An Improvement on "CryptCloud+: Secure and Expressive Data Access Control for Cloud Storage"

Recently, Ning et al. proposed the "CryptCloud(+): Secure and Expressive Data Access Control for Cloud Storage" in IEEE Transaction on Services Computing. This work provided two versatile ciphertext-policy attribute-based encryption (CP-ABE) schemes to achieve flexible access control on encrypted data, namely ATER-CP-ABE and ATIR-CP-ABE, both of which have attractive advantages, such as white-box malicious user traceability, semi-honest authority accountability, public auditing and user revocation. However, we find a bug of access control in both schemes, i.e., a non-revoked user with attribute set S can decrypt the ciphertext ct encrypted under any access policy (A, ?), regardless of whether S satisfies (A, ?) or not. This article carefully analyzes the bug, and makes an improvement on Ning's pioneering work, so as to fix it.