Potchakorn Poomekum, Arisara Suriyawong, Somchart Fugkeaw
The proliferation of Internet of Things (IoT) devices in cloud-assisted environments raises urgent concerns regarding fine-grained access control, policy privacy, and resilience against quantum adversaries. To address these challenges, we propose a lightweight and quantum-resistant access control framework that combines Ring-LWE-based Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with a fog-assisted split-path partial encryption architecture. In our scheme, IoT devices encrypt raw data using AES-256-GCM, while fog nodes perform the RLWE-CP-ABE encapsulation of session keys, thereby reducing device-side computation while ensuring that neither plaintext nor session keys are exposed to semi-trusted fog nodes. To preserve policy confidentiality, we integrate a salted attribute-hashing mechanism into the Linear Secret Sharing Scheme (LSSS) matrices, concealing access policies even during fog-side processing. Furthermore, we design an epoch-based and blacklist-based revocation mechanism that supports both user-level and attribute-level revocation without requiring ciphertext re-encryption. Security is guaranteed through CRYSTALS-Dilithium signatures and Poly1305 message authentication, which provide post-quantum authenticity and integrity. Experimental results confirm that our framework significantly reduces computational and communication overhead while achieving scalable, verifiable, and post-quantum-secure access control, outperforming existing lattice-based CP-ABE schemes in both efficiency and security.
Yifei Li, Yinghui Zhang, Qixuan Xing
Qiuxiang Dong, Dijiang Huang, Jim Luo, Myong Kang
Zhiquan Lv, Hong Cheng, Min Zhang, Dengguo Feng