Enabling comparable data access control for lightweight mobile devices in clouds
First Claim
1. A method for encrypting data in a computer based processing system using a trust authority with a public key PK and a master key MK, the method comprising:
- sending a request for a partially encrypted header {tilde over (H)} to the trust authority with a specified access control policy Ps;
receiving a partially encrypted header computed by the trust authority, wherein the partially encrypted header {tilde over (H)} is based on the public key PK, the master key MK, and the specified access control policy Ps;
encrypting data using the partially encrypted header {tilde over (H)};
wherein the data is encrypted according to the following algorithm;
Encrypt(Ĥ
)→
(H, Ks);
Given the partially encrypted header, the algorithm produces the session key Ks and ciphertext H={S, C, ES, ES, Ê
S, Ê
S} to cloud storage; and
further wherein each part of H is generated as follows;
1) randomly choosing two secrets s1, s2 ∈
n,2) computing the main secret s=s1+s2 ∈
n and deriving
C=sW∈
, 3) producing the session key Ks=e(G, W)α
s and using Ks to encrypt the data,4) computing ES=s1T and ES=s2T, and5) computing each of Ê
S=s1{right arrow over (ψ
)}ST·
s1W=s1{right arrow over (ψ
)}Sλ
W·
s1W=s1(λ
{right arrow over (ψ
)}S+1)W and Ê
S=s2ST·
s2W=s2Sλ
W·
s2W=s2(λ
S+1)W.
2 Assignments
0 Petitions
Accused Products
Abstract
A new efficient framework based on a Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (CCP-CABE) approach. CCP-CABE assists lightweight mobile devices and storing privacy-sensitive sensitive data into cloudbased storage by offloading major cryptography-computation overhead into the cloud without exposing data content to the cloud. CCP-CABE extends existing attribute-based data access control solutions by incorporating comparable attributes to incorporate more flexible security access control policies. CCP-CABE generates constant-size ciphertext regardless of the number of involved attributes, which is suitable for mobile devices considering their limited communication and storage capacities.
11 Citations
12 Claims
-
1. A method for encrypting data in a computer based processing system using a trust authority with a public key PK and a master key MK, the method comprising:
-
sending a request for a partially encrypted header {tilde over (H)} to the trust authority with a specified access control policy Ps; receiving a partially encrypted header computed by the trust authority, wherein the partially encrypted header {tilde over (H)} is based on the public key PK, the master key MK, and the specified access control policy Ps; encrypting data using the partially encrypted header {tilde over (H)}; wherein the data is encrypted according to the following algorithm; Encrypt(Ĥ
)→
(H, Ks);
Given the partially encrypted header, the algorithm produces the session key Ks and ciphertext H={S, C, ES , ES, ÊS , Ê
S} to cloud storage; andfurther wherein each part of H is generated as follows; 1) randomly choosing two secrets s1, s2 ∈
n,2) computing the main secret s=s1+s2 ∈
n and deriving
C=sW∈
,3) producing the session key Ks=e(G, W)α
s and using Ks to encrypt the data,4) computing E S =s1T and ES=s2T, and5) computing each of Ê S =s1{right arrow over (ψ
)}S T·
s1W=s1{right arrow over (ψ
)}S λ
W·
s1W=s1(λ
{right arrow over (ψ
)}S +1)W and Ê
S=s2ST·
s2W=s2Sλ
W·
s2W=s2(λ
S+1)W. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method of decrypting data, wherein the method comprises:
-
storing the data in a computer based processing system, wherein the data includes an encrypted header H and encrypted target data; receiving a request for access to the data, wherein the request includes a user identity; partially decrypting an encrypted header H when the user is entitled to access the data based on the user'"'"'s public key PKLU, privilege LU and access control policy Ps; sending the partially decrypted header {tilde over (H)} to the user; wherein partially decrypting the header H is performed according to the following algorithm; DecDelegate(H, PK u , u, S)→
Ĥ
;
Given the user'"'"'s public key PKu and privilege u along with the access control policy s, the algorithm outputs {right arrow over (ψ
)}S and Swhen [ν
i,j, ν
i,k]∩
[ν
i,a, ν
i,b]≠
Ø
for all Ai∈
;
({right arrow over (ψ
)}U)=({right arrow over (ψ
)}U)w U, =({right arrow over (πs
)}Π1≤ {right arrow over (w)}
i≤
mi,a )Π1≤ (
i≤
mw i,(a,k) )={right arrow over (ψ
)}S (mod n)
(Ū
)=(Ū
)w s,Ū =(Π1≤
i≤
mi,b )Π1≤ (
i≤
mw i,(j,b) )=s(mod n);where {right arrow over (w)}U, s =Π
1≤
i≤
m(w i,(a,k)) andw S,Ū
=Π
1≤
i≤
m(w i,(j,b));and further wherein the algorithm outputs {tilde over (H)}={H,{right arrow over (ψ
)}U−
{right arrow over (ψ
)}S , Ū
−
S} as the partially decrypted header. - View Dependent Claims (7, 8, 9, 10, 11, 12)
-
Specification