Abstract
Leakage-resilient ciphertext-policy attribute-based encryption (LR-CP-ABE) is an important tool to achieve fine-grained access control of data and resist side-channel attacks. Privacy protection and user revocation are two practical problems it faces. However, most of the existing schemes fail to achieve user revocation while protecting user’s privacy at present. To address the above problems, we propose an anonymous LR-CP-ABE scheme with user revocation in this paper, which is proven to be adaptively secure in the standard model under four static assumptions over composite order group. Furthermore, we also show the proposed scheme achieves the receivers anonymity which protects the users’ privacy. The performance analyses confirm the feasibility of the proposed scheme.
Supported by the National Cryptography Development Fund under grant (MMJJ20180209).
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
ABE was first proposed by Sahai and Waters [1], which is an important tool for solving security and fine-grained data sharing and access control problems. It has become a research hotspot in recent years. The ABE systems can be divided into two categories: one is CP-ABE [2] and the other is key-policy ABE (KP-ABE) [3]. The most obvious difference between them is whether the private keys are related to the attribute set. In CP-ABE, a private key is associated with an attribute list, a ciphertext is related to an access structure. The users can decrypt the ciphertexts if and only if the user’s attribute set satisfies the corresponding access structure. While in KP-ABE, the situation is reversed.
Revocation is a challenge problem in the CP-ABE setting because there has opportunities to dynamically change attributes or users. Therefore, the revocation mechanism can be divided into two types, namely, attribute revocation and user revocation. So far, there are two ways to solve this problem: direct revocation and indirect revocation. Indirect method means revocation mechanism by authority, which updates the private keys of a user who has not revoked an attribute periodically or dynamically. While direct method means revocation is performed by the date owner who specified the revoked user list during the encryption process. Although direct method has less flexibility in revoking users, it has an advantage in revoking costs. Revocable ABE was first proposed in [4, 5], so far, it has made great progress, such as [6,7,8,9] and so on.
Although ABE can be directly applied to the design of secure access control, for the purpose of better protecting user’s privacy and data security, anonymous ABE was proposed in [10, 11] and further improved by [12, 13]. More related works can refer to [14,15,16,17,18,19]. In anonymous ABE, the adversary cannot obtain some meaningful information about the corresponding attributes in the access policies.
However, studies have shown that these schemes can not resist various forms of attacks, such as side-channel attacks. Because the security of these schemes is based on an idealized assumption that the adversary cannot get any information of the private keys and internal state. In fact, this assumption is actually unrealistic. The adversary can learn meaningful information about the keys by using some of the physical information that the algorithm outputs. So the adversary can easily break the security of these schemes. In order to characterize the leaked information that the adversary available and protect the security of these schemes, ABE based on various leakage models are proposed in [20,21,22,23,24,25,26,27].
Zhang et al. [22] focused on the above three issues and designed a leakage-resilient secure ABE with fine-grained attribute revocation to achieve the semantic security in the continual key leakage model. Users need to pay a big price in decryption. Subsequently, Yu et al. [25] introduced a leakage-resilient CP-ABE supporting indirect revocation which can tolerate the leakage of the private keys and the master secret keys. The security of the scheme is proved by using dual system encryption.
While above schemes cannot achieve leakage-resilience, anonymity and user revocation at the same time. Therefore, it is worthwhile to study an efficient scheme that can realize the above three performances.
1.1 Our Contribution
In this paper, an CP-ABE scheme under the continuous leakage model is constructed whose leakage bound achieves \(\lambda \le (\omega -1-2c)\log p_{2}\) during two updates, which is proved to be adaptively secure in the standard model under four static assumptions over composite order bilinear group. Moreover, this scheme can achieve the user’s direct revocation by embedding the revocation list in the ciphertexts. We also give an analysis of how the scheme achieves anonymity (Table 1).
2 Preliminaries
2.1 Linear Secret Sharing
A secret sharing scheme \(\varLambda \) over a set of attributes S is called linear on the two conditions that:
-
(1)
The shares for each attributes form a vector from \(\mathbb {Z}_{p}\).
-
(2)
There exists a \(l\times n\) matrix \(\varvec{A}\) called sharing-generating matrix for \(\varLambda \). The function \(\rho \) maps the \(x^{th}\) row of \(\varvec{A}\) to an attribute value labeling \(\rho (x)\) for all \(x\in [l]\). Then we selects a vector \(\varvec{v}=(s, v_{2},...,v_{n})\in _{R}\mathbb {Z}_{p}^{n}\), where s is the secret to be shared, and \(\varvec{A}\cdot \varvec{v}\) is the vector of l shares of the secret s according to \(\varLambda \). The shares \((\varvec{A}\varvec{v})_{x}\) belongs to the attribute value \(\rho (x)\).
Linear Reconstruction. Let \(C\in \varLambda \) be any authorized set, and let \(I\subset \{1,2,...,l\}\) be defined as \(I=\{x'| \rho (x')\in C\}\). Then, there exists constants \(\{\mu _{x'}\in \mathbb {Z}_{p}\}_{x'\in I}\) such that, if \(\{\lambda _{x'}\}\) are valid shares of any s in \(\varLambda \), then \(\sum _{x'\in I}\mu _{x'}\lambda _{x'}=s\). This collection \(\{\mu _{x'}\}_{x'\in I}\) can be found in polynomial time.
2.2 Complexity Assumptions
Assumption 1
Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4},T)\), where \(g_{\check{i}}\in _{R}\mathbb {G}_{p_{\check{i}}}\) for \(\check{i}=1, 3, 4\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}\mathbb {G}_{p_{1}p_{4}}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{4}}\) is negligible.
Assumption 2
Given instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2}, W_{2}W_{3},T)\), where \(g_{1},U_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(U_{2},W_{2}\in _{R}\mathbb {G}_{p_{2}}\), \(g_{3},W_{3}\in _{R}\mathbb {G}_{p_{3}}\) and \(g_{4}\in _{R}\mathbb {G}_{p_{4}}\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}\mathbb {G}_{p_{1}p_{3}}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{3}}\) is negligible.
Assumption 3
Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4} ,\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{2},g_{3},g_{4}, g_{1}^{\alpha }U_{2},g_{1}^{s}W_{2},g_{2}^{r},U_{2}^{r},T)\), where \(s,\alpha ,r\in _{R}\mathbb {Z}_{N}\), \(g_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(g_{2},U_{2},W_{2}\in _{R}\mathbb {G}_{p_{2}}\) and \(g_{3}\in _{R}\mathbb {G}_{p_{3}}\), the advantage of \(\mathcal {A}\) distinguish \(T=\hat{e}(g,g)^{\alpha s}\) from \(T\in _{R}\mathbb {G}_{T}\) is negligible.
Assumption 4
Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{2},g_{3},g_{4}, U_{1}U_{4},U_{1}^{\hat{r}}U_{2},g_{1}^{\hat{r}}W_{2},g_{1}^{s}W_{24},U_{1}g_{3}^{\hat{s}},T)\), where \(s,\hat{r},\hat{s}\in _{R}\mathbb {Z}_{N}\), \(g_{1},U_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(g_{2},U_{2}, W_{2}\in _{R}\mathbb {G}_{p_{2}}\), \(g_{3}\in _{R}\mathbb {G}_{p_{3}}\), \(g_{4},U_{4}\in _{R}\mathbb {G}_{p_{4}}\) and \(W_{24},D_{24}\in _{R}\mathbb {G}_{p_{2}p_{4}}\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}U_{1}^{s}D_{24}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{4}}\) is negligible.
2.3 Random Subspaces for Leakage Resilience over Arbitrary Functions
Theorem 1
For any function \(f:\mathbb {Z}_{p}^{m'\times d'}\rightarrow \phi \), there exists
where \(m',l',d'\in _{R}\mathbb {N}\), \(2d'\le l'\le m'\), \(\varvec{X}_{1}\in _{R}\mathbb {Z}_{p}^{m'\times l'}\),\(\varvec{X}_{2}\in _{R}\mathbb {Z}_{p}^{m'\times d'}\), \(\varvec{T}\in _{R}Rank_{d'}(\mathbb {Z}_{p}^{l'\times d'}),|\phi |\le 4(1-\frac{1}{p})\cdot p_{2}^{l'-2d'+1}\cdot \epsilon ^{2}\).
Claim
For any function \(f:\mathbb {Z}_{p}^{m'}\rightarrow \{0,1\}^{l'}\), there exists
where \(\varDelta ,\varvec{\mu }\in _{R}\mathbb {Z}_{p}^{m'},\varvec{\mu '}\cdot \varDelta =0 \mod p, l'\le 4p^{m'-3}(p-1)\cdot \epsilon ^{2}\).
3 LR-CP-ABE Supporting Direct Revocation
3.1 Model of LR-CP-ABE with Direct Revocation
Three entities are included in our construction: attribute authority (AA), data owners (DO) and users.
-
Setup\((\kappa ,\varSigma ,\lambda )\): AA takes the security parameter \(\kappa \), universe attribute set \(\varSigma \) and leakage bound \(\lambda \) as input, outputs the public keys pk and master secret keys msk.
-
KeyGen(pk, msk, S, id): AA inputs the public keys pk, master secret keys msk, attribute list S for the user with id, outputs the private keys \(sk_{S}\).
-
UpdateUsk\((pk,sk_{S})\): AA takes the public keys pk and the secret keys \(sk_{S}\) as input, outputs the new private keys \(sk_{S}'\).
-
Encrypt\((pk,m,\varLambda ,\mathcal {R})\): DO takes the public keys pk, a message m, access structure \(\varLambda \) and revocation list \(\mathcal {R}\) as input, then outputs the ciphertexts CT.
-
Decrypt\((CT,sk_{S})\): The users inputs the ciphertexts CT and the private keys \(sk_{S}\), and outputs the message m.
3.2 Security Properties of the ANON-LR-CP-ABE with Direct Revocation
This game is played by the interaction between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\), the concrete process is described as follows:
-
Setup: \(\mathcal {C}\) inputs the security parameter \(\kappa \) and the leakage upper bound \(\lambda \), generates the public keys pk and the master secret keys msk. Then \(\mathcal {C}\) sends pk to \(\mathcal {A}\) while keeps msk. At the same time, \(\mathcal {C}\) creates an initial empty lists: \(\mathcal {L}=(hd,S,sk_{S},L_{sk})\), where \(L_{sk}\) means the total leakage bits.
-
Phase 1: \(\mathcal {A}\) adaptively performs the following queries:
-
KeyGen queries: \(\mathcal {A}\) sends an identity id and an attribute list S to \(\mathcal {C}\), then \(\mathcal {C}\) runs the algorithm \(\mathbf {KeyGen}\) to generate the private keys \(sk_{S}\). Finally, \(\mathcal {C}\) updates \(hd=hd+1\) and adds the item \((hd,S,sk_{S},0)\) to the list \(\mathcal {L}\).
-
Leakage queries: \(\mathcal {A}\) gives a polynomial-time computable arbitrary function \(f:\{0,1\}^{*}\rightarrow \{0,1\}^{*}\) to \(\mathcal {C}\). Assume that the set is \((hd,S,sk_{S},L_{sk_{S}})\), then \(\mathcal {C}\) checks whether \(|f(sk_{S})|+L_{sk_{S}}\le \lambda \). If this is true, it returns \(f(sk_{S})\) to \(\mathcal {A}\). Otherwise, outputs the symbol \(\bot \).
-
UpdateUsk queries: \(\mathcal {A}\) queries the new updated secret keys for hd. If there is no \((hd,S,sk_{S},L_{sk_{S}})\) found in set \(\mathcal {L}\). Then \(\mathcal {C}\) runs the algorithm KeyGen to get the private keys \(sk_{S}\) and sets \(L_{sk_{S}}=0\). Otherwise, \(\mathcal {C}\) returns re-randomized private keys \(sk_{S}'\) with UpdatedUsk and updates the corresponding \(L_{sk_{S}}=0\).
-
-
Challenge: \(\mathcal {A}\) outputs two messages of the same length \(m_{0},m_{1}\), revocation list \(\mathcal {R}\) and two challenge access structures \(\varLambda _{0}(\varvec{A}_{0},\rho _{0})\), \(\varLambda _{1}(\varvec{A}_{1},\rho _{1})\) to \(\mathcal {C}\), then \(\mathcal {C}\) selects \(b\in \{0,1\}\) randomly and encrypts the message \(m_{b}\) under the access structure \(\varLambda _{b}(\varvec{A}_{b},\rho _{b})\). Finally, it outputs the ciphertexts \(CT^{*}\) to \(\mathcal {A}\).
-
Phase 2: The phase is similar to \(\mathbf {Phase 1}\) except that \(\mathcal {A}\) cannot execute the Leakage queries and the KeyGen queries that the corresponding attribute set satisfies the challenge access structure.
-
Guess: \(\mathcal {A}\) outputs the guess \(b'\) of b and wins the game if \(b'=b\).
If the advantage of \(\mathcal {A}\) in the above game is negligible, then it is said that the anonymous CP-ABE scheme which supporting direct revocation is indistinguishable under the chosen plaintext attack (ANON-IND-CPA-REVO) and it is \(\lambda \) leakage-resilient, where the advantage of \(\mathcal {A}\) is defined as
4 Construction
4.1 Concrete Construction
-
Setup\((\kappa ,\varSigma ,\lambda )\): AA takes a security parameter \(\kappa \) and the attribute universe description \(\varSigma \) and a leakage bound \(\lambda \) as input. Then it runs the bilinear group generator to produce \(\varTheta =(N=p_{1}p_{2}p_{3}p_{4}, \mathbb {G},\mathbb {G}_{T},\hat{e})\), defines \(negl=p_{2}^{-c}\) as the allowable maximum probability in succeeding in leakage guess and computes \(\omega =\lceil 1+2c+\frac{\lambda }{\log p_{2}}\rceil \), where c is a positive constant. Then the algorithm generates the public keys as follows. First, it selects \(g_{1},h\in \mathbb {G}_{p_{1}}\), \(g_{3}\in \mathbb {G}_{p_{3}}\) and \(a,\alpha \in \mathbb {Z}_{N}\) at random. Second, it selects \(\varvec{\rho }\in _{R} \mathbb {Z}_{N}^{\omega }\) and selects \(t_{i,j}\in _{R}\mathbb {Z}_{N}\), \(g_{4},w_{0},w_{i,j}\in _{R}\mathbb {G}_{p_{4}}\) for each \(i\in [n],j\in [n_{i}]\), the public keys are
$$pk=\bigg (N, a_{0}, h, u, g_{3}, g_{1}^{\varvec{\rho }}, y, T_{i,j};\forall i\in [n],j\in [n_{i}] \bigg )$$where \(a_{0}=g_{1}w_{0}, u=g_{1}^{a}g_{4}, y=e(g_{1},g_{1})^{\alpha }, T_{i,j}=g_{1}^{t_{i,j}}w_{i,j}\).
The master secret keys are
$$msk=(a,\alpha ,t_{i,j},g_{1}).$$ -
KeyGen(pk, msk, S, id): On input the public keys pk, the master keys msk, an attribute set S and users identity id, AA outputs the secret keys \(sk_{S}=\bigg (S,sk_{S,1},sk_{S,2}\bigg )=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{2,i},k_{3,i},k_{4,i}\}_{i\in S}\bigg )\) and sends them to users. AA selects \(r_{id},y_{1}\in _{R}\mathbb {Z}_{N}\), \(\varvec{y}_{0},\varvec{\sigma }\in _{R}\mathbb {Z}_{N}^{\omega }\) and picks \(r_{i,j}, y_{i,j,2}\), \(y_{i,j,3}, y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), calculates and outputs the secret keys as follows.
$$\begin{aligned} \begin{aligned} sk_{S}&=\bigg (S,sk_{S,1},sk_{S,2}\bigg )\\&=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{i,j,2},k_{i,j,3},k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{g_{1}^{\varvec{\sigma }}*g_{3}^{\varvec{y}_{0}},g_{1}^{\alpha +ar_{id}+\langle \varvec{\sigma },\varvec{\rho }\rangle }g_{3}^{y_{1}}\},\{g_{1}^{\alpha r_{id}+t_{i,j}r_{i,j}+ar_{i,j}}g_{3}^{y_{i,j,2}},g_{1}^{r_{i,j}}g_{3}^{y_{i,j,3}},\\ {}&(g_{1}^{aid}h)^{r_{i,j}}g_{3}^{y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} \end{aligned}$$(1) -
UpdateSk\((sk_{S},S)\): AA selects \(\varDelta r_{id},\varDelta y_{1}\in _{R}\mathbb {Z}_{N}\), \(\varDelta \varvec{\sigma },\varDelta \varvec{y}_{0}\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(\varDelta r_{i,j},\varDelta y_{i,j,2},\varDelta y_{i,j,3},\varDelta y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), outputs the re-randomized keys \(sk_{S}'\):
$$\begin{aligned} \begin{aligned} sk_{S}'&=\bigg (S,sk_{S,1}',sk_{S,2}'\bigg )\\&=\bigg (S,\{\varvec{k}_{0}',k_{1}'\},\{k_{i,j,2}',k_{i,j,3}',k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{\varvec{k}_{0}*g_{1}^{\varDelta \varvec{\sigma }}*g_{3}^{\varDelta \varvec{y}_{0}},k_{1}g_{1}^{a\varDelta r_{id}+\langle \varvec{\rho },\varDelta \varvec{\sigma }\rangle }g_{3}^{\varDelta y_{1}}\},\{k_{i,j,2}g_{1}^{\alpha \varDelta r_{id}+t_{i,j}\varDelta r_{i,j}+a\varDelta r_{i,j}}\\ {}&g_{3}^{\varDelta y_{i,j,2}},k_{i,j,3}g_{1}^{\varDelta r_{i,j}}g_{3}^{\varDelta y_{i,j,3}},k_{i,j,4}(g_{1}^{aid}h)^{\varDelta r_{i,j}}g_{3}^{\varDelta y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} \end{aligned}$$(2) -
Encrypt\((pk,m,\varLambda )\): \(\varvec{A}\) in \(\varLambda (\varvec{A},\rho )\) is a secret sharing matrix of \(l\times n\), where \(\rho \) maps rows of \(\varvec{A}\) into attribute values. \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) be an attribute revocation list. DO selects \(\varvec{v}=(s,v_{2},...,v_{n})\in \mathbb {Z}_{N}^{n}\) at random. The revocation list of attribute \(\rho (x)\) is \(R_{\rho (x)}=\{id_{1},id_{2},...,id_{l_{x}}\}\), where \(l_{x}\) is a variable number of revocation users. Then the algorithm selects \(s_{x,i'}\in _{R}\mathbb {Z}_{N}\) for each \(id_{i'}\in R_{\rho (x)}\) with the restriction that \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{x}\) where \(\lambda _{x}=\varvec{A}_{x}\cdot \varvec{v}\), \(g_{4},w_{1},w_{\lambda _{x},1},w_{\lambda _{x},2},w_{x,i',1},w_{x,i',2}\in _{R}\mathbb {G}_{p_{4}}\), \(\varvec{A}_{x}\) is the \(x^{th}\) row of \(\varvec{A}\). Finally, the algorithm outputs the ciphertexts CT as follows:
$$\begin{aligned} \begin{aligned} CT&=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R},c_{0},\varvec{c}_{1},c_{2},\{c_{x,0},c_{x,1},\{c_{x,i'}^{1},c_{x,i'}^{2}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\\&=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R}, my^{s},a_{0}^{-s\varvec{\rho }}*g_{4}^{\varvec{\mu }},a_{0}^{s}\cdot w_{1},\{a_{0}^{\lambda _{x}}\cdot w_{\lambda _{x},1} ,T_{\rho (x)}^{\lambda _{x}}\cdot w_{\lambda _{x},2} ,\\ {}&\{a_{0}^{s_{x,i'}}\cdot w_{x,i',1},(u^{id_{i'}}h)^{s_{x,i'}}\cdot w_{x,i',2}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg ) \end{aligned} \end{aligned}$$(3)where \(\varvec{\mu }\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\{I_{x}\}_{x\in [l]}\subset \{1,2,...,n\}\) is the index set of corresponding attribute name.
-
Decrypt\((CT,sk_{S})\): This algorithm takes the public keys pk, users identity id, the ciphertexts CT and the secret keys \(sk_{S}\) as input. If \(id\in R_{\rho (x)}\), then the algorithm aborts. Otherwise, suppose \(\mathcal {H}=\{x|\rho (x)\in S, id\not \in R_{\rho (x)}\}\). If \(S'=\{\rho (x)|x\in \mathcal {H}\}\) satisfies the access structure, then users computes \(d_{x,1},d_{x,2}\) for every \(x\in \mathcal {H}\) at first.
$$\begin{aligned} \begin{aligned} d_{x,1}&=\prod _{i'=1}^{l_{x}}\bigg (\frac{\hat{e}(k_{\rho (x),3},c_{x,i'}^{2})}{\hat{e}(k_{\rho (x),4},c_{x,i'}^{1})}\bigg )^{\frac{1}{id-id_{i'}}}\\&=\prod _{i'=1}^{l_{x}}\bigg (\frac{\hat{e}(g_{1}^{r_{\rho (x)}}g_{3}^{y_{\rho (x),3}},(u^{id_{i'}}h)^{s_{x,i'}})}{\hat{e}((g^{a id}h)^{r_{\rho (x)}}g_{3}^{y_{\rho (x),4}},g_{1}^{s_{x,i'}})}\bigg )^{\frac{1}{id-id_{i'}}}\\&=\prod _{i'=1}^{l_{x}}\hat{e}(g_{1},g_{1})^{-ar_{\rho (x)}s_{x,i'}}\\&=\hat{e}(g_{1},g_{1})^{-a \lambda _{x}r_{\rho (x)}} \end{aligned} \end{aligned}$$(4)$$\begin{aligned} \begin{aligned} d_{x,2}&=\frac{\hat{e}(k_{\rho (x),2},c_{x,0})}{\hat{e}(k_{\rho (x),3},c_{x,1})}\\&=\frac{\hat{e}(g_{1}^{\alpha r_{id}+t_{\rho (x)}r_{\rho (x)}+ar_{\rho (x)}}g_{3}^{y_{\rho (x),2}},g^{\lambda _{x}})}{\hat{e}(g_{1}^{r_{\rho (x)}}g_{3}^{y_{\rho (x),3}},T_{\rho (x)}^{\lambda _{x}})}\\&=\hat{e}(g_{1},g_{1})^{\alpha r_{id}\lambda _{x}+a\lambda _{x}r_{\rho (x)}} \end{aligned} \end{aligned}$$(5)Obvious, there are
$$d_{x}=d_{x,1}d_{x,2}=\hat{e}(g_{1},g_{1})^{\alpha r_{id}\lambda _{x}}$$$$\begin{aligned} CT'=\prod _{x\in \mathcal {H}}d_{x}^{\mu _{x}}=\hat{e}(g_{1},g_{1})^{\alpha r_{id}s} \end{aligned}$$(6)where \(\sum _{x\in \mathcal {H}}\mu _{x}\varvec{A}_{x}=(1,0,0,..,0)\). Finally, it computes the \(m=\frac{c_{0}}{\hat{e_{\omega }}(\varvec{c}_{1},\varvec{k}_{0})\hat{e}(c_{2},k_{1})}CT'.\)
4.2 Security Proof
The security proof is based on dual system encryption, so we define the semi-functional keys and semi-functional ciphertexts as follows:
Semi-functional Keys: There are two types of semi-functional keys in our proof. Firstly, we run the KeyGen to get normal private keys as: \(sk_{S}=\bigg (S,sk_{S,1}, sk_{S,2}\bigg )=\bigg (S,\{\varvec{k}_{0}',k_{1}'\},\{k_{i,j,2}',k_{i,j,3}',k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\). Then it selects \(\varvec{d}_{0}\in _{R}\mathbb {Z}_{N}^{\omega },d_{1}\in _{R}\mathbb {Z}_{N}\) and \(d_{i,j,2},d_{i,j,3},d_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\) and compute two types of semi-functional private keys components as follows.
Type 1.
Type 2.
Semi-functional Ciphertexts: For an access structure \(\varLambda (\varvec{A},\rho )\) and a revocation list \(\mathcal {R}\) , we first run the encryption algorithm Encrypt to obtain normal ciphertexts \(CT=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R},c_{0},\varvec{c}_{1}',c_{2}',\{c_{x,0}',c_{x,1}',\{c_{x,i'}^{1'},c_{x,i'}^{2'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\) and choose some random elements \(\varvec{e}_{1}\in \mathbb {Z}_{N}^{\omega }\) and \(e_{2},e_{x,0},e_{x,1},e_{x,i',1},e_{x,i',2} \in \mathbb {Z}_{N}\). The semi-functional ciphertexts are computed as follows:
The security of the program is proved by a series of indistinguishable games. The specific game definitions are described below:
-
\(Game_{real}\): This is a real game that the private keys and ciphertexts are in normal form.
-
\(Game_{0}\): The game is similar to the \(Game_{real}\) except that the ciphertexts are semi-functional.
-
\(Game_{k-1,2}\): The first \(k-1\) private keys are semi-functional of Type 2, the rest of private keys are normal.
-
\(Game_{k,1}\): The game is similar to the \(Game_{k-1,2}\) except the \(k^{th}\) private key is semi-functional of Type 1.
-
\(Game_{k,2}\): The game is similar to the \(Game_{k,1}\) except the \(k^{th}\) private key is semi-functional of Type 2.
-
\(Game_{q,2}\): All of private keys are semi-functional of Type 2 and the ciphertexts are semi-functional, where q is the number of queries.
-
\(Game_{final,0}\): The ciphertext component \(c_{0}\) is the encryption of a random message.
-
\(Game_{final,1}\): The component \(c_{x,i',2}\) is a random element in subgroup \(\mathbb {G}_{p_{1}p_{2}p_{4}}\).
Lemma 1
Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{real}\) and \(Game_{0}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 1 with same advantage.
Proof
\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3}, g_{4},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{real}\) or \(Game_{0}\).
Setup: After receiving the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}), g_{1},g_{3},g_{4},T)\), \(\mathcal {B}\) generates the public keys as follows: \(pk=\bigg (N,a_{0}=g_{1}g_{4}^{a'},h=g_{1}^{t},u=g_{1}^{a}g_{4},g_{3},g_{1}^{\varvec{\rho }},y=e(g_{1},g_{1})^{\alpha },T_{i,j}=g_{1}^{t_{i,j}}g_{4}^{a_{i,j}};\forall i\in [n],j\in [n_{i}] \bigg ),\) where \(t,a,a',\alpha ,t_{i,j},a_{i,j}\in _{R}\mathbb {Z}_{N},\varvec{\rho }\in _{R}\mathbb {Z}_{N}^{\omega }\).
Phase 1: Because \(\mathcal {B}\) knows the master keys, so it can answer all the KeyGen queries and Leakage queries.
Challenge: \(\mathcal {A}\) sends two challenge access structure \(\varLambda _{0}^{*}(\varvec{A}_{0}^{*},\rho _{0}^{*}),\varLambda _{1}^{*}(\varvec{A}_{1}^{*},\rho _{1}^{*})\), two messages \(m_{0},m_{1}\) of equal length and a revocation list \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) to \(\mathcal {B}\), then \(\mathcal {B}\) selects \(b\in \{0,1\}\) at random and computes the ciphertexts as follows: \(CT=\bigg (\varvec{A}_{b}^{*},\{I_{b,x}\}_{x\in [l]},\mathcal {R},c_{0}=m_{b}\hat{e}(T,g)^{\alpha },\varvec{c}_{1}'=T^{-\varvec{\rho }}g_{4}^{\varvec{u}},c_{2}'=Tg_{4}^{w_{1}'},\{c_{x,0}'=\) \(T^{\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},1}'},c_{x,1}'=T^{t_{\rho (x)}\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},2}'},\{c_{x,i'}^{1'}=T^{s_{x,i'}}g_{4}^{w_{x,i',1}'},c_{x,i'}^{2'}=T^{(aid'+t)s_{x,i'}} g_{4}^{w_{x,i',2}'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\), where \(\lambda _{b,x}=\varvec{A}^{*}_{b,x}\cdot \varvec{v}' ,\varvec{u},\varvec{v}'=(1,v_{2}',\)\(v_{3}',...,v_{n}')\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{b,x}\), \(w_{1}',w_{\lambda _{b,x},1}',w_{\lambda _{b,x},2}',w_{x,i',1}',w_{x,i',2}',s_{x,i'}\in _{R}\mathbb {Z}_{N}\), \(\{I_{x}\}_{x\in [l]}\) is the index set of corresponding attribute name.
Phase 2: Same as Phase 1 except that \(\mathcal {A}\) cannot execute the Leakage queries and KeyGen queries that the corresponding attribute set satisfies the challenge access structure.
Guess: \(\mathcal {A}\) outputs the guess of \(b'\) of b. If \(b'=b\), \(\mathcal {A}\) wins the game.
If \(T\in _{R}\mathbb {G}_{p_{1}p_{4}}\), then \(\mathcal {B}\) simulates the \(Game_{real}\). Otherwise, \(\mathcal {B}\) simulates the \(Game_{0}\). Therefore, if \(\mathcal {A}\) can distinguish these two games with a non-negligible advantage, then \(\mathcal {B}\) can break the Assumption 1 with same advantage.
Lemma 2
Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{k-1,2}\) and \(Game_{k,1}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.
Proof
\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2},W_{2}W_{3},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{k-1,2}\) or \(Game_{k,1}\).
Setup: The algorithm of Setup is same as that in Lemma 1.
KeyGen queries in Phase 1: To generate the first \(k-1\) semi-functional keys, \(\mathcal {B}\) chooses \(r_{id},y_{1}\in \mathbb {Z}_{N}\) at random, \(\varvec{y}_{0},\varvec{\sigma }\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(r_{i,j},y_{i,j,2},y_{i,j,3},y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), calculates and outputs the secret keys of Type 1 as follows.
To generate the \(k^{th}\) private key, \(\mathcal {B}\) picks \(r_{id},y_{1}\in \mathbb {Z}_{N}\) randomly, \(\varvec{y}_{0},\varvec{\sigma }'\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(r_{i,j},y_{i,j,2},y_{i,j,3},y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), outputs the following secret keys .
The rest of private keys are normal keys.
Challenge: \(\mathcal {A}\) sends two challenge access structure \(\varLambda _{0}^{*}(\varvec{A}_{0}^{*},\rho _{0}^{*}),\varLambda _{1}^{*}(\varvec{A}_{1}^{*},\rho _{1}^{*})\), two message \(m_{0},m_{1}\) of equal length and a revocation list \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) to \(\mathcal {B}\), then \(\mathcal {B}\) selects \(b\in \{0,1\}\) at random and calculates the ciphertexts as follows: \(CT=\bigg (\varvec{A}_{b}^{*},\{I_{b,x}\}_{x\in [l]},\mathcal {R},c_{0}=m_{b}\hat{e}(U_{1}U_{2},g)^{\alpha },\varvec{c}_{1}'=(U_{1}U_{2})^{-\varvec{\rho }}g_{4}^{\varvec{u}},c_{2}'=\) \((U_{1}U_{2})g_{4}^{w_{1}'},\{c_{x,0}'=(U_{1}U_{2})^{\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},1}'},c_{x,1}'=(U_{1}U_{2})^{t_{\rho (x)}\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},2}'},\{c_{x,i'}^{1'}=(U_{1} U_{2})^{s_{x,i}}g_{4}^{w_{x,i',1}'},c_{x,i'}^{2'}=((U_{1}U_{2})^{(a id_{i'}+t)s_{x,i'}}g_{4}^{w_{x,i',2}'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\), where \(\lambda _{b,x}=\varvec{A}^{*}_{x}\cdot \varvec{v}', \varvec{u},\varvec{v}'=(1,v_{2}',v_{3}',...,v_{n}')\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{b,x}\), \(w_{1}',w_{\lambda _{b,x},1}',w_{\lambda _{b,x},2}', w_{x,i',1}',w_{x,i',2}',s_{x,i'}\in _{R}\mathbb {Z}_{N}\), \(\{I_{x}\}_{x\in [l]}\) is the index set of corresponding attribute name.
Phase 2: Same as Phase 2 in Lemma 1.
Guess: \(\mathcal {A}\) outputs the guess of \(b'\) of b. If \(b'=b\), \(\mathcal {A}\) wins the game.
It can be learn from the analysis above that \(\mathcal {B}\) simulates the \(Game_{k-1,2}\) if \(T\in _{R}\mathbb {G}_{p_{1}p_{3}}\). Vice versa. So if \(\mathcal {A}\) distinguish these two games with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) break the Assumption 2 with same advantage.
Lemma 3
Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{k,1}\) and \(Game_{k,2}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.
Proof
\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2},W_{2}W_{3},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{k,1}\) or \(Game_{k,2}\).
The proof of Lemma 3 is similar to that of Lemma 2 except the construction of \(k^{th}\) private key.
If \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{3}}\), then \(\mathcal {B}\) simulates the \(Game_{k,1}\). Otherwise, \(\mathcal {B}\) simulates the \(Game_{k,2}\). So if \(\mathcal {A}\) can distinguish these two schemes with a non-negligible advantage, then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.
Lemma 4
Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{q,2}\) and \(Game_{final,0}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 3 with same advantage.
Lemma 5
Suppose that there is an adversary \(\mathcal {A}\) distinguish the \(Game_{final,0}\) and \(Game_{final,1}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 4 with same advantage.
We omitted the proof of Lemmas 4 and 5 because the space limitation.
Theorem 2
If the Assumptions 1, 2, 3 and 4 hold, then our scheme is \(\lambda \)-leakage-resilient and anonymous for \(\lambda \le (\omega -1-2c)\log p_{2}\), where c is a fixed positive constant.
Proof
If these four assumptions hold, then from the Lemmas 1, 2, 3, 4 and 5, our scheme is \(\lambda \)-leakage-resilient and anonymous for \(\lambda \le (\omega -1-2c)\log p_{2}\), where c is a fixed positive constant.
4.3 Leakage Performance
In this part, we give a concrete analysis of leakage resilience. The scheme has the same leakage bound \(\lambda \le (\omega -1-2c)\log p_{2}\) with schemes [20,21,22] and the allowable probability \(negl=p_{2}^{-c}\). Thus, the leakage rate of our scheme is \(\gamma =\frac{\omega -1-2c}{(1+c_{1}+c_{3})(\omega +1+3|S|)}\), where \(p_{\mathbbm {i}}(\mathbbm {i}\in [4])\) is large primes of \(d_{\mathbbm {i}}=c_{\mathbbm {i}}\kappa \) bits respectively. \(c_{\mathbbm {i}}\) is a positive constant.
4.4 Anonymity Analysis
To achieve the anonymity, we add the random elements in \(\mathbb {G}_{p_{4}}\) to components of public keys and the ciphertexts which has no effect on the decryption process because orthogonality. Next, we will give a concrete process to explain how to achieve anonymity.
In this case, we cannot decide the attribute value \(\rho (x)\) in the access policy from the DDH-test even if \(v_{i,j}=\rho (x)\), where \(v_{i,j}\) is the attribute value for testing.
5 Performance Analysis
In this section, we will give a detailed analysis of the different schemes in terms of performance and efficiency in Tables 2 and 3, respectively.
As shown in Table 2, we compare these schemes [9, 22, 25, 27] with our construction in terms of revoidability, leakage-resilient and anonymity. [9, 22, 25] can support revocation, but all of them are not anonymous. In addition, [9] is not leakage-resilient. [27] cannot support revocation. However, our construction can achieve these three goals simultaneously.
Let \(\Vert \mathbb {G}\Vert , \Vert \mathbb {G}_{T}\Vert \) represent the size of the group \(\mathbb {G}\) and \(\mathbb {G}_{T}\) respectively. n is the number of attributes in universe attribute set, |S| is the number of attributes in an attribute list S, l is the number of rows in \(\varvec{A}\), \(n'\) is the maximum number of users in the system. \(\omega \) is the leakage parameter and P is the time of pairing operation.
6 Conclusions
In this paper, a leakage-resilient CP-ABE scheme is proposed, which supports direct revocation and achieves adaptive security under four static assumptions in the standard model. Additionally, we show the proposed scheme achieves the anonymity based on the dual system encryption and composite order group. The performance analyses confirm the feasibility of our scheme. However, the proposed scheme relies on the composite order group, which issues a higher computation cost than a scheme in a prime order group under the same security standard. Designing a scheme with the same properties which is based on prime order bilinear group will be our future work.
References
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473. ACM, Aarhus (2005)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334. IEEE, Berkeley (2007)
Goyal, V., Pandey, O., Sahai, A., et al.: Attribute-based encryption for fine grained access control of encrypted data. In: 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM, Alexandria (2006)
Yu, S., Wang, C., Ren, K., et al.: Attribute based data sharing with attribute revocation. In: 5th ACM Symposium on Information, Computer and Communications Security, pp. 261–270. ACM, Beijing (2010)
Liang, X., Lu, R., Lin, X., et al.: Ciphertext policy attribute based encryption with efficient revocation (2010)
Hur, J., Noh, D.K.: Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Trans. Parallel Distrib. Syst. 22(7), 1214–1221 (2011)
Zhang, Y., Chen, X., Li, J., et al.: FDR-ABE: attribute-Based encryption with flexible and direct revocation. In: 5th International Conference on Intelligent Networking and Collaborative Systems, pp. 38–45. IEEE, Xi’an (2013)
Xie, X., Ma, H., Li, J., et al.: An efficient ciphertext-policy attribute-based access control towards revocation in cloud computing. J. UCS 19(16), 2349–2367 (2013)
Naruse, T., Mohri, M., Shiraishi, Y.: Provably secure attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key for updating. Hum.-Centric Comput. Inf. Sci. 5(1), 1–13 (2015)
Kapadia, A., Tsang, P., Smith, S.M.: Attribute-based publishing with hidden credentials and hidden policies. NDSS 7, 179–192 (2007)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: 27th Annual International Conference on Advances in Cryptology, pp. 146–162. ACM, Istanbul (2008)
Nishide, T., Yoneyama, K., Ohta, K.: Attribute-based encryption with partially hidden encryptor-specified access structures. In: 6th International Conference on Applied Cryptography and Network Security, pp. 111–129. ACM, New York (2008)
Li, J., Ren, K., Zhu, B., et al.: Privacy-aware attribute-based encryption with user accountability. In: 12th International Conference on Information Security, pp. 347–362. ACM, Pisa (2009)
Han, F., Qin, J., Zhao, H., et al.: A general transformation from KP-ABE to searchable encryption. Future Gener. Comput. Syst. 30(1), 107–115 (2014)
Zhang, Y., Chen, X., Li, J., et al.: Anonymous attribute-based encryption supporting efficient decryption test. In: 8th ACM SIGSAC symposium on Information, Computer and Communications Security, pp. 511–516. ACM, Hangzhou (2013)
Chaudhari, P., Das, M.L., Mathuria, A.: On anonymous attribute based encryption. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2015. LNCS, vol. 9478, pp. 378–392. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26961-0_23
Zhang, Y., Zheng, D.: Anonymous attribute-based encryption with large universe and threshold access structures. In: IEEE International Conference on Computational Science and Engineering and IEEE International Conference on Embedded and Ubiquitous Computing, pp. 870–874. IEEE, Guangzhou (2017)
Zhang, L., Cui, Y., Mu, Y.: Improving privacy-preserving CP-ABE with hidden access policy. In: Sun, X., Pan, Z., Bertino, E. (eds.) ICCCS 2018. LNCS, vol. 11065, pp. 596–605. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00012-7_54
Zhang, L., Hu, G., Mu, Y., et al.: Hidden ciphertext policy attribute-based encryption with fast decryption for personal health record system. IEEE Access 7, 33202–33213 (2019)
Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: 8th Conference on Theory of Cryptography, pp. 70–88. ACM (2011)
Zhang, M., Shi, W., Wang, C., Chen, Z., Mu, Y.: Leakage-resilient attribute-based encryption with fast decryption: models, analysis and constructions. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 75–90. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38033-4_6
Zhang, M.: New model and construction of ABE: achieving key resilient-leakage and attribute direct-revocation. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 192–208. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_13
Wang, Z., Yiu, S.M.: Attribute-based encryption resilient to auxiliary input. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 371–390. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_21
Zhang, L., Zhang, J., Hu, Y.: Attribute-based encryption resilient to continual auxiliary leakage with constant size ciphertexts. J. China Univ. Posts Telecommun. 23(3), 18–28 (2016)
Yu, Q., Li, J.: Continuous leakage resilient ciphertext-policy attribute-based encryption supporting attribute revocation. Comput. Eng. Appl. 52(20), 29–38 (2016)
Zhang, L., Zhang, J., Mu, Y.: Novel leakage-resilient attribute-based encryption from hash proof system. Comput. J. 60(4), 541–554 (2017)
Zhang, J., Zhang, L.: Anonymous CP-ABE against side-channel attacks in cloud computing. J. Inf. Sci. Eng. 33(3), 789–805 (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Gao, X., Zhang, L., Hu, G. (2019). Anonymous Leakage-Resilient Ciphertext-Policy Attribute-Based Encryption Supporting Direct Revocation. In: Shen, B., Wang, B., Han, J., Yu, Y. (eds) Frontiers in Cyber Security. FCS 2019. Communications in Computer and Information Science, vol 1105. Springer, Singapore. https://doi.org/10.1007/978-981-15-0818-9_2
Download citation
DOI: https://doi.org/10.1007/978-981-15-0818-9_2
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0817-2
Online ISBN: 978-981-15-0818-9
eBook Packages: Computer ScienceComputer Science (R0)