1 Introduction

In recent years the amount of data stored on cloud servers has grown rapidly with the development of the Internet, as users seek to reduce the cost of local storage and to share data. However, information disclosure and trust issues arise when cloud servers are managed by a third party, so improving the security of data stored in the cloud has become a critical task. Typically, data stored in the cloud must be encrypted to achieve this goal. Public-key cryptography is one method of encrypting data; it uses a pair of keys, a secret key (SK) and a public key (PK). Although public-key encryption enhances security, the complexity of key management is a major issue in this kind of cryptography.

Although public-key cryptography helps us to protect messages, it can also be abused, for example by transferring or copying a secret key without authorization, and a secret key may be copied from another user illegally. If a secret key leaks, it is difficult to identify the source of the leak or the responsible entity. Various methods have been proposed that use unique information to generate the secret key in order to prevent such behaviour, but secret-key leakage remains a weak point of encryption that still waits to be solved. Three related technologies are introduced as follows.

Hardware Certification

A Physical Unclonable Function (PUF) is realized by a physical device that exploits variations in the chip manufacturing process, which inevitably yield an unlimited number of unique and unpredictable “secret keys” [1]. A PUF receives a random challenge code and generates a unique random code as its response. Because of these manufacturing differences, the produced chip cannot be imitated or copied.

Kumar et al. [2] designed a system in which a given input to one PUF defines a certain output, while other PUFs produce different outputs for the same input. Because of this uniqueness of the chip output, PUFs can be widely used in smart cards, bank cards and so on. In this way the message is protected, through the uniqueness of the secret key, against copying and other illegal activities.

Biometric Authentication

Biometric technology uses computers together with optics, acoustics, biosensors and other high-tech tools to capture the body’s natural physiological characteristics (such as fingerprint, finger vein, face, iris, etc.) and behavioural characteristics (e.g. handwriting, voice, gait, etc.) in order to identify a person. Biometric characteristics are not easy to forget, offer good security performance, are not easily copied or stolen, are “portable” and can be used anywhere [3]. Furthermore, a biometric can be used as a unique, unalterable secret key, but its safety must still be taken seriously.

Jain et al. [4] analyzed and evaluated such biometric authentication systems. Biometric authentication is also used in various other fields; for example, Uludag et al. [5] proposed a biometric authentication that can be used to construct a digital rights management system.

In fact, biometric authentication is already very widely used in daily life, for example fingerprint authentication for bank cards and face authentication at customs. Although biometrics bring us convenience, the privacy protection of biometric data has become an important research challenge.

Terminal Fingerprint

In general, the installed fonts, screen resolution and network environment differ for each browser terminal from which fingerprint information is collected. This information can be used as feature points to identify the terminal. The set of such features possessed by a browser is referred to as a browser fingerprint [6–8]. In this paper the terminal fingerprint is assumed to be unchangeable and unextractable.

Terminal fingerprints have been applied in a variety of settings. For example, a terminal fingerprint is used to track the behaviour of users on the web by collecting the trend of web sites that the user has accessed, which makes it possible to serve advertisements tailored to the interests and preferences of the user. It has also been applied to risk-based authentication: the terminal fingerprint is taken when the user logs in and saved, and then compared with the fingerprints from previous logins. If there is a significant difference, it is judged that access from another terminal is likely, which triggers a stronger authentication.

The hardware-based and biometric-based authentication methods mentioned above ensure the uniqueness of the key, but they still cannot guarantee the security of the key. Updating a hardware-based authentication requires replacing the hardware itself, which increases the system cost. A biometric-based authentication cannot be altered, but it can be copied.

To address this point, this paper uses terminal fingerprint information, because the terminal fingerprint of every terminal is different from the attacker’s. Even if an attacker launches a collusion attack, the data still cannot be decrypted. Hence, in the proposed scheme, the user’s terminal fingerprint information is used as a secret key, and it is never revealed outside the terminal, not even once. Unless the owner leaks the information, the security of the key is guaranteed. The safety of the secret key is increased in this way.

For this purpose, we propose a hybrid encryption scheme that consists of a common-key encryption scheme and two public-key encryption schemes. The hash value of the terminal fingerprint is used as the secret key of the second public-key scheme. In this paper we employ Waters’ CP-ABE [9] as the first encryption scheme, but any public-key encryption scheme could be used in its place. Our scheme not only uses the terminal fingerprint to generate a unique secret key, but also updates itself according to the user’s settings at relatively low cost, so as to keep the terminal fingerprint fresh.

The rest of this paper is structured as follows. Section 2 introduces background information, formal definitions and the CP-ABE scheme. Section 3 describes our encryption scheme. Section 4 discusses the security and advantages of the proposed scheme. Finally, Sect. 5 gives the conclusion and future work.

2 Preliminaries

In this section, we give background information on bilinear maps and our cryptographic assumption.

2.1 Bilinear Maps

We present a few facts related to groups with efficiently computable bilinear maps. Let \( G_{1} \) and \( G_{2} \) be two multiplicative cyclic groups of prime order \( p \). Let \( g \) be a generator of \( G_{1} \) and \( e \) be a bilinear map \( e: G_{1} \times G_{1} \to G_{2} \). The bilinear map \( e \) has the following properties:

  1. Bilinearity: for all \( u,v \in G_{1} \) and \( a,b \in Z_{p} \), we have \( e(u^{a} ,v^{b} ) = e(u,v)^{ab} \),

  2. Non-degeneracy: \( e(g,g) \ne 1 \).

2.2 Access Structure and Linear Secret Sharing Scheme

We will review here the definition of access structure and Linear Secret Sharing Schemes (LSSS) [10].

Definition 1

(Access Structure). Let \( P = \{ P_{1}, P_{2}, \ldots, P_{n} \} \) be a set of attributes. A collection \( \varGamma \subset 2^{P} \) is said to be monotone if it is closed under supersets, i.e. for all \( B, C \), if \( B \in \varGamma \) and \( B \subset C \), then \( C \in \varGamma \). An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) \( \varGamma \) of nonempty subsets of \( P \), i.e., \( \varGamma \subset 2^{P} \backslash \{ \emptyset \} \). The members of \( \varGamma \) are called authorized sets, and the sets not in \( \varGamma \) are called unauthorized sets.

Definition 2

(Linear Secret Sharing Schemes (LSSS) [10]). A secret-sharing scheme \( \prod \) over a set of parties \( \mathcal{P} \) is called linear (over \( Z_{p} \)) if

  1. The shares for each party form a vector over \( Z_{p} \),

  2. There exists a matrix \( M \) with \( \ell \) rows and \( n \) columns, called the share-generating matrix for \( \prod \). For all \( i = 1, \ldots, \ell \), the \( i \)-th row of \( M \) is labelled by a party \( \rho(i) \), where \( \rho \) is the labelling function. Consider the column vector \( \vec{v} = (s, r_{2}, \ldots, r_{n}) \), where \( s \in Z_{p} \) is the secret to be shared and \( r_{2}, \ldots, r_{n} \in Z_{p} \) are chosen at random; then \( M\vec{v} \) is the vector of \( \ell \) shares of the secret \( s \) according to \( \prod \). The share \( (M\vec{v})_{i} \) belongs to party \( \rho(i) \).

Here \( \prod \) is an LSSS realizing \( \varGamma \). Let \( S \) be the attribute set of an authenticated user, and define \( I \subset \{ 1, 2, \ldots, \ell \} \) as \( I = \{ i : \rho(i) \in S \} \). For \( \prod \) there exist constants \( \{ \omega_{i} \in Z_{p} \}_{i \in I} \) such that, if \( \{ \lambda_{i} \} \) are valid shares of any secret \( s \), then \( \sum\nolimits_{i \in I} \omega_{i} \lambda_{i} = s \).
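As an added worked example (not from the paper), the following Python computes the shares \( M\vec{v} \) and the reconstruction constants \( \omega_{i} \) of Definition 2 for a constructed share-generating matrix; the matrix, the labelling \( \rho \) and the small prime are assumptions chosen for readability. It goes slightly beyond the text by solving for the \( \omega_{i} \) with Gaussian elimination over \( Z_{p} \), which also detects unauthorized attribute sets.

```python
# Added example: LSSS share generation and reconstruction over Z_p.
# P is a constructed small prime; real schemes use a cryptographic-size p.
P = 1_000_003

# Constructed share-generating matrix M (l = 3 rows, n = 2 columns) encoding
# the policy (A AND B) OR C, with the row labelling rho(i) beside it.
M = [
    [1, 1],    # row 0 -> attribute "A"
    [0, -1],   # row 1 -> attribute "B"
    [1, 0],    # row 2 -> attribute "C"
]
RHO = ["A", "B", "C"]


def share(secret, randoms, m=M, p=P):
    """Return the share vector M*v for v = (s, r_2, ..., r_n) over Z_p."""
    v = [secret] + list(randoms)
    assert len(v) == len(m[0]), "v must have one entry per column of M"
    return [sum(row[j] * v[j] for j in range(len(v))) % p for row in m]


def reconstruction_vector(attrs, m=M, rho=RHO, p=P):
    """Find omega_i for i in I = {i : rho(i) in attrs} such that
    sum_i omega_i * M_i = (1, 0, ..., 0), or None if attrs is unauthorized.
    Solved as a linear system over Z_p by Gauss-Jordan elimination."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n, k = len(m[0]), len(idx)
    # One equation per column j: sum_i omega_i * M[i][j] = target[j].
    target = [1] + [0] * (n - 1)
    rows = [[m[i][j] % p for i in idx] + [target[j]] for j in range(n)]
    pivot_cols, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if rows[i][c]), None)
        if piv is None:
            continue                      # free unknown, set to 0 below
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)      # modular inverse (Python >= 3.8)
        rows[r] = [x * inv % p for x in rows[r]]
        for i in range(n):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivot_cols.append(c)
        r += 1
    # A leftover equation 0 = nonzero means the target vector is not in the
    # span of the selected rows, i.e. the attribute set is unauthorized.
    if any(rows[i][-1] for i in range(r, n)):
        return None
    omega = [0] * k
    for i, c in enumerate(pivot_cols):
        omega[c] = rows[i][-1]
    return dict(zip(idx, omega))


def reconstruct(shares, attrs, m=M, rho=RHO, p=P):
    """Return sum_{i in I} omega_i * lambda_i, which equals s for authorized
    sets, or None when attrs does not satisfy the access structure."""
    omega = reconstruction_vector(attrs, m, rho, p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p
```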

2.3 CP-ABE

Many studies aim to enhance the security of such systems. Cheung and Newport [11] proposed a CP-ABE scheme based on the DBDH problem using the CHK technique [12]; it is IND-CPA secure and pioneered the achievement of IND-CCA security. In that method a user’s secret key is generated from the user’s attributes and the system attributes. Naruse et al. [13] proposed a new CP-ABE mechanism with re-encryption: their method builds the ciphertext with a CP-ABE scheme and adds a re-encryption phase to protect the message. Li et al. [14] proposed an encryption system using a trusted third party, which issues authentication information embedded in the user key to achieve better safety in the decryption phase than plain CP-ABE; however, it is difficult to implement because of the complexity of the computation required from the third party. Li et al. [15] proposed an encryption scheme in which the user’s ID is included among the attributes, so that ID authentication is carried out at the same time as decryption; although this scheme improves safety, it increases the workload of the public-key distribution center. Finally, Hinek et al. [16] proposed tk-ABE (token-based attribute-based encryption), which includes a token server that issues a token the user needs in order to decrypt the ciphertext, thus making key cloning meaningless.

Our proposed scheme aims to increase the safety of the secret key without a third party. The ciphertext corresponds to an access structure and the secret key corresponds to a set of attributes; decryption succeeds only if the set of attributes satisfies the access structure.

A (ciphertext-policy) attribute-based encryption scheme consists of four fundamental algorithms: Setup, Encrypt, KeyGen, and Decrypt.

Setup \( \left( {{\varvec{\uplambda}},{\mathbf{U}}} \right) \to ({\mathbf{PK}},{\mathbf{MK}}) \): The Setup algorithm takes security parameter \( \lambda \) and an attribute universe \( {\text{U}} \) as input. It outputs the public parameter PK and the system master secret key MK.

Encrypt \( \left( {{\mathbf{PK}},{\mathbf{M}},{\mathbf{W}}} \right) \to {\mathbf{CT}} \): The Encrypt algorithm takes the public parameter PK, a message M, and an access structure W as input. It outputs a cipher text CT.

KeyGen \( \left( {{\mathbf{MK}},{\mathbf{S}}} \right) \to {\mathbf{SK}} \): The KeyGen algorithm takes the master secret key MK and a set S of attributes as input. It outputs a secret key SK.

Decrypt \( \left( {{\mathbf{CT}}, {\mathbf{SK}}} \right) \to {\mathbf{M}} \): The Decrypt algorithm takes as input the cipher text CT and the secret key SK. If the set S of attributes satisfies the access structure W, then it outputs the message M.

3 Our System Model

In this section we first propose a hybrid encryption scheme, then an attribute-based encryption scheme without key misuse, and finally a concrete realization of that attribute-based encryption scheme.

Our system consists of three parts:

  • The user provides their attribute information and uses the content in a legitimate manner. The user also manages their own terminal fingerprint information;

  • The data server manages the attribute information, the common key and the public parameter PK, and issues the secret key that contains the attribute information of the user;

  • The document sender issues the common key and encrypts the contents.

3.1 Our Hybrid Encryption Scheme

We propose a hybrid encryption scheme \( {\text{HybENC}} \) that uses the terminal fingerprint. \( {\text{HybENC}} \) consists of a common-key encryption scheme CKE, two public-key encryption schemes \( {\text{PKE}}1 \) and \( {\text{PKE}}2 \), and a hash function \( H \): \( {\text{HybENC}} = ({\text{CKE}}, {\text{PKE}}1, {\text{PKE}}2, H) \). Informally, CKE is used for fast encryption and decryption of large data such as pictures and movies. PKE1 is used to encrypt the common key of CKE; later, PKE1 will be replaced by an attribute-based encryption. Finally, PKE2 is used to re-encrypt the common key of CKE; the fingerprint, passed through the hash function, serves as the secret key of PKE2.

Formally, our HybENC is described as follows.

\( {\mathbf{HybENC}}.{\mathbf{Key}}\left( {\varvec{\uplambda}} \right) \to {\mathbf{FK}}, \left( {{\mathbf{PK}}1,{\mathbf{SK}}1} \right),\left( {{\mathbf{PK}}2,{\mathbf{SK}}2} \right) \): The HybENC.Key algorithm takes a security parameter \( \lambda \) as input. It calculates the keys as follows: \( {\text{CKE}}.{\text{Key}}\left( \lambda \right) \to {\text{FK}} \), \( {\text{PKE}}1.{\text{Key}}\left( \lambda \right) \to \left( {{\text{PK}}1,{\text{SK}}1} \right) \), \( H_{\lambda } \left( {\text{fingerprint}} \right) \to {\text{SK}}2 \), \( {\text{PKE}}2.{\text{Key}}\left( {{\text{SK}}2} \right) \to {\text{PK}}2 \). Then it outputs the keys \( {\text{FK}}, \left( {{\text{PK}}1,{\text{SK}}1} \right),\left( {{\text{PK}}2,{\text{SK}}2} \right) \).

\( {\mathbf{HybENC}}.{\mathbf{Enc}}\left( {{\mathbf{FK}},{\mathbf{PK}}1,{\mathbf{PK}}2,\varvec{m}} \right) \to {\mathbf{CT}}, {\mathbf{CT}}2 \): The HybENC.Enc algorithm takes the keys \( {\text{FK}}, {\text{PK}}1, {\text{PK}}2 \) and a plaintext \( m \) as input. It calculates the cipher texts as follows: \( {\text{CKE}}.{\text{Enc}}\left( {{\text{FK}},m} \right) \to {\text{CT}} \), \( {\text{PKE}}1.{\text{Enc}}\left( {{\text{PK}}1,{\text{m}}1 := {\text{FK}}} \right) \to {\text{CT}}1 \), \( {\text{PKE}}2.{\text{Enc}}\left( {{\text{PK}}2,{\text{m}}2 := {\text{CT}}1} \right) \to {\text{CT}}2 \). Then it outputs the cipher texts \( {\text{CT}}, {\text{CT}}2 \).

\( {\mathbf{HybENC}}.{\mathbf{Dec}}\left( {{\mathbf{FK}},{\mathbf{SK}}1,{\mathbf{SK}}2,{\mathbf{CT}},{\mathbf{CT}}2} \right) \to \varvec{m}: \) The HybENC.Dec algorithm takes the keys \( {\text{FK}},{\text{SK}}1,{\text{SK}}2 \) and the cipher texts \( {\text{CT}},{\text{CT}}2 \) as input (CT1 is recovered from CT2). It executes decryption as follows: \( {\text{PKE}}2.{\text{Dec}}\left( {{\text{SK}}2,{\text{CT}}2} \right) \to {\text{m}}2 = {\text{CT}}1 \), \( {\text{PKE}}1.{\text{Dec}}\left( {{\text{SK}}1,{\text{CT}}1} \right) \to {\text{m}}1 = {\text{FK}} \), \( {\text{CKE}}.{\text{Dec}}\left( {{\text{FK}},{\text{CT}}} \right) \to m \). Then it outputs the decryption result \( m \).

3.2 Our Concrete Construction of ABE Without Key Misuse

We apply the above template of our hybrid encryption scheme in the attribute-based setting. The plaintext is encrypted using both the attribute information and the terminal fingerprint information. The advantage of this scheme is that the check of the terminal fingerprint information makes the ciphertext difficult to use by anyone except the authorized user.

We now give our construction by employing Waters’ CP-ABE as PKE1 in the hybrid encryption of Sect. 3.1.

In our construction the set of users is \( {\text{U}} = \{ 1,2, \cdots ,n\} \) and the attribute universe is \( {\text{A}} = \{ 1,2, \cdots ,\ell \} \). A random exponent for encryption is denoted as \( s \in Z_{p} \). Note that secret keys below are randomized to avoid collusion attacks.

DO.Setup \( (\varvec{v},\varvec{w}) \to {\mathbf{FK}} \): The DO.Setup algorithm chooses a prime order \( p \) and a generator \( q \) for the system. Next it chooses two random exponents \( v,w \in Z_{p} \). The common key is agreed by the Diffie-Hellman key exchange

$$ {\text{FK}} = (q^{v} )^{w} mod\;p = (q^{w} )^{v} mod\;p $$

C.Enc \( ({\mathbf{FK}},\varvec{m}) \to {\mathbf{CT}} \): The common-key encryption, C.Enc algorithm takes FK and a plaintext m as input. It outputs a ciphertext CT.

Auth.Setup \( \left( {\varvec{\uplambda}} \right) \to {\mathbf{PK}},{\mathbf{MK}} \): The Auth.Setup algorithm chooses a bilinear group \( G_{1} \) of prime order \( p \) with generator \( g \), and a bilinear map \( e: G_{1} \times G_{1} \to G_{2} \). It then chooses two random exponents \( a,b \in Z_{p} \) and a hash function \( {\text{H}}:\{ 0,1\}^{ *} \to G_{1} \). The public parameter is published as

$$ {\text{PK}} = g,g^{b} ,e(g,g)^{a} $$

The system master secret key is

$$ {\text{MK}} = g^{a} $$

Auth.Ext \( ({\mathbf{MK}},\varvec{S}) \to {\mathbf{SK}} \): The Auth.Ext algorithm takes the master secret key MK and a set of attributes S as input, and chooses a random \( t \in Z_{p} \) for each user.

It creates the secret key as

$$ SK = \left( {g^{a + bt} ,g^{t} ,(K_{X} )_{X \in S} } \right),\;\;\forall_{X \in S} K_{X} = H(X)^{t} $$

U.Setup \( \left( {{\mathbf{SK}},\varvec{f}} \right) \to {\mathbf{F}},{\mathbf{D:}} \) The U.Setup algorithm takes the user’s fingerprint information f and calculates its hash value \( H(f) = D \) (in this paper we use RSA encryption for the re-encryption). It chooses two primes \( p,q \) (these RSA primes are distinct from the group order \( p \) above) and sets \( N = pq \). Next it computes E such that \( DE \equiv 1 {\text{ mod }}\left( {p - 1} \right)\left( {q - 1} \right) \). The user’s terminal-fingerprint public key is \( F = (N,E) \), and the user keeps D as the terminal-fingerprint secret key.

Auth.Enc \( ({\mathbf{PK,FK,}}\varvec{W}) \to {\mathbf{FT:}} \) The Auth.Enc algorithm takes the public parameter PK, the common key FK, and an access structure (W, ρ) over the set of all attributes, and encrypts FK as the message M. The function ρ associates each row of W with an attribute.

Here W is an \( \ell \times n \) matrix. First the algorithm chooses a vector \( \vec{v} = (s, y_{2}, \ldots, y_{n}) \in Z_{p}^{n} \) and \( r_{1}, r_{2}, \ldots, r_{\ell} \in Z_{p} \) at random. The vector is used to share the encryption exponent \( s \). With \( W_{i} \) the vector corresponding to the \( i \)-th row of W, it computes \( \lambda_{i} = \vec{v} \cdot W_{i} \) for \( i = 1, \ldots, \ell \).

It outputs a ciphertext FT as

$$ \begin{aligned} {\text{FT}} & = \left( {\text{FK}}\, e\left( {g,g} \right)^{as} , g^{s} , \widehat{Cs} \right), \\ \widehat{Cs} & = \left( g^{b\lambda_{1}} H\left( X_{\rho_{1}} \right)^{r_{1}} , g^{r_{1}} \right), \left( g^{b\lambda_{2}} H\left( X_{\rho_{2}} \right)^{r_{2}} , g^{r_{2}} \right), \ldots, \left( g^{b\lambda_{\ell}} H\left( X_{\rho_{\ell}} \right)^{r_{\ell}} , g^{r_{\ell}} \right). \end{aligned} $$

Auth.ReEnc \( ({\mathbf{FT}},{\mathbf{F}}) \to {\mathbf{FT}}^{'} \): The Auth.ReEnc algorithm takes the cipher text FT and user’s terminal-fingerprint public key \( {\text{F}} \) as input.

The re-encrypted cipher text is published as

$$ {\text{FT}}^{'} = ({\text{FT}})^{\text{E}} \bmod \;N, $$
$$ {\text{where}}\;({\text{FT}})^{\text{E}} = \left( {\text{FK}}\, e\left( {g,g} \right)^{as{\text{E}}} , g^{s{\text{E}}} , (\widehat{Cs})^{\text{E}} \right). $$

U.Dec \( \left( {{\mathbf{FT}}^{'} ,\varvec{D}} \right) \to {\mathbf{FT}}\text{:} \) The U.Dec algorithm takes as input the re-encrypted cipher text \( {\text{FT}}^{'} \) and the terminal-fingerprint secret key \( D \). The decryption algorithm computes

$$ \left( {{\text{FT}}^{'} } \right)^{D} = ({\text{FT}}^{\text{E}} )^{D} = {\text{FT}} \bmod \;N. $$
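The fingerprint layer U.Setup, Auth.ReEnc and U.Dec above, as an added Python example that is not the paper’s own code. It treats one ciphertext component FT as an integer below N (how elements of \( G_{1} \) are encoded as residues mod N is left open by the paper) and, because \( D = H(f) \) need not be invertible mod \( (p-1)(q-1) \), rehashes with a counter until it is; the fingerprint string and the two small primes are constructed demo values.

```python
import hashlib
from math import gcd

# Constructed demo values: two small primes for the RSA modulus and a fake
# browser fingerprint string (real deployments need full-size primes).
DEMO_P, DEMO_Q = 999_983, 1_000_003
DEMO_FP = b"Mozilla/5.0|1920x1080|Arial,Helvetica|en-US|UTC+9"


def derive_d(fingerprint: bytes, phi: int) -> int:
    """D = H(f) as in U.Setup. The paper does not say what to do when H(f)
    is not invertible mod phi(N); here (an assumption) a counter is appended
    to the hash input and the hash repeated until gcd(D, phi(N)) = 1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(fingerprint + ctr.to_bytes(4, "big")).digest()
        d = int.from_bytes(digest, "big")
        if gcd(d, phi) == 1:
            return d
        ctr += 1


def u_setup(fingerprint: bytes, p: int, q: int):
    """U.Setup: returns (F, D) with F = (N, E) public and D the secret
    exponent that never leaves the user's terminal."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = derive_d(fingerprint, phi)
    e = pow(d, -1, phi)        # D*E = 1 mod (p-1)(q-1); Python >= 3.8
    return (n, e), d


def auth_reenc(ft: int, pub) -> int:
    """Auth.ReEnc on the data server: FT' = FT^E mod N, using only F = (N, E)."""
    n, e = pub
    if not 0 <= ft < n:
        raise ValueError("ciphertext component must be a residue below N")
    return pow(ft, e, n)


def u_dec(ft_prime: int, d: int, n: int) -> int:
    """U.Dec on the user's terminal: FT = (FT')^D mod N."""
    return pow(ft_prime, d, n)


def round_trip(fingerprint: bytes, ft: int, p: int, q: int) -> bool:
    """True when re-encryption followed by fingerprint decryption restores FT."""
    (n, e), d = u_setup(fingerprint, p, q)
    return u_dec(auth_reenc(ft, (n, e)), d, n) == ft


def wrong_terminal(fingerprint: bytes, other: bytes, ft: int, p: int, q: int) -> bool:
    """True when a terminal with a different fingerprint (hence a different D)
    fails to recover FT, which is the key-misuse protection the scheme claims."""
    (n, e), _ = u_setup(fingerprint, p, q)
    _, d_other = u_setup(other, p, q)
    return u_dec(auth_reenc(ft, (n, e)), d_other, n) != ft


if __name__ == "__main__":
    print(round_trip(DEMO_FP, 123456789, DEMO_P, DEMO_Q))
    print(wrong_terminal(DEMO_FP, b"other terminal", 123456789, DEMO_P, DEMO_Q))
```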

U.ReDec \( ({\mathbf{FT}},{\mathbf{SK}}) \to {\mathbf{FK:}} \) The U.ReDec algorithm takes the cipher text FT and the secret key SK as input, where SK is for an attribute set \( S \) and FT is for the access structure \( \left( {W, \rho } \right) \). Suppose that S satisfies the access structure and define \( I = \{ i : \rho (i) \in S \} \subset \{1, 2, \ldots, \ell\} \). Then there exist constants \( \{ \omega_{i} \in Z_{p} \}_{i \in I} \) such that, if \( \{ \lambda_{i} \} \) are valid shares of the secret s, then \( \sum\nolimits_{i \in I} \omega_{i} \lambda_{i} = s \). The U.ReDec algorithm outputs the common key FK.

The re-decryption algorithm computes

$$ \frac{ e\left( g^{s} , g^{a + bt} \right) }{ \prod_{i \in I} \left( \frac{ e\left( g^{b\lambda_{i}} H\left( X_{\rho_{i}} \right)^{r_{i}} , g^{t} \right) }{ e\left( H\left( X_{\rho_{i}} \right)^{t} , g^{r_{i}} \right) } \right)^{\omega_{i}} } = \frac{ e\left( g,g \right)^{as} e\left( g,g \right)^{bts} }{ \prod_{i \in I} e\left( g,g \right)^{bt\omega_{i} \lambda_{i}} } = e(g,g)^{as}, $$
$$ \frac{ {\text{FK}}\, e\left( g,g \right)^{as} }{ e\left( g,g \right)^{as} } = {\text{FK}}. $$

C.Dec \( ({\mathbf{FK}},{\mathbf{CT}}) \to \varvec{m}: \) The \( {\text{C}}.{\text{Dec}} \) algorithm takes the common key FK and the cipher text CT as input. It outputs the message m.

4 Discussion

This paper shows that the confidentiality of shared data encrypted with the proposed scheme is protected and that it is difficult to reveal the secret keys. The proposed scheme is secure against chosen-plaintext attacks because the underlying ABE scheme is secure against chosen-plaintext attacks. Even if the encrypted data is published, our scheme resists attacks from colluding users. An attacker who does not know the terminal fingerprint information of the legitimate user cannot obtain the secret key.

In this study we proposed a cryptosystem to improve security. In the proposed method the data server only sends the re-encrypted cipher text and the private information to the user, whereas otherwise the data server would have to send both the cipher text and the secret key. In addition, the user creates the secret key and the re-encryption key from the private information. The user keeps the secret key and sends the re-encryption key to the data server, which uses it to re-encrypt the cipher text. Finally, the data server sends the re-encrypted cipher text back to the user.

The proposed cryptosystem uses the terminal fingerprint information of the user. The terminal fingerprint is assumed to be unchangeable and unknowable to others. Also, only the key generation, encryption and decryption programs running on the trusted terminal can obtain the value of the fingerprint. The proposed scheme is built on these conditions. Here the terminal fingerprint information is different for each user, so it can be used as a user ID while guaranteeing the anonymity of the user’s own information. Misuse of the terminal fingerprint, such as transfer of the secret key, is improper behaviour and is meaningless: since the secret key of the legitimate user includes their terminal fingerprint information, and the terminal fingerprint is different on another terminal, the transferred secret key is effectively revoked. The safety of the secret key is increased in this way.

We proposed a hybrid encryption scheme in which any public-key encryption scheme can be used. It is also easy to add, update and delete user information, and we do not need a trusted third party to guarantee the security of encryption and to authenticate users. In this scheme the secret key is generated and stored by the user, which protects it against attacks on the communication channel.

Our scheme requires each user to provide their own terminal information to the key management center. If there is a large number of simultaneous user applications, the workload of the management center can be quite heavy, so in future we should consider decreasing the computational complexity of re-encryption.

Finally, the system ensures that the key cannot be copied, forwarded, etc., and the safety of the secret key is thereby provided.

5 Conclusion and Future Work

In this study we combined the user’s terminal fingerprint data with a public-key/secret-key pair. Furthermore, we proposed a cryptographic scheme that updates the secret key during the decryption phase using the terminal fingerprint information. As a result, the secret key is protected by ensuring that it does not operate except on the terminal where the key pair was generated, even if an attacker eavesdrops on the user’s secret key.

As future work, the encryption and decryption time can be optimized by designing a suitable algorithm. Furthermore, a security issue of our proposed method is that, if the user connects to the Internet, the terminal fingerprint could be eavesdropped on by an attacker. Hence a proper solution should be proposed to mitigate this issue.