Conditional Ciphertext-Policy Attribute-Based Encryption Scheme in Vehicular Cloud Computing

VCC (Vehicular Cloud Computing) is an emerging and promising paradigm, due to its significance in traffic management and road safety. However, it is difficult to maintain both data security and system efficiency in Vehicular Cloud, because the traffic and vehicular related data is large and complicated. In this paper, we propose a conditional ciphertext-policy attribute-based encryption (C-CP-ABE) scheme to solve this problem. Compared with CP-ABE, this scheme enables the data owner to add extra access trees and the corresponding conditions. Experimental analysis shows that our system brings a trivial amount of storage overhead and a lower amount of computation compared with CP-ABE.


Introduction
VANETs (vehicular ad hoc networks), which can not only improve road safety but also enhance traffic management, have gained great attention in recent years [1,2]. In VANETs, the vehicles, V2V (Vehicle to Vehicle) and V2I (Vehicle to Infrastructure), generate an enormous amount of data. In order to enhance the scalability of VANETs, some studies focus on VCC (Vehicular Cloud Computing), which combines cloud computing [3,4] and VANETs [5,6]. The illustration of VCC is shown in Figure 1. In VCC, mass data from different VANET nodes are collected and stored in cloud servers efficiently.
Meanwhile, VCC is faced with serious security and privacy challenges. For instance, intruders can break into the onboard infrastructure or the cloud server to get the sensitive data, which may leak the privacy of the data owner (DO), or even endanger the lives of passengers. To solve this problem, we introduce CP-ABE [7], which also realizes fine-grained access control on the encrypted data. However, the vehicular situation and surroundings are quite complicated; a one-off encryption under one access tree may no longer be adequate. In addition, the attributes contained in the access structure may denote richer information, not just descriptive information about users' identities. According to these attributes' features, we extract them from the access structure and take them as "conditions." When inserting other access trees, the conditions extracted from them can be used for identifying the corresponding tree.
Main contributions of this paper can be summarized as follows:
(1) In this paper, we propose a conditional ciphertext-policy attribute-based encryption (C-CP-ABE) scheme to allow users to add extra access trees based on the original ciphertext to their own ciphertexts.
(2) All the trees are multiplied by a parameter, except for one tree that is multiplied by the message, which extends the expression compared with the original CP-ABE in [7] without bringing a heavy computation and storage overhead.
(3) We further give the security analysis and performance evaluation, which prove that the security and performance of our scheme are no weaker than those of the traditional scheme.
The rest of this paper is organized as follows. Section 2 introduces the related work. In Section 3, some preliminaries are given. In Section 4, the definition of the condition is given. In Section 5, the proposed scheme is stated. In Section 6, security analysis is given. In Section 7, the performance of our scheme is evaluated. In Section 8, the paper is concluded.

Related Work
Cloud security has been a hot topic recently [8,9]. A new field in the application and research of public key encryption has developed since Shamir proposed Identity Based Encryption in [10]. Based on IBE, Sahai and Waters proposed a new encryption scheme called Fuzzy IBE; they thought that the users' attributes did not have to be precisely matched to the attributes that are specified by data owners. The ciphertext could be decrypted provided the threshold value of attributes was achieved [11]. Chase constructed a multiauthority attribute-based encryption to compensate for the weaknesses of single authority in [12], allowing each authority to be in charge of a domain of attributes. Soon, they improved the privacy and security of their previous system by removing the central trusted authority, which had usability in practice [13]. In [14], Kapadia et al. proposed a scheme to hide the policies and plaintexts from the servers. Along with the increasing number of attributes, the ciphertext size grew as well. To solve this problem, Herranz et al. gave a method to keep the size constant in the situation where the attribute universe was certain [15]. The access structure adopted in the schemes before was monotonic, so Ostrovsky et al. tried to construct an attribute-based encryption scheme which is nonmonotonic, which was proven to be secure based on the Decisional Bilinear Diffie-Hellman (DBDH) assumption [16]. Compared with the previous work, Lewko et al. constructed a scheme that had been proven to be fully secure rather than selectively secure in [17].
In [7,18], KP-ABE and CP-ABE are proposed, respectively. In KP-ABE, the ciphertext's encryption policy is also associated with a set of attributes, but the attributes are organized into a tree structure (named access tree). In CP-ABE, the data owner constructs the access tree using visitors' identity information. The user can decrypt the ciphertext only if attributes in his private key match the access tree. Both became important branches of attribute-based encryption. In [19,20] Attrapadung et al. adopted the nonmonotonic access structure to realize key-policy attribute-based encryption; what is more, the size of ciphertext was designed to be constant. In [21][22][23][24], the ciphertext-policy attribute-based encryption (CP-ABE) scheme with constant size ciphertexts for threshold predicates is proposed.
CP-ABE is a promising research area that attracts more and more attention from researchers. Ibraimi et al. constructed a mediated CP-ABE that provided attributes revocation in [25]. Similar to KP-ABE, there is a considerable amount of research on multiauthority in CP-ABE. Li et al. proposed a multiauthority CP-ABE that allowed tracing the misbehaving users; although only the AND gates were supported, it extended the application of CP-ABE to some extent [26]. Further improvements were made in this respect [27,28].
In [29], with the case of the personal health record, Li et al. realized secure, scalable, and fine-grained access control, supporting the modification of access policies and revocation of attributes. Liu et al. assumed that each attribute had different importance and constructed schemes that supported the access structure with different weights in CP-ABE [30] and KP-ABE [31]. Liu et al. added traceability to an existing expressive, efficient, and secure CP-ABE scheme without weakening its security, and the change in the length of the ciphertext and decryption key does not cause too much overhead [32]. Then they realized the White-Box Traceable CP-ABE in a large universe, where the storage for traitor tracing is constant [33]. In [34], Goyal et al. allowed the access structure to be represented by a bounded-size access tree with threshold gates as its nodes. All of these existing schemes enhance the function of the original CP-ABE [7] to adapt to different scenarios. In this paper, we will introduce a new scheme to raise the adaptability of the original CP-ABE in VCC.

Preliminaries
3.1.Bilinear Maps.Let  0 and  1 be two cyclic multiplicative groups of prime order  and  be the generator of  0 .

Complexity Assumption. The Discrete Logarithm (DL) problem is defined as follows.
Let  be a multiplicative cyclic group of prime order  and  be its generator.DL problem is to compute  ∈ Z  such that  =   , given  ∈   as input.
The DL hardness assumption holds, if no probabilistic polynomial time algorithm can solve the DL problem.
If  ∈ AS, ∀ ∈ ,  ⊆ , and  ∈ AS, then AS is monotonic.Then sets in AS are defined as authorized sets, while the other sets are regarded as unauthorized sets.
In this paper, we construct an access tree T to represent the access structure. All the leaves represent the attributes, while the interior nodes represent the threshold gates. Before encrypting the data, we randomly choose a secret  and generate a polynomial for each interior node from top to bottom to share this secret.
To retrieve the secret, we define the Lagrange coefficient Δ , .
For  ∈ Z  and for ∀ ∈ , Only the authorized sets can succeed in decryption with polynomial interpolation.

The Condition
Definition 1 (condition primitives ).The condition primitives refer to the attributes in the access tree that are not closely related to the users' identities.
Definition 2 (condition ). The condition is a set of condition primitives, by which a specific access tree can be identified. In VCC, condition primitives can be the external objective factors, such as the weather, the traffic, and the status information released by the traffic control department. Unlike the attributes related to the users' identities, the condition primitives do not raise the concern of user privacy disclosure. In our proposed scheme, the condition primitives will be extracted from each access tree to form the corresponding condition. In other words, a condition corresponds to a specific access tree.
Trust Center Authority (TCA) is in charge of evaluating the current conditions and sends them to data users.Condition   may consist of several components:   : {  ,   ,   , . ..}.Each element is a condition primitive, which corresponds to a specific value that is randomly generated when the system is set up.Once generated, all the values are fixed and different from each other.In our scheme, we consider the relation of these conditions that belong to the same access structure to be AND.We multiply these corresponding values to denote the current condition.
With the support of the condition, when a data owner encrypts the data, more than one access tree can be added to the original ciphertext. When a data user requests data decryption, the current condition should be checked first to get the corresponding access tree, and then data decryption can be continued.
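The following added example (not code from the paper or from the CP-ABE toolkit) works through the access-tree secret sharing of Section 3 and the condition lookup described above, directly over Z_p with no pairing groups. Assumptions: the modulus P, the tuple encoding of trees, each attribute appearing once per tree, and selecting a tree by equality of the condition product; the paper's own tree-id query is not reproduced, and the attribute and condition names are constructed.

```python
import secrets
from math import prod

P = 2**127 - 1  # prime standing in for the group order (assumption)

def share(node, secret, out):
    """Top-down sharing; node is ("leaf", attr) or ("gate", k, children)."""
    if node[0] == "leaf":
        out[node[1]] = secret
        return out
    _, k, children = node
    # Random polynomial of degree k-1 with q(0) = secret; child i gets q(i).
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    for i, child in enumerate(children, start=1):
        y = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, out)
    return out

def interpolate_at_zero(points):
    """Lagrange interpolation of q(0) from {index: q(index)} over Z_P."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(node, shares, attrs):
    """Bottom-up recovery; None when attrs do not satisfy this node."""
    if node[0] == "leaf":
        return shares[node[1]] if node[1] in attrs else None
    _, k, children = node
    points = {}
    for i, child in enumerate(children, start=1):
        y = recover(child, shares, attrs) if len(points) < k else None
        if y is not None:
            points[i] = y
    return interpolate_at_zero(points) if len(points) == k else None

def condition_value(primitives, values):
    """AND of primitives = product of their fixed values (mod P assumed)."""
    return prod(values[c] for c in primitives) % P

def add_tree(ct, condition, values, tree, secret):
    """Attach one more access tree to ct, identified by its condition."""
    key = condition_value(condition, values)
    if key in ct:
        raise ValueError("condition already identifies another tree")
    ct[key] = (tree, share(tree, secret, {}))

def open_tree(ct, current_condition, values, attrs):
    """Select the tree for the current condition, then rebuild its secret."""
    entry = ct.get(condition_value(current_condition, values))
    if entry is None:
        return None  # no access tree is valid under this condition
    tree, shares = entry
    return recover(tree, shares, attrs)

# Constructed sample data (not from the paper).
VALUES = {c: secrets.randbelow(P - 2) + 2 for c in ("rain", "congestion", "accident")}
T1 = ("gate", 2, [("leaf", "police"),                      # police AND (A OR B)
                  ("gate", 1, [("leaf", "district_A"), ("leaf", "district_B")])])
T2 = ("gate", 2, [("leaf", "ambulance"), ("leaf", "hospital"), ("leaf", "traffic_dept")])
S1, S2, CT = secrets.randbelow(P), secrets.randbelow(P), {}
add_tree(CT, ["rain", "congestion"], VALUES, T1, S1)
add_tree(CT, ["accident"], VALUES, T2, S2)
```

In the scheme itself the leaf shares sit in the exponents of group elements and a receiver can only use the leaves for which the private key holds a component; the `attrs` membership test stands in for that here.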

The Proposed System
5.1. System Model. In our system, four entities are included, namely, cloud servers (CS), data owners (DOs), data receivers (DRs), and Trust Center Authority (TCA), as shown in Figure 2.
Generally, cloud servers are assumed to be semitrusted. We employ them to be in charge of storing our encrypted data. Data owners and data receivers are either vehicles or nonmobile users. The former decide the access policies and the corresponding conditions, outsourcing their storage to CS after encrypting. The latter submit the requests to CS and obtain their secret keys that are related to the attributes from TCA. Only when their attributes satisfy the access policies of data can they correctly decrypt the ciphertext. TCA takes responsibility for evaluating DRs and assigns a set of attributes to DRs. In addition, conditions will be managed, determined, and finally transmitted to DRs by TCA.
In this paper, we allow DOs to add extra access trees and conditions to their own ciphertexts. Each access tree is related to one or several conditions. Only when its corresponding condition is satisfied can it be valid.

Security Model. The following is a security game between adversary A and challenger C.
Init. A first chooses a challenge access structure AS * and sends it to C.
Setup. C runs this algorithm and gives the public parameters PK to the adversary A.
Phase 1.A issues queries for repeated private keys corresponding to sets of attributes  1 , . . .,   1 ( and  1 are integers that are randomly chosen by A and 1 <  1 < ).
(i) If any of the sets  1 , . . .,   1 satisfies the access structure AS * , then it is aborted.(ii) Else, C generates the corresponding secret keys to the sets for A.
Challenge.A submits two equal length messages  0 and  1 to C. C randomly flips a coin  and encrypts   under the challenge access structure AS * .Then the generated ciphertext CT * will be given to A.
Guess.The adversary A outputs a guess   of .
The advantage of an adversary A in this game is defined as Adv(A) = |Pr[  = ] − 1/2|.

Our Construction.
Our construction is based on the ciphertext-policy attribute-based encryption in [7]. In this section, we will describe the details of each algorithm.

Encryption.
As shown in Figure 3, the original access tree is rooted at node   ( denotes the id of the access tree), and the new root node is    .At first, DO calls the data encryption subroutine to encrypt the plaintext into ciphertexts under access policies expressed in access tree structure.Compared with [7], we add a new root node and insert an extra node that denotes condition and its signature.
(i) (, , T ,   ) → ,.The encryption subroutine takes as inputs public key PK, message , access structure T , symmetric encryption keys  1 and  2 , and condition   and then outputs ciphertext CT and its CID.In this algorithm, it requires several steps to get CT being generated properly.
A Encrypt Data.DO receives message , condition   , and one access policy.The encryption algorithm encrypts  under the access structure T .From root node    to the subtree rooted at   , this encryption algorithm is similar to that Bethencourt et al. described in [7].
First, the algorithm chooses a random number   ∈ Z  for root node    , which means     (0) =   .Then it generates polynomial for each interior node and computes (let  be the set of leaf nodes in T ) C =  (, ) B Generate CID.Simultaneously, When DO would like to add an extra access structure T+1 to his ciphertext, he first searches for the ciphertext from CS according to the CID and reencrypts it rather than reencrypting its original plaintext.What is different from before is that the part of the ciphertext associated with  is no longer involved in encryption.Thus, the computation burden is reduced.
Equally, the algorithm selects a random number  +1 ∈ Z  for the new access tree T+1 and computes according to CID: M is encrypted under only one of the access trees; we generally set C1 = (, )  1 .
C Generate a Signature and Share It.Obviously, the threshold relation of    is AND.Suppose that the polynomial of    is  ,  =  +   ( is randomly chosen by the algorithm).ESP randomly chooses a number   ∈ Z  and makes the following calculation: Sig  can be viewed as a signature from DO. Assume the threshold relation of the node   is  of ; we first share Sig  with (, ) secret sharing scheme in [35] and then generate  pairs of ( , ,  , ) 1≤≤ .
As we know, the node   holds  branches, and each branch holds several attributes.Thus, all the attributes can be divided into  disjoint sets that are shown in Figure 4.
We distribute ( , ,  , ) 1≤≤ to the sets that are shown as follows.
Distribution of the shares: We introduce a one-dimensional array   [] 1≤≤ for each access tree T and assign each attribute a unique number from 1 to .According to the shares and sets, we set D Record the Corresponding Condition.Condition   associated with this tree is {  ,   ,   , . ..}.In our system, we consider that one condition term only relates to one access tree.For each  ∈   , the algorithm computes Let   be the set of leaf nodes in T and  be the set of conditions.Finally, the complete ciphertext is as follows: ∈ , . ..) . (10)

Key Generation.
DR should legally register to the attribute authorities, which will assign some attributes to this DR. Before decryption, the authorities will generate a corresponding SK for DR based on his attributes. The algorithm is as follows.
(i) KeyGen(, , ) → .This algorithm will take a set of attributes  as input and output a key that identifies with that set.First, a random  ∈ Z  was chosen for the key and random   ∈ Z  for each attribute  ∈ .Then it computes the key as SK = ( =  (+)/ , D =   ,   =    ()  ,    =   , ∀ ∈ ) . (11)

Decryption.
When there is a DR requirement to decrypt a ciphertext, TCA will first evaluate the current condition and send the current condition term  0 = {  ,   ,   , . ..} to DR.
(a) Query Tree id( 0 , ) → ,   .DR gets condition term from TCA, according to the current conditions and CID that is requested by DR, computing as follows: This algorithm gets the corresponding access tree id  and a parameter   .
(c) Retrieve Sig(, , ) →   or ⊥.For each att  ∈ , it computes For each computation, the algorithm gets a pair of (, ) that is shown as follows.
Retrieve the shares: ( As we first share Sig  with (, ) secret sharing scheme, DR performs the polynomial interpolation and retrieves Sig  only based on no less than  different pairs of (, ).Otherwise, it outputs ⊥.
(d) (, , ,   ,   ,   ) →  or ⊥.Once   , Sig  , and Con  are retrieved, DR computes For the access tree rooted at node    , the algorithm can leverage the Lagrange interpolation and get  = (, )   .Then it computes Else, The algorithm decrypts  2 with  1 and recovers  by computing Otherwise, it outputs ⊥.

Security Analysis
We make the traditional CP-ABE more expressive by allowing DOs to add extra access trees and conditions as they like. To reduce the computation cost and storage overhead, we replace  with CID within the reencryption. And before decryption, condition values are to be computed first.
The modification of the ciphertexts and the way of decryption may affect the security of the system.
Theorem 3. If hash function  is collision resistant, our system is secure against chosen plaintext attack in the random oracle model.
Proof.Since ciphertexts are CID : CT, data that is exposed to the adversary is where  0 = .
We then use a random function  to replace the hash function .Therefore, the adversary A can obtain where  0 = .This scheme is named as the alternative scheme.
Finally, we construct an experiment to simulate the chosen plaintext attack here.
(1) A calls the encryption oracle to query a cipher for plaintext   in the probabilistic polynomial time; we run the alternative scheme and return (att(  )) ,  (0) , as the cipher, to the adversary.
(2) A chooses two messages  to the adversary.
(4) A continues to query some plaintexts which is the same as the first step.
There are two ways to win the experiment for the adversary.
(1)   can be recovered.This contradicts DL problem.
In summary, the adversary has only a negligible probability of winning the simulation experiment.
Furthermore, since the hash function cannot be distinguished from a random function in the random oracle model, the proposed system is secure against chosen plaintext attack.
The advantage of an adversary A is defined as We define negl() as a function that is negligible with a security parameter .We complete the proof.

Performance Evaluation
In this section, we analyze our proposed scheme numerically, mainly discussing the computation and storage overhead.

tree is found, the following steps are similar to CP-ABE; the overhead mainly occurs during computing each attribute of the tree. Total cost is proportional to the number of attributes in the tree. Thus, the complexity is (||).

Storage Overhead.
To realize more expressive access control, more storage cost has been inevitably introduced.One ciphertext is associated with more than one access tree.Only one tree's secret multiplies by , while others multiply by a parameter.Along with the increasing number of access trees, the size of ciphertext grows.However, it is of low storage overhead compared with the component C = (, )  in CT.
In addition, we create a one-dimensional array for each access tree in CT, whose length is equal to the number of the tree's leaf nodes. The total storage cost would not be a significant burden for CS.

Experimental Results.
With the help of the CPABEtoolkit [36], we evaluate the performance of our system and compare it with CP-ABE [7].
In order to strengthen the expression of access structure, we associate the ciphertext with more than one access tree. Compared with only one access tree in the traditional CPABE, introducing more trees may affect the time of encryption and decryption. However, we encrypt the message only once when it has more than one access tree; the other trees are multiplied with a parameter that includes decryption information. We set the size of the message as 1 G and the number of attributes in each tree as 100.
For the purposes of comparison, all the access trees have the same number of leaf nodes. Figure 5(a) shows the average time cost of [7] and our system within encryption. Figure 5(b) shows the average time cost of [7] and our system within decryption. From Figures 5(a) and 5(b), we can conclude that the average computation overheads in our system are lower than those in [7].
When considering that there is only one ciphertext, introducing extra access trees is bound to cause storage overhead. In the traditional CP-ABE scheme, more trees mean more ciphertexts, while in our system one ciphertext is associated with a few access trees. In this case, it is obvious that our system reduces the storage overhead since the other trees are multiplied by a parameter rather than a message. Figure 5(c) shows that along with the increasing number of access trees the ciphertext size of our system grows.
Obviously, there exists a roughly linear rise in the ciphertext size with the number of access trees, but even then it does not bring a high storage overhead when compared with the original ciphertext.

Conclusion
In this paper, we propose an expressive and fine-grained access control scheme C-CP-ABE in Vehicle Cloud Computing, making it possible for one ciphertext to be associated with more than one access tree, with different access trees under different conditions. DOs are allowed to add new access trees and new conditions to their ciphertexts flexibly. And a parameter that is calculated by ESP using  replaces , which can reduce the computation and storage overhead when adding other access trees. The detailed security and performance analysis have been stated. There are some failings in our system, such as conditions not being flexible enough. All of them will be our future work.

Figure 3: Structure of access tree in this paper.

Figure 4: Partition of the set.

Figure 5: (a) Comparison of the average encryption times between CPABE and our system, when the number of access trees is different. (b) Comparison of decryption times between CPABE and our system, when the number of access trees is different. (c) Changes in the ciphertext size of our system, when the number of access trees is different.
DO first encrypts  under an access tree, and the computation cost is proportional to the number of attributes in this tree.If the universal attributes set in T is  (|| denotes the total number of attributes in set ), for each element in , we need 2 exponentiation operations.Hence, total computation complexity is (||).Additionally, in C-CP-ABE, one ciphertext is allowed to be associated with more than one access tree; if there are  access trees, for each tree, computation cost is proportional to the number of attributes, and the total computation complexity is (||).