Future Generation Computer Systems 97 (2019) 453–461
Contents lists available at ScienceDirect
Future Generation Computer Systems
journal homepage: www.elsevier.com/locate/fgcs
Partially policy-hidden attribute-based broadcast encryption with
secure delegation in edge computing
Hu Xiong a, Yanan Zhao a, Li Peng a, Hao Zhang a, Kuo-Hui Yeh b,∗
a School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, PR China
b Department of Information Management, National Dong Hwa University, Hualien 97401, Taiwan, ROC
Highlights
• Our scheme achieves partially hidden policy, direct revocation and outsourced decryption.
• Our scheme uses a partially hidden policy to protect private information in the access policy.
• Our scheme is proved secure under the DDH assumption and the DBDH assumption.
Article info
Article history:
Received 4 January 2019
Received in revised form 15 February 2019
Accepted 5 March 2019
Available online 8 March 2019
Keywords:
Edge computing
Attribute-based encryption
Direct revocation
Partially hidden policy
Outsourced encryption
Abstract
The rapid growth of data has successfully promoted the development of edge computing, which is used
for processing the data at the edge of network. The emergence of edge computing compensates for the
network delay caused by massive data uploads to the cloud. However, the issues of data security and
privacy protection still need to be resolved. In this paper, we propose an efficient ciphertext-policy
attribute-based encryption (CP-ABE) scheme that for the first time simultaneously achieves partially
hidden policy, direct revocation, and verifiable outsourced decryption. Specifically, in our scheme, the
concept of partially hidden policy is introduced to protect private information in an access policy. In
addition, after a revocation is successfully executed, the revoked users will not be able to access the
message without affecting any other non-revoked users. Our new scheme leverages the outsourcing
technique to minimize the overhead required of the user. We demonstrate that our scheme is secure
under the Decisional (q − 1) Diffie–Hellman assumption and the Decisional Bilinear Diffie–Hellman
assumption, as well as evaluating its performance using simulations.
© 2019 Elsevier B.V. All rights reserved.
1. Introduction
The emergence of cloud computing has a tremendous impact on our lives. More and more enterprises or individuals choose to upload their data to the cloud servers to alleviate the problem of device resource constraints. However, uploading massive amounts of data generated by millions of devices to the cloud server will inevitably cause transmission delays, which will have a huge influence on performance. This problem promotes the development of edge computing [1]. Edge computing is considered to be a promising method by which data can be processed near the point where it is generated (the edge) to reduce network bandwidth. Unfortunately, the issues of data security and privacy protection still need to be resolved [2]. A naive solution is to deploy encryption for access control, so that only a user who meets the data owner's requirements can access the data. Examples include attribute-based encryption (ABE) [3], which provides one-to-many encryption for sensitive information and realizes fine-grained access control by associating attributes with a ciphertext and a user's secret key. There are two broad ABE variants, namely Key-Policy ABE (KP-ABE) [4] and Ciphertext-Policy ABE (CP-ABE) [5]. In a typical KP-ABE scheme, a user's secret key is associated with an access policy and an attribute set is embedded in a ciphertext. In a typical CP-ABE scheme, an attribute set is embedded in a user's secret key and a ciphertext is associated with an access policy. Only if the attribute set satisfies the access policy can the corresponding ciphertext be decrypted.
∗ Corresponding author.
E-mail address: khyeh@gms.ndhu.edu.tw (K.-H. Yeh).
https://doi.org/10.1016/j.future.2019.03.008
0167-739X/© 2019 Elsevier B.V. All rights reserved.
In this paper, we focus on CP-ABE because it is more flexible than
a KP-ABE scheme.
H. Xiong, Y. Zhao, L. Peng et al. / Future Generation Computer Systems 97 (2019) 453–461
In conventional CP-ABE schemes, the access policy is attached to the encrypted data in clear-text form. Thus, anyone can analyze the access policy to infer private information such as the identity information of data owners and data sharers. Therefore, Nishide et al. [6] introduced policy-hidden CP-ABE and proposed two concrete schemes which support AND-gates with wildcards. A fully secure policy-hidden CP-ABE scheme under AND-gates was also proposed by Lai et al. [7], and a year later the authors presented a more expressive policy-hidden scheme that supports the Linear Secret Sharing Scheme (LSSS) [8]. However, the communication size and the computation cost of the scheme in [8] increase with the number of attributes. In addition, it is constructed from pairings over composite-order groups, which results in slower computations (e.g. approximately 50 times slower compared with its prime-order counterpart). Cui et al. [9] presented a new partially policy-hidden CP-ABE scheme with high efficiency and expressiveness, in the sense that the scheme supports LSSS with unbounded attribute names and is constructed in prime-order groups. Although efficient CP-ABE schemes that also provide privacy protection already exist, there are a number of research challenges that have not been addressed, such as the following:
1. When some users’ secret keys are compromised, how can
we revoke these users without affecting other non-revoked
users?
2. How can we minimize communication and computation
overheads so that the scheme is sufficiently lightweight for
resource constrained devices, such as wearable devices and
Internet of Things (IoT) devices?
Therefore, in this paper, we introduce a new scheme, hereafter referred to as the partially policy-hidden attribute-based broadcast encryption scheme with secure delegation. The proposed scheme is the first scheme in the literature to achieve partially hidden policy, direct revocation, and verifiable outsourced decryption simultaneously. Specifically, we incorporate the broadcast encryption technique to realize
direct revocation (due to the technique’s inherent property of
direct revocation), and combine a verified outsourcing technique
that outsources complex computations to the cloud and only
constant modular exponentiation operations are performed at the
user’s device (i.e. minimal consumption). We also remark that the
proposed scheme is developed from the scheme in [9], so our
scheme inherits the partially policy-hidden property. In addition,
we give every single user a unique ID that is embedded in the
corresponding private key. When a data owner encrypts the data,
she/he needs to assign a user ID set S and executes the encryption
algorithm. The encryption algorithm embeds S in the ciphertext.
Therefore, a user can decrypt encrypted data, iff his/her ID and
attributes satisfy the set S and the access policy respectively.
When some users are revoked, the data owner simply removes
the user IDs in S, and executes the encryption again. In other
words, the revoked users are not able to obtain the underlying data in the new ciphertext. Moreover, we use the verifiable
outsourcing technique in [10] to minimize the communication
and computation costs at the user’s side. Our construction is also
presented in Fig. 1.
In the next two sections, we will briefly review related literature and background materials, respectively. In Section 4, we
present the proposed scheme. The security proof and performance evaluation are respectively presented in Sections 5 and 6.
The paper is summarized in the last section.
Fig. 1. Overview of our construction.
2. Related work
Sahai and Waters [3] suggested the first ABE scheme, but Goyal et al. [4] formally defined ABE and presented the first concrete KP-ABE scheme. Then, Bethencourt et al. [5] presented a concrete CP-ABE scheme based on the generic group model. In order to provide a higher level of security, Cheung and Newport proposed another CP-ABE scheme under the standard model, but it only supports AND-gates. Waters [11] suggested a more expressive ABE scheme, which expresses the access policy via LSSS.
2.1. Attribute based broadcast encryption
Berkovits [12] introduced the concept of Broadcast Encryption
(BE), which forms the basis in a number of other seminal developments such as those reported in [13,14]. In these works, BE is
defined as a cryptographic scheme that sends encrypted data over
a broadcast channel, where only users within a user set specified
by the broadcaster can obtain the plaintext. In other words, the BE
schemes have the property of direct revocation. Unsurprisingly,
the scheme has been applied in a number of ABE schemes, also
known as Attribute Based Broadcast Encryption (ABBE) [15].
Although CP-ABE schemes that support AND-gates can realize direct revocation by conjunctively adding the revoked user
identities in a negated format, such an approach is efficient in
terms of bandwidth requirements and expressiveness particularly
in complex settings. Lubicz and Sirvent [16] proposed an ABBE
scheme supporting AND-gates, OR-gates, and NOT-gates. Then,
Attrapadung and Imai [17] proposed ciphertext-policy and keypolicy ABBE schemes, which support LSSS as access policy. In
both approaches, only non-revoked users can obtain the plaintext,
even if the revoked receivers have all requisite attributes. A key
limitation in these schemes is low efficiency.
For improved efficiency, Phuong et al. [18] proposed ABBE
schemes with short ciphertext and decryption key. However,
these schemes only support AND-gates with wildcards and the
computation cost is very high. Another efficient privacy-preserving ABBE scheme based on AND-gates with wildcards was proposed by Zhou et al. [19]. However, the latter scheme supports only revocation based on attributes. While these discussed schemes have improved efficiency, the computing requirements at the user mean that these schemes are not suitable for deployment on resource-constrained devices.
2.2. Outsourced attribute-based encryption
Cloud computing has often been seen as a solution to reduce computation at client devices by outsourcing computationally intensive activities to the cloud server. For example, Green
et al. [20] suggested to outsource main decryption computation
to a cloud. Specifically, their schemes allow a cloud to transform a complex ciphertext generated from an ABE scheme into a (constant-size) ElGamal-style ciphertext. The cloud performing the translation operation is not able to read any
part of messages and the users’ private keys. To outsource the
decryption computation to a cloud, a user needs to split his/her
private key into a blind key (BK), and a recovery key (RK). The
user gives the BK to the cloud, so that the cloud is able to
translate the ABE ciphertext into an ElGamal-style ciphertext and
returns it to the sender. Finally, the user utilizes RK to obtain
the encrypted message. However, in their schemes, a malicious
cloud could return a wrong result by changing the ciphertext and its validation tag simultaneously. Thus, it does not strictly guarantee the correctness of the transformed ciphertext. To solve this
problem, Lai et al. [21] suggested a new scheme that provides
verification for the transformed ciphertext. However, this nearly
doubles the costs due to increased ciphertext size and decryption
computations.
To increase the efficiency of the scheme in [21], Qin et al. [22]
and Lin et al. [23] independently introduced a key encapsulated
mechanism (KEM). Their approaches reduce the communication
and computation costs nearly by half compared with the scheme
in [21]. Similarly, Mao et al. [24] introduced a scheme that encrypts a message and a random number together and uses the
random number to realize verifiability. To avoid the significant
computation overheads at the attribute authority, a new outsourced ABE scheme that outsources (as the name of the scheme
suggested) key-issuing and decryption to different clouds was
presented by Li et al. [25]. While this construction provides checkability, the scheme is vulnerable to the same attack affecting schemes based on the scheme in [20]. Ning et al. [26] proposed an auditable σ-time outsourced CP-ABE scheme that achieves secure decryption outsourcing, auditability of decryption, limited and anonymous fine-grained access control, key-leakage resistance and light decryption cost on the user side at the same time.
Similarly, an outsourced ABE scheme with anti-fraud function
was proposed by Xu et al. [27]. Their scheme prevents the cloud
server from deceiving the users that the encrypted data cannot
be transformed due to lack of permits. The schemes of Zhang
et al. [28] and Wang et al. [29] outsource the main computations of key-issuing, encryption and decryption to the clouds
simultaneously.
Outsourced ABE schemes are increasingly important and a
number of schemes with different properties for different applications have been proposed. For instance, Li et al. [30] applied
the outsourced key generation and outsourced decryption to an
ABE system which provides keyword search. In [31], Li et al.
combined the ABE scheme which possesses the property of constant ciphertext length and the verifiable outsourced decryption
technique. In [32], Li et al. realized efficient user revocation by outsourcing the main cost of encryption and decryption to cloud servers. In [33], Wang et al. achieved user anonymity and multi-authority efficiently by introducing the outsourced decryption technique. Zuo et al. [34] presented a new ABE scheme with outsourced decryption which was the first to achieve CCA security.
3. Background materials
3.1. Preliminaries
Let G be a group of prime order p with generator g, and let ê : G × G → G_T be a bilinear map. It has the following properties [35]:
1. Bilinear: for all g ∈ G and x, y ∈ Z_p, ê(g^x, g^y) = ê(g, g)^{xy};
2. Non-degenerate: ê(g, g) ≠ 1.
The Decisional (q − 1) assumption [36] is as follows: a probabilistic polynomial-time algorithm is given
v⃗ = ( g, g^ε,
g^{a^i}, g^{b_k}, g^{ε b_k}, g^{a^i b_k}, g^{a^i / b_k^2}   ∀(i, k) ∈ [q, q],
g^{a^i / b_k}   ∀(i, k) ∈ [2q, q] with i ≠ q + 1,
g^{a^i b_k / b_{k'}^2}   ∀(i, k, k') ∈ [2q, q, q] with k ≠ k',
g^{ε a^i b_k / b_{k'}}, g^{ε a^i b_k / b_{k'}^2}   ∀(i, k, k') ∈ [q, q, q] with k ≠ k' ).
The algorithm seeks to distinguish (v⃗, ê(g, g)^{a^{q+1} ε}) from (v⃗, X), where g ∈ G, X ∈ G_T, a, ε, b_1, ..., b_q ∈ Z_p are chosen randomly. According to the assumption, the algorithm cannot win with a non-negligible advantage.
The Decisional Linear Assumption [37] is as follows: a probabilistic polynomial-time algorithm is given g, g^{x_1}, g^{x_2}, g^{x_1 y_1}, g^{x_2 y_2}, and it seeks to distinguish (g, g^{x_1}, g^{x_2}, g^{x_1 y_1}, g^{x_2 y_2}, g^{y_1 + y_2}) from (g, g^{x_1}, g^{x_2}, g^{x_1 y_1}, g^{x_2 y_2}, Z), where g, Z ∈ G and x_1, x_2, y_1, y_2 ∈ Z_p are chosen randomly. According to the assumption, the algorithm cannot win with a non-negligible advantage.
The access structure is as follows. Let {W_1, ..., W_n} denote a set of parties. A collection A ⊆ 2^{{W_1, ..., W_n}} is monotone if for all P, Y: if P ∈ A and P ⊆ Y, then Y ∈ A. An access structure A is a (monotone) collection of non-empty subsets of {W_1, ..., W_n} (i.e. A ⊆ 2^{{W_1, ..., W_n}} \ {∅}). The sets in A are called authorized sets, and the sets not in A are called unauthorized sets.
We will now describe the LSSS. Here, we use W to denote a set of parties and M a matrix of size ℓ × n. We also use ρ to represent a function that associates each row of M with a party. A scheme Π is an LSSS over Z_p if:
1. The shares of the secret for each party form a vector over Z_p;
2. A matrix M of ℓ rows and n columns is generated for the shares in Π, and ρ associates the k-th row of M with a party (i.e. ρ(k) → W_k where k ∈ {1, ..., ℓ}). When sharing a secret µ, we first generate a column vector v = (µ, x_2, ..., x_n), where µ ∈ Z_p and x_2, ..., x_n ∈ Z_p are randomly chosen. Then, Mv is the vector of ℓ shares, and (Mv)_k belongs to party ρ(k).
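To make the LSSS definition above concrete, the following is an added example in Python (not code from the paper): it shares a secret µ with a constructed policy matrix M for the policy "(Role:Doctor AND Department:Cardiology) OR Position:Director", computes reconstruction constants ω_i with Σ_{i∈I} ω_i M_i = (1, 0, ..., 0) by Gaussian elimination modulo p, and recovers µ only for authorized row sets. The prime p, the matrix and the attribute names and values are constructed for illustration; keeping ρ (attribute names) apart from {A_ρ(i)} (attribute values) mirrors the partially hidden policy the paper uses later, where only the names travel with the ciphertext.

```python
"""LSSS over Z_p: share a secret under a policy matrix and recover it.

Added illustration, not code from the paper. Matrix, prime and attribute
names/values are constructed for this example.
"""
import random

P = 2**127 - 1  # constructed prime modulus for the illustration

# (M, rho) is the public part of a partially hidden policy: rho maps each row to
# an attribute NAME; the attribute VALUES stay out of the ciphertext.
# Rows: Role (1,1), Department (0,-1), Position (1,0)  <=>  (Role AND Department) OR Position
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["Role", "Department", "Position"]        # names, public
VALUES = ["Doctor", "Cardiology", "Director"]   # values, hidden in the paper's scheme


def share(secret, matrix, p=P):
    """Shares (M v)_k for v = (mu, x_2, ..., x_n) with random x_j, as in the definition."""
    n = len(matrix[0])
    v = [secret % p] + [random.randrange(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def solve_mod_p(A, b, p):
    """Solve A x = b over Z_p by Gauss-Jordan elimination; one solution or None."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue                       # free column
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    for i in range(r, rows):               # a row "0 = nonzero" means no solution
        if aug[i][cols]:
            return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def reconstruction_coeffs(matrix, rows_I, p=P):
    """omega with sum_{i in I} omega_i * M_i = (1, 0, ..., 0), or None if I is unauthorized."""
    n = len(matrix[0])
    A = [[matrix[i][c] for i in rows_I] for c in range(n)]   # one equation per column
    b = [1] + [0] * (n - 1)
    return solve_mod_p(A, b, p)


def reconstruct(shares, matrix, rows_I, p=P):
    """Recover mu = sum_i omega_i * share_i from an authorized row set I."""
    w = reconstruction_coeffs(matrix, rows_I, p)
    if w is None:
        return None
    return sum(wi * shares[i] for wi, i in zip(w, rows_I)) % p


def rows_for(user_attrs, rho, values):
    """I = {i : rho(i) in A}; the user holds (name, value) pairs."""
    return [i for i, (nm, val) in enumerate(zip(rho, values)) if (nm, val) in user_attrs]


if __name__ == "__main__":
    mu = 123456789
    sh = share(mu, M)
    doctor = {("Role", "Doctor"), ("Department", "Cardiology")}
    print(reconstruct(sh, M, rows_for(doctor, RHO, VALUES)) == mu)   # True
    print(reconstruct(sh, M, rows_for({("Role", "Doctor")}, RHO, VALUES)))  # None
```

The solver works on the transpose system (one equation per column of M, one unknown per row in I), so the same code handles any monotone LSSS matrix, not just the three-row one constructed here.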
3.2. Threat model and security goals
1. Confidentiality: Only the user who has enough attributes
to satisfy the access policy could access the corresponding
messages. Any other entities including the cloud server are
not able to get any information about the messages.
2. Anonymity: In the traditional CP-ABE scheme, the access
policy is attached to the encrypted data in clear text. Anyone can infer some private information, such as the identity information of the data owner and data sharer, by analyzing the access policy. Therefore, it is necessary to protect the access policy to prevent the user's privacy from being exposed.
3. Collusion resistance: If multiple users collude, even if each
user cannot decrypt the ciphertext alone, they can decrypt
the ciphertext by piecing their attributes. Collusion resistance is an important security property in ABE system. In
this paper, we assume that trusted authority, cloud server
and storage proxy are honest, regardless of their collusion
attacks with the revoked users.
3.3. System model
A partially policy-hidden ABBE with secure delegation scheme
is constructed by the following algorithms:
1. Setup(λ). Create the public parameters PK and the master
secret key MSK upon receiving the security parameter λ as
input.
2. KeyGen(MSK , PK , A, ID). Return a secret key SK for a user
after receiving the following inputs: public parameters PK ,
the corresponding MSK , a user ID ID, and a user’s attribute
set A.
3. Encrypt(PK, M, (M, ρ, {A_{ρ(i)}}), S). Generate a ciphertext CT upon receiving the public parameters PK, a message M, an access policy (M, ρ, {A_{ρ(i)}}) and a set of user IDs S, where ρ maps the rows of M to the names of attributes and {A_{ρ(i)}} are the values of the attributes.
4. Decrypt(PK, SK, CT). Return the message M on input PK, a ciphertext CT and the corresponding SK, if the attribute set A and the user ID embedded in SK satisfy the access policy (M, ρ, {A_{ρ(i)}}) and the set of IDs S embedded in CT respectively.
5. KeyGen.out(SK). Generate a blind key BK and the corresponding recovery key RK based on a user secret key SK.
6. Decrypt.out(PK, CT, BK). Return a transformed ciphertext CT' on input PK, a ciphertext CT and the corresponding blind key BK.
7. Decrypt.user(PK, RK, CT, CT'). This algorithm outputs the message M when it receives as input PK, a ciphertext CT, the corresponding transformed ciphertext CT' and the corresponding recovery key RK.
3.4. Security model
Here, we use a security game to describe the security model,
where C , A are respectively a challenger and an adversary.
1. Setup. C first obtains PK and the corresponding MSK by
running the algorithm Setup(λ). Then, it sends PK to A and
retains MSK .
2. Phase 1. A can make any of the four queries in these
phases: Key Query, Blind Key Query, Decryption Query, User
Decryption Query. The challenger C first creates an empty
list L, an empty set R, and an empty set I .
(a) Key Query: If A queries a secret key SK based on an attribute set A and a user ID ID, then A will send A to C and obtain a secret key RK_A. In addition, C will set R = R ∪ A, I = I ∪ ID and K = K ∪ S.
(b) Blind Key Query: When A queries a blind key BK based on an attribute set A and a user ID ID, C searches for the tuple ⟨A, ID, SK_A, TK_A, RK_A⟩ in the list L. If such a tuple exists, then C sends TK_A to A as the answer. Otherwise, C runs the Key Generation Algorithm to obtain the private key SK_A and the KeyGen.out Algorithm to generate a blind key TK_A based on SK_A, before returning TK_A to A. Finally, C stores the tuple ⟨A, ID, SK_A, TK_A, RK_A⟩ in the list L.
3. Challenge. Two messages M0 , M1 with equal length for
access structure A0 , A1 and user ID set S0 , S1 respectively
will be sent to C by A. Note that none of attribute sets in
L satisfy A0 and A1 or none of the user IDs in L satisfy S0
and S1 . C randomly chooses a number u ∈ {0, 1}, encrypts
Mu under Au and Su with the Encryption Algorithm, and
returns the result to A.
4. Phase 2. A continues making above mentioned queries and
it should be noted that none of the attribute sets satisfy A0
and A1 or none of the user ID sets satisfy S0 and S1 .
5. Output. A generates a bit γ. A wins the game if and only if γ = u.
The advantage of adversary A winning is defined as AdvA =
|Pr {γ = u} − 1/2|.
Remark 1. The security of the proposed scheme can be guaranteed if no polynomial time adversaries can win the above security
game with a non-negligible advantage.
4. Proposed scheme
In this section, we present the proposed scheme that combines
the scheme in [9], the broadcast encryption scheme in [38], and
the outsourcing approach in [10]. Specifically, in the scheme, we
use a symmetric encryption scheme that can be defined as SE =
(SE.Enc(KSE , M), SE.Dec(KSE , CSE )), where SE.Enc(KSE , M) is the
encryption algorithm and SE.Dec(KSE , CSE ) is the decryption algorithm. SE.Enc(KSE , M) inputs the symmetric encryption key KSE
and a message M, and returns a ciphertext CSE . On the contrary,
SE.Dec(KSE , CSE ) inputs the symmetric encryption key KSE and a
ciphertext CSE , and returns the corresponding message M. Here,
we let a tuple (G, GT , q, g , ê) be the bilinear map parameters.
Setup(λ). This algorithm takes a security parameter λ as input and randomly chooses u, h, ω, v, v', u' ∈ G and d_1, d_2, d_3, d_4, α, θ ∈ Z_p before computing h_1 = g^{d_1}, h_2 = g^{d_2}, h_3 = g^{d_3}, h_4 = g^{d_4}, τ = g^θ. Then, it adopts a key derivation function KDF and uses L = |key| + |p| to denote the length of the output of the function. SE = (SE.Enc, SE.Dec) denotes a symmetric encryption scheme. It generates g_i = g^{α^i} where i ∈ [1, m] ∪ [m + 2, 2m] and m is the maximum user number. H : G_T → {0, 1}^* is a hash function that maps an element in G_T to an element in {0, 1}^*, which denotes the symmetric encryption key space. Finally, the following public parameters are produced:
PK = [{h_i}_{i=1}^{4}, τ, {g_i}_{i=1, i≠m+1}^{2m}, u, h, ω, v, v', u', H, KDF, L, SE]
and the master secret key is
MSK = (d_1, d_2, d_3, d_4, α, θ).
KeyGen(MSK, PK, A, ID). Here, we let A_1, ..., A_k ∈ Z_p be the attribute values in an attribute set A. This algorithm inputs PK, the corresponding MSK, an attribute set A, and a user ID ID, and chooses random numbers r, r', r_1, ..., r_k, r'_1, ..., r'_k ∈ Z_p, where k is the size of the attribute set A. It generates the user secret key SK as
SK = (K_1, K_2, {K_{i,1}, K_{i,2}, K_{i,3}, K_{i,4}, K_{i,5}}_{i∈[1,k]}),
where
K_1 = g^{α^{ID} θ} ω^{d_1 d_2 r + d_3 d_4 r'},
K_2 = g^{d_1 d_2 r + d_3 d_4 r'},
K_{i,1} = ((u^{A_i} h)^{r_i} v^{−r})^{d_2},
K_{i,2} = ((u^{A_i} h)^{r_i} v^{−r})^{d_1},
K_{i,3} = g^{d_1 d_2 r_i + d_3 d_4 r'_i},
K_{i,4} = ((u^{A_i} h)^{r'_i} v^{−r'})^{d_4},
K_{i,5} = ((u^{A_i} h)^{r'_i} v^{−r'})^{d_3}.
Encrypt(PK, M, (M, ρ, {A_{ρ(i)}})). This algorithm takes PK, a message M, an LSSS access policy (M, ρ, {A_{ρ(i)}}) and a user ID set S ⊆ {1, ..., m} as input. It then randomly chooses a vector v⃗ = (µ, b_2, ..., b_m) ∈ Z_p^m, which is used to share µ. For i = 1 to ℓ, it calculates v_i = v⃗ · M_i, where M_i is the i-th row of M. Then, it randomly selects s_{1,1}, ..., s_{ℓ,1}, s_{1,2}, ..., s_{ℓ,2}, z_1, ..., z_ℓ ∈ Z_p. It generates the encapsulated key key = ê(g_1, g_m)^{−µ} and computes KDF(key, L) = SSK∥d, Ĉ = u'^{H(SSK)} v'^{H(d)}, K_SE = H(key), C_SE = SE.Enc(K_SE, M), before generating the ciphertext as
CT = ((M, ρ), Ĉ, D, C_SE, F, {(C_i, D_{i,1}, D_{i,2}, E_{i,1}, E_{i,2}, F_i)}_{i∈[1,ℓ]}),
whose components are as follows:
Ĉ = u'^{H(SSK)} v'^{H(d)},
D = g^µ,
C_SE = SE.Enc(H(ê(g_1, g_m)^{−µ}), M),
F = (τ ∏_{j∈S} g_{m+1−j})^µ = (g^θ ∏_{j∈S} g_{m+1−j})^µ,
C_i = ω^{v_i} v^{z_i},
D_{i,1} = h_1^{z_i − s_{i,1}},
D_{i,2} = h_3^{z_i − s_{i,2}},
E_{i,1} = h_2^{s_{i,1}},
E_{i,2} = h_4^{s_{i,2}},
F_i = (u^{A_{ρ(i)}} h)^{−z_i}.
Here, the message M is encrypted by SE with the encapsulated symmetric key key. A Pedersen commitment Ĉ is introduced to achieve the verification of key.
Decrypt(PK, SK, CT). This algorithm inputs PK, a ciphertext CT = ((M, ρ), Ĉ, D, C_SE, F, {(C_i, D_{i,1}, D_{i,2}, E_{i,1}, E_{i,2}, F_i)}_{i∈[1,ℓ]}), and a user secret key SK based on an attribute set A and a user ID ID. It computes I = {i : ρ(i) ∈ A} and the constants {ω_i ∈ Z_p}_{i∈I} such that Σ_{i∈I} ω_i v_i = µ for the shares {v_i} of µ. Then, it computes
P_i = ê(C_i, K_2) ê(D_{i,1}, K_{i,1}) ê(E_{i,1}, K_{i,2}),
Q_i = ê(F_i, K_{i,3}) ê(D_{i,2}, K_{i,4}) ê(E_{i,2}, K_{i,5}),
key = ê(D, K_1) ê(D, ∏_{j∈S, j≠ID} g_{m+1−j+ID}) / ( ∏_{i∈I} (P_i Q_i)^{ω_i} ê(g_{ID}, F) ) = ê(g_1, g_m)^{−µ},
KDF(key, L) = SSK∥d.
If Ĉ ≠ u'^{H(SSK)} v'^{H(d)}, then it outputs ⊥. Otherwise, it computes the symmetric encryption key K_SE = H(key) and the message M = SE.Dec(H(key), C_SE). Finally, it returns the message M.
KeyGen.out(SK). This algorithm inputs a user's SK, chooses a random δ ∈ Z_p^*, and then computes
K'_1 = K_1^{1/δ} = g^{(α^{ID} θ)/δ} ω^{(d_1 d_2 r + d_3 d_4 r')/δ},
K'_2 = K_2^{1/δ} = g^{(d_1 d_2 r + d_3 d_4 r')/δ}.
For i = 1 to k, it computes
K'_{i,1} = K_{i,1}^{1/δ} = ((u^{A_i} h)^{r_i} v^{−r})^{d_2/δ},
K'_{i,2} = K_{i,2}^{1/δ} = ((u^{A_i} h)^{r_i} v^{−r})^{d_1/δ},
K'_{i,3} = K_{i,3}^{1/δ} = g^{(d_1 d_2 r_i + d_3 d_4 r'_i)/δ},
K'_{i,4} = K_{i,4}^{1/δ} = ((u^{A_i} h)^{r'_i} v^{−r'})^{d_4/δ},
K'_{i,5} = K_{i,5}^{1/δ} = ((u^{A_i} h)^{r'_i} v^{−r'})^{d_3/δ}.
Finally, it outputs the blind key as
BK = (K'_1, K'_2, {K'_{i,1}, K'_{i,2}, K'_{i,3}, K'_{i,4}, K'_{i,5}}_{i∈[1,k]})
and the recovery key as RK = (PK, δ).
Decrypt.out(PK, CT, BK). This algorithm inputs PK, a ciphertext CT = ((M, ρ), Ĉ, D, C_SE, F, {(C_i, D_{i,1}, D_{i,2}, E_{i,1}, E_{i,2}, F_i)}_{i∈[1,ℓ]}) and a blind key BK based on an attribute set A and a user ID ID. It computes I = {i : ρ(i) ∈ A} and the constants {ω_i ∈ Z_p}_{i∈I}. Then, it computes
P'_i = ê(C_i, K'_2) ê(D_{i,1}, K'_{i,1}) ê(E_{i,1}, K'_{i,2}),
Q'_i = ê(F_i, K'_{i,3}) ê(D_{i,2}, K'_{i,4}) ê(E_{i,2}, K'_{i,5}),
T'_1 = ê(D, K'_1) / ∏_{i∈I} (P'_i Q'_i)^{ω_i} = ê(g, g_{ID})^{µθ/δ},
T'_2 = ê(D, ∏_{j∈S, j≠ID} g_{m+1−j+ID}) / ê(g_{ID}, F) = 1 / ( ê(g_{ID}, g^{θµ}) ê(g_1, g_m)^µ ).
Finally, it outputs CT' = (T'_1, T'_2, T'_3), where T'_3 = Ĉ.
Decrypt.user(RK, CT, CT'). This algorithm inputs the recovery key RK = (PK, δ), a ciphertext CT = ((M, ρ), Ĉ, D, C_SE, F, {(C_i, D_{i,1}, D_{i,2}, E_{i,1}, E_{i,2}, F_i)}_{i∈[1,ℓ]}) and the corresponding transformed ciphertext CT' = (T'_1, T'_2, T'_3). If Ĉ ≠ T'_3, then it outputs ⊥. Otherwise, it computes the encapsulated key and the session key SSK as follows:
key = (T'_1)^δ T'_2 = ( ê(g, g_{ID})^{µθ/δ} )^δ / ( ê(g_{ID}, g^{θµ}) ê(g_1, g_m)^µ ) = ê(g_1, g_m)^{−µ},
KDF(key, L) = SSK∥d.
If T'_3 ≠ u'^{H(SSK)} v'^{H(d)}, then it outputs ⊥. Otherwise, it computes the symmetric encryption key K_SE = H(key) and the message M = SE.Dec(H(key), C_SE). Finally, it outputs the message M.
5. Security proof
Recently, provable security has become widely recognized by almost all researchers and engineers in the cryptographic community as an indispensable and popular methodology for providing formal security for cryptographic protocols. The core idea of provable security is to demonstrate that breaking a specific protocol is equivalent to solving a well-established problem. Concretely, the security of the protocol is simulated by a well-defined security game between a challenger C and an adversary A, where the former entity denotes a hard-problem attacker and the latter entity models an attacker trying to defeat the protocol. To achieve provable security of the protocol, C is shown to solve the given hard problem by using A as a sub-algorithm in the given security model. Following the idea of provable security, the security of our scheme is formally proved below.
The security of the scheme presented in the preceding section is described in Theorem 1.
Theorem 1. Suppose the security of Cui's scheme in [9] is guaranteed; then the proposed scheme is secure.
Proof. A is an adversary with a non-negligible advantage, and we assume that if this adversary can violate the security of our scheme, then the scheme in [9] can also be broken by an algorithm S. Now, we assume a challenger C interacts with S, and S runs A as follows:
1. Init. A sends S the challenge access policy A = (M, ρ, {A_{ρ(i)}}), and S gives A to C.
2. Setup. C executes Setup in [9] to obtain the public parameters PK' = (g, u, h, ω, v, {h_i}_{i=1}^{4}, ê(g, g)^α, H) and sends it to S. Then, S runs Setup in this paper to obtain PK = [{h_i}_{i=1}^{4}, τ, {g_i}_{i=1, i≠m+1}^{2m}, u, h, ω, v, v', u', H, KDF, L, SE] and replaces the components in PK with the corresponding components in PK'. Finally, it gives PK to A.
3. Phase 1. At first, S creates an empty list L and an empty set R; then A can start issuing the key query and/or the blind key query.
(a) Key Query. If A makes a key query over an attribute set A as well as a user ID ID, then S sends A to C and retrieves the user secret key SK. S will also replace R by R ∪ A ∪ ID and send SK to A.
(b) Blind Key Query. If A makes a blind key query over an attribute set A and a user ID ID, then S will search for the tuple ⟨A, ID, SK, BK, RK⟩ in L. If a tuple that satisfies the query exists, then S returns BK. Otherwise, S chooses a random exponent δ ∈ Z_p and sets
BK = (K'_1, K'_2, {K'_{i,1}, K'_{i,2}, K'_{i,3}, K'_{i,4}, K'_{i,5}}_{i∈[1,k]}).
Let (α^{ID} θ)/δ = a^*, r_i = r_i^*, −r = r^*, d_2/δ = d_2^*, −r' = r^{*'}, d_1/δ = d_1^*, (d_1 d_2 r_i + d_3 d_4 r'_i)/δ = b_i^*, d_4/δ = d_4^*, d_3/δ = d_3^*; then BK can be regarded as another SK. So, in the view of the data owner, the cloud computing center and the users look alike. S will insert the tuple ⟨A, ID, ∗, SK'_A, ∗⟩ in L and return BK to A.
4. Challenge. A sends S the challenge access policy A = (M, ρ, {A_{ρ(i)}}); then S picks two messages M_0, M_1 with equal length, sends them to C, and receives a challenge ciphertext CT = ((M, ρ), C, D, E, {(C_i, D_{i,1}, D_{i,2}, E_{i,1}, E_{i,2}, F_i)}_{i∈[1,ℓ]}) produced by running Encrypt in [9]. Here, C = (M∥σ) ⊕ H(ê(g, g)^{αµ}) and E = g^M h^σ, where σ is randomly chosen. We can use the symmetric encryption algorithm SE.Enc with key key = ê(g_1, g_m)^{−µ} and Ĉ = u'^{H(SSK)} v'^{H(d)}, D = g^µ to replace C and E respectively. Then, S picks random x ∈ Z_p, e ∈ {0, 1} and calculates the ciphertext CT as
Ĉ = u'^{H(SSK)} v'^{H(d)},
C_SE = SE.Enc(H(ê(g_1, g_m)^{−µ}), M_b),
F = g^x.
Finally, S returns CT to A.
5. Phase 2. A queries secret keys and blind keys with the limitation that none of the attribute sets in R satisfies A, and S answers as in Phase 1.
6. Output. A generates γ as its guess of e.
As discussed above, if A can break our scheme, then A can break the scheme in [9]. This concludes the proof. □
Theorem 2. In a prime-order bilinear group, if the discrete logarithm (DL) assumption holds, then our proposed scheme is verifiable.
Proof. Suppose a probabilistic polynomial-time (PPT) algorithm A that can break verification with a non-negligible advantage exists; then we can build a simulator S to solve the DL problem in the prime-order bilinear group with a non-negligible advantage.
A tuple (p, G, G_T, ê, g, β = g^x) is given to S, and S wishes to obtain x = log_g β. S interacts with A as follows:
1. Setup. S chooses {a_i}_{i=1}^{4}, b, {c_i}_{i=1, i≠n+1}^{2n}, e, f, m, n, x, y ∈ Z_p^* and picks a key derivation function KDF and a deterministic collision-resistant hash function H : {0, 1}^* → Z_p^*. Then, S sets the public parameters as PK = [{h_i = g^{d_i a_i}}_{i=1}^{4}, τ = g^{θ b}, {g_i = g^{α^i c_i}}_{i=1, i≠n+1}^{2n}, u = g^e, h = g^f, ω = g^m, v = g^n, u' = g^x, v' = g^y, KDF, L, SE, H]. The master secret key is MSK = (d_1, d_2, d_3, d_4, α, θ). S sends PK to A.
2. Challenge. S runs KeyGen(MSK, PK, A, ID) to obtain the user secret key SK_A based on an attribute set A and a user ID ID, and sends it to A.
3. Output. A outputs an access structure A, where A satisfies A, and a tuple (CT^*, BK^*, RK^*, CT_1^{*'}, CT_2^{*'}).
Fig. 2. Computational time of encryption.
Fig. 3. Computational time of decryption.
Fig. 4. Communication cost of ciphertext.
Table 1
A comparative summary between schemes.

| Scheme | PK | MK | SK | CT |
|---|---|---|---|---|
| [32] | 3L_G + L_GT | L_Zp + L_G | (4 + 2n)L_G | (5 + n)L_G + L_GT |
| [19] | (6N + 1)L_G | 2L_Zp | (2N + 1)L_G | 2L_G + L_GT |
| [17] | (2m + 2N + 1)L_G | 2L_Zp | (2 + n)L_G | (2 + l)L_G + L_GT |
| [15] | (2m + 8n + 3)L_G | (6 + 8n)L_Zp | (2 + 4n)L_G | (3 + 4n − 4l)L_G + L_GT |
| [9] | 9L_G + L_GT | 4L_Zp + L_G | (2 + 5n)L_G | (3 + 5l)L_G + L_GT |
| Our scheme | (11 + 2m)L_G | 6L_Zp | (2 + 5n)L_G | (3 + 6l)L_G |

L_Zp, L_G and L_GT denote the length of an element in Z_p, G and G_T, respectively. l, n, m and N indicate the number of rows of the matrix M, the size of a user's attribute set, the maximum number of users and the maximum number of attributes in the system, respectively. Here, we assume the encryption system supports up to 20 attributes and 200 users, that is, N = 20 and m = 200.
Table 2
Functions and computational costs: A comparative summary.

| Scheme | Hidden policy | Direct revocation | Outsourced decryption | Access policy | Enc. | Dec. |
|---|---|---|---|---|---|---|
| [32] | # | √ | √ | And-gates | P + (5 + n)Te + Tê | 2P |
| [19] | Full | # | # | And-gates | P + 2Te + Tê | 2nP + 4nTe + 3nTê |
| [17] | # | √ | # | LSSS | P + (2n + 2)Te + Tê | (2n + 2)P + 2nTê |
| [15] | Full | √ | √ | And-gates | 5Te | 2P + 2Te + Tê |
| [9] | Partially | # | # | LSSS | (48n + 3)Te + Tê | (6n + 1)P + nTê |
| Our scheme | Partially | √ | √ | LSSS | P + (48n + 4)Te + Te | 3P + 3Tê |

P represents a pairing computation, Tê represents a modular exponentiation in G and Te represents a modular exponentiation in G_T.
Table 3
The runtime of each computation operation.

| Operation | Runtime (ms) |
|---|---|
| Te | 66 |
| Tê | 13 |
| P | 647 |
S obtains $key^* = (T'_{1,1})^{\delta} (T'_{1,2})$ as well as $key^{*\prime} = (T'_{2,1})^{\delta} (T'_{2,2})$, where $\delta$ is $RK^*$, then computes $KDF(key^*, L) = SSK^* \| d^*$ and $KDF(key^{*\prime}, L) = SSK^{*\prime} \| d^{*\prime}$. If A wins the game (meaning $H(SSK^*) \neq H(SSK^{*\prime})$), then S computes
$g^{xH(SSK^*) + yH(d^*)} = u'^{H(SSK^*)} v'^{H(d^*)} = T'_3 = u'^{H(SSK^{*\prime})} v'^{H(d^{*\prime})} = g^{xH(SSK^{*\prime}) + yH(d^{*\prime})}$.
Now we know that $SSK^* \neq SSK^{*\prime}$ and $H(SSK^*) \neq H(SSK^{*\prime})$. $SSK^*, d^*, SSK^{*\prime}, d^{*\prime}, y, H$ are known to S. S computes
$x = \dfrac{y\,(H(d^{*\prime}) - H(d^*))}{H(SSK^*) - H(SSK^{*\prime})}$
to solve the DL instance. □
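As an added illustration (not the paper's code) of the user-side verification step from the Challenge phase and of the extractor in the proof of Theorem 2, the Python below models the commitment $\hat{C} = u'^{H(SSK)} v'^{H(d)}$ in a Schnorr group (a prime-order subgroup of $\mathbb{Z}_p^*$) instead of a pairing group. The group, the KDF split, the session key and the symmetric cipher SE are stand-ins (assumptions); the commitment check and the extraction formula for x follow the proof above.

```python
"""Toy model of the verification check and the Theorem 2 extractor.

Added example, not from the paper. Stand-ins (assumptions): a Schnorr group
replaces the bilinear group, random bytes replace e(g1, gm)^(-mu), and a
SHAKE-256 keystream XOR replaces SE.Enc/SE.Dec. The commitment
C_hat = u'^{H(SSK)} v'^{H(d)} with KDF(key, L) = SSK || d and the
formula x = y (H(d') - H(d)) / (H(SSK) - H(SSK')) are the paper's.
"""
import hashlib
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (toy sizes)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    """Smallest safe prime p = 2q + 1 (q prime) with p >= start."""
    p = start | 1
    while not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        p += 2
    return p

P = find_safe_prime(1 << 63)   # toy 64-bit modulus; the paper uses a 512-bit curve
Q = (P - 1) // 2               # prime order of the subgroup generated by G
G = 4                          # a quadratic residue mod a safe prime, hence of order Q

def H(data):
    """Hash into Z_Q^* (the paper's collision-resistant H; SHA-3 as in Section 6)."""
    return 1 + int.from_bytes(hashlib.sha3_256(data).digest(), "big") % (Q - 1)

def KDF(key, L=32):
    """KDF(key, L) = SSK || d, split into two equal halves (assumed split)."""
    out = hashlib.shake_256(b"KDF" + key).digest(L)
    return out[: L // 2], out[L // 2:]

def SE(key, data):
    """Stand-in for SE.Enc / SE.Dec: XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(b"SE" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def setup(seed=7):
    """u' = g^x, v' = g^y as in the proof's Setup; x, y from a fixed seed."""
    rng = random.Random(seed)
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    return {"u": pow(G, x, P), "v": pow(G, y, P)}, (x, y)

def encrypt(pk, key, msg):
    """Returns (C_hat, C_SE): the commitment to KDF(key) and the SE ciphertext."""
    ssk, d = KDF(key)
    c_hat = pow(pk["u"], H(ssk), P) * pow(pk["v"], H(d), P) % P
    return c_hat, SE(hashlib.sha3_256(key).digest(), msg)

def verify_and_decrypt(pk, key, c_hat, c_se):
    """User side: recompute the commitment from the key the cloud hands back;
    return None on mismatch (rejected), otherwise the plaintext."""
    ssk, d = KDF(key)
    if pow(pk["u"], H(ssk), P) * pow(pk["v"], H(d), P) % P != c_hat:
        return None
    return SE(hashlib.sha3_256(key).digest(), c_se)

def extract_dlog(a, b, a2, b2, y):
    """Theorem 2 extractor: openings (a, b) != (a2, b2) of one commitment satisfy
    x*a + y*b = x*a2 + y*b2 (mod Q), so x = y*(b2 - b)/(a - a2)."""
    return y * (b2 - b) * pow((a - a2) % Q, -1, Q) % Q

def demo():
    pk, (x, y) = setup()
    key = hashlib.sha3_256(b"constructed stand-in for e(g1,gm)^-mu").digest()
    msg = b"constructed medical record #4711"
    c_hat, c_se = encrypt(pk, key, msg)
    good = verify_and_decrypt(pk, key, c_hat, c_se)
    tampered = bytes([key[0] ^ 1]) + key[1:]          # cloud returns a wrong key
    bad = verify_and_decrypt(pk, tampered, c_hat, c_se)
    # A second opening of c_hat is built here WITH x, which is exactly why a
    # forger who produces one without x would contradict the DL assumption.
    ssk, d = KDF(key)
    a, b = H(ssk), H(d)
    a2 = (a + 1) % Q
    b2 = (x * (a - a2) + y * b) * pow(y, -1, Q) % Q
    same = pow(G, (x * a + y * b) % Q, P) == pow(G, (x * a2 + y * b2) % Q, P)
    return good == msg, bad is None, same, extract_dlog(a, b, a2, b2, y) == x
```

demo() returns four booleans: the honest key decrypts, a key tampered with on the cloud side is rejected instead of yielding garbage, the constructed second opening really collides with the first, and the extractor recovers x from the two openings. In the real proof the forger supplies $(SSK^*, d^*, SSK^{*\prime}, d^{*\prime})$ without knowing x; the example builds the second opening from x only to exercise the formula.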
6. Performance evaluations
In this section, we evaluate the performance of the proposed scheme as well as several other ABE schemes in terms of communication and computation costs. Considering the properties that our scheme satisfies, we selected for comparison only typical ABE schemes [9,15,17,19,32] that are strongly relevant to ours.
We denote the public parameters as PK, the master secret key as MK, and the user secret key as SK. The length of the ciphertext CT, excluding the access structure, for these schemes is presented in Table 1. Enc. and Dec. denote the time required to execute the encryption and decryption algorithms of the various ABE schemes. From Table 2, we observe that our scheme is the only one to achieve partially hidden policy, direct revocation and outsourced decryption simultaneously. A comparative summary of the computational costs is also presented in Table 2.
The accuracy and complexity of the computation depend largely on the type of processor and on the relative efficiency of the pairing operation and of exponentiation in G and G_T. We therefore ran the simulation experiment on a HUAWEI Honor 8 smartphone equipped with a Kirin 950 2.3 GHz processor and 3 GB of memory. The Kirin 950 is a powerful embedded processor with a rich set of expansion interfaces and, at the same time, low energy consumption. The experiment is implemented in VC++ 6.0 with the PBC library. For the overall security of our scheme, we use SHA-3 as the hash function. Furthermore, to offer a security level equivalent to 2048-bit RSA, we use the Tate pairing defined over the supersingular elliptic curve $E/\mathbb{F}_p : y^2 = x^3 + x$ with embedding degree 2, where q is a 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and p is a 512-bit prime satisfying $p + 1 = 12qr$. The running times of each cryptographic operation are listed in Table 3. The evaluation results are presented in Figs. 2 and 3, and the communication cost of the ciphertext is shown in Fig. 4.
From Figs. 2 and 3, we can see that the encryption time of our scheme grows linearly with the number of attributes. Compared with the other schemes [9,15,17,19,32], the encryption time of our scheme increases at a lower rate. Meanwhile, our decryption time is constant and does not change as the number of attributes increases. This is not surprising, since the majority of the complex calculations are performed on the cloud server. Therefore, our scheme is more suitable for deployment on lightweight devices, such as devices with limited computing power and/or battery life. In Fig. 4, we can observe that the communication cost of our construction is slightly higher than that of the others. This may be a reasonable price to pay for the properties that our scheme satisfies at the same time.
7. Conclusion
In this paper, we studied policy-hidden CP-ABE due to its capability to preserve the privacy of user identity information while sharing private data (e.g. medical records). However, it is challenging to design conventional fully policy-hidden CP-ABE schemes that provide more expressive access policies, particularly in complex real-world scenarios. Thus, researchers have focused on designing partially policy-hidden CP-ABE with more expressive access policies (somewhat similar to the current state of play for fully homomorphic encryption and partially homomorphic encryption [39]). However, no existing scheme provides all three properties: partially hidden policy, direct revocation of compromised users, and lightweightness. Our proposed partially policy-hidden ABBE scheme combines broadcast encryption and outsourcing techniques to realize partial policy hiding, direct revocation and secure delegation simultaneously. The proposed scheme was also proven secure, and we evaluated its performance.
Acknowledgments
This work was supported in part by the 13th Five-Year Plan of National Cryptography Development Fund for Cryptographic Theory of China under Grant MMJJ20170204, in part by the Fundamental Research Funds for the Central Universities, China under Grant ZYGX2016J091, the Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems, China, and in part by the Natural Science Foundation of China under Grants U1401257, 61472064 and 61602096.
References
[1] W. Shi, J. Cao, Q. Zhang, Y. Li, L. Xu, Edge computing: Vision and challenges, IEEE Internet Things J. 3 (5) (2016) 637–646.
[2] R. Roman, J. Lopez, M. Mambo, Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges, Future Gener. Comput. Syst. 78 (2018) 680–698.
[3] A. Sahai, B. Waters, Fuzzy identity-based encryption, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2005, pp. 457–473.
[4] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, 2006, pp. 89–98.
[5] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-based encryption, in: 2007 IEEE Symposium on Security and Privacy (SP'07), IEEE, 2007, pp. 321–334.
[6] T. Nishide, K. Yoneyama, K. Ohta, Attribute-based encryption with partially hidden encryptor-specified access structures, in: International Conference on Applied Cryptography and Network Security, Springer, 2008, pp. 111–129.
[7] J. Lai, R.H. Deng, Y. Li, Fully secure cipertext-policy hiding CP-ABE, in: International Conference on Information Security Practice and Experience, Springer, 2011, pp. 24–39.
[8] J. Lai, R.H. Deng, Y. Li, Expressive CP-ABE with partially hidden access structures, in: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ACM, 2012, pp. 18–19.
[9] H. Cui, R.H. Deng, G. Wu, J. Lai, An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures, in: International Conference on Provable Security, Springer, 2016, pp. 19–38.
[10] H. Ma, R. Zhang, Z. Wan, Y. Lu, S. Lin, Verifiable and exculpable outsourced attribute-based encryption for access control in cloud computing, IEEE Trans. Dependable Secure Comput. 14 (6) (2017) 679–692.
[11] B. Waters, Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization, in: International Workshop on Public Key Cryptography, Springer, 2011, pp. 53–70.
[12] S. Berkovits, How to broadcast a secret, in: Workshop on the Theory and Application of Cryptographic Techniques, Springer, 1991, pp. 535–541.
[13] A. Fiat, M. Naor, Broadcast encryption, in: Advances in Cryptology – CRYPTO '93, Springer, 1994, pp. 480–491.
[14] D. Boneh, B. Waters, A fully collusion resistant broadcast, trace, and revoke system, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, 2006, pp. 211–220.
[15] H. Xiong, H. Zhang, J. Sun, Attribute-based privacy-preserving data sharing for dynamic groups in cloud computing, IEEE Syst. J. (2018) http://dx.doi.org/10.1109/JSYST.2018.2865221.
[16] D. Lubicz, T. Sirvent, Attribute-based broadcast encryption scheme made efficient, in: International Conference on Cryptology in Africa, Springer, 2008, pp. 325–342.
[17] N. Attrapadung, H. Imai, Conjunctive broadcast and attribute-based encryption, in: International Conference on Pairing-Based Cryptography, Springer, 2009, pp. 248–265.
[18] T.V.X. Phuong, G. Yang, W. Susilo, X. Chen, Attribute based broadcast encryption with short ciphertext and decryption key, in: European Symposium on Research in Computer Security, Springer, 2015, pp. 252–269.
[19] Z. Zhou, D. Huang, Z. Wang, Efficient privacy-preserving ciphertext-policy attribute based-encryption and broadcast encryption, IEEE Trans. Comput. 64 (1) (2015) 126–138.
[20] M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of ABE ciphertexts, in: USENIX Conference on Security, 2011, pp. 34–34.
[21] J. Lai, R.H. Deng, C. Guan, J. Weng, Attribute-based encryption with verifiable outsourced decryption, IEEE Trans. Inf. Forensics Secur. 8 (8) (2013) 1343–1354.
[22] B. Qin, R.H. Deng, S. Liu, S. Ma, Attribute-based encryption with efficient verifiable outsourced decryption, IEEE Trans. Inf. Forensics Secur. 10 (7) (2015) 1384–1393.
[23] S. Lin, R. Zhang, H. Ma, M. Wang, Revisiting attribute-based encryption with verifiable outsourced decryption, IEEE Trans. Inf. Forensics Secur. 10 (10) (2015) 2119–2130.
[24] X. Mao, J. Lai, Q. Mei, K. Chen, J. Weng, Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption, IEEE Trans. Dependable Secure Comput. 13 (5) (2016) 533–546.
[25] J. Li, X. Huang, J. Li, X. Chen, Y. Xiang, Securely outsourcing attribute-based encryption with checkability, IEEE Trans. Parallel Distrib. Syst. 25 (8) (2014) 2201–2210.
[26] J. Ning, Z. Cao, X. Dong, K. Liang, H. Ma, L. Wei, Auditable σ-time outsourced attribute-based encryption for access control in cloud computing, IEEE Trans. Inf. Forensics Secur. 13 (1) (2018) 94–105.
[27] J. Xu, Q. Wen, W. Li, Z. Jin, Circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud computing, IEEE Trans. Parallel Distrib. Syst. 27 (1) (2016) 119–129.
[28] R. Zhang, H. Ma, Y. Lu, Fine-grained access control system based on fully outsourced attribute-based encryption, J. Syst. Softw. 125 (2017) 344–353.
[29] H. Wang, D. He, J. Shen, Z. Zheng, C. Zhao, M. Zhao, Verifiable outsourced ciphertext-policy attribute-based encryption in cloud computing, Soft Comput. (2016) 1–11.
[30] J. Li, X. Lin, Y. Zhang, J. Han, KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage, IEEE Trans. Serv. Comput. 10 (5) (2017) 715–725.
[31] F. Sha, Y. Wei, X. Lin, Q. Zhang, H. Wang, Verifiable outsourced decryption of attribute-based encryption with constant ciphertext length, Inf. Technol. 2017 (2) (2016) 1–11.
[32] J. Li, W. Yao, Y. Zhang, H. Qian, J. Han, Flexible and fine-grained attribute-based data storage in cloud computing, IEEE Trans. Serv. Comput. 10 (5) (2017) 785–796.
[33] H. Wang, D. He, J. Han, VOD-ADAC: Anonymous distributed fine-grained access control protocol with verifiable outsourced decryption in public cloud, IEEE Trans. Serv. Comput. (2017) http://dx.doi.org/10.1109/TSC.2017.2687459.
[34] C. Zuo, J. Shao, G. Wei, M. Xie, M. Ji, CCA-secure ABE with outsourced decryption for fog computing, Future Gener. Comput. Syst. 78 (2018) 730–738.
[35] D. Boneh, M.K. Franklin, Identity based encryption from the Weil pairing, SIAM J. Comput. 32 (3) (2001) 213–229.
[36] N. Kogan, Y. Shavitt, A. Wool, A practical revocation scheme for broadcast encryption using smart cards, in: 2003 IEEE Symposium on Security and Privacy, 2003, pp. 225–235.
[37] D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in: Annual International Cryptology Conference, Springer, 2004, pp. 443–459.
[38] D. Boneh, C. Gentry, B. Waters, Collusion resistant broadcast encryption with short ciphertexts and private keys, in: Annual International Cryptology Conference, Springer, 2005, pp. 258–275.
[39] G.S. Poh, J. Chin, W. Yau, K.R. Choo, M.S. Mohamad, Searchable symmetric encryption: Designs and challenges, ACM Comput. Surv. 50 (3) (2017) Article 40 (37 pages).
Hu Xiong received his Ph.D. degree from the University of Electronic Science and Technology of China (UESTC) in 2009. He is now a full professor at UESTC. His research interests include public key cryptography and network security.
Yanan Zhao is currently pursuing her M.S. degree
from the School of Information and Software Engineering, University of Electronic Science and Technology
of China. She received her B.S. degree from Jiangxi
University of Science and Technology in 2017. Her
research interests include identity-based public key
cryptography.
Hao Zhang received the B.S. degree from Sichuan Normal University, Chengdu, China, in 2015. He is currently
working toward the M.S. degree with the School of
Information and Software Engineering, University of
Electronic Science and Technology of China, Chengdu,
China. His research interests include attribute-based
encryption and malicious code detection.
Li Peng is currently pursuing his M.S. degree from
the School of Information and Software Engineering,
University of Electronic Science and Technology of
China. He received his B.S. degree from Guangxi University. His research interests include attribute-based
encryption and malicious code detection.
Kuo-Hui Yeh (SM’16) is a Professor with the Department of Information Management, National Dong Hwa
University, Hualien, Taiwan. He received M.S. and Ph.D.
degrees in Information Management from the National
Taiwan University of Science and Technology, Taipei,
Taiwan, in 2005 and 2010, respectively. Dr. Yeh has
authored over 100 articles in international journals and
conference proceedings. His research interests include
IoT security, Blockchain, mobile security, NFC/RFID security, authentication, digital signature, data privacy
and network security. Dr. Yeh is currently an associate/academic editor of IEEE Access, Journal of Internet Technology (JIT), Journal
of Information Security and Applications (JISA), Security and Communication
Networks (SCN) and Data in Brief (DIB), and has served as a guest editor
for Future Generation Computer Systems (FGCS), IEEE Access, Mathematical
Biosciences and Engineering (MBE), International Journal of Information Security
(IJIS), JIT, Sensors and Cryptography. In addition, Dr. Yeh has participated in the
organization committee of DSC 2018, SPCPS 2017, NSS 2016, RFIDsec’14 Asia
and RFIDsec’12 Asia, and he has served as a TPC member of 30 international
conferences/workshops on information security. He is a Senior Member of the
IEEE.