From RBAC To ABAC Constructing Flexible Data Access Control For Cloud Storage Services

IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 8, NO.
4, JULY/AUGUST 2015 601
From RBAC to ABAC: Constructing Flexible Data

Access Control for Cloud Storage Services
Yan Zhu, Member, IEEE, Dijiang Huang, Senior Member, IEEE, Chang-Jyun Hu, and Xin Wang
Abstract—This paper addresses how to construct an RBAC-compatible secure cloud storage service with a user-friendly and
easy-to-manage attribute-based access control (ABAC) mechanism. Similar to role hierarchies in RBAC, attribute hierarchies
(considered as partial ordering relations) are introduced into attribute-based encryption (ABE) in order to define a seniority relation
among all values of an attribute, whereby a user holding senior attribute values acquires permissions of his/her juniors. Based on these
notations, we present a new ABE scheme called attribute-based encryption with attribute hierarchies (ABE-AH) to provide an efficient
approach to implement comparison operations between attribute values on a poset derived from an attribute lattice. By using bilinear
groups of a composite order, we present a practical construction of ABE-AH based on forward and backward derivation functions.
Compared with prior solutions, our scheme offers a compact policy representation approach that can significantly reduce the size of
private-keys and ciphertexts. To demonstrate how to use the presented solution, we illustrate how to provide richer expressive access
policies to facilitate flexible access control for data access services in clouds.
Index Terms—Security, secure cloud storage, role-based access control, attribute-based encryption, data migration
1 INTRODUCTION
I NCREASINGLY, more and more enterprises and individuals

have moved their data, such as personal data and large
archive system, into cloud-based storage services because
data access policy:
ðððFaculty ¼ Prof:Þ or ðFaculty ¼ Associate Prof:Þ

they provide various attractive services such as infinite or ðFaculty ¼ Assistant Prof:ÞÞ and ðDep: ¼ CSÞÞ:
capacity on on-demand, no upfront cost, long-term archiv-
Using ABE solution, this data access policy is used as a pub-
ing, etc. Furthermore, consumers can access applications
lic constraint to encrypt a data encrypting key (DEK), and
and data without location constraints. However, several
then the data is encrypted by the DEK. If a user owns
recent surveys [1], [2] showed that 88 percent potential
the private key with the corresponding attributes: i.e.,
cloud consumers worry about the privacy of their data, and
fFaculty Prof:; Dep: CSg, he can obtain the DEK and
security is often cited as the top concern for adopting cloud-
then decrypt this encrypted data.
based storage solutions.
ABE has been proved to be a powerful data access con-
Using cloud-based storage services, it is common to cen-
trol solution that meets a variety of application require-
trally store customers’ data. Security issues arose due to the
ments for cloud-based storage services. However, ABE also
fact that cloud-based storage is outsourcing-service and there
has some implementation issues when using attributes to
may incur untrusted or honest-but-curious attacks. In order
construct the data access policies. First, data migration from
to protect the privacy of consumers’ data, attribute-based
existing IT systems to a cloud storage environment is not
encryption (ABE) [3], [4], [5] has been proposed to provide
easy to be transferred because these systems are usually not
data access control for cloud storage services. ABE is a pow-
designed for ABAC. Second, ABE as a fine-grained data
erful and flexible approach, which implements attribute-
access control requires that “objects receive their attributes
based access control (ABAC) by encrypting data with a
either directly from the data creator or as a result of automated
specified access policy over attributes [6]. By matching
scanning tools” according to NIST’s ABAC definition [7]. In
attributes of access policy on the stored data, only autho-
the former case, the data creator needs to know the data
rized users who own these attributes and corresponding
access policies in advance, which may require substantial
private keys can access and decrypt the data. For example,
background knowledge on how to construct the data access
we use ABE to encrypt a file by enforcing the following
policies. In the latter case, the deployment of effective scan-
ning tools is usually difficult when the data access policies
Y. Zhu, C.-J. Hu, and X. Wang are with the School of Computer and are required to keep consistent with diverse interpretations
Communication Engineering, University of Science and Technology of access policies from various data creators and users.
Beijing, Beijing 100083, China.
E-mail: {zhuyan, Wangxin}@ustb.edu.cn, chjyhu@163.com.
These restrictions hinder the applicability of using ABE for
D. Huang is with the School of Computing, Informatics, and Decision cloud storage services.
Systems Engineering, Arizona State University, Tempe, AZ 85287. To address the above-described issues and provide a
E-mail: dijiang@asu.edu. smooth transition for using ABAC in cloud storage service,
Manuscript received 3 Feb. 2014; revised 9 Aug. 2014; accepted 25 Sept. 2014. we first investigate into the role-based access control
Date of publication 15 Oct. 2014; date of current version 7 Aug. 2015. (RBAC) that has been widely adopted by various informa-
For information on obtaining reprints of this article, please send e-mail to:
reprints@ieee.org, and reference the Digital Object Identifier below. tion systems (such as Windows/Active Directory RBAC,
Digital Object Identifier no. 10.1109/TSC.2014.2363474 HP-UX, AIX, Oracle). Compared to ABAC, advantages of
1939-1374 ß 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
nsed use limited to: MINISTERE DE L'ENSEIGNEMENT SUPERIEUR ET DE LA RECHERCHE SCIENTIFIQUE. Downloaded
See http://www.ieee.org/publications_standards/publications/rights/index.html on May 12,2022 at 09:15:28 UTC from IEEE Xplore. Res
for more information.
602 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 8, NO. 4, JULY/AUGUST 2015
It is easy to find that this approach simplifies the complexity

of deploying access policies from this instance, however
none of ABE schemes support the partial ordering relation.
Fortunately, there have been some cryptographic work [8],
[9] has been proposed to realize the hierarchical key in terms
of RBAC. The main drawback of these solutions is that they
cannot be directly utilized by ABE schemes. On the other
side, some ABE solutions support the tree-hierarchy (i.e.,
called hierarchical ABE) [10], [11], [12]. However they can-
Fig. 1. The architecture for user-friendly security cloud storage in exist-
not support full RBAC-type hierarchy [13] (i.e., a lattice with
ing RBAC system. tree, inverted tree, or general hierarchies) on all attribute val-
ues. We address the described challenges by constructing an
using RBAC include simplicity, easy-to-use, and automatic effective RBAC-compatible ABE for secure cloud storage
running without user’s intervention. To see an example of services. Our solution takes advantages of both RBAC and
this in an RBAC-based system, a role’s responsibilities and ABAC, and it is compatible with existing RBAC systems. In
relationships to other roles are usually specified by an summary, our contributions are presented as follows:
administrator or using a system default setup, and the role
assignment is usually transparent to end users. Typically, We present a practical solution to convert RBAC-
users do not need to develop access policies for their own based rules into ABAC-based policies. This conver-
resources; but if necessary, they can customize their own sion can help migrate the data from existing RBAC
policies. Based on this fact, our goal is to establish a user- systems into ABE-based secure cloud storage. This
friendly, secure, flexible, and easy-to-manage access control solution fully utilizes the highly automated feature
service by transferring the easy-use features of RBAC model of existing RBAC system, so it provides the follow-
into the ABAC model by applying ABE schemes. As a ing advantages:
result, cloud storage services can be naturally implemented - including good properties of both RBAC and
based on this kind of ABAC model. ABAC;
To illustrate the presented solution, an example of cloud - making it compatible to existing RBAC;
storage service is shown in Fig. 1, where conversion mecha- - realizing more flexible policy enforcement for
nism from RBAC to ABAC (realized by Migration Proxy) is cloud data storage due to policy expended from
introduced as a bridge that migrates automatically data from RBAC to ABAC.
existing RBAC systems to cloud-based ABAC system. In this We present an effective cryptographic method to
system, public cloud could be used to store actual data in the realize partial ordering relation (derived from hierar-
ABE-encrypted form. Users who wish to share or access the chy structure in RBAC) used by existing ABE solu-
data only need to interact with the existing RBAC systems tions. In our approach, a hierarchical hash function
(such as Windows NT and Linux); and the migration proxy (HHF) is introduced for realizing the cryptographic
should make automatically and routinely data transmission order-preserving mapping from a partial-order hier-
between two systems. At the meantime, the cloud storage archy. Based on this function, we present a new ABE
service can also provide ABAC-based security policy scheme, called ABE with Attribute Hierarchy (ABE-
enforcement directly to more advanced users. AH), for our RBAC-compatible data access control
To achieve the described system, there are many techni- for secure cloud storage services.
cal challenges to overcome. One of the most challenging We prove that our ABE-AH scheme is semantic
issues is to implement the hierarchy structure used by secure and unforgeable under the Computational
RBAC as well as cryptographic partial ordering relation in Diffie-Hellman (CDH) and extended Decisional Dif-
ABE. This means that we must provide an efficient fie-Hellman (eDDH) assumptions.
approach to support attribute hierarchy with arbitrary par- Compared with prior ABE solutions, ABE-AH
tial ordering relations, including the comparative opera- scheme provides more succinct and richer policy
tions (ai aj ) for a poset H ¼ ðA; Þ on a set of attributes representations with more flexible access control
A ¼ fa1 ; . . . ; an g. Such a partial ordering relation is very capabilities.
helpful to reduce the computation overhead of using ABE, Organization. Section 2 overviews some basic notations and
as well as to keep the compatibility with the RBAC model. frameworks. In Section 3, we present our solution from
For instance, in the previously presented example, we can RBAC to ABAC. Sections 4 and 5 provide the definitions of
define a set of attribute values as ABE-AH, security models, and cryptographic partial ordering
relations. We present the construction of ABE-AH and its
Faculty ¼ fLecture; Assistant Prof:; Associate Prof:; Prof:g security analysis in Sections 6 and 7, respectively. We evaluate
the performance of the ABE-AH scheme in Section 8. Finally,
and a partial ordering relation (called attribute hierarchy) We conclude the solution in Section 10.
Lecture Assistant Prof: Associate Prof: Prof: Then,
we can define a policy as
2 NOTATIONS AND DEFINITIONS
ððFaculty Associate Prof:Þ and ðDep: ¼ CSÞÞ: In this section, we provide the definitions of RBAC and
ABAC models, as well as some notations used in this paper.
nsed use limited to: MINISTERE DE L'ENSEIGNEMENT SUPERIEUR ET DE LA RECHERCHE SCIENTIFIQUE. Downloaded on May 12,2022 at 09:15:28 UTC from IEEE Xplore. Res
ZHU ET AL.: FROM RBAC TO ABAC: CONSTRUCTING FLEXIBLE DATA ACCESS CONTROL FOR CLOUD STORAGE SERVICES 603
Furthermore, the relationships between them are discussed TABLE 1

and analysed, and ABE over ABAC is introduced in the Grammar for ABAC Addresses and Policies
end. These discussions lay a foundation for our solution.
Name Symbol Description
Attribute Ai 2 a set of attributes A
2.1 RBAC Model Attribute value ai;j 2 Numerals j Strings
Delivery Policy p ::¼¼ %
In an information system, a hierarchy or lattice is used to Condition % ::¼¼ xjð% or %Þjð% and %Þ
denote the relationships and arrangements of the objects, Literal x ::¼¼ ðAi ai;j Þ
users, elements, values, and so on. Especially, in many access Relation ::¼¼ j j¼jj
control systems the users are organized in a hierarchy con-
structed with a number of classes, called security classes or
roles, according to their competencies and responsibilities. their juniors. In fact, this kind of attribute lattice has been
This hierarchy arises from the fact that some users have introduced in ABAC model [6].
more access rights than others. In order to manage large- Table 1 describes the language according to [15]. We
scale systems, the hierarchy in RBAC becomes more complex call an access control system as an ABAC system if this
than other systems. Especially, role hierarchy (RH) is a natu- system satisfies the above specifications. Here, access
ral means for structuring roles to reflect an organization’s policy can be expressed as a logical function on some
lines of authority and responsibility. We adopt the defini- attribute values. For the sake of clarity, we propose a defi-
tions from RBAC models proposed by Sandu et al. [14]: nition of policy matching (or relation matching) of attribute-
Definition 1 [Hierarchical RBAC model]. The RBAC model based access control as follows:
has the following components: Definition 2 (ABAC Model). The ABAC model has the follow-
U, R, P , and S denote users, roles, permissions and ing components:
sessions respectively; Let A ¼ fA1 ; . . . ; An g be a (finite) set of attributes. Let
PA P R is a many-to-many permission to role Ai ¼ fai;1 ; . . . ; ai;m g be a set of values correspond to
assignment relation;
an attribute Ai 2 A. Ai is called as a hierarchy, if all
UA U R is a many-to-many user to role assign-
elements in ai have a partial ordering relation . That
ment relation;
is, Hi ¼ ðAi ; Þ.
RH R R is a partial order on R called the role
Let x :¼ Ai ai;j denote a literal in terms of the rela-
hierarchy or role dominance relation, written as ;
tion between Ai and ai;j in a poset Hi . For an assign-
user : S ! U is a function mapping each session si to
ment of attribute value Ai ai;l , the relation
the single user userðsi Þ; and
Ai ai;j returns “true” if ai;l ai;j ; otherwise, it
roles : S ! 2R is a function mapping each session si
returns “false”.
to a set of roles: rolesðsi Þ fr 2 R j 9r0 2 R; r r0 :
0 Let p :¼ ]xk denote an access policy function based on
ðuserðs
S i Þ; r Þ 2 UAg and si has the permissions:
00 00 00 the Boolean function, where ] denotes either and or or
r2rolesðsi Þ fp 2 P j 9r 2 R; r r : ðp; r Þ 2 PAg. logical operation. For the assignment of attribute val-
The last component states that the system can automati- ues r :¼ ðA1 ; . . . ; An Þ ða1;j1 ; . . . ; an;jn Þ, the policy
cally run the RBAC without user’s intervention. When a matching between hp; ri (which is denoted as
user performs an operation, first of all, the system uses the Matchðp; rÞ) returns “true” if the Boolean function is
function userðsi Þ, taking as input the session si , to get the satisfied according to the results of literals, otherwise,
single user. Next, the set of the user’s roles rolesðsi Þ is it returns “false”.
known by using the user to role assignment relation UA. User has the access permission specified by p iff
W
Then, the user’s permissions are found by using the role r2S Matchðp; rÞ ¼ true for a set of attribute assign-
hierarchy RH and permission to role assignment relation ments S ¼ frg.
PA. Finally, the system determines whether the user’s oper-
In Fig. 2, we show some simple examples of university
ation is legitimate according to the permissions. We present
information system to describe the above definition. These
some terminologies in partial order. Let C ¼ hP; i be a
examples includes three attribute lattices: Departments,
(finite) partially ordered set with partial order relation on
faculty, and Clearance. For example, there exists the senior-
a (finite) set P . Two distinct elements x and y in C are said
ity relation among four basic levels of clearance: ðunclassified
to be comparable if x y or y x. Otherwise, they are
confidential secret topsecretÞ. Similarly, there also exists
incomparable, denoted by xky and ?x denotes the indepen-
the relation among three levels of faculty: ðlecture
dent set fy 2 P j xjjyg.
assistant prof: associate prof: prof:Þ. If the above defi-
nition is implemented in ABE, we can define a policy of
“Read” permission as
2.2 ABAC Model
Similar to role hierarchy in RBAC, the hierarchy is also
p :¼ ðfaculty assistant prof: or clear:
extremely useful for ABE to introduce attribute hierarchy or
attribute lattice (AH or AL), which defines a seniority rela- secretÞ and Depart: School of Engineering:
tion among all values of an attribute, whereby a user hold-
ing the senior attribute values acquires the permissions of Next, given a set of attribute assignments
Fig. 2. Some examples for attribute lattice in a management information system.
r :¼ ðDepartments; Faculty; ClearanceÞ space A1 A2 An is used to express the char-

ðElectrical Depart:; associate prof:; topsecretÞ; acteristics of a user in ABAC;
Hierarchical structure. in RBAC all roles are usually
it is easy to compute the result of matchðp; rÞ. Hence, the included in a role hierarchy, but in ABAC each attri-
attribute lattice can simplify the access policy, reduce the bute has a hierarchical structure. This does not mean
computational overheads, and decrease the size of cipher- that the expression ability of RH is weaker than that
texts and private-keys in ABE. Note that, the ABE with AH of AH because we are able to integrate multiple hier-
must have the ability to support full RBAC model with tree, archies into a hierarchy, but these attribute hierar-
inverted tree, and general hierarchies on them, as shown chies are simpler and easier to use and understand
Fig. 2. than role hierarchy.
In short, ABAC provides a more scalable and flexible Resource’s constrain specification. in both models they
access management based on powerful policy specification. are stored together with the resources. Given a cer-
Moreover, ABAC supports some new features, for example, tain resource, in RBAC they are represented as a
dynamically changing attributes, such as time of day and binary relation between roles and permissions, but
location, can be accommodated in access control decisions. in ABAC they are as an access policy on Boolean
function. Obviously, the expression ability of the lat-
2.3 RBAC versus ABAC ter is stronger than that of the former;
In this section we discuss the relationships between Permission criterion. RBAC relies on the following
RBAC and ABAC, which will be used to implement the search of permissions:
conversion from RBAC to ABAC below. First of all, it is [
easy to find that there exist some similarities between fp 2 P j9r00 2 R; r00 r : ðp; r00 Þ 2 PAg;
r2rolesðsi Þ
them. For example, both RBAC and ABAC are able to
map each user to a set of identities (roles or attributes).
the result of which is a set of permissions authorized
When the number of users is far greater than the number
to access the particular resource for the current ses-
of identities, such a mapping can help simplify authority
sion. In ABAC it relies on policy matching between
management for a large organization. Similarly, both
policy function p and attribute assignments S ¼ frg
adopted hierarchical structure (which be used to realize
as follows:
comparison operators) to further simplify authority man-
agement. Although there are these similarities between, it _
true accept
is obvious to find many differences (see Table 2), which Matchðp; rÞ ¼
false reject:
be summarized as follows: r2S
User’s authority. in RBAC we use a simple binary Observing the above comparison, it is not difficult to find
relation between users and roles, and in most cases that ABAC model has stronger ability to express complex
only one role is assigned in current session; but a set access policies than RBAC model, moreover RBAC-based
of attribute assignments included in the attribute rule can be converted and integrated into ABAC-based policy.
TABLE 2
Comparison between RBAC and ABAC
RBAC ABAC
User’s authority UA: a binary relation between U R r: multiple attribute assignments
Hierarchical structure RH: one role hierarchy Hi : multiple attribute hierarchies
Resource’s constrain specification PA: a binary relation between P R p: an access policy function
Permission criterion Relation search between user and permission Match: policy matching between p and r
Fig. 3. The framework of RBAC-Compatible ABE for secure cloud storage.
Benefited from this kind of conversion, ABAC-based cloud (as an example of line ordering relation) based on CP-ABE
storage service will provide a more secure, flexible, scalable scheme, it is not efficient enough for general partial ordering
way to share data than existing RBAC-based IT systems. relations.
2.4 ABE over ABAC 3 SOLUTION FROM RBAC TO ABAC

Attribute-based encryption is a cryptosystem built on In this section we propose a practical solution for moving
ABAC model [3], [4], [16], [17]. In ABE, attributes are used the data from RBAC system into ABE-based secure cloud
to encrypt data, such as key-policy ABE (KP-ABE) [3] or storage. We first introduce the framework of this solution.
used as credentials to decrypt data, such as ciphertext-pol- Then we propose an effective method that converts RBAC
icy ABE (CP-ABE) [17], [18]. We adopt the construction, rules into ABAC policies. Finally, a RBAC-compatible ABE
proposed by the BSW’s CP-ABE scheme [17], to realize the is defined to meet the needs of construction of this solution.
logical operations and string matching. In CP-ABE, access
policy function is used to constraint the decryption permis-
sion, that is, the decryption is authorized iff Matchðp; 3.1 System Framework
rÞ ¼ true, where the policy function p is hidden into cipher- In this paper we focus on the solution of migrating and
text and r is assigned to the user’s private key. sharing the data in existing RBAC systems into cloud. We
In order to realize the policy matching Matchð Þ, one of try to resolve two problems: 1) how to remain access con-
main techniques, cryptographic logical operations, have straints of data on RBAC to implement data sharing in
been developed in recent years. In CP-ABE, cryptographic cloud; and 2) how to ensure the security of data in public
logical operations is implemented by using an extension of cloud, especially for “honest and curious” cloud [19].
general threshold secret sharing (SS): ABAC model is considered as a suitable solution for
secure information sharing in large-scale organizations,
Definition 3 (Threshold Secret Sharing). Let t; n be positive especially for cloud computing environments. However,
integers, t n, A ðt; nÞ—threshold scheme is a method of facing with a variety of existing enterprise RBAC systems,
sharing a secret s among a set of n participants, in such a way re-establishment of such a ABAC system is not realistic.
that any t participants can compute the value of s, but no Therefore, we desire to develop a new “transparent” migra-
group of t 1 participants can do so. tion solution that existing RBAC systems are integrated into
It is easy to note that AND and OR logics can be realized the cloud to implement better data sharing. In our solution,
by the threshold secret sharing scheme, as follows: a ABAC-based system is deployed in the cloud, existing
RBAC systems are unified into this cloud ABAC system.
AND gates. considered as ðn; nÞ-threshold schemes; The openness of cloud computing means that more autho-
OR gates. considered as ð1; nÞ-threshold schemes. rized users have quick and easy access to the cloud data
Therefore, t-of-n AND gates can be constructed as they need. Furthermore, the ABE cryptosystem must be
ðt; nÞ-threshold schemes. The common scheme introduced used for data security in cloud ABAC system. Hence, our
by Shamir is based upon Lagrange interpolation, namely, it goal is to improve ABE for implementing cloud data
takes t points to define a polynomial of degree t 1 and the encryption in the existing RBAC systems.
secret s is represented as the free coefficient of polynomial. In order to achieve this goal, we expect to provide an
Further, hierarchical secret sharing is also suitable for Bool- effective method that transforms the RBAC mechanism into
ean formulas: given a logical hierarchy over AND/OR oper- an ABE-based instance. Based on this instance, data can be
ations, a logical tree can be constructed to express this encrypted by using ABE and then stored into cloud. In
hierarchy and the secret is set as the value of root of this Fig. 3 we describe the framework of our solution, where
tree, such that the values of lower nodes can be calculated a user can use the existing system with RBAC (such as
recursively by sharing the value of upper nodes in terms of Windows, Linux) to access cloud resources. The accessing
ðt; nÞ-threshold schemes. process is completely transparent to the user, at the same
However, there has been little work on studying crypto- time, data can be stored and shared by using ABE encryp-
graphic comparison mechanisms to support partial ordering tion. In this figure, an existing RBAC system is connected to
relations. Even though Bethencourt et al. [17] presented a bit- cloud storage service on ABAC model. To migrate RBAC
wise comparison method to implement integer comparison data to cloud, a new module, called migration proxy, need
to append into RBAC system. The proxy can perform the conversion method based on “one-to-many” mapping from
following functions: rule conversion between RBAC and role to attribute as follows:
ABAC, encryption/decryption processes, and key manage-
ment. The process of proxy is described as follows: The role set R is divided into n groups of set of
attributes, that is, R ¼ A1 A2 An . For each

When a “create” requestor asks to store a new data to Ai , we build a hierarchy ðAi ; Þ.
cloud, the proxy converts the role of roles corre- Map each permission p 2 P to a policy function p,
sponding to permission p1 ¼ “write”, p2 ¼ “create”, but Equation (1) also need to become
and p3 ¼ “read” into policy functions fp1 ; p2 ; p3 g !
according to Section 3.2; and then, the proxy obtains _ ^
p :¼ ðai Ai Þ :
the ABE keys escrowed by key management unit, 8r¼ða1 ;...;an Þ;ðp;rÞ2PA ai 2r
and uses the keys and fp1 ; p2 ; p3 g to encrypt the data
as ABE-ciphertext; finally, the ciphertext and its pol-
Similarly, Equation (2) becomes
icy fp1 ; p2 ; p3 g is sent to the cloud.
When a “write” requestor asks to write the existing r :¼ ðA1 ; . . . ; An Þ fða1 ; . . . ; an Þj
data to cloud, the proxy does not need to rewrite the
policy function fp1 ; p2 ; p3 g, but re-encrypts the mod- ¼ ða1 ; . . . ; an Þ 2 R : ðu; rÞ 2 UAg:
ificated parts into the cloud.
When a “read” requestor asks to read data stored in We define the partial ordering relation on the Cartesian
the cloud, the proxy first downloads the policy func- product of ordered sets as follows: ða1 ; . . . ; an Þ ða01 ; . . . ; a0n Þ
tion p3 corresponding to permission “read” and per- if and only if a1 a01 ^ ^ an a0n . This is a partial order.
forms the access authorization decision (see Section Next, we describe the process of accessing cloud resour-
3.2); if it permits, the proxy obtains the ABE keys ces. If the user wishes to access the data in the cloud, the
escrowed by key management unit, and then down- system first obtains the access policy of the resource, then
loads and decrypts the data. calculates rolesðsÞ to get the set of authorized roles, where
We will highlight the rule conversion from RBAC to rolesðsÞ fr 2 R j 9r0 2 R; r r0 : ðuserðsÞ; r0 Þ 2 UAg. Using
ABAC, as well as RBAC-compatible ABE system below. the set of authorized roles, the system can check whether
there is an effective subset of roles in rolesðsÞ which meets
3.2 Rule Conversion from RBAC to ABAC the above access policy, that is, Matchðp; rÞ ¼ true. If the
Recall the analysis in Section 2.3, it is easy to find that subset exists, the system downloads the data and decrypts
ABAC’s expression ability is stronger than that of RBAC. it locally.
This means that we might convert access constraints from We give a simple approach to implement “Access Autho-
RBAC model into ABAC model. Given a RBAC system that rization Decision”, which adopts the roles in RBAC to verify
is constructed on standard RBAC model in Definition 1. We the ABAC policy function p. In the case of simple “one-to-
present a simple conversion method based on “one-to-one” one” conversion, the verification can be checked by using
mapping from role to attribute as follows: _
true accept
Matchðp; ðA aÞÞ ¼
Map the set of roles R and its hierarchy RH to a a¼r;r2rolesðsÞ
false reject;
poset ðA; Þ ¼ ðR; RHÞ, where each roles ri 2 R W
becomes the attribute values ai 2 A and A ¼ R. This where p :¼ 9r00 ;ðp;r00 Þ2PA ðr00 RÞ. This means that there
mapping is direct and obvious. exists at least one r 2 rolesðsÞ and r00 2 R for r00 r to make
Map each permission p 2 P to a policy function p ðp; r00 Þ 2 PA if the above verificaiton is accepted. This is con-
with Boolean function sistent
S with the statement of permissions in RBAC, that
00
_ is, r2rolesðsÞ fp 2 P j 9r 2 R; r00 r : ðp; r00 Þ 2 PAg. Further-
p :¼ ðr AÞ: (1) more, in the case of “multi-attribute” composite, the above
9r;ðp;rÞ2PA equation turns into
_
Matchðp; ðA1 ; . . . ; An Þ ða1 ; . . . ; an ÞÞ
Map user’s assignments (for a certain u 2 U) to an 8r¼ða1 ;...;an Þ;
attribute assignment r as rrolesðsÞ

true accept
¼
r :¼ A fr 2 R j ðu; rÞ 2 UAg: (2) false reject:
Similarly, it is obvious that this conversion is also consistent

However, this conversion does not show the advantage with the statement of permissions RBAC. In short, the
of ABAC model. In the respect of granularity, the role in above-mentioned conversions will be used to construct our
RBAC (coarse grain) can be considered as “multi-attribute” RBAC-compatible ABE system.
composite. For example, “School Leader of Business (SLB)” In practical applications, we highlight two extra atten-
in RBAC is able to denote the composite of two attributes: tions: 1) we must clearly understand the relationship among
“School of Business” and “Leader”. Therefore, the above- roles and role hierarchy in RBAC system because we found
mentioned conversion can be performed in a more flexible that the definition of role hierarchy is not clear in some
way. So, we present a more effective multi-attribute existing RBAC systems; and 2) In the multi-attribute
The proxy writes these two policies ðpwrite ; pread Þ into

the header of Doc1 and uses pread :¼ ðSB AÞ encrypts the
file by using the Encrypt algorithm in ABE. Finally, the
encrypted file Doc1 is migrated into the cloud.
When the user Vincent expects to access this file by using
the Migration proxy, the proxy first obtains the session s (by
using command in the operation system) from RBAC sys-
tem, and then invokes the function usersðsÞ ! ðVincentÞ to
get the user’s name (see Equation (3)). Based on it, the proxy
computes all possible roles by using the following function:
rolesðsÞ fr 2 R j 9r0 2 R; r r0 : ðuserðsi Þ; r0 Þ 2 UAg

¼ fr 2 R j 9r0 2 R; r r0 : ðVincent; r0 Þ 2 UAg
Fig. 4. Attribute lattice used in our example.
¼ fr 2 R j r EcD : ðVincent; EcDÞ 2 UAg
conversion, we emphasize that the mapping from roles ¼ fEcD; SB; Ung:
to attributes must be strictly satisfy the partial ordering
Next, the proxy downloads the permission assignment PA
relation on the Cartesian product of ordered sets. It is also
of Doc1 from the cloud and checks the permission:
a good alternative for “one-to-one” mapping from role to
attribute if the above-mentioned attentions are not met. [r2rolesðsÞ fp 2 P j 9r00 2 R; r00 r : ðp; r00 Þ 2 PAg
3.3 An Example of Our Solution ¼ [r2fEcD;SB;Ung fp 2 P j 9r00 2 R; r00 r : ðp; r00 Þ 2 PAg
We assume we have a simple RBAC-based University sys- ¼ fp 2 P j 9r00 2 R; r00 EcD : ðp; r00 Þ 2 PAg
tem, in which the set of roles R and role hierarchy RH are [ fp 2 P j 9r00 2 R; r00 SB : ðp; r00 Þ 2 PAg
showed in Fig. 4 (it is the same as the Department in Fig. 2). [ fp 2 P j 9r00 2 R; r00 Un : ðp; r00 Þ 2 PAg
We assume that there exist two users Vincent and Crown
¼ fRead 2 P j 9SB 2 R; SB EcD : ðRead; SBÞ 2 PAg
in this system, that is, U :¼ ðVincent; CrownÞ. Moreover, we
assume that Vincent works at EconomicsDepartment (EcD) [ fRead 2 P j 9SB 2 R; SB SB : ðRead; SBÞ 2 PAg
and Crown is a SchoolLeaderofBusiness, namely, ¼ fReadg:
UA :¼ ððVincent; EcDÞ; ðCrown; SLBÞÞ; (3) Hence, the proxy allows to download the encrypted file
Doc1 with an encryption policy pread :¼ ðSB AÞ for
where EcD and SLB are two acronyms for name of depart- Vincent. Vincent is able to decrypt this file by using his pri-
ment. According to Equation (1) in our convention method, vate key with attribute assignment rVincent ¼ A EcD
the system manager designates the attribute assignments because the policy matching between the ciphertext’s policy
function and the user’s attribute assignment,
rVincent :¼ A fr 2 R j ðVincent; rÞ 2 UAg ¼ A EcD;
rCrown :¼ A fr 2 R j ðCrown; rÞ 2 UAg ¼ A SLB Matchðpread ; rVincent Þ
¼ MatchðSB A; A EcDÞ ¼ true
into the ABE’s private key of Vincent and Crown,
respectively. is satisfied in terms of the relation SB EcD in RH.
Next, we assume that a document (called Doc1 ) in this The “write” (or “create”) operation also executes the sim-
system has the Read and Write permissions, P :¼ ðRead; ilar process as above besides the process of file encrypting
WriteÞ, and the permission-to-role assignment is and migrating to cloud is accomplished by the migration
proxy. In this process, the proxy only needs to verify the
PA :¼ ððRead; SBÞ; ðWrite; SLBÞÞ; (4) matching between the file’s policy and the user’s attribute
where SB and SLB denotes SchoolofBusiness and assignment. For example, the user Crown tries to write the
SchoolLeaderofBusiness. According to Equation (2) in our file Doc1 , the proxy invokes userðsÞ ! ðCrownÞ and rolesðsÞ
convention method, the migration proxy can generate two fr 2 R j r SLB : ðCrown; SLBÞ 2 UAg ¼ fSLB; EcD;
policy functions AcD; SB; Ung. S Based on these values, the permission
00 00
is com-
puted as r2fSLB;EcD;AcD;SB;Ung fp 2 P j 9r 2 R; r r : ðp;
_
pwrite :¼ ðr AÞ r00 Þ 2 PAg ¼ fRead; Writeg in terms of the policy PA in
9r;ðWrite;rÞ2PA Equation (4). Hence, Crown have the authority to write the
_ document Doc1 , and the proxy re-encrypts the modification
¼ ðSLB AÞ ¼ ðSLB AÞ
parts submitted by Crown into cloud by using the escrowed
9SLB;ðWrite;SLBÞ2PA
_ ABE encryption key.
pread :¼ ðr AÞ We have the ability to achieve multi-attribute conversion
9r;ðRead;rÞ2PA at the same process as above if the roles are “one-to-many”
_
¼ ðSB AÞ ¼ ðSB AÞ: mapped to several different set of attributes. This kind
9SB;ðRead;SBÞ2PA conversion is very intuitive and can help to simplify the
role hierarchy.
It is obvious that our conversion methods are complete against chosen plaintext attacks with adaptive attribute lat-
and sound from the above examples, only if ABE can sup- tice (IND-AH-CPA), which can be transformed into the
port partial ordering relation over one or more attribute security against chosen ciphertext attacks (IND-CCA) by
sets, as well as the matching operation Matchðp; rÞ in applying a random oracle technique based on Fujisaki-Oka-
decryption. However, the existing schemes do not support moto transformation. In this kind of security, we consider
this relation. For this purpose, we will put forward such an that the adversary can query arbitrary partial ordering rela-
effective ABE construction in next section. tions (attribute hierarchies) to construct a key hierarchy.
Given an ABE-AH scheme ES, the IND-AH-CPA security is
4 RBAC-COMPATIBLE ABE evaluated by the following game:
In the previous section, the attribute hierarchy (partial Setup. The challenger B runs Setup algorithm, gives the
ordering relation on ðA; Þ) have been introduced to RBAC- adversary A the public parameters pp, and keeps the
Compatible ABE. This means that comparison operation master key msk and the encryption key ek secret;
on attribute hierarchies would be executed in the ABE. Query. The adversary A gives the challenger B an attribute
However, existing ABE schemes do not support comparison identity-poset pair ðAi ; Hi Þ, where Hi ¼ hVi ; i is an
operation on attribute hierarchies at present.1 In light of arbitrary partial ordering relation. The challenger B
the fact that the comparison operation can enhance the assist A to construct the cooperatively attribute lattice.
capacity of constraint expressions, decrease the computa- After all queries are realized, the adversary can require
tional overheads of encryption and decryption, and reduce the challenger B to generate a valid ciphertext for an
the size of ciphertexts and private-keys, in this section we arbitrary policy p and message M.
design an efficient cryptographic comparison operations for Challenge. The adversary A submits two equal length mes-
arbitrary partial orders to support the expressions of attri- sages M0 and M1 . In addition, the adversary gives a
bute lattices in ABE. challenge policy p in terms of A. The challenger B flips
a random coin b 2 f0; 1g, and encrypts Mb under a pol-
4.1 ABE with Attribute Hierarchies icy p. The correspondent ciphertext Cb is given to the
An attribute-based encryption with attribute lattice (ABE- adversary A.
AH) consists of the following five algorithms: Guess. The adversary outputs a guess b0 2 f0; 1g of b.
Setup(A; S). Takes in the parameters of cryptosystem S and In this game, the advantage of the adversary A attacking
the attribute universe description A. It outputs a master the ABE-AH scheme is defined as AdvES IND AL CPA
ðAÞ ¼

key msk, the public parameter pp and a encryption-key
1
jPr½b 0
¼ b Pr½b 0
¼
6 bj ¼ Pr½b0 ¼ b 1; where the proba-
2 2
ek; bility is taken over the random coins of A and all probabilis-
GenKey(msk; r). Takes in the manager key msk and a user’s tic algorithms in the scheme.
attribute assignments r for a certain user. It outputs a
Definition 4. A ciphertext-policy attribute-based encryption with
user’s private-key usk.
attribute lattice scheme is ðt; "Þ-adaptive attribute lattice
Encrypt (ek; p; M). Takes in the encryption key ek, the access
against chosen plaintext attacks (IND-AH-CPA), if for any
policy p over A, and the plaintext M 2 f0; 1g . It out-
polynomial time adversary with time-complexity t, there is at
puts a ciphertext C such that only users whose private
most a negligible advantage " in the above game.
keys satisfy the access policy p are able to exact M.
Decrypt (pp; usk; C). Takes in the public parameters pp, a
ciphertext C and a private key usk. If the set of attrib- 5 CRYPTOGRAPHIC PARTIAL ORDERING
utes of usk satisfies the access policy of the ciphertext, it RELATIONS
outputs the plaintext M. In this section, we propose a novel construction for integer
In this framework, the scheme must obey this rule as comparison to overcome the limitations of BSW’s CP-ABE
follows: Given the above-mentioned ðr; pÞ, we can compute scheme. We first give the background on compositing order
ðmsk; pp; ekÞ SetupðA; SÞ and gsk GenKeyðmsk; rÞ. bilinear groups. Then, we present two key constructions:
Such that, we hold forward and backward derivation functions. Finally,
2 3 we present the construction of our ABE scheme based on
Decryptðpp; usk; CÞ ¼ Mj those techniques.
Pr4 C Encryptðek; p; MÞ; 5 ¼ 1;
Matchðp; rÞ ¼ true
5.1 Our Approach
if and only if the access is granted over hp; ri according to From the discussions above, an efficient secure comparison
the policy matching criterion. mechanism is needed to express complex access policy and
realize attribute hierarchy. This motivates us to investigate
4.2 Security Definition of ABE-AH a new approach for partial ordering relation, which can be
To analyze the security of ABE-AH scheme, we first con- used to construct encryption schemes based on various
sider a new kind of security, called indistinguishability comparison relations. In the following, we present our idea
of a new approach for cryptographic comparison built on
the mathematical principles of comparison relation.
1. Note that this kind of hierarchy on posets is different from that on
the hierarchy IBE (HIBE) schemes because the latter only supports a In mathematics, the comparison relation on a partially
tree structure. ordered set (or poset) is a binary relation denoted by infix ,
property. This process can be expressed to build two func-

tions: Mapping function cð Þ converts a partial ordering set
to a new set of random numbers; and Ordering function fð Þ
sets up a new ordering relation in the new set of random
numbers. Typically, the mapping function is confidential,
but the ordering function is publicly verifiable. So, we re-
define these two functions with private/public key, as
follows:
Fig. 5. The order preserving mapping for general poset.
Mapping function c : SK H 7! V , which converts a
e.g., ða; bÞ or a b, where a binary relation on a set H is a poset H into V , where SK is a set of private keys.
collection of ordered pairs of elements in H. Strictly speak- Ordering function f : PK V 7! V , which can pub-
ing, the comparison on integer is a total order or a linear licly compute the value of other element in V from a
order which is a binary relation with the following proper- element, only if these two elements satisfies ordering
ties: for any a; b 2 U, we have relation, where PK is a set of public parameters.
We illustrate this process and the two functions in Fig. 6.
Reflexivity. a a; Note that, the randomness property of elements in V is nec-
Antisymmetric. If a b and b a then a ¼ b; essary to ensure the security of comparison relation, in par-
Transitivity. If a b and b c then a c. ticular, to prevent forgery.
For a and b are two elements of a partially ordered set H, A related technique called order-preserving encryption
if a b or b a, then a and b are comparable. Otherwise (OPE) was introduced in database community by Agrawal
they are incomparable, denoted by ajjb. et al. [20]. We say that the encryption scheme ðK; E; DÞ is an
Our objective is to develop an effective method for cryp- OPE scheme if E K ð Þ is an order-preserving function in inte-
tographic comparison relation. That is, let H ¼ fa1 ; ger. That is, E K ðiÞ > E K ðjÞ iff i > j. Note that, the comparison
a2 ; . . . ; am g be a countable set with partial ordering, we operation > between two ciphertexts is straightforward
expect to define a set of cryptographic random numbers numerical comparison, which is a tough hypothesis for
V ¼ fv1 ; v2 ; . . . ; vm g in a large space F, which can preserve designing an OPE scheme. Such that, as far as we know, “the
the order of elements in H. To do so, we can make use of a first formal cryptographic treatment of OPE did not appear
cryptographic map c : H ! V to convert H to V: 2 It is obvi- until recently” [21]. Moreover, the OPE scheme is not suit-
ous that c must be an order-preserving mapping such that if able for general partially ordered relation because the
ai aj in H, it implies there exists a partial-order relation numerical comparison just meet the totally ordered relation.
to ensure vi vj in V , where vi ¼ cðai Þ and vj ¼ cðaj Þ. In Hence, our proposed approach cannot be replaced by OPE.
Fig. 5, we describe this kind of order preserving mapping c
from U to V , where is used to represent the order relation
between vi and vj . Here, vi vj does not means the value of
vj is greater than that of vi . 5.2 Hierarchial Hash Functions
In order to ensure the security of cryptosystem, V ¼ As the above-mentioned approach, we give the crypto-
fv1 ; v2 ; . . . ; vm g is required to be a set of random values. graphic definitions of order-preserving mapping, called
Here it comes the question: how to define the partial ordering hierarchical hash function (HHF, represented as fpk; ð Þ) in
relation over a set of random values in a secure manner? By this section. Such a function implement the comparison
“secure”, we mean if ai aj , then it is easy to verify the operation on a poset ðH; Þ.
relation vi vj ; otherwise, vi vj is not provable. At first, we setup the relation over V by using a ran-
To answer this question, we turn our attention to use dom mapping function. Given a cryptographic map c :
cryptographic “one-way” property to represent the partial SK H ! V , where V ¼ fv1 ; v2 ; . . . ; vm g is a set of crypto-
ordering relation in set V . The one-way property means graphic values and vi ¼ csk ðai Þ for all i 2 ½1; m and ai is
that given the integer relation ai aj and two corre- any attribute string in f0; 1g . We require that vi is random
sponding value vi ; vj , there exists an efficient algorithm and hard-to-guess if sk is unknown.
fð Þ to obtain vj from vi , but it is hard to compute vi from Next, it is obvious that csk ð Þ must be an order-preserv-
vj . So we have ing mapping, that is a map such that if ai aj in H implies
there exists a partial-order relation to ensure vi vj in V .
ai aj , Pr½fðvi Þ ¼ vj ¼ 1; Therefore, in order to setup this kind of relation over V , we
consider the partial-order relation in V as the “one-way”
where, , denotes the equivalence relation. In fact, this property in cryptography. Therefore, we provide a defini-
means that the decision problem of ai aj converted into tion of hierarchy hash function that is used to construct pub-
computing function problem of vj ¼ fðvi Þ. lic ordering function, as follows:
In summary, our idea for cryptographic comparison rela-
Definition 5 (Hierarchial Hash Function). Given a function
tion on hH; i is to create a mapping from a partial ordering
f : PK V ! V based on a set ðH; Þ, it is called a forward
set to a new set of random numbers, and then define a new
derivation function if it satisfies the conditions:
ordering relation on the new set based on “one-way”
Easy to compute. The function fð Þ can be computed in
2. In fact, V is a small subset of set of cryptographic values. a polynomial-time, if ai aj , i.e., vj fpk;ai aj ðvi Þ;
Fig. 6. Our solution for cryptographic comparison relation.
Pre-image resistance. It is infeasible for any probabilis- HðAi jjaij Þr for all aij 2 Ai . And then, we define the random
tic polynomial time (PPT) algorithm to compute vj mapping function csk ð Þ as follows:
from vi if aj ai . Y
Second pre-image resistance. Given an input vi 2 V , it vij csk ðai;j Þ ¼ vrij ¼ wi0 wik
is infeasible for any PPT algorithm to find vj 2 V , aij 6aik
Y
ai jjaj and fpk;ai ak ðvi Þ ¼ fpk;aj ak ðvj Þ. ¼ HðAi Þ r
HðAi jjaij Þr 2 G;
aij 6ak
The above definition follows the definition of general
hash function, but from a viewpoint of practical use, we Q
where vij ¼ wi0 aij 6aik wik . Note that, everyone can com-
did not require collision resistance, that is, it is infeasible pute HðAi Þ and HðAi jjaij Þ, but vi;j cannot be computed if
for any PPT algorithm to find two elements vi and vj 2 V the secret r is unknown. So we build the public parameter
and fpk;ai ak ðvi Þ ¼ fpk;ai ak ðvj Þ. In addition, the transitivity (or the part of ciphertext) as
property can be satisfied because fpk;ai ak ðvi Þ ¼ fpk;aj ak
ðfpk;ai aj ðvi ÞÞ. pk ¼ ðG; Hð Þ; fwik g8aik ;aij aik Þ:
We show a simple example to explain HHF in Fig. 7.
This example assume that we have a poset H ¼ ðA; Þ,
where A ¼ fa1 ; a2 ; . . . ; a7 g. Given v7 , the HHF ensures Finally, we define the HHF fpk ð Þ as
that the value of v3 ; v4 ; v1 can be obtained by using Y
fpk; ðv7 Þ. Inversely, given v3 , it is hard to guess v6 and v7 vik fpk;aij aik ðvij Þ ¼ vij wil
ail 2Gðaik ;aij Þ
according to pre-image resistance property. As the same 0 1
reason, v4 cannot be guessed because v4 jjv3 . More impor- Y Y
tantly, in the hierarchy it is easy to find the collision of ¼ @wi0 wil A wil
HHF. For example, v1 ¼ fpk;v3 v1 ðv3 Þ ¼ fpk;v4 v1 ðv4 Þ, how- aij 6ail [aik 6ail fail gn[aij 6ail fail g
ever, it is still hard to guess v4 from v3 according to Y

¼ wi0 wil ¼ vik 2 G;
second pre-image resistance property. These security aik 6ail
properties should be used to guarantee the security of
our ABE scheme. where Gðaik ; aij Þ denotes [aik 6ail fail g n [aij 6ail fail g and
ail 2 Gðaik ; aij Þ f8ail ; aij ail g. For example, let see the
example of Fig. 7. In this example we list all elements of vi
5.3 Cryptographic Construction of HHF according to partial ordering relation in Table 3. It is easy to
In this section, we will present a cryptography construction find that [aik 6ail fail g [aij 6ail fail g if aik aij . Hence, vij
of HHF, which will be used in our ABE scheme. This con- can be computed according to such a containment relation-
struction is built on a general multiplicative group G. In ship. For example, given v5 and w1 ; w2 ; w4 ; w5 , we can com-
addition, we make use of a hash function H : f0; 1g 7! G, pute its seniors v1 ; v2 ; v4 , that is, v4 ¼ v5 w5 , v1 ¼ v4 w2 w4 ,
which can map any string into a random element in G. and v2 ¼ v4 w1 w4 .
First, given a attribute hierarchy with a poset ðAi ; Þ and In this construction it is intractable to obtain vik from vij for
Ai ¼ ðai1 ; . . . ; aimi Þ, we assume that Ai and all aij can be rep- aik aij because [aik 6ail fail g [aij 6ail fail g, aik 2 [aij 6ail
resented as f0; 1g . Let wi0 ¼ HðAi Þ and wij ¼ HðAi jjaij Þ.
Next, we pick a random integer r 2 G as the private key TABLE 3
sk ¼ r. We define that wi0 ¼ wri0 ¼ HðAi Þr and wij ¼ wrij ¼ Examples for HHF Construction
vi [ai 6aj wj [ai aj wj

v1 w2 ; w3 ; w4 ; w5 ; w6 ; w7 w1
v2 w1 ; w3 ; w4 ; w5 ; w6 ; w7 w2
v3 w2 ; w4 ; w5 ; w6 ; w7 w1 ; w3
v4 w3 ; w5 ; w6 ; w7 w1 ; w2 ; w4
v5 w3 ; w6 ; w7 w1 ; w2 ; w4 ; w5
v6 w2 ; w4 ; w5 ; w7 w1 ; w3 ; w6
v7 w5 ; w6 w1 ; w2 ; w3 ; w4 ; w7
Fig. 7. An example of hierarchy hash function.
Fig. 8. Our construction of ABE-AH scheme.
fail g, and aik 62 [aik 6ail fail g. This means that vik can be system S is a tuple S ¼ hp; G1 ; G2 ; GT ; ei composed of the
obtained unless vij =wik is computed. So, vik cannot not be objects as described above. S may also include group gener-
computed because wik is not in pk. For example, it is ators in its description. In addition, there is a hash function
hard to compute v6 ¼ v3 =w6 from v3 and w1 ; w3 because H : f0; 1g ! G.
w6 is unknown for a6 a3 . Also, v4 ¼ v3 =w4 cannot be Our ABE-AH scheme is described in Fig. 8. Our scheme
computed from v3 and w1 ; w3 because w4 is unknown is constructed on BSW’s CP-ABE scheme, which makes use
for a4 jja3 . This ensures pre-image resistance and second of the hierarchy secret sharing scheme (HSSS) to realize
pre-image resistance. AND and OR operations for a access policy which be repre-
sented by Boolean function. In the description of our
6 CONSTRUCTION OF ABE-AH scheme, we omit these details. Our ABE-AH scheme has an
In this section we propose a novel construction with attri- optimum performance of storage and computation. For
bute hierarchies based on BSW’s CP-ABE scheme. This example, the length of the user’s private key usk is directly
construction enjoys the lower computation and communica- proportional to the number of attributes in AðiÞ , that is,
tion/storage costs. Moreover, we can generate a private key Oð#AðiÞ Þ, where # denotes the number of elements in a set.
with range controls, and then can implement comparisons Similarly, the length of ciphertexts is directly proportional
between two range controls from ciphertext and private to the number of literals in an access tree T corresponding
key, respectively. to p, that is, Oð#T Þ. More importantly, the length of cipher-
We set up our systems using bilinear pairings proposed texts is unrelated to the size of candidate attribute values
by Boneh and Franklin [22]. Let G1 , G2 and GT be three for a certain policy, by which we usually measure the length
cyclic groups of large prime order p using pairing-friendly of a ciphertext in the trivial equal matching way. Therefore,
curves, and e be a computable bilinear map e : G1 the shorter ciphertext commonly means the lower over-
G2 ! GT 3 with the following properties. For any G 2 G1 , heads of computation, so that the ABE-AH scheme also
H 2 G2 and all a; b 2 Zp , we have involves low computational overhead in the process of
1) Bilinearity. eðGa ; H b Þ ¼ eðG; HÞab . encryption and decryption.
2) Non-degeneracy. eðG; HÞ 6¼ 1 unless G or H ¼ 1. Next, we prove that if the decryptor’s attribute values
3) Computability. eðG; HÞ is efficiently computable. satisfy the policy p, and the decryptor can obtain the correct
Where, ½aP denotes the multiplication of a point P in message M from a ciphertext C using our ABE-AH scheme.
elliptic curve by a scalar a 2 Zp . A bilinear map group The analysis process is listed as follows:
First, if a decryptor’s attribute value aij satisfies the literal
aik Aj in the ciphertext (that is aik aij ), the decryptor
3. We require that no efficient isomorphism G2 ! G1 or G1 ! G2 is s
known, or G2 ! G1 is unknown but its inverted G1 ! G2 is known. computes fE00 ;aik aij ðviki Þ since the value vsiji ¼ fE00 ;aik aij ðvsiki Þ ¼
i i
Q Q
vsiki ail 2Gðaij ;aik Þ wsili ¼ wsi0i aij 6ail wsili 2 G can be efficiently a; b 2 Zp , it is computationally intractable to compute the
computed from ¼ Ei00
s
fwili gaik ail
and ail 2 Gðaij ; aik Þ value gab 2 G. More exactly, we define a game to measure
f8ail ; aik ail g if the condition aik aij holds. the difficulty of computing csk ðaj Þ from csk ðai Þ for aj ai .
s s That is, for any t-time PPT algorithm A and a negligible ", if
Second, given the correct value viji ¼ fE00 ;aik aij ðviki Þ, we
i
can computes the value Sj in terms of Equation (5) as follows: 2 3
8H; H 2 pk; vi csk ðai Þ;
eðDi ; Ei Þ eðgt viji ; hsi Þ
r
Pr4 ðaj ; vj Þ Ahð Þ ðpk; vi Þ; : aj ai 5 ":
Si ¼ 0 ¼ s 9aj 2R V; aj ¼ aj ^ cpk ðaj Þ ¼ vj
e Di ; fE00 ;aik aij ðEi0 Þ e hri ; fE00 ;aik aij viki
i i
eðgt viji ; hsi Þ

r
¼ r si ¼ eðg; hÞt si : We call that this problem is hard to resist the pre-image
e h i ; vij attack of HHF. Hence, we have the following theorem.
Theorem 2. Assuming that the CDH assumption holds, any
Finally, according to the aggregate algorithm in [17], the probabilistic polynomial-time PPT algorithm is hard to break
decryptor can obtain S ¼ eðg; hÞts only if the decryptor’s the pre-image resistance property.
attribute set is matching the policy tree T ; otherwise, the Proof. Assume that there exists a PPT adversary A to com-
decryptor cannot get S. When the decryptor gets S, she can pute vj from ðpk; vi Þ for ai 6 aj with a non-negligible
compute the correct message M in terms of the equation probability. By using A, we construct an algorithm B to
solve the computational DH problem as follows:
M eðg; hÞas eðg; hÞts
M 0 ¼ C1 S=eðD; C2 Þ ¼ aþt ¼ M: 1) given ai , let sk ¼ a and set B sets vi ¼ ðga Þr and
e g b ; hbs
fwk ¼ ðga Þrk g8ak ;ai ak , where r and rk are some
random integers.
Combining these two conditions, we know that if the 2) for a hash query HðAjjal Þ in al 2 Gðai ; aj Þ, the ran-
b kl
P l Þ ¼ ðg Þ for al 6¼ aj ,
decryptor can get the message M if and only if the dom Oracle returns HðAjja
decryptor’s attribute set is matching the policy tree T and kl
the decryptor’s attribute values follow the comparison con- and HðAjjaj Þ ¼ gr =ðgb Þ al 2Gðai ;aj Þ , where kl is a
straints in the access policy p. Hence, if the decryptor can random integer in Zp .
get the message M if and only if the decryptor’s attribute 3) we revoke Aðpk; vi ; fwk g8akP;ai ak Þ. If A returns vj ,
1= kl
sets satisfy the access policy of the attribute lattices. B outputs gab ¼ ððga Þr =vj Þ al 2Gðai ;aj Þ
.
According
Q to the definition of v i , we have
Q vi ¼ vj
7 SECURITY ANALYSIS ð al 2Gðai ;aj Þ wl Þ ¼ vj w0ij ¼ gar , where w0ij ¼ al 2Gðai ;aj Þ wl .
7.1 Security Analysis of HHF Also, in terms of the definition of P random Oracle, we
First, before proving the security of our HHF construction, Q kl
have w00ij ¼ al 2Gðai ;aj Þ HðAjjal Þ ¼ ðgb Þ al 2Gðai ;aj Þ . Further,
we consider the security of the random values obtained P
from HðAjjai Þ in HHF for all ai 2 A. Usually, we call colli- since sk ¼ a, this means that w0ij ¼ w00ij a ¼ ðgab Þ
k
al 2Gðai ;aj Þ l
.
sion if two group of random values are equal, i.e., for any P
Q kl
P we have vi ¼ vj ðg ÞP ¼ gar and gab ¼
al 2Gðai ;aj Þ
two different subsets W1 and W2 of A, al 2W1 HðAjjal Þ ¼ Therefore, ab
Q 1= k 1= k
al 2W2 HðAjjal Þ. Due to the reason that all vi must be chosen ðw0ij Þ al 2Gðai ;aj Þ l
¼ ððga Þr =vj Þ al 2Gðai ;aj Þ l
. This contra-
at random, this scheme do not permit the collision among dicts to the CDH assumption, thus the theorem holds. u
t
the vi (or vi 6¼ vj ) for i 6¼ j. The following theorem tells us
Finally, we prove that our HHF is secure with second
that this collision probability is negligible only if the secu-
pre-image resistance under the CDH assumption. we also
rity parameter k is large enough. Moreover, the fast sort
define a game to measure the difficulty of computing
algorithm can help us to find the collision.
csk ðaj Þ from csk ðai Þ for aj jjai and fpk;ai ak ðvi Þ ¼ fpk;aj ak ðvj Þ.
Theorem 1. The collision probability of getting any sum among That is, for any t-time PPT algorithm A and a negligible ", if
m random integers, which are chosen in Zp from a uniform dis-
2 2 3
tribution, is less than ðmþ1Þ
4p , where p is a large prime number.
8H; H 2 pk; vi csk ðai Þ;
6 Þ 7
ðaj ; vj Þ A ðpk; vi Þ;
hð
Since the total number of roles is far less than the size of Pr6 7
4 9aj ; ak 2R V; aj ¼ aj ^ cpk ðaj Þ ¼ vj ; : aj jjai 5 ":
space of keys, this theorem means that the collision proba-
fpk;ai ak ðvi Þ ¼ fpk;aj ak ðvj Þ
bility is neglectable for a large number of attributes m, e.g.,
given m ¼ 1; 000 and m p 2160 , the collision probability
20 We call that this problem is hard to resist the second pre-
is less than 22162 ¼ 2 142 . This means that the security of HHF
image attack of HHF. Hence, we have the following
is not related to the combination of the attributes.
theorem.
Next, we prove that our HHF is secure with pre-image
resistance under the Computational Diffie-Hellman (CDH) Theorem 3. Assuming that the CDH assumption holds, any
assumption: consider a cyclic group G of order p and a ran- probabilistic polynomial-time PPT algorithm is hard to break
domly chosen generator g, given ðga ; gb Þ for two random the second pre-image resistance property.
Proof. Assume that there exists a PPT adversary A to com- T ¼ eðG; HÞ&t . This means that if DDH problem is hard in
pute vj from ðpk; vi Þ for ai jjaj and fpk;ai ak ðvi Þ ¼ fpk;aj ak ðvj Þ GT then eDDH problem is also hard in G and GT even if the
with a non-negligible probability. By using A, we build bilinear pairing exists here.
an algorithm B0 to solve the CDH problem as follows: More precisely, we have the following theorem accord-
ing to the intractability of distinguishing the two distribu-
1) given ai ; ak 2 H, let sk ¼ a, B0 sets vi ¼ ðga Þr and tions involved in the General Decision Diffie-Hellman
fwl ¼ ðga Þrk g8ak ;ai al , where r and rk are some ran- Exponent (GDDHE) problem [23]:
dom integers, and vk ¼ fpk;ai ak ðvi Þ.
Theorem 4 (Lower Bound of eDDH, [23]). Given an eDDH
2) for a hash query HðAÞ and HðAjjal Þ in al 6¼ aj , the
problem on S ¼ ðp; G; GT ; eð ; ÞÞ, for any PPT algorithm A
random Oracle returns HðAÞ ¼ ðgbP Þk0 and HðAjj that makes a total of at most q queries to the oracle computing
P kl
al Þ ¼ ðgb Þkl , but HðAjjaj Þ ¼ gr =ðgb Þ ai 6al ;al 6¼aj
,
k0 þ the group operations in G; GT and the bilinear pairing
2
where kl is a random integer in Zp . e : G G ! GT , we have AdveDDH ðAÞ 2ðqþ10Þ
p .
3) we revoke Aðpk; vi ; fwk g8ak ;ai ak Þ. If A returns We prove the semantic security of our scheme under the
vj for ai jjaj and aj ak , B outputs gab ¼ assumption of extended DDH problem. Since this kind of
P
1=ðk0 þ kÞ security is concerned with the plaintext, which be confi-
ðvj Þ aj 6al Þ l
. dentiality-protected rather than the validity of constraints
According to the definition of vi and ai jjaj , we have as described above, we need only to consider the adaptive
0 0 11a attribute lattice against chosen plaintext attacks. Hence, we
Y prove the Theorem 5, in which the advantage of adversary
vi ¼ @HðAÞ @ HðAjjal ÞAA is at most 4ðqþ10Þ
2
according to Theorem 4 and "0 > 2".
p
ai 6al
0 1a Theorem 5 (Semantic Security). Assume that extended Deci-
P
b k0 þ gr sion Diffie-Hellman problem on S ¼ ðp; G; GT ; eð ; ÞÞ with
¼ @ðg Þ A
k
ai 6al ;al 6¼aj l P
k0 þ k order p is ðt0 ; "0 Þ-hard, the ABE-AH construction is
ðgb Þ ai 6al ;al 6¼aj l
ðt; "Þ-adaptive attribute lattice against chosen plaintext attacks
¼ gar ; P (IND-AL-CPA), such that for any PPT algorithm A ¼ ðA1 ;
P
k0 þ
kl
A2 Þ, the success probability of A satisfies
where HðAjjaj Þ ¼ g =ðg Þ r b ai 6al ;al 6¼aj
. Also, in terms
of the definition of vj and sk ¼ a, we have vj ¼ ðH 2 3
P 8ðpk; mskÞ SetupðkÞ;
Q b k0 þ ai 6al kl a 6 A1 i ðpkÞ; 7
a OðH Þ
ðAÞ ð aj 6al HðAjjal ÞÞÞ ¼ ððg Þ Þ . This means ðM0 ; M1 Þ
P Pr6 0
4b ¼ b :
7
5 ";
k þ k b R f0; 1g;
that vj ¼ ðgab Þ 0 ai 6al l . Therefore, if A returns v , we 0
A2 ðEncryptðpk; p; Mb ÞÞ
P j b
1=ðk0 þ kÞ
have g ¼ ðvj Þ
ab aj 6al Þ l
. This contradicts to compu-
where "0 > 2", t0 t þ qA tA þ qh th , and tA ; th denotes the time
tational CDH assumption, thus the theorem holds. u
t of attribute query and hash query.
In summary, two above-mentioned cases means that it is
hard to compute the values of all elements fvj g8aj ;ai 6aj for a
given vi because we have the partial ordering ai 6
8 PERFORMANCE EVALUATION
aj ¼ ðaj ri Þ _ ðai jjaj Þ. Therefore, our construction of HHF 8.1 Performance Analysis of ABE Cryptosystem
is a secure hierarchial hash functions. Our ABE scheme is constructed on bilinear map system
from from elliptic curve pairings. For simplification, we
7.2 Security Analysis of ABE-AH Scheme give several notations to denote the time for various opera-
The analysis of HHF has showed the security of partial tions in our ABE scheme. EðGÞ and EðGT Þ are used to
ordering relation in our ABE scheme. Now, we focus on the denote the exponentiation in G and GT , respectively. B is
security of ciphertexts in this scheme. Since semantic secu- used to denote the paring e : G G ! GT . We neglect the
rity is a widely used definition for security in an asymmetric operations in Zp , the hash function H : f0; 1g ! G and the
key encryption algorithm, we will also prove the semantic multiplication in G and GT , since they are much more effi-
security of our scheme. The semantic security of our ABE cient than exponentiation and paring operation. We analyse
scheme enjoys the same security as the extension of BSW’s the computation and communication complexity for each
CP-ABE scheme [17] because our scheme is built on their phase, where jT j denotes the number of the leaf nodes in
scheme in addition to our partial ordering relation on HHF. the tree, jAj denotes the set of attributes of encryptor and
Our scheme is secure under extended Decision Diffie- decryptor, and lZp ; lG ; lGT denote the length of elements in
Hellman problem assumption, which is defined as follows: Zp ; G; GT , respectively. The security of comparison opera-
Suppose S ¼ ðp; G; GT ; eð ; ÞÞ be a cryptosystem on bilinear tions is based on two mathematical assumptions: the hard-
pairing. Given ðG; Gt Þ; ðH; H t Þ; ðeðG; HÞ& ; T Þ for two ran- ness of CDH and eDDH problem, so we define k ¼ 80 bit
dom t; & 2 Zn , it is hard to decide whether or not and p ¼ 160 bit to build a sufficiently secure system.
T ¼ eðG; HÞ&t , where g; h are two generators in G and G; GT In Tables 4 and 5, we analyse the performance of our
with order p. It is easy to see that an eDDH problem can be ABE scheme from two aspects: computation and communi-
transferred into a DDH problem in GT , that is, given cation/storage costs. In Setup, the computation and storage
ðeðG; HÞ; eðG; HÞt ; eðG; HÞ& ; T Þ in GT to decide whether costs are constant. In KeyGen, it is easy find that the
TABLE 4 TABLE 6
Complexity Analysis of Our ABE Scheme The Results of Conversion from RBAC to ABAC
Computation Complexity Our Scheme BSW’s Scheme [17]

Setup 2 EðGÞ þ 1 EðGT Þ þ 1 B Number of roles 40 40
KeyGen ð1 þ 3jAjÞ EðGÞ Number of set of attributes n 6 40
Encrypt ð2 þ 3jAjÞ EðGÞ þ 1 EðGT Þ Average size of attribute sets v 7 1
Decrypt ð1 þ 2jAjÞ B þ jAj EðGÞ þ jT j EðGT Þ Length of private key 13lG 0:5 KB 41lG 1:6 KB
Length of ciphertext 20lG 0:8 KB 62lG 2:5 KB
computation and storage of generating user’s private key is

bound up with the size of A, but for each attribute Ai the enormously. Benefited from these possible rule conversions,
user only needs two elements in G stored by himself. In our scheme provides a secure and efficient solution to cloud
Encrypt, the computation and storage costs of ciphertexts is storage in a more flexible manner.
related to the size of A and T . Finally, in Decrypt, the com-
putation of decryption is also related to the size of A and T , 8.3 Performance Evaluation of System
but the bilinear map operations will consume a large We have implemented our scheme in Qt/C++ and experi-
amount of time and memory. From the above analysis, the ments were run on a small cloud based on Openstack plat-
computation and storage of our scheme is bound up with form with six servers. All disk operations were performed
the size of A and T , but the storage size of user’s private on a 1.82TB RAID five disk array. Using GMP and PBC
key is shorter than general scheme. libraries, we have implemented a cryptosystem based on
our solution in this paper. This C library contains approxi-
8.2 Performance Analysis of Rule Conversion
mately 8,000 lines of code and has been tested on a virtual
Our solution for migrating from RBAC to ABAC enjoys an network platform based on VMware workstation, in which
optimum performance. When the “one-to-one” conversion consists of a simple medical RBAC system, a cloud storage
method is used in our solution, the generation of access pol- service, and a virtual network.
icy only requires one-time search for PA, and the mapping Our experiments employed 6 sets of attributes, that is,
process of user’s attribute assignment also requires one- A ¼ fA1 ; . . . ; A6 g. In every experiment we randomly built an
time scanning for UA. The access authorization decision attribute hierarchy for each Ai 2 A, where the size of hierar-
based on Match requires one-time function invoking of chies (the number of nodes) can be specified in accordance
rokesðsi Þ, one-time searching for RH, as well as at most with our requirements. In Fig. 9 we show the practical compu-
jRHj time searching for PA, where jRHj denotes the num- tational costs of different algorithms in our ABE scheme
ber of roles in RH. When the multi-attribute conversion under the different sizes of attribute hierarchy (from 5 to 55).
method is introduced, that is, R ¼ A1 A2 An , the From the trends of these curves, the change of computational
complexities of three above-mentioned processes are costs is not significant for different hierarchies.
increased to n ¼ jAj times, but the searching processes for In Table 7 the detail data are listed for the above experi-
RA, RH, and PA are the same as before. ments. In these experiments, the performance of Setup algo-
In Table 6 we show some comparison results of conver- rithm does not changed for all cases, but the performance of
sion between our scheme and BSW’s ABE scheme [17] from other three algorithms are increased along with the size
a RBAC-based university management system with around ascending. However, the increasing is not significant. In
40 roles, which is used for maintenance of large volumes of addition, the decryption is the most expensive algorithm
information, including student, faculty, inventory, trans- because a great amount of bilinear map operations are exe-
port, library, facility management. Our scheme divided 40 cuted. In our experiments we ignores the execution time of
roles into six groups where each group has seven attribute the other modules because their changes were not evident
values, but the BEW’s ABE without attribute hierarchy only for the different hierarchies.
achieved the same number of attributes by one-to-one map-
ping. We found that these conversions entail a substantial
attribute engineering effort: our scheme reduced the length
of private keys and ciphertexts to less than 60 percent at
average case, where lG ¼ lGT ¼ 320 bits and lZp ¼ 160 bits.
This means that the computational costs were reduced
TABLE 5
Communication/Storage Analysis of Our ABE Scheme
Communication/Storage Complexity
Public parameter (pp) 1 lZp
Encryption key (ek) 3 lG þ 1 lGT
Master key (msk) 1 lG þ 1 lZp
Private key (usk) ð1 þ 2jAjÞ lG
Ciphertext (C) ð1 þ 3jT jÞ lG þ 1 lGT
Plaintext (M) 1 lGT Fig. 9. Computational costs of our scheme under the different sizes of
attribute hierarchy (from 5 to 55).
TABLE 7 REFERENCES
Computational Consts of Our Scheme for Different Hierarchies
[1] F. R. Institute. (2010). Personal data in the cloud: A global survey
of consumer attitudes [Online]. Available: http://www.fujitsu.
Heirarchy size Setup GenKey Encrypt Decrypt com/downloads/SOL/fai/reports/fujitsu/personal-data-in-the-
5 3.38521 5.97481 7.56601 12.99482 cloud.pdf
10 3.38521 5.97481 7.56601 12.99482 [2] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public
15 3.38521 5.97481 7.56601 12.99482 cloud,” IEEE Internet Comput., vol. 16, no. 1, pp. 69–73, Jan./Feb.
20 3.44761 5.97481 7.56601 12.99482 2012.
[3] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-
25 3.43201 5.89681 7.59721 13.02602 based encryption for fine-grained access control of encrypted
30 3.38521 5.91241 7.62841 13.05722 data,” in Proc. 13th ACM Conf. Comput. Commun. Security,
35 3.40081 5.89681 7.64401 13.07282 2006, pp. 89–98.
40 3.40081 6.00601 7.76881 13.16642 [4] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryp-
45 3.43201 6.06841 7.90921 13.21322 tion with non-monotonic access structures,” in Proc. 14th ACM
50 3.44761 6.08401 7.92481 13.33802 Conf. Comput. Commun. Security, 2007, pp. 195–203.
55 3.47881 6.38041 8.42402 13.55642 [5] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,
and fine-grained data access control in cloud computing,” in Proc.
IEEE Conf. Comput. Commun., 2010, pp. 534–542.
[6] R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khur-
9 RELATED WORK ana, and M. Prabhakaran, “Attribute-based messaging: Access
While the concept of ABAC has been around (introduced as control and confidentiality,” ACM Trans. Inf. Syst. Secur., vol. 13,
no. 4, p. 31, 2010.
early as 1996 in ISO 10181-3 and X.509 ACs), it has gained [7] V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller,
prominence in research literature with its use in trust nego- and K. Scarfone, “Guide to attribute based access control (ABAC)
tiation and credential-based access control in a distributed definition and considerations,” NIST Special Publ., vol. 800, p. 162,
system with multiple administrative domains [6], [15]. 2014.
[8] M. J. Atallah, K. B. Frikken, and M. Blanton, “Dynamic and effi-
Goyal et al. [3] first defined the two complimentary forms of cient key management for access hierarchies,” in Proc. 12th ACM
ABE, namely, key-policy ABE and Ciphertext-Policy ABE Conf. Comput. Commun. Security, Alexandria, VA, USA, 2005,
(CP-ABE), and provided a construction for KP-ABE. Then, pp. 190–202.
[9] S. D. C. di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and
Bethencourt et al. [17] gave the first construction for a CP- P. Samarati, “Over-encryption: Management of access control evo-
ABE scheme (short for BSW) in the generic group model. lution on outsourced data,” in Proc. 33rd Int. Conf. Very Large Data
These schemes supported monotonic Boolean encryption Bases, 2007, pp. 123–134.
policies. Many ABE schemes with varying properties have [10] R. Bobba, H. Khurana, and M. Prabhakaran, “Attribute-sets: A
practically motivated enhancement to attribute-based
been proposed since then, for example, schemes that sup- encryption,” in Proc. 15th Eur. Symp. Res. Comput. Security, 2009,
ported non-monotonic boolean encryption policies (e.g., pp. 587–604.
[4]), schemes that supported multiple attribute authorities [11] G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryp-
(e.g., [24]), and so on. Recently, Lewko and Waters [25] pro- tion for fine-grained access control in cloud storage services,”
in Proc. ACM Conf. Comput. Commun. Secur., 2010, pp. 735–737.
posed a multi-authority ABE system, in which any party [12] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based
can become an authority and there is no requirement for encryption with attribute hierarchy,” in Proc. ACM Mobile Netw.
any global manager. Also, Waters [26] presented a new Appl., vol. 16, no. 5, pp. 553–561, 2011.
[13] Y. Zhu, G.-J. Ahn, H. Hu, D. Ma, and S. Wang, “Role-based cryp-
methodology for realizing CP-ABE under concrete and non- tosystem: A new cryptographic RBAC system based on role-key
interactive cryptographic assumptions in the standard hierarchy,” IEEE Trans. Inf. Forensics Secur., vol. 8, no. 12,
model. Lewko et al. [27] presented a fully secure ABE pp. 2138–2153, Dec. 2013.
scheme and attribute-hiding predicate encryption (PE) [14] R. Sandhu, E. Coyne, H. Fenstein, and C. Youman, “Role-based
access control models,” IEEE Comput., vol. 29, no. 2, pp. 38–47,
scheme for inner-product predicates by using dual system Feb. 1996.
encryption methodology. [15] R. Bobba, O. Fatemieh, F. Khan, C. A. Gunter, and H. Khurana,
“Using attribute-based access control to enable attribute-based
messaging,” in Proc. 22nd Annu. Comput. Security Appl. Conf., 2006,
10 CONCLUSION pp. 403–413.
[16] A. Sahai and B. Waters, “Fuzzy identity-based encryption,”
In this paper, we addressed the effective method to simplify in Proc. EUROCRYPT, 2005, pp. 457–473.
the policy-specified burden of cloud users in the process of [17] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attri-
bute-based encryption,” in Proc. IEEE Symp. Secur. Privacy, 2007,
using ABE. Our method is to improve ABE to support RBAC pp. 321–334.
model, the existing RBAC users, without alterations, can [18] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext
access their ABE-encrypted data in the cloud. Compared with policy attribute based encryption,” in Proc. Int. Colloq. Automata,
Lang. Program., 2008, pp. 579–591.
trivial equal and bit matching in prior solutions, our scheme [19] Y. Zhu, G.-J. Ahn, H. Hu, S. Yau, H. An, and C.-J. Hu, “Dynamic
enhances the expressive capacity of access policies, decreases audit services for outsourced storages in clouds,” IEEE Trans.
the computational overheads, and reduces the size of cipher- Serv. Comput., vol. 6, no. 2, pp. 227–238, Apr.-Jun. 2013.
texts and private-keys for attribute-based encryption. [20] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order preserving
encryption for numeric data,” in Proc. ACM SIGMOD Int. Conf.
Manage. Data, 2004, pp. 563–574.
ACKNOWLEDGMENTS [21] A. Boldyreva, N. Chenette, and A. O’Neill, “Order-preserving
encryption revisited: Improved security analysis and alternative
The authors are indebted to anonymous reviewers for their solutions,” in Proc. Annu. Int. Cryptol. Conf. Adv. Cryptol., 2011,
valuable suggestions. This work was supported by the pp. 578–595.
National 973 Program (Grant No. 2013CB329605) and the [22] D. Boneh and M. Franklin, “Identity-based encryption from the
weil pairing,” in Proc. 21st Annu. Int. Cryptol. Conf. Adv. Cryptol.,
National Natural Science Foundation of China (Grant Nos. 2001, pp. 213–229.
61170264 and 61472032).
[23] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based ChangJyun Hu received the PhD degree from
encryption with constant size ciphertext,” in Proc. 24th Annu. Int. Peking University, Beijing, China, in 2001. He is
Conf. Theory Appl. Cryptographic Tech., 2005, pp. 440–456. currently a professor at the School of Computer
[24] M. Chase and S. S. M. Chow, “Improving privacy and security in and Communication Engineering, University of
multi-authority attribute-based encryption,” in Proc. ACM Conf. Science and Technology, Beijing, China. His
Comput. Commun. Secur., 2009, pp. 121–130. main research interests include parallel comput-
[25] A. B. Lewko and B. Waters, “Decentralizing attribute-based ing, parallel compilation technology, parallel soft-
encryption,” in Proc. Annu. Int. Conf. Theory Appl. Cryptographic ware engineering, network storage system, data
Tech., 2011, pp. 568–588. engineering, and software engineering.
[26] B. Waters, “Ciphertext-policy attribute-based encryption: An
expressive, efficient, and provably secure realization,” in Public
Key Cryptography, New York, NY, USA: Springer, 2011, pp. 53–70.
[27] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, Xin Wang received the BS degree from the
“Fully secure functional encryption: Attribute-based encryption Hubei University of Technology, China, in 2012.
and (hierarchical) inner product encryption,” in Proc. Annu. Int. She is working toward master’s degree at the
Conf. Theory Appl. Cryptographic Tech., 2010, pp. 62–91. School of Computer and Communication Engi-
neering, University of Science and Technology
Yan Zhu received the PhD degree in computer Beijing, China from 2013. Her research interests
science from Harbin Engineering University, include cryptography, cloud computing, and net-
China, in 2005. He is currently a professor at the work security.
University of Science and Technology, Beijing,
China. He was an associate professor at Peking
University, China, from 2007 to 2012. He was a
visiting associate professor at the Arizona State
University, from 2008 to 2009, and a visiting
research investigator of the University of Michi-
gan-Dearborn in 2012. His research interests
include cryptography, secure computation, and
network security. He is a member of the IEEE.
Dijiang Huang received the BS degree from the

Beijing University of Posts and Telecommunica-
tions, China, in 1995, and the MS and PhD
degrees from the University of Missouri-Kansas
City, in 2001 and 2004, respectively. He is an
associate professor at the School of Computing
Informatics and Decision System Engineering,
Arizona State University. His current research
interests include computer networking, security,
and privacy. He is an associate editor of the Jour-
nal of Network and System Management and an
editor of the IEEE Communications Surveys and Tutorials. He was an
organizer for many international conferences and workshops. His
research is supported by the United States National Science Foundation
(NSF), the US Office of Naval Research (ONR), the US Army Research
Office, NATO, and the Consortium of Embedded Systems. He received
the ONR Young Investigator Program Award. He is a senior member of
the IEEE.

From RBAC To ABAC Constructing Flexible Data Access Control For Cloud Storage Services

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

From RBAC To ABAC Constructing Flexible Data Access Control For Cloud Storage Services

Uploaded by

Copyright:

Available Formats

IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 8, NO.

4, JULY/AUGUST 2015 601

From RBAC to ABAC: Constructing Flexible Data

I NCREASINGLY, more and more enterprises and individuals

ðððFaculty ¼ Prof:Þ or ðFaculty ¼ Associate Prof:Þ

It is easy to find that this approach simplifies the complexity

Furthermore, the relationships between them are discussed TABLE 1

Fig. 2. Some examples for attribute lattice in a management information system.

r :¼ ðDepartments; Faculty; ClearanceÞ space A1  A2   An is used to express the char-

Fig. 3. The framework of RBAC-Compatible ABE for secure cloud storage.

2.4 ABE over ABAC 3 SOLUTION FROM RBAC TO ABAC

Similarly, it is obvious that this conversion is also consistent

The proxy writes these two policies ðpwrite ; pread Þ into

rolesðsÞ  fr 2 R j 9r0 2 R; r r0 : ðuserðsi Þ; r0 Þ 2 UAg

property. This process can be expressed to build two func-

Fig. 6. Our solution for cryptographic comparison relation.

ever, it is still hard to guess v4 from v3 according to Y

vi [ai 6aj wj [ai aj wj

Fig. 8. Our construction of ABE-AH scheme.

eðgt viji ; hsi Þ

Computation Complexity Our Scheme BSW’s Scheme [17]

computation and storage of generating user’s private key is

Dijiang Huang received the BS degree from the

You might also like

r :¼ ðDepartments; Faculty; ClearanceÞ space A1 A2 An is used to express the char-

rolesðsÞ fr 2 R j 9r0 2 R; r r0 : ðuserðsi Þ; r0 Þ 2 UAg