ABSTRACT
In order to realize attribute-based data sharing in cloud computing, multi-authority attribute-based encryption (MA-ABE) is extremely attractive. However, most of the existing MA-ABE schemes cannot support a fully large attribute universe and are not suitable for resource-constrained mobile data owners in that the computation cost in secret key generation and encryption is extremely heavy. To tackle the earlier challenges, we propose an online/offline MA-ABE scheme, which realizes both the online/offline secret key generation and the online/offline encryption while supporting a fully large attribute universe. In the offline phase, one global-identity authority and multiple attribute authorities do the majority of the work to issue attribute secret keys before knowing users’ global identity and attributes. The data owner can perform most of the encryption computation tasks before knowing the actual message and access structure. Furthermore, the online phase can rapidly assemble the final decryption key and ciphertexts when related specifications become known. Particularly, the global-identity authority and the attribute authorities need not cooperate in the whole process. Our online/offline MA-ABE scheme allows access policies to be encoded in linear secret sharing schemes. The formal selective security proof and extensive performance analysis indicate that our scheme is very suitable for data sharing in mobile cloud computing. Copyright © 2016 John Wiley & Sons, Ltd.
KEYWORDS
data sharing; attribute-based encryption; online/offline key; online/offline encryption; multi-authority; unbounded universe
*Correspondence
Yinghui Zhang; Dong Zheng, West Chang’an Avenue, Chang’an District, Xi’an, Shaanxi 710121, China.
E-mail: yhzhaang@163.com
her attributes to related authorities. During the encryption phase, the data owner first specifies an access structure and then encrypts the message with respect to the access structure. In both cases, a successful decryption can be performed only if the attributes satisfy the access structures. We note that CP-ABE is more suitable for realizing attribute-based data sharing in that it allows data owners themselves to specify access structures. In recent years, CP-ABE schemes have found many important applications for outsourced data security in cloud computing.
However, many existing ABE schemes only support a single attribute authority, which individually manages all the attributes in the system. To realize distributed privilege authorization, Chase [3] proposed the first multi-authority ABE (MA-ABE) scheme, where each user has attributes issued by different attribute authorities. In an MA-ABE system, there are two important performance issues to be addressed for practical applications. For one thing, a desirable MA-ABE scheme should support a fully large attribute universe. That is, the attribute universe in the system can be of a scale exponential in the security parameter. At the same time, the attributes used in encryption should not be limited for any reason. For another, most of the existing MA-ABE schemes suffer severe efficiency drawbacks because the computation cost in key generation, encryption and decryption often increases with attribute-related parameters. Hence, in existing MA-ABE schemes, the workload of attribute authorities is extremely heavy, and these schemes are not suitable for mobile users with limited resources. In this paper, we tackle the earlier challenges simultaneously.
1.1. Our contribution
Contributions of this paper can be summarized as follows:
Aiming to realize practical attribute-based data sharing in cloud computing, we propose the notion of online/offline multi-authority CP-ABE (OO-MA-CP-ABE) and present an online/offline multi-authority attribute-based data sharing system (OO-MA-ABDS). The key component is an OO-MA-CP-ABE scheme supporting a fully large attribute universe, in which one global-identity authority (GA) and multiple attribute authorities (AAs) are involved to decentralize the privilege authorization.
In the proposed system, the computation required for the generation of user global-identity secret keys, the generation of user attribute secret keys and the encryption of messages is split into an offline phase and an online phase. In the offline phase, GA and AAs do the majority of the work to issue attribute secret keys before knowing users’ global identity and attributes. The data owner can perform most of the encryption computation tasks before knowing the actual message and the access structure. Furthermore, the online phase can rapidly assemble the final decryption key and ciphertexts when related specifications become known.
The technique of online/offline digital signature (OOS) is used by AAs to efficiently generate a signature on users’ attribute secret keys. GA further generates users’ global-identity secret keys, and hence, the decryption key for users only when the online signature is valid. Theoretical analysis and performance comparisons indicate that the proposed OO-MA-ABDS system is extremely suitable for resource-constrained users in mobile cloud computing.
1.2. Related work
In this section, we summarize the related works on ABE and online/offline cryptography.
1.2.1. Attribute-based encryption.
Since the introduction of ABE for implementing fine-grained access control systems [1], much research has been carried out on flexible ABE schemes. Goyal et al. [2] introduced two complementary notions of ABE called KP-ABE and CP-ABE. They presented a construction of KP-ABE by generating the private key according to the monotonic access structures. However, CP-ABE is more attractive than KP-ABE in attribute-based data sharing in practice in that it enables data owners to specify an access structure over attributes and use it to encrypt files based on the corresponding public attributes. The first CP-ABE scheme was proposed by Bethencourt et al. [4], which is proven secure in the generic group model. To improve the security proof, Cheung and Newport [5] proposed another CP-ABE construction and proved its security in the standard model. The construction supports the access structures of AND gate on different attributes.
In order to further protect users’ attribute privacy, anonymous ABE has been studied [6,7]. However, most of the existing anonymous ABE schemes suffer a severe efficiency drawback because of the direct decryption method, where users have to perform many computation tasks to check whether their attributes match the hidden access policy in ciphertexts or not. In order to tackle this problem, Zhang et al. [7] introduced a novel technique called match-then-decrypt into anonymous ABE where a matching phase is added before the decryption phase to improve the decryption efficiency. It is noted that the revocation issue is essential and difficult in ABE systems, because users may change their attributes frequently in practice and each attribute is conceivably shared by multiple users. Yu et al. [8] proposed a CP-ABE scheme supporting indirect revocation. Directly revocable CP-ABE and KP-ABE schemes are considered by Zhang et al. [9,10] and Shi et al. [11], respectively. For communication overhead savings, ABE with constant-size ciphertexts [12–14] is necessary. Attribute-based access control systems based on ABE were proposed in [15,16] for secure cloud storage. There are also many works proposed to make further improvements on ABE, such as ABE with user accountability [17–19] and
Security Comm. Networks (2016) © 2016 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Y. Zhang et al. Online/offline multi-authority ABE for data sharing in mobile cloud computing
expressive ABE [20]. Although having various attractive features, most of the earlier CP-ABE schemes only support a single attribute authority, which is not desirable in that users’ attributes often are issued by different authorities in practice.
In order to fill the earlier gap, Chase [3] proposed several MA-ABE schemes, where each user can apply for secret keys from different attribute authorities. Since then, much research has been carried out on MA-ABE [21–26]. In an MA-ABE system, an important issue of supporting a large attribute universe has to be considered. In [22], Lewko et al. took this issue into account and classified ABE into two flavors: the small attribute universe and the large attribute universe. In ABE systems supporting the small attribute universe, the system public parameter size often depends on the number of attributes in the system; and hence, the scale of the attribute universe is polynomially bounded in security parameters. In the case of large universe, the attribute universe scale can be an exponential level. However, some large universe ABE constructions [23,27], which are called semi-large ABE, have a limitation that the attributes used in encryption cannot be chosen arbitrarily. To eliminate this restriction, Lewko et al. [22] proposed the first unbounded KP-ABE scheme. The scheme can support a fully large attribute universe in composite order groups. Furthermore, Rouselakis et al. [28] proposed both KP-ABE and CP-ABE in groups of prime orders, where the attribute universe is unbounded. It is noted that the schemes [22,28] only allow a single authority. Recently, a MA-KP-ABE scheme [25] and a MA-CP-ABE [26] were constructed, and both schemes allow unbounded attribute universe.
Besides the large universe issue, efficiency concerns are also important in practical MA-ABDS. In fact, in most of the existing ABE schemes, the computation cost is very high and increases with the attribute-related parameters. In MA-ABE, the result is even more serious. ABE suitable for mobile cloud computing was proposed by Zhang et al. [14], which features constant computation cost and constant-size ciphertexts. The scheme has been used to realize attribute-based data sharing in mobile computing in [16]. To reduce the computation cost of ABE decryption at the user side, Green et al. [29] proposed an ABE scheme, which allows users to outsource most of the computation tasks in decryption to cloud servers. In the outsourced ABE [30], the authors considered the validity of computation results from cloud servers. Outsourced ABE schemes in [31,32] can support outsourced encryption and decryption simultaneously. Recently, Li et al. [33] further considered the outsourcing of key generation computation besides the outsourced encryption and decryption. For computation cost savings in basic cryptographic operations, Chen et al. [34,35] realized secure outsourcing of modular exponentiations. Especially, online/offline ABE schemes have recently been presented in [27,36]. However, all these schemes cannot support multiple AAs.
1.2.2. Online/offline cryptography.
The idea of online/offline was initiated by Even et al. [37] for digital signatures. Later, Shamir et al. [38] proposed a paradigm called hash-sign-switch based on Chameleon hashing functions to design online/offline signature schemes. An online/offline signature scheme consists of two phases, and it can efficiently enable handover authentication in wireless networks [39]. Before the message to be signed is known, the first offline phase is performed. The second online phase is performed once the message is known, and it is supposed to be very fast. In the online/offline signature schemes based on the hash-sign-switch paradigm [38], one security flaw is the key exposure problem of Chameleon hashing. To solve this problem, a special double-trapdoor hash family was proposed by Chen et al. [40,41], and they applied the hash-sign-switch paradigm to propose a much more efficient generic online/offline signature scheme.
The technique of online/offline encryption was introduced by Guo et al. [42], where they proposed an identity-based online/offline encryption (IBOOE) scheme. Note that IBOOE has been used to realize secure and efficient handover authentication in wireless networks [43]. In [42], the encryption process is split into two phases: the offline phase and the online phase. The offline phase does the vast majority of the work to encrypt a message, and it does not require the knowledge of the message to be encrypted and the receiver’s identity. This division of computational tasks makes encryption affordable by mobile devices with limited computation power in that most of the work can be executed offline. A more efficient IBOOE scheme was proposed by Liu et al. [44]. Very recently, an improved IBOOE scheme has been proposed by Lai et al. [45]. They proposed an efficient transformation to obtain an online/offline encryption scheme from a traditional identity-based encryption scheme. Especially, Hohenberger et al. [36] proposed several online/offline ABE schemes. The first fully secure online/offline predicate encryption and ABE schemes have recently been presented by Datta et al. [27], in which only the online/offline encryption is considered.
1.3. Organization
The remainder of this paper is organized as follows. Some preliminaries are reviewed in Section 2. We then present the definition and security model of OO-MA-ABE in Section 3. The architecture of the proposed online/offline multi-authority attribute-based data sharing system and its concrete construction together with security results are presented in Section 4. Performance comparisons are made in Section 5. Finally, we conclude this paper in Section 6.
2. PRELIMINARIES
In this section, we first give some notations used throughout the paper and then briefly review some cryptographic backgrounds, access structures, and the notion of OOS.
Symbol Description
Reconstruction( _1, …, _ℓ, (M, )): This algorithm is used to reconstruct s from secret shares. Let S ∈ A be any authorized set and I = {i | (i) ∈ S} {1, 2, …, ℓ}. Then there exist coefficients {ω_i}_{i∈I} such that Σ_{i∈I} ω_i M_i = (1, 0, …, 0), thus we have Σ_{i∈I} ω_i _i = s.
2.4. Online/offline digital signature
An OOS scheme Σ_sign comprises five algorithms as follows:
SigSetup(1 ) → (SP): The signature setup algorithm is run by a user. It outputs the signature parameters SP by taking a security parameter as inputs. Note that SP is published by the user so that the other entities can obtain it.
SigKeyGen(SP) → (SK, VK): This algorithm can be performed by any user based on SP to generate a matching pair of signing and verification keys (SK, VK).
OffSign(SP, VK, SK) → Σ_off: Before knowing the message to be signed, a signer takes SP, VK, and SK as inputs and runs this algorithm to generate an offline signature Σ_off.
OnSign(SP, m, SK, Σ_off) → Σ_on: When a message m is specified to be signed, the signer takes SP, m, SK, and Σ_off as inputs and runs this algorithm to rapidly assemble the final online signature Σ_on of m. It is noted that m is included in Σ_on.
Verify(SP, VK, Σ_on) → (true or false): Upon receiving a signature Σ_on, the verifier checks its validity based on SP and VK. If valid, it outputs true, otherwise false is returned.
3. DEFINITION AND SECURITY MODEL
In this section, we give the definition and formalized security model of online/offline multi-authority CP-ABE.
attribute authority public key APK_k and the corresponding master secret key AMK_k.
Encrypt_off(GP, GPK, APK) → CT_off: Mobile data (MD) takes GP, GPK and APK as inputs and runs this algorithm to generate an offline ciphertext CT_off, where APK = ⋃_{k∈[K]} APK_k.
Encrypt_on(GP, APK_A, m, A, CT_off) → CT_A: In order to encrypt a message m under a specified access policy A, MD takes GP, the set APK_A of attribute authority public keys involved in A, m, A, and an offline ciphertext CT_off as inputs, and runs this algorithm to generate the final ciphertext CT_A.
AAKeyGen_off(GP, AMK_k) → uask_off: AA_k takes GP and AMK_k as inputs and runs this algorithm to generate an offline user-attribute secret key uask_off.
AAKeyGen_on(GP, GID, APK_k, S_{GID,k}, uask_off) → uask_{on,S_{GID,k}}: Whenever a user GID applies for a secret key for attribute set S_{GID,k} from AA_k, AA_k takes GP, GID, APK_k, S_{GID,k}, and uask_off as inputs, and runs this algorithm to generate a partial online user-attribute secret key uask_{on,S_{GID,k}}. It is noted that the user GID’s online attribute secret key is uask_{on,S_GID} = ⋃_{k∈[K]} uask_{on,S_{GID,k}}, where S_GID = ⋃_{k∈[K]} S_{GID,k}.
GAKeyGen_off(GP, GMK) → ugsk_off: GA takes GP and GMK as inputs and runs this algorithm to generate an offline user-global-identity secret key ugsk_off.
GAKeyGen_on(GP, uask_{on,S_GID}, ugsk_off) → SK_{S_GID}: Whenever a user GID applies for a decryption key from GA, GA takes GP, uask_{on,S_GID} and ugsk_off as inputs, and runs this algorithm to generate the user GID’s final user-global-identity secret key ugsk_GID and the final user-attribute secret key uask_{S_GID}. Then the decryption key is SK_{S_GID} = (ugsk_GID, uask_{S_GID}).
Decrypt(GP, CT_A, SK_{S_GID}) → m or ⊥: DC takes GP, a ciphertext CT_A of a message m under A, and a decryption key SK_{S_GID} associated with S_GID as inputs, and runs this algorithm to output the message m if S_GID is an authorized set of A. Otherwise, the symbol ⊥ is returned.
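The sharing layer behind the Reconstruction algorithm and the Encrypt_off / Encrypt_on split defined above, as an added Python example that is not code from the paper. It works on exponents in the clear with no pairing group, so it shows correctness only; the modulus, the three-row policy matrix, the attribute names and all function names are constructed for illustration, and the per-row correction stands in for the ciphertext component C_{j,4} that Section 4.2 attaches to each policy row.

```python
"""LSSS sharing with an offline/online split (exponent arithmetic only).

Illustration of correctness, not of security: a real scheme hides every value
below inside pairing-group elements, and the decryptor never sees the pool.
"""
import secrets

P = 2**127 - 1  # constructed prime standing in for the group order p


def share(M, s, p=P):
    """Online step: shares of s are M * (s, y_2, ..., y_n)^T mod p."""
    y = [s % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, y)) % p for row in M]


def recon_coeffs(M, rho, attrs, p=P):
    """Find w_j with sum_j w_j * M_j = (1, 0, ..., 0) over rows whose label
    rho[j] is in attrs. Returns {j: w_j}, or None if attrs is not authorized."""
    rows = [j for j, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # One equation per matrix column, one unknown per usable row; last entry is e_1.
    A = [[M[j][k] % p for j in rows] + [1 if k == 0 else 0] for k in range(n)]
    pivots, r = [], 0
    for c in range(len(rows)):
        piv = next((i for i in range(r, n) if A[i][c]), None)
        if piv is None:
            continue  # free unknown, left at 0
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for i in range(n):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * z) % p for x, z in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in A[r:]):
        return None  # 0 = 1 somewhere: the target vector is out of reach
    w = {j: 0 for j in rows}
    for i, c in enumerate(pivots):
        w[rows[c]] = A[i][-1]
    return w


def encrypt_offline(pool_size, p=P):
    """Before the policy is known: fix s and a pool of provisional shares."""
    s = secrets.randbelow(p)
    return s, [secrets.randbelow(p) for _ in range(pool_size)]


def encrypt_online(M, s, pool, p=P):
    """Once the policy is known: one subtraction per row turns a provisional
    share into the real one (the role played by the C_{j,4} component)."""
    if len(pool) < len(M):
        raise ValueError("offline pool too small for this policy")
    return [(lam - off) % p for lam, off in zip(share(M, s, p), pool)]


def recover(M, rho, attrs, pool, corrections, p=P):
    """Decryptor side: rebuild each real share, then recombine to s."""
    w = recon_coeffs(M, rho, attrs, p)
    if w is None:
        return None
    return sum(wj * (pool[j] + corrections[j]) for j, wj in w.items()) % p


# Constructed policy: doctor AND (cardiology OR surgery).
M_DEMO = [[1, 1], [0, -1], [0, -1]]
RHO_DEMO = ["doctor", "cardiology", "surgery"]

if __name__ == "__main__":
    s, pool = encrypt_offline(len(M_DEMO))
    c4 = encrypt_online(M_DEMO, s, pool)
    print(recover(M_DEMO, RHO_DEMO, {"doctor", "surgery"}, pool, c4) == s)
    print(recover(M_DEMO, RHO_DEMO, {"cardiology", "surgery"}, pool, c4))
```

The online step costs one modular subtraction per policy row, which is the saving the offline pool buys a resource-constrained data owner.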
Then B gives GP, SP, GPK, and {APK_k}_{k∈[K]} to A. Besides, A specifies a corrupted set K_c K of AAs, and {AMK_k}_{k∈[|K_c|]} are returned to A.
(3) Phase 1: The adversary A issues a polynomially bounded number of queries to the following oracles with a restriction that S_GID does not satisfy A .
AAKeyGen Oracle O_AAK: The adversary A submits a GID and an attribute list S_GID. For k ∈ K\K_c, B returns uask_{on,S_GID} and Σ_on to A.
GAKeyGen Oracle O_GAK: Upon receiving uask_{on,S_GID} and Σ_on from A, B checks its validity based on Verify. Note that B returns SK_{S_GID} = (ugsk_GID, uask_{S_GID}) only if uask_{on,S_GID} is valid.
(4) Challenge: Once A decides that Phase 1 is over, it outputs two messages m_0 and m_1 of the same length on which it wishes to be challenged under A . The challenger B flips a random coin b ∈ {0, 1}, computes CT_A = Encrypt_on(GP, APK_A, m, A, CT_off) and sends CT_A to A, where CT_off = Encrypt_off(GP, GPK, APK).
(5) Phase 2: The same as Phase 1.
(6) Guess: The adversary A outputs a guess bit b′ ∈ {0, 1} for b and wins the game if b′ = b. The advantage of A in the earlier game with security parameter is defined as follows:
Adv^{OO-MA-CP-ABE}_A( ) = |Pr[b′ = b] − 1/2|.
4. ONLINE/OFFLINE MULTI-AUTHORITY ATTRIBUTE-BASED ENCRYPTION FOR DATA SHARING IN MOBILE CLOUD COMPUTING
In this section, we first propose the system architecture of online/offline multi-authority attribute-based data sharing, then give the concrete system and security results.
4.1. System architecture
As shown in Figure 1, the system architecture of OO-MA-ABDS system consists of one GA, multiple AAs, cloud service provider (CSP), MD owner and data consumer (DC).
Subsequently, we describe the system architecture of OO-MA-ABDS system in detail.
(1) GA runs GlobalSetup and SigSetup to generate global system parameters.
(2) GA runs GASetup to join the system.
(3) AA runs AASetup and SigKeyGen to join the system.
(4) MD runs Encrypt_off to generate offline ciphertexts CT_off and make preparation for file outsourcing.
(5) MD runs Encrypt_on to generate online ciphertexts CT_A and outsource CT_A to CSP.
(6) AA runs AAKeyGen_off and OffSign to generate uask_off and Σ_off, respectively.
(7) Upon receiving GID and S_{GID,k} from MD, AA returns uask_{on,S_GID} and Σ_on by respectively running AAKeyGen_on and OnSign.
(8) GA runs GAKeyGen_off to generate ugsk_off.
(9) Upon receiving Σ_on and uask_{on,S_GID} from MD, GA runs Verify to check the validity of Σ_on. If and only if Σ_on is valid, GA runs GAKeyGen_on to return SK_{S_GID}.
(10) DC downloads CT_A from CSP, and runs Decrypt to get a plaintext message if S_{GID,k} matches A.
It is noted that the algorithms need not be performed in the earlier sequence.
4.2. The proposed online/offline multi-authority attribute-based data sharing system
(1) Global initialization phase. In the system initialization phase, GA chooses a security parameter and describes a tuple (G, G_T, p, ê), where G and G_T are two cyclic multiplicative groups of large prime order p and ê: G × G → G_T is a bilinear map. Let g be a generator of G. Also, GA specifies an online/offline signature scheme Σ_sign = (SigSetup, SigKeyGen, OffSign, OnSign, Verify). Then GA generates global system parameters based on the following procedures:
GA runs the algorithm GlobalSetup(1 ): GA selects h, u, v, ω ∈_R G and sets global system parameters as GP = (g, h, u, v, ω).
GA runs the algorithm SigSetup(1 ) of Σ_sign to obtain a signature parameter SP.
(2) Global-identity authority initialization phase. In the GA initialization phase, GA performs the GASetup algorithm with GP as inputs
GASetup(GP): GA selects an exponent α ∈_R Z_p and computes GPK = ê(g, g)^α. Then it publishes GPK and keeps GMK = α secret.
(3) Attribute authorities initialization phase. In the AA initialization phase, for each k ∈ [K], AA_k takes as inputs GP, k, U_k, and does the following procedures:
AA_k performs the algorithm AASetup(GP, k, U_k): AA_k selects an exponent α_k ∈_R Z_p and computes APK_k = (u^{α_k}, h^{α_k}) and AMK_k = α_k.
note that CT_off constitutes an immediate offline ciphertext pool and it can be updated by MD if necessary.
(5) Online file outsourcing phase. Before outsourcing a file m ∈ G_T to CSP, MD can specify an access policy A, encrypt m with respect to A, and then upload the ciphertext to CSP. Therefore, in the online file outsourcing phase, MD chooses related offline modules from the CT_off pool. Besides, MD takes GP, the set APK_A of attribute authority public keys involved in A, m, and A as inputs, and runs the algorithm Encrypt_on to generate the final ciphertext CT_A. Note that A = (M, ) is encoded in an LSSS policy, where M ∈ Z_p^{ℓ×n} and : [ℓ] → Z_p.
Encrypt_on(GP, APK_A, m, A, CT_off): MD chooses any one offline main module IT_main = (s, K_m, C′_0) = (s, ê(g, g)^{αs}, g^s). Then MD chooses y_2, …, y_n ∈_R Z_p, sets y = (s, y_2, …, y_n)^T and computes the share vector ( _1, _2, …, _ℓ)^T = M y. In addition, for j ∈ [ℓ], suppose (j) corresponds to an attribute controlled by AA_k, MD chooses some offline attribute modules IT_{att,j} from the CT_off pool, where IT_{att,j} = ( ′_j, x_j, t_j, C′_{j,1}, C′_{j,2}, C′_{j,3}) with C′_{j,1} = ((u^{α_k})^{x_j} h^{α_k})^{−t_j}, C′_{j,2} = g^{t_j} and C′_{j,3} = ω^{ ′_j} v^{t_j}. MD sets C = m·K_m, C_0 = C′_0, C_{j,1} = C′_{j,1}, C_{j,2} = C′_{j,2}, C_{j,3} = C′_{j,3}, C_{j,4} = _j − ′_j and C_{j,5} = −t_j( (j) − x_j). Finally, the ciphertext of m under A is CT_A = (A, C, C_0, {C_{j,1}, C_{j,2}, C_{j,3}, C_{j,4}, C_{j,5}}_{j∈[ℓ]}), which is outsourced to CSP by MD.
(6) Offline user AAKeyGen phase. In the offline phase of user’s attribute secret key generation, to generate an offline user-attribute secret key uask_off, each AA_k runs AAKeyGen_off algorithm with GP and AMK_k as inputs, and runs OffSign with SP, ASK_k and AVK_k as inputs in the following.
AAKeyGen_off(GP, AMK_k): At first, each AA_k chooses r_i, x̃_i ∈_R Z_p for i ∈ [|U_k|], computes K′_{i,1} = g^{r_i/α_k} and K′_{i,2} = (u^{x̃_i} h)^{r_i}, then sets uask_off = {r_i, x̃_i, K′_{i,1}, K′_{i,2}}_{i∈[|U_k|]}.
AA_k runs OffSign(SP, AVK_k, ASK_k) to get Σ_off.
(7) Online user AAKeyGen phase. In the online phase of user’s attribute secret key generation, to generate an online user-attribute secret key uask_{on,S_GID}, each AA_k runs AAKeyGen_on algorithm with GP, GID, APK_k, S_{GID,k}, and uask_off as inputs, and runs OnSign with SP, ASK_k and Σ_off as inputs in the following, where uask_off = {r_i, x̃_i, K′_{i,1}, K′_{i,2}}_{i∈[|U_k|]}.
AAKeyGen_on(GP, GID, APK_k, S_{GID,k}, uask_off): For i ∈ [|S_{GID,k}|], AA_k computes K_{i,1} = K′_{i,1}, K_{i,2} = K′_{i,2} and K̃_{i,2} = r_i(att_i − x̃_i), then sets uask_{on,S_{GID,k}} = {K_{i,1}, K_{i,2}, K̃_{i,2}}_{i∈[|S_{GID,k}|]}. It is noted that the user GID’s online attribute secret key is uask_{on,S_GID} = ⋃_{k∈[K]} uask_{on,S_{GID,k}}.
AA_k firstly sets m_sig = GID ∥ APK_k ∥ S_{GID,k} ∥ uask_{on,S_GID} ∥ Σ_off, and then runs the online signing algorithm OnSign(SP, m_sig, ASK_k, Σ_off) to get signature Σ_on. It is default that the signature message m_sig is contained in Σ_on.
(8) Offline user GAKeyGen phase. In the offline phase of user’s global identity secret key generation, to generate an offline global-identity secret key ugsk_off, GA runs GAKeyGen_off algorithm with GP and GMK as inputs in the following:
GAKeyGen_off(GP, GMK): GA chooses r ∈_R Z_p, computes K′_0 = g^α ω^r, K′_3 = g^r and D = v^{−r}. Then GA sets ugsk_off = (K′_0, K′_3, D).
(9) Online user GAKeyGen phase. In the online phase of user’s global identity secret key generation, to generate a decryption key SK_{S_GID} for the user GID with attributes S_GID, GA runs Verify with SP, AVK_k, and Σ_on as inputs for each AA_k involved in S_GID, and runs GAKeyGen_on with GP, uask_{on,S_GID} and ugsk_off as inputs as follows:
If and only if Verify(SP, AVK_k, Σ_on) = true, that is, Σ_on is a valid signature, GA proceeds.
GAKeyGen_on(GP, uask_{on,S_GID}, ugsk_off): GA firstly chooses _i ∈_R Z_p for i ∈ [|S_GID|], suppose att_i ∈ U_k, sets K_0 = K′_0 = g^α ω^r, K_{i,1} = (K_{i,1})^{ _i} = g^{r_i _i/α_k}, K_{i,2} = (K_{i,2} u^{K̃_{i,2}})^{ _i} D = (u^{att_i} h)^{r_i _i} v^{−r} and K_3 = K′_3 = g^r, then sets the user GID’s final user-global-identity secret key as ugsk_GID = (K_0, K_3) and the final user-attribute secret key is uask_{S_GID} = {K_{i,1}, K_{i,2}}_{i∈[|S_GID|]}. Finally, the decryption key is SK_{S_GID} = (GID, S_GID, ugsk_GID, uask_{S_GID}).
(10) File access phase. Data consumer downloads a ciphertext CT_A from CSP and runs the algorithm Decrypt with GP, CT_A, and SK_{S_GID} as inputs to recover the corresponding plaintext message.
Decrypt(GP, CT_A, SK_{S_GID}): If S_GID is not an authorized set of A, DC aborts, and it returns ⊥. Otherwise, DC computes constants {ω_j ∈ Z_p}_{j∈I} such that Σ_{j∈I} ω_j M_j = (1, 0, …, 0),
where I = {j | (j) ∈ S_GID} [ℓ] and M_j denotes the j-th row of M. It is noted that these constants exist in that S_GID is authorized by A. Then DC computes
B = ê(K_0, C_0) / Π_{j∈I} T_j^{ω_j} = ê(g, g)^{αs}
where
T_j = ê(K_{i,1}, C_{j,1} (u^{α_k})^{C_{j,5}}) · ê(K_{i,2}, C_{j,2}) · ê(K_3, C_{j,3} ω^{C_{j,4}})
and the index of the attribute (j) in S_GID is i and k indicates that (j) is issued by the k-th attribute authority AA_k. Finally, DC gets M = C/B.
4.3. Security results
The security of the proposed OO-MA-ABDS system is given by the Theorem 1 as follows:
Theorem 1. If the adopted OOS scheme is existentially unforgeable, then our OO-MA-ABDS system is secure in the standard model against the selective access structures and chosen messages attackers in the proposed security model under the q-type assumption in G.
Proof. The proposed OO-MA-ABDS system is based on a potential OO-MA-CP-ABE scheme, which is denoted by Π. In the following, we will show that any PPT attacker A with a non-negligible advantage in the proposed security model against Π can be used to design a PPT simulator B, which can break the q-type assumption with advantage . The simulator B plays the challenger and interacts with A. The simulation proceeds as follows:
(1) Init: The challenger B obtains the given terms of the q-type assumption. In addition, the adversary A gives a challenge access structure A = (M , ) to B. We note that the index of the ℓ × n matrix M satisfies ℓ, n q and : [ℓ] → Z_p.
(2) Setup: The challenger B chooses a sufficiently large security parameter , and does
GlobalSetup(1 ): B sets g = g and ω = g^a. Then B chooses h′, u′, v′ ∈_R Z_p, and returns to the parameters as follows based on the given terms in the assumption.
h = g^{h′} Π_{(j,k)∈[ℓ,n]} (g^{a^k/b_j^2})^{− (j) M_{j,k}},
u = g^{u′} Π_{(j,k)∈[ℓ,n]} (g^{a^k/b_j^2})^{M_{j,k}},
v = g^{v′} Π_{(j,k)∈[ℓ,n]} (g^{a^k/b_j})^{M_{j,k}}
Also, an existentially unforgeable OOS scheme Σ_oos is adopted. B sets GP = (g, h, u, v, ω).
SigSetup(1 ): B generates an online/offline signature parameter SP.
GASetup(GP): B picks α′ ∈_R Z_p and implicitly sets GMK = α = a^{q+1} + α′. Then GPK = e(g, g)^α = e(g, g)^{α′} e(g^a, g^{a^q}) is given to A.
AASetup(GP, k, U_k): For each AA_k, B chooses α_k ∈_R Z_p and sets AMK_k = α_k and APK_k = (u^{α_k}, h^{α_k}). AA_k runs the algorithm SigKeyGen(SP) of Σ_oos to obtain a signing-verification key pair (ASK_k, AVK_k).
Finally, B gives GP, SP, GPK, and {APK_k}_{k∈[K]} to A. Besides, A specifies a corrupted set K_c K of AAs, and {AMK_k}_{k∈[|K_c|]} are returned to A.
(3) Phase 1: A makes queries to the following oracles with a restriction that S_GID is not authorized by A .
AAKeyGen Oracle O_AAK: A submits a GID and an attribute list S_GID. For AA_k ∈ K_c, A generates uask_{on,S_{GID,k}} and Σ_off itself and sends them to B. Note that B can also generate uask_{on,S_{GID,k}} and Σ_off itself. Subsequently, B generates uask_{on,S_GID} and Σ_on for A based on attribute authority master secret keys.
GAKeyGen Oracle O_GAK: Upon receiving GID, uask_{on,S_GID}, and Σ_on from A, B checks its validity based on Verify(SP, AVK_k, Σ_on). If each value is true, B returns SK_{S_GID} = (ugsk_GID, uask_{S_GID}) to A by performing the following procedures. Because S_GID is not authorized by A = (A , ), B can find a vector ω = (ω_1, ω_2, …, ω_n)^T ∈ Z_p^n such that ω_1 = −1 and ⟨M_j, ω⟩ = 0 for all j ∈ I = {j | (j) ∈ S_GID ∧ j ∈ [ℓ]}. Then B selects r′ ∈ Z_p and implicitly sets
r = r′ + ω_1 a^q + ω_2 a^{q−1} + … + ω_n a^{q+1−n} = r′ + Σ_{i∈[n]} ω_i a^{q+1−i}
Then B calculates the final user-global-identity secret key as ugsk_GID = (K_0, K_3) as follows:
K_0 = g^α ω^r = g^{a^{q+1}+α′} g^{a r′} Π_{i∈[n]} g^{ω_i a^{q+2−i}}
n
Y ak b
r0 (atti – (j))Mj,k
0 0 q+2–i !i j0
= g˛ (ga )r ga , Y (atti – (j0 ))b2j
i=2
g
0 Y
q+1–i !i (j0 ,j,k)2[`,`,n],
K3 = gr = gr ga (j0 )…SGID
i2[n] aq+1+k–i0 b
!i0 (atti – (j))Mj,k j0
Y (atti – (j0 ))b2j
In addition, aiming to answer the final g
user-attribute secret key uaskSGID = (i0 ,j0 ,j,k)2[n,`,`,n],
{Ki,1 , Ki,2 }i2[|SGID |] , for each atti 2 SGID , B (j0 )…SGID
chooses Qi 2 Zp and sets i = ri–1 i0 , where 0 0
!i0 (atti – (j))M 0 aq+1+i –i bj
j,i
ri 2 Zp is chosen by B in OAAK in terms 4 Y (atti – (j))b2j
of the proposed scheme and i0 is implicitly = 1 g
computed as (i0 ,j)2[n,`],
(j)…SGID
Y E j iaq+1 /bj
X bj0 = 1 g
h!,M
i0 = Qi + r
atti – (j0 ) j2[`],
j0 2[`], (j)…SGID
(j0 )…SGID
4
X bj0 = 1
= Qi + r0
atti – (j0 ) Q
j0 2[`], E j iaq+1 /bj
h!,M
(j0 )…SGID
where = g cannot be
j2[`],
X !j bj0 aq+1–j (j)…SGID
+ directly obtained by B. Note that 1 includes
atti – (j0 ) the remaining part of the product and it can be
(j,j0 )2[n,`],
(j0 )…SGID obtained by B.
On the other hand, v–r can be computed as
Obviously, i0 (and hence i ) is well defined for 0 1– P !i aq+1–i
attributes in SGID . Then, for each atti 2 SGID , Y
0 0 M ak /bj A i2[n]
suppose atti is managed by AAk , B calculates v–r = v–r @gv g j,k
Ki,1 as follows: (j,k)2[`,n]
0 Y 0
q+1–i –v !i
0 = v–r ga
Ki,1 = gri i /˛k = gi /˛k i2[n]
Q Y r0 /˛k (atti – (j0 )) Y –!i M
bj0
gi /˛k q+1+k–i /b j,k
= g ga j
j0 2[`], (i,j,k)2[n,`,n]
(j0 )…SGID Y aq+1 /b
4 –!i Mj,k j
!j /˛k (atti – (j0 )) = 2 g
Y bj0 aq+1–j
g (i,j)2[n,`]
(j0 ,j)2[`,n],
Y E j iaq+1 /bj
–h!,M
= 2 g
(j0 )…SGID
j2[`],
(j)…SGID
As for Ki,2 , we know that the valid form is
= 2 –1
(uatti h)ri i v–r . In the following, we show that
although B cannot directly compute v–r because
where 2 includes the remaining part of the
of an unknown multiplication factor, it still can
product and it can be obtained by B.
generate a valid Ki,2 for each atti 2 SGID , which
Therefore, B computes Ki,2 =
is ensured by the choose of i . That is, a factor in att ri i
att ri i u h i v –r = 1 2 , and sets
u ih due to i and the unknown factor in
v–r cancel each other in multiplication. In fact, uaskSGID = {Ki,1 , Ki,2 }i2[|SGID |] . Finally, B
returns SKSGID = (ugskGID , uaskSGID ) to the
adversary A.
att ri i att 0
u ih = u ih i
u0 atti +h0 (4) Challenge: A submits two messages m0 and m1
Q ˛ Q
= uatti h i Ki,1k /gi of the same length on which it wishes to be chal-
lenged under A . B flips a random coin b 2 {0, 1},
˚
computes CTA in the following and sends it to A. CTA = A, C, C0 , Cj,1 , Cj,2 , Cj,3 , Cj,4 , Cj,5 j2[`]
0
Firstly, B sets C = mb T e(gs , g)˛ , C0 = gs . to the adversary A.
Then B chooses {i 2R Zp }i2[2,n] and sets E = (5) Phase 2: The same as Phase 1.
>
E0 =
s, sa + 2 , sa2 + 3 , : : : , san–1 + n . Then (6) Guess: A outputs a guess bit b0 2 {0, 1} of b. If
and only if b0 = b, B outputs 0, that is, it claims that
M ,
E for each j 2 [`], it follows that q+1
T = eO (g, g)sa . Therefore, if A breaks the proposed
X n
X system with a non-negligible advantage , B obtains
0j = sai–1 +
Mj,i
Mj,i i probability in breaking the q-type assumption in G.
i2[n] i=2
X
= sai–1
Mj,i + Q j
i2[n]
Schemes  Policy  Expressiveness  Security       Group      Attribute universe  Multi-authority  OO KeyGen  OO Encrypt
[3,21]   KP      Tree            Selective (S)  Prime      Semi-large          √                -          -
[22]     CP      LSSS            Full (R)       Composite  Small               √                -          -
[23]     CP      LSSS            Full (S)       Composite  Semi-large          √                -          -
[26]     CP      LSSS            Selective (S)  Prime      Fully large         √                -          -
[36]     CP      LSSS            Selective (S)  Prime      Fully large         -                √          √
[27]     CP      LSSS            Full (S)       Prime      Semi-large          -                -          √
Ours     CP      LSSS            Selective (S)  Prime      Fully large         √                √          √
Notes: The other schemes in [3,21] support threshold policies and small attribute universe. The CP-ABE scheme in [36] does not simultaneously realize online/offline key generation and encryption with provable security. The other schemes in [36] support key policies.
Table III. Computation cost comparisons between fully large universe constructions.
[26] 1P + (2K + 1)E (5|S| + 4)E + (1|S| + 2)M (5` + 2)E + (2` + 1)M (3|I| + 1)P + |I|E + (3|I| + 1)M
[36] 1P + 1E |S|M 1M (3|I| + 2)P + (2|I| + 1)E + (4|I| + 2)M
Ours 1P + (2K + 1)E 3|S|E + |S|M 1M (3|I| + 1)P + 3|I|E + (5|I| + 1)M
Figure 2. Online computation cost comparisons between fully large universe constructions.
which, however, only our scheme allows multiple AAs. The scheme [27] does not support online/offline key generation and the scheme [36] fails to realize offline key generation and offline encryption with provable security simultaneously.
Consider the support of fully large attribute universe, Table III just compares the schemes [26,36] and our scheme, where the related online key generation and online encryption computation cost is considered in the scheme [36] and ours. We can see from Table III that the proposed OO-MA-CP-ABE scheme and the scheme [36] require the same online encryption cost, which is much less than that of the scheme [26]. Our scheme can support multiple attribute authorities and the number of pairings in decryption phase is one less than that of the scheme [36].
In order to precisely evaluate the performance, we implement and compare the computation cost of the Li et al. scheme [26], the Hohenberger et al. scheme [36] with that of ours in Figure 2. Note that the vertical axis is log scale. In Figure 2(a), our simulation experiments are based on the Stanford Pairing-Based Cryptography Library (PBC) and a Linux machine with Intel Core 2 processors running at 2.40 GHz and 2G memory. In Figure 2(b), our simulation experiments are based on the Java Pairing-Based Cryptography Library and a Lenovo P780 smartphone with Android OS 4.2 operation system. In our experiments, type A pairings are adopted. We consider the worst case of access structures, which ensures that all the ciphertext components are involved in decryption. Specifically, we generate 100 distinct access structures in the form of (A1 ∧ A2 ∧ ⋯ ∧ Ak) with k increasing from 1 to 100, where each component Ai is not wildcard. In each case, a corresponding secret key that contains exact k attributes is generated. For each access structure, the experiment is repeated 100 times on the PC and 50 times on the smartphone, and the average values are used
as the final experimental results. Obviously, the experiment results indicate that the proposed OO-MA-CP-ABE scheme is very efficient considering its desirable features in Table II.
In general, the proposed OO-MA-CP-ABE scheme is the first online/offline multi-authority CP-ABE scheme. We argue that the proposed scheme is suitable for data sharing in mobile cloud data sharing.

6. CONCLUSIONS AND FUTURE WORK

Aiming at tackling the challenging issues of large universe and computation overheads in multi-authority attribute-based data sharing, we first introduce the notion and formalized security model of OO-MA-ABE, and then give a concrete OO-MA-ABDS system. The key component is an OO-MA-CP-ABE scheme supporting a fully large attribute universe, in which one GA and multiple AAs are involved to decentralize the privilege authorization. In particular, GA and AAs need not to cooperate in the whole process. The proposed OO-MA-CP-ABE scheme allows the access policies encoded in linear secret sharing schemes. Theoretical analysis and extensive performance comparisons indicate that the proposed data sharing scheme is suitable for mobile cloud computing.
It would be interesting to construct OO-MA-CP-ABE schemes supporting offline key generation, offline encryption and offline decryption simultaneously. Another possible goal for future research would be to find OO-MA-CP-ABE schemes proven secure under static assumptions.

ACKNOWLEDGEMENTS

This work is supported by National Natural Science Foundation of China (nos. 61402366, 61272037, 61502248, 61472472, and 61272457), Natural Science Basic Research Plan in Shaanxi Province (no. 2015JQ6236), and Scientific Research Program funded by Shaanxi Provincial Education Department (no. 15JK1686). Also, Yinghui Zhang is supported by New Star Team of Xi’an University of Posts and Telecommunications, Jin Li is sponsored by a project funded by the Priority Academic Program Development of Jiangsu Higher Education Institutions and the Jiangsu Collaborative Innovation Center on Atmospheric Environment and Equipment Technology, and Qi Li is sponsored by NUPTSF (no. NY215008).

REFERENCES

1. Sahai A, Waters B. Fuzzy identity-based encryption. In Advances in Cryptology-EUROCRYPT’05, Lecture Notes in Computer Science, Vol. 3494, Cramer R (ed). Springer: Berlin-Heidelberg, 2005; 557–557.
2. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS’06, ACM: New York, 2006; 89–98.
3. Chase M. Multi-authority attribute based encryption. In Theory of Cryptography, Lecture Notes in Computer Science, Vol. 4392, Vadhan S (ed). Springer: Berlin-Heidelberg, 2007; 515–534.
4. Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. IEEE Symposium on Security and Privacy, SP’07, IEEE: Oakland, 2007; 321–334.
5. Cheung L, Newport C. Provably secure ciphertext policy abe. Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS’07, ACM: New York, 2007; 456–465.
6. Nishide T, Yoneyama K, Ohta K. Abe with partially hidden encryptor-specified access structure. In Proceedings of Applied Cryptography and Network Security. ACNS’08, Lecture Notes in Computer Science, Vol. 5037, Bellovin S, Gennaro R, Keromytis A, Yung M (eds). Springer: Berlin-Heidelberg, 2008; 111–129.
7. Zhang Y, Chen X, Li J, Wong D S, Li H. Anonymous attribute-based encryption supporting efficient decryption test. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ACM: New York, 2013; 511–516.
8. Yu S, Wang C, Ren K, Lou W. Attribute-based data sharing with attribute revocation. Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS’10, ACM: New York, 2010; 261–270.
9. Zhang Y, Chen X, Li J, Li H, Li F. FDR-ABE: attribute-based encryption with flexible and direct revocation. The 5th International Conference on Intelligent Networking and Collaborative Systems (INCos), IEEE: Oakland, 2013; 38–45.
10. Zhang Y, Chen X, Li J, Li H, Li F. Attribute-based data sharing with flexible and direct revocation in cloud computing. KSII Transactions on Internet & Information Systems 2014; 8(11): 4028–4049.
11. Shi Y, Zheng Q, Liu J, Han Z. Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation. Information Sciences 2015; 295: 221–231.
12. Herranz J, Laguillaumie F, Ràfols C. Constant size ciphertexts in threshold attribute-based encryption. In Public Key Cryptography-PKC 2010, Lecture Notes in Computer Science, Vol. 6056, Nguyen P, Pointcheval D (eds). Springer: Berlin-Heidelberg, 2010; 19–34.
13. Takashima K. Expressive attribute-based encryption with constant-size ciphertexts from the decisional linear assumption. In Security and Cryptography for Networks. Springer: Berlin-Heidelberg, 2014; 298–317.
14. Zhang Y, Zheng D, Chen X, Li J, Li H. Computationally efficient ciphertext-policy attribute-based encryption with constant-size ciphertexts. In Provable Security. Springer: Berlin-Heidelberg, 2014; 259–273.
15. Liu Q, Wang G, Wu J. Time-based proxy re-encryption scheme for secure data sharing in a cloud environment. Information Sciences 2014; 258: 355–370.
16. Zhang Y, Zheng D, Chen X, Li J, Li H. Efficient attribute-based data sharing in mobile clouds. Pervasive and Mobile Computing 2016; 28: 135–149.
17. Li J, Ren K, Zhu B, Wan Z. Privacy-aware attribute-based encryption with user accountability. In Proceedings of the International Information Security Conference. ISC’09, Lecture Notes in Computer Science, Vol. 5735, Samarati P, Yung M, Martinelli F, Ardagna C (eds). Springer: Berlin-Heidelberg, 2009; 347–362.
18. Liu Z, Cao Z, Wong DS. Blackbox traceable cp-abe: how to catch people leaking their keys by selling decryption devices on ebay. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ACM: New York, 2013; 475–486.
19. Xhafa F, Feng J, Zhang Y, Chen X, Li J. Privacy-aware attribute-based phr sharing with user accountability in cloud computing. The Journal of Supercomputing 2015; 71(5): 1607–1619.
20. Balu A, Kuppusamy K. An expressive and provably secure ciphertext-policy attribute-based encryption. Information Sciences 2014; 276: 354–362.
21. Chase M, Chow SS. Improving privacy and security in multi-authority attribute-based encryption. Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, ACM: New York, 2009; 121–130.
22. Lewko A, Waters B. Decentralizing attribute-based encryption. In Advances in cryptology–EUROCRYPT 2011, Lecture Notes in Computer Science, Vol. 6632. Springer: Berlin-Heidelberg, 2011; 568–588.
23. Liu Z, Cao Z, Huang Q, Wong DS, Yuen TH. Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles. In Computer security–ESORICS 2011. Springer: Berlin-Heidelberg, 2011; 278–297.
24. Li J, Huang Q, Chen X, Chow SSM, Wong DS, Xie D. Multi-authority ciphertext-policy attribute-based encryption with accountability. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS’11, ACM: New York, 2011; 386–390.
25. Li Q, Ma J, Li R, Xiong J, Liu X. Large universe decentralized key-policy attribute-based encryption. Security and Communication Networks 2015; 8(3): 501–509.
26. Li Q, Ma J, Li R, Xiong J, Liu X. Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption. Security and Communication Networks 2015; 8(18): 4098–4109.
27. Datta P, Dutta R, Mukhopadhyay S. Fully secure, online/offline predicate and attribute-based encryption. In Information Security Practice and Experience. Springer: Berlin-Heidelberg, 2015; 331–345.
28. Rouselakis Y, Waters B. Practical constructions and new proof methods for large universe attribute-based encryption. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ACM: New York, 2013; 463–474.
29. Green M, Hohenberger S, Waters B. Outsourcing the decryption of abe ciphertexts. Proceedings of the 20th USENIX Conference on Security, SEC’11, USENIX Association: Berkeley, CA, USA, 2011; 34–34.
30. Li J, Huang X, Li J, Chen X, Xiang Y. Securely outsourcing attribute-based encryption with checkability. IEEE Transactions on Parallel and Distributed Systems 2014; 25(8): 2201–2210.
31. Zhou Z, Huang D. Efficient and secure data storage operations for mobile cloud computing. Proceedings of the 8th International Conference on Network and Service Management, ACM: New York, 2012; 37–45.
32. Li J, Jia C, Li J, Chen X. Outsourcing encryption of attribute-based encryption with mapreduce. The 14-th International Conference on Information and Communications Security, Springer: Berlin Heidelberg, 2012; 191–201.
33. Li J, Chen X, Li J, Jia C, Ma J, Lou W. Fine-grained access control system based on outsourced attribute-based encryption. In Computer Security – ESORICS 2013, Lecture Notes in Computer Science, Vol. 8134, Crampton J, Jajodia S, Mayes K (eds). Springer: Berlin Heidelberg, 2013; 592–609.
34. Chen X, Li J, Ma J, Tang Q, Lou W. New algorithms for secure outsourcing of modular exponentiations. In Computer Security–ESORICS 2012. Springer: Berlin-Heidelberg, 2012; 541–556.
35. Chen X, Li J, Ma J, Tang Q, Lou W. New algorithms for secure outsourcing of modular exponentiations. IEEE Transactions on Parallel and Distributed Systems 2014; 25(9): 2386–2396.
36. Hohenberger S, Waters B. Online/offline attribute-based encryption. In Public-Key Cryptography–PKC 2014. Springer: Berlin-Heidelberg, 2014; 293–310.
37. Even S, Goldreich O, Micali S. On-line/off-line digital signatures. Journal of Cryptology 1996; 9(1): 35–67.
38. Shamir A, Tauman Y. Improved Online/offline signature schemes. In Advances in Cryptology-CRYPTO 2001. Springer: Berlin-Heidelberg, 2001; 355–367.
39. Zhang Y, Chen X, Li J, Li H. Generic construction for secure and efficient handoff authentication schemes in eap-based wireless networks. Computer Networks 2014; 75: 192–211.
40. Chen X, Zhang F, Susilo W, Mu Y. Efficient generic on-line/off-line signatures without key exposure. In Applied Cryptography and Network Security. Springer: Berlin-Heidelberg, 2007; 18–30.
41. Chen X, Zhang F, Tian H, Wei B, Susilo W, Mu Y, Lee H, Kim K. Efficient generic on-line/off-line (threshold) signatures without key exposure. Information Sciences 2008; 178(21): 4192–4203.
42. Guo F, Mu Y, Chen Z. Identity-based online/offline encryption. In Financial Cryptography and Data Security. Springer: Berlin-Heidelberg, 2008; 247–261.
43. Zhang Y, Chen X, Li H, Cao J. Identity-based construction for secure and efficient handoff authentication schemes in wireless networks. Security and Communication Networks 2012; 5(10): 1121–1130.
44. Liu JK, Zhou J. An identity-based online/offline encryption scheme. In Applied Cryptography and Network Security. Springer: Berlin-Heidelberg, 2009; 156–167.
45. Lai J, Mu Y, Guo F, Susilo W. Improved identity-based online/offline encryption. In Information Security and Privacy. Springer: Berlin-Heidelberg, 2015; 160–173.
46. Beimel A. Secure schemes for secret sharing and key distribution. PhD Thesis, Technion-Israel Institute of Technology Faculty of Computer Science, 1996.
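
Added example (not code from the paper or its authors): the performance evaluation uses worst-case policies of the form (A1 ∧ A2 ∧ ⋯ ∧ Ak) encoded as a linear secret sharing scheme. The Python code below builds one standard LSSS matrix for such a policy, shares a secret over Z_P, and shows that reconstruction needs every row, which is why all ciphertext components enter decryption. The modulus P, the function names and the particular matrix layout are assumptions made for illustration; no pairing operations are performed.

```python
import secrets

P = 2**127 - 1  # prime modulus; stand-in for the pairing group order (assumption)

def and_policy_matrix(k):
    """LSSS matrix for A1 AND ... AND Ak: its k rows sum to (1, 0, ..., 0)."""
    M = []
    for j in range(k):
        row = [0] * k
        row[j] = 1 if j == 0 else P - 1      # -1 mod P on the diagonal after row 0
        if j + 1 < k:
            row[j + 1] = 1
        M.append(row)
    return M

def make_shares(secret, M):
    """Shares lambda_j = M_j . y for y = (secret, y_2, ..., y_n), y_i random."""
    y = [secret % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, y)) % P for row in M]

def recon_coeffs(M, idx):
    """Solve sum_{j in idx} c_j * M[j] = (1, 0, ..., 0) mod P; None if unsolvable."""
    n, m = len(M[0]), len(idx)
    A = [[M[j][col] for j in idx] + [int(col == 0)] for col in range(n)]
    pivots, r = [], 0
    for c in range(m):                       # Gauss-Jordan elimination mod P
        p = next((i for i in range(r, n) if A[i][c]), None)
        if p is None:
            continue
        A[r], A[p] = A[p], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for i in range(n):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * z) % P for x, z in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in A[r:]):
        return None                          # e_1 not in the span: set is unauthorized
    coeffs = dict.fromkeys(idx, 0)
    for i, c in enumerate(pivots):
        coeffs[idx[c]] = A[i][-1]
    return coeffs

def recover(shares, coeffs):
    """Recombine shares: sum_j c_j * lambda_j mod P."""
    return sum(c * shares[j] for j, c in coeffs.items()) % P

def rows_needed(k):
    """Rows with a nonzero coefficient when all k attributes are held."""
    coeffs = recon_coeffs(and_policy_matrix(k), list(range(k)))
    return sum(1 for c in coeffs.values() if c)

if __name__ == "__main__":
    M = and_policy_matrix(5)
    shares = make_shares(123456789, M)       # constructed sample secret
    print(recover(shares, recon_coeffs(M, list(range(5)))) == 123456789)
    print([recon_coeffs(M, [j for j in range(5) if j != d]) for d in range(5)])
```

For a k-attribute conjunction the number of rows used in reconstruction equals k, so a decryption cost expressed in the number of rows used grows linearly with k in this worst case.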