© 2023 IIETA. This article is published by IIETA and is licensed under the CC BY 4.0 license (http://creativecommons.org/licenses/by/4.0/).
OPEN ACCESS
The presence of multiple authorities in multiauthority ciphertext policy attribute based encryption (CPABE) schemes hinders an adversary's ability to compromise security. As each authority is responsible to provide secret keys to the users, thus enforcement of finegrained access control should be carefully designed to ensure data confidentiality. The current study critically reviews the methodologies employed to address userlevel and attributelevel revocation in the existing studies. The study has focused on the revocation methodology of those CPABE schemes that are implemented using bilinear pairing cryptography for the encryption and Linear Secret Sharing Scheme (LSSS) for the access structure. It has been observed that the approaches implemented in the existing schemes are computationally expensive and are vulnerable to collusion attacks caused by the cloud and revoked users. Thus, an efficient proxybased and collusion resistant multiauthority revocable CPABE framework (PCMRCPABE) is proposed in the current study. The proposed framework is decentralized, dynamic, scalable, and ensures forward/backward secrecy. Additionally, the proposed framework is computationally efficient and is practical to implement as it does not require secret key or group secret key and ciphertext update to address revocation. Furthermore, the incorporation of time and identitybased components allows the proposed framework to resist collusion attacks efficiently.
multiauthority, CPABE, decentralized, user revocation, attributelevel revocation, LSSS, collusion resistant, forward and backward secrecy
Since cloud computing has become the “buzzword” in the information technology industry, researchers are looking into and identifying a number of solutions to the security challenges encountered by cloud users. The key security concerns of cloud users included enforcement of data confidentiality and finegrained access control. Goyal et al. [1] have introduced attributebased encryption (ABE) scheme to address and restrict unauthorized access to the cloud resident sensitive data and realized onetomany encryption in the scheme. Ciphertext policy attribute based encryption (CPABE) is a class of ABE and has been introduced by Brethencourt et al. [2]. CPABE allowed onetomany encryptions along with the enforcement of finegrained access control. CPABE recommended that a data owner shall formulate an access policy and embed it with the encrypted sensitive files before outsourcing to the cloud. Additionally, the scheme states that any data user who wants to access the encrypted file should hold certain attributes such as name, pan card number, driving license, etc. These possessed attributes are used by a data user to obtain a secret key from the attribute authority. The attribute authority is the entity that manages attributes and distributes secret keys to the users. The obtained secret key is used by the data user to decrypt the ciphertext. Furthermore, the secret key of the data user should satisfy the defined access policy to successfully decrypt the ciphertext. For example, (Branch=CS AND (Profile=Faculty OR (Profile=Student AND Batch=2023))) is an access policy defined by the data owner of encrypted file. The access policy says a data user who is faculty of CS Branch or a student studying in CS Branch in 2023 can only satisfy the access policy. Only the data users whose secret key possess sufficient attributes could successfully decrypt the ciphertext. Existing studies have implemented CPABE either using singleauthority or multiauthority systems.
In the singleauthority CPABE scheme, the responsibility of generating and distributing the secret key to data users has been delegated to a single authority. Such an approach turns into an impractical approach if the attributes possessed by a data user are issued by distinct authorities. In the real world, attributes included in the access policy are issued by several authorities. For example, the income tax authority issues pan card, driving licences are issued by transport authorities, and so on. In such cases, the attributes possessed by a data user can be verified only by the issuing authorities. The multiauthority CPABE concept was therefore designed to satisfy the aforementioned need. Additionally, the threat of data loss escalates with the single authority. It is because the entire system could get affected if it were compromised by any attacker. The presence of multiple attribute authorities in the multiauthority CPABE scheme makes it challenging for the attackers to breach security.
The existing studies have proposed majorly two implementations in the different versions of the multiauthority CPABE scheme viz: centralized multiauthority CPABE scheme and decentralized multiauthority CPABE scheme [3, 4]. The former says that the central authority controls the distribution of the secret key of the user apart from handling users’ and attributes authorities’ registration. Whilst the latter implementation provides distributed control and the attribute authorities independently manage the attributes held by the data user as depicted in Figure 1.
Figure 1. Decentralized approach
Figure 1 exhibits the communication and data flow between various entities involved in the multiauthority CPABE scheme employing distributed control. The encrypted file uploaded by a data owner has a defined access policy. A user whose secret key satisfies the access policy can only decrypt the file successfully. For example, the access policy in Figure 1 states that the encrypted file shall be accessible to the user only if the data user possesses an aadhar card and pan card along with a driving licence or if he only possesses a driving licence and passport. It is demonstrated in Figure 1 that all the attributes are issued by distinct authorities and are independently controlled.
The researchers found numerous challenges with the base CPABE approach, including policing hiding, traceability, singleauthority, revocability, etc. In this paper, the revocability challenge within the multiauthority CPABE scheme has been studied. Data users of the system in an organization leave or are denied access if traced as malicious users. It has remained a major challenge for researchers to provide an effective method for dynamically revoking such users with an effective computing capability. Apart from systemlevel revocation of a user, an efficient solution to attributelevel revocation has also remained a challenge amongst researchers. This paper contributes the solution to the revocation issue in multiauthority CPABE framework. The proposed framework of revocable decentralized multiauthority CPABE framework based on bilinear pairing cryptography contributes the following properties:
1. User and Attributelevel Revocation – the proposed PCMRCPABE framework provide solutions to the user as well as attributelevel revocation. The proposed framework has employed a trusted proxy server to enforce finegrained access control. The secret decryption key of a data user has two parts: secret key and proxy key. The secret keys are issued by the associated attribute authority to the data user and the proxy key is issued by the proxy server. The proxy key is time bound and is invalidated by the proxy server whenever the access privileges of the data user changes. The design of the framework allows dynamic revocation of access rights of a user if found malicious or if he exits the system. Many a time, users lose certain attributes however, are still a member of the system. Thus, the design of the framework dynamically allows the revocation of lost attributes and the data user shall be allowed to access only those files which are accessible with the remaining attributes.
2. Collusion Resistant – The proposed PCMRCPABE framework's design makes it harder for the revoked users to collude in an attack as well as for the cloud service provider to collude with the revoked users. The research that currently exists paid little attention to collusion attacks carried on by dishonest cloud service providers. The proposed PCMRCPABE framework gave minimal privileges to cloud service provider. The cloud service provider has been delegated no role in key distribution and decryption unlike existing schemes. Thus, the provider has no means to access or store the secret key or proxy key of data user. The proposed framework contributes an efficient collusionresistant design of a multiauthority CPABE scheme.
3. Computationally Efficient – the proposed PCMRCPABE framework is computationally efficient as it does not require an update of nonrevoked users’ secret keys or ciphertext updates to enforce revocation. The design of the proposed framework employed a proxy server to control unauthorized access. Therefore, it has improved computational efficiency in comparison to the existing literature.
4. Dynamic and Scalable – as users in an organization leave and join frequently, thus their access privileges should be immediately updated to avoid unauthorized access. Similarly, the job roles of users keep changing in an organization and so as their access privileges. Additionally, these changes ought to be made immediately to prevent unauthorized access. The design of the proposed PCMRCPABE framework ensures instant and scalable revocation as it only requires updating of the proxy key of revoked user to deny access.
The rest of the paper is organized as follows: the second section critically reviews the methodology adopted by the existing revocable multiauthority CPABE schemes, the third section discusses the mathematical background required for the proposed implementation, the fourth section proposes an efficient framework of revocable multiauthority CPABE scheme based on bilinear pairing cryptography, the fifth section assesses the strength of proposed framework against security attacks, the sixth section discusses and compares the performance of proposed framework with the existing schemes, the seventh section presents the implementation results. The ninth section serves as the conclusion of the study.
An efficient CPABE scheme should address revocation effectively. In this section, the methodologies adopted to employ revocation by the existing multiauthority CPABE schemes, based on bilinear pairing cryptography with LSSS, have been critically reviewed to identify the research challenges. Studied schemes included either the centralized or decentralized approach. CPABE scheme enforces authorized access by allowing a data user to decrypt the ciphertext only if his secret key, based on his attributes, could satisfy the access policy. Apart from this, the scheme should also revoke unauthorized access privileges instantaneously. Moreover, the access privileges should be controlled both at the system level and attribute level. Existing schemes have provided the solution to either user revocation or attributelevel revocation. Very few studies have addressed both the level of access rights revocation.
Table 1. Comparitive review of studied literature
S.No. 
Scheme 
Contribution 
Research Gaps 
1. 
[5] 


2. 
[6] 


3. 
[7] 


4. 
[8] 


5. 
[9] 


6. 
[10] 


7. 
[11] 


8. 
[12] 


9. 
[13] 


10. 
[14] 


11. 
[15] 


12. 
[16] 


13. 
[17] 


14. 
[18] 


15. 
[19] 


16. 
[20] 


17. 
[21] 


18. 
[22] 


19. 
[23] 


2.1 User revocation
Whenever a user is identified as malicious or is leaving the organization, his access privileges should be instantly revoked. It has been identified that the existing multiauthority CPABE schemes mainly advocated updating of nonrevoked users’ key and ciphertext update or reencryption as the solution to enforce access control on revoked users from accessing the ciphertext. Employing this approach on each user’s revocation increases computational cost. Therefore, existing schemes outsourced ciphertext reencryption to the proxy server or cloud service provider to enforce revocation and reduce computational cost. Additionally, the studied literature assumed cloud service providers as semitrusted servers and thus, the possibility of collusion between the cloud service providers and the revoked users have received the least attention [512].
2.2 Attributelevel revocation
Many times a user is not revoked, however, his role has changed. Such changes cause changes in the attributes held by the user. For example, an employee shifted from the accounts department to the sales department. In such cases, it is the responsibility of the scheme to deny access to data users on encrypted files that were earlier accessible by the revoked attributes unless the remaining attributes still satisfy the access policy. Revoking rights at the attributelevel helps to update the access permissions of the data users. An update of the attribute group key has been employed by the studied schemes to address attributelevel revocation. Furthermore, the ciphertext is reencrypted to control unauthorized access. It has been observed that if a user loses any attribute, the existing schemes approach lead to updates of ciphertext and subsequent update of nonrevoked users’ key to achieve forward and backward secrecy. Consequently, instantaneous revocation caused increased computational overhead [1320].
The study of existing multiauthority CPABE schemes based on bilinear pairing cryptography exhibits that very few schemes have addressed both levels of revocation however, the approaches implemented to restrict the access privileges of the revoked users have not considered the potentiality of the cloud service provider to collude with the revoked users [2123]. Huang [23] too updated users’ key and reencrypted ciphertext to enforce user and attributelevel revocation. All attributes held by the user have been revoked by the involved attribute authorities in the proposed approach to address user revocation.
The approach used to revoke users [13, 22] has been implemented using temporalbased access control. Although, the temporalbased approach has not updated the ciphertext, however, the schemes lacked dynamicity.
Table 1 exhibits the comparative study on contribution and research gaps identified in the existing studies. It has been identified in the existing studies, instantaneous revocation of access rights caused increased computational overhead and very little attention has been given to the possibility of the cloud turning malicious and its capability to collude with the revoked users. The existing techniques are also computationally expensive because they update nonrevoked users' keys or attribute group keys and reencrypt ciphertext with each addressed revocation. An efficient revocable multiauthority CPABE scheme using a centralized or decentralized approach based on bilinear pairing cryptography must include the following properties:
The proposed PCMRCPABE framework aims to eliminate all the research gaps and design an efficient multiauthority revocable CPABE framework.
This section discusses the basic definitions of bilinear pairing cryptography and access structure, which serves as the foundation for the suggested framework.
3.1 Bilinear pairing
Definition 1. Suppose $G_1, G_2$ and $G_T$ are three multiplicative cyclic groups of prime order $p, g_1$ and $g_2$ be generator of $G_1$ and $G_2$ respectively, and e is a bilinear map such that e: $G_1 \times G_2 \rightarrow G_T$ [24]. The bilinear map e should satisfy the following properties:
3.2 Access structure
Definition 2. Suppose $P=\left\{P_1, P_2, P_3 \ldots \ldots \ldots P_n\right\}$ be a set. A collection $\mathbb{A} \subseteq 2^{\left\{P_1, P_2, P_3 \ldots \ldots . . . P_n\right\}}$ of non empty subsets of $\left\{P_1, P_2, P_3 \ldots \ldots \ldots P_n\right\}$ is called as monotone access structure if for any $C$ and $D$ : if $C \in \mathbb{A}$ and $C \subseteq D$, then $D \in \mathbb{A}$.The sets belonging to $\mathbb{A}$ are termed as authorized sets, and the sets which are not belonging to $\mathbb{A}$ are termed as unauthorized sets [25].
Figure 2. PCMRCPABE framework
This section proposes an efficient revocable proxybased decentralized multiauthority CPABE framework, constructed using bilinear pairing cryptography. The proposed PCMRCPABE framework consists of five entities, each of which is responsible for carrying out one of the seven modules, as shown in the Figure 2. Each entity has its designated responsibility.
As depicted in Figure 2, the entities participating in the proposed framework are:
The following modules are run by the entities in the proposed PCMRCPABE framework:
Step 1:
Global_Setup() $\rightarrow$ (MPK, MSK)
This module initializes the base setup parameters of the framework. The Global_Setup module generates the master public key $M P K$ and master secret key $M S K$. The module chooses a bilinear cyclic group $G$ of prime order $p$ where $g$ is generator of $G$ and $\alpha, v \in Z_p$ are randomly chosen elements.
$M P K=\left\{g, p, q=g^\alpha, e(g, g)^\alpha, Z=g^v\right\}, M S K=\{\alpha, v\}$ （1）
Step 2:
UserReg $\left(\mathrm{ID}_{\mathrm{u}}\right) \rightarrow P K_u$
Let $S_u$ denotes set of users in the system. UserReg module registers the new joining user $u$ to the system. It reads identity of user $I D_u$ and generates the private key $P K_u$ for the user. The generated private key is stored at system level and also shared to user $\mathrm{u}$, where $u \in S_u$. In this module three random components $\left(q_u, a_u, b_u\right) \in Z_p$ are generated to compute private key components. The private key of the user is unique and used as identity component of user in other modules.
$P K_u=\left(\left(q_u, a_u, b_u\right) \in Z_p, U 0=q_u\left(a_u+b_u\right), U 1=q_u \cdot a_u \cdot b_u, U 2=q_u \cdot a_u\right)$ (2)
The generated $P K_u$ is shared with the data user through secure channel.
Step 3:
$\operatorname{AAReg}\left(\mathrm{ID}_{\mathrm{k}}, \mathrm{MPK}, S_{A_k}\right) \rightarrow\left(\mathrm{PK}_{\mathrm{k}}, \mathrm{SK}_{\mathrm{k}}\right)$
Let $S_A$ and $S_{A_k}$ denotes set of authorities and set of attributes managed by the attribute authority $A A_k$ (where $k \in S_A$ ) in the system respectively. AAReg module registers the new joining attribute authority $A A_k$ to the system and generates a public key $P K_k$ and secret key $S K_k$, where $k \in S_A$, for the attribute authority. The module requires identity of attribute authority $I D_k, S_{A_k}$ and $M P K$ to generate $P K_k$ and $S K_k$. Furthermore, $\left\{t_1, t_2, \ldots \ldots \ldots \ldots, t_{A_k}\right\} \in Z_p$ are randomly chosen values for the attributes controlled by the authorities $A A_k$. The $P K_k$ and $S K_k$ are distributed to the attribute authority through secure channel. As decpicted in Figure 2, it is assumed in the framework that each authority manages disjoint set of attributes.
$\begin{gathered}S K_k=\left(\delta_{\mathrm{k}}, \beta_{\mathrm{k}}, \gamma_{\mathrm{k}}\right) \in Z_p, P K_k=\left(A A 1_k=\right. \left.Z^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, A A 2_k=g^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, Y_i=g^{t_i} \text { where i} \epsilon \in S_{A_k}\right)\end{gathered}$ (3)
Step 4:
$\operatorname{Encrypt}\left(\mathrm{MPK}, \mathrm{PK}_{\mathrm{k}}, \mathcal{M},(\mathrm{W}, \rho)\right) \rightarrow \mathrm{CT}$
The encrypt module is run by the data owner to encrypt message $\mathcal{M}$ before uploading to the cloud. Let $I_A$ denotes the attribute authorities who control the attributes that are comprised in the access policy. The encrypt module processes a master public key $M P K$, set of public key $P K_k$ of involved attribute authorities, where $k \in I_A$ and linear secret sharing scheme (LSSS) based access structure along with the Message $\mathcal{M}$. The access structure $\mathbb{A}=(W, \rho)$ with $m$ rows and $n$ cols helps to generate the ciphertext. The algorithm of Linear Secret Sharing Scheme (LSSS) matrix is widely used to express monotone access structure. According to the algorithm, for realizing an access structure $\mathbb{A}$ and to be considered as linear over $Z_p$ a secret sharing scheme $\Pi$ for a set of parties $P$ should satisfy the following properties [26]:
$\begin{gathered}C T=C=\mathcal{M} \cdot e(g, g)^S, C 0=g^s, C 1_{i_k}=g^{\lambda_{i_k}}, C 2_{i_k}= g^{r_{i_k}}, C 3_{i_k}=g^{\lambda_{i_k}} \cdot Y_{i_k}^{r_{i_k}}, C 4_{i_k}=Z^{r_{i_k}}\end{gathered}$ (4)
Step 5:
$\operatorname{KeyGen}\left(\mathrm{ID}_{\mathrm{u}}, \mathrm{S}_{\mathrm{x}}, P K_u, \mathrm{PK}_k, M P K\right) \rightarrow\left(\mathrm{SK}_{\mathrm{u}_k}\right)$
The data user needs a secret decryption key to decrypt ciphertext. The secret decryption key has two parts  the secret key and the proxy key. The module for key generation is invoked by the data user to acquire the secret key. This module reads master public key $M P K$, unique identification $I D_u$ of the user $u$, sets of attributes $S_x$ owned by user $u$, private key $P K_u$ of user $u$, and public key $P K_k$ of authority managing attribute $x$, where $x \in S_x$ and $k \in S_A$.
The generated secret keys from all the involved attribute authorities are distributed to the data user through secure channel. All the received secret keys along with proxy key are submitted to decrypt module to acquire plain text.
$\begin{gathered}S K_{u_k}=\left(K 0_k=\left(g^{U 0} \cdot g^{U 1}\right), K 1_k=g^{q_u}, K 2_{x_k}=Y_{x_k}^{U 2} \cdot A A 1_k, K 3_k\right. \\ \left.=g^{U 2}, \quad K 4_k=A A 2_k\right)\end{gathered}$ (5)
Step 6:
$\operatorname{ProxKeyGen}\left(\mathrm{CT}, \mathrm{PK}_{\mathrm{u}}, \mathrm{SK}_{\mathrm{u}_k}\right) \rightarrow \mathrm{PXK}_{\mathrm{u}}$
To successfully decrypt the ciphertext, a data user also needs a second part of the secret decryption key. The proxy server invokes the ProxKeyGen module and communicates the proxy key to the data user. The input parameters of this module are private key $P K_u$ of user u, secret keys $S K_{u_k}$ of user u and the requested ciphertext by the data user. The proxy key expires after a certain timeperiod to prevent collusion between the cloud service provider and the revoked users. A proxy key issued to a user is found to be timed out after its expiry. As a result, even if the revoked user attempts decryption with the proxy key issued prior to revocation, the decryption process fails due to the expired proxy key. Subsequently, the newly requested proxy key by the revoked users denies them access to the ciphertext and imposes finegrained access control. For imposing time out on the proxy key, the module calculates a time component $t_e$ for the proxy key.
For the user u,
$P X K_u=\left(\right.$ For each attribute $i$ of ciphertext, $C_{} 1_i=C 1_i{ }^{\left(b_u\right)}$, For $x$ attributes of user $u$, managed by authority $k$ )
$K \_2_{x_k}=\left(K 2_{x_k}, T_s=C 0^{t_e}\right)$ (6)
The proxy key enables enforcement of finegrained access control. Proxy key controls revocation both at systemlevel and attribute level as explained below:
User Revocation  For revoking a malicious user, the proxy server invalidates the value of $b_u$. Thus, the received proxy key leads to the failure of the decryption process.
Attributelevel Revocation – For revoking a user at attribute level, the revoked attributes are negated by the proxy server. Consequently, the files that were earlier accessible with the revoked attributes of the user will be accessible only if the rest of the attributes satisfy the access policy else the decryption process fails.
For nonrevoked attributes l of user u,
$P X K_u=\left(\right.$ For each attribute $i$ of ciphertext, $C_{1_i}=C 1_i{ }^{\left(b_u\right)}$, For non revoked attributes)
For nonrevoked attributes l managed by attribute authority k,
$K \_2_{l_k}=\left(K 2_{l_k}, T_s=C 0^{t_e}\right)$ (7)
Step 7:
$\operatorname{Decrypt}\left(\mathrm{CT}, \mathrm{SK}_{\mathrm{u}}, \mathrm{PXK}_u\right) \rightarrow \mathcal{M}$
The decrypt module reads a secret key $S K_u$ and proxy key $P X K_u$ of the user to decrypt the ciphertext $C T$ to message $\mathcal{M}$. In the first place, the module calculates the current time component $t_c$ valid timeperiod $V$ for the proxy key to examine the validity of proxy key. Subsequently, if the proxy key has been proven valid and the secret decryption key satisfies the access policy, the ciphertext gets successfully decrypted. The proxy key causes unsuccessful decryption for the revoked user. Let $I=\left\{I_{A_k}\right\}_{k \in I_A}$ represents a set of all attributes included in ciphertext from different attribute authorities $k$. Furthermore, for successful decryption, the module also incorporates the linear reconstruction property and calculates $w_i \in Z_p$ where $i \in I$. Consequently $s=$ $\sum_{i \in I} w_i \cdot \lambda_i$ is reconstructed to determine valid shares $\lambda_i$. The decryption module computes $\mathcal{M}$ as follows:
$\left\{\right.$ if $\leftC 0^{t_c}T_s\right<V \mid \mathcal{M}=\frac{C}{B}$, otherwise $\left.\mathcal{M}=\perp\right\}$
where $C=\mathcal{M} \cdot e(g, g)^{\alpha s}$ and
$B=\frac{\prod_{k \in K} e\left(C 0, K 0_k\right)}{\prod_{i_k \in I_{A_k}}\left(e\left(C_{} 1_i, K 1_k\right) \cdot e\left(C 2_i, K_{} 2_{i_k}\right) \cdot e\left(K 3_k, C 3_i\right) \cdot e\left(K 4_k, C 4_i\right)\right)\quad^{w_i}}$ (8)
$\begin{gathered}B=e(g, g)^{U 1 . s} \\ M=C /(B)^{U 1}\end{gathered}$ (9)
The proposed framework efficiently decrypts the ciphertext and the proxy server addresses revocation both at the system and attributes level. The construction of 7 modules makes the framework dynamic, collusion resistant, and computationally efficient. The strength of the framework in terms of security is discussed in the following section.
Security analysis aims to overview and assess the security threats against the proposed framework. In this section, security against data confidentiality and collusion attack has been proven. In addition, the realization of forward and backward secrecy in the framework has been assessed in the following propositions:
5.1 Proposition 1
If the decisional qparallel BDHE assumption is true, then the adversaries’ algorithms that run in polynomial time and have LSSS share matrix of $m^* \times n^*$ where $m^*, n^* \leq q$ as achallenge, will have a negligible advantage when trying to selectively compromise the security of the proposed framework.
Provability:
Init: The challenger $C$ accepts qparallel BDHE challenge $\vec{y}, T$ and receives the challenge access matrix $\left(M^*, \rho^*\right)$ by adversary $A$, where $M^*$ is a matrix of $m$ rows and $n$ cols with $m^*, n^* \leq q$ and $\rho^*$ functions as mapping function. Here, $\vec{y}=$ $\left(g, g^s, g^a, \ldots \ldots, g^{\left(a^q\right)}, g^{a^{q+1}}, \ldots \ldots \ldots \ldots g^{a^{2 q}}\right)$ and if the message stays secret from the adversary then a random element will be generated through group $G_T$ and assigned to $T$, otherwise $T=e(g, g)^{a^{q+1} v}$.
Setup: The challenger in the first place chooses a random parameter $v \in Z_p$ and sets $s=v a^{q+1}$ and then runs two modules Global_Setup() and AAReg() and shares $g$ with the adversary. The adversary then chooses a set of compromised authorities $S_A^{\prime}$ and shares with the challenger. The challenger then chooses three random parameters $\left(\delta_{\mathrm{k}}, \beta_{\mathrm{k}}, \gamma_{\mathrm{k}}\right) \in Z_p$ for each uncompromised authorities $A A_k$, where $k \in S_AS_A^{\prime}$.
Furthermore, the challenger computes a random oracle $y_{x_k}$ and chooses random parameter $z_{x_k} \in Z_p$ for each attribute $x$ in the system of $k$ attribute authority and $I$ represents the set of indices such that
$y_{x_k}=g^{x_k} \prod_{i \in I} g^{a . \mathcal{M}_{i, 1} / b_i} \cdot g^{a^2 \mathcal{M}_{i, 2} / b_i} \ldots \ldots \ldots \ldots g^{a^n \mathcal{M}_{i, n} / b_i}$
If $I=0$, such that there does not exist any $i$ for $\rho^*(i)=x$, then $y_{x_k}=g^{z_x}$.
Thereafter, the challenger computes the public key $P K_k$ using the above mentioned $S K_k=\left(\delta_{\mathrm{k}}, \beta_{\mathrm{k}}, \gamma_{\mathrm{k}}\right) \in Z_p$ for all uncorrupted authorities such that
$P K_k=\left(A A 1_k=Z^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, A A 2_k=g^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, \quad Y_i=g^{t_i}\right.$ where $\left.i \epsilon S_{A_k}\right)$
Moreover, adversary is distributed a unique user ID $P K_u$ by the challenger such that,
$P K_u=\left(\left(g_u, a_u, b_u\right) \epsilon Z_p, U 0=g_u\left(a_u+b_u\right), U 1=g_u \cdot a_u \cdot b_u, U 2=g_u \cdot a_u\right)$
where, $\left(g_u, a_u, b_u\right) \in Z_p$ are randomly chosen parameters.
Phase 1: In the phase 1, the challenger responds to multiple queries issued by the adversary on secret key and the proxy key where each query has two inputs $I D_u$ and $S_k$, user id and set of attributes respectively. It is assumed that $S_k$ belongs to uncorrupted authorities. Subsequently, the revocation list $R_1^*=\left\{u_0^*, u_1^*, \ldots \ldots . u_k^*\right\}$ is shared to challenger and the challenger updates its list $R^*$. The challenger returns null value on the condition that the $S_k$ shared by the adversary satisfies the access matrix $\left(M^*, \rho^*\right)$ however, $\left\{u_j^*\right\} \notin R^*$. Otherwise, following conditions holds true:
$q_u=t 1_u=x^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q1} \ldots \ldots+w_n \cdot a^{qn^*+1}$ (10)
$a_u=t 2_u=y^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q1} \ldots \ldots .+w_n \cdot a^{qn^*+1}$ (11)
$b_u=t 3_u=z^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q1} \ldots \ldots .+w_n \cdot a^{qn^*+1}$ (12)
and further computes
$K 1_k=g^{g_u}=g^{t 1_u}=g^{x^{\prime} \cdot \prod_{i=1, n^*}\left(g^{a^{qi+1}}\right)\quad^{w_i}}$ (14)
For each $x_k$ in the access structure, $K 2_{x_k}$ computation turns harder as the term $g^{a^{q+1 / b_i}}$ is hard to compute.
Challenge: In the challenge phase, the adversary shares two equallength messages $M_0, M_1 \in G_T$ along with the access policy $\left(M^*, \rho^*\right)$ to the challenger, such that either $u_i^* \in R^*$ or $S_k$ do not satisfy access matrix. At this phase, challenger has to flip a coin $c$ to select one of the acquired messages $M_c$ (where $\left.c \in 0,1\right) . M_c$ is used to generate the ciphertext.
The challenger computes the ciphertext as follows:
$C=\mathcal{M} \cdot e(g, g)^s=C=\mathcal{M} \cdot e(g, g)^{v a^{q+1}}, C 0=g^{v a^{q+1} s}$ (17)
In addition, a vector $\quad \vec{v}=\left(s, s a+\overline{y_2}, s a^2+\right.$ $\left.\overline{y_3}, \ldots \ldots . s a^{n1}+\overline{y_n}\right) \in Z_p^{n^*}$ is computed, where $\mathrm{s}$ is secret that has to be shared and $\overline{y_2}, \ldots \ldots \ldots \overline{y_n}$ are randomly chosen. Furthermore, the challenger randomly chooses $r_1^{\prime}, r_2^{\prime}, \ldots \ldots . r_l^{\prime}$. Subsequently, it generates $R_i$ for $1, \ldots, n^*$. $R_i$ includes all $k \neq i$, where $\rho^*(k)=\rho^*(i)$. Thus, the ciphertext components are computed as follows:
$C 1_{i_k}=g^{\lambda_{i_k}}=\prod_{j=2, \ldots, n^*} g^{M_{i, j}^* \cdot y_j^{\prime}}$ (18)
$C 2_{i_k}=g^{r_{i_k}}=g^{r_{i_k}^{\prime}} \cdot g^{s b_{i_k}}$ (19)
$\begin{gathered}C 3_{i_k}=g^{\lambda_{i_k}} \cdot y_{i_k}^{r_{i_k}}=y_{i_k}^{r_i^{\prime}}\left(\prod_{j=2, \ldots, n^*} g^{M_{i, j}^* \cdot y_j^{\prime}}\right) \cdot\left(g^{s b_i}\right)^{z_{i_k}} \cdot\left(\prod_{k \in R_i} \prod_{j=1, \ldots n^*}\left(g^{s \cdot\left(b_i / b_k\right)}\right)^{M_{k, j}^*}\right) \\ C 4_{i_k}=g^{u \cdot r_{i_k}}=g^{r_{i_k}^{\prime}} \cdot g^{s b_{i_k}}u\end{gathered}$ (20)
Phase 2: Same as phase 1
Guess: In phase 2, the adversary has to guess $c^{\prime}$. If $c^{\prime}=c$, and the challenger returns 0 which means $T=e(g, g)^{a^{q+1} s}$ and, 1 indicates $T$ is some random element in $G_T$ and message secrecy is maintained. If $T=e(g, g)^{a^{q+1} s}$, then we get $\operatorname{Pr}\left[B\left(\vec{y}, T=e(g, g)^{a^{q+1} s}\right)=0\right]=\frac{1}{2}+A d v_A$, and if $\mathrm{T}$ is random element, we have $\operatorname{Pr}[B(\vec{y}, T=R)=0]=$ $\frac{1}{2}$. Consecutively, it can be stated that the adversary has nontrivial advantage in qparallel BDHE security game and the proposed framework has been proven secure.
5.2 Proposition 2
The proposed framework is secured against unauthorized access and ensures traceability and data confidentiality.
Provability: In the proposed framework each user is assigned a unique identity component $P K_u=(U 0, U 1, U 2)$. Additionally, the identity component is incorporated in the secret key and the proxy key of the user. Thus, no two users who possess similar attributes can have identical keys. Consequently, the framework allows quick traceability of the malicious user. Moreover, the secret decryption key decrypts the ciphertext only if the key satisfies the access policy. The access policy in the proposed framework has been defined using a linear secret sharing scheme (LSSS) and every LSSS scheme holds linear reconstruction property [25]. The share matrix $W$ of the secret sharing scheme $\Pi$ has $m$ rows and $n$ cols. Each row of $W$ is mapped to the associated attribute through a mapping function $\rho$. Thus, $\forall i=$ $1, \ldots \ldots, m, \rho(i)$ is the attribute that labels row $i$. For generating secret shares a vector $\vec{v}=\left(s, r_2, r_3, \ldots \ldots \ldots, r_n\right)$ is defined, where $s \in Z_p$ represents shared secret and $r_2, r_3, \ldots \ldots \ldots, r_n \in Z_p$ are randomly chosen numbers, then according to $\Pi, W . \vec{v}$ is a vector of $l$ shares of secret. Each share $W \cdot \overrightarrow{v_l}$ belongs to attribute $\rho(i)$.
For the access structure $\mathbb{A}$, let $S \in \mathbb{A}$ be any authorized set, and for the access matrix $M$ with $m$ rows and $n$ cols, let $I \subset$ $\{1,2, \ldots \ldots \ldots . . m\}$ where, $I=\{i: \rho(i) \in S\}$, there exists constants $w_i \in Z_p$ where $i \in m$. Thus, for valid shares $\lambda_i$, $\sum_{i \in I} w_i \lambda_i=s$. Additionally, it is also proved in [25] that the constants $w_i \in Z_p$, where $i \in I$, can be found in polynomial time and for any unauthorized sets, no such $w$ exists.
Thus, the LSSS employability for access structure in the proposed framework ensures data confidentiality and avoids unauthorized access.
5.3 Proposition 3
The proposed framework is resilience to collusion attacks.
Provability: The proposed framework has addressed the possibility of revoked users colluding with each other as well as the capability of the cloud service provider to collude with the revoked users. As in the proposed framework, each user has been assigned a unique identity component $P K_u$, thus no two users with insufficient attributes can collude. As the users’ ID has been embedded in the secret key of the user, thus users cannot combine their attributes in decryption. Furthermore, in the encryption algorithm, the message $\mathcal{M}$ has been blinded while generating ciphertext component $C=\mathcal{M} \cdot e(g, g)^s$. As explained in proposition 2, for the valid value of s, $\sum_{i \in I} w_i \lambda_i=s$. Thus, any user who wants to access the encrypted file and recover $\mathcal{M}$ must recover the component $B=e(g, g)^{U 1 . s}$ in decrypt module by pairing secret key, proxy key and ciphertext components. If the users possess matching keys, this term will cancel out and message $\mathcal{M}$ is retrieved else the term cannot be canceled. Thus, if two revoked users attempt to conspire and collude together, while using different IDs, this term do not get cancelled. Consequently, the decryption process fails.
Furthermore, the secret keys and the proxy key are directly distributed to the data user by the authorities. Since the cloud do not participate in any module and do not have any information of the secret key, they cannot collude with the revoked users. Even if they attempt to collude, the time bound proxy key fails the collusion. The proxy key has an associated expiry time with it and thus, the older version of the proxy key is not useful for the revoked user to decrypt the ciphertext. Consequently, the cloud service provider has no means to aid in unauthorized access by colluding with the revoked user. Therefore, our proposed framework achieves full collusion resistance
5.4 Proposition 4
The proposed framework ensures forward and backward secrecy.
Provability: The proxy server ensures forward and backward secrecy in the proposed framework. Backward secrecy implies that the revoked user cannot decrypt files that were earlier accessible. In the proposed framework, to successfully execute the decryption process, the data user is required to acquire proxy key PXK from the proxy server. The generated proxy key is associated to ciphertext as it calculates $C \_1_i=C 1_i{ }^{\left(b_u\right)}$ where C1 is the component of requested ciphertext and b is the component of private key of user. When the user’s access privileges are revoked, the proxy key generated by the proxy server invalidates the component b while calculating the $C \_1_i$ term. The generated proxy key causes the failure of decryption process and thus, denies revoked user’s access to the files which were earlier accessible. Moreover, the proxy key is time bound. Once it is expired, it cannot be reused. The user has to again request for the new proxy key to access encrypted file. Consequently, the proxy key helps to enforce finegrained access control.
Similarly, the forward secrecy implies denial of access of newly uploaded files to revoked user. Here also the requested proxy key imposes finegrained access control by causing the failure of decryption process and thus, refraining the revoked users. Consequently, the proposed framework makes it harder for the revoked user to breach security.
In this section, the performance of the proposed PCMRCPABE framework has been analyzed by comparing the functional specifications with the framework proposed in SEMACSIT [19]. Additionally, a comparison of the computational overhead of the two frameworks has been carried out.
Table 2 exhibits that the proposed PCMRCPABE framework has implemented a decentralized multiauthority CPABE framework, whilst the SEMACSIT framework is a centralized multiauthority CPABE framework. Additionally, only the proposed PCMRCPABE framework addressed revocation both at the system and attribute level and is fully resilient to collusion attacks, whilst the SEMACSIT framework did not give attention to the possibility of cloud server turning dishonest and colluding with the revoked user by keeping the older version of ciphertext or key in store. Furthermore, the proposed PCMRCPABE framework is more computationally efficient than the SEMACSIT framework while addressing revocation. The proposed PCMRCPABE framework has been implemented using the proxy server that controls unauthorized access by revoked or malicious users. In order to prevent revoked users from accessing the ciphertext, the proxy server does not update the ciphertext or the key of nonrevoked users. Consequently, it can be stated that the proposed PCMRCPABE framework is functionally efficient in comparison to the SEMACSIT framework.
Table 2. Functionality comparison
Parameters 
SEMACSIT [19] 
PCMRCPABE 
Approach 
Centralized 
Decentralized 
Type of Revocation 
Attributelevel Revocation 
User and Attributelevel Revocation 
Collusion Resistance 
Partial 
Full 
Ciphertext Update 
Yes 
No 
Key update of NonRevoked Users 
Yes 
No 
Forward and Backward Secrecy 
Yes 
Yes 
Table 3. Comparison of computation overhead
Modules 
SEMACSIT [19] 
PCMRCPABE 
Encryption 
$N_kP+\left(1+5 N_{c x_k}\right)E+2 N_{c x_k}M$ 
$P+\left(1+5 N_{c x_k}\right)E+N_{c x_k}M$ 
Decryption 
$\left(N_k+4 N_{u x_k}\right)P+\left(2+3 N_{u x_k}\right)M+\left(N_{u x_k}+1\right)E$ 
$\left(N_k+4 N_{u x_k}\right)P+\left(2+3 N_{u x_k}\right)M+\left(N_{u x_k}+1\right)E$ 
Key Generation 
$\left(N_k+4 N_{u x_k}\right)P+\left(2+3 N_{u x_k}\right)M+\left(N_{u x_k}+1\right)E$ 
$\left(5 N_k+N_{u x_k}\right)E+\left(N_k+N_{u x_k}\right)M$ 
Revocation 
Attributelevel Revocation 1. Ciphertext Update $N_{c y_k}(E+2M)$ 2. Key Update $2E+\left(N_{u y_k}+1\right)M$ 
Proxy Key Generation 1. No Revocation $\left(1+N_{c x_k}\right)E$ 2. User Revocation $\left(1+N_{c x_k}\right)E$ 3. Attributelevel Revocation $\left(1+N_{c x_k}\right)E$ 
$N_{c x_k}$: number of attributes in an access policy embedded in the ciphertext. $N_k$: number of attribute authorities. $N_{u x_k}$: number of attributes held by a user. $N_{c y_k}$: number of ciphertext containing revoked attribute $y_k$. $N_{u y_k}$: number of non revoked users holding revoked attribute $y_k$. P: Number of pairing operation. E: Number of exponential operation. M: Number of multiplication operation.
The computational efficiency of the modules of both frameworks has been compared in Table 3. The computational cost of modules has been calculated in terms of the number of pairing operations, the number of exponential operations, and the number of multiplication operations required for providing a solution to the problem. The encryption module of both framework varies with $N_{c x_k}$ and the encryption module of SEMACSIT framework also varies with $N_k$. The comparison illustrates that the encryption module of the proposed PCMRCPABE framework requires fewer exponential and multiplication operations to generate ciphertext than SEMACSIT framework. In addition, the proposed PCMRCPABE framework's and the SEMACSIT framework's computation costs for the decryption module are equal. Both the modules vary with $N_{u x_k}$ and $N_k$.
Furthermore, the secret key generation module of both framework varies in terms of $N_k$ and $N_{u x_k}$. Although the proposed PCMRCPABE framework requires more exponential operations in comparison to the SEMACSIT framework, the computational cost for the key generation module of the SEMACSIT framework increases more than the proposed PCMRCPABE framework as the number of user attributes $N_{u x_k}$ shows an upward trend. Moreover, a solution only to attributelevel revocation has been proposed by the SEMACSIT framework, whilst the PCMRCPABE framework proposed solution to both the system level and attributelevel revocation. The computational overhead incurred by the revocation module addressing attributelevel revocation in the PCMRCPABE framework is very low in comparison to the SEMACSIT framework as depicted in Table 3. Consequently, it can be stated that the all modules proposed in the PCMRCPABE framework are more computationally efficient than those of SEMACSIT framework.
The Stanford Pairingbased Crypto Library from the CharmCrypto framework has been employed to construct the proposed framework [27]. CharmCrypto framework is a python based framework that provides libraries to support implementation of pairing based cryptography. The proposed framework has employed Toolbox modules from the CharmCrypto architecture. The CharmCrypto architecture is based on OpenSSL, GMP and PBC libraries to efficiently construct attribute based encryption schemes. The Toolbox module is a library of various python or C based submodules such as pairinggroup, integergroup, Hash, secretutil, msp, etc. These modules help in pairing parameters generation, parsing access policy and implementing attribute based encryption schemes.
The proposed implementation is based on a singular symmetric elliptic curve group (“SS512”) of 160bit order. All the experimental trials have been conducted using Python 3.7.13 over the Oracle Virtual Box 6.1. The virtual platform operates on a Windows 11 machine with an Intel Core i3 processor running at 1.20 GHz and 8 GB of RAM to run Ubuntu 22.04.
The experimental results delineate the computing time required by all the algorithms of the proposed framework on various criteria. Stable experimental results have been obtained by an average of 15 experimental trials. The algorithms of the proposed framework are mainly based on pairing, multiplication and exponentiation operation. The framework has employed randomly selected attribute sets of equal size for keygen module and a text file of 12 kb size for encryption and decryption module to perform experiments. Figure 3 exhibits the computing time consumed by the KeyGen, Encrypt, Decrypt, and ProxKeyGen algorithm when the number of attribute authorities is varied from 2 to 20 against the number of attributes owned by the attribute authorities is fixed to 5. It has been observed that the increase in the number of attribute authorities linearly increases the execution time of algorithms. However, increase in the number of attribute authorities has little impact on the ProxKeyGen algorithm, whilst the encryption and decryption algorithm’s computing time grows linearly with the increasing number of attribute authorities. Thus, the observations exhibit the computational efficiency of the proposed framework and conclude that the framework stays computationally efficient even when the load increases in the form of increasing number of attribute authorities.
In addition, Figure 4 expresses the computing time consumed by the Keygen algorithm when attribute authorities are fixed to 5 and user attributes are varied from 5 to 20. The execution time of the KeyGen algorithm grows linearly with the increasing number of user attributes. After comparing Figures 3 and 4, it has been observed that changing the number of attribute authorities has a significant impact on the keygen algorithm's execution time. Figures 5 and 6 depict the execution time of the Encryption and Decryption algorithm. Both the algorithms are dependent on the number of policy attributes. A linear relationship exists between the number of policy attributes and algorithmic computation time. To calculate the experimental findings, policy attributes, in this case were varied from 5 to 20. Since the decryption algorithm varies with the matched user attributes, thus the decryption algorithm consumes less computing time than the encryption algorithm. Furthermore, the Proxkeygen algorithm computing time result has been considered in all the cases viz: no revocation, user revocation, and attributelevel revocation. Figure 7 demonstrates the impact of policy attributes on the computing time of the Proxkeygen algorithm in case of no revocation and user revocation. Both algorithms consume an equivalent amount of computing time. In the same way, Figure 8 depicts the execution time consumed during the attributelevel revocation. In this experiment it has been demonstrated that the execution time of the proxkeygen algorithm increases linearly with the increasing number of revoked attributes. Consequently, it can be stated that the proposed framework avoids heavy computation costs and is efficiently implementable.
Every experimental operation depicts that the increase in the load in terms of number of attributes, number of policy attributes or number of attribute authorities in the algorithm add minimal increase in computational cost due to the presence of proxy server. The incorporation of proxy server eliminated the need of ciphertext reencryption or key update of nonrevoked users with every change in access privileges. The proposed framework also eliminated the need to outsource partial decryption to cloud service provider.
Figure 3. Execution time
Figure 4. Key generation algorithm
Figure 5. Encryption algorithm
Figure 6. Decryption algorithm
Figure 7. Proxy key generation algorithm (1)
Figure 8. Proxy key generation algorithm (2)
In the current study challenges pertaining to revoking access rights at the system and attribute level in multiauthority CPABE schemes have been considered. The paper has outlined the research gaps observed in the existing schemes toward addressing collusion attacks, and incorporating dynamicity, and scalability along with forward and backward secrecy. The proposed framework has contributed an efficient proxy based solution to address the revocation of malicious users dynamically. In addition, the proposed framework also suggested a solution to attributelevel revocation. The proxy server in the proposed framework controls the generation of proxy key, and the incorporation of time and identity components in the algorithm allowed the framework to enforce finegrained access control.
Furthermore, the security analysis of the proposed framework outlined the strength of algorithms in avoiding collusion attacks; both conspired by revoked users or by cloud service providers. The security analysis also presented the strength of the algorithm against unauthorized access and in maintaining forward and backward secrecy. Security analysis has also proved that the proposed framework is secure against qparallel BDHE assumption.
Moreover, the performance analysis of the proposed framework delineated in detail the computational efficiency of the algorithms in terms of running time. The execution time has been calculated by varying number of attributes, number of attribute authorities and no. of policy attributes. Unlike existing schemes, the proposed framework does not update nonrevoked user’s or attribute group key to refrain revoked users. It also does not require reencryption of ciphertext to prevent revoked users from accessing the sensitive data. Consequently, the framework has been proven to be better in terms of computational efficiency and practicability in comparison to the exiting schemes in addressing research challenges pertaining to the enforcement of stringent access control.
In distrustful cloud computing environment, an efficient revocable multiauthority CPABE framework ensures data confidentiality to the data owner and data users. However, pairingbased cryptography is vulnerable to quantum computing. The effective solution to quantum threat is latticebased cryptography. The proposed framework can be expanded to latticebased cryptography in the upcoming research work, satisfying all the criteria mentioned in the current study for a successful revocable CPABE scheme.
[1] Goyal, V., Pandey, O., Sahai, A., Waters, B. (2006). Attributebased encryption for finegrained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 8998. https://doi.org/10.1145/1180405.1180418
[2] Bethencourt, J., Sahai, A., Waters, B. (2007). Ciphertextpolicy attributebased encryption. In 2007 IEEE Symposium on Security and Privacy (SP'07), Berkeley, CA, USA, pp. 321334. https://doi.org/10.1109/SP.2007.11
[3] Chase, M. (2007). Multiauthority attribute based encryption. In: Vadhan, S.P. (eds) Theory of Cryptography. TCC 2007. Lecture Notes in Computer Science, vol 4392. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783540709367_28
[4] Lewko, A., Waters, B. (2011). Decentralizing attributebased encryption. In: Paterson, K.G. (eds) Advances in Cryptology – EUROCRYPT 2011. EUROCRYPT 2011. Lecture Notes in Computer Science, vol 6632. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642204654_31
[5] Xu, X., Zhou, J., Wang, X., Zhang, Y. (2016). Multiauthority proxy reencryption based on CPABE for cloud storage systems. Journal of Systems Engineering and Electronics, 27(1): 211223.
[6] AlDahhan, R.R., Shi, Q., Lee, G.M., Kifayat, K. (2018). Revocable, decentralized multiAuthority access control system. In 2018 IEEE/ACM International Conference on Utility and Cloud Computing Companion (UCC Companion), Zurich, Switzerland, pp. 220225. https://doi.org/10.1109/UCCCompanion.2018.00088
[7] Zhong, H., Zhu, W., Xu, Y., Cui, J. (2018). Multiauthority attributebased encryption access control scheme with policy hidden for cloud storage. Soft Computing, 22: 243251. https://doi.org/10.1007/s0050001623308
[8] Zhang, X., Wu, F., Yao, W., Wang, Z., Wang, W. (2019). Multiauthority attributebased encryption scheme with constantsize ciphertexts and user revocation. Concurrency and Computation: Practice and Experience, 31(21): e4678. https://doi.org/10.1002/cpe.4678
[9] Wu, Z., Zhang, Y., Xu, E. (2020). Multiauthority revocable access control method based on CPABE in NDN. Future Internet, 12(1): 15. https://doi.org/10.3390/fi12010015
[10] Vaanchig, N., Xiong, H., Chen, W., Qin, Z. (2018). Achieving collaborative cloud data storage by scheme with dualrevocation. International Journal of Network Security, 20(1): 95109. https://doi.org/10.6633/IJNS.201801.20(1).11
[11] Zhang, X., Chen, Y., Yan, X., Jia, H. (2019). Multiauthority attributebased encryption with user revocation and outsourcing decryption. Journal of Physics: Conference Series, 1302(2): 022026. https://doi.org/10.1088/17426596/1302/2/022026
[12] Sethi, K., Pradhan, A., Bera, P. (2021). PMTERABE: A practical multiauthority CPABE with traceability, revocation and outsourcing decryption for secure access control in cloud systems. Cluster Computing, 24: 15251550. https://doi.org/10.1007/s10586020032022
[13] Li, Q., Ma, J., Li, R., Liu, X., Xiong, J., Chen, D. (2016). Secure, efficient and revocable multiauthority access control system in cloud storage. Computers & Security, 59: 4559. https://doi.org/10.1016/j.cose.2016.02.002
[14] Yang, K., Liu, Z., Cao, Z., Jia, X., Wong, D.S., Ren, K. (2012). TAAC: Temporal attributebased access control for multiauthority cloud storage systems. Cryptology ePrint Archive. Cryptol. ePrint Arch.
[15] Kalmani, V.H., Goyal, D., Singla, S. (2015). An efficient and secure solution for attribute revocation problem utilizing CPABE scheme in mobile cloud computing. International Journal of Computer Applications, 129(1): 1621. https://doi.org/10.5120/ijca2015906807
[16] Yang, K., Jia, X., Ren, K., Zhang, B., Xie, R. (2013). DACMACS: Effective data access control for multiauthority cloud storage systems. IEEE Transactions on Information Forensics and Security, 8(11): 17901801. https://doi.org/10.1109/TIFS.2013.2279531
[17] Liu, Z., Jiang, Z.L., Wang, X., Yiu, S.M. (2018). Practical attributebased encryption: Outsourcing decryption, attribute revocation and policy updating. Journal of Network and Computer Applications, 108: 112123. https://doi.org/10.1016/j.jnca.2018.01.016
[18] Tu, S., Waqas, M., Huang, F., Abbas, G., Abbas, Z.H. (2021). A revocable and outsourced multiauthority attributebased encryption scheme in fog computing. Computer Networks, 195: 108196. https://doi.org/10.1016/j.comnet.2021.108196
[19] Xiong, S., Ni, Q., Wang, L., Wang, Q. (2020). SEMACSIT: Secure and efficient multiauthority access control for IoT cloud storage. IEEE Internet of Things Journal, 7(4): 29142927. https://doi.org/10.1109/JIOT.2020.2963899
[20] Ramu, G., Reddy, B.E., Jayanthi, A., Prasad, L.N. (2019). Finegrained access control of EHRs in cloud using CPABE with user revocation. Health and Technology, 9(4): 487496. https://doi.org/10.1007/s12553019003049
[21] Li, L., Wang, Z., Li, N. (2020). Efficient attributebased encryption outsourcing scheme with user and attribute revocation for fogenabled IoT. IEEE Access, 8: 176738176749. https://doi.org/10.1109/ACCESS.2020.3025140
[22] Zhang, Z., Zhang, W., Qin, Z. (2020). Multiauthority CPABE with dynamical revocation in spaceairground integrated network. In 2020 International Conference on SpaceAirGround Computing (SAGC), Beijing, China, pp. 7681. https://doi.org/10.1109/SAGC50777.2020.00026
[23] Huang, K. (2021). Accountable and revocable large universe decentralized multiauthority attributebased encryption for cloudaided IoT. IEEE Access, 9: 123786123804. https://doi.org/10.1109/ACCESS.2021.3110824
[24] Waters, B. (2011). Ciphertextpolicy attributebased encryption: An expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds) Public Key Cryptography – PKC 2011. PKC 2011. Lecture Notes in Computer Science, vol 6571. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642193798_4
[25] Beimel, A. (1996). Secure schemes for secret sharing and key distribution. PhD. Thesis, the Senate of the Technion { Israel Institute of Technology.
[26] Lewko, A., Waters, B. (2011). Unbounded HIBE and AttributeBased Encryption. In: Paterson, K.G. (eds) Advances in Cryptology – EUROCRYPT 2011. EUROCRYPT 2011. Lecture Notes in Computer Science, vol 6632. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642204654_30
[27] Akinyele, J.A., Garman, C., Miers, I., Pagano, M.W., Rushanan, M., Green, M., Rubin, A.D. (2013). Charm: A framework for rapidly prototyping cryptosystems. Journal of Cryptographic Engineering, 3: 111128. https://doi.org/10.1007/s1338901300573