A Scheme to Secure Instant Community Data Access Based on Trust and Contexts

Zheng Yan, The State Key Lab of ISN, Xidian University, China; Department of Comnet, Aalto University, Espoo, Finland
Mingjun Wang, The State Key Lab of ISN, Xidian University, Xi'an, China
Peng Zhang, The Institute of Mobile Internet, Xi'an University of Posts and Telecommunications, Xi'an, China
Abstract— Mobile Ad Hoc Networks (MANETs) provide a generic platform for instant social networking (ISN), such as instant community (IC). For a crucial talk in an instant community, it is important to set up a secure communication channel among trustworthy members in order to avoid malicious eavesdropping or to narrow down the member communication scope. Previous work has not yet considered how to control social communication data access based on trust and other attributes, and it suffered from a weakness in terms of complexity. In this paper, we propose a scheme to secure instant community data access based on trust levels, contexts and a time clock in a fine-grained manner by applying Attribute-Based Encryption (ABE). Any community member can select other members with at least a minimum level of trust for secure ISN communications. The advantages, security and performance of the proposed scheme are evaluated and justified through extensive analysis, security proof and implementation. The results show the efficiency and effectiveness of our scheme.

Index Terms— Trust; reputation; access control; social networking.
I. INTRODUCTION

Nowadays, a Mobile Ad Hoc Network (MANET) has a good prospect of becoming a practical platform for instant social activities. This kind of instant social networking (ISN) is an essential complement to Internet social networks, and thus very valuable for mobile users, especially when fixed networks (e.g., the Internet) or mobile cellular networks are temporarily unavailable or costly to access. It also provides a good way to extend our social behaviors to strangers, more advanced than traditional on-line social networking systems, e.g., Facebook and WeChat. Trust plays an important role in social networking. It helps people overcome uncertainty and risk and engage in "good social behaviors" [1, 2]. However, how to secure instant community data access has not been seriously discussed.

Various instant social activities can be supported by a MANET. Instant community (IC) is one of them. One important social scenario is a group of people (e.g., familiar strangers [3]) who have similar interests joining together for social communications. In such a situation, various people could join an open community and discuss with each other. In order to avoid malicious eavesdropping in the IC, it is critical to secure IC communications. For a crucial talk, it is essential to set up a secure communication channel among trustworthy members. Non-community members should not read or access the community communication data. In addition, community members with low reputation/trust should be excluded from the discussion or disallowed to see crucial chatting contents. Notably, due to the dynamic changes of community topology (new members joining and old ones leaving) and the frequent changes of each participant's trust level, the encryption key used for securing IC communications needs to be changed frequently, and the decryption keys must be distributed to each eligible community member. This introduces a heavy traffic and processing load, which may cause a serious performance bottleneck. How to automatically control IC data access in a secure and efficient way is a challenge.

In this paper, we propose a scheme to secure IC data access based on trust levels, contexts and a time clock in a fine-grained manner. Any community member can select other members with at least a minimum level of trust for secure communications; members with a lower trust level cannot access the data sent by him/her. The keys used for data encryption/decryption are issued by a trusted server (TS) based on each member's current trust level and context situation, since the TS can evaluate the trust level of each community member from their past social behaviors [1, 2]. Based on a registered community time clock, new keys are automatically issued by the TS to eligible community members for the specified validity period before the old keys expire. In particular, an IC communication message can be controlled by context attributes, such as location, communication interest group and local environment, which can be detected and verified by the TS, and the corresponding attribute secret keys are generated to control access.
Specifically, the contributions of this paper can be summarized as follows:
1) We motivate securing an instant social community by controlling its communication access and mitigating access risk based on trust, contexts and time, as well as IC policies.
2) We prove the security and justify the performance of our proposed scheme through extensive analysis, security proof and implementation. The results show its advantage regarding complexity and efficiency.
The rest of the paper is organized as follows. Section II gives a brief overview of related work. Section III introduces the system model, the threat model and our design goals. Then we provide a detailed description of our scheme in Section IV. Section V gives the security analysis and performance evaluation, followed by a conclusion in the last section.

II. RELATED WORK

Several research groups have focused on social activities based on mobile ad hoc networks. The Stanford MobiSocial Group has developed Junction, a mobile ad hoc and multiparty platform for MANET applications [5]. Micro-blog [6], developed by SyNRG at Duke University, helps users post micro-blogs tagged with locations. AdSocial [7], developed by the ETHz Systems Group, offers a pervasive social communication platform. However, trust and reputation aspects and data protection are not considered in these projects. Traditional centralized social networking systems (e.g., Facebook) have not taken instant community data protection into account; they cannot support securing ISN in an efficient and economic way. Most existing work did not consider how to control social communication data access based on trust and context information, especially in instant community scenarios [12]. In our previous work, we proposed a reputation system for pervasive chatting by applying a usable trust management methodology [1] and a reputation system for pervasive content services based on MANETs [2]. In both systems, reputation/trust can be evaluated based on users' instant social activities and behaviors, but neither considered the problem of protecting instant social communication data.

Access control on encrypted data means that the encrypted data can only be decrypted by users with permissions. The ideal approach is to encrypt each data item once and distribute appropriate keys to users once, so that each user can only decrypt his/her authorized data.
As mentioned already, in an IC, due to membership changes or trust relationship changes, the decryption key should be changed frequently in order to achieve the expected security level. Past key management solutions in instant social networking did not consider applying both the trust level of a user and context attributes as control conditions for data access; thus they are not context-aware and effective in practice [4]. Attribute-based encryption (ABE) [8-11] is a new cryptographic technique. In an ABE system, users are identified by a set of attributes rather than an exact identity. Each data item is encrypted under an attribute-based access structure, such that only the users whose attributes satisfy the access structure can decrypt the data. In our previous work, we proposed utilizing two dimensions of trust levels, evaluated by a trusted server, by individual social networking nodes, or both, to control social network data access in a heterogeneous manner on the basis of ABE [4]. But this approach is complicated in terms of key management and trust management, and the requirement on the capability of ISN user devices is high. Practically, it is complicated to assign an end user device to conduct key management for protecting social communication data, especially for user revocation.

User revocation means the data owner withdraws access rights from a user who no longer belongs to a group or for other reasons, e.g., the user is not trustworthy enough. Since the revoked user still retains the keys issued earlier, it can still decrypt data. The data owner therefore needs to encrypt its data with new keys, so that the revoked user cannot decrypt the recent data any more using its old keys. In addition, the owner should redistribute the new keys to the remaining authorized users, so that they can still access posterior data. For example, when ABE is adopted to encrypt data, the work in reference [13] proposed to require the data owner to periodically re-encrypt the data and re-distribute new keys to authorized users. This approach is very inefficient due to the heavy workload placed on the data owner. A better solution is to let the data owner delegate a third party to execute some computationally intensive tasks, e.g., re-encryption, while leaking the least information. Proxy re-encryption (PRE) [14, 15] is a good choice, where a semi-trusted proxy is able to convert a ciphertext that can be decrypted by Alice into another ciphertext that can be decrypted by Bob, without knowing the underlying data and user secret keys. But setting up a proxy increases the communication cost of a system, which is hard in a distributed environment like a MANET.

III. PROBLEM STATEMENT

A. System and Threat Model

We consider an ISN system involving two kinds of entities, as illustrated in Fig.1: the nodes that interact with each other for instant social communications and can group into an IC for social networking; and a trusted server (TS) that has functions and capabilities the nodes do not have and is trusted to provide identity and key management, as well as trust management. It can collect sufficient information to conduct accurate trust evaluation [1, 2]. As integrity and/or confidentiality of some instant social community communications are crucial, it is important to ensure IC data security in ISN. To save computation resources and processing burden, PSN nodes resort to the TS through the mobile Internet to manage identities, keys and trust relationships for ensuring secure ISN communications in various situations. To be able to provide integrity and privacy in ISN communications, nodes should be able to authenticate each other using pseudonyms.

We assume that the TS is reliable and trustworthy for preserving the private data of nodes by deploying secure data protection technologies [13]. This assumption is based on the business incentives of the TS. The TS is assumed to have abundant storage capacity and computation power. It is available for an ISN node to register itself into the system, although its availability is not essential during ISN. The communications between the nodes and the TS are secured by applying an existing security protocol. Each node registers at the TS with a unique identifier, and the TS can map it to the node's current pseudonym used in ISN [1, 2]. The nodes may not trust each other. Some nodes may maliciously eavesdrop on ISN communications to pursue personal benefits. Secure communications among trustworthy nodes in an IC are expected. In addition, each node is issued a long-term public/secret key pair by the TS during node registration. A one-off public key (e.g., made by the node based on its current pseudonym) is shared with other nodes if needed for authentication and secure communications. Delegation is not allowed among PSN nodes since they are mostly strangers.

B. Design Goals

Our design should achieve the following security and performance goals: security and safety; context-awareness; lightweight.

IV. THE PROPOSED SCHEME

A. Notations and Scheme

TABLE I. NOTATIONS USED IN THE PROPOSED SCHEME
$PK$: system public key
$MK$: system master key
$S_{univ}$: universal set of attributes
$S_{att\_IC}$: attribute subset used in the IC ($S_{att\_IC} \subseteq S_{univ}$)
$PK_u$: public key of user $u$
$SK_u$: secret key of user $u$
$SK_{IC}$: secret key of the IC
$PL_{IC}$: access control policy of the IC
$PK_A$: public key of attribute $A$
$SK_{A,u}$: secret key of attribute $A$ for user $u$
$DEK$: symmetric data encryption key
Based on the notations described in TABLE I, we introduce the main operations, i.e., System Setup, Instant Community Grant, Initiate User, Secure IC Communication and Key Update, and the fundamental algorithms, i.e., Setup(k), AttPK, CreateUser, UsrAttSK, Encrypt and Decrypt, of our proposed scheme.

System Setup: In this operation, the TS chooses a security parameter $1^k$ and calls the Setup(k) algorithm, which outputs the system public parameter $PK$ and master key $MK$. $PK$ is available to every party in the system, whereas $MK$ is only known to the TS. Meanwhile, the universal set of attributes $S_{univ}$ is generated in this process: the TS initializes all attributes used in the system and defines them in $S_{univ} = \{A_1, A_2, \cdots, A_n\}$. For example, the most commonly used attributes in our scheme are the user trust level, location information and other context contents.

Setup(k). The algorithm selects a bilinear group $\mathbb{G}$ of prime order $p$ with generator $g$ and a pairing $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Then it chooses a random point $P \in \mathbb{G}$ and a random exponent $\alpha \in \mathbb{Z}_p$. The algorithm sets the public key and master key as follows: $PK = (\mathbb{G}, \mathbb{G}_T, g, P, e(g,g)^{\alpha})$; $MK = g^{\alpha}$.

Instant Community Grant: In response to the request of an IC initiator (e.g., an ISN user), the TS generates an instant community by setting up an IC identity and registering an IC time clock. Then it chooses a random $r \in \mathbb{Z}_p$ as the secret key of the IC, denoted $SK_{IC} = r$, and a random hash function $H_{SK_{IC}}: \{0,1\}^* \to \mathbb{Z}_p$, indexed by $SK_{IC}$, from a finite family of hash functions.
After that, the TS chooses an attribute subset $S_{att\_IC} \subseteq S_{univ}$ for this IC and generates a public key for each attribute in $S_{att\_IC}$. The attribute public keys are issued by calling AttPK($PK$, $A$, $SK_{IC}$) successively.

AttPK($PK$, $A$, $SK_{IC}$). This algorithm uses the public key $PK$, the attribute $A$ and the IC secret key $SK_{IC}$ to generate the public key of attribute $A$ as follows:
$PK_A = \big(PK_A^1 = g^{H_{SK_{IC}}(A)},\; PK_A^2 = e(g,g)^{\alpha \cdot H_{SK_{IC}}(A)}\big)$,
where $PK_A^2$ is obtained by raising the public value $e(g,g)^{\alpha}$ to $H_{SK_{IC}}(A)$.

Finally, the IC access control policy $PL_{IC}$ is formed by the TS based on $S_{att\_IC}$. Herein, $PL_{IC}$ is described in Conjunctive Normal Form (CNF) and can be written as $PL_{IC} = \bigwedge_{A \in S_{att\_IC}} A$.

Initiate User: When a new user wants to join the IC, the TS assigns the new user a unique identity $u$ and calls CreateUser($PK$, $MK$, $u$) to generate the public key $PK_u$ and secret key $SK_u$ for $u$. Then it determines the attributes for which the user is eligible, such as initializing the trust level and extracting the context attributes of $u$ (e.g., location, communication interests, and so on). After that, the TS verifies whether the attributes (e.g., trust level and context attributes) of $u$ satisfy $PL_{IC}$. For each eligible attribute, the TS calls UsrAttSK($PK$, $A$, $SK_{IC}$, $PK_u$) to generate the secret key $SK_{A,u}$ of attribute $A$ for user $u$.

CreateUser($PK$, $MK$, $u$). This algorithm randomly chooses a secret $mk_u \in \mathbb{Z}_p$ and outputs the public key $PK_u = g^{mk_u}$ and the secret key $SK_u = MK \cdot P^{mk_u}$.

UsrAttSK($PK$, $A$, $SK_{IC}$, $PK_u$). This algorithm uses $PK$, the attribute $A$, $SK_{IC}$ and the user public key $PK_u$, and outputs the secret key $SK_{A,u}$ of attribute $A$ for user $u$ as follows: $SK_{A,u} = PK_u^{H_{SK_{IC}}(A)} = g^{mk_u \cdot H_{SK_{IC}}(A)}$.

Secure IC Communication: To protect communication security, a user first gets the IC access control policy $PL_{IC}$ from the TS. Then it encrypts each message with a symmetric data encryption key $DEK$, which is in turn encrypted with the algorithm Encrypt($PK$, $M$, $PL_{IC}$, $PK_{A_1}, \ldots, PK_{A_n}$), where the input parameter $M$ is the $DEK$ herein.
Finally, the user combines the encrypted blocks and its pseudonym to generate a ciphertext frame, as shown in Table II. Then the user sends the ciphertext to the others with whom he wants to communicate, or broadcasts the frame to neighbors. After receiving the ciphertext from the source, a user $u'$ decrypts it by calling Decrypt($PK$, $CT$, $PL_{IC}$, $SK_{u'}$, $SK_{A_1,u'}, \ldots, SK_{A_n,u'}$) to obtain the $DEK$ first, and then decrypts the message using the $DEK$.

TABLE II. FORMAT OF THE CIPHERTEXT FRAME
Pseudonym | $CT$ = Encrypt($PK$, $DEK$, $PL_{IC}$, $PK_{A_1}, \ldots, PK_{A_n}$) | $\{\text{Message}\}_{DEK}$
Encrypt($PK$, $M$, $PL_{IC}$, $PK_{A_1}, \ldots, PK_{A_n}$). The Encrypt algorithm takes as input the public key $PK$, a plaintext $M$, the IC access control policy $PL_{IC}$ and a set of attribute public keys. The attributes used here are the ones occurring in $PL_{IC}$. It chooses a random value $R \in \mathbb{Z}_p$ and constructs $CT$ as:
$CT = \Big( E = M \cdot \big(\prod_{A \in PL_{IC}} PK_A^2\big)^R,\; E' = P^R,\; E'' = \big(\prod_{A \in PL_{IC}} PK_A^1\big)^R \Big)$.

Decrypt($PK$, $CT$, $PL_{IC}$, $SK_u$, $SK_{A_1,u}, \ldots, SK_{A_n,u}$). The Decrypt algorithm takes as input the ciphertext $CT$, the policy $PL_{IC}$, $u$'s secret key $SK_u$ and the attribute secret key tuple $SK_{A_1,u}, \ldots, SK_{A_n,u}$ that user $u$ holds. In order to decrypt $CT$, the algorithm first checks whether the policy $PL_{IC}$ is satisfied by the attributes associated with the provided key tuple. If this is not the case, the algorithm outputs NULL; otherwise
$M = E \cdot \dfrac{e\big(E', \prod_{A_i \in PL_{IC}} SK_{A_i,u}\big)}{e(E'', SK_u)}$.
Correctness follows from bilinearity: with $h = \sum_{A_i \in PL_{IC}} H_{SK_{IC}}(A_i)$, $e(E'', SK_u) = e(g^{Rh}, g^{\alpha} P^{mk_u}) = e(g,g)^{\alpha R h} \cdot e(g,P)^{R\,mk_u h}$ and $e(E', \prod_i SK_{A_i,u}) = e(P^R, g^{mk_u h}) = e(g,P)^{R\,mk_u h}$, so their quotient is exactly the blinding factor $e(g,g)^{\alpha R h}$ in $E$.
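To make the algebra of Setup, AttPK, CreateUser, UsrAttSK, Encrypt and Decrypt above (and the Key Update operation described next) concrete, here is an added Python model; it is not part of the paper or of its PBC implementation. It replaces the bilinear pairing with the toy map $e(a,b) = a \cdot b$ over $\mathbb{Z}_p$ with both groups written additively, so it has no security at all and only checks that keys and ciphertexts combine as claimed; the SHA-256 instantiation of $H_{SK_{IC}}$, the attribute names, the trust threshold and the member data are constructed assumptions.

```python
"""Toy model of the IC scheme: Setup, AttPK, CreateUser, UsrAttSK, Encrypt,
Decrypt and KeyUpdate.  The 'pairing' is e(a, b) = a*b over Z_p with both
groups written additively, so discrete logs are trivial: NOT secure, it only
exercises the algebra of the keys and the ciphertext."""
import hashlib
import secrets

P_MOD = (1 << 61) - 1   # prime group order p (constructed; any prime works)

# Toy bilinear setting: elements of G and G_T are integers mod p.
def g_mul(a, b):  return (a + b) % P_MOD   # product of two elements of G
def g_pow(h, x):  return (h * x) % P_MOD   # h^x in G
def gt_mul(a, b): return (a + b) % P_MOD   # product in G_T
def gt_div(a, b): return (a - b) % P_MOD   # a / b in G_T
def gt_pow(a, x): return (a * x) % P_MOD   # a^x in G_T
def pair(a, b):   return (a * b) % P_MOD   # e(a, b), bilinear in both arguments
G_ONE, GT_ONE = 0, 0                       # identity elements of G and G_T

def rand_zp():
    """Random non-zero element of Z_p."""
    return secrets.randbelow(P_MOD - 1) + 1

def setup():
    """Setup(k): PK = (g, P, e(g,g)^alpha), MK = g^alpha."""
    g, P, alpha = 1, rand_zp(), rand_zp()
    pk = {"g": g, "P": P, "egg_alpha": gt_pow(pair(g, g), alpha)}
    return pk, g_pow(g, alpha)

def h_ic(sk_ic, attr):
    """H_{SK_IC}: {0,1}* -> Z_p, a hash keyed by the IC secret r (SHA-256 assumed)."""
    digest = hashlib.sha256(f"{sk_ic}|{attr}".encode()).digest()
    return int.from_bytes(digest, "big") % P_MOD

def att_pk(pk, attr, sk_ic):
    """AttPK: PK_A = (g^{H(A)}, e(g,g)^{alpha*H(A)}), the latter from public e(g,g)^alpha."""
    h = h_ic(sk_ic, attr)
    return (g_pow(pk["g"], h), gt_pow(pk["egg_alpha"], h))

def create_user(pk, mk):
    """CreateUser: PK_u = g^{mk_u}, SK_u = MK * P^{mk_u}."""
    mk_u = rand_zp()
    return g_pow(pk["g"], mk_u), g_mul(mk, g_pow(pk["P"], mk_u))

def usr_att_sk(pk, attr, sk_ic, pk_u):
    """UsrAttSK: SK_{A,u} = PK_u^{H(A)} = g^{mk_u * H(A)}."""
    return g_pow(pk_u, h_ic(sk_ic, attr))

def encrypt(pk, m, policy, att_pks):
    """Encrypt: CT = (M*(prod PK_A^2)^R, P^R, (prod PK_A^1)^R) over A in PL_IC."""
    R = rand_zp()
    prod1, prod2 = G_ONE, GT_ONE
    for a in policy:
        prod1, prod2 = g_mul(prod1, att_pks[a][0]), gt_mul(prod2, att_pks[a][1])
    return (gt_mul(m, gt_pow(prod2, R)), g_pow(pk["P"], R), g_pow(prod1, R))

def decrypt(pk, ct, policy, sk_u, att_sks):
    """Decrypt: None if the key tuple does not cover PL_IC, else
    M = E * e(E', prod SK_{A,u}) / e(E'', SK_u)."""
    if not set(policy).issubset(att_sks):
        return None
    E, E1, E2 = ct
    prod_sk = G_ONE
    for a in policy:
        prod_sk = g_mul(prod_sk, att_sks[a])
    return gt_div(gt_mul(E, pair(E1, prod_sk)), pair(E2, sk_u))

def key_update(pk, policy, members, min_trust):
    """KeyUpdate at an IC clock tick: fresh r (hence fresh H and PK_A), and
    fresh SK_{A,u} only for the attributes each member currently satisfies."""
    sk_ic = rand_zp()
    att_pks = {a: att_pk(pk, a, sk_ic) for a in policy}
    att_sks = {}
    for uid, (pk_u, trust, ctx) in members.items():
        held = set(ctx)                       # context attributes verified by the TS
        if trust >= min_trust:                # trust level re-evaluated by the TS
            held.add(f"trust>={min_trust}")
        att_sks[uid] = {a: usr_att_sk(pk, a, sk_ic, pk_u) for a in policy if a in held}
    return att_pks, att_sks

def demo():
    """Constructed IC with policy trust>=3 AND loc:campus, then one key update."""
    pk, mk = setup()
    policy = ["trust>=3", "loc:campus"]
    users = {u: create_user(pk, mk) for u in ("alice", "bob", "carol")}
    # (PK_u, trust level, context attributes) as the TS currently sees them
    members = {"alice": (users["alice"][0], 4, ["loc:campus"]),
               "bob":   (users["bob"][0],   3, ["loc:campus"]),
               "carol": (users["carol"][0], 5, ["loc:cafe"])}
    att_pks, att_sks = key_update(pk, policy, members, 3)
    dek = rand_zp()                           # the symmetric DEK is the ABE plaintext M
    ct = encrypt(pk, dek, policy, att_pks)
    epoch1 = {u: decrypt(pk, ct, policy, users[u][1], att_sks[u]) for u in users}
    # Bob's trust is re-evaluated to 2: the next clock tick issues him no new keys.
    members["bob"] = (users["bob"][0], 2, ["loc:campus"])
    att_pks2, att_sks2 = key_update(pk, policy, members, 3)
    ct2 = encrypt(pk, dek, policy, att_pks2)
    bob_new = decrypt(pk, ct2, policy, users["bob"][1], att_sks2["bob"])
    bob_old = decrypt(pk, ct2, policy, users["bob"][1], att_sks["bob"])   # stale keys
    return dek, epoch1, bob_new, bob_old
```

Running demo() shows Alice and Bob recovering the DEK in the first epoch, Carol rejected by the policy check (wrong location), and Bob locked out after his trust drops below 3: he receives no new keys, and his stale keys yield a value unrelated to the DEK because every attribute key changed with $r$.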
Key Update: In order to solve the security problem caused by user revocation and attribute changes (e.g., variation of user trust levels and locations), the TS checks the IC time clock periodically and updates the attributes and secret keys as follows:
• Check whether any users have been revoked; if so, stop updating their keys and stop sending keys to them.
• For the other users, re-evaluate the attributes associated with them (e.g., re-evaluate the trust level and re-extract other context attributes).
• Update the IC secret key $SK_{IC}$ by re-selecting $r \in \mathbb{Z}_p$ and reset the hash function $H_{SK_{IC}}: \{0,1\}^* \to \mathbb{Z}_p$. Then call the AttPK($PK$, $A$, $SK_{IC}$) and UsrAttSK($PK$, $A$, $SK_{IC}$, $PK_u$) algorithms to re-generate the attribute public keys and the attribute secret keys for eligible users based on their newly evaluated attributes.
• Send the new keys to the eligible users. The users continue secure IC communication with the new keys while the old keys expire.

V. DISCUSSIONS, SECURITY ANALYSIS & PERFORMANCE EVALUATION

In this section, we first discuss the technical superiority of the proposed scheme. Then we analyze two aspects of security: access control and data confidentiality. Finally, we analyze the theoretical computation complexity of each operation and evaluate the performance of our scheme by implementation.

A. Discussions on Advantages

The security goal of our scheme is to guarantee that only the users whose attributes (e.g., trust and context conditions) satisfy the access control policy of the instant community can access the communication data in the IC.

Flexibility: The proposed scheme can flexibly involve new access conditions in the policy to secure instant community communications. It is possible to add more access control conditions, e.g., related to context, community activity and other attributes. The only requirement is that the TS can extend the universal set of attributes and verify whether an IC member satisfies those conditions, so that it can issue the corresponding $SK_{A,u}$ to the eligible IC members. The proposed scheme supports various instant social networking activities (e.g., chatting, recommending, etc.) that need trust management support. $SK_{A,u}$ is linked to the member's community attributes, which can support different social activities. For different communities and different activities, the TS can extend various attributes and generate different $SK_{A,u}$ for IC members, thus enlarging the applicability of the scheme. Applying a powerful TS to handle the management of keys, identities and trust relationships greatly relieves the computation burden of ISN nodes, thus improving their efficiency for secure social networking.

Low transmission load: The keys issued by the TS are based on the IC time clock registered at the TS. The IC clock is synchronized when a new member joins the community. At the time of the previous keys' expiration, the TS re-evaluates the trust level of IC members and verifies the other policy attributes in order to issue new keys automatically without specific requests from a node. Thus our scheme reduces the transmission load needed in other solutions that issue new keys on user request. The scheme also avoids transmission cost among ISN nodes for key management.

Security: The security of our scheme is ensured by attribute-based encryption theory. It is further ensured by a fine-grained encryption mechanism controlled by the community time clock, trust level and other context-related attributes. The new encryption keys are applied when the specified validity time starts. The TS is also responsible for handling specific cases to solve any trouble; e.g., a user can request the TS to decrypt a message if the new key has not been received. The TS decides the validity period of keys according to the security requirements of a community, e.g., the criticality of community activities. The device of a node needs to ensure the usage of the new keys when their validity time starts.

Efficient user revocation: In the case that some member leaves the community, he cannot access the community data after the new keys are issued. The user revocation issue is addressed by periodic key updating, which means an IC withdrawal request is automatically accepted at the time when new keys are issued.

B. Security Proofs

Fine-Grained Access Control: Our scheme can achieve fine-grained access control. Various access policies can be defined and enforced. We remove the complexity of hierarchical attribute-based fine-grained access control [10] by replacing it with a simplified CNF. We can evaluate the trust levels according to many factors and extract context information for IC members. This design not only reduces the complexity of the access policy description, but also keeps its expressivity. The computation complexity can be greatly reduced since trust level evaluation involves no heavy exponentiation operations [1, 2]. The proposed scheme can be flexibly applied to many scenarios by cooperating with a trust management framework.

Data confidentiality: In our proposed scheme, the IC data are first encrypted by a symmetric encryption algorithm with DEKs, and then the DEKs are encrypted using the Encrypt algorithm. Assuming that the symmetric key algorithm is secure, e.g., using a standard algorithm such as AES, the data confidentiality of our proposed scheme relies merely on the security of the Encrypt algorithm. In our scheme, we use ABE as the encryption algorithm to preserve the symmetric DEKs. A security proof has been given under the attribute-based Selective-Set model in our previous work [4]. Therefore, our scheme is secure under the same model.

C. Performance Analysis

This section analyzes the performance of our proposed scheme in terms of computation complexity, communication cost and scalability.

Computation Complexity: We analyze the computation complexity of the following general operations: setup, community grant, user key generation, encryption and decryption. The algorithms Setup(k) and CreateUser each contain a constant number of exponentiation operations on the group $\mathbb{G}$, so the computation complexity of both setup and user creation is $\mathcal{O}(1)$. The algorithm AttPK($PK$, $A$, $SK_{IC}$) contains two exponentiation operations for each attribute in $S_{att\_IC}$, so the computation complexity of community grant is $\mathcal{O}(2|S_{att\_IC}|)$. The algorithm UsrAttSK($PK$, $A$, $SK_{IC}$, $PK_u$) contains one exponentiation operation on $\mathbb{G}$ for each valid attribute owned by a user in $S_{att\_IC}$ that satisfies the access policy, so the maximum computation complexity of secret key generation for a user is $\mathcal{O}(|S_{att\_IC}|)$. The main computation overhead of the operations is the encryption of the message using the symmetric key DEK and the encryption of the DEK using the Encrypt algorithm. The complexity of the former depends on the size of the underlying message and is inevitable for any cryptographic method. The algorithm Encrypt requires a constant three exponentiation operations, whatever the IC access control policy $PL_{IC}$, so the computation complexity of the encryption operation is $\mathcal{O}(1)$. Decrypt contains two bilinear pairings; as in the analysis above, the computation complexity of this algorithm is $\mathcal{O}(1)$. Table III summarizes the computation complexity of each system operation in our proposed scheme and compares it with our previous work [4]; the performance is improved in the encryption operation.
Because of the improvement of the access control policy expression, the encryption operation contains only three exponentiation operations, much more efficient than our previous work, in which the access control policy consists of n conjunctions and each conjunction needs 3 exponentiation operations [4].
Communication Cost: Ciphertext size is an essential aspect with regard to communication cost. In our scheme, Frame = {pseudonym, $CT$, $\{\text{Message}\}_{DEK}$}. $CT$ is composed of only three elements, each of which is a single group element, no matter how complicated $PL_{IC}$ is. The structure of the ciphertext is simple and its size is also reasonable. Additionally, we apply the access policy and trust evaluation to assist decisions on the need for communications for key generation, in order to minimize communication cost in various situations.

Scalability: In our proposed scheme, the data access control policy is as simple as being related to trust level and contexts. Thus, the computation complexity of encryption and decryption is greatly reduced. Our scheme is scalable for supporting various access control demands in PSN with trust management support. We reduce the complexity of cryptographic computation by integrating trust evaluation into fine-grained access control. Any complicated attributes that should be considered in the access control policy can be taken into account during the process of trust evaluation, which can also be linked to a context. The goal of scalability is further achieved since the complexity of each operation of our scheme, shown in Table III, no longer depends on the number of nodes in the system; hence our scheme is scalable and efficient. Therefore, it can serve as an ideal candidate solution for securing the ISN environment.

TABLE III. COMPARISON OF COMPUTATION COMPLEXITY
Operation | Our previous work [4] | Our scheme
Setup | $\mathcal{O}(1)$ | $\mathcal{O}(1)$
Attribute PK generation | $\mathcal{O}(2I)$ | $\mathcal{O}(2|S_{att\_IC}|)$
User key generation | $\mathcal{O}(1)$ | $\mathcal{O}(|S_{att\_IC}|)$ (maximum)
Encryption | $\mathcal{O}(3n)$ | $\mathcal{O}(1)$
Decryption | $\mathcal{O}(1)$ | $\mathcal{O}(1)$
Note: n is the number of conjunctions in the data access policy; I is the total number of trust levels; $|S_{att\_IC}|$ is the number of attributes in the IC.

D. Performance Evaluation

We implemented our scheme in the C language using the Pairing Based Cryptography (PBC) library (http://crypto.stanford.edu/pbc/) for the algebraic operations. The implementation used a 160-bit elliptic curve group based on the supersingular curve $y^2 = x^3 + x$ over a 512-bit base finite field. On our test machine, the pairings in the PBC library can be computed in approximately 3.8 ms (without preprocessing), and the exponentiation computations in $\mathbb{G}$ and $\mathbb{G}_T$ take about 3.4 ms and 0.5 ms respectively. Randomly selecting an element is also a significant operation, which takes about 4.5 ms for $\mathbb{G}$ and 2.2 ms for $\mathbb{G}_T$.

In our test, we estimate the four major operations in our scheme: attribute public key generation, attribute secret key generation, encryption and decryption. As shown in Fig.1 and Fig.2, both the attribute public keys' generation time and the attribute secret keys' generation time for a user are precisely linear with respect to the number of attributes in the IC and the number of valid attributes owned by the user, respectively.

[Fig.1: Attribute public keys' generation time in IC]

[Fig.2: Attribute secret keys' generation time for a user]

For the encryption operation, shown in Fig.3, the encryption time, about 48 ms, is approximately constant. In our scheme, the ciphertext is a triple, and each element of it is computed by an exponentiation in the group with a limited number of multiplications. Since the number of attributes in $PL_{IC}$ is limited in a real scenario, and the cost of a multiplication operation in a group is light, increasing the number of attributes in $PL_{IC}$ has almost no impact on the encryption time. This feature ensures the scalability of our scheme.

[Fig.3: Encryption time]

Finally, we evaluated the computation cost spent in the decryption operation. Fig.4 shows the variation of decryption time with the number of attributes in the access control policy $PL_{IC}$. For all cases, the time spent in decryption is almost constant. According to the complexity analysis, the most expensive operation in decryption is computing two bilinear pairings, where one bilinear pairing takes about 3.8 ms on our test machine. Thus, the test result is consistent with the theoretical analysis. In summary, in a real scenario the number of attributes in an IC and the attribute set in the access control policy $PL_{IC}$ are relatively limited; therefore, the cost of operations in our scheme is acceptable in real applications. All of the above performance test results imply the effectiveness and scalability of our scheme for practical adoption.

[Fig.4: Decryption time]

VI. CONCLUSION

In this paper, we introduced a scheme to control IC data access in ISN based on trust and contexts. The proposed scheme seamlessly incorporates a trust management framework for securing ISN data by applying ABE. Our scheme can flexibly support controlling IC data by applying attributes like trust and contexts, with the support of a trusted server, according to the IC time clock. We formally proved the security and evaluated the performance of the proposed scheme based on the security of ABE and an implementation of the scheme. Extensive analysis, evaluation and comparison with existing work show that our scheme is highly efficient, scalable, and provably secure under the existing security model.

ACKNOWLEDGMENT

This work is sponsored by the PhD grant (JY0300130104) of the Chinese Educational Ministry, the initial grant of the Chinese Educational Ministry for researchers from abroad (JY0600132901), and the grant of Shaanxi Province for excellent researchers from abroad (680F1303).

REFERENCES
[1] Z. Yan, Y. Chen, and Y. Shen, "A practical reputation system for pervasive social chatting", Journal of Computer and System Sciences, vol. 79, no. 5, pp. 556-572, Aug. 2012.
[2] Z. Yan, Y. Chen, and Y. Shen, "PerContRep: A Practical Reputation System for Pervasive Content Services", The Journal of Supercomputing, Springer, Feb. 2014. DOI: 10.1007/s11227-014-1116-y
[3] Familiar Stranger. http://www.paulos.net/research/intel/familiarstranger/index.htm
[4] Z. Yan, M. Wang, V. Niemi, and R. Kantola, "Secure Pervasive Social Networking based on Multi-Dimensional Trust Levels", IEEE CNS, Washington D.C., USA, pp. 100-108, 2013.
[5] Junction. Harvard MobiSocial Group. http://openjunction.org/
[6] MicroBlog. http://synrg.ee.duke.edu/microblog.html
[7] P. Stuedi, O. Riva, and G. Alonso, "Demo abstract: Ad hoc social networking using MAND". http://www.iks.inf.ethz.ch/publications/files/mobicom08_demo.pdf
[8] J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-policy attribute based encryption", in Proc. IEEE SP, Berkeley, CA, USA, 2007, pp. 321-334.
[9] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data", in Proc. ACM CCS, New York, USA, 2006, pp. 89-98.
[10] S. Müller, S. Katzenbeisser, and C. Eckert, "Distributed attribute-based encryption", in Proc. ICISC, Seoul, Korea, 2008, pp. 20-36.
[11] A. Sahai and B. Waters, "Fuzzy identity-based encryption", in Proc. EUROCRYPT, Aarhus, Denmark, 2005, pp. 457-473.
[12] A. Ahtiainen, K. Kalliojarvi, M. Kasslin, K. Leppanen, A. Richter, P. Ruuska, and C. Wijting, "Awareness networking in wireless environments: Means of exchanging information", IEEE Vehicular Technology Magazine, vol. 4, no. 3, pp. 48-54, Sept. 2009.
[13] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, "Secure attribute based systems", Journal of Computer Security, vol. 18, no. 5, pp. 799-837, 2010.
[14] M. Blaze, G. Bleumer, and M. Strauss, "Divertible protocols and atomic proxy cryptography", in Proc. EUROCRYPT, Espoo, Finland, 1998, pp. 127-144.
[15] M. Green and G. Ateniese, "Identity-based proxy re-encryption", in Proc. ACNS, Zhuhai, China, 2007, pp. 288-306.
[16] Z. Yan, Trust Management in Mobile Environments: Usable and Autonomic Models, IGI Global, 2013.