
Privacy preserving fine-grained location-based access control for mobile cloud

Yaser Baseri a,*, Abdelhakim Hafid a, Soumaya Cherkaoui b

a Department of Computer Science and Operations Research, Universite de Montreal, Canada
b INTERLAB Research Laboratory, Universite de Sherbrooke, Canada

Article info

Article history:

Received 16 February 2017

Accepted 30 October 2017

Available online 21 November 2017

Abstract

Mobile cloud computing is a revolutionary computing paradigm for mobile applications, which enables storage and computation migration from mobile users to resource-rich and powerful cloud servers. This migration causes some privacy issues in providing secure data storage, fine-grained access control and anonymity of users. Attribute-based encryption is an end-to-end public key encryption mechanism that ensures security of stored data in the cloud and provides fine-grained access control using defined policies and constraints. Location of a device is one of the contextual policies, which is used to improve data security, authenticate user and provide access to services and useful information. However, unlike other policies and attributes used in attribute-based encryption, location attribute is an intrinsic dynamic attribute. In this paper, we investigate providing Location-Based Services (LBSs) for attribute-based access control in mobile cloud. More specifically, we propose a multi-authority attribute-based access control scheme to support coexistence of authorities, provide anonymity of users and protect their identity against malicious authorities. The proposed scheme uses dynamic location of mobile users as contextual information about those users, employs location range constraints as a policy in attribute-based encryption and authorizes users with dynamic locations satisfying access policies. The proposed attribute-based encryption is integrated with proxy re-encryption to (a) transform secret information received from different authorities and protect users’ identities from disclosure to cloud server, and (b) outsource the computation to a cloud server with unlimited computational power. This results in achieving more efficiency and reducing the computation cost on resource-constrained mobile users.

© 2017 Elsevier Ltd. All rights reserved.

Keywords:

Location-based services

Dynamic location

Location anonymity

Attribute-based encryption

Outsourcing

1. Introduction

In some applications of mobile cloud, Location-Based Services (LBSs) are popular services provided by mobile devices and remote servers, in which users gain access to features (e.g. health, indoor object search, entertainment, work, personal life (Guo et al., 2008, 2012)) depending on their geographic location. LBSs adopt Data as a Service (DaaS) model (Hu et al., 2013); they are accessible by mobile devices, through the mobile network, and make use of the geographic positions of these devices.

In location-based services, location of a device represents one of the most important contextual information about that device and its owner; it is exploited to improve data security, and to support access to services and information provided by the cloud for mobile users. Indeed, by integrating access control mechanisms with conditions based on the physical position of users, we can improve data security and immunize users’ data against unauthorized accesses and disclosures. Furthermore, in some applications, we need this information to provide convenient services for mobile users based on their positions (e.g. social networking as an entertainment service which uses information on the geographical position of the mobile device).

* Corresponding author. E-mail address: [email protected] (Y. Baseri).

https://doi.org/10.1016/j.cose.2017.10.014
0167-4048/© 2017 Elsevier Ltd. All rights reserved.

Computers & Security 73 (2018) 249–265

The main challenge of location-based access control is the release of information only to authorized users satisfying predefined conditions; this is called fine-grained access control. In traditional access control approaches, to provide secure fine-grained access control and limit the release of information to authorized users, data owners should encrypt data for each user, which imposes high computational overhead. Attribute-Based Encryption (ABE) technique is a promising approach to achieve fine-grained access control (Goyal et al., 2006; Sahai and Waters, 2005). It provides access control over encrypted data using defined access policies and assigned set of attributes embedded in ciphertexts and secret keys. In particular, Ciphertext Policy ABE (CP-ABE) provides access such that encrypted data can be decrypted only by a user possessing a set of attributes. Thus, based on access policy embedded in ciphertext, different users are able to access different pieces of information based on the attributes they are assigned. Since ABE encrypts data without exact knowledge of receivers, it is suitable for large-scale systems.

Providing fine-grained access control for attribute-based encryption requires issuing different attributes for each user. Since each authority issues a bunch of attributes for each user, the employed ABE (CP-ABE) should support coexistence of multiple authorities. Multi-Authority ABE (MA-ABE) (Jiang et al., 2016; Jung et al., 2015; Lewko and Waters, 2011; Li et al., 2016; Yang and Jia, 2014) is more appropriate for location-based access control for cloud, as users hold attributes issued by different authorities. Moreover, in MA-ABE, instead of issuing a secret key by a single authority, each authority issues part of the key corresponding to a bunch of attributes it is responsible for. Hence, it can protect identity and provide anonymity of users.

Using MA-ABE in the context of LBSs introduces several challenges including (1) location anonymity: mobile users should not be traceable while using LBSs; (2) dynamic location update: locations of mobile users change over time; MA-ABE should support the dynamic update of location and key related to that location attribute; and (3) computational overhead on mobile devices (users): the execution of the scheme should not impose high computation cost on mobile users with limited resources.

1.1. Contributions

In this paper, aiming to address the above challenges, we propose a new Privacy Preserving Location-Based Access Control (PPLBAC) scheme for mobile clouds. The proposed PPLBAC provides the following properties:

• Confidentiality of stored data: We propose a fine-grained access control mechanism which provides access to encrypted data for authorized users satisfying predefined static and dynamic conditions.

• User anonymity protection against authorities: The proposed PPLBAC exploits secret sharing mechanism to share secret between authorities and provides a novel approach to support coexistence of multiple authorities, protect the identity of users against each authority and reduce the computation overhead on resource-constrained mobile users.

• Dynamic location updating of mobile users: Since the location is an attribute which should be dynamically updated, each time the location of a mobile user changes, the entire secret key of that user must be changed. Hence, we propose an efficient location updating method for mobile users without changing their entire secret keys.

• Location privacy for mobile users: To provide location privacy, we incorporate MA-ABE with comparative attribute-based encryption (Wang et al., 2015)¹ and proxy re-encryption to (a) simultaneously support location constraint (modeled as range policies) as well as other constraints (modeled as regular policies) in MA-ABE, and (b) transform secret information received from authorities such that cloud server would not be able to recognize users and their locations (even if all authorities collaborate).

• Low computational overhead on mobile users: Due to computation overhead, imposed by pairing operations in the decryption, ABE is not suitable for mobile cloud. To solve this problem, the proposed PPLBAC integrates MA-ABE with proxy re-encryption (Lai et al., 2013; Tysowski and Hasan, 2013) and offline big data processing mechanism (Fernandez et al., 2015; Rathore et al., 2015) and provides a new method to (a) outsource costly computational pairing operations in the decryption of MA-ABE to cloud server, (b) perform (offline just one time) the static part of computations at registration time and (c) perform the dynamic part of computations at access time.

To the best of our knowledge, this is the first work suitable for dynamic location-based access control in mobile cloud to achieve multi-authority and fine-grained access control, provide dynamic anonymous and unforgeable location and support confidentiality of users without imposing significant computational overhead on mobile devices. We also formally define and prove selective security of the proposed PPLBAC against chosen plaintext attacks. Finally, we evaluate PPLBAC to show its feasibility for location-based access control in mobile cloud.

1.2. Organization

The remainder of this paper is organized as follows. Section 2 presents the literature review related to our work. Section 3 presents some preliminaries. Section 4 discusses the system and security models. Section 5 describes the proposed scheme. Section 6 analyzes the security of the proposed PPLBAC and Section 7 evaluates its performance. Finally, Section 8 concludes the whole paper.

¹ The Boolean formulas that Wang et al. (2015) support have a more restrictive format (conjunctions of atomic formulas). Furthermore, it cannot support range attributes and regular attributes simultaneously.


2. Related work

Providing privacy preserving location-based services for mobile users while interacting with Location Service Provider (LSP) has two different aspects: (a) query privacy, which concerns the disclosure of sensitive information about the service query and (b) location privacy, which concerns the disclosure and misuse of location information of users (Pan et al., 2012). Location privacy is achieved using two approaches: (a) adding noise to location (e.g. expanding user’s location (Domingo-Ferrer, 2006) or generating multiple decoys at different locations (Yiu et al., 2008)); and (b) using the intermediate Trusted Third Party (TTP) between users and LSP (Lien et al., 2013; Shin et al., 2010). The first approach, which is TTP-free approach, causes redundancy while adding noise to location (Peng et al., 2014). In the second approach, which is based on TTP, an anonymizer, acting as an intermediary between the users and LSP, deletes the personal information of the users from the queries, hides the locations of the users, and filters false answers from LSP. In particular, it replaces the real location of each user by a cloaking area, in which, at least K users are located. Thus, the user’s location is indistinguishable from K − 1 other users’ locations (K-anonymity). This approach has some drawbacks including the exposure of exact locations of users by a malicious anonymizer, the continuous update of exact locations of users to compute cloaking area by anonymizer, and the revealing of the approximate location of users specially for low-dense areas (Schlegel et al., 2015).

Only a few privacy preserving techniques have been proposed for location-based access control in mobile cloud. In (Androulaki et al., 2014), the authors proposed a scheme based on the traditional access control in which the servers are trusted. The scheme uses onion encryption to increase the security and decrease trust level on servers; it also adds an encryption layer to model the time. To provide fine-grained access control, the data owner should encrypt data for each user causing high computation cost. Moreover, to support dynamic location update, a data owner should encrypt data corresponding to different eligible locations and times of access, causing further computation cost. In (Shao et al., 2014), the authors used ciphertext policy anonymous attribute-based encryption (Li et al., 2009) to provide location privacy, confidentiality of location-based service data and defined access policy. They assumed unlimited computational capacity for a cloud server and imposed high computational overhead on the server (exhaustive search on key space corresponding to a given location range). In their scheme, the location of a user is declared by that user, while a malicious user may cheat the location to get access to services he is not authorized to. Moreover, the authors assume that LSP, which provides location services, plays also the role of data owner that defines access policy and encrypts data. In (Zhu et al., 2013), the authors proposed a scheme, based on comparison-based encryption (Zhu et al., 2012), to construct a spatial-temporal predicate-based encryption by means of secure integer comparison. In their scheme, if a coarse location is not sufficiently dense, the scheme will not support required level of anonymity. Moreover, since the location of a device is declared by that device, a malicious user can cheat the location and get access to services he is not authorized to. Similar to (Shao et al., 2014), this scheme assumes that LSP plays also the role of data owner.

Therefore, existing location-based access control schemes suffer from several drawbacks: (1) high computational overhead on data owners to enforce access policies and encrypt data for each user (Androulaki et al., 2014); (2) declaring fake location by malicious users and getting ineligible access to services and information (Shao et al., 2014; Zhu et al., 2013); (3) breaking the location privacy of mobile users when the coarse locations are not sufficiently dense (Zhu et al., 2013); and (4) giving the role of data owner, that defines access policy and encrypts data, and LSP, that provides location services, to the same entity (Shao et al., 2014; Zhu et al., 2013).

To address the above mentioned issues, we propose a new Privacy Preserving Location-Based Access Control (PPLBAC) scheme. The proposed PPLBAC supports location privacy, location unforgeability, confidentiality of stored data, users’ anonymity against authorities and dynamic location update without imposing significant computational and communication overhead on mobile devices.

3. Preliminaries

In this section, first we briefly introduce composite order bilinear group. Next, we present Multi-Dimensional Range Derivation Functions (MDRDF). Finally, we give background information on tree access structure used to design the scheme.

3.1. Composite order bilinear map

Definition 1. (Composite Order Bilinear Map Group System (Boneh and Franklin, 2001; Boneh et al., 2005)). Let $p, q, p', q', s_1$ and $s_2$ be secret large primes, $N = pq$ be the public RSA modulus, $s = s_1 s_2$, $n' = p'q'$ and $n = sn'$ be secret, $\mathbb{G}$ and $\mathbb{G}_T$ be two cyclic bilinear groups of composite order $n = sn'$, $\alpha$ and $\beta$ be two random exponents in $\mathbb{Z}$, and $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear map with the following properties:

• Bilinearity: $\forall g_0, g_1 \in \mathbb{G}: e(g_0^{\alpha}, g_1^{\beta}) = e(g_0, g_1)^{\alpha\beta}$.

• Non-degeneracy: $e(g_0, g_1) \neq 1$.

• Computability: $\forall g_0, g_1 \in \mathbb{G}$, there is an efficient algorithm to compute $e(g_0, g_1)$.

We refer to the tuple $S_N = (N = pq, \mathbb{G}, \mathbb{G}_T, e)$ as the RSA-type bilinear map group system of composite order $n = sn'$.

Proposition 1. Let $\mathbb{G}_s$ and $\mathbb{G}_{n'}$ denote the subgroups of order $s$ and $n' = p'q'$ in $\mathbb{G}$ respectively. For $g \in \mathbb{G}_s$ and $h \in \mathbb{G}_{n'}$, $e(g, h)$ is the identity element in $\mathbb{G}_T$.

Proof. Let $\omega$ be a generator of $\mathbb{G}$. Then $\omega^{n'}$ and $\omega^{s}$ are generators of $\mathbb{G}_s$ and $\mathbb{G}_{n'}$ respectively. Hence, there exist $k_1$ and $k_2$ such that $g = (\omega^{n'})^{k_1}$ and $h = (\omega^{s})^{k_2}$. Thus,

$$e(g, h) = e\big((\omega^{n'})^{k_1}, (\omega^{s})^{k_2}\big) = e(\omega, \omega)^{k_1 k_2 s n'} = 1.$$


3.2. Multi-dimensional range derivation functions

The idea of multi-dimensional range derivation functions is using the “one-way” property to represent the total ordering relation of integers; this means that for two upper and lower bound integer values $(l_{i,j}, l_{i,k})$ and $(l'_{i,j}, l'_{i,k})$ of possible attribute ranges over attribute $A_i \in \mathcal{A}$ and two corresponding cryptographic values $v_{\{l_{i,j}, l_{i,k}\}}$ and $v_{\{l'_{i,j}, l'_{i,k}\}}$, if $l_{i,j} \le l'_{i,j}$ and $l_{i,k} \ge l'_{i,k}$, then it is easy to compute $v_{\{l'_{i,j}, l'_{i,k}\}}$ from $v_{\{l_{i,j}, l_{i,k}\}}$, while the reverse is hard (Wang et al., 2015).

Let $\mathbb{G}_{n'}$ be a multiplicative group of composite order $n' = p'q'$, $\varphi$ be a random generator in group $\mathbb{G}_{n'}$, where $\varphi^{n'} = 1$, $\{\lambda_i, \mu_i\}_{A_i \in \mathcal{A}}$ be the set of large random elements $\lambda_i$ and $\mu_i$ in $\mathbb{Z}^*_{n'}$, which are relatively prime to other elements in $\{\lambda_i, \mu_i\}_{A_i \in \mathcal{A}}$, $U = \{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}$ be the set of all lower and upper bounds for each attribute $A_i \in \mathcal{A}$, $\psi : U \to V$ be an order-preserving cryptographic mapping of $U$ to a set of cryptographic values $V$ of the form $v_{\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}}$ (a cryptographic value reflecting the integer values of range bounds over each attribute $A_i \in \mathcal{A}$) and $z$ be a maximum integer value that an element in $U$ can have. Then, we define the mapping function $\psi(\cdot)$ to map the integer set $U$ into $V$ as follows:

$$v_{\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}} = \psi\big(\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}\big) = \varphi^{\prod_{A_i \in \mathcal{A}} \lambda_i^{l_{i,j}} \mu_i^{z - l_{i,k}}} \in \mathbb{G}_{n'}.$$

Accordingly, multi-dimensional range derivation functionis defined as follows:

Definition 2. (Multi-Dimensional Range Derivation Function (Wang et al., 2015)). A function $F : V \to V$ based on set $U$ is defined as a multi-dimensional range derivation function if it satisfies the following conditions:

• Easy to compute: the function $F$ can be computed in polynomial time, i.e. if $l_{i,j} \le l'_{i,j}$ and $l_{i,k} \ge l'_{i,k}$, $\forall A_i \in \mathcal{A}$, then $v_{\{l'_{i,j}, l'_{i,k}\}_{A_i \in \mathcal{A}}} = F\big(v_{\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}}\big)$;

• Hard to invert: it is infeasible for any Probabilistic Polynomial Time (PPT) algorithm to compute $v_{\{l'_{i,j}, l'_{i,k}\}}$ from $v_{\{l_{i,j}, l_{i,k}\}}$ if $l_{i,j} > l'_{i,j}$ or $l_{i,k} < l'_{i,k}$.

Specifically, $F(\cdot)$ can be expressed as follows, for $l_{i,j} \le l'_{i,j}$ and $l_{i,k} \ge l'_{i,k}$:

$$v_{\{l'_{i,j}, l'_{i,k}\}} = F\big(v_{\{l_{i,j}, l_{i,k}\}}\big) = \Big(v_{\{l_{i,j}, l_{i,k}\}}\Big)^{\prod_{A_i \in \mathcal{A}} \lambda_i^{l'_{i,j} - l_{i,j}} \mu_i^{l_{i,k} - l'_{i,k}}} = \Big(\varphi^{\prod_{A_i \in \mathcal{A}} \lambda_i^{l_{i,j}} \mu_i^{z - l_{i,k}}}\Big)^{\prod_{A_i \in \mathcal{A}} \lambda_i^{l'_{i,j} - l_{i,j}} \mu_i^{l_{i,k} - l'_{i,k}}} = \varphi^{\prod_{A_i \in \mathcal{A}} \lambda_i^{l'_{i,j}} \mu_i^{z - l'_{i,k}}} \in \mathbb{G}_{n'}.$$

Fig. 1 shows that the function $F$ maps $v_{\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}}$ to $v_{\{l'_{i,j}, l'_{i,k}\}_{A_i \in \mathcal{A}}}$ if range relation $(l_{i,j}, l_{i,k}) \subseteq (l'_{i,j}, l'_{i,k})$ is designated. In the case that range relation $(l'_{i,j}, l'_{i,k}) \subseteq (l_{i,j}, l_{i,k})$ is designated, we just need to use $v_{\{l_{i,k}, l_{i,j}\}_{A_i \in \mathcal{A}}}$ and $v_{\{l'_{i,k}, l'_{i,j}\}_{A_i \in \mathcal{A}}}$ instead of $v_{\{l_{i,j}, l_{i,k}\}_{A_i \in \mathcal{A}}}$ and $v_{\{l'_{i,j}, l'_{i,k}\}_{A_i \in \mathcal{A}}}$ respectively (see Fig. 2).
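As an added worked example (not the paper's code), the following Python toy instantiates the mapping $\psi$ and the derivation function $F$ of Definition 2 with tiny constructed parameters: $\mathbb{G}_{n'}$ is modelled as the order-35 subgroup of $\mathbb{Z}_{71}^*$, and the names `psi`, `derive`, `can_derive` and all constants are this example's own. Because $n'$ is public in the toy, it demonstrates only the easy direction of $F$ and the containment check that separates it from the hard direction.

```python
"""Toy multi-dimensional range derivation function (MDRDF) in the style of
Section 3.2. Constructed example with tiny parameters, not the paper's code;
n' is public here, so only the 'easy to compute' direction is meaningful."""
from math import prod

# Constructed toy parameters. G_{n'} is modelled as the order-n' subgroup of
# Z_71^*, whose order 70 = 2 * 5 * 7 is divisible by n' = p'q' = 5 * 7.
P_PRIME = 71          # field prime for the toy group (assumption of this example)
N_PRIME = 35          # n' = p'q', the group order that the real scheme keeps secret
Z_MAX = 10            # z: the largest integer any range bound may take
LAMBDA = (2, 3)       # lambda_i for attributes A_1, A_2 (elements of Z_{n'}^*)
MU = (11, 13)         # mu_i for A_1, A_2; pairwise coprime with each other and LAMBDA


def element_of_order(n_prime: int, p: int, factors=(5, 7)) -> int:
    """Return phi in Z_p^* whose exact order is n_prime (needs n_prime | p-1)."""
    cofactor = (p - 1) // n_prime
    for g in range(2, p):
        phi = pow(g, cofactor, p)
        # phi^{n'} = 1 and no proper divisor of n' already kills it
        if pow(phi, n_prime, p) == 1 and all(pow(phi, n_prime // q, p) != 1 for q in factors):
            return phi
    raise RuntimeError("no element of the requested order")


PHI = element_of_order(N_PRIME, P_PRIME)   # the generator phi, phi^{n'} = 1


def range_exponent(ranges, lam=LAMBDA, mu=MU, z=Z_MAX) -> int:
    """prod_i lambda_i^{l_{i,j}} * mu_i^{z - l_{i,k}} for ranges [(l_{i,j}, l_{i,k}), ...]."""
    for lo, hi in ranges:
        if not 0 <= lo <= hi <= z:
            raise ValueError(f"bad range {(lo, hi)}")
    return prod(lam[i] ** lo * mu[i] ** (z - hi) for i, (lo, hi) in enumerate(ranges))


def psi(ranges) -> int:
    """psi: U -> V; the cryptographic value v_{{l_{i,j}, l_{i,k}}} = phi^{range_exponent}."""
    return pow(PHI, range_exponent(ranges), P_PRIME)


def can_derive(old_ranges, new_ranges) -> bool:
    """Easy direction of F: every new range lies inside the corresponding old one."""
    return all(new_lo >= lo and new_hi <= hi
               for (lo, hi), (new_lo, new_hi) in zip(old_ranges, new_ranges))


def derive(v: int, old_ranges, new_ranges, lam=LAMBDA, mu=MU) -> int:
    """F: derive the value for new_ranges from v = psi(old_ranges).

    Cheap only when l_{i,j} <= l'_{i,j} and l_{i,k} >= l'_{i,k} for every attribute;
    then the exponent prod_i lambda_i^{l'_{i,j}-l_{i,j}} mu_i^{l_{i,k}-l'_{i,k}} is an
    ordinary integer. Widening a range would need lambda_i^{-1} or mu_i^{-1}
    modulo the order n', which the real scheme keeps secret.
    """
    if not can_derive(old_ranges, new_ranges):
        raise ValueError("range not contained: derivation is the hard direction")
    exponent = 1
    for i, ((lo, hi), (new_lo, new_hi)) in enumerate(zip(old_ranges, new_ranges)):
        exponent *= lam[i] ** (new_lo - lo) * mu[i] ** (hi - new_hi)
    return pow(v, exponent, P_PRIME)


def derivation_matches(old_ranges, new_ranges) -> bool:
    """True when F(v_old) equals the value computed directly from new_ranges."""
    return derive(psi(old_ranges), old_ranges, new_ranges) == psi(new_ranges)


if __name__ == "__main__":
    # A_1 in [2, 8], A_2 in [1, 9] narrowed to A_1 in [3, 6], A_2 in [4, 5]
    print(derivation_matches([(2, 8), (1, 9)], [(3, 6), (4, 5)]))   # True
```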

3.3. Tree access structure

To enforce fine-grained access control and describe encryption policy, we adapt a tree access structure, defined in (Bethencourt et al., 2007), to our scheme. Let $\mathcal{A}_u$ be a user’s set of attributes, $\mathcal{T}$ be a tree with root $R$ representing an access structure, $\mathcal{T}_x$ be a sub-tree of $\mathcal{T}$ rooted at node $x$, $att(x)$ denote the attribute associated with the leaf node $x$, $num_x$ be the number of child nodes of non-leaf node $x$, and $k_x$ be a threshold value $0 \le k_x \le num_x$. Then, node $x$ is assigned a true value if at least $k_x$ child nodes of $x$ have been assigned true value. Particularly, the node becomes an OR gate when $k_x = 1$ and an AND gate when $k_x = num_x$.

Definition 3. (Satisfying a Tree Access Structure). If user’s attribute set $\mathcal{A}_u$ satisfies the tree access structure $\mathcal{T}$ or the node $x$, we denote it as $\mathcal{T}(\mathcal{A}_u) = 1$ or $\mathcal{T}_x(\mathcal{A}_u) = 1$ respectively. $\mathcal{T}_x(\mathcal{A}_u)$ can be calculated recursively as follows: If $x$ is a leaf node, then $\mathcal{T}_x(\mathcal{A}_u)$ is equal to 1 if and only if $att(x) \in \mathcal{A}_u$. If $x$ is a non-leaf node, then $\mathcal{T}_x(\mathcal{A}_u)$ is equal to 1 when at least $k_x$ child nodes of $x$ return 1. $\mathcal{T}(\mathcal{A}_u) = 1$ if and only if $\mathcal{T}_R(\mathcal{A}_u) = 1$.
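An added example (not the paper's code) of evaluating $\mathcal{T}_x(\mathcal{A}_u)$ recursively as in Definition 3: threshold gates carry $k_x$ of $num_x$ children, with $k_x = 1$ an OR gate and $k_x = num_x$ an AND gate. The policy, the attribute names and the helper names `Leaf`, `Gate` and `satisfies` are constructed for illustration.

```python
"""Recursive evaluation of the tree access structure of Definition 3.
Added example, not the paper's code: a gate node x is satisfied when at least
k_x of its num_x children are satisfied; a leaf when att(x) is in A_u."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    attribute: str                   # att(x), the attribute of leaf node x


@dataclass(frozen=True)
class Gate:
    k: int                           # threshold k_x, 0 <= k_x <= num_x
    children: Tuple["Node", ...]     # the num_x child nodes

    def __post_init__(self) -> None:
        if not 0 <= self.k <= len(self.children):
            raise ValueError("threshold k_x must satisfy 0 <= k_x <= num_x")


Node = Union[Leaf, Gate]


def satisfies(node: Node, attrs: FrozenSet[str]) -> bool:
    """T_x(A_u): a leaf is 1 iff att(x) in A_u; a gate is 1 iff >= k_x children are 1."""
    if isinstance(node, Leaf):
        return node.attribute in attrs
    return sum(satisfies(child, attrs) for child in node.children) >= node.k


def OR(*children: Node) -> Gate:     # k_x = 1
    return Gate(1, tuple(children))


def AND(*children: Node) -> Gate:    # k_x = num_x
    return Gate(len(children), tuple(children))


# Constructed policy; attribute names are illustrative. The paper's location
# range constraint is represented here by plain attribute leaves, since
# Definition 3 only tests att(x) in A_u (assumption of this example).
POLICY: Node = AND(
    Leaf("role:physician"),
    OR(Leaf("dept:cardiology"), Leaf("dept:emergency")),
    Gate(2, (Leaf("loc:campus-A"), Leaf("loc:ward-3"), Leaf("time:on-shift"))),
)


def policy_decision(policy: Node, attrs: Iterable[str]) -> bool:
    """T(A_u) = T_R(A_u): evaluate the whole tree from its root R."""
    return satisfies(policy, frozenset(attrs))


if __name__ == "__main__":
    user = {"role:physician", "dept:emergency", "loc:campus-A", "time:on-shift"}
    print(policy_decision(POLICY, user))   # True
```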

4. System and security models

In this section, we first present the system model and its architecture. Then, we describe the threat model and security assumptions about the entities in that architecture. Next, we describe the framework of the scheme and its functional model. Finally, we define the security model used for security analysis of our scheme.

4.1. System model

In the architecture used in PPLBAC, there are four entities (see Fig. 3): $K$ Attribute Authorities ($AA_i$) including Location Service Provider (LSP), User (U), Cloud Service Provider (CSP) and Data Owner (DO). Attribute authorities $AA_i$ ($1 \le i \le K$, including LSP) collaborate to issue a set of public parameters and generate sets of secret keys and delegation keys for mobile users according to their attributes. DO defines access policy containing location range constraints, encrypts data based on that policy and uploads it to CSP. Each attribute authority $AA_i$, independent of other authorities, is responsible for managing a set of attributes for mobile users in its domain. More specifically, LSP is responsible for managing dynamic contextual attributes for mobile users including location and time of access attempt. Users send their query including location and time of access attempt provided by LSP beside other attributes, issued by other attribute authorities, to CSP. CSP defines real-time time of access. If time of access attempt falls in the same slot as time of access, CSP will be able to partially decrypt data (based on attributes embedded in access request and access policy associated with ciphertext) to outsource computation cost of decryption. It generates responses and sends them back to users. Finally, authorized users will be able to decrypt the received data.

Fig. 1 – $F(v_{\{l_{i,j}, l_{i,k}\}}) = v_{\{l'_{i,j}, l'_{i,k}\}}$, if $(l_{i,j}, l_{i,k}) \subseteq (l'_{i,j}, l'_{i,k})$.

Fig. 2 – $F(v_{\{l_{i,k}, l_{i,j}\}}) = v_{\{l'_{i,k}, l'_{i,j}\}}$, if $(l'_{i,j}, l'_{i,k}) \subseteq (l_{i,j}, l_{i,k})$.

4.2. Threat model

In the threat model used in LBSs, CSPs are assumed to be honest but curious in practice (Yu et al., 2010). That means that CSPs will faithfully follow the proposed scheme, but can launch passive attacks to get as much secret information as possible. Hence, the data stored in the cloud should remain encrypted all the time and any required transformation should not reveal the plaintext in the process. Users who want to receive LBSs, while keeping their location information secret, may be malicious, forge their real locations and collude to escalate access rights to get services not entitled to them. Attribute authorities $AA_i$ ($1 \le i \le K$) are assumed to be semi-honest in the sense that they will not collude all together and the system can tolerate compromising at most $(K - 2)$ of them. Each $AA_i$ is in charge of a subset of the whole attribute set and, for each attribute that it is in charge of, it knows the exact information of the key requester. Hence, by aggregating this information from all authorities, the complete attribute set of the key requester is recovered and thus his identity will be disclosed to all authorities. LSP, which provides location access right for each user and knows location information of each user, is assumed to be honest. We assume that the communication channels are secure and packets are untraceable when queries and information are transmitted on these channels. This assumption can be realized using Secure Socket Layer (SSL) or some other techniques (Wang et al., 2013a, 2013b).

4.3. Framework

The framework of PPLBAC contains seven algorithms and is performed in five phases: setup, key generation, encryption, access request, and decryption.

Setup Phase. It consists of executing Setup algorithm by a trusted Certificate Authority (CA) in collaboration with attribute authorities $AA_i$ ($1 \le i \le K$):

• $Setup(\mathcal{U}, \Lambda) \to (GPP, \{MK_{a_i}\}_{1 \le i \le K})$: The setup algorithm takes as input an attribute universe $\mathcal{U}$ and an implicit security parameter $\Lambda$. It sets global public parameters $GPP$ as well as a master secret key $MK_{a_i}$ for each attribute authority $AA_i$.

Key Generation Phase. It consists of executing KeyGeneration algorithm to assign secret keys and delegation keys to mobile users in two rounds: the first round is attribute key generation, which is performed by attribute authorities including LSP during registration, and the second round is location key generation, which is performed by LSP while attempting to access the cloud.

• $KeyGeneration(GPP, \{MK_{a_i}\}_{1 \le i \le K}, \mathcal{A}_u) \to (SK_U, DK_U)$: For user U, the key generation algorithm takes the global public parameters $GPP$, $AA_i$’s master secret key $MK_{a_i}$ and user’s attribute set $\mathcal{A}_u$ as input. It generates a secret key $SK_U$ and a delegation key $DK_U$ corresponding to the input attribute set $\mathcal{A}_u$.

Encryption Phase. In this phase, data owner first encrypts the target file with a content key $ak$ by using symmetric encryption methods. Then, it collaborates with CSP to encrypt the content key $ak$ by running the following Encryption algorithm:

• $Encryption(GPP, \mathcal{T}, ak) \to (CT_1, CT_2)$: The encryption algorithm takes as input the global public parameters $GPP$, a tree access structure $\mathcal{T}$ determining access policy and a content key $ak$. It calculates $CT_1 = ENC_{ek}(ak)$ using a predefined symmetric encryption function $ENC_{\cdot}(\cdot)$, the content key $ak$ and the session key $ek$ embedded in $CT_2$ and publishes the ciphertext $CT = (CT_1, CT_2)$ as output.

Fig. 3 – Architecture of the system (LSP: Location Service Provider, U: User, $AA_i$: i-th Attribute Authority, CSP: Cloud Service Provider, DO: Data Owner).

Access Request Phase. In access request phase, authorized users send their access requests, for target files, in addition to blinded versions of their secret keys and delegation keys to CSP. In this phase, KeyGenOut algorithm is executed to transform the assigned secret and delegation keys in two rounds: (1) attribute key transformation during registration and (2) location key transformation while attempting to access the cloud.

• $KeyGenOut(GPP, SK_U, DK_U) \to (SK_U^{1/b}, DK_U^{1/b}, b)$: The algorithm takes as input the global public parameters $GPP$, secret key $SK_U$ and delegation key $DK_U$ of user U. It returns as outputs blinded versions of its secret key (i.e. $SK_U^{1/b}$) and delegation key (i.e. $DK_U^{1/b}$), which will be sent to CSP, and a secret retrieving key (i.e. $b$), which is known only by that user.

Decryption Phase. In the decryption phase, CSP checks the eligibility of user U to access the target file. If the access policy defined for the target file is satisfied by U, CSP will compute a blinded session key $ek^{1/b}$ and send it to U. Unblinding the blinded session key $ek^{1/b}$, U computes the content key $ak$ and accesses the encrypted target file. This process consists of the following three algorithms:

• $DecDeligation(DK_U^{1/b}, \mathcal{L}_P) \to (DK_P^{1/b})$: The algorithm takes as input a blinded delegation key $DK_U^{1/b}$ corresponding to mobile user’s location $\mathcal{L}_U$ and a specified set of attributes $\mathcal{L}_P$ determining location range privilege. It returns a blinded delegation key $DK_P^{1/b}$ corresponding to location range privilege $\mathcal{L}_P$.

• $DecryptionOut(SK_U^{1/b}, DK_P^{1/b}, CT) \to (ek^{1/b})$: The algorithm takes as input a blinded secret key $SK_U^{1/b}$, a blinded derivation key $DK_P^{1/b}$ and a ciphertext $CT$. It computes a blinded session key $ek^{1/b}$.

• $DataAccessOut(ek^{1/b}, b, CT) \to (ak)$: The algorithm takes as input a blinded session key $ek^{1/b}$, a retrieving key $b$ and a ciphertext $CT$. It returns a content key $ak$.

In the framework mentioned above, instead of computing the session key $ek$, calculating the content key $ak$ and decrypting the target file by a mobile user in the decryption process, the user outsources the decryption process to the cloud server with unlimited computational capability: (1) The user sends blinded versions of its secret key ($SK_U^{1/b}$) and delegation key (i.e. $DK_U^{1/b}$) to CSP; (2) In response, CSP computes blinded version of session key $ek$ (i.e. $ek^{1/b}$) and sends it back to the user; (3) the user unblinds the blinded key $ek^{1/b}$ by raising it to the secret retrieving key $b$, known only by that user, and determines $ek$. In a similar way, the framework of PPLBAC without outsourced decryption consists of the following six algorithms:

• Setup$(U, \Lambda) \to (GPP, \{MK_{a_i}\}_{1 \le i \le K})$ takes as input an attribute universe U and an implicit security parameter Λ. It outputs global public parameters GPP and a master secret key $MK_{a_i}$ for each attribute authority $AA_i$.

• KeyGeneration$(GPP, \{MK_{a_i}\}_{1 \le i \le K}, A_u) \to (SK_U, DK_U)$ takes as input the global public parameters GPP, the $AA_i$'s master secret key $MK_{a_i}$ and a user's attribute set $A_u$. It outputs a secret key $SK_U$ and a decryption delegation key $DK_U$ corresponding to the input attribute set $A_u$.

• Encryption$(GPP, T, ak) \to (CT_1, CT_2)$ takes as input the global public parameters GPP, a tree access structure T, and a content key ak. It calculates $CT_1 = ENC_{ek}(ak)$ using the pre-defined symmetric encryption function $ENC_{(\cdot)}(\cdot)$, the content key ak and a session key ek embedded in $CT_2$. It returns the ciphertext $CT = (CT_1, CT_2)$ as output.

• DecDelegation$(DK_U, L_P) \to (DK_P)$ takes as input a delegation key $DK_U$ corresponding to the mobile user's location $L_U$ and a specified set of attributes $L_P$ determining the location range privilege, and returns as output a delegation key $DK_P$ corresponding to location range privilege $L_P$. The functionality of this algorithm is exactly similar to the DecDelegation algorithm defined earlier, but with different input and corresponding output.

• Decryption$(SK_U, DK_P, CT) \to (ek)$ takes as input a secret key $SK_U$, a derivation key $DK_P$ and a ciphertext CT. It returns a session key ek as output.

• DataAccess$(ek, CT) \to (ak)$ takes as input a session key ek and a ciphertext CT. It returns a content key ak as output.

4.4. Security model

In this section, we formally define the security of the proposed scheme against chosen plaintext attacks. We define Game 1 and Game 2 to describe selective security under chosen plaintext attacks for PPLBAC without and with outsourced decryption, respectively. We will use Game 1 and Game 2 in Section 6 to prove the security of the proposed scheme. Without loss of generality, we assume that the symmetric encryption function $ENC_{ek}(\cdot)$, used to encrypt the content key ak, is secure, and we prove selective security and indistinguishability against chosen plaintext attacks for the ciphertext header; accordingly, we assume that the two chosen plaintexts are $M_0 = ak_0$ and $M_1 = ak_1$.

Game 1. The selective security and indistinguishability against chosen plaintext attacks (IND-CPA) for PPLBAC without outsourced decryption is defined by the following game:

Initialization. The adversary A declares the set of at most (K − 2) compromised authorities $AA_i$ that are under his control. The remaining authorities are controlled by the challenger C. A also commits a tree access structure T for the game.

Setup. C and A jointly run the Setup algorithm to obtain the valid parameters.

Learning 1. A is able to query for an arbitrary number (i.e. q) of secret keys and delegation keys corresponding to chosen attribute sets $A_{u_1}, \ldots, A_{u_q}$ for a selected number of users $\{U_1, \ldots, U_q\}$. These attribute sets are disjointly issued by all authorities $AA_i$ ($i \in \{1, \ldots, K\}$), but none of them satisfies the tree access structure T. A is also allowed to query the challenger C by invoking the DecDelegation algorithm for an arbitrary number of delegation keys $DK_U$, locations $L_U$ and location range privileges $L_P$ over all location dimensions. Furthermore, A can conduct an arbitrary number of computations, using its own (or compromised) secret keys, delegation keys and public keys.

Challenge. A sends two distinct chosen plaintexts $M_0$ and $M_1$ to the challenger C. The challenger selects a bit $\varpi \in \{0, 1\}$ uniformly at random, encrypts $M_\varpi$ with respect to tree access structure T and returns the result to A.

Learning 2. A continues to repeat Learning 1 adaptively.

Response. A outputs a guess $\varpi'$ of $\varpi$.

Definition 4. PPLBAC without outsourced decryption is selectively secure and indistinguishable against chosen plaintext attacks (IND-CPA) if all probabilistic polynomial time adversaries have only a negligible advantage in the above game. An adversary is said to have the advantage ε if it wins the game with probability $\Pr[\varpi' = \varpi] = \frac{1}{2} + \varepsilon$.

Game 2. The selective security and indistinguishability against chosen plaintext attacks (IND-CPA) for PPLBAC with outsourced decryption is defined by the following game:

Initialization. The adversary A declares the set of at most (K − 2) compromised authorities $AA_i$ that are under his control. The remaining authorities are controlled by the challenger C. A also commits a tree access structure T for the game.

Setup. C and A jointly run the Setup algorithm to obtain the valid parameters.

Learning 1. A is able to query for an arbitrary number (i.e. p) of secret keys and delegation keys corresponding to chosen attribute sets $A_{u_1}, \ldots, A_{u_p}$ for a selected number of users $\{U_1, \ldots, U_p\}$. It is also allowed to query for an arbitrary number (i.e. q − p) of blinded secret keys and blinded delegation keys corresponding to attribute sets $A_{u_{p+1}}, \ldots, A_{u_q}$ for a selected number of users $\{U_{p+1}, \ldots, U_q\}$. These attribute sets are disjointly issued by all authorities $AA_i$ ($i \in \{1, \ldots, K\}$), but none of them satisfies the tree access structure T. A is also allowed to query the challenger C by invoking the DecDelegation algorithm for an arbitrary number of delegation keys $DK_U$ (and also blinded delegation keys $DK_U^{1/b}$), locations $L_U$ and location range privileges $L_P$ over all location dimensions. Furthermore, A can conduct an arbitrary number of computations, using its own (or compromised) secret keys (or blinded secret keys), delegation keys (or blinded delegation keys) and public keys.

Challenge. A sends two distinct chosen plaintexts $M_0$ and $M_1$ to the challenger C. The challenger selects a bit $\varpi \in \{0, 1\}$ uniformly at random, encrypts $M_\varpi$ with respect to tree access structure T and returns the result to A.

Learning 2. A continues to repeat Learning 1 adaptively.

Response. A outputs a guess $\varpi'$ of $\varpi$.

Definition 5. PPLBAC with outsourced decryption is selectively secure and indistinguishable against chosen plaintext attacks (IND-CPA) if all probabilistic polynomial time adversaries have only a negligible advantage in the above game. An adversary is said to have the advantage ε if it wins the game with probability $\Pr[\varpi' = \varpi] = \frac{1}{2} + \varepsilon$.

5. The proposed scheme: a detailed description

There are five entities in the scheme: K Attribute Authorities ($AA_i$) including LSP, User (U), Cloud Service Provider (CSP) and Data Owner (DO). The scheme consists of five phases: setup, key generation, encryption, access request, and decryption.

5.1. Setup phase

In the setup phase, which is performed by a trusted Certificate Authority (CA) and the attribute authorities $AA_i$ (1 ≤ i ≤ K), some parameters are fixed. It is assumed that the public keys corresponding to attribute authorities $AA_i$ (1 ≤ i ≤ K) are certified by CA, i.e. each authenticated participant should be able to provide its digital certificate if asked. The setup algorithm consists of two steps.

Step 1. The certificate authority CA

• Chooses a bilinear map group system $S = (N = pq, \mathbb{G}, \mathbb{G}_T, e(\cdot, \cdot))$ of composite order $n = s n'$.

• Chooses two subgroups $\mathbb{G}_s$ with order s and $\mathbb{G}_{n'}$ with composite order $n' = p'q'$ of $\mathbb{G}$, where p′ and q′ are two large prime numbers.

• Selects random generators $\omega \in \mathbb{G}$, $g \in \mathbb{G}_s$ and $\phi \in \mathbb{G}_{n'}$ such that $e(g, \phi) = 1$ but $e(g, \omega) \neq 1$.

• Selects a public hash function $H : \{0, 1\}^* \to \mathbb{G}$ to map each binary attribute string into a group element in $\mathbb{G}$.

• Chooses $\lambda_i, \mu_i \in \mathbb{Z}^*_{n'}$ for each attribute $loc_i$ (the i-th dimension of location in the coordinate system, 1 ≤ i ≤ m) in the location attribute set A and ensures that $\lambda_i, \mu_i$ are relatively prime to all other elements $\lambda_j, \mu_j$ ($loc_j \in A \setminus \{loc_i\}$).

• Generates the global master key $GMK = (p', q', n)$ and sends it to each attribute authority $AA_i$ (1 ≤ i ≤ K).

• Chooses a random exponent $\beta \in \mathbb{Z}^*_n$, computes $h = \omega^{\beta}$ and $\eta = g^{1/\beta}$, and publishes $(S, g, \omega, h = \omega^{\beta}, \eta = g^{1/\beta}, \phi, \{\lambda_i, \mu_i\}_{loc_i \in A}, H(\cdot))$ as public parameters.

Step 2. Each attribute authority $AA_k$

• Chooses a random secret parameter $\alpha_k \in \mathbb{Z}^*_n$, computes $e(g, \omega)^{\alpha_k}$ and sends it to all other authorities.

• Selects randomly K − 1 integers $s_{kj} \in \mathbb{Z}^*_n$ ($j \in \{1, \ldots, K\} \setminus \{k\}$), computes $g^{s_{kj}}$ and shares it with all other authorities $AA_j$ ($j \in \{1, \ldots, K\} \setminus \{k\}$).

• Receives K − 1 pieces of $g^{s_{jk}}$ and $e(g, \omega)^{\alpha_j}$ generated by $AA_j$ ($j \in \{1, \ldots, K\} \setminus \{k\}$), computes $\zeta = e(g, \omega)^{\alpha} = \prod_{j \in \{1, \ldots, K\}} e(g, \omega)^{\alpha_j}$ (let $\alpha = \sum_{i=1}^{K} \alpha_i$) and publishes it as the authorities' public parameter.

• Chooses a random exponent $\tau_k \in \mathbb{Z}^*_n$ and publishes $\vartheta_k = \omega^{\tau_k}$ as the authority's public parameter. Aggregating the already published public parameters (by CA) along with the authorities' public parameters constructs the global public parameters $GPP = (S, g, \omega, \zeta = e(g, \omega)^{\alpha}, h = \omega^{\beta}, \eta = g^{1/\beta}, \{\vartheta_i = \omega^{\tau_i}\}_{1 \le i \le K}, \{\lambda_i, \mu_i\}_{loc_i \in A}, H(\cdot))$.

• Computes the authority secret key $SK_{a_k} \in \mathbb{Z}^*_n$ as follows:

$$SK_{a_k} = \frac{\prod_{j \in \{1, \ldots, K\} \setminus \{k\}} g^{s_{kj}}}{\prod_{j \in \{1, \ldots, K\} \setminus \{k\}} g^{s_{jk}}} = g^{\sum_{j \in \{1, \ldots, K\} \setminus \{k\}} s_{kj} \;-\; \sum_{j \in \{1, \ldots, K\} \setminus \{k\}} s_{jk}}$$

It is clear that these randomly produced integers satisfy $\prod_{k \in \{1, \ldots, K\}} SK_{a_k} = 1 \bmod n$. Aggregating the global master key along with the authority's secret parameters $\alpha_k$, $\tau_k$ and $SK_{a_k}$ constructs the master secret key for attribute authority $AA_k$ (i.e. $MK_{a_k} = (p', q', n, \alpha_k, \tau_k, SK_{a_k})$).

5.2. Key generation phase

When a new user U wants to access the system, he requests the attribute authorities to issue a secret key. The process of issuing the secret key is performed in two sub-phases: (1) Attribute Key Generation to issue the static part of the secret key during registration and (2) Location Key Generation to issue the dynamic contextual part of the secret key, while attempting to access the cloud. To reduce the access time overhead and achieve better performance, the static part of the computations (i.e. attribute key generation) is performed offline (just one time) during registration. Then, the results of these computations (performed at registration time) are used to perform the dynamic part of the computations (i.e. location key generation).

5.2.1. Attribute key generation

Attribute authorities $AA_i$ (1 ≤ i ≤ K, including LSP) collaborate to issue the static part of the secret key for each user, just one time during registration (in offline mode). This process consists of two steps.

Step 1. Each attribute authority $AA_k$

• Selects a random number $\gamma_k \in \mathbb{Z}^*_n$, computes $SK_{a_k} \cdot g^{\gamma_k}$ and $SK_{a_k} \cdot \eta^{(\alpha_k + \gamma_k)}$, and shares them with all other authorities $AA_i$ ($i \in \{1, \ldots, K\} \setminus \{k\}$).

• Receives K − 1 pieces of $SK_{a_i} \cdot g^{\gamma_i}$ and $SK_{a_i} \cdot \eta^{(\alpha_i + \gamma_i)}$ generated by $AA_i$ ($i \in \{1, \ldots, K\} \setminus \{k\}$).

• Computes $D_r = \prod_{i=1}^{K} SK_{a_i} \cdot g^{\gamma_i} = g^{\sum_{i=1}^{K} \gamma_i} = g^{r}$ and $D = \prod_{i=1}^{K} SK_{a_i} \cdot \eta^{(\alpha_i + \gamma_i)} = \eta^{\sum_{i=1}^{K} (\alpha_i + \gamma_i)} = \eta^{\alpha + r} = g^{\frac{\alpha + r}{\beta}}$ (let $r = \sum_{i=1}^{K} \gamma_i$).

• Sends D to user U.

Step 2. Each attribute authority $AA_k$ ($AA_k \neq$ LSP)

• Chooses a random number $r_j \in_R \mathbb{Z}^*_n$ for each attribute $att(j) \in A_u$ it is responsible for.

• Computes $D_j = \big(D_r \cdot H(att(j))^{r_j}\big)^{1/\tau_k} = \big(g^{r} H(att(j))^{r_j}\big)^{1/\tau_k}$ and $D'_j = \omega^{r_j}$ and sends them to user U.

5.2.2. Location key generation

It is performed by LSP to issue dynamic contextual attributes including location information and time of access while requesting access to the data stored on the cloud server. This is done in one step.

Step 1. The location service provider LSP

• Constructs location $L_U = \{[l_{i,u}, \bar{l}_{i,u}]\}_{loc_i \in A}$ for user U ($loc = (loc_1 \ldots loc_m)$), where $loc_i$ is the i-th dimension of location in the m-dimensional coordinate system.

• Chooses two random numbers $r_{loc} \in_R \mathbb{Z}^*_n$ and $r_{time} \in_R \mathbb{Z}^*_n$.

• Computes $D_{loc} = \big(g^{r} H(loc)^{r_{loc}}\big)^{1/\tau_{LSP}}$, $D'_{loc} = \omega^{r_{loc}}$, $D_{time} = \big(g^{r} H(time \| L_U)^{r_{time}}\big)^{1/\tau_{LSP}}$, $D'_{time} = \omega^{r_{time}}$.

• Computes $DK_U = (v_{L_U})^{r_{loc}} = \Big(\prod_{loc_i \in A} \phi^{\lambda_i^{z - l_{i,u}} \mu_i^{\bar{l}_{i,u}}}\Big)^{r_{loc}}$ as the delegation key of user U, where $v_{L_U} = v_{\{[l_{i,u}, \bar{l}_{i,u}]\}_{loc_i \in A}}$.

• Sends $D_{loc}$, $D'_{loc}$, $D_{time}$, $D'_{time}$, $DK_U$ and $L_U$ to user U.

After receiving D, $D_j$, $D'_j$ ($\forall j \in$ static attributes), $D_{loc}$, $D'_{loc}$, $D_{time}$ and $D'_{time}$, user U aggregates all as his secret key: $SK_U = (D, D_{loc}, D'_{loc}, D_{time}, D'_{time}, \forall j \in \text{static attributes}: D_j, D'_j)$.
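As an added example (not the authors' code), the following Python models Setup Step 2 and Key Generation Step 1 in the order-Q subgroup of $\mathbb{Z}_p^*$ for a safe prime instead of the paper's pairing group; the modulus search, the generator 4, the seeds and β = 12345 are constructed values. It shows the pairwise masks $s_{kj}$ cancelling only across all K authorities, so the published pieces aggregate to $D_r = g^{r}$ and $D = \eta^{\alpha + r}$ while a coalition's partial product stays masked.

```python
"""Multi-authority masking of PPLBAC Setup Step 2 and Key Generation Step 1.
Added example, not the authors' code.  The pairing group is replaced by the
order-Q subgroup of Z_p^* for a safe prime P = 2Q + 1 found at import time, so
g^x is pow(G, x, P) and exponents live in Z_Q; the rest follows the text."""
import random


def _is_prime(n):
    """Trial division; adequate for the ~1e6-sized toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_safe_prime(start):
    """Smallest safe prime p >= start, i.e. p and (p - 1) / 2 both prime."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p


P = find_safe_prime(1_000_000)   # constructed toy modulus
Q = (P - 1) // 2                 # prime order of the subgroup generated by G
G = 4                            # 4 = 2^2 is a quadratic residue, hence of order Q


class Authority:
    """AA_k: secret alpha_k, outgoing masks s_kj, received elements g^{s_jk}."""

    def __init__(self, k, K, rng):
        self.k = k
        self.alpha = rng.randrange(1, Q)
        self.s_out = {j: rng.randrange(1, Q) for j in range(K) if j != k}
        self.g_s_in = {}
        self.sk = None

    def finish_setup(self):
        """SK_ak = (prod_j g^{s_kj}) / (prod_j g^{s_jk}) = g^{sum s_kj - sum s_jk},
        from AA_k's own exponents and the group elements it received only."""
        own = pow(G, sum(self.s_out.values()) % Q, P)
        recv = 1
        for g_s_jk in self.g_s_in.values():
            recv = recv * g_s_jk % P
        self.sk = own * pow(recv, P - 2, P) % P   # Fermat inverse in Z_p^*
        return self.sk


def setup_authorities(K, seed=None):
    """Setup Step 2 for K authorities; only g^{s_kj}, never s_kj, leaves AA_k."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    auths = [Authority(k, K, rng) for k in range(K)]
    for a in auths:
        for j, s_kj in a.s_out.items():
            auths[j].g_s_in[a.k] = pow(G, s_kj, P)
    for a in auths:
        a.finish_setup()
    return auths


def product_of_sk(auths):
    """prod_k SK_ak: the pairwise masks telescope, so this is 1 mod P."""
    acc = 1
    for a in auths:
        acc = acc * a.sk % P
    return acc


def key_generation(auths, beta, seed=None):
    """Key Generation Step 1.  AA_k publishes SK_ak*g^{gamma_k} and
    SK_ak*eta^{alpha_k+gamma_k}, eta = g^{1/beta}.  Returns the published pieces,
    the gammas (kept only to check the result), D_r = g^r and D = eta^{alpha+r}."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    eta = pow(G, pow(beta, -1, Q), P)
    pieces, gammas = [], []
    d_r = d = 1
    for a in auths:
        gamma = rng.randrange(1, Q)
        gammas.append(gamma)
        piece_r = a.sk * pow(G, gamma, P) % P
        piece_d = a.sk * pow(eta, (a.alpha + gamma) % Q, P) % P
        pieces.append((piece_r, piece_d))
        d_r = d_r * piece_r % P
        d = d * piece_d % P
    return pieces, gammas, d_r, d


def partial_product(pieces):
    """Product of a coalition's SK_ak*g^{gamma_k} pieces; masked short of all K."""
    acc = 1
    for piece_r, _ in pieces:
        acc = acc * piece_r % P
    return acc
```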

5.3. Encryption phase

During the encryption phase, the data owner DO should interact with CSP to define the dynamic access policy and encrypt data based on that policy. This process consists of two rounds: the first round is performed while uploading the file to the cloud and the second round is performed when an access request is received by CSP.

5.3.1. Data uploading (first round encryption)

This round is performed by DO and CSP while uploading information to the server. It consists of three steps.

Step 1. The data owner DO

• Defines the access control policy for all attributes. Particularly, DO defines location constraints $L_P = \{[\rho_i, \bar{\rho}_i]\}_{loc_i \in A}$, where $loc_i$ is the i-th dimension of location in the m-dimensional coordinate system, and $[\rho_i, \bar{\rho}_i]$ corresponds to the attribute constraint $[l_{i,j}, l_{i,k}]$ defined on $loc_i$.

• Computes $v_{L_P} = v_{\{[\rho_i, \bar{\rho}_i]\}_{loc_i \in A}} = \prod_{loc_i \in A} \phi^{\lambda_i^{z - \rho_i} \mu_i^{\bar{\rho}_i}}$.

• Selects random numbers $s_{loc} \in_R \mathbb{Z}^*_n$ and $s_{static} \in_R \mathbb{Z}^*_n$ for the contextual location attribute and the static attributes respectively.

• Computes $ek_{DO} = e(g, \omega)^{\alpha (s_{loc} + s_{static})}$.

Step 2. The cloud service provider CSP

• Selects a random number $s_{time} \in_R \mathbb{Z}^*_n$ for the time attribute, computes $ek_{CSP} = e(g, \omega)^{\alpha s_{time}}$ and sends it to DO.

Step 3. The data owner DO

• Computes $ek = ek_{DO} * ek_{CSP} = e(g, \omega)^{\alpha (s_{loc} + s_{static} + s_{time})}$, generates a random content key ak to encrypt the target file (i.e., the file we want to encrypt and for which we define access control), and uses that session key ek to encrypt the content key ak with symmetric encryption $ENC_{ek}(\cdot)$. This type of implementation is used to adopt the key encapsulation mechanism and reduce the size of the ciphertext without sacrificing security (Green et al.; Lai et al., 2013).

• Shares the secret $s_{static}$ in the tree access structure T with root R. In a top-down manner, it chooses a polynomial $q_x$ for each node x in the tree access structure T in the following way: For each node x, the algorithm sets the degree $d_x$ of polynomial $q_x$ as one less than the threshold value $k_x$ of that node. Starting from the root node R, the algorithm sets $q_R(0) = s_{static}$ and randomly chooses $d_R$ other coefficients to define $q_R$ completely. For any other node x, it sets $q_x(0) = q_{parent(x)}(index(x))$ (see footnote 2) and chooses $d_x$ other coefficients for $q_x$ randomly to completely define $q_x$. Note that each leaf node y is associated with an atomic attribute att(y) in the set of static attributes.

• Uploads the initial ciphertext $CT_{init} = \big(ENC_{ek}(ak),\ C_{DO} = h^{(s_{static} + s_{loc})},\ C_{loc} = (v_{L_P} \vartheta_{LSP})^{s_{loc}} = v_{L_P}^{s_{loc}} \omega^{\tau_{LSP} s_{loc}},\ C'_{loc} = H(loc)^{s_{loc}},\ \forall y \in \text{static attributes}: C_y = \vartheta_{iss(y)}^{q_y(0)} = \omega^{\tau_{iss(y)} q_y(0)},\ C'_y = H(att(y))^{q_y(0)}\big)$ (see footnote 3) to CSP.

5.3.2. Access time encryption (second round encryption)

This round is performed, upon receipt of an access request by CSP, to set the current time and handle the dynamic location update. This round is performed in one step.

Step 1. After receiving a request, CSP

• Computes $C_{time} = \vartheta_{LSP}^{s_{time}} = \omega^{\tau_{LSP} s_{time}}$, $C'_{time} = H(time \| L_U)^{s_{time}}$, $C_{CSP} = h^{s_{time}}$ and $C = C_{CSP} * C_{DO} = h^{(s_{static} + s_{loc} + s_{time})} = h^{s}$.

The final ciphertext would be $CT = \big(ENC_{ek}(ak), C, C_{loc}, C'_{loc}, C_{time}, C'_{time}, \forall y \in \text{static attributes}: C_y, C'_y\big)$.

5.4. Access request phase

In this phase, an eligible user U sends his access request for a target file to CSP. Similar to the key generation phase, to achieve better performance, this phase is executed in two rounds: the first round is performed just one time during registration and the second round is performed at each access attempt.

5.4.1. Attribute key transformation (first round)

It is performed by the user to anonymize the static part of his secret key issued by the attribute authorities. This process is done in one step.

Step 1. Upon receiving the static part of the secret key from the attribute authorities, user U

• Chooses a random number $b \in \mathbb{Z}^*_n$ as the secret retrieving key.

• Transforms the static part of the secret key to its blinded version. This is performed by raising the static components of $SK_U$ to the power 1/b (i.e. $D^{1/b}$, $\forall j \in \text{static attributes}: D_j^{1/b}, D_j'^{1/b}$).

5.4.2. Location key transformation and access request (second round)

At each access attempt, user U anonymizes the dynamic part of his secret and delegation keys issued by LSP and sends his access request for the target file to CSP. This process is performed in one step.

Step 1. Upon receiving the dynamic part of the secret key and the delegation key, user U

• Transforms the dynamic part of the secret key and the delegation key to their blinded versions. This is performed by raising the dynamic components of $SK_U$ (i.e. $D_{loc}$, $D'_{loc}$, $D_{time}$, $D'_{time}$) and $DK_U$ to the power 1/b (using the already selected retrieving key b). Thus, the blinded secret and delegation keys will be $SK_U^{1/b} = (D^{1/b}, D_{loc}^{1/b}, D_{loc}'^{1/b}, D_{time}^{1/b}, D_{time}'^{1/b}, \forall j \in \text{static attributes}: D_j^{1/b}, D_j'^{1/b})$ and $DK_U^{1/b} = (v_{L_U})^{r_{loc}/b}$.

• Sends his request to access the target file, in addition to the blinded secret key $SK_U^{1/b}$, the blinded delegation key $DK_U^{1/b}$ and his own location information $L_U$, to CSP.

5.5. Decryption phase

When the access request is received by CSP, the eligibility of the user to access the target file should be checked. This process is performed in three sub-phases: (1) Decryption Delegation, (2) Decryption and (3) Data Access.

5.5.1. Decryption delegation

This sub-phase is performed by CSP to compute the blinded delegation key corresponding to location range privilege $L_P$ in one step.

Step 1. The cloud service provider CSP

• Checks whether the user's location $L_U$ satisfies the location range privilege $L_P$ over all location dimensions (see Fig. 4).

• Computes the blinded delegation key $DK_P^{1/b}$ corresponding to location range privilege $L_P = \{[\rho_i, \bar{\rho}_i]\}_{loc_i \in A}$ as follows:

$$DK_P^{1/b} = (v_{L_P})^{r_{loc}/b} = F_{\{l_{i,u} \ge \rho_i,\ \bar{l}_{i,u} \le \bar{\rho}_i\}_{loc_i \in A}}\big(DK_U^{1/b}\big) = F_{\{l_{i,u} \ge \rho_i,\ \bar{l}_{i,u} \le \bar{\rho}_i\}_{loc_i \in A}}\big((v_{L_U})^{r_{loc}/b}\big) = \Big(\prod_{loc_i \in A} \phi^{\lambda_i^{z - \rho_i} \mu_i^{\bar{\rho}_i}}\Big)^{r_{loc}/b}.$$

5.5.2. Decryption

This sub-phase is performed by CSP to compute the blinded session key $ek^{1/b}$ and transfer it to the user in one step.

Step 1. The cloud service provider CSP

• Computes $Dec_{time} = \dfrac{e(D_{time}^{1/b}, C_{time})}{e(D_{time}'^{1/b}, C'_{time})} = e(g, \omega)^{r s_{time}/b}$ for the contextual attribute time.

• Computes $Dec_{loc} = \dfrac{e(D_{loc}^{1/b}, C_{loc})}{e(DK_P^{1/b} \cdot D_{loc}'^{1/b}, C'_{loc})} = e(g, \omega)^{r s_{loc}/b}$ for the contextual attribute loc. Note that due to Proposition 1, $e(g, v_{L_P})^{r s_{loc}/b}$ in the computation will be replaced by 1.

• Computes $DecNode(y) = \dfrac{e(D_y^{1/b}, C_y)}{e(D_y'^{1/b}, C'_y)} = e(g, \omega)^{r q_y(0)/b}$ for each static attribute y. Then, it recursively computes $Dec_{static}$ as DecNode(R) for the root node R of the tree access structure T in the following way: For each non-leaf x, the algorithm calls DecNode(z) for all child nodes z of x and stores the output as $F_z$. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes z; we can compute DecNode(x) as follows:

$$F_x = \prod_{z \in S_x} F_z^{\Delta_{i, S'_x}(0)}, \quad \text{where } i = index(z),\ S'_x = \{index(z) : z \in S_x\}$$

$$= \prod_{z \in S_x} \big(e(g, \omega)^{r q_z(0)/b}\big)^{\Delta_{i, S'_x}(0)} = \prod_{z \in S_x} \big(e(g, \omega)^{r q_{parent(z)}(index(z))/b}\big)^{\Delta_{i, S'_x}(0)} = \prod_{z \in S_x} \big(e(g, \omega)^{r q_x(i)/b}\big)^{\Delta_{i, S'_x}(0)} = e(g, \omega)^{r q_x(0)/b}$$

where $\Delta_{i, S'_x}(0)$ is the Lagrange coefficient, which is defined as $\Delta_{i, S'_x}(x) = \prod_{j \in S'_x,\, j \ne i} \frac{x - j}{i - j}$ (Bethencourt et al., 2007). The algorithm begins by simply calling the function for the root node R of the tree access structure T. If the tree access structure is satisfied by $A_u$, then $Dec_{static}$ will be equal to $e(g, \omega)^{r q_R(0)/b} = e(g, \omega)^{r s_{static}/b}$.

• Computes $A = Dec_{time} * Dec_{loc} * Dec_{static} = e(g, \omega)^{rs/b}$.

• Computes $ek^{1/b} = \dfrac{e(C, D^{1/b})}{A} = \dfrac{e(\omega, g)^{(\alpha + r)s/b}}{e(g, \omega)^{rs/b}} = e(g, \omega)^{\alpha s/b}$ and sends it to the user.

Footnote 2. parent(x) is the node x's parent node and index(x) is a number associated with each node x ranging from 1 to $num_{parent(x)}$.

Footnote 3. iss(y) is the authority responsible for issuing att(y).

Fig. 4 – The location range relation on $loc_i$ ($l_{i,u} \in (\rho_i, \bar{\rho}_i)$).
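As an added example that is not part of the paper, the following Python carries out the top-down sharing of $s_{static}$ from Encryption Step 3 and the DecNode reconstruction above with the Lagrange coefficients $\Delta_{i, S'_x}(0)$; the pairing value $e(g, \omega)^{x}$ is modelled as pow(G, x, P) in a toy safe-prime group, and the policy tree, attribute names, seed and the stand-in exponent for r/b are constructed.

```python
"""Access-tree secret sharing (Encryption Step 3) and the DecNode reconstruction
run by CSP (Decryption Step 1) of PPLBAC.  Added example, not the authors' code.
The pairing value e(g, omega)^x is modelled as pow(G, x, P) in a toy order-Q
subgroup of Z_p^*; P = 4079 = 2*2039 + 1, Q = 2039 and G = 4 are constructed."""
import random

P, Q, G = 4079, 2039, 4   # 4 = 2^2 is a quadratic residue, so it has prime order Q


class Node:
    """Tree access structure node: threshold k_x, ordered children, att(y) on leaves."""

    def __init__(self, k, children=(), attr=None):
        self.k = k
        self.children = list(children)
        self.attr = attr
        self.q0 = None        # q_x(0), fixed by share_secret

    def is_leaf(self):
        return not self.children


def _poly_eval(coeffs, x):
    """q(x) = sum_i coeffs[i] * x^i over Z_Q, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def share_secret(node, secret, rng):
    """Top-down sharing: q_x(0) = secret, degree d_x = k_x - 1 with random higher
    coefficients, and the child z with index(z) = i receives q_x(i)."""
    node.q0 = secret % Q
    coeffs = [node.q0] + [rng.randrange(1, Q) for _ in range(node.k - 1)]
    for index, child in enumerate(node.children, start=1):
        share_secret(child, _poly_eval(coeffs, index), rng)


def lagrange_at_zero(i, s_prime):
    """Delta_{i,S'}(0) = prod_{j in S', j != i} (0 - j) / (i - j) over Z_Q."""
    num, den = 1, 1
    for j in s_prime:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def dec_node(node, user_attrs, r_over_b):
    """DecNode(x).  A leaf y yields e(g,omega)^{r q_y(0)/b} only when att(y) is in
    the user's (blinded) key; an inner node needs k_x decrypting children S_x and
    combines them as F_x = prod_{z in S_x} F_z^{Delta_{i,S'_x}(0)}.  None = failure."""
    if node.is_leaf():
        if node.attr in user_attrs:
            return pow(G, r_over_b * node.q0 % Q, P)
        return None
    found = []          # (index(z), F_z) for the first k_x children that decrypt
    for index, child in enumerate(node.children, start=1):
        f_z = dec_node(child, user_attrs, r_over_b)
        if f_z is not None:
            found.append((index, f_z))
        if len(found) == node.k:
            break
    if len(found) < node.k:
        return None
    s_prime = [i for i, _ in found]
    f_x = 1
    for i, f_z in found:
        f_x = f_x * pow(f_z, lagrange_at_zero(i, s_prime), P) % P
    return f_x


def dec_static(root, user_attrs, r_over_b):
    """Dec_static = DecNode(R): e(g,omega)^{r s_static/b} iff the attribute set
    satisfies the tree, otherwise None."""
    return dec_node(root, user_attrs, r_over_b)


def sample_policy():
    """Constructed policy: 2-of-3 over {doctor, (cardiology OR oncology), hospital_A}."""
    return Node(2, [
        Node(1, attr="doctor"),
        Node(1, [Node(1, attr="cardiology"), Node(1, attr="oncology")]),
        Node(1, attr="hospital_A"),
    ])


def shared_sample_policy(s_static, seed=2017):
    """Build the sample policy and share s_static into it with a seeded RNG."""
    tree = sample_policy()
    share_secret(tree, s_static, random.Random(seed))
    return tree


if __name__ == "__main__":
    tree = shared_sample_policy(1234)
    # 777 stands in for the exponent r/b carried by the blinded key
    print(dec_static(tree, {"doctor", "oncology"}, 777) == pow(G, 777 * 1234 % Q, P))
```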

5.5.3. Data access

This sub-phase is performed by the user to determine the content key ak and access the target file encrypted by that symmetric key in one step.

Step 1. Upon receiving the responses from CSP, user U

• Computes the session key ek by raising $ek^{1/b}$ to the power b chosen in the key generation phase.

• Decrypts $ENC_{ek}(ak)$ using the computed session key ek and obtains the content key ak.

• Decrypts the encrypted target file using content key ak.

6. Security analysis

In this section, we analyze the security of the proposed scheme. First, we present the assumptions used to prove the security of PPLBAC. Next, we discuss how PPLBAC supports location privacy, user anonymity and location unforgeability, and how it is immune against authorities collusion attacks and chosen plaintext attacks.

6.1. Security assumptions

Assumption 1. (Discrete Logarithm (DL) Assumption). Given $(g, g^{a}) \in \mathbb{G}^2$, where a is random in $\mathbb{Z}^*_{n'}$, for any Probabilistic Polynomial Time (PPT) algorithm A and negligible advantage ε, we have $\Pr[A(g, g^{a}) = a] \le \varepsilon$.

Assumption 2. (Decisional Bilinear Diffie–Hellman (DBDH) Assumption). Given $(g, g^{a}, g^{b}, g^{c}) \in \mathbb{G}^4$ and $T \in \mathbb{G}_T$, where a, b, c are three random numbers in $\mathbb{Z}^*_{n'}$ and e is a bilinear map $\mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$, there is no PPT algorithm A with non-negligible advantage ε to determine whether T is equal to $e(g, g)^{abc}$ or is a random number.

6.2. Location privacy

Theorem 1. PPLBAC supports location anonymity, even if the adversary compromises all authorities.

Proof. Assume that the adversary compromises all authorities $AA_i$ (1 ≤ i ≤ K, $AA_i \neq$ LSP). Then, it can identify the user from his secret key $SK_U$. On the other hand, CSP has access to $SK_U^{1/b}$, $DK_U^{1/b}$ and location information $L_U$. Furthermore, it is intractable to compute $SK_U$ from $SK_U^{1/b}$ and $DK_U^{1/b}$ without knowing the secret retrieving key b. Consequently, CSP cannot relate location information $L_U$ to $SK_U$ and deduce the corresponding user's identity.

6.3. User anonymity

Theorem 2. PPLBAC supports user anonymity, even if the adversary compromises all authorities.

Proof. Assume that an adversary compromises all authorities $AA_i$ (1 ≤ i ≤ K, $AA_i \neq$ LSP); thus, it can identify the user from his secret key $SK_U$ (worst case scenario). CSP has access to only the blinded secret key $SK_U^{1/b}$, the blinded delegation key $DK_U^{1/b}$ and location information $L_U$. Based on the DL assumption, it is intractable to compute $SK_U$ from $SK_U^{1/b}$ and $DK_U^{1/b}$ without knowing the secret retrieving key b, which is known only by that user. Thus, even by collaboration between authorities and CSP, the adversary cannot identify the user who did access the data (via CSP); in this way, user anonymity is supported.

6.4. Location unforgeability

Theorem 3. PPLBAC supports unforgeability of location.

Proof. Assume that a malicious user's location information $L_{U_1}$, provided by LSP, does not comply with the location policy defined for a target file. Moreover, assume that he tries to forge location information $L'_{U_1}$ and escalate his right to access the target file. According to the security of MDRDF proved in (Wang et al., 2015), it is intractable for user $U_1$ to derive $L'_{U_1}$ using the multi-dimensional range derivation function F(·) from his own authorized location information $L_{U_1}$ (i.e. his current location). Moreover, since the value of the location information is bound to the time of access in $D_{time}$, it is infeasible for malicious user $U_1$ to use his former location as the current location (i.e. immunity to replay attack). Finally, due to the fact that each user is associated with a different random element $r/\tau_{LSP}$, it is infeasible for authorized malicious users $U_1$ and $U_2$ to pool the responses received from LSP, combine them and generate a new valid secret/delegation key for user $U_1$ corresponding to location information $L'_{U_1}$. Thus, it is intractable for a malicious user to forge a new valid location even by collaborating with other users. □


6.5. Security against authorities collusion attacks

Theorem 4. PPLBAC is secure against authorities collusion attacks under the DL assumption, even if the adversary compromises at most (K − 2) authorities.

Proof. Each attribute authority $AA_k$ generates (K − 1) random integers $s_{kj}$, shares $g^{s_{kj}}$ with the other authorities $AA_j$ and generates the secret parameter $SK_{a_k}$ based on the received shares. Based on the DL assumption, it is intractable to compute $s_{kj}$ from $g^{s_{kj}}$. Even if the adversary compromises (K − 2) authorities, there are still two more unknown parameters. Thus, the adversary cannot generate valid parameters $g^{\alpha}$ and $g^{r}$. Moreover, associating different secret random elements $\tau_i$ with different authorities and constructing a separate $g^{(r/\tau_i)}$ for each authority prevents applying one authority's secret share to the others. Thus, the adversary cannot ignore the role of each authority in constructing a valid secret key for users. We conclude that the scheme is secure against compromising up to (K − 2) authorities. □

6.6. Security against chosen plaintext attacks

Theorem 5. PPLBAC without outsourced decryption is selectively secure and indistinguishable against chosen plaintext attacks (IND-CPA) under the DBDH assumption.

Proof. Let A be a PPT algorithm that can break the security of the proposed PPLBAC without outsourced decryption in the selective secure CPA model (i.e. Game 1). Let $(G, G^{a}, G^{b}, G^{c}) \to e(G, G)^{abc}$ be a DBDH problem. We show that if the adversary A has non-negligible advantage ε in the above game, then we can construct a PPT algorithm B to solve the DBDH problem with non-negligible advantage $\frac{\varepsilon}{2}$ as follows:

Let C be a challenger corresponding to the DBDH problem. C flips a coin Θ. If Θ = 0, it sets $(g, A, B, C, Z) = (g, g^{a}, g^{b}, g^{c}, e(g, g)^{abc})$, where a, b, c are chosen randomly; otherwise, it sets Z randomly. Next, the challenger C gives (g, A, B, C, Z) to the simulator B. The simulator B plays the role of challenger in the following game:

Initialization. A controls the set of compromised authorities $AA_{i_k}$ ($k \in \{1, \ldots, K'\}$) containing at most K − 2 authorities. The remaining authorities $AA_{i_k}$ ($k \in \{K'+1, \ldots, K\}$) are controlled by B. A also commits a tree access structure T wanted to be challenged in which some attributes are issued by A's authorities and the remaining by B.

Setup. B sets a = r, b = αι/r and c = s, and computes $\zeta = e(A, B) = e(g, \omega)^{\alpha}$, where r, α and s are three random elements (see footnote 4) and $\iota = \log_g \omega$. It also sets β = θ/ι, where θ is randomly chosen, $h = \omega^{\beta} = g^{\theta}$, $\eta = g^{1/\beta}$, $\phi = \omega^{\rho}$ where $s \mid \rho$. Meanwhile, B selects random elements $\tau_i$ ($K'+1 \le i \le K$) and sets $\vartheta_i = g^{\tau_i}$ ($K'+1 \le i \le K$). Then, it sends the public parameters S, g, ω, ζ, h, η, $\vartheta_i$ ($1 \le i \le K$), ϕ, $\{\lambda_i, \mu_i\}_{loc_i \in A}$ and H(·) to A.

Learning 1. A is allowed to have access to an arbitrary number (i.e. q) of secret keys and delegation keys corresponding to chosen attribute sets $A_{u_1}, \ldots, A_{u_q}$ for a selected number of users $\{U_1, \ldots, U_q\}$. These attribute sets are disjointly issued by all authorities $AA_i$ ($i \in \{1, \ldots, K\}$), but none of them satisfies the tree access structure T. Upon receipt of a query, B computes its own components of the secret key and delegation key to respond to the query. For each attribute j issued by uncompromised authorities $AA_{i_k}$ ($k \in \{K'+1, \ldots, K\}$), B randomly picks $r_j$ and computes $D_j = \big(A \cdot H(att(j))^{r_j}\big)^{1/\tau_{iss(j)}}$ and $D'_j = \omega^{r_j}$ and sends them to A. The adversary A is also allowed to query the Decryption Delegation algorithm for an arbitrary number of delegation keys $DK_U$, locations $L_U = \{[l_{i,a}, l_{i,b}]\}_{loc_i \in A}$, and location range privileges $L_P = \{[\rho_i, \bar{\rho}_i]\}_{loc_i \in A}$ over all location dimensions. In response, B returns $DK_P = (v_{L_P})^{r_{loc}} = \Big(\prod_{loc_i \in A} \phi^{\lambda_i^{z - \rho_i} \mu_i^{\bar{\rho}_i}}\Big)^{r_{loc}}$ to A. It also can conduct an arbitrary number of computations, using its own (or compromised) secret keys, delegation keys and public keys.

Challenge. A sends two distinct chosen plaintexts $M_0$ and $M_1$ to the challenger. The challenger selects a bit $\varpi \in \{0, 1\}$ uniformly at random, and returns the following ciphertext to A:

$$CT^* = \big(ENC_Z(M_\varpi), C, C_{loc}, C'_{loc}, C_{time}, C'_{time}, \forall y \in \text{static attributes}: C_y, C'_y\big)$$

If Θ = 0, $Z = e(g, g)^{abc}$, where a = r, b = αι/r, c = s. Therefore, $Z = e(g, \omega)^{\alpha s}$ and $CT^*$ is a valid ciphertext of $M_\varpi$. Otherwise, if Θ = 1, Z is a random element and $ENC_Z(M_\varpi)$ does not contain any information about $M_\varpi$.

Learning 2. A continues to repeat Learning 1 adaptively.

Response. A submits the guess $\varpi'$ of $\varpi$. If $\varpi' = \varpi$, B outputs Θ′ = 0, indicating that A returned back a valid DBDH tuple $(g, A, B, C, Z) = (g, g^{r}, g^{\alpha\iota/r}, g^{s}, e(g, \omega)^{\alpha s})$. Otherwise, B outputs Θ′ = 1, indicating that A returned back a random tuple (g, A, B, C, Z).

When Θ = 0, A gets a valid ciphertext of $M_\varpi$. Since the advantage of adversary A is ε by definition, the probability of correctly guessing $\varpi'$ of $\varpi$ is $\Pr[\varpi' = \varpi \mid \Theta = 0] = \frac{1}{2} + \varepsilon$. When $\varpi' = \varpi$, B outputs Θ′ = 0. Thus, we have $\Pr[\Theta' = \Theta \mid \Theta = 0] = \Pr[\varpi' = \varpi \mid \Theta = 0] = \frac{1}{2} + \varepsilon$. When Θ = 1, A has no information about $\varpi$. In this case, we have $\Pr[\varpi' \ne \varpi \mid \Theta = 1] = \Pr[\varpi' = \varpi \mid \Theta = 1] = \frac{1}{2}$. When $\varpi' \ne \varpi$, B outputs Θ′ = 1. So, we have $\Pr[\Theta' = \Theta \mid \Theta = 1] = \Pr[\varpi' \ne \varpi \mid \Theta = 1] = \frac{1}{2}$. Hence, the overall advantage in this game is:

$$\Pr[\Theta' = \Theta] - \frac{1}{2} = \frac{1}{2}\Pr[\Theta' = \Theta \mid \Theta = 0] + \frac{1}{2}\Pr[\Theta' = \Theta \mid \Theta = 1] - \frac{1}{2} = \frac{1}{2} \times \Big(\frac{1}{2} + \varepsilon\Big) + \frac{1}{2} \times \frac{1}{2} - \frac{1}{2} = \frac{\varepsilon}{2}$$

Thus, we are able to construct a PPT algorithm B that can solve the DBDH problem with advantage $\frac{\varepsilon}{2}$.

Footnote 4. In $r = \sum_{k=1}^{K} \gamma_{i_k} = \sum_{k=1}^{K'} \gamma_{i_k} + \sum_{k=K'+1}^{K} \gamma_{i_k}$, the term $\sum_{k=K'+1}^{K} \gamma_{i_k}$ is assigned by the collaboration of the uncompromised authorities $AA_{i_k}$ ($k \in \{K'+1, \ldots, K\}$), which are under the control of B. Since $\sum_{k=K'+1}^{K} \gamma_{i_k} = r - \sum_{k=1}^{K'} \gamma_{i_k}$, considering r as a random element does not affect the duty of the compromised authorities $AA_{i_k}$ ($k \in \{1, \ldots, K'\}$) to assign $\gamma_{i_k}$ ($k \in \{1, \ldots, K'\}$), which are under the control of A. In a similar way to r, considering α as a random element does not affect the duty of the compromised authorities $AA_{i_k}$ ($k \in \{1, \ldots, K'\}$) to assign $\alpha_{i_k}$ ($k \in \{1, \ldots, K'\}$), which are under the control of A.

Theorem 6. If the proposed PPLBAC without outsourced decryp-tion is selective secure and indistinguishable against chosen plaintextattacks (IND-CPA), then the outsourced version of that is also selec-tive secure and indistinguishable against chosen plaintext attacks(IND-CPA).

Proof. Let A be a PPT algorithm that can break the securityof the proposed scheme with outsourced decryption in selec-tive secure CPA model (i.e. Game 2). We show that if theadversary A has non-negligible advantage in the above game,we can construct the PPT algorithm B that can break the se-curity of the scheme without outsourced decryption in selectivesecure CPA model (i.e. Game 1) with non-negligible advan-tage. Let C be a challenger corresponding to B. The simulatorB runs A executing the following steps:

Initialization. A controls the set of at most (K − 2) compromised authorities $AA_i$ and the remaining authorities are controlled by the simulator B. A also commits to and gives B a tree access structure T on which it wants to be challenged, in which some attributes are issued by A's authorities and the remaining ones by B's.

Setup. B sends the tree access structure T to the challenger C and gets its own public parameters $GPP = (S, g, h, \omega, \zeta, \eta, \vartheta, \{\varphi_i, \lambda_i, \mu_i, H_i\}_{1 \le i \le K}, \{Loc_l\}_{l \in \mathcal{A}_{loc}})$ (i.e. the public parameters related to the scheme without outsourced decryption). Then, B forwards it to A.

Learning 1. A is allowed to query for an arbitrary number (i.e. p) of secret keys and delegation keys corresponding to chosen attribute sets $A_{u_1}, \ldots, A_{u_p}$ for a selected number of users $\{U_1, \ldots, U_p\}$. It is also allowed to query for an arbitrary number (i.e. q − p) of blinded secret keys and blinded delegation keys corresponding to attribute sets $A_{u_{p+1}}, \ldots, A_{u_q}$ for a selected number of users $\{U_{p+1}, \ldots, U_q\}$. These attribute sets are disjointly issued by all authorities $AA_i$ ($i \in \{1, \ldots, K\}$), but none of them satisfies the tree access structure T. In response to a query for the secret key and delegation key corresponding to attribute set $A_{u_i}$, B calls the key generation oracle of the challenger C to return the corresponding secret key $SK_{U_i}$ and delegation key $DK_{U_i}$. In response to a query for the blinded secret key and blinded delegation key for attribute set $A_{u_i}$, B chooses random components $Z$, $r$, $\tau_i$ $\forall i \in \{1, \ldots, K\}$, $r_j$ $\forall j \in$ attributes, and sets

$$
SK^{b_1}_{U} = \Big(D = g^{\beta Z}\, g^{r},\;
D_{loc} = \big(g^{r}\, \omega^{\tau_{LSP}}\, H(loc)\big)^{r_{loc}},\; D'_{loc} = g^{r_{loc}},\;
D_{time} = \big(g^{r}\, \omega^{\tau_{LSP}}\, H(time)\big)^{r_{time}},\; D'_{time} = g^{r_{time}},\;
\forall j \in \text{static attributes}:\; D_j = \big(g^{r}\, \omega^{\tau_{iss_j}}\, H(att_j)\big)^{r_j},\; D'_j = g^{r_j}\Big)
$$

and $DK^{b_1}_{U} = \big(v_{L_{U_i}}^{\,r_{loc}}\big)$.5 Then, it returns to A the blinded secret key $SK^{b_1}_{U_i}$, the blinded delegation key $DK^{b_1}_{U_i}$ and the location information $L_U$. Note that B does not know the actual retrieving key $b = \alpha/(\beta Z)$. Besides that, if B has already received the same query for the same attribute set, it does not compute the secret key, delegation key, blinded secret key and blinded delegation key repeatedly; instead, it uses the previous computation. The adversary is also allowed to query the Decryption Delegation algorithm for an arbitrary number of delegation keys $DK_U$ (and also blinded delegation keys $DK^{b_1}_U$), locations $L_U = \{[l_{i,a}, l_{i,b}]\}_{i \in \mathcal{A}_{loc}}$ and location range privileges $LP = \{[\rho_i, \rho'_i]\}_{i \in \mathcal{A}_{loc}}$ over all location dimensions. In response, C computes $DKP$ (respectively $DKP^{b_1}$) and returns it via B to A. In addition, A can conduct an arbitrary number of computations, using its own (or compromised) secret keys (or blinded secret keys), delegation keys (or blinded delegation keys) and public keys.

Challenge. A sends two distinct chosen plaintexts $M_0$ and $M_1$ to the challenger C via B. The challenger selects a bit ϖ ∈ {0, 1} uniformly at random and encrypts $M_\varpi$ with respect to the tree access structure T; then, it returns the ciphertext to A.

Learning 2. A continues to repeat Learning 1 adaptively.

Response. A outputs a guess ϖ′ of ϖ.

Thus, we will be able to construct a PPT algorithm B that can attack the original version of the scheme without outsourced decryption in the selective secure CPA model with non-negligible advantage, if A can attack the outsourced version of the scheme in the selective secure CPA model with non-negligible advantage. □

7. Performance evaluation

In this section, we evaluate the performance of PPLBAC. First, we present the complexity analysis of PPLBAC from two aspects: computation overhead and communication overhead. We also compare our proposed scheme with the state of the art, including (Jung et al., 2015; Li et al., 2016; Shao et al., 2014; Zhu et al., 2013). Finally, we exploit the experimental results to evaluate its performance.

7.1. Complexity analysis

The complexity analysis evaluates the computation and communication overhead caused by the different entities involved in the proposed scheme. Let $T$ be the number of leaves in the tree access structure, $E_G$ and $E_{G_T}$ denote the exponentiation operation in groups $G$ and $G_T$ respectively, $P$ indicate the bilinear pairing operation from $G$ to $G_T$, $T_O$ represent the time taken to perform one operation $O$, $A_u$ be the user's set of attributes involved in encryption and decryption, $A_{su}$ be the static subset of $A_u$, $U$ be the number of users in the system, $l_G$ and $l_{G_T}$ denote the length of elements in groups $G$ and $G_T$ respectively, and $l_{ENC}$ indicate the length of the encrypted content key $ENC_{ek}(ak)$. Similar to (Wang et al., 2015), (Yeh et al., 2015) and (Shao et al., 2014), we only consider the most significant time overhead caused by operations, namely the time taken for exponentiation operations (i.e. $T_{E_G}$ and $T_{E_{G_T}}$) and pairing operations (i.e. $T_P$). The analysis concerns the computation and communication overhead of the proposed scheme from two aspects: (1) static overhead, which is caused by the attribute authorities to provide multi-authority support; and (2) dynamic overhead, which is caused by LSP to provide location-based services. In particular, if we ignore multi-authority support and consider just LSP as the only authority, we can eliminate all static overhead on attribute authorities and users (without prejudice to users' anonymity).

5 In this part, $SK^{b_1}_{U_i}$ and $DK^{b_1}_{U_i}$ are just symbols for the blinded secret key and blinded delegation key and do not mean raising $SK_{U_i}$ and $DK_{U_i}$ to $1/b$.

More specifically, we first analyze the static computations, which are performed just once by the attribute authorities and mobile users in the key generation and access request phases; these computations can be executed and distributed during registration. Hence, they do not impact the scheme's efficiency. Table 1 shows the static computation and communication overhead of the proposed scheme.

Moreover, to analyze the dynamic overhead generated at each access attempt, we assume that CSP has unlimited computation power, while mobile users have limited power. Hence, the aim of the scheme is to reduce the computation overhead on mobile users. In the proposed scheme, the static part of the computations is performed just once at registration. Furthermore, the heavy pairing computations are outsourced to CSP. Therefore, our scheme can significantly reduce the dynamic computation overhead for mobile users. Moreover, each attribute authority $AA_i$ is involved in the scheme just once, during registration. Hence, it does not impact the scheme's efficiency. However, LSP is involved in the system at each access attempt as well as at registration, to assign the dynamic attributes "location" and "time" for each user. Hence, the dynamic computation and communication overhead is generated by LSP. Table 2 shows the dynamic computation and communication overhead of the proposed scheme.

Finally, DO is involved in the scheme just once, while uploading information to CSP, defining the access policy and encrypting data based on that policy. Independent of the number of users, it performs its duty once while uploading. Table 3 shows the uploading computation and communication overhead of the proposed scheme.

7.2. Performance comparison

We compare (a) the static overhead of the proposed scheme with (Jung et al., 2015; Li et al., 2016) as two recent multi-authority ABE schemes and (b) the dynamic overhead of the proposed scheme with (Shao et al., 2014; Zhu et al., 2013) as two existing location-based access control schemes in the literature which use attribute-based encryption. We show that the proposed scheme achieves more functionalities with comparable performance in both aspects for mobile users.

Table 4 shows the comparison of the computation overhead related to static attributes in the proposed scheme, (Li et al., 2016) and (Jung et al., 2015) in terms of Key Generation, Encryption and Decryption. We observe that our scheme removes the costly pairing operations from the decryption process on mobile users with limited computational power.

Table 5 shows the differences in computation overhead between PPLBAC and two other existing location-based access control schemes for mobile cloud (Shao et al., 2014; Zhu et al., 2013). These schemes use attribute-based encryption to provide location-based access control for mobile cloud. In these schemes, the authors assume that the data owner, who defines the access policy and encrypts data, is the same entity as LSP. Moreover, they assume LSP to be the only authority in their architectures. These assumptions (a) expose those schemes to more security threats (as LSP is too powerful and becomes a single vulnerable point for attacks); and (b) reduce the flexibility of the schemes to support different data owners which define access policies, encrypt data and upload it to CSP (as LSP is the only one who can define access policies, encrypt data and upload it to CSP). Table 5 also depicts the features of our scheme. Compared to the other schemes, PPLBAC supports several functionality features including location anonymity, location unforgeability, multi-authority and non-spatial-temporal attributes. Despite supporting more functionality features, our scheme has comparable efficiency with the other schemes in the literature.

7.3. Experimental results

To evaluate the performance of PPLBAC, we make use of (a) a large Amazon EC2 instance with 7.5 GB RAM, 4 EC2 compute units, 850 GB instance storage and a 64-bit platform (Shankar, 2009) as CSP, (b) an Apple iMac with an Intel Core 2 Duo at 2.66 GHz and 4 GB RAM running Mac OS X 10.10.5 as DO, LSP and the other attribute authorities, and (c) a Samsung Galaxy S5 smartphone with a quad-core 2.5 GHz Krait 400 processor and 2 GB RAM running Android 5.0 as user. Our evaluation is based on the Java realization of the CP-ABE toolkit (Wang, 2013) and uses the Java Pairing-Based Cryptography (JPBC) library (De Caro and Iovino, 2011a, 2011b) (i.e. a port of the Pairing-Based Cryptography (PBC) library (Lynn, 2007) that performs the mathematical operations underlying pairing-based cryptosystems directly in Java). Similar to (Wang et al., 2015), we use the bilinear map system $S_N$ of composite order $n$, where $n = s_1 s_2 p' q'$ and $p' = q' = 256$ bits. The implementation makes use of a supersingular pairing to model an elliptic curve group over a 1024-bit finite field. We assume two-dimensional coordinates for the location of the user (i.e. $m = 2$), where the location range is fixed at 24 × 24.

Table 1 – Static registration overhead of PPLBAC.

Phase      | U: Comp. Cost            | U: Comm. Cost         | $AA_i$: Comp. Cost          | $AA_i$: Comm. Cost
Key Gen.   | 0                        | $(2|A_{su}| + 2)\,l_G$ | $(2|A_{su}| + 2K)\,T_{E_G}$ | $(2|A_{su}| + 2K - 1)\,l_G$
Acc. Req.  | $(2|A_{su}| + 1)\,T_{E_G}$ | 0                     | 0                           | 0

Table 2 – Dynamic data access overhead of PPLBAC.

Phase      | U: Comp. Cost    | U: Comm. Cost           | LSP: Comp. Cost      | LSP: Comm. Cost
Key Gen.   | 0                | $5\,l_G$                | $(5 + 2m)\,T_{E_G}$  | $6\,l_G$
Acc. Req.  | $5\,T_{E_G}$     | $(6 + 2|A_u|)\,l_G$     | 0                    | 0
Dec.       | $T_{E_{G_T}}$    | $l_{ENC} + l_{G_T}$     | 0                    | 0

Table 3 – Uploading overhead of DO in PPLBAC.

Phase       | Comp. Cost                               | Comm. Cost
Encryption  | $(1 + 2m + 2T)\,T_{E_G} + T_{E_{G_T}}$   | $l_{ENC} + (2T + 2)\,l_G + l_{G_T}$

Table 4 – Computation overhead related to static attributes in Jung et al. (2015), Li et al. (2016) and PPLBAC (tv: threshold value representing the minimum number of attribute authorities required to generate users' secret keys).

Scheme            | Phase      | Key Gen. (U)               | Key Gen. ($AA_i$)                      | Enc. (DO)                                | Dec. (U)
Li et al., 2016   | Key Gen.   | 0                          | $(3|A_{su}| + 2(tv + 1))\,K\,T_{E_G}$  | 0                                        | 0
Li et al., 2016   | Enc.       | –                          | –                                      | $(3T + 1)\,T_{E_G} + T_{E_{G_T}}$        | –
Li et al., 2016   | Dec.       | –                          | –                                      | 0                                        | $(2|A_{su}| + 1)\,T_P + 2|A_{su}|\,T_{E_{G_T}}$
Jung et al., 2015 | Key Gen.   | 0                          | $(2|A_{su}| + 2K)\,T_{E_G}$            | 0                                        | 0
Jung et al., 2015 | Enc.       | –                          | –                                      | $(2T + 2)\,T_{E_G} + T_{E_{G_T}}$        | –
Jung et al., 2015 | Dec.       | –                          | –                                      | 0                                        | $(4|A_{su}| + 1)\,T_P$
PPLBAC            | Key Gen.   | 0                          | $(2|A_{su}| + 2K)\,T_{E_G}$            | –                                        | 0
PPLBAC            | Enc.       | –                          | –                                      | $(1 + 2m + 2T)\,T_{E_G} + T_{E_{G_T}}$   | –
PPLBAC            | Acc. Req.  | $(2|A_{su}| + 1)\,T_{E_G}$ | 0                                      | –                                        | 0
PPLBAC            | Dec.       | –                          | –                                      | –                                        | $T_{E_{G_T}}$

Table 5 – Comparison between location-based access control schemes ($N_i$: number of attribute values for the i-th attribute, LA: Location Anonymity, LU: Location Unforgeability by users, MA: Multi-Authority, NSTA: Non-Spatial-Temporal Attributes).

Scheme            | Phase                   | Key Gen. (U)  | Key Gen. (LSP)                              | Enc. (DO)                               | Enc. (LSP)                                                 | Dec. (U)                                                        | Dec. (LSP) | LA | LU | MA | NSTA
Shao et al., 2014 | Service Data Creation   | –             | –                                           | –                                       | $2\,T_P + (8\sum_{i=1}^{4} N_i + 2T)\,T_{E_G} + T_{E_{G_T}}$ | –                                                               | –          | ✓  | ×  | ×  | ✓
Shao et al., 2014 | User Grant              | 0             | $(16\sum_{i=1}^{2} N_i + 1)\,T_{E_G}$       | –                                       | –                                                          | –                                                               | –          |    |    |    |
Shao et al., 2014 | Location-based Service  | $2\,T_{E_G}$  | 0                                           | –                                       | –                                                          | $T_{E_{G_T}}$                                                   | –          |    |    |    |
Zhu et al., 2013  | Key Generation          | 0             | $(1 + 5|A_u|)\,T_{E_G}$                     | –                                       | –                                                          | –                                                               | –          | ×  | ×  | ×  | ×
Zhu et al., 2013  | Service Authentication  | –             | –                                           | –                                       | $9\,T_{E_G} + T_{E_{G_T}}$                                 | $8\,T_P + 9\,T_{E_G} + 2\,T_{E_{G_T}}$                          | –          |    |    |    |
Zhu et al., 2013  | Obfuscation and Query   | –             | –                                           | –                                       | –                                                          | –                                                               | 0          |    |    |    |
Zhu et al., 2013  | LBS Info. Transmission  | –             | –                                           | –                                       | $(4T - 7)\,T_{E_G} + T_{E_{G_T}}$                          | $(4|A_u| - 7)\,T_P + (7|A_u| - 12)\,T_{E_G} + 2\,T_{E_{G_T}}$   | –          |    |    |    |
PPLBAC            | Key Gen. (dynamic)      | 0             | $(5 + 2m)\,T_{E_G}$                         | –                                       | –                                                          | –                                                               | –          | ✓  | ✓  | ✓  | ✓
PPLBAC            | Enc.                    | –             | –                                           | $(1 + 2m + 2T)\,T_{E_G} + T_{E_{G_T}}$  | 0                                                          | –                                                               | –          |    |    |    |
PPLBAC            | Acc. Req. (dynamic)     | $5\,T_{E_G}$  | 0                                           | –                                       | –                                                          | –                                                               | –          |    |    |    |
PPLBAC            | Dec.                    | –             | –                                           | –                                       | –                                                          | $T_{E_{G_T}}$                                                   | 0          |    |    |    |

Fig. 5 shows the computation time overhead incurred in the different phases of the proposed scheme. First, we evaluate the static computation time overhead imposed by the attribute authorities in the setup and key generation phases. Fig. 5a demonstrates the impact of the number of authorities, where each authority issues five attributes for each user, on the computation time overhead. Fig. 5b shows that the static computation time overhead on mobile users increases almost linearly as the number of attributes for each user increases from 2 to 20 (loc and time are two default attributes); in this case, we assume 5 attribute authorities. Fig. 5c illustrates the impact of the number of attributes on the location key generation, location key transformation, encryption and decryption overhead, where there are three attribute authorities. We observe that the computation time overhead of key generation (performed by LSP) is almost constant as the number of attributes increases from 1 to 20. In the first round of encryption, which is performed by DO and CSP, the computation time overhead of DO increases almost linearly with the number of attributes. Meanwhile, the computation time overhead of CSP in both rounds of encryption is almost negligible. We observe that the computation time of decryption (performed by CSP) increases, almost linearly, with the number of attributes. Fig. 5c also shows that the computation time overhead of the access request, which is performed by the user, is a small constant. More importantly, we observe that the decryption (performed by the user) stays almost constant irrespective of the number of attributes. This clearly shows that our proposed scheme is more suitable for mobile users.

Fig. 5 – Computation time analysis of PPLBAC: (a) the impact of the number of authorities on setup and attribute key generation overhead, (b) the impact of the number of attributes for each user on attribute key generation and attribute key transformation overhead, (c) the impact of the number of attributes on location key generation, location key transformation, encryption and decryption overhead.

Since the attribute-based solution in (Zhu et al., 2013) does not support the functionalities supported by PPLBAC (e.g. location unforgeability and location privacy; see Table 5), we only compare the performance, in terms of computation time overhead, of PPLBAC against the attribute-based solution in (Shao et al., 2014). Similar to our scheme, we consider two-dimensional coordinates for the location, where the location range is fixed at 24 × 24 ($N_{loc_i} = 24$). We assume that any other attribute att can be assigned 100 different values (i.e. $N_{att} = 100$). The experiment uses a supersingular elliptic curve with the same security level. Fig. 6 compares the computation time overhead for the different entities in PPLBAC and (Shao et al., 2014) in the Key Generation, Encryption and Decryption processes, while the number of attributes for each user increases from 2 to 20. The results show that although (Shao et al., 2014) reduces the computation time overhead of mobile users in both the Key Generation and Decryption processes to a negligible value, it imposes a high computation time overhead on LSP in both the Key Generation and Encryption processes, which makes it infeasible to apply to location-based services.

8. Conclusion

In this paper, we have investigated providing location-based services for attribute-based access control in mobile cloud. We have developed a multi-authority attribute-based access control scheme to simultaneously support static and dynamic attributes for mobile devices. Moreover, we have provided a way to outsource the heavy computations from resource-constrained mobile devices and reduce their computational overhead to a small constant. In the proposed scheme, we transform the secret information received from different authorities. This results in providing anonymous location-based services for mobile users and protecting the privacy of each user against authorities and CSP. The security analysis and performance evaluation results show that our proposed scheme is a promising approach to provide privacy preserving location-based access control for mobile cloud.

REFERENCES

Androulaki E, Soriente C, Malisa L, Capkun S. Enforcing location and time-based access control on cloud-stored data. In: Distributed Computing Systems (ICDCS), 2014 IEEE 34th International Conference on. 2014. p. 637–48. doi:10.1109/ICDCS.2014.71.

Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: Security and Privacy, 2007. SP'07. IEEE Symposium on. IEEE; 2007. p. 321–34.

Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In: Advances in Cryptology – CRYPTO 2001. Springer; 2001. p. 213–29.

Boneh D, Goh E-J, Nissim K. Evaluating 2-DNF formulas on ciphertexts. In: Theory of Cryptography. Springer; 2005. p. 325–41.

De Caro A, Iovino V. JPBC library – the Java realization for pairing-based cryptography. 2011a. Available from: http://gas.dia.unisa.it/projects/jpbc/.

De Caro A, Iovino V. JPBC: Java pairing based cryptography. In: Proceedings of the 16th IEEE Symposium on Computers and Communications, ISCC 2011, IEEE, Kerkyra, Corfu, Greece, June 28–July 1. 2011b. p. 850–5.

Domingo-Ferrer J. Microaggregation for database and location privacy. In: Next Generation Information Technologies and Systems. Springer; 2006. p. 106–16.

Fernandez RC, Pietzuch P, Kreps J, Narkhede N, Rao J, Koshy J, et al. Liquid: unifying nearline and offline big data integration. In: CIDR. 2015.

Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM; 2006. p. 89–98.

Green M, Akinyele A, Rushanan M. Libfenc: the functional encryption library. Available from: http://code.google.com/p/libfenc.

Guo B, Satake S, Imai M. Home-explorer: ontology-based physical artifact search and hidden object detection system. Mobile Inf Syst 2008;4(2):81–103.

Guo B, Fujimura R, Zhang D, Imai M. Design-in-play: improving the variability of indoor pervasive games. Multimed Tools Appl 2012;59(1):259–77.

Hu H, Chen Q, Xu J. Verdict: privacy-preserving authentication of range queries in location-based services. In: Data Engineering (ICDE), 2013 IEEE 29th International Conference on. IEEE; 2013. p. 1312–15.

Jiang R, Wu X, Bhargava B. SDSS-MAC: secure data sharing scheme in multi-authority cloud storage systems. Comput Secur 2016;62:193–212.

Fig. 6 – Computation time overhead of PPLBAC compared with that of Shao et al. (2014) in (a) key generation, (b) encryption and (c) decryption.

Jung T, Li X-Y, Wan Z, Wan M. Control cloud data access privilege and anonymity with fully anonymous attribute-based encryption. IEEE Trans Inf Forens Secur 2015;10(1):190–9.

Lai J, Deng R, Guan C, Weng J. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Forens Secur 2013;8(8):1343–54. doi:10.1109/TIFS.2013.2271848.

Lai J, Deng RH, Guan C, Weng J. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Forens Secur 2013;8(8):1343–54.

Lewko A, Waters B. Decentralizing attribute-based encryption. In: Advances in Cryptology – EUROCRYPT 2011. Springer; 2011. p. 568–88.

Li J, Ren K, Zhu B, Wan Z. Privacy-aware attribute-based encryption with user accountability. In: Information Security. Springer; 2009. p. 347–62.

Li W, Xue K, Xue Y, Hong J. TMACS: a robust and verifiable threshold multi-authority access control system in public cloud storage. IEEE Trans Parallel Distrib Syst 2016;27(5):1484–96. doi:10.1109/TPDS.2015.2448095.

Lien I-T, Lin Y-H, Shieh J-R, Wu J-L. A novel privacy preserving location-based service protocol with secret circular shift for K-NN search. IEEE Trans Inf Forens Secur 2013;8(6):863–73. doi:10.1109/TIFS.2013.2252011.

Lynn B. PBC library – the pairing-based cryptography library; 2007. Available from: https://crypto.stanford.edu/pbc.

Pan X, Xu J, Meng X. Protecting location privacy against location-dependent attacks in mobile services. IEEE Trans Knowl Data Eng 2012;24(8):1506–19.

Peng T, Liu Q, Wang G. Enhanced location privacy preserving scheme in location-based services. IEEE Syst J 2014;219–30. doi:10.1109/JSYST.2014.2354235.

Rathore MMU, Paul A, Ahmad A, Chen B-W, Huang B, Ji W. Real-time big data analytical architecture for remote sensing application. IEEE J Sel Top Appl Earth Obs Remote Sens 2015;8(10):4610–21.

Sahai A, Waters B. Fuzzy identity-based encryption. In: Advances in Cryptology – EUROCRYPT 2005. Springer; 2005. p. 457–73.

Schlegel R, Chow CY, Huang Q, Wong DS. User-defined privacy grid system for continuous location-based services. IEEE Trans Mobile Comput 2015;14(10):2158–72. doi:10.1109/TMC.2015.2388488.

Shankar S. Amazon elastic compute cloud; 2009. Available from: http://aws.amazon.com/ec2/2009.

Shao J, Lu R, Lin X. Fine: a fine-grained privacy-preserving location-based service framework for mobile devices. In: INFOCOM, 2014 Proceedings IEEE. IEEE; 2014. p. 244–52.

Shin H, Vaidya J, Atluri V. Anonymization models for directional location based service environments. Comput Secur 2010;29(1):59–73.

Tysowski PK, Hasan MA. Hybrid attribute- and re-encryption-based key management for secure and scalable mobile applications in clouds. IEEE Trans Cloud Comput 2013;1(2):172–86.

Wang G, Yue F, Liu Q. A secure self-destructing scheme for electronic data. J Comput Syst Sci 2013a;79(2):279–90.

Wang G, Du Q, Zhou W, Liu Q. A scalable encryption scheme for multi-privileged group communications. J Supercomput 2013b;64(3):1075–91.

Wang J. Java realization for ciphertext-policy attribute based encryption (CP-ABE); 2013. Available from: http://junwei-wang.github.io/cpabe/.

Wang Z, Huang D, Zhu Y, Li B, Chung C. Efficient attribute-based comparable data access control. IEEE Trans Comput 2015;3430–43. doi:10.1109/TC.2015.2401033.

Yang K, Jia X. Expressive, efficient, and revocable data access control for multi-authority cloud storage. IEEE Trans Parallel Distrib Syst 2014;25(7):1735–44.

Yeh LY, Chiang PY, Tsai YL, Huang JL. Cloud-based fine-grained health information access control framework for lightweight IoT devices with dynamic auditing and attribute revocation. IEEE Trans Cloud Comput 2015;99. doi:10.1109/TCC.2015.2485199.

Yiu ML, Jensen CS, Huang X, Lu H. SpaceTwist: managing the trade-offs among location privacy, query performance, and query accuracy in mobile services. In: Data Engineering, 2008. ICDE 2008. IEEE 24th International Conference on. IEEE; 2008. p. 366–75.

Yu S, Wang C, Ren K, Lou W. Achieving secure, scalable, and fine-grained data access control in cloud computing. In: INFOCOM, 2010 Proceedings IEEE. IEEE; 2010. p. 1–9.

Zhu Y, Hu H, Ahn G-J, Yu M, Zhao H. Comparison-based encryption for fine-grained access control in clouds. In: Proceedings of the Second ACM Conference on Data and Application Security and Privacy. ACM; 2012. p. 105–16.

Zhu Y, Ma D, Huang D, Hu C. Enabling secure location-based services in mobile cloud computing. In: Proceedings of the Second ACM SIGCOMM Workshop on Mobile Cloud Computing. ACM; 2013. p. 27–32.

Yaser Baseri received his B.S. degree from Shahid Beheshti University, Tehran, Iran, in 2005 and his M.S. degree in Computer Science from Sharif University of Technology, Tehran, Iran, in 2007. He was also a research assistant at the Institute of Electronics Research, Sharif University of Technology, Tehran, Iran. Currently, he is pursuing the Ph.D. degree in Computer Science at the Network Research Lab (NRL), Department of Computer Science and Operations Research, Universite de Montreal, Montreal, QC, Canada. He is also a Research Fellow at CIRRELT. His research interests include cloud computing, cryptography and network security.

Abdelhakim Hafid was a Senior Research Scientist at Telcordia Technologies, NJ, USA, for several years, focused on major research projects on the management of next generation networks. He was also a Visiting Professor at the University of Evry, France, an Assistant Professor at Western University, Canada, a Research Director at the Advance Communication Engineering Center (a venture established by WU, Bell Canada, and Bay Networks), Canada, a Researcher at CRIM, Canada, and a Visiting Scientist at GMD-Fokus, Berlin, Germany. He is a Full Professor at the University of Montreal, where he founded the Network Research Laboratory in 2005. He is also a Research Fellow at CIRRELT. He has extensive academic and industrial research experience in the area of the management and design of next generation networks.

Soumaya Cherkaoui is a Full Professor at the Electrical and Computer Engineering Dept. at Universite de Sherbrooke, Canada, where she is the Director of INTERLAB. In the past, she worked for several years in industry leading major projects targeted at the aerospace industry. She has held invited visiting positions at several universities and research centers, including U. Toronto, Monash University, Bell Laboratories, UC Berkeley, and U. Montreal. She has over 200 publications in reputable journals and conferences, has served as a General Chair and TPC chair of numerous conferences and workshops, and as Associate or Guest Editor of several reputable journals.
