International Journal of Engineering, Management & Sciences (IJEMS) ISSN-2348 –3733, Volume-2, Issue-5, May 2015
Identity Based and Attribute Based Cryptography: A Survey Meenal Jain and Manoj Singh Abstract— Changing scenario of cryptography has led to a change in paradigm of from certificate based public keys and keyrings to user-dependent keys which are based on identities of users or their attributes. This is termed as identity based cryptography or attribute based cryptography. Such encryption schemes are much relevant in current scenario of cloud computing and mobile computing where participation of user in transactions is partial, or user-based access control over an encrypted database is required. This paper presents a survey of identity based and attribute based cryptographic primitives. Index Terms— Cryptography. Cryptosystem, Signcryption
I. INTRODUCTION Identity-based cryptosystem was first conceived as an idea by Shamir[1] in 1984 as a means to get rid of public-key certificates by allowing the user’s public key to be an arbitrary string which is an information identifying the user in a non-ambiguous way (through identities like email address, social security number etc). The advantage was that cost of establishing and managing the public key authentication framework was reduced significantly. Also the system complexity public key infrastructure was reduced. The main problem here is that for every application or system a unique string identifier cannot exist. Rather users are generally identified by their attributes. Sahai et al [2] proposed attribute based encryption (ABE) as a problem to this solution. ABE views identity of any user as a set of attributes. The key-authority distributes the attributes and they are used to generate an identity. Then a scheme built on ideas from IBE [1, 3-5] can be used. In this paper we first review some important Identity based encryption, signature and signcryption schemes. Subsequently, we review a few important attribute based encryption and signature schemes. II. IDENTITY BASED CRYPTOGRAPHY Encryption keys derived from user identities are useful in avoiding trust problems which are generally faced in certificate based public key infrastructures (PKIs). This is so because there is no need of binding a public key to its owner, which is a single unique entity. These systems generally involve some trusted authorities, called private key generators,to compute users’ private key from their identity Manuscript received May 16, 2015. Meenal Jain, M.Tech. Computer Science, Department of Computer Science,Gurukul Institute of Engineering & Technology, Kota, Rajasthan, India Manoj Singh, Head of Department, Department of Computer Science, Gurukul Institute of Engineering & Technology , Kota, Rajasthan, India
88
information (users do not generate their key pairs themselves). The idea was proposed first by Shamir[1]in 1984.Many practical identity based signature schemes[6,7] have been devised since then. The problem was again brought to surface by Boneh et al [3] in 2001. They presented the first identity-based encryption scheme based on use of groups for which there was an efficiently computable bilinear map. It was proved to be secure and practical. Ever since, a rapid development of IBE and IBS has taken place, and a series of research [4,5,8-14] have proposed newer notions of security which are stronger in the standard model. The first construction of IBE, called the Selective-ID model was proposed by Canetti et al [4]. Being a slightly weaker modelin which the adversary declares the identity to be attacked before the global public parameters are generated; it is provably secure outside the random oracle model. Boneh et al [13] presented a space-efficient IBE without pairings. Gentry [15] proposed the first CCA2 secure IBE system without random oracles that has a tight reduction todecisional Bilinear Diffie-Hellman Exponent assumption. This scheme was extended as [16] to construct an adaptively-secure identity based broadcast encryption system without random oracles. Boyen [17] proposed a framework for constructing Hierarchical Identity-based Encryption (HIBE) systems from exponent-inversion IBE systems. The idea is to select pairing-based IBE systems having specific properties (also called parallel IBE and linear IBE). Authors [17] proved that an IBE system with these properties can be transformed into HIBE with comparable security. Identity based signcryption achieves the functionality of signcryption with the added advantages that IBE provides. Malone-Lee[18] proposed the first identity based signcryption scheme. Since then quite a few ID-based signcryption schemes have been proposed [19-23]. Out of these most efficient are those of Chen et al [23] and Barreto et al [22]. In 2008, Li et al [24] devised an identity based threshold signcryption scheme and proved the confidentiality of their scheme. Selvi et al [25] soon showed that in the scheme [24] the secret key of the sender is insecure in the presence of malicious insiders during signcryption. They proposed an improved scheme [25] in the same security model. Basics of IBE There are four functions in IBE: 1) setup - generates global system parameters and a master-key, 2) extract – uses the master key to generate the private key corresponding to an arbitrary public key string ID; 3) Encrypt – encrypts messages using the public key ID, 4) Decrypt – decrypts messages using the corresponding private key.
www.alliedjournals.com
Identity Based and Attribute Based Cryptography: A Survey
A map all
is called a bilinear pairing if for and all , we have . The Bilinear Diffie-Hellman problem for a bilinear map such that is primarily defined as follows : To give , compute , where g is a generator and . An algorithm A is said to solve the BDH problem with advantage ε if , where the probability is over the random choice of a,b,c,g and the random bits of A. Secret sharing scheme –Secret sharing schemes are used to divide a secret among a number of parties. The information given to a party is called the share (of the secret) for that party. Every SSS realizes access structure that defines the sets of parties who should be able to reconstruct the secret by using their schemes. Shamir and Blakley [26] were the first to propose a construction for (t,n) secret-sharing schemes where the access structure is a threshold gate. That is, if any t or more parties come together, they can reconstruct the secret by using their shares. However, any lesser number of parties does not get any information about the secret. III. ATTRIBUTE- BASED CRYPTOGRAPHY The concept of attribute-based encryption emerged from fuzzy–IBE proposed by Sahai[2]. The basic idea is user with secret key for identity ω is able to decrypt a ciphertext encrypted with identity ω’ if and only if ω and ω’ are close to each other as measured by the “set overlap” distance metric. In other words, in an ABE system, if the message is encrypted with a set of attributes ω’, a private key for a set of attribute enables decrypting that message, if and only if , where d is fixed during the setup time. Thus, ABE achieves error tolerance making it suitable for use with biometric identities. One drawback of the Sahai approach is that their initial construction was limited to handling formulas consisting of one threshold gate. Proper attribute-base schemes appeared in [27-29] as an improvement of these ideas. Further researches can be divided into two categories: key policy ABE and ciphertext policy ABE. Goyal et al[30] further clarified these concepts of attribute- based encryption. In particular, they proposed two complimentary forms of ABE. Firstly, key-policy ABE (KPABE): in this the attributes are used to annotate the ciphertexts and formula’s over these attributes are ascribed to user’s secret keys. Goyal et al[30] provided a construction for KPABE that allowed keys to be expressed in terms of a monotonic formula over encrypted data. The system has been proved to be selectively secure under the Bilinear Diffie-Hellman assumption. The second type, ciphertext–policy ABE (CPABE)is a complimentary form. In this the attributes are used to describe the user’s credentials and the formulas over these credentials are attached to the ciphertext by the encrypting party. The problem of CPABE was explicitly addressed in [31] by Bethencourt et al.The proposed system is efficient and expressive, analogous to the Goyal et al [30] construction. It allows an encryptor to express an access predicate f in terms of any monotonic formula over attributes. Cheung et al [32] proposed another CP-ABE scheme in which decryption
89
policies are restricted to a single AND gate, but attributes are allowed to be either positive or negative.Goyal et al [33] provide a “bounded” CP-ABE construction; a general approach to construct a CP-ABE scheme from a KP-ABE system. The main drawback of this approach is that it needsto build a complete tree of depth d to cover all possible access trees.A new technique to realize cipher text-policy attribute encryption(CP-ABE) was proposed by Brent[34]. The proposal considers concrete and non-interactive cryptographic assumptions that allow any encryptor to specify access control in terms of an LSSS matrix, M, over the attributes in the system. Chase[35] proposed a solution for multi-authority attribute based encryption, provided that a trusted central authority is available. Besides encryption, there have been several efforts towards constructing attribute based signatures. Yang et al. [36] proposed the notion of fuzzy identity- based signature(FIBS). In FIBS, the user can sign a message with some of its attributes. The verifier can check if the signature is signed by user with these attributes. Maji et al. [37] tried to achieve attribute-based signature with signer privacy. But the proposal suffers from weak security; the security has been proved only in non-standard hardness assumption and generic group model. Khader[38] proposed another notion which was called attribute based group signature. It allows a verifier to request a signature from a member of a group who possesses certain attributes and the signature should prove ownership of certain properties. However, what the picture is currently missing is an algorithm that combines (existing or new) ABE and signature ina practical and secure way. Access structure Let be a set of parties. A collection is monotone if . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of , i.e. . The sets in Γ are called the authorized sets and the sets not in Γ are called the unauthorized sets. The initial ABE schemes were limited to expressing only monotonic access structures and there is no satisfactory method to represent negative constraints in a key’s access formula. Ostrovsky et al.[28] proposed the attribute-based encryption with non-monotonic access structure.Non-monotonic access structure can use the negative wordto describe every attributes in the message, but themonotonic access structure cannot.The problem with Attribute-based Encryption Scheme withNon-Monotonic Access Structures is that there are many negative attributes in the encrypted data, but they don't relate to the encrypted data. It means that each attribute adds a negative word to describe it, but these are useless for decrypting the encrypted data. It can cause the encrypted data overhead becoming huge. It is inefficient and complex each ciphertext needs to be encrypted with d attributes, where d is a system-wise constant. Hierarchical attribute-based encryption (HABE) is derived by Wang et al[39]. The HABE model consists of a root master (RM) that corresponds to the third trusted party (TTP),multiple domain masters (DMs) in which the top-level DMs correspond to multiple enterprise users, and numerous users that correspond to all personnel in an enterprise. This scheme used the property of hierarchical generation of keys in
www.alliedjournals.com
International Journal of Engineering, Management & Sciences (IJEMS) ISSN-2348 –3733, Volume-2, Issue-5, May 2015 HIBE scheme to generate keys. This scheme can satisfy the property of fine grained access control, scalability and full delegation. It can share data for users in the cloud in an enterprise environment. Furthermore, it can apply to achieve proxy re-encryption [40]. But in practice, it is unsuitable to implement. Since all attributes in one conjunctive clause in this scheme may be administered by the same domain authority, the same attribute may be administered by multiple domain authorities. Bozovic et al [41], introduce Multi-authority attribute-based encryption that involves multiple parties to distribute attributes for users.A Multi Authority ABE system is composed of K attribute authorities and one central authority. Each attribute authority is also assigned a value dk. It allows any polynomial number of independent authoritiesto monitor attributes and distribute private keys and can tolerate any number of corrupted authorities. In this model, a recipient is defined not by a single string, but by a set of attributes. Complication in multi-authority scheme required that each authority’s attribute set be disjoint. The concept of attribute-set-based encryption was extended to a hierarchical structure of users by Wan et al in Hierarchical attribute-set-based encryption(HASBE) [42].The scheme is scalable due to its hierarchical structure, and also inherits flexibility andfine-grained access control due to support of compound attributes as in ASBE. Another plus point is better user revocation, which is handled through multiple value assignments for access expiration time. The drawback in this scheme is that it applies cryptographic methods by disclosing data decryption keys only to authorized users. These solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine grained data access control is desired, and thus do not scale well. IV. REVOCATION MECHANISMS Revocation refers to unauthorizing a user key or the user itself. The associated problem is that when a user is removed, the attributes or the key might still remain valid and can be misused. Thus, in any multiuser encryption system we need mechanisms to deal with malicious users. The revocation mechanism of ABE schemes is more complicated than that of traditional public key cryptosystem or IBE schemes [43, 44 – 47]. At present, the revocation mechanisms can be broadly classified into two methods: first the indirect revocation method [31, 48–52] and the other is the direct revocation method [53, 54–56]. The indirect revocation method implements revocation through an authority who releases a key update material periodically in such a way that only non-revoked users can update their keys. In this manner, the revoked users’ keys automatically become invalid. The indirect method has an advantage that senders do not need to know the revocation list. A major drawback is that the key update phase, which requires periodic messages from the authority to all non-revoked users can become a communication bottleneck.There are several schemes [31, 48,43] which realize attribute revocation by setting expiration time on each attribute. Another drawback of these schemes is the security degradation in terms of the backward and forward security [51].
90
To reduce the burden of authority and achieve immediateattribute revocation, two CP-ABE schemes with immediate attribute revocation were proposed by Ibraimi et al. [49] and Yu et al. [50]. They employ a semi honest service provider for this purpose.However, these too have failed to achieve fine-grained user access control in the data outsourcingenvironment. For this reason, Hur and Noh [51] proposed a CP-ABE scheme with fine-grained attribute revocation with the help of the honest-but-curious proxy deployed in the data service provider. Boldyreva et al. [43] proposed an efficient revocation method that uses a binary tree to represent revocation and each revocation is followed by reencryption of ciphertext. However, this scheme cannot resist the collusion attack. Aiming at reducing the computation overhead of data service manager, Xie et al. [52] proposed new CP-ABE construction with efficient user and attribute revocation.Compared with Hur and Noh’s [51], in the key update phase, the computation overhead of the data service manager will be reduced by half. The direct revocation method enforces revocation directly by the sender who specifies the revocation list while encrypting the cipher text. A directly revocable KP-ABE scheme was first mentioned by Staddon et al. [57], but their scheme only works when the number of attributes associated with a ciphertext is exactly half of the size of the universe of real attributes. Attrapadung and Imai [54] suggested a user-revocable ABE scheme by combining broadcast encryption schemes with ABE schemes. However, the data owner should take full charge of maintaining all the membership lists for each attribute group to enable the direct user revocation. This scheme is not applicable to the data outsourcing architecture, because the data owner will no longer be directly in control of data distribution after outsourcing their data to the external data server.Liang et al. [55] proposed a CP-ABE scheme with efficient revocation. Their construction uses linear secret sharing and binary tree techniques, and can be proved secure in the standard model. In addition to the attribute set, each user is also assigned a unique identifier. Therefore, a user can beeasily revoked by using his/her unique identifier. All the above schemes [53, 54, 55] support user revocation, but they have no effect on attribute revocation. Recently, Wu and Zhang [56] first formalized the notion of adaptively secure ABE scheme supporting attribute revocation underdirect revocation mode. V. CONCLUSION Encryption mechanisms based on user identities and attributes hold a great promise for changing scenarios of computing, namely cloud computing and ubiquitous computing. These schemes relate a key with a set of attributes and thus alleviate the problem of key generation and distribution of PKI. Also, the concepts of such schemes can be used to further design trust and security mechanisms for data storage in cloud.
REFERENCES [1]A. Shamir. Identity-based cryptosystem and signature scheme. Proceedings of CRYPTO’84. Berlin: Springer, 1985,LNCS 196:47-53. [2]A Sahai, B Waters. Fuzzy identity-based encryption. Proceedings of EUROCRYPT 2005. Berlin: Springer, 2005, LNCS 3494: 457-473.
www.alliedjournals.com
Identity Based and Attribute Based Cryptography: A Survey
[3]D Boneh andM Franklin. Identity based encryption from Weil pairing.Proceedings of Crypto 2001. Berlin: Springer,2001,LNCS 2139:213-229. [4]R Canetti, S Halevi, J Katz. A forward-secure public-key encryption scheme.Proceedings of Eurocrypt 2003. Berlin: Springer. 2003, LNCS 2656: 255-271. [5]D Boneh, X Boyen. Efficient selective-id secure identity based encryption without random oracles.Proceedings of Eurocrypt’ 04. Berlin: Springer, 2004, LNCS 3027:223-238. [6]A Fiat andA Shamir. How to prove yourself: practical solutions to identification and signature problems. Proceedings of Crypto’86. Berlin: Springer, 1986, LNCS 263:186-194. [7]L Guillou andJ Quisquter. A “paradoxial” identity- based signature scheme resulting from zero-knowledge.Proceedings of Crypto’88. Berlin: Springer, 1988,LNCS 403:216-231. [8]J C Cha andJ H Cheon. An identity–based signature from gap difie-hellman groups proceedings of public key cryptography-PKC 2003. Berlin: Springer, 2003,LNCS 2567:18-30. [9]F Hess. Efficient identity based signature schemes based on pairings. Proceedings of SAC 2202. Berlin: Springer,2002,LNCS 2595:310-324. [10] X Boyen, Q Mei andB Waters. Direct chosen ciphertext security from identity- based techniques. Proceedings of ACM CCS 05. New York: ACM,2005:221-238. [11] B Waters. Efficient identity-based encryption without random oracles. Proceedings of Eurocrypt’ 05. Berlin: Springer, 2005, LNCS 3494:114-127. [12] Y Q Chen, W Susilo andY Mu. Identity based anonymous designated ring signatures. Proceedings of the 2006 International Conference on wireless communication and mobile computing. New York:ACM, 2006: 189-194. [13] D Boneh, C Gentry, M Hamburg. Space–efficient identity-based encryption without pairings. Proceedings of FOCS 2007. Piscataway: IEEE,2007,647-657. [14] E Kiltez, Y Vahlis. CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption.Proceedings of CT-RSA 2008. Berlin: Springer, 2008, LNCS 4964:221-238. [15] C Gentry. Practical identity-based encryption without random oracles. Proceedings of Eurocrypt’ 06. Berlin: Springer, 2006, LNCS 4004:457-464. [16] C Gentry, B Waters. Adaptive security in broadcast encryption system. Proceedings of Eurocrypt’ 09. Berlin: Springer, 2009, LNCS 5479:171-188. [17] X Boyen. General ad hoc encryption from exponent inversion IBE. Proceedings of Eurocrypt’ 07. Berlin: Springer, 2007, LNCS 4515:394-411. [18] L J Malone. Identity-based signcryption. Proceedings of public key cryptography-PKC 2005. Berlin: Springer, 2005, LNCS 3386:362-379. [19] B Libert and J Quisquater. New identity based signcryption schemes from pairings. Proceedings of the conference IEEE ITW2003. Piscataway: IEEE, 2003:234-238. [20] X Boyen. Multipurpose identity-based signcryption: a swiss army knife for identity-based cryptography.Proceedings of Cryptology 2003. Berlin: Springer, 2003, LNCS 2729:383-399. [21] G Yang, D S Wong andX Deng. Analysis and improvement of a signcryption scheme with key privacy. Proceedings of 8th information security conference (ISC’ 05). Berlin: Springer, 2005, LNCS 3650:218-232. [22] P Barreto, B Libert, N McCullagh, et al. Efficient and provably secure identity –based signatures and signcryption from bilinear maps. Proceedings of ASIACRYPT 2005. Berlin: Springer, 2005, LNCS 3788:515-532. [23] L Chen l, L J Malone. Improved identity-based signcryption. Proceedings of Public Key Cryptography 2005. Berlin: Springer, 2005, LNCS 3386:362-379. [24] L Fagen and Yu Yong. An efficient and provably secure ID-based threshold signcryption scheme proceedings of international conference on communications, circuits and systems (ICCCAS 2008). Piscataway: IEEE, 2008:547-541. [25] S Selvi, S Vivek, N Jain. Identity-based threshold signcryption scheme.Proceedings of 2008 IEEE/IFIP international conference on embedded and ubiquitous computing. Piscataway: IEEE, 2008:127-132. [26] G R Blakley. Safeguarding cryptographic keys. Proceedings of National Computer Conference. NEW York : AFIPS press, 1979,48:313-317. [27] D Nail, C Adams, A Miri. Using threshold attribute-based encryption for practical access control. International journal of network security, 205,1(3): 173-182. [28] Ostrovsky r. sahai a, waters b. attribute-based encryption with nonmonotonic access structure. proceedings of 14th ACM conference on computer and communication security (2007). New York: ACM, 2007:195-203.
91
[29] Baek j, susilo w, zhu j. new construction of fuzzy identity based encryption proceedings of ASIACCS 2007. New York: ACM,2007: 368-370. [30] Goya v, pandey 0, sahai a, et al. attribute-based encryption for fine-grained access control of encrypted data proceedings of the 13th ACM conference on computer and communications security. New York: ACM, 2006:89-98. [31] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption proceedings Of 2007 IEEE symposium on security and privacy(S&P 2007). piscataway: IEEE, 2007:321-334. [32] Cheung L, Newport C. Provably secure ciphertxt policy ABE. Proceedings of the 14th ACM Conference on Computer and Communications Security. New York:ACM, 2007: 456-465. [33] Goyal V, Jain A, Pandey O. Bounded ciphertext policy attribute-based encryption. Proceedings of ICALP 2008. Berlin; Springer, 2008, LNCS 5126:579-591. [34] Waters B. Ciphertext-policy attribute-based encryption: An expressive, efficient and provably secure realization. Available at http://eprint.iacr.org/2008/290. [35] Chase M. multi-authority attribute based encryption. Proceedings of Theoretical Cryptography Conference- TCC 2007. Berlin: Springer, 2007, LNCS 4392:515-534. [36] Yang Piyi, Cao Zhenfu, Dong Xiaolei. Fuzzy identity based signature. Available at http:eprint.iacr.org/2008/002. [37] Maji H, Prabhakaran M, Rosulek M. Attribute-based signatures: Achieving attribute-privacy and collusion-resistance. Available at http://eprint.iacr.org/2008/328. [38] Khader D. Attribute based group signature with revocation. Available at http:eprint.iacr.org/2007/241. [39] G Wang, Q Liu and J Wu. Hierarchical Attribute-Based Encryption for Fine-GrainedAccess Control in Cloud Storage Services. CCS’10, October 4–8, 2010, Chicago, Illinois, USA.ACM 978-1-4503-0244-9/10/10. [40] Q. Liu, G. Wang, and J. Wu, “Time based proxy re-encryption scheme for secure data sharing in a cloud environment," Information Sciences,Vol. 258, Feb 2014, Pg. 355–370. [41] V Bozovic, D Socek, R Steinwandt, and V. I. Vil-lanyi, “Multi-authority attribute-based encryption with honest-but-curious central authority" International Journal of Computer Mathematics, vol. 89,pp. 3, 2012. [42] Zhiguo Wan, Jun’e Liu, and Robert H. Deng, Senior Member, IEEE, “HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud Computing”in Proc.IEEE Transactions on Information Forensics and Security, vol.7, No.2, April 2012. [43] A. Boldyreva, V. Goyal, and V. Kumart, “Identity-based encryption withefficient revocation,” in Proceedings of the 15th ACM conference on Computer and Communications Security (CCS’08), pp. 417–426, October 2008. [44] S. Micali, “Efficient certificate revocation,” Tech. Rep. MIT/LCS/TM-542b, 1996. [45] W. Aiello, S. Lodha, and R. Ostrovsky, “Fast digital identity revocation (extended abstract),” in Proceedings of the 18th Annual International Cryptology Conference (CRYPTO ’98), pp. 137–152, Springer, 1998. [46] D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Advances in Cryptology—CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 41–62, Springer, Berlin, Germany, 2001. [47] B. Libert and D. Vergnaud, “Adaptive-ID secure revocable identity-based encryption,” in Topics in Cryptology—CT-RSA 2009, vol. 5473 of Lecture Notes in Computer Science, pp. 1–15, Springer, Berlin, Germany, 2009. [48] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute-based systems,” Journal of Computer Security, vol. 18, no. 5, pp. 799–837, 2010. [49] L. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W. Jonker, “Mediated ciphertext-policy attribute-based encryption and its application,” in Information Security Applications, pp. 309–323, Springer, Berlin, Germany, 2009. [50] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communication Security, (ASIACCS ’10), pp. 261–270, April 2010. [51] J. Hur and D. K. Noh, “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214–1221, 2011. [52] X. Xie, H. Ma, J. Li, and X. F. Chen, “New ciphertext-policy attribute-based access control with efficient revocation,” in Information and Communication Technology, vol. 7804 of Lecture Notes in Computer Science, pp. 373–382, Springer, Berlin, Germany, 2013.
www.alliedjournals.com
International Journal of Engineering, Management & Sciences (IJEMS) ISSN-2348 –3733, Volume-2, Issue-5, May 2015 [53] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07), pp. 195–203, November 2007. [54] N. Attrapadung and H. Imai, “Conjunctive broadcast and attribute-based encryption,” in Pairing-Based Cryptography (Pairing ’09), pp. 248–265, Springer, Berlin, Germany, 2009. [55] X. Liang, R. Lu, X. Lin, and X. Shen, “Ciphertext policy attribute based encryption with efficient revocation,” Tech. Rep., University of Waterloo, 2010. [56] Q. X. Wu and M. Zhang, “Adaptively secure attribute-based encryption supporting attribute revocation,” China Communications, vol. 9, no. 9, pp. 22–40, 2012. [57] J. Staddon, P. Golle, M. Gagne, and P. Rasmussen, “A content- driven access control system,” in Proceedings of the 7th Symposium on Identity and Trust on the Internet (IDtrust ’08), pp. 26–35, March 2008.
92
www.alliedjournals.com