RAAC: Robust and Auditable Access Control with...

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2647222, IEEETransactions on Information Forensics and Security

1

RAAC: Robust and Auditable Access Control with MultipleAttribute Authorities for Public Cloud Storage

Kaiping Xue, Senior Member, IEEE, Yingjie Xue, Jianan Hong, Wei Li, Hao Yue, Member, IEEE,David S.L. Wei, Senior Member, IEEE, and Peilin Hong

Abstract—Data access control is a challenging issue in publiccloud storage systems. Ciphertext-Policy Attribute-Based En-cryption (CP-ABE) has been adopted as a promising techniqueto provide flexible, fine-grained and secure data access controlfor cloud storage with honest-but-curious cloud servers. However,in the existing CP-ABE schemes, the single attribute authoritymust execute the time-consuming user legitimacy verification andsecret key distribution, and hence it results in a single-pointperformance bottleneck when a CP-ABE scheme is adopted ina large-scale cloud storage system. Users may be stuck in thewaiting queue for a long period to obtain their secret keys,thereby resulting in low-efficiency of the system. Although multi-authority access control schemes have been proposed, theseschemes still cannot overcome the drawbacks of single-pointbottleneck and low efficiency, due to the fact that each of theauthorities still independently manages a disjoint attribute set.

In this paper, we propose a novel heterogeneous framework toremove the problem of single-point performance bottleneck andprovide a more efficient access control scheme with an auditingmechanism. Our framework employs multiple attribute authori-ties to share the load of user legitimacy verification. Meanwhile,in our scheme, a CA (Central Authority) is introduced to generatesecret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in ourscheme manages the whole attribute set individually. To enhancesecurity, we also propose an auditing mechanism to detectwhich AA (Attribute Authority) has incorrectly or maliciouslyperformed the legitimacy verification procedure. Analysis showsthat our system not only guarantees the security requirements butalso makes great performance improvement on key generation.

Index Terms—Cloud storage, Access control, Auditing, CP-ABE.

I. INTRODUCTION

Cloud storage is a promising and important service paradig-m in cloud computing[1–4]. Benefits of using cloud storageinclude greater accessibility, higher reliability, rapid deploy-ment and stronger protection, to name just a few. Despitethe mentioned benefits, this paradigm also brings forth newchallenges on data access control, which is a critical issue toensure data security. Since cloud storage is operated by cloudservice providers, who are usually outside the trusted domainof data owners, the traditional access control methods in the

K. Xue, Y. Xue, J. Hong, W. Li, P. Hong are with Department of ElectronicEngineering and Information Science, University of Science and Technol-ogy of China, Hefei 230027, China. (Email: {kpxue@, xyj1108@mail.,hongjn@mail., lwz159@mail., plhong@}ustc.edu.cn).

H. Yue is with Department of Computer Science, San Francisco StateUniversity, San Francisco, CA 94132, USA (Email: [email protected]).

D. Wei is with the Computer and Information Science Department, FordhamUniversity, New York, NY. (Email: [email protected]).

K. Xue is also with State Key Laboratory of Information Security (Instituteof Information Engineering), Chinese Academy of Sciences, Beijing 100093,China.

Client/Server model are not suitable in cloud storage environ-ment. The data access control in cloud storage environmenthas thus become a challenging issue.

To address the issue of data access control in cloud storage,there have been quite a few schemes proposed, among whichCiphertext-Policy Attribute-Based Encryption (CP-ABE) is re-garded as one of the most promising techniques. A salientfeature of CP-ABE is that it grants data owners direct controlpower based on access policies, to provide flexible, fine-grained and secure access control for cloud storage systems.In CP-ABE schemes, the access control is achieved by usingcryptography, where an owner’s data is encrypted with an ac-cess structure over attributes, and a user’s secret key is labelledwith his/her own attributes. Only if the attributes associatedwith the user’s secret key satisfy the access structure, canthe user decrypt the corresponding ciphertext to obtain theplaintext. So far, the CP-ABE based access control schemesfor cloud storage have been developed into two complementarycategories, namely, single-authority scenario [5–9], and multi-authority scenario [10–12].

Although existing CP-ABE access control schemes have alot of attractive features, they are neither robust nor efficient inkey generation. Since there is only one authority in charge ofall attributes in single-authority schemes, offline/crash of thisauthority makes all secret key requests unavailable during thatperiod. The similar problem exists in multi-authority schemes,since each of multiple authorities manages a disjoint attributeset.

In single-authority schemes, the only authority must verifythe legitimacy of users’ attributes before generating secretkeys for them. As the access control system is associatedwith data security, and the only credential a user possessis his/her secret key associated with his/her attributes, theprocess of key issuing must be cautious. However, in thereal world, the attributes are diverse. For example, to verifywhether a user is able to drive may need an authority to givehim/her a test to prove that he/she can drive. Thus he/she canget an attribute key associated with driving ability [13]. Todeal with the verification of various attributes, the user maybe required to be present to confirm them. Furthermore, theprocess to verify/assign attributes to users is usually difficultso that it normally employs administrators to manually handlethe verification, as [14] has mentioned, that the authenticityof registered data must be achieved by out-of-band (mostlymanual) means. To make a careful decision, the unavoidableparticipation of human beings makes the verification time-consuming, which causes a single-point bottleneck. Especially,for a large system, there are always large numbers of users



2

requesting secret keys. The inefficiency of the authority’sservice results in single-point performance bottleneck, whichwill cause system congestion such that users often cannotobtain their secret keys quickly, and have to wait in the systemqueue. This will significantly reduce the satisfaction of usersexperience to enjoy real-time services. On the other hand, ifthere is only one authority that issues secret keys for someparticular attributes, and if the verification enforces users’presence, it will bring about the other type of long servicedelay for users, since the authority maybe too far away fromhis/her home/workplace. As a result, single-point performancebottleneck problem affects the efficiency of secret key genera-tion service and immensely degrades the utility of the existingschemes to conduct access control in large cloud storagesystems. Furthermore, in multi-authority schemes, the sameproblem also exists due to the fact that multiple authoritiesseparately maintain disjoint attribute subsets and issue secretkeys associated with users’ attributes within their own admin-istration domain. Each authority performs the verification andsecret key generation as a whole in the secret key distributionprocess, just like what the single authority does in single-authority schemes. Therefore, the single-point performancebottleneck still exists in such multi-authority schemes.

A straightforward idea to remove the single-point bottleneckis to allow multiple authorities to jointly manage the universalattribute set, in such a way that each of them is able todistribute secret keys to users independently. By adoptingmultiple authorities to share the load, the influence of thesingle-point bottleneck can be reduced to a certain extent.However, this solution will bring forth threats on securityissues. Since there are multiple functionally identical author-ities performing the same procedure, it is hard to find theresponsible authority if mistakes have been made or maliciousbehaviors have been implemented in the process of secret keygeneration and distribution. For example, an authority mayfalsely distribute secret keys beyond user’s legitimate attributeset. Such weak point on security makes this straightforwardidea hard to meet the security requirement of access controlfor public cloud storage. Our recent work, TMACS [15], is athreshold multi-authority CP-ABE access control scheme forpublic cloud storage, where multiple authorities jointly managea uniform attribute set. Actually it addresses the single-pointbottleneck of performance and security, but introduces someadditional overhead. Therefore, in this paper, we present afeasible solution which not only promotes efficiency androbustness, but also guarantees that the new solution is assecure as the original single-authority schemes.

The similar problem has been considered and partly tackledin other related areas, such as public key infrastructure (PKI)for e-commerce [16]. To reduce the certificate authority (CA)’sload, one or more registration authorities (RAs) are introducedto perform some of administration tasks on behalf of CA.Each RA is able to verify a user’s legitimacy and determinewhether the user is entitled to have a valid certificate. Afterthe verification, it validates the credentials and forwards thecertificate request to CA. Then, CA will generate a certificatefor the user. Since the most heavy work of verification isperformed by a selected RA, the load of CA can be largely

reduced. However, the security of the scheme with single-CA/multi-RAs partly depends on the trustiness of multipleRAs. In order to achieve traceability, CA should store someinformation to confirm which RA has been responsible forverifying the legitimacy of a specific user.

In this paper, inspired by the heterogeneous architecturewith single CA and multiple RAs, we propose a robust andauditable access control scheme (named RAAC) for publiccloud storage to promote the performance while keeping theflexibility and fine granularity features of the existing CP-ABEschemes. In our scheme, we seperate the procedure of user le-gitimacy verification from the secret key generation, and assignthese two sub-procedures to two different kinds of authorities.There are multiple authorities (named attribute authorities,AAs), each of which is in charge of the whole attribute setand can conduct user legitimacy verification independently.Meanwhile, there is only one global trusted authority (referredas Central Authority, CA) in charge of secret key generationand distribution. Before performing a secret key generationand distribution process, one of the AAs is selected to verifythe legitimacy of the user’s attributes and then it generatesan intermediate key to send to CA. CA generates the secretkey for the user on the basis of the received intermediatekey, with no need of any more verification. In this way,multiple AAs can work in parallel to share the load of the time-consuming legitimacy verification and standby for each otherso as to remove the single-point bottleneck on performance.Meanwhile, the selected AA doesn’t take the responsibilityof generating final secret keys to users. Instead, it generatesintermediate keys that associate with users’ attributes andimplicitly associate with its own identity, and sends them toCA. With the help of intermediate keys, CA is able to notonly generate secret keys for legitimacy verified users moreefficiently but also trace an AA’s mistake or malicious behaviorto enhance the security.

The main contributions of this work can be summarized asfollows.

1) To address the single-point performance bottleneck of keydistribution existed in the existing schemes, we propose arobust and efficient heterogeneous framework with singleCA(Central Authority) and multiple AAs (Attribute Au-thorities) for public cloud storage. The heavy load of userlegitimacy verification is shared by multiple AAs, each ofwhich manages the universal attribute set and is able toindependently complete the user legitimacy verification,while CA is only responsible for computational tasks.To the best of our knowledge, this is the first work thatproposes the heterogeneous access control framework toaddress the low efficiency and single-point performancebottleneck for cloud storage.

2) We reconstruct the CP-ABE scheme to fit our proposedframework and propose a robust and high-efficient accesscontrol scheme, meanwhile the scheme still preserves thefine granularity, flexibility and security features of CP-ABE.

3) Our scheme includes an auditing mechanism that helpsthe system trace an AA’s misbehavior on user’s legitimacyverification.



3

The rest of this paper is organized as follows. In Section II,we brief some related works about CP-ABE and some existingextension schemes for cloud storage access control. In SectionIII, technical preliminaries are presented. Following the def-inition of system model and security assumptions in SectionIV, we introduce our proposed heterogeneous framework withsingle-CA/multi-AAs and relative access control scheme forpublic cloud storage in Section V. In Section VI and SectionVII, we analyze our proposed scheme in terms of security andperformance, respectively. In Section VIII we briefly introducethe construction of a hybrid multi-authority system. Finally,the conclusion is given in Section IX.

II. RELATED WORK

Ciphertext-Policy Attribute-Based Encryption (CP-ABE)has so far been regarded as one of the most promisingtechniques for data access control in cloud storage systems.This technology offers users flexible, fine-grained and secureaccess control of outsourced data. It was first formulated byGoyal et al. in [17]. Then the first CP-ABE scheme wasproposed by Benthencourt et al. in [18], but this scheme wasproved secure only in the generic group model. Subsequently,some cryptographically stronger CP-ABE constructions [19–21] were proposed, but these schemes imposed some restric-tions that the original CP-ABE does not have. In [22], Watersproposed three efficient and practical CP-ABE schemes understronger cryptographic assumptions as expressive as [18]. Toimprove efficiency of this encryption technique, Emura et al.[23] proposed a CP-ABE scheme with a constant ciphertextlength. Unlike the above schemes which are only limited toexpress monotonic access structures, Obtrovsky et al. [24] pro-posed a more expressive CP-ABE scheme which can supportnon-monotonic access structures. Recently, Hohenberger andWaters [25] proposed an online/offline ABE technique for CP-ABE which enables the user to do as much pre-computation aspossible to save online computation. It’s a promising techniquefor resource-limited devices.

In general, there are two categories of CP-ABE schemesclassified by the number of participating authorities in keydistribution process. One category is the single-authorityscheme, the other is multi-authority scheme. In single-authority schemes [5–7, 26–29], only one authority is in-volved to manage the universal attribute set, generate anddistribute secret keys for all users. In [7, 26], the authorsrespectively proposed CP-ABE schemes with efficient attributerevocation capability for data outsourcing systems. Wu etal. [5] proposed a Multi-message Ciphertext-Policy Attribute-Based Encryption(MCP-ABE) which encrypts multiple mes-sages within one ciphertext so as to enforce flexible attribute-based access control on scalable media. The literatures [27–29]took the efficiency issue into consideration, but they mainlyconsidered the computation complexity inside the cryptog-raphy algorithms rather than interaction protocols betweendifferent entities in the real world, such as the procedure ofuser legitimacy verification. To sum up, in single-authorityschemes, the single-point performance bottleneck has not beenwidely addressed so far.

To meet some scenarios where users’ attributes come frommultiple authorities, some multi-authority schemes have beenproposed. Based on the basic ABE [30] scheme, Chase et al.[31] proposed the first multi-authority scheme which allowsmultiple independent authorities to monitor attributes and dis-tribute corresponding secret keys, but involves a central author-ity (CA). Subsequently, some multi-authority ABE schemeswithout CA have been proposed, such as [13, 32]. Sincethe first construction of CP-ABE [18], a great many multi-authority schemes have been conducted over CP-ABE. Mulleret al. [33] proposed the first multi-authority CP-ABE schemein which a user’s secret key was issued by an arbitrary numberof attribute authorities and a master authority. Then Lewkoet al. [10] proposed a decentralized CP-ABE scheme wherethe secret keys can be generated fully by multiple authoritieswithout a central authority. Ruj et al. [34] applied Lewko’swork [10] for access control in cloud storage systems, andalso proposed a revocation method. Lin et al. [35] proposeda decentralized access control scheme based on thresholdmechanism. In [11, 36], the authors proposed two efficientmulti-authority CP-ABE schemes for data access control incloud storage systems, where a central authority is only neededin system initialization phase. Based on the basic multi-authority architecture, some other literatures tried to addressthe user identity privacy issue [37, 38], policy update [39], andthe accountability to prevent key abusing [40, 41]. However, inabove multi-authority schemes, multiple authorities separatelymanage disjoint attribute sets. That is to say, for each attribute,only one authority could issue secret keys associated with it.Therefore, in large-scale systems, the single-point performancebottleneck still exists in multi-authority schemes due to theproperty that each of the multiple authorities maintains onlya disjoint subset of attributes.

Recently, we considered the single-point performance bot-tleneck of CP-ABE based schemes and devised a thresholdmulti-authority CP-ABE access control scheme in our anotherwork [15]. Different from other multi-authority schemes, in[15], multiple authorities jointly manage a uniform attributeset. Taking advantage of (t, n) threshold secret sharing, themaster secret key can be shared among multiple authorities,and a legal user can generate his/her secret key by interactingwith any t authorities. This scheme actually addressed thesingle-point bottleneck on both security and performance inCP-ABE based access control in public cloud storage. How-ever, it is not efficient, because a user has to interact withat least t authorities, and thus introduces higher interactionoverhead.

In this paper, we present an efficient heterogeneous frame-work with single CA/multiple AAs to address the problem ofsingle-point performance bottleneck. The novel idea of ourproposed scheme is that the complicated and time-consuminguser legitimacy verification is executed only once by oneselected AA. Furthermore, an auditing mechanism is proposedto ensure the traceability of malicious AAs. Thus our schemecan not only remove the single-point performance bottleneckbut also be able to provide a robust, high-efficient, and secureaccess control for public cloud storage.



4

III. PRELIMINARIES AND DEFINITIONS

In this section, we first give a brief review of backgroundinformation on bilinear maps and the security assumptionsdefined on it. Then we briefly introduce CP-ABE and LSSSwhich are the constituents in our scheme.

A. Bilinear MapsLet G, GT be two multiplicative cyclic groups with the

same prime order p, and g be a generator of G. A bilinearmap e : G × G → GT defined on G has the following threeproperties:

1) Bilinearity: ∀a, b ∈ Zp and g1, g2 ∈ G, we havee(ga1 , g

b2) = e(g1, g2)

ab.2) Non-degeneracy: ∀g1, g2 ∈ G such that e(g1, g2) = 1,

which means the map does not send all pairs in G × Gto the identity in GT .

3) Computability: There is an efficient algorithm to computee(g1, g2) for all g1, g2 ∈ G.

Definition 1. Decisional q-parallel Bilinear Diffie-HellmanExponent Assumption(decisional q-BDHE): The decisional q-BDHE problem is that, in a group G of prime order p, givea, s, b1, b2, . . . , bq ∈ Zp, if an adversary is given:

y = (g, gs, ga, . . . , g(aq), g(a

q+2), . . . , g(a2q)

∀1≤j≤q,gs·bj , ga/bj , . . . , g(a

q/bj), g(aq+2/bj), . . . , g(a

2q/bj)

∀1≤j,l≤q,l =j , ga·s·bl/bj , . . . , ga

q·s·bl/bj ),

it must remain hard to distinguish e(g, g)aq+1s ∈ GT from a

random element R in GT .

B. Ciphertext-Policy Attribute-Based Encryption (CP-ABE)Although the definitions and constructions of different CP-

ABE schemes are not always consistent, the uses of the accessstructure in Encrypt and Decrypt algorithms are nearly thesame. Here we adopt the definition and construction from [18,22].

A CP-ABE scheme consists of four algorithms: Setup,Encrypt, Key Generation (KeyGen), and Decrypt.Setup(λ,U ) → (PK,MSK). The setup algorithm takes thesecurity parameter λ and the attribute universe description Uas the input. It outputs the public parameters PK and a mastersecret key MSK.Encrypt(PK,M,A) → CT . The encryption algorithm takesthe public parameters PK, a message M , and an access struc-ture A as input. The algorithm will encrypt M and produce aciphertext CT such that only a user whose attributes satisfiesthe access structure will be able to decrypt the message. Wewill assume that the ciphertext implicitly contains A.KeyGen(MSK,S) → SK. The key generation algorithmtakes the master secret key MSK and a set of attributes S asinput. It outputs a secret key SK.Decrypt(PK,CT, SK) →M . The decryption algorithm takesthe public parameters PK, a ciphertext CT which contains anaccess policy A, and a secret key SK as input, where SK isa secret key for a set S of attributes. If the set S of attributessatisfies the access structure A, the algorithm will decrypt theciphertext and return a message M .

C. Access Structures and Linear Secret Sharing Schemes

Definition 2. Access Structure: Let {P1, P2, ..., Pn} be a setof parties. A collection A ⊆ 2{P1,P2,...,Pn} is monotonicif ∀B, C: if B ∈ A and B ⊆ C, then C ∈ A. Anaccess structure (respectively, monotonic access structure) is acollection (respectively, monotonic collection) A of non-emptysubsets of {P1, P2, ..., Pn}, i.e., A ⊆ 2{P1,P2,...,Pn}\{∅}. Thesets in A are called authorized ones, and the sets not in A arecalled unauthorized ones.

Observing the constructions in [17, 18, 22], an LSSS accessstructure can be used to denote the access policy A. Followingthe method defined in [42], any monotonic boolean formulacan be converted into an LSSS representation. The descriptionof LSSS is presented as follows.

Definition 3. Linear Secret Sharing Schemes (LSSS): A secret-sharing scheme Π over a set of parties P is called linear (overZp) if:

1) The shares for each party form a vector over Zp.2) There exists a matrix an M with l rows and n columns,

which is called the sharing-generating matrix for Π.For all i = 1, ..., l, the i-th row of M is labeled bya party ρ(i), where ρ is the function associating rowsof M to parties in P . When we consider the vectorv = (s, r2, ..., rn) ∈ Zn

p , where r2, ..., rn are randomlychosen and s is the secret to be shared, then λ = M×v⊤

is the vector of l shares of the secret s according to Π.The share λi belongs to the party ρ(i).

Every linear secret sharing-scheme based on the abovedefinition enjoys the linear reconstruction property, definedas follows: Suppose that Π is an LSSS structure for accessstructure A. Let S ∈ A be any authorized set, and letI ⊂ {1, 2, ..., l} be defined as I = {i : ρ(i) ∈ S}. Then,there exist constants {ωi ∈ Zp}i∈I such that, if {λi} are validshares of any secret s according to Π, then Σi∈Iωiλi = s.These constants {ωi} can be found in time polynomial inthe size of the share-generating matrix M. Note that, for anyunauthorized set S ∈ A, no such constants {ωi} exist.

IV. SYSTEM MODEL AND SECURITY ASSUMPTIONS

In this section, we give the definitions of the system model,the security assumptions and requirements of our public cloudstorage access control.

A. System Model

The system model of our design is shown in Fig. 1, whichinvolves five entities: a central authority (CA), multiple at-tribute authorities (AAs), many data owners (Owners), manydata consumers (Users), and a cloud service provider withmultiple cloud servers(here, we mention it as cloud server.).

• The central authority (CA) is the administrator of theentire system. It is responsible for the system constructionby setting up the system parameters and generating publickey for each attribute of the universal attribute set. In thesystem initialization phase, it assigns each user a uniqueUid and each attribute authority a unique Aid. For a



5

Owner

Cloud

ServerCT CT

AAs

CA

User

Inte

racti

ons

Fig. 1. System model

key request from a user, CA is responsible for generatingsecret keys for the user on the basis of the receivedintermediate key associated with the user’s legitimateattributes verified by an AA. As an administrator of theentire system, CA has the capacity to trace which AA hasincorrectly or maliciously verified a user and has grantedillegitimate attribute sets.

• The attribute authorities (AAs) are responsible forperforming user legitimacy verification and generatingintermediate keys for legitimacy verified users. Unlikemost of the existing multi-authority schemes where eachAA manages a disjoint attribute set respectively, ourproposed scheme involves multiple authorities to sharethe responsibility of user legitimacy verification and eachAA can perform this process for any user independently.When an AA is selected, it will verify the users’ legitimateattributes by manual labor or authentication protocols,and generate an intermediate key associated with theattributes that it has legitimacy-verified. Intermediate keyis a new concept to assist CA to generate keys.

• The data owner (Owner) defines the access policy aboutwho can get access to each file, and encrypts the fileunder the defined policy. First of all, each owner encryptshis/her data with a symmetric encryption algorithm. Then,the owner formulates access policy over an attributeset and encrypts the symmetric key under the policyaccording to public keys obtained from CA. After that, theowner sends the whole encrypted data and the encryptedsymmetric key (denoted as ciphertext CT ) to the cloudserver to be stored in the cloud.

• The data consumer (User) is assigned a global useridentity Uid by CA. The user possesses a set of attributesand is equipped with a secret key associated with his/herattribute set. The user can freely get any interestedencrypted data from the cloud server. However, the usercan decrypt the encrypted data if and only if his/herattribute set satisfies the access policy embedded in theencrypted data.

• The cloud server provides a public platform for ownersto store and share their encrypted data. The cloud server

doesn’t conduct data access control for owners. The en-crypted data stored in the cloud server can be downloadedfreely by any user.

B. Security Assumptions and Requirements

In our proposed scheme, the security assumptions of thefive roles are given as follows. The cloud server is alwaysonline and managed by the cloud provider. Usually, the cloudserver and its provider are assumed to be “honest-but-curious”,which means that they will correctly execute the tasks assignedto them for profits, but they would try to find out as muchsecret information as possible based on data owners’ inputsand uploaded files. CA is the administrator of the entiresystem, which is always online and can be assumed to befully trusted. It will not collude with any entity to acquiredata contents. AAs are responsible for conducting legitimacyverification of users and judging whether the users have theclaimed attributes. We assume that AA can be compromisedand cannot be fully trusted. Furthermore, since the user legiti-macy verification is conducted by manual labor, mis-operationcaused by carelessness may also happen. Thus, we need anauditing mechanism to trace an AA’s misbehavior. Although auser can freely get any encrypted data from the cloud server,he/she cannot decrypt it unless the user has attributes satisfyingthe access policy embedded inside the data. Therefore, someusers may be dishonest and curious, and may collude witheach other to gain unauthorized access or try to collude with(or even compromise) any AA to obtain the access permissionbeyond their privileges. Owners have access control over theiruploaded data, which are protected by specific access policiesthey defined.

To guarantee secure access control in public cloud storage,we claim that an access control scheme needs to meet thefollowing four basic security requirements:

• Data confidentiality. Data content must be kept confi-dential to unauthorized users as well as the curious cloudserver.

• Collusion-resistance. Malicious users colluding with eachother would not be able to combine their attributes todecrypt a ciphertext which each of them cannot decryptalone.

• AA accountability. An auditing mechanism must bedevised to ensure that an AA’s misbehavior can be de-tected to prevent AAs’ abusing their power without beingdetected.

• No ultra vires for any AA. An AA should not haveunauthorized power to directly generate secret keys forusers. This security requirement is newly introducedbased on our proposed hierarchical framework.

V. OUR PROPOSED ACCESS CONTROL SCHEME

This section first gives an overview of our proposed scheme,and then describes the scheme in detail. Our scheme consistsof five phases, namely System Initialization, Encryption, KeyGeneration, Decryption, and Auditing & Tracing.



6

A. Overview of our scheme

To achieve a robust and efficient access control for publiccloud storage, we propose a hierarchical framework with sin-gle CA and multiple AAs to remove the problem of single-pointperformance bottleneck and enhance the system efficiency. Inour proposed RAAC scheme, the procedure of key generationis divided into two sub-procedures: 1) the procedure of user le-gitimacy verification; 2) the procedure of secret key generationand distribution. The user legitimacy verification is assignedto multiple AAs, each of which takes responsibility for theuniversal attribute set and is able to verify all of the user’sattributes independently. After the successful verification, thisAA will generate an intermediate key and send it to CA. Theprocedure of secret key generation and distribution is executedby the CA that generates the secret key associated with user’sattribute set without any more verification. The secret key isgenerated using the intermediate key securely transmitted froman AA and the master secret key.

In our one-CA/multiple-AAs construction, CA participatesin the key generation and distribution for security reasons:To enhance auditability of corrupted AAs, one AA cannotobtain the system’s master secret key in case it can optionallygenerate secret keys without any supervision. Meanwhile, theintroduction of CA for key generation and distribution isacceptable, since for a large-scale system, the most time-consuming workload of legitimacy verification is offloadedand shared among the multiple AAs, and the computationworkload for key generation is very light. The procedure ofkey generation and distribution would be more efficient thanother existing schemes.

To trace an AA’s misbehavior in the procedure of user legit-imacy verification, we first find the suspected data consumerbased on abnormal behavior detection, which is similar to themechanisms used in [40, 41]. For a suspected user, our schemecan trace the responsible AA who has falsely verified this user’sattributes and illegitimately assigned secret keys to him/her.

B. Details of Our Proposed RAAC scheme

1) System Initialization: Firstly, CA chooses two multi-plicative cyclic groups G(the parameter g is a generator ofG) and GT with the same prime order p, and defines a binarymap e : G × G → GT on G. CA randomly chooses α, β, aand b ∈ Zp as the master secret key. CA also randomly gen-erates public keys for each attribute Atti, (i = 1, 2, . . . , U):h1, h2, . . . , hU ∈ G. Besides, let H : (0, 1)∗ → Zp be a hashfunction. The published public key is:

PK = GT ,G,H, g, ga, e(g, g)α, h1, ..., hU

and the master secret key is:

MSK = α, β, a, b

which implicitly exists in the system, and doesn’t need to beobtained by any other entity.

Another task for CA in this operation is handling AAs’and users’ registration. Here, CA generates a pair of keys(skCA, vkCA) to sign and verify, in which, vkCA is publiclyknown by each entity in the system. Each AA sends a

registration request to CA during the System Initialization.For each legal AA, CA assigns a unique identity Aid ∈ Zp,randomly chooses a private key kAid ∈ Zp, and computes itscorresponding public key PKAid = gkAid . Furthermore, CAgenerates a certificate CertAid which includes the public keyPKAid, and sends it with the corresponding private key kAid

to the AA with the identity Aid. Meanwhile, each user getshis/her Uid, private key kUid and CertUid from CA.

2) Encryption: The procedure of Encryption is performedby the data owner himself/herself. To improve the system’sperformance, the owner first chooses a random number κ ∈GT as the symmetric key and encrypts the plaintext messageM using κ with the symmetric encryption algorithm. Theencrypted data can be denoted as Eκ(M). Then the ownerencrypts the symmetric key κ using CP-ABE under the accesspolicy A defined by himself/herself. The owner defines aneasy expressed monotonic boolean formula. Following themethod defined in [42], the owner can turn it to an LSSSaccess structure, which can be denoted as (M, ρ). Here,M is an l × n matrix, where l is the scale of a specificattribute set associated with a specific access policy and nis a variable that is dependent on the monotonic booleanformula definition and the LSSS turning method. The functionρ maps each row of M to a specific attribute, marked asρ(i) ∈ {Att1, Att2, . . . , AttU}. A random secret parameters is chosen to encrypt the symmetric key κ. To hide theparameter s, a random vector v = (s, y2, y3, . . . , yn) ∈ Zn

p isselected, where y2, y3, . . . , yn are randomly chosen and usedto share the parameter s. Each λi = Miv

⊤ is computed fori = 1, 2, . . . , l, where Mi denotes the i-th row of the matrixM. Owner randomly selects r1, r2, . . . , rl ∈ Zp and uses thepublic key generated by CA to compute:

(C = κe(g, g)αs, C ′ = gs,

∀i = 1 to l, Ci = (ga)λi · hρ(i)−ri , Di = gri).

The ciphertext CT can be denoted as the format shown inFig. 2. Finally, the owner sends CT to the cloud server.

� �E MN ^ `'

1, , ,i i i to l

C C C D

Description

Fig. 2. Format of owners’ data in the cloud server

3) Key Generation and Distribution: This procedure istotally different from those existing CP-ABE schemes. Itinvolves the given user, a selected AA and CA. We divide theprocedure into the following 4 steps.

◦ STEP 1: Uj→ AAi. When a user Uj with the identity Uidjmakes a secret key request, the user selects an AA(AAi withthe identity Aidi) by a certain scheduling algorithm andsends the CertUid to show the validity of his/her identity,along with some proofs to show that he/she has the attributeset that he/she claims to have.

◦ STEP 2: AAi → CA. The user legitimacy verificationprocess may involve manual labor or verification proto-cols performed by AAi. After successful verification, AAi

obtains the current timestamp value TS, computes t1 =



7

H(Uidj ||TS||0) and t2 = H(Uidj ||TS||1), and generatesan intermediate key ICAidi,Uidj as follows:

ICAidi,Uidj = {Kx = hkAidi

t1x , Jx = ht2

x }∀x∈Sj

where Sj is the verified legitimate attribute set for the userwith the identity Uidj . Finally this AA securely sends thefollowing message to CA:

{Uidj , Aidi, Sj , ICAidi,Uidj , TS}

◦ STEP 3&STEP 4: CA → AAi → Uj . After receivingthe message from the AA, CA first uses Aidi to obtain thecorresponding stored public key PKAidi . Then CA checkswhether the transmission delay is within the allowed timeinterval △ T . We assume that the current time is T ′. IfT ′ − TS >△ T , CA stops here and sends REJ to the AA.Otherwise, CA continues to compute t1 = H(Uidj ||TS||0),t2 = H(Uidj ||TS||1), and makes sure t1 and t2 haven’t yetbeen re-used from the same user. This can prevent AA’scollusion attack (We will discuss the collusion attack inSection VI.). CA continues to use its master secret keyMSK to generate a secret key SKj for the user as follows:

K = gα(PKAidi)aβt1gaαt2 = gα(gkAidi )aβt1gaαt2 ,

L = (PKAidi)βt1gαt2 = (gkAidi )βt1gαt2 ,

∀x ∈ Sj ,K′x = Kβ

x · gb(t1+t2) = hkAidi

βt1x · gb(t1+t2),

K ′′x = Jα

x · g−b(t1+t2) = hαt2x · g−b(t1+t2).

To simplify the formulas, a parameter d is introduced:

d = kAidiβt1 + αt2 (1)

Therefore, the formulas of the user’s secret key SKj canbe simply denoted as:

K = gα · gad, L = gd,

∀x ∈ Sj : K′x = Kβ

x · gb(t1+t2) = hkAidi

βt1x · gb(t1+t2),

K ′′x = Jα

x · g−b(t1+t2) = hαt2x · g−b(t1+t2).

With the relay of AAi, CA securely sends SKj and TS tothe user.4) Decryption: The procedure of Decryption is performed

by the user. A user can freely query and download any inter-ested encrypted data from the public cloud storage. However,he/she cannot decrypt data unless his/her attribute set satisfiesthe access structure embedded in the ciphertext. For the userU , let MU be a sub-matrix of M, where each row of MU

corresponds to a specific attribute in U ’s attribute set SU . LetI ⊂ {1, 2, . . . , l} denote {i : ρ(i) ∈ SU}, and Mi denote thei-th row of M.

If the user U ’s attribute set SU satisfies the access structure(M, ρ), the vector e = (1, 0, . . . , 0) is in the span of matrixMU , which means an appropriate parameter {ωi ∈ Zp}i∈I

can be found to satisfy e = (ω1, ω2, . . . , ω|I|)MU .The parameter {ωi}i∈I can further help the user to find the

hidden secret parameter s:

s = (1, 0, . . . , 0) · (s, y2, . . . , yn)⊤

= e · v⊤ = (ω1, ω2, . . . , ω|I|)MU · v⊤

= (ω1, ω2, . . . , ω|I|) · λI

⊤=∑i∈I

ωi · λi. (2)

where, λI denotes the sub-vector of (λ1, λ2, . . . , λl).For any x ∈ SU , the user computes

KKx = K ′x ·K ′′

x

=(hkAidi

βt1x · gb(t1+t2)

)·(hαt2x · g−b(t1+t2)

)= hd

x, (3)

and stores it. Using the parameter {ωi}i∈I , the user furthercomputes:

CU =e(C ′,K)∏

i∈I

(e(Ci, L) · e(Di,KKρ(i)))ωi

=e(gs, gα · gad)∏

i∈I

(e((ga)λi · hρ(i)−ri , gd) · e(gri , hρ(i)

d))ωi

=e(g, g)α·s · e(g, g)a·s·d∏

i∈I

e(g, g)d·a·λi·ωi

=e(g, g)α·s · e(g, g)a·s·d

e(g, g)d·a·

∑i∈I

(λi·ωi)= e(g, g)αs. (4)

The user can further compute the symmetric key κ asfollows:

κ = C/CU = C/e(g, g)αs. (5)

With the computed symmetric key κ, the user can furtherdecrypt the ciphertext CT to obtain the final plaintext data M .

5) Auditing & Tracing: Each AA may generate an interme-diate key for any attribute set associated with a specific user,and then CA can generate the secret key for this user withoutany more verification. However, AAs can be compromisedand cannot be fully trusted. Meanwhile, the user legitimacyverification is conducted by manual labor, and therefore AAsmay maliciously or incorrectly generate an intermediate keyfor an unverified attribute set. A malicious user will try anypossible means to gain the secret key associated with thespecific attribute set to obtain the data access permission.Under this assumption, the user would often show abnormalbehaviors. Usually, we need to hold the accountability ofAAs to prevent the compromised or misbehaved ones fromfreely generating secret keys for malicious users. Like useraccountability addressed in [40, 41, 43], we assume thatwe have appropriate techniques to detect users’ abnormalbehaviors.

The procedure of Auditing & Tracing is periodically per-formed or event-triggered by CA to mandatorily ask a sus-pected user to securely submit K ′

x of a given attribute, L andTS in his/her gained secret key. In order to continue to obtaindata, users have to cooperate to perform the process correctly.However, in order to deceive CA, a suspected user still hasthe motivation to submit a secret key component that doesn’tbelong to him/her. Thus, to implement an effective tracing, CAmust confirm the received secret key components really belongto the given user. Based on the reasons mentioned above, thetracing method should be executed as the following two sub-procedures.◦ Secret key ownership confirming. This procedure is execut-

ed to confirm that the received secret key component really



8

belongs to the user who has submitted it. We assume thatthe user is Uj with the identity Uidj . CA randomly selects asuspected attribute x in Sj , and asks Uj to securely submithis/her secret key components K ′

x, L and TS. Then CAcomputes t1 = H(Uidj ||TS||0), t2 = H(Uidj ||TS||1) andK△

x = hαt2x ·g−b(t1+t2), and confirms whether the following

equation holds:

e(hx, L) = e(g,K ′xK

△x ).

If it holds, CA will further continue to execute the nextsub-procedure. Otherwise, it indicates that the suspecteduser doesn’t correctly submitted his/her own secret keycomponents and the user will receive a severe punishment,such as kicking the user out of the system.

◦ AA Tracing. This procedure is executed to trace andconfirm which AA has generated the suspected user’s secretkey. CA takes its master secret key MSK to recover thepublic key associated with a specific AA as follows:

PK = (L · g−αt2)1/βt1 = gkAidi

βt1/βt1 = gkAidi . (6)

CA uses PK as an index to search its storage for the respon-sible AA. If some AA with the identity Aidi owns a publickey that is equal to PK, it means that AA has maliciouslyor incorrectly verified the legitimacy of this user. The foundAA should implement security enhancement or be kickedout of the system as a severe punishment.

VI. SECURITY ANALYSIS

A. Data confidentiality

To prove the data confidentiality of RAAC, we use thefollowing theorem:

Theorem 1. When the decisional q-parallel BDHE assump-tion holds, no adversary can use a polynomial-time algorithmto selectively break RAAC with a challenge matrix of sizel∗ × n∗, where l∗, n∗ ≤ q.

Proof. When kAidiβt1 + αt2 is simplified as d, and K ′x and

K ′′x are combined by a multiplication operation, the user’s

secret key can be simplified as:

K = gα · gad, L = gd, ∀x ∈ Sj ,KKx = K ′x ·K ′′

x = hdx,

where d can be seen as a random number based on different t1and t2. Then the proof of Theorem 1 is similar to that in [22].Interested readers are referred to read [22] for more detailsabout the proof.

If the cloud server is curious about the plaintext, it would nothave any advantages compared with outside malicious users,as the cloud server doesn’t participate in any user’s secret keygeneration. All it does is storing the ciphertext, and it thusfind no way to obtain the plaintext.

B. User collusion resistance

Like the technique proposed in [22] which could preventuser collusion attack, each user in our system is assigned aglobal unique identity Uid, and each time when performingthe procedure of key generation and distribution, all the secret

key components are associated with a unique value d, whicha user is not able to compute. Thus, it is impossible for twoor more users to collude and decrypt the ciphertext.

Moreover, it’s important to note that, in order to introducethe auditing and tracing mechanism, we divide the originalKKx into two parts, namely K ′

x and K ′′x . If there is no

gb(t1+t2) in K ′x and no g−b(t1+t2) in K ′′

x , the malicious usercan easily gain h

kAidiβ

x and hαx . Then, this internal attacker can

gather the two secret key components about the other attributesdifferent from his/her own set. If the attacker obtains K andL from the same AA with gathered information, he/she canfurther use his/her own t1 and t2 to compute K ′

x = (hkAidi

βx )t1

and K ′′x = (hα

x)t2 . In this way, colluded with other users, the

malicious user can easily obtain additional access privilege thathe/she is not supposed to have. However, because b and gb arekept secure, and there is gb(t1+t2) in K ′

x and g−b(t1+t2) in K ′′x ,

malicious users find no way to realize the above mentionedmalicious action.

C. No ultra vires for AAAs AAs cannot be fully trusted, it’s possible that two or

more AAs collude with each other to gain more informationin the system. If two AAs collude to respectively generateintermediate keys for the same user at the same time, they canhave the same t1 and t2. We assume that these two colludedAAs are AAi1 with Aidi1 and AAi2 with Aidi2, and the useris Uj with the identity Uidj . In STEP 3 of the procedure ofkey generation and distribution, if AAi1 is chosen, the secretkey can be computed as follows:

K1 = gα · ga(kAidi1βt1+αt2), (7a)

L1 = gkAidi1βt1+αt2 , (7b)

∀x ∈ Sj ,KKx1 = hkAidi1

βt1+αt2x , (7c)

and if AAi2 is chosen, the secret key can be computed asfollows:

K2 = gα · ga(kAidi2βt1+αt2), (8a)

L2 = gkAidi2βt1+αt2 , (8b)

∀x ∈ Sj ,KKx2 = hkAidi2

βt1+αt2x , (8c)

If CA has no verification to check whether TS is in anallowed time interval, meanwhile, t1 and t2 are different andhaven’t yet been reused in the same time, these two secretkeys can both be issued. Combining these two secret keysusing the division operation, AAi1 and AAi2 can collude toobtain as follows:

K1/K2 = ga(kAidi1−kAidi2

)βt1 , (9a)

L1/L2 = g(kAidi1−kAidi2

)βt1 , (9b)

∀x ∈ Sj ,KKx1/KKx2 = h(kAidi1

−kAidi2)βt1

x , (9c)

Furthermore, based on Equation 9b and Equation 7b, thecolluded AAs can compute gα as follows:(

L1/ (L1/L2)kAidi1

kAidi1−kAidi2

) 1t2

.



9

Based on the above method, colluded AAs can obtain gα. Also,based on similar methods, colluded AAs can obtain gaβ , gaα,hαx and hβ

x(∀x ∈ S). Now the malicious AA can masqueradeas another AA with a random private key k, and issues anykey for a user with any attribute set. Thus, the two colludedAAs can illegally obtain CA’s privilege. However, based onthe analysis above, if CA maintains the state of used t1 andt2 for the same user in a given time interval, the secret keysfrom different AAs will have different t1 and t2, and the aboveattack method can be thwarted.

D. Assurance of AAs’ auditablity

In the heterogeneous single-CA/multi-AAs framework, wemust ensure that each AA can be audited so that when auser’s abnormal behavior happens, we can trace which AAhas verified this user’s legitimacy and issued intermediate keyfor him/her. In our scheme, we enforce this assurance by theconstruction of the intermediate key. For user Uj , when he/sheis legitimacy verified by an AA(e.g., AAi with the identityAidi), the intermediate key {Kx = h

kAidit1

x , Jx = ht2x }∀x∈Sj

contains both attributes that AAi has verified and AAi’s identityimplicitly. Here, kAidi is a private key securely owned by AAi,and other AAs can only generate this intermediate key withhis/her own private key.

To generate a secret key, using Aidi as an index to getthe public key PKAidi , CA generates K and L to match theK ′

x, x ∈ Sj , where K ′x = Kβ

x · gb(t1+t2), x ∈ Sj . Thus,the issued secret key implicitly contains AAi’s private keykAidi , which can be regarded as a signature when CA conductsauditing.

If AAi tries to get rid of the responsibility by sendingAidj , i = j to CA, the CA will generate K and L ofSK according to the elements associated with PKAidj . Thegenerated K and L are related to kAidj , but K ′

x, which isgenerated on the intermediate key, is related to kAidi . Thesecret key made by their combination cannot be used todecrypt any ciphertexts, unless AAi knows kAidj and generatesan intermediate key with kAidj . Unless AAj is compromised,the private key kAidj would not be leaked to AAi. Therefore,no AA can evade its responsibility by faking to be someoneelse.

VII. PERFORMANCE ANALYSIS

As we have mentioned, in reality, the tedious procedure ofuser legitimacy verification is much more complicated thansecret key generation. In our scheme, the load of legitimacyverification is shared among multiple AAs, while a muchlighter computational task is assigned to the single CA. Thus,the efficiency of key distribution is improved. More Specifical-ly, multiple AAs are standby for the legitimacy verification inthe system. When there is a key request, an idle AA is selectedby a scheduling algorithm to perform the verification and otherAAs are standby to serve the subsequent user requests.

We give the theoretical performance analysis as the follow-ing steps. Firstly, we model our system in queueing theory,and then we analyze the state probabilities to obtain thetwo important factors, the mean failure probability and the

average waiting time for users. Finally, to show the signifi-cant performance improvement of our proposed RAAC, wecompares it with single-AA system. It’s important to note that,the comparison between RAAC and multi-authority systems[11, 31] is similar, since each authority independently managesa disjoint attribute subset. When a user requests secret keyswith regard to one certain attribute subset, he/she has to go tothe only and exclusive authority that issues secret keys withthat attribute subset. The queue condition is just the same asthe one in single- authority schemes.

A. Modeling in Queuing Theory

For simplicity, we assume there is a central coordinatorwhich assigns users’ key requests to AAs. The coordinatormaintains each AA’s state with the boolean value of 0/1, wherestate 0 indicates that the AA is available to conduct verification,and state 1 indicates the AA is occupied and is not availableright now. Each time the coordinator assigns a key request toan AA with the state 0. If all AAs are busy, the new userswho are requesting the secret keys will wait in a queue to beserved. The coordinator can adopt First Come First Service(FCFS) algorithm to serve the arriving users.

It’s important to note that some other strategies can also beadopted in our architecture, such as a user arriving at a nearestAA according to his/her knowledge and decision. Thus, eachAA may separately maintain a queue of its own. However,this model may not achieve load balance as some AAs maybe unoccupied while other AAs are always busy in servingusers’ requests. Therefore, we introduce a central coordinatorand adopt a single arrival queue as our strategy. The queueingmodel of our system is shown in Fig. 3, and can be treated asa Markov process.

The central coordinator is deployed at the entrance of thesystem to monitor each AA’s state (occupied/unoccupied) andassign each arriving users to an unoccupied AA. Furthermore,we model our system as follows. On AAs’ side, the queueingmodel can be described as M/M/C/N/∞, where C is thenumber of AAs, N is the capacity of our system and N =C + K (K is the queue length that indicates the maximumnumber of the queued users.). Here, the first M describes thatarrivals of key requests follow a Poisson process in the system,and the second M means the verification service times areexponentially distributed. ∞ means the source of key requestsis infinite.

When there are N users in the system, other new arrivalsof users’ requests will be rejected. This property can ensurethat a user will not wait in the queue for an irrationally longtime. On CA’s side, the queueing model can be described asM/M/1.

The following assumptions are made to describe our system.1) Assumption 1. The instant user request arrival event con-

stitutes a stationary Poisson process with the parameterλ.

2) Assumption 2. For each AA, the service time of differentindividual users are independent and identically distribut-ed exponential random variables, in which the mean valueis 1/µ1.



10

3) Assumption 3. For CA, the service time of individualusers are independent and identically distributed exponen-tial random variables, in which the mean value is 1/µ2.

l

1m

1m

1m

1m

2m

Fig. 3. The queue model with single-CA/multi-AAs

B. State Probabilities

AAs’ side is the most influential part of our system’sperformance, so we mainly analyze its state probabilities.

The state transition of the queueing model with multipleAAs is shown in Fig. 4. Arrivals occur at rate λ according toa Poisson process and move the process from state i to i+1.For each AA, the service time of different individual users areindependent, and follow negative exponential distribution withparameter µ1. Therefore we can get:

λn =

{λ, n ∈ [0, N − 1]

0, n ≥ N(10)

and

µ1n =

{nµ1, n ∈ [0, C)

Cµ1, n ∈ [C,N − 1](11)

0 1 2 · · · · C − 1 C C + 1 · · · · N − 1 N

λ

µ1

λ

2µ1

λ

3µ1

λ

(C − 1)µ1

λ

Cµ1

λ

Cµ1

λ

Cµ1

λ

Cµ1

λ

Cµ1

Fig. 4. M/M/C/N/∞ state transition diagram

Since our queueing system is Markovian, the state probabil-ities can be described by a set of Chapman-Kolmogorov differ-ence equations in the steady state using standard techniques.Let ρ = λ/(µ1) and ρC = ρ/C, we obtain the steady-stateprobability distribution as follows:

pn =

ρn

n!p0, n ∈ [0, C)

ρn

C!Cn−Cp0, n ∈ [C,N ]

(12)

where

p0 =

(C−1∑n=0

ρn

n!+

CC

C!

N−1∑n=C

ρnC

)−1

(13)

Then we can get the mean queue length at multi-AAs’ sideas:

Lq =N+C−1∑j=C

(j − C)pj

=N+C−1∑j=C

j · pj −N+C−1∑j=C

C · pj

=N+C−1∑

j=0

j · pj −C−1∑j=0

j · pj −N+C−1∑j=C

C · pj

= L−C−1∑j=0

j · pj − C · (1−C−1∑j=0

pj)

= L− C −C−1∑j=0

(j − C) · pj

= L− C − p0 ·C−1∑j=0

(j − C) · ρn

j!(14)

Meanwhile, because the system can only accommodate Nusers at anytime, we can compute the effective arrival rate asfollows:

λeff = λ(1− pN ) (15)

By Little’s law, we can compute the average sojourn timeand the average waiting time for users at multi-AAs’ side asfollows:

W = L/λe,Wq = Lq/λe = W − 1/µ1 (16)

To sum up with the average waiting time at the single-CA’sside, the average waiting time W ′

q of users is:

W ′q = Wq +

λeff

µ2

µ2 · (1− λeff

µ2)

(17)

C. Numerical Evaluation

As we described above, when the queue model with multi-AAs is filled with N users, which means that K users arewaiting in the queue and all C AAs are occupied, the newlyarriving users are rejected. This means those new users wouldfail to get the secret keys. We analyze the probability offailure to show how to lower this failure rate with more AAs.Meanwhile, we analyze the average waiting time W ′

q of usersin our system.

Based on the emulation of the scheme in [18], the averagetime of generating a secret key for an attribute is about35ms (on 64-bit AMD 3.7 GHz workstation). Furthermore,we assume that users possess 10 attributes on average andthe verification takes tenfold amount of time of that of thekey generation. The parameters are set as: µ1 = 20/min,µ2 = 200/min, and K = 30. The performance analysis interms of the average failure rate and the average waiting timeis shown in Fig. 5 and Fig. 6, respectively.

Fig. 5 shows the failure rate versus the arrival rate andthe number of AAs. From Fig. 5, we can see that when theaverage failure rate of single-authority scheme is less than 5%,



11

it can only support an arrival rate of less than 20/min. Withincreasing the number of AAs, the system can greatly increaseits service capacity with the support of a greater arrival rateat the same failure rate. If we employ 7 AAs, the system cansupport the arrival rate of up to 150/min, with the failure rateof less than 5%. It is easy to infer that we can build our systembased on the observation of key request rate, and then use anappropriate number of AAs to provide high equality service.

0 20 40 60 80 100 120 140 160 180 2000.0

0.2

0.4

0.6

0.8

1.0

Rate of Key Request (#/min)

Pro

babi

lity

of R

eque

st F

ailu

re

Number of AA 1 authority 2 authorities 3 authorities 5 authorities 7 authorities

Fig. 5. The failure rate in RAAC with µ1 = 20/min, µ2 = 200/min andK = 30

Fig. 6 shows the average waiting time versus the arrivalrate and the number of AAs when µ1 = 20/min, µ2 =200/min,K = 30. From the figure, we can see that theaverage waiting time increases rapidly with the increase ofarrival rate when the arrival rates are low. But later the averagewaiting time will become steady because newly arrival userswill be rejected by the system due to the limit length ofwaiting queue. More specifically, with single AA, the averagewaiting time increases rapidly and reaches 1.5 min, which isunbearable.

Whereas, with 7 AAs, the average waiting time is about15s. Moreover, from Fig. 5, with the arrival rate less than150, the failure rate is less than 5%. Although using moreworking AAs brings larger configuration cost, by combiningthe failure rate and the average waiting time, we can assurethat the configuration of multiple AAs can provide secret keygeneration service with high quality as well as low cost.

D. Storage, Communication and Computation OverheadAnalysis

In this section, we conduct performance analysis in termsof storage, communication and computation overhead in eachprocess, among our proposed RAAC, Waters’ scheme [22],DAC-MACS [11] and TMACS [15]. Waters’ scheme involvesonly one AA in charge of key generation and distribution. InDAC-MACS, each of the multiple AAs manages a disjointattribute set, and in TMACS, all AAs manage the universalattribute set as our RAAC.

For clarity of description, we have the following definitions:Let |p| be the size of element in the groups with prime orderp, and U be the number of attributes. Nu denotes the number

0 20 40 60 80 100 120 140 160 180 2000.0

0.2

0.4

0.6

0.8

1.0

1.2

1.4 Number of AA 1 authority 2 authorities 3 authorities 5 authorities 7 authorities

Rate of Key Request (#/min)

Exp

ecta

tion

of W

aitin

g Ti

me

(min

)

Fig. 6. The average waiting time in RAAC with µ1 = 20/min, µ2 =200/min and K = 30

of users in the system. NUid denotes the average number ofattributes owned by users, and Nc denotes the average numberof attributes inside ciphertexts. Let NA be the number of AAs.|Cu| denotes the average size of a user’s certificate, and |Ca|denotes the average size of an AA’s certificate. In addition, forDAC-MACS, UAidi (

∑NA

i=1 UAidi = U) denotes the numberof attributes the AA (with the Aidi) manages, and NUid,Aidi

(NUid,Aidi ≤ NUid) means the average number of attributesthe user has in AA with the Aidi. kmax denotes that the usermay have attribute sets from at most kmax (kmax ≤ NA) AAson average. NA,c denotes the average number of AAs relatedto ciphertexts.

1) Storage Overhead: The storage overhead analysis oneach entity is shown in TABLE I. Compared with otherschemes, in RAAC, CA has an extra overhead of 2NA|p|,which is caused by the storage of public keys PKAid andAid of each AA. That extra storage is used for key generationand auditing. Since NA will not be very large, the additionalcost is affordable. From the perspective of AA, TMACS andRAAC both store one more certificate than Waters’ scheme,since TMACS and RAAC explicitly take the distribution ofAA’s certificate into account when AA registers at CA. Tobe noted, for a fair comparison, we do not count in thestorage of attribute version keys in DAC-MACS. In RAAC,each user’s storage overhead is larger, mainly because theuser needs to store a copy of K ′

x for potential auditing. Theadditional storage will not consume too much, thus we thinkit is acceptable for users.

TABLE ISTORAGE OVERHEAD

Entity CA AA Owner User[22] Not exist 2|p| (U + 4)|p| (NUid + 2)|p| + |Cu|

[11] 2|p| 3|p| (U + 3NA + 5)|p| (NUid + 3kmax + 1)|p|+|Cu|

[15] 2|p| |p| + |Ca| (U + 7)|p| (NUid + 2)|p| + |Cu|

Ours (2NA + 5)|p| |p| + |Ca| (U + 6)|p| (2NUid + 2)|p|+|Cu| + |TS|

2) Communication Overhead: Table II shows comparisonresult about communication overhead on CA, each AA, owner,



12

TABLE IICOMMUNICATION OVERHEAD

Process System Initialization Key Generation &Distribution Encryption/Decryption Auditing&TracingEntity CA AA User CA AA User Owner/User CA/ User

[22] Not exist Nu|Cu| |Cu| Not exist(NUid + 2)|p|

+|Cu|(NUid + 2)|p|

+|Cu|(2Nc + 2)|p| N/A

[11](3Nu +NA)|p|

+Nu|Cu||p| 3|p| + |Cu| N/A

(NUid,Aidi + 3)|p|+|Cu|

(NUid + 3kmax)|p|+kmax|Cu|

(3Nc +NA,c + 2)|p| N/A

[15](Nu +NA)|p|

+Nu|Cu| +NA|Ca|(2NA − 1)|p|

+|Ca||p| + |Cu| N/A

(NUid + 2)|p|+|Cu|

(NUid + 2)t|p|+t|Cu|

(2Nc + 2)|p| N/A

Ours(Nu +NA)|p|

+Nu|Cu| +NA|Ca||p| + |Ca| |p| + |Cu| (4NUid + 5)|p| + |TS| (7NUid + 6)|p|

+2|TS| + |Cu|(2NUid + 2)|p|+|TS| + |Cu|

(2Nc + 2)|p| 2|p| + |TS|

and user of RAAC, Waters’ scheme, DAC-MACS and T-MACS. During System Initialization phase, all multi-authorityschemes introduce more communication overhead in CA, butit is a necessary sacrifice for AA’s registration. Besides theregistration overhead, RAAC does not introduce much extracost, compared with other multi-authority schemes. In KeyGeneration&Distribution phase of RAAC, the communicationoverhead on CA and AA is obviously larger than others dueto the fact that CA must participate in the key generationand AA must communicate with CA. The extra overhead isintroduced to guarantee the auditability of AAs, which is worth.Furthermore, from the view of users, RAAC gets a betterperformance than TMACS in Key Generation&Distributionphase because the latter one enforces users to communicatewith t authorities. Our RAAC also shows an advantage overDAC-MACS in Encryption and Decryption phase, because theciphertext length of RAAC is smaller.

3) Computation Overhead: The computation overhead isanalyzed as shown in Table III. As we have mentioned inSection VII-D2, in System Initialization phase, multi-authoritysettings inevitably introduce some overhead for AA registra-tion, which is acceptable. In Key Generation&Distributionphase, after receiving secret keys from AAs, users in TMACSand RAAC need to recompute their secret keys to decrypt.However, the recomputation can be done once and then userscan store them. To decrypt a ciphertext, RAAC is as efficientas Waters’ scheme. In Decryption phase, it seems that DAC-MACS is more efficient for users. However, the reason is thatDAC-MACS adopts the outsourcing technique to let the cloudserver do most decryption for users. If we look at the totalcomputation overhead of the cloud server and the user, RAACis at least as efficient as DAC-MACS.

VIII. DISCUSSION OF A HYBRID MODEL CONSTRUCTION

This paper has presented RAAC scheme based on a single-authority algorithm, where the authority is replaced by oneCA and multiple AAs (we rename the combination as CA/AAsunit). Practically, RAAC can also be built in many traditionalmulti-authority settings, e.g., [11, 31], where the attribute au-thorities (referred to as TAAs to distinguish AAs of traditionalmulti-authority settings from AAs in CA/AAs unit of RAAC)manage disjoint attribute subsets. In what follows, we showhow our proposed scheme works with DAC-MACS [11].

At a high level, the CA/AAs unit acts as an individual TAAto manage a disjoint attribute subsets. Besides, there is a

root central authority to play the role of CA in DAC-MACS(denoted as RCA for distinction). Fig. 7 briefly depicts thehybrid architecture. The secret key of user j from a certainCA/AAs unit k (SKj,k) is:

Kj,k = gαk · gauj · gatj,k/βk , Lj,k = gβktj,k , Rj,k = gatj,k ,

∀xk ∈ Sj,k : Kj,xk= gβkγktj,k ·H(xk)

γkβkuj ,

where αk, βk and γk are master secret keys of CA. It is notedthat the components for decryption outsource and attributerevocation, zj and vxk

, respectively, are omitted in our discus-sion. The remaining will discuss how we generate the samesecret key format as DAC-MACS with CA/AAs unit, whilepreserve the auditability of AAs.

To output SKj,k, an AA in CA/AAs k generates an interme-diate key as:

ICAidi,Uidj ,k = {Kxk= h

kAidit1

xk , Jxk= ht2

xk}∀xk∈Sj,k

,

where, hxk= g ·H(xk)

uj acts the same role of hx in RAAC.After receiving the intermediate key, CA computes:

∀xk ∈ Sj,k,

K ′xk

=(hkAidi

θkt1xk · gϕk(t1+t2)

)γkβk

,

K ′′xk

=(hφkt2xk

·H(xk)uj(1−(kAidi

θkt1+φkt2))g−ϕk(t1+t2))γkβk

,

where, φk, θk and ϕk are the master secret keys maintained bythat CA in CA/AAs unit k). Then, the user recomputes secretkey for each attribute in the set:

∀xk ∈ Sj,k : Kj,xk= K ′

xk·K ′′

xk= gβkγkdk ·H(xk)

γkβkuj .

where, dk = (kAidiθkt1 + φkt2), which acts as tj,k inDAC-MACS. Other parts of secret key Kj,k, Lj,k, Rj,k arecomputed by CA in the same way as DAC-MACS does.

The above output SKj,k has the same format as DAC-MACS, which shows the construction can realize a traditionalmulti-authority structure. Furthermore, as g · H(xk)

uj playsthe same role as hx for every attribute x in CA’s managementdomain, and Lj,k plays the similar role of L in RAAC, theAuditing&Tracing mechanism can be preserved.



13

TABLE IIICOMPUTATION OVERHEAD

Phase System Initialization Key Generation&Distribution Encryption Decryption AuditingEntity CA AA CA AA User Owner User CA User[22] Not exist O(U) Not exist O(NUid) O(1) O(Nc) O(Nc) N/A N/A[11] O(Nu +NA) O(UAidi ) N/A O(NUid,Aidi ) O(1) O(Nc +NA,c) O(1)∗ N/A N/A

[15] O(U +Nu +NA + t) O(NA) N/A O(NUid)O(tNUid) O(Nc) O(Nc) N/A N/A(Only once)

Ours O(U +Nu +NA) O(1) O(NUid) O(NUid)O(NUid) O(Nc) O(Nc) O(1) O(1)(Only once)

∗ There are the computation overhead of O(Nc +NA,c) on Cloud Server.

1 Nuj

k NA1

Fig. 7. A hybrid architecture

IX. CONCLUSION

In this paper, we proposed a new framework, named RAAC,to eliminate the single-point performance bottleneck of theexisting CP-ABE schemes. By effectively reformulating CP-ABE cryptographic technique into our novel framework, ourproposed scheme provides a fine-grained, robust and efficientaccess control with one-CA/multi-AAs for public cloud storage.Our scheme employs multiple AAs to share the load ofthe time-consuming legitimacy verification and standby forserving new arrivals of users’ requests.

We also proposed an auditing method to trace an attributeauthority’s potential misbehavior. We conducted detailed secu-rity and performance analysis to verify that our scheme is se-cure and efficient. The security analysis shows that our schemecould effectively resist to individual and colluded malicioususers, as well as the honest-but-curious cloud servers. Besides,with the proposed auditing & tracing scheme, no AA coulddeny its misbehaved key distribution. Further performanceanalysis based on queuing theory showed the superiority ofour scheme over the traditional CP-ABE based access controlschemes for public cloud storage.

ACKNOWLEDGMENT

This work is supported by the National Natural ScienceFoundation of China under Grant No. 61379129, Youth In-novation Promotion Association CAS, and the FundamentalResearch Funds for the Central Universities.

REFERENCES

[1] P. Mell and T. Grance, “The NIST definition of cloudcomputing,” National Institute of Standards and Tech-nology Gaithersburg, 2011.

[2] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, “Enablingpersonalized search over encrypted outsourced data withefficiency improvement,” IEEE Transactions on Parallel& Distributed Systems, vol. 27, no. 9, pp. 2546–2559,2016.

[3] Z. Fu, X. Sun, S. Ji, and G. Xie, “Towards efficientcontent-aware search over encrypted outsourced data incloud,” in in Proceedings of 2016 IEEE Conference onComputer Communications (INFOCOM 2016). IEEE,2016, pp. 1–9.

[4] K. Xue and P. Hong, “A dynamic secure group sharingframework in public cloud computing,” IEEE Transac-tions on Cloud Computing, vol. 2, no. 4, pp. 459–470,2014.

[5] Y. Wu, Z. Wei, and H. Deng, “Attribute-based access toscalable media in cloud-assisted content sharing,” IEEETransactions on Multimedia, vol. 15, no. 4, pp. 778–788,2013.

[6] J. Hur, “Improving security and efficiency in attribute-based data sharing,” IEEE Transactions on Knowledgeand Data Engineering, vol. 25, no. 10, pp. 2271–2282,2013.

[7] J. Hur and D. K. Noh, “Attribute-based access controlwith efficient revocation in data outsourcing systems,”IEEE Transactions on Parallel and Distributed Systems,vol. 22, no. 7, pp. 1214–1221, 2011.

[8] J. Hong, K. Xue, W. Li, and Y. Xue, “TAFC: Timeand attribute factors combined access control on time-sensitive data in public cloud,” in Proceedings of 2015IEEE Global Communications Conference (GLOBECOM2015). IEEE, 2015, pp. 1–6.

[9] Y. Xue, J. Hong, W. Li, K. Xue, and P. Hong, “LABAC:A location-aware attribute-based access control schemefor cloud storage,” in Proceedings of 2016 IEEE Glob-al Communications Conference (GLOBECOM 2016).IEEE, 2016, pp. 1–6.

[10] A. Lewko and B. Waters, “Decentralizing attribute-basedencryption,” in Advances in Cryptology–EUROCRYPT2011. Springer, 2011, pp. 568–588.

[11] K. Yang, X. Jia, K. Ren, and B. Zhang, “DAC-MACS:Effective data access control for multi-authority cloud



14

storage systems,” in Proceedings of 2013 IEEE Confer-ence on Computer Communications (INFOCOM 2013).IEEE, 2013, pp. 2895–2903.

[12] J. Chen and H. Ma, “Efficient decentralized attribute-based access control for cloud storage with user re-vocation,” in Proceedings of 2014 IEEE InternationalConference on Communications (ICC 2014). IEEE,2014, pp. 3782–3787.

[13] M. Chase and S. S. Chow, “Improving privacy andsecurity in multi-authority attribute-based encryption,” inProceedings of the 16th ACM conference on Computerand Communications Security (CCS 2009). ACM, 2009,pp. 121–130.

[14] M. Lippert, E. G. Karatsiolis, A. Wiesmaier, and J. A.Buchmann, “Directory based registration in public keyinfrastructures.” in Proceedings of the 4th InternationalWorkshop for Applied PKI (IWAP 2005), 2005, pp. 17–32.

[15] W. Li, K. Xue, Y. Xue, and J. Hong, “TMACS: A robustand verifiable threshold multi-authority access controlsystem in public cloud storage,” IEEE Transactions onParallel & Distributed Systems, vol. 27, no. 5, pp. 1484–1496, 2016.

[16] S. Chokhani, W. Ford, R. Sabett, C. Merrill, and S. Wu,“Internet x.509 public key infrastructure certificate pol-icy and certification practices framework,” IETF RFC,RFC3647, 2003.

[17] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of en-crypted data,” in Proceedings of the 13th ACM Confer-ence on Computer and Communications Security (CCS2006). ACM, 2006, pp. 89–98.

[18] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings ofIEEE Symposium on Security and Privacy (S&P 2007).IEEE, 2007, pp. 321–334.

[19] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Boundedciphertext policy attribute based encryption,” in Automa-ta, languages and programming. Springer, 2008, pp.579–591.

[20] L. Cheung and C. Newport, “Provably secure ciphertextpolicy abe,” in Proceedings of the 14th ACM Conferenceon Computer and Communications Security (CCS 2007).ACM, 2007, pp. 456–465.

[21] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, andB. Waters, “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryp-tion,” in Advances in Cryptology–EUROCRYPT 2010.Springer, 2010, pp. 62–91.

[22] B. Waters, “Ciphertext-policy attribute-based encryption:An expressive, efficient, and provably secure realization,”in International Workshop on Public Key Cryptography.Springer, 2011, pp. 53–70.

[23] K. Emura, A. Miyaji, A. Nomura, K. Omote, andM. Soshi, “A ciphertext-policy attribute-based encryptionscheme with constant ciphertext length,” in InformationSecurity Practice and Experience. Springer, 2009, pp.13–23.

[24] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-basedencryption with non-monotonic access structures,” inProceedings of the 14th ACM Conference on Computerand Communications Security (CCS 2007). ACM, 2007,pp. 195–203.

[25] S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” in Public-Key Cryptography–PKC2014. Springer, 2014, pp. 293–310.

[26] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute baseddata sharing with attribute revocation,” in Proceedingsof the 5th ACM Symposium on Information, Computerand Communications Security (ASIACCS 2010). ACM,2010, pp. 261–270.

[27] M. Green, S. Hohenberger, and B. Waters, “Outsourcingthe decryption of abe ciphertexts.” in USENIX SecuritySymposium, vol. 2011, no. 3, 2011.

[28] J. Shao, R. Lu, and X. Lin, “Fine-grained data sharingin cloud computing for mobile devices,” in Proceedingsof 2015 IEEE Conference on Computer Communications(INFOCOM 2015). IEEE, 2015, pp. 2677–2685.

[29] J. Li, X. Huang, J. Li, X. Chen, and Y. Xiang, “Securelyoutsourcing attribute-based encryption with checkabili-ty,” IEEE Transactions on Parallel and Distributed Sys-tems, vol. 25, no. 8, pp. 2201–2210, 2014.

[30] A. Sahai and B. Waters, “Fuzzy identity-based encryp-tion,” in Advances in Cryptology–EUROCRYPT 2005.Springer, 2005, pp. 457–473.

[31] M. Chase, “Multi-authority attribute based encryption,”in Proceedings of the 4th Theory of Cryptography Con-ference (TCC 2007). Springer, 2007, pp. 515–534.

[32] H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure thresh-old multi-authority attribute based encryption without acentral authority,” Information Sciences, vol. 180, no. 13,pp. 2618–2632, 2010.

[33] S. Muller, S. Katzenbeisser, and C. Eckert, “Distributedattribute-based encryption,” in Information Security andCryptology–ICISC 2008. Springer, 2009, pp. 20–36.

[34] S. Ruj, A. Nayak, and I. Stojmenovic, “DACC: Distribut-ed access control in clouds,” in Proceedings of the 10thInternational Conference on Trust, Security and Privacyin Computing and Communications (TrustCom 2011).IEEE, 2011, pp. 91–98.

[35] H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure thresh-old multi authority attribute based encryption without acentral authority,” Information Sciences, vol. 180, no. 13,pp. 2618–2632, 2010.

[36] K. Yang and X. Jia, “Expressive, efficient and revocabledata access control for multi-authority cloud storage,”IEEE Transactions on Parallel and Distributed Systems,vol. 25, no. 7, 2013.

[37] J. Han, W. Susilo, Y. Mu, J. Zhou, and M. H. A. Au, “Im-proving privacy and security in decentralized ciphertext-policy attribute-based encryption,” IEEE Transactions onInformation Forensics and Security, vol. 10, no. 3, pp.665–678, 2015.

[38] T. Jung, X.-Y. Li, Z. Wan, and M. Wan, “Control clouddata access privilege and anonymity with fully anony-mous attribute-based encryption,” IEEE Transactions on



15

Information Forensics and Security, vol. 10, no. 1, pp.190–199, 2015.

[39] K. Yang, X. Jia, and K. Ren, “Secure and verifiablepolicy update outsourcing for big data access control inthe cloud,” IEEE Transactions on Parallel & DistributedSystems, vol. 26, no. 12, pp. 3461–3470, 2015.

[40] J. Li, K. Ren, B. Zhu, and Z. Wan, “Privacy-awareattribute-based encryption with user accountability,” inInformation Security. Springer, 2009, pp. 347–362.

[41] J. Li, Q. Huang, X. Chen, S. S. Chow, D. S. Wong,and D. Xie, “Multi-authority ciphertext-policy attribute-based encryption with accountability,” in Proceedingsof the 6th ACM Symposium on Information, Computerand Communications Security (ASIACCS 2011). ACM,2011, pp. 386–390.

[42] Z. Liu and Z. Cao, “On efficiently transferring thelinear secret-sharing scheme matrix in ciphertext-policyattribute-based encryption,” IACR Cryptology ePrintArchive, vol. 2010, p. 374, 2010.

[43] J. Li, K. Ren, and K. Kim, “A2BE: Accountable attribute-based encryption for abuse free access control,” IACRCryptology ePrint Archive, vol. 2009, p. 118, 2009.

Kaiping Xue (M’09-SM’15) received his B.S. de-gree from the Department of Information Security,University of Science and Technology of China(USTC), in 2003 and received his Ph.D. degree fromthe Department of Electronic Engineering and Infor-mation Science (EEIS), USTC, in 2007. Currently,he is an Associate Professor in the Department of In-formation Security and Department of EEIS, USTC.His research interests include next-generation Inter-net, distributed networks and network security.

Yingjie Xue received her B.S. degree from thedepartment of Information Security, University ofScience and Technology of China (USTC) in July,2015. She is currently a graduated student in Com-munication and Information System from the De-partment of Electronic Engineering and InformationScience(EEIS), USTC. Her research interests includeNetwork security and Cryptography.

Jianan Hong received the B.S. degree from thedepartment of Information Security, University ofScience and Technology of China (USTC), in 2012.He is currently working toward the Ph.D. degree inInformation Security from the Department of Elec-tronic Engineering and Information Science(EEIS),USTC. His research interests include secure cloudcomputing and mobile network security.

Wei Li received the B.S. degree from the Depart-ment of Information Security, University of Scienceand Technology of China(USTC), in 2014. He iscurrently a graduated student in Communication andInformation System from the Department of Elec-tronic Engineering and Information Science(EEIS),USTC. His research interests include network secu-rity protocol design and analysis.

Hao Yue received his B.Eng. degree in Telecommu-nication Engineering from Xidian University, Xi’an,China, in 2009, and Ph.D degree in Electrical andComputer Engineering from University of Florida,Gainesville, FL, USA, in 2015. He is now anAssistant Processor with the Department of Com-puter Science, San Francisco State University, SanFrancisco, CA, USA. His research interests includecyber-physical systems, cybersecurity, wireless net-working, and mobile computing.

David S.L. Wei (SM’07) received his Ph.D. degreein Computer and Information Science from the U-niversity of Pennsylvania in 1991. He is currentlya Professor of Computer and Information ScienceDepartment at Fordham University. From May 1993to August 1997 he was on the Faculty of ComputerScience and Engineering at the University of Aizu,Japan (as an Associate Professor and then a Pro-fessor). He has authored and co-authored more than100 technical papers in the areas of distributed andparallel processing, wireless networks and mobile

computing, optical networks, peer-to-peer communications, cognitive radionetworks, big data, and cloud computing in various archival journals andconference proceedings. He served on the program committee and was asession chair for several reputed international conferences. He was a leadguest editor of IEEE Journal on Selected Areas in Communications for thespecial issue on Mobile Computing and Networking, a lead guest editor ofIEEE Journal on Selected Areas in Communications for the special issueon Networking Challenges in Cloud Computing Systems and Applications,a guest editor of IEEE Journal on Selected Areas in Communications forthe special issue on Peer-to-Peer Communications and Applications, and alead guest editor of IEEE Transactions on Cloud Computing for the specialissue on Cloud Security. He was the chair of Intelligent TransportationForum of Globecom 2010, the general chair of Intelligent TransportationWorkshop of ICC 2011, and the chair of Cloud Security Forum and IntelligentTransportation Forum of Globecom 2011. He is currently an Associate Editorof IEEE Transactions on Cloud Computing, an Associate Editor of Journal ofCircuits, Systems and Computers, and a guest editor of IEEE Transactionson Big Data for the special issue on Trustworthiness in Big Data andCloud Computing Systems. Currently, His research interests include cloudcomputing, big data, IoT, and cognitive radio networks.

Peilin Hong received her B.S. and M.S. degreesfrom the Department of Electronic Engineering andInformation Science (EEIS), University of Scienceand Technology of China (USTC), in 1983 and 1986.Currently, she is a Professor and Advisor for Ph.D.candidates in the Department of EEIS, USTC. Herresearch interests include next-generation Internet,policy control, IP QoS, and information security. Shehas published 2 books and over 150 academic papersin several journals and conference proceedings.

RAAC: Robust and Auditable Access Control with...

Documents

Transcript of RAAC: Robust and Auditable Access Control with...