coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
50953c700764be53ff8086d144af17ce73121680
opaque-lattice/papers_txt/A-CP-ABE-based-access-control-scheme-with-cryptogra_2025_Journal-of-Systems-.txt
Cole Leavitt dfa968ec7d initial
2026-01-06 12:49:26 -07:00

846 lines
110 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Journal of Systems Architecture 160 (2025) 103331
Contents lists available at ScienceDirect
Journal of Systems Architecture
journal homepage: www.elsevier.com/locate/sysarc
A CP-ABE-based access control scheme with cryptographic reverse firewall
for IoV
Xiaodong Yang a , Xilai Luo a ,, Zefan Liao a , Wenjia Wang a , Xiaoni Du b , Shudong Li c
a College of Computer Science and Engineering, Northwest Normal University, China
b
College of Mathematics and Statistics, Northwest Normal University, China
c
Cyberspace Institute of Advanced Technology, Guangzhou University, China
ARTICLE INFO ABSTRACT
Keywords: The convergence of AI and internet technologies has sparked significant interest in the Internet of Vehicles
Attribute-based encryption (IoV) and intelligent transportation systems (ITS). However, the vast data generated within these systems
Multi-authority poses challenges for onboard terminals and secure data sharing. To address these issues, we propose a novel
Internet of Vehicles
solution combining ciphertext policy attribute-based encryption (CP-ABE) and a cryptographic reverse firewall
Cryptographic reverse firewall
(CRF) mechanism for IoV. This approach offers several advantages, including offline encryption and outsourced
Outsource decryption
decryption to improve efficiency. The CRF mechanism adds an extra layer of security by re-randomizing
vehicle data, protecting sensitive information. While single-attribute authority schemes simplify access control,
they are not ideal for IoV environments. Therefore, we introduce a multi-authority scheme to enhance
security. Performance analysis demonstrates our schemes ability to optimize encryption and decryption while
safeguarding vehicle data confidentiality. In summary, our solution improves data management, access control,
and security in the IoV, contributing to its safe and efficient development.
1. Introduction significant concerns about data security [5]. Therefore, cloud-based
solutions alone are insufficient to meet the demands of the IoV. To
Advances in 5G technology, coupled with the growing volume of ve- mitigate these issues, edge computing [6], fog computing [7], and
hicular traffic, have intensified concerns regarding traffic safety, travel Roadside Units (RSUs) [8] have been proposed. RSUs, with their higher
efficiency, and environmental impact. In response, Intelligent Transport computational capabilities, can process data more efficiently and up-
Systems (ITS) and the IoV have emerged as critical components of load it to cloud servers in real time, addressing the challenges of latency
modern transportation infrastructure. The functionality of the IoV relies and limited onboard processing power.
on three key elements: the internal vehicle network, the vehicle-to- However, data security remains a critical issue. One potential so-
vehicle communication network, and the in-vehicle mobile internet. lution is encrypting data before transmission, which introduces chal-
These elements integrate technologies such as sensors, RFID (Radio Fre- lenges in ciphertext sharing. Traditional symmetric encryption, re-
quency Identification), and automated control systems, operating under quiring a one-to-one correspondence between keys and users, proves
established communication protocols to enable seamless, dynamic data inefficient for securing large volumes of data in IoV environments. Con-
exchange between vehicles and the broader network.
ventional asymmetric encryption algorithms also struggle with cipher-
While drivers benefit from applications like navigation and traffic
text sharing and are ill-suited for the frequent updates characteristic
information sharing, the limited computing power of onboard terminals
of IoV applications. A more appropriate approach is Attribute-Based
is insufficient for computationally intensive tasks such as autonomous
Encryption (ABE), which enables fine-grained access control, supports
driving and AI-based obstacle avoidance [1]. A potential solution is
encryption for multiple recipients, and facilitates the creation of com-
offloading data processing to cloud servers, but the large volume of
plex access policies [911]. ABE allows data owners to control who
vehicle-generated data introduces high latency in communication be-
can access their data, but the decryption process is computationally
tween the onboard terminal and the cloud, compromising real-time
decision-making [24]. This latency, coupled with the risks associated intensive, requiring numerous pairing and exponential operations. This
with data leakage and theft in semi-trusted cloud environments, raises places a significant burden on resource-constrained onboard terminals,
Corresponding author.
E-mail addresses: yangxd200888@163.com (X. Yang), 2023222208@nwnu.edu.cn (X. Luo), lzf0097@163.com (Z. Liao), neuer1130@163.com (W. Wang),
duxiaonwnu@163.com (X. Du), lishudong@gzhu.edu.cn (S. Li).
https://doi.org/10.1016/j.sysarc.2025.103331
Received 11 August 2024; Received in revised form 4 December 2024; Accepted 2 January 2025
Available online 17 January 2025
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
hindering timely data retrieval and impeding efficient communication. Yang et al. [22] introduced a CP-ABE scheme for dynamic big data
As the number of attributes increases, the decryption complexity grows, updates, and Feng et al. [23] developed a CP-ABE scheme for industrial
leading to slower decryption times and higher resource consumption. IoT. Other schemes [24,25] have improved security and efficiency,
To address these challenges, several outsourced ABE schemes have broadening ABEs application to the Internet of Medical Things (IoMT).
been proposed [1215], which offload expensive operations to cloud CP-ABE enables fine-grained access control, making it highly appli-
servers, alleviating the computational load on onboard terminals. How- cable in sectors such as smart healthcare and intelligent transportation.
ever, even secure theoretical implementations of ABE are vulnerable to However, single-attribute authority ABE schemes are vulnerable to col-
practical attacks. Sophisticated adversaries may exploit backdoors [16], lusion attacks. To address this, it is desirable to delegate each attribute
manipulate pseudo-random number generators [17,18], or intercept to different attribute authorities. Chase [26] was the first to introduce
hardware interactions to gain unauthorized access to sensitive data. To the concept of multiple attribute authorities within the ABE framework,
counter these threats, the concept of a Cryptographic Reverse Firewall where various authorities oversee different attributes. Lewko and Wa-
(CRF) was introduced [19]. The CRF, positioned between the user and ters [27] later introduced the initial decentralized ABE framework with
the server, intercepts and alters messages to ensure data security, even multiple authorities. Following this, Chaudhary et al. [28] proposed
if the user is compromised. a multi-authority CP-ABE scheme tailored for the Internet of Vehicles
Moreover, traditional ABE schemes rely on a single attribute au- (IoV) context.
thority, which poses a risk of key leakage if the authority colludes
Considering the constrained computing capabilities of user termi-
with an adversary. To mitigate this, we propose a multi-authority
nals, Green et al. [12] introduced an ABE scheme that delegates de-
ABE scheme, integrated with a CRF, to enhance security and prevent
cryption computations to the cloud. Lai et al. [13] improved upon this
collusion attacks. The key contributions of this paper are as follows:
by achieving verifiability of outsourced decryption. Zhong et al. [29]
1. We propose a CP-ABE-based scheme that enables more granular further enhanced the efficiency of outsourced decryption ABE schemes
access control policies, enhancing the systems flexibility. This and applied them to smart healthcare scenarios.
proves particularly beneficial in IoV scenarios such as IoV com- Mironov and Stephens-Davidowitz [19] were the first to introduce
munication, where data access can be dynamically adjusted in the concept of a reverse firewall. They proposed a generic architecture
accordance with the context. to prevent user tampering, which could lead to data leakage. However,
2. The scheme integrates multiple attribute authorities to prevent the previous approach was found unsuitable for ABE schemes, prompt-
collusion attacks and guarantee secure key management. Each ing Ma et al. [30] to introduce a cryptographic reverse firewall utilizing
authority is responsible for managing vehicle attribute keys, the CP-ABE scheme. Additionally, Hong et al. [31] proposed a KP-ABE
enhancing the security and efficiency of key generation, which scheme with multiple authorities. Due to the limitations of KP-ABE in
is ideal for environments like smart cities or autonomous vehicle achieving fine-grained access control, Zhao et al. [32] proposed a CP-
fleets. ABE scheme incorporating a CRF and leveraged outsourced decryption
3. We enhance the CRF module by incorporating key parameter to alleviate computational burdens. However, these approaches suffer
re-randomization within the multi-authority ABE framework, from drawbacks, such as reliance on a single attribute authority or
strengthening security in IoV communications, even if certain excessive computational overhead. Moreover, there is a risk of sys-
parts of the system are compromised. tem compromise, which could lead to data leakage, especially in the
4. The scheme optimizes decryption efficiency through the use of context of IoV, characterized by constrained computational resources
online-offline encryption techniques and offloading decryption and stringent data privacy requirements. At the same time, the devel-
operations. Decryption time does not increase linearly with the opment of IoV places higher demands on the security and flexibility
number of attributes, making it suitable for real-time applica- of access control. Therefore, the proposed scheme combines CP-ABE,
tions like hazard detection and traffic optimization. CRF, and multi-authority models to meet the requirements for security,
5. The scheme also supports message integrity verification, which flexibility, and low computational overhead.
can be easily carried out by onboard terminals using simple hash
functions, ensuring the authenticity of IoV messages and pre-
3. System model and definitions
venting malicious tampering in safety-critical communications.
The paper is organized as follows: Section 2 reviews existing 3.1. Preliminaries
attribute-based encryption schemes and the application of CRFs. Sec-
tion 3 provides an overview of the system and security models. Sec- 1. Bilinear Maps: Involve two multiplicative cyclic groups of prime
tion 4 discusses the base scenario and the extended CRF module. order 𝑝, denoted as 𝐺 and 𝐺𝑇 , with 𝑔 representing a generator
Section 5 presents security proofs for the base scheme and the CRF- of 𝐺. A bilinear map 𝑒 𝐺 × 𝐺𝐺𝑇 must satisfies the following
enhanced scheme. Section 6 reports on experiments and results. Finally, three features:
Section 7 concludes the paper.
(a) Non-degeneracy: 𝑒(𝑔 , 𝑔) ≠ 1.
2. Related work (b) Computability: Efficient computation of 𝑒(𝑀 , 𝑁) for any el-
ements 𝑀 , 𝑁𝐺 is achievable through a polynomial-time
Sahai [10] introduced fuzzy identity-based encryption, which paved algorithm.
the way for Attribute-Based Encryption (ABE). ABE later branched (c) Bilinearity: Efficient computation of 𝑎, 𝑏𝑍𝑝 for any ele-
into two forms: Key-Policy ABE (KP-ABE) [9] and Ciphertext-Policy ments 𝑀 , 𝑁𝐺 we can acquire 𝑒(𝑀 𝑎 , 𝑁 𝑏 ) = 𝑒(𝑀 , 𝑁)𝑎𝑏 .
ABE (CP-ABE) [11]. Initially, both schemes used access trees to define
policies. However, the first CP-ABE scheme only provided security 2. Access Structure: Consider a set 𝑃 = {𝑃1 , 𝑃2 , … , 𝑃𝑛 } representing
under the random oracle model. Waters [20] introduced an LSSS-based 𝑛 users. A collection 𝑄 is deemed monotone if, for any subsets
CP-ABE scheme that encodes policies using matrices. This founda- ∀𝐾 , 𝐿: if 𝐾𝑄 and 𝐾𝐿, then 𝐿𝑄. Let 𝑄 bbe a nonempty
tional model has influenced many subsequent ABE schemes, which subset of 𝑃 that is monotonic, i.e. 𝑄 ⊆ 2{𝑃1 ,𝑃2 ,…,𝑃𝑛 } {∅}, then call
have expanded into diverse domains, particularly cloud computing. 𝑄 a monotone access structure. In the context of access control,
For example, Yu et al. [21] proposed a KP-ABE scheme enabling data sets included in 𝑄 are identified as authorized, while those that
delegation to semi-trusted cloud servers while ensuring confidentiality. are not included are referred to as unauthorized sets.
2
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
3. Linear Secret Sharing Scheme (LSSS): Let 𝐴̃ = {𝐴̃ 1 , 𝐴̃ 2 , … , 𝐴̃ 𝑁 } be
defined as the set that includes all possible attribute names. Cor-
responding to each attribute name 𝐴̃ 𝑖 ∈ 𝐴̃ within A, there is an
associated set of attribute values, denoted as 𝐴̃𝑖 = {𝐴𝑖,1 , 𝐴𝑖,2 , … ,
𝐴𝑖,𝑏𝑖 }, where 𝑏𝑖 is the order of 𝐴̃ 𝑖 . The policy for access is denoted
as 𝑇 = (𝑀 , 𝜌, 𝑉 ) Within the context of a linear secret sharing
scheme, 𝑀 denotes a matrix structured with 𝑙 row size and 𝑛
column size. 𝜌 denotes a function that associates each row of
𝑀 with an attribute name in 𝐴̃ 𝑖 . 𝑉 = {𝑣𝜌(𝑖) }𝑖∈[1,𝑙] represents
the set of attribute values associated with 𝑇 = (𝑀 , 𝜌). A LSSS
encompasses the following pair of algorithms:
(a) Distribute: Regarding the confidential value 𝑠𝑍𝑝 , arbi-
trarily choose a vector 𝑓 = (𝑠, 𝑓2 , … , 𝑓𝑛 ), where 𝑓2 , … , 𝑓𝑛
𝑍𝑝 . Calculate 𝜆𝑖 = 𝑀𝑖𝑓 , where 𝑀𝑖 is the 𝑖𝑡 row of matrix
𝑀. 𝜆𝑖 is a share of 𝑠 that corresponds to 𝜌(𝑖).
(b) Reconstruct: Let 𝑆 ∈ 𝐴̃ is permissible for any recognized Fig. 1. Leak game.
group and 𝐼 = {𝑖 𝜌(𝑖) ∈ 𝑆} ⊆ {1, 2, … , 𝑙}, then, there
is a collection of constants {𝜔𝑖 ∈ 𝑍𝑝 } satisfy 𝑖∈𝐼 𝜔𝑖 𝑀𝑖 =
(1, 0, … , 0). The secret 𝑠 could be reconstructed by us via  and a party 𝑃 form a composed party, then we call  a
calculating 𝑖∈𝐼 𝜔𝑖 𝑀𝑖 = 𝑠. cryptographic reverse firewall for 𝑃 . Next we give definitions
of three properties of CRFs:
Assume S= {𝐼𝑢 , 𝑆} represents the collection of attributes for
users. 𝐼𝑢 ⊆ 𝐴̃ represents a collection of user attribute names. (a) Function Maintaining: In the context of any given reverse
𝑆 = {𝑠𝑖 }𝑖∈𝐼𝑢 denotes a set that includes all the attribute values firewall identified by  and any given party identified by
of the user. For ∀𝑖 ∈ 𝐼, where 𝐼 = {𝑖 𝜌(𝑖) ∈ 𝑆} ⊆ {1, 2, … , 𝑙}, 𝑃 , let  1 ◦𝑃 = ◦𝑃 . For 𝑘 ≥ 2, let  𝑘 ◦𝑃 = ◦( 𝑘1 ◦𝑃 ).
if 𝑖 satisfies (𝑀 , 𝜌) and 𝑠𝜌(𝑖) = 𝑣𝜌(𝑖) , thereafter, we identify S as For a framework  that adheres to the functionality re-
matching 𝑇 . quirement  , we define the reverse firewall  maintains
4. q-BDHE problem: Suppose 𝐺 and 𝐺𝑇 represent two cyclic groups functionality if the composed party ◦𝑃 guarantees the
with multiplication as their operation, and the order of each is functionality of the party 𝑃 under the scheme  in poly-
the prime 𝑝, and 𝑔 be a generator of 𝐺. 𝐺𝑇 has a bilinear map nomial time.
𝑒 𝐺 × 𝐺𝐺𝑇 . Choose 𝑡, 𝑓𝑍𝑝 at random, and calculate (b) Weakly Security-preserving:  operates under the premise
2 𝑞 𝑞+2 2𝑞
𝐽 = (𝑔 , 𝑔 𝑡 , 𝑔 𝑓 , 𝑔 𝑓 , … , 𝑔 𝑓 , 𝑔 𝑓 , … , 𝑔 𝑓 ). In the context of the 𝑞- that it will fulfill the functionality need  and the security
BDHE problem, it is posited that no algorithm operating within need . When faced with any polynomial-time adversary
𝑞+1
polynomial time can differentiate between 𝑒(𝑔 , 𝑔)𝑓 𝑡𝐺𝑇 and 𝐵, we say that the scheme  satisfies weakly security-
𝐾𝐺𝑇 with a significant advantage. preserving if ◦𝑃 satisfies the security requirement .
5. Cryptographic Scheme: The cryptographic scheme  defines the (c) Weakly Exfiltration-resistant: The game Leak(, 𝑃𝑗 ,  , 𝜆),
interaction between parties (𝑃1 , 𝑃2 , … , 𝑃𝑙 ) with states. The pro- as depicted in the Fig. 1, is the work of designers Mironov
cess of scheme establishment is denoted by 𝑠𝑒𝑡𝑢𝑝(1𝜆 ), where 𝜆 and Stephens-Davidowitz [19]. The game is a security
refers to the security parameters. Each party enters the public game between a reverse firewall  of party 𝑃 and a
parameters 𝑃𝑔 and related messages, and then runs the sys- scheme  containing a tampering party  . The adversary
tem initialization algorithm to obtain the corresponding state may control a party by hacking into the partys algorithm
(𝜐𝑃𝑖 )𝑙𝑖=1 for each party. According to the order in which the 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒, 𝑛𝑒𝑥𝑡, 𝑜𝑢𝑡𝑝𝑢𝑡.
scheme proceeds, the parties process messages from other parties The purpose of the game is to let the adversary discern
in the scheme. Also, each party must have the corresponding whether the partys actions are honest or tampered with.
algorithms 𝑛𝑒𝑥𝑡𝑃𝑖 (𝜐𝑃𝑖 ) and 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃𝑖 (𝜐𝑃𝑖 ). 𝑛𝑒𝑥𝑡𝑃𝑖 (𝜐𝑃𝑖 ) is used to Thus, a reverse firewall with leak resistance can make it
output the updated message, 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃𝑖 (𝜐𝑃𝑖 ) is used to output the impossible for an adversary to tell if party 𝑃 has been tam-
states of the parties after the message update. After the scheme pered with, or if the party is known to have been tampered
is completed, each party has algorithm 𝑜𝑢𝑡𝑝𝑢𝑡𝑃𝑖 (𝜐𝑃𝑖 ) return the with but does not know if the operation is honest, hence
results of the scheme. We assume that the scheme  meets protecting the important privacy of the party.
functionality requirement  and security requirements . If adversary 𝐵 within the Leak(, 𝑃𝑗 ,  , 𝜆) game cannot
6. Cryptographic Reverse Firewall: , the stateful algorithm, is syn- succeed in polynomial time with a noticeable advantage
onymous with the Cryptographic Reverse Firewall. When pro- and while maintaining the partys functionality  , then we
vided with a current state and an input message, the algorithm label the reverse firewall  as weakly capable of resisting
processes them and subsequently outputs an updated state and exfiltration.
message. For ease of presentation, the state of  is not explicitly
written out in the definition. Given that 𝑃 is a party and  is a
firewall, the expression ◦𝑃 is introduced to indicate the party 3.2. System model
that emerges from their composition.
Fig. 2 depicts the four components that constitute our scheme:
◦𝑃 = 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒◦𝑃 (𝜐, )
Attribute authorities (AA), Cloud server (CS), Data user (DU), Data
= 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃 (𝜐, (𝑚)) owner (DO). In addition, the system contains three reverse firewalls.
= 𝑛𝑒𝑥𝑡◦𝑃 = (𝑛𝑒𝑥𝑡𝑃 (𝜐)) To implement data re-randomization within the RSU, three firewalls
are strategically positioned: 𝐴𝐴 , the reverse wall for AA; 𝐷𝑂 , acting
= 𝑜𝑢𝑡𝑝𝑢𝑡◦𝑃 (𝜐) = 𝑜𝑢𝑡𝑝𝑢𝑡𝑃 (𝜐) (1)
as the reverse firewall for DO; and 𝐷𝑈 , fulfilling the same role for
When the composite party participates in the scheme, the initial DU.
state of the firewall  is set as the public parameter 𝑃𝑔 . If CS is mainly deployed to store cipher text and conversion key.
3
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
algorithm 𝐾 𝑒𝑦𝐺𝑒𝑛 and obtains corresponding secret key 𝑆 𝐾𝑖 .
Then 𝐹 executes algorithm 𝐴𝐴 .𝐾 𝐺 and gets the re-randomized
private key 𝑆 𝐾𝑖 . Subsequently, 𝐹 executes 𝐾 𝑒𝑦𝐺𝑒𝑛.𝑟𝑎𝑛 to get
conversion key 𝑇 𝐾𝑖 . Then 𝐹 executes 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 to ob-
tain re-randomized conversion key 𝑇 𝐾𝑖 . Eventually, 𝐹 sends
(𝑆 𝐾𝑖 , 𝑇 𝐾𝑖 ) to 𝐵.
4. Challenge Phase: Two equal-length plaintexts, 𝑚0 , 𝑚1 , are deliv-
ered by 𝐵 as part of the protocol. 𝐹 randomly chooses 𝑏
{0, 1} and executes Enc.Offline*, Enc.Online* to obtain challenge
ciphertext 𝐶 𝑇𝑏 . Then 𝐹 calls 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒, 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒
to get updated cipher text 𝐶 𝑇𝑏 . 𝐹 sends 𝐶 𝑇𝑏 to 𝐵.
5. Query Phase 2: Same as Query Phase 1.
6. Guess Phase: 𝐵 outputs the guess 𝑏 ∈ {0, 1} for 𝑏.
Definition 1. The criterion for the basic schemes selective CPA-secure
is met when the probability of adversary 𝐵s success in the game during
Fig. 2. System model. polynomial time is negligible.
4. System construction
AA is charged with the responsibility of establishing the public
parameters and generating the master secret keys. 4.1. Basic scheme
DU includes setting the access policy that guides the encryption
process and producing a verification credential. After these steps are The scheme contains 𝑁 attribute authorities, each attribute author-
accomplished, the DU uploads both the encrypted data and the verifi- ity managing one class of attributes 𝐴̃𝑖 = {𝐴𝑖,1 , 𝐴𝑖,2 , … , 𝐴𝑖,𝑏𝑖 }, 𝐴𝑖,1 ∈ 𝑍𝑝 ,
cation credential to the cloud server. 𝑖 = 1, 2, … , 𝑁, 𝑗 = 1, 2, … , 𝑏𝑖 .
DO initiates the process by generating a conversion key, which is
1. Global Setup: Attribute authority 𝐴𝐴1 sets commonly known
then uploaded to the cloud server. Following this, the DO retrieves the
parameters 𝑃 𝑎𝑟𝑎𝑚𝑠 = {𝑔 , 𝑢, 𝑣, 𝑤, , 𝐺, 𝐺𝑇 , 𝐻0 ()} and publishes
ciphertext and the verification credential from the cloud server to carry
them, 𝐻0 is the designated collision-resistant hash function for
out the concluding stages of decryption and integrity verification.
generating robust verification credentials within the system.
𝐴𝐴 includes the re-randomization of public parameters and the 
𝐻0 () {0, 1} → {0, 1} 𝐻0 .
secret keys that belong to users.
2. AASetup:
𝐷𝑂 is responsible to rerandomize cipher texts.
𝐷𝑈 is responsible to rerandomize conversion keys and conversion (a) For each Attribute Authority, the process involves ran-
ciphertexts. domly choosing 𝛼𝑖𝑍𝑝 , determining 𝑌𝑖 = 𝑒(𝑔 , 𝑔)𝛼𝑖 , and
then distributing 𝑌𝑖 to other attribute authorities. As the
3.3. Security model process concludes, each attribute authority carries out the
∏𝑁 ∑𝑁
calculation for 𝑌 = 𝑖=1 𝛼𝑖 = 𝑒(𝑔 , 𝑔)𝛼 ,
The DO and the DU in our system are considered completely trust- ∑𝑁 𝑖=1 𝑌𝑖 = 𝑒(𝑔 , 𝑔)
where 𝛼 = 𝑖=1 𝛼𝑖 .
worthy. However, the reverse firewalls and cloud server are deemed
honest and curious, meaning they will comply with the algorithms (b) Each attribute authority 𝐴̂ 𝑖 operates as follows:
steps but will also endeavor to discover any private information within • Randomly select 𝑁 1 elements 𝑠𝑖𝑘𝑍𝑝 (𝑘
the data. Furthermore, there is a risk of the Attribute Authority collud- {1, 2, … , 𝑁}{𝑖}), calculate 𝑔 𝑠𝑖𝑘 and send it to other
ing with an adversary. In response to this challenge, we have put in attribute authorities.
place a selective CPA security game, and the sequence of events within • After receiving 𝑁 1 components 𝑔 𝑠𝑘𝑖 from other
this game is as follows: ascribe powers 𝐴̂ 𝑘 (𝑘 ∈ {1, 2, … , 𝑁}{𝑖}), the master
key 𝑀 𝐾 𝑖 is calculated by the following formula:
1. Init Phase: The rival 𝐵 declares a set of malicious attribute ∏
authorities 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 and access policies (𝑀𝑖 , 𝜌𝑖 )𝑖∈𝐼 to be 𝑀𝐾𝑖 = (𝑔 𝑠𝑖𝑘 𝑔 𝑠𝑘𝑖 )
challenged, where 𝐼 ⊆ {1, 2, … , 𝑁}, 𝐼 ⊆ {1, 2, … , 𝑁}. Then 𝑘∈{1,2,…,𝑁}{𝑖}
∑ ∑
𝐵 sends algorithms 𝐺𝑙𝑜𝑏𝑎𝑙𝑠𝑒𝑡𝑢𝑝 , 𝐴𝐴𝑆 𝑒𝑡𝑢𝑝 , 𝐾 𝑒𝑦𝐺𝑒𝑛 , 𝐾 𝑒𝑦.𝑟𝑎𝑛 , ( 𝑠𝑖𝑘 𝑠𝑘𝑖 )
𝑒𝑛𝑐 .𝑜𝑓 𝑓 𝑙𝑖𝑛𝑒 , 𝑒𝑛𝑐 .𝑜𝑛𝑙𝑖𝑛𝑒 to challenger 𝐹 . = 𝑔 𝑘∈{1,2,…,𝑁}{𝑖} 𝑘∈{1,2,…,𝑁}{𝑖}
, (2)
2. Setup Phase: 𝐹 executes algorithms 𝐺𝑙𝑜𝑏𝑎𝑙𝑠𝑒𝑡𝑢𝑝 and 𝐴𝐴𝑆 𝑒𝑡𝑢𝑝 to ∏𝑁
obtain the public parameter 𝑃 𝑎𝑟𝑎𝑚𝑠, attribute authorities public where 𝑖=1 𝑀 𝐾𝑖 = 1.
key 𝑃 𝐾 and private key pairs (𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 . Subsequently, the • For each attribute 𝐴𝑖,𝑗 ∈ 𝐴̃𝑖 , calculate 𝑢𝐴𝑖,𝑗 .
reverse firewall puts the 𝑊𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 algorithm into action to
Attribution authority publishes public key 𝑃 𝐾 = (𝑔 , 𝑢, ,
generate and announce the new public key 𝑃 𝐾 , and in doing
𝑤, 𝑣, 𝑒(𝑔 , 𝑔)𝛼 , 𝐺, 𝐺𝑇 ) and keeps its own private key 𝐴𝑆 𝐾 𝑖 =
so, also retains the corresponding random number 𝑓 . 𝐵 can
{𝛼𝑖 , (𝑢𝐴𝑗 )𝐴 ∈𝐴̂ , 𝑀 𝐾𝑖 }.
receive 𝑃 𝐾𝑖 from all non-malicious attribute authorities and 𝑗 𝑖
(𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 from all malicious attribute authorities.
3. KeyGen: Each attribute authority 𝐴̂ 𝑖 execute algorithm as fol-
3. Query Phase 1: Adaptive requests for secret keys regarding at-
lows:
tribute sets 𝑆1 , 𝑆2 , … , 𝑆𝑞 can be made by 𝐵. Each time 𝐵 per-
forms a key query, when submitting a set of attributes, it is (a) Select 𝜃𝑖 ∈ 𝑍𝑝 at random, thereafter derive the elements
imperative that they do not comply with the access structure of the secret key, denoted as 𝑀 𝐾𝑖𝑔 𝜃𝑖 , 𝑀 𝐾𝑖 ⋅ 𝑣−𝜃𝑖 , 𝑀 𝐾𝑖
rules outlined by (𝑀𝑖 , 𝜌𝑖 )𝑖∈𝐼 , nor come from a malicious at- 𝑔 𝛼𝑖 ⋅ 𝑤𝜃𝑖 and subsequently convey these elements to the
tribute authority 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 . For every query 𝑆𝑖 , 𝐹 executes pertinent attribute authorities.
4
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
(b) Upon obtaining the components from various attribute 4.2. CRF scheme
authorities, proceed to compute the secret key utilizing
the following steps: 1. Initialization: The attribute authorities runs 𝐺𝑙𝑜𝑏𝑎𝑙𝑆 𝑒𝑡𝑢𝑝 and
∏𝑁 ∑𝑁
𝐴𝐴𝑆 𝑒𝑡𝑢𝑝, each attribute authority sends 𝛼𝑖 to 𝐴𝐴 , then 𝐴𝐴
𝐾0 = 𝑀 𝐾𝑖𝑔 𝛼𝑖 ⋅ 𝑤𝜃𝑖 = 𝑔 𝑖=1 𝛼𝑖 𝑤𝑟 (3) executes algorithms as follows:
𝑖=1 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 Upon receiving the parameters from 𝐴𝐴, the CRF
𝑁 ∑𝑁 𝐴𝐴 calculates 𝛼 = 𝑁 𝑖=1 𝛼𝑖 , then randomly chooses 𝑎, 𝑏, 𝑐 , 𝑑 , 𝑒, 𝑓
𝐾1 = 𝑀 𝐾𝑖𝑔 𝜃𝑖 = 𝑔 𝑖=1 𝜃𝑖 = 𝑔𝑟 (4) 𝑍𝑝 and calculates 𝑔 = 𝑔 𝑎 , 𝑢 = 𝑢𝑏 , = 𝑐 , 𝑤 = 𝑤𝑑 , 𝑣 =
𝑖=1 2
𝑣𝑒 , 𝛼 = 𝛼 + 𝑓 , 𝑒(𝑔 , 𝑔 )𝛼 = 𝑒(𝑔 , 𝑔)𝑎 (𝛼+𝑓 ) . 𝐴𝐴 stores 𝑓 and
∏𝑁
𝐾𝑣 = 𝑀 𝐾𝑖 ⋅ 𝑣−𝜃𝑖 = 𝑣𝑟 (5) publishes the updated 𝑃 𝐾 = (𝑔 , 𝑢 , , 𝑤 , 𝑣 , 𝑒(𝑔 , 𝑔 )𝛼 , 𝐺, 𝐺𝑇 ).
After receiving 𝑃 𝐾 , 𝐴𝐴 executes 𝐾 𝑒𝑦𝐺𝑒𝑛 to generate secret key
𝑖=1
𝑆 𝐾 = {𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾𝑖,3 }𝑖∈[1,𝜎] , 𝑆𝐼 𝐷 } and sends 𝑆 𝐾 to CRF 𝐴𝐴 .
(c) For each attribute 𝜎 ∈ [𝑆𝐼 𝐷 ∩ 𝐴̂ 𝑖 ], randomly choose 𝑟𝜎 ∈ 𝐴𝐴 runs the following algorithm for re-randomization.
𝑍𝑝 , where 𝜎𝑁 and 𝑆𝐼 𝐷 denotes the set of users. 𝐴𝐴 .𝐾 𝐺 Provide 𝑃 𝐾 , 𝑓 and 𝑁 as input, where 𝑁 rep-
𝑟 𝑟 resents the total number of attributes. 𝐴𝐴 randomly selects
Calculate 𝐾𝑖,2 = 𝑔 𝑟𝑖 , 𝐾𝑖,3 = (𝑢𝐴𝑖 ) 𝑖𝐾𝑣 = (𝑢𝐴𝑖 ) 𝑖 𝑣𝑟 .
𝑟 , 𝑟1 , 𝑟2 , … , 𝑟𝑁𝑍𝑝 , calculates 𝐾 ̃′ = 𝑔 𝑓 𝑤 𝑟 , 𝐾
̃′ = 𝑔 𝑟 . For
Then user gets the secret key 𝑆 𝐾 = {𝐾0 , 𝐾1 , 0 1
𝑟𝑖
{𝐾𝑖,2 , 𝐾𝑖,3 }𝑖∈[1,𝜎] , 𝑆𝐼 𝐷 }. 𝑖 = 1, 2, … , 𝑁, 𝑊 computes 𝐾 = 𝑔 , 𝐾 = 𝑣 𝑟 , 𝐾
𝐴𝐴
̃
𝑖,2
̃ =
𝑣 𝑖,3
𝑟 𝑟
(𝑢 𝐴𝑖 ) 𝑖𝐾𝑣 = (𝑢 𝐴𝑖 ) 𝑖 𝑣 𝑟 . The intermediate key 𝑍 𝑆 𝐾 =
4. KeyGen.ran: Upon inputting 𝑆 𝐾, the data user independently ̃′ , 𝐾
(𝐾 ̃′ , {𝑟 , 𝐾
̃ ̃
,𝐾 } ).
0 1 𝑖 𝑖,2 𝑖,3 𝑖∈[1,𝑁]
selects a random element from the finite field 𝜏 ∈ 𝑍𝑝 , and
Eventually, 𝐴𝐴 computes 𝐾0 = 𝐾0 ⋅ 𝐾 ̃′ = 𝑔 𝛼+𝑓 𝑤 𝑟+𝑟 =
proceeds to calculate 𝐾0 = 𝐾0 1𝜏 = 𝑔 𝛼∕𝜏 𝑤𝑟∕𝜏 , 𝐾1 = 𝐾1 1𝜏 = 𝑔 𝑟∕𝜏 .
0
= 𝐾 1𝜏 = 𝑔 𝑟𝑖 ∕𝜏 , ̃′ = 𝑔 𝑟+𝑟 . For 𝑖 = 1, 2, … , 𝜎, where
𝑔 𝛼 𝑤 𝑟+𝑟 , 𝐾 = 𝐾𝐾
For 𝑖 = 1, 2, … , 𝜎, the data user calculates 𝐾𝑖,2 𝑖,2 1 1 1
𝐾𝑖,3
𝑟 ∕𝜏
= 𝐾 1𝜏 = (𝑢𝐴𝑖 ) 𝑖 𝑣−𝑟∕𝜏 . The transformation key, desig-
𝜎𝑁, 𝐴𝐴 calculates 𝐾𝑖,2 ̃
= 𝐾𝑖,2 ⋅ 𝐾
𝑖,2
= 𝑔 𝑟𝑖 +𝑟𝑖 , 𝐾𝑖,3
=
𝑖,3
= (𝑢 𝐴𝑖 )𝑟𝑖 +𝑟𝑖 𝑣 𝑟𝑟 . 
nated as 𝑇 𝐾 = (𝑆𝐼 𝐷 , 𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾 } ) and the recovery ̃
𝑖,3 𝑖∈[1,𝜎] 𝐾𝑖,3 ⋅ 𝐾 𝑖,3 𝐴𝐴 sends the updated 𝑆 𝐾 =
(𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾𝑖,3 } , 𝑆𝐼 𝐷 ) to data user.
key, denoted as 𝑅𝐾 = 𝜏, serve distinct functions within the
𝑖∈[1,𝜎]
cryptographic framework. 2. Data Upload: The data owner invokes the 𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒
5. Enc.Offline: Enter the 𝑃 𝐾, and let 𝑁 denote the upper limit on and 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 to obtain ciphertext 𝐶 𝑇 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 ,
the count of rows within the secret sharing matrix. The data {𝐶𝑗 ,1 , 𝐶𝑗 ,2 , 𝐶𝑗 ,3 }𝑗∈[1,𝑙] ) and verification credential 𝑇 𝑜𝑘𝑒𝑛, then
owner randomly chooses 𝑠𝑍𝑝 , calculates 𝐶̂ = 𝑒(𝑔 , 𝑔)𝛼𝑠 , 𝐶̂0 = 𝑔 𝑠 . sends 𝐶 𝑇 and 𝑇 𝑜𝑘𝑒𝑛 to CRF 𝐷𝑂 , 𝐷𝑂 executes algorithm as
For 𝑗 = 1, 2, … , 𝑁 , the data owner randomly chooses 𝑑𝑗𝑍𝑝 follows:
and calculates 𝐶̂𝑗 ,1 = 𝑣𝑑𝑗 , 𝐶̂𝑗 ,2 = 𝑑𝑗 , 𝐶̂𝑗 ,3 = 𝑔 𝑑𝑗 . The intermediate 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 Input 𝑃 𝐾 and 𝑁 , the notation 𝑁 is
ciphertext 𝑀 𝑇 = (𝑠, 𝐶̂ , 𝐶̂0 , {𝑑𝑗 , 𝐶̂𝑗 ,1 , 𝐶̂𝑗 ,2 , 𝐶̂𝑗 ,3 }𝑗∈[1,𝑁 ] ). used to represent the highest possible number of rows that are
6. Enc.Online: Input 𝑀 𝑇 , plaintext 𝑚, access structure (𝑀 , 𝜌), where allowed in the access structure. 𝐷𝑂 randomly chooses 𝑠𝑍𝑝
𝑀 is a matrix of 𝑙 rows and 𝑛 columns (𝑙𝑁 ). The data as secret value and calculates 𝐶̂ = 𝑒(𝑔 , 𝑔 )𝛼 𝑠 , 𝐶̂0 = 𝑔 𝑠 . For
𝑗 = 1, 2, … , 𝑁 , 𝐷𝑂 randomly chooses 𝑑𝑗𝑍𝑝 and calculates
owner randomly chooses vector 𝑦⃖⃗ = (𝑠, 𝑦2 , … , 𝑦𝑛 ) ∈ 𝑍𝑝𝑛×1 . The
𝑑 𝑑 𝑑
secret share is 𝜆⃖⃗ = (𝜆1 , 𝜆2 , … , 𝜆𝑙 )𝑇 = 𝑀 𝑦⃖⃗. Then the data owner 𝐶̂𝑗′,1 = 𝑣 𝑗 , 𝐶̂𝑗′,2 = 𝑗 , 𝐶̂𝑗′,3 = 𝑔 𝑗 . Enter the transitional
calculates 𝑇 𝑜𝑘𝑒𝑛 = 𝐻0 (𝑚), 𝐶 = 𝑚 ⋅ 𝐶̂ = 𝑚 ⋅ 𝑒(𝑔 , 𝑔)𝛼𝑠 , 𝐶0 = 𝐶̂0 = 𝑔 𝑠 . encryption, denoted as 𝑀 𝑇 = (𝑠 , 𝐶̂ , 𝐶̂ , {𝐶̂ , 𝐶̂ , 𝐶̂ } ). 0 𝑗 ,1 𝑗 ,2 𝑗 ,3 𝑗∈[1,𝑁 ]
For 𝑗 = 1, 2, … , 𝑙, data owner computes 𝐶𝑗 ,1 = 𝐶̂𝑗 ,1 ⋅ 𝑤𝜆𝑗 = 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 Input 𝑃 𝐾 , 𝑀 𝑇 and 𝐶 𝑇 . The CRF 𝐷𝑂
𝑑
𝑤𝜆𝑗 𝑣𝑑𝑗 , 𝐶𝑗 ,2 = 𝐶̂𝑗 ,2 ⋅ 𝑢𝜌(𝑗)𝑑𝑗 = (𝑢𝜌(𝑗) ) 𝑗 , 𝐶𝑗 ,3 = 𝐶̂𝑗 ,3 = 𝑔 𝑑𝑗 . randomly selects vector 𝑦⃖⃖⃗′ = (𝑠 , 𝑦2 , ..., 𝑦𝑛 )𝑇𝑍𝑝𝑛×1 , then secret
The ciphertext 𝐶 𝑇 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 , {𝐶𝑗 ,1 , 𝐶𝑗 ,2 , 𝐶𝑗 ,3 }𝑗∈[1,𝑙] ) and the shared vectors 𝜆⃖⃖⃗′ = (𝜆′ , … , 𝜆′ )𝑇 = 𝑀 𝑦⃖⃖⃗′ . Then 
1 𝑛 computes 𝐷𝑂
verification credential is 𝑇 𝑜𝑘𝑒𝑛. 𝐶 = 𝐶 ⋅ 𝐶̂ = 𝑚 ⋅ 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 ) , 𝐶0 = 𝐶0 ⋅ 𝐶̂0 = 𝑔 𝑠+𝑠 . For
7. Dec.Out: If the users attributes set, identified by 𝑆𝐼 𝐷 , does not 𝑗 = 1, 2, … , 𝑙, where 𝑙𝑁 , 𝐷𝑂 calculates
conform to the access structure, the cloud server will return 𝜆′ 𝜆 +𝜆′𝑗 𝑑𝑗 +𝑑𝑗
𝐶𝑗,1 = 𝐶𝑗 ,1 ⋅ 𝐶̂𝑗′,1 ⋅ 𝑤 𝑗 = 𝑤 𝑗 𝑣 , (8)
a null value ⊥ and terminate the algorithm. Otherwise, cloud
server collects 𝐼 = {𝑖, 𝜌(𝑖) ∈ 𝑆𝐼 𝐷 } and calculates {𝜔𝑖 ∈ 𝑍𝑝 }𝑖∈𝐼 , 𝜌(𝑗)𝑑𝑗 𝜌(𝑗) (𝑑𝑗 +𝑑𝑗 )
𝐶𝑗,2 = 𝐶𝑗 ,2 ⋅ 𝐶̂𝑗′,2 ⋅ 𝑢 = (𝑢 ) , (9)
where 𝑖∈𝐼 𝜔𝑖 ⋅ 𝑀𝑖 = (1, 0, … , 0) and 𝑀𝑖 is the 𝑖th row of matrix
𝑑 +𝑑𝑗
𝑀. Then the cloud server calculates 𝐶𝑗,3 = 𝐶𝑗 ,3 ⋅ 𝐶̂𝑗′,3 = 𝑔 𝑗 . (10)
𝑒(𝐶0 , 𝐾0 )
𝐴= ∏ 𝜔𝑖 The 𝐷𝑂 transmits the ciphertext 𝐶 𝑇 = (𝐶 , 𝐶0 , {𝐶𝑗,1 , 𝐶𝑗,2 ,
𝑖∈𝐼 (𝑒(𝐶𝑖,1 , 𝐾1 ) ⋅ 𝑒(𝐶𝑖,2 , 𝐾𝑗 ,2 ) ⋅ 𝑒(𝐶𝑖,3 , 𝐾𝑗 ,3 ))
𝐶𝑗,3 }𝑗∈[1,𝑙] , (𝑀 , 𝜌)), which has been re-randomized, along with
= 𝑒(𝑔 , 𝑔)𝛼 𝑠∕𝜏 , (6) the 𝑇 𝑜𝑘𝑒𝑛, to the cloud server.
3. Data Download: The data user runs 𝐾 𝑒𝑛𝐺𝑒𝑛.𝑟𝑎𝑛(𝑆 𝐾 ) and sends
in the given context, 𝑗 represents the position or identifier for 𝑇 𝐾 = (𝑆𝐼 𝐷 , 𝐾0 , 𝐾1 , {𝐾𝑖,2
, 𝐾 } ) to CRF 𝐷𝑈 . Then 𝐷𝑈
𝑖,3 𝑖∈[1,𝜎]
the attribute value 𝜌(𝑖) in 𝑆𝐼 𝐷 (). executes algorithm as follows:
8. Dec.User: The data user uses the conversion key 𝑅𝐾 to decrypt 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 𝐷𝑈 randomly chooses 𝜑 ∈ 𝑍𝑝 and calculates
as follows: 1𝜑 𝛼 ∕𝜏 𝜑 (𝑟+𝑟 )∕𝜏 𝜑
𝐶 𝑒(𝑔 , 𝑔)𝛼𝑠 𝑚 𝐾0 = 𝐾
0
= 𝑔 𝑤 , (11)
= 𝜏 = 𝑚, (7)
𝐴𝜏 (𝑒(𝑔 , 𝑔)𝛼𝑠∕𝜏 ) 1𝜑 (𝑟+𝑟 )∕𝜏 𝜑
𝐾1 = 𝐾
1
= 𝑔 , (12)
then data user uses the verification credential 𝑇 𝑜𝑘𝑒𝑛 to com- 1𝜑 (𝑟 +𝑟 )∕𝜏 𝜑
plete the ciphertext verification, if 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds, the 𝐾𝑖,2 = 𝐾
𝑖,2
= 𝑔 𝑖 𝑖 , (13)
ciphertext is correct. Otherwise, the ciphertext may have been 1𝜑 𝐴 (𝑟𝑖 +𝑟𝑖 )∕𝜏 𝜑 (𝑟+𝑟 )∕𝜏 𝜑
𝐾𝑖,3 = 𝐾
𝑖,3
= (𝑢 𝑖 ) 𝑣 . (14)
tampered with.
5
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
𝐷𝑈 stores 𝜑 ∈ 𝑍𝑝 and sends re-randomize conversion key 𝑒(𝐶0 , 𝐾0 )
𝑇 𝐾 = (𝑆𝐼 𝐷 , 𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾 } ) to the cloud server. 𝐴 = ∏ 𝜔𝑖
𝑖,3 𝑖∈[1,𝜎] 𝑖∈𝐼 (𝑒(𝐶𝑖,1 , 𝐾1 ) ⋅ 𝑒(𝐶𝑖,2 , 𝐾𝑗 ,2 ) ⋅ 𝑒(𝐶𝑖,3 , 𝐾𝑗 ,3 ))
When receiving a decryption request from a data user, the cloud
server performs 𝐷𝑒𝑐 .𝑂𝑢𝑡(𝑇 𝐾 , 𝐶 𝑇 ) to acquire a partially de- 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 𝑒(𝑔 , 𝑤 )(𝑟+𝑟 )(𝑠+𝑠 )∕𝜏 𝜑
= ∏
⋅∏
crypted ciphertext 𝑇 𝐶 𝑇 . The cloud server sends 𝑇 𝐶 𝑇 = (𝐶 , 𝐴 = (𝑟+𝑟 )(𝜆𝑖 +𝜆𝑖 )𝜔𝑖 ∕𝜏 𝜑 (𝑟+𝑟 )(𝑑𝑖 +𝑑𝑖 )𝜔𝑖 ∕𝜏 𝜑
𝑖∈𝐼 𝑒(𝑔 , 𝑤 ) 𝑖∈𝐼 𝑒(𝑔 , 𝑣 )
𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 ) and 𝑇 𝑜𝑘𝑒𝑛 to 𝐷𝑈 , 𝐷𝑈 runs algorithms as 1
⋅∏
follows.
𝜌(𝑖)(𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑
𝑖∈𝐼 𝑒(𝑔 , 𝑢 )
𝐷𝑈 .𝐷𝑒𝑐 The CRF 𝐷𝑈 computes 𝐴 = 𝐴𝜑 = 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏
1
and sends 𝑇 𝐶 𝑇 = (𝐶 , 𝐴 ) and 𝑇 𝑜𝑘𝑒𝑛 to the data user. ⋅∏
(15)
𝑖∈𝐼 𝑒(𝑔 , )(𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑
After receiving re-randomize partially decrypted ciphertext, data
user runs 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 to recover plaintext 𝑚. Then the data user 1
⋅∏
uses the verification credential 𝑇 𝑜𝑘𝑒𝑛 to finish the ciphertext 𝑖∈𝐼 𝑒(𝑔 , 𝑢 )𝐴𝑖 (𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑
verification, if 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds, the ciphertext is correct. 1 1
⋅∏
⋅∏
(𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑 (𝑟+𝑟 )(𝑑𝑖 +𝑑𝑖 )𝜔𝑖 ∕𝜏 𝜑
𝑖∈𝐼 𝑒(𝑔 , ) 𝑖∈𝐼 𝑒(𝑔 , 𝑣 )
5. Security analysis 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 𝑒(𝑔 , 𝑤 )(𝑟+𝑟 )(𝑠+𝑠 )∕𝜏 𝜑
= ∑
= 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 .
(𝑟+𝑟 ) 𝑖∈𝐼 (𝜆𝑖 +𝜆𝑖 )𝜔𝑖 ∕𝜏 𝜑
𝑒(𝑔 , 𝑤 )
5.1. Security proof (16)
𝛼 (𝑠+𝑠 )∕𝜏
𝐶 𝐶 𝑚 ⋅ 𝑒(𝑔 , 𝑔 )
Theorem 1. Given that the 𝑞-BDHE assumption holds true, the proposed ′𝜏
= 𝜑𝜏 =
=𝑚 (17)
𝐴 𝐴 𝑒(𝑔 , 𝑔 )𝛼 (𝑠+𝑠 )∕𝜏
scheme is deemed secure against selective CPA.
It is evident from the aforementioned equations that the message
m remains decryptable under normal circumstances even after
Proof. If a polynomial-time adversary 𝐵 can effectively compromise the the implementation of a cryptographic reverse firewall. Conse-
proposed scheme with a significant advantage, then we can develop a quently, the functionality of the cryptographic reverse firewalls
challenger 𝐹 to solve the 𝑞-BDHE problem with a significant advantage. is preserved.
The process is as follows: 2. Weakly Security-preserving and Weakly Exfiltration-resistant
Init Phase: The adversary 𝐵 submits access policies (𝑀𝑖 , 𝜌𝑖 )𝑖∈𝐼 and We assume the following security game process.
a set of malicious attribute authorities 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 , where 𝑀𝑖 is a 𝑙 𝑛 Game 0: Same as chapter 3 security games.
matrix. Furthermore, the attributes within the access structure must Game 1: In the init phase, attribute authorities 𝑃 𝐾 , 𝐴𝑆 𝐾 𝑖 are
originate from trusted attribute authorities and cannot be maliciously generated by algorithms GlobalSetup and AASetup of basic
manipulated. scheme, not GlobalSetup*, AASetup* and 𝐴𝐴 .SetUp. The sub-
Setup Phase: The challenger 𝐹 executes algorithms AASetup and sequent algorithms are carried over unchanged from Game
GlobalSetup to generate public parameter 𝑃 𝑎𝑟𝑎𝑚𝑠 = {𝑔 , 𝑢, 𝑣, 𝑤, , 𝐺, 𝐺𝑇 , 0.
𝐻0 ()} and private keys (𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 . The reverse firewall 𝐴𝐴 ex- Game 2: During both phase 1 and phase 2, the secret key 𝑆 𝐾 is
ecutes the algorithm 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 to re-random public key, then 𝐴𝐴 derived from the KeyGen algorithm of the foundational scheme,
publishes updated public key 𝑃 𝐾 . rather than being produced by KeyGen* or the 𝐴𝐴 .𝐾 𝐺. The
Query Phase 1: During this phase, 𝐵 can dynamically request secret 𝑇 𝐾 is produced using the KeyGen.ran function of the underlying
keys for attribute sets 𝑆1 , 𝑆2 , … , 𝑆𝑞 . For every query 𝑆𝑖 , 𝐹 executes scheme, and not through KeyGen.ran* or the 𝐷𝑈 .TKUpdate.
algorithm KeyGen to obtain corresponding secret key 𝑆 𝐾𝑖 . Then 𝐹 The subsequent algorithms mirror those utilized in Game 1.
executes algorithm 𝐴𝐴 .𝐾 𝐺 to get re-randomized secret key 𝑆 𝐾𝑖 . Game 3: During the challenge phase, the ciphertext labeled
Subsequently, 𝐹 executes KeyGen.ran to get conversion key 𝑇 𝐾𝑖 . Then as 𝐶 𝑇𝑏 is constructed through the process of encryption de-
𝐹 runs 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 to get re-randomized conversion key 𝑇 𝐾𝑖 . 𝐶 noted by Enc.offline, Enc.online, not Enc.offline*, Enc.online*,
returns (𝑆 𝐾𝑖 , 𝑇 𝐾𝑖 ) to 𝐵. 𝐷𝑂 .Enc.offline and 𝐷𝑂 .Enc.online. Actually, Game 3 is the
Challenge Phase: 𝐵 provides two messages, 𝑚0 and 𝑚1 , of equal security game of basic scheme.
length. 𝐹 randomly selects 𝑏 ∈ {0, 1} and runs Enc.Offline* and We then proceed to demonstrate the indistinguishability be-
tween Game 0 and Game 1, followed by Game 1 and Game
Enc.Online* to get challenge ciphertext 𝐶 𝑇𝑏 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 , {𝐶𝑗 ,1 , 𝐶𝑗 ,2 ,
2, and finally between Game 2 and Game 3, each in isolation.
𝐶𝑗 ,3 }𝑗∈[1,𝑙] ).
Between Game 0 and Game 1, it is observed that no matter
Then 𝐹 executes 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 and 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 Obtain a
the modifications introduced by the tampered GlobalSetup* and,
ciphertext 𝐶 𝑇𝑏 . 𝐹 that has been re-randomized sends 𝐶 𝑇𝑏 to 𝐵.
AASetup* algorithms, after the application of re-randomization
Query Phase 2: The challenger 𝐹 proceeds as in Query Phase 1.
via the 𝑊𝐴𝐴 reverse firewall, the public parameter 𝑃 𝐾 always
Guess Phase: 𝐵 outputs a bit 𝑏 ∈ {0, 1}. If 𝑏 = 𝑏, then 𝐹 outputs 0
corresponds to the structure of the 𝑃 𝐾 that is generated by the
(meaning that 𝐵 obtains the normally generated ciphertext). If 𝑏
standard algorithm. This uniformity is due to the malleability
𝑏, then 𝐹 outputs 1(meaning that 𝐵 obtains the randomly selected
of the key in question. Consequently, there is no distinguishable
element). Hence, the adversary 𝐵 has advantage of 𝜖 security game
difference between Game 0 and Game 1.
directly correlates to the ability of function 𝐹 to resolve the 𝑞-BDHE
Given that the secret key 𝑆 𝐾 and the conversion key 𝑇 𝐾,
problem with the same level of probability.
which are produced for the user by the attribute authority, also
possess malleability, it follows that Game 1 and Game 2 are
5.2. Security analysis indistinguishable. When it comes to Game 2 and Game 3, the 𝐶 𝑇
will undergo rerandomization by the reverse firewall, resulting
The features of the proposed scheme include: in a new ciphertext 𝐶 𝑇 , a process that is a consequence of
the ciphertexts malleable nature. Thus, regardless of how the
1. Function Maintaining Enc.offline* and Enc.online* algorithms operate, the ultimate
If the collection of attributes associated with the secret key configuration of the ciphertext aligns with that of the basic
constitutes an authorized set, then the equation 𝑖∈𝐼 𝜔𝑖 ⋅ (𝜆𝑖 + schemes ciphertext structure. Consequently, there is no distin-
𝜆𝑖 ) = 𝑠 + 𝑠 holds. Thus, guishable difference between Game 2 and Game 3. In summary,
6
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
Table 1
Function comparison.
Scheme With CRFs Outsource Offline encryption Multi-authority Ciphertext verification Access structure
Guo et al. [25] ✕ ✓ ✓ ✕ ✕ Tree
Chaudhary et al. [28] ✕ ✓ ✕ ✓ ✕ LSSS
Hong et al. [31] ✓ ✕ ✕ ✓ ✕ LSSS
Zhong et al. [29] ✕ ✓ ✕ ✕ ✕ Tree
Zhao et al. [32] ✓ ✓ ✓ ✕ ✕ Tree
Jin et al. [33] ✓ ✕ ✕ ✕ ✕ LSSS
Elhabob et al. [34] ✓ ✕ ✕ ✕ ✓ Tree
Ours ✓ ✓ ✓ ✓ ✓ TREE
we deduce that Game 0 and Game 3 are equivalent in terms of By combining the above technologies, this method not only pro-
their indistinguishability. Given that the foundational scheme is tects the communication channel, but also improves the security
secure, it follows that the proposed scheme is also secure. of information.
3. Message Verification
The data user(vehicle/RSU) use parameters 𝑇 𝑜𝑘𝑒𝑛, 𝑚 and hash 6. Performance evaluation
function 𝐻0 () to check whether equation 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds
true. With the help of the verification procedure described, the 6.1. Experimental setup
data user can identify any tampering that may have occurred
with the message. Additionally, it provides assurance regarding The following outlines the hardware and software contexts utilized
the completeness and dependability of the received message. If for conducting the experiment:
the message changes, the equation will not holds. Therefore, the
proposed scheme supports the message verification. • The experimental apparatus consists of a desktop computer
4. Collusion Resistance equipped with a 3.2 GHz AMD Ryzen 5 5600x CPU, 16 GB of
RAM, and runs the Windows 11 Professional (x64) OS.
Theorem 2. Should the difficulty of the discrete logarithm problem remain • The experimental schemes are realized using Java 8 and the
uncompromised, the proposed scheme can defend against collusion attacks JPBC 2.0.0 library [32]. The prime-order bilinear pairings are
initiated by up to 𝑁 1 attribute authorities. constructed upon a 160-bit elliptic curve group, which is founded
on the equation 𝑦2 = 𝑥3 + 𝑥.
According to the encryption process, each attribute authority
randomly chooses 𝑠𝑖𝑘𝑍𝑝 and attribute authority extends 6.2. Theoretical analysis
the value 𝑔 𝑠𝑖𝑘 to all the other attribute authorities involved.
Given the difficulty inherent in the discrete logarithm problem, it Table 1 provides a side-by-side comparison to examine the function-
would be problematic for an adversary 𝐵 to deduce 𝑠𝑖𝑘 from 𝑔 𝑠𝑖𝑘 ality of our proposed scheme in relation to other schemes. Scheme [25]
alone. Hence, even with the combined efforts of 𝑁 2 attribute supports outsourced decryption and online encryption, but the rest
authorities working in tandem with the adversary, guessing a of the functionality is not realized. Scheme [28] introduced multiple
valid 𝑀 𝐾𝑖 remains an unattainable task for the adversary. Con- authorities to protect against collusion attacks. Scheme [29] only pro-
sequently, the adversary cannot devise a valid secret key 𝑆 𝐾. vides outsource decryption, thus the efficiency of encryption phase is
This renders the proposed scheme resistant to collusion attacks not good enough. Scheme [3134], add CRF modules between entities
carried out by 𝑁 1 attribute authorities. based on the above schemes. However, these schemes either do not
have outsourced decryption or do not have multiple attribute authori-
5.3. Informal security analysis ties, which has some disadvantages. Our scheme provides both of these
features, taking into account both efficiency and security. Through
1. Side channel attack defenses comparison, we can find that the proposed scheme adds cryptographic
The proposed scheme utilizes CRF technology, which signif- reverse firewalls between entities. By employing these firewalls, the
icantly reduces the computational overhead while enhancing system is fortified with a layer of defense that maintains its func-
security. By leveraging CRF, it reduces the risk of messages tional integrity against potential subversion attacks and any attempts
being attacked and complicates potential threats. In addition, to tamper with its algorithms.
multi-authorization technology maximizes the security of the The introduction of multi-attribute authorities ensures that the sys-
entire system, effectively preventing single-point leakage, while tem is resistant to collusion attacks. The proposed scheme also provides
balancing power consumption and execution time. These two outsourcing decryption as well as offline encryption, which requires
methods not only improve the efficiency, but also provide strong low computation for the users to obtain the ciphertext. Addition-
protection against side channel attacks. ally, verification credentials empower users to check and ensure the
In short, the scheme effectively combines efficiency and en- ciphertexts integrity.
hanced security, making it suitable for secure communication in The following notations are applied within Tables 2 and 3 are as
vehicular networks that are susceptible to side channels. follows: 𝐸 signifies an exponential operation, and 𝑃 denotes a bilinear
2. Man-in-the-Middle attack defense0 pairing operation. In the given context, 𝑀 signifies the number of rows
The proposed scheme uses CP-ABE technology. This technique in a matrix as well as the number of leaf nodes in an access tree. The
uses a ciphertext policy, which embeds the access policy into the symbol 𝑙 is used to denote the total number of attributes possessed by
ciphertext. This improves the security and flexibility of access users, while 𝑘 signifies the minimum number of attributes from the
control and reduces the risk of man-in-the-middle attack (MITI) access structure required to fulfill the decryption criteria.
due to identity forgery. As shown in Table 2, our scheme is in the middle of the 𝐾 𝑒𝑦𝐺𝑒𝑛
In addition, we enhance the CRF module by integrating key pa- phase. However, our scheme achieves the lowest computational over-
rameter re-randomization within the multi-authority ABE frame- head in the 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase. In the 𝐷𝑒𝑐 .𝑂𝑢𝑡 phase, our scheme does
work. In addition, the proposed scheme also supports message not achieve significant advantages. But in 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 phase, our scheme
integrity verification, easily executable by onboard terminals requires only a single exponential operation, reaches a constant level
using simple hash functions. of computational overhead.
7
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
Fig. 3. Time consumption of basic scheme.
Table 2
Computation comparison.
Scheme KeyGen Encryption Outsource decryption User decryption
Offline Online
Guo et al. [25] (𝑙 + 4)𝐸 (3𝑀 + 1)𝐸 3𝐸 2𝑙𝐸 + 2𝑙𝑃 𝐸
Chaudhary et al. [28] (2𝑙 + 2)𝐸 ✕ (3𝑀 + 1)𝐸 (4𝑙 + 2)𝐸 𝐸
Zhong et al. [29] (3𝑙 + 6)𝐸 ✕ (2𝑀 + 2)𝐸 ✕ 2𝑙𝐸 + (𝑙 + 1)𝑃
Hong et al. [31] (4𝑙 + 2)𝐸 + 𝑃 ✕ (5𝑀 + 2)𝐸𝐸 + (3𝑘 + 1)𝑃
Zhao et al. [32] (2𝑙 + 4)𝐸 3𝑀 𝐸 + 𝑃 3𝐸 (3𝑙 + 1)𝐸 + (2𝑙 + 1)𝑃 2𝐸
Jin et al. [33] 𝑙𝐸 + 𝑃 ✕ 6𝑀 𝐸 + 3𝑃𝑙𝐸 + 2𝑃
Elhabob et al. [34] (2𝑙 + 2)𝐸 ✕ 4𝐸 ✕ 3𝐸
Ours (2𝑙 + 3)𝐸 (2𝑀 + 2)𝐸 3𝐸 𝑙𝐸 + 3𝑙𝑃 𝐸
Table 3 Fig. 3(a) demonstrates that our scheme has a low computational
Time consumption of CRFs.
overhead., is observed to be low. As shown in Fig. 3(b), when compar-
Scheme 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 𝐴𝐴 .𝐾 𝐺 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 ing the computational overhead of the 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase, our scheme,
Hong et al. [31] 2𝑙𝐸 + 2𝑙𝑃 (5𝑙 + 2)𝐸 2𝑙𝐸 + 𝑃 which benefits from the preprocessing performed in the 𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒
Zhao et al. [32] 2𝐸 (2𝑙 + 3)𝐸 4𝐸
phase, has the lowest computational overhead of all the schemes eval-
Jin et al. [33] (𝑙 + 2)𝐸 (2𝑙 + 2)𝐸 𝑃
Elhabob et al. [34] 2𝐸 (2𝑙 + 3)𝐸 4𝐸 uated. In terms of Fig. 3(c), the efficiency of our scheme is in the
Ours 5𝐸 (2𝑙 + 3)𝐸 2𝐸 middle of the 𝐷𝑒𝑐 .𝑂𝑢𝑡 phase. While in the 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 phase, our scheme
maintains the lowest computational overhead, It is also significant to
observe that the overhead does not fluctuate with varying counts of
attributes in the system.
In terms of CRFs time consumption, our scheme achieves time con-
As depicted in Fig. 4, there is a performance comparison for the re-
sumption of constant level in 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 phase as illustrated in 3, the
randomization of secret keys by CRF 𝐴𝐴 . Our schemes computational
time overhead does not fluctuate based on the count of attributes within
overhead is similar to that of scheme [32], which is at the lower
the system. Moreover, our scheme achieves the highest efficiency in
level. Moreover, as shown in Fig. 5, the computational overhead of
terms of the 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase, and requires only two exponential
our scheme in the 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase is the most efficient and does
operations.
not escalate linearly with an increase in vehicle attributes, which is a
distinct advantage over other scheme [31]. And compared with [33,
6.3. Practical analysis 34], the proposed scheme still has an advantage in the computational
overhead of 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 phase.
In light of the hardware and software environment described within In summary, our scheme reduces resource consumption on the user
the xperimental Setup section, Fig. 3 presents a performance comparison side and improves the efficiency of data flow in vehicles with limited
of the multiple phases of our scheme. computing power.
8
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
Acknowledgments
This work was supported in part by Key project of Gansu Science
and Technology Plan (23YFGA0081), Gansu Province College Industry
Ssupport Plan (2023CYZC-09), National Natural Science Foundation of
China (No. 62362059).
Data availability
The authors do not have permission to share data.
References
Fig. 4. Time consumption of 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝.
[1] Siyi Liao, Jun Wu, Jianhua Li, Ali Kashif Bashir, Shahid Mumtaz, Alireza Jolfaei,
Nida Kvedaraite, Cognitive popularity based AI service sharing for software-
defined information-centric networks, IEEE Trans. Netw. Sci. Eng. 7 (4) (2020)
21262136.
[2] Rich Miller, Rolling zettabytes: Quantifying the data impact of connected cars,
Data Cent. Front. (2020).
[3] Kayhan Zrar Ghafoor, Linghe Kong, Sherali Zeadally, Ali Safaa Sadiq, Gre-
gory Epiphaniou, Mohammad Hammoudeh, Ali Kashif Bashir, Shahid Mumtaz,
Millimeter-wave communication for internet of vehicles: status, challenges, and
perspectives, IEEE Internet Things J. 7 (9) (2020) 85258546.
[4] Soheila Ghane, Alireza Jolfaei, Lars Kulik, Kotagiri Ramamohanarao, Deepak
Puthal, Preserving privacy in the internet of connected vehicles, IEEE Trans.
Intell. Transp. Syst. 22 (8) (2020) 50185027.
[5] Liang Zhao, Hongmei Chai, Yuan Han, Keping Yu, Shahid Mumtaz, A collabo-
rative V2X data correction method for road safety, IEEE Trans. Reliab. 71 (2)
(2022) 951962.
[6] Weisong Shi, Jie Cao, Quan Zhang, Youhuizi Li, Lanyu Xu, Edge computing:
Vision and challenges, IEEE Internet Things J. 3 (5) (2016) 637646.
Fig. 5. Time consumption of 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒. [7] Zhenyu Zhou, Haijun Liao, Bo Gu, Shahid Mumtaz, Jonathan Rodriguez, Resource
sharing and task offloading in IoT fog computing: A contract-learning approach,
IEEE Trans. Emerg. Top. Comput. Intell. 4 (3) (2019) 227240.
[8] Xingwang Li, Zhen Xie, Zheng Chu, Varun G Menon, Shahid Mumtaz, Jianhua
7. Conclusion Zhang, Exploiting benefits of IRS in wireless powered NOMA networks, IEEE
Trans. Green Commun. Netw. 6 (1) (2022) 175186.
[9] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters, Attribute-based encryp-
In the IoV environment, securing the encryption and sharing of the tion for fine-grained access control of encrypted data, in: Proceedings of the 13th
vast amounts of data generated by vehicles, while preventing data leak- ACM Conference on Computer and Communications Security, 2006, pp. 8998.
age due to device tampering, presents significant challenges. To address [10] Amit Sahai, Brent Waters, Fuzzy identity-based encryption, in: Advances in
these challenges, we propose an advanced attribute-based encryption CryptologyEUROCRYPT 2005: 24th Annual International Conference on the
Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May
scheme, enhanced with a cryptographic reverse firewall, specifically
22-26, 2005. Proceedings 24, Springer, 2005, pp. 457473.
designed for the IoV ecosystem. This scheme is supported by multiple [11] John Bethencourt, Amit Sahai, Brent Waters, Ciphertext-policy attribute-based
attribute authorities, which not only defend against collusion attacks encryption, in: 2007 IEEE Symposium on Security and Privacy, SP07, IEEE,
but also enable offline encryption and outsourced decryption. These 2007, pp. 321334.
[12] Matthew Green, Susan Hohenberger, Brent Waters, Outsourcing the decryption
integrated features greatly improve the computational efficiency of
of {abe} ciphertexts, in: 20th USENIX Security Symposium, USENIX Security 11,
vehicular onboard units. Additionally, we deploy RSUs with CRFs 2011.
between the entities, ensuring that data remains secure even in the [13] Junzuo Lai, Robert H. Deng, Chaowen Guan, Jian Weng, Attribute-based encryp-
event of device tampering. The proposed attribute-based encryption tion with verifiable outsourced decryption, IEEE Trans. Inf. Forensics Secur. 8
scheme, combined with the reverse firewall mechanism, shows great (8) (2013) 13431354.
[14] Suqing Lin, Rui Zhang, Hui Ma, Mingsheng Wang, Revisiting attribute-based
promise in securing data transmission and storage within the IoV, while
encryption with verifiable outsourced decryption, IEEE Trans. Inf. Forensics
protecting against unauthorized access and data leakage. Secur. 10 (10) (2015) 21192130.
[15] Cong Zuo, Jun Shao, Guiyi Wei, Mande Xie, Min Ji, CCA-secure ABE with
outsourced decryption for fog computing, Future Gener. Comput. Syst. 78 (2018)
CRediT authorship contribution statement
730738.
[16] James Ball, Julian Borger, Glenn Greenwald, et al., Revealed: how US and UK
Xiaodong Yang: Writing review & editing, Writing original spy agencies defeat internet privacy and security, Know Your Neighb. (2013).
draft. Xilai Luo: Writing review & editing, Writing original draft. [17] Stephen Checkoway, Ruben Niederhagen, Adam Everspaugh, Matthew Green,
Tanja Lange, Thomas Ristenpart, Daniel J Bernstein, Jake Maskiewicz, Hovav
Zefan Liao: Writing review & editing, Writing original draft. Wenjia Shacham, Matthew Fredrikson, On the practical exploitability of dual {ec} in
Wang: Writing review & editing, Writing original draft. Xiaoni {tls} implementations, in: 23rd USENIX Security Symposium, USENIX Security
Du: Writing review & editing, Writing original draft. Shudong Li: 14, 2014, pp. 319335.
Writing review & editing, Writing original draft. [18] Yevgeniy Dodis, Chaya Ganesh, Alexander Golovnev, Ari Juels, Thomas Risten-
part, A formal treatment of backdoored pseudorandom generators, in: Advances
in CryptologyEUROCRYPT 2015: 34th Annual International Conference on the
Declaration of competing interest Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April
26-30, 2015, Proceedings, Part I 34, Springer, 2015, pp. 101126.
[19] Ilya Mironov, Noah Stephens-Davidowitz, Cryptographic reverse firewalls, in: Ad-
The authors declare that they have no known competing finan- vances in Cryptology-EUROCRYPT 2015: 34th Annual International Conference
cial interests or personal relationships that could have appeared to on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria,
influence the work reported in this paper. April 26-30, 2015, Proceedings, Part II 34, Springer, 2015, pp. 657686.
9
X. Yang et al. Journal of Systems Architecture 160 (2025) 103331
[20] Brent Waters, Ciphertext-policy attribute-based encryption: An expressive, effi- Xilai Luo is presently a masters degree candidate at the
cient, and provably secure realization, in: International Workshop on Public Key College of Computer Science and Engineering, Northwest
Cryptography, Springer, 2011, pp. 5370. Normal University, located in China. His academic pur-
[21] Shucheng Yu, Cong Wang, Kui Ren, Wenjing Lou, Achieving secure, scalable, suits are focused on the areas of artificial intelligence,
and fine-grained data access control in cloud computing, in: 2010 Proceedings information security, and cryptography.
IEEE INFOCOM, IEEE, 2010, pp. 19.
[22] Kan Yang, Xiaohua Jia, Kui Ren, Ruitao Xie, Liusheng Huang, Enabling efficient
access control with dynamic policy updating for big data in the cloud, in: IEEE
INFOCOM 2014-IEEE Conference on Computer Communications, IEEE, 2014, pp.
20132021.
[23] Jun Feng, Hu Xiong, Jinhao Chen, Yang Xiang, Kuo-Hui Yeh, Scalable and
revocable attribute-based data sharing with short revocation list for IIoT, IEEE
Internet Things J. 10 (6) (2022) 48154829. Zefan Liao is actively working towards his masters degree
[24] Qian Mei, Hu Xiong, Yeh-Cheng Chen, Chien-Ming Chen, Blockchain-enabled in the College of Computer Science and Engineering at
privacy-preserving authentication mechanism for transportation cps with Northwest Normal University, China. His areas of research
cloud-edge computing, IEEE Trans. Eng. Manage. (2022). interest include the fields of edge computing, information
[25] Rui Guo, Geng Yang, Huixian Shi, Yinghui Zhang, Dong Zheng, O 3-R-CP-ABE: An security, and cryptography.
efficient and revocable attribute-based encryption scheme in the cloud-assisted
IoMT system, IEEE Internet Things J. 8 (11) (2021) 89498963.
[26] Melissa Chase, Multi-authority attribute based encryption, in: Theory of Cryp-
tography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, the
Netherlands, February 21-24, 2007. Proceedings 4, Springer, 2007, pp. 515534.
[27] Allison Lewko, Brent Waters, Decentralizing attribute-based encryption, in: An-
nual International Conference on the Theory and Applications of Cryptographic
Techniques, Springer, 2011, pp. 568588. Wenjia Wang is pursuing her masters degree within the
[28] Chandan Kumar Chaudhary, Richa Sarma, Ferdous Ahmed Barbhuiya, RMA- College of Computer Science and Engineering at Northwest
CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT Normal University, China. Her research interests are cen-
devices, Future Gener. Comput. Syst. 138 (2023) 226242. tered on the topics of data security and network security.
[29] Hong Zhong, Yiyuan Zhou, Qingyang Zhang, Yan Xu, Jie Cui, An efficient and
outsourcing-supported attribute-based access control scheme for edge-enabled
smart healthcare, Future Gener. Comput. Syst. 115 (2021) 486496.
[30] Hui Ma, Rui Zhang, Guomin Yang, Zishuai Song, Shuzhou Sun, Yuting Xiao,
Concessive online/offline attribute based encryption with cryptographic reverse
firewalls—Secure and efficient fine-grained access control on corrupted machines,
in: Computer Security: 23rd European Symposium on Research in Computer
Security, ESORICS 2018, Barcelona, Spain, September 3-7, 2018, Proceedings, Xiaoni Du received the Ph.D. degree in cryptography from
Part II 23, Springer, 2018, pp. 507526. Xidian University, Xian, China, in 2008.
[31] Bo Hong, Jie Chen, Kai Zhang, Haifeng Qian, Multi-authority non- She worked as a Visiting Scholar with the University of
monotonic KP-ABE with cryptographic reverse firewall, IEEE Access 7 (2019) Kentucky, Lexington, KY, USA, and Hong Kong University
159002159012. of Science and Technology, Hong Kong, in 2011 and 2014,
[32] Yang Zhao, Yuwei Pang, Xingyu Ke, Bintao Wang, Guobin Zhu, Mingsheng Cao, respectively. She is currently a Professor with the College
A metaverse-oriented CP-ABE scheme with cryptographic reverse firewall, Future of Mathematics and Statistics, Northwest Normal Univer-
Gener. Comput. Syst. 147 (2023) 195206. sity, Lanzhou, China. Her main research interests include
[33] Jin C., Chen Z., Qin W., et al., Blockchain-based proxy re-encryption scheme information security, cryptography, and coding.
with cryptographic reverse firewall for IoV, Int. J. Netw. Manage. (2024) e2305.
[34] Elhabob R., Eltayieb N., Xiong H., et al., Equality test public key encryption
with cryptographic reverse firewalls for cloud-based E-commerce, IEEE Trans.
Consum. Electron. (2024). Shudong Li received the M.S. degree in applied mathe-
matics from Tongji University, Shanghai, China, in 2005,
and the Ph.D. degree in Posts and Telecommunications from
Xiaodong Yang (Member, IEEE) received the M.S. degree Beijing University, Beijing, China, in 2012.
in cryptography from Tongji University, Shanghai, China, in From 2013 to 2018, he held the position of a post-
2005, and the Ph.D. degree in cryptography from Northwest doctoral researcher at the National University of Defense
Normal University, Lanzhou, China, in 2010. Technology in Changsha, China. He now serves as a Pro-
In his role as a Postdoctoral Researcher at Chinas State fessor at the Cyberspace Institute of Advanced Technology
Key Laboratory of Cryptology in Beijing during 2016, he at Guangzhou University. His primary research interests
played a significant part in advancing the field. Today, he are in the realms of Big Data and its security, malware
holds the position of Professor at the College of Computer identification, and cloud computing.
Science and Engineering, Northwest Normal University. The
core of his research is anchored in public-key cryptogra-
phy, information security protocols, and the application of
wireless sensor networks.
10
Reference in New Issue View Git Blame Copy Permalink