2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

K-anonymous Location-based Fine-grained Access

Control for Mobile Cloud
Yaser Baseri Abdelhakim Hafid Soumaya Cherkaoui
Department of Computer Science Department of Computer Science INTERLAB Research Laboratory
and Operations Research and Operations Research Universite de Sherbrooke, Canada
Universite de Montreal, Canada Universite de Montreal, Canada Email: Soumaya.cherkaoui@usherbrooke.ca
Email: yaser.baseri@umontreal.ca Email: ahafid@iro.umontreal.ca

Abstract—Mobile cloud computing is a revolutionary comput- convenient services for mobile users based on their positions
ing paradigm for mobile application which enables storage and (e.g. social networking as an entertainment service which uses
computation migration from mobile users to resources rich and information on the geographical position of the mobile device).
powerful cloud servers, but emerges various privacy concerns.
Attribute based encryption is a public key encryption that ensures The main challenge of location based access control is the
the security of stored data in the cloud and provides fine grained release of information only to authorized parties satisfying
access control using defined policies and constraints. Location predefined conditions; this is called fine-grain access control.
of a device is one of the contextual policies which is used to Attribute-based encryption (ABE) technique is a promising
improve data security, authenticate users and provide access to approach to achieve fine-grained access control [10], [3]. ABE
services and useful information for mobile users. However, unlike
other policies and attributes used in attribute based encryption, provides access control over encrypted data using access poli-
location of mobile users are dynamic. In this paper, we investigate cies and assigned set of attributes embedded in ciphertexts and
providing Location Based Services (LBS) for attribute based private keys. In particular, ciphertext policy ABE (CP-ABE)
access control in mobile cloud. More specifically, we propose provides access such that encrypted data can be decrypted
a multi-authority attribute based access control scheme and only by a user possessing a set of attributes. Thus, based
protect users privacy against malicious authorities. The proposed
scheme uses dynamic location of a mobile user as contextual on policy embedded in ciphertext, different users are able to
information about that user, employs coarse location as an access different pieces of information based on the attributes
attribute in attribute based encryption to achieve 𝐾−anonymity, they are assigned.
and filters the returned results for more accuracy. The attribute Providing fine grained access control for attribute based
based encryption is integrated with proxy re-encryption to encryption requires issuing different attributes for each user.
outsource the computation to a cloud server with ”unlimited”
computational power. The proposed scheme achieves efficiency Since each authority issues a bunch of attributes for each user,
by reducing computational cost on resource-constrained mobile the employed ABE (CP-ABE) should support coexistence of
users. multi-authorities. Multi-authorities CP-ABE [6], [15], [4] is
Keywords: Location Based Services, Dynamic Location, Key more appropriate for location-based access control for cloud,
Revocation, Attribute Based Encryption, Outsourcing. as users hold attributes issued by different authorities.
Using CP-ABE in the context of LBS introduces several
I. I NTRODUCTION
challenges including (1) location anonymity: mobile users
In some applications of mobile cloud computing, Location should not be traceable while using LBS; (2) dynamic location:
Based Services (LBS) are popular services provided by mobile location of mobile users are changing over time; CP-ABE
devices and remote servers, in which users can use the geo- should support dynamic update of location and key related
graphical information for gaining access features (e.g. health, to that location attribute; and (3) computational cost on mo-
indoor object search, entertainment, work, personal life). LBS bile devices (users): the execution of the scheme should not
adopts Data as a Service (DaaS) model; it is accessible by impose high computational cost on mobile users with limited
mobile devices, through the mobile network, and makes use resources.
of the geographic positions of these devices. In this paper, we propose a new location based service
In location based services, the location of a device repre- scheme for attribute based access control in mobile cloud
sents one of the most important contextual information about to support location privacy, confidentiality of stored data
a device and its owner; it is exploited to improve data security, and dynamic location update without imposing significant
and to support access to the services and information provided computational cost on mobile devices.
by the cloud for mobile users. Indeed, by integrating access
control mechanisms with conditions based on the physical A. Related Work
position of users, we can improve data security and immune Only a few privacy preserving techniques have been pro-
it against unauthorized accesses and disclosures. Furthermore, posed for location-based access control. In [1], the authors
in some applications, we need this information to provide proposed a scheme based on the traditional access control in

978-1-4673-9292-1/16/$31.00 ©2016 IEEE

 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

which the servers are trusted. The scheme uses onion encryp- II. S YSTEM AND S ECURITY M ODELS
tion to increase the security of their scheme and decrease trust In this section, we first present the system model and its
level on servers; it also adds an encryption layer to model the architecture. Then, we describe the security assumptions about
time. To provide fine-grained access control, the data owner different entities in that architecture.
should encrypt data for each user imposing high computational
cost on their scheme. In [11], the authors used ciphertext A. System Model
policy anonymous attribute based encryption [7] to provide
In this paper, we propose a new system model for mobile
location privacy, confidentiality of location based service data
cloud computing (see Figure 1), which introduces Anonymizer
and defined access policy. They assumed unlimited computa-
to preserve location privacy in location based access control.
tional capacity for cloud server and imposed high computa-
We define a system, which has at least three entities in its
tional overhead on the server (exhaustive search on key space
architecture: Anonymizer, Location Service Provider (LSP)
corresponding to a given location range). Moreover, in [11],
and Cloud Service Provider (CSP). Anonymizer defines grid
the location of a device is declared by that device, while a
cells or cloaking areas and broadcasts them in predefined
malicious user may cheat the location to get more services.
time intervals. LSP issues contextual attributes for each user
In [18], the authors proposed a scheme, based on comparison
including unforgeable exact location information 𝑙 for that
based encryption[17], to construct a special-temporal predicate
user, expanded location to a cloaking area (as an estimation
based encryption by means of secure integer comparison.
of exact location) and time of access. This expansion is per-
Although the authors globally reduced the computational cost,
formed by mapping location points to intervals and changing
the mobile user on the base comparison based encryption still
the two-dimensional coordinate points to a grid cell using
does some bilinear pairing. Thus, their work still imposes high
comparison based encryption defined in [14]. User sends its
level of computational load on mobile users. Moreover, if the
query including the expanded location and time of access
coarse location is not sufficiently dense, the scheme will not
provided by LSP to Anonymizer. Upon receiving K requests
support required level of anonymity. Finally, since the location
for a grid cell, Anonymizer generates an Anonymizing Spatial
of a device is declared by that device, a malicious user can
Region (ASR), a grid cell which contains at least K users and
cheat the location and get more services. None of the existing
satisfies anonymity requirement, and performs K-anonymity
schemes supports dynamic location update for mobile users.
cloaking to protect location privacy of the user. It sends the
To conclude, we can summarize the limitations of existing
clustered requests of an ASR to CSP. CSP defines real-time
schemes as follows: (1) high computation overhead on mobile
access time. Then, it partially decrypts data based on that time
users [1], [18]; (2) declaring fake location by malicious user
and other access policies to outsource computation cost of
and getting ineligible access to services and information [11],
decryption. Finally, it generates responses to these K queries
[18]; and (3) breaking the location privacy of user when the
and sends them back to Anonymizer. Anonymizer filters and
coarse location is not sufficiently dense [18].
sends the responses back to users. Finally, the authorized users
will be able to decrypt the received data. In this way, we
In this paper, we propose a scheme that supports (1)
provide 𝐾-anonymity for users and security for queries.
low computation overhead on mobile users by outsourcing
the heavy computations from mobile users (with restricted
computational capabilities) to the server (with ”unlimited” 2-expanded location,
time,
grid size 𝐷𝑎𝑡𝑎
computational power); (2) efficient dynamic location updating 𝐿𝑆𝑃 decryption key for
distribution attribute based 𝑂𝑤𝑛𝑒𝑟
exact location encrypted data
of mobile user in without changing the entire private key of 6-filtered
outsourced 5-outsourced
that user; (3) efficient and anonymous location based services results results

for mobile users of cloud storage; and (4) protecting the 1-location
request
identity of users against each single authority and even against 𝑈 𝑠𝑒𝑟 𝐴𝑛𝑜𝑛𝑦𝑚𝑖𝑧𝑒𝑟 𝐶𝑆𝑃

compromising up to (𝒦 −2) out of 𝒦 authorities. Note that, to

3-expanded location 4-K clustered
provide location privacy, we use comparison based encryption other
attributes
to a grid cell, requests
other attributes
[14] as a kind of CP-ABE; it models interval as an estimation
of exact location and proposes a way to hide the exact location Figure 1. Architecture of the system
of users from cloud server. To provide anonymity of users, we
also adapt AnonyControl [5] in the scheme and propose a way
to protect the identity of users against each authority.
B. Threat Model
The rest of this paper is organized as follows. Section II In the threat model used in LBS, CSPs are assumed to
discusses the system and security models of the proposed be honest but curious in practice [16]. That means that
scheme. Section III, presents some preliminaries. Section IV CSPs will faithfully follow the proposed scheme, but can
describes the proposed scheme. Section V presents the analysis launch passive attacks to get as much secret information as
and evaluation of the proposed scheme. Finally, Section VI possible. Hence, the data stored in the cloud should remain
concludes the paper and presents future work. encrypted all the time and any required transformation should
 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

not reveal the plaintext in the process. Users who want to easy to compute 𝑣{𝑡′𝑖,𝑗 ,𝑡′𝑖,𝑘 } from 𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 } , while the reverse
receive 𝐿𝐵𝑆, while keeping their location information secret, is hard [14].
may be malicious, forge their real locations and collude to Let 𝔾𝑛′ be a multiplicative group of composite order 𝑛′ =
′
escalate access rights to get services not entitled to. Attribute 𝑝 𝑞 , 𝜑 be a random generator in group 𝔾𝑛′ , where 𝜑𝑛 =
′ ′

authorities 𝐴𝐴𝑖 (1 ≤ 𝑖 ≤ 𝒦) are assumed to be semi-honest in 1, {𝜆𝑖 , 𝜇𝑖 }𝐴𝑖 ∈𝔸 be the set of large random elements 𝜆𝑖 and
the sense that they will not collude all together and the system 𝜇𝑖 in ℤ∗𝑛′ , which are relatively prime to other elements in
can tolerate compromising at most (𝒦−2) of them. Each 𝐴𝐴𝑖 {𝜆𝑖 , 𝜇𝑖 }𝐴𝑖 ∈𝔸 , 𝑈 = {𝑡𝑖,𝑗 , 𝑡𝑖,𝑘 }𝐴𝑖 ∈𝔸 be the set of all upper
is in charge of a subset of the whole attribute set and for each and lower bounds for each attribute 𝐴𝑖 ∈ 𝔸, 𝜓 : 𝑈 → 𝑉
attribute that is in charge of, it knows the exact information of be an order-preserving cryptographic mapping of 𝑈 to a set
the key requester. Hence, by aggregating these information of cryptographic values 𝑉 of the form of 𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 }𝐴𝑖 ∈𝔸 (a
from all authorities, the complete attribute set of the key cryptographical value reflecting the integer values of range
requester is recovered and thus his identity will be disclosed bounds over each attribute 𝐴𝑖 ∈ 𝔸) and 𝑍 be a maximum
to all authorities. LSP, which provides location access right integer value that an element in 𝑈 can have. Then, we define
for each user, knows ASR and location information for each the mapping function 𝜓(.) to map the integer set 𝑈 into 𝑉 as
user, is assumed to be honest. Anonymizer is responsible follows:
for defining cloaking areas, collecting all messages as an
intermediate tier between user and CSP and constructing
ASRs. Hence, it may become a target for adversary, and 𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 }𝐴𝑖 ∈𝔸 ← 𝜓({𝑡𝑖,𝑗 , 𝑡𝑖,𝑘 }𝐴𝑖 ∈𝔸 )
∏
may reveal the cloaking procedure. We assume, as in [9], 𝑡
𝜆𝑖𝑖,𝑗 𝜇𝑍−𝑡𝑖,𝑘
=𝜑 𝐴𝑖 ∈𝔸
∈ 𝔾𝑛′
[8], that Anonymizer will not collude with other entities. We
also assume that the communication channels are secure and Accordingly, multi-dimensional range derivation function is
packets are untraceable when queries and information are defined as follows:
transmitted on these channels. This assumption can be realized
using Secure Socket Layer (SSL) or some other techniques Definition 2 (Multi-Dimensional Range Derivation
[13], [12]. Function[14]). A function 𝐹 : 𝑉 → 𝑉 based on set 𝑈
is defined as a multi-dimension range derivation function if it
III. P RELIMINARIES satisfies the following conditions:
In this section, we briefly introduce composite order bilinear ∙ Easy to compute: the function 𝐹 can be com-

group. Then, we present Multi-Dimensional Range Derivation puted in a polynomial-time, i.e. if 𝑡𝑖,𝑗 ≤ 𝑡′𝑖,𝑗 and
Functions (MDRDF). 𝑡𝑖,𝑘 ≥ 𝑡′𝑖,𝑘 , ∀𝐴𝑖 ∈ 𝔸, then 𝑣{𝑡′𝑖,𝑗 ,𝑡′𝑖,𝑘 }∀𝐴𝑖 ∈𝔸 =
𝐹{𝑡𝑖,𝑗 ≤𝑡′𝑖,𝑗 ,𝑡𝑖,𝑘 ≥𝑡′𝑖,𝑘 }∀𝐴𝑖 ∈𝔸 (𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 }∀𝐴𝑖 ∈𝔸 );
A. Composite Order Bilinear Map ∙ Hard to invert: it is infeasible for any probabilistic

Definition 1 (Composite Order Bilinear Groups). Let 𝑝 and polynomial (PPT) algorithm to compute 𝑣{𝑡′𝑖,𝑗 ,𝑡′𝑖,𝑘 } from
𝑞 be two large primes, 𝑁 = 𝑝𝑞 be the 𝑅𝑆𝐴 modulus, 𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 } if 𝑡𝑖,𝑗 > 𝑡′𝑖,𝑗 or 𝑡𝑖,𝑘 < 𝑡′𝑖,𝑘 .
𝑠1 , 𝑠2 , 𝑝′ , 𝑞 ′ , 𝑝, 𝑞 be secret large primes, 𝑠 = 𝑠1 𝑠2 , 𝑛′ = 𝑝′ 𝑞 ′ , Specifically, 𝐹 (.) can be expressed as follows:
𝔾 and 𝔾𝑇 be two cyclic bilinear groups of composite order
𝑛 = 𝑠𝑛′ , 𝛼 and 𝛽 be two random exponents in ℤ, and 𝑣{𝑡′𝑖,𝑗 ,𝑡′𝑖,𝑘 } ← 𝐹{𝑡𝑖,𝑗 ≤𝑡′𝑖,𝑗 ,𝑡𝑖,𝑘 ≥𝑡′𝑖,𝑘 } (𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 } )
𝑒 : 𝔾 × 𝔾 → 𝔾𝑇 be a bilinear map with the following ∏ 𝑡′ −𝑡𝑖,𝑗 𝑡𝑖,𝑘 −𝑡′𝑖,𝑘
𝜆𝑖𝑖,𝑗 𝜇𝑖
properties: = (𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 } )
𝛼 𝛽 ∏ ∏ 𝑡′ 𝑡𝑖,𝑘 −𝑡′𝑖,𝑘
∙ Bilinearity: ∀𝑔0 , 𝑔1 ∈ 𝔾 : 𝑒(𝑔0 , 𝑔1 ) = 𝑒(𝑔0 , 𝑔1 )
−𝑡𝑖,𝑗
𝛼𝛽
. = (𝜑
𝑡
𝜆𝑖𝑖,𝑗 𝜇𝑍−𝑡𝑖,𝑘
) 𝜆𝑖𝑖,𝑗 𝜇𝑖
∙ Non-degeneracy: 𝑒(𝑔0 , 𝑔1 ) ∕= 1.
∏ 𝑡′ 𝑍−𝑡′𝑖,𝑘
∙ Computability: ∀𝑔0 , 𝑔1 ∈ 𝔾, there is an efficient algo- 𝜆𝑖𝑖,𝑗 𝜇
=𝜑 ∈ 𝔾𝑛′ .
rithm to compute 𝑒(𝑔0 , 𝑔1 ).
IV. P ROPOSED S CHEME
where 𝑁 is public and 𝑛, 𝑠, 𝑝′ , 𝑞 ′ are secret. We refer to the
tuple 𝕊 = (𝑁 = 𝑝𝑞, 𝔾, 𝔾𝑇 , 𝑒) as a composite order bilinear There are five entities in the scheme: 𝒦 Attribute Authorities
group. Not that for two subgroups 𝔾𝑠 and 𝔾𝑛′ of order 𝑠 and (𝐴𝐴𝑖 ) including LSP, User (U), Anonymizer, Cloud Service
𝑛′ = 𝑝′ 𝑞 ′ in 𝔾, if 𝑔 ∈ 𝔾𝑠 and ℎ ∈ 𝔾𝑛′ , then 𝑒(𝑔, ℎ) is the Provider (CSP) and Data Owner (DO). The scheme consists of
identity element in 𝔾𝑇 . five phases: setup, key generation, encryption, access request
and cloaking, and decryption.
B. Multi-Dimensional Range Derivation Functions
The idea of multi-dimensional derivation functions is using A. Setup Phase
”one-way” property, to represent the total ordering relation In the setup phase, which is performed by the central Trust
of integers; this means that for two upper and lower bound Authority (TA), some parameters are fixed. It is assumed that
integer values (𝑡𝑖,𝑗 , 𝑡𝑖,𝑘 ) and (𝑡′𝑖,𝑗 , 𝑡′𝑖,𝑘 ), if we know the value the public keys corresponding to attribute authorities 𝐴𝐴𝑖 (1 ≤
of 𝑣{𝑡𝑖,𝑗 ,𝑡𝑖,𝑘 } , and if 𝑡𝑖,𝑗 ≤ 𝑡′𝑖,𝑗 and 𝑡𝑖,𝑘 ≥ 𝑡′𝑖,𝑘 , then, it is 𝑖 ≤ 𝐾) are certified by TA, i.e. each authenticated participant
 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

should be able to provide its digital certificate if asked. The 2) Location Key Generation: It is performed by LSP to is-
setup algorithm consists of three steps. sue dynamic contextual attributes including expanded location,
Step 1. central trust authority TA time of access and an unforgeable exact location information 𝑙,
∙ Chooses a bilinear map system 𝑆 = (𝑁 = while requesting to access the data stored on the cloud server.
𝑝𝑞, 𝔾, 𝔾𝑇 , 𝑒(., .)) of composite order 𝑛 = 𝑠𝑛′ . This is done in one step.
∙ Chooses two subgroups 𝔾𝑠 with order 𝑠 and 𝔾𝑛′ with Step 1. The location service provider LSP
composite order 𝑛′ = 𝑝′ 𝑞 ′ of 𝔾, where 𝑝′ and 𝑞 ′ are ∙ Constructs location range 𝐿𝑈 = {[𝑙𝑖,𝑎 , 𝑙𝑖,𝑏 ]}𝑙𝑜𝑐𝑖 ∈𝔸 for
two large prime numbers. user U (𝑙𝑜𝑐 = (𝑙𝑜𝑐1 ∥ ... ∥ 𝑙𝑜𝑐𝑚 ), where 𝑙𝑜𝑐𝑖 is the
∙ Selects random generators 𝜔 ∈ 𝔾, 𝑔 ∈ 𝔾𝑠 and 𝜑 ∈ 𝔾𝑛′ 𝑖-th dimension of location defined by Anonymizer to
such that there exists 𝑒(𝑔, 𝜑) = 1 but 𝑒(𝑔, 𝜔) ∕= 1. construct a grid cell in 𝑚 dimensions.).
∙ Selects public hash functions 𝐻 : {0, 1} → 𝔾 to map
∗
∙ Chooses two random numbers 𝑟𝑙𝑜𝑐 ∈𝑟 ℤ𝑛 and 𝑟𝑡𝑖𝑚𝑒 ∈𝑟
∗

each binary attribute string into a group element in 𝔾. ℤ𝑛 .

∗

∙ Chooses 𝜆𝑖 , 𝜇𝑖 ∈ ℤ𝑛 for each attribute 𝑙𝑜𝑐𝑖 ( 𝑖-th

∗ ′
∙ Computes 𝐷𝑙𝑜𝑐 = 𝑔 (𝐻(𝑙𝑜𝑐)) 𝑙𝑜𝑐 , 𝐷𝑙𝑜𝑐 = 𝜔 𝑙𝑜𝑐 ,
𝑟 𝑟 𝑟

dimension of location 1 ≤ 𝑖 ≤ 𝑚) in location attribute 𝑟

𝐷𝑡𝑖𝑚𝑒 = 𝑔 (𝐻(𝑡𝑖𝑚𝑒)) 𝑟𝑡𝑖𝑚𝑒 ′
, 𝐷𝑡𝑖𝑚𝑒 = 𝜔 𝑟𝑡𝑖𝑚𝑒
.
set 𝔸 and ensures that 𝜆𝑖 , 𝜇𝑖 are relatively prime to all ∙ Computes 𝐷𝐾𝑈 = (𝑣𝐿𝑈 )𝑟𝑙𝑜𝑐 =
∏ 𝑙𝑖,𝑎 𝑧−𝑙𝑖,𝑎
other elements in {𝜆𝑖 , 𝜇𝑖 }𝑙𝑜𝑐𝑖 ∈𝔸 . 𝜑𝑟𝑙𝑜𝑐 𝑙𝑜𝑐𝑖 ∈𝔸 𝜆𝑖 𝜇𝑖 as the delegation key
∙ Chooses random exponents 𝛼, 𝛽 ∈ ℤ𝑛 and generates
∗
′
of user U, where 𝑣𝐿𝑈 = 𝑣{[𝑙𝑖,𝑎 ,𝑙𝑖,𝑏 ]}𝑙𝑜𝑐𝑖 ∈𝑙𝑜𝑐 =
master key 𝑀 𝐾 = (𝑝, 𝑞, 𝑛 , 𝛼, 𝛽). ∏ 𝑙𝑖,𝑎 𝑧−𝑙𝑖,𝑎

∙ Publishes the global parameters 𝐺𝑃 = (𝑆, 𝑔, 𝜔, ℎ = 𝜑 𝑙𝑜𝑐𝑖 ∈𝔸 𝜆𝑖 𝜇𝑖 ∈ 𝐺𝑛′ .

′ ′
𝜔 𝛽 , 𝜂 = 𝑔 1/𝛽 , 𝑒(𝑔, 𝜔)𝛼 , 𝜑, {𝜆𝑖 , 𝜇𝑖 }𝑙𝑖 ∈𝐿𝑜𝑐 , 𝐻(.)). ∙ Sends 𝐷𝑙𝑜𝑐 , 𝐷𝑙𝑜𝑐 , 𝐷𝑡𝑖𝑚𝑒 , 𝐷𝑡𝑖𝑚𝑒 , 𝐷𝐾𝑈 and exact

Step 2. Attribute authority 𝐴𝐴𝑘 location information 𝑙 to user 𝑈 .

∙ Selects randomly 𝒦 − 1 integers 𝑠𝑘𝑗 ∈ ℤ𝑛 (𝑗 ∈
∗ After receiving 𝐷, 𝐷𝑗 , 𝐷𝑗′ (∀𝑗 ∈ main attributes), 𝐷𝑙𝑜𝑐 ,
′ ′
{1, ..., 𝒦} ∖ {𝑘}) and computes 𝑔 𝑠𝑘𝑗
to share with each 𝐷𝑙𝑜𝑐 , 𝐷𝑡𝑖𝑚𝑒 , and 𝐷𝑡𝑖𝑚𝑒 , user U aggregates all as his
′ ′
other authority 𝐴𝐴𝑗 . private key: 𝑆𝐾𝑈 = (𝐷, 𝐷𝑙𝑜𝑐 , 𝐷𝑙𝑜𝑐 , 𝐷𝑡𝑖𝑚𝑒 , 𝐷𝑡𝑖𝑚𝑒 , ∀𝑗 ∈
′
∙ Receives 𝒦 − 1 pieces of 𝑔 𝑗𝑘 generated by 𝐴𝐴𝑗 .
𝑠 𝑚𝑎𝑖𝑛 𝑎𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒𝑠 𝐷𝑗 , 𝐷𝑗 ).
∙ Computes secret parameter 𝑥𝑘 ∈ ℤ𝑛 as follows:
∗

( ∏ )/ ( ∏ ) C. Encryption Phase
𝑥𝑘 = 𝑔 𝑠𝑘𝑗 𝑔 𝑠𝑗𝑘 During the encryption phase, the data owner DO should
𝑗∈{1,...,𝒦}∖{𝑘}
(
𝑗∈{1,...,𝒦}∖{𝑘}
) interact with CSP to define dynamic access policy and encrypt
∑
𝑔 𝑠𝑘𝑗 −
∑
𝑔 𝑠𝑗𝑘 data based on that policy. This phase consists of two rounds:
=𝑔 𝑗∈{1,...,𝒦}∖{𝑘} 𝑗∈{1,...,𝒦}∖{𝑘}
The first round is performed while uploading the file to the
cloud and the second round is performed while receiving
It is∏ clear that these randomly produced integers satisfy access request by CSP.
𝑥𝑘 = 1 𝑚𝑜𝑑 𝑛.
𝑘∈{1,...,𝒦}
1) Data Uploading (First Round Encryption): This round
is performed by DO and CSP while uploading information to
B. Key Generation Phase the server. It consists of 3 steps.
When a new user U wants to access the system, he requests Step 1. The data owner DO
from each authority to issue a secret key. This is performed ∙ Defines access control policy for all attributes. More
in two sub-phases: especially, 𝐷𝑂 defines location constraints 𝐿𝑃 =
1) Attribute Key Generation: Attribute authorities {[𝜌𝑖 , 𝜌¯𝑖 ]}𝑙𝑜𝑐𝑖 ∈𝔸 , where 𝑙𝑜𝑐𝑖 is the 𝑖-th dimension of
𝐴𝐴𝑖 (1 ≤ 𝑖 ≤ 𝐾, including LSP) collaborate to issue secret those constraints. Note that [𝜌𝑖 , 𝜌¯𝑖 ] corresponds to
keys for each user, just one time during registration. This attribute constraint [𝑡𝑖,𝑗 , 𝑡𝑖,𝑘 ], if the policy does not
process consists of 2 steps. designate negative attributes or wildcards over 𝑙𝑜𝑐𝑖 . For
step 1. Attribute authority 𝐴𝐴𝑘 negative attributes or wildcards, the reader can refer to
∙ Selects a random number 𝛾𝑘 ∈ ℤ𝑛 , computes 𝑥𝑘 𝑔 𝑘
∗ 𝛾 [14]. ∏ 𝜌 𝑧−𝜌
¯𝑖
𝜆 𝑖𝜇
and shares it with other authorities. ∙ Computes 𝑣𝐿𝑃 = 𝑣{𝜌𝑖 ,𝜌¯𝑖 }𝑙𝑜𝑐 ∈𝔸 = 𝜑 𝑙𝑜𝑐𝑖 ∈𝔸 𝑖 𝑖
𝑖
∙ Selects random numbers 𝑠𝑙𝑜𝑐 ∈𝑟 ℤ𝑛 and 𝑠𝑚𝑎𝑖𝑛 ∈𝑟
∗
∙ Computes 𝐷𝑟 = Π𝑥𝑖 𝑔 𝑖 = 𝑔 𝑖 = 𝑔 and 𝐷 = (𝑔 ∗
𝛾 Σ𝛾 𝑟 𝛼
𝛼+𝑟
ℤ𝑛 for location and main attributes (i.e. all attributes,
∗
1
𝐷𝑟 ) 𝛽 = 𝑔 𝛽 (let 𝑟 = Σ𝛾𝑖 ).
∙ Sends 𝐷 to user U. except contextual attributes).
∙ Computes 𝑒𝑘𝐷𝑂 = 𝑒(𝑔, 𝜔) .
𝛼(𝑠𝑙𝑜𝑐 +𝑠𝑚𝑎𝑖𝑛 )
Step 2. Attribute authority 𝐴𝐴𝑘 (𝐴𝐴𝑘 ∕= 𝐿𝑆𝑃 )
∙ Chooses a random number 𝑟𝑗 ∈𝑟 ℤ𝑛 for any attribute
∗ Step 2. The cloud service provider CSP
∙ Selects random number 𝑠𝑡𝑖𝑚𝑒 ∈𝑟 ℤ𝑛 , computes
∗
𝑗.
′
∙ Computes 𝐷𝑗 = 𝑔 (𝐻(𝑎𝑡𝑡(𝑗))) 𝑗 and 𝐷𝑗 = 𝜔 𝑗 and
𝑟 𝑟 𝑟 𝑒𝑘𝐶𝑆𝑃 = 𝑒(𝑔, 𝜔) 𝛼(𝑠𝑡𝑖𝑚𝑒 )
and sends it to DO.
sends them to user 𝑈 . Step 3. The data owner DO
 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

∙ Computes 𝑒𝑘 = 𝑒𝑘𝐷𝑂 ∗ 𝑒𝑘𝐶𝑆𝑃 = 1) Decryption Delegation: This sub-phase is done by 𝐶𝑆𝑃

𝑒(𝑔, 𝜔)𝛼(𝑠𝑙𝑜𝑐 +𝑠𝑚𝑎𝑖𝑛 +𝑠𝑡𝑖𝑚𝑒 ) = 𝑒(𝑔, 𝜔)𝛼𝑠 , generates to compute blind delegation key corresponding to location
a random key 𝑎𝑘 to encrypt the target file (i.e., the privilege 𝐿𝑃 in one step.
file we want to encrypt and for which we define Step 1. Upon receiving a request, CSP
access control), and uses that session key 𝑒𝑘 and exact ∙ Checks whether user location range 𝐿𝑈 satisfies loca-
location information 𝑙 as key to encrypt the random tion privilege 𝐿𝑃 over all location dimensions.
key 𝑎𝑘 with symmetric encryption 𝐸𝑁 𝐶𝑒𝑘,𝑙 (.). ∙ Computes (𝑣𝐿𝑃 ) 𝑙𝑜𝑐
𝑟 /𝑏
from (𝑣𝐿𝑈 )𝑟𝑙𝑜𝑐 /𝑏 as follows:
∙ Shares the secret 𝑠𝑚𝑎𝑖𝑛 in the tree access structure 𝑇
with root 𝑅 as described in [2]. Indeed, it chooses a (𝑣𝐿𝑃 )𝑟𝑙𝑜𝑐 /𝑏
polynomial 𝑞𝑥 for each node 𝑥 in 𝑇 , and sets 𝑞𝑅 (0) = = (𝑣{𝜌𝑖 ,𝜌¯𝑖 }𝑙𝑜𝑐𝑖 ∈𝔸 )𝑟𝑙𝑜𝑐 /𝑏
𝑠𝑚𝑎𝑖𝑛 for the root node 𝑅 and shares that secret in the
tree access structure 𝑇 . Note that the set of leaf nodes = 𝐹{𝑡𝑖,𝑎 ≤𝜌𝑖 ,𝑡𝑖,𝑏 ≥𝜌¯𝑖 }𝑙𝑜𝑐𝑖 ∈𝔸 ((𝑣𝐿𝑈 )𝑟𝑙𝑜𝑐 )
𝑦 assigned atomic attribute 𝑎𝑡𝑡(𝑦) in the set of main = 𝐹{𝑡𝑖,𝑎 ≤𝜌𝑖 ,𝑡𝑖,𝑏 ≥𝜌¯𝑖 }𝑙𝑜𝑐𝑖 ∈𝔸 ((𝑣{𝑡𝑖,𝑎 ,𝑡𝑖,𝑏 }𝑙𝑜𝑐𝑖 ∈𝔸 )𝑟𝑙𝑜𝑐 )
attributes. ∏ 𝜌 𝑧−𝜌
𝜆 𝑖 𝑖 𝜇𝑖
¯𝑖

∙ Uploads the initial ciphertext 𝐶𝑇𝑖𝑛𝑖𝑡 = (𝐸𝑁 𝐶𝑒𝑘,𝑙 (𝑎𝑘),

= (𝜑 𝑙𝑜𝑐𝑖 ∈𝔸
)𝑟𝑙𝑜𝑐 /𝑏 ∈ 𝐺𝑛′ .
′
𝐶𝐷𝑂 = ℎ(𝑠𝑚𝑎𝑖𝑛 +𝑠𝑙𝑜𝑐 ) , 𝐶𝑙𝑜𝑐 = (𝑣𝐿𝑃 𝜔)𝑠𝑙𝑜𝑐 , 𝐶𝑙𝑜𝑐 = 2) Decryption: This sub-phase is performed by 𝐶𝑆𝑃 to
(𝐻(𝑙𝑜𝑐)) , ∀𝑦 ∈ 𝑚𝑎𝑖𝑛 𝑎𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒𝑠 𝐶𝑦 = 𝜔 𝑞𝑦 (0) ,
𝑠𝑙𝑜𝑐
compute blind session key 𝑒𝑘 1/𝑏 and transfer it to the user in
𝐶𝑦′ = (𝐻(𝑎𝑡𝑡(𝑦))𝑞𝑦 (0) ) to 𝐶𝑆𝑃 . just one step.
2) Access Time Encryption (Second Round Encryption): Step 1. The cloud service provider CSP
This round is performed, upon receipt of access request by 1/𝑏
𝑒(𝐷𝑡𝑖𝑚𝑒 ,𝐶𝑡𝑖𝑚𝑒 )
CSP, to set the current time and solve dynamic location update. ∙ Computes 𝐷𝑒𝑐𝑡𝑖𝑚𝑒 = ′1/𝑏 ′
=
𝑒(𝐷𝑡𝑖𝑚𝑒 ,𝐶𝑡𝑖𝑚𝑒 )
This round is performed in one step. 𝑒(𝑔, 𝜔) (𝑟𝑠𝑡𝑖𝑚𝑒 )/𝑏
for contextual attribute 𝑡𝑖𝑚𝑒
1/𝑏
Step 1. The cloud service provider CSP ∙ Computes 𝐷𝑒𝑐𝑙𝑜𝑐 =
𝑒(𝐷𝑙𝑜𝑐 ,𝐶𝑙𝑜𝑐 )
𝑟𝑙𝑜𝑐/𝑏 ′1/𝑏 =
𝑒((𝑣𝐿𝑃 ) ′ )
𝐷𝑙𝑜𝑐 ,𝐶𝑙𝑜𝑐
′
∙ Computes 𝐶𝑡𝑖𝑚𝑒 = 𝜔 𝑡𝑖𝑚𝑒 , 𝐶𝑡𝑖𝑚𝑒 = (𝐻(𝑡𝑖𝑚𝑒)) 𝑡𝑖𝑚𝑒 ,
𝑠 𝑠
𝑒(𝑔, 𝜔) (𝑟𝑠𝑙𝑜𝑐 )/𝑏
for contextual attribute 𝑙𝑜𝑐.
𝐶𝐶𝑆𝑃 = ℎ 𝑠𝑡𝑖𝑚𝑒
and 𝐶 = 𝐶𝐶𝑆𝑃 ∗ 𝐶𝐷𝑂 = 𝑒(𝐷𝑦1/𝑏 ,𝐶𝑦 )
ℎ(𝑠𝑚𝑎𝑖𝑛 +𝑠𝑙𝑜𝑐 +𝑠𝑡𝑖𝑚𝑒 ) = ℎ𝑠 . ∙ Computes 𝐷𝑒𝑐𝑁 𝑜𝑑𝑒𝑦 = ′1/𝑏 =
𝑒(𝐷𝑦 ,𝐶𝑦′ )
The final ciphertext would be 𝐶𝑇 = (𝐸𝑁 𝐶𝑒𝑘,𝑙 (𝑎𝑘), 𝑒(𝑔, 𝜔)(𝑟𝑞𝑦 (0))/𝑏 for each main attribute 𝑦. Then, it
′ ′
𝐶, 𝐶𝑙𝑜𝑐 , 𝐶𝑙𝑜𝑐 , 𝐶𝑡𝑖𝑚𝑒 , 𝐶𝑡𝑖𝑚𝑒 , ∀𝑦 ∈ 𝑚𝑎𝑖𝑛 𝑎𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒𝑠 𝐶𝑦 , 𝐶𝑦′ ). recursively computes 𝐷𝑒𝑐𝑚𝑎𝑖𝑛 = 𝑒(𝑔, 𝜔)(𝑟𝑞𝑅 (0))/𝑏 =
D. Access Request and Cloaking Phase 𝑒(𝑔, 𝜔)(𝑟𝑠𝑚𝑎𝑖𝑛 )/𝑏 as described in [2].
∙ Computes 𝐴 = 𝐷𝑒𝑐𝑡𝑖𝑚𝑒 ∗ 𝐷𝑒𝑐𝑙𝑜𝑐 ∗ 𝐷𝑒𝑐𝑚𝑎𝑖𝑛 =
During this phase, authorized user 𝑈 sends his access 𝑒(𝑔, 𝜔)𝑟(𝑠𝑡𝑖𝑚𝑒 +𝑠𝑙𝑜𝑐 +𝑠𝑚𝑎𝑖𝑛 )/𝑏 = 𝑒(𝑔, 𝜔)(𝑟𝑠)/𝑏 .
request for the target file via Anonymizer to 𝐶𝑆𝑃 . This phase 1/𝑏 (𝛼+𝑟)𝑠/𝑏
∙ Computes 𝑒𝑘
1/𝑏
= 𝑒(𝐶,𝐷 )
= 𝑒(𝑔,𝜔) =
consists of two steps. 𝐴 𝑒(𝑔,𝜔)(𝑟𝑠)/𝑏

Step 1. Access request: Upon receiving keys, user U 𝑒(𝑔, 𝜔) (𝛼𝑠)/𝑏

and sends it to Anonymizer.
∙ Chooses a random number 𝑏 ∈ ℤ𝑛 , and raises all
∗ 3) Data Access: This sub-phase is performed by
components of 𝑆𝐾𝑈 and 𝐷𝐾𝑈 to the power 1/𝑏 Anonymizer and user to find the symmetric key 𝑎𝑘 and
1/𝑏 1/𝑏 ′
1/𝑏 1/𝑏 ′
1/𝑏 access the file encrypted by that symmetric key. It consists of
(i.e., 𝑆𝐾𝑈 = (𝐷1/𝑏 , 𝐷𝑙𝑜𝑐 , 𝐷𝑙𝑜𝑐 , 𝐷𝑡𝑖𝑚𝑒 , 𝐷𝑡𝑖𝑚𝑒 ,
1/𝑏 ′
1/𝑏 1/𝑏 2 steps.
∀𝑗 ∈ 𝑚𝑎𝑖𝑛 𝑎𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒𝑠 𝐷𝑗 , 𝐷𝑗 ) and 𝐷𝐾𝑈 =
Step 1. Upon receiving the responses from 𝐶𝑆𝑃 , Anonymizer
(𝑣𝐿𝑈 ) 𝑟𝑙𝑜𝑐 /𝑏
).
1/𝑏 filters the responses to send them back to their related
∙ Sends his request to access the target file, 𝑆𝐾𝑈 ,
1/𝑏 users.
𝐷𝐾𝑈 and his own location range 𝐿𝑈 (corresponding Step 2. Each user 𝑈
to a grid cell) to Anonymizer.
∙ Computes the session key 𝑒𝑘 by raising 𝑒𝑘 to the
1/𝑏
Step 2. Cloaking: Upon receiving K requests for a grid cell, power 𝑏 received in key generation phase.
Anonymizer ∙ Decrypts 𝐸𝑁 𝐶𝑒𝑘,𝑙 (𝑎𝑘) and computes 𝑎𝑘, using its
∙ Removes identifiers of users, generates an ASR corre- own exact location information 𝑙 received in key gen-
sponding to the location range, clusters requests and eration phase and computed session key 𝑒𝑘.
performs K-anonymity cloaking to protect location ∙ Decrypts the file using key 𝑎𝑘.
privacy of the users.
∙ Sends the clustered requests of an ASR to CSP.

E. Decryption Phase V. A NALYSIS AND E VALUATION D ISCUSSION

When the access request is received by 𝐶𝑆𝑃 , the eligibility The security analysis discusses and provides proofs on how
of user to access the target file should be checked. This pro- the proposed scheme supports location privacy and is immune
cess is performed in three sub-phases: decryption delegation, against authorities collision attacks, user collision attacks and
decryption and data access. chosen plaintext attacks. Due to space constraints, the analysis
 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)

𝑈 𝑠𝑒𝑟 𝐷𝑂 𝐿𝑆𝑃

Computation Cost Communication Cost Computation Cost Communication Cost Computation Cost Communication Cost

Setup 0 0 0 0 (2K-2)(𝑇𝑀 +𝑇𝐸 ) (2K-2)𝑙G

𝑛′
Key Gen. (dynamic) 0 0 0 0 (K+4)𝑇𝑀 +(17 +2m)𝑇𝐸 (K+7)𝑙G
𝑛′
Encryption 0 0 𝒪(𝒯 )𝑇𝑃 𝑙𝐸𝑁 𝐶(𝑎𝑘) +(3+2𝒯 )𝑙G 0 0
𝑛′
Acc. Req. & Cloaking (6+2𝒯 )𝑇𝐸 (6+2𝒯 )𝑙G 0 0 0 0
𝑛′
Decryption 𝑇𝐸 +𝑇𝐸𝑁 𝐶(𝑎𝑘) 𝑙G + 𝑙𝐸𝑁 𝐶(𝑎𝑘) 0 0 0 0
𝑛′
Table I
C OMPUTATION AND C OMMUNICATION C OST ON DIFFERENT PARTS IN THE PROPOSED SCHEME (𝒯 : NUMBER OF LEAVES IN THE ACCESS TREE , 𝑇𝑀 : TIME
FOR MULTIPLICATION , 𝑇𝐸 : TIME FOR EXPONENTIATION , AND 𝑇𝑃 : TIME FOR PAIRING )

is not included in the paper; it will be made available for [3] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-
interested readers and will be included in an extended version based encryption for fine-grained access control of encrypted data. In
Proceedings of the 13th ACM conference on Computer and communi-
of this paper to be submitted soon. cations security, pages 89–98. Acm, 2006.
In this section, we analyze the computation and communica- [4] Taeho Jung, Xiang-Yang Li, Zhiguo Wan, and Meng Wan. Control cloud
tion cost of the proposed scheme on parties involved in the sys- data access privilege and anonymity with fully anonymous attribute-
based encryption. Information Forensics and Security, IEEE Transac-
tem. The analysis concerns the most significant computations, tions on, 10(1):190–199, Jan 2015.
in the scheme, namely multiplication (M), exponentiation (E), [5] Taeho Jung, Xiang-Yang Li, Zhiguo Wan, and Meng Wan. Control cloud
and pairing (P). Let us remember that 𝐶𝑆𝑃 has unlimited data access privilege and anonymity with fully anonymous attribute-
based encryption. Information Forensics and Security, IEEE Transac-
computational power, while mobile users have limited com- tions on, 10(1):190–199, 2015.
putation and communication resources. Hence, the aim of [6] Allison Lewko and Brent Waters. Decentralizing attribute-based encryp-
the system is to reduce the communication and computation tion. In Advances in Cryptology–EUROCRYPT 2011, pages 568–588.
Springer, 2011.
cost on mobile users. Table I shows that the computation and [7] Jin Li, Kui Ren, Bo Zhu, and Zhiguo Wan. Privacy-aware attribute-based
communication cost on mobile users is minimum which makes encryption with user accountability. In Information Security, pages 347–
the proposed scheme suitable for mobile devices. Moreover, 362. Springer, 2009.
[8] Qin Liu, Chiu C Tan, Jie Wu, and Guojun Wang. Cooperative private
each attribute authority 𝐴𝐴𝑖 (except 𝐿𝑆𝑃 ) is involved in the searching in clouds. Journal of Parallel and Distributed Computing,
system just one time during the registration. Hence, it does not 72(8):1019–1031, 2012.
have impact on the scheme efficiency. However, 𝐿𝐵𝑆 assigns [9] T. Peng, Q. Liu, and G. Wang. Enhanced location privacy preserving
scheme in location-based services. Systems Journal, IEEE, PP(99):1–12,
dynamic attributes location and time for each user anytime 2014.
the user wants to access the system. Hence, we just consider [10] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In
communication and communication cost for 𝐿𝐵𝑆 in Table I. Advances in Cryptology–EUROCRYPT 2005, pages 457–473. Springer,
2005.
Anonymizer does not have any role except an intermediary [11] Jun Shao, Rongxing Lu, and Xiaodong Lin. Fine: A fine-grained privacy-
which gathers, clusters and delivers 𝐾 clustered requests to preserving location-based service framework for mobile devices. In
𝐶𝑆𝑃 , and returns back the responses to intended users. Hence, INFOCOM, 2014 Proceedings IEEE, pages 244–252. IEEE, 2014.
[12] Guojun Wang, Qiushuang Du, Wei Zhou, and Qin Liu. A scalable
it does not have any communication and computation overhead encryption scheme for multi-privileged group communications. The
on the system. Journal of Supercomputing, 64(3):1075–1091, 2013.
[13] Guojun Wang, Fengshun Yue, and Qin Liu. A secure self-destructing
VI. C ONCLUSION scheme for electronic data. Journal of Computer and System Sciences,
79(2):279–290, 2013.
In this paper, we presented location based service for [14] Z. Wang, D. Huang, Y. Zhu, B. Li, and C. Chung. Efficient attribute-
attribute based access control in mobile cloud. The proposed based comparable data access control. Computers, IEEE Transactions
on, PP(99):1–1, 2015.
scheme supports dynamic location for mobile devices, and [15] Kan Yang and Xiaohua Jia. Expressive, efficient, and revocable data
minimizes the computation and communication overhead on access control for multi-authority cloud storage. Parallel and Distributed
these devices with limited resources. It investigates providing Systems, IEEE Transactions on, 25(7):1735–1744, 2014.
[16] Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou. Achieving
𝐾-anonymous location based services for mobile users and secure, scalable, and fine-grained data access control in cloud computing.
supporting multi-authorities in a way that privacy of each In INFOCOM, 2010 Proceedings IEEE, pages 1–9. Ieee, 2010.
user is protected against authorities and 𝐶𝑆𝑃 . In our future [17] Yan Zhu, Hongxin Hu, Gail-Joon Ahn, Mengyang Yu, and Hongjia
Zhao. Comparison-based encryption for fine-grained access control in
work, we will design and run experiments to evaluate the clouds. In Proceedings of the second ACM conference on Data and
performance of our work in real environments. Application Security and Privacy, pages 105–116. ACM, 2012.
[18] Yan Zhu, Di Ma, Dijiang Huang, and Changjun Hu. Enabling secure
R EFERENCES location-based services in mobile cloud computing. In Proceedings of
the second ACM SIGCOMM workshop on Mobile cloud computing,
[1] E. Androulaki, C. Soriente, L. Malisa, and S. Capkun. Enforcing location pages 27–32. ACM, 2013.
and time-based access control on cloud-stored data. In Distributed
Computing Systems (ICDCS), 2014 IEEE 34th International Conference
on, pages 637–648, June 2014.
[2] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy
attribute-based encryption. In Security and Privacy, 2007. SP’07. IEEE
Symposium on, pages 321–334. IEEE, 2007.