1. Introduction
With the prevalence of mobile devices and the growth of wide-area networks, all kinds of remote access applications are emerging. In a typical client-server paradigm [1,2], a remote user can request many networking services from the server, which must verify the membership of the user in order to ensure data confidentiality [3] and integrity [4]. For the sake of secure communication, user authentication [5] is a commonly adopted approach. Generally speaking, user authentication can be based on passwords, biometrics, or physical objects such as smart cards, tokens, keys, etc. In each authentication type, a user must first register with the remote server, which is referred to as enrollment. The user can then log in to the server to access various data and services.
In 1981, Lamport [6] introduced an authentication scheme in which the user has to provide his/her password to gain the access privilege. The scheme authenticates users over a public channel rather than a secure one. In addition, the user passwords are stored in the server database in hashed form, so as to improve confidentiality. Although an adversary can still mount a password guessing attack, its computational cost is increased. However, the protocol was later shown to be insecure in [7].
Since a static user identity is easily compromised during the remote login process, Das et al. [8] proposed a user authentication scheme employing dynamic IDs. That is, a user first generates a pseudo identity before performing the login process. Even if the pseudo identity is intercepted by an eavesdropper, he/she cannot invert it to the original one. It can thus be seen that their scheme offers better protection of user anonymity. Nevertheless, their scheme is vulnerable to several active attacks pointed out in [9].
In most existing password-based authentication mechanisms, the remote server keeps a so-called hashed password table for verifying users. Although the passwords are stored in hashed form, the table still has a high possibility of leaking. In particular, an adversary who obtains the hashed password table can launch an offline brute-force attack to break weak passwords. To deal with this issue, in 2011, Khan et al. [10] presented a variant of remote user authentication protocol that removes the need to maintain a password table. Still, any password-based authentication scheme faces a big challenge in practice, as human beings are incapable of remembering strong passwords.
In recent years, attribute-based cryptography [11,12,13,14,15,16,17,18] has received much attention due to its flexibility and its suitability for fine-grained access control. In 2014, Zhu et al. [19] realized the notion of so-called fuzzy attribute-based authentication. More precisely, each user owns a set of descriptive attributes which are regarded as the identity associated with the user. The private keys of the user are also related to his/her attributes. When a user has sufficient attribute keys, he/she is able to recover the constant term of a secret polynomial and then decrypt the corresponding ciphertext. However, later research [20] showed that their system cannot resist the notorious collusion and impersonation attacks. To solve these security problems, Yun et al. [20] prepared different polynomials for different users such that the attribute keys of more than one user cannot be jointly combined.
Extending Yun et al.'s work, in 2019, Lin et al. [21] further proposed a new user authentication protocol achieving mutual authentication and supporting time-bounded keys. The property of time-bounded keys limits the ability of users to decrypt ciphertexts after the validity period has expired. However, their scheme does not support the functionality of cloud storage using attribute-based mechanisms. In the same year, Hao et al. [22] proposed attribute-based access control with authorized search in cloud storage. In particular, their scheme combines the technique of key delegation with key-policy attribute-based encryption to allow users to customize search policies. Xie et al. [23] designed a three-layer structure for securely accessing data in mobile clouds using a modified hierarchical attribute-based encryption. Considering applications with cloud-based multi-server data, Roy et al. [24] provided a fine-grained data access control mechanism. Their scheme is provably secure in the real-or-random model. However, their work does not support attribute-based mechanisms.
In 2020, Hong et al. [25] integrated time-release encryption with ciphertext-policy attribute-based encryption to access time-sensitive data in public clouds. Specifically, the data owner can grant access rights to various users according to different release times. In 2022, Ma et al. [26] introduced a server-aided fine-grained access control mechanism supporting robust revocation. With the assistance of the cloud computing structure, their scheme can outsource the decryption overhead to the public cloud server. Consequently, the data user only performs one exponentiation. Nevertheless, most previous works cannot support key update and hence fail to deal with the issue of key compromise. Table 1 summarizes the limitations of current related works.
Based on Lin et al.'s authentication protocol [21], in this paper, the authors introduce a fuzzy identity-based access control system consisting of an attribute-based mutual authentication and an attribute-based encryption. Both of the two attribute-based mechanisms support the superior characteristic of updateable attribute keys, which could provide more application flexibility in practice.
The remaining sections are arranged as follows. In the next preliminary section, we first introduce the essential mathematical background along with the utilized cryptographic assumption. The proposed access control system is formally described in Section 3. We analyze and prove the security of the proposed system in Section 4. Finally, concluding remarks are given in Section 5.
2. Preliminaries
We introduce the Lagrange interpolation [27,28] and the bilinear pairing [29,30,31] as described below:
Lagrange Interpolation
Let f(x) be a polynomial of degree (t − 1). Given any t points, say (xi, yi = f(xi)) for i ∈ [1, t] and xi ∈ Zp*, we can reconstruct the polynomial f(x) as:
The Lagrange coefficient Δi, S can be expressed as
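As an added illustration (not the paper's own code), the following Python computes the Lagrange coefficients Δi,S over Zp and uses them the way the scheme does: a degree t − 1 polynomial whose constant term is the secret z is shared over attribute indices (as in KeyExtract), any t shares recover z, fewer do not, and a polynomial fixed by f(0) together with t − 1 points can be evaluated at any further index, which is the step the simulator uses in the proof of Theorem 3. The prime, threshold and attribute indices are constructed sample values.

```python
# Added example: Lagrange interpolation over Z_p as used in fuzzy
# identity-based schemes. Not code from the paper; p, t and the
# attribute indices below are constructed sample values.
import secrets


def lagrange_coeff(i, S, x, p):
    """Delta_{i,S}(x) = prod_{j in S, j != i} (x - j) / (i - j)  (mod p)."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def interpolate(points, x, p):
    """Reconstruct f(x) from t points (i, f(i)) of a degree t-1 polynomial."""
    S = [i for i, _ in points]
    return sum(y * lagrange_coeff(i, S, x, p) for i, y in points) % p


def make_polynomial(z, t, p):
    """Random degree t-1 polynomial with constant term z (low to high)."""
    return [z] + [secrets.randbelow(p - 1) + 1 for _ in range(t - 1)]


def evaluate(coeffs, x, p):
    """Horner evaluation of the polynomial at x modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def demo(p=2**127 - 1, t=3, n=5):
    """Share a secret z over attribute indices 1..n with threshold t."""
    z = secrets.randbelow(p - 1) + 1
    f = make_polynomial(z, t, p)
    # One share per attribute, indexed by the attribute's position.
    shares = {i: evaluate(f, i, p) for i in range(1, n + 1)}
    enough = [(i, shares[i]) for i in (1, 3, 5)]   # t attributes
    too_few = [(i, shares[i]) for i in (1, 3)]     # t - 1 attributes
    # Simulator's view in the proof: f(0) is fixed and t-1 points are
    # chosen; every other f(i) follows by interpolation.
    simulator = [(0, z)] + too_few
    return {
        "t_shares_recover_z": interpolate(enough, 0, p) == z,
        "fewer_shares_recover_z": interpolate(too_few, 0, p) == z,
        "simulator_derives_f4": interpolate(simulator, 4, p) == shares[4],
    }
```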
Bilinear Pairing
Let G1 and G2 be two multiplicative groups of the same prime order p, and let g be a generator of G1. A bilinear pairing e: G1 × G1 → G2 satisfies the following properties:
(i) Bilinearity:
Given ga, gb, gc ∈ G1³ and two integers i, j ∈ Zp*, we can obtain
(ii) Non-degeneracy:
There is a generator g ∈ G1 such that e(g, g) ≠ 1.
(iii) Computability:
For any elements ga and gb of the group G1, e(ga, gb) can be efficiently computed by a polynomial-time algorithm.
Decisional Modified Bilinear Diffie-Hellman (DMBDH) Problem
Given $g^f, g^s, g^k \in G_1^3$ for some positive f, s, k ∈ Zp*, and ($ e{(g, g)}^{\frac{fs}{k}} $, δ) ∈ $G_2^2$, the decisional modified bilinear Diffie-Hellman (DMBDH) problem is to determine whether $ e{(g, g)}^{\frac{fs}{k}} $ equals δ or not.
Decisional Modified Bilinear Diffie-Hellman (DMBDH) Assumption
The DMBDH assumption states that for any polynomial-time adversary, the advantage to solve the DMBDH problem is negligible.
3. The proposed scheme
On the basis of the work [21], we introduce a fuzzy identity-based access control mechanism with dynamically updateable keys in this section.
3.1. Algorithms
The proposed access control system consists of six algorithms including Setup, KeyExtract, Authentication, Encryption, Decryption and Key-update. We describe each algorithm as follows:
Setup: Taking as input a security parameter, the cloud server first chooses necessary system parameters including the public values, master secret keys (msk) along with a time key.
KeyExtract: Each user can request his/her attribute keys from the cloud server.
Authentication: It is an interactive process between the user and the cloud server. That is, a user can login to the cloud server if the authentication result is successful.
Encryption: An authenticated user can encrypt the data and then upload the ciphertext to the cloud server.
Decryption: A user can request the ciphertext from the cloud server and then decrypt it with his/her attribute keys.
Key-update: Any legitimate user is able to renew his/her private keys for the coming time periods by the assistance of the cloud server.
3.2. Construction
The authors present a concrete construction according to the above algorithms. Details of each algorithm are shown as follows:
Setup: Given a security parameter l, the cloud server first determines two multiplicative groups G1 and G2 with the same prime order p. Let g be a generator of the group G1 and e: G1 × G1 → G2 a bilinear map. There is also a secure hash function H which accepts a variable-length input and returns a fixed-length output. Let W = {w1, w2, …, wn} be the universe of all attributes. Then the cloud server executes the following initialization steps:
1) Randomly select k1, k2, …, kn ∈R Zp* to compute
2) Determine a1, a2, …, an ∈{0, 1}. Specifically, when wi is authorized by the cloud server, ai = 1; else, ai = 0. Define the set A= {ai}i∈[1, n] and compute
3) Randomly select z ∈ Zp* to compute
4) Announce the public key PK = ({Ki}i∈[1, n], Z, A);
5) Define the master secret key msk = ({ki}i∈[1, n], z);
6) Randomly select v ∈R Zp* and define it as the time key mtk.
KeyExtract: A user idu owning the attribute set Wu ⊆ W such that | Wu | = t is able to request his/her attribute keys from the cloud server. The cloud server first determines a degree t − 1 polynomial fidu(x) whose constant term is z and then derives the attribute keys as
The user idu will receive the attribute keys {Si}i∈Wu via secure communication.
Authentication: To login the cloud server, a user idu executes the following processes with the cloud server interactively:
i. The user first delivers (idu, Wu) to the cloud server.
ii. When receiving it, the cloud server randomly selects R ∈ G2 and r ∈ Zp* to compute
Then (Q0, {Qi}i∈Wu) are sent back to idu.
iii. When receiving it, idu computes
where TS is a timestamp. The message (C2', TS) is transmitted to the cloud server.
iv. The cloud server verifies whether | TS' − TS | ≤ ΔT where TS' is the current time and ΔT is a predefined time interval. If it holds, the cloud server proceeds to the next step; else, it rejects the login request.
v. Compute
If C2' = C2, the cloud server continues to derive
and sends (C3, TS') to idu.
vi. If | TS'' − TS' | ≤ ΔT, idu derives
and checks if C3' = C3. When the equality holds, the interactive authentication process is viewed as successful. We illustrate the above processes in Figure 1.
Encryption: To encrypt a message M for storing in the cloud server, an authenticated user idu executes the following processes:
a) Randomly select d ∈ Zp* to compute
b) Upload the ciphertext (idu, CTindex, CT, {CTi}i∈Wu) to the cloud server. Here, CTindex is the category name of the ciphertext.
Decryption: To decrypt a ciphertext (CT, {CTi}i∈Wu) which is downloaded from the cloud server, idu utilizes his/her attribute keys to compute
Key-update: To periodically update the attribute keys, the cloud server first chooses v' ∈R Zp* as the new mtk, and then computes
The parameter h is delivered to idu. Consequently, idu is able to renew his/her attribute keys as
4. Algorithm and security analyses
In this section, we first show that the proposed access control mechanism is correct and then formally prove the fuzzy selective-ID security of our protocol.
4.1. Correctness
We demonstrate that a valid user can successfully login to the cloud server and decrypt the corresponding ciphertext with his/her attribute keys.
Theorem 1. A valid user idu can be authenticated by the cloud server if R' = R.
Proof: Derived from Eq (7), we have
Theorem 2. A valid user idu can decrypt the cloud ciphertext with Eq (15).
Proof: Derived from the right side of Eq (15), we have
4.2. Security proofs
To prove that our system achieves the fuzzy selective-ID security, we first give the corresponding definition below.
Definition 1. (Fuzzy Selective-ID) An identity-based encryption (IBE) scheme achieves the fuzzy selective-ID security if in the following game, there is no probabilistic adversary $\mathcal{A}$ who is able to defeat a polynomial-time challenger $\mathcal{B}$ with non-negligible advantage:
Setup: In the beginning, the adversary $\mathcal{A}$ determines the target identity id*. Then the challenger $\mathcal{B}$ performs the Setup(1l) algorithm to initialize public parameters and the master secret key msk. Then the public parameters are sent to $\mathcal{A}$.
Phase 1: The adversary $\mathcal{A}$ can adaptively make the queries for any id such that | Wid ∩ Wid* | < t:
KeyExtract (KE) Queries: In this query, the adversary $\mathcal{A}$ will provide an identity id for the challenger $\mathcal{B}$ who then calls the KeyExtract algorithm to get the corresponding private key Sid and returns it.
Authentication (AU) Queries: In this query, the adversary $\mathcal{A}$ will provide an identity id for the challenger $\mathcal{B}$ who then calls the authentication algorithm and returns an authentication token (Q0, {Qi}i∈Wid).
Challenge: The adversary $\mathcal{A}$ determines two messages (M0, M1) of the same length. Next, the challenger $\mathcal{B}$ takes the input of (id*, Mλ) where λ ∈R {0, 1} to produce a ciphertext (id*, CT*index, CT*, {CTi*}i∈Wid*) as the challenge for $\mathcal{A}$.
Phase 2: Upon receiving the challenge, the adversary $\mathcal{A}$ is allowed to further make queries defined as those in phase 1.
Guess: When phase 2 terminates, the adversary $\mathcal{A}$ outputs a bit λ′. If λ′ = λ, $\mathcal{A}$ is the winner of the game. Consequently, the advantage of $\mathcal{A}$ is defined as Adv($\mathcal{A}$) = | Pr[λ′ = λ] − 1/2 |.
Theorem 3. (Proof of Fuzzy Selective-ID) The proposed scheme achieves the fuzzy selective-ID security under the Decisional Modified Bilinear Diffie-Hellman (DMBDH) assumption. In particular, if a probabilistic polynomial-time adversary $\mathcal{A}$ breaks the fuzzy selective-ID security of our mechanism with non-negligible advantage ε, a simulator $\mathcal{B}$ playing the DMBDH game with non-negligible advantage (1/2)ε can be constructed.
Proof: Let $(g, g^f, g^s, g^k, e{(g, g)}^{\frac{fs}{k}}, \delta)$ be a problem instance of DMBDH for $\mathcal{B}$, whose purpose is to decide whether $ e{(g, g)}^{\frac{fs}{k}} $ equals δ or not by utilizing the advantage of $\mathcal{A}$.
Setup: In the beginning, the adversary $\mathcal{A}$ determines the target identity id* and the challenger performs the Setup(1l) function to initialize the public parameters {G1, G2, e, g, p}. The challenger also chooses a bit b which $\mathcal{B}$ does not know. If b = 0, the challenger sets δ = $ e{(g, g)}^{\frac{fs}{k}} $; else, it lets δ = e(g, g)τ for a random τ. Then $\mathcal{B}$ sets $Z = e(g^f, g)$, A = {ai}i∈[1, n], $ I = {\sum }_{i = 1, {a}_{i}\ne 0}^{n}\left({g}^{{w}_{i}}{a}_{i}\right) $ for all authorized ai's, and mtk = v for v ∈R Zp*. Additionally, $\mathcal{B}$ sets $K_i = (g^k)^{r_i}$ where ri ∈ Zp* for i ∈ Wid*. If i ∈ W − Wid*, $\mathcal{B}$ sets $K_i = g^{k_i}$ where ki ∈ Zp*. Then the parameters (Z, {Ki}i∈[1, n], I) are sent to the adversary $\mathcal{A}$.
Phase 1: $\mathcal{B}$ responds to the queries made by $\mathcal{A}$ as follows:
KeyExtract (KE) Queries: For the KE query of any id such that | Wid ∩ Wid* | < t, we first let the set Wc = Wid ∩ Wid*, Wd be any set satisfying that Wc ⊆ Wd ⊆ Wid and | Wd | = t − 1, and Ws = Wd ∪ {0}. Now we define the key component i ∈ Wd as follows.
1) When i ∈ Wc, $\mathcal{B}$ sets $ {S}_{i} = {g}^{\frac{{z}_{i}}{(id+v)}} $ where zi ∈R Zp*.
2) When i ∈ Wd − Wc, $\mathcal{B}$ sets $ {S}_{i} = {g}^{\frac{{h}_{i}}{{k}_{i}(id+v)}} $ where hi ∈R Zp*.
Specifically, we implicitly define a degree t − 1 polynomial fid(x) with fid(0) = f and the t − 1 points calculated above. That is, fid(i) = k ⋅ ri ⋅ zi for i ∈ Wc and fid(i) = hi for i ∈ Wd − Wc. Also, when i ∉ Wd, $\mathcal{B}$ can use Lagrange interpolation to compute the private key Si as
Consequently, the simulator $\mathcal{B}$ is able to respond to any KE query submitted by $\mathcal{A}$, and the returned private keys have the same distribution as those in the real scheme.
Authentication (AU) Queries: For the AU query of any id, $\mathcal{B}$ first chooses R ∈ G2, r ∈ Zp* to compute $Q_0 = R \cdot Z^{r}$ and $\{Q_i = K_i^{r(id_u + v)}\}_{i \in W_{id}}$. Then $\mathcal{B}$ returns (Q0, {Qi}i∈Wid) to $\mathcal{A}$.
Challenge: The adversary $\mathcal{A}$ determines two messages (M0, M1) of the same length. Next, the challenger $\mathcal{B}$ takes the input (id*, Mλ) where λ ∈R {0, 1} to produce a ciphertext (id*, CT*index, CT*, {CTi*}i∈Wid*) in which CT* = Mλ ⋅ δ and $\{CT_i^* = (g^s)^{r_i(id^* + v)}\}_{i \in W_{id^*}}$.
When b = 0, we know that δ = $ e{(g, g)}^{\frac{fs}{k}} $. That is,
It can thus be seen that the simulated challenge is a valid ciphertext for Mλ and the target identity id*. Nevertheless, when b = 1, we have δ = e(g, g)τ for a random τ, meaning that the ciphertext component CT* is a random element of G2 and the adversary $\mathcal{A}$ has no better advantage in guessing λ'.
Phase 2: When receiving the challenge, $\mathcal{A}$ is allowed to further make queries as those in phase 1.
Guess: When phase 2 terminates, the adversary $\mathcal{A}$ returns a bit λ′. If λ′ = λ, $\mathcal{B}$ will output b' = 0 meaning that δ = $ e{(g, g)}^{\frac{fs}{k}} $. Otherwise, $\mathcal{B}$ outputs b' = 1 to indicate that δ = e(g, g)τ for a random τ.
Analysis: Let us consider two cases of the bit b. When b = 1, the adversary $\mathcal{A}$ has no better advantage in guessing λ'. Therefore, we have Pr[λ′ ≠ λ | b = 1] = 1/2. If λ′ ≠ λ, $\mathcal{B}$ will output 1. In this case, it is obvious that Pr[b' = b| b = 1] = 1/2. When b = 0, the challenge ciphertext is valid. Hence, we have Pr[λ′ = λ | b = 0] = 1/2 + ε where ε is the advantage of the adversary $\mathcal{A}$ by our definition. If λ′ = λ, $\mathcal{B}$ will output 0. That is, Pr[b' = b | b = 0] = 1/2 + ε. Consequently, we can derive the advantage of $\mathcal{B}$ to solve the DMBDH problem as
4.3. Comparison
In this subsection, we evaluate the functionality and performance among the proposed and related schemes including Zhu et al.'s (ZZQ+ for short) [19], Yun et al.'s (YKL for short) [20] and Lin et al.'s (LTW for short) [21]. The results of functionality comparisons are summarized in Table 2. It is obvious that both the ZZQ+ and YKL schemes are vulnerable to several known attacks and fail to satisfy the evaluated functionalities. Although the LTW scheme is secure against all known attacks, it cannot support the functionality of cloud storage using the mechanism of asymmetric encryption/decryption.
For better understanding of the results of performance evaluation, we first define some utilized symbols below:
n: the number of all attributes in the system;
|Wu|: the number of attributes of the user idu;
B: a bilinear pairing computation;
E: an exponentiation computation;
H: a collision-resistant hash function;
We summarize the detailed performance evaluation in Table 3. From this table, one can see that the proposed scheme maintains the same computational complexity as the related works. Although the authentication algorithm of our scheme requires one additional hash computation, it is a worthwhile trade-off for achieving mutual authentication.
5. Conclusions
Building on the merits of attribute-based cryptography, in this paper the authors propose a provably secure fuzzy identity-based access control system supporting updateable attribute keys. In particular, the proposed system consists of both fuzzy identity-based mutual authentication and fuzzy identity-based encryption. That is, the former mechanism allows a user to log in to the remote server via his/her attribute keys, while the latter further enables the authenticated user to decrypt the server ciphertext if his/her attribute keys satisfy the ciphertext access policy. Our access control system permits users to update their attribute keys periodically, so as to address the key-compromise problem. Compared with most existing attribute-based schemes, which do not support key update, our system is more appealing in practical environments. Additionally, we demonstrate that our scheme is provably secure in the notion of fuzzy selective-ID security under the DMBDH assumption.
Acknowledgements
This work was supported in part by the Ministry of Science and Technology of Republic of China under the contract numbers MOST 110-2221-E-019-041-MY3 and MOST 110-2222-E-019-001-MY2.
Conflict of interest
The authors declare there is no conflict of interest.