支持用户撤销的多授权机构的属性加密方案

目前多数基于属性加密的云存储访问控制研究是基于单授权机构,系统内仅有一个授权机构为用户颁发属性密钥,可信而好奇的单授权机构会凭借用户提交的属性对用户的身份、职业等隐私信息进行判断和推测,特别是在单授权机构不可信或遭受恶意攻击的情况下,可能造成密钥泄露而导致云端数据被非法解密。为了避免上述两种安全问题,结合现有的多授权机构的思想,使不同权限的授权机构管理不同属性并进行属性相关密钥分发,大大降低了单一信任机构的工作量,解决了单授权机构下的密钥泄露或滥用问题,同时提高了用户的隐私数据保护;通过访问树技术实现了AND、OR及Threshold灵活访问策略,且将用户身份标识设置在访问树中来实现用户的撤销,撤销出现后只需更新部分密文而无需更新属性密钥,因而减少了计算开销。在标准模型下证明了该方案在选择身份属性攻击模型下是安全的,其安全性规约到判定性双线性Diffie-Hellman(decisional bilinear Diffie-Hellman, DBDH)问题。

Multi-authority and revocable attribute-based encryption scheme

Most of the existing attribute-based encryption schemes are based on a single authority. That is, there is only one authority in the system to issue the key to the user. The curious authority will speculate the user's identity, occupation and other private information by the user's attributes. In particular, if the single authority suffered malicious attacks, it maybe cause the leakage of private key and the breach of cloud data confidentiality. In order to avoid the above two kinds of problems, multi-authority is introduced in this paper. The different authorities manage different attributes and distribute the attributes key to users, which greatly decreases the single authority's workload, improves the protection of user privacy data and solves the key escrow under a single or abuse authority. AND, OR and Threshold are flexible realized by using the access tree, and the user identity is set in the access tree to achieve the user's direct revocation. When the revocation occurs, the whole system only needs to update parts of the ciphertext without updating the attribute key, thus reducing the computational overhead of the cloud storage message. Finally, the proposed scheme is proved secure under the chosen identity attribute attack in the standard model, and the security of the scheme is built on the hardness assumption of decision bilinear Diffie-Hellman(DBDH)problem.