Search Results (62)

Search Parameters:
Keywords = Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

23 pages, 6270 KB  
Article
Efficient and Secure Medical Data Sharing: An Improved CP-ABE Scheme with Outsourced Decryption
by Qingqing Li, Lin Wang and Moli Zhang
Electronics 2026, 15(9), 1907; https://doi.org/10.3390/electronics15091907 - 1 May 2026
Viewed by 399
Abstract
Addressing the challenges of privacy leakage, fragmented data silos, and high computational overhead in traditional ciphertext-policy attribute-based encryption (CP-ABE) for medical data sharing, this paper proposes an improved CP-ABE framework with outsourced decryption, integrated with consortium blockchain and the InterPlanetary File System (IPFS). The framework introduces a medical-scenario-adapted CP-ABE architecture based on a lightweight FAME design, optimizing attribute key generation and transformation key design to accommodate resource-constrained medical terminals. A hybrid encryption system is employed, combining symmetric encryption for high-efficiency processing of large medical data and CP-ABE for fine-grained access control of symmetric keys. To reduce user computational burden, a proxy-assisted secure decryption architecture is implemented, where the proxy server handles most decryption tasks while ensuring resistance to malicious proxy behavior. Furthermore, the framework provides rigorous formal security verification, achieving IND-CPA security and resilience against collusion and malicious proxy attacks. Comprehensive performance evaluations demonstrate significant improvements in key generation, encryption, and decryption efficiency, offering a better balance between security and efficiency for practical medical data sharing applications.

29 pages, 2839 KB  
Article
Privacy-Preserving Data Sharing with Personalized Encrypted Retrieval
by Hongfei Song, Lianhai Wang, Shujiang Xu, Shuhui Zhang, Wei Shao and Qizheng Wang
Appl. Sci. 2026, 16(6), 2771; https://doi.org/10.3390/app16062771 - 13 Mar 2026
Viewed by 513
Abstract
With the rapid development of cloud-based data sharing technologies, enterprises and organizations tend to outsource their local data to cloud servers. They adopt searchable encryption (SE) techniques to access and search encrypted data. However, most existing SE schemes use static ranking strategies based on query–index similarity. These strategies fail to capture users’ personalized retrieval preferences and often result in suboptimal search performance. In this article, we present a privacy-preserving data sharing framework with personalized encrypted retrieval (PP-PER) that combines SE technology with federated learning. PP-PER trains user interest models locally on user devices by utilizing historical query behavior. Only encrypted model parameters are uploaded for aggregation, which avoids the centralized collection of users’ private data. In addition, we design an attention-based user query update algorithm. The learned personalized features are integrated into the ciphertext query process. This design enables personalized ranking results and improves the user retrieval experience. Furthermore, PP-PER combines matrix factorization with ciphertext-policy attribute-based encryption (CP-ABE). This mechanism ensures secure document key distribution and supports fine-grained access control. Finally, we formalize the security model under a practical threat and leakage setting and provide a theoretical analysis of the proposed scheme. Experimental results on real-world datasets further validated its practicality and effectiveness.

32 pages, 599 KB  
Article
MAPE-ZT: A Multi-Layer Access Policy Encryption System for Zero Trust Architectures
by Ashutosh Soni, Surendra Kumar Nanda, Jayanti Rout, Mrutyunjaya Sathua, Ganapati Panda and Manob Jyoti Saikia
Future Internet 2026, 18(3), 135; https://doi.org/10.3390/fi18030135 - 5 Mar 2026
Viewed by 481
Abstract
Organizations usually rely on stringent access control mechanisms where access policies are an important asset. Their storage or transmission in plaintext can compromise sensitive access rules. It is important in dynamic environments where access decisions are made in real time such as Zero Trust (ZT). Existing ZT approaches were found to oversee the aspect of securing these policies. This investigation presents a Multi-layer Access Policy Encryption System for ZT systems (MAPE-ZT). The first stage uses the trapdoor index to generate a secure index to find the applicable access policies. Advanced Encryption Standard-256 is used in counter mode for the encryption of the policies. They are re-encrypted using the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) to allow decryption based on a matching set of attributes. Various experiments using quantitative metrics, including comparison with baseline access control systems simulation, scalability evaluation, storage overhead, etc., highlight the efficacy of the MAPE-ZT and establish new benchmarks. The result count entropy for the policies ranged 3.84–4.21 for different scales of policies. The evaluation in different scales of systems shows that the MAPE-ZT reduces various observable patterns even if the deployment size grows. Its unique design of securing policies makes this approach scalable for multi-domain integration.
(This article belongs to the Collection Information Systems Security)

25 pages, 8203 KB  
Article
A Lightweight and Efficient Elliptic Curve Cryptography Based File Hierarchy Attribute-Based Encryption Scheme with Enhanced Security and Cross-Domain Data Sharing
by Yating Chen, Niansong Mei and Bo Wu
Electronics 2026, 15(4), 762; https://doi.org/10.3390/electronics15040762 - 11 Feb 2026
Viewed by 523
Abstract
In cloud computing, ciphertext-policy attribute-based encryption (CP-ABE) is widely adopted for secure data storage and flexible fine-grained access control. For collaborative scenarios involving hierarchical file structures, file hierarchy CP-ABE (FH-CPABE) schemes have been proposed. However, existing file hierarchy CP-ABE schemes rely on computationally intensive bilinear pairing operations, resulting in high overhead. To address this issue, this paper proposes ECC-FH-CPABE, a lightweight and efficient file hierarchy CP-ABE scheme based on elliptic curve cryptography (ECC). By replacing bilinear pairings with scalar multiplication on elliptic curve points, our scheme achieves superior computational efficiency while reducing communication overhead. To ensure strong security while maintaining lightweight performance, this scheme introduces ECC-based data noise to resist user collusion attacks. In addition, ECC-FH-CPABE supports cross-domain data sharing with efficient batch operations, relieving performance bottlenecks. Security analysis proves that the scheme is secure against chosen-plaintext attacks. Extensive simulation results show that ECC-FH-CPABE significantly improves both computational efficiency and communication efficiency compared to existing schemes.

24 pages, 9878 KB  
Article
LOR-A2ABE: Lightweight and Revocable Attribute-Anonymous ABE with Outsourced Decryption in Centralized IoT
by Dan Gao, Huanhuan Xu and Shuqu Qian
Symmetry 2026, 18(2), 298; https://doi.org/10.3390/sym18020298 - 6 Feb 2026
Viewed by 410
Abstract
Due to the rapid proliferation and evolution of the Internet of Things (IoT) in industrial and smart city applications, concerns over sensitive data security have become increasingly prominent. This is especially true in resource-constrained “cloud–terminal” centralized architectures, where ensuring privacy protection for downlink data and implementing fine-grained access control have become critical. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) serves as an effective solution due to its fine-grained access control capability. Nevertheless, conventional CP-ABE approaches face notable limitations when deployed in these practical settings, including the lack of an efficient and lightweight client-side revocation mechanism, excessive decryption overhead on terminal devices, and the practical difficulty in balancing security with performance. To address these issues, this paper proposes LOR-A2ABE, a Lightweight, Outsourced, and Revocable Anonymous Attribute-Based Encryption scheme. The scheme achieves lightweight client-side revocation through partial updates by embedding version numbers and timestamps into keys and ciphertexts via hash mapping. Furthermore, it employs outsourcing to offload the majority of computations to the cloud, allowing client-side decryption with only constant, low-complexity operations, thereby significantly reducing the computational burden on resource-constrained terminals. Considering the practical context where client devices are typically resource-limited sensors or microcontrollers and downlink data often require real-time processing, our scheme adopts a practical security model optimized for IoT constraints. This model prioritizes forward security and efficient revocation—the most critical requirements for operational IoT systems—while maintaining provable security under the Decisional Linear (DLIN) assumption within a bounded collusion model, achieving IND-CPA security and anonymity. Theoretical analysis and experimental simulations show that LOR-A2ABE incurs acceptable and controllable overhead in the key issuance and encryption phases, while outperforming most existing schemes in decryption and revocation efficiency, making it particularly suitable for “cloud–terminal” centralized IoT environments where terminal devices are resource-constrained and require frequent decryption operations.

20 pages, 4155 KB  
Article
Revocable and Traceable Decentralized ABE for P2P Networks
by Dan Gao, Huanhuan Xu and Shuqu Qian
Entropy 2026, 28(1), 77; https://doi.org/10.3390/e28010077 - 9 Jan 2026
Viewed by 512
Abstract
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology provides fine-grained access control capabilities for P2P networks. However, its long-term development has been constrained by three major challenges: the trade-off between computational efficiency and functional completeness, decentralized trust security issues, and the problems of attribute revocation and traceability. This paper proposes a decentralized CP-ABE scheme based on multiple authorities (R-T-D-ABE). By leveraging three core techniques, including threshold distributed key generation, versioned attribute revocation, and identity-key binding verification, the scheme efficiently achieves both revocation and accountability while ensuring resistance against collusion attacks and forward/backward security. Security analysis demonstrates that the proposed scheme satisfies IND-CPA security under the Generic Group Model (GGM). Experimental results indicate that it not only guarantees efficient decentralized encryption and decryption but also realizes the dual functions of revocation and accountability, thereby providing a functionally complete and efficient access control solution for P2P networks.
(This article belongs to the Section Complexity)

24 pages, 2559 KB  
Article
A Privacy-Preserving Data Sharing Scheme with Traceability and Revocability for Health Data Space
by Zengwen Yu, Jiawei Zhang, Baoxin You and Lin Huang
Electronics 2026, 15(1), 63; https://doi.org/10.3390/electronics15010063 - 23 Dec 2025
Cited by 1 | Viewed by 694
Abstract
The Health Data Space (HDS) is a promising platform for secure health data sharing among entities including patients and healthcare providers. However, health data is highly sensitive and critical for diagnosis, and unauthorized access or destruction by malicious users can lead to serious privacy leaks or medical negligence. Thus, robust access control, privacy preservation, and data integrity are essential for HDS. Although Ciphertext-Policy Attribute-Based Encryption (CP-ABE) supports secure sharing, it has limitations when directly applied to HDS. Many current schemes cannot simultaneously handle data integrity violations, trace and revoke malicious users, and protect against privacy leaks from plaintext access policies, with key escrow being another major risk. To overcome these issues, we put forward a Traceable and Revocable Privacy-Preserving Data Sharing (TRPPDS) scheme. Our solution uses a novel distributed CP-ABE with a large universe alongside data auditing to provide fine-grained, key-escrow-resistant access control over unbounded attributes and guarantee data integrity. It also features tracing-then-revocation and full policy hiding to thwart malicious users and protect policy privacy. Formal security analysis is presented for our proposal, and a thorough performance assessment also demonstrates its feasibility in HDS.
(This article belongs to the Special Issue Cryptography and Computer Security)

24 pages, 2035 KB  
Article
A Fine-Grained Access Control Method for Control Instructions of the Industrial Control Network
by Jingpei Wang, Ming Zhu, Kai Zhang and Xin Che
Actuators 2026, 15(1), 5; https://doi.org/10.3390/act15010005 - 21 Dec 2025
Viewed by 566
Abstract
The control instructions of industrial control systems are prone to threats such as unauthorized access and tampering during transmission and interaction, and access control is a fundamental method to protect data security. Due to the cyber-physical integration and availability constraints in industrial control systems, existing access control methods cannot be directly applied. In this paper, we propose an access control policy for control instructions based on the ciphertext policy attribute-based encryption (CP-ABE) under the availability constraints in industrial control systems. First, we analyze the abnormal behaviors of control instructions in process industrial monitoring systems, and model the attributes associated with field control business and integrate them into CP-ABE to achieve fine-grained access control and avoid non-compliant operations. Second, we adopt a trusted computing mechanism to protect the identity trustworthiness of the transmission node; the confidentiality of the transmitted control instruction is guaranteed by the negotiated symmetric key and the key authorization is realized by the CP-ABE. We further optimize the measuring frequency of the trusted measurement and the deployment policy of the access control method to guarantee business availability. Finally, we conduct formal analysis and experimental validation of the proposed method, and the results show that the proposed access control policy can prevent unauthorized access and non-compliant tampering by industrial control devices and achieve trustworthy delivery of control instructions with controlled computational complexity.
(This article belongs to the Section Control Systems)

18 pages, 405 KB  
Article
An Efficient Ciphertext-Policy Decryptable Attribute-Based Keyword Search Scheme with Dynamic Attribute Support
by Koon-Ming Chan, Swee-Huay Heng, Syh-Yuan Tan and Shing-Chiang Tan
Electronics 2025, 14(21), 4325; https://doi.org/10.3390/electronics14214325 - 4 Nov 2025
Viewed by 724
Abstract
Safeguarding data confidentiality and enforcing precise access regulation in cloud platforms continue to be major research concerns. Attribute-based encryption (ABE) offers a versatile framework for policy-driven control, whereas public key encryption with keyword search (PEKS) supports efficient querying of encrypted datasets. However, ABE lacks keyword search support, and PEKS offers limited control over access policies. To overcome these limitations, attribute-based keyword search (ABKS) schemes have been proposed, with recent advances such as ciphertext-policy decryptable ABKS (CP-DABKS) enabling secure channel-free keyword search. Nevertheless, the existing CP-DABKS schemes still face important challenges: the master public key grows linearly with the attribute universe, secure channels are often required to deliver trapdoors, and many designs remain vulnerable to keyword guessing attacks. This work introduces an efficient CP-DABKS scheme built upon a Type-3 pairing framework to directly overcome these limitations. The proposed design employs a commit-to-point mechanism that prevents linear key growth, eliminates the need for secure trapdoor transmission, and resists keyword guessing attacks. We implement and evaluate the proposed scheme using real-world data from the Enron Email dataset and demonstrate its practicality for secure and searchable cloud-based storage. We also discuss implementation considerations and outline directions for future enhancement of privacy-preserving searchable encryption systems.

16 pages, 495 KB  
Article
Compulsory Black-Box Traceable CP-ABE with Outsourcing of Computation
by Ying Hu, Huidong Qiao, Jiangchun Ren, Zhiying Wang, Junxian Li and Peng Han
Symmetry 2025, 17(9), 1539; https://doi.org/10.3390/sym17091539 - 15 Sep 2025
Viewed by 941
Abstract
As an asymmetric encryption method capable of performing one-to-many encryption, the ciphertext-policy attribute-based encryption (CP-ABE) is widely recognized as an ideal cryptographic tool for cloud-based applications. It can empower data owners to independently and flexibly define and enforce access control policies for cloud-stored data. However, the practical implementation of CP-ABE-based cryptographic access control remains hindered by critical challenges. Firstly, malicious users may engage in key abuse by delegating attribute keys to unauthorized parties or exploiting their keys to construct decryption black-boxes for providing illegal decryption services. Consequently, a secure CP-ABE scheme must incorporate the capability to trace such malicious users who misuse their privileges. Secondly, for resource-constrained IoT devices, the substantial computational overhead of CP-ABE becomes prohibitive, making its deployment in scenarios like IoT-cloud services particularly challenging. In this paper, we propose a new CP-ABE scheme with black-box traceability and computational outsourcing capabilities. Our scheme can improve the tracing efficiency from $O(N^3)$ or $O(r \log N)$ (as seen in traditional schemes) to $O(1)$, where $N$ is the number of system users. Furthermore, the proposed scheme features compulsory traceability and maintains outstanding performance in the aspects of encryption, decryption, and tracing operations.
(This article belongs to the Special Issue Symmetry and Asymmetry in Information Security and Network Security)

33 pages, 8285 KB  
Article
TrustShare: Secure and Trusted Blockchain Framework for Threat Intelligence Sharing
by Hisham Ali, William J. Buchanan, Jawad Ahmad, Marwan Abubakar, Muhammad Shahbaz Khan and Isam Wadhaj
Future Internet 2025, 17(7), 289; https://doi.org/10.3390/fi17070289 - 27 Jun 2025
Cited by 8 | Viewed by 2311
Abstract
We introduce TrustShare, a novel blockchain-based framework designed to enable secure, privacy-preserving, and trust-aware cyber threat intelligence (CTI) sharing across organizational boundaries. Leveraging Hyperledger Fabric, the architecture supports fine-grained access control and immutability through smart contract-enforced trust policies. The system combines Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with temporal, spatial, and controlled revelation constraints to grant data owners precise control over shared intelligence. To ensure scalable decentralized storage, encrypted CTI is distributed via the IPFS, with blockchain-anchored references ensuring verifiability and traceability. Using STIX for structuring and TAXII for exchange, the framework complies with the GDPR requirements, embedding revocation and the right to be forgotten through certificate authorities. The experimental validation demonstrates that TrustShare achieves low-latency retrieval, efficient encryption performance, and robust scalability in containerized deployments. By unifying decentralized technologies with cryptographic enforcement and regulatory compliance, TrustShare sets a foundation for the next generation of sovereign and trustworthy threat intelligence collaboration.
(This article belongs to the Special Issue Distributed Machine Learning and Federated Edge Computing for IoT)

23 pages, 2410 KB  
Article
A Decentralised Multi-Authority Attribute-Based Encryption for Secure and Scalable IoT Access Control
by Chung-Yen Wu, Kuo-Hsuan Huang and Chih-Yao Hsu
Appl. Sci. 2025, 15(7), 3890; https://doi.org/10.3390/app15073890 - 2 Apr 2025
Cited by 7 | Viewed by 2568
Abstract
This study presents a decentralised ciphertext-policy attribute-based encryption (CP-ABE) scheme designed for secure and efficient access control in resource-constrained Internet-of-Things (IoT) environments. By utilising multi-authority architecture and outsourced computation, the scheme enhances scalability, simplifies key management by eliminating reliance on a certificate authority (CA), and ensures data confidentiality through randomised proxy keys. It is particularly suited for multi-scenario IoT applications involving information sharing, such as smart cities or industrial automation in strategic alliances or conglomerates. Demonstrating security against chosen-plaintext attacks under the decisional bilinear Diffie–Hellman assumption, the scheme offers a practical and scalable solution for decentralised access control.

19 pages, 1823 KB  
Article
A Secure and Efficient Access-Control Scheme Based on Blockchain and CP-ABE for UAV Swarm
by Pengbin Han, Aina Sui and Jiang Wu
Drones 2025, 9(2), 148; https://doi.org/10.3390/drones9020148 - 18 Feb 2025
Cited by 5 | Viewed by 2384
Abstract
With the continuous development of UAV technology, the application of UAV swarm has gradually become the focus of research all over the world. Although UAV swarm provides some advantages in terms of autonomous collaboration, the traditional UAV management technology suffers from security challenges, including the risk of single points of failure due to centralized control, which makes UAV swarm susceptible to hacker attacks. Due to some advantages of blockchain, such as decentralization, tamper-proof characteristics, and traceability, it is applied to the drone swarm to solve some security challenges brought about by centralized management. However, blockchain cannot achieve secure access control on the data it stores, which may leak some crucial data. Therefore, a secure and efficient access-control model based on blockchain and ciphertext-policy attribute-based encryption (CP-ABE) is proposed, and a secure data-access scheme is designed under this model, which can not only prevent the leakage of critical data but also realize lightweight access control. Moreover, to improve the decryption efficiency of the data user, an outsourcing-based data decryption scheme is also studied, in which the complex calculations are completed by the data user agency. The experiments show that when the number of attributes is 60, the computation cost of the proposed scheme is 0.404 s, which is much lower than the existing research, and is more suitable for the UAV swarm with limited computing power. Moreover, the communication cost of the proposed scheme is reduced by about 30% compared with the existing scheme under the same conditions. The security analysis also shows that the proposed scheme is secure and reliable, and can resist a variety of attacks such as collusion attacks, man-in-the-middle attacks, and forgery attacks.

25 pages, 7932 KB  
Article
An Efficient Traceable and Revocable Access Control Scheme for Smart Grids
by Ye Lu, Hao Wang and Xiaomei Jin
Symmetry 2025, 17(2), 294; https://doi.org/10.3390/sym17020294 - 14 Feb 2025
Cited by 2 | Viewed by 1431
Abstract
In smart grids, power monitoring equipment produces large volumes of data that are exchanged between microgrids and the main grid. This data exchange can potentially expose users’ private information, including their living habits and economic status. Therefore, implementing secure and effective data access control mechanisms is crucial. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a widely used encryption scheme in distributed systems, offering fine-grained access control. However, in CP-ABE systems, malicious users might leak decryption keys to third parties, creating a significant security threat. Thus, there is an urgent need for tracing mechanisms to identify and track these malicious users. Moreover, tracing and user revocation are complementary processes. Although using a binary tree for user revocation is efficient, it limits the number of users. This paper suggests an access control scheme that combines CP-ABE with blockchain to overcome these limitations, leveraging blockchain’s tamper-resistant features. This scheme enables user revocation, tracing, partial policy hiding, and ciphertext searchability, and it has been proven secure. Simulation results show that our approach reduces time overhead by 24% to 68%, compared to other solutions. While some solutions are similar in efficiency to ours, our approach offers more comprehensive functionality and better meets the security requirements of smart grids.
(This article belongs to the Section Computer)

21 pages, 2457 KB  
Article
Blockchain-Assisted Verifiable and Multi-User Fuzzy Search Encryption Scheme
by Xixi Yan, Pengyu Cheng, Yongli Tang and Jing Zhang
Appl. Sci. 2024, 14(24), 11740; https://doi.org/10.3390/app142411740 - 16 Dec 2024
Cited by 2 | Viewed by 1650
Abstract
Searchable encryption (SE) allows users to efficiently retrieve data from encrypted cloud data, but most of the existing SE solutions only support precise keyword search. Fuzzy searchable encryption agrees with practical situations well in the cloud environment, as search keywords that are misspelled to some extent can still generate search trapdoors that are as effective as correct keywords. In scenarios where multiple users can search for ciphertext, most fuzzy searchable encryption schemes ignore the security issues associated with malicious cloud services and are inflexible in multi-user scenarios. For example, in medical application scenarios where malicious cloud servers may exist, diverse types of files need to correspond to doctors in the corresponding departments, and there is a lack of fine-grained access control for sharing decryption keys for different types of files. In the application of medical cloud storage, malicious cloud servers may return incorrect ciphertext files. Since diverse types of files need to be guaranteed to be accessible by doctors in the corresponding departments, sharing decryption keys with the corresponding doctors for different types of files is an issue. To solve these problems, a verifiable fuzzy searchable encryption with blockchain-assisted multi-user scenarios is proposed. Locality-sensitive hashing and bloom filters are used to realize multi-keyword fuzzy search, and the bigram segmentation algorithm is optimized for keyword conversion to improve search accuracy. To realize fine-grained access control in multi-user scenarios, ciphertext-policy attribute-based encryption (CP-ABE) is used to distribute the shared keys. In response to the possibility of malicious servers tampering with or falsifying users’ search results, the scheme leverages the blockchain’s technical features of decentralization, non-tamperability, and traceability, and uses smart contracts as a trusted third party to carry out the search work, which not only prevents keyword-guessing attacks within the cloud server, but also solves the verification work of search results. The security analysis leads to the conclusion that the scheme is secure under the adaptively chosen-keyword attack.