efficient attribute-based encryption with privacy ... · proposed the concept of fuzzy identity...

Research ArticleEfficient Attribute-Based Encryption with Privacy-PreservingKey Generation and Its Application in Industrial Cloud

Yujiao Song,1 Hao Wang ,1,2 Xiaochao Wei,1 and Lei Wu 1,3

1School of Information Science and Engineering, Shandong Normal University, China2School of Computing and Information Technology, University of Wollongong, Australia3Shandong Provincial Key Laboratory of Software Engineering, China

Correspondence should be addressed to Hao Wang; [email protected]

Received 9 March 2019; Accepted 30 April 2019; Published 23 May 2019

Guest Editor: Mingwu Zhang

Copyright © 2019 Yujiao Song et al. This is an open access article distributed under the Creative Commons Attribution License,which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Due to the rapid development of new technologies such as cloud computing, Internet ofThings (IoT), andmobile Internet, the datavolumes are exploding. Particularly, in the industrial field, a large amount of data is generated every day. How to manage and useindustrial Big Data primely is a thorny challenge for every industrial enterprise manager. As an emerging form of service, cloudcomputing technology provides a good solution. It receives more and more attention and support due to its flexible configuration,on-demand purchase, and easy maintenance. Using cloud technology, enterprises get rid of the heavy data management workand concentrate on their main business. Although cloud technology has many advantages, there are still many problems in termsof security and privacy. To protect the confidentiality of the data, the mainstream solution is encrypting data before uploading. Inorder to achieve flexible access control to encrypted data, attribute-based encryption (ABE) is an outstanding candidate. At present,more andmore applications are using ABE to ensure data security.However, the privacy protection issues during the key generationphase are not considered in the current ABE systems. That is to say, the key generation center (KGC) knows both of attributes andcorresponding keys of each user. This problem is especially serious in the industrial big data scenario, because it will cause greatdamage to the business secrets of industrial enterprises. In this paper, we design a new ABE scheme that protects user’s privacyduring key issuing. In our new scheme, we separate the functionality of attribute auditing and key generating to ensure that theKGC cannot know user’s attributes and that the attribute auditing center (AAC) cannot obtain the user’s secret key.This is ideal formany privacy-sensitive scenarios, such as industrial big data scenario.

1. Introduction

Due to the rapid development of new technologies suchas cloud computing, Internet of Things (IoT), and mobileInternet, the data volumes are exploding, and we havetruly entered the era of “Big Data.” Big Data technologyhas been focused and applied to almost every industry,retail, healthcare, financial services, government, and so on.Particularly, in the field of industrial production, a largeamount of data is generated every day, and it includesbusiness data from information systems, machine data fromindustrial IoT systems, and some other data from relatedwebsites, etc. For a manufacturing enterprise, Big Data cannot only be used to improve the efficiency of the business,but more importantly change the manufacturing process and

business model. Industrial Big Data is the core of intelligentmanufacturing and industrial IoT and provides the mostfavorable support for the development of Industry 4.0. Howto manage and use industrial Big Data efficiently is a greatchallenge for every enterprise manager.

Cloud computing technology canprovide better solutionsto the above challenge. Using cloud technology, enterprisesget rid of the heavy data management work and concen-trate on their main business. Nowadays, large cloud ser-vice providers, such as Amazon, Microsoft, IBM, etc., havelaunched industrial cloud platforms, and more and moreindustrial enterprises migrate their data to these platforms.However, hosting data to third-party platforms will createnew problems, because the security and privacy of thedata have to depend on the credibility of the third-party.

HindawiSecurity and Communication NetworksVolume 2019, Article ID 3249726, 9 pageshttps://doi.org/10.1155/2019/3249726

http://orcid.org/0000-0003-3472-3699http://orcid.org/0000-0002-2691-0243https://creativecommons.org/licenses/by/4.0/https://doi.org/10.1155/2019/3249726

2 Security and Communication Networks

For businesses, the biggest concern is the confidentialityof industrial data. The main solution to this problem is touse encrypting methods to protect data before uploading it.However, traditional symmetric and asymmetric encryptionschemes are not appropriate for providing fine-grained accesscontrol. Therefore, the above problems have brought newchallenges to data encryption, and numerous studies havefocused on these issues [1–3].

Among various solutions, attribute-based encryption(ABE) [4, 5] has become an excellent candidate because ofits ability to provide data confidentiality and fine-grainedaccess control for cloud storage. Currently, more and moreindustrial enterprises are using ABE. In an industrial alliance,enterprises can share encrypted data based on the attributes.Only those enterprises whose attributes meet the access pol-icy can decrypt the encrypted data. Although much researchhas been done on ABE [6–8], there are still some problemsthat have not been solved well. The current ABE systems donot consider privacy protection during the key generationphase. That is to say, the key generation center (KGC) knowsthe attributes and corresponding keys of each user in thissystem. This causes great damage to the user’s privacy anddata confidentiality. Particularly, in the application scenariosof industrial big data, the attributes of enterprise users maybe related to the business secrets of enterprises.

1.1. Our Contribution. In order to solve the privacy protectionproblem in key generation phase, we propose a new ABEsystem, in which we separate the functionality of attributeauditing and key extracting to ensure that the KGC does notknow the specific attributes of the user and that the attributeauditing center (AAC) does not obtain the user’s key. In thissystem, when user applies its private key, it authenticates itsattributes to AAC first and gets a blind token, which onlycertificates its attributes blindly and reveals nothing aboutspecific attributes. The user presents the blind token to theKGC to obtain the corresponding blind key, from which usercan extract the final private key. During this process, noinformation about the user’s attributes is leaked to the KGC,and no information about the private key is leaked to theAAC. We implicitly use the oblivious transfer (OT) protocolto solve this problem. This protects the user’s privacy duringkey generation phase.

Our ABE is suitable for privacy sensitive scenarios.Particularly, in the encryption system of industrial cloud, theattributes often involve business secrets of industrial enter-prises. KGC, as a technology department, should not knowthese types of secret information. Therefore, we expresslyintroduce an application of our new scheme in the industrialcloud.

1.2. Related Work

1.2.1. Attribute-Based Encryption. Attribute-based encryp-tion is a one-to-many public key encryption. Only the user,whose attributes satisfy the access policy set by the encryptor,can decrypt the ciphertext. This concept originates fromidentity-based encryption [9]. In 2005, Sahai and Waters [4]proposed the concept of fuzzy identity encryption, which

became a precedent for attribute-based encryption. In 2006,Goyal et al. [5] first proposed the formal definition ofattribute-based encryption (ABE), which classifies as key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE).They also constructed the first KP-ABE scheme. In the nextyear, Bethencourt et al. [10] gave the CP-ABE constructionfor the first time. In a CP-ABE scheme, the encryptor setsan access policy in the ciphertext to determine which kindof users can decrypt the data. This is very consistent with thesecurity requirements of cloud storage. In recent years, moreandmore researches focus onCP-ABE [11–13].However, noneof the aforementioned works deals with privacy protectionproblem in the key generation phase.

1.2.2. Oblivious Transfer. The concept of oblivious transfer(OT) is originally proposed by Rabin [14] in 1981, andthen it became an important basic primitive in the field ofcryptography. In an OT protocol, the sender delivers part ofmessages to the receiver and is still unaware of which parts (ifany) are delivered. In other words, a secure OT protocol mustsatisfy two security features: (1) the sender cannot obtain theselection information of the receiver; (2) the receiver cannotobtain any information about other messages except for itschoice.

In 1985, Even et al. [15] presented a specific 1-out-of-2 OT protocol (𝑂𝑇12 ), in which the sender 𝑆 has 2 values,and receiver 𝑅 only gets one of them. Then, Brassard etal. [16] extended 𝑂𝑇12 to 𝑂𝑇1𝑛 . In 1998, Stern [17] gave ageneralized construction of OT protocol based on public keyencryption. In 2001, Naor and Pinkas [18] gave a 2-round𝑂𝑇1𝑛 protocol based on Diffie-Hellman assumption withoutrandom oracle. In the same year, Aiello et al. [19] constructeda 2-round 𝑂𝑇1𝑛 protocol based on homomorphic public-key encryption. In 2002, Tzeng [20] gave an 𝑂𝑇1𝑛 protocolwith better round complexity and better communicationcomplexity. In 2003, Ishai et al. [21] proposed OT extension,from which a large number of OTs can be performedusing only cheap symmetric-key operations. In the pastdecades, OT protocol has been fully studied and widely used[22–25].

1.3. Organization. In Section 2, we introduce the preliminar-ies of this paper. In Section 3, we introduce the concept ofattribute-based encryption with privacy preserving key gen-eration (PPKG-ABE) and its security definition. In Section 4,we propose a specific PPKG-ABE scheme and analyze itssecurity in Section 5. In Section 6, we introduce the appli-cation of PPKG-ABE in industrial cloud environment forprotecting the security of industrial Big Data.

2. Preliminaries

2.1. CP-ABE. In CP-ABE system, there are three types ofentities, i.e., key generation center (KGC), encryptor, anddecryptor. The KGC issues secret key according to users’attributes. The encryptor encrypts the messages accordingto a designated access policy. The decryptor can decryptthe ciphertext successfully only if its attributes satisfy thecorresponding access policy.

Security and Communication Networks 3

There are four algorithms in a CP-ABE scheme:(1) Setup: it takes security parameters as input andoutputs public parameters 𝑃𝑃 and master secret key 𝑀𝑆𝐾.(2) KeyGen: it takes public parameters 𝑃𝑃, master secretkey𝑀𝑆𝐾, and a set of attributes 𝑆 as input and outputs secretkey 𝑆𝐾𝑆 corresponding to 𝑆.(3) Encryption: it takes public parameters 𝑃𝑃, accesspolicyW, and message𝑀 as input and outputs the ciphertext𝐶𝑇W.(4) Decryption: it takes public parameters 𝑃𝑃, ciphertext𝐶𝑇W, and secret key 𝑆𝐾𝑆 as input and outputs the message𝑀,if and only if the attributes 𝑆 satisfy the access policy W; i.e.,𝑆 ⊨ W.2.2. Oblivious Transfer. The oblivious transfer (OT) protocolis a two-party computation protocol in which one party is thesender (S) and the other is the recipient (R). The protocolensures the following: S sends a group of messages toR. Rcan get a subset of thesemessages, butS does not knowwhichmessages thatR received.

In this paper, we draw on a classic (𝑂𝑇12 ) protocol [26]:Party S has two elements 𝛿0, 𝛿1 of group G and party R

has a bit 𝑏 ∈ {0, 1}. The descriptions of group G are known toboth parties, where |G| = 𝑞 and 𝑔 is a generator.(1) R randomly chooses 𝛼, 𝛽, 𝛾 ∈ [1, 𝑞] and sets 𝜏 asfollows:

(a) If 𝜎 = 0, then 𝜏 = (𝑔𝛼, 𝑔𝛽, 𝑔𝛼𝛽, 𝑔𝛾).(b) If 𝜎 = 1, then 𝜏 = (𝑔𝛼, 𝑔𝛽, 𝑔𝛾, 𝑔𝛼𝛽).R sends 𝜏 to S.(2) S receives 𝜏 = (𝑥, 𝑦, 𝑧0, 𝑧1). Then, S checks 𝑧0 ̸= 𝑧1.

If not, it outputs ⊥, and aborts.In addition,S chooses 𝑢0 , 𝑢1, V0, V1 ∈ [1, 𝑞] randomly and

computes the following 4 values:

𝜔0 = 𝑥𝑢0 ⋅ 𝑔V0 ,𝑘0 = (𝑧0)𝑢0 ⋅ 𝑦V0𝜔1 = 𝑥𝑢1 ⋅ 𝑔V1 ,𝑘1 = (𝑧1)𝑢1 ⋅ 𝑦V1

(1)

Then, S calculates 𝑐0 = 𝑥0 ⋅ 𝑘0, 𝑐1 = 𝑥1 ⋅ 𝑘1 and sends(𝜔0, 𝑐0) and (𝜔1, 𝑐1) toR.Finally, R calculates 𝑘𝜎 = (𝜔0)𝛽 and obtains 𝛿𝜎 = 𝑐𝜎 ⋅(𝑘𝜎)−1.

2.3. BilinearMaps. LetG1,G2, andG𝑇 be three 𝑞 order cyclicgroups. The bilinear pairing operation 𝑒 is a bilinear map, 𝑒 :G1 × G2 → G𝑇, and satisfies the following properties:(1) ∀𝑔 ∈ G1, ∀ℎ ∈ G2, ∀𝑥, 𝑦 ∈ 𝑍∗𝑞 , there is 𝑒(𝑔𝑥, ℎ𝑦) =𝑒(𝑔, ℎ)𝑥𝑦(2) ∃𝑔0 ∈ G1, ∃ℎ0 ∈ G2, 𝑒(𝑔0, ℎ0) ̸= 1(3) ∀𝑔 ∈ G1,∀ℎ ∈ G2, 𝑒(𝑔, ℎ) can be computed in polynomial time

In this paper, we use asymmetric bilinear groups; that is,G1 ̸= G2.2.4. Security Assumption

Definition 1. Let G1, G2, and G𝑇 form bilinear groups, let𝑔 be a generator of G1, and let ℎ be a generator of G2. For

Attribute Audit Center(AAC)

User

(1)

Key Generation Center(KGC)

(3)

(2) (4)

(5)

Figure 1: System model.

some unknown 𝛼 ∈ Z∗𝑝, define 𝑔𝑖 = 𝑔𝛼𝑖 , and set →𝑦𝑔,𝛼,𝑛 =(𝑔1, . . . , 𝑔𝑛, 𝑔𝑛+2, . . . , 𝑔2𝑛). We say an algorithm B solves 𝑛-BDHE problem with advantage 𝜖, if on input 𝑔, ℎ, →𝑦𝑔,𝛼,𝑛,

𝑃𝑟 [B (𝑒 (𝑔𝑛+1, ℎ)) = 1] − 𝑃𝑟 [B (𝑍) = 1] ≥ 𝜖, (2)where 𝑍 is a random element of G∗𝑇.

The decision 𝑛-BDHE assumption holds if 𝜖 is negligiblefor any polynomial algorithm.

3. Attribute-Based Encryption with PrivacyPreserving Key Generation

In the key generation phase of traditional ABE, KGC alwaysknows the attribute information of each user.This has greatlydamaged the privacy of users. In order to solve this problem,we separate the two functions of attribute auditing and keyextracting. We introduce an attribute audit center (AAC)in ABE system to authenticate the attributes of users andto make blind token for them. KGC, as a simple technicalsupport institution, is only responsible for generating keys,but it does not know the corresponding attributes of thesekeys.

3.1. System Model. In the key generation phase (as shownin Figure 1), there are three types of entities: attribute auditcenter (AAC), key generation center (KGC), and data user. Inthis system, user submits its attributes and relevant evidenceto AAC. The AAC audits the user’s attributes and returns ablind token with the signature of AAC to user. In practicalapplications, AAC is often carried out by the institutions thatprovide certification for user’s attributes, such as governmentoffices, because they know the attributes of users themselvesand do not cause extra leaks. In other words, the blindtoken is the evidence for users owning some attributes. Thistoken does not reveal any information of user’s attributes andonly ensures the authenticity. When user needs to obtain itsattributes key, it will submit the blind token to KGC, which isa technical institution. The KGC first checks the legitimacy ofthe token; if the token is invalid, it aborts; otherwise, it runsthe key generation algorithm on the token and returns a blind


key. After user obtains the blind key, it extracts the secret keylocally.

The specific process is as follows:(1) The user shows its attributes and relevant evidence tothe attribute audit center (AAC).(2) The AAC audits the user’s attributes and returns ablind token to the user with its signature.(3) When a user needs to obtain its attributes key, itwill submit its blind token to the key generation center(KGC).The KGC cannot get any information about the user’sattributes. It only can confirm that the user truly has relatedattributes.(4) The key generation center (KGC) first checks thelegitimacy of the token, and if the signature is illegal, it aborts;otherwise, it runs the key generation algorithm and outputs ablind key.(5)Theuser receives the blind key fromKGCand extractsthe private key.

3.2. Syntax. In detail, an attribute-based encryption withprivacy preserving key generation scheme (PPKG-ABE)includes seven fundamental algorithms: Setup, UserTemKey-Gen, BlindTokenGen, BlindKenGen, KeyExtra, Encrypt, andDecrypt. The specific algorithms are described as follows:

Setup(𝜅)→ 𝑃𝑃,𝑀𝐾: the setup algorithm is run byKGC, it inputs security parameter 𝜅, and it outputs publicparameters 𝑃𝑃 and master secret key 𝑀𝑆𝐾.

UserTemKeyGen(𝑃𝑃, 𝜅)→ 𝑇𝑃𝐾𝑈𝑠𝑒𝑟, 𝑇𝑆𝐾𝑈𝑠𝑒𝑟: the user’stemporary-key generation algorithm is run by user. It takes𝑃𝑃 and security parameters 𝜅 as input and outputs user’stemporary public key 𝑇𝑃𝐾𝑈𝑠𝑒𝑟 and user’s temporary secretkey 𝑇𝑆𝐾𝑈𝑠𝑒𝑟.

BlindTokenGen(𝑃𝑃, 𝑆, 𝑇𝑃𝐾𝑈𝑠𝑒𝑟)→ 𝑇𝑆: the blind tokengeneration algorithm is run by AAC. It takes 𝑃𝑃, user’sattributes set 𝑆, and user’s temporary public key 𝑇𝑃𝐾𝑈𝑠𝑒𝑟 asinput and outputs a blind token 𝑇 for attributes set 𝑆.

BlindKenGen(𝑃𝑃, 𝑀𝑆𝐾, 𝑇𝑆)→ 𝐵𝑆𝐾: the blind keygeneration algorithm is runbyKGC. It takes𝑃𝑃, master secretkey𝑀𝑆𝐾, and user’s blind token𝑇𝑆 as input and outputs blindsecret key 𝐵𝑆𝐾 for attributes set 𝑆.

KeyExtra(𝐵𝑆𝐾𝑆 , 𝑇𝑆𝐾𝑈𝑠𝑒𝑟)→ 𝑆𝐾𝑆: the key extract algo-rithm is run by user locally. It takes blind secret key 𝐵𝑆𝐾𝑆 anduser’s temporary secret key 𝑇𝑆𝐾𝑈𝑠𝑒𝑟 as input and outputs thefinal secret key 𝑆𝐾 for attributes set 𝑆.

Encrypt(𝑃𝑃, 𝑀, W)→ 𝐶𝑇: the encryption algorithmis run by encryptor. It takes 𝑃𝑃, message 𝑀, and accessstructureW as input and outputs ciphertext 𝐶𝑇.

Decrypt(𝐶𝑇W, 𝑆𝐾𝑆)→ 𝑀: the decryption algorithm isrun by decryptor. It takes ciphertext 𝐶𝑇W and secret key 𝑆𝐾𝑆as input and outputs message 𝑀, if 𝑆 ⊨ W.

We note, in PPKG-ABE scheme, that AAC is responsiblefor auditing user’s attributes and issuing blind token 𝑇𝑆 touser.The blind token includes a description of the authentic-ity of user’s attributes, along with the signature of AAC, andreveals on information about specific attributes.

3.3. Security Model. We define the security in two aspects:confidentiality and privacy. Specifically, in this securitymodel, we do not allow AAC and KGC to collude.

3.3.1. Confidentiality. We introduce the selective securitymodel of choosing plaintext attacks for the PPKG-ABEscheme. The specific process is working between adversaryA and challenger C:

Init. A specifies an access structureW∗ for challenge.

Setup. C calls the Setup algorithm and returns 𝑃𝑃 toA.Phase 2. A queries secret key on any attributes set 𝑆 ⊭ W∗.C returns the secret key 𝑆𝐾 for 𝑆.Challenge. A submits two messages 𝑀∗0 and 𝑀∗1 , where|𝑀∗0 | = |𝑀∗1 |. C chooses 𝑏 ∈ 0, 1 randomly and encrypts𝑀∗𝑏 underW∗. Then, it returns 𝐶𝑇∗ toA.Phase 3. Repeats as Phase 2.

Guess.A guesses 𝑏 for 𝑏.The advantage 𝐴𝑑V forA is definedas 𝑃𝑟[𝑏 = 𝑏] - 1/2.Definition 4. The PPKG-ABE scheme is selectively IND-CPA secure if 𝐴𝑑V is negligible for any polynomial timeadversaries.

3.3.2. Privacy. We introduce a new security game for definingprivacy. In this game, we define the following two oracles.

Blind TokenOracleO𝐵𝑇(𝑆): it takes attributes set 𝑆 as inputand outputs corresponding blind token 𝑇𝑆.

Blind Key Oracle O𝐵𝐾(𝑇𝑆): it takes blind token 𝑇𝑆 as inputand outputs corresponding blind key 𝐵𝑆𝐾𝑆.

The specific process is working between adversary A andchallenger C:

Setup. C calls the Setup algorithm and returns 𝑃𝑃 toA.Phase 5. A queries blind token oracle O𝐵𝑇 and blind keyoracle freely.

Challenge. A submits two attributes sets 𝑆∗0 and 𝑆∗1 , where|𝑆∗0 | = |𝑆∗1 |. C chooses 𝑏 ∈ {0, 1} randomly and queries blindtoken oracleO𝐵𝑇 on input 𝑆∗𝑏 . It returns blind token 𝑇𝑆∗𝑏 toA.Phase 6. Repeats as Phase 5.

Guess.A guesses 𝑏 for 𝑏.The advantage 𝐴𝑑V forA is definedas 𝑃𝑟[𝑏 = 𝑏] - 1/2.Definition 7. The PPKG-ABE scheme is privacy-protected inkey generation phase, if 𝐴𝑑V is negligible for any polynomialtime adversaries.

4. A Specific PPKG-ABE Scheme

4.1. Construction. In this construction, the PPKG-ABEscheme is constructed on the basis of [27], which onlysupports AND gates. Suppose that the attribute universe is𝑈={𝑎𝑡𝑡1, 𝑎𝑡𝑡2, . . . , 𝑎𝑡𝑡𝑛}, where each 𝑎𝑡𝑡𝑖 has 2 values: “+” and“−”. The “+” denotes that user owns this attribute, while the


“−” denotes that user does not own this attribute. The specificscheme is as follows:

Setup(𝜅, 𝑈): the setup algorithm is run by KGC. It takessecurity parameters 𝜅 and attribute universe 𝑈 as input,where |𝑈| = 𝑛. The algorithm first chooses 𝑞 order bilineargroups G1, G2, and G𝑇, where 𝑔 is a generator of G1 and ℎ isa generator of G2. Let 𝐻 be a cryptographic hash function;𝐻 : G1 → G2. For 𝑖 ∈ [1, 𝑛], it chooses 𝑟𝑖, 𝑟𝑛+𝑖 ∈ Z∗𝑝,𝑠𝑖, 𝑠𝑛+𝑖 ∈ G2 randomly and sets 𝑢𝑖 = 𝑔−𝑟𝑖 and ℎ𝑖 = 𝑒(𝑔, 𝑠𝑖).It outputs

𝑃𝑃 fl {𝑔, ℎ, (𝑢𝑘, ℎ𝑘)𝑘∈[1,2𝑛] , 𝐻} ,𝑀𝑆𝐾 fl {(𝑟𝑘, 𝑠𝑘)𝑘∈[1,2𝑛]} . (3)

In general speaking, {⟨𝑢𝑖, ℎ𝑖⟩|𝑖 ∈ [1, 𝑛]} correspond to thepositive attributes and {⟨𝑢𝑛+𝑖, ℎ𝑛+𝑖⟩|𝑖 ∈ [1, 𝑛]} correspond tothe negative attributes.

UserTemKeyGen(𝑃𝑃, 𝜅): the user’s temporary-key gener-ation algorithm is run by user. It takes public parameters 𝑃𝑃and security parameters 𝜅 as input and chooses 𝛽𝑖 ← Z𝑞randomly for 𝑖 ∈ [1, 𝑛], as its temporary secret key 𝑇𝑆𝐾𝑈𝑠𝑒𝑟.Then, it calculates the temporary public key 𝑇𝑃𝐾𝑈𝑠𝑒𝑟 ={ℎ𝛽𝑖}𝑖∈[1,𝑛].

BlindTokenGen(𝑃𝑃, 𝑆, 𝑇𝑃𝐾𝑈𝑠𝑒𝑟): the blind token gener-ation algorithm is run by AAC. It takes public parameters𝑃𝑃, user’s attributes set 𝑆, and user’s temporary public key𝑇𝑃𝐾𝑈𝑠𝑒𝑟 as input. 𝑆 expresses an attributes set, which includes𝑛 signs, e.g., 𝑆 = (+, −, + . . . , +), where “+” indicates that theuser owns this attribute and “−” indicates that the user doesnot own this attribute. It selects 𝛼𝑖, 𝛾𝑖 ← Z𝑝 randomly andcalculates ℎ𝛼𝑖 , (ℎ𝛽𝑖)𝛼𝑖 , and ℎ𝛾𝑖 , for 𝑖 ∈ [1, 𝑛].

If the attribute 𝑎𝑡𝑡𝑖 =“+”∈ 𝑆, then it sets 𝑥𝑖 = ℎ𝛼𝑖 , 𝑦𝑖 = ℎ𝛽𝑖 ,𝑧𝑖,0 = ℎ𝛼𝑖𝛽𝑖 , 𝑧𝑖,1 = ℎ𝛾𝑖 . Otherwise, the attribute 𝑎𝑡𝑡𝑖 = “−” ∈ 𝑆,and it sets 𝑥𝑖 = ℎ𝛼𝑖 , 𝑦𝑖 = ℎ𝛽𝑖 , 𝑧𝑖,0 = ℎ𝛾𝑖 , 𝑧𝑖,1 = ℎ𝛼𝑖𝛽𝑖 .

𝑡𝑆 = {𝑡𝑖 = (𝑥𝑖 ‖ 𝑦𝑖 ‖ 𝑧𝑖,0 ‖ 𝑧𝑖,1)}𝑖∈[1,𝑛] . (4)Then, it runs standard signature algorithm on 𝑡𝑆 to get a

signature Σ and returns 𝑇𝑆 = (𝑡𝑆, Σ) to user.BlindKenGen(𝑃𝑃, 𝑀𝑆𝐾, 𝑇𝑆): the user submits the token𝑇𝑆 corresponding to attributes set 𝑆 to the KGC for applying

secret key. KGC first checks that all 𝑥𝑖, 𝑦𝑖, 𝑧𝑖,0, 𝑧𝑖,1 ∈ G1, 𝑧𝑖,0 ̸=𝑧𝑖,1 and that Σ is legal. If not, it aborts outputting ⊥; otherwiseit randomly chooses 𝑢𝑖,0, 𝑢𝑖,1, V𝑖,0, V𝑖,1 ← Z𝑞 for 𝑖 ∈ [1, 𝑛] andcalculates the following values:

𝑤𝑖,0 = 𝑥𝑢𝑖,0𝑖 ⋅ ℎV𝑖,0 ,𝑘𝑖,0 = (𝑧𝑖,0)𝑢𝑖,0 ⋅ 𝑦V𝑖,0𝑖𝑤𝑖,1 = 𝑥𝑢𝑖,1𝑖 ⋅ ℎV𝑖,1 ,𝑘𝑖,1 = (𝑧𝑖,1)𝑢𝑖,1 ⋅ 𝑦V𝑖,1𝑖

(5)

Then, it randomly chooses V ∈ G2 for each user andcalculates 𝜎𝑖,0 = 𝑠𝑖V𝑟𝑖 , 𝜎𝑖,1 = 𝑠𝑛+𝑖V𝑟𝑛+𝑖 , for 𝑖 ∈ [1, 𝑛]. It calculates𝑐𝑖,0 = 𝜎𝑖,0 ⋅ 𝑘𝑖,0, 𝑐𝑖,1 = 𝜎𝑖,1 ⋅ 𝑘𝑖,1, for 𝑖 ∈ [1, 𝑛].

The blind secret key

𝐵𝑆𝐾 = ⟨V, {(𝑤𝑖,0, 𝑐𝑖,0) , (𝑤𝑖,1, 𝑐𝑖,1)}𝑖∈[1,𝑛]⟩ . (6)It returns 𝐵𝑆𝐾 to user.

KeyExtra(𝑇𝑆𝐾𝑈𝑠𝑒𝑟, 𝐵𝑆𝐾): the key extract algorithm is runby user.

For 𝑖 ∈ [1, 𝑛], if 𝑎𝑡𝑡𝑖 =“+”, it sets 𝑤𝑖 = 𝑤𝑖,0, 𝑐𝑖 = 𝑐𝑖,0; else if𝑎𝑡𝑡𝑖 = “ − ”, it sets 𝑤𝑖 = 𝑤𝑖,1, 𝑐𝑖 = 𝑐𝑖,1 and calculates𝑘𝑖 = (𝑤𝑖)𝛽𝑖 ,𝜎𝑖 = 𝑐𝑖𝑘𝑖 .

(7)

It outputs

𝑆𝐾 fl ⟨V, {𝜎𝑖}𝑖∈[1,𝑛]⟩ . (8)We note, in the above key issuing procedure, that KGC

cannot obtain the specific attributes of user, and AAC cannotobtain the secret key.

Encrypt(𝑃𝐾, 𝑀, W): it takes public key 𝑃𝐾, AND gatestructureW, andmessage𝑀 as input, whereW = ⋀𝑎𝑡𝑡𝑖∈𝐴𝑎𝑡𝑡𝑖,for 𝐴 is the related attributes set, and 𝑎𝑡𝑡𝑖 ∈ {“ + ”,“ −”}. It chooses 𝑠 ∈ Z∗𝑝 randomly and sets ⟨𝑢𝐴, ℎ𝐴⟩ =⟨∏𝑎𝑡𝑡𝑖∈𝐴𝑢𝑖,∏𝑎𝑡𝑡𝑖∈𝐴ℎ𝑖⟩, where for each 𝑎𝑡𝑡𝑖 ∈ 𝐴,

if 𝑎𝑡𝑡𝑖 =“+”, ⟨𝑢𝑖, ℎ𝑖⟩ = ⟨𝑢𝑖, ℎ𝑖⟩if 𝑎𝑡𝑡𝑖 = “ − ”, ⟨𝑢𝑖, ℎ𝑖⟩ = ⟨𝑢𝑛+𝑖, ℎ𝑛+𝑖⟩Then, it computes 𝑐𝑡0 = 𝑀 ⋅ ℎ𝑠𝐴, 𝑐𝑡1 = 𝑔𝑠, 𝑐𝑡2 = 𝑢𝑠𝐴.The ciphertext is defined as 𝐶𝑇 = (W, 𝑐𝑡0, 𝑐𝑡1, 𝑐𝑡2).Decrypt(𝑃𝑃, 𝑆𝐾𝑆,𝐶𝑇): if 𝑆 ⊨ W, the decryption algorithm

computes 𝑠𝑘 = ⟨V, 𝜎 = ∏𝑎𝑡𝑡𝑖∈𝐴𝜎𝑖⟩, for related attributes set 𝐴.Then, it computes the message

𝑀 = 𝑐𝑡0𝑒 (𝑐𝑡1, 𝜎) ⋅ 𝑒 (𝑐𝑡2, V) . (9)4.2. Correctness. The correctness is guaranteed by

𝑒 (𝑐𝑡1, 𝜎) ⋅ 𝑒 (𝑐𝑡2, V) = 𝑒(𝑔𝑠, ∏𝑎𝑡𝑡𝑖∈𝐴

𝜎𝑖)𝑒( ∏𝑎𝑡𝑡𝑖∈𝐴

𝑢𝑠𝑖 , V)= ∏

𝑎𝑡𝑡𝑖∈𝐴

(𝑒 (𝑔, 𝜎𝑖) ⋅ 𝑒 (𝑢𝑖, V))𝑠= ∏


(𝑒 (𝑔, 𝑠𝑖V𝑟𝑖) ⋅ 𝑒 (𝑔−𝑟𝑖 , V))𝑠= ∏


(𝑒 (𝑔, 𝑠𝑖) ⋅ 𝑒 (𝑔, V𝑟𝑖) ⋅ 𝑒 (𝑔−𝑟𝑖 , V))𝑠= ∏


(𝑒 (𝑔, 𝑠𝑖))𝑠 = ∏𝑎𝑡𝑡𝑖∈𝐴

ℎ𝑠𝑖 = ℎ𝑠𝐴.

(10)

5. Proof of Security

5.1. Confidentiality

Theorem 8. If the decisional 𝑛−BDHE assumption holds forbilinear groups G1, G2, and G𝑇, our PPGK-ABE scheme isselectively IND-CPA secure.


Proof. If the adversary A can win above security game withnonnegligible advantage, we can construct an algorithmB tobreak the decision 𝑛−BDHEassumption.B plays the securitygame withA as follows:

Init. B receives challenge gate W∗ = ⋀𝑎𝑡𝑡𝑖𝑗∈𝐴∗𝑎𝑡𝑡𝑖𝑗 from A.We suppose |𝐴∗| = 𝑚 < 𝑛, and 𝐼∗ = {𝑖𝑗|𝑎𝑡𝑡𝑖𝑗 ∈ 𝐴∗}.Setup. B chooses 𝑗∗ ∈ [1,𝑚], 𝑟𝑘 ∈ Z∗𝑝, 𝑥𝑘 ∈ G2, 𝑟𝑖𝑗 , 𝑎𝑖𝑗 ∈ Z∗𝑝randomly, for 𝑘 ∈ [1, 2𝑛], 𝑗 ∈ [1,𝑚].

For 𝑖𝑗 ∈ 𝐼∗ − {𝑗∗}, B computes public parameters asfollows:(1) If 𝑎𝑡𝑡𝑖𝑗 = +,

(𝑢𝑖𝑗 , ℎ𝑖𝑗) = (𝑔𝑟𝑖𝑗𝑔−1𝑛+1−𝑖𝑗 , 𝑒 (𝑔, ℎ)𝑎𝑖𝑗 ) ,(𝑢𝑖𝑗+𝑛, ℎ𝑖𝑗+𝑛) = (𝑔−𝑟𝑖𝑗+𝑛 , 𝑒 (𝑔, 𝑥𝑖𝑗+𝑛)) .

(11)

(2) If 𝑎𝑡𝑡𝑖𝑗 = −,(𝑢𝑖𝑗 , ℎ𝑖𝑗) = (𝑔−𝑟𝑖𝑗 , 𝑒 (𝑔, 𝑥𝑖𝑗)) ,

(𝑢𝑖𝑗+𝑛, ℎ𝑖𝑗+𝑛) = (𝑔𝑟𝑖𝑗𝑔−1𝑛+1−𝑖𝑗 , 𝑒 (𝑔, ℎ)𝑎𝑖𝑗 ) .(12)

For 𝑎𝑡𝑡𝑖𝑗 = 𝑎𝑡𝑡𝑖𝑗∗ ,B computes as follows:(1) If 𝑎𝑡𝑡𝑖𝑗∗ = +,(𝑢𝑖𝑗∗ , ℎ𝑖𝑗∗)

= (𝑔𝑟𝑖𝑗∗ ⋅ ∏𝑘∈𝐼∗−{𝑖𝑗∗ }

𝑔𝑛+1−𝑘, 𝑒 (𝑔, ℎ)𝑎𝑖𝑗∗ 𝑒 (𝑔, ℎ)𝛼𝑛+1)(𝑢𝑖𝑗∗+𝑛 , ℎ𝑖𝑗∗+𝑛) = (𝑔−𝑟𝑖𝑗∗ +𝑛 , 𝑒 (𝑔, 𝑥𝑖𝑗∗+𝑛)) .

(13)

(2) If 𝑎𝑡𝑡𝑗∗ = −,(𝑢𝑖𝑗∗ , ℎ𝑖𝑗∗ ) = (𝑔−𝑟𝑖𝑗∗ , 𝑒 (𝑔, 𝑥𝑖𝑗∗ )) ,(𝑢𝑖𝑗∗+𝑛 , ℎ𝑖𝑗∗+𝑛)

= (𝑔𝑟𝑖𝑗∗ ⋅ ∏𝑘∈𝐼∗−{𝑖𝑗∗ }

𝑔𝑛+1−𝑘, 𝑒 (𝑔, ℎ)𝑎𝑖𝑗∗ 𝑒 (𝑔, ℎ)𝛼𝑛+1) ,(14)

For 𝑖𝑗 ∉ 𝐼∗,B computes(𝑢𝑖𝑗 , ℎ𝑖𝑗) = (𝑔−𝑟𝑖𝑗 , 𝑒 (𝑔, 𝑥𝑖𝑗)) ,

(𝑢𝑖𝑗+𝑛, ℎ𝑖𝑗+𝑛) = (𝑔−𝑟𝑖𝑗+𝑛 , 𝑒 (𝑔, 𝑥𝑖𝑗+𝑛)) .(15)

Phase 9. A queries secret key on any attributes set 𝑆 | ̸= W∗ =⋀𝑎𝑡𝑡𝑖𝑗∈𝐴∗𝑎𝑡𝑡𝑖𝑗 ; therefore, ∃𝑎𝑡𝑡𝑖𝑗 ∈ A∗, s.t. either 𝑎𝑡𝑡𝑖𝑗 ∈ 𝑆 for𝑎𝑡𝑡𝑖𝑗 = −, or 𝑎𝑡𝑡𝑖𝑗 ∉ 𝑆 for 𝑎𝑡𝑡𝑖𝑗 = +. Suppose that 𝑎𝑡𝑡𝑖𝑗 ∈ 𝑆 | ̸=W.B chooses 𝑧 ∈ Z∗𝑝 randomly and computes ] = 𝑔𝑖𝑗𝑔𝑧.

For 𝑎𝑡𝑡𝑖𝑗 ,B computes 𝜎𝑎𝑡𝑡𝑖𝑗 = 𝑥𝑖𝑗+𝑛(𝑔𝑖𝑗𝑔𝑧)𝑟𝑖𝑗+𝑛 .For 𝑎𝑡𝑡i ̸= 𝑎𝑡𝑡𝑖𝑗 , 𝜎𝑎𝑡𝑡𝑖 is computed as follows:(1) If 𝑖 = 𝑖𝑘 ∈ 𝐼∗ − {𝑗∗} (𝑘 ̸= 𝑗∗), calculate

𝜎𝑎𝑡𝑡𝑖 = 𝑔𝑎𝑖𝑘 (𝑔𝑖𝑗)𝑟𝑖𝑘 𝑔𝑛+1−𝑖𝑘+𝑖𝑗 (𝑢𝑖𝑘)−𝑧 . (16)(2) If 𝑖 = 𝑖𝑗∗ , calculate

𝜎𝑎𝑡𝑡𝑖 = 𝑔𝑎𝑖𝑗∗ (𝑔𝑖𝑗)𝑟𝑖𝑗∗ (𝑘 ̸=𝑖𝑗∏

𝑘∈𝐼∗−{𝑗∗}

)(𝑢𝑖∗𝑗 )−𝑧 . (17)(3) If 𝑖 ∉ 𝐼∗, calculate(a) 𝜎𝑎𝑡𝑡𝑖 = 𝑥𝑖(𝑔𝑖𝑗𝑔𝑧)𝑟𝑖 , if 𝑎𝑡𝑡𝑖 = +;(b) 𝜎𝑎𝑡𝑡𝑖 = 𝑥𝑖+𝑛(𝑔𝑖𝑗𝑔𝑧)𝑟𝑖+𝑛 , if 𝑎𝑡𝑡𝑖 = −.B answers secret key query for 𝑆:

𝑆𝐾 = ⟨], {𝜎𝑎𝑡𝑡𝑖 | 𝑖 ∈ [1, 𝑛]}⟩ . (18)Challenge. For 𝑎𝐼∗ = ∑𝑚𝑗=1 𝑎𝑖𝑗 , 𝑟𝐼∗ = ∑𝑚𝑗=1 𝑟𝑖𝑗 , ⟨𝑢𝐼∗ , ℎ𝐼∗⟩ iscalculated as follows:

𝑢𝐼∗ = 𝑢𝑖𝑗∗ ∏𝑘∈𝐼∗−{𝑗∗}

𝑢𝑘= (𝑔𝑟𝑖𝑗∗ ∏

𝑘∈𝐼∗−{𝑗∗}

𝑔𝑛+1−𝑘) ∏𝑘∈𝐼∗−{𝑗∗}

𝑔𝑟𝑘𝑔−1𝑛+1−𝑘 = 𝑔𝑟𝐼∗ ,ℎ𝐼∗ = ℎ𝑖𝑗∗ ∏

𝑘∈𝐼∗−{𝑗∗}

ℎ𝑘= 𝑒 (𝑔, ℎ)𝑎𝑖𝑗∗ ⋅ 𝑒 (𝑔, ℎ)𝛼𝑛+1 ∏

𝑘∈𝐼∗−{𝑗∗}

𝑒 (𝑔, ℎ)𝑎𝑘= 𝑒 (𝑔, ℎ)𝑎𝐼∗+𝛼𝑛+1 .

(19)

A submits 𝑀0 and 𝑀1 with |𝑀0| = |𝑀1|. B randomlychooses 𝑏 ∈ {0, 1}, 𝑠 ∈ Z∗𝑝 and computes

𝐶𝑇∗ = (W∗, 𝑐𝑡∗0 = 𝑀𝑏𝑇𝑒 (𝑔, ℎ)𝑠𝑎𝐼∗ , 𝑐𝑡∗1 = 𝑔𝑠 , 𝑐𝑡∗2= 𝑔𝑠𝑟𝐼∗ ) . (20)

If 𝑇 = 𝑒(𝑔𝑛+1, ℎ), 𝐶𝑇∗ is a valid ciphertext; else if 𝑇 israndom, 𝐶𝑇∗ is independent of 𝑏.Guess. If A outputs 𝑏 = 𝑏, B guesses that 𝑇 = 𝑒(𝑔𝑛+1, ℎ).Otherwise,B guesses that 𝑇 is random.

Therefore,B can break the decisional 𝑛−BDHE assump-tion with nonnegligible advantage.


. . .

Industrial Cloud

KGCIndustry Alliance Manager

(AAC)

Industry Enterprise

Scientific Research Institutions

Sales Enterprises

Manufacturing Enterprises Consultant Firms

Logistics Enterprises

①

⑤

④

③

②

Figure 2: Application in industrial cloud.

5.2. Privacy

Theorem 10. If the DDH assumption holds in G2, our PPGK-ABE scheme is privacy preserving in key generation phase.

Proof. If DDH assumption holds in G2, no probabilisticpolynomial-time adversary can distinguish following tuple:(ℎ𝛼, ℎ𝛽, ℎ𝛼𝛽, ℎ𝛾) and (ℎ𝛼, ℎ𝛽, ℎ𝛾, ℎ𝛼𝛽), where ℎ is a generatorof group G2, and 𝛼, 𝛽, 𝛾 are selected from 𝑍∗𝑝 randomly.Therefore, no probabilistic polynomial-time adversary canwin the security game for privacy.

6. Application in Industrial Cloud

Nowadays, new technological revolution represented by BigData, cloud computing, and Internet of Things is chang-ing the traditional industrial manufacturing system [28,29]. Industrial cloud provides more convenient and securecooperation model for the industrial enterprises [30–32].The ABE scheme has been gradually used in the industrialcloud environment. In these applications, the qualifications,patents, and procurement plans owned by an enterprise oftenrepresent its attributes. Using traditional ABE system, theenterprise has to disclose these attributes' information thatmay relate to business secret to the KGC for applying thecorresponding private key. Our PPGK-ABE scheme can solvethis problem correctly. In this section, we introduce howto deploy our scheme in the industrial cloud environment.Figure 2 shows the specific structure of the application usingour PPGK-ABE scheme. It consists of the following entities:

(i) Industry Enterprise: in this system, the role of indus-try enterprise is data user. They want to get usefulinformation according to their business, but they donot want to reveal their attributes information thatmay relate to their business secret to KGC.

(ii) Industry Alliance Manager: in this system, the role ofthe industry alliance manager is AAC, which issuesblind token for the attributes of industry enterprisesafter reviewing the relevant evidence.

(iii) KGC: its responsibility is to issue the correspondingkey to the attributes of industry enterprises. In thissystem, KGC cannot get these attributes.

(iv) Industrial Information Provider: in this system,industrial information providers are the membersof the industrial alliance and include manufacturingenterprises, sales enterprises, logistics enterprises,scientific research institutions, consultant firms, andso on. They will use ABE scheme to share theirencrypted data.

(v) Industrial Cloud: industrial cloud serves as datastorage center and data sharing center in this system.In order to protect security and privacy of industrialBig Data, the industrial information providers uploadtheir data in encrypted form.

The specific workflow is as follows:

(1) After checking the relevant evidence, the indus-try enterprise and the industry alliance managerrun UserTemKeyGen and BlindTokenGen algorithms,respectively. The industry enterprise gets the blindtoken corresponding to its attributes.

(2) When the industry enterprises need to ask for theirattributes keys, they will submit their blind tokensto KGC. The KGC runs BlindKenGen algorithm andreturns blind secret keys to the industry enterprises.In this process, the KGC cannot get any informationabout the enterprises’ attributes.

(3) After receiving the blind secret keys, the industryenterprises run KeyExtra algorithm to obtain their


own secret key. Even if the industry alliance managerknows the attributes of industry enterprises, it doesnot know the secret keys corresponding to theseattributes.

(4) The industrial information providers run Encryptalgorithm to encrypt the industrial data based onsome access policies. Then, they share encrypted dataon the cloud. Only the enterprises that meet thepolicies can access corresponding data.

(5) The industry enterprises acquire encrypted data fromthe cloud and run Decrypt algorithm to get plaintext.

In the above application, industrial information providerscan share industrial data according to enterprises’ attributes.Only the enterprises that meet the access policy are ableto access data. Unlike traditional ABE solutions, in thisapplication, the attributes information of enterprises will notbe known by KGC. The business secret of enterprises isprotected.

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

Thiswork is supported by theNational Natural Science Foun-dation of China (No. 61602287, No. 61802235, No. 61672330,and No. 61702168), the Primary Research & DevelopmentPlan of Shandong Province (No. 2018GGX101037), and theMajor Scientific and Technological Innovation Project ofShandong Province (No. 2018CXGC0702).

References

[1] F. Wang, J. Mickens, N. Zeldovich, and V. Vaikuntanathan,“Sieve: Cryptographically enforced access control for userdata in untrusted clouds,” in Proceedings of the13th USENIXSymposium on Networked Systems Design and Implementation,(NSDI, ’16), pp. 611–626, Santa Clara, Calif, USA, 2016.

[2] M. Zhang, Y. Zhang, Y. Jiang, and J. Shen, “Obfuscating evesalgorithm and its application in fair electronic transactions inpublic clouds,” IEEE Systems Journal, pp. 1–9, 2019.

[3] X. Li, Y. Zhu, J. Wang, Z. Liu, Y. Liu, and M. Zhang, “On thesoundness and security of privacy-preserving SVM for out-sourcing data classification,” IEEE Transactions on Dependableand Secure Computing, vol. 15, no. 5, pp. 906–912, 2018.

[4] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” inProceedings of the 24th Annual International Conference on theTheory and Applications of Cryptographic Techniques, Advancesin Cryptology - EUROCRYPT ’05, vol. 3494 of Lecture Notesin Computer Science, pp. 457–473, Springer, Aarhus, Denmark,2005.

[5] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,”in Proceedings of the 13th ACM Conference on Computer andCommunications Security, (CCS ’06), pp. 89–98, Alexandria, VA,USA, November 2006.

[6] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters,“Fully secure functional encryption: Attribute-based encryp-tion and (hierarchical) inner product encryption,” in Pro-ceedings of the 29th Annual International Conference on theTheory and Applications of Cryptographic Techniques, Advancesin Cryptology - EUROCRYPT ’10, vol. 6110 of Lecture Notes inComputer Science, pp. 62–91, Springer, Monaco, FrenchRiviera,2010.

[7] H. Wang, Z. Zheng, L. Wu, and D. He, “New large-universemulti-authority ciphertext-policy ABE scheme and its applica-tion in cloud storage systems,” Journal of High Speed Networks,vol. 22, no. 2, pp. 153–167, 2016.

[8] H.Wang, D. He, J. Shen, Z. Zheng, C. Zhao, andM. Zhao, “Ver-ifiable outsourced ciphertext-policy attribute-based encryptionin cloud computing,” Soft Computing, vol. 21, no. 24, pp. 7325–7335, 2017.

[9] A. Shamir, “Identity-based cryptosystems and signatureschemes,” inProceedings of the CRYPTO ’84Advances in Crypto-logy, vol. 196 of Lecture Notes in Computer Science, pp. 47–53,Springer, Santa Barbara, Calif, USA, 1984.

[10] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in Proceedings of the IEEE Sympo-sium on Security and Privacy (S&P ’07), pp. 321–334, Oakland ,Calif, USA, 2007.

[11] H. Wang, D. He, J. Shen, Z. Zheng, X. Yang, and M. H. Au,“Fuzzy matching and direct revocation: a new CP-ABE schemefrommultilinear maps,” Soft Computing, vol. 22, no. 7, pp. 2267–2274, 2018.

[12] H. Wang and Y. Song, “Secure cloud-based EHR systemusing attribute-based cryptosystem and blockchain,” Journal ofMedical Systems, vol. 42, no. 8, pp. 152:1–152:9, 2018.

[13] H. Wang, Z. Zheng, L. Wu, and P. Li, “New directly revocableattribute-based encryption scheme and its application in cloudstorage environment,” Cluster Computing, vol. 20, no. 3, pp.2385–2392, 2017.

[14] D. J. Lehmann and M. O. Rabin, “On the advantages of freechoice: A symmetric and fully distributed solution to thedining philosophers problem,” in Proceedings of the ConferenceRecord of the Eighth Annual ACM Symposium on Principles ofProgramming Languages, pp. 133–138, Williamsburg, Va, USA,January 1981.

[15] S. Even, O. Goldreich, and A. Lempel, “A randomized protocolfor signing contracts,”Communications of the ACM, vol. 28, no.6, pp. 637–647, 1985.

[16] G. Brassard, C. Crépeau, and J.-M. Robert, “All-or-nothingdisclosure of secrets,” in Proceedings of the CRYPTO ’86 -Advances in Cryptology, vol. 263 ofLectureNotes in Comput. Sci.,pp. 234–238, Springer, Santa Barbara, Calif, USA, 1986.

[17] J. P. Stern, “A new efficient all-or-nothing disclosure of secretsprotocol,” in Proceedings of the International Conference onthe Theory and Applications of Cryptology and InformationSecurity, Advances in Cryptology - ASIACRYPT ’98, vol. 1514of Lecture Notes in Computer Science, pp. 357–371, Springer,Beijing, China, 1998.

[18] M. Naor and B. Pinkas, “Efficient oblivious transfer protocols,”in Proceedings of the Twelfth Annual Symposium on DiscreteAlgorithms, pp. 448–457, SIAM, Washington, DC, USA, 2001.


[19] B. Aiello, Y. Ishai, and O. Reingold, “Priced oblivious transfer:How to sell digital goods,” in Proceedings of the InternationalConference on the Theory and Application of CryptographicTechniques, Advances in Cryptology - EUROCRYPT ’01, vol.2045 of Lecture Notes in Comput. Sci., pp. 119–135, Springer,Innsbruck, Austria, 2001.

[20] W.-G. Tzeng, “Efficient 1-out-of-n oblivious transfer schemeswith universally usable parameters,” IEEE Transactions onComputers, vol. 53, no. 2, pp. 232–240, 2004.

[21] Y. Ishai, J. Kilian, K. Nissim, and E. Petrank, “Extendingoblivious transfers efficiently,” in Proceedings of the 23rd AnnualInternational Cryptology Conference-Advances in Cryptology -CRYPTO ’03, vol. 2729, pp. 145–161, Springer, Santa Barbara,Calif, USA, 2003.

[22] H. Qin, H. Wang, X. Wei, L. Xue, and L. Wu, “Privacy-preserv-ing wildcards pattern matching protocol for IoT applications,”IEEE Access, vol. 7, pp. 36094–36102, 2019.

[23] Q. Wang, L. Gao, H. Wang, and X. Wei, “Face detection forprivacy protected images,” IEEE Access, vol. 7, pp. 3918–3927,2019.

[24] H. Xia, J. Yu, C.-L. Tian, Z.-K. Pan, and E. Sha, “Light-weighttrust-enhanced on-demand multi-path routing in mobile adhoc networks,” Journal of Network and Computer Applications,vol. 62, pp. 112–127, 2016.

[25] H. Xia, J. Yu, Z.-K. Pan, X.-G. Cheng, and E. H.-M. Sha,“Applying trust enhancements to reactive routing protocols inmobile ad hoc networks,” Wireless Networks, vol. 22, no. 7, pp.2239–2257, 2016.

[26] C. Hazay and Y. Lindell, Efficient Secure Two-Party Protocols,Information Security and Cryptography, Springer, Berlin, Ger-many, 2010.

[27] C. Chen, Z. Zhang, and D. Feng, “Efficient ciphertext policyattribute-based encryption with constant-size ciphertext andconstant computation-cost,” in Proceedings of the 5th Interna-tional Conferenceo on Provable Security, ProvSec ’11, vol. 6980 ofLecture Notes in Computer Science, pp. 84–101, Springer, Xi’an,China, 2011.

[28] H. Xia, S. Zhang, B. Li, L. Li, and X. Cheng, “Towards anovel trust-based multicast routing for VANETs,” Security andCommunication Networks, vol. 2018, Article ID 7608198, 12pages, 2018.

[29] H. Xia, C.Hu, F. Xiao, X. Cheng, andZ. Pan, “An efficient social-like semantic-aware service discovery mechanism for large-scale Internet of Things,” Computer Networks, vol. 152, pp. 210–220, 2019.

[30] R. Chaudhary, G. S. Aujla, S. Garg, N. Kumar, and J. J.P. C. Rodrigues, “SDN-Enabled multi-attribute-based securecommunication for smart grid in IIoT environment,” IEEETransactions on Industrial Informatics, vol. 14, no. 6, pp. 2629–2640, 2018.

[31] M. Zhang, Y. Yao, Y. Jiang, B. Li, and C. Tang, “Account-able mobile E-commerce scheme in intelligent cloud systemtransactions,” Journal of Ambient Intelligence and HumanizedComputing, vol. 9, no. 6, pp. 1889–1899, 2018.

[32] Z. Liu, X. Huang, Z. Hu, M. K. Khan, H. Seo, and L. Zhou,“On emerging family of elliptic curves to secure internet ofthings: ECC comes of age,” IEEE Transactions on Dependableand Secure Computing, vol. 14, no. 3, pp. 237–248, 2017.

International Journal of

AerospaceEngineeringHindawiwww.hindawi.com Volume 2018

RoboticsJournal of

Hindawiwww.hindawi.com Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwww.hindawi.com

Volume 2018

Hindawi Publishing Corporation http://www.hindawi.com Volume 2013Hindawiwww.hindawi.com

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of


Hindawiwww.hindawi.com

Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling &Simulationin EngineeringHindawiwww.hindawi.com Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

www.hindawi.com Volume 2018

Advances in

Multimedia

Submit your manuscripts atwww.hindawi.com
https://www.hindawi.com/journals/ijae/https://www.hindawi.com/journals/jr/https://www.hindawi.com/journals/apec/https://www.hindawi.com/journals/vlsi/https://www.hindawi.com/journals/sv/https://www.hindawi.com/journals/ace/https://www.hindawi.com/journals/aav/https://www.hindawi.com/journals/jece/https://www.hindawi.com/journals/aoe/https://www.hindawi.com/journals/tswj/https://www.hindawi.com/journals/jcse/https://www.hindawi.com/journals/je/https://www.hindawi.com/journals/js/https://www.hindawi.com/journals/ijrm/https://www.hindawi.com/journals/mse/https://www.hindawi.com/journals/ijce/https://www.hindawi.com/journals/ijap/https://www.hindawi.com/journals/ijno/https://www.hindawi.com/journals/am/https://www.hindawi.com/https://www.hindawi.com/

efficient attribute-based encryption with privacy ... · proposed the concept of fuzzy identity...

Documents