I Introduction
Cloud storage is an emerging network storage technology that offers convenience at low cost. More and more users are willing to store personal data on cloud servers, and some of that data may be sensitive [1]. Data access control in cloud storage has therefore become a critical challenge. Proposed by Sahai and Waters [2] in 2005, attribute-based encryption (ABE) can solve the data security and access control problems simultaneously: users encrypt and decrypt data according to attributes. Following the original work, ciphertext-policy ABE (CP-ABE) was introduced to support more complex access control policies. In CP-ABE, the access policy is devised by the data owner, which makes it especially suitable for the design of access control in cloud storage systems, as shown in Fig. 1.
With the fast development of cloud storage technology, CP-ABE schemes with a single central authority are no longer suitable for some scenarios, because all attributes of a user are not always managed by one authority. To solve this problem, Muller et al. [3] were the first to propose a multi-authority CP-ABE system, in 2009, in which different attribute sets are managed by multiple authorities. Their scheme meets the distributed requirement by removing the central authority, with every attribute authority having equal status. However, most similar schemes suffer from low efficiency, so researchers introduced the online/offline mechanism and computation outsourcing to improve the efficiency of CP-ABE. In 2008, Guo et al. [4] proposed identity-based online/offline encryption, in which the encryption stage is split into an offline phase and an online phase; only a few simple operations are needed in the online phase to generate the final ciphertext. Since then, several schemes [5, 6, 7, 8, 9, 10, 11] have been proposed that effectively reduce the computation burden of users.
Furthermore, the access policy attached to a ciphertext may itself reveal sensitive user information. In 2007, Kapadia et al. [12] protected users’ privacy with a hidden policy, but their scheme had security flaws. In the following year, Nishide et al. [13] proposed two CP-ABE constructions with hidden policy, but only part of the policy was hidden. In [14], a security-enhanced policy-hiding ABE scheme was proposed in composite-order groups and proven fully secure under the bilinear Diffie-Hellman assumption. However, bilinear pairing in composite-order groups is less efficient than in prime-order groups. Later, Lewko and Waters [15] studied the security of ABE schemes in prime-order groups.
Recently, there has been a lot of research on hidden policy, computation outsourcing, attribute revocation and traitor tracing, each a different functional extension. In 2015, Rouselakis et al. [16] introduced a multi-authority ABE scheme supporting a large universe, meaning that any string can be added to the system as a new attribute; moreover, the number of attributes no longer affects the public system parameters. In 2017, Zhang Kai et al. [17] solved the key escrow problem by separating the cloud server’s and the user’s private keys. At present, the latest revocation mechanisms for multi-authority ABE [18, 19, 20, 21, 22, 23] are more flexible and satisfy forward security, but they do not provide the large-universe feature.
In this paper, we propose a fine-grained access control scheme with versatility for cloud storage. It provides more features, namely an online/offline mechanism, hidden policy, and verifiability, than the existing schemes [16, 17]. The proposed vFAC is proven to satisfy static security in the random oracle model. In addition, performance analyses show that vFAC is more comprehensive and scalable.
The rest of this paper is organized as follows: Section II reviews the related preliminaries and gives a formal definition. Section III describes the specific process of vFAC in detail. Section IV then analyzes the security and performance through comparison with other schemes. Finally, Section V concludes the paper.
II Preliminaries
II-A q-Decisional Parallel Bilinear Diffie-Hellman Exponent 2 (q-DPBDHE2) Assumption
It is a variant of the q-DPBDHE assumption. We assume that is a prime number, and are multiplicative cyclic groups of order , is a generator of , and is a bilinear map. The following process describes the q-DPBDHE2 assumption in detail, where are unknown, and the task is to distinguish R from and . Suppose that an attacker can solve the q-DPBDHE2 problem in polynomial time with probability at least , that is, . Then the advantage of solving the q-DPBDHE2 problem is .
II-B Formal Definition
Let represent the attribute space, and let each attribute authority manage its own attribute domain . For , , then . The scheme consists of the following eight algorithms.
GlobalSetup: The algorithm inputs the security parameter and outputs global parameters .
AuthoritySetup: This algorithm only inputs and attribute authority , and generates its public/secret key pair .
KeyGen: The algorithm inputs , user’s , secret key of the relevant attribute authorities and a set of the user’s attributes . It outputs user’s public key , the private key of the corresponding cloud server and user’s secret key .
Offline.Enc: The algorithm inputs and outputs intermediate ciphertext .
Online.Enc: This algorithm inputs , message , intermediate ciphertext , access policy and public key of the relevant attribute authorities. It outputs ciphertext .
CS.Dec or : The algorithm inputs , the secret key of the cloud server, the public key of the user, and the ciphertext . It outputs the partially decrypted ciphertext or the symbol , which indicates that the ciphertext cannot be decrypted.
User.Dec or : The algorithm inputs the user’s public key and the partially decrypted ciphertext . It outputs the recovered message or .
Revoke: This algorithm inputs a user’s and a key list , and outputs the key list after revocation.
III Fine-Grained Access Control with Versatility for Cloud Storage
III-A System Model
As shown in Fig. 2, the system contains four participants: Attribute Authority (AA), Cloud Server (CS), Data Owner (DO), and Data User (DU).
AA: It is in charge of managing the DU’s attribute set, and generating the corresponding CS’s private key for these attributes.
CS: It stores encrypted data and manages the CS’s private keys corresponding to users.
DO: DO encrypts data based on the access policy, then uploads the encrypted data to CS.
DU: DU can request data from CS. If the attributes of DU satisfy the access structure, CS returns the corresponding partially decrypted ciphertext, and DU recovers the plaintext with his/her own private key.
III-B Security Model
First, we define a static security model, which requires the query-response phase to be completed before the challenge phase. During the query phase, an attacker can query the private keys of DU and CS, and can control some attribute authorities. The specific description is as follows:
Setup: A challenger generates by algorithm and sends it to .
Queryresponse Phase: Assume is the set of attribute authorities, is the set of partial attribute authorities controlled by , and is the set of other attribute authorities that are not controlled by .

submits an uncontrolled attribute authority , then runs the algorithm and returns the public key of .

submits the DU’s global identifier , then executes the algorithm and returns the DU’s public and private key pair .

submits the DU’s global identifier and the corresponding attribute set , then executes the algorithm and returns the private key of the CS.
Challenge: submits the challenge access structure and the challenge plaintexts , . randomly selects , executes the and algorithms in turn, and returns the challenge ciphertext . Note that for any user who has queried for a private key, the attribute set cannot satisfy the challenge access structure .
Guess: outputs a bit .
The attacker’s winning advantage can be defined as .
III-C Our Scheme
Based on the system model and formal definition, vFAC is described as follows.
1) System Initialization
GlobalSetup: In this algorithm, a bilinear map is chosen first, where the orders of and are both the large prime , and is a generator of . Next, select a symmetric algorithm , where is the encryption algorithm, is the decryption algorithm, and represents the length of the secret key. Then, choose five strongly collision-resistant hash functions: . Finally, publish the global parameters : .
AuthoritySetup: Each attribute authority randomly selects , then sets its own secret key as and public key as .
2) Key Generation
KeyGen: The user chooses a random number , then sets his/her public key as . For each attribute , if it is managed by the attribute authority , needs to choose randomly, calculate , and set the CS’s private key corresponding to the as . Then, the attribute authority adds to the key list and sends to the user through a secure channel.
On receiving the , the user sets his/her secret key as .
3) Offline/Online Data Encryption
Offline.Enc: For each attribute , DO randomly selects , precomputes the ciphertext , and outputs the intermediate ciphertext: .
Online.Enc: Suppose that DO’s attribute domain for creating the access policy is . In this phase, DO randomly selects , calculates for each attribute , and replaces with , where represents the authority that manages the attribute . DO uses the replaced attributes to generate the access policy , where A is a matrix and is a map from the rows of A to . Then, DO generates the ciphertext as follows:

Compute , , where represents the row vector in the matrix A that corresponds to .

Randomly select , and compute , , , , , , , .
Finally, the ciphertext is uploaded to the CS.
4) Data Decryption
CS.Dec: When DU requests the CS to decrypt the ciphertext , s/he first downloads securely from , then computes for each attribute and replaces with . If satisfies the access structure , the CS can find a set of constants such that . Next, the CS calculates and returns the partially decrypted ciphertext . Otherwise, if does not satisfy the access structure , the CS returns to DU.
User.Dec: Upon receiving , DU calculates , , . Then, DU verifies whether the equation holds. If it does, DU continues to calculate , , and returns . Otherwise, it returns .
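The two CS-side steps above, relabelling attributes before matching and finding the reconstruction constants over the matching rows of A, as an added example that is not part of the paper. A toy prime and an HMAC-keyed SHA-256 stand in for the group order and the paper’s hash functions; the policy matrix and the authority secret are constructed.

```python
# Added example (not from the paper): the row-selection and coefficient-finding step of
# CS.Dec, with the hidden-policy relabelling of attributes. A toy prime and an HMAC-keyed
# SHA-256 stand in for the paper's group order and hash functions (assumptions).
import hashlib
import hmac

P = 2**61 - 1  # constructed toy prime; the scheme works in a bilinear group of prime order


def hide_attr(attr: str, auth_secret: bytes) -> str:
    """Replace an attribute label with a keyed hash, as Online.Enc and CS.Dec do before
    matching, so the policy stored on the CS names no plaintext attribute."""
    return hmac.new(auth_secret, attr.encode(), hashlib.sha256).hexdigest()


def solve_mod_p(rows, rhs, p):
    """Gaussian elimination over Z_p: solve rows * x = rhs. Returns x or None if inconsistent."""
    m, n = len(rows), len(rows[0])
    M = [[v % p for v in row] + [b % p] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] for i in range(r, m)):  # a zero row with nonzero RHS: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = M[i][n]
    return x  # free variables are left at 0


def cs_find_coefficients(A, rho, user_hidden_attrs, p=P):
    """CS.Dec: take the rows of A whose (hidden) attribute the user holds and find omega_i
    with sum_i omega_i * A_i = (1, 0, ..., 0) mod p. Returns {row: omega}, or None (the
    paper's 'cannot decrypt' symbol) when the held attributes do not satisfy the structure."""
    idx = [i for i, label in enumerate(rho) if label in user_hidden_attrs]
    if not idx:
        return None
    n = len(A[0])
    eqs = [[A[i][j] for i in idx] for j in range(n)]  # one equation per column
    target = [1] + [0] * (n - 1)
    w = solve_mod_p(eqs, target, p)
    return None if w is None else dict(zip(idx, w))


def reconstructs_secret_share(A, coeffs, p=P):
    """Check sum_i omega_i * A_i == (1, 0, ..., 0) mod p for the returned coefficients."""
    n = len(A[0])
    acc = [0] * n
    for i, w in coeffs.items():
        acc = [(a + w * v) % p for a, v in zip(acc, A[i])]
    return acc == [1] + [0] * (n - 1)


# Constructed policy "(doctor AND hospital) OR admin" as an LSSS matrix (Lewko-Waters
# encoding): AND yields rows (1,1) and (0,-1); OR reuses the parent vector (1,0).
AUTH_SECRET = b"constructed-authority-secret"
POLICY_A = [[1, 1], [0, -1], [1, 0]]
POLICY_RHO = [hide_attr(a, AUTH_SECRET) for a in ("doctor", "hospital", "admin")]

if __name__ == "__main__":
    held = {hide_attr("doctor", AUTH_SECRET), hide_attr("hospital", AUTH_SECRET)}
    print(cs_find_coefficients(POLICY_A, POLICY_RHO, held))  # {0: 1, 1: 1}
```

A user holding only "doctor", or a set relabelled under a different authority secret, gets None: no subset of rows reconstructs the target vector, which is the check that decides between returning a partial decryption and returning the failure symbol.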
5) User Revocation
Revoke: To revoke the user , the CS can find the corresponding entry from the key list and delete it.
IV Security and Performance Analyses
IV-A Correctness Analysis
If a DU’s attributes satisfy the access structure, the equations and will hold. Then, we can have the following formulas:
(1) 
(2)  
(3) 
(4) 
If we can restore , the plaintext will be decrypted correctly.
IV-B Security Analysis
In this subsection, we analyze the security properties of the vFAC in the following respects.
IV-B1 Static Security
Here, we analyze the security of vFAC based on the security model in Section III.
Lemma 1.
If the scheme in [16], named RW, satisfies the static security under the random oracle model, vFAC can also satisfy the static security.
Proof. Assume that, under the static security model, an attacker can break vFAC in polynomial time with advantage . Then there must be a simulator that can break RW with the same advantage. The following describes how the simulator breaks RW with the help of and the challenger of RW.
Setup. executes algorithm in RW and sends to . According to the algorithm of vFAC, generates the global parameters and sends it to .
Query-response Phase. In this phase, we assume that the set of attribute authorities is , the set of corrupted authorities controlled by is , and the set of uncontrolled authorities is , where , . For a corrupted attribute authority , first generates the corresponding public key of and sends it to . Then, sends to . Next, makes the following queries to , and gives the corresponding responses.

submits an uncontrolled attribute authority , then asks for the corresponding public key of . executes the algorithm of RW, generates the corresponding public key , and sends it to . Then updates the public key to and sends to according to the algorithm of vFAC.

submits a user’s identifier to , then executes the algorithm to generate the corresponding private key , public key , and sends to .

submits a user’s identifier and the user’s attribute set to , then returns the corresponding CS’s private key and user’s private key to . If , then for each , chooses randomly, and computes , , ; If , then chooses randomly, and computes , , . Finally, sends the corresponding private keys of CS and user.
Challenge. submits the challenge access structure and the challenge plaintexts , to . randomly selects , executes the and algorithms, and returns the challenge ciphertext to . Note that for all users who have queried a private key, the attribute set cannot satisfy the challenge access structure .
Guess. outputs a bit , and also outputs .
In the above game, perfectly simulates the challenger of vFAC under real conditions, and the CS’s private key generated by matches the user’s private key generated by the algorithm of RW. In addition, can determine the selected R in the algorithm of vFAC from the .
R is equivalent to the message that needs to be encrypted in the algorithm of RW. Therefore, if the attacker can break vFAC with advantage in polynomial time, can also break RW, which contradicts the premise that RW satisfies static security.
Lemma 2.
If the qDPBDHE2 assumption holds, RW satisfies the static security under the random oracle model.
Proof. Lemma 2 has been proven in [16].
Theorem 1.
Our proposed vFAC satisfies the static security under the random oracle model.
Proof. According to Lemma 1 and Lemma 2, Theorem 1 can be proven.
IV-B2 Hidden Policy
In the phase, replaces all attributes of with , and only the user with the corresponding key can recover for each attribute . The access policy of the ciphertext stored on the CS does not provide any useful information about user attributes, so privacy protection for user attributes can be achieved.
IV-B3 No Key Escrow Problem
DU’s public key is used as a generating parameter when AA generates the corresponding private key of the CS for the user . Therefore, neither AA nor CS can do more than partially decrypt the ciphertext, and only the user can recover the corresponding plaintext with his/her private key . If AA or CS attempts to decrypt the partial ciphertext, it would have to solve the discrete logarithm problem.
IV-B4 Verifiability
Our vFAC encrypts a random key R under the access policy, while the real message is hidden by the symmetric algorithm under the symmetric key . Therefore, the verification of ensures the correctness of the random key , and hence the correctness of the partial decryption returned by the CS.
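The User.Dec check described in this subsection, as an added example that is not part of the paper: a random key R is the value the access policy protects, the message is encrypted symmetrically under a key derived from R, and the user recomputes a verification tag over the recovered R before using it, so a wrong partial decryption from the CS is rejected rather than producing garbage plaintext. The ABE layer is replaced by a stand-in in which the CS hands R back directly; the hash-derived stream cipher and the tag construction are assumptions.

```python
# Added example (not from the paper): the verifiability pattern of vFAC as a
# key-encapsulation check. ABE is replaced by a constructed stand-in (the CS returns R);
# the XOR stream cipher and SHA-256-based tag are assumptions, not the paper's primitives.
import hashlib
import hmac
import secrets


def kdf(label: bytes, r: bytes, n: int) -> bytes:
    """Derive n bytes from R under a label (stands in for the paper's hash functions)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + r + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def sym_encrypt(key: bytes, msg: bytes) -> bytes:
    """Constructed XOR stream stand-in for the symmetric algorithm; encrypt == decrypt."""
    return bytes(a ^ b for a, b in zip(msg, kdf(b"stream", key, len(msg))))


def online_encrypt(msg: bytes) -> dict:
    """Online.Enc shape: protect R, publish a tag over R, encrypt the message under H(R)."""
    r = secrets.token_bytes(32)                     # random key R, the value ABE protects
    vk = hashlib.sha256(b"verify" + r).digest()      # verification key carried in the ciphertext
    k = kdf(b"symkey", r, 32)                        # symmetric key derived from R
    return {"enc_R": r, "vk": vk, "c_msg": sym_encrypt(k, msg)}


def cs_partial_decrypt(ct: dict, tamper: bool = False) -> bytes:
    """CS.Dec stand-in: return R (or a corrupted R, to model a misbehaving server)."""
    r = ct["enc_R"]
    return bytes(x ^ 0xFF for x in r) if tamper else r


def user_decrypt(ct: dict, partial: bytes):
    """User.Dec: recompute the tag over the recovered R; return None (the paper's failure
    symbol) on mismatch, otherwise derive the symmetric key and recover the message."""
    tag = hashlib.sha256(b"verify" + partial).digest()
    if not hmac.compare_digest(tag, ct["vk"]):
        return None
    return sym_encrypt(kdf(b"symkey", partial, 32), ct["c_msg"])


if __name__ == "__main__":
    ct = online_encrypt(b"constructed patient record")
    print(user_decrypt(ct, cs_partial_decrypt(ct)))               # recovered message
    print(user_decrypt(ct, cs_partial_decrypt(ct, tamper=True)))  # None
```

In a deployment the XOR stream would be replaced by an authenticated cipher; the point shown is that the tag binds the user to the correct R before any symmetric key is derived from it.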
IV-C Performance Analyses
IV-C1 Comparison of Features
Table I shows the comparison of features among the selected schemes. YMCZZ in [18] is accountable, but its method of solving the key escrow problem wastes resources, which makes it difficult to implement in practice. Besides, the schemes in [18], [20], [22] may run into problems in system construction if too many attributes are added to the attribute authorities, because they lack the large-universe feature. Since our proposed vFAC provides all the features listed in Table I, it is more comprehensive than the other schemes.
IV-C2 Comparison of Computation Overhead
We compare the offline/online encryption and user decryption phases of vFAC and the selected schemes in Table II. Let denote the number of rows of the access matrix, denote the number of rows used for decryption in the access matrix, denote a bilinear pairing operation, and denote an exponentiation.
TABLE II. Comparison of computation overhead

Schemes    | Encryption (Offline.Enc) | Encryption (Online.Enc) | Decryption.user
RW[16]     |                          |                         |
MZL[17]    |                          |                         |
YMCZZ[18]  |                          |                         |
LLL[20]    |                          |                         |
NMSM[22]   |                          |                         |
vFAC       |                          |                         |
From Table II, the schemes in [16, 17, 18, 22] have no offline encryption mechanism, which causes the number of operations in the encryption phase to increase linearly with . In [16, 18, 22], the user directly decrypts the original ciphertext, so the number of exponentiations and bilinear pairing operations in the decryption phase also increases linearly with , leading to high computational complexity. In the decryption process of vFAC, only one exponentiation is involved. Although the user in [20] also needs only one decryption operation, this is achieved by outsourcing decryption and does not solve the key escrow problem. In summary, vFAC has high computational efficiency on the user side.
IV-C3 Comparison of Storage Cost
TABLE III. Comparison of storage cost

Schemes    | Secret key of AA | Public key of AA | Private key of user | Ciphertext size
RW[16]     |                  |                  |                     |
MZL[17]    |                  |                  |                     |
YMCZZ[18]  |                  |                  |                     |
LLL[20]    |                  |                  |                     |
NMSM[22]   |                  |                  |                     |
vFAC       |                  |                  |                     |
Denote and as the lengths of elements in and , as the number of attributes managed by an AA, as the number of a user’s attributes, as the length of the ciphertext after symmetric encryption, and as the length of the verification key. Table III shows the comparison of storage cost. The length of the ciphertext is linear in because the ciphertext corresponds to the access policy. Since the storage capacity of the CS is far larger than that of users, the storage cost of ciphertext on the CS can be omitted; here, we mainly focus on the user’s storage cost.
In [20, 22], the length of the public/private key of each AA is linear in the number of its attributes, i.e., in . The user’s private key in [16, 18, 20, 22] is generated directly by the AA from the user’s attributes, so its length is linear in ; when the number of attributes increases, the user’s storage cost increases too. In vFAC, the length of an AA’s public/private key is fixed because it is independent of the number of attributes. Although the overall storage cost in [18] is lower than that of vFAC, [18] does not provide the large-universe property. In conclusion, vFAC is better suited for data access control because of its comprehensive features.
V Conclusion
In order to solve the fine-grained data access control problem in cloud storage, this paper proposes a fine-grained access control scheme for cloud storage based on multi-authority CP-ABE. The proposed vFAC not only realizes an online/offline encryption mechanism but also provides a hidden policy. Furthermore, vFAC allows the user to verify the partially decrypted ciphertext, ensuring that the CS decrypts correctly. The static security of vFAC is proven in the random oracle model. In particular, the analyses of features, computation overhead, and storage cost against the other existing schemes show that vFAC offers a more comprehensive advantage for cloud storage.
Acknowledgements
This work is supported by the Key Program of the NSFC-Tongyong Union Foundation under Grant U1636209, the 111 Project (B08038) and the Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.
References
[1] Z. Zhou, H. Zhang, X. Du, P. Li, and X. Yu, “Prometheus: Privacy-aware data retrieval on hybrid cloud,” in Proc. of INFOCOM’13, 2013, pp. 2643–2651.
[2] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2005, pp. 457–473.
[3] S. Muller, S. Katzenbeisser, and C. Eckert, “On multi-authority ciphertext-policy attribute-based encryption,” Bulletin of the Korean Mathematical Society, vol. 46, no. 4, pp. 803–819, 2009.
[4] F. Guo, Y. Mu, and Z. Chen, “Identity-based online/offline encryption,” in Proc. of International Conference on Financial Cryptography and Data Security, 2008, pp. 247–261.
[5] S. S. Chow, J. K. Liu, and J. Zhou, “Identity-based online/offline key encapsulation and encryption,” in Proc. of the 6th ACM Symposium on Information, Computer and Communications Security, 2011, pp. 52–60.
[6] X. Du, Y. Xiao, M. Guizani, and H.-H. Chen, “An effective key management scheme for heterogeneous sensor networks,” Ad Hoc Networks, vol. 5, no. 1, pp. 24–34, 2007.
[7] X. Hei, X. Du, S. Lin, and I. Lee, “PIPAC: Patient infusion pattern based access control scheme for wireless insulin pump system,” in Proc. of INFOCOM’13, 2013, pp. 3030–3038.
[8] J. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343–1354, 2013.
[9] B. Qin, R. H. Deng, S. Liu, and S. Ma, “Attribute-based encryption with efficient verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1384–1393, 2015.
[10] Y. Cheng, X. Fu, X. Du, B. Luo, and M. Guizani, “A lightweight live memory forensic approach based on hardware virtualization,” Information Sciences, vol. 379, pp. 23–41, 2017.
[11] Y. Xiao, X. Du, J. Zhang, F. Hu, and S. Guizani, “Internet protocol television (IPTV): The killer application for the next-generation internet,” IEEE Communications Magazine, vol. 45, no. 11, pp. 126–134, 2007.
[12] A. Kapadia, P. P. Tsang, and S. W. Smith, “Attribute-based publishing with hidden credentials and hidden policies,” in Proc. of NDSS’07, vol. 7, 2007, pp. 179–192.
[13] T. Nishide, K. Yoneyama, and K. Ohta, “Attribute-based encryption with partially hidden encryptor-specified access structures,” in Proc. of International Conference on Applied Cryptography and Network Security, 2008, pp. 111–129.
[14] J. Lai, R. H. Deng, and Y. Li, “Fully secure ciphertext-policy hiding CP-ABE,” in Proc. of International Conference on Information Security Practice and Experience, 2011, pp. 24–39.
[15] A. Lewko and B. Waters, “New proof methods for attribute-based encryption: Achieving full security through selective techniques,” in Proc. of Advances in Cryptology–CRYPTO’12, 2012, pp. 180–198.
[16] Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority attribute-based encryption,” in Proc. of International Conference on Financial Cryptography and Data Security, 2015, pp. 315–332.
[17] K. Zhang, J. Ma, H. Li, J. Zhang, and T. Zhang, “Multi-authority attribute-based encryption with efficient revocation,” Journal on Communications, vol. 38, no. 3, 2017.
[18] G. Yu, X. Ma, Z. Cao, W. Zhu, and J. Zeng, “Accountable multi-authority ciphertext-policy attribute-based encryption without key escrow and key abuse,” in Proc. of International Symposium on Cyberspace Safety and Security, 2017, pp. 337–351.
[19] L. Wu, X. Du, and J. Wu, “Effective defense schemes for phishing attacks on mobile computing platforms,” IEEE Transactions on Vehicular Technology, vol. 65, no. 8, pp. 6678–6691, 2016.
[20] M. Lyu, X. Li, and H. Li, “Efficient, verifiable and privacy preserving decentralized attribute-based encryption for mobile cloud computing,” in Proc. of the 2nd IEEE International Conference on Data Science in Cyberspace (DSC), 2017, pp. 195–204.
[21] H. Zhang, Q. Zhang, and X. Du, “Toward vehicle-assisted cloud computing for smartphones,” IEEE Transactions on Vehicular Technology, vol. 64, no. 12, pp. 5610–5618, 2015.
[22] K. Nomura, M. Mohri, Y. Shiraishi, and M. Morii, “Attribute revocable multi-authority attribute-based encryption with forward secrecy for cloud storage,” IEICE Transactions on Information and Systems, vol. 100, no. 10, pp. 2420–2431, 2017.
[23] Z. Xia, L. Zhang, and D. Liu, “Attribute-based access control scheme with efficient revocation in cloud computing,” China Communications, vol. 13, no. 7, pp. 92–99, 2016.