An Improved Ciphertext-Policy Attribute-Based Encryption Scheme in Power Cloud Access Control

Abstract

In power cloud environment, the existing Ciphertext-Policy Attribute-Based Encryption (CP-ABE) access control schemes, do not consider the generation of access structure and the existence of malicious users. To tackle these problems, a power cloud access control (PCAC) scheme is proposed, which improves the traditional CP-ABE access control model. Considering the heavy time consumption of CP-ABE, PCAC encrypts the symmetric key, instead of the raw data. PCAC combines the access tree and linear secret-sharing scheme (LSSS) to achieve the automatic generation and efficient operation of access structure. Additionally, an action audit phase, based on zero-knowledge verification was designed to defend against malicious users. The experiments proved that PCAC meets the requirement of fine-grained access control, in a power cloud. Compared with existing CP-ABE schemes, the PCAC scheme reduced about half of the time consumption, in the action audit phase and costs about one-third the time, in the data obtainment stage.

1. Introduction

With the fast development of cloud computing, it is economic for individuals and companies to save their data in cloud. However, the safety of outsourced data, in cloud storage, has always been a big issue. Power cloud contains a large number of users with complex system structure and different data security requirements, which needs an automatic, fine-gained access control scheme. National Institute of Standards and Technology (NIST) specifies the role-based access control (RBAC) requirements for a smart grid access control [1]. In this study, we focus on the attribute-based access control (ABAC), which is more fine-gained than RBAC.

CP-ABE is an ABAC scheme and was first proposed by Beyhencourt [2], who defined the basic algorithms. In the model of CP-ABE, the ciphertext corresponds to access structure, while the key corresponds to the attribute set. If, and only if, the user’s attribute set satisfies the access structure, the user can decrypt the data. This scheme can meet the fine-grained access control requirement of power clouds, but it is difficult to meet the security requirement. The recent research on CP-ABE focuses on the improvement of access structures [3,4,5,6,7,8,9,10] and the generation and distribution of the secret key [11,12,13,14,15,16,17,18,19]. Li [3] combined the access tree with an Ordered Binary Decision Diagram, and employed a Boolean function in the leaf node, to finish the generation of the secret key and the attribute-based encryption, with less time complexity, which reduced the computing cost. Wang [4] proposed a hierarchical access structure which was based on access trees, in order to save the storage space of the access tree. However, this scheme only achieved the deduplication of access structures, rather than improve the structure of access tree. Xue [5] solved the problem of a single-point performance bottleneck and the security problem of multi-agency access control. In their scheme, the verification of the attribute set, and the access structure was shared by multiple semi-trusted third-part attribute authorities. They refined the steps of the generation and distribution of the secret key, confirmed, and traced malicious users by monitoring the key generation and the distribution process. Wang [6] improved the key generation phase and proposed a new scheme in which he changed the traditional single authority model. In this model he introduced the multi-agency idea where different agencies managed different trapdoors. Users could obtain the shared secret key from multiple agencies, so it can protect the user’s identifier and attribute set, to achieve the purpose of privacy protection. Alrawais [7] applied a subset difference algorithm in the environment of fog computing, which is similar to cloud computing, in order to update the access tree after the attribute is revoked. Xue [8] proposed the generation and management of the sub-attributes with 0-encoding and 1-encoding, in order to achieve the attribute comparison. Zhang [9] proposed a secure scheme which achieve revocation and traceability requirement with the use of a subset cover algorithm. Zhou [10] proposed a Privacy Preserving Constant CP-ABE (PPC-CP-ABE) scheme that reduces the ciphertext to a constant size with any given number of attributes. PPCCP-ABE applies a hidden policy construction so that the recipients’ privacy is preserved efficiently.

Many improvements have been made in key generation and distribution processes [11,12,13,14,15,16,17,18,19]. Yan [11] proposed a scheme based on trust evaluated by the data owner or reputations generated by a number of reputation centers through the CP-ABE and Proxy Re-Encryption. Waters [12] and Balu [19] proposed a new way using the linear secret-sharing scheme (LSSS). They described a specific access structure by constructing an LSSS matrix from which the secret key was generated. Only when all the attribute sets satisfy the requirement of the trap doors, the secret key can be generated correctly. Calculations of this scheme is simplified with the matrix operation. Han [13] proposed a privacy-preserving decentralized CP-ABE (PPDCP-ABE) to reduce the trust on the central authority and protect the users’ privacy. Each authority can work independently without any collaboration to initial the system and issue secret keys to users. Users can obtain secret keys from multiple authorities without them knowing anything about himself/herself. Since CP-ABE uses a long-key and computational time for the encryption, and the decryption algorithm increases with the grow of attributes number, Guo [14] made improvements in the encryption algorithm. The algorithm they designed is independent of the number of attributes and the minimum secret key length. It is shortened to 672 bits, which greatly reduced the time for decryption. Lin [15] proposed a collaborative key management protocol in CP-ABE to realize the distributed generation, issue, and storage of private keys, without adding any extra infrastructure. Experiments prove that Lin’s scheme has better performance in mobile devices. Ning [16] proposed an auditable σ-time outsourced CP-ABE, which provides σ-time fine-grained access control and audits the correctness of the operation. Liu [17] proposed a fine-grained two-factor authentication (2FA) access control system for web-based cloud computing services. The cloud server has no idea on the exact identity of the user, to protect the user’s privacy. Li [18] proposed a new scheme called outsourcing attribute-based encryption with keywords search function(KSF-OABE).Cloud service privader perform search encrypted keywords instead of the keywords embedded in trapdoor.

However, the existing CP-ABE schemes have not considered the security issue of the data source and the generation of the access structure. On one hand, the data sources in power cloud are not only collectors but also sensors which cannot judge who has access to the data, so there should be an administrator to generate the access structure. If an agent is responsible for generating the access structure, it is difficult to adapt to the high-frequency data storage, and the administrator may make some mistakes. If an entity undertakes the task of a human administrator, some security issues may be discovered. On the other hand, there may be malicious users on both data source-side and user-side, who could make the power cloud create a wrong access structure, by forging or tampering identification. In order to meet the high-frequency data storage requirements of the power cloud and prevent possible attacks, the access control scheme must contain both the data collection stage and the data obtainment stage.

This paper proposes a Power Cloud Access Control (PCAC) scheme. PCAC improves the traditional CP-ABE system model, including outsourcing the generation of access structures and the verification of attribute sets to a third party, to reduce the computational complexity. Considering the heavy computation overhead in an access tree, PCAC generates an access structure with the access tree, and shares a secret key with the LSSS. In addition, our scheme achieves the action auditing of users and data sources. In previous research studies, private keys did not work for the decryption process, therefore, authentication is a must to protect data saved in the power cloud. The user’s and the data source’s action is audited with zero-knowledge proofs, which prevents malicious users from attacking the system from both the source side and the user side. The contribution of this paper can be summarized as follows:

(1)

A power cloud access control scheme based on a CP-ABE has been proposed. Considering the generation of the access structure and the heavy computation required for an access tree, PCAC achieves the automatic generation of access structures and effective sharing of the secret key.

(2)

In order to resist possible attacks that could come from the data source side and the user side, an action audit phase has been designed, in which the user’s identity is verified without obtaining the user’s private key.

(3)

The data confidentiality and the operation efficiency of our PCAC scheme have been analyzed with theory and experiments. The experiments show that our scheme satisfies the requirement of fine-grained access control.

The rest of this paper are organized as follow: In Section 2, some definitions in CP-ABE are presented. In Section 3, we build a system model of the program and make some security assumptions about the agencies in the model. In Section 4, the phases designed in the paper are described in detail. In Section 5, the security analysis and efficiency analysis of our PCAC scheme are given with theory. In Section 6, our scheme is compared with Waters’ scheme [12] and the Robust and Auditable Access Control (RAAC) [5] scheme to test the time consumption and storage consumption of PCAC. Finally, in Section 7, we summarize the work of this paper.

2. Preliminaries and Definitions

2.1. Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

CP-ABE, first proposed by Beyhencourt, is an access control scheme wildly used in cloud storage. It mainly contains four algorithms:

$\mathbf{Setup}\mathbf{\to }\mathbf{(}\mathbf{PK}\mathbf{,}\mathbf{MSK}\mathbf{)}$: This algorithm is run by the authority in the system, to generate the system public key (PK) and the master secret key (MSK), with the system parameters.

$\mathbf{Encrypt}\mathbf{(}\mathbf{M}\mathbf{,}\mathbf{T}\mathbf{,}\mathbf{PK}\mathbf{)}\mathbf{\to }\mathbf{CT}$: This algorithm is executed by the owner of the data. The message M is encrypted by the system public key PK and the access structure T.

$\mathbf{Key}\mathbf{\_}\mathbf{Gen}\mathbf{(}\mathbf{MSK}\mathbf{,}\mathbf{S}\mathbf{)}\mathbf{\to }\mathbf{SK}$: This algorithm is performed by the authority, to generate the secret key SK through the user’s attribute set S and the master secret key MSK.

$\mathbf{Decrypt}\mathbf{(}\mathbf{CT}\mathbf{,}\mathbf{SK}\mathbf{)}\mathbf{\to }{\mathbf{M}}^{\mathbf{\prime }}$: This algorithm is executed by the user, to decrypt the ciphertext CT by the secret key SK, and recover the message M’.

2.2. Attributes and Access Structures

Our access structure is similar to Waters [12]. Let $P=\{P_1,P_2,\cdots ,P_n\}$ be a set of parties. A collection $\mathbb{A}\subseteq 2^{{\{P}_1,P_2,\cdots ,P_n\}}$ is monotone if $\forall \mathrm{B},\mathrm{C}$: if $\mathrm{B}\in \mathrm{A}$ and $\mathrm{B}\subseteq \mathrm{C}$ then $\mathrm{C}\in \mathbb{A}$. An access structure (monotone access structure) is a collection (monotone collection) $\mathbb{A}$ of non-empty subsets of $\{P_1,P_2,\cdots ,P_n\}$, i.e., $\mathbb{A}\subseteq 2^{\left\{P_1,P_2,\cdots ,P_n\right\}}\backslash \{\varphi \}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In our PCAC scheme, the role of the parties is taken by the attributes. Different from most access control scheme, the access structure adopted in this paper is composed of two parts, one is the static general access structure, denoted as T₁, and the other is the dynamic restrictive access structure, denoted as T₂, while the final access structure is ${T=T}_1\mathit{and}{T}_2$. A detailed description will be given in Section 4.

2.3. Bilinear Pairing

Let $\mathbb{G}$ and ${\mathbb{G}}_{\mathrm{T}}$ be two multiplicative cyclic groups of prime order p. let g be a generator of $\mathbb{G}$ and e be a bilinear map, $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$. The bilinear map e has the follow properties:

• Bilinearity: for all $u,v\in \mathbb{G}$ and $\mathrm{a},\mathrm{b}\in {\mathrm{Z}}_{\mathrm{p}}$, we have ${e(u,v)}^{\mathrm{ab}}={e(u,v)}^{\mathrm{ab}}$.
• Non-degeneracy: $e(g,g)\ne 1$.
• Computability: to compute the pairing e is efficient.

2.4. Linear Secret-Sharing Schemes

A secret-sharing scheme II over a set of parties P is called linear (over ${\mathbb{Z}}_p$) if:

(1) 

The shares for each party form a vector over${\mathbb{Z}}_p$.

(2) 

There exists a matrix M with l rows and n columns called the sharing-generating matrix for II. For all $i=1,2,\cdots ,l$, the i’th row of M, we let the function $\rho$ define the party labeling row i as $\rho \left(i\right)$. When we consider the column vector $v=(s,r_2,\cdots {,r}_n)$, where $s\in {\mathbb{Z}}_p$ is the secret to be shared, and $r_2,\cdots {,r}_n\in {\mathbb{Z}}_p$ are randomly chosen, then $M·v$ is the vector of l shares of the secret s according to II. The share ${(M·v)}_i$ belongs to party $\rho \left(i\right)$.

Every linear secret-sharing scheme based on the above definition enjoys the linear reconstruction property, defined as follow: Suppose that II is an LSSS for access structure $\mathbb{A}$. Let $S\in \mathbb{A}$ be any authorized set, and let $i\subset \{1,2,\cdots ,l\}$ be defined as $I=\{i:\rho (i)\in S\}$. Then, there exist constants ${\left\{w_i\in {\mathbb{Z}}_p\right\}}_{i\in I}$, if $\left\{{\lambda }_i\right\}$ are valid shares of any secret s according to II, then ${{\displaystyle \sum }}_{i\in I}{w}_i{\lambda }_i=s$. These constants $\left\{w_i\right\}$ can be found in a time polynomial, in the size of the share-generating matrix M.

2.5. Access Tree Structure

The access tree is used to describe an access structure. Each leaf node in the tree represents an attribute. Each non-leaf node represents a relational function. The relational function can be AND (n of n), OR (1 of n), n of m (m > n) threshold, and so on. As can be seen in Figure 1.

Our PCAC scheme achieves secret-sharing about “AND” door and “OR” door, where “AND” door is expressed as (n, n), and “OR” door is expressed as (1, n). Our scheme needs to achieve the transformation from the access tree structure to the LSSS sharing-generating matrix, and this step will be given in Section 4.

3. Our Proposed Scheme Model

3.1. System Model

Our PCAC scheme builds the system model which is shown in Figure 2. The model contains a total of five agencies: Power Cloud (PC), Central Key Authority (CKA), Key Share (KS), Data Source (DS), and User (U).

PC: PC provides storage service to DSs and Us. A great deal of raw data is saved in the PC which needs fine-grained access control, like power transmission data, electricity data, account information, etc. PC is also an authority of the system. However, PC is not fully trusted, because there is a risk of being attacked. Therefore, the PC stores the ciphertext C_T of all collected data. PC also needs to save some of the ciphertext of the symmetric key k, which is distributed by CKA. PC is responsible for managing and coordinating the work of all agencies. When the system is initializing, the PC selects the system parameters k’. k’ is used to generate the attribute sets S and the pair of public key and private key (Pk, Sk), for each agency. The encrypt and decrypt algorithms are also constructed by these parameters. When the secret key SK is generated, PC needs to audit the user’s action and prevent our system from giving access to malicious users.

CKA: CKA is responsible for the distribution and coordination of KSs’ tasks. CKA shares the computation overhead of PC. CKA also stores the users’ attribute sets and DSs’ static general access structure which has been generated when PC initializes the system. When uploading the data, CKA is responsible for generating the LSSS sharing matrix M_LSSS through the access tree, and distributing the ciphertext CT to KSs, according to some policies. The ciphertext is part of the secret key SK and it will work in a decrypt algorithm, which is executed by U. During the user’s action audit phase, CKA needs to interact with the user and send the result to the PC for audit. If the audit is successful, CKA will generate secret key SK and send it to the user.

KS: KS is responsible for storing a part of the ciphertext CT assigned by CKA, in order to prevent PC from being attacked and revealing all CT. For an access structure, there are multiple KSs involved in key sharing. Every KS does not know the other KSs who take part in the same access structure, and the data the KS saved does not contain other KSs’ information. U cannot communicate with KSs directly. Only CKA is accessible to the data saved in KSs.

U: U is user of power cloud service, and U can’t upload the data to PC. Each U has his/her own attribute set, and CKA will determine whether the user has the file access with it. When a U enters the system, the PC distributes a specific public-private key pair (Pk_U, Sk_U) to U, for identity verification, key generation, and file decryption. The request for data requires to be verified twice (attribute set verification led by CKA and action auditing performed by the PC). If U does not pass these verifications at the same time, U will not be able to gain access to the file.

DS: DSs are collectors of data. In the power cloud, the DSs may be smart meters, cameras, and other electronic equipment or some collectors. All the data C_T saved in PC comes from DSs, but DSs can’t download data from the PC. The PC distributes an identity DS_id to each DS when the system is initialized. DS’s action should be verified to prevent any attack which comes from the DS’s side.

3.2. Security Assumption

In our PCAC scheme, the following assumptions are built: The network in a smart grid is a local area network with perfect security architecture, so the communication network is safe. PC, CKA, and KSs are always online after the system is initialized, and the determined system parameters do not change while the system is running. PC is the administrator in the system, managing and supervising the operation of the system. All the data stored in the PC comes from the DS, and all Us can obtain the ciphertext of the data in the way defined by the system. Our scheme assumes that CKA is “honest-and-curious”, which means that CKA will properly execute the task assigned to it, by following the rules. But CKA may be tricked by malicious users from either DS or U, so it is not fully trusted. Therefore, the PC is required to audit the action of DS and U to verify the identification of DS and U. Our PCAC scheme assumes that DS can only encrypt the data with a symmetric encryption algorithm, the data itself is secure, and there is no security risk. During the generation and validation of access structures, CKA is the distributor and collector of tasks and does not modify the data. Therefore, CKA can correctly reflect the operation of U and DS.

In PCAC model, there is a risk that a malicious user may attack while DSs upload data or Us request data. When DS uploads data, DS should send its public key to show its identification. However, a large number of smart meters are outdoor, and lack strong supervision. These meters’ parameters may be modified with other DS’s public key which is open to every agency. As a result, CKA will generate incorrect access structure, and the data has a risk of being revealed. Therefore, the attacker can download the data with his attribute sets. On the other hand, there also exists risk on the user side. When U requests data, he is asked to send his public key to show his identification. However, an attacker may send another user’s public key to forge identification and get access to the data.

4. Our Proposed PCAC Scheme

4.1. Overview

Our paper proposes an automatic, fast, and effective access control model both in the data collection stage and the data obtainment stage. The flow chart of access control is shown in Figure 3. DS encrypts the collected data with symmetric encryption algorithm, and sends the ciphertext to PC for storage, while the symmetric key is sent to CKA for encryption in the encrypt phase. Since attribute-based encryption consumes a large amount of time, this encrypt phase reduces the computational burden by encrypting the symmetric key instead of the full file. CKA will distinguish each DS by the proof of identification, and then construct an interaction to generate evidence for an action audit, which will be executed by the PC. After the audit, CKA will generate the corresponding access structure, and exchange the access structure into the LSSS-shared matrix for an easy operation. When passing the audit, CKA will generate the DS’s access structure and transform the access structure into the sharing-generating matrix, which is easy to calculate. After that, CKA will execute the encrypt algorithm and distribute the ciphertext to KSs and PC. This marks the end of the data collection stage. If U wants to get the data saved in PC, U needs to send his/her own identification proof to CKA, and CKA will find the attribute set of U and verify it with access structure. After passing the verification, CKA will construct an interaction to generate evidence for action audit, which is like the data collection stage. After the audit is passed, CKA will communicate with the KSs and the PC to obtain the secret key and send it to U. The ciphertext of the data saved in PC is accessible to every U. This marks the end of the data obtainment stage.

4.2. Detail Procedures in PCAC

4.2.1. Init Phase

Init: The initialization phase of the system is executed by PC, where the public key PK and the master secret key MSK are obtained through the system parameter k’. Firstly, the PC determines a large prime p by the system parameter k’. Then, it chooses two linear groups $G_0$ and $G_T$, with prime order p and g as the generator of the linear group $G_0$. Then, a pairing is chosen, $\hat{e}:G_0\times G_0\to G_T$, and a collection of attributes is defined, $S=\{s_1,s_2,\cdots ,s_m\}\in Z_p$, where all attributes existing in the system are contained by S. A unique public key is chosen $\{{Sn}_1,{Sn}_2,\cdots ,{Sn}_n\}\in G_0$ for each KS, which is used in secret-sharing. Finally, the PC chooses $\alpha ,\beta \in Z_p$, randomly, to generate the PK and MSK. PK is:

$$\mathit{PK}=\{G_T,G_0{,g,g}^{\beta }{,e(g,g)}^{\alpha }{,S,Sn}_1{,Sn}_2,\cdots {,Sn}_n\}$$

And MSK is:

$$\mathit{MSK}=\{\alpha ,\beta \}$$

All agencies in the system can get the PK, but the MSK needs to be kept confidential to the other agencies in the system.

In the initialization phase, in order to distinguish between the different DSs, the PC needs to send a pair of public key and private key ${(\mathit{Pk}}_{\mathit{DS}}{,\mathit{Sk}}_{\mathit{DS}})$ to each DS. PC randomly chooses ${\mathit{DS}}_{\mathit{id}}\in Z_p$ as the identification of DS, and ${\mathit{Pk}}_{\mathit{DS}}=g^{{\mathit{DS}}_{\mathit{id}}},\mathit{Sk}={\mathit{DS}}_{\mathit{id}}$. All agencies in the PCAC model can achieve the DS’s public key, and DS’s private key is only owned by the DS itself, which is used to verify the DS’s identity. Like DS, for each U, the PC generates a pair of public key and private key $({\mathit{Pk}}_U{,\mathit{Sk}}_U)$, and ${\mathit{Pk}}_U{=g}^{U_{\mathit{id}}}{,\mathit{Sk}=U}_{\mathit{id}}$, where $U_{\mathit{id}}\in Z_p$ is randomly chosen. In general, during initialization phase, all DSs and Us can obtain a pair of public key and private key $(\mathit{Pk},\mathit{Sk})$ from the PC, and the proof of identification of every DS and U is ${\mathit{Pro}=g}^{\mathit{id}}$.

4.2.2. Data Collection Stage

Data collection stage shows the flow when the DS uploads the collected data to the PC. There are three phases. First of all, DS,s identity should be audited by the PC. And then, the CKA generates the access structure for the data. At last, the collected data is encrypted with a symmetric encryption and the symmetric key is encrypted with CP-ABE.

Act_Audit: An action audit phase in the data collection stage is executed by three parties, the CKA, the DS, and the PC. CKA may be cheated with other DS’s identity information. Our action audit phase is aimed to ensure that the DS catches the private key associated with the identification that he/she has sent to the CKA. Different from the RAAC scheme [5], the phase in our PCAC scheme is executed before the Gen_key phase. If the audit fails, Gen_key phase is not executed and the computation overhead is reduced. Since the DS’s private key must be kept absolutely secret, our action audit phase proves the identity of the DS with zero-knowledge proof, protecting the privacy of the DS. This phase is based on the chameleon hash, and a specific interaction is designed between the CKA and the DS. First of all, when the DS uploads data, Pro needs to be uploaded to show its identification. In addition, DS also needs to select a random number $r\in Z_p$ and upload ${R=g}^r$ to the CKA. So the message that the DS needs to send to the CKA, when the data is uploaded, is $\{k,\mathit{Pro},R\}$ (k is a symmetric key chosen by DS, which is used in the encrypt phase). Then, the CKA randomly chooses $r^{\prime }$ and sends it to the DS. DS gets $r^{\prime }$ and calculates $m=\frac{r-r^{\prime }}{{\mathit{DS}}_{\mathit{id}}}$. Since r is a random number for CKA (as it is hard to discover r with g^r), DS_id can be kept secret with r. DS generates the time stamp TS and sends a message, which contains m and TS, to CKA. CKA sends an audit message $\mathit{AM}=\{\mathit{Pro},R,m,\mathit{TS},r^{\prime }\}$ to the PC for audit. The PC may set a transmission delay threshold $\Delta \mathit{TS}$. Upon receiving AM sent by the CKA, the PC first determines whether the transmission delay is within this threshold. Suppose the time that PC receives AM is ${\mathit{TS}}^{\prime }$. If ${\mathit{TS}}^{\prime }-\mathit{TS}>\Delta \mathit{TS}$, PC will send CKA a REJ audit results. This means there may be some trouble with this DS, and it requires an overhaul. In addition, the audit is operated according to Equation (1):

$$e(g^m,Pro)=e(R/g^{r^{\prime }},g)$$

(1)

If the audit is passed, it means that DS catches the identification associated to itself. And then, the CKA generates the access structure for the DS.

Gen_Stru: In this phase, there are two tasks: generate the access tree and convert access tree to LSSS-sharing matrix.

The access structure generation phase generates a specific access structure based on the DS’s ID and is executed by CKA. The static general access structure T₁ and the dynamic restrictive access structure T₂ are stored in the CKA, in the form of access trees. As the data’s access structure may change according to different situations, the access structure is divided into two parts T₁ and T₂. T₁ is static access structure that gives the limitation, which should be met in all situations. It means that any U with attribute sets that do not satisfy T₁ can’t get access to the data, at all times. T₁ should be saved in the CKA, in advance, and does not change when the system is running. T₂ does change in different situations, it further restricts the attribute set. When T₂ changes, there should be a time limit {Time₁,Time₂|Time₁ < Time₂}, and it means that when Time₁ < Time < Time₂, the T₂ changes. The access tree should combine the T₁’s limitations and T₂’s, so T = T₁ and T₂.

After the access tree is generated, it is converted to an LSSS-sharing matrix. Every attribute a can be denoted as $M_a\in Z^{1\times 1}$, and $M_a=\left[1\right]$. Every access structure A_i can be denoted as a matrix $M_i\in Z^{d_i\times e_i}$. C_i is denoted as the first column of M_i; R_i is denoted as all other columns of M_i. To handle access structures with “OR” door, denoted as A_c = A_b∨A_c, the generated matrix M_c is denoted as Equation (2):

$${\mathrm{M}}_{\mathrm{c}}=\begin{array}{c}\begin{array}{ccc}{\mathrm{C}}_{\mathrm{a}}& {\mathrm{R}}_{\mathrm{a}}& 0\end{array}\\ \begin{array}{ccc}{\mathrm{C}}_{\mathrm{b}}& 0& {\mathrm{R}}_{\mathrm{b}}\end{array}\end{array}$$

(2)

To handle access structure with “AND” door, denoted as A_c = A_b ∧ A_c, the generated matrix M_c is denoted as Equation (3):

$${\mathrm{M}}_{\mathrm{c}}=\begin{array}{c}\begin{array}{cccc}{\mathrm{C}}_{\mathrm{a}}& {\mathrm{C}}_{\mathrm{a}}& {\mathrm{R}}_{\mathrm{a}}& 0\end{array}\\ \begin{array}{cccc}0& {\mathrm{C}}_{\mathrm{b}}& 0& {\mathrm{R}}_{\mathrm{b}}\end{array}\end{array}$$

(3)

Therefore, in an LSSS share-generating matrix $M_{\mathit{LSSS}}$ with $l\times n$, the number of specific attributes associated with the access structure, is l and n is a value related to the trapped function-parameters. Each row of M_LSSS is associated with every attribute in the access structure. Therefore, when T₂ changes, the rows associated to attributes, which exist in T₂, must change, as shown in Figure 4. $T_1=\{\left\{A,B,C\right\},D\}$ and $T_2=\{E,F,G\}$, and the final access tree generated in this phase is $T=\left\{T_{1,}{T}_2\right\}=\left\{\right\{A,B,C\},D,E,F,G\}$. Each row of matrix is associated to attribute {A,B,C,D,E,F,G}.

Encrypt: Encryption algorithm is executed by CKA. Due to the heavy computation overhead of CP-ABE, our PCAC scheme uses symmetric encryption to encrypt the plaintext data $M_T$, and then uses CP-ABE to encrypt the key used to encrypt symmetrically. The DS randomly selects the symmetric key k and encrypts the data $M_T$ with it, and then sends the ciphertext C_T and k to the PC and the CKA, respectively. CKA encrypts k with CP-ABE and shares the secret s with LSSS. An LSSS scheme can be expressed as ${(M}_{\mathit{LSSS}},\rho )$, where ρ is a specific hash function and it maps each row in the M matrix to a specific KS, denoted as $\rho \left[i\right]$ (it can be understood that CKA distributes trapdoors to different KS, for storage by function ρ). CKA randomly selects a secret s for encrypting the symmetric key k, denoted as ${C=\mathit{ke}(g,g)}^{s\alpha }$. In order to hide and share the secret s, we randomly select $y_2{,y}_3,\cdots {,y}_l\in Z_p$ and construct vector $\overrightarrow{v}=(s,y_2,y_3,\in ,y_l)$. Same as the commonly used LSSS scheme, we share the secret s and send them to specific KSs for storage, denoted as ${\lambda }_i=M_{{LSSS}_i}·\overrightarrow{v}$ ($M_{\mathit{LSSS}}{}_i$ is the $i^{\mathit{th}}$ row of sharing-generating $M_{\mathit{LSSS}}$ and $i=1,2,\cdots ,l$). Finally, we add a random factor $r_1{,r}_2,\cdots {,r}_l\in Z_p$ as part of the ciphertext. Therefore, our scheme finally calculates the ciphertext CT, as shown in Equation (4).

$$CT=\{\begin{array}{l}CK=k{(e{(g,g)}^{\alpha })}^s\hfill \\ C^{\prime }=g^s\hfill \\ C_i={(g^{\beta })}^{{\lambda }_i}\cdot S{n}_{{\rho }_i}^{-r_i},i=1,2,\dots ,l\hfill \\ {C_i}^{″}=g^{r_i},i=1,2,\dots ,l\hfill \end{array}$$

(4)

In Equation (4), CK is used to hide the symmetric key k, and $C^{\prime }$, $C_i$, and ${C_i}^{″}$ are used for decryption. $C_i$ is distributed stored by KSs. After this algorithm, CKA does not hold any part of ciphertext CT, nor does it save the shared secret s. KS only stores part of $C_i$, and single KS cannot recover the secret s.

4.2.3. Data Obtainment Stage

The data obtainment stage shows the flow when U requests data from PC. There are three phases. First of all, U’s identity should be audited by PC and then, CKA generates a secret key for U. At last, U can decrypt the data with a secret key.

Act_Audit: Action audit phase in the data obtainment stage is executed by three parties, CKA, U, and PC. This phase is similar to the Act_Audit phase in the data collection stage. First of all, U needs to uploaded Pro, to prove its identity. In addition, U also needs to select a random number $r\in Z_p$ and upload ${R=g}^r$ to CKA. And the message U needs to send to CKA is $\{\mathit{Pro},R\}$. Then, CKA randomly chooses $r^{\prime }$ and sends it to U. U gets r’ and calculates $m=\frac{r-r^{\prime }}{U_{\mathit{id}}}$. U generates the time stamp TS and sends a message, which contains m and TS, to CKA. CKA sends an audit message $\mathit{AM}=\{\mathit{Pro},R,m,\mathit{TS},r\prime \}$ to PC for audit. PC may judge if the U’s action is in overtime. In addition, the audit is operated according to Equation (1).

If the audit is passed, it means that U has caught the identification associated to himself/herself. Then, the CKA generates a secret key for U. The communication network between U and CKA is a wide area network, which has a risk of being wiretapped, so our Act_Audit phase contains randomness r’ and U_id, which is difficult to be discovered by the listener, in multiple communications.

Gen_key: The secret key generation phase is executed by the CKA, aimed to generate the secret key, based on the CT. When U requests files, he/she needs to upload ${\mathit{Pro}}_U$, as long as some proof of his/her attribute set is obtained, in order to express their identity. CKA receives the message from U and verifies the attribute set. If the verification is passed, CKA constructs an interaction to achieve specific message for Act_Audit phase. After passing the action audit, the PC calculates the SK with Equation (5), otherwise the PC sends REJ to the CKA. CKA makes further calculations to generate a secret key, which is used to decrypt the symmetric key. In order to resist replay attacks, the PCAC scheme introduces a random factor to further hide the shared secret s. CKA selects a random number d∈Z, and combines d with the time stamp TS and the user’s ${\mathit{Pro}}_U$ to generate a random factor A in the secret key, denoted as ${A=H\left(d\right|\left|\mathrm{TS}\right||\mathit{Pro}}_U)$. The secret key is calculated with Equation (5).

$$SK=\{\begin{array}{l}K={(g^{\beta })}^A\cdot g^{\alpha }\hfill \\ K^{\prime }=g^A\hfill \\ K^{″}=S{n}_{{\rho }_i}^A,i=1,2,\dots ,l\hfill \end{array}$$

(5)

After this, CKA asks the KSs and the PC for the CT. Then, CKA sends the SK and the CT to U for decryption.

Decrypt: The decrypt phase is executed by U. U is free to get the ciphertext from PC, and decrypt the symmetric key k with SK and CT, so that U is able to get the data he/she wants. If U’s attribute set does not satisfy the access structure, U cannot get the secret key SK and cannot decrypt the data. For a U, holding an attribute set $S_U{=\{S}_{I_1}{,S}_{I_2}{,S}_{I_i}{|I}_i\in U\}$, if $S_U$ satisfies the access structure, it is able to construct a matrix $M_U$ ($M_U$ is a sub-matrix of $M_{\mathit{LSSS}}$, and it is combined with the rows in M_LSSS, which is associated to the attributes that exist in S_U). Then, ${\lambda }_{U_i}=M_U·{\overrightarrow{v}}^{\mathrm{T}}$ and ${\lambda }_U$ is calculated, which are sub-vectors of vector $\lambda$. There exists a vector $\overrightarrow{e}=(1,0,\cdots ,0)$, and a new vector $\overrightarrow{v}=(w_1,w_2,\cdots ,w_i)(w_i\in Z_p)$ can be constructed, which satisfies $\overrightarrow{e}=\overrightarrow{w}·M_U$. The secret key s can be recovered from vector $\overrightarrow{w}$ and $\overrightarrow{{\lambda }_U}$, as shown in Equation (6).

$$\begin{array}{ll}s& =(1,0,0,\dots ,0)\cdot (s,y_1,y_2,\dots ,y_i)\\ & =\overrightarrow{e}\cdot {\overrightarrow{v}}^{\mathrm{T}}\\ & =\overrightarrow{w}\cdot M_U\cdot {\overrightarrow{v}}^{\mathrm{T}}\\ & =\overrightarrow{w}\cdot {\overrightarrow{{\lambda }_U}}^{\mathrm{T}}\\ & ={\displaystyle \sum _{i\in I}{w}_i\cdot {\lambda }_{U_i}}\end{array}$$

(6)

Then, the further calculations are based on Equations (4)–(6).

$$\begin{array}{ll}{C}_k& =\frac{e(C^{\prime },K)}{{\displaystyle \prod _{i\in I}{(e(C_i,K^{\prime })\cdot e({C_i}^{″},{K_i}^{″}))}^{w_i}}}\\ & =\frac{e(g^s,g^{\beta A+\alpha })}{{\displaystyle \prod _{i\in I}{(e(g^{\beta {\lambda }_i}\cdot S{n}_{{\rho }_i}^{{-r}_i},g^A)\cdot e(g^{r_i},S{n}_{{\rho }_i}^A))}^{w_i}}}\\ & =\frac{e{(g,g)}^{s(\beta A+\alpha )}}{{\displaystyle \prod _{i\in I}{(e(g,g^{\beta A{\lambda }_i}\cdot S{n}_{{\rho }_i}^{-r_{i}A})\cdot e(g,S{n}_{{\rho }_i}^{r_{i}A}))}^{w_i}}}\\ & =\frac{e{(g,g)}^{s(\beta A+\alpha )}}{e{(g,g)}^{\beta A{\displaystyle \sum _{i\in I}{w}_i\cdot {\lambda }_i}}}=e{(g,g)}^{\alpha s}\end{array}$$

(7)

Finally, U can get symmetric key k:

$$CK/C_k=\mathit{ke}{(g,g)}^{\alpha s}/e{(g,g)}^{\alpha s}=k$$

(8)

So, U can use the symmetric key k to decrypt the ciphertext that C_T got from PC.

5. Security Analysis and Performance Analysis

5.1. Data Confidentiality and Resist Collusion Attack

Our PCAC scheme is improved from the CP-ABE scheme, and also has CP-ABE’s security properties: data confidentiality and resist collusion attack.

Data confidentiality: File data must be kept confidential to users who do not have access. Additionally, our scheme must be able to defend Chose Plaintext Attack (CPA).

The proof of our PCAC scheme is similar to Waters [12]. The power cloud only saves ciphertext encrypted by the symmetric key and the encrypted symmetric key, in the encrypt phase. PC does not take part in generation of the secret key. It is hard to recover the plaintext without the secret key. It means that the data saved in power cloud is safe from an outside attacker.

Resist collusion attack: Multiple malicious users cannot combine with each other to decrypt the file ciphertext which a single user cannot decrypt.

Our PCAC scheme is able to effectively resist collusion attacks. In our scheme, the user does not need to upload his\her own attribute set and only needs to upload his own proof of identity. Therefore, the PC cannot be attacked by forging the attribute set. Additioanlly, in order to prevent to an attacked by forging proof of identity, our PCAC scheme designs Act_Audit phase based on zero-knowledge proof, and is executed before the Gen_key phase, so that malicious users cannot obtain the secret key generated by the CKA.

5.2. Storage Overhead

In this section, our PCAC scheme is compared with the scheme proposed by Waters [12] and the RAAC scheme [5], to test the storage overhead on each agency in our PCAC scheme. The comparison results are shown in

Table 1. The Storage Overhead of Our PCAC, the Waters Scheme, and the RAAC model.

Agencies	PC	CKA	KS	U	DS/Owner
Waters [12]	N/A	2Lp	N/A	(|SU| + 3)Lp + LZp	(|S| + 3)Lp + LZp
RAAC [5]	(6 + 2|S|)Lp + 4LZp	N/A	N/A	(|SU| + 5)Lp + LZp	(|S| + 5)Lp + LZp
PCAC	(3 + |NKS|)Lp + 2LZp	3Lp + |S|Lp	Lp	4Lp + LZp	LZp + Lp

. In the table, |*| is the number of elements in the group *, L_p is the average element length in the linear group of order p. N_KS is the number of KSs, S is the collection of attributes, which is defined at initialization, S_U is the attribute set held by the user. To make the comparison fair, a little change needed to be made on the RAAC model. There exists several attribute authorities (AAs) in the model of RAAC, and we assumed that the number of AAs is the same as the number of KSs in our PCAC scheme.

As can be seen in Table 1, the PC only stores the symmetric encrypted data, while the symmetric key is encrypted by CKA and distributed stored by KSs. Besides, the PC is only responsible for initializing all the attributes in the system and does not participate in the validation of the attribute set, so the attribute data does not need to be stored in PC. Therefore, the data complexity of our PCAC scheme is less than the RAAC. Since CKA is not completely trusted, SK needs to be assigned to different KSs for distributed storage. At the same time, the storage overhead on CKA is reduced. U and DS in the PCAC scheme only saves a pair of public key and private keys, which are assigned by the PC. This reduces the storage of the attribute set.

5.3. Computation Overhead

In this section, our PCAC scheme is compared with the Waters’ scheme [12] and the RAAC scheme [5]. The computation overhead of them is analyzed. The result is shown in

Table 2. The Computation Overhead of Our PCAC, the Waters Scheme, and the RAAC model.

Phases	Init		Gen Stru	Encrypt		Gen_key			Decrypt	Act_Audit
agencies	PC	CKA	CKA	CKA	DS	CKA	KS	PC	U	PC	CKA	U
Waters [12]	N/A	O(NU)	N/A	N/A	O(NSK)	N/A	N/A	O(Nas)	O(NSK)	N/A	N/A	N/A
RAAC [5]	O(NS + NDS + NU)	N/A	N/A	N/A	O(NSK)	O(Nas)	N/A	O(Nas)	O(NSK)	O(1)	O(1)	O(1)
PCAC	O(NS + NDS + NU)	N/A	O(1)	O(NSK)	O(1)	O(Nas)	O(1)	O(1)	O(NSK)	O(1)	O(1)	O(1)

. In the table, N_U is the number of users, N_S is the number of attributes in the system, and N_as is the average number of attributes in the user’s attribute set (these attributes are also contained in the access structure). O(1) means that the computation overhead is the same irrespective of the number of times the input data is increased.

As can be seen in the table, the computation overhead of the encryption and decryption phases is the same as that in the Waters scheme and the RAAC scheme. The Gen_Stru phase consumes low computational complexity. The computation overhead of Act_Audit phase in the PCAC is the same as that in the RAAC. However, in RAAC it needs to be executed after the key-generation phase, so that if the audit fails, the computation overhead is wasted. Our audit phase is executed before the key-generation phase, so the PCAC can reduce some unnecessary computation overhead.

6. Experiment Analysis

In this section, our scheme has been experimentally compared with that of the RAAC, to test the operational efficiency of our PCAC scheme. The experiments were implemented in an environment of Windows 10 (in a PC with Core i7-7500U and 2.7 GHz) and programmed with JPBC [20]. The algorithm in the RAAC scheme was programmed by the description in the reference [5]. As the RAAC scheme was the first to propose the audit and tracking phase based on the CP-ABE, we chose it for the comparison experiments. Therefore, the computational efficiency of our Act_Audit phase could be tested as a comparison with the RAAC scheme.

6.1. Time Consumption in the Data Collection Stage and the Data Obtainment Stage

In this experiment, our PCAC scheme was compared with the RAAC when the DSs uploaded the data and Us requested the data. When the DSs uploaded the data, our PCAC scheme counted the Encrypt and Act_Audit phase, while RAAC counted the Encrypt phase. When requesting the data, PCAC counted the Act_Audit, the Gen_key, and the Decrypt phase, while RAAC counted the Gen_key, the Decrypt, and the Audit phase. As the Init phase was executed once the system was running, it has not been counted here. The RAAC scheme does not take the generation of the access structure into consideration, so the performance of Gen_Stru phase was not analyzed here. Instead, the time consumption of the Gen_Stru phase was counted alone, and it was found to be at least 2 ms. This experiment ignored the influence of network communication. The results are shown in Figure 5 and Figure 6.

As can be seen from the comparison, the time consumption of our PCAC scheme increased with the increase of the number of secret-sharing parties (the number of KSs), in both stages. The number of secret-sharing parties was determined by the row number of the sharing matrix, and the row number of the matrix determined the number of C_i in CT. Therefore, the time consumption of the PCAC was proportional to the number of KSs. As can be seen from Figure 6, in the data obtainment stage, the time consumption in the PCAC was almost half of that in the RAAC.

6.2. Time Consumption of the Encrypt and the Decrypt Phase

In this section, the PCAC scheme has been compared with RAAC in the Encrypt and the Decrypt phase. The result is shown in Figure 7.

As can be seen in the figure, the time cost in the Encrypt and the Decrypt phase increased with the increase of the number of secret-sharing parties. In the Encrypt phase, the secret-sharing parties were mapped to the SKs directly, instead of using other elements to mark the KSs. Therefore, the Decrypt phase of the PCAC scheme consumed relatively less time.

6.3. Time Consumption of the Act_Audit Phase

The comparison results of the Act_Audit phase is shown in Figure 8. In this phase, the RAAC scheme used zero-knowledge proof, on the basis of the chameleon hash algorithm to verify the user’s identity. To make the comparison fair, the time consumption of the trace phase in RAAC scheme was not counted. The Act_Audit phase in the PCAC was less burdensome than that in the RAAC. In the PCAC, the Act_Audit phase took about 30 ms, in average, while it cost more than 60 ms in the RAAC scheme.

6.4. Storage Consumption of CKA

In the data obtainment stage, U needed to send his/her Pk, and CKA was the first to verify the attribute set with his/her Pk, so the CKA needs to save Us’ Pk and Us’ attribute sets. In this section, the experiment on the storage consumption of CKA has been discussed, and the results are shown in

Table 3. Data Size Saved in the CKA.

	Number of Us	100,000	300,000	500,000	1,000,000
Number of Attributes
10		122 MB	366 MB	615 MB	1.18 GB
15		168 MB	505 MB	842 MB	1.65 GB
20		216 MB	644 MB	1.04 GB	2.07 GB
25		260 MB	789 MB	1.28 GB	2.57 GB
30		309 MB	930 MB	1.51 GB	2.99 GB

.

As can be seen from the table, the data size saved in CKA was proportional to the number of U. When there were 30 attributes and 1 million Us, the data size CKA needed to be save was less than 3 GB. This was easy to meet with the storage technology today.

7. Conclusions

In this paper, we proposed a PCAC access control scheme that is suitable for power cloud environment. The PCAC scheme achieved access control from the data collection to data obtainment. A new action audit phase based on zero-knowledge proof, was also proposed, which verifies the user’s identity without infringing on the privacy of Us. Finally, the storage and computation overhead of the PCAC were analyzed through both theoretical and experimental analyses. Compared to the existing CP-ABE access control schemes, the length of the master secret key in our scheme was shorter and the storage pressure of the power cloud was lower, and the time occupied by action audit was relatively low. Therefore, the PCAC scheme could satisfy high-frequency access control requirement in the power cloud. However, there were still some shortcomings in our scheme. In the access structure generation phase, our trapdoor also had a lot of limitations. Our access structure could not achieve “NOT” door and comparable attributes. Therefore, our future work will focus on the construction of these access structure.