
Research On Fine Grained Access Control Mechanisms Based On Attribute Based Encryption Systems

Posted on: 2017-02-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X B Fu
Full Text: PDF
GTID: 1108330485988428
Subject: Information and Communication Engineering

Abstract/Summary:
Data outsourcing reduces the data owner's costs. However, once the data are stored on a remote server, the data owner loses control over the sensitive data, which may then be accessed by untrusted parties. The traditional approach relies on a fully trusted server to store the sensitive data and to enforce access control over it: if a user holds certificates that satisfy the access control policy, the user may access the data. Once the server storing the sensitive data is compromised, however, the confidentiality of the data is compromised with it. The sensitive data must therefore be stored on the server in encrypted form, so that confidentiality is preserved even if the server is compromised. Traditional encryption methods have two drawbacks in this setting: (1) encryption is a method by which one user shares data privately with one other user; (2) access to the encrypted data is all or nothing. That is, they cannot enforce expressive access control over encrypted data.

In many scenarios, such as cloud storage systems, the data owner wishes to share sensitive data selectively with other users based on their attributes, and needs to encrypt the data only once for all intended recipients rather than once per recipient. The attribute based encryption schemes proposed in recent years meet these requirements well. Attribute based encryption is a novel public key encryption paradigm in which encryption and decryption are governed by attributes; it is expressive enough to enforce fine grained access control over encrypted data. This dissertation studies fine grained access control based on attribute based encryption schemes.

The major research contents and contributions of this dissertation are as follows:

1. A black box accountable authority ciphertext policy attribute based encryption scheme is proposed. Existing attribute based encryption schemes rely on a trusted central authority. Because the central authority holds the master secret of the scheme, it can compute the private key for any set of attributes, decrypt any ciphertext encrypted for any user, and generate and distribute private keys for arbitrary attributes to other users, so it must be absolutely trusted. If the central authority generates private keys for malicious purposes, it cannot be caught or prosecuted. The trust placed in the central authority therefore needs to be reduced; that is, the key escrow problem persists in attribute based encryption, and if it is not solved it will hinder adoption of these schemes. This dissertation proposes a black box accountable authority ciphertext policy attribute based encryption scheme in which a secure private key generation protocol is constructed and a judge can decide whether a decoder was created by a malicious user or by a malicious central authority. The proposed scheme reduces the trust placed in the central authority, since the authority's scope for abusing that trust is reduced, so the scheme can be employed to enforce fine grained access control over encrypted data.

2. A ciphertext policy attribute based proxy re-encryption scheme is proposed. In attribute based encryption, a user's private key is associated with an attribute set, the sensitive data are encrypted under an access structure over the attributes, and the user can decrypt the ciphertext if and only if the attribute set satisfies the access structure associated with the ciphertext. However, existing attribute based encryption schemes do not support transforming the access structure of a ciphertext without first decrypting it. This dissertation proposes a ciphertext policy attribute based proxy re-encryption scheme that allows the access structure associated with an original ciphertext to be transformed into another access structure without decrypting it: an honest but curious proxy, such as a cloud server, re-encrypts the original ciphertext under the new access structure, so that only users whose attributes satisfy the new access structure can decrypt the re-encrypted ciphertext. The proposed scheme addresses the problem of frequently changing access structures when attribute based encryption is employed to achieve fine grained access control over encrypted data.

3. An oblivious transfer with fine grained access control scheme based on attribute based encryption is proposed. In an outsourced system, encryption protects the outsourced data, but the database service provider can still collect sensitive information such as who has accessed the outsourced data and how. To protect user privacy while allowing the database service provider to enforce fine grained access control, this dissertation proposes an oblivious transfer scheme with fine grained access control based on attribute based encryption: the records in the database server are protected by access control policies, a user can access a record only if the user's attribute set satisfies the policy associated with it, and the database service provider learns neither which records the user has accessed nor how they were accessed. The proposed scheme has the following advantages. First, it preserves the privacy properties of oblivious transfer while providing a fine grained access control mechanism. Second, it directly supports AND gates, OR gates and threshold gates, which are used to express expressive access control policies. Third, its communication complexity is constant with respect to the number of records accessed by the user. Fourth, it is constructed over prime order bilinear groups.

4. An inner product predicate encryption scheme with verifiable outsourced decryption based on prime order bilinear groups is proposed. In predicate encryption, i.e. attribute hiding attribute based encryption, which can be used both to enforce fine grained access control over encrypted data and to search over encrypted data, the ciphertext hides not only the message but also the attributes. The main efficiency drawback of predicate encryption is that the size of the ciphertext and the time required to decrypt it scale with the complexity of the predicate. This dissertation proposes a novel inner product predicate encryption scheme with verifiable outsourced decryption over prime order bilinear groups that significantly reduces the user's overhead. The user gives the cloud server a transformation key with which the server transforms a ciphertext whose attributes satisfy the predicate of the user's private key into a short and simple ciphertext, greatly reducing the time the user needs to decrypt it, while the cloud server learns nothing about the underlying plaintext for any user; at the same time, the user can check whether the transformation performed by the cloud server is correct.
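To make concrete the rule in contribution 2 that a user can decrypt if and only if the attribute set satisfies the access structure, and the AND, OR and threshold gates of contribution 3, here is an added Python example (not code from the dissertation) of the access-tree secret sharing that attribute based encryption schemes build their policies on: the secret that would unlock a ciphertext is shared down the policy tree with Shamir polynomials, so it can be recovered only from the shares of a satisfying attribute set. The pairing-based parts of the real schemes are omitted, and the policy, attribute names and field modulus are constructed for the example.

```python
import secrets

P = 2**127 - 1  # prime field modulus for the shares (a convenient Mersenne prime)

def _lagrange_at_zero(points):
    """Recover f(0) from (x, f(x)) points by Lagrange interpolation mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

# Access tree: a leaf is an attribute name; an inner node (k, children) means "at least
# k children satisfied": k == len(children) is AND, k == 1 is OR, else k-of-n threshold.
# Assumption: each attribute appears at most once in the tree.
def share_secret(tree, secret):
    """Split `secret` top-down along the access tree; return {attribute: share}."""
    shares = {}
    def walk(node, value):
        if isinstance(node, str):
            shares[node] = value  # leaf: the share is bound to this attribute
            return
        k, children = node
        # Random degree k-1 polynomial with constant term = this node's value;
        # child i receives its evaluation at x = i (Shamir sharing at this gate).
        coeffs = [value] + [secrets.randbelow(P) for _ in range(k - 1)]
        for index, child in enumerate(children, start=1):
            walk(child, sum(c * pow(index, d, P) for d, c in enumerate(coeffs)) % P)
    walk(tree, secret)
    return shares

def reconstruct(tree, shares, user_attrs):
    """Return the root secret if user_attrs satisfy the tree, otherwise None."""
    if isinstance(tree, str):
        return shares[tree] if tree in user_attrs else None
    k, children = tree
    points = []
    for index, child in enumerate(children, start=1):
        value = reconstruct(child, shares, user_attrs)
        if value is not None:
            points.append((index, value))
            if len(points) == k:  # k satisfied children suffice to interpolate
                return _lagrange_at_zero(points)
    return None
```

A policy such as `(1, [(2, ["doctor", "cardiology"]), (2, ["nurse", "icu", "senior"])])` reads "(doctor AND cardiology) OR 2-of-{nurse, icu, senior}"; an attribute set that fails it yields no points at the root, so the secret is not recoverable.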
Keywords/Search Tags: Attribute Based Encryption, Predicate Encryption, Encrypted Data, Bilinear Map, Fine Grained Access Control