Abstract: To research the security and efficiency of the access control mechanism, this paper proposes an access control scheme based on the ATP-ABE（Access Tree Pruning Attribute Based Encryption）. When the ATP-ABE algorithm requires its access tree structure of the access policy, it prunes the access tree’s branch which contains the user ID attribute node. It can not only improve the DO’s efficiency of attribute management and control, but also be easy to realize data sharing. Meanwhile it designs the permission access attribute for access tree structure. The DO still retains the key attributes of shared data and can control their shared data completely. The DBDH（Decisional Bilinear Diffie-Hellman） assumption analyzes the security of the ATP-ABE scheme. The results show that compared with the two classical ABE scheme, the ATP-ABE can reduce the system settings, the private key generation, the ciphertext size, the user attribute revocation, the encryption and decryption in the computational overhead, and it gives a quantitative conclusion of the algorithm.

Key words: access control, attribute encryption, Ciphertext-Police Attribute Based Encryption（CP-ABE）, attribute revocation

摘要： 对访问控制机制中存在的安全性和有效性的问题进行了研究，提出了基于访问树剪枝的属性加密ATP-ABE（Access Tree Pruning Attribute Based Encryption）的访问控制方案。当ATP-ABE算法需要访问它的树型结构访问策略时，通过剪枝处理访问树结构中包含用户ID属性节点的分支，提高了用户所有者DO（Data Owner）管理和控制属性的效率，更加有效地实现了数据共享。还为访问树结构设计了许可访问属性，使DO仍保留共享数据的关键属性，并且能够完全控制它们的共享数据。基于决策双线性密钥交换算法DBDH（Decisional Bilinear Diffie-Hellman）假设分析了ATP-ABE方案的安全性，研究结果表明与两种经典ABE方案比较，ATP-ABE更加有效地减少了算法的系统设置、私钥生成、密文大小、用户属性撤销以及加解密过程中的计算开销，并给出了定量结论。

关键词: 访问控制, 属性加密, 密文策略基于属性加密（CP-ABE）, 属性撤销