PAbAC: a privacy preserving attribute based framework for fine grained access control in clouds
Belguith, S, Kaaniche, N, Jemai, A, Laurent, M and Attia, R
http://dx.doi.org/10.5220/0005968201330146

Title: PAbAC: a privacy preserving attribute based framework for fine grained access control in clouds
Authors: Belguith, S, Kaaniche, N, Jemai, A, Laurent, M and Attia, R
Type: Conference or Workshop Item
URL: This version is available at: http://usir.salford.ac.uk/id/eprint/51365/
Published Date: 2016

USIR is a digital collection of the research output of the University of Salford. Where copyright permits, full text material held in the repository is made freely available online and can be read, downloaded and copied for non-commercial private study or research purposes. Please check the manuscript for any further copyright restrictions. For more information, including our policy and submission procedure, please contact the Repository Team at: [email protected].



HAL Id: hal-01391253
https://hal.archives-ouvertes.fr/hal-01391253

Submitted on 3 Nov 2016

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.


PAbAC: a Privacy preserving Attribute based framework for fine grained Access Control in clouds
Sana Belguith, Nesrine Kaaniche, Abderrazak Jemai, Maryline Laurent, Rabah Attia

To cite this version: Sana Belguith, Nesrine Kaaniche, Abderrazak Jemai, Maryline Laurent, Rabah Attia. PAbAC: a Privacy preserving Attribute based framework for fine grained Access Control in clouds. SECRYPT 2016: 13th International Conference on Security and Cryptography, Jul 2016, Lisbon, Portugal. pp. 133-146, doi:10.5220/0005968201330146. hal-01391253


PAbAC: a Privacy preserving Attribute based framework for fine grained Access Control in clouds

Sana Belguith1,2, Nesrine Kaaniche3, Abderrazak Jemai4, Maryline Laurent3 and Rabah Attia2

1 Laboratory of Electronic Systems and Communication Network, Tunisia Polytechnic School
2 Telnet Innovation Labs, Telnet Holding
3 SAMOVAR, CNRS, Telecom SudParis, University Paris-Saclay
4 Laboratory LIP2, University of Sciences of Tunis, Tunisia

[email protected], {Nesrine.Kaaniche, Maryline.Laurent}@telecom-sudparis.eu

Keywords: Cloud storage systems, Attribute-based encryption, Attribute-based signature, Data confidentiality, Privacy.

Abstract: Several existing access control solutions mainly focus on preserving confidentiality of stored data from unauthorized access and the storage provider. Moreover, to keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired. In addition, access control policies as well as users' access patterns are also considered as sensitive information that should be protected from the cloud. In this paper, we propose PAbAC, a novel privacy preserving Attribute-based framework that combines attribute-based encryption and attribute-based signature mechanisms for securely sharing outsourced data via the public cloud. Our proposal is multifold. First, it ensures fine-grained cryptographic access control enforced at the data owner's side, while providing the desired expressiveness of the access control policies. Second, PAbAC preserves users' privacy, while hiding any identifying information used to satisfy the access control. Third, PAbAC is proven to be highly scalable and efficient for sharing outsourced data in remote servers, at both the client and the cloud provider side.

1 INTRODUCTION

Data security and privacy are major challenges in the adoption of cloud storage applications, mainly due to the loss of data control. It is commonly agreed that data encryption at the client side is a good alternative to mitigate data secrecy concerns. As such, the client keeps the decrypting keys out of reach of the cloud. Although encryption assures confidentiality against curious cloud service providers, conventional encryption approaches are not sufficient to support the enforcement of fine-grained access control policies. That is, data confidentiality preservation becomes more complicated when considering flexible data sharing among dynamic groups of users. First, access control policies should be flexible and distinguishable among users with different privileges. Second, dynamic groups require efficient sharing of deciphering keys between different authorized users. In fact, the subscription of a new group member should not require updating the secret keys of the remaining users, so that the complexity of key management is minimized. Thus, the challenge is to define a comprehensive access control mechanism for outsourced data while both ensuring data confidentiality and protecting users' privacy.

For instance, with the involvement of a third-party cloud provider, a crucial issue is that access patterns may reveal privacy-sensitive information about users and potentially leak confidential information about the content. The confidentiality of outsourced data and the privacy of users are thus not assured if these sensitive data are not protected.

In this paper, we propose PAbAC, a novel privacy preserving Attribute-based framework that combines Attribute Based Encryption (ABE) and Attribute Based Signature (ABS) mechanisms for securely sharing outsourced data via public clouds. PAbAC introduces a two-level access control model that combines fine-grained access control, which ensures a comprehensive granularity for access rules, and anonymous data access, which allows the storage server to manage access requests with no need to learn the user identity nor his attributes. The originality of PAbAC is multifold. First, PAbAC introduces a privacy preserving authentication scheme, based on a novel use of attribute-based signatures. The identity of the requesting client remains protected against the certifying authorities as well as the cloud service provider. Moreover, the combination of attribute based encryption mechanisms and an attribute based signature scheme allows the cloud provider to control the bandwidth consumption, and thus the system's availability. In fact, the authentication of requesting users helps mitigate flooding attacks, which exploit the bandwidth under-provisioning vulnerability (Zunnurhain, 2012). Thus, only authorized users can download encrypted data. Second, as a decentralised multi-authority attribute based framework, PAbAC reduces the bottleneck of maintaining a central authority for managing secret parameters. Additionally, it supports issuing a set of attributes from each attribute authority, unlike other access control schemes which rely on issuing only one attribute per authority. Third, the original use of attribute based encryption and the related attribute based signature guarantees fine grained access control to outsourced data and provides effective key management in sharing scenarios. For instance, the PAbAC framework is highly scalable and offers interesting performances, such as low computation and communication cost, at both the client and the cloud provider side.

Paper Organisation – The remainder of this work is as follows: Section 2 presents security considerations and design goals. Then, Section 3 reviews related work and introduces attribute based mechanisms. In Section 4, we describe the system model and review some preliminaries and cryptographic primitives. Afterwards, we detail the framework design and describe the prototype and its different procedures in Section 5. In Section 6, rigorous security discussions are given. Finally, theoretical performance analysis is provided in Section 7, before concluding in Section 8.

2 PROBLEM STATEMENT

Let us consider the following example, where a hospital supports fine-grained access control on Electronic Health Records (EHRs) and makes these records available to hospital employees through a public cloud. In accordance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) (HIP, ), the hospital policies must specify which users can access which data item(s). In fact, a health-care information system based on cloud services is required to restrict access to protected medical records to eligible doctors, while a client relation management system running on a cloud may allow access to patients' information to high-level executives of the hospital only. In many cases, hospital employees, mainly doctors, have to share patients' health information in order to properly prescribe treatments. Thus, they usually form dynamic sharing groups with different granted privileges. Therefore, it is noteworthy that data confidentiality preservation is not the only security concern. It is crucial to support flexible sharing of encrypted outsourced data among dynamic groups of users, while protecting users' privacy.

In a real e-health scenario, different medical organisations can be involved, such as hospitals, research laboratories, pharmacies and the health ministry, as well as doctors and patients. Let us consider that a doctor shares his patients' EHRs in a public cloud. On one hand, the shared data have to be protected from unauthorized access while ensuring fine grained access control for the different authorized actors. Moreover, data confidentiality must be preserved against a malicious cloud service provider. Thus, encryption on the client side should be applied while supporting flexible sharing of outsourced data among dynamic groups of users. On the other hand, the private identifying information of the involved cloud users, such as doctors and patients, must not be revealed to the remote server. For instance, the system should not reveal any private information related to a doctor, such as his professional card or his speciality, nor his patients' data. That is, the disclosure of such information may be used to produce targeted advertisement related to the health condition of the patients, or to run statistical surveys. Thus, the design of PAbAC is motivated by providing the support of both robustness and efficiency while fulfilling the following properties:

• data confidentiality – PAbAC has to protect the secrecy of outsourced and encrypted data contents against both curious cloud service providers and malicious users.

• flexible access control – our proposal should ensure flexible security policies among dynamic groups of users with different granted privileges, belonging to different groups.

• privacy – PAbAC must protect the privacy of group members' access patterns while they request access to outsourced data. That is, the cloud server must be able to grant access with no need for additional identifying information about the requesting users.

• low computation overhead – on one hand, for scalability reasons, the amount of computation at the cloud storage server should be minimized, as the server may be involved in concurrent interactions. On the other hand, the proposed algorithms should also have low processing complexity at the client side.

• low storage cost – PAbAC should provide acceptable storage cost at the client side.

3 RELATED WORK

Several research works have been proposed in the literature in order to securely share data among groups of users while protecting their privacy (Horvath, 2015), (Kaaniche et al., 2014), (Wan et al., 2012), (Yu et al., 2010a), (Raykova et al., 2012), (Di Vimercati et al., 2010b). In order to prevent untrusted servers from accessing outsourced data, several solutions apply encryption mechanisms at the client side while disclosing the decryption keys to authorized users only (Benaloh et al., 2009), (Di Vimercati et al., 2010a), (Kaaniche et al., 2013), (Di Vimercati et al., 2015). Although these methods ensure secure data access control, key distribution remains a bottleneck: it becomes more complicated as the number of users increases. To deal with this concern, Wang et al. (Wang et al., 2009) propose to delegate key management to the remote server, assuming that the latter is trusted. Moreover, in order to enforce authorization policies, Di Vimercati et al. (Di Vimercati et al., 2007) proposed a novel solution aiming to enforce access control in outsourcing systems. The Di Vimercati et al. proposal is based on the application of selective encryption as a means to enforce authorizations, while applying hierarchical key assignment schemes.

Recently, Attribute-based Cryptography appears as a promising technique, designed for ensuring fine grained access control for outsourced data. This cryptographic mechanism was introduced by Sahai and Waters in 2005 (Sahai and Waters, 2005).

In the following, we present Attribute based Encryption mechanisms (ABE) and their application in cloud environments in Section 3.1. Then, we introduce Attribute based Signature schemes (ABS) and review related work applying ABS for protecting access to outsourced data in cloud servers.

3.1 Attribute based Encryption (ABE)

In 2005, Sahai and Waters introduced the concept of Attribute Based Encryption (ABE) as a new means for encrypted access control (Sahai and Waters, 2005). In ABE, ciphertexts are not necessarily encrypted to one particular user as in traditional public key cryptography. Instead, both users' private keys and ciphertexts are associated with a set of attributes or a structure over attributes (Bethencourt et al., 2007). The user is able to decrypt a ciphertext if there is a match between his private key and the ciphertext. For instance, Goyal et al. distinguish two ABE categories, namely Key-Policy ABE (KP-ABE) (Goyal et al., 2006) and Ciphertext-Policy ABE (CP-ABE) (Bethencourt et al., 2007). Several works rely on ABE to provide fine grained access control for outsourced data (Hur and Noh, 2011), (Yu et al., 2010b), (Jahid et al., 2011). Although these schemes proposed efficient solutions to protect outsourced data, they require the use of a central trusted authority to manage all the attributes and issue the related secret keys to users in the system. Thus, this central authority is able to mount a key escrow attack, due to its knowledge of the users' private keys.

Wang et al. (Wang et al., 2010) propose a hierarchical access control mechanism for cloud storage. Their scheme is based on the Bethencourt et al. CP-ABE scheme (Bethencourt et al., 2007) and hierarchical Identity based Encryption (IBE) (Horwitz and Lynn, 2002). This scheme relies on the use of several authorities arranged in a hierarchical way. However, it still relies on the trusted authority and fails if the latter is compromised.

Recently, Lewko and Waters (Lewko and Waters, 2011) proposed a decentralized ABE scheme, where users could obtain their private keys from different attribute authorities. Each attribute authority is in charge of deriving a private key associated with one attribute. The proposal (Lewko and Waters, 2011) does not require a central trusted server, which would have to remain active and uncorrupted throughout the lifetime of the system. Based on this decentralized architecture, there is no need for absolute trust in a single designated entity. However, Lewko and Waters (Lewko and Waters, 2011) assume that each attribute authority is responsible for issuing only one attribute. Moreover, in order to prevent collusion in such a setting, this scheme requires that each user has a unique global identifier (GID), which they must present to each authority. Unfortunately, due to the use of GIDs, users cannot preserve their privacy against attribute authorities. In fact, since a user must present the same GID to each authority, colluding authorities can pool their data and build a complete profile of all of the attributes corresponding to each GID. This might be undesirable, particularly if the user uses the ABE system in many different settings and wants to keep information about some of those settings private.

Based on the Lewko and Waters proposal (Lewko and Waters, 2011), Ruj et al. (Ruj et al., 2011) proposed a distributed data sharing scheme for cloud environments with an attribute revocation extension (DACC). The DACC solution consists of using one or several key distribution centers responsible for issuing keys to data owners and users related to their attributes. The data owner encrypts data under an access structure and stores them in the cloud. The users, when their set of attributes matches the access structure, can retrieve the data from the cloud. We must note that the DACC proposal also supports revocation of users, without redistributing keys to all the users of cloud services. In 2015, Horvath (Horvath, 2015) proposed a decentralized ABE scheme for securely sharing data in cloud computing systems based on the use of the decentralized Lewko and Waters scheme (Lewko and Waters, 2011). In order to achieve an efficient revocation scheme, this proposal relies on the use of an identity based user revocation mechanism to manage access rights for outsourced data. This proposed extension supports multiple independent attribute authorities in which revocation of specific users (e.g. based on users' identities) from the system is possible without updates of attribute public and secret keys.

Most of the mentioned approaches do not propose a mechanism to authenticate requesting users. Moreover, these schemes are based on the use of the Lewko and Waters decentralised ABE scheme (Lewko and Waters, 2011), which requires the use of the users' global identifiers (GIDs). Thus, the privacy of the user is not protected against the attribute authorities.

3.2 Attribute based Signature (ABS)

Attribute-Based Signatures (ABS) (Maji et al., 2011) is a flexible primitive that enables a user to sign a message with fine grained control over identifying information. In ABS, the user possesses a set of attributes obtained from a trusted authority, and can sign a message with respect to a predicate satisfied by his attributes. The signature reveals no more than the fact that a single user with some set of attributes satisfying the predicate has attested to the message. Maji et al. presented a comparison of ABS with other signature-related notions (Maji et al., 2011), such as ring signatures (Rivest et al., 2001) and group signatures (Chaum and Van Heyst, 1991), which can be considered as particular categories of attribute based signatures (El Kaafarani et al., 2014a). In (Maji et al., 2011), Maji et al. also introduced different applications of ABS, including attribute-based messaging (Bobba et al., 2006), trust negotiation (Frikken et al., 2006) and leaking secrets. Some constructions of ABS consider multiple authorities while others only support a single attribute authority. Okamoto et al. (Okamoto and Takashima, 2013) and El Kaafarani et al. (El Kaafarani et al., 2014b) have proposed the first fully decentralized attribute based signature schemes. These schemes involve multiple attribute authorities in the system, with no reliance on a central authority. The security of attribute based signatures requires users' privacy and unforgeability. On one hand, users' anonymity requires that signatures reveal neither users' identities nor the attributes used in the signing algorithm. On the other hand, unforgeability requires that a user cannot forge a signature with respect to a signing predicate that the user's attributes do not satisfy, even if this user colludes with other users (Ghadafi, 2015).

Several works rely on attribute based signatures to ensure the authentication of data owners and fine grained access control to outsourced data in the cloud. Indeed, Ruj et al. (Ruj et al., 2012) presented a privacy preserving authenticated access control scheme for securing data in clouds based on an attribute based signature scheme. In the proposed scheme, the cloud provider verifies the authenticity of the data owner without knowing the user's identity before storing information. To do so, this scheme uses a combination of the decentralized attribute based encryption (Lewko and Waters, 2011) and the multi-authority attribute based signature proposed by Maji et al. (Maji et al., 2011). This proposal relies on the use of a global identifier (GID) in order to issue private keys from attribute authorities to users; thus the attribute authorities can reveal the user's identity. Finally, the proposed authentication scheme is used to authenticate the data owner, and there is no way to authenticate the requesting users. In (Zhao et al., 2011), Zhao et al. applied the ciphertext-policy attribute based encryption (CP-ABE) proposed by Bethencourt et al. (Bethencourt et al., 2007) combined with the Maji et al. (Maji et al., 2011) attribute based signature to ensure fine grained access control to outsourced data in the cloud. This proposal does not address authenticating the requesting users. Moreover, it is based on centralized ABE and ABS schemes, thus it relies on a central trusted authority to issue secret keys to all the users.

4 PABAC SYSTEM

In this section, we present our system model in Section 4.1 and the mathematical background in Section 4.2.


Figure 1: The main architecture entities and their interaction

4.1 System Model

Figure 1 presents the different entities involved in PAbAC, defined as follows:

Cloud Service Provider (CSP): the CSP is assumed to have abundant storage capacity and computation resources in order to manage the data storage service. The cloud provider consists of data servers and a data service manager. Data servers are responsible for storing data outsourced by the data owner, while the data manager is in charge of controlling the accesses from requesting users to outsourced data and providing the corresponding content services.

Data Owner (O): the data owner is responsible for outsourcing data to the remote cloud servers and granting access privileges to other cloud users, by specifying an attribute-based access policy for each data file.

Users (U): a user is a cloud client that may access content outsourced by data owners. In a nutshell, if a user has the set of attributes satisfying the access structure of the encrypted data file, he may then have access to the data.

Trusted Authority (TA): the TA is a trusted third party in our system which is responsible for generating and managing public parameters for both used mechanisms: attribute based encryption and attribute based signature.

Attribute Authority (AA): an AA is a party responsible for deriving public keys and issuing private keys to different users, corresponding to their assigned attributes. The Attribute Authority can be considered as an Identity Provider. In PAbAC, any trusted party can become an attribute authority and there is no requirement for any global coordination other than the creation of an initial set of common public parameters.

4.2 Mathematical Background

In this section, we first introduce the access structure in Section 4.2.1. Then, in Section 4.2.2, we present the bilinear maps. Finally, we introduce our security assumptions.

4.2.1 Access policies

Access policies can be represented by one of the following formats: i) Boolean functions of attributes, ii) Linear Secret Sharing Scheme (LSSS) matrix, or iii) Monotone span programs (Lewko and Waters, 2011).

Definition 1. Access Structure

Let $\{P_1, \dots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}}$ is monotone if $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$ (Lewko and Waters, 2011). An access structure is a collection $\mathbb{A}$ of non-empty subsets of $\{P_1, \dots, P_n\}$, that is $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}} \setminus \{\emptyset\}$. We note that any access structure can be converted into a Boolean function. Boolean functions can be represented by an access tree, where the leaves represent the attributes while the intermediate and root nodes are the logical operators AND ($\wedge$) and OR ($\vee$).

Definition 2. Linear Secret Sharing Schemes (LSSS)

A Linear Secret Sharing Scheme (LSSS) over a set of parties $P$ (Lewko and Waters, 2011) is defined as follows:

1. the shares of each party form a vector over $\mathbb{Z}_p$;

2. there exists a matrix $A$ with $n$ rows and $l$ columns, called the share-generating matrix for the LSSS. For all $i \in \{1, \dots, n\}$, the $i$-th row of $A$ is labeled by a party $\rho(i)$ (where $\rho$ is a function from $\{1, \dots, n\}$ to $P$). When we consider the column vector $\vec{v} = [s, r_2, \dots, r_l]$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \dots, r_l \in \mathbb{Z}_p$ are randomly chosen, then $A \cdot \vec{v} = \vec{\lambda}$ is the vector of the $n$ shares of the secret $s$ according to the LSSS.

In (Beimel, 1996), Beimel presents the algorithm that converts a Boolean function (in the form of an access tree) into an LSSS matrix.

Definition 3. Monotone Span Programs

For a field $\mathbb{F}$ and a variable set $S = \{a_1, \dots, a_n\}$, a Monotone Span Program (Karchmer and Wigderson, 1993) is defined by an $\alpha \times \beta$ matrix $A$ along with a labeling map $\rho$ which associates each row of $A$ with an element $a_i \in S$. The span program accepts a set $\gamma$ if $\mathbf{1} \in \mathrm{Span}(A_\gamma)$, where $A_\gamma$ is the sub-matrix of $A$ containing only the rows with labels $a_i \in \gamma$. In other words, the span program accepts the set $\gamma$ only if there exists a vector $\vec{s}$ such that $\vec{s} \cdot A_\gamma = [1, 0, \dots, 0]$.
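To make Definitions 1 to 3 concrete, here is an added Python example (not code from the paper or its prototype) that converts an AND/OR access tree into an LSSS share-generating matrix, shares a secret as $\vec{\lambda} = A \cdot \vec{v}$, and recovers it only from attribute sets whose rows span $[1, 0, \dots, 0]$. It goes slightly beyond the text by implementing the tree-to-matrix conversion itself, using the standard Lewko-Waters rule rather than Beimel's algorithm cited above; the prime `P`, the e-health policy and the attribute names are constructed for illustration, and a real deployment would work modulo the group order $N$ of Section 4.2.2.

```python
import random

# Constructed toy prime for Z_p; a real deployment works in the pairing group order N.
P = (1 << 61) - 1

# Constructed e-health policy: doctor AND (cardiology OR (hospital_A AND senior)).
# A tree is ("AND", l, r), ("OR", l, r) or an attribute name (a leaf, i.e. a party).
POLICY = ("AND", "doctor", ("OR", "cardiology", ("AND", "hospital_A", "senior")))


def build_lsss(tree):
    """Lewko-Waters tree-to-matrix rule: the root gets vector (1); an OR node passes
    its vector to both children; an AND node pads its vector v to the current length c,
    gives v|1 to one child and (0,...,0,-1) of length c+1 to the other, then bumps c.
    Returns (rows, labels): rows[i] is row i of A, labels[i] is rho(i)."""
    rows, labels = [], []
    counter = [1]  # current vector length c (a list so walk() can update it)

    def walk(node, vec):
        if isinstance(node, str):  # leaf: one matrix row labelled by the attribute
            rows.append(list(vec))
            labels.append(node)
            return
        op, left, right = node
        if op == "OR":
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":
            c = counter[0]
            padded = vec + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError("unknown gate %r" % op)

    walk(tree, [1])
    width = counter[0]
    return [r + [0] * (width - len(r)) for r in rows], labels


def share(rows, secret, rng):
    """Definition 2: pick v = (s, r_2, ..., r_l) at random and return lambda = A . v mod p."""
    v = [secret % P] + [rng.randrange(P) for _ in range(len(rows[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in rows]


def solve_mod_p(matrix, rhs):
    """Gauss-Jordan over Z_p: return any x with matrix . x = rhs, or None if none exists."""
    n, m = len(matrix), len(matrix[0])
    aug = [[x % P for x in row] + [b % P] for row, b in zip(matrix, rhs)]
    pivot_cols, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivot_cols.append(col)
        r += 1
    if any(aug[i][m] for i in range(r, n)):
        return None  # an all-zero row with a non-zero right-hand side: inconsistent
    x = [0] * m  # free variables are set to zero
    for i, col in enumerate(pivot_cols):
        x[col] = aug[i][m]
    return x


def reconstruct(rows, labels, shares, attrs):
    """Recover s from the shares of `attrs`, or None when attrs does not satisfy the
    policy, i.e. (1,0,...,0) is not in the span of the rows A_gamma (Definition 3)."""
    idx = [i for i, lab in enumerate(labels) if lab in attrs]
    if not idx:
        return None
    width = len(rows[0])
    # Unknown coefficients w_i, one per selected row: sum_i w_i * A[i] = (1, 0, ..., 0).
    system = [[rows[i][j] for i in idx] for j in range(width)]
    w = solve_mod_p(system, [1] + [0] * (width - 1))
    if w is None:
        return None
    return sum(wi * shares[i] for wi, i in zip(w, idx)) % P


def run_demo(secret=424242, seed=7):
    """Share `secret` under POLICY and try four constructed attribute sets."""
    rows, labels = build_lsss(POLICY)
    shares = share(rows, secret, random.Random(seed))
    trials = [
        {"doctor", "cardiology"},                # satisfies the policy
        {"doctor", "hospital_A", "senior"},      # satisfies the policy
        {"doctor", "senior"},                    # neither cardiology nor hospital_A
        {"cardiology", "hospital_A", "senior"},  # not a doctor
    ]
    return [reconstruct(rows, labels, shares, t) for t in trials]
```

`run_demo()` returns the secret twice and then `None` twice, which is exactly the accept/reject behaviour the access structure must enforce before any decryption key material is reconstructed.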


4.2.2 Bilinear maps

An admissible symmetric pairing function $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_T$ has to be bilinear, non-degenerate and efficiently computable. $\mathbb{G}_1$ and $\mathbb{G}_T$ are two multiplicative subgroups of a finite field, and they have the same order $N$.

4.2.3 Complexity Assumptions

Our proposal is based on three cryptographic assump-tions detailed as follows:

Definition 1. Discrete Logarithm Problem (DLP)

Given a generator $g$ of a multiplicative cyclic group $\mathbb{G}$ of order $N$, and given the public element $y = g^x \in \mathbb{G}$, the problem of finding $x$ is called the Discrete Logarithm Problem.

Definition 2. Computational Diffie-Hellman problem (CDH)

Given a generator $g$ of a multiplicative cyclic group $\mathbb{G}$ of order $N$, and given two group elements $g^a \in \mathbb{G}$ and $g^b \in \mathbb{G}$ where $a, b \in \mathbb{Z}_N$ are two secrets, the problem of computing $g^{ab}$ from $g^a$ and $g^b$ is called the Computational Diffie-Hellman problem.

Definition 3. Decisional Diffie-Hellman problem (DDH)

Given a generator $g$ of a multiplicative cyclic group $\mathbb{G}$ of order $N$, and given two group elements $g^a \in \mathbb{G}$ and $g^b \in \mathbb{G}$ where $a, b \in \mathbb{Z}_N^*$ are two secrets, the problem of distinguishing between tuples of the form $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$ for some random integer $c$ is called the Decisional Diffie-Hellman problem.

5 PABAC: PROPOSED SOLUTION

5.1 Motivation

In order to achieve fine grained and privacy preserving access control to outsourced data in cloud storage, we combine two recent cryptographic techniques, CP-ABE and ABS. The choice of attribute based cryptography (ABC) is motivated by several reasons. First, we benefit from an easier key management system, thanks to the certificate-free feature of ABC. Second, ABC permits deriving public keys with no need for prior computation of the corresponding private keys. That is, contrary to traditional public key derivation schemes, ABC does not require generating the private key before the public key. Indeed, users only have to generate the access structure and the related enciphering key to encrypt data before storage.

CP-ABE is much more appropriate for data outsourcing, since it enables the data owner to generate an access tree over selected attributes. Thanks to its flexibility in specifying different access rights for each individual user, ABE is considered one of the public key primitives best suited to one-to-many communications. That is, data are encrypted under a set of attributes so that multiple users who possess proper keys can decrypt. This potentially makes encryption and key management more efficient. Moreover, the enciphering entity is not required to know the access control list.

In order to protect the requesting entity's privacy, PAbAC relies on using Attribute based Signatures (ABS). In ABS, messages are signed with respect to an access structure. Thus, the CSP verifies that the requesting user, having a set of attributes satisfying the access tree, has indeed authenticated the message, without revealing his identity or the set of attributes used in the signing procedure.

Our PAbAC framework is based on an original use of the identity based signature scheme presented by Waters (Waters, 2005), combined with the decentralized Attribute Based Encryption introduced by Lewko and Waters (Lewko and Waters, 2011), to achieve an extension of Waters' scheme to a multi-authority attribute based encryption. This novel encryption scheme presented by PAbAC supports the issuance of a set of attributes obtained from the same authority. Moreover, PAbAC introduces an original multi-authority attribute based signature scheme based on an extension of Waters' identity based signature adapted to the multi-authority ABE encryption. Thus, PAbAC presents lower computation costs, especially at the client side, compared with the other access control schemes. The different notations used in this paper are listed in Table 1.

Table 1: The different notations used in this paper

Notation   Description
SU         Set of users' attributes
S_j        Set of attributes certified by the attribute authority AA_j
skS_j      Secret keys related to the set of attributes S_j obtained from the attribute authority AA_j
AA         Attribute Authority
DF         Data file
O          Data Owner
U          User
ED         Encrypted data file
ψ          Access policy


5.2 Overview

In PAbAC, there are two main actors: a data owner (O) and data users (U). The data owner first defines an access structure ψ that points out who can access the outsourced data with respect to a set of attributes. Then, the data file is encrypted under the access structure ψ, based on an attribute based encryption algorithm, and the data owner stores the encrypted data in the cloud. When a user wants to access the outsourced data file, he first has to authenticate with the cloud. For this purpose, he has to sign a random message, obtained from the cloud, under the access structure ψ associated with the outsourced data file. Afterwards, the cloud verifies the correctness of the received signature before sending the requested elements, namely the encrypted data file.

We suppose that each cloud user has already obtained the private keys related to his attributes from the corresponding attribute authorities. For an e-health use case, an attribute authority may be the hospital administration issuing the affiliation card of each doctor (i.e. the professional card contains a set of attributes such as the name of the doctor, his affiliation, his serial number, ...).

Based on the required attributes, specified in the access structure ψ, the requesting user selects the related private keys in order to decrypt the encrypted data file.

Our PAbAC proposal is defined upon the following seven algorithms. It involves three procedures on the basis of two phases. During the first phase, the system initialisation procedure SYS INIT is executed. The second phase occurs when the data owner wants to share data files with other cloud users, based on both the data storage procedure STORE and the data retrieval procedure BACKUP.

The SYS INIT procedure consists of three randomized algorithms: the generation of the public parameters related to the involved attribute authorities, referred to as setup and setupauth, and the generation of users' private keys, denoted by keygen.

The STORE procedure presents the data storage scenario. It consists of the encdata algorithm for the encryption of data files.

For the data retrieval scenario, the BACKUP procedure deals with the user's authentication, namely sign and verif, and the data decryption algorithm referred to as decdata.

5.3 System Initialisation Procedure

The SYS INIT procedure consists of three randomized algorithms, defined as follows:

• setup – this randomized algorithm takes as input the security parameter λ. It outputs the global public parameters PP defined as follows:

$PP = \{G_1, G_T, N, h, e, u_0, \cdots, u_n\}$

where $G_1$ and $G_T$ are two multiplicative groups of order $N$, $e : G_1 \times G_1 \rightarrow G_T$ is a bilinear map, $g, h$ are generators of $G_1$ and $\{u_0 = g, \cdots, u_n\}$ are generators of $G_1$ randomly chosen such that $u_i = g^{r_i}$.

• setupauth – the setupauth algorithm is executed by an attribute authority AA. It takes as input the public parameters PP and outputs the pair of private and public keys $(sk_A, pk_A)$, where $sk_A$ corresponds to a random value $\alpha$, and the related public key $pk_A$ is defined as follows:

$pk_A = \{e(g_1, g_1)^{\alpha}\}$

• keygen – this algorithm is performed by an attribute authority $AA_j$. It takes as input the global parameters PP, the attribute authority's secret key $\{sk_A\}$, a random value $t \in \mathbb{Z}_p$ and a set of attributes $S_j = \{a_1, \cdots, a_{n_j}\}$, where $n_j$ is the number of attributes of $S_j$. It outputs the secret key $sk_{S_j}$ related to the set of attributes $S_j$, as depicted by Algorithm 1.

Algorithm 1 keygen procedure

1: Input: the global parameters PP, the attribute authority's secret key $\{sk_{A_j}\}$ and a set of attributes $S_j$
2: Output: the secret key $sk_{S_j}$ related to the set of attributes $S_j$
3: $K \leftarrow g_1^{\alpha} \cdot h^{t}$;
4: $L \leftarrow g_1^{t}$;
5: $sk_{S_j} \leftarrow \{K, L\}$;
6: for all $i \in [1 \ldots n_j]$ do
7:   $K_i \leftarrow u_i^{t}$;
8:   $sk_{S_j} \leftarrow sk_{S_j} \cup K_i$;
9: end for
10: return $sk_{S_j}$

5.4 Data Storage Procedure

To outsource a data file (DF) to the cloud, the data owner (O) performs the STORE procedure. For this purpose, he first defines an access policy ψ and selects the attributes needed to satisfy it. We note that the access policy ψ is described in terms of a monotonic boolean formula. We represent the boolean formula as an access tree where the interior nodes are AND and OR gates, and the leaf nodes correspond to attributes, as detailed in Section 4.2. Thus, the access policy corresponds to the couple $(A, \rho)$ where $A$ is an $n \times l$ access matrix and $\rho$ is the function that maps the matrix rows to the required attributes. These attributes have to be obtained from a certified Attribute Authority (AA) that is responsible for issuing the required attributes.

After defining the access structure $(A, \rho)$, the data owner encrypts the data file DF, based on the encdata algorithm. We note that our encryption algorithm relies on the decentralized Lewko and Waters ABE scheme (Lewko and Waters, 2011). That is, we extend the (Lewko and Waters, 2011) proposal to support deriving a set of private keys related to a set of attributes from each single attribute authority, while preserving users' privacy with respect to the involved attribute authorities.

The STORE procedure consists of the encdata algorithm, defined as follows:

• encdata – the encryption algorithm encdata is executed by the data owner. It takes as input the attribute authorities' public keys $\{pk_A\}$, the data file DF, the public parameters PP and the access policy $(A, \rho)$. The encdata algorithm outputs the ciphertext as a tuple $ED = (C_0, C_{1,i}, C_{2,i}, C_{3,i})_{i \in \{1, n\}}$ (where $i$ denotes the matrix row corresponding to attribute $i$) defined as follows:

$C_0 = DF \cdot e(g_1, g_1)^{s}$ (1)

$C_{1,i} = e(g_1, g_1)^{\lambda_i}$ (2)

$C_{2,i} = g_1^{p_i}$ (3)

$C_{3,i} = g_1^{p_i} \, g_1^{w_i} \, u_i^{p_i}$ (4)

where $p_i, s \in \mathbb{Z}_N$ are random values selected by the data owner, $\lambda_i = \vec{A_i} \cdot \vec{v}$ where $\vec{v} \in \mathbb{Z}_N^{l}$ is a random vector with $s$ as its first entry, and $w_i = \vec{A_i} \cdot \vec{\tau}$ where $\vec{\tau} \in \mathbb{Z}_N^{l}$ is a random vector with $0$ as its first entry.

Figure 2 depicts the storage procedure STORE of the PAbAC framework.

5.5 Data Backup Procedure

For the data retrieval scenario, the BACKUP procedure starts with the user's authentication, with respect to the sign and verif algorithms, and is completed by the data decryption algorithm referred to as decdata. Figure 3 presents the different interactions between the cloud provider and the requesting user for the data access procedure. We detail, in Section 5.5.1, the different algorithms for user authentication with the cloud provider upon requesting access to an outsourced data file ED. Then, we present, in Section 5.5.2, the algorithm needed for decrypting the outsourced data file.

Figure 2: PAbAC data storage procedure STORE

Figure 3: PAbAC data backup procedure BACKUP

5.5.1 Anonymous User Authentication

When a user (U) wants to access the encrypted data file (ED) outsourced by the data owner, the CSP first has to authenticate the user with respect to the access tree ψ associated with the encrypted data file. To do so, the cloud provider sends a random value m which consists of the cloud provider identity concatenated with the current time (i.e. m is assumed to be different for each authentication session). The requesting user then has to sign the received value m with respect to the signing predicate ψ, and sends his signature to the cloud provider. We note that if the verification fails, the user cannot access the data and the cloud provider does not send the encrypted data file. The anonymous authentication procedure consists of two algorithms, defined as follows:

• sign – this algorithm takes as input the global public parameters PP, a random token m, a signing policy ψ and the set of attributes' secret keys $\{sk_{S_j}\}$ that satisfies the signing predicate. It outputs a signature σ.
In fact, the user first selects the subset of his attributes $S_U$ that satisfies the signing predicate ψ, such that $\psi(S_U) = 1$, and signs the received value m. The user finally sends the signature σ to the cloud provider, who checks the resulting signature. Thus, the user first converts ψ to its corresponding monotone span program $A$, which is an $n \times l$ access matrix, with respect to the row labeling function $\rho : [n] \rightarrow S_U$. In addition, he computes the vector $\vec{y}$ such that $\psi(S_U) = 1$ and $\vec{y} \cdot \vec{A} = [1, 0, \cdots, 0]$. In order to sign the random token m, the requesting user first randomizes his secret key $sk_{S_j}$ as follows:

$K' = K h^{t'} = g_1^{\alpha} h^{t + t'}$ (5)

$L' = L g_1^{t'} = g_1^{t + t'}$ (6)

$K'_i = K_i u_i^{t'} = u_i^{t + t'}, \; \forall i \in S_U$ (7)

In the sequel, the requesting user's new private key is defined by $\{sk'_{S_j}\}$ such that $\{sk'_{S_j}\} = \{(K', L', K'_i)\}$. Then, for each $i \in [1, n]$, the signer computes $x_i = (L')^{y_i}$ and sets $z = \prod_{i=1}^{n} (K'_{\rho(i)})^{y_i}$. Afterwards, the signer generates a random $r \in \mathbb{Z}_N$ and computes:

$\sigma_1 = z K' g_1^{m r}$ (8)

$\sigma_2 = g_1^{r}$ (9)

Finally, the signature for the message m generated by the user with respect to the signing policy $(A, \rho)$ is set as follows:

$\sigma = (x_1, \cdots, x_n, \sigma_1, \sigma_2)$ (10)

• verif – this algorithm is a deterministic algorithm which takes as input an ordered list of attribute authorities' public keys $\{pk_A\}$, a random token m, a signature σ and a signing predicate ψ corresponding to $(A, \rho)$, and outputs accept if σ is valid on m under the access policy $(A, \rho)$ or reject otherwise. The CSP computes the vector $\vec{\beta} = [\beta_1 = 1, \beta_2, \cdots, \beta_n]$, such that $\{\beta_i\}_{i \in [2, n]}$ are randomly chosen, and computes $\mu_i = \sum_{j=1}^{l} \beta_j A_{i,j}$. The cloud server accepts the signature if the following equation holds:

$e(g_1, \sigma_1) \stackrel{?}{=} pk_A \cdot e(g_1^{m}, \sigma_2) \cdot \prod_{i=1}^{n} e(h^{\mu_i} u_{\rho(i)}, x_i)$ (11)

The correctness of the signature algorithm is detailed in Section 6.4.

5.5.2 Data Retrieval

The data retrieval procedure consists of the decdata algorithm, defined as follows:

• decdata – this algorithm takes as input the user's secret decryption key $\{sk_{S_j}\}$, the public parameters PP and the ciphertext ED, and outputs the original data file DF. If the requesting user has the required private keys $\{sk_{S_j}\}$ for a subset of rows $A_i$ of $A$ such that $[1, 0, \cdots, 0]$ is in the span of these rows, then the user proceeds as follows. For each matrix row $i$, the user computes:

$\frac{C_{1,i} \cdot e(L, C_{3,i})}{e(L K_i, C_{2,i})} = e(g_1, g_1)^{\lambda_i} \, e(g_1^{t}, g_1)^{w_i}$ (12)

$\prod_i \left( e(g_1, g_1)^{\lambda_i} \, e(g_1^{t}, g_1)^{w_i} \right)^{c_i} = e(g_1, g_1)^{s}$ (13)

where $c_i \in \mathbb{Z}_N$ are constants such that $\sum_i c_i \vec{A_i} = [1, 0, \cdots, 0]$. Then, the data file DF can be obtained as follows:

$DF = C_0 / e(g_1, g_1)^{s}$ (14)

The proof of correctness of the decryption algorithm is detailed in Section 6.4.
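The linear secret sharing layer that both encdata and decdata rest on (the shares $\lambda_i = \vec{A_i} \cdot \vec{v}$ and $w_i = \vec{A_i} \cdot \vec{\tau}$ of Equations (1) to (4), and the reconstruction constants $c_i$ of Equation (13)) can be exercised on its own, as in the following added example. It is not code from the paper: it assumes a prime toy modulus N in place of the group order, builds $(A, \rho)$ from a monotone AND/OR formula with the labelling algorithm Lewko and Waters use to turn a boolean formula into a monotone span program, and finds the $c_i$ by Gauss-Jordan elimination modulo N. The attribute names and the policy are constructed for the example; the e-health flavour follows the paper's own use case.

```python
"""Added example (not from the paper): the LSSS sharing and reconstruction
behind encdata (lambda_i, w_i) and decdata (the constants c_i).

ASSUMPTION: N is a prime toy modulus standing in for the group order, so that
Gaussian elimination modulo N is well defined."""
from typing import Dict, List, Optional, Tuple
import random

N = 2**61 - 1  # ASSUMPTION: prime toy modulus


def policy_to_matrix(policy) -> Tuple[List[List[int]], List[str]]:
    """Monotone boolean formula -> (A, rho).

    policy is an attribute name or ("AND", left, right) / ("OR", left, right).
    Labelling follows the Lewko-Waters conversion: the root gets (1); an AND node
    with label v (padded to the current length c) gives its children v|1 and
    0^c|-1 and increments c; an OR node passes v to both children. Each leaf is
    one row of A and rho maps that row to the leaf's attribute."""
    rows: List[Tuple[List[int], str]] = []
    counter = [1]  # current vector length c

    def walk(node, vec):
        if isinstance(node, str):
            rows.append((vec, node))
            return
        gate, left, right = node
        if gate == "OR":
            walk(left, vec)
            walk(right, vec)
        elif gate == "AND":
            c = counter[0]
            padded = vec + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown gate {gate!r}")

    walk(policy, [1])
    l = counter[0]
    A = [[x % N for x in vec + [0] * (l - len(vec))] for vec, _ in rows]
    rho = [attr for _, attr in rows]
    return A, rho


def share(A, secret: int) -> List[int]:
    """Row shares A_i . vec for a random vector whose first entry is `secret`.

    secret = s gives the lambda_i of Equation (2); secret = 0 gives the w_i of
    Equation (4)."""
    l = len(A[0])
    vec = [secret % N] + [random.randrange(N) for _ in range(l - 1)]
    return [sum(a * x for a, x in zip(row, vec)) % N for row in A]


def reconstruction_coeffs(A, rho, attrs) -> Optional[Dict[int, int]]:
    """Constants {i: c_i} with sum_i c_i A_i = [1,0,...,0] (mod N), using only
    rows whose attribute is in `attrs`; None when attrs does not satisfy the policy.

    Solves the l x k system A_S^T c = e_1 by Gauss-Jordan elimination modulo N."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    l, k = len(A[0]), len(idx)
    # Augmented row j: coefficients of c over the chosen rows, then the target e_1[j].
    M = [[A[i][j] for i in idx] + [1 if j == 0 else 0] for j in range(l)]
    pivots: List[Tuple[int, int]] = []  # (row, column) of each pivot
    r = 0
    for col in range(k):
        p = next((i for i in range(r, l) if M[i][col]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][col], -1, N)
        M[r] = [(x * inv) % N for x in M[r]]
        for i in range(l):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % N for x, y in zip(M[i], M[r])]
        pivots.append((r, col))
        r += 1
        if r == l:
            break
    if any(M[i][k] for i in range(r, l)):  # a row 0 = non-zero: e_1 is not in the span
        return None
    c = [0] * k  # free variables (columns without a pivot) are set to 0
    for row, col in pivots:
        c[col] = M[row][k]
    return {i: c[pos] for pos, i in enumerate(idx)}


def reconstruct(shares: List[int], coeffs: Dict[int, int]) -> int:
    """Equation (13) in the exponent: sum_i c_i * share_i mod N."""
    return sum(c * shares[i] for i, c in coeffs.items()) % N


if __name__ == "__main__":
    A, rho = policy_to_matrix(("AND", "doctor", ("OR", "cardiology", "oncology")))
    coeffs = reconstruction_coeffs(A, rho, {"doctor", "cardiology"})
    s = 123456789
    print(reconstruct(share(A, s), coeffs) == s, reconstruct(share(A, 0), coeffs) == 0)
    print(reconstruction_coeffs(A, rho, {"cardiology", "oncology"}))  # None
```

Running it for the policy "doctor AND (cardiology OR oncology)" shows the two facts the correctness proof in Section 6.4 relies on: for a satisfying attribute set the same constants $c_i$ recover $s$ from the $\lambda_i$ and $0$ from the $w_i$, because $\sum_i c_i \vec{A_i} = [1, 0, \cdots, 0]$ is independent of which secret was shared; for a non-satisfying set (both specialities but no doctor attribute, or the doctor attribute alone) no such constants exist, so Equation (13) has no solution.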

6 SECURITY DISCUSSION

In this section, we discuss the resistance of PAbAC against two adversaries, based on two realistic threat models, defined hereafter in Section 6.1. We prove the security of our proposed scheme with respect to the security requirements introduced in Section 2.

6.1 Threat model

For designing the most suitable security solutions for cloud sharing scenarios, we consider two adversaries: a malicious cloud user and an honest but curious cloud server.

Honest but curious cloud server adversary – this storage server honestly performs the operations defined by our proposed scheme, but it may actively attempt to gain knowledge of the outsourced sensitive data, such as access patterns.

Malicious user adversary – this attacker can be an unauthorized user. As such, he aims to get access to the outsourced shared data. The objective of a malicious user is to convince the cloud server that he is a legitimate cloud user.

6.2 Confidentiality

In our proposed PAbAC scheme, data files are stored in encrypted form on cloud servers, relying on an attribute based encryption scheme in order to ensure efficient access control. As such, data confidentiality preservation is tightly related to the security of the attribute based encryption scheme used.

Theorem 1. PAbAC guarantees the confidentiality of the outsourced data.

Proof. The proposed PAbAC framework is designed to ensure data confidentiality against both malicious users and a curious cloud provider.

In PAbAC, the data owner is in charge of encrypting his data before outsourcing them to the cloud storage server. He is also responsible for defining an access structure that points out who can access the outsourced data with respect to a set of attributes. Then, the cloud provider is responsible for sending data to requesting users after authenticating them, relying on the access policy defined by the data owner. As such, only the authorized users having the attributes that satisfy the access structure can generate the deciphering keys.

In addition, a curious cloud service provider who tries to gain knowledge about an outsourced data file cannot access the outsourced data. As detailed in Section 5, our encryption algorithm relies on the Lewko and Waters proposal. That is, PAbAC inherits the security properties of (Lewko and Waters, 2011). In addition, data confidentiality preservation against malicious users and a curious cloud provider is ensured based on the security of our proposed access control scheme detailed in Section 6.4 and the security level of the applied encryption scheme (cf. Lemma 1).

Lemma 1. Unauthorized users cannot decrypt the encrypted data.

Proof. The proof of this lemma is equivalent to the security of the data decryption algorithm. The correctness of our decryption algorithm is as follows. A user can decrypt data if and only if he has a matching set of attributes. In fact, the access structure ψ (and hence the matrix $A$) is satisfied if and only if there exists a set of rows $A_i$ of $A$ and linear constants $c_i \in \mathbb{Z}_N$ such that $\sum_i c_i A_i = [1, 0, \cdots, 0]$. We note that

$\frac{C_{1,i} \cdot e(L, C_{3,i})}{e(L K_i, C_{2,i})}$ (15)

$= e(g_1, g_1)^{\lambda_i} \cdot \frac{e(g_1^{t}, g_1^{p_i}) \, e(g_1^{t}, g_1^{w_i}) \, e(g_1^{t}, u_i^{p_i})}{e(u_i^{t}, g_1^{p_i}) \, e(g_1^{t}, g_1^{p_i})}$ (16)

Thus

$\prod_i \left( e(g_1, g_1)^{\lambda_i} \, e(g_1, g_1)^{t w_i} \right)^{c_i} = e(g_1, g_1)^{s}$ (17)

We note that Equation (17) holds because $\lambda_i = \vec{A_i} \cdot \vec{v}$ and $w_i = \vec{A_i} \cdot \vec{\tau}$, where $\vec{v} \cdot [1, 0, \cdots, 0] = s$ and $\vec{\tau} \cdot [1, 0, \cdots, 0] = 0$. In the sequel, an authorized user can obtain the data DF as follows:

$DF = C_0 / e(g_1, g_1)^{s}$ (18)

For an unauthorized user who does not possess the secret keys related to the set of attributes required for satisfying the access policy, it is impossible to compute $\sum_i c_i \vec{A_i} = [1, 0, \cdots, 0]$ (Lewko and Waters, 2011). Thus, $e(g_1, g_1)^{s}$ cannot be calculated and the adversary cannot recover the data file DF.

6.3 Privacy

Based on an attribute based signature scheme, PAbAC ensures users' privacy against a curious cloud provider. In our proposed scheme, the requesting data user has to authenticate with the cloud provider. As such, (U) has to sign a message received from the cloud service provider with respect to the access structure defined by the data owner. The CSP is responsible for verifying the user's access rights without knowing either his identity or the attributes used to sign the message. Beyond the ABS properties, our PAbAC scheme also ensures the protection of users' identities (non-traceability property). In fact, the ABE scheme used reveals neither the encryptor's identity nor the users' attributes used in the backup phase. PAbAC inherits the non-traceability property from the Lewko encryption scheme (Lewko and Waters, 2011).

Theorem 2. The PAbAC signature scheme is a privacy preserving signature.

Proof. The PAbAC signature scheme reveals neither the identity of the signer nor the set of attributes used in signing. Our signature scheme requires that the identity of the signer remains anonymous. Thus, PAbAC ensures that a signature does not reveal more information than what can already be inferred from the signing predicate itself. The demonstration of this statement is derived from the following lemmas.

Lemma 2. PAbAC protects the user's anonymity.

Proof. In the authentication procedure, the user has to sign a random message received from the CSP. Based on the signature scheme introduced in PAbAC, the user signs the message using his private keys, which have already been randomized. Thus, the generated signature reveals neither the attributes used nor the user's private keys. Based on the hardness of the Computational Diffie-Hellman problem (CDH), the CSP cannot deduce the user's private keys related to the used attributes from the received signature $\sigma = (x_1, \cdots, x_n, \sigma_1, \sigma_2)$.


In addition, let us consider a curious cloud provider adversary that chooses a message m, a signing policy and two requesting users with two, possibly different, sets of attributes, with the condition that both sets have to satisfy the signing policy. The adversary gets a signature by either signer and wins if it correctly guesses the signer. The curious provider has a negligible advantage in winning the previous game, since the PAbAC signature scheme is based on the randomization of the signer's secret keys.

Lemma 3. PAbAC's signature scheme is unlinkable.

Proof. Let us consider that a curious cloud provider aims to deduce identifying information about a requesting user by running different authentication sessions. In the PAbAC sign algorithm, the user randomises the attributes' secret keys received from the attribute authorities as follows:

$K' = K h^{t'}$ (19)

$L' = L g_1^{t'}$ (20)

$K'_i = K_i u_i^{t'}, \; \forall i \in S_U$ (21)

Then, in every authentication session, the user generates a new signature $\sigma = (x_1, \cdots, x_n, \sigma_1, \sigma_2)$ thanks to the selected random value $t'$. Moreover, the CSP sends a random value m which consists of the cloud provider identity concatenated with the current time (i.e. m is assumed to be different for each authentication session). As such, when authenticating the same user in different authentication sessions, a curious cloud service provider cannot identify the requesting user.

6.4 Access Control to Data

PAbAC introduces a two-level access control model that combines the authentication of the requesting users and the attribute based decryption algorithm. In the following, we demonstrate that our PAbAC access control enforcement is resistant against both malicious data users and a curious cloud service provider.

Theorem 3. Authorized users can successfully authenticate and decrypt enciphered data files.

We recall that cloud users have to collect their certified attributes and the related secret keys from the attribute authorities AAs. As such, in PAbAC, only users having valid private keys related to their attributes are able to access data stored in the cloud, after successfully authenticating with the cloud server. This is due to the correctness of our encryption and signature algorithms and to the unforgeability property of the PAbAC signature scheme inherited from (Waters, 2005).

Lemma 4. Data Decryption Correctness.

Proof. After receiving his attributes' secret keys $\{sk_{S_j}\}$, the authorized user first computes:

$\frac{C_{1,i} \cdot e(L, C_{3,i})}{e(L K_i, C_{2,i})} = e(g_1, g_1)^{\lambda_i} \, e(g_1, g_1)^{t w_i}$ (22)

Then, he computes the constants $c_i \in \mathbb{Z}_N$ such that $\sum_i c_i \cdot \vec{A_i} = [1, 0, \cdots, 0]$. Then, $e(g_1, g_1)^{s}$ can be obtained as follows:

$\prod_i \left( e(g_1, g_1)^{\lambda_i} \, e(g_1, g_1)^{t w_i} \right)^{c_i}$ (23)

$= e(g_1, g_1)^{\sum_i \lambda_i c_i} \, e(g_1, g_1)^{\sum_i t w_i c_i} = e(g_1, g_1)^{s}$ (24)

Note that $\lambda_i = \vec{A_i} \cdot \vec{v}$ where $\vec{v} = [s, v_2, \cdots, v_l]$ and $w_i = \vec{A_i} \cdot \vec{\tau}$ where $\vec{\tau} = [0, \tau_2, \cdots, \tau_l]$. Consequently, $\sum_i \lambda_i c_i = s$ and $\sum_i t w_i c_i = 0$. Afterwards, the user can recover the data file DF as follows:

$DF = C_0 / e(g_1, g_1)^{s}$

Lemma 5. Data Signature Correctness.

Proof. When an authorized user wants to access outsourced data, he has to provide a correct signature, with respect to the access policy defined by the data owner, that can be verified by the CSP in an anonymous way. If $\sigma = (x_1, \cdots, x_n, \sigma_1, \sigma_2)$ is a valid signature of the message m for the predicate ψ, then

$\sigma_1 = z K' g_1^{m r}$ (25)

$= g_1^{m r} \, h^{t + t'} \, g_1^{\alpha} \prod_{i=1}^{n} \left( u_i^{(t + t')} \right)^{y_i}$ (26)

Thus

$e(g_1, \sigma_1) = e\left(g_1, \; g_1^{m r} \, h^{t + t'} \, g_1^{\alpha} \prod_{i=1}^{n} \left( u_i^{(t + t')} \right)^{y_i}\right)$ (27)

$= pk_A \cdot e(g_1, g_1^{r})^{m} \cdot e(g_1, h^{t + t'}) \cdot \prod_{i=1}^{n} e\left(g_1, u_i^{(t + t')}\right)^{y_i}$ (28)

$= pk_A \cdot e(g_1, \sigma_2)^{m} \cdot \prod_{i=1}^{n} e(x_i, h^{\mu_i} u_i)$ (29)

Note that $\mu_i = \sum_{j=1}^{l} \beta_j A_{i,j}$; the last equality is obtained by:

$\sum_{i=1}^{n} \mu_i y_i t = t \sum_{i=1}^{n} \mu_i y_i = t \cdot 1 = t$ (30)

Theorem 4. Unauthorized entities are unable to access the outsourced data files.


Lemma 6. PAbAC is secure against the collusion attack.

Proof. We recall that the unforgeability property ensures that even if requesting users collude and combine their attributes together, they cannot forge a signature that opens to a signer whose attributes do not satisfy the access policy. It also covers non-frameability and ensures that even if requesting users collude, they cannot frame a user who did not produce the signature. Similarly, malicious users cannot collude to decipher an encrypted data file if the attributes of each individual user do not satisfy the access policy defined by the data owner.

Let us consider two malicious users $U_A$ and $U_B$ having each a set of attributes $X_A$ and $X_B$ such that $X_A \cup X_B$ satisfies the access structure. Suppose that $U_A$ gets $sk_{S_1} = (K_1, L_1, K_{i1}) = (g_1^{\alpha} \cdot h^{t_1}, \; g_1^{t_1}, \; u_{i1}^{t_1})$ and $U_B$ gets $sk_{S_2} = (K_2, L_2, K_{i2}) = (g_1^{\alpha} \cdot h^{t_2}, \; g_1^{t_2}, \; u_{i2}^{t_2})$. The users collude to create a valid set of attributes and derive a secret key $sk_{S_{1 \cup 2}} = sk_{S_1} \cup sk_{S_2}$ from the combination of the two users' keys. Then, the colluding malicious users try to decrypt the data as follows:

$\frac{C_{1,i} \cdot e(L, C_{3,i})}{e(L K_i, C_{2,i})} =$ (31)

$e(g_1, g_1)^{\lambda_i} \cdot \frac{e(g_1^{t_1 + t_2}, g_1^{p_i}) \, e(g_1^{t_1 + t_2}, g_1^{w_i}) \, e(g_1^{t_1 + t_2}, u_i^{p_i})}{e(u_{i1}^{t_1} u_{i2}^{t_2}, g_1^{p_i}) \, e(g_1^{t_1 + t_2}, g_1^{p_i})}$ (32)

Afterwards, Equation (12) cannot be resolved, as detailed in (32). Thus, the malicious users cannot recover the original data.

Lemma 7. The CSP is unable to access the encrypted data files.

Proof. The CSP cannot decipher encrypted data because it does not possess the secret keys $\{sk_{S_j}\}$ required for satisfying the access policy defined by the data owner. Even if the cloud provider colludes with other unauthorized users, it cannot decrypt data, since the PAbAC scheme is collusion resistant as detailed in Section 6.4. Moreover, we suppose that the attribute authorities AAs are not hosted by the CSP. Thus, even if some attribute authorities are compromised, the CSP cannot decipher data.

Lemma 8. PAbAC is resistant to replay attacks.

Proof. In our proposed PAbAC signature scheme, the message m, sent by the CSP to the requesting user, is assumed to be different in each authentication session (i.e. m is the cloud provider's identity concatenated with the current time). In fact, for two different authentication sessions α and β, the CSP produces two different messages $m_\alpha$ and $m_\beta$ respectively. Consequently, a malicious user cannot generate a valid signature if he attempts a replay attack based on data collected from two different authentication sessions.

7 PERFORMANCE ANALYSIS

In this section, we present the computation and storage complexities of the PAbAC protocol at both the client and cloud provider sides. For this purpose, we are interested in the computations performed at the data owner side in order to execute the STORE procedure. Moreover, we consider the computation cost related to the execution of the BACKUP procedure by both the user (U) and the cloud service provider (CSP). In the following, we denote by:

• E1 : exponentiation in G1

• E : exponentiation in GT

• τP : computation of a pairing function e

Table 2 details the performance comparison with the most closely related data sharing schemes in cloud environments.

The STORE procedure consists of performing the encryption algorithm encdata. During this procedure, the data owner has to encrypt the data file. As such, he calculates one pairing function $e(g_1, g_1)$ and $n$ exponentiations $E$ in $G_T$ to compute the $C_{1,i}$, where $n$ is the number of attributes. In addition, the data owner executes $4n$ exponentiations in $G_1$ to calculate $C_{2,i}$ and $C_{3,i}$.

The BACKUP procedure is made up of three algorithms: verif, executed by the CSP, and sign and decdata, run by the data user (U). The user first signs a random message in order to authenticate with the cloud. To sign the message, the user performs $2(n+1)$ exponentiations in $G_1$. Then, he executes $2n$ pairings to calculate $e(L, C_{3,i})$ and $e(K_i \cdot L, C_{2,i})$ to decrypt the data file. In the verification phase, the CSP executes the verif algorithm. As such, the cloud provider performs $(n+2)$ pairing computations and $n+1$ exponentiations in $G_1$.

The existing access control schemes (Ruj et al., 2012), (Ruj et al., 2011), (Ruj et al., 2014) are based on Lewko's decentralized attribute based encryption scheme (Lewko and Waters, 2011). During the encryption phase, the data owner has to perform one pairing function $e(g_1, g_1)$ and $2n$ exponentiations in $G_T$ to calculate the $C_{1,i}$. In addition, to calculate $C_{2,i}$ and $C_{3,i}$, the data owner performs $3n$ exponentiations in $G_1$. In the data decryption phase, the data user performs $n$ exponentiations in $G_T$ and $2n$ pairing functions.

Zhao et al.'s proposal (Zhao et al., 2011) is based on the CP-ABE scheme proposed by Bethencourt et al. (Bethencourt et al., 2007). To encrypt the data file, the data owner performs $(2n+1)$ exponentiations in $G_1$ and one exponentiation in $G_T$. While decrypting data, the user performs $n+1$ exponentiations in $G_T$ and $2n+1$ pairing functions. The proposals (Ruj et al., 2012), (Zhao et al., 2011), (Ruj et al., 2014) are based on the attribute based signature scheme proposed by (Maji et al., 2011). In order to sign the message, the user performs $2 + 3n + 2nl$ exponentiations in $G_1$, where $n$ is the number of rows of the access matrix $A$ and $l$ is the number of columns of $A$. In the verification phase, the CSP has to perform $3 + 2n$ pairing functions and $2nl + 1$ exponentiations in $G_1$.

Table 2: Performances Comparison for Different Access Control Mechanisms in Cloud Data Storage Environments

Scheme               Data Owner Comp.        CSP Comp.                 User Comp.
(Zhao et al., 2011)  E + (2n+1)E1            τP(3+2n) + (2nl+1)E1      (2+3n+2nl)E1 + (2n+1)τP + (n+1)E
(Ruj et al., 2012)   3nE1 + (2n+1)E + τP     τP(3+2n) + (2nl+1)E1      (2+3n+2nl)E1 + 2nτP + nE
(Ruj et al., 2011)   3nE1 + (2n+1)E + τP     --                        2nτP + nE
(Ruj et al., 2014)   3nE1 + (2n+1)E + τP     τP(3+2n) + (2nl+1)E1      (2+3n+2nl)E1 + 2nτP + nE
PAbAC                (n+1)E + 4nE1 + τP      (2+n)τP + (n+1)E1         2(n+1)E1 + 2nτP + nE

8 CONCLUSIONS

The growing need for secure cloud sharing services and the attractive properties of Attribute based Cryptography led us to combine them, thus defining an innovative solution to the data outsourcing security and efficiency issues.

In this paper, we design a privacy preserving attribute based framework for fine grained access control, for dynamic groups in untrusted cloud storage environments. Our approach ensures the confidentiality of outsourced data in public untrusted cloud servers and defines efficient data sharing in dynamic groups. That is, flexible access control policies are enforced among users belonging to separate groups with different privileges. Our theoretical performance analysis shows the efficiency of PAbAC in scalable data sharing, while considering the impact of the cryptographic operations at both the client and the cloud provider sides.

ACKNOWLEDGEMENTS

This work is a part of the MOBIDOC project achieved under the PASRI program, funded by the European Union and administered by the ANPR.

REFERENCES

Health Insurance Portability and Accountability Act (HIPAA). https://www.hipaa.com/about/.

Beimel, A. (1996). Secure schemes for secret sharing and key distribution. PhD thesis, Technion-Israel Institute of Technology, Faculty of Computer Science.

Benaloh, J., Chase, M., Horvitz, E., and Lauter, K. (2009). Patient controlled encryption: ensuring privacy of electronic medical records. In The 2009 ACM Workshop on Cloud Computing Security, pages 103–114. ACM.

Bethencourt, J., Sahai, A., and Waters, B. (2007). Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Privacy, 2007, pages 321–334.

Bobba, R., Fatemieh, O., Khan, F., Gunter, C., Khurana, H., et al. (2006). Using attribute-based access control to enable attribute-based messaging. In The 22nd Annual Computer Security Applications Conference, pages 403–413. IEEE.

Chaum, D. and Van Heyst, E. (1991). Group signatures. In Advances in Cryptology – EUROCRYPT '91, pages 257–265. Springer.

Di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi, S., Pelosi, G., and Samarati, P. (2010a). Encryption-based policy enforcement for cloud storage. In Distributed Computing Systems Workshops (ICDCSW), 2010 IEEE 30th International Conference on, pages 42–51. IEEE.

Di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi, S., and Samarati, P. (2007). Over-encryption: management of access control evolution on outsourced data. In Proceedings of the 33rd International Conference on Very Large Data Bases, pages 123–134. VLDB Endowment.

Di Vimercati, S. D. C., Foresti, S., Livraga, G., and Samarati, P. (2015). Selective and private access to outsourced data centers. In Handbook on Data Centers, pages 997–1027. Springer.

Di Vimercati, S. D. C. D., Foresti, S., Jajodia, S., Paraboschi, S., and Samarati, P. (2010b). Encryption policies for regulating access to outsourced data. ACM Transactions on Database Systems (TODS), 35(2):12.

El Kaafarani, A., Chen, L., Ghadafi, E., and Davenport, J. (2014a). Attribute-based signatures with user-controlled linkability. In Cryptology and Network Security, pages 256–269. Springer.

El Kaafarani, A., Ghadafi, E., and Khader, D. (2014b). Decentralized traceable attribute-based signatures. In Topics in Cryptology – CT-RSA 2014, pages 327–348. Springer.

Frikken, K. B., Li, J., and Atallah, M. J. (2006). Trust negotiation with hidden credentials, hidden policies, and policy cycles. In NDSS. Citeseer.

Ghadafi, E. (2015). Stronger security notions for decentralized traceable attribute-based signatures and more efficient constructions. In Topics in Cryptology – CT-RSA 2015, pages 391–409. Springer.

Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006). Attribute-based encryption for fine-grained access control of encrypted data. In The 13th ACM Conference on Computer and Communications Security, pages 89–98.

Horvath, M. (2015). Attribute-based encryption optimized for cloud computing. In SOFSEM 2015: Theory and Practice of Computer Science, pages 566–577. Springer.

Horwitz, J. and Lynn, B. (2002). Toward hierarchical identity-based encryption. In Advances in Cryptology – EUROCRYPT 2002, pages 466–481. Springer.

Hur, J. and Noh, D. K. (2011). Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Transactions on Parallel and Distributed Systems, 22(7):1214–1221.

Jahid, S., Mittal, P., and Borisov, N. (2011). Easier: Encryption-based access control in social networks with efficient revocation. In The 6th ACM Symposium on Information, Computer and Communications Security, pages 411–415. ACM.

Kaaniche, N., Boudguiga, A., and Laurent, M. (2013). ID based cryptography for cloud data storage. In 2013 IEEE Sixth International Conference on Cloud Computing, pages 375–382. IEEE.

Kaaniche, N., Laurent, M., and El Barbori, M. (2014). Cloudasec: A novel public-key based framework to handle data sharing security in clouds. In 11th IEEE International Conference on Security and Cryptography (Secrypt).

Karchmer, M. and Wigderson, A. (1993). On span programs. In Structure in Complexity Theory Conference, pages 102–111.

Lewko, A. and Waters, B. (2011). Decentralizing attribute-based encryption. In Advances in Cryptology – EUROCRYPT 2011, pages 568–588. Springer.

Maji, H. K., Prabhakaran, M., and Rosulek, M. (2011). Attribute-based signatures. In Topics in Cryptology – CT-RSA 2011, pages 376–392. Springer.

Okamoto, T. and Takashima, K. (2013). Decentralized attribute-based signatures. In Public-Key Cryptography – PKC 2013, pages 125–142. Springer.

Raykova, M., Zhao, H., and Bellovin, S. (2012). Privacy enhanced access control for outsourced data sharing. In Financial Cryptography and Data Security, volume 7397, pages 223–238.

Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How to leak a secret. In Advances in Cryptology – ASIACRYPT 2001, pages 552–565. Springer.

Ruj, S., Nayak, A., and Stojmenovic, I. (2011). DACC: Distributed access control in clouds. In IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 91–98.

Ruj, S., Stojmenovic, M., and Nayak, A. (2012). Privacy preserving access control with authentication for securing data in clouds. In The 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), 2012, pages 556–563. IEEE.

Ruj, S., Stojmenovic, M., and Nayak, A. (2014). Decentralized access control with anonymous authentication of data stored in clouds. IEEE Transactions on Parallel and Distributed Systems, 25(2):384–394.

Sahai, A. and Waters, B. (2005). Fuzzy identity-basedencryption. In EUROCRYPT 2005, pages 457–473.Springer.

Wan, Z., Liu, J. E., and Deng, R. H. (2012). Hasbe: a hierar-chical attribute-based solution for flexible and scalableaccess control in cloud computing. IEEE Transactionson Information Forensics and Security, 7(2):743–754.

Wang, G., Liu, Q., and Wu, J. (2010). Hierarchical attribute-based encryption for fine-grained access control incloud storage services. In The 17th ACM conferenceon Computer and communications security, pages735–737. ACM.

Wang, W., Li, Z., Owens, R., and Bhargava, B. (2009). Se-cure and efficient access to outsourced data. In The2009 ACM workshop on Cloud computing security,pages 55–66. ACM.

Waters, B. (2005). Efficient identity-based encryption with-out random oracles. In Advances in Cryptology–EUROCRYPT 2005, pages 114–127. Springer.

Yu, S., Wang, C., Ren, K., and Lou, W. (2010a). Achievingsecure, scalable, and fine-grained data access controlin cloud computing. In INFOCOM IEEE Proceedings2010, pages 1–9.

Yu, S., Wang, C., Ren, K., and Lou, W. (2010b). Attributebased data sharing with attribute revocation. In The5th ACM Symposium on Information, Computer andCommunications Security, pages 261–270.

Zhao, F., Nishide, T., and Sakurai, K. (2011). Realizingfine-grained and flexible access control to outsourceddata with attribute-based cryptosystems. In Informa-tion Security Practice and Experience, pages 83–97.Springer.

Zunnurhain, K. (2012). Fapa: a model to prevent floodingattacks in clouds. In The 50th Annual Southeast Re-gional Conference, pages 395–396. ACM.