1

Ciphertext policy attribute based encryption

with efficient revocation

Xiaohui Liang†, Rongxing Lu†, Xiaodong Lin‡, and Xuemin (Sherman) Shen†

Abstract

Ciphertext Policy Attribute Based Encryption (CPABE) enables users’ encryption with an access

structure while assigning decryption capability in accordance with attribute sets. In this paper, we study

central-control revocation in CPABE environment, where the proposed key generation, encryption and

decryption algorithms closely comply with CPABE model [1], and key update algorithm is developed.

In addition, we inherit the most efficient revocation techniques [2] to improve the efficiency of our key

update algorithm. With our scheme, users can stay attribute anonymous while being associated with a

unique identifier in system manager’s view, therefore revoking malicious users’ decryption capabilities

according to their unique identifiers would not affect honest users’ decryption. Our scheme can be

proved chosen plaintext secure based on Decisional Bilinear Diffie-Hellman (DBDH) assumption in the

standard model. We also provide efficiency analysis and some extensions including delegation capability

and chosen ciphertext security.

keyword: Central-control revocation, Ciphertext policy attribute based encryption, DBDH

assumption, Standard model

I. INTRODUCTION

Ciphertext Policy Attribute Based Encryption (CPABE), similar to role-based access control,

can be widely applied as an access control mechanism in many applications such as Electronic

Health Records (EHR) management systems and education systems [3]. For example, the sen-

sitive medical records, tightly related to patients’ privacy, must be accessed only if doctors are

consented by patients; standard solutions of final exams for online education system should be

only read by professors or specified teaching assistants. Recently, CPABE has been demonstrated

to efficiently deal with those situations, by encrypting the sensitive information with expressive

access structures, such as “Speciality: Medicine” OR “Position: Physician”, “Position: Professor”

October 22, 2012 DRAFT

2

OR (“Department: Computer Science” AND “Position: Teaching Assistant”). This preferable

measure (because it benefits to access control system in terms of efficient distributing, expressive

access control and data confidentiality) has attracted a great attention. [1], [4]–[12]

The first CPABE model was introduced by Bethencourt et al. [1], where a universal set of

attributes are public input to its algorithms. Key Generation algorithm takes an attribute set

from a user as input, and outputs a secret key for this user. Encryption algorithm takes an

access structure and a plaintext M as inputs, and outputs a ciphertext C corresponding to the

access structure. Decryption algorithm takes a ciphertext C and a secret key K as inputs, and

finishes a successful decryption only if the attribute set of K satisfies the access structure of

C. Compared to classical Identity Based Encryption (IBE), this CPABE design enables system

manager to assign secret keys according to attributes instead of users’ identities, and has a

significant improvement of IBE in terms of efficient encryption and anonymous decryption (not

explicitly revealing users’ identifiers). However, we notice that since users’ decryption is not

related with unique identifiers, to revoke and eliminate the attacks from malicious decryptors

becomes more difficult. For example, a physician P with attribute “Position: Physician” is able to

decrypt the encrypted PHI with access structure “Position: Physician” OR “Speciality: Stroke”.

P behaves honest and obtains a valid secret key in the initialization phase, and then launches

malicious attacks which has been detected by system manager later. If using any cryptographical

scheme designed in the above CPABE model, system manager would be trapped in a dilemma,

i.e., revoking attribute “Position: Physician” also disables the decryption capability of other

honest users; keeping attribute “Position: Physician” can not exclude P ’s misbehavior.

Revocation, as a vital component of CPABE, should be designed into the system from the

beginning rather than being added after the other issues are addressed, as it requires careful

planning on where functionality should be placed and how to reduce the computational and

communication costs. The paradigm of revocation can be categorized into two designs called,

central-control and user-control. In a central-control design, system manager or a trusted third

parties T centrally maintains revocation lists. Encrypters runs encryption algorithms without

being aware of those revocation lists, while decryptors need to keep updating their secret keys

with additional update information periodically outputted by T , which would cost more for

decryption. In a user-control design, system manager is only involved in the initialization phase

while revocation mechanism is implemented in encryption algorithms by encrypters. But for a

October 22, 2012 DRAFT

3

large-scale system, it is unrealistic and impossible to require each user encrypting a message

while considering the identities of malicious decryptors he has never heard of. Therefore, our

scheme is constructed in complying with the central-control design.

Contribution. At first, we modify the traditional CPABE model [1] to a Revocable Ciphertext

Policy Attribute Based Encryption (RCPABE) model as follows:

• Key update algorithm is enrolled for respectively enabling and disabling the decryption

capability of non-revoked users and revoked users.

• Encryption algorithm has an additional input, time t, indicating the output ciphertext can

be only decrypted by non-revoked users at time t.

• Decryption algorithm has an additional input, update information UI , only assisting non-

revoked users’ decryption.

In particular, system manager publishes the update information according to a series of time

stamps, such as “Jan. 25th, 2010” to “Feb. 5th, 2010” and every ciphertext would be encrypted

with one of those time stamps. The successful decryption on the ciphertext with time t only

happens if users with sufficient attributes can retrieve the useful update information at time t.

We propose RCPABE schemes, where each user is assigned with a unique identifier which

makes central-control revocation possible. Meanwhile, encryption and decryption algorithms

are not affected by those unique identifiers, and continue providing efficient and expressive

operations. System manager generates the update information for distinguishing the identifiers

of revoked users from the rest, therefore the revocation of malicious users would not affect others’

decryption. Intuitionally, each secret key is constructed in a format mixed with two personalized

factors which are independent and different with other users’ for resisting collusion attacks. As

shown in Fig. 1, if there exists a ciphertext C with an access structure AS and a time t, attribute-

related personalized factor fa can be canceled by the access structure related information of C if

user’s attribute set satisfies AS, while revocation-related personalized factor fr can be canceled

by the update information if user is non-revoked at time t. Then, the recovered secret key k can

be used for successfully decrypting the plaintext M.

In addition, the adopted binary tree technique [2] can further reduce communication and

computational costs of the update information. Specifically, the update information is generated

in the form of a bunch of leaf nodes in a binary tree, where each leaf node corresponds to a

user. With the structure, system manager only needs to broadcast the update information of a

October 22, 2012 DRAFT

4

Attribute-relatedPersonalized Factor

fa

Revocation-related Personalized Factor

fr

Secret Key k

Access Structure AS

Time Stamp

Ciphertext

Time Stamp

Update Information

Canceled

Canceled

Canceled

Equal

Fig. 1. Decryption Description

minimum cover set of the leaf nodes.

We give a complete proof of our scheme under chosen plaintext security notion, and also

provide the intuition of delegating algorithm and chosen ciphertext security. To the best of our

knowledge, this revocable ciphertext policy attribute based encryption scheme is the first one

with central-control revocation towards users’ behaviors, where elaborate construction and formal

security proof are provided.

A. Related Works

The paradigm of Attribute Based Encryption (ABE) is generally divided into Ciphertext Policy

Attribute Based Encryption (CPABE) [1], [6], [8]–[11], [13], [14] and Key Policy Attribute Based

Encryption (KPABE) [4], [7], [14], [15]. Intuitively, CPABE allows a secret key with an attribute

set can decrypt a ciphertext with an access structure while KPABE allows a secret key with an

access structure can decrypt a ciphertext with an attribute set. Recently, Attrapadung and Imai

[16] introduced a dual policy attribute based encryption, conjunctively combining CPABE and

KPABE schemes.

Revocation as an indispensable function in public key encryption realm has been well studied

in [17]–[21]. As the development of ABE, a lot more revocation techniques are invented and

applied into such new primitive [6], [13]–[15], [22], [23].

October 22, 2012 DRAFT

5

ABE scheme supporting direct/indirect revocation modes, similar with our user/central-control

designs, are developed by Attrapadung and Imai [15]. They summarized two modes which are

helpful for designing revocation in ABE, and gave two complete and secure direct/indirect

revocation schemes in KPABE setting, where the indirect part is straightforward with the hints

in [2].

User-Control. User-control design are widely discussed due to its easy implementation, e.g.,

Cheung and Newport [6] indicated that the negative attribute could be used for distinguishing

any subset of users from the rest. Later on, Lewko et al. [24] proposed KPABE that support

negative clauses, with improved efficiency over Ostrovsky et al. scheme [7]. Attrapadung and

Imai [14], [23], further advanced the user-control design, by combining the broadcast encryption

and ABE scheme to implement revocation in CPABE, KPABE and multi-authority settings.

However, regarding to their schemes, to revoke malicious users’ decryption capabilities while

not affecting others’, decryptors’ identities are needed to complete an encryption operation and

this requirement basically deviates the original purpose of ABE design.

Central-Control. Compared to user-control, the central authority’s involvement provides more

easiness for encryption, but requires more complex structures and elaborate considerations.

Ibraimi et al. [13] explored central-control revocation in ABE by using mediated cryptography

[25], [26], where a central mediator must be involved in decrypting each ciphertext. Yu et al.

[27] extended the KPABE scheme [4] with a revocation which requires a sustaining secure

channel between system manger and decryptors, and they also proposed a CPABE scheme

with attribute revocation [22] in which a semi-trusted online proxy server would do a re-

encryption operation for each ciphertext. However, either multiple secure channels or on-line

proxy servers adopted in above schemes would result in obstruction of their implementations in

real application. On the other hand, Boldyreva et al. [2] proposed an IBE with efficient central-

control revocation and Attrapadung et al. [15] implement their idea in KPABE setting. These

two central-control revocation schemes only require a broadcast channel through which system

manager periodically publishes update information. We regard this assumption of an offline

(only involved in revocation) central authority as the most natural and realistic one, and propose

a CPABE scheme with central-control revocation, which can be proved secure in the standard

model.

October 22, 2012 DRAFT

6

B. Paper Organization

Section 2 gives a brief review of linear secret sharing scheme, then designs the algorithms

in RCPABE model and its corresponding security model. In Sections 3 and 4, we propose a

ciphertext policy attribute based encryption scheme with central-control revocation and provide

its complete security proof in the standard model. The discussions on efficiency, delegating

capability and chosen ciphertext security of our scheme are presented in Section 5, and we

conclude our paper in Section 6.

II. PRELIMINARIES

A. Linear Secret Sharing Scheme

Linear Secret Sharing Scheme (LSSS) [28] is a useful technique in constructing attribute based

crypto-systems [10], [15], [16], [29]. It can be summarized as follows:

Definition 1 (Linear Secret Sharing Scheme): A secret-sharing scheme Π over a set of parties

P is called linear (over Zp) if

1) The shares for each party form a vector over Zp.

2) There exists a matrix M called the share-generating matrix for π. The matrix M has l

rows and n columns. For all i = 1, · · · , l, the i’th row of M we let the function ρ defined

the party labeling row i as ρ(i). When we consider the column vector v = (s, r2, · · · , rn),

where s ∈ Zp is the secret to be shared, and r2, · · · , rn ∈ Zp are randomly chosen, then

Mv is the vector of l shares of the secret s according to π. The share (Mv)i belongs to

party ρ(i).

Suppose that π is an LSSS for access structure A1. Let S ∈ A2 be any authorized set, and

let I ⊂ {1, 2, · · · , l} be defined as I = {i : ρ(i) ∈ S}. Then, there exist constants {ω ∈ Zp}i∈Isuch that if {λi} are valid shares of any secret s according to π, then

∑i∈I

ωiλi = s, where ωi

can be found in time polynomial in the size of the share-generating matrix M .

B. RCPABE Scheme

A RCPABE scheme includes a tuple of Probabilistic Polynomial-Time (PPT) algorithms.

1A can be related to an access structure consisting of (OR, AND) gates between attributes.2S ∈ A: The attribute set S satisfies the access structure A.

October 22, 2012 DRAFT

7

• Setup(U , nmax) The setup algorithm takes the universal attribute set U and the maximum

index nmax of columns in an access structure as inputs. It outputs the public parameters

PP and a master key MK.

• KGen(uid,S,MK) The key generation algorithm takes a unique identifier uid, an attribute

set S ⊆ U and the master key MK as inputs. It outputs a secret key (uid,SK) to the user.

• KUpd(rl, t,MK) The key update algorithm takes a revocation list rl, a time stamp t and

the master key MK as inputs. It outputs the update information UI.

• Enc(PP , (M,ρ),M, t) The encryption algorithm takes the public parameters PP , an access

structure (M,ρ), a message M and a time stamp t as inputs. It outputs the ciphertext C

with (M,ρ).

• Dec(C, (M,ρ),SK,UI) The decryption algorithm takes the ciphertext C with (M,ρ), the

secret key SK and the update information UI. If the attribute set related with SK satisfies

the access structure (M,ρ) and the unique identifier associated with SK has not been

revoked in update information UI, it decrypts the ciphertext and returns a message M;

else, it returns ⊥.

C. Security Model for RCPABE

Selective Access Structure Model Selective Access Structure (SAS) Model is widely used

in analyzing ciphertext policy attribute based encryption schemes [6], [8]–[10]. Note that, the

RCPABE scheme is secure in the SAS model if no probabilistic polynomial time adversary A

has a non-negligible advantage in winning the following game.

Init A chooses an access structure (M∗, ρ∗), a set of unique identifier u∗ and a time stamp t∗

that it wishes to be challenged upon, where the index of columns in M∗ is no larger than nmax.

The queries of key generation oracle for S ∈ (M∗, ρ∗) are associated with the unique identifiers

in u∗. The challenger runs Setup algorithm and gives A the resulting public parameters PP . It

keeps the corresponding master key MK for itself.

Phase 1 A issues several queries to key generation oracle, revoke oracle and key update oracle.

• Key generation oracle: A issues queries for secret keys related to several tuples (uid,S).

October 22, 2012 DRAFT

8

• Revoke oracle: A inputs several revoked unique identifiers uid and a time stamp t, Sim

adds uid to the revocation list rl at time t.

• Key update oracle: for any time stamp t, the update information is generated according to

the revocation list collected in revoke oracle.

Challenge Once A decides that Phase 1 is over, it generates two messages M0 and M1 of

equal length from the message space. The challenger chooses µ ∈ {0, 1} at random and encrypts

Mµ with (M∗, ρ∗). Then, the ciphertext C∗ is given to A.

Phase 2 The same as Phase 1.

Guess A outputs a guess µ′ ∈ {0, 1} and wins the game if µ′ = µ.

The following conditions must always hold:

1) In the key generation oracle, once (S, uid) is queried, the adversary will not query any

other tuples (S ′, uid), where S ′ = S.

2) In the key update oracle, at time t, the key update oracle outputs UI based on the

information collected from revocation oracle before t.

3) In the key generation oracle, if the adversary queries on uid ∈ u∗, then for all uid ∈ u∗,

revocation oracle must be queried on (uid, t∗).

We define A’s advantage in this game as |Pr[µ′ = µ]− 12|.

III. CONSTRUCTION

Our scheme supports an encryption with LSSS access structure (M,ρ), where the column

index of M is no larger than nmax and ρ is an injective function with row indexes of M as its

domain.

Let G and GT be two (multiplicative) cyclic groups with the same order p, where p is a large

prime. Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently

computable bilinear map e : G×G → GT such that e(ga1 , gb2) = e(g1, g2)

ab ∈ GT for all a, b ∈ Z∗p

and any (g1, g2) ∈ G2 [30].

Setup(U , nmax) The setup algorithm takes the universal attribute set U in the system and the

October 22, 2012 DRAFT

9

maximum size nmax of columns in access structures as inputs. It first chooses a group G of

prime order p and a generator g. In addition, it chooses random exponents α, a, b, d ∈ Zp,

random elements hj,x ∈ G and a function H : Zp → G.

Define H(x) = gbx2

3∏i=1

h△i,3(x)i , where (hi)1≤i≤3 ∈ G and the lagrange coefficient △i,3(x)

def=

3∏j=1,j =i

(x−ji−j

).

The system public parameters are

PP = ⟨g, e(g, g)α, A = ga, B = gb, (hj,x)1≤j≤nmax,x∈U , d,H⟩

For revoking users’ decryption capabilities after key generation phase, system manager builds

up a binary tree first, denoted as T in Fig. 2. The figure shows an example of binary tree with

height 3. Each leaf node is associated with identifier uid of a revoked user. Path(uid) (red nodes)

records all the nodes along the path from the leaf node C to the root R. KUN(rl, t) (green

nodes) records all the nodes that covers the leaf nodes associated with non-revoked users, where

rl is the revocation list at time t. Generally, system manager would adopt a binary tree with

height n and the maximum users is up to 2n.

For each node y in the binary tree, it selects a random number ay ∈ Z∗p and denotes AY = {ay}

as a set of all such values.

Key Update NodesKUN(rl,t)

Revoked Nodes: Path(uid)

uid

Time: trevocation list (rl): uid

R

A

B

C

D

E

F

Fig. 2. Binary Tree T

The system master key is

MK = ⟨gα, a, b, AY ⟩

KGen(uid,S,MK) The key generation algorithm takes a unique identifier uid, an attribute set

S and the master key MK as inputs.

October 22, 2012 DRAFT

10

Firstly, the algorithm checks the unique identifier uid whether it has been registered before.

If the answer is yes, S must be the same with the one in the previous query and the algorithm

outputs the same secret key; if not, the algorithm chooses a vacant leaf node and bind it with

uid. Path(uid) can be generated as the red nodes shown in Figure 2.

Then, the algorithm chooses ty, (tj,y)1≤j≤nmax , rd,y ∈ Zp for y ∈ Path(uid), 1 ≤ j ≤ nmax,

and outputs the secret key SK =

⟨{(Lj,y)1≤j≤nmax , (Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)⟩ = ⟨{(gtj,y)1≤j≤nmax ,

(∏

1≤j≤nmax

htj,yj,x )x∈S , g

αgat1,ygbty , Bayd+tyH(d)rd,y , grd,y}y∈Path(uid)⟩

Notice that, for different users, ay remains the same while ty, tj,y, rd,y are with different values.

KUpd(rl, t, T ) The key update algorithm takes a revocation list rl, a current time t and a binary

tree T as inputs.

Firstly, the algorithm marks all the nodes red along Path(uid), where uid ∈ rl. KUN(rl, t)

can be generated as the minimum cover set (green) of rest uncolored nodes. Then, the algorithm

chooses t, rt,y ∈ Zp, and outputs the update information

UI = ⟨{Ey, ey}y∈KUN(rl,t)⟩ = ⟨{BaytH(t)rt,y , grt,y}y∈KUN(rl,t)⟩

where rt,y ∈ Zp are random numbers.

Notice that, for different time stamp t, ay are the same while rt,y are with different values.

Encrypt(PP , (M,ρ),M, t) The encryption algorithm takes system public parameters PP , an

access structure (M,ρ), a message M and current time t as inputs.

If M is a matrix with size l×n, we expand M to a l×nmax matrix by filling element 0 into

the columns from (n+1)-th to nmax-th. Note that, such conversion does not affect the satisfying

logic of an access structure. The algorithm first chooses a random vector v = (s, y2, · · · , ynmax) ∈

Znmaxp . Denote Mi,j as the ith row, jth column element of M . Then, the algorithm outputs the

ciphertext C along with with (M,ρ).

C = ⟨CM, Cs, (Ci,j)1≤i≤l,1≤j≤nmax , Cd, Ct⟩ =

⟨M · e(g, g)αs, gs, (gaMi,jvjh−sj,ρ(i))1≤i≤l,1≤j≤nmax , H(d)s, H(t)s⟩

October 22, 2012 DRAFT

11

Decrypt(C,SK,UI) The decryption algorithm takes the ciphertext C, a secret key SK and the

published update information UI as inputs.

If the user is non-revoked, according to the definition of Path(uid) and KUN(rl, t), it is able

to find y ∈ Path(uid) ∩KUN(rl, t),

Extract two sets of elements from SK and UI:

⟨(Lj,y)1≤j≤nmax , (Kx,y)x∈S , Ky, Dy, dy⟩ and ⟨Ey, ey⟩

1) The user obtains e(g, g)at1,ys as follows: if the attribute set S of SK satisfies the access

structure (M,ρ) in the ciphertext C, it is able to find set I = {i|ρ(i) ∈ S}, and then

calculates its weight (ωj)j∈I so that∏i∈I

Mi,1ωi = 1 and for 2 ≤ j ≤ nmax,∏i∈I

Mi,jωi = 0.

Thus, we have ∏1≤j≤nmax

e(∏i∈I

Cωii,j , Lj,y) · e(

∏i∈I

Kωi

ρ(i),y, Cs)

=∏

1≤j≤nmax

∏i∈I

e(gaMi,jωivj , gtj,y)

=∏i∈I

e(gaMi,1ωiv1 , gt1,y) = e(g, g)at1,ys

2) The user obtains e(g, g)tybs as follows:

e(Dy, Cs)/e(dy, Cd) = e(g, g)(ayd+ty)bs

e(Ey, Cs)/e(ey, Ct) = e(g, g)(ayt+by)bs

using lagrange interpolation ⇒ e(g, g)tybs

3) Finally, The user decrypts as follows:

e(Cs, Ky) = e(g, g)αse(g, g)at1,yse(g, g)tybs

using steps 1&2’s results to obtain ⇒ e(g, g)αs ⇒ M

October 22, 2012 DRAFT

12

IV. SECURITY ANALYSIS OF RCPABE

A. Complexity Assumption

The security of our construction can be reduced to Decisional Bilinear Diffie-Hellman (DBDH)

assumption. In the following, we introduce the DBDH problem and its corresponding assumption.

Decisional Bilinear Diffie-Hellman Problem. An algorithm S is a ε′-solver of the DBDH

problem if it distinguishes with probability at least 12+ ε′ between the two following probability

distributions:

Dbdh = (g, ga, gb, gc, e(g, g)abc), where a, b, c are chosen randomly in Zp, g is a generator of

group G and e is a bilinear mapping from G×G → GT ,

Drand = (g, ga, gb, gc, Z), where a, b, c are chosen randomly in Zp and Z is chosen randomly

in GT .

Definition 2: The DBDH assumption holds in G and GT if no any probabilistic polynomial-

time ε′-solver of the DBDH problem for non-negligible values of ε′.

B. Security Analysis

Theorem 1: If the DBDH assumption holds in (G,GT ), then the proposed RCPABE scheme

is chosen plaintext secure in the SAS model.

Proof: Suppose there exists a polynomial-time adversary A who can win the game described

in Section 2.3 with non-negligible advantage ϵ. We construct a simulator Sim who can distinguish

the DBDH tuple from a random tuple with non-negligible advantage 12ϵ.

We first let the challenger set the groups G and GT with an efficient bilinear map e and two

generators g, h of G. The challenger flips a fair binary coin ν, outside of S’s view. If ν = 1,

the challenger sets (g, A,B,C, Z) ∈ Dbdh; otherwise, (g, A,B,C, Z) ∈ Drand.

Init Sim runs A. A chooses a challenge access structure (M∗, ρ∗), a set of unique identifier u∗

and a time stamp t∗ to be challenged upon, where M∗ is l∗ × n∗ matrix. M∗ is a l∗ × nmax

matrix filled with element 0 from (n∗ + 1)-th to nmax-th columns. Sim executes the following

steps:

• Sim randomly selects α′ ∈ Z∗p, and implicitly sets α = ab + α′. Therefore, e(g, g)α =

e(g, g)α′ · e(A,B).

October 22, 2012 DRAFT

13

• For each (j, x) pair where x ∈ U and 1 ≤ j ≤ nmax, Sim chooses a random value zx,j ∈ Zp.

The group elements hj,x with (x ∈ U , 1 ≤ j ≤ nmax) can be generated: for 1 ≤ j ≤ n∗ and

x = ρ∗(i) for some 1 ≤ i ≤ l∗, hj,x = gzx,jgaM∗i,j ; otherwise, hj,x = gzx,j .

• Sim randomly selects d ∈ Zp.

• Sim picks random second-degree polynomials f(x), u(x) with coefficients in Zp, s.t. u(x) =

−x2 for x = d, t∗, o.w. u(x) = −x2. For 1 ≤ i ≤ 3, hi = Bu(i)gf(i). Thus, H(x) =

Bx2+u(x)gf(x).

Finally, Sim publishes the public parameters

PP = ⟨g, e(g, g)α, A,B, (hj,x)1≤j≤nmax,x∈U , d,H⟩

Sim randomly selects tp ∈ {0, 1}. If [tp = 0], Sim does not output the secret keys for

(S ∈ (M∗, ρ∗), uid ∈ u∗), but outputs the update information for any (rl, t); otherwise [tp = 1],

Sim outputs the secret keys for (S ∈ (M∗, ρ∗), uid ∈ u∗) and also outputs the update information

only for the tuple (rl, t∗) with u∗ ⊆ rl.

Sim randomly associates some leaf nodes of T to each uid ∈ u∗ and denotes Path(u∗) =∪uid∈u∗

Path(u∗id). Then, Sim sets AY in two ways: if [tp = 0] Sim randomly chooses ay ∈ Zp

for all the nodes in T ; otherwise [tp = 1] Sim randomly chooses ly ∈ Zp for y ∈ Path(u∗) by

implicitly setting ly = ayd− a and randomly chooses ay ∈ Zp for the rest nodes y /∈ Path(u∗).

Notice that the master key is kept by system manager only in the real environment and thus

it is unnecessary for Sim to obtain them.

Phase 1 A is allowed to adaptively make queries to the following oracles.

⋄ Key generation oracle: A issues queries for secret keys related with several tuples (uid,S).

Sim does follows:

If [tp = 0], if (uid ∈ u∗,S ∈ (M∗, ρ∗)), Sim outputs ⊥; otherwise, (uid /∈ u∗,S /∈ (M∗, ρ∗)),

Sim executes following KG1 with input ay, where ay is known for y ∈ Path(uid).

KG1(ay): Sim randomly selects ri ∈ Zp for 1 ≤ i ≤ nmax. Then, as S /∈ (M∗, ρ∗), it

is able to find a vector ω = (ω1, · · · , ωnmax) ∈ Znmaxp so that ω1 = −1 and for all i where

ρ∗(i) ∈ S we have that ω ·M∗i = 0. Due to the definition of LSSS, such a vector ω exists. (for

n∗ < j ≤ nmax, since M∗i,j = 0, we could simply let ωj = 0). For 1 ≤ j ≤ nmax, Sim implicitly

October 22, 2012 DRAFT

14

sets tj,y = t′j,y + ωj · b and then calculate Lj,y = gtj,y = gt′j,yBωj . Notice that, t1,y = t′1,y − b.

Therefore, gat1,y includes the component g−ab. Sim also sets α = α′ + ab and randomly selects

ty ∈ Zp, so gab can be canceled by:

Ky = gαgat1,ygbty = gα′At′1,yBty

If there is no i such that ρ∗(i) = x ∈ S, we have Kx,y =nmax∏j=1

Lzx,jj,y ; otherwise, there exists i

such that ρ∗(i) = x ∈ S , and we have

Kx,y =nmax∏j=1

(gzx,jgaM∗i,j)tj,y =

nmax∏j=1

gzx,jt′j,yBzx,jωjAM∗

i,jt′j,y

Finally, Sim randomly selects rd,y ∈ Zp and calculates:

(Dy, dy) = (Bayd+tyH(d)rd,y , grd,y)

KG1 outputs ⟨(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy⟩.

Sim repeats KG1 with input ay for all y ∈ Path(uid) and outputs the secret key as

⟨{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)⟩

[tp = 1] Sim outputs the secret key for any (uid,S) and separately takes two cases into

consideration,

1) If (uid ∈ u∗,S ∈ (M∗, ρ∗)), for y ∈ Path(uid) ⊆ Path(u∗), where ay is unknown and

ly = ayd− a is known, Sim executes following KG2 with input ly.

KG2(ly): Sim randomly selects t′y, rd,y ∈ Zp and implicitly set ty = −a+t′y, where random

number t′y ∈ Zp. Therefore, gbty includes the component g−ab. Sim also sets α = α′ + ab

and randomly selects tj,y ∈ Zp for 1 ≤ j ≤ nmax, now gab can be canceled as

Ky = gαgat1,ygbty = gα′At1,yBt′y

For 1 ≤ j ≤ nmax, Sim calculates Lj,y = gtj,y , and if there is no i such that ρ∗(i) = x ∈ S,

we have

Kx,y =nmax∏j=1

Lzx,jj,y

Otherwise, there exists i such that ρ∗(i) = x ∈ S , and we have

Kx,y =nmax∏j=1

(gzx,jgaM∗i,j)tj,y =

nmax∏j=1

(gzx,jAM∗i,j)tj,y

October 22, 2012 DRAFT

15

Finally, Sim randomly selects rd,y ∈ Zp and calculates:

(Dy, dy) = (BlyBt′yH(d)rd,y , grd,y)

KG2 outputs ⟨(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy⟩.

Sim repeats KG2 with input ly for all y ∈ Path(uid) and outputs the secret key as

{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)

2) If (uid /∈ u∗,S /∈ (M∗, ρ∗)), for y ∈ Path(uid),

a) If y ∈ Path(u∗), where ly is known, Sim repeatedly executes KG2(ly) and obtains

part of the secret key for y ∈ Path(uid) ∩ Path(u∗)

{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}

b) If y /∈ Path(u∗), where ay is known, Sim repeatedly executes KG1(ay) and obtains

part of the secret key for y ∈ Path(uid) \ Path(u∗)

{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}

c) Finally, it integrates all the parts of (a)(b) and outputs:

{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)

⋄ Revoke oracle: A inputs several revoked unique identifiers uid and a time stamp t, and Sim

adds uid to the revocation list at time t.

⋄ Key update oracle: A issues queries for update information with several tuples (rl, t). De-

pending on the value tp, Sim separates the simulation into two cases.

If [tp = 0], Sim outputs update information for any (rl, t).

In this case, ay for all the nodes y ∈ T is known to Sim. Therefore, Sim calculates the update

information as follows:

{Ey, ey}y∈KUN(rl,t) = {BaytH(t)rt,y , grt,y}y∈KUN(rl,t)

If [tp = 1], Sim calculates update information for any (rl, t) except the case (t = t∗, u∗∩rl = ∅).

1) For the case t = t∗, revocation list can be any subset of queried unique identifiers.

October 22, 2012 DRAFT

16

a) For y ∈ KUN(rl, t)∩Path(u∗), ly = ayd+ a is known to Sim. It randomly selects

r′y ∈ Zp and implicitly sets

ry = (r′y +a

t2 + u(t)) · td−1

Now, we have:

Ey = BaytH(t)ry = Blytd−1−atd−1

H(t)(r′y+

at2+u(t)

)td−1

= Blytd−1

(Bt2+u(t)gf(t))r′yA

f(t)

t2+u(t)td−1

ey = gry = g(r′y+

at2+u(t)

)td−1

= gr′yA

td−1

t2+u(t)

Sim obtains {Ey, ey}y∈KUN(rl,t)∩Path(u∗).

b) For y ∈ KUN(rl, t) \ Path(u∗), ay is known to Sim. Sim computes

{Ey = BaytH(t)rt,y , ey = grt,y}y∈KUN(rl,t)\Path(u∗).

c) Finally, Sim integrates the results from steps (a)(b) and outputs update information

{Ey, ey}y∈KUN(rl,t).

2) For the case t = t∗, if KUN(rl, t)∩Path(u∗) = ∅, Sim outputs ⊥; otherwise, Sim knows

ay for y ∈ KUN(rl, t). Therefore, Sim outputs update information as follows:

{Ey, ey}y∈KUN(rl,t) = {BaytH(t)rt,y , grt,y}y∈KUN(rl,t)

Challenge In this phase, Sim builds the challenge ciphertext. A generates two messages M0

and M1 of the equal length from the message space. Then, the challenger chooses µ ∈ {0, 1}

randomly and outputs the challenge ciphertext Mµ with the access structure (M∗, ρ∗) and the

time stamp t∗ as follows:

1) Sim implicitly sets s = c, we have C∗M = M· e(g, g)αs = M· e(g, C)α

′ ·Z and C∗s = C.

2) Sim randomly selects yj ∈ Zp for 2 ≤ j ≤ nmax and implicitly sets

v = (s, s+ y′2, s+ y′3, · · · , s+ y′nmax)

3) Sim calculates {C∗i,j}1≤i≤l,1≤j≤nmax , C

∗d , C

∗t∗ as follows,

C∗i,j = gaM

∗i,jvjh−s

j,ρ∗(i) = gaM∗i,j(s+y′j)(gzρ∗(i),jgaM

∗i,j)−s = AM∗

i,j(y′j)C−zρ∗(i),j

C∗d = H(d)s = (Bd2+u(d)gf(d))s = Cf(d)

October 22, 2012 DRAFT

17

C∗t∗ = H(t∗)s = (Bt∗2+u(t∗)gf(t

∗))s = Cf(t∗)

Finally, Sim outputs the challenged ciphertext

C∗ = ⟨C∗M, C∗

s , (C∗i,j)1≤i≤l,1≤j≤nmax , C

∗d , C

∗t∗⟩

Phase 2 Sim acts exactly the same as in Phase 1

Guess The adversary outputs a guess µ′ of µ. If any abort happens, Sim outputs 0; otherwise,

it then outputs 1 to guess Z = e(g, g)abc if µ′ = µ and outputs 0 to guess that Z is a random

group element in GT if µ′ = µ.

Probability Analysis. Denote Exp as the experiment describe above, “abort” as the case of ⊥

output by in Exp, “real” as the case that input of Exp is a tuple selected from Dbdh, ”rand” as the

case that input of Exp is a tuple selected from Drand. We assume Pr[tp = 0] = Pr[tp = 1] = 12.

From the Guess phase, we have:

1) If ν = 1, the challenger sets (g, A,B,C, Z) ∈ Dbdh, Sim gives a perfect simulation if no

“abort” happens,

AdvA = Pr[Exp = 1|real ∧ abort]− 1/2

2) If ν = 0, the challenger sets (g, A,B,C, Z) ∈ Drand, so Mµ is completely hidden from

the adversary,

Pr[Exp = 1|rand ∧ abort] = 1/2

Notice that the probability for “abort” cases depends on the behavior of adversary and tp which

are both irrelevant with the tuple chosen from Dbdh or Drand. Therefore, we have the following

from Guess phase:

Pr[Exp = 1|real ∧ abort] = 0 and Pr[Exp = 1|rand ∧ abort] = 0

From the key generation oracle, the abort only happens when tp = 0∧“any uid ∈ u∗ is queried”∧

S ∈ (M∗, ρ∗) or tp = 1 ∧ t = t∗ ∧ (u∗ \ rl = ∅).

According to the restrictions mentioned in Section 2.3, the uid ∈ u∗ is only allowed to be

queried when u∗ is added to the revocation list rl at time t∗.

Pr[any uid ∈ u∗ is queried] ≤ Pr[u∗ \ rl = ∅|t = t∗]

October 22, 2012 DRAFT

18

The probability of “abort” is

Pr[abort] = Pr[tp = 0 ∧ any uid ∈ u∗ is queried] + Pr[tp = 1 ∧ u∗ \ rl = ∅|t = t∗]

= 1/2Pr[any uid ∈ u∗ is queried] + 1/2Pr[u∗ \ rl = ∅|t = t∗]

≤ 1/2Pr[u∗ \ rl = ∅|t = t∗] + 1/2Pr[u∗ \ rl = ∅|t = t∗] = 1/2

Thus, Pr[abort] ≥ 1/2. Finally, we have

AdvC = Pr[Exp = 1|real]− Pr[Exp = 1|rand]

= Pr[abort] · Pr[Exp = 1|real ∧ abort] + Pr[abort] · Pr[Exp = 1|real ∧ abort]

− Pr[abort] · Pr[Exp = 1|rand ∧ abort]− Pr[abort] · Pr[Exp = 1|rand ∧ abort]

= Pr[abort] · (Pr[Exp = 1|real ∧ abort]− Pr[Exp = 1|rand ∧ abort])

≥ 1/2 · AdvA

V. DISCUSSION

A. Efficiency

In the proposed RCPABE scheme, each secret key consists of (nmax + |S|+ 3) · logn group

elements, where nmax is the maximum value of column index in the access structure (M,ρ), S is

the attribute set corresponding to the secret key and n is the total user number. In comparison with

the scheme [10], secret key size is increased by multiplying logn. logn is the height of the binary

tree, i.e., the total number of nodes along the path from the root to a leaf node in the binary tree.

Intuitionally, since users are associated with different paths in the binary tree, it is necessary for

such an expansion to eliminate the uniqueness in functional encryption. In decryption algorithm,

the non-revoked user links the update information and secret key together to find an overlapped

node which can be used for decrypting the ciphertext. Thus, the computational cost of encryption

and decryption algorithms are independent with the height of the binary tree.

Waters [10] presents several variants of ciphertext policy attribute based encryption by making

a tradeoff between efficiency and security assumption. Besides the one based on DBDH assump-

tion, the rest constructions can be also extended to the one in RCPABE model with improved

efficiency by adopting the same technique introduced in this paper, however the complexity

assumption becomes more complicated.

October 22, 2012 DRAFT

19

In Table I, we compare the proposed RCPABE scheme with Waters’ scheme [10] in terms

of public parameters size (PP), secret key size (SK), ciphertext size (CT), encryption time

(EN), decryption time (DE) and revocation (RE). Denote Texp and Tpair as the time for one

modular exponentiation and one bilinear pairing computation, respectively. Notice that, though

the proposed scheme consumes more storage space for each secret key, according to Moore’s

law, the cost of storing data on to a flash device will continue to decrease.

Waters [10] RCPABE

Assumption DBDH & Standard Model DBDH & Standard Model

PP (nmax|U|+ 2)× |G|+ |GT | (nmax|U|+ 6)× |G|+ |GT |+ |Zp|

SK (nmax + |S|+ 1)× |G| (nmax + |S|+ 3)× |G| × logn

CT (lnmax + 1)× |G|+ |GT | (lnmax + 3)× |G|+ |GT |

EN (lnmax + 2)×Texp (lnmax + 4)×Texp

DE (nmax + 2)×Tpair+ (nmax + 6)×Tpair+

(nmax|I|+ |I|)×Texp (nmax|I|+ |I|+ 2)×Texp

RE No Yes

TABLE I

COMPARISON OF DIFFERENT SCHEMES

B. Delegating capability and Chosen Ciphertext Security

To derive the delegating capability in traditional CPABE scheme is straightforward since

secret keys are related with fuzzy identities instead of personalized identities. Therefore, as

long as the secret keys can be re-randomized, users are with the delegating capability to enroll

new valid users whose secret key is associated with the same attribute set. Furthermore, users

can delegate part of their decryption capabilities to others, e.g., the professor with attribute

set “Position: Professor” and “Department: Computer Science” may delegate a user with the

decryption capability corresponding to a subset “Position: Professor”. In the proposed scheme,

we implicitly assign each user with a unique identifier which can be represented as a unique

path in the binary tree. Though each component of secret key can be re-randomized, the unique

identifier will never change, i.e., the delegatees’ decryption capabilities would be revoked once

the original delegator’s identifier is not involved in the update information. Notice that, the

October 22, 2012 DRAFT

20

delegated secret keys are easily generated in the simulation, therefore the security proof of the

RCPABE scheme with delegation is essentially unaffected. In addition, chosen ciphertext security

can be realized in the standard model by using the technique of one-time signature [31]. Some

similar conversion methods can be found in the paper [2], [6].

VI. CONCLUSION

In this paper, we proposed a RCPABE scheme with central-control revocation, which is more

suitable for large-scaled access control system. The improvement of secret key with binary

tree structure can reduce the communication and computational costs in key update algorithm.

Moreover, we demonstrated that the delegating capability can be easily provided in the proposed

scheme, but all the delegatees are restricted by their original delegators’ unique identifiers. The

security proof in the standard model and the efficiency comparison with previous CPABE scheme

have also been given.

For our future work, the efficiency of RCPABE schemes will be improved, such as short-

ening the size of secret key, reducing the amount of update information, and developing faster

encryption/decryption algorithms.

REFERENCES

[1] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in IEEE Symposium on Security

and Privacy, 2007, pp. 321–334.

[2] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in ACM Conference on

Computer and Communications Security, 2008, pp. 417–426.

[3] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute-based systems,” in ACM Conference on Computer

and Communications Security, 2006, pp. 99–112.

[4] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted

data,” in ACM Conference on Computer and Communications Security, 2006, pp. 89–98.

[5] M. Chase, “Multi-authority attribute based encryption,” in TCC, 2007, pp. 515–534.

[6] L. Cheung and C. Newport, “Provably secure ciphertext policy abe,” in ACM Conference on Computer and Communications

Security, 2007, pp. 456–465.

[7] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in ACM

Conference on Computer and Communications Security, 2007, pp. 195–203.

[8] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in ICALP (2), 2008,

pp. 579–591.

[9] X. Liang, Z. Cao, H. Lin, and D. Xing, “Provably secure and efficient bounded ciphertext policy attribute based encryption,”

in ASIACCS, 2009, pp. 343–352.

October 22, 2012 DRAFT

21

[10] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization,” in

Cryptology ePrint Archive: Report 2008/290, 2008.

[11] L. Ibraimi, Q. Tang, P. H. Hartel, and W. Jonker, “Efficient and provable secure ciphertext-policy attribute-based encryption

schemes,” in ISPEC, 2009, pp. 1–12.

[12] M. Chase and S. S. M. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in ACM

Conference on Computer and Communications Security, 2009, pp. 121–130.

[13] L. Ibraimi, M. Petkovic, S. Nikova, P. H. Hartel, and W. Jonker, “Mediated ciphertext-policy attribute-based encryption

and its application,” in WISA, 2009, pp. 309–323.

[14] N. Attrapadung and H. Imai, “Conjunctive broadcast and attribute-based encryption,” in Pairing, 2009, pp. 248–265.

[15] M. G. Parker, Ed., Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009,

Cirencester, UK, December 15-17, 2009. Proceedings, ser. Lecture Notes in Computer Science, vol. 5921. Springer,

2009.

[16] N. Attrapadung and H. Imai, “Dual-policy attribute based encryption,” in ACNS, 2009, pp. 168–185.

[17] D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in CRYPTO, 2001, pp.

41–62.

[18] M. Naor and B. Pinkas, “Efficient trace and revoke schemes,” in Financial Cryptography, 2000, pp. 1–20.

[19] V. Goyal, “Certificate revocation using fine grained certificate space partitioning,” in Financial Cryptography, 2007, pp.

247–259.

[20] M. Naor and K. Nissim, “Certificate revocation and certificate update,” in USENIX Security Symposium, 1998.

[21] C. Gentry, “Certificate-based encryption and the certificate revocation problem,” in EUROCRYPT, 2003, pp. 272–293.

[22] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in ASIACCS, 2010.

[23] N. Attrapadung, “Revocation scheme for attribute-based encryption,” in RCIS Workshop, 2008.

[24] A. Lewko, A. Sahai, and B. Waters, “Revocation systems with very small private keys,” in Cryptology ePrint Archive:

Report 2008/309, 2008.

[25] D. Boneh, X. Ding, and G. Tsudik, “Fine-grained control of security capabilities,” ACM Trans. Internet Techn., vol. 4,

no. 1, pp. 60–82, 2004.

[26] D. Boneh, X. Ding, G. Tsudik, and C. Wong, “A method for fast revocation of public key certificates and security

capabilities,” in Proceedings of the 10th conference on USENIX Security Symposium-Volume 10. USENIX Association,

2001, p. 22.

[27] S. Yu, K. Ren, and W. Lou, “Fdac: Toward fine-grained distributed data access control in wireless sensor networks,” in

IEEE INFOCOM, 2009.

[28] A. Beimel, “Secure schemes for secret sharing and key distribution,” in PhD thesis, 1996.

[29] H. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures: Achieving attribute-privacy and collusion-

resistance,” in Cryptology ePrint Archive: Report 2008/328, 2008.

[30] D. Boneh and M. K. Franklin, “Identity-based encryption from the weil pairing,” in CRYPTO, 2001, pp. 213–229.

[31] R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption,” in EUROCRYPT, 2004,

pp. 207–222.

October 22, 2012 DRAFT