An efficient attribute‑based hierarchical data access control scheme in cloud computing


CP-ABE algorithm. In 2011, a more efficient algorithm based on linear secret sharing scheme (LSSS) was proposed [7].
In real application scenarios, shared data files usually have multiple access structures that are hierarchically related. This relationship is common in the health and military fields. Most CP-ABE schemes do not consider this hierarchical relationship and simply require data owners to generate multiple ciphertexts to encrypt these files, which incurs substantial computation overhead. Wang proposed a File Hierarchy ABE scheme (FH-CP-ABE) [8], which integrates multiple different access structures with hierarchical relationships into a single access structure. When a data visitor's attributes match part of the access structure, he can decrypt the data associated with that part. Only when the entire access structure is satisfied can all the data be decrypted. Since the data owner does not need to generate multiple access structures and ciphertexts, the efficiency is greatly improved. However, FH-CP-ABE uses a tree access structure, so its efficiency is still low.
In this article, our contributions are as follows: (1) We design a hierarchical CP-ABE algorithm whose access structure is an LSSS matrix. In the algorithm, multiple hierarchical access control structures of data files are integrated into a single LSSS matrix, so all the data are encrypted into a single ciphertext. (2) Based on the proposed CP-ABE algorithm, we construct an Attribute-based Hierarchical data Access Control scheme (AHAC) for cloud computing. In AHAC, we achieve efficient and flexible access control. When a data visitor's attributes match a part of the access control structure, he can decrypt the data associated with that part. Moreover, the scheme requires just one encryption and one decryption operation to complete work for which traditional schemes need multiple encryptions and decryptions. (3) We conduct security analysis and performance evaluation for AHAC. Security analysis shows that AHAC has prominent security features. Performance evaluation demonstrates that the private key production time and storage cost of our scheme are only 25 percent of those of FH-CP-ABE, and the encryption and decryption time and ciphertext storage cost also have advantages.
The remaining parts of this paper are organized as follows. In "Related work" section, we introduce some related work in this field. In "Preliminaries" section, we introduce preliminaries which contain some notions and definitions. Then, the detailed construction of AHAC is presented in "AHAC: attribute-based hierarchy data access control scheme" section. In "Security analysis and performance evaluation" section, we provide security analysis and performance evaluation. Finally, the conclusions are given in "Conclusions" section.

Related work
The fuzzy identity-based encryption [5] put forward by Sahai and Waters in 2005 is the prototype of ABE. The basic ABE can only represent the "threshold" operation on attributes, and the threshold parameters are set by the authorized authority rather than by the sender. Cheung realized the first CP-ABE scheme, which supports only an "AND" gate access control strategy [9]. To implement a more flexible strategy, a new CP-ABE was designed by Bethencourt. His scheme applies a tree access control structure to realize the "AND", "OR", and "OF" strategies, and achieves fine-grained access control [6]. However, it cannot provide strong security. In 2008, Goyal and Jain put forward a CP-ABE that has selective security under the decisional Bilinear Diffie-Hellman (d-BDH) assumption [10]. Nevertheless, the time consumed by encryption and decryption, and the sizes of its private key and ciphertext, grow by $n^{3.42}$ ($n$ represents the number of attributes associated with the access control tree), which limits its practicability. In 2011, Lewko and Waters proposed a technique that can transform an access control tree into an LSSS representation. This technique makes it possible to replace the tree structure with a matrix structure. Thus, in the same year, Waters designed a CP-ABE scheme using a matrix structure [7]. Its time consumption for encryption and decryption, and the sizes of its private key and ciphertext, increase linearly with the number of attributes. Besides, the scheme has selective security under the decisional q-parallel BDH Exponent (d-Parallel BDHE) assumption [7]. Some schemes [11][12][13][14][15] have applied CP-ABE to realize file access control in the cloud. There are also schemes that improve the algorithm itself: [16,17] fix the ciphertext size to improve performance, [18,19] improve security through authority control or accountability, and [20][21][22] support attribute revocation to improve practicability.
Scheme [23] supports proxy computing to private servers, [24] supports hidden access policies, and [25] proposes a lightweight and efficient CP-ABE. However, none of them consider the hierarchical access relationships of multiple shared files.
Researchers also proposed some hierarchical CP-ABE based on tree or LSSS matrix structure. The schemes proposed in [26][27][28] use multiple hierarchical authorized organizations to create secret keys cooperatively for users, and alleviate the burden of a single authority center. In [29][30][31], schemes without central authority were further proposed, which improved the system security. In [32], there is a hierarchical relationship between attributes, and attributes with high permission can replace the attributes with low permission when decrypting. In [8], FH-CP-ABE is proposed for cloud data access control, and an integrated tree access structure is used for encrypting all the data. However, its efficiency is still not high. It should be noticed that in our scheme, we focus on the issue of hierarchical access relationships of multiple shared files, which is the same as [8].

Preliminaries
First of all, we present the related preliminaries of AHAC, then we describe an example of using these techniques to implement hierarchical access control, and last we give the definition of d-Parallel BDHE.

Hierarchical access control
In the traditional CP-ABE scheme, a user's attributes either satisfy the access control structure, in which case the user obtains the plaintext, or do not satisfy it, in which case the user cannot obtain the plaintext. As shown in Fig. 1, only users 1 and 4 can recover the plaintext, because their attributes match the access control structure.
In hierarchical access control, multiple different access structures with hierarchical relationships can be integrated into a single access structure. As shown in Fig. 2, $T_1$ and $T_2$ represent the access structures of $m_1$ and $m_2$ respectively, and they obviously have a hierarchical relationship, so they can be integrated into a single access structure $T$. As shown in Fig. 3, when a data visitor's attributes match part of the access structure, he can decrypt the data associated with that part (User 2). Only when the entire access structure is satisfied can all the data be decrypted (User 1). Since the data owner does not need to generate multiple access structures and ciphertexts, the efficiency is greatly improved.

Linear secret sharing scheme
Beimel first proposed the definition of LSSS in [33]: a secret sharing scheme $\Pi$ over a collection of parties $P$ is called linear over $\mathbb{Z}_p$ when:
(1) The shares of all the parties form a vector over $\mathbb{Z}_p$.
(2) There exists a matrix $M$ for $\Pi$, which is used for producing the shares. $M$ has $l$ rows and $n$ columns. For $i = 1, 2, \ldots, l$, the $i$th row $M_i$ of $M$ is labelled by a party $\rho(i)$, where $\rho$ is a function $\{1, 2, \ldots, l\} \to P$. Given a column vector $\vec{v} = (s, r_2, \ldots, r_n)$, in which $s \in \mathbb{Z}_p$ is the shared secret and $r_2, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, $M\vec{v}$ is the vector of the $l$ shares of $s$ determined by $\Pi$. The

It is shown in [33] that each LSSS has the linear reconstruction feature: assume that there exists an LSSS $\Pi$ corresponding to the access structure $T$, that $S \in T$ is an arbitrary authorized set, and that $I \subset \{1, \ldots, l\}$ is defined as $I = \{i : \rho(i) \in S\}$. Then there are constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$, in which $\{\lambda_i\}$ are shares of an arbitrary secret $s$ determined by $\Pi$. In addition, $\{\omega_i\}$ can be found in time polynomial in the size of the share-generating matrix $M$.
For any unauthorized set of rows $I$, there exists a vector $\omega$ such that $\omega \cdot (1, 0, \ldots, 0) = -1$ and $\omega \cdot M_i = 0$ for all $i \in I$.
It can be obtained by mathematical derivation that, for a randomly selected vector $\vec{v} = (s_1, \ldots, s_j, \ldots, s_n)$, where $s_j \in \mathbb{Z}_p$ is the $j$th of the $n$ secrets that need to be recovered and corresponds to a non-leaf node in the tree structure, the following holds. When recovering a secret, if the set of attributes possessed satisfies this non-leaf node, then constants $\{\omega_{i,j} \in \mathbb{Z}_p\}_{i \in I}$ can be found in polynomial time that satisfy $\sum_{i \in I} \omega_{i,j} M_i^T = \varepsilon_j$, where $\varepsilon_j$ is a row vector of length $n$ whose $j$th element is 1 and whose remaining elements are 0. Then we can get $s_j = \sum_{i \in I} \omega_{i,j} \lambda_i$.

Marking method to construct LSSS matrix
Beimel proved that an access control strategy described by a tree structure can be converted to a matrix $M$ in LSSS, but no specific conversion method is given in [33]. It was not until 2011 that Lewko and Waters presented a construction method for an LSSS matrix in [34]: given an access tree defined by a Boolean formula, it can be converted to an LSSS matrix by a marking method. And any one of the propositional paradigms can find its Boolean formula. The specific conversion method can be found in [33].

An example of hierarchical access control using LSSS matrix
There is a hierarchical access tree $T$ which is shown in Fig. 2, and its Boolean formula is (A AND (B AND (C OR D))). We can use the above marking method to convert it to an LSSS matrix by Formula 1 as:

Next, we give an example of how to use the LSSS matrix to achieve hierarchical access control.
When encrypting, we randomly select a vector $\vec{v} = (s_1, s_2, s_3) = (2, 5, 3)$, in which $s_1, s_2, s_3$ are secrets assigned to the non-leaf nodes in Fig. 2. Then we can calculate $\lambda$ by Formula 2:

From "Linear secret sharing scheme", we know $s_j = \sum_{i \in I} \omega_{i,j} \lambda_i$, where $I = \{i : \rho(i) \in S\}$, $\rho(i)$ converts the $i$th row into the attribute represented by this row, and $S$ is the user's attribute set. Thus, we can get Formula 3:

Obviously, we must get $\omega_j$ if we want to get $s_j$, so we make the following Formula 4 derivation:

We make $M_A^T \omega_j = \varepsilon_j$, so $s_j = \vec{v} \cdot \varepsilon_j$. Then we can compute $\varepsilon_j$ as a row vector of length $n$ whose $j$th element is 1 and whose remaining elements are 0.
When decrypting, if a decryptor only has the attributes B, C, i.e., it only satisfies part of the access structure, then he can get $\omega_2$, $\omega_3$ by Formulas 5 and 6:

Finally, he can get $s_3$ and $s_2$ from Formulas 7 and 8:

Similarly, if the decryptor has the attributes A, B, and C, then he satisfies the entire access structure, and all the secrets $s_1, s_2, s_3$ can be computed by the above steps.
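The worked example above, carried through in code as an added illustration (not the authors' code). The matrix is the one the standard Lewko-Waters labelling produces for the page's formula and may differ in sign or row order from the paper's Formula 1, which is not reproduced on this page; the modulus `P` and all function names are assumptions.

```python
# Added example, not the paper's code. P is an assumed prime standing in for p.
P = 2**61 - 1
# The page's policy (A AND (B AND (C OR D))) as nested tuples.
FORMULA = ("AND", "A", ("AND", "B", ("OR", "C", "D")))

def lsss_matrix(formula):
    """Lewko-Waters labelling. For this formula, column j lines up with s_j."""
    rows, rho, c = [], [], [1]          # c[0] is the global column counter
    def walk(node, vec):
        if isinstance(node, str):       # leaf: one matrix row per attribute
            rows.append(list(vec))
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":                  # OR: both children inherit the vector
            walk(left, vec)
            walk(right, vec)
            return
        padded = list(vec) + [0] * (c[0] - len(vec))
        c[0] += 1                       # AND: open a new column
        walk(left, padded + [1])
        walk(right, [0] * len(padded) + [-1])
    walk(formula, [1])
    return [r + [0] * (c[0] - len(r)) for r in rows], rho

def make_shares(M, v):
    """lambda_i = M_i . v (mod P), one share per row."""
    return [sum(m * s for m, s in zip(row, v)) % P for row in M]

def solve_mod(A, b, p):
    """Solve A x = b (mod p) by Gaussian elimination; None if inconsistent."""
    rows = [list(r) + [bi] for r, bi in zip(A, b)]
    k, r, pivots = len(A[0]), 0, []
    for col in range(k):
        piv = next((i for i in range(r, len(rows)) if rows[i][col] % p), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col] % p, -1, p)
        rows[r] = [x * inv % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col] % p:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] % p for row in rows[r:]):
        return None                     # eps_j is outside the span of the rows
    x = [0] * k
    for i, col in enumerate(pivots):
        x[col] = rows[i][-1]
    return x

def recover(M, rho, shares, attrs, j):
    """Find omega with sum_i omega_i M_i = eps_j over the user's rows, then
    return s_j = sum_i omega_i lambda_i, or None if attrs cannot reach s_j."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    A = [[M[i][col] for i in I] for col in range(n)]   # transposed submatrix
    eps = [1 if col == j else 0 for col in range(n)]
    omega = solve_mod(A, eps, P)
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, I)) % P

def recoverable(attrs, v=(2, 5, 3)):
    """Secrets (s_1, s_2, s_3) a user with attrs can rebuild; None if denied."""
    M, rho = lsss_matrix(FORMULA)
    shares = make_shares(M, v)
    return [recover(M, rho, shares, attrs, j) for j in range(len(v))]

if __name__ == "__main__":
    for attrs in ({"B", "C"}, {"A", "B", "C"}, {"A", "B"}):
        print(sorted(attrs), recoverable(attrs))
```

A holder of B and C rebuilds $s_2$ and $s_3$ but not $s_1$, while A and B alone rebuild nothing, which is the partial-match behaviour the section describes.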

AHAC: attribute-based hierarchy data access control scheme
In this chapter, we first give the overview and the security assumptions of AHAC. After that, we design the core algorithm of AHAC, namely AHAC-CP-ABE. Finally, we present the system operations of AHAC in detail.

Scheme overview
The system framework of AHAC is shown in Fig. 4. First, the central authority (CA) performs the system initialization operation and generates system attributes and relevant keys. Then, a double encryption mechanism is used to improve efficiency, that is, the data owner chooses $n$ symmetric keys $\{ck_1, \ldots, ck_n\}$ to encrypt the data files $\{f_1, \ldots, f_n\}$ respectively using a symmetric encryption algorithm (AES, DES, etc.), and encrypts $\{ck_1, \ldots, ck_n\}$ using the AHAC-CP-ABE algorithm. The highly efficient symmetric encryption algorithm is used to encrypt the large files, and the CP-ABE algorithm is used to encrypt the small symmetric keys. Compared with the symmetric encryption algorithm, the performance of the CP-ABE algorithm is relatively lower. However, the CP-ABE algorithm brings an obvious advantage in key management, with which we can easily implement access control over encrypted data. Thus, we use this double encryption method to achieve secure, efficient and fine-grained data access control in the cloud.
The user then transfers the two ciphertexts to the cloud server (CS), and CS stores them for sharing. When a data visitor wishes to obtain the data files, he contacts CA, and CA distributes the corresponding private keys to him according to his attributes. Then, this data visitor obtains the ciphertexts from CS. When his attributes match part or all of the access control structure, he can decrypt the symmetric keys that are associated with that part. At last, the data visitor is able to get the corresponding files using the symmetric keys. It is clear from our framework that only one encryption and decryption operation is needed to share multiple files securely, while traditional schemes have to perform multiple encryption and decryption operations.

Fig. 4 The system framework of AHAC

Security assumptions
In this section, we will present security assumptions for several entities in the system.
We consider CS to be honest but curious in AHAC, as in the related work [35]; that is, CS will honestly perform the task of private key distribution, yet it also tries to learn the contents of the data files and symmetric keys stored in it. Besides, CS is online all the time to provide stable services.
CA is fully trusted and is online all the time. There is a secure way for CA to transfer private keys to users. Users can get the services of the system at any time.
Any number of unauthorized users may launch collusion attacks and try to obtain the confidential data.

AHAC-CP-ABE
AHAC-CP-ABE includes four functions: system initialization, private key production, encryption and decryption. These functions provide the following behaviour: when a data visitor's attributes match a part of the access control structure, he can decrypt the data associated with that part, and when the entire access structure is satisfied, all the data can be decrypted. Here are the details of the algorithm:

(1) System initialization
Function 1 takes an attribute set $U$ of the system and a parameter $k$ specifying the system security as input, and produces a system master key MK and a corresponding public key PK.

(2) Private key production
As shown in Function 2, it takes PK, MK, and the attribute set $S$ of a user as input, and produces a user private key SK that is related to $S$.

(1) System setup
CA designates an attribute set $U$ and invokes Function 1 to produce a master key MK and a public key PK, and MK is safely stored in CA.

(3) Encryption of symmetric keys
DO defines access trees $\{T_1, \ldots, T_n\}$ for his data files $\{f_1, \ldots, f_n\}$ respectively and integrates them into a single access tree $T$. Then, he uses the marking method to convert $T$ to an LSSS matrix structure $(M, \rho)$. Next, he calls Function 3 to encrypt his symmetric keys $\{ck_1, \ldots, ck_n\}$ and generates a symmetric key ciphertext CT. Finally, he sends CT and EF to CS, and CS stores them.

(4) User authorization
For any data visitor, CA specifies a set S of attributes and calls Function 2 to output the corresponding private key SK.

(5) Decryption of symmetric keys
When a user wants to obtain some files from CS, CS first checks whether his attributes match part or all of the access control structure of those data files. If not, CS refuses the user's request; otherwise, CS sends CT to the user. After obtaining CT, the user calls Function 4 to get the symmetric keys. When his attributes satisfy a part of the access tree, he can decrypt the symmetric keys that are associated with that part, assuming $\{ck_1, \ldots, ck_n\}$. Only when his attributes match the entire access control structure can he obtain all the symmetric keys.
To further improve the efficiency, we make the following transformation:

$ck'_n = ck_n, \quad ck'_{n-1} = ck_{n-1} \cup ck'_n, \quad \ldots, \quad ck'_1 = ck_1 \cup ck'_2$

where $\{ck_1, \ldots, ck_n\}$ are $n$ symmetric keys. After that, we call Function 3 to encrypt $\{ck'_1, \ldots, ck'_n\}$ and generate a symmetric key ciphertext CT. When decrypting, we call Function 4 to get the symmetric keys. In Function 4, once we successfully decrypt a $ck'_j$, we can stop the decryption process immediately, since $ck'_j$ contains all the contents of the remaining symmetric keys.

Security analysis and performance evaluation
In this chapter, we give the analysis for the security and the evaluation results for the performance.

Security analysis
We give the security features of AHAC based on the security assumptions presented in chapter 4.2, containing data confidentiality, collusion defense and fine-grained access control.

(1) Data confidentiality
The AHAC-CP-ABE algorithm is designed on top of Waters's algorithm [7]. The security of his scheme is based on the d-Parallel BDHE assumption.
d-Parallel BDHE assumption: Select a bilinear group $G$ of prime order $p$ with generator $g$, and select $\beta, s, b_1, \ldots, b_q \in \mathbb{Z}_p$ at random. Even if the adversary gets it's hard for him to get $e(g, g)^{\beta^{q+1} s} \in G_T$.
There is one main difference between the AHAC-CP-ABE algorithm and Waters's algorithm. In AHAC-CP-ABE, we use all the elements in the secret vector $\vec{v}$ to allow multiple secrets to be carried in one access control policy, under which multiple plaintexts are encrypted. That is to say, AHAC-CP-ABE exploits all the elements in vector $\vec{v}$, using each of them to encrypt one plaintext, as shown in Function 3, whereas in Waters's CP-ABE algorithm just one element in the vector is used for encrypting a plaintext [7], and for multiple plaintexts the algorithm needs to be executed multiple times. In [7], Waters's CP-ABE algorithm has selective security under the d-Parallel BDHE assumption. Therefore, AHAC-CP-ABE has the same security under the same assumption.
In AHAC, data files are encrypted using symmetric encryption keys, and these keys are then encrypted using AHAC-CP-ABE. In this mechanism, just the ciphertexts of the files and the ciphertexts of the keys are given to cloud servers. Since the used symmetric encryption algorithm, such as AES, is secure, the security of this mechanism merely relies on the security of AHAC-CP-ABE. In the above paragraph, we have shown that AHAC-CP-ABE is secure under d-Parallel BDHE assumption. Thus, the AHAC is secure under the same model.

(2) Collusion defense
Any number of unauthorized users may launch collusion attacks, trying to access the confidential data files. In AHAC-CP-ABE, CA chooses an element $t$ randomly for each user and uses $t$ to generate a private key for each of them. When a user decrypts a ciphertext, he should compute $e(g, g)^{\alpha s_j}$ first, which requires the components of his private key to contain the same $t$. That is to say, different data visitors can't integrate their private keys to strengthen their decryption power, since they have different values of $t$ in their private keys. Therefore, AHAC can resist collusion attacks effectively.

(3) Fine-grained access control
In AHAC, the LSSS matrix access structure is transformed from an access tree which supports "AND", "OR", and "OF" threshold operations, and it can represent any complex access control policy. Only data visitors who own attributes matching the access control structure can obtain the plaintext successfully. Thus, AHAC realizes fine-grained access control.

Performance evaluation
We evaluate the performance of AHAC-CP-ABE from two aspects: its time costs, and the storage costs of ciphertext and private key. Both are compared with those of traditional CP-ABE [6], LSSS-based CP-ABE (hereinafter referred to as LS-CP-ABE) [7], and FH-CP-ABE [8].
We make the following access policy: assume that the plaintext is $M = (m_1, m_2, \ldots, m_n)$; for the traditional CP-ABE and LS-CP-ABE, $n$ policies are needed respectively for $m_1, m_2, \ldots, m_n$ as: Policy (1)

In Table 1, we compare the performance of the four CP-ABE algorithms by theoretical calculation. $\mu$ represents the global attribute set, $\omega \in \mu$ represents the attribute information contained in the user's private key, $c$ represents the attributes contained in the access structure, $n$ represents the access structure hierarchy, the power operation on the group $G_0$ is $E_0$, the power operation on the group $G_T$ is $E_T$, and the multiplication on the group is $M$. $P$ represents the pairing operation in group $G_0$. The element size on group $G_0$ is represented as $l_0$, and the element size on group $G_T$ is represented as $l_T$. Because the time consumed by hash operations is trivial, it is ignored. As shown in Table 1, AHAC-CP-ABE has high performance in all aspects.
We conduct detailed experiments to simulate the complete access control process, in which all four algorithms are implemented based on JPBC [36]. In the experiments, a supersingular elliptic curve $y^2 = x^3 + x$ is adopted, of which the group order is 160 bits on a 512-bit finite field. The experiments are performed on a computer with a Pentium G4560 3.50 Hz processor and 8.00 GB RAM. We take the average of 10 experiments as results to make them more accurate.
Table 1 Comparison of the performance of the four algorithms

| | CP-ABE [6] | FH-CP-ABE [8] | LS-CP-ABE [7] | AHAC-CP-ABE |
|---|---|---|---|---|
| Private key generation time | | | | |
| Decryption time | $cnE_T + nM + (2c + 1)nP$ | $cE_T + nM + (2c + 1)P$ | $cnE_T + nM + (2c + 1)nP$ | |
| Private key storage | $(2\omega + 1)l_0$ | $(2\omega + 1)l_0$ | $(2 + \omega)l_0$ | $(2 + \omega)l_0$ |
| Ciphertext storage | $(2c + 1)nl_0 + nl_T$ | $(2c + n)l_0 + (n + c)l_T$ | $(2c + 1)nl_0 + nl_T$ | $(2c + n)l_0 + nl_T$ |

The private key generation times of the four algorithms are shown in Fig. 5. As the attribute number increases, the private key production time costs and the private key storage costs of AHAC-CP-ABE and LS-CP-ABE grow more slowly than those of the other two algorithms. This will significantly reduce the pressure on CA. Figure 6 shows the encryption and decryption time costs with two fixed access structure levels as attributes increase. We can see that the encryption and decryption time costs of AHAC-CP-ABE and FH-CP-ABE are always less than those of the other two algorithms. Figure 7 shows the encryption and decryption time costs with different access structure levels and a fixed attribute number N = 30 respectively. It is obvious that the encryption and decryption time costs of FH-CP-ABE and AHAC-CP-ABE are constant when the number of access structure levels increases, while in traditional CP-ABE and LS-CP-ABE there is rapid linear growth in the time costs.
From Figs. 5, 6 and 7, we can conclude that the time consumed by encryption and decryption in AHAC-CP-ABE is still less than in FH-CP-ABE. However, in the cloud environment with big data, the gap between them will be widened. Moreover, the time consumed by private key production in AHAC-CP-ABE is much less than in FH-CP-ABE. Figure 8 shows the storage cost of the private key. As the attribute number increases, the private key storage costs of AHAC-CP-ABE and LS-CP-ABE grow more slowly than those of the other two algorithms. Figure 9a shows the storage cost of the ciphertext with two fixed access structure levels as attributes increase. We can see that the ciphertext storage costs of FH-CP-ABE and AHAC-CP-ABE are very close, while the costs of traditional CP-ABE and LS-CP-ABE are about twice as large, since in this experiment the access structure level is set to two. Figure 9b shows the storage cost of the ciphertext with different access structure levels and a fixed attribute number N = 30 respectively. We can see that the ciphertext storage costs of AHAC-CP-ABE and FH-CP-ABE increase slightly when

From Figs. 8 and 9, we can conclude that the ciphertext storage consumption of AHAC-CP-ABE is still less than that of FH-CP-ABE, and furthermore the private key storage consumption of AHAC-CP-ABE is obviously less than that of FH-CP-ABE.

Conclusions
Most existing CP-ABE data access control schemes do not consider the hierarchical access relationships of multiple shared data files, and simply require data owners to generate multiple ciphertexts to meet the hierarchical access requirement, which incurs substantial computation overhead. To solve this problem, we first give an efficient hierarchical CP-ABE algorithm based on LSSS, and then construct AHAC, which uses an integrated access structure that enables users to encrypt multiple data files with hierarchical access relationships at once. When a data visitor's attributes match a part of the access control structure, he can obtain the data associated with that part with just one decryption. In addition, AHAC is secure, and has very low costs in both computation and storage compared with related works. In the future, we will work towards using blockchain technology to expand the single authority to multiple authorities, improve the security and stability of the authority, and support the accountability of the authority.