 Research
 Open access
 Published:
An efficient traceable access control scheme with reliable key delegation in mobile cloud computing
EURASIP Journal on Wireless Communications and Networking volumeÂ 2016, ArticleÂ number:Â 208 (2016)
Abstract
With the increasing number of mobile applications and the popularity of cloud computing, the combination of these two techniques that named mobile cloud computing (MCC) attracts great attention in recent years. However, due to the risks associated with security and privacy, mobility security protection in MCC has become an important issue. In this paper, we propose an efficient traceable access control scheme with reliable key delegation named KDTABE in MCC. Firstly, we present a traceable CPABE system and realize key delegation without loss of traceability. Secondly, a new type of reencryption method is proposed, which is based on an intuitive method that supports any monotonic access tree instead of the reencryption key. Lastly, to reduce trust on authority, we separate the authority into three parts, and each authority is responsible for generating different components of the key. The analysis shows that the proposed scheme can meet the security requirement of MCC. In addition, it cost less compared with the other popular models.
1 Introduction
With the increasing number of mobile applications and the popularity of cloud computing, the combination of these two techniques that named mobile cloud computing (MCC) attracts great attention listed by in recent years [1, 2]. MCC is a service that allows mobile users constrained with resources to adaptively adjust processing and storing capabilities by transparently partitioning and offloading the computationally intensive and storage demanding jobs on traditional cloud resources by providing ubiquitous wireless access [2]. In the former mobile computing paradigm, there are some problems such as resource scarcity, frequent disconnections, and mobility. With the support of MCC, the aforementioned problems can be addressed and the mobile users can achieve seamless access and handover for services, since mobile applications are executed on resource providers external to the mobile device.
However, the concerns with data privacy and security threats have become an obstacle to hinder MCC from being widely used [3]. According to the recent survey conducted by the International Data Corporation, most IT Executives and CEOs are not interested in adopting such services due to the risks associated with security and privacy [4, 5]. Therefore, it is necessary to eliminate the potential security threats in MCC.
Lots of researchers devote to security issues in MCC, such as secure MCC framework [4], access control [6â€“8], authentication [9], trust [10], and so on. The abovementioned works all focus on protecting MCC from external security threats. In [11], Liu et al. take insider threats into consideration and propose a solution named traceable ciphertextpolicy attributebased encryption (CPABE), which can trace the malicious users or traitors who intentionally leak the partial or modified decryption keys for profits. While, in traceable CPABE, key delegation is not supported, as they consider that key delegation will prevent most of the expressive ABE systems and their variants from being traceable [11]. Without key delegation, each new user has to apply to the authority for his own unique key. The overhead will be very heavy due to the large number of mobile users in MCC. In this paper, we propose an efficient traceable access control scheme with reliable key delegation named Key DelegationTraceable Attributed Based Encryption (KDTABE) to tackle with the aforementioned problems. And, the main contributions of this paper can be summarized as follows:

We construct a traceable CPABE system with the access tree and realize the key delegation at servers without loss of traceability. We encrypt some components of the key to prevent the key from being maliciously delegated by malicious users or traitors.

We propose a new type of reencryption method, which is based on an intuitive method that supports any monotonic access tree, instead of the reencryption key.

To reduce trust on authority, we separate the authority into three parts, and each authority is responsible for generating different components of the key. One is trusted and responsible for user identity management; the other two are semitrusted and responsible for generating temporary parameters.
The rest of this paper is organized as follows. Section 2 introduces the related work. Then, in Section 3, some preliminaries have been given. Our scheme is stated in Section 4. In Section 5, security analysis has been provided. In Section 6, we evaluate the performance of the proposed schema. Finally, the paper is concluded in Section 7.
2 Related work
Attributebased encryption (ABE) is firstly proposed by Sahai and Brent in [12]. A userâ€™s identity is viewed as a set of descriptive attributes, the attributes are taken as public key, and the ciphertext will be decrypted as long as the number of userâ€™s attributes reaches a certain value which is set in the encryption process. Since then, ABE has become a research focus of the public key encryption field. Very soon afterwards, two ABE variants are proposed: keypolicy attributebased encryption (KPABE) and CPABE. In KPABE scheme [13], the data access policy (denoted as Au_KP) is specified by data users; the ciphertext is labeled by a set of attributes (denoted as A_o). The data user can decrypt the ciphertext only if A_o satisfies A_KP. While, in CPABE scheme [14], the data access policy (denoted as Ao_CP) is specified by data owners; the key is relevant to the attribute set A_u (A_u is holded by the data user). Only if A_u satisfies A_CP can the ciphertext be decrypted. Both KPABE and CPABE can achieve data confidentiality and finegrained access control.
However, ABE allows users to share the same sets of attributes, and the decryption keys are generated with attributes sets without any identification information, which cause a problem: once the malicious key delegation happens, we cannot determine the ownerâ€™s identification of the given key. To address this problem, there are two main ideas: one is to prevent the key from being cloned and misused, just like [15â€“19], the other one is to provide traceability, proposed and improved in [20â€“25]. In [20], the scheme proposes methods to trace the source of leaks and traitors in broadcast encryption; an index identifying a user is the foundation of realizing traceability. In [25], Ma et al. propose a new notion called multiauthority attributebased traitor tracing. A pair of elements is introduced to describe a user, one represents its attribute set while the other one indicates its identity information. Based on the white box traceable CPABE [11], Liu et al. propose the black box traceable CPABE in 2015 [26]. In [11], the traceability is added to the CPABE scheme without weakening its security. Although the length of the ciphertext and decryption key is changed, the overhead is not increased significantly. In [27], the whitebox traceable CPABE in large universe is realized and the storage for traitor tracing is constant. Katz et al. introduce the traceability into predicate encryption schemes in [28], which has the general applicability. Ning et al. firstly propose an accountable authority CPABE scheme that supports white box traceability in [29], which solved two types of key abuse problems simultaneously.
There are several studies on ciphertext delegation, and one of the approaches is to utilize proxy reencryption. The proxy reencryption(PRE) technique encrypts the ciphertexts with reencryption keys and makes it possible for users to decrypt the reencrypted ciphertexts with their own original decryption keys without changing. In [30], Luo et al. realize proxy reencryption in CPABE scheme, with ANDgates that support multivalue attributes, negative attributes, and wildcards, the encryptor could choose any ciphertext to reencrypt as they like. Lai et al. formalize a new cryptographic primitive called adaptable ciphertextpolicy attributebased encryption, which allows a semitrusted proxy to modify a ciphertext under one access policy into another one of the same plaintext under any other access policies [31]. In [32, 33], Kaitai Liang et al. further optimize the system security and integrate the dual system encryption technology to realize the adaptively CCA secure in the standard model.
Table 1 shows the comparison between our work and other related works.
3 Preliminaries
3.1 Bilinear maps and complexity assumptions
Let G _{0} and G _{1} be two multiplicative cyclic groups of prime order p and g be the generator of G _{0.}
The bilinear map e is, e:G _{0}â€‰Ã—â€‰G _{0}â€‰â†’â€‰G _{1},â€‰for all a,â€‰bâ€‰âˆˆâ€‰â„¤ _{ p }:

1.
Bilinearity: âˆ€u,â€‰vâ€‰âˆŠâ€‰G _{1},â€‰e(u ^{a},â€‰v ^{b})â€‰=â€‰e(u,â€‰v)^{ab}

2.
Nondegeneracy: e(g,â€‰g)â€‰â‰ â€‰1

3.
Symmetric: e(g ^{a},â€‰g ^{b})â€‰=â€‰e(g,â€‰g)^{ab}â€‰=â€‰e(g ^{b},â€‰g ^{a})
Definition 1 Discrete logarithm (DL) problem:
Let G be a multiplicative cyclic group of prime order p and g be its generator, given yâ€‰âˆŠâ€‰_{ R } G as input, try to get xâ€‰âˆˆâ€‰â„¤ _{ p } that yâ€‰=â€‰g ^{x}.
The DL assumption holds in G if it is computationally infeasible to solve DL problem in G.
3.2 Access structure
Let Pâ€‰=â€‰{P _{1}, P _{2},â€¦, P _{n}} be a set of participants, let Uâ€‰=â€‰2^{{P1,P2,â€¦, Pn}} be the universal set. If âˆƒâ€‰ASâ€‰âŠ†â€‰U\{âˆ…}, then AS can be viewed as an access structure.
If Aâ€‰âˆŠâ€‰AS,â€‰âˆ€Bâ€‰âˆŠâ€‰U,â€‰Aâ€‰âŠ†â€‰B,â€‰and Bâ€‰âˆŠâ€‰AS, then AS is monotonic.
If AS is an access structure, then the sets in it are called the authorized sets, and the sets not in it are called the unauthorized sets.
The access structure in our system is an access tree, which is the same as in [14]. The tree includes a root node, some interior nodes and some leaf nodes. The leaf nodes are associated with descriptive attributes while the interior nodes represent the logic operation, such as AND (n of n), OR (1 of n), n of m (mâ€‰>â€‰n). A user can decrypt the ciphertext correctly only if the access tree is satisfied by his attributes set.
3.3 Notations
In Table 2, the notations used in this paper are listed. DO and DR are cloud users. DR1, DR2, and DR3 denote different data receivers. IA, RA, and AA are responsible for generating essential components of SK. KDS plays a role of generating new SK for new coming users based on the given SK if and only if new userâ€™s attribute set is the subset of the attribute set of the data owner that owns the given SK. CDS supports the user to reencrypt his ciphertext with his own new access structure (AS) without the need to decrypt it.
4 Our system
We construct a new traceable CPABE system with access tree and focus on how to realize the key delegation and the ciphertext delegation based on our system. In order to achieve all this, our system is composed of the following parties: a Data Owner, some Data Receivers, and three authorities, the Key Delegation Servers, the Ciphertext Delegation Servers, the Cloud Server and two Decryption Servers.
DO sends his ciphertext to CS. We list three users in Fig. 1, which are viewed as the different participants in three functions. DR1 applies to authorities for decryption key, and the three authorities (IA, RA, AA) collaborate to generate a complete decryption key. Different authority outputs different key components. DR2 is a new user whose attributes set is a subset of DR1. KDS can be viewed as a substitute for AA, which is used for generating attributerelated components according to the DR1â€™s key and finally outputs a DSK for DR2. There are some ciphertexts that can be decrypted by DR1, but DR1 wants some other users who belong to some attributes sets to decrypt them without changing the usersâ€™ decryption keys. At this point, the CDS will handle the request and finally outputs a DCT for DR3 (DR3 denotes the eligible).
We use an access tree \( \tilde{T} \) to express the access policy specified by data owners. We introduce a hash function H:{0,â€‰1}^{*}â€‰â†’â€‰G _{0} and view it as a random oracle, which maps any attribute described as a binary string to a random group element.
4.1 Setup
When the system starts up, the setup algorithm will choose a multiplicative cyclic group G _{0} of prime order p with generator g and three random numbers a,â€‰Î±,â€‰Î²â€‰âˆˆâ€‰â„¤ _{ P }.
The public key is:
The master key is:
This paper uses the Shamirâ€™ \( \left(\overline{t},\overline{n}\right) \) threshold gates scheme to store tracing information that proposed in [27].
IA receives all MK components and keeps f(x)^{7} and \( \overline{t}1 \) points \( \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\} \) as secret [27], while AA and RA get one of the MK component a, which is used to protect the parameters transmitted between them.
A symmetric encryption algorithm is introduced into the three authorities to encrypt the components of a secret key. The symmetric encryption keys are assigned to the three authorities, IA receives K _{1} and K _{2}, RA receives K _{3}, and AA receives K _{4}. KDS receives K _{4}, TDS receives K _{2}, and SDS receives K _{3} and K _{4}. CDS acquires the Hash function.
4.2 Encrypt (PK, M, T)
The encryption algorithm receives message M and access structure T (denoted by an access tree) from DO. First, the algorithm chooses a random number sâ€‰âˆˆâ€‰â„¤ _{ P } for root node R polynomial, which means q _{ R } (0)â€‰=â€‰s. Then, it chooses a polynomial q _{ x } for each node x (leaf or noneleaf node) in top down manner, with the same method to construct the polynomials proposed in [25].
Let Y be the set of leaf nodes in T. The structure of the ciphertext is as follows:
4.3 Key generation (MK, PK, id, S)
As shown in Fig. 2, to reduce trust on authority, we split the authority into three: IA, RA, and AA. They generate different decryption key components respectively: encrypted random number r, encrypted id, and attributerelated components. Assume that collusion is prohibited, none of them will get complete key information.
When a user DR1 submits his id and attributes set to IA and AA, both of them run the algorithm to compute the id and attributes. RA chooses a random number râ€‰âˆˆâ€‰â„¤ _{ P } and transmits to DR1 after encrypting it:
Recording and encrypting the random number r aim to prevent the decryption key from being rerandomized at the user side. u2 will be decrypted when the decryption starts, and the random number r got from u _{2} is used for decrypting. If the rerandomization occurs, the random number in keys will be changed, it will differ from r. Thus, decryption will be failed.
The parameter g ^{rÏ‰} will be received at IA, and IA computes as follows:
u _{1} and D will be sent to DR1, and k ^{rc} will be sent to AA.
AA gets the parameters from IA, chooses random numbers r _{ j }â€‰âˆˆâ€‰â„¤ _{ P },â€‰âˆ€â€‰jâ€‰âˆˆâ€‰S, and computes as follows:
DR1 merges the key components from IA, RA, and AA:
4.4 Key trace (SK)
The trace algorithm reference the method proposed in [27]. First, the algorithm decrypts u _{1} to get (x,y) from D _{0} in userâ€™s key, and then, it checks whether SK is issued by system.
If \( \left(x\;y\right)\in \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\}, \) the algorithm decrypts x to get id of the user. Otherwise, the algorithm computes the secret of INS \( \left(\overline{t},\overline{n}\right) \) by interpolating with \( \overline{t} \) points \( \left\{\left(x\;y\right),\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\}. \) If the recovered secret is equal to f(0), the algorithm decrypts x to get id of the user. If not, SK is not issued by the system and cannot be traced.
IA stores the f(x) when system sets up, and it holds the symmetric keys K _{1} and K _{2} that can decrypt x. So, IA runs the algorithm when a key needs to be traced.
4.5 Key delegation (SK, idâ€™)
As shown in Fig. 3, KDS runs this algorithm when a new userâ€™s attribute set is a subset of the given keyâ€™s owner. Let us assume that DR1 is the given keyâ€™s owner and DR2 is the new user whose set is a subset of DR1.
IA and RA can decrypt u _{1} and u _{2}, respectively; the former will compute new (x,y) according new userâ€™s id, and the latter will rerandomize the random number.
The parameter generation and transmission process of this section is similar to the key generation. RA gets the random number r from the given key SK and chooses a new random number râ€‰'â€‰âˆˆâ€‰â„¤ _{ P } for DR2, passing g ^{(r+râ€™)Ï‰}, g ^{rÏ‰} to IA.
IA gets the parameter from RA, gets c from the given key SK, and computes as follows: (idâ€™ denotes the DR2â€™s id)
KDS receives D, u _{2}, u _{1}, k ^{rc}, ^{k(r+râ€™)câ€™} and chooses r _{ j }â€‰'â€‰âˆˆâ€‰â„¤ _{ P }, then computes as follows:
We assume that KDS does not keep any information about the Hash function, so Dk cannot be calculated like this:
The new delegation key is:
4.6 Ciphertext delegation (CT, PK, AS, D _{0}, D _{j}, D _{j}â€™)
CDS is a trusted server, it stores the Hash function Hâ€‰:â€‰{0,â€‰1}*â€‰â†’â€‰G _{0} to generate new access tree according the given access structure. It receives some decryption key components and a new access structure AS from DR1, while D _{0} includes the ownerâ€™s identity information and random number, which can be used for decrypting.
We first decrypt the access tree embedded in the ciphertext and get two expressions. Next, the ciphertext will be reencrypted with AS. Then, D _{0}, the expressions, and reencrypted ciphertext make up the new delegated ciphertext.
When x is a leaf node, let iâ€‰=â€‰att(x). Function att(x) denotes the attribute associated with the leaf node x in the tree. The ciphertext is not required to be decrypted completely, the components D _{0}, D _{j}, D _{j}â€™ are enough. Both of DecryptNodeL_Aâ€™ DecryptNodeL_A_{0} and DecryptNodeNL are run in SDS. It can decrypt u _{2} to get r.
Otherwise,
iâ€‰âˆ‰â€‰S,â€‰DecryptNodeL_Aâ€™(CT,â€‰PK,â€‰SK,â€‰x)â€‰=â€‰âŠ¥ When x is an interior node, call the algorithm DecryptNodeNL(CT,D_{0},D_{i},D_{i}â€™,x).
For all nodes z that are children of x, it calls DecryptNodeL_Aâ€™(CT,PK,D_{0},D_{i},D_{i}â€™,z) and stores the output as Fz. Let S _{ x } be a k _{ x } (the threshold value of interior node) random set and let F _{ z }â€‰â‰ â€‰âŠ¥. If no such set exists, the function outputs âŠ¥.
Otherwise, compute as follows and return the result:
For root node R,
Repeat the steps described above, however, DecryptNodeL_Aâ€™ algorithm is changed to DecryptNodeL_A0:
For root node R,
Then, \( {A}_1=\frac{A\hbox{'}}{A_0}=e{\left(g,g\right)}^{\omega sra} \)
A _{0} and A _{1} are the expressions mentioned above; they will become the components of the delegated ciphertext with D _{0}.
Next, CDS reencrypts the other CT components as the Encrypt algorithm does. It constructs an access tree \( \tilde{T} \) for AS specified by DR1 and chooses a new random number sâ€‰'â€‰âˆˆâ€‰â„¤ _{ p }:
We get the delegated ciphertext as follows:
4.7 Decrypt (PK, CT, SK)
In fact, decryption can be viewed as two parts: satisfying the access tree and decrypting the ciphertext.
We introduce two servers to carry on the process respectively. SDS possesses symmetric key K _{4} and K _{3} so that it can get random number and verify whether his set satisfies the access tree or not and run the algorithms: DecryptNodeL_Aâ€™, DecryptNodeL_A_{0}, DecryptNodeNL. TDS possesses symmetric key K _{2} so that it can decrypt u _{1}.
The general decryption process is described as follows:
When x is a leaf node, let iâ€‰=â€‰att(x). Function att(x) denotes the attribute associated with the leaf node x in the tree. SDS decrypts u _{2} to get random number r.
Otherwise, iâ€‰âˆ‰â€‰S DecryptNodeL_Aâ€™(CT,â€‰PK,â€‰SK,â€‰x)â€‰=â€‰âŠ¥
When x is an interior node, call the algorithm DecryptNodeNL(CT,SK,x).
For all nodes z that are children of x, it calls DecryptNodeL_Aâ€™(CT,PK,SK,z) and stores the output as Fz. Let S _{ x } be a k _{ x } (the threshold value of interior node) random set and let F _{ z }â€‰â‰ â€‰âŠ¥. If no such set exists, the function outputs âŠ¥.
Otherwise, compute as follows and return the result:
For root node R,
Then, TDS decrypts u _{1} and computes as follows:
The user gets Aâ€™ from SDS and gets B from TDS:
When a user DR3 try to decrypt a delegated ciphertext from DR1, the structure of the ciphertext is as follows: râ€™ and câ€™ denote DR1â€™s random number and identity information and r and c denote DR3â€™s random number and identity information.
Compared with the original ciphertext, the massage M is encrypted with (sâ€‰+â€‰sâ€™) instead of s, and the access structure is replaced by AS. DR3 decrypts the access tree and get an expression related to sâ€™, which can be used for decrypting correctly with Câ€™ and C0 in DCT.
We can get Äˆ from CTâ€™: Äˆâ€‰=â€‰A _{0}A _{1}D _{0},â€‰
SDS computes (we only consider when the userâ€™s set satisfies the access tree):
For root node Râ€™, the intermediate calculation process is omitted.
All of them are transferred to SDS:
A and B _{3} will be sent to TDS:
The user will get Mâ€™ from TDS and B _{4} from SDS; thus, the message can be calculated as follows:
5 Security analysis
5.1 Traceability
In [22], the access structure is a sharegenerating matrix, while in our system, the access structure is an access tree.
Theorem 1 The security of traceability in our system is no weaker than that of [ 22 ].
Proof The decryption key in our system has partially similar structure with the key in [22]. \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) includes master keys Î², g ^{Î±}, a, Ï‰, a random number r, and a parameter c that denotes the userâ€™s identity information. \( K={g}^{\frac{\alpha }{\left(a+c\right)}}{h}^tR \) includes master keys Î±, a, public key h, random numbers t and R, and a parameter c that denotes the userâ€™s identity information. Compared with K in [22], we construct D with extra master keys Î² and Ï‰, without any public keys. It is pretty difficult to get anyone of \( {g}^{\frac{\alpha }{\beta }},{g}^r,{g}^{\frac{\left(a+c\right)}{\beta }}. \)
According to security proof in [22], the design of the decryption key is secure. Thus, \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) in our system is secure.
Theorem 2 The security of the traceable decryption key in our system is no weaker than that of [ 25 ].
Proof In \( {D}_j={k}^{rc}H{(j)}^{r_j}, \) we add master key Ï‰ and the parameter c to D _{ j } in [25] \( \left({D}_j={g}^rH{(j)}^{r_j}\right). \) Additionally, the other components are protected by symmetric encryption. Thus, the security in this component is no weaker than that of [25].
5.2 Key delegation
This part of function is realized by KDS, IA and RA, which means AA is replaced by KDS to some extent. SKâ€‰=â€‰(D, D _{0}, D _{ k }, D _{ k }â€™), D and D _{0} are generated by IA and RA, and D _{k} and D _{k}â€™ will be calculated by KDS according to the given keyâ€™s information.
Theorem 3 It is computationally infeasible to attack the calculation of KDS.
Proof KDS receives another two parameters k ^{rc}, k ^{(r+râ€™)câ€™} from IA, which can be used for calculating and rerandomizing attributerelated components of the key. The values all of those KDS receives and retrieves are \( {k}^{rc},{k}^{\left(r+r\hbox{'}\right)c\hbox{'}},{k}^{rc}H{(j)}^{r_j},{g}^{r_j},H{(j)}^{r_j} \)
According to DL problem, it is computationally infeasible to retrieve r _{ j } , rc and (râ€‰+â€‰râ€™)câ€™, let alone r or c. Thus, a semitrusted server can be designated as KDS, which is competent in this work.
5.3 Ciphertext delegation
It can be considered as two parts: decrypting the access tree and reencrypting with another specified access tree. Decrypting the access tree in our system is analogous to the decrypt algorithm in [25]. And, reencryption is analogous to the encrypt algorithm in [25].
Theorem 4 The security in ciphertext delegation is no weaker than that in [ 25 ].
Aâ€™â€‰=â€‰e(g, g)^{Ï‰sr(c+a)}, A _{1}â€‰=â€‰e(g, g)^{Ï‰sra}, A _{0}â€‰=â€‰e(g, g)^{Ï‰src} are intermediate results in our system, compared with Aâ€‰=â€‰e(g,â€‰g)^{sr} in [14], the extra master key Î², a is introduced to further protect the random number s.
We reencrypt with a new sâ€‰'â€‰âˆˆâ€‰â„¤ _{ p } chosen by CDS, \( \tilde{C},C \) have been proved to be secure in [25]. Thus, by that analogy, \( \tilde{C}\hbox{'},C\hbox{'} \) in our system is secure.
6 Performance evaluation
6.1 Setup
The Setup procedure includes defining multiplicative cyclic group and generating PK and MK that will be used in encryption and key generation. There are three exponentiation operations and one pairing operation; three random numbers are chosen in Setup procedure. Time complexity of the procedure is O(1).
6.2 Encrypt
Plaintext and access tree are encrypted in this procedure, the computation cost is proportional to the number of attributes in the tree. If the universal attributes set in T is I (I denotes the total number of attribute in set I), for each element in I, it needs two exponentiation operations, totally, the computation complexity is O (I). Compared with CPABE, we add an exponentiation operation in this algorithm, and the added operation has no obvious influence on computation cost as shown in Fig. 4a.
6.3 Key generation
This algorithm includes three parts: RA tackles the random number computation; IA computes the id information; AA generates the attributerelated key components. The time complexity of RA and IA is O(1) as shown in Fig. 4b. Computation cost of AA is proportional to the number of attributes is DRâ€™s set, when the attribute number is m, the time complexity is O(m) as shown in Fig. 4c.
We add the severe RA and IA to achieve the id embedding in SK, RA needs to store the computation result of u _{2}, IA stores results of u _{1}, D, k ^{arc}, the total storage cost is proportional to the number of DR. If each result needs 2 bytes, the storage cost of RA and IA is shown in Fig. 4d.
6.4 Key delegation
For each DR, KDS computes the unique SK. The computation process and cost are similar to RA. The total cost is proportional to the number of DR.
6.5 Decrypt
This algorithm also includes three parts: SDS decrypts the access tree in CT, TDS decrypts the rest part, and DR retrieves the final message. Thus, computation cost of SDS is proportional to the attributes number in DRâ€™s set, and computation cost of TDS is constant as shown in Fig. 4e.
In brief, our system costs no more than CPABE by analysis but achieves more functions compared with existing works [22, 25].
7 Conclusions
Traceable CPABE is an important branch of CPABE, retaining the characteristics of CPABE. However, it cannot trace the owner with a decryption key. In contrast, key delegation is not supported in traceable CPABE. Without key delegation, the overhead will be very heavy due to the large number of new coming mobile users in MCC. Therefore, we reconstructed a new traceable CPABE system that supported key delegation and ciphertext delegation. We realized key delegation without loss of the traceability with the same computation overhead. To realize ciphertext delegation, we abandoned the reencryption key and tried to decrypt the access tree first and reencrypt the ciphertext with any monotonic access tree specified by the user next. In the future, we will study on making our system work under large universe and support more functions such as revocation.
References
N Fernando, SW Loke, W Rahayu, Mobile cloud computing: a survey[J]. Future Generation Comput. Syst 29(1), 84â€“106 (2013)
AN Khan, MLM Kiah, SU Khan, SA Madani, Towards secure mobile cloud computing: a survey[J]. Future Generation Comput. Syst 29(5), 1278â€“1299 (2013)
D Zissis, D Lekkas, Addressing cloud computing security issues[J]. Future Generation Comput. Syst 28(3), 583â€“592 (2012)
S Subashini, V Kavitha, A survey on security issues in service delivery models of cloud computing[J]. J. Netw. Comput. Appl 34(1), 1â€“11 (2011)
R Buyya, CS Yeo, S Venugopal, J Broberg, L Brandic, Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility[J]. Future Generation Comput. Syst 25(6), 599â€“616 (2009)
Z Guan, T Yang, X Du, Achieving secure and efficient data access control for cloudintegrated body sensor networks[J]. Int. J. Distributed Sensor Netw 2015, 142 (2015)
F Li, Y Rahulamathavan, M Conti, M Rajarajan, Robust access control framework for mobile cloud computing network[J]. Comput. Communicat 68, 61â€“72 (2015)
YA Younis, K Kifayat, M Merabti, An access control model for cloud computing[J]. J. Inf. Secur. Appl 19(1), 45â€“60 (2014)
Alizadeh M, Abolfazli S, Zamani M, et al. Authentication in mobile cloud computing: A survey[J]. J. Netw. Comput. Appl 29(1), 84106 (2016)
Lin H, Xu L, Mu Y, et al. A reliable recommendation and privacypreserving based crosslayer reputation mechanism for mobile cloud computing[J]. Future. Generation. Comput. Syst 52(C), 125136 (2014)
Z Liu, Z Cao, D Wong, Whitebox traceable ciphertextpolicy attributebased encryption supporting any monotone access structures[J]. Inf. Forensics Secur. IEEE Trans 8(1), 76â€“88 (2013)
A Sahai, B Waters, Fuzzy identitybased encryption[M]//Advances in Cryptologyâ€“EUROCRYPT 2005 (Springer, Berlin Heidelberg, 2005), pp. 457â€“473
Goyal V, Pandey O, Sahai A, Waters B. Attributebased encryption for finegrained access control of encrypted data[C]// ACM Conference on Computer and Communications Security, CCS 2006. (Alexandria, 2006), p. 8998
Bethencourt J, Sahai A, Waters B. Ciphertextpolicy attributebased encryption[C]//Security and Privacy, 2007. SPâ€™07. IEEE Symposium on. (Oakland, IEEE, 2007), p. 321334
MJ Hinek, S Jiang, R SafaviNaini, SF Shahandashti, Attributebased encryption with key cloning protection[J]. IACR Cryptol. ePrint Arch 2008, 478 (2008)
J Li, K Ren, K Kim, A2BE: accountable attributebased encryption for abuse free access control[J]. IACR Cryptol. ePrint Arch 2009, 118 (2009)
J Li, K Ren, B Zhu, Z Wan, Privacyaware attributebased encryption with user accountability[M]//Information Security (Springer, Berlin Heidelberg, 2009), pp. 347â€“362
MJ Hinek, S Jiang, R SafaviNaini, SF Shahandashti, Attributebased encryption without key cloning[J]. Int. J. Appl. Cryptography 2(3), 250â€“270 (2012)
Chen C, Anada H, Kawamoto J, Sakurai K. Hybrid encryption scheme using terminal fingerprint and its application to attributebased encryption without key misuse[M]//Information and Communication Technology. Springer International Publishing (Springer, Berlin Heidelberg, 2015), pp. 255264.
B Chor, A Fiat, M Naor, Tracing traitors[C]//Advances in cryptologyâ€”CRYPTOâ€™94 (Springer, Berlin Heidelberg, 1994), pp. 257â€“270
S Mitsunari, R Sakai, M Kasahara, A new traitor tracing[J]. IEICE Trans. Fundamentals Electron. Commun. Comput. Sci 85(2), 481â€“484 (2002)
R SafaviNaini, Y Wang, Sequential traitor tracing[C]//Advances in Cryptologyâ€”CRYPTO 2000 (Springer, Berlin Heidelberg, 2000), pp. 316â€“332
H Chabanne, DH Phan, D Pointcheval, Public traceability in traitor tracing schemes[M]//Advances in Cryptologyâ€“EUROCRYPT 2005 (Springer, Berlin Heidelberg, 2005), pp. 542â€“558
D Boneh, A Sahai, B Waters, Fully collusion resistant traitor tracing with short ciphertexts and private keys[M]//Advances in CryptologyEUROCRYPT 2006 (Springer, Berlin Heidelberg, 2006), pp. 573â€“592
H Ma, G Zeng, Z Wang, J Xu, Fully secure multiauthority attributebased traitor tracing[J]. J. Comput. Inf. Syst 9(7), 2793â€“2800 (2013)
Z Liu, Z Cao, DS Wong, Traceable CPABE: how to trace decryption devices found in the wild[J]. Inf. Forensics Secur. IEEE Trans 10(1), 55â€“68 (2015)
J Ning, X Dong, Z Cao, L Wei, X Lin, Whitebox traceable ciphertextpolicy attributebased encryption supporting flexible attributes[J]. Inf. Forensics Secur. IEEE Trans 10(6), 1274â€“1288 (2015)
J Katz, D SchrÃ¶der, Tracing insider attacks in the context of predicate encryption schemes, 2011
Ning, Jianting, et al. Accountable authority ciphertextpolicy attributebased encryption with whitebox traceability and public auditing in the cloud. Computer Security  ESORICS 2015. Springer International Publishing (Springer, Berlin Heidelberg, 2015)
S Luo, J Hu, Z Chen, Ciphertext policy attributebased proxy reencryption[M]//Information and Communications Security (Springer, Berlin Heidelberg, 2010), pp. 401â€“415
Lai J, Deng R H, Yang Y, Weng J. Adaptable ciphertextpolicy attributebased encryption[M]//PairingBased Cryptographyâ€“Pairing 2013. Springer International Publishing (Springer, Berlin Heidelberg, 2013), pp. 199214.
Liang K, Fang L, Susilo W, Wong DS. A CiphertextPolicy AttributeBased Proxy Reencryption with ChosenCiphertext Security[C]// International Conference on Intelligent NETWORKING and Collaborative Systems. (Xi'an, IEEE, 2013), pp. 552559
Liang K, Au M H, Susilo W, Wong D S, Yang G, Yu Y. An adaptively CCAsecure ciphertextpolicy attributebased proxy reencryption for cloud data sharing[M]//Information Security Practice and Experience. Springer International Publishing (Springer, Berlin Heidelberg, 2014), pp. 448461
Acknowledgements
This work was jointly supported by the National Natural Science Foundation of China (No. 61402171, No. 61305056, and No. 61300132), Beijing Higher Education Young Elite Teacher Project (No. YETP0702), and the Fundamental Research Funds for the Central Universities (Nos. 2015MS35 and 2016MS29).
Competing interests
The authors declare that they have no competing interests.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Guan, Z., Li, J., Zhang, Y. et al. An efficient traceable access control scheme with reliable key delegation in mobile cloud computing. J Wireless Com Network 2016, 208 (2016). https://doi.org/10.1186/s1363801607052
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1363801607052