A Hierarchical Attribute-Based Access Control Scheme with Traceability over Ciphertext

doi:10.19678/j.issn.1000-3428.0260085

Abstract

Abstract: Cloud computing offers efficient data storage and management, facilitating convenient data sharing and access. However, ensuring data security and user privacy in open cloud environments remains a critical challenge. Ciphertext-policy attribute-based encryption (CP-ABE) has been widely adopted to enforce fine-grained access control over data stored in cloud servers. Nevertheless, existing schemes still face limitations in handling hierarchical data and tracing malicious ciphertexts, making it difficult to simultaneously achieve efficient multilevel access and data provenance assurance. To address these challenges, this paper proposes a hierarchical attribute-based access control scheme with traceability over ciphertext. First, a hierarchical CP-ABE framework is employed to construct an efficient multilevel access mechanism. By integrating multiple hierarchical access trees into a unified structure, the scheme enables encryption and decryption of data at different levels under a single policy, significantly reducing computational overhead. Second, a zero-knowledge proof-based signature mechanism is introduced to securely bind ciphertexts with their creators while preserving data owner anonymity, enabling accurate tracing of malicious ciphertext sources. Finally, security analysis demonstrates that the proposed scheme can effectively resist chosen-plaintext attacks. Experimental evaluation shows that, compared with existing approaches, the scheme achieves lower encryption and decryption overhead, making it well suited for secure, efficient, and traceable data sharing in cloud environments.

摘要： 云计算因其高效的数据存储与管理能力，使数据共享和访问变得更加便捷，而如何在开放的云环境中保障数据安全与用户隐私成为关键问题。为了对存储在云服务器上的数据进行细粒度的访问控制，密文策略属性基加密（CP-ABE）得到了广泛的应用。然而，现有方案在处理层次化数据和追溯恶意密文方面仍存在不足，难以同时满足高效分级访问和数据来源可信性的需求。为解决这一问题，本文提出一种支持密文可追溯的分层属性基访问控制方案。首先，基于分层CP-ABE框架构建高效的分级访问机制，通过统一具有层次关系的访问策略树，实现不同级别数据在统一访问结构下的加密与解密，显著降低加解密过程中的计算开销。其次，引入基于零知识证明的签名机制，在保障数据拥有者匿名性的前提下，保证密文与其生成者身份进行安全绑定，从而能够准确恢复恶意密文的真实来源。最后，安全性分析表明本方案能有效抵抗选择明文攻击。实验评估表明本方案与现有方案相比具有较低的加解密计算开销，更适用于云环境下安全、高效且可追溯的数据共享场景。

HE Ruiying, TIAN Youliang, XIANG Axin, ZHOU Feng, LIU Kaiqi. A Hierarchical Attribute-Based Access Control Scheme with Traceability over Ciphertext[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0260085.

何睿颖, 田有亮, 向阿新, 周凤, 刘开祺. 支持密文可追溯的分层属性基访问控制方案[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0260085.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0260085

References

[1] 范运东, 吴晓平. 基于策略隐藏属性加密的云存储访问控制方案[J]. 计算机工程, 2018, 44(7): 139-144. FANG Y D, WU X P. Cloud storage access control scheme based on policy hiding attribute encryption[J]. Computer Engineering, 2018, 44(7): 139-144.
[2] Roy S, Agrawal J, Kumar A, et al. Mh-abe: multi-authority and hierarchical attribute based encryption scheme for secure electronic health record sharing[J]. Cluster Computing, 2024, 27(5): 6013-6038.
[3] Wei J, Chen X, Wang J, et al. Securing fine-grained data sharing and erasure in outsourced storage systems[J]. IEEE Transactions on Parallel and Distributed Systems, 2022, 34(2): 552-566.
[4] Li J, Wang S, Li Y, et al. An efficient attribute-based encryption scheme with policy update and file update in cloud computing[J]. IEEE Transactions on Industrial Informatics, 2019, 15(12): 6500-6509.
[5] 韩志翔, 田野, 张虹. 具有抗共谋攻击的可扩展分层属性基加密[J]. 计算机应用研究, 2025, 42(5): 1532-1540. HAN Z X, TIAN Y, ZHANG H. Scalable hierarchical attribute-based encryption resistant to collusion attacks[J]. Application Research of Computers, 2025 42(5): 1532-1540.
[6] Li J, Wang Q, Wang C, et al. Enhancing attribute-based encryption with attribute hierarchy[J]. Mobile networks and applications, 2011, 16(5): 553-561.
[7] SARPONG S. Confidential File Sharing between Untrusted Databases[J]. International Journal of Computer Science and Information Security (IJCSIS), 2024, 22(3).
[8] Zeng P, Zhang Z, Lu R, et al. Efficient policy-hiding and large universe attribute-based encryption with public traceability for internet of medical things[J]. IEEE Internet of Things Journal, 2021, 8(13): 10963-10972.
[9] Zhang W, Wu Y, Xiong H, et al. Accountable Attribute-based Encryption with Public Auditing and User Revocation in the Personal Health Record System[J]. KSII Transactions on Internet & Information Systems, 2021, 15(1): 302-322.
[10] Li P, Lai J, Yang Y, et al. Attribute-based anonymous credential: Delegation, traceability, and revocation[J]. Computer Networks, 2023, 237: 110086.
[11] Sahai A, Waters B. Fuzzy identity-based encryption[C]//Annual international conference on the theory and applications of cryptographic techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005: 457-473.
[12] Goyal V, Pandey O, Sahai A, et al. Attribute-based encryption for fine-grained access control of encrypted data[C]//Proceedings of the 13th ACM conference on Computer and communications security. 2006: 89-98.
[13] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption[C]//2007 IEEE symposium on security and privacy (SP'07). IEEE, 2007: 321-334.
[14] Wang S L, Yu J P, Zhang P, et al. A novel file hierarchy access control scheme using attribute-based encryption[J]. Applied mechanics and materials, 2015, 701: 911-918.
[15] Wang S, Zhou J, Liu J K, et al. An efficient file hierarchy attribute-based encryption scheme in cloud computing[J]. IEEE Transactions on Information Forensics and Security, 2016, 11(6): 1265-1277.
[16] Wei J, Chen X, Huang X, et al. RS-HABE: Revocable-storage and hierarchical attribute-based access scheme for secure sharing of e-health records in public cloud[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(5): 2301-2315.
[17] He H, Zheng L, Li P, et al. An efficient attribute-based hierarchical data access control scheme in cloud computing[J]. Human-centric computing and information sciences, 2020, 10(1): 49.
[18] Li J, Chen N, Zhang Y. Extended file hierarchy access control scheme with attribute-based encryption in cloud computing[J]. IEEE Transactions on Emerging Topics in Computing, 2019, 9(2): 983-993.
[19] Bai Y, Fan K, Zhang K, et al. CR-fh-CPABE: Secure file hierarchy attribute-based encryption scheme supporting user collusion resistance in cloud computing[J]. IEEE Internet of Things Journal, 2024, 11(10): 17727-17739.
[20] Yang G, Li P, Xin Y, et al. An efficient hierarchical attribute-based encryption scheme with cross-domain data sharing[J]. Computer Networks, 2024, 255: 110863.
[21] Hasan R, Sion R, Winslett M. Introducing secure provenance: problems and challenges[C]//Proceedings of the 2007 ACM workshop on Storage security and survivability. 2007: 13-18.
[22] Lu R, Lin X, Liang X, et al. Secure provenance: the essential of bread and butter of data forensics in cloud computing[C]//Proceedings of the 5th ACM symposium on information, computer and communications security. 2010: 282-292.
[23] Chow S S M, Chu C K, Huang X, et al. Dynamic secure cloud storage with provenance[M]//Cryptography and Security: From Theory to Applications: Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012: 442-464.
[24] Li J, Chen X, Huang Q, et al. Digital provenance: Enabling secure data forensics in cloud computing[J]. Future Generation Computer Systems, 2014, 37: 259-266.
[25] Cui H, Deng R H, Li Y. Attribute-based cloud storage with secure provenance over encrypted data[J]. Future Generation Computer Systems, 2018, 79: 461-472.
[26] Yang Y, Deng R H, Guo W, et al. Dual traceable distributed attribute-based searchable encryption and ownership transfer[J]. IEEE Transactions on Cloud Computing, 2021, 11(1): 247-262.
[27] 张凯, 马建峰, 李辉, 等. 支持高效撤销的多机构属性加密方案[J]. 通信学报, 2024, 38(3): 83-91. ZHANG K, MA J F, LI H, et al. Multi-authority attribute-based encryption with efficient revocation[J]. Journal of Communications, 2024, 38(3): 83-91.
[28] Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack[J]. SIAM Journal on Computing, 2003, 33(1): 167-226.
[29] Chase M, Lysyanskaya A. On signatures of knowledge[C]//Annual International Cryptology Conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006: 78-96.
[30] Li X, Wang H, Ma S. An efficient ciphertext-policy weighted attribute-based encryption with collaborative access for cloud storage[J]. Computer Standards & Interfaces, 2025, 91: 103872.

Please choose a citation manager

Content to export