Attribute-Based Lightweight Encryption Framework for Securing a Voter Database

The rapid growth in digital data, driven by the rise of cloud technologies and the Internet of Things (IoT), requires finding secure and effective encryption systems. Traditional cryptography algorithms, though very strong, might not provide a balance among security, scalability, and computational efficiency in contemporary distributed systems [1-3]. Users, companies, and governmental organizations need security solutions to store their sensitive documents and data in cloud platforms [4]. Thus, the researchers have already thought of the existence of hybrid and lightweight cryptography schemes, the combination of symmetric and asymmetric approaches to the establishment of the confidentiality and performance levels [5-7]. Meanwhile, chaotic maps and pseudorandom generators are also proposed as an effective method for key generation that is both secure and reliable, owing to their high sensitivity to initial conditions and unpredictability [8]. The properties of the chaotic maps, such as the logistic map, piecewise linear chaotic maps, and higher-dimensional chaotic systems, are appropriate for generating complex keystreams [9]. Biometric methods have reduced user-centric authentication compared to chaotic systems, thereby increasing predictability. Biometric techniques, in particular, fingerprint minutiae extraction, have been more useful for identity verification, thereby providing value to cryptographic keys [10-12]. Multi-biometric fusion has been analyzed to enhance higher accuracy in authentication [2, 13]. At the same time, the mechanism of ABE has been developed as a paramount control of access rights when considering attributes (e.g., name, email, organizational role) of users directly inside the encryption methodology [14]. This paradigm ensures that the decryption process does not purely depend on cryptographic keys but also on attribute policies, which makes it particularly successful with cloud and FinTech applications, where multi-user access is a characteristic feature [15-17]. Despite these improvements, the existing knowledge tends to discuss biometric authentication and ABE separately. Some studies combine the use of passwords with biometrics in the generation of keys based on Rivest Shamir Adelman (RSA) [18, 19] or utilize hybrid cryptography for cloud storage [20, 21]. Nevertheless, an active combination of user attributes, biometrics, and chaos-based key generation is not studied properly. Furthermore, lightweight frameworks are needed to support resource-constrained devices [1, 2]. It rarely deals with the dynamic properties of the session-specific secret keys that change with each transaction. The current literature in election data security tends to focus on ABE, biometric authentication, chaos-based or hash-based generation of keys as individual tools, but does not offer a cohesive framework of how cryptographic keys are tied to the identity of the user and to the attributes of the session. Specifically, the joint operation of fine-grained access control and dynamically generated biometric-based session keys is even under-investigated, particularly in the lightweight and large-scale database models. In a bid to fill this gap, this paper proposes a hybrid security model that incorporates ABE with fingerprint biometrics and hash-based key derivation involving the use of the SHA-512 hash algorithm to generate dynamic and secure keys. The suggested scheme binds the secret keys to user features and biometric minutiae, hence, session-related and identity-related encryption. A suggested mechanism based on RSA is used to perform safe key exchange, whereas lightweight ciphers are used to ensure efficient data encryption. The integrated design offers a scalable and viable solution to the security of sensitive voter data on cloud- and IoT-assisted elections. The remainder of this paper is organized as follows. Section 2 summarizes related work. Section 3 explains the proposed method for the framework and its primary elements. Section 4 will present the experimental results. Lastly, Section 5 presented the conclusion of the paper.

The proposed method aims at developing a secure and light hybrid cryptographic architecture that integrates biometric authentication and multi-level encryption. The system combines user identifications and characteristics based on fingerprinting to dynamically create distinct encryption keys every session. This combination ensures the balance between computability and cryptographic capability. The model uses the RC5 block cipher and a ChaCha-based stream cipher to protect biometric information and uses an RSA-based approach that is enhanced with a six-dimensional hyperchaotic system to exchange keys safely, as shown in Figure 1. It is a multi-tiered architecture that enhances confidentiality, integrity, and resistance to brute-force and replay assaults, which makes it suitable in current IoT and cloud-assisted environments where security and efficiency are the most crucial factors.

Figure 1. General framework for the proposed method

The formal key-policy attribute-based encryption (KP-ABE) component is used in the proposed system, which includes a set of universal attributes $\mathcal{U}$, a finite set of attributes $\mathcal{A}$, which are attributes describing user-related and system-related values, user role, affiliation to an organization, identity parameter, and biometric-derived credentials, where $\mathcal{A} \subseteq \mathcal{U}$. The policy access $\mathcal{P}$ is established over the attribute set space using a Boolean structure with only those attribute sets satisfying the policy implemented within the secret key of the user to be decrypted. The KP-ABE scheme used in this work is composed of the following 4 polynomial-time algorithms:

• Setup $(\lambda)$: The setup algorithm takes a security parameter $\lambda$ and constructs the system by creating the public parameters PK and a master secret key MSK.

• Key Generation (MSK, $\mathcal{P}$): The key generation algorithm generates an attribute secret key SK with the help of master secret key MSK and access policy $\mathcal{P}$. This key is safely authorized to a certified user.

• Encrypt (PK, M, $\mathcal{A}$): With the public parameters PK, message M (in this case represented as a dynamically generated session key) is encrypted with respect to attribute set $\mathcal{A}$, then the ciphertext CT is obtained.

• Decrypt (SK, CT): The decryption algorithm can successfully extract the message M out of CT only when the attribute set satisfies the access policy that comes with the secret key SK.

In comparison to traditional KP-ABE systems, where it is often assumed that big data objects are simply encrypted, the framework proposed modifies KP-ABE to secure dynamically generated session keys. where user attributes such as the hashed credentials and a secured biometric template are calculated to produce the session key. These session keys are then employed together with the lightweight symmetric encryption algorithms to encrypt the voter registration database. The design option maintains computational efficiency and allows fine-grained, attribute-based access control, where the policy of access is outlined as a conjunctive attribute rule, where the session key will be created only in the case of all the requirements being met. The KP-ABE component security is taken to be in the standard model of indistinguishability under chosen-plaintext attack (IND-CPA) model. Informally, an adversary who lacks a secret key with an access policy that meets the corresponding attribute set is unable to differentiate between encryptions of two randomly chosen session keys with non-negligible advantage. Because the session keys are calculated based on biometric measurements and cryptographic hash message-digest algorithms, and the underlying construction of the KP-ABE is based on time-tested IND-CPA secure designs, the framework of the proposed construction inherits its confidentiality properties. Any attack on the ABE-protected session keys would hence connote the violation of the underlying KP-ABE security assumption.

A combination of multi-tiered encryption algorithms, including the RC5 method, which is inspired by ChaCha, and RSA with chaotic key generation, generates a strong hybrid framework. Such a framework aimed to ensure significant entropy in key generation, instant modification, and enhanced resistance to both the differential and statistical attacks.

3.1 Proposed attribute secret key generation scheme

The suggested key-generating scheme incorporates user attributes with biometrics to generate dynamic and secure session keys. The password is first hashed with SHA-512, and then it is combined with the hexadecimal form of the username. This combination is rehashed to create a given length Master Key. Simultaneously, fingerprint minutiae are extracted, such as x-y coordinates, the type of ends of the ridges, as well as their bifurcation, and their angle. All features are normalized and transformed into a hexadecimal value. Minutiae features with a pseudo-random selection are sampled.

Each communication session has a seeding value of the Master Key and the session identifier, making it unpredictable and varying as illustrated in Figure 2. The chosen features are then combined with the Master Key and digested with the SHA-512 to obtain the final Session Key. Such dynamic keys are subsequently used in a hybrid cryptographic architecture, a mixture of RC5 and ChaCha, to obtain both a lightweight property and resistance to cryptographic attacks.

Figure 2. Proposed attribute secret key generation scheme

3.1.1 Fingerprint feature extraction (minutia)

The extraction of fingerprint features is a crucial step in biometric-based security systems, which aim to produce stable and reliable data for further processing. Images of raw fingerprints are initially processed in several stages, which include noise elimination, histogram equalization, image scaling, binarization, and thinning to promote clarity of ridges and valleys and to increase uniformity of the images. Figure 3 indicates the block diagram of the preprocessing step.

Figure 3. Fingerprint preprocessing stages

Noise reduction will reduce the artifact added in the acquisition phase, but histogram equalization will redistribute pixel values to increase contrast and show ridge lines. The scaling process normalizes image ratios in an appropriate way, whereas the thinning process removes ridges to a single pixel line without reducing their structural integrity, hence allowing accurate minutiae recognition. After the preprocessing, the crossing number (CN) method is used to detect the unique fingerprint features, which include ridge ends and bifurcations expressed via x and y coordinates, orientation angles, and types. The method of CN is grounded on the analysis of pixel distribution of the fingerprint and assists in categorizing the minutiae as shown in Eq. (1).

$C N=\frac{1}{2} \sum_{i=1}^8\left|P_i-P_{i-1}\right|$             (1)

where, $P_{\mathrm{i}}$ is the current pixel, while $P_{\mathrm{i}-1}$ is the neighboring pixel. Each feature extracted is then translated into a hexadecimal and joined together into one string. To achieve diversity in security, a dynamically chosen set of these minutiae features is used during each session to produce a session-specific secret key, thus increasing the system's resistance to replay and key-compromise attacks. Figure 4 shows the outcome of the preprocessing and extraction of features of the fingerprint image.

Figure 4. Preprocessing and feature extraction result

3.1.2 Master key generation

The integration of the user attributes and a password generates the master key. The user-provided password is first fetched from the input field and converted to a hexadecimal form. This string is hashed with SHA-512. Simultaneously, the user attributes typed by the user are also converted to their hexadecimal value in the same way. The user attributes string is finally concatenated with the hashed password to create a unique master key used to securely perform cryptographic operations.

3.1.3 Secret key generation

The last step involves the generation of the secret key by the proposed system using the fingerprint feature that has been extracted, together with the master key that was obtained earlier. The two parts are then joined into a single string and fed into a modified version of the SHA-512 hashing algorithm. The product of this hashing algorithm is the final secret key, which is unique, resistant, and immutable to cryptanalytic attacks. The resulting secret key is then shown in the system interface and used as the main component in securing further cryptographic operations.

3.2 Key exchange using Rivest Shamir Adelman

To guarantee the safety of the communication process, the suggested system makes use of the RSA algorithm to exchange the keys, which is supplemented with a six-dimensional hyperchaotic system to increase the level of randomness in the parameters generation.

$\dot{x}_1=\alpha\left(1-\beta\left|x_6\right|\right) x_2-a x_1$                (2)

$\dot{x}_2=c x_1+d x_2-x_1 x_3+x_5$                (3)

$\dot{x}_3=-b x_1+x_1^2$                (4)

$\dot{x}_4=e x_2+f x_4$                (5)

$\dot{x}_5=-r x_1-k x_5$                (6)

$\dot{x}_6=-x_2$                (7)

The mentioned chaotic system consists of six equations, namely, Eqs. (2)-(7), which contain state variables ( $x_1, x_2, x_3$, $x_4, x_5$, and $x_6$ ) and system parameters ( $\alpha, \beta, a, b, c, d, e, f, r$, and $k)$ [23].

Firstly, the 6D system is used to generate chaotic sequences based on the initial conditions and control parameters provided. These sequences are then normalized, rounded, and converted to integers. Next, the prime numbers among these generated numbers are identified, and RSA key components are created using these primes. Specifically, two prime pairs are selected to generate the public and private key parameters. Each pair is used to compute the Euler totient function, which helps determine the correct modular inverse. After setting the RSA parameters, the secret key from the previous step is encrypted using the public key. All parts of the secret key are converted into hexadecimal and decimal formats, and modular exponentiation is applied to secure the key exchange. The encrypted segments become the RSA ciphertext, which is stored and transmitted, while the private key parameters are securely kept at the receiver's end, as shown in Figure 5, This approach combines the predictability of chaotic systems with the strength of RSA to enhance resistance against cryptanalytic and brute-force attacks.

Figure 5. Proposed key exchange

3.3 Premutation step (confusion step)

At this point, the redistribution of bits is done through a 6D hyper-chaotic system, in which the rows of the database are not correlated, thus disconnecting the connection between the data, which are frequently repeated because of the repetition of the data elements (names and numbers).

3.4 Encryption algorithm

Two fundamental algorithms are used in the stream cipher as part of the encryption technique. The RC5 algorithm is used in the first technique, and the ChaCha algorithm is used in the second. With respect to cryptographic parameters, the RC5 algorithm was set at 12 rounds, a relatively standard setting in lightweight cryptography implementation that offers a realistic tradeoff between the level of security and the cost of computation. In the same fashion, the ChaCha parameters were chosen according to typical literature recommendations so that there is enough diffusion and resistance against all known cryptanalytic attacks, and low computational overhead, such that encryption of large databases is feasible.

3.4.1 RC5 stream cipher (diffusion step)

Sensitive data is encrypted, and the encrypted data is obtained by using the secret key that is supplied from the server as a seed to create a sequence of keys.

The RC5 symmetric block cipher algorithm was used to provide a secure and computationally efficient encryption layer for biometric data. The encryption process begins with initializing the RC5 parameters, where the word size (w) is defined as 32 bits, the number of rounds is 12, and the key length is 16 bytes. The constants P and Q are derived from the mathematical values of the natural logarithm base (e = 2.718281828) and the golden ratio ($\phi$ = 1.618033988), respectively, to enhance randomness during the key expansion phase. A sub-key array is generated, producing a table of 26 words that serves as the foundation for the round-based encryption process. The algorithm works on files with loaded data of 512 bits of hexadecimal type. The plaintext pair input of encryption is broken down into two 64-bit words that make up each segment. The encryption algorithm employs modular arithmetic, XOR, and circular shift bits by processing the two-word blocks in each round (twelve rounds) to guarantee a high level of diffusion and confusion. All the encryption and decryption procedures are implemented with 64-bit unsigned integer arithmetic to provide numerical accuracy and consistency. This encryption module is an RC5-based block that is used as a part of the proposed hybrid cryptographic architecture, in which features derived with the help of biometrics are used to create and dynamically manage encryption keys. The proposed framework, which integrates symmetric encryptions using RC5 with a biometric-based key generation, is lightweight and highly secure, and thus it would be ideal in secure communication and protection of data in the resource-constrained setting, including IoT and cloud-assisted systems.

3.4.2 ChaCha stream cipher (diffusion step)

The secret key dispatched by the server is used as a seed to create a sequence of keys, which is used in encrypting the existing database.

3.5 Saved encryption data

At this level, the encrypted information will be stored by assigning certain symbols, which will be the order of the record in the database. Using a 6D Hyperchaotic System, it is produced in a way that makes this data encrypted and does not have the same order as the database being original.

These experimental findings validate the fact that user attributes combined with fingerprint-derived minutiae allow the creation of session-specific cryptographic keys that have high randomness and diversity characteristics. The results of the observed entropy and statistical randomness demonstrate that derived keys are unpredictable enough to resist brute-force attack and exploitation of key patterns. Moreover, the inconsistency of the Hamming distance of the generated keys shows successful key diversity that will mitigate key reuse and improve resistance to replay and key-compromise attacks.

System-wise, the proposed hybrid solution has a tradeoff between the level of security and the level of computational efficiency. Lightweight symmetric encryption to protect large voter records has significantly lower computational costs than the case of fully asymmetric encryption of bulk data, and the suggested key exchange protocol allows secure distribution of session keys with minimal introduction of latency overhead. These features facilitate the extension of the framework to large voter databases where responsiveness and data confidentiality are very important. As per the comparative analysis conducted in Table 10, most of the current techniques consider isolated features of data security, like biometric authentication, ABE, without providing a solution to an integrated solution, which is a combination of fine-grained access control with dynamic identity-bound key generation. The suggested framework, on the other hand, combines attribute-based policy enforcement, biometric-generated session keys, and lightweight encryption algorithms in one architecture. This combination renders it more scalable and practically applicable than other related works, especially in election database security, where access control, authentication, and useful bulk encryption have to co-exist. In spite of such positive outcomes, there are several limitations to be considered. The biometric data set was sampled locally and might not be quite representative of the variations in large public datasets. As well, the existing testing is on database protection and key management, as opposed to end-to-end deployment over a full election infrastructure. Although the empirical randomness and attack-oriented analysis support the security analysis, the theoretical basis should be enhanced in the future by offering more formal security arguments to the component of ABE and the key exchange mechanism. Regarding its practical implication, the suggested framework can be implemented as a protection layer to cloud- and IoT-assisted election settings, voter registration databases. The attribute-based policy element aids role-based management and auditing, whereas biometric binding enhances identity assurance of the privileged access. Future research can involve assessment using larger, more heterogeneous biometric data, exploration of privacy-preserving template protection schemes, and practical research in experimental election systems to further confirm the viability of deploying the systems in the real world.