1 Introduction

Nowadays, personal and sensitive informations are stored in a remote data

storage server and the same can be accessed by the users from anywhere and at
anytime. Inappropriate disclosure of such data may lead to serious problems to the
owners of the data. So, it is mandatory to keep the data secure and also to disclose
the data, only to the appropriate person. It can be accomplished by dening a secure
and ecient Access Control(AC) mechanism for these data.

Access Control Mechanism

AC mechanism will authenticate and authorize the individual persons to
access data. There are two ways to enforce the AC Mechanism. The rst one is
Server Mediated Access Control and the other is Cryptographically Enforced Access
Control. In Server Mediated Access Control, the data owner has to dene the AC
policy, which will specify who are all the eligible persons to access the data. The
server uses the AC policy to enforce the specied policy. When the user requests the
data, AC checks whether the user credentials satisfy the AC policy before they are
allowed to access the owner's data. This method is an appropriate way to protect
the data as long as the data owner fully trust the server. There are some limitations
in this method, rst of all if the server gets compromised by some Intruder, then the
Intruder can change AC policy, it may lead to inappropriate disclosure of the sensitive
1
data to others. Second, the data owner is not possible to bind the AC policy along
with the data. To overcome these limitations, recent contributions in the literature
specify that do not rely on the fully trusted server to enforce the AC policies.

Cryptographically Enforced Access Control Mechanism

In Cryptographically Enforced Access Control method the user protects his
data as follows. The user maps an AC policy to a key and the data can be encrypted
using the key such that the data becomes self-protected. After that, the user sends
his encrypted data to the server. Since the data is encrypted, every user can get
the encrypted data, however, only the eligible persons who have the right secret key
can decrypt the data. Note that under this approach the server does not obtain the
key. In Cryptographically Enforced Access Control method, encryption can be made
through Symmetric Key or Asymmetric key mode. If it is a Symmetric key encryption
and the decryption key are the same. So the key must be secret, managing those keys
is one of the challenges.
If we adapt Asymmetric Key mode or Public Key Cryptography, the encryption
key is public and is mathematically related to the decryption key which is secret. If
a user publishes the public key then anyone can run the encryption algorithm to
convert the plaintext into a ciphertext. Those who are having the decryption key
can convert the ciphertext into a plaintext. If the encryptor wants to allow the same
2
data to be accessed by n users, then the encryptor has to encrypt the same data
n times under n dierent public keys. Moreover, the encryptor needs to know the
identity of the recipients and also their public keys. PKC is not ecient to handle
more expressive type of encrypted access control mechanism. So, we prefer a more
advanced asymmetric-key encryption scheme such as Attribute-Based Encryption to
handle this situation eciently.
Attribute Based Encryption
In 2005, Sahai and Waters [59] introduced the concept of Attribute-Based
Encryption. In an ABE system, a user is identied by a set of attributes. A secret
key based on a set of attributes ω, can decrypt a ciphertext encrypted with a public
key based on a set of attributes ω , only if the sets ω and ω overlap suciently
0 0

as determined by a threshold value t. A party could encrypt and send a document

to all users who have a certain set of attributes drawn from a pre-dened attribute
universe. For example, one can encrypt and send a recruitment related document to
all recruitment committee members in the University. In this case the document would
be encrypted to the attribute subset " Head CS Dept", "Recruitment Committee" ,
"`Registrar"', and only users with all of these three attributes in the university can
hold the corresponding private keys and thus decrypt the document, while others
cannot. There are two variants of ABE: Key-Policy based ABE (KP-ABE) and
Ciphertext-Policy based ABE(CP-ABE)[5].

3
CP-ABE and KP-ABE
In CP-ABE the ciphertext is associated with AC policy, the encrypting party
determines the AC policy under which the data can be decrypted, while the secret
key is associated with a set of attributes. The secret key can decrypt a ciphertext
only if the attribute set of the secret keys satises the AC policy of the ciphertext.
For example, if the recruitment related document is encrypted with AC policy
V W
((RecruitmentCommitteeM ember Head, CSDept) (Registrar))

Attribute Authority will distribute the secret keys to the corresponding attribute
holder. The document can be decrypted by the Head of the CS department while
acting as recruitment committee member or by the Registrar of that University with
their secret keys. In KP-ABE, the ciphertext is associated with a set of attributes and
the secret key is associated with the access policy. The encryptor denes the set of
descriptive attributes necessary to decrypt the ciphertext. The trusted authority who
generates user's secret key denes the combination of attributes for which the secret
key can be used. The recruitment related document is encrypted with the attributes
"`Head CS Dept", "Recruitment Committee" , "`Registrar"'. Secret keys are created
for the access policies (RecruitmentCommitteeM ember V Head, CSDept) and Registrar.
The rst ciphertext policy ABE was proposed by Bethencourt et al. [5] uses threshold
secret sharing to enforce the policy in the encryption phase.

4
1.1 Motivation
Storing the data in an untrusted server with Cryptographically Enforced
Access Control Mechanism needs a suitable Public Key Cryptography technique. It
is evident that the Ciphertext-Policy Attribute-Based Encryption is the appropriate
technique to provide the ne grained access control over the untrusted storage server.
In CP-ABE, it is possible to send an encrypted document to many persons only with
their attributes. These advantages motivates us to construct a CP-ABE scheme to
provide a secure access control mechanism for the untrusted storage server. In the
literature, there is no CP-ABE scheme which provides anonymous access policy and
direct revocation of users in a single scheme. This motivate us to construct a CP-ABE
scheme which provides both of these features in a single scheme.
While fetching the data from the server, after satisfying the access policy,
sometimes a user may not reveal the data as well his identity to the server, such
provision will be made through OTAC protocol. In OTAC protocol, while enforcing
the access policy through Disjunctive form, the database provider should replicate
the records. This problem leads us to construct a OTAC protocol without increasing
the database size as well as with single time encryption of record. A record may
be owned by several authorities, and the authorities grant access to their records to
self-approved parties. A person wants to retrieve the record with all access grant
provided by the authorizers as well as without the database server being able to

5
learn the identity of the authorizers. This is possible through an ASPIR protocol[50].
Consider a scenario, if a user possess the access grant from few dominant owners of
the record, then the user expect to access the record with these grants. This situation
motivate us to construct an ASPIR protocol with threshold access grant facility.
1.2 Research Contributions
1. We have constructed a new CP-ABE, named as BK-CP-ABE, with a recent
secret sharing scheme LISS, which exhibits the expressive representation of the
access policy and also provably secure under the standard complexity assumption.
2. We enhanced the BK-CP-ABE scheme to a Privacy Aware CP-ABE (PA-CP-
ABE) construction that can hide the access policy, . This is possible by restricting
the access policy to possess AND operators alone and by allowing each attribute
to take multiple values.
3. The BK-CP-ABE scheme has been extended with the capability to revoke the
users in CP-ABE-UR construction. To achieve this, we assign a unique ID to
all users and the revoked users are collected in a set S. Decryption is possible
only if a user satisfy the access policy and also not a member of the revoked
set.
4. A novel CP-ABE with Hidden Access Policy and User Revocation(CP-ABE-
HAPUR) scheme that will accomplish revocation of users as well as policy

6
 hiding in a single scheme has been framed by combining the PA-CP-ABE and
CP-ABE-UR schemes.
5. We have constructed a Oblivious Transfer Attribute Based Access Control(OT-
ABAC) protocol by using the BK-CP-ABE scheme, in which the access policy
can be expressed in Disjunctive form without duplication of records.
6. We build the BK-ASPIR protocol with BK-CP-ABE scheme to allow a receiver
to retrieve a record if he has authorizations from k-out-of n owners of the record.
1.3 Roadmap of the Thesis
The organization of the Thesis is as follows.
In Chapter 2, we present relevant background material and technical preliminaries
pertaining to this Thesis. In particular, we give a brief introduction to relevant
notions from mathematics and complexity theory. We also review the Linear Integer
Secret Sharing Scheme as well as Linear Secret Sharing Scheme. Finally we formalize
Ciphertext-Policy Attribute-Based Encryption, Oblivious Transfer, Proof of Knowledge
and SPIR protocols.
Chapter 3 proposes a new CP-ABE scheme namely BK-CP-ABE based on a
Linear Integer Secret Sharing method. To achieve this we describe the denitions
and security model for the BK-CP-ABE scheme. Subsequently we presents our
construction of BK-CP-ABE, and provide security analysis of the new under Decisional
7
Bilinear Die-Hellman assumption. Finally, we discuss the implementation details ,
eciency analysis and also we list out the applications of BK-CP-ABE scheme.
In Chapter 4, we present a Privacy Aware CP-ABE scheme with hidden access
policy capability. We describe the denition and the security model of the Privacy
Aware CP-ABE scheme and then we construct this scheme and provide the security
analysis.We made the comparative analysis of this scheme with the other existing
scheme.
Chapter 5 proposes a CP-ABE-UR scheme with user revocation support. We
describe the structure of the scheme and the security model of the scheme in the
subsequent section. Next, we present the main construction of CP-ABE-UR and also
provide the security proof for this construction.
In Chapter 6, we present a new scheme CP-ABE-HAPUR, which has the
hidden access policy capability and user revocation ability in a single scheme. Next
we describe the denition of this scheme as well as the security model for the CP-
ABE-HAPUR scheme. Subsequently we propose the detail of construction of the
CP-ABE-HAPUR scheme with the necessary security analysis.
In Chapter 7, we present a OTAC construction with our BK- CP-ABE scheme,
named as OT-ABAC. We dene the structure of OT-ABAC and also the security
model for this new scheme. Next,we present the OT-ABAC construction followed by

8
the security and eciency analysis.
In Chapter 8, we propose a ASPIR protocol with our BK-CP-ABE scheme,
named as BK-ASPIR. We describe the algorithm and the security model for BK-
ASPIR scheme. We propose the BK-ASPIR construction with security and eciency
analysis.
Chapter 9 concludes this Thesis and presents several directions for future
work.