Sage Journals: Discover world-class research

Abstract

With the development of cloud computing, more and more video services are moving to the cloud. How to realize fine-grained access control of those data on cloud becomes an urgent problem. Attribute-based encryption provides a solution. However, heavy computation is still a bottleneck restricting the wider application of attribute-based encryption in cloud computing. In addition, we find that expression of the access control structure on media cloud can be further improved. To solve these problems, we propose an enhanced media ciphertext-policy attribute-based encryption algorithm and introduce its two key components, the multiple access tree and the key chain. To increase the scalability of the proposed algorithm, we discussed the issues of multi-authorization, user revocation, and 1 −n multiple access tree. Security analysis shows that enhanced media ciphertext-policy attribute-based encryption can successfully resist chosen-plaintext attacks under the decisional bilinear Diffie–Hellman assumption. Performance analysis proves both theoretically and practically that the proposed algorithm incurs less computational cost than the traditional ciphertext-policy attribute-based encryption, multi-message ciphertext-policy attribute-based encryption, and scalable ciphertext-policy attribute-based encryption by optimizing the access control structure. Our proposed algorithm has strong practical significance in media cloud.

Keywords

Access control ciphertext-policy attribute-based encryption video encryption fine-grained access structure key chain

Introduction

Media cloud provides video storage, processing, and distribution services to users. How to realize fine-grained access control of massive amounts of videos is a huge challenge for the media cloud.¹ Ciphertext-policy attribute-based encryption (CP-ABE) is an important technology to tackle this challenge in application scenarios such as personal health records (PHR)^2,3 and smart girds.^4,5

In CP-ABE, conversion from the access control policy to the access structure is an important step. However, when CP-ABE is applied in media cloud, the traditional conversion methods become inefficient. On media cloud, one video file is often available with different resolutions. The fact is that users with access to high-resolution videos are always allowed to access low-resolution versions. For example, paying users can watch a movie in all three versions: the standard definition (SD) version, the high definition (HD) version, the ultra-high definition (UHD) version; registered users can watch the movie in HD or SD versions, and guests can only watch the movie in the SD version. The corresponding access control policies (Table 1) have the following inclusion relation: $r 1 \subset r 2 \subset r 3$ . Meanwhile, these policies share some common attributes, such as video id (vid) and category. We define an attribute as a common attribute when the attribute has the same name and value in different policies.

Table 1.

Access control policies in media cloud.

r1	$〈 (user = Guest), (vid = 10010, category = story, quality = SD), play 〉$
r2	$〈 (user = Registered), (vid = 10010, category = story, quality = (SD, HD)), play 〉$
r3	$〈 (user = Paying), (vid = 10010, category = story, quality = (SD, HD, UHD)), play 〉$

SD: standard definition; HD: high definition; UHD: ultra-high definition.

In this article, we assume that the access tree is the default method to finish conversion from policy to access structure. When using the CP-ABE scheme proposed by Hong et al.,⁶ the three aforementioned policies have to be converted into three corresponding access trees. Wu et al.⁷ presented a multi-message CP-ABE (MCP-ABE) scheme in which a single access tree could be used to describe all policies. Compared with CP-ABE, MCP-ABE needs to maintain fewer and simpler access structures. Ma et al.⁸ optimized the access tree in their CP-ABE algorithm called scalable ciphertext-policy attribute-based encryption (SCP-ABE), and expanded the access control rules from one dimension to three dimensions, thereby reducing the time required for encryption and decryption. However, access trees in both MCP-ABE and SCP-ABE are efficient only when representing the access control rules with full inclusion relations. When there exists any common attribute, the efficiency of access trees reduces, because the common attributes have to be described repeatedly on different levels of the tree.

To solve this problem, we propose a new access tree called multiple access tree (MAT) and a new one-way key chain scheme. On the basis of these two components, we introduce a novel enhanced-media Ciphertext-policy attribute-based encryption (eM-CP-ABE) algorithm. Then, eM-CP-ABE is applied to media cloud for fine-grained access control. Two steps are required: first, the video is divided into segments according to resolution or time and encrypted by the advanced encryption standard (AES). Note that different segments correspond to different keys. Second, these symmetric keys are encrypted by eM-CP-ABE to achieve fine-grained access control. The contribution of our proposed algorithm is reflected in the following four aspects:

In the encryption process, eM-CP-ABE consumes less time and space than MCP-ABE; in the decryption process, when an authorized user switch from a high-level resource to a low-level resource, only two hash operations need to be performed without any new decryption operations. Compared with SCP-ABE, eM-CP-ABE has better performance both in encryption and decryption processes.

Using one $1 - n$ MAT, eM-CP-ABE can encrypt several videos with different privilege levels. It significantly reduces the cost of generating and maintaining access structures.

eM-CP-ABE has strong scalability. We have proved that both multi-authorization and user revocation are feasible when the eM-CP-ABE algorithm is used.

We have also proved security of the eM-CP-ABE algorithm. It can successfully resist chosen-plaintext attacks (CPAs) under the decisional bilinear Diffie–Hellman (DBDH) assumption.

The rest of the article is organized as follows: section “Related work” provides an overview of the related work. Section “Preliminary” presents necessary preliminary knowledge. Section “Proposed algorithm” introduces eM-CP-ABE and its extensions. Section “Security analysis” analyzes eM-CP-ABE in terms of security. Section “Performance analysis” analyzes the operation overheads of the proposed algorithm. Finally, section “Conclusion” presents the conclusion.

Related work

CP-ABE was first proposed in 2007.⁹ In CP-ABE, user keys are associated with sets of attributes, whereas ciphertexts are associated with policies. CP-ABE is widely used in fine-grained access control of data outsourced on the cloud. However, the problem is that CP-ABE entails heavy computation and complex conversion from access policy to access structure.

Heavy computation will degrade real-time performance and increase the workload of computation. To optimize real-time performance, Li et al.¹⁰ introduced online/offline ABE. A similar online/offline scheme was proposed by Cui et al.¹¹ The online/offline transfer technology allows the computation tasks to be outsourced to public cloud servers. However, the online/offline transfer technology can just transfer the workload of computation, but cannot reduce it. Expanding the single authorization center to multi-authorization centers can improve the efficiency of key generation. Han et al.¹² introduced a decentralized CP-ABE scheme, in which each authority can work on one unique attribute subset independently. The robust and auditable access control (RAAC) scheme was proposed in 2017. In RAAC, any authority can manage the whole attribute set individually and an auditing mechanism is introduced to coordinate all authorities’ work.¹³ Multi-authorization greatly improves the performance of key generation, but does not reduce the workload of encryption and decryption in CP-ABE. Xue et al.¹⁴ proposed an attribute-based controlled collaborative access control scheme, in which multiple users having different attribute sets could collaborate to gain access permission. The scheme is efficient in terms of storage and computation overhead, but user collusion is forbidden in most scenarios of the media cloud.

However, addition of many practical factors makes the access structure more expressive. The factor of time was introduced to realize time-release encryption.^6,15 In some existing studies,^16–19 user revocation was supported in their CP-ABE schemes. In studies by Ning et al.,^20,21 illegitimate access could be traced. However, the problem of complex conversion from access policy to access structure remains unsolved. Traditional access trees are inefficient when the corresponding access control policies have the inclusion relationships such as file system. In hierarchical file systems, if a user can decrypt a file corresponding to a level node in the access structure tree, he or she can decrypt all these files corresponding to the lower level nodes. To avoid repetitive description of attributes on different levels, Wang et al.²² used an integrated access structure to encrypt multiple files on different levels separately. As only one file can be encrypted on each level, the scheme proposed by Yeh et al.² is not practical. Li et al.²³ proposed an extended file hierarchy CP-ABE scheme (EFH-CP-ABE), which could encrypt several files on the same access level. To simplify the complex structure of inclusion relation among these privilege levels, Bobba et al.²⁴ introduced a ciphertext-policy attribute-set-based encryption (CP-ASBE) scheme in which the set of user attributes was extended into a recursive set structure. CP-ASBE was used in the conditional access system to resist collusion attacks.²⁵ Based on CP-ASBE, Wan et al.²⁶ proposed a hierarchical attribute-set-based encryption (HASBE) algorithm. HASBE builds a hierarchical system model and realizes the key delegation scheme and user revocation scheme. Teng et al.²⁷ improved the HASBE algorithm by keeping the length of the ciphertext and the number of bilinearity operation fixed. However, if strict mutual exclusion cannot be satisfied between different privilege levels, the common attributes will still be described repeatedly.

The same problem is faced in media cloud. CP-ABE is widely used to ensure the security of outsourced videos and support flexible video services.^7,8,28 Yang et al.²⁸ used traditional access trees that could not improve the efficiency. Access trees both in MCP-ABE⁷ and SCP-ABE⁸ can represent the access control rules with full inclusion relation efficiently. However, when there is any common attribute, these trees become less efficient because the common attributes have to be described repeatedly on different levels of the tree.

In this article, we propose a new access tree called MAT and a new one-way key chain scheme. On the basis of these two components, we introduce a novel encryption algorithm called eM-CP-ABE. In the encryption process, one $1 - n$ MAT can be flexibly used to encrypt several videos with multiple levels of privilege, thus considerably reducing the cost of generating and maintaining access structures. In the decryption process, user on the jth level will get two secret numbers, $a_{j}$ and $a_{0}$ , and the key corresponding to this level is $k_{j} = H_{2} (a_{j} | | a_{0})$ . When the user accesses the low level $i = j - 1$ , the key corresponding to the ith level is $k_{i} = H_{2} (H_{2} (a_{j} | | i) | | a_{0})$ . Only two hash operations are needed to complete the access control.

Preliminary

To ensure the independence of the article, the relevant information is given in this section.

Bilinear maps

Let $G_{0}, G_{T}$ be two multiplicative cyclic groups of prime order $p$ . Let $g$ be a generator of $G_{0}$ and $e$ be a bilinear map, $e : G_{0} \times G_{0} \to G_{T}$ . The bilinear map $e$ has the following properties:

Bilinearity: $\forall a, b \in Z_{p}$ and $g_{1}, g_{1} \in G_{0}$ , and we have $e (g_{1}^{a}, g_{2}^{b}) = e (g_{1}, g_{1})^{ab}$ .

Non-degeneracy: There exists $g_{1}, g_{1} \in G_{0}$ such that $e (g_{1}, g_{1}) \neq 1$ , which means the map does not send all pairs in $G_{0} \times G_{0}$ to the identity in $G_{T}$ .

Computability: There is an efficient algorithm to compute $e (g_{1}, g_{1})$ for all $g_{1}, g_{1} \in G_{0}$ .

Access structure

Let ${P_{1}, P_{2}, \dots, P_{n}}$ be a set of parties. A collection $A \subseteq 2^{{P_{1}, P_{2}, \dots, P_{n}}}$ is monotone if $\forall B, C$ ; if $B \in A$ and $B \subseteq C$ then $C \in A$ . An access structure is a collection $A$ of non-empty subset of ${P_{1}, P_{2}, \dots, P_{n}}$ , that is, $A \subseteq 2^{{P_{1}, P_{2}, \dots, P_{n}}} ∖ {\emptyset}$ . The sets in $A$ are called authorized sets, and the sets not in $A$ are called unauthorized sets.

In CP-ABE, a set of attributes is used as the decryption key, and an access structure is used to encrypt the plaintext. We describe the access structure in terms of an access tree. If and only if a set of attributes satisfies the access tree, the ciphertext can be decrypted correctly.

Access tree $T$

Let $T$ be a tree representing an access structure. A non-leaf node $x$ of the tree is described by its child number $nu m_{x}$ and a threshold value $k_{x}$ , where $0 \leq k_{x} \leq nu m_{x}$ . We denote the parent of the node $x$ by $parent (x)$ . The children of $x$ are numbered from 1 to $num$ . The function index (x) returns such a number associated with the node $x$ . When $x$ is a leaf node, we denote the attribute in $x$ by $attr (x)$ .

DBDH assumption

Let $a, b, c, z \in Z_{p}$ be chosen at random and $g$ be a generator of $G_{0}$ . The DBDH assumption is that no probabilistic polynomial-time algorithm $B$ can distinguish the tuple ( $A = g^{a}, B = g^{b}, C = g^{c}, e (g, g)^{abc}$ ) from the tuple ( $A = g^{a}, B = g^{b}, C = g^{c}, e (g, g)^{z}$ ) with more than a negligible advantage. The advantage of $B$ is

| \Pr [ℬ (A, B, C, e {(g, g)}^{a b c}) = 0] - \Pr [ℬ (A, B, C, e {(g, g)}^{z}) = 0] |

where the probability is taken over the random choice of the generator $g$ , the random choice of $a, b, c, z$ in $Z_{p}^{*}$ , and the random bits consumed by $B$ .

Proposed algorithm

In this section, eM-CP-ABE is described in detail. First, two important components that construct the proposed algorithm is introduced. Then, the model and implementation of eM-CP-ABE are proposed. Last, multi-authorization, user revocation, and $1 - n$ MAT are discussed.

Components

MAT

MAT is introduced to improve the expression efficiency of access control tree in eM-CP-ABE. In our article, MAT’s nodes are divided into three types: virtual nodes, attribute nodes, and ordinary nodes. A virtual node $n_{v}$ is represented by $k_{n_{v}} = 0$ and $nu m_{n_{v}} = 1$ . A subtree with a virtual node as its parent consists of one “trunk” and some “branches.” Trunk is used to describe the inclusion relation between adjacent levels. Branches are used to describe the particular rules of each level. The parent of a virtual node is represented as $y = parent (n_{v})$ . If a parent node $y$ has $nu m_{y}$ children nodes, including $nu m'_{y}$ virtual nodes, then the threshold value of $y$ satisfies $0 \leq k_{y} \leq nu m_{y} - nu m'_{y}$ . All leaf nodes are called attribute nodes. The rest of the nodes are called ordinary nodes.

We also make the following assumptions:

$nu m_{y} > nu m'_{y} :$ The inequality means that common attributes must exist.

The parent of a virtual node cannot be a virtual node.

The virtual node has one and only one child $(nu m_{n_{v}} = 1)$ , which consists of one “trunk” and some “branches.”

We define a MAT with $n$ virtual nodes as $1 - n$ MAT. Figure 1 shows a $1 - 2$ MAT.

Figure 1.

$1 - 2$ multiple access tree.

Satisfying an access tree

To clearly describe the process, MATs $T$ in Figure 1 are illustrated as an example. The process can be extended to more complex trees.

Step 1. List all hierarchical trees rooted at the virtual node. There are two qualified hierarchical trees $(T_{1}, T_{2})$ in Figure 1.

Step 2. Delete all virtual nodes and their descendants, and obtain the base tree $T_{0}$ .

Step 3. A set of attributes $γ$ satisfies $T$ , when $T (γ) = T_{1} (γ) and T_{0} (γ) = 1$ or $T (γ) = T_{2} (γ) and T_{0} (γ) = 1$ .

Key chain

Without loss of generality, we assume there is a $1 - 1$ MAT (Figure 2), which is used to encrypt one video with $l$ privilege levels and $m$ common attributes. We assume the video is divided into $l$ units and its first $j$ units are organized into an access level $L_{j}$ . The corresponding user has privilege $p_{j}, j = 0, \dots, l$ . By following the same operations in the study by Wu et al.,⁷ we define a binary dominant relation ⪯ on the set of privilege ${p_{1}, \dots, p_{l}}$ : $p_{i} ⪯ p_{j}$ if and only if $L_{i} \subseteq L_{j}$ , that is,

$L_{1} = {m_{1}}$ ;

$L_{j + 1} = L_{j} \cup {m_{j + 1}}, j = 1, 2, \dots, l - 1$ ;

$p_{1} ⪯ p_{2} ⪯ \dots ⪯ p_{l}$ .

Figure 2.

$1 - 1$ MAT structure.

The goal we need to achieve is that if the user can access the content of level $j$ , then the user should at least have the key parameters $a_{0}, a_{j}$ . Through $a_{0}, a_{j}$ , the user can deduce ${a_{i} : 1 \leq i \leq j}$ . Our design is as follows:

Step 1. Find a one-way hash function $H_{2} (*)$ , with the following characteristics:

Input data of arbitrary lengths and output data of fixed lengths.

For a given input, it is easy to calculate the output.

For a given output, it is not computationally feasible to find a correct input.

$H_{2} : {0, 1}^{*} \to Z_{p}^{*}$ .

Step 2. For the highest privilege level $l$ , we choose a number $a_{l}$ uniformly at random from $Z_{p}^{*}$ . Then, we choose $a_{0}$ uniformly at random $Z_{p}^{*}$ . The key corresponding to the level $l$ is $k_{l} = H_{2} (a_{l} | | a_{0})$ . Then, the number corresponding to the jth level is $a_{j} = H_{2} (k_{j + 1} | | j)$ , and the key corresponding to the level $j$ is $k_{j} = H_{2} (a_{j} | | a_{0})$ , where $1 \leq j < l - 1$ .

Step 3. The final key chain ${k_{1}, \dots, k_{l}}$ can be used as the keys of a symmetric encryption algorithm, such as AES, to encrypt $l$ video units separately.

When a set of attributes satisfies both the base tree constructed by the common attributes ( $a_{0}$ ) and the jth level of the hierarchical trees ( $a_{j}$ ), $k_{j}$ can be calculated by $k_{j} = H_{2} (a_{j} | | a_{0})$ . Also, using $a_{0}, a_{j}$ , $k_{i}$ can be calculated when $1 \leq i < j$ . Due to the unidirectionality of $H_{2} (*)$ , the low-level user cannot be calculated to obtain the high-level key.

Using MAT and key chain

In this part, we show how to use MAT and the key chain to convert complex policies into access trees. According to Table 1, we add the time factor to construct more complex access rules (Table 2). In this scenario, the common attributes (id, category, and duration) of the three rules must be described in each branch of CP-ABE or MCP-ABE, which considerably reduces the expression efficiency of the access control structure.

r1: Guests can only watch the SD-version videos with ID 10010 in the story category this month. (For the sake of simplicity, we consider that there are 30 days in a month.)

r2: Registered users can watch HD- and SD-version videos with ID 10010 in the story category this month.

r3: Paying users can watch UHD-, HD- and SD-version videos with ID 10010 in the story category this month.

Table 2.

Three access control rules for the video with ID=10010.

r1	$〈 (user = Guest), (vid = 10010, category = story, quality = standard), (duration < 30), play 〉$
r2	$〈 (user = Registered), (vid = 10010, category = story, quality = (standard, high)), (duration < 30), play 〉$
r3	$〈 (user = Paying), (vid = 10010, category = story, quality = (standard, high, ultra)), (duration < 30), play 〉$

The rules that conform to the ABAC format²⁹ are described in Table 2.

We assume that two bits are used to describe the user’s type (Paying: uType=11, Registered: uType=10, and Guest: uType=01). In CP-ABE, three rules will be converted into three access trees (Figure 3). We use the integer comparison technology⁹ to describe the expiration time “duration <30.”T1 is the access tree of r1 and is used to encrypt the key corresponding to the SD video. As shown in Figure 3(a), any user can access the specific SD video. T2 is the access tree of r2 and is used to encrypt the key corresponding to the HD video. As shown in Figure 3(b), only the user whose “uType” attribute value is “11” or “10” has access to the specific HD video. Similarly, in T3, the user with “uType” value of “11” can access the specific UHD video.

Figure 3.

Access trees corresponding to the three rules in CP-ABE. The access tree of (a) r1 is T1, (b) r2 is T2, and (c) r3 is T3.

In MCP-ABE, the three rules will be converted into one complex access tree (Figure 4). In MCP-ABE, a special access tree is consisted of one “trunk” and some “branches.” As shown in Figure 4, the trunk represents the inclusion relationship between the three rules, $r 1 \subset r 2 \subset r 3$ . On each level, the branches represent the details of the corresponding rule. However, the common attributes need to be described on each level repeatedly in MCP-ABE.

Figure 4.

Access tree corresponding to the three rules in MCP-ABE.

We use MAT and key chain to simplify the access tree. As shown in Figure 5, subtrees of the common attributes are extracted to form the base tree, which is then merged with the hierarchical tree through an ordinary node. The access tree described in Figure 5 has one virtual node, so we call it $1 - 1$ MAT. Four secrets, $a_{0}, a_{1}, a_{2}, a_{3}$ , need to be shared by the “branches.” Among them, $a_{0}, a_{3}$ are randomly chosen in $Z_{p}^{*}$ . The key corresponding to r3 is $k_{3} = H_{2} (a_{3} | | a_{0})$ . Then, for each of the remaining levels, there exist $a_{2} = H_{2} (k_{3} | | 2), k_{2} = H_{2} (a_{2} | | a_{0})$ , and $a_{1} = H_{2} (k_{2} | | 1), k_{1} = H_{2} (a_{1} | | a_{0})$ .

Figure 5.

Access tree corresponding to the three rules in eM-CP-ABE.

Compared with CP-ABE and MCP-ABE, the eM-CP-ABE algorithm realizes expression of the three rules with a simpler tree structure and fewer nodes.

eM-CP-ABE

eM-CP-ABE model

Figure 6 shows the model of eM-CP-ABE. The system consists of five participants. They are media cloud, video provider, video consumer, attribute authority center, and trusted encryption center.

Figure 6.

eM-CP-ABE system model.

The proposed eM-CP-ABE has five functions: Setup, Encrypt, KeyGen, Decrypt, and Delegate.

$Setup (λ)$ . Executed by the authorization center. Its input is security parameter $λ$ and output is the public key $PK$ and the master key $MK$ .

$Encrypt (PK, M, T)$ . Executed by the trusted encryption center. Its inputs are $PK$ , plaintext $M$ , MAT $T$ , and its output is ciphertext $CT$ . We assume that ciphertext $CT$ contains $T$ already.

$KeyGen (MK, S)$ . Executed by the attribute authority center. We define the universe of attributes $S$ . A video consumer provides his or her own set of attributes $S \subseteq S$ to the attribute authority center and applies his or her secret key $SK$ . Inputs of the function are $MK$ and $S$ , and its output is $SK$ .

$Decrypt (PK, CT, SK)$ . Executed by the video consumer. Its inputs are $PK$ , $CT$ , and $S K$ and its output is plaintext $M$ .

$Delegate (SK, S')$ . $SK$ is a secret key for the set of attributes $S$ . The function Delegate can generate a secret key $SK'$ for the set of attributes $S'$ when $S'$ satisfies $S' \subseteq S and S' \neq \emptyset$ . This function will be used then to extend the attribute authority center.

eM-CP-ABE algorithm

We take $1 - 1$ MAT (Figure 2) as an example to describe the eM-CP-ABE algorithm. We assume that one video has $l$ units corresponding to $l$ privilege levels. There is at least one common attribute on the $l$ privilege levels.

$Setup (λ)$ . Let $G_{0}, G_{T}$ be two multiplicative cyclic groups of prime order $p$ . Let $g$ be a generator of $G_{0}$ and $e$ be a bilinear map, and $e : G_{0} \times G_{0} \to G_{T}$ . Choose $α$ and $β$ uniformly at random from $Z_{p}^{*}, α, β \in_{R} Z_{p}^{*}$ . Then, the public key is published as $PK = (G_{0}, g, g_{1}, g_{2}, f_{1})$ , where $g_{1} = g^{β}, g_{2} = e (g, g)^{α}$ , $f_{1} = g^{1 / β}$ , and the master key $MK$ is $(β, g^{α})$ .

$Encrypt (PK, M, T)$ . The $1 - 1$ MAT $T$ is divided into a base tree $T_{0}$ and a hierarchical tree $T_{1}$ (Figure 7). For each node $N$ in trees $T_{0}$ and $T_{1}$ , we choose a polynomial $f_{N}$ randomly, set the degree $q_{N} = k_{N} - 1$ , where $k_{N}$ is the threshold of node $N$ and set $f_{N} (0) = f_{parent (N)} (index (N))$ .

Figure 7.

1–1 MAT decomposition.

We choose $a_{0}, a_{l}, s_{0}, s_{l} \in_{R} Z_{p}$ uniformly at random from $Z_{p}$ . $N_{R}$ denotes the root node of $T_{0}$ and $N_{v}$ denotes the root node of $T_{1}$ . Then, we set $f_{N_{R}} (0) = s_{0}$ and $f_{N_{v}} (0) = s_{l}$ . Using the established polynomial of each node, the secrets, $s_{0}, s_{l}$ , are shared. The set of leaf nodes in $T$ is denoted by ${\bar{N}}_{leaf}$ , where $n_{i} \in {\bar{N}}_{leaf}$ . The set of nodes in $T_{1}' s$ trunk is denoted by ${N_{1}, \dots, N_{l}}$ .

The ciphertext has two parts. In the first part, a symmetric encryption algorithm $E (m, k)$ is used to encrypt each video unit. The second part is ABE. The whole ciphertext is expressed as

\begin{matrix} CTs = EM | | CT \\ EM = {E (m_{i}, k_{i})}_{i = 1}^{l}, where k_{i} = H_{2} (a_{i} | | a_{0}) \\ CT = (B_{0}, C_{0}, B_{1}, C_{1}, {B_{N_{i}}, C_{N_{i}}}_{i = 2}^{l}, {E_{n_{i}}, E_{n_{i}}'}_{n_{i} \in {\bar{N}}_{leaf}}, T) \end{matrix}

where

\begin{matrix} B_{0} = a_{0} e (g, g)^{α s_{0}}, C_{0} = g^{β s_{0}}, B_{1} = a_{l} e (g, g)^{α s_{l}}, C_{1} = g^{β s_{l}} \\ B_{N_{i}} = a_{i} e (g, g)^{α f_{N_{i}} (0)}, a_{i} = H_{2} (k_{j + 1} | | j), C_{N_{i}} = g^{β f_{N_{i}} (0)} \\ E_{n_{i}} = g^{f_{n_{i}} (0)}, E_{n_{i}}' = H_{1} (att (n_{i}))^{f_{n_{i}} (0)} \end{matrix}

$H_{1} (*)$ is a collision-resistant hash function:³ $H_{1} : {0, 1}^{*} \to Z_{p}^{*}$ . This means it is hard to find two pre-values that can generate the same hash value.

$KeyGen (MK, S)$ . We choose $r \in_{R} Z_{p}^{*}$ uniformly at random from $Z_{p}^{*}$ . Then, we randomly choose $r_{j} \in_{R} Z_{p}^{*}$ , $\forall j \in S$ . The secret key $SK$ is

$SK = (D, {D_{j}, {D_{j}}^{'}}_{j \in S})$

where $D = g^{(α + r) / β}, D_{j} = g^{r} H_{1} (j)^{r_{j}}$ and ${D_{j}}^{'} = g^{r_{j}}$ .

$Decrypt (PK, CTs, SK)$ . The video consumer does the following operations to realize decryption.

Step 1. To determine whether the set of attributes $S$ satisfies the access tree $T : T (S) = T_{0} (S) and T_{1} (S)$ . When $T (S) = 1$ , go to Step 2; otherwise, return.

Step 2. We define $DecryptNode (CTs, SK, x)$ as a recursive algorithm, where $x$ is a node in $T_{0}$ . The following two cases are discussed.

Case 1. $x$ is a leaf node, if $i = att (x) \in S$

\begin{matrix} DecryptNode (CTs, SK, x) = \frac{e (D_{i}, E_{x})}{e ({D_{i}}^{'}, {E_{x}}^{'})} \\ = \frac{e (g^{r} H_{1} {(i)}^{r_{i}}, g^{f_{x} (0)})}{e (g^{r_{i}}, H_{1} {(att (x))}^{f_{x} (0)})} \\ = e (g, g)^{r f_{x} (0)} \end{matrix}

else $i = att (x) \notin S$ , $DecryptNode (CTs, SK, x) = ⊥$

Case 2. $x$ is a non-leaf node. Considering that all node $Z = {z_{1}, z_{2}, \dots, z_{n}}$ are children of $x$ , we set $F_{z} = {F_{z_{i}} = DecryptNode (CTs, SK, z_{i}) | z_{i} \in Z}$ . Let $S_{x}$ be an arbitrary k_x-sized set of children nodes $z_{i}$ such that $F_{z_{i}} \neq ⊥$ . If no such set exists, then the node is not satisfied and the function returns ⊥.

Otherwise, we compute

\begin{matrix} F_{x} = \underset{z \in S_{x}}{Π} F_{z}^{Δ_{i, {S'}_{x}} (0)}, {\begin{matrix} i = index (z) \\ {S'}_{x} = {index (z) : z \in S_{x}} \\ Δ_{i, S} (x) = \underset{i \in S, j \neq i}{Π} \frac{x - j}{i - j} \end{matrix} \\ = \underset{z \in S_{x}}{Π} {(e {(g, g)}^{r f_{z} (0)})}^{Δ_{i, {S'}_{x}} (0)} \\ = \underset{z \in S_{x}}{Π} {(e {(g, g)}^{r f_{parent (z)} (index (z))})}^{Δ_{i, {S'}_{x}} (0)} \\ = \underset{z \in S_{x}}{Π} e (g, g)^{r f_{x} (i) Δ_{i, {S'}_{x}} (0)} \\ = e (g, g)^{r f_{x} (0)} \end{matrix}

When $x = N_{R}$ , we obtain $A = DecryptNode (CTs, SK, N_{R}) = e (g, g)^{r s_{0}}$ after recursion. Then

\begin{matrix} \frac{B_{0}}{(e (C_{0}, D) / A)} = \frac{B_{0}}{(e (g^{β s_{0}}, g^{α + r / β}) / e {(g, g)}^{r s_{0}})} \\ = \frac{a_{0} e {(g, g)}^{α s_{0}}}{e {(g, g)}^{α s_{0}}} = a_{0} \end{matrix}

Similarly, if $x = N_{i} \in {N_{1}, \dots, N_{l}}$ in $T_{1}$ , we obtain $A = DecryptNode (CTs, SK, N_{i}) = e (g, g)^{r f_{N_{i}} (0)}$ .

Then

\begin{matrix} \frac{B_{N_{i}}}{(e (C_{N_{i}}, D) / A)} = \frac{B_{N_{i}}}{(e (g^{β f_{N_{i}} (0)}, g^{α + r / β}) / e {(g, g)}^{r f_{N_{i}} (0)})} \\ = \frac{a_{i} e {(g, g)}^{α f_{N_{i}} (0)}}{{(g, g)}^{α f_{N_{i}} (0)}} = a_{i} \end{matrix}

Step 3. The key of the ith level $k_{i} = H_{2} (a_{i} | | a_{0})$ is obtained. Using the key chain, the keys used by lower levels are generated.

Extension

Multi-authorization

In the cloud environment, when a large number of users access a hot video content in a short time, it poses a big challenge for the attribute authorization center. Extending the single authorization center to multiple centers can alleviate the pressure effectively. Using KeyGen and Delegate functions, the single authorization center is extended to authorization centers (Figure 8).

Figure 8.

Hierarchical authorization group.

We assume that each attribute authorization center can complete the authorization service independently: $A A_{ij} \to S_{ij}$ and $| S_{ij} | \geq | S_{Max} |$ . For the attribute authorization center, there exists $A A_{Center} \to S$ .

Multi-authorization is realized as follows.

Case 1. Apply for a secondary $A A_{1 (n + 1)} \to S_{1 (n + 1)}$ from $A A_{Center} \to S$ .

$A A_{Center}$ has $n$ children already, called $A A_{11}, \dots, A A_{1 n}$ , and the corresponding attribute sets are $S_{11}, \dots, S_{1 n}$ . $A A_{1 (n + 1)} \to S_{1 (n + 1)}$ , satisfying $| S_{1 (n + 1)} | \geq | S_{Max} |$ and $S_{11} \cup \dots \cup S_{1 n} \cup S_{1 (n + 1)} \subseteq S$ wants to join the secondary $AA$ .

Step 1. Check the legitimacy of $A A_{1 (n + 1)}$ .

Step 2. Choose $r \in_{R} Z_{p}^{*}$ and $r_{j} \in_{R} Z_{p}^{*}$ , $\forall j \in S_{1 (n + 1)}$ .

Step 3. $\begin{matrix} M K_{1 (n + 1)} = KeyGen (MK, S_{1 (n + 1)}) \\ = (S_{1 (n + 1)}, D, {D_{j}, {D_{j}}^{'}}_{j \in S_{1 (n + 1)}}) \end{matrix}$

where $D = g^{(α + r) / β}$ , $D_{j} = g^{r} H_{1} (j)^{r_{j}}$ , ${D_{j}}^{'} = g^{r_{j}}$ .

Step 4. $A A_{Center}$ sends $M K_{1 (n + 1)}$ to $A A_{1 (n + 1)}$ .

Case 2. Apply for an ordinary $A A_{i (n + 1)} \to S_{i (n + 1)}$ from $A A_{(i - 1) j} \neq A A_{Center} \to S$ .

Step 1. Check the legitimacy of $A A_{i (n + 1)}$ .

Step 2. Choose $\tilde{r} \in_{R} Z_{p}^{*}$ and ${\tilde{r}}_{k} \in_{R} Z_{p}^{*}$ $\forall k \in S_{i (n + 1)}$ .

Step 3. $\begin{matrix} M K_{i (n + 1)} = Delegate (M K_{(i - 1) j}, S_{i (n + 1)}) \\ = (S_{i (n + 1)}, \tilde{D}, {{\tilde{D}}_{k}, {\tilde{D}}_{k}^{'}}_{k \in S_{i (n + 1)}}) \end{matrix}$

where $\tilde{D} = D {f_{1}}^{\tilde{r}}, {\tilde{D}}_{k} = D_{k} g^{\tilde{r}} H_{1} (k)^{{\tilde{r}}_{k}} and {\tilde{D}}_{k}^{'} = {D_{k}}^{'} g^{{\tilde{r}}_{k}}$

Step 4. $A A_{(i - 1) j}$ sends $M K_{i (n + 1)}$ to $A A_{i (n + 1)}$ .

User revocation

To realize user revocation, eM-CP-ABE adds timestamps to the MAT and attribute sets separately. Compared with CP-ABE, eM-CP-ABE is more flexible when the timestamp is added in a branch, then the algorithm implements user revocation on the corresponding privilege level. When the timestamp is a set of common attributes, the algorithm implements user revocation on all privilege levels, that is, the plaintext M is encrypted under the timestamp $x$ and the expiration time $y$ labeled in a user’s attribute set. When $y \leq x$ , the user cannot decrypt the ciphertext correctly.

1−n MAT

When using ABE, different access control trees need to be established for data with different access requirements. Generation and maintenance of a large number of access trees is a tough task. A $1 - n$ MAT can describe the access structure of $n$ videos with different access rules. In $1 - n$ MAT, the base tree is designed to describe the common rules of the videos, and $n$ hierarchical trees are used to describe the private rules of different videos. This method reduces both the number of trees and the operations required for encryption.

Figure 9 shows a $1 - n$ MAT. The base tree has $m_{0}$ common attributes and $n$ hierarchical trees. We assume that the jth video has $l_{j} (1 \leq j \leq n)$ privilege levels, and the ciphertext can be obtained as follows

CTs = {C T_{j}'}_{j = 1}^{n}

where $C T'_{j}$ is the jth encrypted video.

\begin{matrix} C {T'}_{j} = E M_{j} | | C T_{j}, E M_{j} = {E (m_{j, i}, k_{j, i})}_{i = 1}^{l_{j}} \\ C T_{j} = (B_{j, 0}, C_{j, 0}, B_{j, 1}, C_{j, 1}, {B_{N_{j, i}}, C_{N_{j, i}}}_{i = 2}^{l_{j}}, {E_{n_{i}}, {E'}_{n_{i}}}_{n_{i} \in {\bar{N}}_{leaf}}, T) \end{matrix}

where $T$ is the $1 - n$ MAT.

Figure 9.

$1 - n$ MAT.

Security analysis

Selective-set model

There are four common types of attacks: ciphertext only, known plaintext, chosen plaintext, and chosen ciphertext. The CPA is the most powerful type of attack. If an algorithm can resist this attack, it can also resist other types of attack. To prove that eM-CP-ABE is secure, we first define a selective-set model based on CPAs. The model is described as follows:

Init. The adversary declares the $1 - n$ MAT, $T^{*}$ , that he wants to be challenged upon. The $T^{*}$ is sent to the challenger.

Setup. The challenger runs the Setup algorithm, and then gives the public parameters to the adversary.

Phase 1. The adversary is allowed to issue queries for private keys for many attribute sets $S_{1}, \dots, S_{q}$ , where $T^{*} (S_{i}) = 0$ for all $i \in [1, q]$ .

Challenge. The adversary submits two messages of equal length, $M_{0}$ and $M_{1}$ . The challenger flips a random coin $μ$ , and encrypts $M_{μ}$ with $T^{*}$ . The ciphertext $C T^{*}$ is passed to the adversary.

Phase 1. Phase 1 is repeated.

Guess. The adversary outputs a guess $μ'$ of $μ$ .

The advantage of an adversary in this game is defined as $\Pr [μ' = μ] - 1 / 2$ .

Definition 1. eM-CP-ABE is secure in the selective-set model if all polynomial time adversaries have at most a negligible advantage in the selective-set game.

Proof of security

We prove that the security of eM-CP-ABE in the selective-set model reduces to the hardness of the DBDH assumption.

Theorem 1. If an adversary can break our scheme in the selective-set model, then a simulator can be constructed to play the DBDH game with a non-negligible advantage.

Proof. We suppose there exists a polynomial-time adversary $A$ that can attack eM-CP-ABE in the selective-set model with advantage $ϵ$ . Then, we can build a simulator $B$ that can play the DBDH game with advantage $ϵ / 2$ . The simulation process is as follows:

First, the challenger provides two groups $G_{0}, G_{T}$ with an efficient bilinear map, $e$ and a generator $g$ . Then, the challenger throws a fair coin $μ$ out of view of $B$ . If $μ = 0$ , the challenger sets $(A, B, C, Z) = (g^{a}, g^{b}, g^{c}, e (g, g)^{abc})$ ; otherwise, the challenger sets $(A, B, C, Z) = (g^{a}, g^{b}, g^{c}, e (g, g)^{z})$ . $a, b, c, z$ are randomly chosen in $Z_{p}^{*}$ .

Init. The simulator $B$ runs a polynomial-time adversary $A$ . $A$ chooses the $1 - n$ MAT $T^{*}$ that it wishes to be challenged upon.

Setup. $B$ chooses a random $a' \in_{R} Z_{p}$ , and sets $α = a' - a + ab$ . It calculates $g_{2} = e (g, g)^{α} = e (g, g)^{a^{'} - a} e (g, g)^{ab}$ and sets $g_{1} = g^{β} = B = g^{b}$ . Then, it gives $PK$ to $A$ .

Phase 1. $A$ asks for the keys corresponding to any attributes set $S (T^{*} (s) = 0)$ from $B$ . $B$ chooses a random $r' \in_{R} Z_{p}$ and sets $r = r' + a - ab$ . There exists $D = g^{(α + r) / β} = g^{(a' + r') / β}$ . Then, we randomly choose $r_{j} \in_{R} Z_{p}^{*}$ , $\forall j \in S$ . The left part of $SK$ is $D_{j} = g^{r' + a - ab} H_{1} (j)^{r_{j}} = A g^{r' - ab} H_{1} (j)^{r_{j}}$ , ${D_{j}}^{'} = g^{r_{j}}$ . $B$ gives the $SK$ to $A$ .

Challenge. $A$ submits two messages of equal length, $M_{0}$ and $M_{1}$ , to $B$ . The challenger gets $μ$ by flipping a coin. Then, $M_{μ}$ is encrypted with $T^{*}$ . The ciphertext $C T^{*}$ is sent to $A$ . In $C T^{*}$ , there exists $B_{0} = x_{0} e (g, g)^{α s_{0}}, C_{0} = g^{β s_{0}}$ . We set $s_{0} = s + c + (c / b), s \in_{R} Z_{p}$ , then we have

\begin{matrix} C_{0} = g^{β s_{0}} = g^{b (s + c + (c / b))} = g^{b (s + c)} g^{c} = g^{b (s + c)} C \\ B_{0} = x_{0} e (g, g)^{α (s + c + (c / b))} = x_{0} Te (g, g)^{ψ} \end{matrix}

where $ψ = (a' - a) (s + c + b / c) + abs + ac$ .

Phase 2. The simulator repeats what it did in Phase 1.

Guess. $A$ submits its guess $μ'$ of $μ$ . If $μ' = μ$ , it indicates that $A$ is given a valid BDH-tuple, $(g^{a}, g^{b}, g^{c}, T = e (g, g)^{abc})$ ; otherwise, it is given a random four-tuple $(g^{a}, g^{b}, g^{c}, T = R)$ .

If $μ' = μ$ , $A$ finishes the guess game with the advantage of $ϵ$ . Thus

\Pr [B (g^{a}, g^{b}, g^{c}, T = e {(g, g)}^{abc}) = 0] = \frac{1}{2} + ϵ

Or else, the ciphertext $C T^{*}$ is completely random. It means that $A$ cannot get any information from $C T^{*}$ . Then

\Pr [B (g, g^{a}, g^{b}, g^{c}, T = R) = 0] = \frac{1}{2}

The overall advantage of the simulator $B$ in the DBDH game is

\begin{matrix} Adv = \frac{1}{2} (\Pr [B (g, g^{a}, g^{b}, g^{c}, T = e {(g, g)}^{abc}) = 0] + \Pr [B (g, g^{a}, g^{b}, g^{c}, T = R) = 0]) \\ - \frac{1}{2} = \frac{1}{2} (\frac{1}{2} + ϵ + \frac{1}{2}) - \frac{1}{2} = \frac{ϵ}{2} \end{matrix}

Above all, eM-CP-ABE can successfully resist chosen plaintext attacks under the DBDH assumption.

Performance analysis

Compared with the MCP-ABE⁷ and CP-ABE,⁹ the time and space complexity of eM-CP-ABE perform better in the following scenario. In addition, eM-CP-ABE consumes much less time than SCP-ABE⁸ for each attribute in the encryption and decryption processes.

We assume a $1 - 1$ MAT will encrypt one video with $l > 1$ privilege levels and $m_{0} > 0$ common attributes. The ith level at the hierarchical tree has $m_{i, 1}$ leaf nodes (except the trunk). We can obtain $m_{1} = \sum_{i = 1}^{l} m_{i, 1}$ . The number of all related attributes is $m = m_{1} + m_{0}$ . In Figure 10(a), the $1 - 1$ MAT has $l = 3$ , $m_{0} = 3$ , $m_{1, 1} = 3$ , $m_{2, 1} = 1$ and $m_{3, 1} = 2$ . To achieve the same access control, MCP-ABE needs a more complex tree (Figure 10(b)) and CP-ABE needs three trees (Figure 10(c)).

Figure 10.

Different access trees under the same access rules: (a) eM-CP-ABE, (b) MCP-ABE, and (c) CP-ABE.

On the basis of Figure 10, we discuss the time and space complexity of KeyGen, Encryption, and Decryption of the three algorithms. The time taken to perform an exponential operation is denoted as $E$ . The time taken to perform a bilinear operation is denoted as $P$ .

KeyGen

For the three algorithms, there is the same attributes set $S$ . The time complexity of executing $KeyGen$ is positively correlated to the cardinality of the attributes set $| S |$ , and the value is $(2 | S | + 1) E$ . The three algorithms have the same time complexity in KeyGen. Similarly, the private key lengths of the three algorithms are $(2 | S | + 1)$ . So, they have the same space complexity.

Encryption

The time needed by CP-ABE, MCP-ABE, and eM-CP-ABE to satisfy the access control (Figure 10) is shown in Table 3. Compared with MCP-ABE, eM-CP-ABE has one more $P$ , but $2 l m_{0} - 1 - 2 m_{0}$ less $E$ . In the situation that $(2 l m_{0} - 1 - 2 m_{0}) E - P > 0$ , eM-CP-ABE has better performance.

Table 3.

Time complexity of three encryption functions.

Algorithm	Time complexity
eM-CP-ABE	$(l + 1) P + (l + 1 + 2 m_{0} + 2 m_{1}) E$
MCP-ABE	$lP + (l + 2 l m_{0} + 2 m_{1}) E$
CP-ABE	$T C_{CP - ABE}$

eM-CP-ABE: enhanced media ciphertext-policy attribute-based encryption; MCP-ABE: multi-message ciphertext-policy attribute-based encryption; CP-ABE: ciphertext-policy attribute-based encryption.

$T C_{CP - ABE} = lP + lE + 2 l m_{0} E + 2 (m_{1, 1} + (m_{1, 1} + m_{2, 1}) + \dots + \sum_{i = 1}^{l} m_{i, 1}) E$

The theoretical analysis above proves that eM-CP-ABE consumes less encryption time than CP-ABE and MCP-ABE with the increase of $m_{0}$ . The same conclusion is reached from the practical experiment (Figure 11). In this experiment, we assume that a group of access control policies exist that satisfy the following conditions

$l = 3$ ;

$m_{0} = ceiling (m / 10)$ .

Note that eM-CP-ABE is used as a digital envelope to encrypt the secret keys, not the content. Therefore, the size and resolution of videos have no effect on the efficiency of eM-CP-ABE. The three elements that affect eM-CP-ABE are $l$ , $m$ , and $m_{0}$ . All experiments are implemented by C++ and run on a computer (Inter (R) Core (TM) i5-8300H CPU at 2.30 GHz, 8-GB RAM, Win-1064bit system).

Figure 11.

Encryption time of the three algorithms.

In Figure 11, when $m = 10, m_{0} = 1$ , eM-CP-ABE and MCP-ABE consume similar time for encryption, slightly better than CP-ABE. With the increase of $m$ , eM-CP-ABE has more advantages over MCP-ABE and CP-ABE in terms of the encryption time. For example, when $m = 100, m_{0} = 10$ , eM-CP-ABE consumes 87 ms less time than MCP-ABE and 114 ms less than CP-ABE. The average encryption time per attribute is 0.79 ms, which is far less than 35 ms of SCP-ABE.

There are different ciphertext lengths in the three algorithms shown in Table 4. When $m_{0} > 0 and l > 2$ , the space complexity of the proposed algorithm is lower than M-CP-ABE and the value is $2 (l - 2) m_{0}$ .

Table 4.

Space complexity of three encryption functions.

Algorithm	Space complexity
eM-CP-ABE	$2 (l + 1 + m_{0} + m_{1})$
MCP-ABE	$2 (l + 1 + (l - 1) m_{0} + m_{1})$
CP-ABE	$S C_{CP - ABE}$

eM-CP-ABE: enhanced media ciphertext-policy attribute-based encryption; MCP-ABE: multi-message ciphertext-policy attribute-based encryption; CP-ABE: ciphertext-policy attribute-based encryption.

$S C_{CP - ABE} = 2 l + 2 l m_{0} + 2 (m_{1, 1} + (m_{1, 1} + m_{2, 1}) + \dots + \sum_{i = 1}^{l} m_{i, 1})$

Decryption

We assume that the user has the second privilege in Figure 10, the MCP-ABE needs to iterate the DecryptNode function according to the access tree (Figure 12(a)), and the corresponding access structure for the eM-CP-ABE is Figure 12(b). They have the same decryption process. Let us consider another scenario. When the user wants to switch from a higher level privilege to lower level, CP-ABE needs to re-execute the decryption function. As the number of leaf nodes increases, so does the decryption time. When only one leaf node exists, the decryption time is about 15 ms, and when the number of leaf nodes is 10, the decryption time is 78 ms. The average computation time per 10 attributes of SCP-ABE is 25 ms. However, for eM-CP-ABE, the decryption time is a constant. To realize this switch of privilege, eM-CP-ABE only need to perform one and two hash operations, respectively. The hash operation takes much less time than the decryption function in ABE, about 3–8 μs, thus greatly reducing the decryption time.

Figure 12.

Different access trees in (a) MCP-ABE and (b) eM-CP-ABE.

Deployment

We deployed the streaming media system supporting HTTP live streaming (HLS) under the media framework proposed by Li et al.³⁰ The system is shown in Figure 13. The video provider in User Area sends video and the corresponding access control policy to the media cloud. In media cloud, there are two areas: work and service. In work area, the whole video is divided into several segments; then, AES is used to encrypt the video segments with different keys; last, these keys are encrypted by eM-CP-ABE. In service area, authorization center, video storage and distribution are deployed. The video consumer in user area gets the video through the following steps:

Send the ABE key request to authorization center;

Get the SK;

Get the index file including the encrypted video segments keys from the video storage and distribution;

Decrypt the video segments keys using eM-CP-ABE;

Get the encrypted video segments from the video storage and distribution;

Decrypt the video segments using AES.

Figure 13.

Deployment of eM-CP-ABE in the media cloud.

In this system, we implemented the decryption algorithm in Android version 4.2.2. After the two levels of decryption (ABE and AES), the plain-video segments are obtained. Then, the video segments are combined and played (Figure 14). In the full video playing process, the CPU consumption is stable (between 15% and 25%). It proves that the application based on our proposed algorithm can complete the video on-demand service smoothly.

Figure 14.

Encrypted video display.

Conclusion

Media cloud built by cloud providers collects the videos from video providers and provides kinds of video services with guaranteed quality to video consumers. Meanwhile, for video providers, they pay attention to whether the media cloud can provide effective copyright protection; for video consumers, they are concerned about whether the media cloud can respond to their request in real time. Therefore, how to establish a fine-grained and fast video access control scheme is a major challenge for media cloud.

In this article, eM-CP-ABE is proposed to meet the requirement of multi-level access control of massive videos in the mobile environment. Based on the MCP-ABE, the virtual node and key chain are introduced to construct a new hierarchical access control structure. In the new structure, common attributes are extracted to the root node to save the encryption cost. When the user switches from a higher level privilege to a lower level, only a few hash operations are required without re-calling decryption in ABE, which greatly saves the decryption time and computation consumption.

In addition, we discussed the extended application of the proposed algorithm. Multi-authorization can improve the scalability of the algorithm. Using integer comparison, user revocation can be realized. More important, the access tree in eM-CP-ABE can be extended to $1 - n$ MAT that improves the efficiency of the access control structure and saves the cost of tree generation and maintenance. We proved that eM-CP-ABE can successfully resist CPAs under the DBDH assumption. Performance analysis and experiment show that the proposed algorithm is better than MCP-ABE and CP-ABE in the encryption process.

Footnotes

Acknowledgements

The authors thank the anonymous reviewers for their very helpful comments which helped to improve the presentation of this article.

Handling Editor: Hongxin Hu

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The research was funded by China Postdoctoral Science Foundation 2019M663358, Fundamental Research Funds for the Central Universities of the Communication University of China (CUC2019A009), the High-quality and Cutting-edge Disciplines Construction Project for Universities in Beijing (Internet Information, Communication University of China; CUC190J054), and National Key Task Team Cultivation Project 2019 (CUC19ZD003).

ORCID iD

Hao Li

References

Chen

Bhargava

Zhongchuan

. Multilabels-based scalable access control for big data applications. IEEE T Cloud Comp 2014; 1(3): 65–71.

Yeh

L-Y

Chiang

P-Y

Tsai

Y-L

, et al. Cloud-based fine-grained health information access control framework for lightweightIoT devices with dynamic auditing andattribute revocation. IEEE T Cloud Comp 2018; 6(2): 532–544.

Liu

, et al. Unified fine-grained access control for personal health records in cloud computing. IEEE J Biomed Health 2019; 23: 1278–1289.

Chaudhary

Aujla

Garg

, et al. SDN-enabled multi-attribute-based secure communication for smart grid in IIoT environment. IEEE T Ind Inform 2018; 14(6): 2629–2640.

Guan

Zhu

, et al. Toward delay-tolerant flexible data access control for smart grid with renewable energy resources. IEEE T Ind Inform 2017; 13(6): 3216–3225.

Hong

Xue

, et al. TAFC: time and attribute factors combined access control for time-sensitive data in public cloud. IEEE T Serv Comput 2020; 13: 158–171.

Wei

Deng

. Attribute-based access to scalable media in cloud-assisted content sharing networks. IEEE T Multimedia 2013; 15(4): 778–788.

Yan

Chen

. Scalable access control for privacy-aware media sharing. IEEE T Multimedia 2019; 21: 173–183.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE symposium on security and privacy (SP’07), Berkeley, CA, 20–23 May 2007, pp. 321–334. New York: IEEE.

10.

Zhang

Chen

, et al. Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 2018; 72: 1–12.

11.

Cui

Zhou

, et al. OOABKS: online/offline attribute-based encryption for keyword search in mobile cloud. Inform Sciences 2019; 489: 63–77.

12.

Han

Susilo

, et al. Improving privacy and security in decentralized ciphertext-policy attribute-based encryption. IEEE T Inf Foren Sec 2015; 10(3): 665–678.

13.

Xue

Hong

, et al. RAAC: robust and auditable access control with multiple attribute authorities for public cloud storage. IEEE T Inf Foren Sec 2017; 12(4): 953–967.

14.

Xue

Gai

, et al. An attribute-based controlled collaborative access control scheme for public cloud storage. IEEE T Inf Foren Sec 2019; 14: 2927–2942.

15.

Yuen

Liu

Man

, et al. k-times attribute-based anonymous access control for cloud computing. IEEE T Comput 2015; 64(9): 2595–2608.

16.

Yang

. Revocable attribute-based encryption with decryption key exposure resistance and ciphertext delegation. Inform Sciences 2019; 479: 116–134.

17.

Wei

Liu

. Secure and efficient attribute-based access control for multiauthority cloud storage. IEEE Systems Journal 2018; 12(2): 1731–1742.

18.

Xue

, et al. Efficient attribute-based encryption with attribute revocation for assured data deletion. Inform Sciences 2019; 479: 640–650.

19.

Yao

Zhang

, et al. Flexible and fine-grained attribute-based data storage in cloud computing. IEEE T Serv Comput 2017; 10(5): 785–796.

20.

Ning

Dong

Cao

, et al. White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes. IEEE T Inf Foren Sec 2015; 10(6): 1274–1288.

21.

Ning

Cao

Dong

, et al. White-box traceable CP-ABE for cloud storage service: how to catch people leaking their access credentials effectively. IEEE T Depend Secure 2018; 15(5): 883–897.

22.

Wang

Zhou

Liu

, et al. An efficient file hierarchy attribute-based encryption scheme in cloud computing. IEEE T Inf Foren Sec 2016; 11(6): 1265–1277.

23.

Chen

Zhang

. Extended file hierarchy access control scheme with attribute based encryption in cloud computing. IEEE T Emerg Top Comput. Epub ahead of print 12 March 2019. DOI: 10.1109/TETC.2019.2904637.

24.

Bobba

Khurana

Prabhakaran

. Attribute-sets: a practically motivated enhancement to attribute-based encryption. In: Proceedings of the European symposium on research in computer security, Luxembourg, 23–27 September 2009, pp. 587–604. Cham: Springer.

25.

Wan

Liu

Zhang

, et al. A collusion-resistant conditional access system for flexible-pay-per-channel pay-TV broadcasting. IEEE T Multimedia 2013; 15(6): 1353–1364.

26.

Wan

Liu

Deng

. HASBE: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE T Inf Foren Sec 2012; 7(2): 743–754.

27.

Teng

Yang

Xiang

, et al. Attribute-based access control with constant-size ciphertext in cloud computing. IEEE T Cloud Comp 2017; 5(4): 617–627.

28.

Yang

Liu

Jia

, et al. Time-domain attribute-based access control for cloud-based video content sharing: a cryptographic approach. IEEE T Multimedia 2016; 18: 940–950.

29.

NIST special publication 1800-3 attribute based access control, https://csrc.nist.gov/publications/detail/sp/1800-3/archive/2015-09-29

30.

Yang

Liu

. A novel security media cloud framework. Comput Electr Eng 2019; 74: 605–615.

An enhanced media ciphertext-policy attribute-based encryption algorithm on media cloud

Abstract

Keywords

Introduction

Related work

Preliminary

Bilinear maps

Access structure

Access tree T

DBDH assumption

Proposed algorithm

Components

MAT

Satisfying an access tree

Key chain

Using MAT and key chain

eM-CP-ABE

eM-CP-ABE model

eM-CP-ABE algorithm

Extension

Multi-authorization

User revocation

1−n MAT

Security analysis

Selective-set model

Proof of security

Performance analysis

KeyGen

Encryption

Decryption

Deployment

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

ORCID iD

References

Access tree $T$