Comments on “Attribute-Based Data Sharing Scheme Revisited in Cloud Computing”

2021 
In this letter, we discuss the security weaknesses of Wang et al.'s attribute-based data sharing scheme, published in IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY (TIFS) (DOI: 10.1109/TIFS.2016.2549004). By designing two concrete attacks, we identify two serious security flaws in their scheme. 1) First, we show that their scheme is insecure because any authenticated user can freely tamper with the weight of his own attribute to gain a higher-level decryption privilege and arbitrarily decrypt ciphertext belonging to another user with a higher attribute weight. 2) Second, we further demonstrate that their scheme is trivially insecure because even when a malicious authenticated user's attributes do not match the access policy of a ciphertext, he/she still has the power to decrypt the ciphertext, i.e., the decryption power is independent of attributes; thus, their scheme is not a rigorous attribute-based scheme. The two weaknesses discovered may render their scheme infeasible for practical deployment. Accordingly, we present a remedy for these issues that preserves all the security features of the original scheme. We hope that our cryptanalysis and remedy scheme may contribute to avoiding similar design flaws in future designs.