Research On Efficient Construction And Application Of Fine-grained Access Control

Data access control technology is one of the key technologies in the field of network and information security which ensures that only authorized users have the right to access shared data.Symmetric encryption and traditional public key encryption technologies serve as the main means of access control.Although these primitives enable authorized data access,they cannot realize one-to-many access control to the encrypted data due to the lack of flexibility and scalability.Hence,they are actually inappropriate for var-ious real-world applications.With the advancement of access control research,distinct one-to-many fine-grained access control mechanisms,such as identity-based broadcast encryption(IBBE)and attribute-based encryption(ABE),have been proposed.Although the IBBE-based access control mechanism can achieve one-to-many fine-grained access control to some degree,their expressiveness is largely limited and the ciphertext size in-creases linearly with the increase in the number of users' identities in the access control list.To further enhance the expressiveness of one-to-many fine-grained access control,ABE-based access control was proposed.With ABE,the ciphertext size is only related to the complexity of access control or the number of attributes and is not dependent on the number of authorized users.Once the attributes of a user match the access control,the user is granted access to the data.However,the existing fine-grained access control schemes have the following problems to be resolved urgently.Firstly,the high complexity of ac-cess control results in high computational and communication overhead of the designed schemes.Secondly,the single functionality of ABE limits its real deployments in various scenarios.Thirdly,the privacy leakage of access control violates the privacy of users.Aiming at solving the above problems and designing flexible,efficient and secure fine-grained access control schemes,this dissertation makes detailed studies on the privacy,efficiency,functionality and application of the fine-grained access control schemes:(1)This dissertation proposes an identity-based proxy re-encryption scheme with outsourced equality test(IBPRE-ET)for heterogeneous systems.This scheme allows a data owner to encrypt their data via identity-based(broadcast)encryption(IB(B)E)system to generate IBE-type ciphertext or IBBE-type ciphertext,and then uploads the generated ciphertexts to the cloud server.By delegating the trapdoor to the cloud server,the data receiver can perform the equality test operation on the IBE-type ciphertext or IBBE-type ciphertext under different public keys,so as to determine whether the same plaintext is hid-den in the compared ciphertexts.The IBPRE-ET scheme can also achieve secure access delegation in heterogeneous systems.Expressly,the cloud server that delegates the data receiver can convert an IBBE-type ciphertext into a simple IBE-type ciphertext,thus real-izing lightweight access across systems.In addition,based on the general Diffie-Hellman Exponent(GDHE)assumption,the proposed IBPRE-ET scheme is proven to be secure under chosen plaintext attacks in the random oracle model.This dissertation also com-pares the proposed IBPRE-ET scheme to other similar schemes in terms of functionality and performance.Our results indicate that the IBPRE-ET scheme achieves the tradeoff between desirable functions and lower computation and storage costs.(2)This dissertation proposes a verifiable key-aggregate searchable encryption(VKA-SE)scheme for vehicle social networks,which empowers a data owner to simultaneously encrypt multiple data and keywords with different public keys to produce ciphertexts,and then uploads them to the cloud server.Data receiver uses his/her aggregate retrieval key to generate a trapdoor,which will be delegated to the cloud server for searching for the tar-get ciphertexts and transforming the complex ciphertexts into simple ones.After receiving the search results and transformed ciphertexts,the data receiver first checks the correct-ness of retrieved and transformed results.Once verification passes,the data receiver then uses his/her aggregate secret key to decipher the ciphertext.The proposed VKASE is proven secure against the chosen plaintext & keyword attacks under the decisional bilin-ear Diffie-Hellman exponent(DBHE)assumption and multi-sequence of exponents de-cisional Diffie-Hellman(MSE-DDH)assumption in the random oracle model.It is also proved to achieve verifiability and unforgeability.Besides,this dissertation compares the VKASE scheme to other similar schemes in terms of functionality and performance.The results demonstrate that the proposed VKASE scheme realizes more desirable features and better performance in computation and computation costs.(3)This dissertation proposes a lightweight and privacy-aware fine-grained access control(LPAC)scheme for Io T-oriented smart health systems.In this LPAC scheme,an optimized vector transformation approach is first proposed to efficiently transform the ac-cess policy and user attribute set into respective access vector and attribute vector,which is used for the corresponding ciphertext and secret key generation.Compared to the pre-vious vector transformation method,the vector length produced by our approach is ob-viously shorter.In addition,under the assumption of parallel decisional Diffie-Hellman assumption(P-DBDH),it is proved that the LPAC scheme can achieve the security under the chosen plaintext attacks in the standard model.Finally,this dissertation evaluates the functionality and performance of the LPAC scheme and compares it to related schemes.The results of theoretical evaluation and experimental simulation reveal that the LPAC scheme achieves lightweight fine-grained data access and the desirable property of at-tribute privacy protection.(4)This dissertation proposes a lightweight attribute-based keyword search encryp-tion with privacy-preserving access policy(LABKS-PP)that supports fine granularity and privacy protection in the context of Io T scenarios.In the proposed LABKS-PP scheme,through online/offline computation,inner product encryption and searchable encryption technology,data users can realize efficient retrieval and fine-grained access over en-crypted data without leaking any sensitive attribute information.Under the decisional bilinear Diffie-Hellman(DBDH)assumption,this dissertation proves that the proposed LABKS-PP scheme can achieve the security of chosen plaintext & keyword attacks in the standard model.In addition,the experimental analysis of this LABKS-PP scheme under different security levels demonstrates that this scheme can also achieve high computational efficiency under different security levels.(5)This dissertation proposes an attribute-hiding predicate encryption with equality test(AHPE-ET)scheme in cloud computing.This scheme allows a data owner to inde-pendently choose access control and encrypt his/her data,and then uploads the generated ciphertext to the cloud server.A data receiver uses his/her private keys to generate a trapdoor and delegates it to the cloud server for searching for ciphertexts encrypted with different public keys.During the entire search process,the access control cannot leak any attribute privacy to unauthorized users or cloud server.Besides,the proposed AHPE-ET scheme is proven secure against chosen plaintext attacks under the decisional bilinear Diffie-Hellman assumption in the standard model.Also,this dissertation conducts theo-retical analysis and experimental simulations on the AHPE-ET scheme and other ABE-based equality test schemes to indicate the feasibility and practicability of the AHPE-ET scheme.