
Wireless Netw (2011) 17:1235–1249

DOI 10.1007/s11276-011-0345-8

Fine-grained data access control for distributed sensor networks


Junbeom Hur

Published online: 24 April 2011


© Springer Science+Business Media, LLC 2011

Abstract Distributed sensor networks are becoming a robust solution that allows users to directly access data generated by individual sensors. In many practical scenarios, fine-grained access control is a pivotal security requirement to enhance usability and protect sensitive sensor information from unauthorized access. Recently, many schemes have been proposed to adapt public key cryptosystems to sensor systems consisting of high-end sensor nodes in order to enforce security policy efficiently. However, the drawback of these approaches is that the computational complexity increases linearly with the expressiveness of the access policy. Key-policy attribute-based encryption is a promising cryptographic solution to enforce fine-grained access policies on the sensor data. However, applying it to distributed sensor networks introduces several challenges with regard to attribute and user revocation. In this paper, we propose an access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. These capabilities are achieved by a proxy encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution. The analysis results indicate that the proposed scheme achieves efficient user access control while requiring the same computation overhead at each sensor as the previous schemes.

Keywords Distributed sensor networks · Attribute-based encryption · Revocation · Access control

J. Hur (✉)
Department of Computer Science, University of Illinois at Urbana-Champaign, 201 N. Goodwin Ave., Urbana, IL 61801, USA
e-mail: nsd0923@gmail.com

1 Introduction

Wireless sensor networks and sensor systems have been areas of great interest in various fields in recent years [1]. Sensor systems and networks suggest a promising solution to collect data from target areas and exploit them efficiently in many applications such as building automation systems, e-healthcare, battlefield, and so on. In general, sensor systems consist of a lot of sensor nodes deployed in terrains of interest with the aim of sensing the environment. They can be connected to each other through wireless networks and perform in-network processing on the sensing data to enhance efficiency or save energy. From a data-centric point of view, one of the most challenging issues in sensor systems is how to store the large amount of highly sensitive sensing data and control the access to them from inside or outside users [2–4].

Data storage and access architectures in data-centric sensor systems or networks are mainly classified into two approaches [2]: centralized and distributed. In centralized approaches, sensing data collected from individual sensor nodes are transmitted to a centralized base station using some routing protocol (sometimes through in-network aggregation or computation for cost saving) [5–7]. Then, the centralized base station, sometimes called a sink, stores the data and locks them under some access policy of its own. On the other hand, in distributed approaches, each sensor node stores collected sensing data locally [3], or stores them at some designated nodes in the system [4] instead of forwarding them to the centralized base station. Then, the data can be accessed directly by users in the system in a distributed way. The distributed system has advantages in several aspects compared to the centralized approach. First, it suggests more robust and fault-tolerant mechanisms which mitigate the single point of failure problem in the system.

Second, it eliminates the communication cost (which is the most battery-consuming operation in a sensor system) that is required to transmit generated data to the central base station. This implies that the distributed sensor system is more energy-efficient. In addition, the recent advances in manufacturing energy-efficient storage and high-end sensor devices such as iMote2 accelerate the employment of distributed sensor systems in modern applications [8].

As the sensing data is stored and managed in a distributed way, access control to the data in distributed sensor systems is more complicated than in centralized sensor systems, where a trusted central server has the whole privilege of defining and enforcing the access policy on the collected sensing data. In many practical applications, such as e-healthcare or battlefield, it is desirable to provide differentiated access services such that data access policies are defined over user attributes or roles. For example, some sensitive data such as personal health records generated from sensors of a patient should be accessed only by a "surgeon at A hospital" or an "anesthesiologist at B hospital" who is authorized to access the data, for security and privacy. The distributed sensor systems challenge the approaches of conventional access control architectures such as an access control list (ACL), where access rights are granted to users only if they are in the list. However, these schemes are vulnerable to a physical node compromise attack and lack scalability. In order to realize fine-grained access control in distributed sensor systems, cryptographic approaches could be more efficient and secure solutions than conventional approaches.

Cryptographic approaches reduce the risk of loss of confidential information deriving from low-level access to the sensor devices. Indeed, the advantages of the use of cryptography for stored data increase as the size of the data grows and the data are distributed in different trust domains [9]. Recently proposed access control models, such as attribute-based access control, define access control policies based on different attributes of the requester, the environment, or the data object. In addition, the current trend of storage and access in distributed sensor systems requires increased protection of data, including access control methods that are cryptographically enforced [3, 10].

The concept of attribute-based encryption (ABE) is a promising approach that fulfills fine-grained access control [11–14]. ABE features a mechanism that enables access control over encrypted data using access policies and ascribed attributes among private keys and ciphertexts. Especially, key-policy ABE (KP-ABE) provides a scalable way of encrypting data in sensor systems. In KP-ABE, user secret keys are associated with an access structure that specifies which type of ciphertexts the key can decrypt [12]. A user can decrypt a ciphertext if and only if the attributes associated with the ciphertext satisfy the access structure embedded in the key. Thus, different users are allowed to decrypt different pieces of data per the security policy. Especially in sensor systems, it is very easy to specify each sensor and its data through a set of attributes, such as event type, sensor owner, sensing time, value, and so forth. This is a desirable property in sensor systems since each sensor can encrypt data with predefined attributes without any exact a priori knowledge of the set of receivers who might join the system in the future. Recently, Yu et al. [3] demonstrated that ABE can be embedded successfully in current high-end sensor devices such as iMote2 in consideration of cryptographic computation and communication costs.

However, applying ABE to the distributed sensor architecture introduces several challenges with regard to attribute and user revocation. Revocation is one of the important and open issues in public key cryptography, including ABE. Since some users may change their associated attributes at some point, or some private keys might be compromised, key revocation (or update) for each attribute is necessary in order to make sensor systems using ABE as a cryptographic primitive secure. However, this issue is even more difficult in ABE-based systems, since each attribute is conceivably shared by multiple users (henceforth, we refer to such a collection of users as an attribute group). This implies that revocation of any attribute or of any single user in an attribute group would affect the other users in the group. It may result in a bottleneck during the rekeying procedure, or security degradation in the system.

1.1 Related work

ABE was introduced in [11] in the context of a generalization of ID-based encryption called Fuzzy IBE. ABE comes in two flavors called key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, attributes are used to describe the encrypted data and policies are built into users' keys; while in CP-ABE, the attributes are used to describe a user's credentials, and an encryptor determines a policy on who can decrypt the data.

Among the two approaches, KP-ABE seems more appropriate to the data storage architecture in distributed sensor systems. In ABE algorithms, the computation and communication costs increase linearly with the number of attributes. While KP-ABE can specify each sensor node and its data via a small number of attributes, CP-ABE requires sensor nodes to define a complicated access structure consisting of a large number of attributes (for expressiveness) and to maintain it. Thus, CP-ABE may burden sensor nodes with more computation and storage overhead than KP-ABE.

1.1.1 Attribute revocation

In the CP-ABE setting, Bethencourt et al. [13] suggested a first key revocation mechanism. Their solution is to append to each attribute an expiration date (or time) and distribute a new set of keys to valid users after the expiration. Boldyreva et al. [15] also recently proposed a revocable KP-ABE scheme. This scheme enables key revocation by encrypting the message to the attribute set with its validation time. Thus, the key authority periodically announces the key updating material at each time slot so that only non-revoked users can update their attribute keys.

These attribute-revocable ABE schemes [13, 15, 16] have a security degradation problem in terms of backward and forward secrecy [17]. They realize revocation by revoking the attribute itself using a timed rekeying mechanism, which is implemented by setting an expiration time on each attribute. We call this coarse-grained revocation because immediate rekeying on any membership change is not possible. An attribute is supposed to be shared by a group of users in ABE systems by nature. Then, it is a plausible scenario that membership may change frequently in the group that shares an attribute, e.g., a position move or promotion/resignation in a department of a company, or new registration for or dropping of some courses in a university. Then, a new employee or a new student might be able to access the previous data encrypted before his joining until the data is re-encrypted with the newly updated attribute keys by periodic rekeying (backward secrecy). On the other hand, a revoked user would still be able to access the encrypted data even if he does not hold the attribute any more, until the next expiration time (forward secrecy). Such an uncontrolled period is called the window of vulnerability [18].

1.1.2 User revocation

The importance of user revocation has been recognized in recent ABE-based systems. Several user revocation mechanisms have been proposed [14, 19]; however, they have a limitation with regard to availability. This is related to the granularity of the user access control: attribute-level or system-level revocation. When a user is revoked even from a single attribute group in the previous schemes [14, 19], he loses all access rights to the data sharing system, which is not a desirable requirement in many pragmatic scenarios. For example, a user with attributes {"faculty", "computer science department", "A university"} may still need to access the contents encrypted under the access policy "faculty AND A university", even if he moves to another department in the same university. However, the previous schemes realized user revocation on the system level, which means that when a user is revoked even from a single attribute group, he is destined to be revoked from the whole system. Such a scenario is not as desirable as attribute-level user access control in many practical sensor system scenarios, although they realized immediate user revocation.

Recently, Yu et al. [3] suggested another system-level user-revocable ABE scheme in distributed wireless sensor networks. In this scheme, access control to the sensing data is enforced by KP-ABE. User revocation is realized by sending updated ciphertext components to valid users, excluding revoked ones, with a CP-ABE algorithm. However, the authors did not address how to build such a combined cryptosystem between KP-ABE and CP-ABE in an efficient way. A user is required to store the access structure and a comparably large number of secret keys associated with the structure (for data decryption in the KP-ABE setting). Additionally, in order to revoke a user with CP-ABE, users also need to keep additional attribute keys whose size varies with their associated attributes (in the CP-ABE setting). Even worse, because ABE alone is not suitable for fine-grained user revocation as we mentioned above, CP-ABE for distributing rekeying materials to valid users would be an inefficient solution in sensor systems [3]. Thus, we argue that it is still a very pivotal open problem to design scalable and fine-grained access control with efficient user revocation in distributed sensor systems, and this is the problem we will attempt to solve in this study.

1.2 Contribution

In this study, we propose an attribute-based data access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. We assume that sensing data are stored at a designated node, called a data aggregator, using some distributed sensor data collection protocol such as TTDD [4], instead of storing them locally at each sensor node [3]. A data aggregator is more powerful than ordinary sensor nodes and can move in the field of interest where sensor nodes are deployed and collect data from individual sensor nodes. This architecture suggests a practical approach in many applications in that it is more convenient for users to access a few designated nodes than a lot of distributed sensor nodes individually. Each sensor node is not required to trust the data aggregator to keep private data secret. The proposed scheme achieves fine-grained user access control by exploiting a stateless group key management mechanism in each attribute group. It has the following advantages with regard to security and scalability compared to the previous revocable schemes.

First, enabling user access control enhances the backward/forward secrecy of sensor data on any membership

changes in attribute groups. Second, user access control can be done at each attribute level rather than at the system level, so that more fine-grained user access control is possible. In practical scenarios, users may miss many key update messages, so that they sometimes cannot keep their key states up-to-date. This is called the stateless receiver problem. In the proposed scheme, rekeying in the attribute group is done with a stateless group key distribution mechanism using a binary tree. This alleviates the scalability problem and also resolves the stateless receiver problem. Third, sensor nodes need not be concerned about any access policy for users, but just need to specify the attributes associated with their sensing data. The membership management for each user can be done by the semi-trusted data aggregator in distributed sensor systems. The proposed scheme enables the system controller to delegate the most laborious tasks of user revocation to the data aggregator without leaking any confidential information to it.

1.3 Organization

The remainder of the paper is organized as follows. Section 2 reviews the cryptographic background and defines KP-ABE with user revocation. Section 3 describes the distributed sensor data architecture. In Sect. 4, we propose a fine-grained KP-ABE scheme with user access control capability for secure distributed sensor systems. We analyze the efficiency and security of the proposed scheme in Sects. 5 and 6, respectively. In Sect. 7, we conclude our paper.

2 Preliminaries and definition

2.1 Cryptographic background

We first provide a formal definition of an access structure, recapitulating the definition in [12, 13]. Then we briefly review the necessary facts about the bilinear map and its security assumption.

2.1.1 Access structure

Definition 1 (Access Structure) Let $\{P_1, P_2, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotone if $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\{P_1, P_2, \ldots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In the proposed scheme, the role of the parties is taken by the attributes. Thus, the access structure $\mathbb{A}$ will contain the authorized sets of attributes. From now on, by an access structure we mean a monotone access structure.

2.1.2 Bilinear pairings

Let $G_1$, $G_2$, and $G_T$ be three cyclic groups of prime order $p$. A bilinear map $e$ is a map $e : G_1 \times G_2 \to G_T$ with the following properties.

1. Bilinearity: For all $g_1 \in G_1$, $g_2 \in G_2$, and $a, b \in \mathbb{Z}_p$, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.
2. Non-degeneracy: $e(g_1, g_2) \neq 1$.
3. Computability: There is an efficient algorithm to compute $e(g_1, g_2)$ for any $g_1 \in G_1$ and $g_2 \in G_2$.

Like many pairing-based cryptographic protocols, our protocol uses a special form of bilinear map called a symmetric pairing, where $G_1 = G_2$. In the rest of the paper, all bilinear pairings are symmetric, and we denote $G_1 = G_2$ by $G$.

2.1.3 Bilinear Diffie-Hellman assumption

Using the above notation, the Bilinear Diffie-Hellman (BDH) problem is to compute $e(g, g)^{abc} \in G_T$ given a generator $g$ of $G$ and elements $g^a, g^b, g^c$ for $a, b, c \in \mathbb{Z}_p$. An equivalent formulation of the BDH problem is to compute $e(A, B)^c$ given a generator $g$ of $G$ and elements $A$, $B$ and $g^c$ in $G$. An algorithm $\mathcal{A}$ has advantage $\epsilon(\kappa)$ in solving the BDH problem for a bilinear map group $\langle p, G, G_T, e \rangle$, where $\kappa$ is the security parameter (the bit length of $p$), if

$$\Pr\left[\mathcal{A}(p, G, G_T, A, B, g^c) = e(A, B)^c\right] \ge \epsilon(\kappa).$$

If for every polynomial-time algorithm (in the security parameter $\kappa$) to solve the BDH problem on $\langle p, G, G_T, e \rangle$ the advantage $\epsilon(\kappa)$ is a negligible function, then $\langle p, G, G_T, e \rangle$ is said to satisfy the BDH assumption.

2.2 Definitions

Let $\mathcal{U} = \{u_1, \ldots, u_n\}$ be the universe of users. Let $\mathcal{L} = \{\lambda_1, \ldots, \lambda_p\}$ be the universe of descriptive attributes in the system. Let $G_i \subseteq \mathcal{U}$ be the set of users that hold the attribute $\lambda_i$, which is referred to as an attribute group. $G_i$ will be used as a user access (or revocation) list for $\lambda_i$. Let $\mathcal{G} = \{G_1, \ldots, G_p\}$ be the universe of such attribute groups. Let $K_{\lambda_i}$ be the attribute group key that is shared among the non-revoked users in $G_i \in \mathcal{G}$. The attribute group key is generated by the data aggregator. It is used to prevent revoked users from accessing sensor data. Thus, when a membership change occurs in any attribute group, the data aggregator will update it and re-encrypt the data with the updated group key such that only the non-revoked users in the group can decrypt it.

2.2.1 Key-policy attribute-based encryption with user revocation

In this section, we define the KP-ABE with user revocation capability scheme. The scheme consists of the following six algorithms: Setup, AttrKeyGen, KEKGen, Encrypt, ReEncrypt, and Decrypt.

Setup: The setup algorithm is a randomized algorithm that takes no input other than the implicit security parameter. It outputs the public key $PK$ and a master key $MK$.

AttrKeyGen($MK$, $\mathbb{A}$, $U$): The attribute key generation algorithm takes as input the master key $MK$, an access structure $\mathbb{A}$ over the universe of attributes, and a set of user indices $U \subseteq \mathcal{U}$. It outputs a set of private attribute keys $SK$ for the users in $U$.

KEKGen($U$): The key encrypting key (KEK) generation algorithm takes as input a set of user indices $U \subseteq \mathcal{U}$, and outputs KEKs for each user in $U$, which will be used to encrypt the attribute group keys $K_{\lambda_i}$ for all $G_i \in \mathcal{G}$.

Encrypt($PK$, $M$, $\mathcal{K}$): The encryption algorithm is a randomized algorithm that takes as input the public parameter $PK$, a message $M$, and a set of attributes $\mathcal{K} \subseteq \mathcal{L}$. It outputs a ciphertext $CT$.

ReEncrypt($CT$, $G$): The re-encryption algorithm is a randomized algorithm that takes as input the ciphertext $CT$ and a set of attribute groups $G$. If the attributes in $G$ appear in $CT$, it re-encrypts $CT$ for those attributes; else, it returns $\perp$. Specifically, it outputs a re-encrypted ciphertext $CT'$ such that only a user whose access structure is satisfied by the set of attributes in $CT$ and who at the same time has a valid membership in each attribute group will be able to decrypt the message.

Decrypt($CT'$, $SK$, $K_{\mathcal{K}}$): The decryption algorithm takes as input the ciphertext $CT'$ encrypted under a set of attributes $\mathcal{K}$, a private key $SK$ which contains an access structure $\mathbb{A}$, and a set of attribute group keys $K_{\mathcal{K}}$. Decryption succeeds iff $\mathcal{K}$ satisfies $\mathbb{A}$ and $K_{\mathcal{K}}$ is not revoked for any $\lambda \in \mathcal{K}$.

3 Distributed sensor data architecture

In this section, we describe the system architecture and define the security model.

3.1 System description and assumptions

Figure 1 shows the architecture of the distributed sensor system. As shown in Fig. 1, the architecture consists of the following system entities:

Fig. 1 Architecture of the distributed sensor system

1. System controller: It is a key authority that generates the public and secret parameters for the system. It is in charge of issuing, revoking, and updating attribute keys for users. It defines an access policy for each user and embeds it into the user's secret key. Thus, it grants differential access rights to individual users based on their access policies. It is the only party that is fully trusted by all entities participating in the distributed sensor system.
2. Sensor: Sensor nodes collect specific types of data in the deployed area, which can be specified through a set of predefined attributes. For example, in e-healthcare systems, the attributes could be owner, data type, department, primary doctor, and so forth. Each sensor node is responsible for encrypting the data under its (pre-defined) associated attributes before storing it at the data aggregator. In this paper, we assume sensor nodes are high-end devices such as iMote2 with greater processing capability and larger memory than conventional sensor nodes.
3. User: This is an entity who wants to access the sensing data. If the set of attributes in the ciphertext satisfies the access policy in his secret key, and he is not revoked in any of his associated attribute groups, then he will be able to decrypt the ciphertext and obtain the sensor data.
4. Data aggregator: It is a mobile entity that collects data from each sensor node and stores them. In the proposed scheme, we assume that there is a single data aggregator for simplicity, but it can easily be extended to a multiple data aggregator environment in the distributed sensor system [4]. The data aggregator has unlimited processing and memory capability and is in charge of controlling the access from outside users to the stored data. Similar to the previous architectures [20–22], we assume the data aggregator to be honest-but-curious. That is, it will honestly execute the tasks assigned by legitimate parties in the system. However, it would like to learn as much information about the encrypted contents as possible.

3.2 Threat model and security requirements

1. Data confidentiality: An unauthorized user whose access policy is not satisfied by the attributes associated with a ciphertext should be prevented from accessing the plaintext of the data. In addition, unauthorized access by the honest-but-curious data aggregator to the plaintext of the encrypted data that it stores should also be prevented. This also implies security against a data aggregator compromise attack.
2. Collusion-resistance: If multiple users collude, they may be able to decrypt a ciphertext by combining their attribute keys even if each of them cannot decrypt the ciphertext alone. For example, suppose there exist a user with an access policy {"staff" AND "A hospital"}, and another user with an access policy {"doctor" AND "B hospital"}. They may succeed in decrypting a ciphertext encrypted under the attributes {"doctor", "A hospital"}, even if each of them cannot decrypt it individually. We do not want these colluders to be able to decrypt the secret personal health records of patients by combining their attribute keys. Since we assume the data aggregator is honest, we do not consider active attacks from it by colluding with revoked users as in [20, 21].
3. Backward and forward secrecy: In the context of attribute-based encryption, backward secrecy means that any user who comes to hold an attribute key should be prevented from accessing the plaintext of the previous data exchanged before he holds it. On the other hand, forward secrecy means that any user who drops an attribute key should be prevented from accessing the plaintext of the subsequent data exchanged after he drops it, unless the other attributes in the ciphertext satisfy the access policy in his key.

3.3 Trust and key management model

Given the security requirements discussed above, the proposed scheme bases its design on the following trust and key management model.

In the trust and key management model, there are mainly two key managers: the system controller and the data aggregator. While the system controller is fully trusted by all entities in the system, the data aggregator is semi-trusted (that is, honest-but-curious), so it should be prevented from accessing the plaintext of the stored data even if it is honest. One simple way to realize user access control in the distributed sensor system is to introduce additional user-level access control parameters as well as the ABE parameters, and grant all credentials for managing them to a single manager such as the data aggregator. This approach has the effect of combining the abilities of attribute-level and user-level access control mechanisms. However, it raises the trusting third party problem [23], which states that the confidentiality of communications is totally dependent on the trustworthiness of the data aggregator. This violates the trust assumption and security requirement discussed above.

Hence, we propose a proxy encryption algorithm following the least privilege principle [24]. It divides the privileges of enforcing user access control and attribute-based access control. More specifically, by introducing attribute group keys (which are for user access control) for each attribute group and giving the ability to manage them to the data aggregator, user-level access control can be achieved throughout the whole system together with the existing ABE mechanism managed by the system controller. The system controller is responsible for managing attribute-related keys to enforce the attribute-based access policy on the encrypted data. On the other hand, the data aggregator manages the group keys for each attribute group on the basis of the membership information received from the system controller. Therefore, we can say that the system controller is in charge of enforcing attribute-level access control, while the data aggregator is in charge of enforcing user-level access control. Only users who obtain all credentials (attribute keys and the corresponding attribute group keys) from both key managers can decrypt the sensing data successfully.

4 Attribute-based access control with efficient revocation

In this section, we provide the construction of our scheme. The proposed scheme adapts a proxy encryption approach to overcome the user access control problem in ABE-based sensor systems. When a sensor transmits its data to the data aggregator, the sensor node is urged to encrypt the data under its pre-defined attributes using the KP-ABE algorithm. Then, the data aggregator re-encrypts the ciphertext with the attribute group keys for each attribute in the ciphertext. To deal with the stateless receiver problem, the attribute group keys are delivered only to the valid users, in a stateless way.

To handle fine-grained user revocation, the data aggregator must obtain the access control list (or revocation list) for each attribute group, since otherwise revocation cannot take effect at all. This setting, where the data aggregator knows the revocation list, does not violate the security requirements, because it is only allowed to re-encrypt the stored ciphertexts and can by no means obtain any information about the attribute keys. Compared to the previous work, our solution places minimal load on
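The two-manager split of Sects. 3.3 and 4 is easiest to see in a small executable model. The following Python is an added example, not code from the paper: the sensor's KP-ABE ciphertext is treated as opaque bytes the aggregator cannot read, the attribute group keys $K_{\lambda_i}$ are random 32-byte keys, and the aggregator's re-encryption is modelled as one XOR keystream layer per attribute (an HMAC-SHA256 keystream, a constructed stand-in for a real cipher, chosen because XOR layers commute, so a single attribute's layer can be replaced on revocation). The membership lists, the users u1, u2, u3 with attribute sets taken from the Sect. 4.2.2 example, and the ciphertext labelled {l1, l3} are all constructed; the stateless KEK-tree delivery is abstracted to a lookup of the groups a user currently belongs to.

```python
# Added example (not the paper's code): toy model of the attribute-group-key
# layer that the honest-but-curious data aggregator adds on top of the sensor's
# KP-ABE ciphertext.  The KP-ABE ciphertext is opaque bytes here; the group-key
# layer is a per-attribute XOR stream derived with HMAC-SHA256 (constructed
# stand-in for a real cipher, not an authenticated scheme).
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def attribute_groups(user_attrs: dict) -> dict:
    """G_i = users holding attribute lambda_i, derived from each user's attribute
    set (the membership information the system controller hands to the aggregator)."""
    groups = {}
    for user, attrs in user_attrs.items():
        for a in attrs:
            groups.setdefault(a, set()).add(user)
    return groups


class DataAggregator:
    """Holds membership lists and group keys K_lambda only; never the KP-ABE
    master key or any user's attribute keys (least-privilege split of Sect. 3.3)."""

    def __init__(self, groups: dict):
        self.groups = {a: set(m) for a, m in groups.items()}
        self.group_keys = {a: secrets.token_bytes(32) for a in self.groups}
        self.store = []  # re-encrypted ciphertexts CT'

    def reencrypt(self, attrs, abe_ct: bytes):
        """ReEncrypt(CT, G): one layer per attribute of CT; None stands for bottom."""
        if any(a not in self.group_keys for a in attrs):
            return None
        ct = {"attrs": tuple(attrs), "nonces": {}, "body": abe_ct}
        for a in attrs:
            ct["nonces"][a] = secrets.token_bytes(NONCE_LEN)
            ct["body"] = _xor(ct["body"], _keystream(self.group_keys[a], ct["nonces"][a], len(abe_ct)))
        self.store.append(ct)
        return ct

    def deliver_keys(self, user) -> dict:
        """Group keys for the groups the user is currently a member of."""
        return {a: k for a, k in self.group_keys.items() if user in self.groups[a]}

    def revoke(self, user, attr):
        """Membership change in G_attr: fresh K_attr, then re-encrypt every stored
        ciphertext carrying attr so that the revoked user's old key is useless."""
        self.groups[attr].discard(user)
        old, new = self.group_keys[attr], secrets.token_bytes(32)
        self.group_keys[attr] = new
        for ct in self.store:
            if attr in ct["attrs"]:
                n = len(ct["body"])
                ct["body"] = _xor(ct["body"], _keystream(old, ct["nonces"][attr], n))  # peel old layer
                ct["nonces"][attr] = secrets.token_bytes(NONCE_LEN)
                ct["body"] = _xor(ct["body"], _keystream(new, ct["nonces"][attr], n))  # add new layer


def peel_group_layers(ct: dict, user_keys: dict):
    """User side of Decrypt: strip the group-key layers.  Returns the inner
    KP-ABE ciphertext, or None if a key for any attribute in CT' is missing."""
    if any(a not in user_keys for a in ct["attrs"]):
        return None
    body = ct["body"]
    for a in ct["attrs"]:
        body = _xor(body, _keystream(user_keys[a], ct["nonces"][a], len(body)))
    return body


def revocation_demo() -> dict:
    """Constructed scenario: u1:{l1,l2,l3}, u2:{l2,l3}, u3:{l1,l3}; data labelled {l1,l3}."""
    membership = {"u1": {"l1", "l2", "l3"}, "u2": {"l2", "l3"}, "u3": {"l1", "l3"}}
    agg = DataAggregator(attribute_groups(membership))
    abe_ct = secrets.token_bytes(48)          # opaque KP-ABE ciphertext from a sensor
    ct = agg.reencrypt(("l1", "l3"), abe_ct)
    keys_u3_before = agg.deliver_keys("u3")   # u3 fetches keys while still in G1
    before = {u: peel_group_layers(ct, agg.deliver_keys(u)) == abe_ct for u in membership}
    agg.revoke("u3", "l1")                    # u3 leaves G1: rekey + re-encrypt
    after = {u: peel_group_layers(ct, agg.deliver_keys(u)) == abe_ct for u in membership}
    stale = peel_group_layers(ct, keys_u3_before) == abe_ct
    return {"before": before, "after": after, "stale_keys_work": stale}
```

The checks that matter are in `revocation_demo`: u2, who never held $\lambda_1$, gets $\perp$ from the start; after u3 is revoked from $G_1$ the aggregator draws a fresh $K_{\lambda_1}$ and re-encrypts the stored ciphertext, so the keys u3 fetched earlier no longer peel the layers, while u1 is unaffected. At no point does the aggregator need the inner KP-ABE ciphertext in the clear, which is the least-privilege split the section argues for.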

the system controller, since most of the laborious tasks are delegated to the data aggregator.

Instead of building a new KP-ABE scheme from scratch, we develop a variation of the KP-ABE algorithm partially based on, but not limited to, Goyal et al.'s construction [12] in order to enhance the expressiveness of the access control policy in the system. The proposed scheme modifies its key generation procedure for our purpose. The proposed scheme is then built on this new KP-ABE variation by further integrating it into the re-encryption protocol.

4.1 Access tree

Since the proposed access control scheme is designed on the basis of KP-ABE, ciphertexts are labeled with a set of descriptive attributes. Private keys are identified by an access tree structure. For example, in a battlefield, the sensor data can be encrypted under a set of attributes such as location, data type, owner, and so on. Then, we may designate the access structure of a user as {(location = DMZ) AND (data type = vibration OR smoke) AND (owned by at least two of the following: colonel, communication officer, scout)}.

4.1.1 Description

Let $\mathcal{T}$ be a tree representing an access structure. Each non-leaf node of the tree represents a threshold gate. If $num_x$ is the number of children of a node $x$ and $k_x$ is its threshold value, then $0 < k_x \le num_x$. Each leaf node $x$ is described by an attribute and a threshold value $k_x = 1$. $\lambda_x$ denotes the attribute associated with the leaf node $x$, and $p(x)$ represents the parent of the node $x$ in the tree. The children of every node are numbered from 1 to $num$. The function $index(x)$ returns the number associated with the node $x$. The index values are uniquely assigned to the nodes in the access structure for a given key in an arbitrary manner.

4.1.2 Satisfying an access tree

Let $\mathcal{T}_x$ be the subtree of $\mathcal{T}$ rooted at the node $x$. If a set of attributes $\gamma$ satisfies the access tree $\mathcal{T}_x$, we denote it as $\mathcal{T}_x(\gamma) = 1$. We compute $\mathcal{T}_x(\gamma)$ recursively as follows. If $x$ is a non-leaf node, evaluate $\mathcal{T}_{x'}(\gamma)$ for all children $x'$ of node $x$; $\mathcal{T}_x(\gamma)$ returns 1 iff at least $k_x$ children return 1. If $x$ is a leaf node, then $\mathcal{T}_x(\gamma)$ returns 1 iff $\lambda_x \in \gamma$.

4.2 Scheme construction

The Lagrange coefficient $\Delta_{i,K}$ for any $i \in \mathbb{Z}_p$ and a set $K$ of elements in $\mathbb{Z}_p$ is defined as

$$\Delta_{i,K}(x) = \prod_{j \in K,\, j \neq i} \frac{x - j}{i - j}.$$

4.2.1 System setup

At the initial system setup phase, the system controller runs the Setup algorithm. It chooses a bilinear group $G$ of order $p$ with generator $g$. Then, it chooses a random $t_i \in \mathbb{Z}_p$ for each attribute $\lambda_i \in \mathcal{L}$, and also chooses a random $y \in \mathbb{Z}_p$. The public parameters $PK$ are

$$\left(G,\; g,\; Y = e(g, g)^y,\; T_1 = g^{t_1},\; \ldots,\; T_{|\mathcal{L}|} = g^{t_{|\mathcal{L}|}}\right)$$

and the master key $MK$ is $(t_1, \ldots, t_{|\mathcal{L}|}, y)$.

4.2.2 Key generation

The key generation phase consists of the attribute key generation by the system controller and the KEK generation by the data aggregator.

Attribute Key Generation. After setting up the system public and secret parameters, the system controller defines the tree access structure $\mathcal{T}$ over the universe of attributes $\mathcal{L}$, and generates attribute keys for a set of users $U$ by running the AttrKeyGen($MK$, $\mathcal{T}$, $U$) algorithm.

The algorithm chooses a polynomial $q_x$ for each node $x$ in the tree $\mathcal{T}$. These polynomials are chosen in a top-down manner, starting from the root node $r$. For each node $x$ in the tree, the algorithm sets the degree $d_x$ of the polynomial $q_x$ as $d_x = k_x - 1$, where $k_x$ is the threshold value of that node. For the root node $r$, it sets $q_r(0) = y$ and chooses $d_r$ other points of the polynomial $q_r$ randomly to define it completely. For any other node $x$, it sets $q_x(0) = q_{p(x)}(index(x))$ and chooses $d_x$ other points randomly to completely define $q_x$.

Then, it gives the following secret value to the user $u_t \in U$, with one component for each leaf node $x$ to which the attribute $\lambda_i$ is assigned:

$$SK_t = \left\{ D_x = g^{q_x(0)/t_i} \right\}_{x \in \mathcal{T}}.$$

The system controller gives the attribute groups $G_j$ for each $\lambda_j \in \mathcal{T}$ to the data aggregator. For example, if $u_1, u_2, u_3$ are associated with $\{\lambda_1, \lambda_2, \lambda_3\}$, $\{\lambda_2, \lambda_3\}$, $\{\lambda_1, \lambda_3\}$ respectively, the system controller gives $G_1 = \{u_1, u_3\}$, $G_2 = \{u_1, u_2\}$, $G_3 = \{u_1, u_2, u_3\}$ to the data aggregator.

KEK Generation. Next, the data aggregator runs KEKGen($U$) and generates KEKs for the users in $U$. First, the data aggregator sets up a binary KEK tree for the universe of users $\mathcal{U}$ as in Fig. 2, which will be used to distribute the attribute group keys to users in $U \subseteq \mathcal{U}$. Each node $v_j$ of the tree
Let G be a bilinear group of prime order p, and let g be a holds a KEK, denoted by KEKj. A user is represented by a
generator of G: Let e : G  G ! GT denote the bilinear leaf, and each user maintains the KEKs on the path nodes
map. A security parameter, j, will determine the size of the from its leaf to the root. These are called path keys. For
groups. We will also make use of Lagrange coefficients instance, u2 stores KEK9, KEK4, KEK2, and KEK1 as its

123
1242 Wireless Netw (2011) 17:1235–1249

path keys $PK_2$ in Fig. 2. For $u_t \in U$, $PK_t$ denotes the set of the path keys of $u_t$.

The KEK tree is constructed by the data aggregator as follows:

1. Every member in $U$ is assigned to a leaf node of the tree. Random keys are generated and assigned to each leaf node and internal node.
2. Each member $u_t \in U$ receives the path keys $PK_t$ securely.

Then, the path keys will be used as KEKs to encrypt the attribute group keys by the data aggregator in the data re-encryption phase. The key assignment in this method is information theoretic, that is, keys are assigned randomly and independently of each other.

Fig. 2 KEK tree for attribute group key distribution

4.2.3 Data encryption

When a sensor node transmits its sensing data $M$ to the data aggregator, it encrypts the data under its associated set of attributes $K$ by running the Encrypt($PK$, $M$, $K$) algorithm. The algorithm enforces attribute-based access control on the sensing data.

The algorithm chooses a random $s \in \mathbb{Z}_p$ and constructs a ciphertext as:
\[
CT = \big( K,\ MY^s,\ \{E_i = T_i^s\}_{k_i \in K} \big).
\]
After the construction of $CT$, the sensor node transmits it to the data aggregator.

It is important to note that the message $M$ could be a symmetric key, for example an AES key, that will be used to encrypt the sensing data. This key encryption mechanism (KEM) is capable of reducing the computation overhead by replacing several public key computations with symmetric ones. The proposed scheme can also be extended to this hybrid encryption mechanism to reduce computation overhead very simply. However, we do not address it because it is not a problem we are focusing on in this paper.

4.2.4 Data re-encryption

Before distributing the sensor data $CT$, the data aggregator re-encrypts it by running ReEncrypt($CT$, $\mathcal{G}$) using a set $\mathcal{G}$ (a subset of all the attribute groups) of the membership information for each attribute group associated with $K$ in $CT$. The re-encryption algorithm enforces user-level access control per attribute group on top of the sensing data, which was once encrypted to enforce the attribute-level access control policy. The algorithm progresses as follows:

1. For all $G_i \in \mathcal{G}$ associated with $k_i \in K$, it chooses a random $K_{k_i} \in \mathbb{Z}_p$. Then, it re-encrypts $CT$ and generates
\[
CT' = \big( K,\ MY^s,\ \{E'_i = (T_i^s)^{K_{k_i}}\}_{k_i \in K} \big).
\]
2. It selects the root nodes of the minimum cover sets in the KEK tree that can cover all leaf nodes associated with the users in $G_i$, for all $G_i \in \mathcal{G}$. We denote the set of KEKs held by such root nodes of subtrees for $G_i$ by $KEK(G_i)$. For example, if $G_i = \{u_1, u_2, u_3, u_4, u_7, u_8\}$ in Fig. 2, then $KEK(G_i) = \{KEK_2, KEK_7\}$ because $v_2$ and $v_7$ are the root nodes of the minimum cover sets that can cover all members in $G_i$. It follows that this collection covers all users in $G_i$ and only them, and any user $u \notin G_i$ can by no means know any KEK in $KEK(G_i)$.
3. It generates a header message
\[
Hdr = \big( \forall k_y \in K : \{E_K(K_{k_y})\}_{K \in KEK(G_y)} \big),
\]
where $E_K(M)$ is a symmetric encryption of a message $M$ under a key $K$. This encryption is employed as a method to deliver the attribute group keys to valid users. The simplest implementation is to make $E_K : \{0,1\}^k \to \{0,1\}^k$ a block cipher, where $k$ is the length of the key $K$.

On receiving any data request query from a user, the data aggregator responds with $(Hdr, CT')$ to the user. It is important to note that the attribute group key distribution protocol through $Hdr$ is a stateless approach. Thus, even if users cannot update their key state constantly, they will be able to decrypt the attribute group key from $Hdr$ at any time they receive it, as long as they are not revoked from any of the attribute groups and are authorized to decrypt it.

4.2.5 Data decryption

The data decryption phase consists of the attribute group key decryption from $Hdr$, followed by the sensing data decryption from $CT'$.

Attribute Group Key Decrypt. When a user receives the ciphertext $(Hdr, CT')$ from the data aggregator, he first obtains from $Hdr$ the attribute group keys for all attributes in $K$ that he holds. If a user $u_t$ has a valid attribute $k_j$ (that is, $u_t \in G_j$), he can decrypt the attribute group key $K_{k_j}$ from $Hdr$ using a KEK that is common to $KEK(G_j)$ and $PK_t$ (that is, $KEK \in KEK(G_j) \cap PK_t$). Note that there can be only one such KEK, because the user belongs to at most one subset rooted by a KEK in $KEK(G_j)$. For example, if $G_j = \{u_1, u_2, u_3, u_4, u_7, u_8\}$ in Fig. 2, $u_3$ can decrypt $K_{k_j}$ using the path key $KEK_2 \in PK_3$. Then, $u_t$ updates its secret key for each leaf node $x$ in the access tree with the attribute group keys as follows:
\[
SK_t = \Big\{ D_x = g^{\frac{q_x(0)}{t_i K_{k_i}}} \Big\}_{x \in \mathcal{T}},
\]
where $k_i$ denotes the attribute assigned to the leaf node $x$.

The key-indistinguishability property follows from the fact that no $u \notin G_j$ is contained in any of the subsets whose root node holds a KEK in $KEK(G_j)$. It means that for every KEK in $KEK(G_j)$, the KEK is indistinguishable from a random key given all the information of all users that are not in $G_j$ [25]. Thus, it is important to note that any user $u \notin G_j$ can by no means decrypt $K_{k_j}$ even if he colludes with other users $u' \notin G_j$.

Sensing Data Decrypt. Then, the user decrypts the ciphertext $CT'$ with its secret key by running Decrypt($CT'$, $SK$, $\mathcal{K}_K$). The algorithm performs in a recursive way. We first define a recursive algorithm DecryptNode($CT'$, $SK$, $x$) that takes as inputs a ciphertext $CT'$ which is associated with a set $K$ of attributes, a private key $SK$ in which the access tree $\mathcal{T}$ is embedded, and a node $x$ from the tree $\mathcal{T}$. It outputs a group element of $\mathbb{G}_T$ or $\bot$.

Without loss of generality, we suppose that a user $u_t$ performs the decryption algorithm. If $x$ is a leaf node and $k_i$ is associated with $x$, then we define it as follows. If $k_i \in K$ and $u_t \in G_x$, then
\[
\begin{aligned}
\mathrm{DecryptNode}(CT', SK, x) &= e(D_x, E'_i) \\
&= e\Big( g^{\frac{q_x(0)}{t_i K_{k_i}}},\ (g^{t_i s})^{K_{k_i}} \Big) \\
&= e(g,g)^{s\, q_x(0)}.
\end{aligned}
\]
If $u_t \notin G_x$, $u_t$ cannot compute $e(g,g)^{s\, q_x(0)}$, as the exponent of $D_x$ in $SK$ cannot contain the inverse of the exponent $K_{k_i}$ of $E'_i$. If $k_i \notin K$ or $u_t \notin G_x$, we define DecryptNode($CT'$, $SK$, $x$) $= \bot$.

We now consider the recursive case when $x$ is a non-leaf node. The algorithm DecryptNode($CT'$, $SK$, $x$) then proceeds as follows: for all nodes $z$ that are children of $x$, it calls DecryptNode($CT'$, $SK$, $z$) and stores the output as $F_z$. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes $z$ such that $F_z \neq \bot$. If no such set exists, then the node was not satisfied and the function returns $\bot$.

Otherwise, we compute
\[
\begin{aligned}
F_x &= \prod_{z \in S_x} F_z^{\Delta_{i,S'_x}(0)}, \quad \text{where } i = index(z),\ S'_x = \{index(z) : z \in S_x\} \\
&= \prod_{z \in S_x} \big( e(g,g)^{s\, q_z(0)} \big)^{\Delta_{i,S'_x}(0)} \\
&= \prod_{z \in S_x} \big( e(g,g)^{s\, q_{p(z)}(index(z))} \big)^{\Delta_{i,S'_x}(0)} \\
&= \prod_{z \in S_x} e(g,g)^{s\, q_x(i)\, \Delta_{i,S'_x}(0)} \\
&= e(g,g)^{s\, q_x(0)}
\end{aligned}
\]
and return the result.

The decryption algorithm begins by calling the function on the root node $r$ of the access tree. We observe that DecryptNode($CT'$, $SK$, $r$) $= e(g,g)^{ys}$ if the ciphertext satisfies the tree $\mathcal{T}$ and the user has valid memberships of each attribute group $G_i$ for all $k_i \in K$. When we set $A = $ DecryptNode($CT'$, $SK$, $r$) $= e(g,g)^{ys}$, the algorithm decrypts the ciphertext by computing $MY^s / A = M$.

4.3 Key update

When a user comes to hold or drop an attribute at some time instance, the corresponding key should be updated to prevent the user from accessing the previous or subsequent encrypted data, for backward or forward secrecy respectively. Figure 3 shows the rekeying flow.

The key update procedure is launched by a user who wants to hold or drop attributes sending a join or leave request for some attribute groups to the system controller. On receipt of the membership change request for some attribute groups, the system controller notifies the data aggregator of the event and sends it the updated membership list of the attribute group. When the data aggregator receives the notification, it changes the attribute group key for the attribute. Without loss of generality, suppose there is a membership change in $G_i$. Then, the key update procedure progresses as follows.

Fig. 3 Rekeying procedure

1. The data aggregator selects a random $s' \in \mathbb{Z}_p$, and a $K'_{k_i}$ which is different from the previous attribute group key $K_{k_i}$. Then, it re-encrypts the ciphertext $CT$ using the public parameters $PK$ as
\[
CT' = \Big( K,\ MY^{(s+s')},\ E'_i = (T_i^{s+s'})^{K'_{k_i}},\ \{E'_j = (T_j^{s+s'})^{K_{k_j}}\}_{k_j \in K \setminus \{k_i\}} \Big).
\]
For the other attribute groups that are not affected by the membership changes, the attribute group keys do not necessarily need to be updated [2].
2. The data aggregator selects new minimum cover sets for $G_i$ including a newly joining user who comes to hold an attribute $k_i$ (for backward secrecy) or excluding a leaving user who comes to drop an attribute $k_i$ (for forward secrecy). Then, it generates a new header message with the updated $KEK(G_i)$ as follows.
\[
Hdr = \Big( \{E_K(K'_{k_i})\}_{K \in KEK(G_i)},\ \ \forall k_y \in K \setminus \{k_i\} : \{E_K(K_{k_y})\}_{K \in KEK(G_y)} \Big).
\]

When a user sends a request query for the sensing data afterward, the data aggregator responds with the above $Hdr$ and the ciphertext $CT'$ encrypted under the updated keys.

The above key update procedure guarantees fine-grained user-level access control such as immediate user revocation in each attribute group. However, it can also trivially achieve immediate attribute revocation by selectively sending the updated attribute group key in $Hdr$. In addition, the user revocation can be done at each attribute level rather than the system level. Thus, even if a user is revoked from some attribute groups, he may still be able to access the sensing data with the other attributes that he holds, as long as the access policy is satisfied with the other attributes in the ciphertext, because the other attributes would still be effective in the system.

5 Scheme evaluation

In this section, we first analyze and compare the efficiency of the proposed scheme with the previous KP-ABE schemes in theoretical aspects. Then, the efficiency of the proposed scheme is demonstrated through network simulation and implementation.

5.1 Access control

Table 1 shows the access control granularity and rekeying method of each scheme. The rekeying in the proposed scheme can be done in an immediate way by the data aggregator. Therefore, an attribute or a user can be revoked at any time, even before the expiration time which might be set for the attribute. This enhances the security of the stored sensing data in terms of backward/forward secrecy by reducing the window of vulnerability that allows unauthorized access to the data. In addition, the proposed scheme realizes more fine-grained user access control at each attribute level rather than system-level revocation, as opposed to FDAC [3]. Thus, even if a user comes to hold or drop any attribute during the service in the proposed scheme, he may still access the data as long as the other attributes in the ciphertext satisfy his access policy.

Table 1 Access control comparison

Scheme            | Granularity                    | Rekeying
Goyal et al. [12] | No revocation                  | –
FDAC [3]          | System level user revocation   | Immediate rekeying
Proposed scheme   | Attribute level user revocation | Immediate rekeying

Even if the authors in [3] claimed that their scheme is able to revoke users by using CP-ABE in the KP-ABE based sensor network, this somewhat lacks efficiency to achieve fine-grained user revocation in the sensor system. This is because the only way to revoke individual users using only ABE is to set each identity of the users as an attribute, and revoke the identity by conjunctively adding the AND of the negation of the identity. This scheme will pose an overhead of $O(R)$ group elements additively to the size of the ciphertext and $O(\log S)$ multiplicatively to the size of the private key over the original CP-ABE scheme of Bethencourt et al. [13], where $S$ is the maximum size of the revoked attribute set $R$.

5.2 Efficiency

The theoretical efficiency comparison results are summarized in Table 2. The notations used in the table are described as follows:

$n_0$ Bit size of an element in $\mathbb{G}$
$n_T$ Bit size of an element in $\mathbb{G}_T$
$n_p$ Bit size of an element in $\mathbb{Z}_p$
$n_k$ Bit size of a KEK
$n_a$ Bit size of an attribute string
$n_{\mathcal{T}}$ Bit size of an access tree $\mathcal{T}$ in the ciphertext
$u$ The number of attributes in the system
$t$ The number of attributes appearing in $\mathcal{T}$
$M$ The number of users in an attribute group
$N$ The number of all users in the system
$k$ The number of attributes associated with a ciphertext

Table 2 Efficiency comparison

System            | Ciphertext size            | Rekeying message                   | Private key size                        | Public key size
Goyal et al. [12] | $kn_a + kn_0 + n_T$        | –                                  | $n_{\mathcal{T}} + tn_0$                | $un_0 + n_T$
FDAC [3]          | $kn_a + (k+1)n_0 + n_T$    | $n_T + (N-1)n_0$                   | $n_{\mathcal{T}} + (t+1)n_0$            | $(u+1)n_0 + n_T$
Proposed scheme   | $kn_a + kn_0 + n_T$        | $(N-M)\log\frac{N}{N-M}\, n_p$     | $n_{\mathcal{T}} + tn_0 + (\log N) n_k$ | $un_0 + n_T$

Each scheme is compared in terms of ciphertext size, rekeying message size, and private and public key size. Ciphertext size represents the communication cost that a sensor needs to send its data to the data aggregator, or that the data aggregator needs to send to users ($CT'$ in the proposed scheme). Rekeying message size represents the communication cost that the system controller or the data aggregator needs to send to update non-revoked users' keys ($Hdr$ in the proposed scheme). Private key size represents the storage cost required for each user to store attribute keys and KEKs. Public key size represents the size of the system public parameters. In FDAC, the lifetime of sensor nodes is divided into several time phases and a key encapsulation mechanism is adopted in order to reduce the computation overhead incurred by ABE operations. The proposed scheme can also be easily extended to such a hybrid encryption architecture to replace several ABE operations with comparably lightweight symmetric ones. However, in this analysis, we analyze only the basic ABE operations for a fair comparison between the schemes.

As shown in Table 2, the proposed scheme is as efficient as Goyal et al.'s scheme [12] in terms of the ciphertext and public key size. The proposed scheme requires a rekeying message size of at most $(N-M)\log\frac{N}{N-M}\, n_p$ to handle user-level access control for each attribute in the system. FDAC revokes users by sending a keying component to all valid users excluding the user to be revoked. Although Yu et al. [3] claimed that the rekeying can be done with CP-ABE in FDAC, we found that it cannot work as it is. This is due to the fact that the keying component to be distributed in FDAC is an element of the group $\mathbb{G}$. Regardless of the efficiency issue, the component should be an element of the group $\mathbb{G}_T$ for the revocation to operate successfully in FDAC. Therefore, we assume that the keying material is distributed to valid users by unicasts in FDAC to guarantee the same granularity of user access control as the proposed scheme. The proposed scheme requires a user to store $\log N$ more KEKs than Goyal et al.'s scheme. However, it has the advantage of reducing the size of the rekeying message. The proposed scheme guarantees fine-grained user access control while requiring a smaller rekeying message for a user revocation compared to FDAC.

5.3 Simulation

In this simulation, we consider distributed sensing data retrieval applications protected by attribute-based encryption. Almeroth and Ammar [26] showed that the number of users joining a multicast group follows a Poisson distribution with rate $\tilde{\lambda}$, and the membership duration time follows an exponential distribution with a mean duration $1/\mu$ in the Internet multicast backbone network. Since each attribute group can be seen as an independent network multicast group where the members of the group share a common attribute, we show the simulation result following this probabilistic behavior distribution [26].

We suppose that user join and leave events are independently and identically distributed in each attribute group in $\mathcal{G}$ following a Poisson distribution. The membership duration time for an attribute is assumed to follow an exponential distribution. We set the inter-arrival time between users as 20 min ($\tilde{\lambda} = 3$) and the average membership duration time as 20 h ($1/\mu = 20$). Figure 4 represents the number of users in an attribute group during 300 h.

Fig. 4 The number of users in an attribute group (x-axis: Time (in hours), 0 to 300; y-axis: # of users, 0 to 90; series: valid users, revoked users)

Figure 5 shows the total communication cost that a sensor or the data aggregator needs to send on a membership change in the network system. It includes the updated ciphertext and rekeying messages for non-revoked


users. It is measured in bits. For comparison purposes, we also simulate the communication cost of Goyal et al.'s scheme. In this simulation, the total number of users in the network is 5,520 and the number of attributes in the system is 30. To achieve an 80-bit security level, we set $n_0 = 512$, $n_T = 128$, $n_p = 160$, $n_a = 160$. As shown in Fig. 5, the proposed scheme requires less communication cost than FDAC in the network since the rekeying message in $Hdr$ is comparatively smaller than that of FDAC. The differences in communication cost between Goyal et al.'s scheme and the other schemes indicate the pure rekeying overhead to handle user revocation in the sensor system.

Fig. 5 Communication cost in the system (x-axis: Time (in hours), 0 to 60; y-axis: Communication cost (in bits); series: Goyal et al.'s, FDAC, Ours)

5.4 Implementation

Next, we analyze and measure the computation cost for encrypting (by a sensor node) and decrypting (by a user) sensing data. We used a Type A curve (in the pairing-based cryptography (PBC) library [27]) providing groups in which a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is defined. Although such curves provide good computational efficiency (especially for pairing computation), the same does not hold from the point of view of the space required to represent group elements. Indeed, each element of $\mathbb{G}$ needs 512 bits at an 80-bit security level and 1,536 bits when 128 bits of security are chosen.

Table 3 shows the analysis results for decrypting by a user. For each operation, we include a benchmark timing. Each cryptographic operation was implemented using the PBC library ver. 0.4.18 [27] on a 3.0 GHz processor PC. The public key parameters were selected to provide an 80-bit security level. The implementation uses a 160-bit elliptic curve group based on the supersingular curve $y^2 = x^3 + x$ over a 512-bit finite field. The computational cost is analyzed in terms of the pairing and exponentiation operations in $\mathbb{G}$ and $\mathbb{G}_T$. The comparatively negligible symmetric cryptographic operations are ignored in the time result. In the proposed scheme, the decryption time for a user requires $t$ more exponentiations in $\mathbb{G}$ than Goyal et al.'s scheme, for the attribute key update. These exponentiation operations are what realizes the fine-grained user access control for each independent attribute group. Therefore, we can observe that there is a tradeoff between computational overhead and user revocation capability.

Table 3 Computation cost at a user

Time (ms)         | Pairing | Exp. in $\mathbb{G}$ | Exp. in $\mathbb{G}_T$ | Computation (ms)
(benchmark)       | 2.9     | 1.0                  | 0.2                    |
Goyal et al. [12] | $k$     | 0                    | 0                      | $2.9k$
FDAC [3]          | $k+1$   | 0                    | 0                      | $2.9k + 2.9$
Proposed scheme   | $k$     | $t$                  | 0                      | $2.9k + t$

Although these results are acceptable to users, they might not be supported by low-end sensor devices such as Tmote Sky. However, many studies [3, 28, 29] demonstrated that high-end sensor devices such as iMote2 can accept these ABE operations when they are implemented with the TinyECC library [30]. For example, iMote2 can perform a point scalar multiplication operation within 35 ms when working at 416 MHz (69 ms at 208 MHz, and 139 ms at 104 MHz) on an MNT curve over $\mathbb{F}_q$ with embedding degree 6, where $q$ is a 159-bit prime number. However, recently, Oliveira et al. [29] presented TinyPBC, which is a much more efficient implementation of PBC primitives for common sensor processors. Especially, on the 32-bit ARM XScale PXA271 processor (which is the iMote2 microcontroller), TinyPBC takes only 0.14 s to compute a pairing operation and 0.157 ms to compute a point scalar multiplication operation, which are definitely acceptable in the sensor system. The computation cost for encrypting by a sensor node is analyzed in Table 4. Each operation was implemented using the TinyPBC library [29] on the iMote2.

The encryption costs required for a sensor in each scheme are all the same, that is, $k+1$ exponentiations in the group $\mathbb{G}$,¹ because there is no difference in the data encryption algorithm performed by a sensor. The user revocation can be handled after the data encryption by a sensor node in both FDAC and the proposed scheme. The most time-consuming task assigned to the data aggregator is re-encrypting the ciphertext. It requires the data aggregator to perform $k$ exponentiation operations in the group $\mathbb{G}$ without any expensive pairing operations, which is almost

¹ In case $\mathbb{G}$ is defined as an additive group of prime order $p$, these would be scalar multiplication operations on the elliptic curve.


the same computation cost as that of a sensor node encrypting data. Therefore, it is clear that the proposed scheme is also affordable for a sensor system consisting of high-end sensor devices, as in FDAC.

Table 4 Computation cost at a sensor node (iMote2)

Time (ms)         | Pairing | Exp. in $\mathbb{G}$ | Computation (ms)
(benchmark)       | 140     | 0.157                |
Goyal et al. [12] | 0       | $k+1$                | $0.157k + 0.157$
FDAC [3]          | 0       | $k+1$                | $0.157k + 0.157$
Proposed scheme   | 0       | $k+1$                | $0.157k + 0.157$

Even if a 128-bit security level is acceptable in PC environments, it may cause too much computation overhead and exhaust much battery power when adopted in sensor devices, even though it provides a higher level of security. To meet efficiency constraints, security levels are often relaxed. For example, Perrig et al. [31] have adopted a 64-bit security level. However, NIST recommended an 80-bit security level in sensor networks [29]. Thus, like the previous schemes, we also analyzed our computation cost at the 80-bit security level in this paper, as NIST recommended. However, some applications might want a 128-bit level of security. Therefore, developing more efficient pairing-based cryptography for sensor devices that supports the 128-bit security level with reasonable computation overhead would be an important future work.

6 Security

In this section, we prove the security of the proposed scheme with regard to the security requirements discussed in Sect. 3.

6.1 Collusion resistance

The main challenge in designing an attribute-based encryption algorithm is to prevent attacks from colluding users. In KP-ABE, the secret sharing is embedded into the private keys of users. Like the previous ABE schemes [11, 12], the secret sharing in the private keys ($SK$) of users is randomized such that they cannot be combined in the proposed scheme. In order to decrypt a ciphertext, a user or a colluding attacker should recover $e(g,g)^{ys}$. To recover this, the attacker must pair $E_i$ from the ciphertext and $D_x$ from some colluding user's private key for an attribute $k_i$ (which is assigned to node $x$) that the attacker does not hold. However, this results in the value $e(g,g)^{q'_x(0)s}$ blinded by some random coefficients of $q'_x$, which are uniquely assigned to each user, even if the attribute group key for the attribute of the user is still valid.² This value can be blinded out if and only if the user has enough key components to satisfy the secret sharing scheme embedded in the key. Therefore, the desired value $e(g,g)^{ys}$ cannot be recovered by a collusion attack since the blinding polynomial values are randomized for a particular user's private key.

6.2 Data confidentiality

Data confidentiality of the stored data at the data aggregator can be trivially guaranteed against a user who does not hold an access policy that can be satisfied by the set of attributes in the data. Since the set of attributes cannot satisfy the access tree, he cannot recover the desired value $e(g,g)^{ys}$ during the decryption process. On the other hand, when a user is revoked from some attribute groups that satisfy the access policy, he cannot decrypt the ciphertext either, unless the rest of the attributes satisfy his access policy. In order to decrypt a node $x$ for some attribute $k_i$, the user needs to pair $E'_i$ from the ciphertext and $D_x$ from its private key. However, this cannot result in the value $e(g,g)^{s\, q_x(0)}$, which is needed to generate $e(g,g)^{ys}$, since $E'_i$ is blinded by the updated attribute group key that the revoked user can by no means obtain.

Another attack on the data can be launched by the data aggregator. Since the data aggregator cannot be totally trusted by users (suppose that the data aggregator could be compromised or tries to exploit private sensor data maliciously for its profit), the confidentiality of the stored data against the data aggregator is another essential security criterion for secure sensor systems. Even if the data aggregator manages each attribute group key, it cannot decrypt any of the ciphertext components because it is only authorized to re-encrypt the ciphertext with each attribute group key, but is not allowed to decrypt it (that is, none of the private attribute keys are given to the data aggregator by the system controller). Therefore, data confidentiality against the curious data aggregator is also guaranteed.

6.3 Backward and forward secrecy

When a user comes to hold a set of attributes at some time instance, the corresponding attribute group keys are updated and delivered to the valid attribute group members securely (including the user). In addition, all of the components encrypted with a secret key $s$ in the ciphertext are

² Another collusion attack scenario is the collusion between users in order to obtain the valid attribute group keys for some attributes that they do not hold. The attribute group key distribution protocol in the proposed scheme features key-indistinguishability, as we discussed in Sect. 4.2.5. Thus, the colluding users can by no means obtain any valid attribute group keys for attributes that they are not authorized to hold.


re-encrypted by the data aggregator with a random s0 , and References


the ciphertext components corresponding to the attributes
are also re-encrypted with the updated attribute group keys. 1. Akyildiz, I. F., & Kasimoglu, I. H. (2004). Wireless sensor and
actor networks: Research challenges. Ad Hoc Networks Journal,
Even if the user has stored the previous ciphertext 2(4), 351–367.
exchanged before he obtains the attribute keys and the 2. Thuraisingham, B. (2004). Secure sensor information manage-
access policy is satisfied with the holding attributes, he ment and mining. IEEE Signal Processing Magazine, 21(3),
cannot decrypt the pervious ciphertext. This is because, 14–19.
3. Yu, S., Ren, K., & Lou, W. (2009). FDAC: Toward fine-grained
even if he can succeed in computing e(g, g)y(s?s’) from the distributed data access control in wireless sensor networks. In
current ciphertext, it will not help to recover the desired Proceeding IEEE INFOCOM, pp. 963–971.
value e(g, g)ys for the previous ciphertext since it is blinded 4. Ye, F., Luo, H., Cheng, H., Lu, S., & Zhang, L. (2002). A two-tier
by a random s0 . Therefore, the backward secrecy of the data dissemination model for large-scale wireless sensor net-
works. In Proceeding ACM Mobicom, pp. 148–159.
stored data is guaranteed in the proposed scheme. 5. Przydatek, B., Song, D., & Perrig, A. (2003). SIA: Secure
Likewise, when a user comes to drop a set of attributes information aggregation in sensor networks. In Proceeding
at some time instance, the corresponding attribute group Sensys.
keys are also updated and delivered to the valid attribute 6. Hur, J., Lee, Y., Hong, S., & Yoon, H. (2006). Trust management
for resilient wireless sensor networks. In Proceeding ICISC,
group members securely (excluding the user). Then, all of LNCS, vol. 3935, pp. 56–68.
the components encrypted with a secret key s in the 7. Deng, J., Han, R., & Mishra, S. (2003). Security support for in-
ciphertext are re-encrypted by the data aggregator with a network processing in wireless sensor networks. In Proceeding
random s0 , and the ciphertext components corresponding to ACM workshop on security of ad hoc and sensor networks,
pp. 83–93.
the attributes are also re-encrypted with the updated attri- 8. Mathur, G., Desnoyers, P., Ganesan, D., & Shenoy, P.
bute group keys. Then, the user cannot decrypt any nodes (2006). Capsule: An energy-optimized object storage system
corresponding to the attributes after revocation due to the for memory-constrained sensor devices. In Proceeding ACM
blindness resulted from newly updated attribute group Sensys.
9. Vimercati, S., Foresti, S., Jajodia, S., Paraboschi, S., & Samarati,
keys. In addition, even if the user has recovered e(g, g)ys P. (2007). A data outsourcing architecture combining cryptog-
before he was revoked from the attribute groups and stored raphy and access control. In Proceeding ACM CSAW.
it, it will not help to decrypt the subsequent ciphertext 10. Subramanian, N., Yang, C., & Zhang, W. (2007). Securing dis-
0
e(g, g)y(s?s ) re-encrypted with a new random s0 . Therefore, tributed data storage and retrieval in sensor networks. In Pro-
ceeding PerCom.
the forward secrecy of the stored data is guaranteed in the 11. Sahai, A., & Waters, B. (2005). Fuzzy identity-based encryption.
proposed scheme. In Proceeding Eurocrypt, pp. 457–473.

7 Conclusion

Sensor systems using distributed sensor storage suggest a promising solution that allows users to directly access data generated by individual sensors. Some of the most challenging issues in the distributed sensor data storage scenario are the enforcement of authorization policies and the support of policy updates. In this paper, we proposed a cryptographic approach to enforce fine-grained access control on the stored sensor data, namely a proxy encryption protocol that exploits the combined features of key-policy attribute-based encryption and a group key management algorithm. The proposed scheme allows a system controller to define a fine-grained access control policy and enforce it on the sensor data. It also features a mechanism that enables access control with efficient attribute and user revocation capability. User access control can be performed on each attribute group with the help of the semi-trusted data aggregator. We demonstrated that the proposed scheme is efficient and affordable for securely managing the distributed sensor data.

Author Biography

Junbeom Hur received the B.S. degree in Computer Science from Korea University in 2001, and the M.S. and Ph.D. degrees in Computer Science from KAIST in 2005 and 2009, respectively. He is currently a postdoctoral researcher in Computer Science at the University of Illinois at Urbana-Champaign. His research interests include information security, network security, and computing security.