to the set of
required subtrees {ST
i
}
l
).
To extract the deciphering key, the decrypt algo-
rithm computes F
R
k
l
such as:
F
R
k
l
=
xS
r
ˆe(g,g)
rq
x
(0)
= ˆe(g,g)
xS
r
rq
x
(0)
= ˆe(g,g)
rv
l
(1)
The decrypt algorithm can now decrypt the ci-
phertext with respect to the k
l
-security level, such as:
˜
C
k
l
ˆe(C
k
l
,D)
F
R
k
=
˜
C
k
l
ˆe(h
v
l
,g
(α+r)/β
)
ˆe(g,g)
rv
l
=
˜
C
k
l
ˆe(g,g)
(α+r)v
l
ˆe(g,g)
rv
l
=
m
l
· X
v
l
X
v
l
= m
l
(2)
SECRYPT 2017 - 14th International Conference on Security and Cryptography
72
6 SECURITY ANALYSIS
In this section, we prove the security of our multi-
level attribute based encryption scheme with respect
to the threat model detailed in section 4.2. First, we
discuss that our construction ensures the confidential-
ity property in section 6.1. Then, we analyse the resis-
tance of our scheme against privacy attacks in section
6.2.
6.1 Confidentiality
To ensure efficient access control, our construction
mainly relies on the CP-ABE scheme proposed by
Bethencourt et al. (Bethencourt et al., 2007). As
such, the data confidentiality preservation is tightly
related to the security of the used attribute based
encryption algorithm.
Theorem 6.1. Our multi-level access control scheme
is secure against selective non-adaptive chosen ci-
phertext attacks in the Generic Group Model (GGM),
with respect to the Exp
A
(1
κ
) experiment.
Proof. The indistinguishability property means that if
an adversary has some information about the plain-
text, he should not learn about the ciphertext. This se-
curity notion requires the computational impossibility
to distinguish between two messages chosen by the
adversary with a probability greater than a half. In-
deed, in attribute-based encryption schemes, the ad-
versary may lead an attack against the indistinguisha-
bility property either on his own or through a collu-
sion attack.
On one hand, in order to decrypt a ciphertext with
respect to a security level k
l
, an adversary A may con-
duct an attack against the indistinguishability prop-
erty. That is, he must recover X
v
l
= ˆe(g,g)
α·v
l
, where
the secret sharing key v
l
is embedded in the cipher-
text. For this purpose, A has to retrieve the corre-
sponding
˜
C
k
and the related private key element D
from the user’s private key.
To prove that our scheme ensures the confidential-
ity property, we first consider that the adversary A is
running the Exp
con f
security game defined in Section
4.2 with an entity B. This entity B is running the
Exp
B
Bethencourt et al. security game (Bethencourt
et al., 2007), with the challenger C . The objective of
this proof is to show that the advantage of the adver-
sary A to win the Exp
A
(1
κ
) experiment is equivalent
to the advantage of the entity B to win the Bethen-
court et al. security game (Bethencourt et al., 2007).
Hereafter, A and B proceed as follows:
SETUP the challenger C runs the setup
algorithm and gives the public parameters to the
adversary B. Then, B sends params to A.
QUERY PHASE during this phase, B first ini-
tializes an empty table T . Then, the adversary can
repeatedly make any of the following queries:
obtain : for each session j, A requests the pri-
vate key {sk
j
}
j[1,t]
associated to a set of at-
tribute {S
j
}
j[1,t]
with respect to the security lev-
els {k
l, j
}. The algorithm B uses the challenger
C to generate and return the corresponding se-
cret keys to the adversary A. Recall that if C al-
ready extracted a private key sk
j
for S
j
, then C
returns sk
j
. The secret keys {sk
j
,S
j
}
j[1,t]
are re-
turned to B. Afterwards, B sets a new entry with
the pair {sk
j
,S
j
}
j[1,t]
and returns the secret keys
{sk
j,GID
}
jN
to the adversary A.
cordec : for each session, the adversary submits
(CT
j
,S
j
) and asks for the decryption result of the
ciphertext CT
j
, under the private key for S
j
. Dur-
ing this phase, B checks if an entry sk
j
for S
j
does exist in table T with respect to {Γ
,k
l, j
}. As
such, if C has not previously extracted the pri-
vate key sk
j
for S
j
, then B queries the extrac-
tion of sk
j
, such that Γ
(S
j
,k
l, j
) = 1 based on the
obtain algorithm. B receives sk
j
and deciphers
CT
j
, with respect to decryption algorithm defined
in (Bethencourt et al., 2007). Then, the adversary
A receives the output of the decryption algorithm
of CT
j
with respect to the security level k
l, j
.
CHALLENGE the adversary A submits two equal
length messages M
0
and M
1
. In addition, the ad-
versary gives the access structure Γ
and the set of
security levels {k
l
}
, such that none of the previous
sets {S
j
}
j[1,t]
satisfies the access structure for {k
l
}
.
Once receiving the challenge access Γ
, the algorithm
B first selects Γ
B
such that Γ
B
Γ
. We have to note
that all pre-identified subtrees ST
i
required to satisfy
the security level {k
l
}
have to be included in the se-
lected access structure Γ
B
.
Afterwards, B sends the access structure Γ
B
and
the two equal length messages M
0
and M
1
, defined by
the adversary A. The challenger flips a random coin
b and encrypts M
b
under Γ
B
. The resulting ciphertext
{CT
b
}
is given to A.
For our analysis, we distinguish two different
cases for the Exp
A
(1
κ
) experiment defined in section
4.2:
Case 0 we set only one security level k
l
, during
the SETUP phase. That is, we define a single secu-
rity level, such that all queried private keys are re-
lated to the set of attributes S
i
that decrypt cipher-
Attribute based Encryption for Multi-level Access Control Policies
73
texts, encrypted with respect to k
l
, for each ses-
sion i. This first case simulates a CCA game for
a CP-ABE scheme as presented in (Bethencourt
et al., 2007). In fact, the two first steps SETUP
and QUERY PHASE of the Exp
A
(1
κ
) experiment
are similar to the (Bethencourt et al., 2007) secu-
rity game. In addition, the challenge access tree
defined by the adversary A is equivalent to the ac-
cess structure selected by the algorithm B, such
that Γ
B
= Γ
, where all sub-trees of Γ
have to be
included in Γ
B
.
Case 1 – we set the maximum number of security
levels c
such as c
> 1, during the SETUP phase.
For each session i, we suppose that A has access
to CT
i
= {CT
l,i
}
l[1,c
]
, where CT
l,i
is an encrypted
data block m
l,i
under a security level k
l,i
. During
the CHALLENGE phase, A submits two different
messages M
0
and M
1
and asks the challenger C
to encipher the selected message under a security
level k
l
that has never been queried during the
QUERY PHASE. As such, the algorithm B has to
select Γ
B
where identified subtrees ST
i
required
to satisfy the security level {k
l
}
of Γ
have to be
included in Γ
B
.
First, let us make the following common consid-
eration: in the aforementioned security game, includ-
ing Case 0 and Case 1, the challenge ciphertext has
a component
˜
C
k
which is either M
0
· X
v
l
or M
1
· X
v
l
,
where v
l
is the enciphering secret. So that, we con-
sider a modified game, defined in (Bethencourt et al.,
2007), in which
˜
C
k
is either ˆe(g,g)
α·v
l
or ˆe(g,g)
θ
,
where θ is selected uniformly at random. The adver-
sary A has to determine which is the case. The adver-
sary advantage is obviously equal to ε in the original
security game. But, in the modified game, the adver-
sary advantage is at least ε/2.
In the following, we consider the adversary’s advan-
tage in the modified game.
As introduced in (Boneh et al., 2005), with re-
spect to a generic group model, each element of G
1
and G
2
is encoded as a unique random. As such, A
cannot test more than the equality property. The en-
coding properties of elements in G
i
is presented by
ξ
0
: Z
p
{0,1}
that maps all a Z
p
to the rep-
resentation ξ
0
(a) of g
a
G
1
and ξ
T
: Z
p
{0,1}
that maps all a Z
p
to the representation ξ
T
(a) of
ˆe(g,g)
a
G
2
. The adversary communicates with the
oracles to perform actions in G
1
, G
2
and ˆe based on
ξ
0
and ξ
T
representations.
For Case 0, during the SETUP phase, the chal-
lenger chooses two randoms α and β Z
p
and sends
the public parameters ξ
0
(1) = g,ξ
0
(β) = h and ξ
T
(α)
to the adversary. Afterwards, B initializes an empty
table T . And, during the QUERY PHASE, A queries
several times obtain and cordec algorithms. For
each obtain query, the challenger C simulates the H
oracle function for each string i S
j
, queried in ses-
sion j. The H oracle outputs g
t
i
for each different
queried i. Consequently, for a session j, the obtain
oracle chooses a random r
( j)
, computes D
k
= h
α/r
( j)
and for each i S
j
, it provides D
i
= g
r
( j)
+t
i
r
i
( j)
and
D
0
i
= g
r
i
( j)
. These values are then set as new entries in
T , by B and sent to the adversary A.
Then, for the cordec oracle, A sends the pair
(S
j
,CT
j
) and asks for the decryption of CT
j
, with re-
spect to the predefined security level k
l
. Thus, B
checks if an entry sk
j
for S
j
does exist in table T
with respect to {Γ
,k
l, j
}. Then, if C has not previ-
ously extracted the private key sk
j
for S
j
, then C does
the extraction based on the obtain algorithm. Sub-
sequently, B computes the decryption of a ciphertext
CT
( j)
for each session j and provides a message M
j
or
an error message if the set of attributes does not pass
the access structure with respect to the pre-defined se-
curity level.
Clearly, our multi-level access control scheme
is close to the CP-ABE construction proposed by
Bethencourt et al. in (Bethencourt et al., 2007). The
main difference consists in the derivation of the em-
bedded secret v
l
corresponding to a pre-defined secu-
rity level k
l
. Indeed, unlike the (Bethencourt et al.,
2007) scheme based on Lagrange Interpolation, in
our construction, the processing of Level 1 of the
access structure Γ, with respect to k
l
, requires the
multiplication of the different elements of S
r
, in or-
der to get v
l
, where the number of elements of S
r
is lower than the degree of the root polynomial q
r
.
More precisely, the main difference mainly consists
in X
v
l
= ˆe(g,g)
α·v
l
, where v
l
=
s
i
in the Exp
A
(1
κ
)
experiment while v
l
= s computed with respect to La-
grange Interpolation in the (Bethencourt et al., 2007)
construction.
To prove that Case 0 is close to the (Bethencourt
et al., 2007) construction, we consider an absurdum
reasoning, where A can win the Exp
A
(1
κ
) experi-
ment with a non negligible probability. Let us con-
sider that the root polynomial in Exp
B
(1
κ
) is equal to
q
r,Exp
B
(x) =
p
i=0
a
i
x
i
, where a
0
= s. Thus, we have
to verify if there exists one polynomial q
r,Exp
A
, such
that q
r,Exp
A
=
p
i=0
a
0
i
x
i
and
p
j=1
p
i=0
a
0
i
x
j
i
= s.
Let us consider p 1 random values (a
0
i
), where
i [1, p 1]. Thus, we have the following equality:
p
j=1
p
i=0
a
0
i
x
j
i
= s =
p
j=1
p1
i=0
a
0
i
x
j
i
+
p
j=1
a
0
p
x
j
p
(3)
SECRYPT 2017 - 14th International Conference on Security and Cryptography
74
In the sequel, from Equation 3, we deduce that:
a
0
p
=
s
p
j=1
p1
i=0
a
0
i
x
j
i
p
j=1
a
0
p
x
j
p
(4)
From Equation 3 and Equation 4, we deduce that
the polynomial q
r,Exp
A
exists. Consequently, the ad-
versary A receives the challenge ciphertext CT
b
=
{Γ
,k
l
,
˜
C
k
l
= M
b
· X
s
i
,C
k
l
= h
s
i
,y : C
y
,C
0
y
}.
If A can win the Exp
A
(1
κ
) experiment with a non
negligible probability, then A can guess b
0
which is
therefore sent to B. In the sequel, B can win the se-
curity game Exp
B
, introduced in (Bethencourt et al.,
2007), with a non negligible probability. This contra-
dicts our assumption that (Bethencourt et al., 2007) is
proved secure in GGM model.
In addition, noticing that for Case 0 of Exp
A
, the
SETUP, QUERY and CHALLENGE phases are based
on one single security level, where the challenge mes-
sage M
b
contains one single data block related to the
security level k
l
, such that Γ
B
= Γ
, where all sub-
trees of Γ
have to be included in Γ
B
. As such, the
advantage of the adversary is at most equal to O(
q
2
p
),
where p is the order of an additive group F
p
and q
is a bound on the total number of group elements re-
ceived by any adversary A from its interaction with
the Exp
A
security game and the different oracles.
For Case 1, the SETUP phase is executed simi-
larly as for Case 0. In fact, the challenger C sends
the public parameters ξ
0
(1) = g,ξ
0
(β) = h and ξ
T
(α)
to the adversary. For ease of presentation, we do not
show the progress of SETUP and QUERY PHASE be-
tween C , B and A, where the outputs of obtain and
cordec are closely similar to Case 0, considering c
ciphertexts related to c
security levels.
During the challenge phase, when A asks for the
encryption of the challenge message with respect to a
challenge access structure Γ
, C does the following.
C first chooses a random a
0
F
p
and uses the lin-
ear secret sharing scheme associated with the access
structure Γ
to construct the shares σ
k
and λ
i
of s for
all relevant sub-trees k and attributes i, respectively.
As explained in (Bethencourt et al., 2007), both λ
i
and σ
k
shares have to be chosen uniformly and in-
dependently at random from F
p
, in order to respect
the linear conditions imposed by the secret sharing
scheme presented in (Bethencourt et al., 2007). Af-
terwards, the simulation chooses c
randoms θ
l
F
p
,
where l [1,c
].
Finally, C outputs the encryption of the chal-
lenge message such that: for each security level k
l
,
we have
˜
C
k
l
= ˆe(h, h)
θ
l
and C
k
l
= h
v
l
, where v
l
=
i∈{1,···,n
l
}
σ
i
. (cf. section 5). For each relevant at-
tribute i, we have C
i
= g
λ
i
and C
0
i
= g
t
i
λ
i
. These values
are then sent to the adversary. We state that if A asks
for a decryption key for a set of attributes that pass
Γ
with respect to any security level, then C does not
issue the key. Similarly, if A asks for Γ
, with re-
spect to any security level, such that one of the keys
is already issued then the simulation aborts. In the se-
quel, the advantage of the adversary is at most equal
to O(c
q
2
p
), due to the randomness of the choice of
variable values in the simulation. Indeed, the adver-
sary’ view in this simulation is identically distributed
for all security levels. In fact, the encryptions of data
blocks of the challenge message M
b
are completely
independent, thanks to the use of the encoding func-
tion ξ
T
. As such, Case 1 can be considered as c
random repetitions of Case 0 simulation, with respect
to c
security levels.
On the other hand, one of the main challenge
to design our multi-level attribute based encryption
scheme was to prevent collusion attacks between
users. Hence, our scheme randomizes users’ private
keys, as introduced in (Bethencourt et al., 2007), such
that they cannot be combined. In fact, each private
key element D
j
, associated with an attribute j, con-
tains a random value r related to the user, and r
j
as-
sociated to the attribute j, which prevents colluding
users to override their rights and successfully perform
a collusion attack. In addition, as discussed in the
aforementioned Case 0 and Case 1, the Exp
A
(1
κ
)
experiment and the (Bethencourt et al., 2007) security
game are shown to provide equivalent adversaries’ ad-
vantages, with respect to selective chosen ciphertext
attacks. Consequently, our multi-level access control
mechanism is resistant against collusion attacks.
As such, we prove that our multi-level access
control construction is secure against selective non-
adaptive chosen ciphertexts attacks in the Generic
Group Model (GGM), with respect to Exp
A
(1
κ
) ex-
periment.
6.2 Privacy
As introduced in section 2.3, the privacy preserving
requirement distinguishes the privacy of contents
against malicious users and the privacy of legitimate
users against honest but curious adversaries.
Theorem 6.2. Privacy Our multi-level attribute
based encryption scheme is private, against both ma-
licious and honest but curious adversaries.
Proof. The proof of Theorem 6.2 is twofold.
Case a it considers the case of malicious users
against the privacy of contents. That is, the ad-
Attribute based Encryption for Multi-level Access Control Policies
75
versary A tries to override his rights in order to
get access to the encrypted personal information,
embedded in queried ciphertexts. In our construc-
tion, personal information, referred to as pi
l
, is
encrypted under a security level k
l
, where an ad-
versary attempts to get access to the embedded se-
cret v
l
.
Obviously, Case a joins the confidentiality re-
quirement (cf. Theorem 6.1) with respect to the
Exp
A
(1
κ
) experiment presented in section 6.1,
where encrypted messages are considered as sen-
sitive identifying information pi
l
. In fact, when an
adversary tries to override his rights in order to get
access to encrypted messages, he concretely leads
an attack either on his own or through a collusion
attack, as shown in in section 6.1. As such, as
discussed in the aforementioned Case 0 and Case
1, the Exp
A
(1
κ
) experiment and the (Bethencourt
et al., 2007) security game are shown to provide
equivalent adversaries’ advantages, with respect
to selective chosen ciphertext attacks.
In addition, let us notice that Case 1 of the
Exp
A
(1
κ
) experiment can be modeled in multi-
user setting, such that there are multiple chal-
lenge ciphertexts that can be dependent. In our
case, the challenge ciphertexts represent the dif-
ferent pieces of the challenge message M
=
{m
l
}
l[1,c
]
. Thus, this case is considered as a
generalization of selective CCA security in the
multi-user setting and the adversary A can make
multiple Left-or-Right queries. These challenge
ciphertexts have to be created with the same se-
lector b; i.e; all ciphertexts are encryption of the
left input, or all ciphertexts are encryption of the
right input.
Despite the multi-user setting, the proof of The-
orem 6.1 shows that the advantage of A, against
the indistinguishability property is negligible.
Indeed, we state that the encryption of every set
of data blocks related to any security level k
l
is completely independent, thanks to the use of
the encoding function ξ
T
. Hence, the encryption
scheme does not convey any information about
the set of data blocks that have been enciphered
for each security level.
Thus, our multi-level access control scheme en-
sures the privacy of contents, against malicious
users.
Case b – it considers the case of honest but curi-
ous adversaries against the privacy of users. That
is, the attacker A attempts to distinguish between
two legitimate requesting users u
1
and u
2
, trying
to deduce the identifying information related to
each requestor, with respect to their related at-
tributes. Note that each user u
j
possesses a set
of attributes S
u
j
, where Γ(S
u
j
) = 1, j {1, 2} and
S
u
1
6= S
u
2
.
For Case b, we set a security level k
l
, during
the SETUP phase, where all queried ciphertexts
are encrypted with respect to k
l
, under an ac-
cess tree Γ. Unless there exists an authentica-
tion procedure for managing access to cloud re-
sources, it is worthy noticeable that the adver-
sary A cannot distinguish between u
1
and u
2
, be-
cause Γ(S
u
1
) = Γ(S
u
2
) = 1. Indeed, our scheme
inherits this privacy-preserving property from the
attribute-based encryption mechanisms. Thus,
our multi-level attribute base encryption scheme
ensures the privacy of users, against honest but
curious adversaries.
Referring to the e-health use case, presented in
section 2.1, the privacy preserving property is highly
recommended, especially against curious outsiders,
where access patterns are important pieces of infor-
mation that have to be protected. For example, the
unlinkability property supported by our construction
ensures that a curious adversary cannot deduce if a
patient is followed either by doctor A or doctor B.
If a perfect privacy property is needed, our multi-
level access control construction can be extended by
considering an anonymous authentication system sup-
porting the inspection feature, based on the use of
attribute based signatures, as presented in Kaaniche
and Laurent proposal (Kaaniche and Laurent, 2016a),
(Kaaniche and Laurent, 2016b). Indeed, this enables
a user to anonymously authenticate with the cloud
provider, while providing only required information,
with respect to its access policy, before accessing to
cloud resources. Hence, this extension ensures un-
linkability between the different sessions while pre-
serving the anonymity of the requesting user. In
addition, our scheme can easily support hidden ac-
cess control structures, where access patterns are en-
crypted with Public Key Encryption with Keyword
Search scheme (PEKS) (Asghar et al., 2014) (Boneh
et al., 2004).
7 THEORETICAL
PERFORMANCES
In this section, we discuss the processing and com-
munication overhead of our proposed multi-level
attribute-based scheme ML ABE compared to the
naive approach NA introduced in section 2.2. As
such, we assess theoretical complexity where the
SECRYPT 2017 - 14th International Conference on Security and Cryptography
76
encrypting entity has to create k different access
control policies for the naive approach.
To this purpose, we define the following costs:
γ
M
: cost of two group elements’ multiplication in
a multiplicative group
γ
E
: cost of an exponentiation in a multiplicative
group
|MT| : size of an aggregate access tree, referred
to as master tree
|AT | : size of an access tree for an access policy k
Y
MT
: number of leaves of the master access tree
Y
AT
: number of leaves of an access tree, with re-
spect to an access policy k
|E| : size of a multiplicative group element
Table 1 presents detailed computation and
communication overhead comparison between our
proposed construction and the naive approach, based
on the processing cost and the size of the ciphertext.
Note that the communication and storage overhead
are both referring to the size of the ciphertext.
Table 1: Theoretical Comparisons between ML ABE and
NA.
ML ABE NA
Processing
Cost
kγ
M
+ 2(k +
Y
MT
)γ
E
kγ
M
+ 2k(1 +
Y
AT
)γ
E
Size of Ci-
phertext
{MT,2(k +
Y
MT
)|E|}
{kAT,2k(1 +
Y
AT
)|E|}
It is worthy noticeable that the size of the master ac-
cess tree, proposed in our construction ML ABE, is
lower than the size of the set of access trees related
to k access policies introduced by the naive approach
NA. This is mainly due to the involved number of at-
tributes (access tree leaves), that should be duplicated
for different access tree in NA. Obviously, the num-
ber of leaves of the master tree Y
MT
would be lower
than the sum of leaves of access trees related to k ac-
cess structures of NA, such that Y
MT
k
Y
AT
k
. Con-
sequently, the communication and storage costs in-
troduced by the ML ABE approach are considerably
optimized, compared to NA.
In addition, for the NA approach, the enciphering
entity has to create an access tree AT to each different
security level. Thus, he has to assign different poly-
nomials to each node of each access tree.
Consequently, our approach presents competitive pro-
cessing and communication costs, where the number
of polynomials, that have to be assigned to each node
of an access tree, is reduced compared to NA, thanks
to the use of an aggregate access structure.
Nonetheless, our approach is not convenient when
defining different independent access policies under
the same master access tree (i.e; there is no duplicated
attributes for each defined security level k), as well as
for dynamic environments requiring the modification
of the encryption policies. Hence, in such use-cases,
the NA approach and our multi-level access control ap-
proach introduce similar processing and communica-
tion costs.
Finally, the ML ABE approach presents interest-
ing computation, communication and storage over-
head in collaborative use cases, thanks to the defini-
tion of multiple access structures. However, it is still
inappropriate for hierarchical scenarios that require
restrictive privileges, such as in redaction use-cases
in military services. That is, these use cases often rely
on encapsulated access structures, defined by hierar-
chical levels of security, such that each higher level of
security k + 1 introduces additional attributes, com-
pared to the security level k, that have to be satisfied
with respect to the related access policy AT
k+1
.
8 CONCLUSION
In this paper, we presented a new scheme to design
multi-level access control policies for e-health appli-
cations based on an original usage of attribute based
encryption schemes.
Indeed, our proposal ensures flexible fine-grained
access control, supporting multi-security levels with
respect to different granted access rights for each out-
sourced data file.
Additionally, our multi-level access attribute-
based scheme is deliberately designed to ensure
the confidentiality and privacy preserving properties
against both malicious and honest but curious adver-
saries. As such, our construction is proven secure
against selective, non-adaptive chosen ciphertext at-
tacks in the generic group model.
Finally, a quantitative comparison of our proposal
with the naive approach shows the interesting pro-
cessing and communication cost of our multi-level ac-
cess control scheme, due to the application of aggre-
gate access policies.
REFERENCES
Asghar, M. R., Gehani, A., Crispo, B., and Russello, G.
(2014). Pidgin: Privacy-preserving interest and con-
Attribute based Encryption for Multi-level Access Control Policies
77
tent sharing in opportunistic networks. In Proceedings
of the 9th ACM Symposium on Information, Computer
and Communications Security, ASIA CCS ’14, pages
135–146. ACM.
Ateniese, G., Chou, D. H., de Medeiros, B., and Tsudik,
G. (2005). Sanitizable Signatures. Springer Berlin
Heidelberg.
Beimel, A. (2011). Secret-sharing schemes: A survey.
IWCC’11.
Bethencourt, J., Sahai, A., and Waters, B. (2007).
Ciphertext-policy attribute-based encryption. In Pro-
ceedings of the 2007 IEEE Symposium on Security
and Privacy, SP ’07, Washington, DC, USA. IEEE
Computer Society.
Boneh, D., Boyen, X., and Goh, E.-J. (2005). Hierarchical
Identity Based Encryption with Constant Size Cipher-
text. Springer Berlin Heidelberg.
Boneh, D., Crescenzo, G. D., Ostrovsky, R., and Per-
siano, G. (2004). Public key encryption with keyword
search.
Di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi,
S., Pelosi, G., and Samarati, P. (2010). Encryption-
based policy enforcement for cloud storage. In Dis-
tributed Computing Systems Workshops (ICDCSW),
2010 IEEE 30th International Conference on, pages
42–51. IEEE.
di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi,
S., and Samarati, P. (2013). On information leakage
by indexes over data fragments. In Data Engineering
Workshops (ICDEW), 2013 IEEE 29th International
Conference on, pages 94–98. IEEE.
Horv
´
ath, M. (2015). Attribute-based encryption optimized
for cloud computing. In SOFSEM 2015: Theory
and Practice of Computer Science, pages 566–577.
Springer.
Huang, Q., Yang, Y., and Shen, M. (2016). Secure and ef-
ficient data collaboration with hierarchical attribute-
based encryption in cloud computing. Future Gener-
ation Computer Systems.
Hur, J. and Noh, D. K. (2011). Attribute-based access con-
trol with efficient revocation in data outsourcing sys-
tems. IEEE Transactions on Parallel and Distributed
Systems, 22(7):1214–1221.
Jahid, S., Mittal, P., and Borisov, N. (2011). Easier:
Encryption-based access control in social networks
with efficient revocation. In The 6th ACM Symposium
on Information, Computer and Communications Se-
curity, pages 411–415. ACM.
Johnson, R., Molnar, D., Song, D., and Wagner, D. (2002).
Homomorphic Signature Schemes, pages 244–262.
Springer Berlin Heidelberg.
Kaaniche, N. and Laurent, M. (2016a). Attribute-based sig-
natures for supporting anonymous certification. In Eu-
ropean Symposium on Research in Computer Security,
pages 279–300. Springer.
Kaaniche, N. and Laurent, M. (2016b). Security analysis of
habs. In Unpublished Note, pages 1 –7.
Miyazaki, K., Hanaoka, G., and Imai, H. (2006). Digitally
signed document sanitizing scheme based on bilinear
maps. In Proceedings of the 2006 ACM Symposium
on Information, Computer and Communications Se-
curity, ASIACCS ’06, pages 343–354. ACM.
Raykova, M., Zhao, H., and Bellovin, S. M. (2012). Privacy
enhanced access control for outsourced data sharing.
In International Conference on Financial Cryptogra-
phy and Data Security, pages 223–238. Springer.
Ruj, S. (2014). Attribute based access control in clouds: A
survey. In IEEE International Conference on Signal
Processing and Communications (SPCOM), pages 1–
6.
Sahai, A. and Waters, B. (2005). Fuzzy identity-based
encryption. In EUROCRYPT 2005, pages 457–473.
Springer.
Steinfeld, R., Bull, L., and Zheng, Y. (2002). Content Ex-
traction Signatures. Springer Berlin Heidelberg.
Yu, S., Wang, C., Ren, K., and Lou, W. (2010). Attribute
based data sharing with attribute revocation. In The
5th ACM Symposium on Information, Computer and
Communications Security, pages 261–270.
SECRYPT 2017 - 14th International Conference on Security and Cryptography
78