支持云代理重加密的CP-ABE方案

doi:10.12263/DZXB.20210445

电子学报 ›› 2023, Vol. 51 ›› Issue (3): 728-735.DOI: 10.12263/DZXB.20210445

支持云代理重加密的CP-ABE方案

赵开强¹, 康萍¹(), 刘彬¹(), 郭真¹(), 冯朝胜¹^,², 卿昱³

^1.四川师范大学计算机科学学院, 四川成都 610101
^2.电子科技大学网络与数据安全四川省重点实验室, 四川成都 610054
^3.中国电子科技集团公司第30研究所, 四川成都 610041

收稿日期:2021-04-07 修回日期:2022-04-10 出版日期:2023-03-25
- 通讯作者:
- 冯朝胜
- 作者简介:
- 赵开强男， 1996年01月出生于四川省巴中市.四川师范大学在读研究生.研究方向为信息安全与云计算.E-mail: 18483621260@163.com
  康萍女， 1998年03月出生于四川省南充市.四川师范大学在读研究生.研究方向为信息安全与云计算.E-mail: iskangping@foxmail.com
  刘彬男， 1996年10月出生于四川省宜宾市.四川师范大学在读研究生.研究方向为区块链、联邦学习与信息安全.E-mail: liubin10@foxmail.com
  郭真女， 1997年09月出生于四川省成都市.四川师范大学在读研究生.研究方向为信息安全与云计算.E-mail: ssbguo@foxmail.com
  冯朝胜（通讯作者）男， 1971年01月出生于四川省广元市.教授、硕士生导师.研究方向为云计算安全.E-mail: csfenggy@163.com
  卿昱女， 1970出生于四川，中国电子科技集团公司第三十研究所研究员，硕士生导师.研究方向为网络与信息安全.
- 基金资助:
- 国家自然科学基金(61373163);国防科技重点实验室基金(6142103010709)

A CP-ABE Scheme with Cloud Proxy Re-Encryption

ZHAO Kai-qiang¹, KANG Ping¹(), LIU Bin¹(), GUO Zhen¹(), FENG Chao-sheng¹^,², QING Yu³

^1.Department of Computer Science，Sichuan Normal University，Chengdu，Sichuan 610101，China
^2.Network and Data Security Key Laboratory of Sichuan Province，University of Electronic Science and Technology of China，Chengdu，Sichuan 610054，China
^3.The No. 30 Institute of China Electronic Technology Corporation，Chengdu，Sichuan 610041，China

Received:2021-04-07 Revised:2022-04-10 Online:2023-03-25 Published:2023-04-20
- Corresponding author:
- FENG Chao-sheng
- Supported by:
- National Natural Science Foundation of China(61373163);National Defense Science and Technology Foundation of Key Laboratory(6142103010709)

摘要/Abstract

摘要：

针对现有的面向CP-ABE（Ciphertext-Policy Attribute-Based Encryption）的代理重加密方案因代理方可以解密代理重加密密文且可以任意修改访问策略而难以支持云代理重加密的问题，本文提出支持云代理重加密的CP-ABE方案即CP-ABE-CPRE（CP-ABE Scheme with Cloud Proxy Re-Encryption）方案.该方案利用版本号标识不同阶段的私钥和密文来支持属性撤销，只有在用户私钥版本号和密文版本号相匹配且用户属性满足访问策略时，用户才能解密密文.当撤销用户属性时，云服务器无需修改访问策略就可以更新被撤销属性对应的保密值.该方案还通过懒惰更新和批量更新减少密文和用户私钥更新次数，提升更新效率.理论分析和实验结果分析都表明，CP-ABE-CPRE在计算开销和存储开销上均优于相关已有方案.安全性分析表明，CP-ABE-CPRE能够对抗针对性选择明文攻击（sCPA， selective Chosen Plaintext Attack）.

关键词: 基于属性加密, 访问控制, 云代理重加密, 云计算, sCPA

Abstract:

Aiming at the problem that the existing CP-ABE (Ciphertext-Policy Attribute-Based Encryption) proxy re-encryption scheme is difficult to support cloud proxy re-encryption because the proxy can decrypt the re-encrypted ciphertext and modify the access policy arbitrarily, we propose a CP-ABE-CPRE (CP-ABE Scheme with Cloud Proxy Re-Encryption) scheme. CP-ABE-CPRE supports attribute revocation by using version numbers to identify private key and ciphertext at different stages. Only when the user private key's edition number matches the ciphertext's and the user's attributes meet the access policy, the user can decrypt the ciphertext. When revoking an attribute, cloud can update the confidential data corresponding to the attribute needed revoking without modifying the access policy. Moreover, this scheme also reduces the number of ciphertext and user private key updates through lazy and batch updates, and improves update efficiency. Analysis of theoretical and experimental results both show that CP-ABE-CPRE is superior to related existing solutions in terms of computational and storage cost. And security analysis shows that CP-ABE-CPRE resists the selective chosen plaintext attack.

Key words: attribute-based encryption, access control, cloud proxy re-encryption, cloud computing, sCPA

中图分类号:

TP309.2

赵开强, 康萍, 刘彬, 等. 支持云代理重加密的CP-ABE方案[J]. 电子学报, 2023, 51(3): 728-735.

Kai-qiang ZHAO, Ping KANG, Bin LIU, et al. A CP-ABE Scheme with Cloud Proxy Re-Encryption[J]. Acta Electronica Sinica, 2023, 51(3): 728-735.

图/表 11

图1 系统结构图

表1 方案特性对比

方案	云代理重加密	可重复重加密	批量重加密	懒惰重加密	属性撤销	用户撤销
文献[20]	Yes	Yes	No	No	No	Yes
文献[21]	Yes	Yes	No	No	No	Yes
文献[22]	No	No	No	No	Yes	Yes
本文方案	Yes	Yes	Yes	Yes	Yes	Yes

表2 性能分析符号一览表

符号	意义
$E G 0$	群 $G 0$ 上一次指数运算时间开销
$E G T$	群 $G T$ 上一次指数运算时间开销
$B e$	双线性配对运算时间开销
$S u$	用户属性个数
$S N$	密文共享访问树中叶子节点个数
$G 0$	一个 $G 0$ 群元素大小
$G T$	一个 $G T$ 群元素大小

表2 性能分析符号一览表

符号	意义
$E G 0$	群 $G 0$ 上一次指数运算时间开销
$E G T$	群 $G T$ 上一次指数运算时间开销
$B e$	双线性配对运算时间开销
$S u$	用户属性个数
$S N$	密文共享访问树中叶子节点个数
$G 0$	一个 $G 0$ 群元素大小
$G T$	一个 $G T$ 群元素大小

表3 计算性能对比

方案	私钥生成	加密	重加密	解密
文献[20]	$(1 + 3 S u) ⋅ E G 0$	$(1 + 2 S N) ⋅ E G 0 + B e + E G T$	$E G 0 + B e$	$(2 S u + 3) ⋅ B e + (S N - 2) ⋅ E G T$
文献[21]	$2 B e + (7 + 3 S u) ⋅ E G 0$	$(4 + 2 S N) ⋅ E G 0 + 2 E G T$	$B e$	$(2 S u + S N + 5) ⋅ B e + (S N + 2) ⋅ E G T$
文献[22]	$(3 + 5 S u) ⋅ E G 0$	$(5 + 3 S N) ⋅ E G 0 + E G T$	$8 S N ⋅ E G 0$	$(3 S u + 6) ⋅ B e + (S N - 2) ⋅ E G T$
本文方案	$(1 + 3 S u) ⋅ E G 0$	$(1 + 2 S N) ⋅ E G 0 + E G T$	$S N ⋅ E G 0$	$(2 S u + 1) ⋅ B e + (S N - 2) ⋅ E G T$

表3 计算性能对比

方案	私钥生成	加密	重加密	解密
文献[20]	$(1 + 3 S u) ⋅ E G 0$	$(1 + 2 S N) ⋅ E G 0 + B e + E G T$	$E G 0 + B e$	$(2 S u + 3) ⋅ B e + (S N - 2) ⋅ E G T$
文献[21]	$2 B e + (7 + 3 S u) ⋅ E G 0$	$(4 + 2 S N) ⋅ E G 0 + 2 E G T$	$B e$	$(2 S u + S N + 5) ⋅ B e + (S N + 2) ⋅ E G T$
文献[22]	$(3 + 5 S u) ⋅ E G 0$	$(5 + 3 S N) ⋅ E G 0 + E G T$	$8 S N ⋅ E G 0$	$(3 S u + 6) ⋅ B e + (S N - 2) ⋅ E G T$
本文方案	$(1 + 3 S u) ⋅ E G 0$	$(1 + 2 S N) ⋅ E G 0 + E G T$	$S N ⋅ E G 0$	$(2 S u + 1) ⋅ B e + (S N - 2) ⋅ E G T$

表4 存储开销对比

方案	用户私钥	加密密文
文献[20]	$1 + 2 S u ⋅ G 0$	$2 + 2 S N ⋅ G 0 + G T$
文献[21]	$4 + 2 S u ⋅ G 0$	$4 + 2 S N ⋅ G 0 + G T$
文献[22]	$2 + 4 S u ⋅ G 0$	$3 + 3 S N ⋅ G 0 + G T$
本文方案	$1 + 2 S u ⋅ G 0$	$1 + 2 S N ⋅ G 0 + G T$

表4 存储开销对比

方案	用户私钥	加密密文
文献[20]	$1 + 2 S u ⋅ G 0$	$2 + 2 S N ⋅ G 0 + G T$
文献[21]	$4 + 2 S u ⋅ G 0$	$4 + 2 S N ⋅ G 0 + G T$
文献[22]	$2 + 4 S u ⋅ G 0$	$3 + 3 S N ⋅ G 0 + G T$
本文方案	$1 + 2 S u ⋅ G 0$	$1 + 2 S N ⋅ G 0 + G T$

图2 加密时间开销对比

图3 重加密时间开销对比

图4 私钥生成时间开销对比

图5 解密时间开销对比

图6 密文存储开销对比

图7 私钥存储开销对比

参考文献 22

1	SAHAI A, WATERS B. Fuzzy identity-based encryption[C]//Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2005: 457-473.
2	GOYAL V, PANDEY O, SAHAI A, et al. Attribute-based encryption for fine-grained access control of encrypted data[C]//Proceedings of the 13th ACM Conference On Computer And Communications Security. New York, ACM, 2006: 89-98.
3	BETHENCOURT J, SAHAI A, WATERS B. Ciphertext-policy attribute-based encryption[C]//2007 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2007: 321-334.
4	WATERS B. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization[C]//International Workshop on Public Key Cryptography. Berlin, Heidelberg: Springer, 2011: 53-70.
5	BALU A, KUPPUSAMY K. An expressive and provably secure ciphertext-policy attribute-based encryption[J]. Information Sciences, 2014, 276: 354-362.
6	LIANG X H, CAO Z F, LIN H, et al. Attribute based proxy re-encryption with delegating capabilities[C]//Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. New York, ACM, 2009: 276-286.
7	LUO S, HU J B, CHEN Z. Ciphertext policy attribute-based proxy re-encryption[C]//International Conference on Information and Communications Security. Berlin, Heidelberg: Springer, 2010: 401-415.
8	LI J J, LIU Z H, ZU L H. Chosen-ciphertext secure multi-use unidirectional attribute-based proxy re-encryptions[C]//2014 Ninth Asia Joint Conference on Information Security. Piscataway: IEEE, 2014: 96-103.
9	KAWAI Y. Outsourcing the re-encryption key generation: flexible ciphertext-policy attribute-based proxy re-encryption[M]//Information Security Practice and Experience. Cham: Springer International Publishing, 2015: 301-315.
10	LIANG K T, AU M H, LIU J K, et al. A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing[J]. Future Generation Computer Systems, 2015, 52: 95-108.
11	LIANG K T, FANG L M, SUSILO W, et al. A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security[C]//2013 5th International Conference on Intelligent Networking and Collaborative Systems. Piscataway: IEEE, 2013: 552-559.
12	杨贺昆, 冯朝胜, 晋云霞, 等. 支持可验证加解密外包的CP-ABE方案[J]. 电子学报, 2020, 48(8): 1545-1551.
	YANG H K, FENG C S, JIN Y X, et al. ACP-ABE scheme with verifiable outsourced encryption and decryption[J]. Acta Electronica Sinica, 2020, 48(8): 1545-1551. (in Chinese)
13	ZENG P, CHOO K K R. A new kind of conditional proxy re-encryption for secure cloud storage[J]. IEEE Access, 2018, 6: 70017-70024.
14	冯朝胜, 罗王平, 秦志光, 等. 支持多种特性的基于属性代理重加密方案[J]. 通信学报, 2019, 40(6): 177-189.
	FENG C S, LUO W P, QIN Z G, et al. Attribute-based proxy re-encryption scheme with multiple features[J]. Journal on Communications, 2019, 40(6): 177-189. (in Chinese)
15	DENG H, QIN Z, WU Q H, et al. Flexible attribute-based proxy re-encryption for efficient data sharing[J]. Information Sciences, 2020, 511: 94-113.
16	ZHENG D, QIN B D, LI Y N, et al. Cloud-assisted attribute-based data sharing with efficient user revocation in the Internet of Things[J]. IEEE Wireless Communications, 2020, 27(3): 18-23.
17	LIN H Y, HUNG Y M. An improved proxy re-encryption scheme for IoT-based data outsourcing services in clouds[J]. Sensors (Basel, Switzerland), 2020, 21(1): 67.
18	GUO H, ZHANG Z F, XU J, et al. Accountable proxy re-encryption for secure data sharing[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(1): 145-159.
19	YU S C, WANG C, REN K, et al. Achieving secure, scalable, and fine-grained data access control in cloud computing[C]//2010 Proceedings IEEE INFOCOM. Piscataway: IEEE, 2010: 1-9.
20	TYSOWSKI P K, HASAN M A. Hybrid attribute- and re-encryption-based key management for secure and scalable mobile applications in clouds[J]. IEEE Transactions on Cloud Computing, 2013, 1(2): 172-186.
21	LI J, YAO W, ZHANG Y, et al. Flexible and fine-grained attribute-based data storage in cloud computing[J]. IEEE Transactions on Services Computing, 2017, 10(5): 785-796.
22	LI L, WANG Z, LI N. Efficient attribute-based encryption outsourcing scheme with user and attribute revocation for fog-enabled IoT[J]. IEEE Access, 2020, 8: 176738-176749.

[1]	罗智勇, 朱梓豪, 谢志强, 孙广路. 面向云计算的花朵差分授粉工作流多目标优化算法研究[J]. 电子学报, 2021, 49(3): 470-476.
[2]	吴立强, 韩益亮, 杨晓元, 张敏情, 杨凯. 基于理想格的鲁棒门限代理重加密方案[J]. 电子学报, 2020, 48(9): 1786-1794.
[3]	杨贺昆, 冯朝胜, 晋云霞, 王蔺, 罗王平, 邓红辉. 支持可验证加解密外包的CP-ABE方案[J]. 电子学报, 2020, 48(8): 1545-1551.
[4]	李航, 冯朝胜, 刘帅南, 刘彬, 赵开强. 支持离线/在线加密及可验证外包解密的CP-WABE方案[J]. 电子学报, 2020, 48(11): 2146-2153.
[5]	卢晶, 段勇, 刘海波. 基于z值的分布式密度峰值聚类算法[J]. 电子学报, 2018, 46(3): 730-738.
[6]	王于丁, 杨家海. DACPCC:一种包含访问权限的云计算数据访问控制方案[J]. 电子学报, 2018, 46(1): 236-244.
[7]	丁嘉宁, 张鹏, 杨嵘, 刘俊朋, 刘庆云, 熊刚. 支持多租户的网络测试床模拟流量标记和溯源模型[J]. 电子学报, 2017, 45(8): 1947-1956.
[8]	杜思军, 徐尚书, 刘俊南, 张俊伟, 马建峰. 云计算中抗共谋攻击的数据位置验证协议[J]. 电子学报, 2017, 45(6): 1321-1326.
[9]	陈振华, 李顺东, 王道顺, 黄琼, 张卫国. 集合成员关系的安全多方计算及其应用[J]. 电子学报, 2017, 45(5): 1109-1116.
[10]	翟治年, 卢亚辉, 余法红, 周武杰, 向坚, 吴茗蔚. 工作流可满足性(≠,=)计数及其#P完全性[J]. 电子学报, 2017, 45(3): 605-611.
[11]	李焱, 郑亚松, 李婧, 朱春鸽, 刘欣然. 云环境下面向跨域作业的调度方法[J]. 电子学报, 2017, 45(10): 2416-2424.
[12]	陶晓玲, 韦毅, 王勇. 一种基于分层多代理的云计算负载均衡方法[J]. 电子学报, 2016, 44(9): 2106-2113.
[13]	陈凯, 许海铭, 徐震, 林东岱, 刘勇. 适用于移动云计算的抗中间人攻击的SSP方案[J]. 电子学报, 2016, 44(8): 1806-1813.
[14]	梁俊杰, 李凤华, 刘琼妮, 尹利. MapReduce框架下的优化高维索引与KNN查询[J]. 电子学报, 2016, 44(8): 1873-1880.
[15]	冯朝胜, 秦志光, 袁丁, 卿昱. 云计算环境下访问控制关键技术[J]. 电子学报, 2015, 43(2): 312-319.

支持云代理重加密的CP-ABE方案

A CP-ABE Scheme with Cloud Proxy Re-Encryption

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 22

相关文章 15

编辑推荐

Metrics