Abstract

There is an acceleration of adoption of cloud computing among enterprises. However, moving the infrastructure and sensitive data from trusted domain of the data owner to public cloud will pose severe security and privacy risks. Attribute-based encryption (ABE) is a new cryptographic primitive which provides a promising tool for addressing the problem of secure and fine-grained data sharing and decentralized access control. Key-policy attribute-based encryption (KP-ABE) is an important type of ABE, which enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most existing KP-ABE scheme, the ciphertext size grows linearly with the number of attributes embedded in ciphertext. In this paper, we propose a new KP-ABE construction with constant ciphertext size. In our construction, the access policy can be expressed as any monotone access structure. Meanwhile, the ciphertext size is independent of the number of ciphertext attributes, and the number of bilinear pairing evaluations is reduced to a constant. We prove that our scheme is semantically secure in the selective-set model based on the general Diffie-Hellman exponent assumption.

1. Introduction

Cloud computing is a model for enabling ubiquitous, convenient, and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. There are two main categories of cloud infrastructure: public cloud and private cloud. To take advantage of public clouds, data owners must upload their data to commercial cloud service providers which are usually considered to be semitrusted, that is, honest but curious [2]. That means the cloud service providers will try to find out as much secret information in the users’ outsourced data as possible, but they will honestly follow the protocol in general.

Traditional access control techniques are based on the assumption that the server is in the trusted domain of the data owner, and therefore an omniscient reference monitor can be used to enforce access policies against authenticated users. However, in the cloud computing paradigm this assumption usually does not hold, and therefore these solutions are not applicable. There is a need for a decentralized, scalable, and flexible way to control access to cloud data without fully relying on the cloud service providers.

Data encryption is the most effective in regard to preventing sensitive data from unauthorized access. In traditional public key encryption or identity-based encryption systems, encrypted data is targeted for decryption by a single known user. Unfortunately, this functionality lacks the expressiveness needed for more advanced data sharing. To address these emerging needs, Sahai and Waters [3] introduced the concept of attribute-based encryption (ABE). Instead of encrypting to individual users, in ABE system, one can embed an access policy into the ciphertext or decryption key. Thus, data access is self-enforcing from the cryptography, requiring no trusted mediator.

ABE can be viewed as an extension of the notion of identity-based encryption in which user identity is generalized to a set of descriptive attributes instead of a single string specifying the user identity. Compared with identity-based encryption [4], ABE has significant advantage as it achieves flexible one-to-many encryption instead of one-to-one; it is envisioned as a promising tool for addressing the problem of secure and fine-grained data sharing and decentralized access control.

There are two types of ABE depending on which of private keys or ciphertexts that access policies are associated with.

In a key-policy attribute-based encryption (KP-ABE) system, ciphertexts are labeled by the sender with a set of descriptive attributes, while user's private key is issued by the trusted attribute authority captures an policy (also called the access structure) that specifies which type of ciphertexts the key can decrypt. KP-ABE schemes are suitable for structured organizations with rules about who may read particular documents. Typical applications of KP-ABE include secure forensic analysis and target broadcast [5]. For example, in a secure forensic analysis system, audit log entries could be annotated with attributes such as the name of the user, the date and time of the user action, and the type of data modified or accessed by the user action. While a forensic analyst charged with some investigation would be issued a private key that associated with a particular access structure. The private key would only open audit log records whose attributes satisfied the access policy associated with the private key. The first KP-ABE construction was provided by Goyal et al. [5], which was very expressive in that it allowed the access policies to be expressed by any monotonic formula over encrypted data. The system was proved selectively secure under the Bilinear Diffie-Hellman assumption. Later, Ostrovsky et al. [6] proposed a KP-ABE scheme where private keys can represent any access formula over attributes, including nonmonotone ones, by integrating revocation schemes into the Goyal et al. KP-ABE scheme.

In a ciphertext-policy attribute-based encryption (CP-ABE) system, when a sender encrypts a message, they specify a specific access policy in terms of access structure over attributes in the ciphertext, stating what kind of receivers will be able to decrypt the ciphertext. Users possess sets of attributes and obtain corresponding secret attribute keys from the attribute authority. Such a user can decrypt a ciphertext if his/her attributes satisfy the access policy associated with the ciphertext. Thus, CP-ABE mechanism is conceptually closer to traditional role-based access control method. The first CP-ABE scheme was proposed by Bethencourt et al. in [7], but its security was proved in the generic group model. Cheung and Newport [8] gave a CP-ABE construction under the Bilinear Diffie-Hellman assumption, but policies are restricted to a single AND gate. Later, Goyal et al. proposed a generic transformational approach to transform a KP-ABE scheme into a CP-ABE scheme using universal access tree in [9]. Their construction can support access structures which can be represented by a bounded size access tree with threshold gates as its nodes, and its security proof is based on the standard Decisional Bilinear Diffie-Hellman assumption. Unfortunately, in general this methodology would yield a ciphertext blowup of group elements for a Boolean formula of size , which limits its usefulness in practice. The most efficient CP-ABE schemes in terms of ciphertext size and expressivity were proposed by Waters in [10], the size of a ciphertext depending linearly on the number of attributes involved in the specific policy for that ciphertext.

ABE has drawn extensive attention from both academia and industry, many ABE schemes have been proposed, and several cloud-based secure systems using ABE schemes have been developed [11, 12]. Most research work on ABE has focused on the design of expressive schemes, where access structures can implement as complex Boolean formulas as possible. Almost all existing ABE schemes that admit reasonably expressive decryption policies produce ciphertexts whose size depends at least linearly on the number of attributes involved in the policy. Emura et al. [13] proposed the first CP-ABE scheme with constant-size ciphertext, but policies are restricted to a single AND gate. Later, Herranz et al. [14] proposed the first CP-ABE scheme supporting threshold access structure with constant-size ciphertext. Recently, Attrapadung et al. [15] proposed a CP-ABE scheme with constant-size ciphertext for threshold access policies and where private keys remain as short as in previous systems. They also showed that a class of identity-based broadcast encryption schemes with linearity property generically yields monotonic KP-ABE systems in the selective-set model, at the expense of longer private keys of size elements, where denotes the maximal number of attributes embedded in the ciphertext and is the number of attributes in the access structure. Thus, this transformation provides us with monotonic KP-ABE schemes with constant-size ciphertexts by using identity-based broadcast encryption schemes with linearity property and constant ciphertext size. However, we notice that most of existing identity-based broadcast encryption schemes with constant-size ciphertext do not satisfy the linearity property, and it is not a necessary condition for constructing a KP-ABE schemes with constant-size ciphertext. In this paper, we propose a new KP-ABE construction with constant ciphertext size by adopting the idea of the Delerablee identity-based broadcast encryption scheme [16]. In our construction, the access policy can be expressed as any monotone access structure. Meanwhile, the ciphertext size is independent of the number of ciphertext attributes, and the number of bilinear pairing evaluations is reduced to a constant. We prove that our scheme is semantically secure in the selective-set model based on the general Diffie-Hellman exponent assumption.

The rest of this paper is organized as follows. Some necessary background knowledge about bilinear pairings, access structure and linear secret sharing scheme, and Delerablee identity-based broadcast encryption scheme are introduced in Section 2. The syntax and security notions of KP-ABE are given in Section 3. A concrete KP-ABE construction with constant-size ciphertext and its security argument will be presented in Section 4. We conclude our work and present our future work in Section 5.

2. Preliminary Works

We first introduce some notations. If is a set, then denotes the operation of picking an element uniformly random from . For a set , we define its power set as . Let and be two row vectors; we denote the standard inner product by . A function is negligible if for every , there exists a , such that for all .

2.1. Bilinear Pairings and the General Decisional Diffie-Hellman Exponent Assumption

Let , , and be three cyclic groups of prime order . Let a generator of and be a generator of . A bilinear pairing satisfies the following properties.(i)Bilinearity: for ,  , and , we have . (ii)Nondegeneracy: , where is the identity element of . (iii)Computability: there is an efficient algorithm to compute for and .

Let (, , , , , and ) be defined as above with . Let be a generator of , and set . Let and be positive integers; let and be two -tuples of -variant polynomials over . We write and and impose that . For any function and vector , stands for . We use a similar notation for the -tuple . Let . It is said that depends on , which we denote by , when there exists a linear decomposition:

As in [16], we make use of the General Decisional Diffie-Hellman Exponent (GDDHE) assumption.

Definition 1. Given the tuple as above and , the -GDDHE problem is to decide whether is equal to or to some random element of .

2.2. Access Structure and Linear Secret Sharing Scheme

Definition 2. Let be a set of parties. A collection is monotone if, for two sets and , and , then . An access structure (resp., monotone access structure) is a collection (resp., monotone collection) of nonempty subsets of . The sets in are called the authorized sets, and the sets not in are called the unauthorized sets.

Definition 3. Let be a set of parties, an matrix, and a function that maps a row to a party for labeling. A secret sharing scheme for access structure over a set of parties is a linear secret sharing scheme (LSSS) in and is represented by if it consists of two efficient algorithms.(i): the share algorithm takes as input which is to be shared. The dealer randomly chooses , and defines . It outputs as the vectors of shares. The share belongs to party , where is the th row of . (ii): the reconstruction algorithm takes as input an access set . Let . It outputs a set of constants such that .

In our context, the role of the parties is taken by the attributes. Thus, the access structure will contain the authorized sets of attributes. As in most relevant literatures [5, 6, 10], we will restrict ourselves to monotone access structures. In general, access policies can be described in terms of the monotonic Boolean formulas. There are standard techniques to convert any monotonic Boolean formula into a corresponding LSSS matrix [17].

2.3. The Delerablee Identity-Based Broadcast Encryption Scheme

Delerablee proposed the first identity-based broadcast encryption scheme with constant-size ciphertexts and private keys [16], which is described as follows.(i): given the security parameter and an integer , the algorithm generates a bilinear map group system (, , , , , , and ) as above and chooses a secret value and a cryptographic hash function . The master secret key is defined as , and the public system parameters are defined as , where and . (ii): given and the identity , it outputs (iii): assume for notational simplicity that , with . Given , the broadcaster randomly picks and computes and , where (iv): in order to retrieve the message encryption key encapsulated in the header , user with identity and the corresponding private key (with ) computes   with

Lemma 4. The Delerablee identity-based broadcast encryption scheme is IND-sID-CPA secure under -GDDHE assumption.

3. Syntax and Security Notions for KP-ABE Scheme

Let be the universe of possible attributes, where each denotes an attribute and is the total number of attributes. A KP-ABE scheme is parameterized by a universe of possible attributes and consists of the following four polynomial-time algorithms.(i): this probabilistic algorithm is run by the trusted attribute authority, which takes as input the security parameter and the attribute universe . It outputs some public parameters and the master secret key . The trusted attribute authority publishes and keeps secret. (ii): this probabilistic algorithm is run by the trusted attribute authority, which takes as input the public parameters , the master secret key , and an access structure which is assigned by the trusted attribute authority to the user. It outputs a decryption key . (iii): this probabilistic algorithm is run by the sender, which takes as input the public parameters , a set of descriptive attributes , and a message . It outputs the ciphertext . (iv): this deterministic algorithm is run by the recipient, which takes as input the public parameters , the ciphertext that was encrypted under the set of attributes , and the decryption key for access structure . It outputs the message if .

Definition 5. A KP-ABE scheme is correct if, for any , any sets of attributes , any message , and any with , one has with probability over the randomness of all the algorithms.

The property of indistinguishability for KP-ABE scheme under chosen plaintext and attribute-set attack is called selective-set model [5], which is defined in the following game between a challenger and an adversary.(i)Initialization: the adversary declares the set of attributes that he wishes to be challenged on. (ii)Setup: the challenger runs the Setup algorithm of KP-ABE scheme and gives the public parameters to the adversary. (iii)Phase 1: the adversary is allowed to issue queries for private keys with access structure at most times with the restriction that for all . (iv)Challenge: the adversary submits two messages and with equal length. The challenger flips a random coin and encrypts message with . The ciphertext is then sent to the adversary. (v)Phase 2: the same as Phase 1. (vi)Guess: the adversary outputs his guess of . The advantage of an adversary in the above game is defined as .

Definition 6. A KP-ABE scheme is secure in the selective-set model if all polynomial-time adversaries have at most a negligible advantage in the selective-set game.

The model can easily be extended to handle chosen ciphertext attacks by allowing for decryption queries in Phase 1 and Phase 2.

4. Our Construction

In this section, we present a new KP-ABE scheme with constant-size ciphertexts by adopting the idea of the Delerablee identity-based broadcast encryption scheme. The proposed KP-ABE construction is described as follows. (i): given the security parameter , the trusted attribute authority chooses three cyclic groups , , and of prime order with a bilinear pairing . Then the trusted attribute authority chooses two generators and as well as a secret value and a cryptographic hash function . The security analysis will view as a random oracle. The master secret key is defined as . The public parameters are , where and . (ii): the algorithm computes a private key for an access structure that is associated with LSSS scheme as follows. First, it generates shares of with the LSSS . Namely, it chooses a column vector with and . Then for each from to , it calculates and sets as follows: (iii): let be the number of attributes included in the set of attributes , and denote to be . The sender chooses and computes the ciphertext , where (iv): the ciphertext labeled with the set of attributes is parsed as . The recipient first sets and calculates the reconstruction constants . The recipient’s decryption key corresponding to the LSSS scheme is parsed as . Then the recipient computes  It is obvious that is a polynomial on the variable with degree . The decrypting party can calculate according to . Then the decrypting party computes  At last, the decrypting party calculates

Theorem 7. The proposed KP-ABE scheme is correct.

Proof. Assume is well formed, which means is encrypted under the set of attributes ; thus
So we have This ends the proof.

Theorem 8. The proposed KP-ABE scheme is secure in the selective-set model under the -GDDHE assumption.

Proof. Suppose that there exists a polynomial-time adversary that can attack the above KP-ABE scheme in the selective-set model with nonnegligible advantage. Then we can build a simulator that can attack the Delerablee identity-based broadcast encryption scheme in the selective-ID model with nonnegligible advantage. The simulation proceeds as follows.(i)Initialization: the adversary chooses the set of attributes which it wants to be challenged upon and sends to the simulator . Then the simulator sends this challenged attributes to the challenger in the selective-ID model for the Delerablee identity-based broadcast encryption scheme. They treat each attribute as an ID in the Delerablee identity-based broadcast encryption. (ii)Setup: the challenger generates and and sends to the simulator ; then transfers them to the adversary . (iii)Phase 1: the adversary adaptively makes queries for private keys for access structure that cannot be satisfied by . The simulator picks vector at random and calculates . (1)If , then the simulator picks and submits the private key query to the challenger . The challenger will computes and returns the private key corresponding to to . Finally, the simulator sets the private key part . (2)If , then the simulator submits the private key query to the challenger . After the simulator obtains the private key corresponding to from the challenger , the simulator sets the private key part . (3)At last, returns to the adversary . (iv)Challenge: the adversary randomly chooses two messages and with equal length and sends them to the simulator . The simulator then sends them to the challenger . The challenger randomly encrypts with the attributes set and returns to the simulator . Finally, the simulator sends it to the adversary . (v)Guess: the adversary returns the guess to the simulator , and then the simulator sends it to the challenger .
According to the observation of the attacker , the private keys he obtained from the simulator are indistinguishable to those of obtained from the KeyGen algorithm. Thus, if the adversary can attack the proposed KP-ABE scheme in the selective-set model with nonnegligible advantage, then the simulator can attack the Delerablee identity-based broadcast encryption scheme in the selective-ID model with nonnegligible advantage. According to Lemma 4, we can draw the conclusion that the proposed KP-ABE scheme is secure in the selective-set model under the -GDDHE assumption.
This ends the proof.

Table 1 compares efficiency among available ABE schemes with constant-size ciphertext. Attrapadung et al. [15] proposed a CP-ABE and KP-ABE scheme with constant-size ciphertexts, respectively; we denote them as [15]-1 scheme and [15]-2 scheme, respectively.

Comparisons are made in terms of private key size, ciphertext size, and the number of pairing evaluations upon encryption and decryption. In the table, we denote by the number of attributes in the attributes universe, the number of attributes in the access structure that describe the private key for KP-ABE scheme, the number of attributes that describe the private key for CP-ABE scheme, and the number of pairing evaluations.

5. Conclusion

In this paper, we have constructed a new KP-ABE scheme supporting any monotonic access structure with constant-size ciphertext and proved that the proposed scheme is semantically secure in selective-set model based on the general Diffie-Hellman exponent assumption. The downside of the proposed KP-ABE scheme is that private keys have multiple size growths in the number of attributes in the access structure. One interesting open problem would be to construct a KP-ABE scheme with constant-size ciphertexts that is secure under a more standard assumption or which achieves a stronger full security notion. Another challenging problem is to construct a KP-ABE scheme with constant ciphertext size and constant private key size.

Acknowledgments

This research is jointly funded by the National Natural Science Foundation of China (Grant no. 61173189) and the Guangdong Province Information Security Key Laboratory Project.