1. Introduction
Due to the high flexibility and scalability of cloud computing, many businesses and individuals rely on cloud servers to store and calculate their data [1-5]. Today, cloud computing technology is relatively mature and widely used. In this way, they can not only save money, but also improve efficiency. The cloud server is not completely trusted, so the data now placed on the cloud are all in ciphertext [2,6]. Take a PHR system as an example, patients upload their own personal medical records to the PHR system, through which doctors know the patient's medical records and make a rapid diagnosis. This method not only saves patients' time and money, but also improves the efficiency of diagnosis for doctors. A PHR system based on traditional encryption scheme is shown in Fig. 1. However, the traditional encryption scheme can not provide fine-grained access control, which greatly limits the application of PHR system [4,7]. Therefore, many secure PHR systems [8-12] are built based on attribute-based encryption (ABE). ABE is regarded as the most compelling encryption primitive that realizes fine-grained [1,13] access control, solving the problem of one-to-many secret data sharing. In ABE, users have a series of attributes to identify themselves. Only if these attributes they own meet the access policy, users can decrypt the ciphertext. In a PHR system, the patient's medical records are encrypted by ABE, and the fine-grained access control to the encrypted medical records is realized. As the PHR system has high requirements for data privacy and security, and the patient's records stored in the system is of great value, there are often illegal users maliciously divulging the data in the system for their own interests. Specifically, there are two categories of key abuse problems in CP-ABE. (1) Driven by personal interests, authorized users may reveal their private keys to illegal users [6,14]. (2) The semi-trusted authority may redistribute the private keys to unauthorized users for the same reason. In order to solve the problem of key abuse, accountable ABE is proposed. In addition, it is common for patients to exit from the system. So how to revoke the user efficiently is also a research hotspot in ABE. Revocable ABE arises at the historic moment. In this paper, we aim to implement an accountable and full secure ABE scheme in the personal health system, which can publicly audit traceable users and support the revocation of malicious users. The patient's personal health records are encrypted and placed on the cloud server. Patients make access policies to allow specific people to access their health records. If there is malicious behavior that the user leaks the patient's medical records, it can be traced according to the identity-related information contained in the ciphertext. In order to ensure the security of the system, the system access rights of malicious users are reclaimed by indirect revocation. The proposed scheme is based on the personal health medical record system, which greatly protects the privacy of patients and the security of the system.
Fig. 1. PHR System
1.1 Related Work
ABE is evolved from fuzzy identity-based encryption [15]. After that, many ABE schemes were put forward to improve performance and security. In this chapter, we mainly talk about the relevant work to handle the matters of key abuse and user revocation.
1.1.1 Accountability
Due to the matter of key abuse in CP-ABE, accountability has become one of the criteria to measure the practicability of the scheme. The first key accountable ABE scheme was put forward in [16], whereas only supports the access policy expressed by “AND gate and wildcard”. Constructing a traceable CP-ABE scheme is an adequate means to settle the matter of key abuse. There appeared two kinds of traceability: white-box traceability as well as black-box traceability. In 2013, black-box traceable CP-ABE [17] as well as white-box traceable CP-ABE [18] are put forward, and support monotonous access structure. A multi-authority CP-ABE syetem is brought forward by Li et al. [19]. Although the above two schemes are achieved under prime order groups, they only support the access structure of multi-valued “AND” gates with wildcards, and only achieve the selective security under the standard model, so the expression ability and security of access policies are relatively weak. The constructions in [17-21]only implements user traceability, but does not realize authority accountability. Ning et al. [22] proposed an attribute-based encryption scheme which supports both user traceability and authority accountability for the first time. The scheme in [23] allows the key generation center (KGC) and the attribute authority (AA) to jointly generate the user's private key, thus ensuring that KGC and AA cannot distribute the user's private key to unauthorized users. However, the scheme does not solve the problems of user key abuse and user revocation. Ning et al. [24] proposed a fully secure white-box traceable CP-ABE system for the first from non-interactive commitments. Zhao et al. [25] proposed a large universe CP-ABE with black-box traceability. In this scheme, the size of public parameters not to grow linearly with the number of attributes.
1.1.2 Revocation
In a CP-ABE system, there are often cases such as user privilege change, user exit and user private key disclosure, so it is indispensable to consider the matter of user revocation. In the system, revoked user cannot decrypt any ciphertext. Meanwhile, the system permissions of other unrevoked users in the system are not affected. In 2006, revocable attribute-based encryption (RABE) was put forward for the first time in [26]. Goyal et al. [27] put forward an ABE scheme that implements indirect attribute revocation. In their construction, each attribute has a time tag representing the validity period. When the system time exceeds the time available for an attribute, the attribute is revoked. In the construction in [28], a CP-ABE scheme for user revocation using binary tree is proposed, but its performance is not high, and greatly increases the calculation and communication burden of the key generation center. Liu et al. [29] implement user revocation by setting an effective access time to the root node of the access control tree, but the cost of key management and decryption is high. A directly RABE supporting verifiable ciphertext agents is proposed in the construction in [30]. However, if there are a lot of user attributes, direct revocation will increase the burden on the cryptographer because the system has to update the user revocation list, thus reducing the feature of the entire system. Indirect revocation is generally implemented by an authority or a third-party agent, and the computational burden is small.
However, until now, there is rarely a full secure ABE scheme that supports user traceability, authority accountability and user revocation concurrent that prevents the practical application of ABE in PHR system.
1.2 Our Construction
In this article, we concentrate on the two common matters of key abuse and user revocation in existing CP-ABE schemes and come up with a new white-box accountable ABE scheme with public auditing and user revocation.
Our scheme realizes both traceable users and accountable authority. It solves the problem of key abuse of untrusted authority, which is often ignored in the existing CP-ABE schemes. When tracing malicious users, we utilize Paillier-style encryption as an extractable commitment. Because there is no requirement to keep an identity table for traceability, there is no traceability storage, which greatly saves the storage space of the server. In addition, an auditor is used to determine whether the caught user is innocent or guilty. What's more, we adopt the revocation method based on the trust tree to realize the revocation of misbehaving users, authorities and other users who quit the system. At the same time, it is proved the scheme is full secure in the standard model.
Comparing the scheme with others on both theoretically and experimentally. Through the analysis, it can be concluded that our scheme has more complete functions and higher security. In terms of efficiency, although our scheme consumes more time than the schemes in [22,31], it is acceptable because of the supplement function of the user revocation.
2. Preliminary
2.1 Linear Secret-sharing Scheme
If it meets these requirements as below, the secret sharing scheme Π over a series of parties E is regarded as linear.
(a) The shares for all parties constitute a phasor on Zp.
(b) For Π, there is a l×n matrix A called the sharing-generating matrix. For all i = 1,…,l,δ(i) (δ is a mapping from {1, …, l} to E ) is the label for the i th row of A. We consider the column vector \(v=\left(s, r_{2}, r_{3}, \ldots, r_{n}\right)^{ú}\), where s∈Zp is the shared secret and r2,r3,… ,rn are randomly chosen from Zp. Then Av is the vector of l shares of the secret s on the basis of Π. The share (Av)i pertains to party δ(i).
2.2 Trusted Tree-based Revocation Approach
We use the subset-cover algorithm KUNode (st,rl,t) [32,33] to revoke a user, where st is the data structure of the tree, rl signifies a revocation entry with the identity of the revoked user while t signifies the most recent revocation period. The user will be distributed an identity id and an undefined leaf node when s/he joins the system. The leaf node is identified by id. The implementation of user revocation claims the user id to save secret keys in Path(id). The Path(id) represents all nodes id from the root node to the leaf node.
2.3 Composite Order Bilinear Groups
Ψ represents a group generator. Ψ inputs a security parameter ξ and outputs a group G of order N=n1n2n3, where n1n2n3 are different primes.
Let G, GT are cyclic groups of order N=n1n2n3, and e : G×G→GT is a bilinear mapping, which meets the characters as following:
(a) Non-degeneracy: e(g,g)≠1.
(b) Bilinearity : ∀x,y∈G,c,d∈Zp the equation e(xc,yd)=e(x,y)cd is true [34].
(c) Computability: the map e : G×G→GT can be effectively calculated.
Let G=Gn1Gn2Gn3, Gn1, Gn2 and Gn3 are the subgroups of order n1, n2 and n3 in G, severally. Suppose g is a generator of group G, while \(\boldsymbol{g}^{n_{2} n_{3}}\) is the generator of subgroup \(G_{n_{1}}\) accordingly. Similarly, \(\boldsymbol{g}^{n_{1} n_{3}}\) is the generator of subgroup \(G_{n_{2}}\), and \(\boldsymbol{g}^{n_{1} n_{2}}\) is the generator of subgroup \(G_{n_{3}}\). Therefore, there exists α1, α2∈ZN, such that \(f_{1}=\left(g^{n_{1} n_{2}}\right)^{\alpha_{1}}\), \(f_{2}=\left(g^{n_{1} n_{2}}\right)^{\alpha_{2}}\). At this time, there are: \(e\left(f_{1}, f_{2}\right)=e\left(g^{\alpha_{1}}, g^{n_{3} \alpha_{2}}\right)^{n_{1} n_{2} n_{3}}=1\).
If we choose i,, j, \(f_{i} \in G_{n_{i}}\), \(f_{j} \in G_{n_{j}}\), then e(fi,fj)is the unit component in the group GT. It also shows that the composite order subgroups \(G_{n_{1}}\), \(G_{n_{2}}\) and \(G_{n_{3}}\) are orthogonal to each other.
2.4 Complexity Assumptions
Assumption 1 ( Subgroup Decision Problem for 3 primes). Provided a group generator Ψ, we distribute these parameters as follows [35]:
\(\mathrm{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\longleftarrow} \psi , g \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{3} \stackrel{r}{\longleftarrow} G_{n_{3}} \\ B=\left(\mathrm{G}, g, W_{3}\right), E_{1} \stackrel{r}{\longleftarrow} G_{n_{1}, n_{2}}, E_{2} \stackrel{r}{\longleftarrow} G_{n_{1}}\)
A has the following advantages in breaking this assumption. It is defined:
\(\operatorname{Adv} 1_{\psi, \mathrm{A}}(\xi)=|\operatorname{Pr}\left[\mathrm{A}\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[\mathrm{A}\left(B, E_{2}\right)=1\right] \mid\)
Definition 1. If for any PPT algorithm A, Adv1Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 1.
Assumption 2. Provided a group generator Ψ, we distribute these parameters as below [35]:
\(\mathrm{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\longleftarrow} \psi, g, W_{1} \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{2}, V_{2} \stackrel{r}{\longleftarrow} G_{n_{2}}, W_{3}, V_{3} \stackrel{r}{\longleftarrow} G_{n_{3}}\\ B=\left(\mathrm{G}, g, W_{1} W_{2}, W_{3}, V_{2} V_{3}\right), E_{1} \stackrel{r}{\longleftarrow} G, E_{2} \stackrel{r}{\longleftarrow} G_{n_{1}, n_{3}}\)
A has the following advantages in breaking this assumption. It is defined:
\(A d v 2_{\psi, A}(\xi)=|\operatorname{Pr}\left[A\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[A\left(B, E_{2}\right)=1\right] \mid\)
Definition 2. If for any PPT algorithm A, Adv2Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 2.
Assumption 3. Provided a group generator Ψ, we distribute these parameters as follows [35]:
\(\begin{gathered} \mathbb{G}=\left(G, G_{T}, N=n_{1} n_{2} n_{3}, e\right) \stackrel{r}{\leftarrow} \psi, \alpha, s \stackrel{r}{\leftarrow} Z_{N} \\ g \stackrel{r}{\longleftarrow} G_{n_{1}}, W_{2}, V_{2}, X_{2} \stackrel{r}{\longleftarrow} G_{n_{2}}, W_{3} \stackrel{r}{\longleftarrow} G_{n_{3}}, \\ B=\left(\mathrm{G}, g, g^{\alpha} W_{2}, W_{3}, g^{s} V_{2}, X_{2}\right), E_{1}=e(g, g)^{\alpha s}, E_{2} \stackrel{r}{\longleftarrow} G_{T} \end{gathered}\)
A has the following advantages in breaking this assumption. It is defined:
\(A d v 3_{\psi, A}(\xi)=|\operatorname{Pr}\left[A\left(B, E_{1}\right)=1\right]-\operatorname{Pr}\left[A\left(B, E_{2}\right)=1\right] \mid\)
Definition 3. If for any PPT algorithm A, Adv3Ψ,A(ξ) is negligible of ξ, we call Ψ meets Assumption 3.
3. System model and security model
3.1 Entities in the System
This system includes five entities, namely, authority, PHR server, data owner, data user and auditor as represented in Fig. 2. Their functions and responsibilities are as follows:
Fig. 2. System Model
Authority. In this system, the authority ( AT ) is considered not to be trusted. AT produces public parameters pp and interacts with a data user ( DU ) to produce secret key skid. In addition, when user revocation occurs, AT is responsible for broadcasting the key update material.
PHR server. PHR server stores the beginning ciphertext BT. Moreover, the PHR server updates BT to the latest ciphertext at the current time.
Data owner. Plaintext is encrypted by the data owner ( DO ) to BT and sends it to the PHR server for storage. Furthermore, in order to implement user revocation, DO renews revocation list rl and sends it to AT. To determine whether the compromised secret key is intact, DO performs the key sanity check.
Data user. In this system, unrevoked users and revoked users are two genres of data users. If a user is unrevoked and his attributes meet the access structure, he could access. Unrevoked users updates his own decryption key and decrypt the ciphertext through the key update material broadcast by AT.
Auditor. The auditor acts as a fair adjudicator in the system. When the traced user denies disclosing the private key, the auditor executes the audit algorithm to determine whether the user has been framed or innocent.
3.2 System Model
We will elaborate specifically on our scheme with traceable user, accountable authority, public auditing, user revocation and no storage for tracing in this section. Our scheme contains a total of ten algorithms as below:
Setup (ξ,τ,V,U)→(pp,st,rl,msk). AT launches algorithm Setup and inputs security parameter ξ, system lifetime τ, the universe of attributes V as well as the amount of system users U, and outputs public parameters pp, state st, and master secret key msk. Besides, it constitutes a revocation list rl=Ø.
KeyGen(pp,st,msk,S,id)→(skid). It is executed by DU and AT together. It takes public parameters pp, state st, master secret key msk, an attribute set S, the identifier of DU id(\(i d \in Z_{N}^{*}\)) as input, and outputs a secret key skid.
Key update(I,rl,t,(idi,ti),st,msk)→(kdt,rl). This algorithm includes two sub-algorithms: Rev(rl,(idi,ti))→rl and Key update(pp,st,rl,msk)→kdi. The algorithm inputs a series of identifiers I, rl, the current revocation time t, revocation epoch (idi,ti), state st, msk, and outputs a key updating ingredient kdi as well as the updated revocation list rl corresponding to t.
Decryption key generation(pp,skid,kdi)→dkid,t/⊥. DU is responsible for executing the algorithm. It takes pp, skid, the key updating kdi as input. If DU is unrevoked user in this period t and S meets the access policy, it outputs decryption key dkid,t. Otherwise, it outputs the failure symbol ⊥ .
Encrypt((A,ρ),pp,t,m,msk)→BT. This algorithm takes access structure (A,p), public parameters pp, current time t, plaintext m, msk as input, and the beginning ciphertext BT as output.
Ciphertext update(BT,pp,t')→CT/⊥. Algorithm Ciphertext update is carried out by PHR server. The algorithm inputs the latest ciphertext BT, the public parameters pp as well as the recent revocation epoch T'∈τ. The updated ciphertext CT or ⊥ is taken as output.
Decrypt(CT,pp,dkid)→m/⊥. DU implements this algorithm. It takes the latest ciphertext CT, public parameters pp, decryption key dkid as input and plaintext m or ⊥ as output.
Key sanity check(skid,pp)→1/0. This algorithm launched by AT . And it is utilized to ensure that the key skid is in well form during the decryption course. The algorithm inputs skid, public parameters pp. If skid fails this check, it outputs 0. If not, the output is 1.
Trace(skid,pp,msk)→id/⊥. AT implements algorithm Trace. It inputs the secret key skid, pp , msk. If algorithm Key sanity check outputs 0, it indicates skid is not well-formed. It is not necessary for the Trace algorithm to continue to execute. The algorithm outputs ⊥. On the contrary, if the output is 1, it indicates skid is well-formed. Trace algorithm is executed to extract and output the user's id from skid.
Audit(pp,skid,\(s k_{i d}^{*}\))→guilty/acquitte. The algorithm is implemented by DU and the auditor together. If a user is caught by Trace algorithm, but he does not admit his crime. At this time, the Audit algorithm is used to determine whether the user has been wronged or guilty.
3.3 Security Model
To manifest the security of proposed scheme, a security game, namely, the IND-CPA game is defined. The specific description is as below:
The IND-CPA game. This is an indistinguishability under chosen-plaintext attack game. It's a standard semantic security concept that any CP-ABE scheme must meet.
Setup. The challenger C executes algorithm Setup , holds msk in private and releases pp to the adversary A.
Query 1. K key query requests with a series of attributes (id1,S1),(id2,S2)…(idk,Sk) are send to C by A. After obtaining these requests, C carries out algorithm KeyGen, Key update, Decryption key generation and delivers decryption key to A.
Challenge. A sends an access structure which isn't subject to the above k attribute sets and two messages of the same length m0,m1to C. After randomly tossing a coin λ∈{0,1}, C encrypts mλ. The ciphertext is transmitted to A.
Query 2. Identical with Query 1.
Guess. A makes a guess λ'that λ is 0 or 1.
In this process, \(A d v=\left|\operatorname{Pr}\left[\lambda^{\prime}=\lambda\right]-\frac{1}{2}\right|\) is taken as the advantage of A. We allege our scheme is full secure if A has a at the utmost negligible advantage can win the game in any PPT.
4. Construction
In this section, we propose an accountable attribute-based encryption scheme in the personal health record system. The proposed scheme realizes public auditing and user revocation. In addition, there is no storage for retro in the scenario. The details of the proposed scheme are as follows.
4.1 setup(ξ,τ,V,U)→(pp,st,rl,msk)
Get a bilinear group map G={e,G,Gn,N,ni} where g,g3 are the generator of \(G_{n_{1}}\), \(G_{n_{3}}\), N=n1n2n3,ni are the order of group G, \(G_{n_{1}}\) severally.
Then, the algorithm selects randomly \(\alpha, \beta, \gamma, u, \eta \in Z_{N}^{*}, v, u_{0}, \ldots, u_{D}(D \text { denotes the size } \text { of } \tau) \in G_{n_{1}}\) and chooses \(v_{i} \in Z_{N}^{*}\) randomly for every attribute i∈V.
Select randomly b,d two prime numbers , gcd(bd,(d-1)(b-1))=1 and |b|=|d|, b≠d. Let π=lcm(d-1,b_1),n=bd,Q=π-1 mod n and g1=(n+1).
It selects TC binary tree with more than U leaves. Finally, it returns public parameters \(p p=\left(N, n, g_{1}, v, u_{0}, \ldots, u_{D}, g, g^{\beta}, g^{\gamma}, g^{u}, e(g, g)^{\alpha}, e(g, g)^{\eta},\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\), TC as state st, revocation list rl=Ø and msk=(p,q,η,α,g3) as master secret key.
4.2 KeyGen(pp,st,msk,S,id)→(skid)
First, the algorithm selects randomly an unallocated leaf node from TC. This node is utilized to keep id. The algorithm operates as below for every node θ in Path ( id ).
It retrieves ηθ from the node θ. It randomly chooses and saves \(\eta_{\theta} \in Z_{N}^{*}\) in the node θ if ηθ is unavailable.
A user DU identified by id and the authority AT interact to produce the key as the following steps. To make the whole process clearer, the flow of the domain key generation phase is shown in Fig. 3.
Fig. 3. The Flow of the Domain Key Generation Phase
For DU :
DU selects randomly \(h \in Z_{N}^{*}\) and computes RU=gh.
Then, gh, a set of attributes S as well as id are sent to AT .
Next, AT operates a ZK-POK of the discrete log of RU in relation to g.
For AT :
AT examines if the ZK-POK is available or not. If the examination succeeds, it executes the next step. If not, AT discontinues the interaction.
Then, it chooses randomly \(a \in Z_{N}^{*}\), \(r \in Z_{N}^{*}\) and \(R, R_{0}, \overline{R_{0}},\left\{R_{i}\right\}_{i \in S} \in G_{n_{3}}\).
Next, the primary secret key skpri for each user with id and S is computed as
\(\left\{S, \bar{K}=g^{\frac{\alpha}{\beta+\bar{T}}}\left(g^{h}\right)^{\frac{\gamma}{\beta+\bar{T}}} v^{a} R, \bar{T}=g_{1}^{i d} r^{n} \bmod n^{2}, \bar{L}=g^{a} R_{0}, \bar{L}_{1}=g^{\beta a} \overline{R_{0}}\right. \\ \left.\left\{\bar{K}_{i}=V_{i}^{(\beta+\bar{T}) a} R_{i}\right\}_{i \in S},\left\{g^{\eta_{\theta}}\right\}_{\theta \in \text { Path }(i d)}\right\}\)
Finally, AT sends(α,skpri) to DU.
For DU :
DU determines whether the following equations are true.
(a) \(e\left(\overline{L_{1}}, g\right)=e\left(g^{\beta}, \bar{L}\right)=e\left(g^{\beta},(g)^{a}\right)\)
(b) \(e\left(\bar{K}, g^{\beta} g^{\bar{T}}\right)=e\left(\bar{L}_{1}(\bar{L})^{\bar{T}}, v\right) e\left(R_{U}, g^{\gamma}\right) e(g, g)^{\alpha}\)
(c) \(\text { s.t. } e\left(V_{x}, \overline{L_{1}}(\bar{L})^{\bar{T}}\right)=e\left(\bar{K}_{x}, g\right), \quad \exists x \in S .\)
If all the equations hold, DU holds on the interaction and computes \(h_{i d}=\frac{a}{h}\). Then, it takes his secret key skid as below:
\(s k_{i d}=\left\{S, K=\bar{K}\left(g^{u}\right)^{h_{i d}}, T=\bar{T}, L=\bar{L}, L_{1}=\overline{L_{1}}, R_{U}, h_{i d},\left\{K_{i}=\overline{K_{i}}\right\}_{i \in S},\left\{g^{\eta_{\theta}}\right\}_{\theta_{\in \text { Path }(i d)}}\right\}\)
Otherwise, DU aborts the interaction.
4.3 Key update(I,rl,t,(idi,ti),st,msk)→(kdt,rl)
Firstly, AT operates the revocation algorithm for every identifier and revocation epoch (idi,ti). To make the whole process clearer, the flow of the domain key generation phase is shown in Fig. 4.
Fig. 4. The Flow of the Domain Key Update Phase
Rev (rl,(idi,ti))→rl. This algorithm is mainly used to update revocation lists in systems. DO launches the revocation algorithm and inputs the revocation list rl, the revocation epochs (idi,ti) and outputs the renewed rl as follows: rl∪(idi,ti)→rl. Fig. 5 shows the composition and update process of the revocation list. After obtaining the latest revocation list rl, AT executes the KeyUpdate algorithm.
Fig. 5. Renew
KeyUpdate(st,rl,msk,t)→kdt: The algorithm inputs state st, the latest revocation list rl, master secret key msk, time t∈τ, and outputs the key updating material kdt,θ. In this algorithm, firstly, the time coding method proposed in reference [36] is used to encode the time. The time t is encoded as a bit \(\tilde{t}\). Let ξ∈[D] be the set of all indexes i meeting t[i]=0. The key updating material kdt is generated as follows for every node θ∈KUNode(st,rl,t): retry ηθ. Randomly select \(\mu \in Z_{N}^{*}\) and output the key updating kdt,θ as below: \(k d_{t, \theta}=<k d_{1}, k d_{2}>=<g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu}, g^{\mu}>\).
4.4 Decryption key generation(pp,skid,kdi)→dkid,t/⊥
Let X and Y represent the sets Path (id) and KUNode(st,rl,t), eparately. If X∩Y=∅, the algorithm returns a failure symbol ⊥ . If not, we can obtain node θ∈X∩Y.
Randomly select \(\mu' \in Z_{N}^{*}\) and calculate the decryption key dkid,t as follows:
\(\begin{aligned} &D_{1}=g^{\eta_{\theta}} \cdot k d_{1} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta_{\theta}} \cdot g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}} \\ &D_{2}=k d_{2} \cdot g^{\mu^{\prime}}=g^{\mu} \cdot g^{\mu^{\prime}}=g^{\mu+\mu^{\prime}} \end{aligned}\)
Finally, the algorithm outputs: \(d k_{i d, t}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}, D_{1}, D_{2}\right)\)
4.5 Encrypt((A,ρ),pp,t,m,msk)→BT
For the ciphertext related to attributes, the algorithm chooses randomly \(\vec{y}=\left(s, y_{2}, y_{3},\right.\left.\ldots, y_{n}\right)^{\top}\), \(r_{j} \in Z_{N}^{*}\) for each row Aj of A , where s is randomly selected as a secret value. The attribute-related ciphertext is calculated as:
\(\begin{array}{r} \left(C_{0}=g^{s}, C_{1}=\left(g^{\beta}\right)^{s}, C_{2}=\left(g^{\gamma}\right)^{s}, C_{3}=\left(g^{u}\right)^{s}, C=m \cdot e(g, g)^{\alpha s} \cdot e(g, g)^{\eta s}\right. \\ \left.\left\{C_{j, 1}=v^{A_{j}\vec{y}} V_{\rho(j)}^{-r_{j}}, C_{j, 2}=g^{r_{j}}\right\}_{j \in[l]}\right) \end{array}\)
For the ciphertext related to time, the algorithm encodes t to the bit representation \(\tilde{t}\). Then it derives the time CTEncode(\(\tilde{t}\),τ)[36] →\(\tilde{t}\) and let ξ∈[D] be the set of each index i' satisfying t[i']=0. Then, it calculates the ciphertext affiliated to time as follow:
\(C_{4}=u_{0}^{s}, C_{5, i}=u_{i}^{s}, i \in \zeta\)
Finally, it outputs the ciphertext: CT=(C0,C1,C2,C3,C,C4,{C5,i}i∈ξ,{Cj,1,Cj,2 }j∈l).
4.6 Ciphertext update(BT,pp,t')→CT/⊥
The output of this algorithm is in the following two cases. If the ciphertext is invalid or the timestamp in the latest ciphertext CT is bigger than the time t', the algorithm will discontinue and output ⊥ . If not, it will encode t' to \(\tilde{t'}\) and update ciphertext CT.
Let ξ∈[D] signify the set of each index i' satisfying the condition t[i']=0.
Next, the PHR server calculates the ciphertext related to time as below:
\(C_{t}=C_{4} \Pi_{i \in \zeta} C_{5, i}=\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\)
Next, the algorithm chooses randomly \(\vec{y}^{\prime}=\left(s^{\prime}, y_{2}^{\prime}, y_{3}^{\prime}, \ldots, y_{n}^{\prime}\right)^{\top} \in Z_{N}^{*}\).
Then, it calculates the ciphertext:
\(C_{0^{\prime}}=C_{0} \cdot g^{s^{\prime}}=g^{s+s^{\prime}} \quad C_{t^{\prime}}=C_{t} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s^{\prime}}=\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s+s^{\prime}}\)
Finally, it outputs:
CT=(C0,C1,C2,C3,Cj,1,Cj,2,Ct').
4.7 Decrypt(CT,pp,dkid)→m/⊥
After DU obtains the latest ciphertext from the PHR server, it inputs pp, dkid and the latest ciphertext CT. Then, if the time t in dkid,t doesn't match the time t in CT or S doesn't satisfied (A,ρ), it output is ⊥ . If not, this algorithm will output plaintext message m through the following operations.
First, it calculates the constants \(\omega_{j} \in Z_{N}^{*}\) that satisfies \(\Sigma_{\rho(j) \in S} \omega_{j} A_{j}=(1,0, \ldots, 0)\) and the part related to the attributes:
\(\begin{aligned} &H_{a}=e\left(\left(C_{0}\right)^{T} C_{1}, K\right)\left(e\left(C_{2}, R_{U}\right) e\left(C_{3},\left(g^{T} g^{\beta}\right)^{h_{i d}}\right)\right)^{-1} \\ &H_{b}=\Pi_{\rho(j) \in S}\left(e\left(C_{j, 1}, L^{T} L_{1}\right) e\left(K_{\rho(j)}, C_{j, 2}\right)\right)^{\omega_{j}} \\ &H=\frac{H_{a}}{H_{b}}=\frac{e(g, g)^{s \alpha} e(g, v)^{(T+\beta) s a}}{e(v, g)^{s a(T+\beta)}}=e(g, g)^{s a} \end{aligned}\)
Next, it acquires the hiding component in plaintext:
\(E=\frac{e\left(D_{1}, C_{0}\right)}{e\left(D_{2}, C_{t}\right)}=e(g, g)^{s \eta} \quad m=\frac{C}{H \cdot E}\)
Finally, it outputs the plaintext m.
Correctness
\(\begin{aligned} &H_{a}=e\left(g^{s T} g^{\beta s}, g^{\frac{\alpha}{T+\beta}}\left(g^{h}\right)^{\frac{\gamma}{\beta+T}} v^{a} R\left(g^{u}\right)^{h_{i} d}\right)\left(e\left(g^{\gamma s}, g^{h}\right) e\left(g^{u s},\left(g^{T} g^{\beta}\right)^{h_{i d}}\right)\right)^{-1} \\ &=e(g, g)^{s(T+\beta) u h_{i d}} e(g, g)^{s \alpha} e(g, g)^{s \gamma h} e(g, v)^{(T+\beta) s a}\left(e(g, g)^{h \gamma s} e(g, g)^{u s h_{i d}(T+\beta)}\right)^{-1} \\ &=e(g, g)^{s \alpha} e(g, v)^{(T+\beta) s a} \end{aligned}\\ \begin{aligned} &H_{b}=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}} V_{\rho(j)}^{-r_{j}},\left(g^{a} R_{0}\right)^{T} g^{\beta a} \bar{R}_{0}\right) e\left(V_{\rho(j)}^{(\beta+\bar{T}) a} R_{i}, g^{r_{j}}\right)\right)^{\omega_{j}} \\ &=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}} V_{\rho(j)}^{-r_{j}}, g^{a T} g^{\beta a}\right) e\left(V_{\rho(j)}^{(\beta+\bar{T}) a}, g^{r_{j}}\right)\right)^{\omega_{j}} \\ &=\prod_{\rho(j) \in S}\left(e\left(v^{A_{j} \vec{y}}, g^{a(T+\beta)}\right)\right)^{\omega_{j}} \\ &=e(v, g)^{a(T+\beta) \sum_{\rho_{j} \in S} A_{j} \vec{y} \omega_{j}} \\ &=e(v, g)^{s a(T+\beta)} \end{aligned}\\ E=\frac{e\left(D_{1}, C_{0}\right)}{e\left(D_{2}, C_{t}\right)}=\frac{e\left(g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}}, g^{s}\right)}{e\left(g^{\mu+\mu^{\prime}},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\right)}=\frac{e\left(g^{s},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}}\right) e\left(g^{s}, g^{\eta}\right)}{e\left(g^{\mu+\mu^{\prime}},\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{s}\right)}=e(g, g)^{s \eta} \)
4.8 Key sanity check(skid,pp)→1/0
The key sanity check of skid includes the following four phases.
Firstly, check whether skid is structure of \(\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}, g^{\eta_{\theta}}\right)\) and \(T \in Z_{N}^{*}, K, L, L_{1}, R_{U},\left\{K_{i}\right\}_{i \in S} \in G, g^{\eta_{\theta}} \in G_{n_{1}}\).
\(-e(g,L1)=e(gβ,L).\)
-\(e\left(g^{\beta} g^{T}, K\right)=e\left(\left(g^{\beta} g^{T}\right)^{h_{d d}}, g^{u}\right) e\left(R_{U}, g^{\gamma}\right) e\left(L_{1} L^{T}, v\right) e(g, g)^{\alpha}\)
-\(\exists x \in S, \text { s.t.e }\left(V_{x}, L_{1} L^{T}\right)=e\left(K_{x}, g\right)\)
If skid passes this check, the output is 1. If not, the output is 0.
4.9 Trace(skid,pp,msk)→id/⊥
If algorithm Key sanity check output is 0, it implies that skid is not well-formed and doesn't deserve to trace. Hence, the algorithm outputs ⊥. If not, AT will perform the operations \(Q=\pi^{-1} \bmod n, T=g_{1}^{i d} r^{n} \bmod n^{2}\) to extract and output the identity id. It can obtain the result from above two equation:
\(T^{\pi Q}=g_{1}^{i d \cdot \pi Q} \cdot r^{n \cdot \pi Q}=g_{1}^{i d}=1+i d \cdot n \bmod n^{2} ; i d=\frac{\left((T)^{\pi Q} \bmod n^{2}\right)-1}{n} \bmod n .\)
4.10 Audit(pp,skid,\(s k_{i d}^{*}\))→guilty/acquitte
DU is considered as a malicious user, but it declares to be acquitted or defamed. In this case, an auditor is needed to determine if the user is guilty or not. We propose an auditing algorithm that anyone can act publicly as a auditor in the system. After the Trace algorithm outputs the traced key \(s k_{i d}^{*}\), the auditor will interact with DU as follows.
First, DU releases to his secret key skid to the auditor. If algorithm Key sanity check outputs 0, the auditor discontinues. Otherwise, the auditor proceeds to the next step.
The auditor checks whether hid is equal to \(h_{i d}^{*}\). If equal, it means that the user does reveal the secret key skid to others. Consequently, DU is guilty. The output is guilty. If not, the output is acquitted.
5. Security Analysis
5.1 IND-CPA Security
In this part, the security proof of proposed scheme will be put forward. The security of our new accountable authority, traceable user and revocable user CP-ABE scheme (referred to as AATR-ABE) is based on IND-CPA security of the ABE scheme [35] (referred to as Lewko ABE).
Lemma 1. [35] Lewko ABE is secure if Assumption 1, 2 and 3 in Subsection 2.5 are true.
Lemma 2. [35] AATR-ABE is secure in the IND-CPA game of Subsection 3.3 if Lewko ABE is secure.
Theorem 2. AATR-ABE is secure if Assumption 1, 2 and 3 in Subsection 2.5 are true.
Proof. After exploiting A who has a non-negligible advantage to win the IND-CPA game of AATR-ABE, we establish a PPT simulator algorithm T to break Lewko ABE.
Setup: Lewko ABE gives public parameters \(p p=\left(g, e(g, g)^{\alpha}, g^{\kappa}, N,\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\) to T , T chooses α,γ at randomly from \(Z_{N}^{*}\) and two random primes bd, which meets |b|=|d|, b≠d, gcd(bd,(d-1)(b-1))=1. Let π=lcm(d-1,b_1),n=bd,Q=π-1 mod n and g1=(n+1). T sends \(p p=\left(N, n, g_{1}, v=g^{\kappa}, u_{0}, \ldots, u_{D}, g, g^{\beta},\right.\left.g^{\gamma}, g^{u}, e(g, g)^{\alpha}, e(g, g)^{\eta},\left\{V_{i}=g^{v_{i}}\right\}_{i \in V}\right)\) to A.
Query 1: To query a decryption key, A sends (id,S) to T. T sends S to Lewko ABE. After receiving the S from T, Lewko ABE gives decryption key as \(\mathrm{d} k=\left\{\tilde{K}=g^{\kappa \tilde{a}} g^{\alpha} R, \tilde{L}=g^{\tilde{a}} R_{0},\left\{K_{i}=V_{i}^{\tilde{a}} R_{i}\right\}_{i \in S}\right\}\) to T. In Lewko ABE, the authority independently selects and distributes decryption keys to users. On the contrary, in AATR-ABE, key generation is caused by the interaction between the authority and an user. The secret key is affected by both h produced by the user and a produced by the authority. During key generation, first, the user randomly selects h and submits RU=gh to the authority. The user runs a zero-knowledge proof about <RU,h>, which indicates the presence of a knowledge extractor E. The authority could retrieve discrete logarithm h by using E. Accordingly, in IND-CPA game, T can retrieve h from RU. T randomly selects \(r \in Z_{N}^{*}\) and calculates \(T=\bar{T}=g_{1}^{i d} r^{n} \bmod n^{2}\) and \(\frac{1}{\beta+T} \bmod N\). Let \(c=\frac{\tilde{c}}{\beta+T}\), \(h_{i d}=\frac{a}{h}\). Then T randomly selects \(\overline{R_{0}} \in G_{n_{3}}\) and calculates \(\begin{aligned} &\bar{K}=(\tilde{K})^{\frac{1}{\beta+T}}\left(g^{h}\right)^{\frac{\gamma}{\beta+T}}=g^{\frac{\alpha}{\beta+T}} v^{a} g^{\frac{\gamma h}{\beta+T}} R^{\frac{1}{\beta+T}}, K=\bar{K}\left(g^{u}\right)^{h_{d}}, \bar{L}=(\tilde{L})^{\frac{1}{\beta+T}} \\ &=g^{a}\left(R_{0}\right)^{\frac{1}{\beta+T}}, L=\bar{L}, \quad \bar{L}_{1}=(\tilde{L})^{\frac{\beta}{\beta+T}}=g^{\beta a} R_{0}^{\frac{\beta}{\beta+T}} \overline{R_{0}}, L_{1}=\bar{L}_{1},\left\{\bar{K}_{i} \quad=K_{i}=V_{i}^{(\beta+T) a} R_{i}\right\}_{i \in S}, \left\{K_{i}=K_{i}\right\}_{i \in S} \end{aligned} \). T retrieves ηθ from the node θ. It randomly chooses and saves \(\eta_{\theta} \in Z_{N}^{*}\) in the node θ if ηθ is unavailable. Finally, T gives A secret key \(s k_{i d, S}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d},\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}\right)\). Retry ηθ for every node θ∈KUNode(st,rl,t), and randomly select \(\mu \in Z_{N}^{*}\) and calculates \(k d_{t, \theta}=<k d_{1}, k d_{2}>=<g^{\eta-\eta_{\theta}}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu}, g^{\mu}>\). Then, randomly select \(\mu' \in Z_{N}^{*}\) and calculate the decryption key dkid,t as follows:
\(D_{1}=g^{\eta_{\theta}} \cdot k d_{1} \cdot\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu^{\prime}}=g^{\eta}\left(u_{0} \Pi_{i \in \zeta} u_{i}\right)^{\mu+\mu^{\prime}} D_{2}=k d_{2} \cdot g^{\mu^{\prime}}=g^{\mu} \cdot g^{\mu^{\prime}}=g^{\mu+\mu^{\prime}}\)
Finally, T sends the decryption key \(d k_{i d, t}=\left(S, K, T, L, L_{1}, R_{U}, h_{i d}, \quad\left\{K_{i}\right\}_{i \in S}, g^{\eta_{\theta}}, D_{1}, D_{2})\right.\) to A.
Challenge: (A,ρ) and two messages m0, m1 of the same length are sent to T by A. T sends m0, m1 and (A,ρ) to Lewko ABE. Then T gains the challenge ciphertext ct as below:
\(\left\{\tilde{C}=m_{\lambda} \cdot e(g, g)^{\alpha s}, C_{0}=g^{s},\left\{C_{j, 1}=g^{\kappa A, \vec{y}} V_{\rho(j)}-r_{j}, C_{j, 2}=g^{r}\right\}_{j \in[l]},\left(A^{*}, \rho\right)\right\}\) T makes \(\begin{array}{r} C=\tilde{C} \cdot e(g, g)^{\eta s}, C_{0}=C_{0}, C_{1}=\left(C_{0}\right)^{\beta}=g^{\beta s}, C_{2}=\left(C_{0}\right)^{\gamma}=g^{\gamma s}, C_{3}=\left(C_{0}\right)^{u}=g^{u s}, C_{4}=u_{0}^{s} \\ C_{5, i}=u_{i}^{s}, C_{j, 1}=C_{j, 1}=v^{A, \bar{y}} V_{\rho(j)}^{-r_{j}}, C_{j, 2}=C_{j, 2} \end{array}\).
The challenge ciphertext is send to A by T.
ct={C0,C1,C2,C3,C4,C5,i,{Cj,1,Cj,2}}
Query Phase 2: A and T continue the above queries and interactions.
Guess: A generates a bit λ' as the guessing of λ and send it to T. Then, T gives λ' to Lewko ABE. Because the assignment of public parameters, decryption key and challenge ciphertext in the above process is the same as in the real system, we can conclude that the advantage of A breaking AATR-ABE is equivalent to the advantage of A breaking Lewko ABE.
6. Comparison
Next, we will contrast our scheme with other relevant works [22, 24, 25, 31, 36, 37] from the aspects of functionality and efficiency.
6.1 Functionality
In Table 1, we contrast our scheme with the solutions implemented by [22, 24, 25, 31, 36, 37] . [22] realizes traceable user, accountable authority, public auditing and no storage for tracing, but it does not implement user revocation. Although [37] supports both user traceability and user revocation,it does not support accountable users and public auditing. The scheme is selective security under the standard model. The user revocation is achieved in [36] using an indirect revocation, but it can't solve the matter of key abuse. The scheme in [31] only implements traceable user and the storage overhead for traceability is linear. As mentioned earlier, a personal health record system with traceable user, accountable authority, public auditing, user revocation needs to be proposed. Obviously, only our scheme can achieve the above functionalities at the same time. [24] and [25] only implement traceable users.
Table 1. Function Comparison
6.2 Efficiency
The cost of other operations is very small compared with exponentiation operation as well as pairing operation, so we only consider exponential operation and pairing operation when comparing efficiency. We compared our scheme with others [22, 24, 25, 31, 36, 37]with respect to efficiency. The storage and transmission overhead comparison results are given in Table 2, including key length, ciphertext length. The computational complexity comparison results are given in Table 3, including the user-side overhead and authority center overhead in the key generation phase, as well as encryption and decryption costs.
Table 2. Storage and Transmission Overhead Comparison
Table 3. Computational Complexity Comparison
Let \(L_{Z_{P}}\), LG, \(L_{G_{T}}\) intend the length of a component in group \(Z_{N}^{*}\), G and GT separately. |U| represents the quantity of users in path (id). Let |S| represent the size of the user's attribute set. l represents the quantity of rows in A. n represents the size of user attribute sets. |D| represents the size of τ. During decryption and encryption, time spent on a pairing operation is expressed as P . The time overhead executing a pair operation in both GT and G is represented as \(E_{G_{T}}\) and EG respectively. From Table 2 and Table 3, we can see that compared with several other schemes, our plan has some advantages in terms of key length, ciphertext length, encryption complexity and decryption complexity. This means our scheme can achieve relatively high efficiency.
6.3 Implementation
We provide the implementation of our scheme and other relevant schemes [22, 24, 25, 31, 36, 37]. Note that our scheme is built based on composite order pairings, but we can extend our scheme to prime order setting by using the techniques introduced in [16]. So we use PBC library to realize the prime order symmetrical bilinear pairing e: G×G→GT over the security level of 80 bits to implement the algorithm of the schemes in the Table 3 in a simulation way. The hardware we used is R5-4800H with 8GB RAM. OS is windows 10 1909. As shown in Fig. 6, Fig. 7 and Fig. 8, the evaluation includes KeyGen.authority complexity, decrypt complexity and encrypt complexity mainly.
Fig. 6. KeyGen Authority Complexity
Fig. 7. Decrypt Complexity
Fig. 8. Encrypt Complexity
As can be seen from Fig. 6, Fig. 7 and Fig. 8, the computational complexity of the authority side in the KeyGen algorithm is much lower than that of schemes [36] and [25], and lower than [24], which is basically the same as [22, 31, 37]. The complexity of decryption is much lower than that of scheme [33,43], and not much different from that of other schemes [22, 24, 36, 37]. The encryption complexity is much lower than that of scheme [31, 36, 37], and not much different from that of other schemes [22, 24, 25]. Therefore, in terms of efficiency, the proposed scheme has great advantages and competitiveness.
7. Conclusion
In this paper, we dispose the matters of key abuse and user revocation by introducing a CP-ABE scheme which is traceable user, accountable authority, and supports public auditing and user revocation. Furthermore, we demonstrate the scheme is full secure. Through theoretical analysis and implementation, we find our scheme only sacrifices a little time cost to achieve user revocation, which is a worthwhile compromise and has important significance in security and performance of this system.
Acknowledgement
This work was supported by the Natural Science Foundation of China under Grant 61520106007.
References
- H. Xiong, Y. Bao, X. Nie, and Y. I. Assor, "Server-aided attribute-based signature supporting expressive access structures for industrial internet of things," IEEE Transactions on Industrial Informatics, vol. 16, no. 2, pp. 1013-1023, 2020. https://doi.org/10.1109/tii.2019.2921516
- H. Xiong, Q. Mei, and Y. Zhao, "Efficient and provably secure certificateless parallel key-insulated signature without pairing for IIOT environments," IEEE Systems Journal, vol. 14, no. 1, pp. 310-320, 2020. https://doi.org/10.1109/jsyst.2018.2890126
- T. Wu, Z. Lee, M. S. Obaidat, S. Kumari, S. Kumar, and C. Chen, "An authenticated key exchange protocol for multi-server architecture in 5g networks," IEEE Access, vol. 8, pp. 28096-28108, 2020. https://doi.org/10.1109/access.2020.2969986
- T. Wu, C. Chen, K. Wang, C. Meng, and E. K. Wang, "A provably secure certificateless public key encryption with keyword search," Journal of The Chinese Institute of Engineers, vol. 42, no. 1, pp. 20-28, 2019. https://doi.org/10.1080/02533839.2018.1537807
- H. Xiong, Y. Wu, C. Jin, and S. Kumari, "Efficient and Privacy-Preserving Authentication Protocol for Heterogeneous Systems in IIoT," IEEE Internet of Things Journal, vol. 7, no. 12, pp. 11713-11724, Dec. 2020. https://doi.org/10.1109/JIOT.2020.2999510
- C. Chen, B. Xiang, Y. Liu, and K. Wang, "A secure authentication protocol for internet of vehicles," IEEE Access, vol. 7, pp. 12047-12057, 2019. https://doi.org/10.1109/access.2019.2891105
- H. Xiong, Y. Zhao, Y. Hou, X. Huang, C. Jin, L. Wang, and S. Kumari, "Heterogeneous Signcryption with Equality Test for IIoT environment," IEEE Internet of Things Journal, p. 1, July 2020.
- H. Hong, D. Chen, and Z. Sun, "A practical application of cp-abe for mobile phr system: a study on the user accountability," SpringerPlus, vol. 1320, 2016.
- H. H. Chung, P. S. Wang, T. Ho, H. Hsiao, and F. Lai, "A secure authorization system in phr based on cp-abe," pp. 1-4, 2015.
- F. Xhafa, J. Wang, X. Chen, J. K. Liu, J. Li, and P. Krause, "An efficient phr service system supporting fuzzy keyword search and fine-grained access control," Soft computing, vol. 18, pp. 1795-1802, 2014. https://doi.org/10.1007/s00500-013-1202-8
- F. Xhafa, J. Feng, Y. Zhang, X. Chen, and J. Li, "Privacy-aware attribute-based phr sharing with user accountability in cloud computing," The Journal of Supercomputing, vol. 71, pp. 1607-1619, 2015. https://doi.org/10.1007/s11227-014-1253-3
- L. Zhang, Q. Wu, Y. Mu, and J. Zhang, "Privacy-preserving and secure sharing of phr in the cloud," Journal of Medical Systems, vol. 40, no. 267, 2016.
- Z. Qin, Y. Wang, H. Cheng, Y. Zhou, Z. Sheng, and V. C. M. Leung, "Demographic information prediction: A portrait of smartphone application users," IEEE Transactions on Emerging Topics in Computing, vol. 3494, pp. 432-444, 2018.
- H. Xiong, J. Chen, Q. Mei, and Y. Zhao, "Conditional Privacy-Preserving Authentication Protocol with Dynamic Membership Updating for VANETs," IEEE Transactions on Dependable and Secure Computing, p. 1, Dec. 2020.
- A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol. pp. 457-473, 2005.
- J. Li, K. Ren, and K. Kim, "A2be: Accountable attribute-based encryption for abuse free access control," IACR Cryptology ePrint Archive, 2009.
- Z. Liu, Z. Cao, and D. S. Wong, "White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures," IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 76-88, 2013. https://doi.org/10.1109/TIFS.2012.2223683
- Z. Liu, Z. Cao, and D. S. Wong, "Blackbox traceable cp-abe: how to catch people leaking their keys by selling decryption devices on ebay," in Proc. of 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 475-486, 2013.
- J. Li, X. Chen, S. S. M. Chow, Q. Huang, D. S. Wong, and Z. Liu, "Multi-authority fine-grained access control with accountability and its application in cloud," Journal of Network and Computer Applications, vol. 112, no. 15, pp. 89-96, 2018. https://doi.org/10.1016/j.jnca.2018.03.006
- G. Yu, X. Ma, Z. Cao, W. Zhu, and J. Zeng, "Accountable multiauthority ciphertext-policy attribute-based encryption without key escrow and key abuse," in Proc. of International Symposium on Cyberspace Safety and Security, pp. 337-351, 2017.
- Z. Liu and D. S. Wong, "Practical attribute-based encryption: Traitor tracing, revocation and large universe," The Computer Journal, vol. 59, no. 7, pp. 983-1004, 2016. https://doi.org/10.1093/comjnl/bxv101
- J. Ning, X. Dong, Z. Cao, and L. Wei, "Accountable authority ciphertext-policy attribute-based encryption with white-box traceability and public auditing in the cloud," in Proc. of European Symposium on Research in Computer Security, pp. 270-289, 2015.
- Z. Zhang, P. Zeng, B. Pan, and K. K. R. Choo, "Large-Universe Attribute-Based Encryption With Public Traceability for Cloud Storage," IEEE Internet of Things Journal, vol. 7, no. 10, pp. 10314-10323, Oct. 2020. https://doi.org/10.1109/jiot.2020.2986303
- J. Ning, Z. Cao, X. Dong, and L. Wei, "White-Box Traceable CP-ABE for Cloud Storage Service: How to Catch People Leaking Their Access Credentials Effectively," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 883-897, 2016. https://doi.org/10.1109/tdsc.2016.2608343
- J. Zhao and P. Zeng, "Efficient, and Large Universe Ciphertext-Policy Attribute-Based Encryption with Black-Box Traceability for eHealth," in Proc. of the International Conference on Cyber Security Intelligence and Analytics, vol. 1147, pp. 480-485, 2020.
- M. Pirretti, P. Traynor, P. Mcdaniel, and B. Waters, "Secure attribute-based systems," Journal of Computer Security, vol. 18, no. 5, pp. 799-837, 2010. https://doi.org/10.3233/JCS-2009-0383
- V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM Conference on Computer and Communications Security, pp. 89-98, 2006.
- X. Liang, R. Lu, X. Lin, and X. S. Shen, "Ciphertext policy attribute-based encryption with efficient revocation," TechnicalReport, University of Waterloo, vol. 2, p. 8, 2010.
- Q. Liu, G. Wang, and J. Wu, "Time-based proxy re-encryption scheme for secure data sharing in a cloud environment," Information Sciences, vol. 258, pp. 355-370, 2014. https://doi.org/10.1016/j.ins.2012.09.034
- A. Sahai, H. Seyalioglu, and B. Waters, "Dynamic credentials and ciphertext delegation for attribute-based encryption," in Proc. of Annual Cryptology Conference, vol. 7417, pp. 199-217, 2012.
- X. Yan, X. He, J. Yu, and Y. Tang, "White-box traceable ciphertext-policy attribute-based encryption in multi-domain environment," IEEE Access, vol. 7, pp. 128298-128312, 2019. https://doi.org/10.1109/access.2019.2939413
- D. Naor, M. Naor, and J. B. Lotspiech, "Revocation and tracing schemes for stateless receivers," in Proc. of Annual International Cryptology Conference, vol. 2139, pp. 41-62, 2001.
- H. Xiong and Z. Qin, "Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1442-1455, 2015. https://doi.org/10.1109/TIFS.2015.2414399
- Q. Mei, H. Xiong, J. Chen, M. Yang, S. Kumari, and M. K. Khan, "Efficient Certificateless Aggregate Signature With Conditional Privacy Preservation in IoV," IEEE Systems Journal, pp. 1-12, Feb. 2020. https://doi.org/10.1109/JSYST.2016.2528398
- A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, "Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption," in Proc. of Annual International Conference on the Therory and Applications of Cryptographic Techniques, vol. 6110, pp. 62-91, 2010.
- S. Xu, G. Yang, Y. Mu, and X. Liu, "A secure IOT cloud storage system with fine-grained access control and decryption key exposure resistance," Future Generation Computer Systems, vol. 97, pp. 284-294, 2019. https://doi.org/10.1016/j.future.2019.02.051
- Z. Liu, S. Duan, P. Zhou, and B. Wang, "Traceable-then-revocable ciphertext-policy attribute-based encryption scheme," Future Generation Computer Systems, vol. 93, pp. 903-913, 2019. https://doi.org/10.1016/j.future.2017.09.045