Search Results (130)

Threshold Attribute-based Encryption has attracted significant attention due to its growing importance in practical applications, such as distributed cloud storage or anonymous access control. In a threshold attribute-based encryption scheme, a sender can select a set of attributes and a corresponding threshold t, which is referred to as an access policy, to encrypt a message. Decryption is successful if and only if a user possesses at least t attributes from the specified attribute set. Existing threshold attribute-based encryption schemes typically consider only the setting in which a single message is encrypted under a single access policy. However, in many practical applications, more flexible encryption scenarios are needed, such as encrypting a single message under multiple access policies or encrypting multiple messages under their corresponding access policies. In this work, we first formalize the notion of threshold attribute-based encryption supporting the encryption of multiple messages under multiple access policies. We then propose the first construction of a threshold attribute-based encryption scheme based on the Key Encapsulation Mechanism paradigm that supports such functionality while achieving constant-size ciphertext. Our proposed scheme relies on bilinear pairings and is proven secure in the Generic Bilinear Group Model. As a classical pairing-based construction, it does not provide post-quantum security and is therefore unsuitable for scenarios requiring long-term confidentiality or resilience against harvest-now, decrypt-later attacks. Full article

Addressing the challenges of privacy leakage, fragmented data silos, and high computational overhead in traditional ciphertext-policy attribute-based encryption (CP-ABE) for medical data sharing, this paper proposes an improved CP-ABE framework with outsourced decryption, integrated with consortium blockchain and the InterPlanetary File System (IPFS). The framework introduces a medical-scenario-adapted CP-ABE architecture based on a lightweight FAME design, optimizing attribute key generation and transformation key design to accommodate resource-constrained medical terminals. A hybrid encryption system is employed, combining symmetric encryption for high-efficiency processing of large medical data and CP-ABE for fine-grained access control of symmetric keys. To reduce user computational burden, a proxy-assisted secure decryption architecture is implemented, where the proxy server handles most decryption tasks while ensuring resistance to malicious proxy behavior. Furthermore, the framework provides rigorous formal security verification, achieving IND-CPA security and resilience against collusion and malicious proxy attacks. Comprehensive performance evaluations demonstrate significant improvements in key generation, encryption, and decryption efficiency, offering a better balance between security and efficiency for practical medical data sharing applications. Full article

In this paper, we present a system built on Hyperledger Fabric (HLF) that leverages Confidential Computing (CC) technologies to strengthen data privacy guarantees beyond those achievable through application-level mechanisms alone. While HLF natively supports data confidentiality through Private Collections (PCs), which restrict data visibility to a subset of authorized network participants, these mechanisms do not protect data at the hardware level: a privileged or compromised hosting platform can access plaintext data in memory and on the filesystem irrespective of HLF access control policies. To address this limitation, we integrate CC into HLF by adopting Intel Software Guard Extensions (SGX) in conjunction with the Gramine framework. This integration enables the execution of HLF components—peer nodes, orderers, Chaincodes and client applications—within Trusted Execution Environments (TEEs). Furthermore, to securely grant access to selected data to a trusted third-party software (TPS) external to the blockchain network, we leverage the Remote Attestation (RA) feature provided by CC, as streamlined by Gramine and enforced on a per-request basis, ensuring that only verified enclaves (or “SGX enclaves”) with expected measurements may access private data. In addition, the Sealing mechanism is employed to persistently store cryptographic material required by HLF components on the filesystem while preserving both confidentiality and integrity. Together, PCs, RA, Sealing, and enclave-based execution establish a layered privacy guarantee: PCs enforce application-level data segregation among channel participants; RA provides measurement-based access control for an external TPS; Sealing ensures that cryptographic material and blockchain state remain encrypted on the filesystem; and enclave-based execution protects data in use through hardware-level memory encryption. The proposed system has been applied and experimentally validated in a logistics use case in the Port of Genoa: benchmarks against an experimental HLF deployment demonstrate an average 95th-percentile (p95) performance overhead of approximately 1.3× attributable to SGX memory encryption and Gramine-based enclave execution, whereas an elevated memory usage footprint (33–35 GB per organization) has been measured, mainly due to the Gramine environment: this remains an open direction for future work. Full article

With the rapid development of cloud-based data sharing technologies, enterprises and organizations tend to outsource their local data to cloud servers. They adopt searchable encryption (SE) techniques to access and search encrypted data. However, most existing SE schemes use static ranking strategies based on query–index similarity. These strategies fail to capture users’ personalized retrieval preferences and often result in suboptimal search performance. In this article, we present a privacy-preserving data sharing framework with personalized encrypted retrieval (PP-PER) that combines SE technology with federated learning. PP-PER trains user interest models locally on user devices by utilizing historical query behavior. Only encrypted model parameters are uploaded for aggregation, which avoids the centralized collection of users’ private data. In addition, we design an attention-based user query update algorithm. The learned personalized features are integrated into the ciphertext query process. This design enables personalized ranking results and improves the user retrieval experience. Furthermore, PP-PER combines matrix factorization with ciphertext-policy attribute-based encryption (CP-ABE). This mechanism ensures secure document key distribution and supports fine-grained access control. Finally, we formalize the security model under a practical threat and leakage setting and provide a theoretical analysis of the proposed scheme. Experimental results on real-world datasets further validated its practicality and effectiveness. Full article

Organizations usually rely on stringent access control mechanisms where access policies are an important asset. Their storage or transmission in plaintext can compromise sensitive access rules. It is important in dynamic environments where access decisions are made in real time such as Zero Trust (ZT). Existing ZT approaches were found to oversee the aspect of securing these policies. This investigation presents a Multi-layer Access Policy Encryption System for ZT systems (MAPE-ZT). The first stage uses the trapdoor index to generate a secure index to find the applicable access policies. Advanced Encryption Standard-256 is used in counter mode for the encryption of the policies. They are re-encrypted using the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) to allow decryption based on a matching set of attributes. Various experiments using quantitative metrics, including comparison with baseline access control systems simulation, scalability evaluation, storage overhead, etc., highlight the efficacy of the MAPE-ZT and establish new benchmarks. The result count entropy for the policies ranged 3.84–4.21 for different scales of policies. The evaluation in different scales of systems shows that the MAPE-ZT reduces various observable patterns even if the deployment size grows. Its unique design of securing policies makes this approach scalable for multi-domain integration. Full article

Attribute-based encryption (ABE) provides a robust mechanism for fine-grained access control, making it an ideal candidate for secure cloud data sharing. However, existing schemes often incur significant computational overhead, hindering their large-scale deployment, especially on resource-constrained nodes. In this work, we propose a practical ABE scheme that simultaneously simplifies access policy structures and enhances overall efficiency. By introducing a weighted access policy, our scheme achieves rich expressiveness while maintaining a compact logic structure, offering enhanced flexibility through the redefinability of attribute weights. Notably, the proposed construction is pairing-free and yields small-size ciphertexts and private keys compared to traditional tree-based models. Security analysis demonstrates that our scheme is selectively secure against chosen-ciphertext attacks. Extensive simulation results show that encryption and decryption latency is reduced to nearly 10 ms when 20 attributes are involved, which is a typical requirement in cloud data sharing scenarios. This validates the efficiency of our scheme in resource-constrained environments. Full article

In cloud computing, ciphertext-policy attribute-based encryption (CP-ABE) is widely adopted for secure data storage and flexible fine-grained access control. For collaborative scenarios involving hierarchical file structures, file hierarchy CP-ABE (FH-CPABE) schemes have been proposed. However, existing file hierarchy CP-ABE schemes rely on computationally intensive bilinear pairing operations, resulting in high overhead. To address this issue, this paper proposes ECC-FH-CPABE, a lightweight and efficient file hierarchy CP-ABE scheme based on elliptic curve cryptography (ECC). By replacing bilinear pairings with scalar multiplication on elliptic curve points, our scheme achieves superior computational efficiency while reducing communication overhead. To ensure strong security while maintaining lightweight performance, this scheme introduces ECC-based data noise to resist user collusion attacks. In addition, ECC-FH-CPABE supports cross-domain data sharing with efficient batch operations, relieving performance bottlenecks. Security analysis proves that the scheme is secure against chosen-plaintext attacks. Extensive simulation results show that ECC-FH-CPABE significantly improves both computational efficiency and communication efficiency compared to existing schemes. Full article

Due to the rapid proliferation and evolution of the Internet of Things (IoT) in industrial and smart city applications, concerns over sensitive data security have become increasingly prominent. This is especially true in resource-constrained “cloud–terminal” centralized architectures, where ensuring privacy protection for downlink data and implementing fine-grained access control have become critical. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) serves as an effective solution due to its fine-grained access control capability. Nevertheless, conventional CP-ABE approaches face notable limitations when deployed in these practical settings, including the lack of an efficient and lightweight client-side revocation mechanism, excessive decryption overhead on terminal devices, and the practical difficulty in balancing security with performance. To address these issues, this paper proposes LOR-A2ABE, a Lightweight, Outsourced, and Revocable Anonymous Attribute-Based Encryption scheme. The scheme achieves lightweight client-side revocation through partial updates by embedding version numbers and timestamps into keys and ciphertexts via hash mapping. Furthermore, it employs outsourcing to offload the majority of computations to the cloud, allowing client-side decryption with only constant, low-complexity operations, thereby significantly reducing the computational burden on resource-constrained terminals. Considering the practical context where client devices are typically resource-limited sensors or microcontrollers and downlink data often require real-time processing, our scheme adopts a practical security model optimized for IoT constraints. This model prioritizes forward security and efficient revocation—the most critical requirements for operational IoT systems—while maintaining provable security under the Decisional Linear (DLIN) assumption within a bounded collusion model, achieving IND-CPA security and anonymity. Theoretical analysis and experimental simulations show that LOR-A2ABE incurs acceptable and controllable overhead in the key issuance and encryption phases, while outperforming most existing schemes in decryption and revocation efficiency, making it particularly suitable for “cloud–terminal” centralized IoT environments where terminal devices are resource-constrained and require frequent decryption operations. Full article

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology provides fine-grained access control capabilities for P2P networks. However, its long-term development has been constrained by three major challenges: the trade-off between computational efficiency and functional completeness, decentralized trust security issues, and the problems of attribute revocation and traceability. This paper proposes a decentralized CP-ABE scheme based on multiple authorities (R-T-D-ABE). By leveraging three core techniques, including threshold distributed key generation, versioned attribute revocation, and identity-key binding verification, the scheme efficiently achieves both revocation and accountability while ensuring resistance against collusion attacks and forward/backward security. Security analysis demonstrates that the proposed scheme satisfies IND-CPA security under the Generic Group Model (GGM). Experimental results indicate that it not only guarantees efficient decentralized encryption and decryption but also realizes the dual functions of revocation and accountability, thereby providing a functionally complete and efficient access control solution for P2P networks. Full article

The Health Data Space (HDS) is a promising platform for the secure health data sharing among entities including patients and healthcare providers. However, health data is highly sensitive and critical for diagnosis, and unauthorized access or destruction by malicious users can lead to serious privacy leaks or medical negligence. Thus, robust access control, privacy preservation, and data integrity are essential for HDS. Although Ciphertext-Policy Attribute-Based Encryption (CP-ABE) supports secure sharing, it has limitations when directly applied to HDS. Many current schemes cannot simultaneously handle data integrity violations, trace and revoke malicious users, and protect against privacy leaks from plaintext access policies, with key escrow being another major risk. To overcome these issues, we put forward a Traceable and Revocable Privacy-Preserving Data Sharing (TRPPDS) scheme. Our solution uses a novel distributed CP-ABE with a large universe alongside data auditing to provide fine-grained, key-escrow-resistant access control over unbounded attributes and guarantee data integrity. It also features tracing-then-revocation and full policy hiding to thwart malicious users and protect policy privacy. Formal security analysis is presented for our proposal, with thorough performance assessment also demonstrates its feasibility in HDS. Full article

In the past, health records were primarily on paper and were essential for recording the results of patient information and treatments. The deployment of “electronic health records” (EHRs) is a new development in healthcare that enables authenticated data storage, reliability when accessing data, and the establishment of easy communication centralized across healthcare service providers. This change enhances the quality of operations for medical environment decision-making using clinical data and patient involvement. Nevertheless, ensuring the authenticity of “EHRs” is a challenging task as a result of the weaknesses of centralized systems. We, therefore, suggest the implementation of (ABE), particularly (CP-ABE) using the blockchain technique, to overcome this problem. CP-ABE maintains data confidentiality and accuracy by encrypting access policies and smart contracts, thus allowing authorized users to decrypt information based on predetermined attributes. In this way, EHRs are ensured to be unaltered as patients’ privacy is preserved, and healthcare providers are not allowed to evaluate people records without consent. The machine learning techniques (“SVM, RF and Naïve Bayes”) used with datasets like “Cleveland Heart Disease” explain the cause risk factors for speed diagnosis and for cardiac disorders. Such a system not only fortifies the security of EHRs but also provides healthcare professionals with the necessary tools to improve patient care. The use of state-of-the-art encryption methods together with predictive analytics allows healthcare providers to protect patient privacy and at the same time make healthcare delivery more efficient through the use of a clinically informed final judgment of patient and personalized wellness plans. Full article

The control instructions of industrial control systems are prone to threats such as unauthorized access and tampering during transmission and interaction, and access control is a fundamental method to protect data security. Due to the cyber-physical integration and availability constraints in industrial control systems, existing access control methods cannot be directly applied. In this paper, we propose an access control policy for control instructions based on the ciphertext policy attribute-based encryption (CP-ABE) under the availability constraints in industrial control systems. First, we analyze the abnormal behaviors of control instructions in process industrial monitoring systems, and model the attributes associated with field control business and integrate them into CP-ABE to achieve fine-grained access control and avoid non-compliant operations. Second, we adopt a trusted computing mechanism to protect the identity trustworthiness of the transmission node; the confidentiality of the transmitted control instruction is guaranteed by the negotiated symmetric key and the key authorization is realized by the CP-ABE. We further optimize the measuring frequency of the trusted measurement and the deployment policy of the access control method to guarantee business availability. Finally, we conduct formal analysis and experimental validation of the proposed method, and the results show that the proposed access control policy can prevent unauthorized access and non-compliant tampering by industrial control devices and achieve trustworthy delivery of control instructions with controlled computational complexity. Full article

With the rapid development of geological blockchains and Internet of Things-based data acquisition technologies, massive amounts of heterogeneous data are constantly emerging. However, this data is stored in a distributed manner across different organizational or business blockchains. Data sharing among multiple geological blockchains faces numerous challenges, either exposing sensitive data during verification or lacking effective authorization mechanisms. Therefore, how to achieve fine-grained access control and privacy protection across multiple blockchains has become a critical issue that must be addressed in geological data sharing. In this paper, we propose GeoCross, a cross-chain geological data sharing framework that enables fine-grained authorization management and privacy protection. First, GeoCross provides a hierarchical hybrid encryption mechanism that uses symmetric encryption for geological data protection and ciphertext-policy attribute-based encryption to enable flexible cross-chain access policies. Second, we integrate a Groth16-based zero-knowledge proof mechanism, which allows a chain to verify the existence, integrity, and accessibility of off-chain data without revealing the content. Furthermore, we introduce a Reputation-based Non-interactive Relay node Selection protocol (RNRS), which enhances the trustworthiness and fairness of cross-chain routing. Finally, we implement GeoCross in a multi-chain Hyperledger Fabric environment and evaluate its performance under real-world workloads. Results show that Groth16 verification requires only three bilinear pairings, achieving a throughput of up to 390 tps on a single chain and 1550 tps in a concurrent multi-chain environment. Even with 50% malicious nodes, the RNRS protocol still maintains a success rate of over 91%. These results demonstrate that GeoCross provides an efficient and practical solution for secure and privacy-preserving cross-chain geological data sharing. Full article

Searchable Encryption (SE) schemes enable data users to securely search over outsourced encrypted data stored in the cloud. To support fine-grained access control, Attribute-Based Encryption with Keyword Search (ABKS) extends SE by associating access policies with user attributes. However, existing ABKS schemes often suffer from limited security and functionality, such as lack of verifiability, vulnerability to collusion, and insider keyword-guessing attacks (IKGA), or inefficiency in multi-authority and post-quantum settings, restricting their practical deployment in real-world distributed systems. In this paper, we propose a verifiable ciphertext-policy multi-authority ABKS (MA-CP-ABKS) scheme based on the Module Learning with Errors (MLWE) problem, which provides post-quantum security, verifiability, and resistance to both collusion and IKGA. Moreover, the proposed scheme supports multi-keyword searchability and forward security, enabling secure and efficient keyword search in dynamic environments. We formally prove the correctness, verifiability, completeness, and security of the scheme under the MLWE assumption against selective chosen-keyword attacks (SCKA) in the standard model and IKGA in the random oracle model. The scheme also maintains efficient computation and manageable communication overhead. Implementation results confirm its practical performance, demonstrating that the proposed MA-CP-ABKS scheme offers a secure, verifiable, and efficient solution for multi-organizational cloud environments. Full article

Frequent data sharing in Vehicular Ad Hoc Networks (VANETs) necessitates a robust foundation of secure access control to ensure data security. Existing ciphertext-policy attribute-based encryption schemes are constrained by the performance bottleneck of a single attribute authority. Furthermore, although many schemes adopt outsourced decryption, the verifiability of the decryption results is not guaranteed. Therefore, this paper proposes a Symmetrically Verifiable Outsourced Decryption Data Sharing Scheme with Privacy-Preserving for VANETs (VODDS). To balance the computational overhead across multiple authorities, VODDS introduces a distributed key distribution mechanism that organizes them into groups. Within each group, the key distribution credential is generated through a Group Key Agreement, with each round secured by a Byzantine consensus mechanism to achieve a balance between security and efficiency. User identities are converted into anonymous representations via hashing for embedding into the attribute keys. Furthermore, blockchain technology is used to record a hash commitment for the verification ciphertext. This enables the user to verify the outsourced result through a smart contract, which performs a symmetrical verification by matching the user’s locally computed hash against the on-chain record. Moreover, VODDS employs a linear secret sharing scheme to achieve policy hiding. We provide security analysis under the q-parallel Bilinear Diffie–Hellman Exponent and Decisional Diffie–Hellman assumptions, which proves the security of VODDS. In addition, VODDS exhibits higher efficiency compared to related schemes in the performance evaluation. Full article