Hierarchical Role-Based Encryption Scheme Based on Trusted Execution Environment

doi:10.3969/j.issn.1671-1122.2026.02.011

Abstract

Abstract:

This paper proposed a hierarchical role-based encryption scheme based on trusted execution environment to address the shortcomings of existing encryption technologies in data sensitivity protection and runtime security. The scheme combined hierarchical role-based encryption with trusted computing, dynamically matching data access permissions and sensitivity requirements by selecting different levels of role public keys for encryption based on data sensitivity. For general data, encryption was performed using keys from deeper-level nodes, while for highly sensitive data, keys from shallow-level nodes closer to the root were used. Furthermore, encryption operations and key management were carried out within the trusted execution environment, ensuring that encryption keys and sensitive data were not compromised or tampered with during processing, effectively addressing the shortcomings of conventional encryption schemes in runtime protection. Additionally, by leveraging the hardware isolation characteristics of trusted execution environment and hierarchical role-based encryption, the system enhanced its resistance to attacks and implemented more refined access control management. Experimental results demonstrate that the proposed scheme not only ensures data security but also offers high efficiency.

Key words: data encryption, identity-based encryption, trusted execution environment, Intel SGX

CLC Number:

TP309

ZHAO Jia, WANG Yanchun, MA Hongliang, LI Qi. Hierarchical Role-Based Encryption Scheme Based on Trusted Execution Environment[J]. Netinfo Security, 2026, 26(2): 315-324.

Figures/Tables 10

References 16

[1]	ASOKAN N, EKBERG J E, KOSTIAINEN K, et al. Mobile Trusted Computing[J]. Proceedings of the IEEE, 2014, 102(8): 1189-1206. doi: 10.1109/JPROC.2014.2332007 URL
[2]	CHANG C C, LIN I C, TSAI H M, et al. A Key Assignment Scheme for Controlling Access in Partially Ordered User Hierarchies[C]// IEEE. The 18th International Conference on Advanced Information Networking and Applications. New York: IEEE, 2004: 376-379.
[3]	AKL S G, TAYLOR P D. Cryptographic Solution to a Problem of Access Control in a Hierarchy[J]. ACM Transactions on Computer Systems, 1983, 1(3): 239-248. doi: 10.1145/357369.357372 URL
[4]	ATALLAH M J, BLANTON M, FAZIO N, et al. Dynamic and Efficient Key Management for Access Hierarchies[J]. ACM Transactions on Information and System Security, 2009, 12(3): 1-43.
[5]	LIN Yuli, HSU C L. Secure Key Management Scheme for Dynamic Hierarchical Access Control Based on ECC[J]. Journal of Systems and Software, 2011, 84(4): 679-685. doi: 10.1016/j.jss.2010.11.926 URL
[6]	TANG Shaohua, LI Xiaoyu, HUANG Xinyi, et al. Achieving Simple, Secure and Efficient Hierarchical Access Control in Cloud Computing[J]. IEEE Transactions on Computers, 2016, 65(7): 2325-2331. doi: 10.1109/TC.2015.2479609 URL
[7]	CHEN Y R, TZENG W G. Hierarchical Key Assignment with Dynamic Read-Write Privilege Enforcement and Extended KI-Security[C]// Springer. International Conference on Applied Cryptography and Network Security. Heidelberg: Springer, 2017: 165-183.
[8]	PAREEK G, PURUSHOTHAMA B R. Efficient Strong Key Indistinguishable Access Control in Dynamic Hierarchies with Constant Decryption Cost[C]// ACM. The 11th International Conference on Security of Information and Networks. New York: ACM, 2018: 1-7.
[9]	ZHOU Lan, VARADHARAJAN V, HITCHENS M. Enforcing Role-Based Access Control for Secure Data Storage in the Cloud[J]. The Computer Journal, 2011, 54(10): 1675-1687. doi: 10.1093/comjnl/bxr080 URL
[10]	ZHU Yan, AHN G J, HU Hongxin, et al. Role-Based Cryptosystem: A New Cryptographic RBAC System Based on Role-Key Hierarchy[J]. IEEE Transactions on Information Forensics and Security, 2013, 8(12): 2138-2153. doi: 10.1109/TIFS.2013.2287858 URL
[11]	MARIN-PERE J M, PEREZ G M, SKARMETA-GOMEZ A F. SecRBAC: Secure Data in the Clouds[J]. IEEE Transactions on Services Computing, 2017, 10(5): 726-740. doi: 10.1109/TSC.2016.2553668 URL
[12]	SCHWARZ M, WEISER S, GRUSS D. Practical Enclave Malware with Intel SGX[C]// Springer. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Heidelberg: Springer, 2019: 177-196.
[13]	RAN Jinhao, CAI Dongliang. Attribute Signature Identity Authentication Scheme Based on Blockchain and Trusted Execution Environment[J]. Journal of Computer Research and Development, 2023, 60(11): 2555-2566.
	冉津豪, 蔡栋梁. 基于区块链和可信执行环境的属性签名身份认证方案[J]. 计算机研究与发展, 2023, 60(11):2555-2566.
[14]	YE Jiajun. Research on Federated Learning Algorithms Based on Trusted Execution Environment[D]. Hangzhou: Zhejiang University, 2024.
	叶家俊. 基于可信执行环境的联邦学习算法研究[D]. 杭州: 浙江大学, 2024.
[15]	HE Jiahao. Research and Implementation of Data Privacy Protection Method for Fabric Consortium Chain Based on Trusted Execution Environment[D]. Nanjing: Southeast University, 2023.
	何嘉昊. 基于可信执行环境的Fabric联盟链数据隐私保护方法研究与实现[D]. 南京: 东南大学, 2023.
[16]	SULTAN N H, VARADHARAJAN V, ZHOU Lan, et al. A Role-Based Encryption(RBE) Scheme for Securing Outsourced Cloud Data in a Multi-Organization Context[J]. IEEE Transactions on Services Computing, 2022, 16(3): 1647-1661. doi: 10.1109/TSC.2022.3194252 URL

安全性	文献[16]方案	本文方案
密钥管理安全	无硬件级密钥保护，密钥易受攻击	采用SGX实现硬件级密钥保护
抗恶意攻击能力	易受软件层攻击	TEE提供隔离
用户身份认证	无强认证机制，存在假冒风险	实现安全认证
数据机密性	采用角色基加密保障数据机密性	采用SGX进一步增强机密性
数据完整性	无法有效检测数据篡改	SGX保证数据在处理过程中不被篡改
数据可用性	通过角色权限控制数据访问	可用性不变，增加了更安全的访问控制

用户数量/个	EPC占用/MB	换页次数/次	额外换页时延/ms
10	20	10	1.5
50	45	50	2.8
100	75	140	4.7
200	110	350	8.5
300	大于128	750	15.3
400	大于128	1200	21.8
500	大于128	1800	29.4

安全等级	EPC占用/MB	换页次数/次	额外换页时延/ms
L1（叶子节点）	45	50	2.8
L2（中间节点）	50	64	4.2
L3（根节点）	52	68	5.1