1 Ciphertext policy attribute based encryption with efficient...
Transcript of 1 Ciphertext policy attribute based encryption with efficient...
1
Ciphertext policy attribute based encryption
with efficient revocation
Xiaohui Liang†, Rongxing Lu†, Xiaodong Lin‡, and Xuemin (Sherman) Shen†
Abstract
Ciphertext Policy Attribute Based Encryption (CPABE) enables users’ encryption with an access
structure while assigning decryption capability in accordance with attribute sets. In this paper, we study
central-control revocation in CPABE environment, where the proposed key generation, encryption and
decryption algorithms closely comply with CPABE model [1], and key update algorithm is developed.
In addition, we inherit the most efficient revocation techniques [2] to improve the efficiency of our key
update algorithm. With our scheme, users can stay attribute anonymous while being associated with a
unique identifier in system manager’s view, therefore revoking malicious users’ decryption capabilities
according to their unique identifiers would not affect honest users’ decryption. Our scheme can be
proved chosen plaintext secure based on Decisional Bilinear Diffie-Hellman (DBDH) assumption in the
standard model. We also provide efficiency analysis and some extensions including delegation capability
and chosen ciphertext security.
keyword: Central-control revocation, Ciphertext policy attribute based encryption, DBDH
assumption, Standard model
I. INTRODUCTION
Ciphertext Policy Attribute Based Encryption (CPABE), similar to role-based access control,
can be widely applied as an access control mechanism in many applications such as Electronic
Health Records (EHR) management systems and education systems [3]. For example, the sen-
sitive medical records, tightly related to patients’ privacy, must be accessed only if doctors are
consented by patients; standard solutions of final exams for online education system should be
only read by professors or specified teaching assistants. Recently, CPABE has been demonstrated
to efficiently deal with those situations, by encrypting the sensitive information with expressive
access structures, such as “Speciality: Medicine” OR “Position: Physician”, “Position: Professor”
October 22, 2012 DRAFT
2
OR (“Department: Computer Science” AND “Position: Teaching Assistant”). This preferable
measure (because it benefits to access control system in terms of efficient distributing, expressive
access control and data confidentiality) has attracted a great attention. [1], [4]–[12]
The first CPABE model was introduced by Bethencourt et al. [1], where a universal set of
attributes are public input to its algorithms. Key Generation algorithm takes an attribute set
from a user as input, and outputs a secret key for this user. Encryption algorithm takes an
access structure and a plaintext M as inputs, and outputs a ciphertext C corresponding to the
access structure. Decryption algorithm takes a ciphertext C and a secret key K as inputs, and
finishes a successful decryption only if the attribute set of K satisfies the access structure of
C. Compared to classical Identity Based Encryption (IBE), this CPABE design enables system
manager to assign secret keys according to attributes instead of users’ identities, and has a
significant improvement of IBE in terms of efficient encryption and anonymous decryption (not
explicitly revealing users’ identifiers). However, we notice that since users’ decryption is not
related with unique identifiers, to revoke and eliminate the attacks from malicious decryptors
becomes more difficult. For example, a physician P with attribute “Position: Physician” is able to
decrypt the encrypted PHI with access structure “Position: Physician” OR “Speciality: Stroke”.
P behaves honest and obtains a valid secret key in the initialization phase, and then launches
malicious attacks which has been detected by system manager later. If using any cryptographical
scheme designed in the above CPABE model, system manager would be trapped in a dilemma,
i.e., revoking attribute “Position: Physician” also disables the decryption capability of other
honest users; keeping attribute “Position: Physician” can not exclude P ’s misbehavior.
Revocation, as a vital component of CPABE, should be designed into the system from the
beginning rather than being added after the other issues are addressed, as it requires careful
planning on where functionality should be placed and how to reduce the computational and
communication costs. The paradigm of revocation can be categorized into two designs called,
central-control and user-control. In a central-control design, system manager or a trusted third
parties T centrally maintains revocation lists. Encrypters runs encryption algorithms without
being aware of those revocation lists, while decryptors need to keep updating their secret keys
with additional update information periodically outputted by T , which would cost more for
decryption. In a user-control design, system manager is only involved in the initialization phase
while revocation mechanism is implemented in encryption algorithms by encrypters. But for a
October 22, 2012 DRAFT
3
large-scale system, it is unrealistic and impossible to require each user encrypting a message
while considering the identities of malicious decryptors he has never heard of. Therefore, our
scheme is constructed in complying with the central-control design.
Contribution. At first, we modify the traditional CPABE model [1] to a Revocable Ciphertext
Policy Attribute Based Encryption (RCPABE) model as follows:
• Key update algorithm is enrolled for respectively enabling and disabling the decryption
capability of non-revoked users and revoked users.
• Encryption algorithm has an additional input, time t, indicating the output ciphertext can
be only decrypted by non-revoked users at time t.
• Decryption algorithm has an additional input, update information UI , only assisting non-
revoked users’ decryption.
In particular, system manager publishes the update information according to a series of time
stamps, such as “Jan. 25th, 2010” to “Feb. 5th, 2010” and every ciphertext would be encrypted
with one of those time stamps. The successful decryption on the ciphertext with time t only
happens if users with sufficient attributes can retrieve the useful update information at time t.
We propose RCPABE schemes, where each user is assigned with a unique identifier which
makes central-control revocation possible. Meanwhile, encryption and decryption algorithms
are not affected by those unique identifiers, and continue providing efficient and expressive
operations. System manager generates the update information for distinguishing the identifiers
of revoked users from the rest, therefore the revocation of malicious users would not affect others’
decryption. Intuitionally, each secret key is constructed in a format mixed with two personalized
factors which are independent and different with other users’ for resisting collusion attacks. As
shown in Fig. 1, if there exists a ciphertext C with an access structure AS and a time t, attribute-
related personalized factor fa can be canceled by the access structure related information of C if
user’s attribute set satisfies AS, while revocation-related personalized factor fr can be canceled
by the update information if user is non-revoked at time t. Then, the recovered secret key k can
be used for successfully decrypting the plaintext M.
In addition, the adopted binary tree technique [2] can further reduce communication and
computational costs of the update information. Specifically, the update information is generated
in the form of a bunch of leaf nodes in a binary tree, where each leaf node corresponds to a
user. With the structure, system manager only needs to broadcast the update information of a
October 22, 2012 DRAFT
4
Attribute-relatedPersonalized Factor
fa
Revocation-related Personalized Factor
fr
Secret Key k
Access Structure AS
Time Stamp
Ciphertext
Time Stamp
Update Information
Canceled
Canceled
Canceled
Equal
Fig. 1. Decryption Description
minimum cover set of the leaf nodes.
We give a complete proof of our scheme under chosen plaintext security notion, and also
provide the intuition of delegating algorithm and chosen ciphertext security. To the best of our
knowledge, this revocable ciphertext policy attribute based encryption scheme is the first one
with central-control revocation towards users’ behaviors, where elaborate construction and formal
security proof are provided.
A. Related Works
The paradigm of Attribute Based Encryption (ABE) is generally divided into Ciphertext Policy
Attribute Based Encryption (CPABE) [1], [6], [8]–[11], [13], [14] and Key Policy Attribute Based
Encryption (KPABE) [4], [7], [14], [15]. Intuitively, CPABE allows a secret key with an attribute
set can decrypt a ciphertext with an access structure while KPABE allows a secret key with an
access structure can decrypt a ciphertext with an attribute set. Recently, Attrapadung and Imai
[16] introduced a dual policy attribute based encryption, conjunctively combining CPABE and
KPABE schemes.
Revocation as an indispensable function in public key encryption realm has been well studied
in [17]–[21]. As the development of ABE, a lot more revocation techniques are invented and
applied into such new primitive [6], [13]–[15], [22], [23].
October 22, 2012 DRAFT
5
ABE scheme supporting direct/indirect revocation modes, similar with our user/central-control
designs, are developed by Attrapadung and Imai [15]. They summarized two modes which are
helpful for designing revocation in ABE, and gave two complete and secure direct/indirect
revocation schemes in KPABE setting, where the indirect part is straightforward with the hints
in [2].
User-Control. User-control design are widely discussed due to its easy implementation, e.g.,
Cheung and Newport [6] indicated that the negative attribute could be used for distinguishing
any subset of users from the rest. Later on, Lewko et al. [24] proposed KPABE that support
negative clauses, with improved efficiency over Ostrovsky et al. scheme [7]. Attrapadung and
Imai [14], [23], further advanced the user-control design, by combining the broadcast encryption
and ABE scheme to implement revocation in CPABE, KPABE and multi-authority settings.
However, regarding to their schemes, to revoke malicious users’ decryption capabilities while
not affecting others’, decryptors’ identities are needed to complete an encryption operation and
this requirement basically deviates the original purpose of ABE design.
Central-Control. Compared to user-control, the central authority’s involvement provides more
easiness for encryption, but requires more complex structures and elaborate considerations.
Ibraimi et al. [13] explored central-control revocation in ABE by using mediated cryptography
[25], [26], where a central mediator must be involved in decrypting each ciphertext. Yu et al.
[27] extended the KPABE scheme [4] with a revocation which requires a sustaining secure
channel between system manger and decryptors, and they also proposed a CPABE scheme
with attribute revocation [22] in which a semi-trusted online proxy server would do a re-
encryption operation for each ciphertext. However, either multiple secure channels or on-line
proxy servers adopted in above schemes would result in obstruction of their implementations in
real application. On the other hand, Boldyreva et al. [2] proposed an IBE with efficient central-
control revocation and Attrapadung et al. [15] implement their idea in KPABE setting. These
two central-control revocation schemes only require a broadcast channel through which system
manager periodically publishes update information. We regard this assumption of an offline
(only involved in revocation) central authority as the most natural and realistic one, and propose
a CPABE scheme with central-control revocation, which can be proved secure in the standard
model.
October 22, 2012 DRAFT
6
B. Paper Organization
Section 2 gives a brief review of linear secret sharing scheme, then designs the algorithms
in RCPABE model and its corresponding security model. In Sections 3 and 4, we propose a
ciphertext policy attribute based encryption scheme with central-control revocation and provide
its complete security proof in the standard model. The discussions on efficiency, delegating
capability and chosen ciphertext security of our scheme are presented in Section 5, and we
conclude our paper in Section 6.
II. PRELIMINARIES
A. Linear Secret Sharing Scheme
Linear Secret Sharing Scheme (LSSS) [28] is a useful technique in constructing attribute based
crypto-systems [10], [15], [16], [29]. It can be summarized as follows:
Definition 1 (Linear Secret Sharing Scheme): A secret-sharing scheme Π over a set of parties
P is called linear (over Zp) if
1) The shares for each party form a vector over Zp.
2) There exists a matrix M called the share-generating matrix for π. The matrix M has l
rows and n columns. For all i = 1, · · · , l, the i’th row of M we let the function ρ defined
the party labeling row i as ρ(i). When we consider the column vector v = (s, r2, · · · , rn),
where s ∈ Zp is the secret to be shared, and r2, · · · , rn ∈ Zp are randomly chosen, then
Mv is the vector of l shares of the secret s according to π. The share (Mv)i belongs to
party ρ(i).
Suppose that π is an LSSS for access structure A1. Let S ∈ A2 be any authorized set, and
let I ⊂ {1, 2, · · · , l} be defined as I = {i : ρ(i) ∈ S}. Then, there exist constants {ω ∈ Zp}i∈Isuch that if {λi} are valid shares of any secret s according to π, then
∑i∈I
ωiλi = s, where ωi
can be found in time polynomial in the size of the share-generating matrix M .
B. RCPABE Scheme
A RCPABE scheme includes a tuple of Probabilistic Polynomial-Time (PPT) algorithms.
1A can be related to an access structure consisting of (OR, AND) gates between attributes.2S ∈ A: The attribute set S satisfies the access structure A.
October 22, 2012 DRAFT
7
• Setup(U , nmax) The setup algorithm takes the universal attribute set U and the maximum
index nmax of columns in an access structure as inputs. It outputs the public parameters
PP and a master key MK.
• KGen(uid,S,MK) The key generation algorithm takes a unique identifier uid, an attribute
set S ⊆ U and the master key MK as inputs. It outputs a secret key (uid,SK) to the user.
• KUpd(rl, t,MK) The key update algorithm takes a revocation list rl, a time stamp t and
the master key MK as inputs. It outputs the update information UI.
• Enc(PP , (M,ρ),M, t) The encryption algorithm takes the public parameters PP , an access
structure (M,ρ), a message M and a time stamp t as inputs. It outputs the ciphertext C
with (M,ρ).
• Dec(C, (M,ρ),SK,UI) The decryption algorithm takes the ciphertext C with (M,ρ), the
secret key SK and the update information UI. If the attribute set related with SK satisfies
the access structure (M,ρ) and the unique identifier associated with SK has not been
revoked in update information UI, it decrypts the ciphertext and returns a message M;
else, it returns ⊥.
C. Security Model for RCPABE
Selective Access Structure Model Selective Access Structure (SAS) Model is widely used
in analyzing ciphertext policy attribute based encryption schemes [6], [8]–[10]. Note that, the
RCPABE scheme is secure in the SAS model if no probabilistic polynomial time adversary A
has a non-negligible advantage in winning the following game.
Init A chooses an access structure (M∗, ρ∗), a set of unique identifier u∗ and a time stamp t∗
that it wishes to be challenged upon, where the index of columns in M∗ is no larger than nmax.
The queries of key generation oracle for S ∈ (M∗, ρ∗) are associated with the unique identifiers
in u∗. The challenger runs Setup algorithm and gives A the resulting public parameters PP . It
keeps the corresponding master key MK for itself.
Phase 1 A issues several queries to key generation oracle, revoke oracle and key update oracle.
• Key generation oracle: A issues queries for secret keys related to several tuples (uid,S).
October 22, 2012 DRAFT
8
• Revoke oracle: A inputs several revoked unique identifiers uid and a time stamp t, Sim
adds uid to the revocation list rl at time t.
• Key update oracle: for any time stamp t, the update information is generated according to
the revocation list collected in revoke oracle.
Challenge Once A decides that Phase 1 is over, it generates two messages M0 and M1 of
equal length from the message space. The challenger chooses µ ∈ {0, 1} at random and encrypts
Mµ with (M∗, ρ∗). Then, the ciphertext C∗ is given to A.
Phase 2 The same as Phase 1.
Guess A outputs a guess µ′ ∈ {0, 1} and wins the game if µ′ = µ.
The following conditions must always hold:
1) In the key generation oracle, once (S, uid) is queried, the adversary will not query any
other tuples (S ′, uid), where S ′ = S.
2) In the key update oracle, at time t, the key update oracle outputs UI based on the
information collected from revocation oracle before t.
3) In the key generation oracle, if the adversary queries on uid ∈ u∗, then for all uid ∈ u∗,
revocation oracle must be queried on (uid, t∗).
We define A’s advantage in this game as |Pr[µ′ = µ]− 12|.
III. CONSTRUCTION
Our scheme supports an encryption with LSSS access structure (M,ρ), where the column
index of M is no larger than nmax and ρ is an injective function with row indexes of M as its
domain.
Let G and GT be two (multiplicative) cyclic groups with the same order p, where p is a large
prime. Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently
computable bilinear map e : G×G → GT such that e(ga1 , gb2) = e(g1, g2)
ab ∈ GT for all a, b ∈ Z∗p
and any (g1, g2) ∈ G2 [30].
Setup(U , nmax) The setup algorithm takes the universal attribute set U in the system and the
October 22, 2012 DRAFT
9
maximum size nmax of columns in access structures as inputs. It first chooses a group G of
prime order p and a generator g. In addition, it chooses random exponents α, a, b, d ∈ Zp,
random elements hj,x ∈ G and a function H : Zp → G.
Define H(x) = gbx2
3∏i=1
h△i,3(x)i , where (hi)1≤i≤3 ∈ G and the lagrange coefficient △i,3(x)
def=
3∏j=1,j =i
(x−ji−j
).
The system public parameters are
PP = ⟨g, e(g, g)α, A = ga, B = gb, (hj,x)1≤j≤nmax,x∈U , d,H⟩
For revoking users’ decryption capabilities after key generation phase, system manager builds
up a binary tree first, denoted as T in Fig. 2. The figure shows an example of binary tree with
height 3. Each leaf node is associated with identifier uid of a revoked user. Path(uid) (red nodes)
records all the nodes along the path from the leaf node C to the root R. KUN(rl, t) (green
nodes) records all the nodes that covers the leaf nodes associated with non-revoked users, where
rl is the revocation list at time t. Generally, system manager would adopt a binary tree with
height n and the maximum users is up to 2n.
For each node y in the binary tree, it selects a random number ay ∈ Z∗p and denotes AY = {ay}
as a set of all such values.
Key Update NodesKUN(rl,t)
Revoked Nodes: Path(uid)
uid
Time: trevocation list (rl): uid
R
A
B
C
D
E
F
Fig. 2. Binary Tree T
The system master key is
MK = ⟨gα, a, b, AY ⟩
KGen(uid,S,MK) The key generation algorithm takes a unique identifier uid, an attribute set
S and the master key MK as inputs.
October 22, 2012 DRAFT
10
Firstly, the algorithm checks the unique identifier uid whether it has been registered before.
If the answer is yes, S must be the same with the one in the previous query and the algorithm
outputs the same secret key; if not, the algorithm chooses a vacant leaf node and bind it with
uid. Path(uid) can be generated as the red nodes shown in Figure 2.
Then, the algorithm chooses ty, (tj,y)1≤j≤nmax , rd,y ∈ Zp for y ∈ Path(uid), 1 ≤ j ≤ nmax,
and outputs the secret key SK =
⟨{(Lj,y)1≤j≤nmax , (Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)⟩ = ⟨{(gtj,y)1≤j≤nmax ,
(∏
1≤j≤nmax
htj,yj,x )x∈S , g
αgat1,ygbty , Bayd+tyH(d)rd,y , grd,y}y∈Path(uid)⟩
Notice that, for different users, ay remains the same while ty, tj,y, rd,y are with different values.
KUpd(rl, t, T ) The key update algorithm takes a revocation list rl, a current time t and a binary
tree T as inputs.
Firstly, the algorithm marks all the nodes red along Path(uid), where uid ∈ rl. KUN(rl, t)
can be generated as the minimum cover set (green) of rest uncolored nodes. Then, the algorithm
chooses t, rt,y ∈ Zp, and outputs the update information
UI = ⟨{Ey, ey}y∈KUN(rl,t)⟩ = ⟨{BaytH(t)rt,y , grt,y}y∈KUN(rl,t)⟩
where rt,y ∈ Zp are random numbers.
Notice that, for different time stamp t, ay are the same while rt,y are with different values.
Encrypt(PP , (M,ρ),M, t) The encryption algorithm takes system public parameters PP , an
access structure (M,ρ), a message M and current time t as inputs.
If M is a matrix with size l×n, we expand M to a l×nmax matrix by filling element 0 into
the columns from (n+1)-th to nmax-th. Note that, such conversion does not affect the satisfying
logic of an access structure. The algorithm first chooses a random vector v = (s, y2, · · · , ynmax) ∈
Znmaxp . Denote Mi,j as the ith row, jth column element of M . Then, the algorithm outputs the
ciphertext C along with with (M,ρ).
C = ⟨CM, Cs, (Ci,j)1≤i≤l,1≤j≤nmax , Cd, Ct⟩ =
⟨M · e(g, g)αs, gs, (gaMi,jvjh−sj,ρ(i))1≤i≤l,1≤j≤nmax , H(d)s, H(t)s⟩
October 22, 2012 DRAFT
11
Decrypt(C,SK,UI) The decryption algorithm takes the ciphertext C, a secret key SK and the
published update information UI as inputs.
If the user is non-revoked, according to the definition of Path(uid) and KUN(rl, t), it is able
to find y ∈ Path(uid) ∩KUN(rl, t),
Extract two sets of elements from SK and UI:
⟨(Lj,y)1≤j≤nmax , (Kx,y)x∈S , Ky, Dy, dy⟩ and ⟨Ey, ey⟩
1) The user obtains e(g, g)at1,ys as follows: if the attribute set S of SK satisfies the access
structure (M,ρ) in the ciphertext C, it is able to find set I = {i|ρ(i) ∈ S}, and then
calculates its weight (ωj)j∈I so that∏i∈I
Mi,1ωi = 1 and for 2 ≤ j ≤ nmax,∏i∈I
Mi,jωi = 0.
Thus, we have ∏1≤j≤nmax
e(∏i∈I
Cωii,j , Lj,y) · e(
∏i∈I
Kωi
ρ(i),y, Cs)
=∏
1≤j≤nmax
∏i∈I
e(gaMi,jωivj , gtj,y)
=∏i∈I
e(gaMi,1ωiv1 , gt1,y) = e(g, g)at1,ys
2) The user obtains e(g, g)tybs as follows:
e(Dy, Cs)/e(dy, Cd) = e(g, g)(ayd+ty)bs
e(Ey, Cs)/e(ey, Ct) = e(g, g)(ayt+by)bs
using lagrange interpolation ⇒ e(g, g)tybs
3) Finally, The user decrypts as follows:
e(Cs, Ky) = e(g, g)αse(g, g)at1,yse(g, g)tybs
using steps 1&2’s results to obtain ⇒ e(g, g)αs ⇒ M
October 22, 2012 DRAFT
12
IV. SECURITY ANALYSIS OF RCPABE
A. Complexity Assumption
The security of our construction can be reduced to Decisional Bilinear Diffie-Hellman (DBDH)
assumption. In the following, we introduce the DBDH problem and its corresponding assumption.
Decisional Bilinear Diffie-Hellman Problem. An algorithm S is a ε′-solver of the DBDH
problem if it distinguishes with probability at least 12+ ε′ between the two following probability
distributions:
Dbdh = (g, ga, gb, gc, e(g, g)abc), where a, b, c are chosen randomly in Zp, g is a generator of
group G and e is a bilinear mapping from G×G → GT ,
Drand = (g, ga, gb, gc, Z), where a, b, c are chosen randomly in Zp and Z is chosen randomly
in GT .
Definition 2: The DBDH assumption holds in G and GT if no any probabilistic polynomial-
time ε′-solver of the DBDH problem for non-negligible values of ε′.
B. Security Analysis
Theorem 1: If the DBDH assumption holds in (G,GT ), then the proposed RCPABE scheme
is chosen plaintext secure in the SAS model.
Proof: Suppose there exists a polynomial-time adversary A who can win the game described
in Section 2.3 with non-negligible advantage ϵ. We construct a simulator Sim who can distinguish
the DBDH tuple from a random tuple with non-negligible advantage 12ϵ.
We first let the challenger set the groups G and GT with an efficient bilinear map e and two
generators g, h of G. The challenger flips a fair binary coin ν, outside of S’s view. If ν = 1,
the challenger sets (g, A,B,C, Z) ∈ Dbdh; otherwise, (g, A,B,C, Z) ∈ Drand.
Init Sim runs A. A chooses a challenge access structure (M∗, ρ∗), a set of unique identifier u∗
and a time stamp t∗ to be challenged upon, where M∗ is l∗ × n∗ matrix. M∗ is a l∗ × nmax
matrix filled with element 0 from (n∗ + 1)-th to nmax-th columns. Sim executes the following
steps:
• Sim randomly selects α′ ∈ Z∗p, and implicitly sets α = ab + α′. Therefore, e(g, g)α =
e(g, g)α′ · e(A,B).
October 22, 2012 DRAFT
13
• For each (j, x) pair where x ∈ U and 1 ≤ j ≤ nmax, Sim chooses a random value zx,j ∈ Zp.
The group elements hj,x with (x ∈ U , 1 ≤ j ≤ nmax) can be generated: for 1 ≤ j ≤ n∗ and
x = ρ∗(i) for some 1 ≤ i ≤ l∗, hj,x = gzx,jgaM∗i,j ; otherwise, hj,x = gzx,j .
• Sim randomly selects d ∈ Zp.
• Sim picks random second-degree polynomials f(x), u(x) with coefficients in Zp, s.t. u(x) =
−x2 for x = d, t∗, o.w. u(x) = −x2. For 1 ≤ i ≤ 3, hi = Bu(i)gf(i). Thus, H(x) =
Bx2+u(x)gf(x).
Finally, Sim publishes the public parameters
PP = ⟨g, e(g, g)α, A,B, (hj,x)1≤j≤nmax,x∈U , d,H⟩
Sim randomly selects tp ∈ {0, 1}. If [tp = 0], Sim does not output the secret keys for
(S ∈ (M∗, ρ∗), uid ∈ u∗), but outputs the update information for any (rl, t); otherwise [tp = 1],
Sim outputs the secret keys for (S ∈ (M∗, ρ∗), uid ∈ u∗) and also outputs the update information
only for the tuple (rl, t∗) with u∗ ⊆ rl.
Sim randomly associates some leaf nodes of T to each uid ∈ u∗ and denotes Path(u∗) =∪uid∈u∗
Path(u∗id). Then, Sim sets AY in two ways: if [tp = 0] Sim randomly chooses ay ∈ Zp
for all the nodes in T ; otherwise [tp = 1] Sim randomly chooses ly ∈ Zp for y ∈ Path(u∗) by
implicitly setting ly = ayd− a and randomly chooses ay ∈ Zp for the rest nodes y /∈ Path(u∗).
Notice that the master key is kept by system manager only in the real environment and thus
it is unnecessary for Sim to obtain them.
Phase 1 A is allowed to adaptively make queries to the following oracles.
⋄ Key generation oracle: A issues queries for secret keys related with several tuples (uid,S).
Sim does follows:
If [tp = 0], if (uid ∈ u∗,S ∈ (M∗, ρ∗)), Sim outputs ⊥; otherwise, (uid /∈ u∗,S /∈ (M∗, ρ∗)),
Sim executes following KG1 with input ay, where ay is known for y ∈ Path(uid).
KG1(ay): Sim randomly selects ri ∈ Zp for 1 ≤ i ≤ nmax. Then, as S /∈ (M∗, ρ∗), it
is able to find a vector ω = (ω1, · · · , ωnmax) ∈ Znmaxp so that ω1 = −1 and for all i where
ρ∗(i) ∈ S we have that ω ·M∗i = 0. Due to the definition of LSSS, such a vector ω exists. (for
n∗ < j ≤ nmax, since M∗i,j = 0, we could simply let ωj = 0). For 1 ≤ j ≤ nmax, Sim implicitly
October 22, 2012 DRAFT
14
sets tj,y = t′j,y + ωj · b and then calculate Lj,y = gtj,y = gt′j,yBωj . Notice that, t1,y = t′1,y − b.
Therefore, gat1,y includes the component g−ab. Sim also sets α = α′ + ab and randomly selects
ty ∈ Zp, so gab can be canceled by:
Ky = gαgat1,ygbty = gα′At′1,yBty
If there is no i such that ρ∗(i) = x ∈ S, we have Kx,y =nmax∏j=1
Lzx,jj,y ; otherwise, there exists i
such that ρ∗(i) = x ∈ S , and we have
Kx,y =nmax∏j=1
(gzx,jgaM∗i,j)tj,y =
nmax∏j=1
gzx,jt′j,yBzx,jωjAM∗
i,jt′j,y
Finally, Sim randomly selects rd,y ∈ Zp and calculates:
(Dy, dy) = (Bayd+tyH(d)rd,y , grd,y)
KG1 outputs ⟨(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy⟩.
Sim repeats KG1 with input ay for all y ∈ Path(uid) and outputs the secret key as
⟨{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)⟩
[tp = 1] Sim outputs the secret key for any (uid,S) and separately takes two cases into
consideration,
1) If (uid ∈ u∗,S ∈ (M∗, ρ∗)), for y ∈ Path(uid) ⊆ Path(u∗), where ay is unknown and
ly = ayd− a is known, Sim executes following KG2 with input ly.
KG2(ly): Sim randomly selects t′y, rd,y ∈ Zp and implicitly set ty = −a+t′y, where random
number t′y ∈ Zp. Therefore, gbty includes the component g−ab. Sim also sets α = α′ + ab
and randomly selects tj,y ∈ Zp for 1 ≤ j ≤ nmax, now gab can be canceled as
Ky = gαgat1,ygbty = gα′At1,yBt′y
For 1 ≤ j ≤ nmax, Sim calculates Lj,y = gtj,y , and if there is no i such that ρ∗(i) = x ∈ S,
we have
Kx,y =nmax∏j=1
Lzx,jj,y
Otherwise, there exists i such that ρ∗(i) = x ∈ S , and we have
Kx,y =nmax∏j=1
(gzx,jgaM∗i,j)tj,y =
nmax∏j=1
(gzx,jAM∗i,j)tj,y
October 22, 2012 DRAFT
15
Finally, Sim randomly selects rd,y ∈ Zp and calculates:
(Dy, dy) = (BlyBt′yH(d)rd,y , grd,y)
KG2 outputs ⟨(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy⟩.
Sim repeats KG2 with input ly for all y ∈ Path(uid) and outputs the secret key as
{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)
2) If (uid /∈ u∗,S /∈ (M∗, ρ∗)), for y ∈ Path(uid),
a) If y ∈ Path(u∗), where ly is known, Sim repeatedly executes KG2(ly) and obtains
part of the secret key for y ∈ Path(uid) ∩ Path(u∗)
{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}
b) If y /∈ Path(u∗), where ay is known, Sim repeatedly executes KG1(ay) and obtains
part of the secret key for y ∈ Path(uid) \ Path(u∗)
{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}
c) Finally, it integrates all the parts of (a)(b) and outputs:
{(Lj,y)1≤j≤nmax(Kx,y)x∈S , Ky, Dy, dy}y∈Path(uid)
⋄ Revoke oracle: A inputs several revoked unique identifiers uid and a time stamp t, and Sim
adds uid to the revocation list at time t.
⋄ Key update oracle: A issues queries for update information with several tuples (rl, t). De-
pending on the value tp, Sim separates the simulation into two cases.
If [tp = 0], Sim outputs update information for any (rl, t).
In this case, ay for all the nodes y ∈ T is known to Sim. Therefore, Sim calculates the update
information as follows:
{Ey, ey}y∈KUN(rl,t) = {BaytH(t)rt,y , grt,y}y∈KUN(rl,t)
If [tp = 1], Sim calculates update information for any (rl, t) except the case (t = t∗, u∗∩rl = ∅).
1) For the case t = t∗, revocation list can be any subset of queried unique identifiers.
October 22, 2012 DRAFT
16
a) For y ∈ KUN(rl, t)∩Path(u∗), ly = ayd+ a is known to Sim. It randomly selects
r′y ∈ Zp and implicitly sets
ry = (r′y +a
t2 + u(t)) · td−1
Now, we have:
Ey = BaytH(t)ry = Blytd−1−atd−1
H(t)(r′y+
at2+u(t)
)td−1
= Blytd−1
(Bt2+u(t)gf(t))r′yA
f(t)
t2+u(t)td−1
ey = gry = g(r′y+
at2+u(t)
)td−1
= gr′yA
td−1
t2+u(t)
Sim obtains {Ey, ey}y∈KUN(rl,t)∩Path(u∗).
b) For y ∈ KUN(rl, t) \ Path(u∗), ay is known to Sim. Sim computes
{Ey = BaytH(t)rt,y , ey = grt,y}y∈KUN(rl,t)\Path(u∗).
c) Finally, Sim integrates the results from steps (a)(b) and outputs update information
{Ey, ey}y∈KUN(rl,t).
2) For the case t = t∗, if KUN(rl, t)∩Path(u∗) = ∅, Sim outputs ⊥; otherwise, Sim knows
ay for y ∈ KUN(rl, t). Therefore, Sim outputs update information as follows:
{Ey, ey}y∈KUN(rl,t) = {BaytH(t)rt,y , grt,y}y∈KUN(rl,t)
Challenge In this phase, Sim builds the challenge ciphertext. A generates two messages M0
and M1 of the equal length from the message space. Then, the challenger chooses µ ∈ {0, 1}
randomly and outputs the challenge ciphertext Mµ with the access structure (M∗, ρ∗) and the
time stamp t∗ as follows:
1) Sim implicitly sets s = c, we have C∗M = M· e(g, g)αs = M· e(g, C)α
′ ·Z and C∗s = C.
2) Sim randomly selects yj ∈ Zp for 2 ≤ j ≤ nmax and implicitly sets
v = (s, s+ y′2, s+ y′3, · · · , s+ y′nmax)
3) Sim calculates {C∗i,j}1≤i≤l,1≤j≤nmax , C
∗d , C
∗t∗ as follows,
C∗i,j = gaM
∗i,jvjh−s
j,ρ∗(i) = gaM∗i,j(s+y′j)(gzρ∗(i),jgaM
∗i,j)−s = AM∗
i,j(y′j)C−zρ∗(i),j
C∗d = H(d)s = (Bd2+u(d)gf(d))s = Cf(d)
October 22, 2012 DRAFT
17
C∗t∗ = H(t∗)s = (Bt∗2+u(t∗)gf(t
∗))s = Cf(t∗)
Finally, Sim outputs the challenged ciphertext
C∗ = ⟨C∗M, C∗
s , (C∗i,j)1≤i≤l,1≤j≤nmax , C
∗d , C
∗t∗⟩
Phase 2 Sim acts exactly the same as in Phase 1
Guess The adversary outputs a guess µ′ of µ. If any abort happens, Sim outputs 0; otherwise,
it then outputs 1 to guess Z = e(g, g)abc if µ′ = µ and outputs 0 to guess that Z is a random
group element in GT if µ′ = µ.
Probability Analysis. Denote Exp as the experiment describe above, “abort” as the case of ⊥
output by in Exp, “real” as the case that input of Exp is a tuple selected from Dbdh, ”rand” as the
case that input of Exp is a tuple selected from Drand. We assume Pr[tp = 0] = Pr[tp = 1] = 12.
From the Guess phase, we have:
1) If ν = 1, the challenger sets (g, A,B,C, Z) ∈ Dbdh, Sim gives a perfect simulation if no
“abort” happens,
AdvA = Pr[Exp = 1|real ∧ abort]− 1/2
2) If ν = 0, the challenger sets (g, A,B,C, Z) ∈ Drand, so Mµ is completely hidden from
the adversary,
Pr[Exp = 1|rand ∧ abort] = 1/2
Notice that the probability for “abort” cases depends on the behavior of adversary and tp which
are both irrelevant with the tuple chosen from Dbdh or Drand. Therefore, we have the following
from Guess phase:
Pr[Exp = 1|real ∧ abort] = 0 and Pr[Exp = 1|rand ∧ abort] = 0
From the key generation oracle, the abort only happens when tp = 0∧“any uid ∈ u∗ is queried”∧
S ∈ (M∗, ρ∗) or tp = 1 ∧ t = t∗ ∧ (u∗ \ rl = ∅).
According to the restrictions mentioned in Section 2.3, the uid ∈ u∗ is only allowed to be
queried when u∗ is added to the revocation list rl at time t∗.
Pr[any uid ∈ u∗ is queried] ≤ Pr[u∗ \ rl = ∅|t = t∗]
October 22, 2012 DRAFT
18
The probability of “abort” is
Pr[abort] = Pr[tp = 0 ∧ any uid ∈ u∗ is queried] + Pr[tp = 1 ∧ u∗ \ rl = ∅|t = t∗]
= 1/2Pr[any uid ∈ u∗ is queried] + 1/2Pr[u∗ \ rl = ∅|t = t∗]
≤ 1/2Pr[u∗ \ rl = ∅|t = t∗] + 1/2Pr[u∗ \ rl = ∅|t = t∗] = 1/2
Thus, Pr[abort] ≥ 1/2. Finally, we have
AdvC = Pr[Exp = 1|real]− Pr[Exp = 1|rand]
= Pr[abort] · Pr[Exp = 1|real ∧ abort] + Pr[abort] · Pr[Exp = 1|real ∧ abort]
− Pr[abort] · Pr[Exp = 1|rand ∧ abort]− Pr[abort] · Pr[Exp = 1|rand ∧ abort]
= Pr[abort] · (Pr[Exp = 1|real ∧ abort]− Pr[Exp = 1|rand ∧ abort])
≥ 1/2 · AdvA
V. DISCUSSION
A. Efficiency
In the proposed RCPABE scheme, each secret key consists of (nmax + |S|+ 3) · logn group
elements, where nmax is the maximum value of column index in the access structure (M,ρ), S is
the attribute set corresponding to the secret key and n is the total user number. In comparison with
the scheme [10], secret key size is increased by multiplying logn. logn is the height of the binary
tree, i.e., the total number of nodes along the path from the root to a leaf node in the binary tree.
Intuitionally, since users are associated with different paths in the binary tree, it is necessary for
such an expansion to eliminate the uniqueness in functional encryption. In decryption algorithm,
the non-revoked user links the update information and secret key together to find an overlapped
node which can be used for decrypting the ciphertext. Thus, the computational cost of encryption
and decryption algorithms are independent with the height of the binary tree.
Waters [10] presents several variants of ciphertext policy attribute based encryption by making
a tradeoff between efficiency and security assumption. Besides the one based on DBDH assump-
tion, the rest constructions can be also extended to the one in RCPABE model with improved
efficiency by adopting the same technique introduced in this paper, however the complexity
assumption becomes more complicated.
October 22, 2012 DRAFT
19
In Table I, we compare the proposed RCPABE scheme with Waters’ scheme [10] in terms
of public parameters size (PP), secret key size (SK), ciphertext size (CT), encryption time
(EN), decryption time (DE) and revocation (RE). Denote Texp and Tpair as the time for one
modular exponentiation and one bilinear pairing computation, respectively. Notice that, though
the proposed scheme consumes more storage space for each secret key, according to Moore’s
law, the cost of storing data on to a flash device will continue to decrease.
Waters [10] RCPABE
Assumption DBDH & Standard Model DBDH & Standard Model
PP (nmax|U|+ 2)× |G|+ |GT | (nmax|U|+ 6)× |G|+ |GT |+ |Zp|
SK (nmax + |S|+ 1)× |G| (nmax + |S|+ 3)× |G| × logn
CT (lnmax + 1)× |G|+ |GT | (lnmax + 3)× |G|+ |GT |
EN (lnmax + 2)×Texp (lnmax + 4)×Texp
DE (nmax + 2)×Tpair+ (nmax + 6)×Tpair+
(nmax|I|+ |I|)×Texp (nmax|I|+ |I|+ 2)×Texp
RE No Yes
TABLE I
COMPARISON OF DIFFERENT SCHEMES
B. Delegating capability and Chosen Ciphertext Security
To derive the delegating capability in traditional CPABE scheme is straightforward since
secret keys are related with fuzzy identities instead of personalized identities. Therefore, as
long as the secret keys can be re-randomized, users are with the delegating capability to enroll
new valid users whose secret key is associated with the same attribute set. Furthermore, users
can delegate part of their decryption capabilities to others, e.g., the professor with attribute
set “Position: Professor” and “Department: Computer Science” may delegate a user with the
decryption capability corresponding to a subset “Position: Professor”. In the proposed scheme,
we implicitly assign each user with a unique identifier which can be represented as a unique
path in the binary tree. Though each component of secret key can be re-randomized, the unique
identifier will never change, i.e., the delegatees’ decryption capabilities would be revoked once
the original delegator’s identifier is not involved in the update information. Notice that, the
October 22, 2012 DRAFT
20
delegated secret keys are easily generated in the simulation, therefore the security proof of the
RCPABE scheme with delegation is essentially unaffected. In addition, chosen ciphertext security
can be realized in the standard model by using the technique of one-time signature [31]. Some
similar conversion methods can be found in the paper [2], [6].
VI. CONCLUSION
In this paper, we proposed a RCPABE scheme with central-control revocation, which is more
suitable for large-scaled access control system. The improvement of secret key with binary
tree structure can reduce the communication and computational costs in key update algorithm.
Moreover, we demonstrated that the delegating capability can be easily provided in the proposed
scheme, but all the delegatees are restricted by their original delegators’ unique identifiers. The
security proof in the standard model and the efficiency comparison with previous CPABE scheme
have also been given.
For our future work, the efficiency of RCPABE schemes will be improved, such as short-
ening the size of secret key, reducing the amount of update information, and developing faster
encryption/decryption algorithms.
REFERENCES
[1] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in IEEE Symposium on Security
and Privacy, 2007, pp. 321–334.
[2] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in ACM Conference on
Computer and Communications Security, 2008, pp. 417–426.
[3] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute-based systems,” in ACM Conference on Computer
and Communications Security, 2006, pp. 99–112.
[4] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted
data,” in ACM Conference on Computer and Communications Security, 2006, pp. 89–98.
[5] M. Chase, “Multi-authority attribute based encryption,” in TCC, 2007, pp. 515–534.
[6] L. Cheung and C. Newport, “Provably secure ciphertext policy abe,” in ACM Conference on Computer and Communications
Security, 2007, pp. 456–465.
[7] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in ACM
Conference on Computer and Communications Security, 2007, pp. 195–203.
[8] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in ICALP (2), 2008,
pp. 579–591.
[9] X. Liang, Z. Cao, H. Lin, and D. Xing, “Provably secure and efficient bounded ciphertext policy attribute based encryption,”
in ASIACCS, 2009, pp. 343–352.
October 22, 2012 DRAFT
21
[10] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization,” in
Cryptology ePrint Archive: Report 2008/290, 2008.
[11] L. Ibraimi, Q. Tang, P. H. Hartel, and W. Jonker, “Efficient and provable secure ciphertext-policy attribute-based encryption
schemes,” in ISPEC, 2009, pp. 1–12.
[12] M. Chase and S. S. M. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in ACM
Conference on Computer and Communications Security, 2009, pp. 121–130.
[13] L. Ibraimi, M. Petkovic, S. Nikova, P. H. Hartel, and W. Jonker, “Mediated ciphertext-policy attribute-based encryption
and its application,” in WISA, 2009, pp. 309–323.
[14] N. Attrapadung and H. Imai, “Conjunctive broadcast and attribute-based encryption,” in Pairing, 2009, pp. 248–265.
[15] M. G. Parker, Ed., Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009,
Cirencester, UK, December 15-17, 2009. Proceedings, ser. Lecture Notes in Computer Science, vol. 5921. Springer,
2009.
[16] N. Attrapadung and H. Imai, “Dual-policy attribute based encryption,” in ACNS, 2009, pp. 168–185.
[17] D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in CRYPTO, 2001, pp.
41–62.
[18] M. Naor and B. Pinkas, “Efficient trace and revoke schemes,” in Financial Cryptography, 2000, pp. 1–20.
[19] V. Goyal, “Certificate revocation using fine grained certificate space partitioning,” in Financial Cryptography, 2007, pp.
247–259.
[20] M. Naor and K. Nissim, “Certificate revocation and certificate update,” in USENIX Security Symposium, 1998.
[21] C. Gentry, “Certificate-based encryption and the certificate revocation problem,” in EUROCRYPT, 2003, pp. 272–293.
[22] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in ASIACCS, 2010.
[23] N. Attrapadung, “Revocation scheme for attribute-based encryption,” in RCIS Workshop, 2008.
[24] A. Lewko, A. Sahai, and B. Waters, “Revocation systems with very small private keys,” in Cryptology ePrint Archive:
Report 2008/309, 2008.
[25] D. Boneh, X. Ding, and G. Tsudik, “Fine-grained control of security capabilities,” ACM Trans. Internet Techn., vol. 4,
no. 1, pp. 60–82, 2004.
[26] D. Boneh, X. Ding, G. Tsudik, and C. Wong, “A method for fast revocation of public key certificates and security
capabilities,” in Proceedings of the 10th conference on USENIX Security Symposium-Volume 10. USENIX Association,
2001, p. 22.
[27] S. Yu, K. Ren, and W. Lou, “Fdac: Toward fine-grained distributed data access control in wireless sensor networks,” in
IEEE INFOCOM, 2009.
[28] A. Beimel, “Secure schemes for secret sharing and key distribution,” in PhD thesis, 1996.
[29] H. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures: Achieving attribute-privacy and collusion-
resistance,” in Cryptology ePrint Archive: Report 2008/328, 2008.
[30] D. Boneh and M. K. Franklin, “Identity-based encryption from the weil pairing,” in CRYPTO, 2001, pp. 213–229.
[31] R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption,” in EUROCRYPT, 2004,
pp. 207–222.
October 22, 2012 DRAFT