
An efficient attribute-based hierarchical data access control scheme in cloud computing

Abstract

Security issues in cloud computing have become a hot topic in academia and industry, and CP-ABE is an effective solution for managing and protecting data. When data is shared in cloud computing, the shared files usually have multiple access structures with hierarchical relationships. However, existing CP-ABE algorithms do not consider such relationships and simply require data owners to generate multiple ciphertexts to meet the hierarchical access requirement, which incurs substantial computation overhead. To achieve fine-grained access control of multiple hierarchical files effectively, we first propose an efficient hierarchical CP-ABE algorithm whose access structure is a linear secret sharing scheme. Moreover, we construct an attribute-based hierarchical access control scheme, namely AHAC. In our scheme, when a data visitor’s attributes match a part of the access control structure, he can decrypt the data associated with that part. The experiments show that AHAC has good security and high performance. Furthermore, as the quantity of encrypted data files increases, the superiority of AHAC becomes more significant.

Introduction

The advent of the mobile Internet era has brought data sharing into people’s daily life, and the relevant platforms, such as Facebook, Badoo and MySpace, are widely used. In the meantime, cloud computing has become a promising technology for massive data sharing [1]. Before sharing data, users usually choose to encrypt it to protect its security. One traditional method is to use symmetric encryption; the other is to use public key encryption [2,3,4]. Nevertheless, there are some problems with these methods. Some of them cannot achieve flexible access control [2], some schemes perform poorly [3], and some have security defects [4]. Therefore, attribute-based encryption (ABE) [5] was proposed to overcome these problems in unreliable storage environments. In ciphertext-policy ABE (CP-ABE), the access control strategy is encrypted into the ciphertext [6]. This feature makes it very suitable for data sharing. In CP-ABE, the plaintext encryption time is only linearly proportional to the attribute number, so it is efficient. Shamir’s secret sharing scheme [6] is the foundation of the traditional CP-ABE algorithm. In 2011, a more efficient algorithm based on the linear secret sharing scheme (LSSS) was proposed [7].

In actual application scenarios, shared data files usually have multiple access structures with hierarchical relationships. This relationship is common in the health and military fields. Most CP-ABE schemes do not consider this hierarchical relationship and simply require data owners to generate multiple ciphertexts to encrypt these files, which incurs substantial computation overhead. Wang proposed a File Hierarchy ABE scheme (FH-CP-ABE) [8], which integrates multiple different access structures with hierarchical relationships into a single access structure. When a data visitor’s attributes match part of the access structure, he can decrypt the data associated with that part. Only when the entire access structure is satisfied can all the data be decrypted. Since the data owner does not need to generate multiple access structures and ciphertexts, the efficiency is greatly improved. However, FH-CP-ABE uses a tree access structure, so its efficiency is still low.

In this article, our contributions are as follows:

(1) We design a hierarchical CP-ABE algorithm whose access structure is an LSSS matrix. In the algorithm, multiple hierarchical access control structures of data files are integrated into a single LSSS matrix, so all the data are encrypted into a single ciphertext.

(2) Based on the proposed CP-ABE algorithm, we construct an Attribute-based Hierarchical data Access Control scheme (AHAC) for cloud computing. In AHAC, we achieve efficient and flexible access control. When a data visitor’s attributes match a part of the access control structure, he can decrypt the data associated with that part. Moreover, the scheme requires just one encryption and one decryption operation to complete work for which traditional schemes need multiple encryptions and decryptions.

(3) We conduct security analysis and performance evaluation for AHAC. Security analysis shows that AHAC has prominent security features. Performance evaluation demonstrates that the private key production time and storage cost of our scheme are only 25 percent of those of FH-CP-ABE, and the encryption and decryption time and ciphertext storage cost also have advantages.

The remaining parts of this paper are organized as follows. In “Related work” section, we introduce some related work in this field. In “Preliminaries” section, we introduce preliminaries which contain some notions and definitions. Then, the detailed construction of AHAC is presented in “AHAC: attribute-based hierarchy data access control scheme” section. In “Security analysis and performance evaluation” section, we provide security analysis and performance evaluation. Finally, the conclusions are given in “Conclusions” section.

Related work

The fuzzy identity-based encryption [5] put forward by Sahai and Waters in 2005 is the prototype of ABE. The basic ABE can only represent the “threshold” operation of attributes, and the threshold parameters are set by the authorized authority rather than by the sender. Cheung realized the first CP-ABE scheme, which supports only an “AND” gate access control strategy [9]. To implement a more flexible strategy, a new CP-ABE was designed by Bethencourt. His scheme applies the tree access control structure to realize the “AND”, “OR”, and “OF” strategies, and achieves fine-grained access control [6]. However, it cannot provide strong security. In 2008, Goyal and Jain put forward a CP-ABE scheme that has selective security under the decisional Bilinear Diffie-Hellman (d-BDH) assumption [10]. Nevertheless, the time consumed by encryption and decryption, and the sizes of its private key and ciphertext, grow as \( n^{3.42} \) (n represents the number of attributes associated with the access control tree), which limits its practicability. In 2011, Lewko and Waters proposed a technique that can transform an access control tree into an LSSS representation. This technique makes it possible to replace the tree structure with a matrix structure. Thus, in the same year, Waters designed a CP-ABE scheme using a matrix structure [7]. The time consumed by encryption and decryption, and the sizes of the private key and ciphertext, increase linearly with the attribute number. Besides, the scheme has selective security under the decisional q-parallel BDH Exponent (d-Parallel BDHE) assumption [7]. Some schemes [11,12,13,14,15] have applied CP-ABE to realize file access control in the cloud. There are also schemes that improve the algorithm itself: [16, 17] fix the ciphertext size to improve performance, [18, 19] improve security through authority control or accountability, and [20,21,22] support attribute revocation to improve practicability. Scheme [23] supports proxy computing to private servers, [24] supports hidden access policy, and [25] proposes a lightweight and efficient CP-ABE. However, none of them consider the hierarchical access relationships of multiple shared files.

Researchers have also proposed some hierarchical CP-ABE schemes based on a tree or LSSS matrix structure. The schemes proposed in [26,27,28] use multiple hierarchical authorized organizations to create secret keys cooperatively for users, and alleviate the burden of a single authority center. In [29,30,31], schemes without a central authority were further proposed, which improved the system security. In [32], there is a hierarchical relationship between attributes, and attributes with high permission can replace attributes with low permission when decrypting. In [8], FH-CP-ABE is proposed for cloud data access control, and an integrated tree access structure is used for encrypting all the data. However, its efficiency is still not high. It should be noted that in our scheme, we focus on the issue of hierarchical access relationships of multiple shared files, which is the same as [8].

Preliminaries

First of all, we present the related preliminaries of AHAC, then we describe an example of using these techniques to implement hierarchical access control, and last we give the definition of d-Parallel BDHE.

Hierarchical access control

In the traditional CP-ABE scheme, a user’s attributes either satisfy the access control structure, so that the plaintext can be obtained, or do not satisfy it, so that the plaintext cannot be obtained. As shown in Fig. 1, only users 1 and 4 can recover the plaintext, because their attributes match the access control structure.

Fig. 1 An instance of the data access process in CP-ABE

In hierarchical access control, multiple different access structures with hierarchical relationships can be integrated into a single access structure. As shown in Fig. 2, T1 and T2 represent the access structures of m1 and m2 respectively, and they have a hierarchical relationship, so they can be integrated into a single access structure T. As shown in Fig. 3, when a data visitor’s attributes match part of the access structure, he can decrypt the data associated with that part (User 2). Only when the entire access structure is satisfied can all the data be decrypted (User 1). Since the data owner does not need to generate multiple access structures and ciphertexts, the efficiency is greatly improved.

Fig. 2 An instance of the integrated access control structure

Fig. 3 An instance of the hierarchical access control process

Linear secret sharing scheme

Beimel first proposed the definition of LSSS in [33]: A secret sharing scheme Π over a collection of parties P is called linear over \( Z_{p} \) when:

(1) The shares of all the parties form a vector over \( Z_{p} \).

(2) There exists a matrix M for Π that is used for producing shares. M has l rows and n columns. For \( i = 1,2, \ldots ,l \), the ith row \( M_{i} \) of M is labeled by a party \( \rho (i) \), where the function \( \rho \) satisfies: \( \{ 1,2, \ldots ,l\} \to e \). Given a column vector \( \vec{v} = (s,r_{2} , \ldots ,r_{n} ) \), in which \( s \in Z_{p} \) is the shared secret and \( r_{2} , \ldots ,r_{n} \in Z_{p} \) are randomly chosen, \( M\vec{v} \) is the vector of the l shares of s according to Π. The share \( \lambda_{i} = (M\vec{v})_{i} \) belongs to party \( \rho (i) \).

It is shown in [33] that each LSSS has the linear reconstruction property: Assume that there exists an LSSS Π corresponding to the access structure T, let \( S \in T \) be an arbitrary authorized set, and let \( I \subset \{ 1, \ldots ,l\} \) be defined as \( I = \{ i:\rho (i) \in S\} \). Then there are constants \( \{ \omega_{i} \in Z_{p} \}_{i \in I} \) such that \( \sum\nolimits_{i \in I} {\omega_{i} \lambda_{i} } = s \), where \( \{ \lambda_{i} \} \) are shares of an arbitrary secret s according to Π. In addition, \( \{ \omega_{i} \} \) can be found in time polynomial in the size of the share-generating matrix M.

For any unauthorized set of rows I, there exists a vector \( \omega \) such that \( \omega \cdot (1,0, \ldots ,0) = - 1 \) and \( \omega \cdot M_{i} = 0 \) for all \( i \in I \).

The following can be obtained by mathematical derivation for a randomly selected vector \( \vec{v} = (s_{1} , \ldots ,s_{j} , \ldots ,s_{n} ) \), where \( s_{j} \in Z_{p} \) is the jth of the n secrets that need to be recovered and corresponds to a non-leaf node in the tree structure. When recovering a secret, if the set of attributes held satisfies this non-leaf node, then constants \( \{ \omega_{i,j} \in Z_{p} \}_{i \in I} \) can be found in polynomial time that satisfy \( \sum\nolimits_{i \in I} {\omega_{i,j} M_{i}^{T} } = \varepsilon_{j} \), where \( \varepsilon_{j} \) is a row vector of length n whose jth element is 1 and whose remaining elements are 0. Then we get \( s_{j} = \sum\nolimits_{i \in I} {\omega_{i,j} \lambda_{i} } \).

Marking method to construct LSSS matrix

Beimel proved that an access control strategy described by a tree structure can be converted to a matrix M in LSSS, but no specific conversion method is given in [33]. It was not until 2011 that Lewko and Waters presented a construction method for an LSSS matrix in [34]: given an access tree defined by a Boolean formula, it can be converted to an LSSS matrix by a marking method. And any one of the propositional paradigms can find its Boolean formula. The specific conversion method can be found in [33].

An example of hierarchical access control using LSSS matrix

There is a hierarchical access tree T which is shown in Fig. 2, and its Boolean formula is (A AND (B AND (C OR D))). We can use the above marking method to convert it to an LSSS matrix by Formula 1 as:

$$ M = \begin{pmatrix} 1 & 1 & 0 \\ 0 & -1 & 1 \\ 0 & 0 & -1 \\ 0 & 0 & -1 \end{pmatrix} $$
(1)

Next, we give an example of how to use the LSSS matrix to achieve hierarchical access control.

When encrypting, we randomly select a vector \( \vec{v} = (s_{1} ,s_{2} ,s_{3} ) = (2,5,3) \), in which \( s_{1} ,s_{2} ,s_{3} \) are secrets assigned to the non-leaf nodes in Fig. 2. Then we can calculate λ by Formula 2:

$$ \lambda = M \cdot \vec{v} = \begin{pmatrix} 1 & 1 & 0 \\ 0 & -1 & 1 \\ 0 & 0 & -1 \\ 0 & 0 & -1 \end{pmatrix} \cdot \begin{pmatrix} 2 \\ 5 \\ 3 \end{pmatrix} = \begin{pmatrix} 7 \\ -2 \\ -3 \\ -3 \end{pmatrix} $$
(2)

From “Linear secret sharing scheme”, we know \( s_{j} = \sum\nolimits_{i \in I} {\omega_{i,j} \lambda_{i} } \), where \( I = \{ i:\rho (i) \in S\} \), \( \rho (i) \) maps the ith row to the attribute represented by this row, and S is the user’s attribute set. Thus, we can get Formula 3:

$$ s_{j} = \omega_{j}^{T} \lambda_{A} \quad \text{where } \lambda_{A} = \begin{pmatrix} \lambda_{1} \\ \vdots \\ \lambda_{i} \\ \vdots \\ \lambda_{l} \end{pmatrix}_{i \in I} $$
(3)

Obviously, we must get \( \omega_{j} \) if we want to get \( s_{j} \), so we make the derivation in Formula 4:

$$ s_{j} = s_{j}^{T} = \lambda_{A}^{T} \omega_{j} = (M_{A} \cdot \vec{v}^{T} )^{T} \omega_{j} = \vec{v} \cdot (M_{A}^{T} \omega_{j} ) \quad \text{where } M_{A} = \begin{pmatrix} M_{1} \\ \vdots \\ M_{i} \\ \vdots \\ M_{l} \end{pmatrix}_{i \in I} $$
(4)

We set \( M_{A}^{T} \omega_{j} = \varepsilon_{j} \), so \( s_{j} = \vec{v} \cdot \varepsilon_{j} \). Here we take \( \varepsilon_{j} \) as a row vector of length n whose jth element is 1 and whose remaining elements are 0.

When decrypting, if a decryptor only has the attributes B, C, i.e., it only satisfies the partial access structure, then he can get \( \omega_{2} ,\omega_{3} \) by Formula 5 and 6:

$$ M_{A}^{T} \omega_{3} = \begin{pmatrix} 0 & 0 \\ -1 & 0 \\ 1 & -1 \end{pmatrix} \cdot \omega_{3} = \varepsilon_{3} = \begin{pmatrix} 0 \\ 0 \\ 1 \end{pmatrix} $$
(5)

$$ M_{A}^{T} \omega_{2} = \begin{pmatrix} 0 & 0 \\ -1 & 0 \\ 1 & -1 \end{pmatrix} \cdot \omega_{2} = \varepsilon_{2} = \begin{pmatrix} 0 \\ 1 \\ 0 \end{pmatrix} $$
(6)

Thus, \( \omega_{3} = \begin{pmatrix} 0 \\ -1 \end{pmatrix} \), \( \omega_{2} = \begin{pmatrix} -1 \\ -1 \end{pmatrix} \). Finally, he can get \( s_{3} \) and \( s_{2} \) from Formulas 7 and 8:

$$ s_{3} = \omega_{3}^{T} \lambda_{A} = \begin{pmatrix} 0 & -1 \end{pmatrix} \cdot \begin{pmatrix} -2 \\ -3 \end{pmatrix} = 3 $$
(7)

$$ s_{2} = \omega_{2}^{T} \lambda_{A} = \begin{pmatrix} -1 & -1 \end{pmatrix} \cdot \begin{pmatrix} -2 \\ -3 \end{pmatrix} = 5 $$
(8)

Similarly, if the decryptor has the attributes A, B, and C, then he satisfies the entire access structure, and all the secrets \( s_{1} ,s_{2} ,s_{3} \) can be computed by the above steps.
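
The worked example above (Formulas 1 to 8), as an added Python illustration that is not code from the paper: it computes the shares \( \lambda = M \cdot \vec{v} \) over \( Z_{p} \) and, for a given attribute set, solves \( M_{A}^{T} \omega_{j} = \varepsilon_{j} \) to decide which secrets \( s_{j} \) are recoverable. The modulus `P` and all function names are assumptions, and only the linear algebra is modeled, not the pairing-based AHAC-CP-ABE functions.

```python
"""LSSS hierarchical secret recovery for the matrix of Formula 1.

Added illustration, not the authors' implementation. Shares are handled in
the clear here; in the real scheme they live in the exponent of a pairing
group and are bound to a per-user random value t.
"""

P = 2**61 - 1  # assumption: a prime modulus for Z_p (the page uses small integers)

# Formula 1; rho labels the rows with attributes A, B, C, D.
M = [
    [1, 1, 0],
    [0, -1, 1],
    [0, 0, -1],
    [0, 0, -1],
]
RHO = ["A", "B", "C", "D"]


def make_shares(matrix, v, p=P):
    """Return lambda = M * v (mod p), one share per row/attribute."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def solve_mod_p(A, b, p=P):
    """Solve A x = b over Z_p by Gauss-Jordan elimination.

    Returns one solution (free variables set to 0) or None if inconsistent.
    """
    rows = len(A)
    cols = len(A[0]) if A else 0
    aug = [[x % p for x in A[r]] + [b[r] % p] for r in range(rows)]
    pivots = []
    r = 0
    for c in range(cols):
        if r == rows:
            break
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue  # no pivot in this column: free variable
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    # A zero row with a non-zero right-hand side means no solution exists.
    if any(aug[i][cols] for i in range(r, rows)):
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def recover(attrs, shares, matrix=M, rho=RHO, p=P):
    """Return {j: s_j} for every secret the attribute set can reconstruct."""
    I = [i for i, a in enumerate(rho) if a in attrs]  # I = {i : rho(i) in S}
    n = len(matrix[0])
    # M_A^T: n rows, one column per row of M held by the user.
    ma_t = [[matrix[i][k] for i in I] for k in range(n)]
    found = {}
    for j in range(n):
        eps = [1 if k == j else 0 for k in range(n)]
        w = solve_mod_p(ma_t, eps, p)  # omega_j with M_A^T omega_j = eps_j
        if w is not None:
            found[j + 1] = sum(wi * shares[i] for wi, i in zip(w, I)) % p
    return found


if __name__ == "__main__":
    shares = make_shares(M, [2, 5, 3])  # v = (s1, s2, s3) from the page
    for attrs in ({"B", "C"}, {"A", "B", "C"}, {"A", "B"}, {"A", "C"}):
        print(sorted(attrs), "->", recover(attrs, shares))
```

With attributes B and C the function returns \( s_{2} \) and \( s_{3} \) but not \( s_{1} \), matching Formulas 7 and 8; A and B without C or D recover nothing, because no combination of their rows yields any \( \varepsilon_{j} \).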

AHAC: attribute-based hierarchy data access control scheme

In this chapter, we first give the overview and the security assumptions of AHAC. After that, we design the core algorithm of AHAC, namely AHAC-CP-ABE. Finally, we present the system operations of AHAC in detail.

Scheme overview

The system framework of AHAC is shown in Fig. 4. Firstly, the central authority (CA) performs the system initialization operation and generates system attributes and relevant keys. Then, a double encryption mechanism is used to improve efficiency, that is, the data owner chooses n symmetric keys \( \{ ck_{1} , \ldots ,ck_{n} \} \) to encrypt the data files \( \{ f_{1} , \ldots ,f_{n} \} \) respectively using a symmetric encryption algorithm (AES, DES, etc.), and encrypts \( \{ ck_{1} , \ldots ,ck_{n} \} \) using the AHAC-CP-ABE algorithm. The highly efficient symmetric encryption algorithm is used to encrypt the large files, and the CP-ABE algorithm is used to encrypt the small symmetric keys. Compared with the symmetric encryption algorithm, the performance of the CP-ABE algorithm is relatively lower. However, the CP-ABE algorithm brings an obvious advantage in key management, with which we can easily implement access control of encrypted data. Thus, we use this double encryption method to achieve secure, efficient and fine-grained data access control in the cloud.

Fig. 4 The system framework of AHAC

The user then transfers the two ciphertexts to the cloud server (CS), and CS stores them for sharing. When a data visitor wishes to obtain the data files, he contacts CA, and CA distributes the corresponding private keys to him according to his attributes. Then, this data visitor obtains the ciphertexts from CS. When his attributes match part or all of the access control structure, he can decrypt the symmetric keys associated with that part. At last, the data visitor is able to get the corresponding files using the symmetric keys. It is clear from our framework that only one encryption and decryption operation is needed to share multiple files securely, while traditional schemes have to perform multiple encryption and decryption operations.

Security assumptions

In this section, we will present security assumptions for several entities in the system.

We consider CS to be honest but curious in AHAC, as the related work [35] does; that is, CS will honestly perform the task of private key distribution, yet it also tries to learn the contents of the data files and symmetric keys stored on it. Besides, CS is online all the time to provide stable services.

CA is fully trusted and is online all the time. There is a secure approach for CA to transfer private keys to users. Users can get the services of the system at any time.

Any number of unauthorized users may launch collusion attacks and try to obtain the confidential data.

AHAC-CP-ABE

AHAC-CP-ABE includes four functions: system initialization, private key production, encryption and decryption. These functions provide the following behavior: when a data visitor’s attributes match a part of the access control structure, he can decrypt the data associated with that part, and when the entire access structure is satisfied, all the data can be decrypted. Here are the details of the algorithm:

(1) System initialization

Function 1 takes the system attribute set U and a parameter k specifying the system security as input, and produces a system master key MK and a corresponding public key PK.

(2) Private key production

As shown in Function 2, it takes PK, MK, and the attribute set S of a user as input, and produces a user private key SK that is related to S.

(3) Encryption

As shown in Function 3, the encryption function takes a plaintext set \( \{ m_{j} ,j \in (1,n)\} \), PK, and an LSSS matrix structure \( (M,\rho ) \) as input, and returns a ciphertext CT. For an LSSS matrix structure \( (M,\rho ) \), the dimension of M is \( l \times n \), \( M_{i} \) is the ith row of M, and \( \rho (i) \) maps \( M_{i} \) to the attribute it represents.

(4) Decryption

As shown in Function 4, CT and SK are the inputs, and the output is the plaintext set \( m_{j} \). \( M_{A} \) is a matrix composed of the row vectors in M that correspond to the attribute set S associated with SK. \( \varepsilon_{j} \) is a row vector of length n, in which the jth element is 1 and the remaining elements are 0. \( I = \{ i:\rho (i) \in S\} \).

The detailed operation process of AHAC

AHAC consists of six operations: System initialization, encryption of data files, encryption of symmetric keys, user authorization, decryption of symmetric keys and decryption of data files.

(1) System setup

CA designates an attribute set U and invokes Function 1 to produce a master key MK and a public key PK, and MK is safely stored in CA.

(2) Encryption of data files

The data owner (DO) chooses n symmetric keys \( \{ ck_{1} , \ldots ,ck_{n} \} \) to encrypt his data files \( \{ f_{1} , \ldots ,f_{n} \} \) respectively with a symmetric encryption algorithm. The data file ciphertexts are denoted as: \( EF = \{ E_{{ck_{1} }} (f_{1} ), \ldots ,E_{{ck_{n} }} (f_{n} )\} \).

(3) Encryption of symmetric keys

DO defines access trees \( \{ T_{1} , \ldots ,T_{n} \} \) for his data files \( \{ f_{1} , \ldots ,f_{n} \} \) respectively and integrates them into a single access tree T. Then, he uses the marking method to convert T to an LSSS matrix structure \( (M,\rho ) \). Next, he calls Function 3 to encrypt his symmetric keys \( \{ ck_{1} , \cdots ,ck_{n} \} \) and generates a symmetric key ciphertext CT. Finally, he sends CT and EF to CS, and CS stores them.

(4) User authorization

For any data visitor, CA specifies a set S of attributes and calls Function 2 to output the corresponding private key SK.

(5) Decryption of symmetric keys

When a user wants to obtain some files from CS, CS first checks whether his attributes match part or all of the access control structure of those data files. If not, CS refuses the user’s request; otherwise, CS sends CT to the user. After obtaining CT, the user calls Function 4 to get the symmetric keys. When his attributes satisfy a part of the access tree, he can decrypt the symmetric keys associated with that part, assuming \( \{ ck_{1} , \ldots ,ck_{n} \} \). Only when his attributes match the entire access control structure can he obtain all the symmetric keys.

(6) Decryption of data files

In the last step, the user downloads \( \{ E_{{ck_{1} }} (f_{1} ), \ldots ,E_{{ck_{n} }} (f_{n} )\} \) and uses \( \{ ck_{1} , \ldots ,ck_{n} \} \) to decrypt the data files \( \{ f_{1} , \ldots ,f_{n} \} \) by the symmetric decryption algorithm.

To further improve the efficiency, we make the following transformation:

$$ \begin{aligned} ck_{n}^{'} &= ck_{n} , \\ ck_{n - 1}^{'} &= ck_{n - 1} \cup ck_{n}^{'} , \\ ck_{1}^{'} &= ck_{1} \cup ck_{2}^{'} \end{aligned} $$

where \( \{ ck_{1} , \ldots ,ck_{n} \} \) are n symmetric keys. After that, we call Function 3 to encrypt \( \{ ck_{1}^{'} , \ldots ,ck_{n}^{'} \} \) and generate a symmetric key ciphertext CT. When decrypting, we call Function 4 to get the symmetric keys. In Function 4, once we successfully decrypt a \( ck_{j}^{'} \), we can stop the decryption process immediately, since \( ck_{j}^{'} \) contains all the contents of the remaining symmetric keys.

Security analysis and performance evaluation

In this chapter, we give the analysis for the security and the evaluation results for the performance.

Security analysis

We give the security features of AHAC based on the security assumptions presented in chapter 4.2, containing data confidentiality, collusion defense and fine-grained access control.

(1) Data confidentiality

AHAC-CP-ABE algorithm is designed on top of Waters’s algorithm [7]. The security of his scheme is based on d-Parallel BDHE assumption.

d-Parallel BDHE assumption: Select a bilinear group G of prime order p with generator g, and select \( \beta ,s,b_{1} , \ldots ,b_{q} \in Z_{p} \) at random. Even if the adversary gets

$$ \vec{y} = \left\{ \begin{aligned} & g,g^{s} ,g^{\beta } , \ldots ,g^{(\beta^{q} )} ,\;,g^{(\beta^{q + 2} )} , \ldots ,g^{(\beta^{2q} )} \\ & \forall_{1 \le j \le q} \;g^{s \cdot b_{j} } ,g^{\beta /b_{j} } , \ldots ,g^{(\beta^{q} /b_{j} )} ,\;,g^{(\beta^{q + 2} /b_{j} )} , \ldots ,g^{(\beta^{2q} /b_{j} )} \\ & \forall_{1 \le j,k \le q,k \ne j} \;g^{\beta sb_{k} /b_{j} } , \ldots ,g^{\beta^{q} sb_{k} /b_{j} } \end{aligned} \right\} $$

it’s hard for him to get \( e(g,g)^{{\beta^{q + 1} s}} \in G_{T} \).

There is one main difference between the AHAC-CP-ABE algorithm and Waters’s algorithm. In AHAC-CP-ABE, we use all the elements in the secret vector \( \vec{v} \) to allow multiple secrets to be carried in an access control policy, under which multiple plaintexts are encrypted. That is to say, AHAC-CP-ABE exploits all the elements in vector \( \vec{v} \), using each of them to encrypt one plaintext, as shown in Function 3, whereas in Waters’s CP-ABE algorithm, just one element in the vector is used for encrypting a plaintext [7], and for multiple plaintexts the algorithm needs to be executed multiple times. In [7], Waters’s CP-ABE algorithm has selective security under the d-Parallel BDHE assumption. Therefore, AHAC-CP-ABE has the same security under the same assumption.

In AHAC, data files are encrypted using symmetric encryption keys, and these keys are then encrypted using AHAC-CP-ABE. In this mechanism, just the ciphertexts of the files and the ciphertexts of the keys are given to cloud servers. Since the used symmetric encryption algorithm, such as AES, is secure, the security of this mechanism merely relies on the security of AHAC-CP-ABE. In the above paragraph, we have shown that AHAC-CP-ABE is secure under d-Parallel BDHE assumption. Thus, the AHAC is secure under the same model.

(2) Collusion defense

Any number of unauthorized users may launch collusion attacks, trying to access the confidential data files. In AHAC-CP-ABE, CA chooses an element t randomly for each user and uses t to generate a private key for each of them. When a user decrypts a ciphertext, he should compute \( e(g,g)^{{\alpha s_{j} }} \) first, which requires the components of his private key contain the same t. That is to say, different data visitors can’t integrate their private keys to strengthen their decryption power, since they have different values of t in private keys. Therefore, AHAC can resist collusion attacks effectively.

(3) Fine-grained access control

In AHAC, the LSSS matrix access structure is transformed from an access tree which supports “AND”, “OR”, and “OF” threshold operations, and it can represent any complex access control policy. Only data visitors who own the attributes matching the access control structure can obtain the plaintext successfully. Thus, AHAC realizes fine-grained access control.

Performance evaluation

We evaluate the performance of AHAC-CP-ABE from two aspects: its time costs, and the storage costs of ciphertext and private key. Both are compared with those of traditional CP-ABE [6], LSSS-based CP-ABE (hereinafter referred to as LS-CP-ABE) [7], and FH-CP-ABE [8].

We make the following access policy: assume that the plaintext \( M = (m_{1} ,m_{2} , \ldots ,m_{n} ) \), for the traditional CP-ABE and LS-CP-ABE, n policies are needed respectively for \( m_{1} ,m_{2} , \ldots ,m_{n} \) as:

Policy(1): \( \{ (att_{1} ,att_{2} , \ldots ,att_{i} ,j\;of\;i)\;AND\;att_{i + 1} \;AND\;att_{i + 2} \;AND \cdots AND\;att_{i + n - 1} \} \)

Policy(2): \( \{ (att_{1} ,att_{2} , \ldots ,att_{i} ,j\;of\;i)\;AND\;att_{i + 1} \;AND\;att_{i + 2} \;AND \cdots AND\;att_{i + n - 2} \} \)

$$ \cdots \cdots $$

Policy(n−1): \( \{ (att_{1} ,att_{2} , \ldots ,att_{i} ,j\;of\;i)\;AND\;att_{i + 1} \} \)

Policy(n): \( \{ att_{1} ,att_{2} , \ldots ,att_{i} ,j\;of\;i\} \; \)

FH-CP-ABE and AHAC-CP-ABE only need one access policy with n access structure level as:

Policy: \( \{ (att_{1} ,att_{2} , \ldots ,att_{i} ,j\;of\;i)\;AND\;att_{i + 1} \;AND\;att_{i + 2} \;AND \ldots AND\;att_{i + n - 1} \} \)

In Table 1, we compare the performance of four CP-ABE algorithms by theoretical calculation. \( \mu \) represents the global attribute set, \( \omega \in \mu \) represents the attribute information contained in the user’s private key, c represents the attribute contained in the access structure, n represents the access structure hierarchy, the power operation on the group G0 is E0, the power operation on the group GT is ET, and the multiplication calculation on the group is M. P represents the pairing operation in group G0. The element size on group G0 is represented as l0, and the element size on group GT is represented as lT. Due to the trivial time consumption of hash operation, the time consumption of hash is ignored. As shown in Table 1, AHAC-CP-ABE has high performance in all aspects.

Table 1 Comparison of the performance of four algorithms

We conduct detailed experiments to simulate the complete access control process, in which all four algorithms are implemented based on JPBC [36]. In the experiments, we adopt the supersingular elliptic curve \( y^{2} = x^{3} + x \), whose group order is 160 bits, over a 512-bit finite field. The experiments are performed on a computer with a Pentium G4560 3.50 Hz processor and 8.00 GB RAM. We take the average of 10 experiments as the result to make it more accurate.

The private key generation times of the four algorithms are shown in Fig. 5. As the attribute number increases, the private key production time costs and the private key storage costs of AHAC-CP-ABE and LS-CP-ABE grow more slowly than those of the other two algorithms. This will significantly reduce the pressure on CA.

Fig. 5 Private key generation time

Figure 6 shows the encryption and decryption time costs with two fixed access structure levels as attributes increase. We can see that the time costs by encryption and decryption of AHAC-CP-ABE and FH-CP-ABE are always less than those of the other two algorithms.

Fig. 6 Encryption and decryption time when the attribute number increases

Figure 7 shows the encryption and decryption time costs with different access structure levels and a fixed attribute number N = 30. It is clear that the encryption and decryption time costs of FH-CP-ABE and AHAC-CP-ABE are constant when the number of access structure levels increases, while in traditional CP-ABE and LS-CP-ABE the time costs grow rapidly and linearly.

Fig. 7 Encryption and decryption time when the structure level increases

From Figs. 5, 6 and 7, we can conclude that the time consumed by encryption and decryption in AHAC-CP-ABE is still less than that of FH-CP-ABE. However, in the cloud environment with big data, the gap between them will widen. Moreover, the private key production time of AHAC-CP-ABE is much less than that of FH-CP-ABE.

Figure 8 shows the storage cost of the private key. As the attribute number increases, the private key storage costs of AHAC-CP-ABE and LS-CP-ABE grow more slowly than those of the other two algorithms.

Fig. 8 The storage cost of private key

Figure 9a shows the storage cost of the ciphertext as the attribute number increases, with the access structure level fixed at two. The ciphertext storage costs of FH-CP-ABE and AHAC-CP-ABE are very close, while the costs of traditional CP-ABE and LS-CP-ABE are about twice as large, since the access structure level in this experiment is set to two. Figure 9b shows the storage cost of the ciphertext for different numbers of access structure levels, with the attribute number fixed at N = 30. The ciphertext storage costs of AHAC-CP-ABE and FH-CP-ABE increase slightly as the number of access structure levels increases, whereas the ciphertext storage costs of traditional CP-ABE and LS-CP-ABE increase sharply.

Fig. 9 The storage cost of ciphertext

From Figs. 8 and 9, we can conclude that the ciphertext storage consumption of AHAC-CP-ABE is still less than that of FH-CP-ABE, and furthermore the private key storage consumption of AHAC-CP-ABE is obviously less than that of FH-CP-ABE.

Conclusions

Most existing CP-ABE data access control schemes do not consider the hierarchical access relationships of multiple shared data files, and simply require data owners to generate multiple ciphertexts to meet the hierarchical access requirement, which incurs substantial computation overheads. To solve this problem, we first give an efficient hierarchical CP-ABE algorithm based on LSSS. We then construct AHAC, which uses an integrated access structure that enables users to encrypt multiple data files with hierarchical access relationships at once. When a data visitor’s attributes match a part of the access control structure, he can obtain the data associated with this part with just one decryption. In addition, AHAC is secure and has very low computation and storage costs compared with related works.

In the future, we will work towards using blockchain technology to expand the single authority to multiple authorities, improve the security and stability of the authority, and support the accountability of authority.

Availability of data and materials

All data generated or analyzed during this study are included in this published article [and its supplementary information files].

Abbreviations

CP-ABE: Ciphertext-policy attribute-based encryption
AHAC: Attribute-based hierarchical data access control scheme
ABE: Attribute-based encryption
LSSS: Linear secret sharing scheme
PHR: Personal health record
FH-CP-ABE: File hierarchy attribute-based encryption scheme
d-BDH: Decisional-Bilinear Diffie-Hellman
d-Parallel BDHE: Decisional q-parallel Bilinear Diffie-Hellman Exponent
CA: Central Authority
CS: Cloud server
DO: Data owner

References

  1. Rittinghouse JW, Ransome JF (2009) Cloud computing: implementation, management, and security. CRC press, Boca Raton
  2. Kallahalla M, Riedel E, Swaminathan R, Wang Q, Fu K (2003) Scalable secure file sharing on untrusted storage. Paper presented at the 2nd USENIX Conference on File and Storage Technologies, San Francisco, CA, 31–31 March 2003
  3. di Vimercati S D C, Foresti S, Jajodia S, Paraboschi S, Samarati P (2007) Over-encryption: management of access control evolution on outsourced data. Paper presented at the 33rd International Conference on Very Large Data Bases, Vienna, 23–27 September 2007
  4. Ateniese G, Fu K, Green M, Hohenberger S (2006) Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans Inf Syst Secur 9:1–30. https://doi.org/10.1145/1127345.1127346
  5. Sahai A, Waters B (2005) Fuzzy identity-based encryption. Paper presented at the 24th annual international conference on Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005
  6. Bethencourt J, Sahai A, Waters B (2007) Ciphertext-policy attribute-based encryption. Paper presented at the 2007 IEEE Symposium on Security and Privacy, Washington, USA, 20–26 May 2007
  7. Waters B (2011) Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Paper presented at the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography, Taormina, Italy, 6–9 March 2011
  8. Wang S, Zhou J et al (2016) An efficient file hierarchy attribute-based encryption scheme in cloud computing. IEEE Trans Inf Forensics Secur 11:1265–1277. https://doi.org/10.1109/TIFS.2016.2523941
  9. Cheung L, Newport C (2007) Provably secure ciphertext policy ABE. Paper presented at the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, 29 October–2 November 2007
  10. Goyal V, Jain A, Pandey O, Sahai A (2008) Bounded ciphertext policy attribute based encryption. Paper presented at the 35th International Colloquium on Automata, Languages, and Programming, Reykjavik, Iceland, 7–11 July 2008
  11. He H, Zhang J et al (2017) A fine-grained and lightweight data access control scheme for WSN-integrated cloud computing. Cluster Comput 20:1457–1472. https://doi.org/10.1007/s10586-017-0863-y
  12. Li J, Zhang Y et al (2018) Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 72:1–12. https://doi.org/10.1016/j.cose.2017.08.007
  13. Li J, Yao W et al (2017) Flexible and fine-grained attribute-based data storage in cloud computing. IEEE Trans Serv Comput 10:785–796. https://doi.org/10.1109/TSC.2016.2520932
  14. Zhang Y, Zheng D et al (2018) Security and privacy in smart health: efficient policy-hiding attribute-based access control. IEEE Internet Things J 5:2130–2145. https://doi.org/10.1109/JIOT.2018.2825289
  15. Kumar Premkamal Praveen, Kumar Pasupuleti Syam et al (2018) A new verifiable outsourced ciphertext-policy attribute based encryption for big data privacy and access control in cloud. J Ambient Intell Hum Comput 10:2693–2707. https://doi.org/10.1007/s12652-018-0967-0
  16. Susilo W, Yang G, Guo F et al (2018) Constant-size ciphertexts in threshold attribute-based encryption without dummy attributes. Inf Sci 429:349–360. https://doi.org/10.1016/j.ins.2017.11.037
  17. Wei T, Geng Y et al (2017) Attribute-based access control with constant-size ciphertext in cloud computing. IEEE Trans Cloud Comput 99:1–1. https://doi.org/10.1109/TCC.2015.2440247
  18. Qiao H, Ren J et al (2018) Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing. Future Gener Comput Syst 88:107–116. https://doi.org/10.1016/j.future.2018.05.032
  19. Yu G, Ma X et al (2017) Accountable CP-ABE with public verifiability: how to effectively protect the outsourced data in cloud. Int J Found Comput Sci 28:705–723. https://doi.org/10.1142/S0129054117400147
  20. Xue L, Yu Y et al (2018) Efficient attribute-based encryption with attribute revocation for assured data deletion. Inf Sci 479:640–650. https://doi.org/10.1016/j.ins.2018.02.015
  21. Li J, Yao W et al (2017) User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage. IEEE Syst J 99:1–11. https://doi.org/10.1109/JSYST.2017.2667679
  22. Naruse T, Mohri M et al (2015) Provably secure attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key for updating. Hum Centric Comput Inf Sci 5:8. https://doi.org/10.1186/s13673-015-0027-0
  23. Li R, Shen C, He H et al (2017) A lightweight secure data sharing scheme for mobile cloud computing. IEEE Trans Cloud Comput 99:1–1. https://doi.org/10.1109/TCC.2017.2649685
  24. Khan F, Li H, Zhang L et al (2017) An expressive hidden access policy CP-ABE. Paper presented at the 2017 IEEE Second International Conference on Data Science in Cyberspace, Shenzhen, China, 26–29 June 2017
  25. He H, Li R, Dong X et al (2014) Secure, efficient and fine-grained data access control mechanism for P2P storage cloud. IEEE Trans Cloud Comput 2:471–484. https://doi.org/10.1109/tcc.2014.2378788
  26. Chase M (2007) Multi-authority attribute based encryption. Paper presented at the 4th Theory of Cryptography Conference Amsterdam, The Netherlands, 21–24 February 2007
  27. Bozovic V, Socek D, Steinwandt R et al (2012) Multi-authority attribute-based encryption with honest-but-curious central authority. Int J Comput Math 89:268–283. https://doi.org/10.1080/00207160.2011.555642
  28. Wang Y, Li F et al (2015) Achieving lightweight and secure access control in multi-authority cloud. Paper presented at the Trustcom 2015, Helsinki, Finland, 20–22 Aug 2015
  29. Lin H, Cao Z, Liang X, Shao J (2008) Secure Threshold Multi Authority Attribute Based Encryption without a Central Authority. Paper presented at the 9th International Conference on Cryptology in India, Kharagpur, India, 14–17 December 2008
  30. Chase M, Chow S S M (2009) Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009
  31. Jung T, Li X, Wan Z et al (2013) Privacy preserving cloud data access with multi-authorities. Paper presented at the INFOCOM 2013, Turin, Italy, 14–19 April 2013
  32. Liu X, Ma J, Xiong J et al (2014) Ciphertext-policy hierarchical attribute-based encryption for fine-grained access control of encryption data. Int J Netw Secur 16:437–443. https://doi.org/10.6633/IJNS.201411.16(6).05
  33. Beimel A (1996) Secure schemes for secret sharing and key distribution. Dissertation, Israel Institute of Technology
  34. Lewko A, Waters B (2011) Decentralizing attribute-based encryption. Paper presented at the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, 15–19 May 2011
  35. Yu S, Wang C, Ren K, Lou W (2010) Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the 29th IEEE International Conference on Computer Communications, San Diego, California, USA, 14–19 March 2010
  36. Caro AD, Iovino V (2011) jPBC: Java pairing based cryptography. In Proceedings of the 2011 IEEE Symposium on Computers and Communications, Kerkyra, Greece, 28 June–01 July 2011

Acknowledgements

Not applicable.

Funding

This work was supported by the National Natural Science Foundation of China under Grant Nos. 61602351, 61802286, 61502359, the Hubei Provincial Natural Science Foundation of China under Grant No. 2018CFB424.

Author information

Contributions

Conceptualization HH and LZ; Implementation HH, LZ, and PL; Validation LD, LH, and XC; Writing and editing HH and LZ. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Heng He.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article

He, H., Zheng, Lh., Li, P. et al. An efficient attribute-based hierarchical data access control scheme in cloud computing. Hum. Cent. Comput. Inf. Sci. 10, 49 (2020). https://doi.org/10.1186/s13673-020-00255-5

Keywords

  • Cloud computing
  • Attribute-based encryption
  • Hierarchical access structure
  • Linear secret sharing