Efficient Attribute-Based Encryption with Privacy-Preserving Key Generation and Its Application in Industrial Cloud

Due to the rapid development of new technologies such as cloud computing, Internet of Things (IoT), and mobile Internet, data volumes are exploding. Particularly, in the industrial field, a large amount of data is generated every day. How to manage and use industrial Big Data properly is a thorny challenge for every industrial enterprise manager. As an emerging form of service, cloud computing technology provides a good solution. It receives more and more attention and support due to its flexible configuration, on-demand purchase, and easy maintenance. Using cloud technology, enterprises get rid of the heavy data management work and concentrate on their main business. Although cloud technology has many advantages, there are still many problems in terms of security and privacy. To protect the confidentiality of the data, the mainstream solution is encrypting data before uploading. In order to achieve flexible access control to encrypted data, attribute-based encryption (ABE) is an outstanding candidate. At present, more and more applications are using ABE to ensure data security. However, the privacy protection issues during the key generation phase are not considered in the current ABE systems. That is to say, the key generation center (KGC) knows both the attributes and the corresponding keys of each user. This problem is especially serious in the industrial big data scenario, because it will cause great damage to the business secrets of industrial enterprises. In this paper, we design a new ABE scheme that protects the user's privacy during key issuing. In our new scheme, we separate the functionality of attribute auditing and key generating to ensure that the KGC cannot know the user's attributes and that the attribute auditing center (AAC) cannot obtain the user's secret key. This is ideal for many privacy-sensitive scenarios, such as the industrial big data scenario.


Introduction
Due to the rapid development of new technologies such as cloud computing, Internet of Things (IoT), and mobile Internet, data volumes are exploding, and we have truly entered the era of "Big Data." Big Data technology has attracted attention and been applied in almost every industry: retail, healthcare, financial services, government, and so on. Particularly, in the field of industrial production, a large amount of data is generated every day, and it includes business data from information systems, machine data from industrial IoT systems, and some other data from related websites, etc. For a manufacturing enterprise, Big Data can not only be used to improve the efficiency of the business, but more importantly change the manufacturing process and business model. Industrial Big Data is the core of intelligent manufacturing and industrial IoT and provides the most favorable support for the development of Industry 4.0. How to manage and use industrial Big Data efficiently is a great challenge for every enterprise manager.
Cloud computing technology can provide better solutions to the above challenge. Using cloud technology, enterprises get rid of the heavy data management work and concentrate on their main business. Nowadays, large cloud service providers, such as Amazon, Microsoft, IBM, etc., have launched industrial cloud platforms, and more and more industrial enterprises migrate their data to these platforms. However, hosting data on third-party platforms creates new problems, because the security and privacy of the data have to depend on the credibility of the third party.
For businesses, the biggest concern is the confidentiality of industrial data. The main solution to this problem is to use encrypting methods to protect data before uploading it. However, traditional symmetric and asymmetric encryption schemes are not appropriate for providing fine-grained access control. Therefore, the above problems have brought new challenges to data encryption, and numerous studies have focused on these issues [1][2][3].
Among various solutions, attribute-based encryption (ABE) [4,5] has become an excellent candidate because of its ability to provide data confidentiality and fine-grained access control for cloud storage. Currently, more and more industrial enterprises are using ABE. In an industrial alliance, enterprises can share encrypted data based on the attributes. Only those enterprises whose attributes meet the access policy can decrypt the encrypted data. Although much research has been done on ABE [6][7][8], there are still some problems that have not been solved well. The current ABE systems do not consider privacy protection during the key generation phase. That is to say, the key generation center (KGC) knows the attributes and corresponding keys of each user in this system. This causes great damage to the user's privacy and data confidentiality. Particularly, in the application scenarios of industrial big data, the attributes of enterprise users may be related to the business secrets of enterprises.

Our Contribution.
In order to solve the privacy protection problem in the key generation phase, we propose a new ABE system, in which we separate the functionality of attribute auditing and key extracting to ensure that the KGC does not know the specific attributes of the user and that the attribute auditing center (AAC) does not obtain the user's key. In this system, when a user applies for its private key, it first authenticates its attributes to the AAC and gets a blind token, which only certifies its attributes blindly and reveals nothing about the specific attributes. The user presents the blind token to the KGC to obtain the corresponding blind key, from which the user can extract the final private key. During this process, no information about the user's attributes is leaked to the KGC, and no information about the private key is leaked to the AAC. We implicitly use the oblivious transfer (OT) protocol to solve this problem. This protects the user's privacy during the key generation phase.
Our ABE is suitable for privacy sensitive scenarios. Particularly, in the encryption system of industrial cloud, the attributes often involve business secrets of industrial enterprises. KGC, as a technology department, should not know these types of secret information. Therefore, we expressly introduce an application of our new scheme in the industrial cloud.

Attribute-Based Encryption.
Attribute-based encryption is a one-to-many public key encryption. Only a user whose attributes satisfy the access policy set by the encryptor can decrypt the ciphertext. This concept originates from identity-based encryption [9]. In 2005, Sahai and Waters [4] proposed the concept of fuzzy identity encryption, which became a precedent for attribute-based encryption. In 2006, Goyal et al. [5] first proposed the formal definition of attribute-based encryption (ABE), which is classified into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). They also constructed the first KP-ABE scheme. In the next year, Bethencourt et al. [10] gave the CP-ABE construction for the first time. In a CP-ABE scheme, the encryptor sets an access policy in the ciphertext to determine which kind of users can decrypt the data. This is very consistent with the security requirements of cloud storage. In recent years, more and more research has focused on CP-ABE [11][12][13]. However, none of the aforementioned works deals with the privacy protection problem in the key generation phase.

Oblivious Transfer.
The concept of oblivious transfer (OT) was originally proposed by Rabin [14] in 1981, and then it became an important basic primitive in the field of cryptography. In an OT protocol, the sender delivers part of its messages to the receiver and remains unaware of which parts (if any) are delivered. In other words, a secure OT protocol must satisfy two security features: (1) the sender cannot obtain the selection information of the receiver; (2) the receiver cannot obtain any information about other messages except for its choice.
In 1985, Even et al. [15] presented a specific 1-out-of-2 OT protocol ($OT^1_2$), in which the sender has 2 values, and the receiver only gets one of them. Then, Brassard et al. [ [20] gave an 1 protocol with better round complexity and better communication complexity. In 2003, Ishai et al. [21] proposed OT extension, from which a large number of OTs can be performed using only cheap symmetric-key operations. In the past decades, the OT protocol has been fully studied and widely used [22][23][24][25].

Organization.
In Section 2, we introduce the preliminaries of this paper. In Section 3, we introduce the concept of attribute-based encryption with privacy preserving key generation (PPKG-ABE) and its security definition. In Section 4, we propose a specific PPKG-ABE scheme and analyze its security in Section 5. In Section 6, we introduce the application of PPKG-ABE in industrial cloud environment for protecting the security of industrial Big Data.

CP-ABE.
In a CP-ABE system, there are three types of entities, i.e., key generation center (KGC), encryptor, and decryptor. The KGC issues secret keys according to users' attributes. The encryptor encrypts the messages according to a designated access policy. The decryptor can decrypt the ciphertext successfully only if its attributes satisfy the corresponding access policy.
There are four algorithms in a CP-ABE scheme:
(1) Setup: it takes security parameters as input and outputs public parameters and master secret key .
(2) KeyGen: it takes public parameters , master secret key , and a set of attributes as input and outputs secret key corresponding to .
(3) Encryption: it takes public parameters , access policy W, and message as input and outputs the ciphertext W .
(4) Decryption: it takes public parameters , ciphertext W , and secret key as input and outputs the message , if and only if the attributes satisfy the access policy W; i.e., ⊨ W.

Oblivious Transfer.
The oblivious transfer (OT) protocol is a two-party computation protocol in which one party is the sender (S) and the other is the recipient (R). The protocol ensures the following: S sends a group of messages to R. R can get a subset of these messages, but S does not know which messages R received.
In this paper, we draw on a classic $OT^1_2$ protocol [26]: Party S has two elements 0 , 1 of group G and party R has a bit ∈ {0, 1}. The descriptions of group G are known to both parties, where |G| = and is a generator.
). R sends to S.

Bilinear Maps.
Let $G_1$, $G_2$, and G be three order cyclic groups. The bilinear pairing operation is a bilinear map, : $G_1$ × $G_2$ → G , and satisfies the following properties: In this paper, we use asymmetric bilinear groups; that is,

Attribute-Based Encryption with Privacy Preserving Key Generation
In the key generation phase of traditional ABE, the KGC always knows the attribute information of each user. This greatly damages the privacy of users. In order to solve this problem, we separate the two functions of attribute auditing and key extracting. We introduce an attribute audit center (AAC) into the ABE system to authenticate the attributes of users and to issue blind tokens to them. The KGC, as a simple technical support institution, is only responsible for generating keys, but it does not know the corresponding attributes of these keys.

System Model.
In the key generation phase (as shown in Figure 1), there are three types of entities: attribute audit center (AAC), key generation center (KGC), and data user. In this system, the user submits its attributes and relevant evidence to the AAC. The AAC audits the user's attributes and returns a blind token with the signature of the AAC to the user. In practical applications, the AAC role is often carried out by the institutions that provide certification for the user's attributes, such as government offices, because they know the attributes of users themselves and do not cause extra leaks. In other words, the blind token is the evidence that a user owns some attributes. This token does not reveal any information about the user's attributes and only ensures their authenticity. When the user needs to obtain its attribute key, it submits the blind token to the KGC, which is a technical institution. The KGC first checks the legitimacy of the token; if the token is invalid, it aborts; otherwise, it runs the key generation algorithm on the token and returns a blind key. After the user obtains the blind key, it extracts the secret key locally. The specific process is as follows:
(1) The user shows its attributes and relevant evidence to the attribute audit center (AAC).
(2) The AAC audits the user's attributes and returns a blind token to the user with its signature.
(3) When a user needs to obtain its attribute key, it will submit its blind token to the key generation center (KGC). The KGC cannot get any information about the user's attributes. It can only confirm that the user truly has the related attributes.
(4) The key generation center (KGC) first checks the legitimacy of the token, and if the signature is illegal, it aborts; otherwise, it runs the key generation algorithm and outputs a blind key.
(5) The user receives the blind key from KGC and extracts the private key.
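An added example, not the paper's construction (whose formulas are not reproduced on this page): a toy of the five-step key-issuing flow above, with the 1-out-of-2 OT idea from the preliminaries realized as Bellare-Micali-style OT over ElGamal in a prime-order subgroup instead of pairing groups, and a Schnorr signature standing in for the AAC's signature. All function names, the public element `C`, and the `"+-+"` attribute strings are assumptions for illustration.

```python
import hashlib, secrets

# RFC 2409 Oakley Group 1 safe prime (768-bit: demo size only). Q = (P-1)/2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 4          # G is a square, so it has prime order Q
SLOT = {"+": 0, "-": 1}         # fixed slot order, independent of the attribute

def hash_int(*vals):
    data = "|".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

C = pow(hash_int("ppkg-abe demo"), 2, P)  # public element, discrete log unknown

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keypair():
    x = rand_exp()
    return x, pow(G, x, P)

def kgc_setup(n):
    """KGC master key (toy): one group element per attribute value (+, -)."""
    return [(pow(G, rand_exp(), P), pow(G, rand_exp(), P)) for _ in range(n)]

def user_temp_keygen(n):
    """User: temporary secrets r_i and temporary public keys G^r_i."""
    sk = [rand_exp() for _ in range(n)]
    return sk, [pow(G, r, P) for r in sk]

def aac_blind_token(aac_sk, attrs, temp_pk):
    """AAC: put G^r_i in the slot of the audited value and C / G^r_i in the
    other slot, then Schnorr-sign the list of pairs."""
    pairs = []
    for sign, pk in zip(attrs, temp_pk):
        other = C * pow(pk, -1, P) % P
        pairs.append((pk, other) if sign == "+" else (other, pk))
    k, R = keypair()            # fresh signing nonce
    return pairs, (R, (k + hash_int(R, pairs) * aac_sk) % Q)

def kgc_blind_keygen(msk, aac_pk, token):
    """KGC: verify the AAC signature and pair shape, then ElGamal-encrypt BOTH
    key components of every attribute; it cannot tell which one opens."""
    pairs, (R, s) = token
    if pow(G, s, P) != R * pow(aac_pk, hash_int(R, pairs), P) % P:
        raise ValueError("invalid AAC signature")
    if any(a * b % P != C for a, b in pairs):
        raise ValueError("malformed blind token")
    blind = []
    for comps, pair in zip(msk, pairs):
        ks = (rand_exp(), rand_exp())
        blind.append([(pow(G, k, P), m * pow(pk, k, P) % P)
                      for k, m, pk in zip(ks, comps, pair)])
    return blind

def key_extract(blind, temp_sk, attrs):
    """User: open the slot of each owned value with r_i."""
    key = []
    for entry, r, sign in zip(blind, temp_sk, attrs):
        c1, c2 = entry[SLOT[sign]]
        key.append(c2 * pow(c1, -r, P) % P)
    return key
```

In this toy, each pair the KGC sees is distributed identically whichever slot the user can open, and the AAC never holds the temporary secrets, so it cannot open the blind key even if it observes it.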

Syntax.
In detail, an attribute-based encryption with privacy preserving key generation scheme (PPKG-ABE) includes seven fundamental algorithms: Setup, UserTemKeyGen, BlindTokenGen, BlindKenGen, KeyExtra, Encrypt, and Decrypt. The specific algorithms are described as follows:
Setup( ) → , : the setup algorithm is run by KGC, it inputs security parameter , and it outputs public parameters and master secret key .
UserTemKeyGen( , ) → , : the user's temporary-key generation algorithm is run by user. It takes and security parameters as input and outputs user's temporary public key and user's temporary secret key .
BlindTokenGen( , , ) → : the blind token generation algorithm is run by AAC. It takes , user's attributes set , and user's temporary public key as input and outputs a blind token for attributes set .
BlindKenGen( , , ) → : the blind key generation algorithm is run by KGC. It takes , master secret key , and user's blind token as input and outputs blind secret key for attributes set .
KeyExtra( , ) → : the key extract algorithm is run by user locally. It takes blind secret key and user's temporary secret key as input and outputs the final secret key for attributes set .
Encrypt( , , W) → : the encryption algorithm is run by encryptor. It takes , message , and access structure W as input and outputs ciphertext .
Decrypt( W , ) → : the decryption algorithm is run by decryptor. It takes ciphertext W and secret key as input and outputs message , if ⊨ W.
We note that, in the PPKG-ABE scheme, the AAC is responsible for auditing the user's attributes and issuing a blind token to the user. The blind token includes a description of the authenticity of the user's attributes, along with the signature of the AAC, and reveals no information about specific attributes.

Security Model.
We define the security in two aspects: confidentiality and privacy. Specifically, in this security model, we do not allow AAC and KGC to collude.

Confidentiality.
We introduce the selective security model under chosen-plaintext attacks for the PPKG-ABE scheme. The game is played between adversary A and challenger C:

Init.
A specifies an access structure W * for challenge.
Setup. C calls the Setup algorithm and returns to A.

Phase 2.
A queries secret key on any attributes set ⊭ W * . C returns the secret key for .

Privacy.
We introduce a new security game for defining privacy. In this game, we define the following two oracles.
Blind Token Oracle O ( ): it takes attributes set as input and outputs corresponding blind token .
Blind Key Oracle O ( ): it takes blind token as input and outputs corresponding blind key .
The game is played between adversary A and challenger C: Setup. C calls the Setup algorithm and returns to A.

Phase 5.
A queries blind token oracle O and blind key oracle freely.

Guess.
A guesses for . The advantage V for A is defined as

Construction.
In this construction, the PPKG-ABE scheme is constructed on the basis of [27], which only supports AND gates. Suppose that the attribute universe is ={ 1 , 2 , . . . , }, where each has 2 values: "+" and "−". The "+" denotes that user owns this attribute, while the "−" denotes that user does not own this attribute. The specific scheme is as follows:
Setup( , ): the setup algorithm is run by KGC. It takes security parameters and attribute universe as input, where | | = . The algorithm first chooses order bilinear groups $G_1$, $G_2$, and G , where is a generator of $G_1$ and ℎ is a generator of $G_2$. Let be a cryptographic hash function; :
UserTemKeyGen( , ): the user's temporary-key generation algorithm is run by user. It takes public parameters and security parameters as input and chooses ← Z randomly for ∈ [1, ], as its temporary secret key . Then, it calculates the temporary public key = {ℎ } ∈ [1, ] .
Then, it runs standard signature algorithm on to get a signature Σ and returns = ( , Σ) to user.
It outputs
We note, in the above key issuing procedure, that KGC cannot obtain the specific attributes of user, and AAC cannot obtain the secret key.

Confidentiality
Theorem 8. If the decisional −BDHE assumption holds for bilinear groups $G_1$, $G_2$, and G , our PPKG-ABE scheme is selectively IND-CPA secure.
Proof. If the adversary A can win the above security game with nonnegligible advantage, we can construct an algorithm B to break the decisional −BDHE assumption. B plays the security game with A as follows: Init. B receives challenge gate W * = ⋀ ∈ * from A.
Therefore, B can break the decisional −BDHE assumption with nonnegligible advantage.

Privacy
Theorem 10. If the DDH assumption holds in $G_2$, our PPKG-ABE scheme is privacy preserving in the key generation phase.
Proof. If the DDH assumption holds in $G_2$, no probabilistic polynomial-time adversary can distinguish the following tuples: (ℎ , ℎ , ℎ , ℎ ) and (ℎ , ℎ , ℎ , ℎ ), where ℎ is a generator of group $G_2$, and , , are selected from * randomly. Therefore, no probabilistic polynomial-time adversary can win the security game for privacy.

Application in Industrial Cloud
Nowadays, the new technological revolution represented by Big Data, cloud computing, and Internet of Things is changing the traditional industrial manufacturing system [28,29]. Industrial cloud provides a more convenient and secure cooperation model for industrial enterprises [30][31][32].
The ABE scheme has been gradually used in the industrial cloud environment. In these applications, the qualifications, patents, and procurement plans owned by an enterprise often represent its attributes. Using a traditional ABE system, the enterprise has to disclose this attribute information, which may relate to business secrets, to the KGC in order to apply for the corresponding private key. Our PPKG-ABE scheme can solve this problem correctly. In this section, we introduce how to deploy our scheme in the industrial cloud environment. Figure 2 shows the specific structure of the application using our PPKG-ABE scheme. It consists of the following entities:
(i) Industry Enterprise: in this system, the role of industry enterprise is data user. They want to get useful information according to their business, but they do not want to reveal to the KGC their attribute information, which may relate to their business secrets.
(ii) Industry Alliance Manager: in this system, the role of the industry alliance manager is AAC, which issues blind tokens for the attributes of industry enterprises after reviewing the relevant evidence.
(iii) KGC: its responsibility is to issue the corresponding key to the attributes of industry enterprises. In this system, KGC cannot get these attributes.
(iv) Industrial Information Provider: in this system, industrial information providers are the members of the industrial alliance and include manufacturing enterprises, sales enterprises, logistics enterprises, scientific research institutions, consultant firms, and so on. They will use the ABE scheme to share their encrypted data.
(v) Industrial Cloud: industrial cloud serves as data storage center and data sharing center in this system. In order to protect the security and privacy of industrial Big Data, the industrial information providers upload their data in encrypted form.
The specific workflow is as follows:
(1) After checking the relevant evidence, the industry enterprise and the industry alliance manager run UserTemKeyGen and BlindTokenGen algorithms, respectively. The industry enterprise gets the blind token corresponding to its attributes.
(2) When the industry enterprises need to ask for their attribute keys, they will submit their blind tokens to KGC. The KGC runs BlindKenGen algorithm and returns blind secret keys to the industry enterprises. In this process, the KGC cannot get any information about the enterprises' attributes.
(3) After receiving the blind secret keys, the industry enterprises run KeyExtra algorithm to obtain their own secret key. Even if the industry alliance manager knows the attributes of industry enterprises, it does not know the secret keys corresponding to these attributes.
(4) The industrial information providers run Encrypt algorithm to encrypt the industrial data based on some access policies. Then, they share encrypted data on the cloud. Only the enterprises that meet the policies can access corresponding data.
(5) The industry enterprises acquire encrypted data from the cloud and run Decrypt algorithm to get plaintext.
In the above application, industrial information providers can share industrial data according to enterprises' attributes. Only the enterprises that meet the access policy are able to access data. Unlike traditional ABE solutions, in this application, the attributes information of enterprises will not be known by KGC. The business secret of enterprises is protected.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.