Research on Ciphertext-Policy Attribute-Based Encryption with Attribute Level User Revocation in Cloud Storage

Wang, Guangbo; Wang, Jianhua

doi:https://doi.org/10.1155/2017/4070616

Mathematical Problems in Engineering

On this page

Abstract Introduction Preliminaries Analysis Conclusion Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Security and Privacy Protection of Social Networks in Big Data Era

View this Special Issue

Research Article | Open Access

Volume 2017 | Article ID 4070616 | https://doi.org/10.1155/2017/4070616

Research on Ciphertext-Policy Attribute-Based Encryption with Attribute Level User Revocation in Cloud Storage

Guangbo Wang¹and Jianhua Wang¹

Academic Editor: Liu Yuhong

Received17 Feb 2017

Revised01 Apr 2017

Accepted05 Apr 2017

Published23 May 2017

Abstract

Attribute-based encryption (ABE) scheme is more and more widely used in the cloud storage, which can achieve fine-grained access control. However, it is an important challenge to solve dynamic user and attribute revocation in the original scheme. In order to solve this problem, this paper proposes a ciphertext-policy ABE (CP-ABE) scheme which can achieve attribute level user attribution. In this scheme, if some attribute is revoked, then the ciphertext corresponding to this attribute will be updated so that only the individuals whose attributes meet the access control policy and have not been revoked will be able to carry out the key updating and decrypt the ciphertext successfully. This scheme is proved selective-structure secure based on the -Parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption in the standard model. Finally, the performance analysis and experimental verification have been carried out in this paper, and the experimental results show that, compared with the existing revocation schemes, although our scheme increases the computational load of storage service provider (CSP) in order to achieve the attribute revocation, it does not need the participation of attribute authority (AA), which reduces the computational load of AA. Moreover, the user does not need any additional parameters to achieve the attribute revocation except for the private key, thus saving the storage space greatly.

1. Introduction

With the advent of big data era, there is an increasing number of user data. In order to achieve the sharing of data and reduce the cost at the same time, using the third party, namely, cloud storage provider (CSP), will be an excellent priority. The cloud storage, which emerged as the extension and development of cloud computing, achieves the function that the users can access the data conveniently at any time and at any place by any networking equipment; therefore, it has been more and more extensively used. However, the users’ data are stored in the CSP and got rid of the users’ actual control; therefore, how to guarantee the users privacy and data security as much as possible without reducing the quality of service has become a key problem of secure cloud storage.

Sahai and Waters in 2005 proposed the notation of attribute-based encryption (ABE) [1] in which the ciphertext and key are, respectively, associated with a series of attributes, and an access structure is specified to define the attribute set that can be used to decrypt the ciphertext successfully. ABE can achieve fine-grained access control by using the flexible access structure, so it has been widely used in the cloud storage. The initial ABE schemes can only achieve the threshold operations so that the policy expression is not rich enough. To solve this problem, some scholars have proposed the ciphertext-policy ABE (CP-ABE) mechanism [2–4] and key-policy ABE (KP-ABE) mechanism [5, 6], which can realize rich attribute operations so as to support flexible access control policy.

However, the application of ABE in cloud storage also brings serious security challenges. There are a large number of users in the cloud storage environment, and different users may share the same attribute in the application of ABE. Therefore, if some attribute of a user is revoked, how to recall the user’s corresponding access permissions without affecting the normal access of other legitimate users and posing a large load on the system has become an urgent problem to be solved. Therefore, this paper mainly pursues the relative research on this issue.

Recently, individuals pay more and more attention to the problem of user revocation in the practical application of ABE. Ostrovsky et al. proposed an ABE scheme with system level user revocation [7]. In this scheme, the revocation is carried out by implementing the “NOT” operation on “AND” gates; however, the efficiency is rather low.

Subsequently, Staddon et al. proposed a KP-ABE scheme [8] which can achieve the revocation of users; however, this scheme is limited to be used if and only if the number of attributes associated with ciphertext is just half of the whole attributes in the system; therefore, the limit is too high which impedes its actual application. Liang et al. proposed a CP-ABE scheme [9] which achieved the revocation by using a binary tree. In this scheme, an attribute authority is responsible for generating the updating key for implementing the revocation; however, the efficiency is also very low. Moreover, it increases the computation and communication burden on the attribute authority greatly which may become the bottleneck. In addition, all the above schemes can only achieve the system level user revocation; namely, once some attribute of a user is revoked, he will lose not only the access permission corresponding to the revoked attribute but also the access permissions corresponding to the other legitimate attributes.

In the aspect of attribute revocation, individuals in the literatures [10–12] strove to achieve the revocation by setting the validity period for each attribute. This method is called coarse-grained revocation because it cannot realize the timely revocation. To solve this problem, Hur and Noh proposed a novel CP-ABE scheme in the literature [13] to realize the revocation by using a key encryption key tree, which can also achieve attribute level user revocation; namely, the revocation to some attribute of a user cannot affect the normal access of other legitimate attributes. In this scheme, if an attribute is revoked, then the CSP will generate a new key encryption key and reencrypts the ciphertext. However, each user needs to store key encryption keys additionally, where denotes the number of all the users in this scheme. Moreover, the scheme is proved to be secure in the generic group model which possesses heuristic security rather than provable security; therefore, some schemes proved secure in the generic group model are found to be unsafe in practical application. Subsequently, Yang et al. proposed a CP-ABE scheme [14] in the environment of cloud storage. In this scheme, the attribute authority generates two corresponding public parameters for each attribute, and once the revocation is implemented, the attribute authority needs to update the public parameters for the revoked attribute and the secret key for the user, which increases not only the computation load on the attribute authority but also the communication load between the attribute authority and the user.

In this paper, we propose a CP-ABE scheme that combines proxy reencryption methods to achieve the revocation. In this scheme, we achieve the revocation with the help of CSP, which offloads most of revocation operations for the attribute authority that has limited resources. If some attribute is revoked, then the ciphertext corresponding to this attribute will be updated by the CSP so that only the users whose attributes meet the access control policy and have not been revoked will be able to carry out the key updating and decrypt the ciphertext successfully. Additionally, in this scheme, we achieve the fine-grained attribute level user revocation; namely, the revocation to an attribute of some user cannot affect the normal access of this user’s other legitimate attributes. Finally, we carry out the performance analysis and experimental verification to demonstrate the characteristics, which shows that, compared with the existing revocation schemes, although our scheme increases the computational load of CSP in order to achieve the attribute revocation, it does not need the participation of AA. Moreover, the user does not need any additional parameters to achieve the attribute revocation except of the private key, thus saving the storage space greatly.

2. Preliminaries

Before proposing the concrete scheme in this paper, we first introduce the related technologies that will be used including bilinear group, linear secret-sharing scheme (LSSS), and deterministic -Parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption.

2.1. Bilinear Map

In this part, we will briefly take a view to several facts related to the bilinear group as follows.

Definition 1 (bilinear map). The bilinear group has been widely used in various cryptographic systems after it was proposed for the first time. Let be a group parameters generation algorithm which takes as input the security parameter and outputs the group parameters . In these group parameters, denotes a big prime whose size is determined by the security parameter , and are two multiplicative cyclic groups with order , and is a bilinear map satisfying the following properties: (1)Bilinearity: , we have .(2)Nondegeneracy: satisfying that has order in .(3)Computability: there exists an efficient algorithm to compute the bilinear pairing.

2.2. Linear Secret-Sharing Scheme

Definition 2 (linear secret-sharing scheme (LSSS) [15]). A secret-sharing scheme over a set of parties is a LSSS (over ) if it satisfies the following properties:
(1) The secret share of each party constitutes a vector over .
(2) For each secret-sharing scheme , there exists a share-generation matrix where, for each row of the matrix , we define a function : that maps it to the corresponding party . Considering a vector , where is the sharing secret and parameters are chosen randomly to conceal the secret, then is a vector that is composed of shares of the secret . Moreover, denotes the secret share possessed by the party .
Suppose is a LSSS for the access structure and denotes any authorized set for . We define the set as ; then, the constants can be computed in polynomial time such that if are valid shares of any secret according to , then we have .

2.3. Decisional -Parallel Bilinear Diffie-Hellman Exponent Assumption

Definition 3 (-parallel BDHE assumption [16]). Let denote the bilinear group with prime order , the parameters are chosen randomly in , and is a generator of . Then, the decisional -Parallel BDHE assumption is that if there is an attacker who is given the parametersthen, it is hard for to distinguish from a random element in . In addition, a polynomial time algorithm will use the output of to make a guess, and we define the advantage of to solve the -Parallel BDHE assumption in and as If there is no polynomial time algorithm to solve the -Parallel BDHE assumption with a nonnegligible advantage, then we can say that the assumption holds in and .

3. Attribute-Based Encryption

In this part, we will first give the system model for our proposed CP-ABE scheme with attribute level user revocation, and then we give a selectively secure model in terms of the ciphertext indistinguishability under a chosen plaintext attack (IND-CPA) [17] which is defined between a polynomial time attacker and challenger . Finally, we will give the detailed construction.

3.1. System Model

The concrete system model of our proposed CP-ABE scheme is shown as in Figure 1, which mainly consists of four entities as follows.

(1) Attribute Authority (AA). It is responsible for implementing the system setup algorithm to generate the system parameters and implementing the key generating algorithm to generate the secret key for the data user.

(2) Data Owner (DO). He is responsible for implementing the data encryption algorithm on the plaintext data and sends the generated ciphertext to the CSP. If the DO decides that some attribute needs to be revoked, he will first designate the responding revoked users list and then send the list to the CSP.

(3) Data User (DU). He is responsible for implementing the decryption algorithm. If the DU wants to access the data in the CSP, he will first send his transformation key to the CSP for partial decryption. Once the DU receives the partially decrypted ciphertext, he will use his secret key to implement the final decryption.

(4) Cloud Storage Provider (CSP). He is responsible for implementing the data reencryption algorithm to achieve the ciphertext updating and implementing the partial decryption algorithm for the DU. Here, we assume that the CSP is curious but honest; namely, he will honestly execute the tasks assigned by other legitimate entities in the system; however, he has the incentive to learn the contents of encrypted data as much as possible.

3.2. Selectively Secure Model

This security model mainly draws lessons from the technique proposed by Tu et al. in the literature [18]. In this model, the attacker firstly needs to submit a challenge access structure and a revocation list, and as a response he will obtain the corresponding public key parameters. Subsequently, begins to make a series of secret key queries and ciphertext reencryption queries. In the challenge phase, will give two messages with the equal length, and then the challenger chooses to encrypt one of these two messages based on the random sampling. Next, continues to make the secret key query and ciphertext reencryption query and finally outputs a random guess. If the guess is correct, then we can say wins the game. The specific definition of this security model is given as follows.

Init. The attacker initially chooses the challenge access control structure and the revocation users list of attribute .

Setup. The challenger runs the algorithm Setup to obtain the public key and the master key . Finally, gives to the attacker and keeps private to itself.

Query Phase 1. The attacker adaptively makes a series of secret key queries corresponding to the identity-attribute tuple, namely, ; if , then we set ; otherwise, we set . Note that it must satisfy the restriction that any attributes set cannot satisfy the challenge access control structure in this phase. In addition, can also make a series of ciphertext reencryption queries associated with the revocation users list of some attribute and the ciphertext.

Challenge. The attacker outputs two messages and with the equal length to the challenger . Then, chooses a random bit and encrypts the message under the access control structure to generate the ciphertext . Finally, sends to as the challenge ciphertext.

Query Phase 2. The attacker continues to make a series of secret key queries and ciphertext reencryption queries as in Query Phase 1 with the same restriction.

Guess. The attacker outputs its guess for , and if , then wins the game. In addition, the advantage of in this game is defined as .

If there is no polynomial time algorithm to break the security model above with a nonnegligible advantage, then we can say that our proposed CP-ABE scheme with attribute level user revocation is secure.

3.3. Construction

In this part, we will give the concrete construction of our proposed CP-ABE scheme. In our scheme, the attribute authority will first generate the system parameters that will be used in the subsequent algorithms. If the data owner DO wants to store his data on the CSP, he will first encrypt the data with some access control policy to generate the corresponding ciphertext, then he will send the ciphertext to the CSP. Once the DO decides that an attribute of some users list needs to be revoked, he will send the users list to the CSP. Then, the CSP will implement the reencryption on the ciphertext so that only the users whose attributes meet the access control policy associated with the ciphertext and have not been revoked will be able to carry out the key updating and decrypt the ciphertext successfully. In addition, we use the outsourcing decryption to improve the efficiency; namely, the data user (DU) can send his transformation key to the CSP for partial decryption, which makes full use of the computing resources in the CSP. Once the DU gets the partially decrypted ciphertext, he will implement the final decryption faster with less computing resources.

3.3.1. System Setup

In this phase, the attribute authority will generate the corresponding system parameters including the public key and the master key. The public key is accessible by all the entities in the system and the master key is kept private to the attribute authority.

(1) Setup . The setup algorithm takes as input the security parameter , the attributes set , and the number of users in the system; then, it runs the group parameters generation function to obtain , where denotes a big prime, and are two cyclic groups with order , and is a bilinear map. Let be the generator of . Then, the algorithm chooses random exponents and sets , where . Next, it chooses a random exponent and sets . For each attribute , the algorithm chooses random parameters . Finally, the system public key is set as and the master key is set as .

3.3.2. Data Encryption

If the data owner wants to store his data on the CSP, then he will first define an access control policy where is a matrix, and the function maps each row of to one corresponding attribute with the restriction that cannot map two distinct rows to one attribute just as in literature [19]. Next, the data encryption algorithm runs to encrypt the data . Note that the encryption on the data needs to multiply it with some group element in ; therefore, is also defined as an element in . If we want to encrypt some arbitrary data, then we can define a hash function: which maps the arbitrary data to an element in the group .

(2) Encrypt . The encryption algorithm takes as input the public key , the plaintext message , and an access control policy ; then, it chooses random parameters and defines the vector . For each row of , the algorithm computes the inner product , and then it chooses a random exponent and outputs the ciphertext as follows:

3.3.3. Data Reencryption

If the DO decides that the attribute of users list needs to be revoked, then he will send to the CSP. Once the CSP receives , he will use the broadcast encryption to update the ciphertext for the purpose of revoking the access permission corresponding to attribute without affecting the normal access of other legitimate attributes for the users in .

(3) Re-Encrypt . The reencryption algorithm takes as input the public key , the ciphertext , and the revocation users list , and then it chooses a random exponent and outputs the reencrypted ciphertext as follows:

Next, the algorithm chooses random parameters and defines the vector . Note that the reencryption algorithm will use the same access control policy as in the Encrypt algorithm. For each row of the matrix , it computes the inner product and chooses a random exponent . Then, the algorithm defines a broadcast users set and outputs the ciphertext header generated by encrypting the exponent as follows:

Finally, it returns the ciphertext as .

3.3.4. Key Generation

In order to improve the decryption efficiency, we outsource the decryption of ciphertext to the CSP that has plenty of computing resources. The concrete key generation algorithm is given as follows.

(4) KeyGen . The key generation algorithm takes as input the public key , the master key , a user’s identity , and the attributes set , and then it chooses a random exponent and generates the corresponding key , where

Next, the algorithm continues to choose a random exponent and computes

Let ; then, we have

Finally, we set the outsourced transformation key as and the secret key as .

3.3.5. Partial Decryption

In order to achieve the outsourced decryption, the user needs to send his transformation key to the CSP. Note that the transformation key cannot leak any useful information associated with the secret key and the plaintext data . The concrete partial decryption algorithm is given as follows.

(5) Transform . The transformation algorithm takes as input the transformation key and the ciphertext .

(1) If there is no attribute revoked, namely, , then we have the following.

Here, we have , and if the attributes set associated with satisfies the access control policy included in , then the CSP computes the values satisfying in polynomial time. Next, it computes

Once the partial decryption is over, the CSP sends to the corresponding user for the final decryption.

(2) If the attribute of users list is revoked, namely, , then we have the following.

Here, we have and , and if the attributes set satisfies the access control policy and , then the CSP implements the partial decryption on the ciphertext header . It also computes the values satisfying and then continues to compute

Therefore, the partially decrypted ciphertext header is set as .

Next, the CSP implements the partial decryption on the ciphertext as follows:

Therefore, the partially decrypted ciphertext is set as

Once the partial decryption is over, the CSP sends to the corresponding user for the final decryption.

3.3.6. Decryption

Once the user gets the partially decrypted ciphertext, he will use his secret key to implement the final decryption for obtaining the plaintext message as follows.

(6) Decrypt . The decryption algorithm takes as input the partially decrypted ciphertext and the user’s secret key . Then, it decrypts the ciphertext as follows:

(1) If there is no attribute revoked, namely, , then the user computes

(2) If the attribute of users list is revoked, namely, , then we have the following.

Here, we have and , and then the user computes

If the attributes set satisfies the access control policy , then the CSP computes the values satisfying in polynomial time and continues to compute

3.4. Security Proof

Theorem 4. If the decisional -Parallel BDHE assumption holds in and , then there exists no polynomial time attacker to break our proposed CP-ABE scheme with attribute level user revocation selectively, where the challenge matrix is with .

Proof. If there exists an attacker who can selectively break our proposed CP-ABE scheme with a nonnegligible advantage , where the challenge matrix is with , then we can construct a challenger to break the decisional -Parallel BDHE assumption successfully.

Init. The challenger takes as input a -Parallel BDHE challenge . In addition, the attacker gives the challenge access control policy and the revocation users list of attribute where the matrix has columns.

Setup. The challenger chooses a random exponent and computes , where it implicitly sets . In addition, it sets the broadcast users set as

Then, selects a random exponent and sets .

Next, sets the group parameters , and for each , selects a random exponent . Let denote the set of satisfying ; then, is set as

Note that if , then we have . In addition, we can say that is distributed randomly because of the randomness of .

Finally, sends to the public key as

Query Phase 1. makes to a series of queries including the key generation query and the ciphertext reencryption query .

(i) makes to a key generation query associated with the identity and the attributes set ; if , then we set the attributes set ; otherwise, we set . In addition, if satisfies the challenge access control policy , then outputs ; otherwise, it generates the secret key as follows.

first computes the vector , where , and for all , it satisfies . Note that the vector can be found in polynomial time according to the definition of LSSS.

Then, chooses a random parameter and defines the exponent as

Next, computes the key component as

According to the definition of and , we know that includes the item . Although is not given in the assumption, it can be canceled by multiplying with , because we implicitly set when generating the key component . In detail, it is constructed as follows:

Then, will compute the key component . For each attribute , if there exists no row satisfying , then we set ; otherwise, let denote the set of all the rows satisfying , and then we set as

Next, will set the key component for the user . Similarly, includes the item that is not given in the assumption. However, we set the value as and we have . Moreover, because , namely, , includes the term that can be canceled by the term included in :

Once the key components are all generated, the challenger will select a random exponent and set the outsourced transformation key as

Therefore, the secret key is set as . Finally, sends the transformation key to the attacker .

(ii) makes to a ciphertext reencryption query associated with the revocation users list of attribute and the ciphertext . Then, generates the reencrypted ciphertext as follows.

first selects a random exponent and computes

Next, selects random parameters and defines the vector . For each row of the matrix , computes the inner product . Then, selects a random exponent and defines the broadcast users set as . Finally, it encrypts the exponent to generate the ciphertext header as follows:

Note that is a correctly distributed ciphertext component which is demonstrated as follows:

Therefore, the final reencrypted ciphertext is set as .

Challenge. The attacker submits to the challenger two messages and with the equal length. Then, selects a random coin and generates the challenge ciphertext components as

Next, selects random parameters and then sets the vector to implicitly share the key . For , defines as the set of all satisfying . Finally, selects random exponents and sets the challenge ciphertext components and as follows:

Query Phase 2. continues to make to a series of queries including the key generation query and the ciphertext reencryption query as in Query Phase 1.

Guess. The attacker outputs its guess for . If , then outputs 0 denoting ; otherwise, it outputs 1 denoting is a random parameter in .

If , then plays the proper security game, so we have

Otherwise, is a random element in ; namely, is completely random in the view of , so we have

4. Analysis

In this part, we will compare our proposed CP-ABE scheme with several existing revocation schemes in terms of functionality, storage cost, communication cost, and computation efficiency. The notations that will be used are described as follows: denotes the bit size of an element in ; denotes the bit size of an element in ; denotes the bit size of an element in ; denotes the size of access control matrix associated with the ciphertext; denotes the bit size of the key encryption key in Hur’s scheme [13]; denotes the number of attributes associated with the ciphertext; denotes the number of attributes associated with the secret key of a user; denotes the number of all attributes in the system; denotes the number of all users in the system.

4.1. Functionality

The functionality comparison is demonstrated in Table 1, from which we can see that Liang’s scheme achieve the system level user revocation; namely, once an attribute of some user is revoked, he will lose all the access permissions in the system, which is impractical in the normal application. However, our scheme, Hur’s scheme, and Yang’s scheme achieve the attribute level user revocation; namely, the revocation of some attribute has no effect on the access permissions of other legitimate attributes. In addition, compared with the generic group model of Hur’s scheme and the random oracle model of Yang’s scheme, only our scheme is provably secure based on -Parallel BDHE assumption in the standard model, which has stronger security.

4.2. Storage Cost

The storage cost comparison is demonstrated in Table 2. The storage cost of attribute authority (AA) is mainly generated by the master key . Our scheme and Hur’s scheme have short and constant master key; however, the master key in Liang’s scheme grows linearly with the number of all users in the system and in Yang’s scheme grows linearly with the number of all attributes in the system. The storage cost of data owner (DO) is mainly generated by the public key . Hur’s scheme has the shortest public key which is constant. The public key in Yang’s scheme grows linearly with the number of all attributes in the system and in Liang’s scheme grows linearly with the number of all attributes and the column vector of access control matrix with each other as the slope and in our scheme grows linearly with the number of all attributes and the number of all users, however, with constant slope compared with Liang’s scheme. The storage cost of cloud service provider (CSP) is mainly generated by the ciphertext and ciphertext header. Liang’s scheme only achieves user revocation in which the key updating is implemented by using the method of subset cover and the ciphertext needs not to be updated; therefore, the ciphertext grows linearly with the size of the access control matrix. Yang’s scheme updates the key through the interaction between the AA and the data user (DU) and also updates the corresponding ciphertext associated with the revoked attribute; therefore, the ciphertext grows linearly with the number of attributes associated with the ciphertext. In Hur’s scheme, once the DO sends the ciphertext to the CSP, the CSP generates the corresponding ciphertext header for each attribute group. Therefore, the storage cost includes the ciphertext and ciphertext header; moreover, the ciphertext grows linearly with the number of attributes associated with the ciphertext, and the ciphertext header grows linearly with the number of attributes and the number of all users in the system with each other as the slope. In our scheme, if some attribute is revoked, then the CSP selects a new exponent to update the ciphertext corresponding to the revoked attribute and then encrypts the exponent to generate the corresponding ciphertext header. Therefore, the storage cost also includes the ciphertext and ciphertext header; moreover, the ciphertext and ciphertext header both grow linearly with the number of attributes associated with the ciphertext. The storage cost of the DU is mainly generated by the secret key. Our scheme and Yang’s scheme have shorter secret key which grows linearly with the number of attributes associated with the secret key. In Liang’s scheme, the secret key is generated by using a binary tree; therefore, the size of secret key is associated with the number of attributes, the column vector of access control matrix, and the number of all users in the system. In addition, in Liang’s scheme, the key updating is implemented by using the method of subset cover, so the storage cost also includes the updating key that grows linearly with the smallest cover set. In Hur’s scheme, every user needs to store a plenty of key encryption keys to decrypt the corresponding exponents for key updating; therefore, the size of secret key not only grows linearly with the number of attributes but only grows logarithmically with the number of all users in the system.

4.3. Communication Cost

The communication cost comparison is demonstrated in Table 3. The communication cost is mainly generated by the key and the ciphertext. The communication cost between the attribute authority (AA) and the data user (DU) is mainly generated by the secret key of user. In Liang’s scheme, for every revocation, the AA needs to generate a new updating key which then is sent to the DU; therefore, it causes size communication cost additionally. In Yang’s scheme, for every revocation, the AA needs to communicate with the DU for updating the key; therefore, it causes size communication cost additionally between the AA and DU. In addition, the communication cost between the AA and data owner (DO) is mainly generated by the public key, and in Yang’s scheme, the AA needs to update the public key for every attribute revocation; therefore, it generates size communication cost also. The communication cost between the cloud service provider (CSP) and the DU is generated by the ciphertext, and in Hur’s scheme, the CSP needs not only to send the ciphertext but also to generate the key encryption keys, which causes size communication cost; in addition, it also needs to send size ciphertext header. In our proposed CP-ABE scheme, for every revoked attribute, the CSP selects a new exponent to implement the ciphertext updating and then encrypts the exponent to generate the ciphertext header, which causes size communication size additionally. However, because we outsource the decryption to the CSP, the DU needs to send size transformation key to the CSP for partial decryption. If there is no attribute revoked, then the CSP generates only two elements in ; otherwise, the CSP generates elements in and two elements in corresponding to the ciphertext and three elements in corresponding to the ciphertext header. In addition, the communication cost between the CSP and the DO is mainly generated by the ciphertext.

4.4. Computation Efficiency

In order to evaluate the computation efficiency of our proposed CP-ABE scheme with attribute level user revocation, we implement our scheme on a 3.4 GHZ processor PC with 64-bit Ubuntu 14.04 operating system, Intel® Core™ i7-3770CPU and 4 G memory. The public key is selected to provide a 128-bit security level. In addition, the experiment uses a 160-bit elliptic curve group based on the pairing-based cryptography library (PBC-0.5.14) [20] and cpabe-0.11 [21] which selects the supersingular curve over 512-bit finite field. The experimental data are obtained by computing the average value for 20 times. In this experiment, the time of PBC library computing a pairing operation is approximately 5.3 ms, and the time of computing an exponent operation in and is approximately 6.2 ms and 0.6 ms, respectively. In addition, the selection time of a random element in and is approximately 14 ms and 1.4 ms, respectively, by using the operation/dev/urandom in Ubuntu 14.04 operating system.

In this paper, we compare our scheme with several related schemes in terms of key generation time, encryption time, decryption time, and reencryption time; moreover, we set .

From Figure 2, we can see that the key generation time grows linearly with the number of attributes, and our key generation time is slightly higher than that of Yang’s scheme; however, it is better than that of Hur’s scheme and Liang’s scheme. In particular, the key generation time in Liang’s scheme is associated with not only the number of attributes but also the column vector of access control matrix and the number of all users in the system; therefore, its key generation time is much larger than the other three schemes.

From Figure 3, we can see that the encryption time grows linearly with the number of attributes associated with the access control policy. Our encryption time is slightly higher than that of Hur’s scheme and, however, is better than that of Yang’s scheme and Liang’s scheme. Note that the encryption in Hur’s scheme involves some polynomial operations; however, the running time is very short which is omitted here. The encryption time in Liang’s scheme is not only associated with the number of attributes corresponding to the access control policy but also associated with the column vector of access control matrix; therefore, the encryption time is much larger than the other three schemes.

In the decryption experiment, the computation time is mainly influenced by the number of attributes used in decryption. In order to demonstrate the experimental results better, we suppose that all the intermediate nodes in the binary tree use the -threshold gates. In addition, our scheme is demonstrated under two circumstances; namely, no attribute is revoked and 50% attributes are revoked. From Figure 4, we can see that the decryption time in our scheme with 50% attributes revoked, Liang’s scheme, Hur’s scheme, and Yang’s scheme grows linearly with the number of attributes used in decryption. Moreover, our scheme with no attribute revoked uses outsourced decryption, so the user needs only one exponent operation in . In addition, the decryption time of our scheme with 50% attributes revoked is a quadratic function for the attributes used in decryption; however, we also uses outsourced decryption which decreases the decryption time of user greatly. From Figure 4, we can see that when the number of attributes used in decryption locates in a certain range, the decryption time of our scheme with 50% attributes revoked is smaller than the other three schemes, and as the number of attributes used to decrypt increases, the decryption time goes over Yang’s scheme and Hur’s scheme successively, however, within acceptable range.

In addition, the comparison of reencryption times is shown in Figure 5. If there exists some attribute to be revoked, then the key or the ciphertext should be updated. Yang’s scheme and Liang’s scheme mainly implement the key updating while Hur’s scheme and our scheme mainly implement the ciphertext updating. Therefore, from Figure 5, we can see that the reencryption time in Hur’s scheme and our scheme is larger and grows linearly with the number of attributes associated with access control policy. However, all these computations are implemented by the CSP that has a plenty of computing resources. Although the reencryption time in Yang’s scheme and Liang’s scheme is shorter, it requires AA to implement the key updating. As we all know, the computation resources of AA are limited, which may be the bottleneck in the system.

5. Conclusion

In this paper, we propose a CP-ABE scheme which can achieve the attribute level user revocation. In this scheme, if some attribute of a user is revoked, then the ciphertext corresponding to the revoked attribute is updated so that only the user, whose attributes set satisfies the access control policy and has not been revoked, can carry out the key updating to decrypt the ciphertext successfully. The security of our scheme is proved secure based on the -Parallel BDHE assumption in the standard model. Finally, the performance analysis and experimental verification are carried out, and the experimental results show that although our scheme increases the computation cost of the CSP in order to achieve the attribute revocation, it does not require the participation of the AA, which decreases the computation cost of the AA. Moreover, the user does not need to store additional parameters to carry out the attribute revocation; thus, it greatly saves the storage space.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors acknowledge the important comments given by the instructors and colleagues. This study acquired support from National Key Research Program of China “Collaborative Precision Position Project” (Grant no. 2016YFB0501900).

References

A. Sahai and B. Waters, “Fuzzy identity-based Encryption,” in Advances in cryptology---{EUROCRYPT} 2005, vol. 3494 of Lecture Notes in Computer Sci., pp. 457–473, Springer, Berlin, Germany, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
U. C. Yadav, “Ciphertext-policy attribute-based encryption with hiding access structure,” in Proceedings of the 2015 5th IEEE International Advance Computing Conference, (IACC '15), pp. 6–10, India, June 2015.
View at: Publisher Site | Google Scholar
T. Naruse, M. Mohri, and Y. Shiraishi, “Provably secure attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key for updating,” Human-centric Computing and Information Sciences, vol. 5, no. 1, pp. 1–13, 2015.
View at: Publisher Site | Google Scholar
H. Wang, B. Yang, and Y. Wang, “Server aided ciphertext-policy attribute-based encryption,” in proceedings of the IEEE International Conference on Advanced Information Networking Applications Workshops, pp. 440–444, Gwangju, Korea, 2015.
View at: Google Scholar
Q. Li, J. Ma, R. Li, J. Xiong, and X. Liu, “Large universe decentralized key-policy attribute-based encryption,” Security and Communication Networks, vol. 8, no. 3, pp. 501–509, 2015.
View at: Publisher Site | Google Scholar
X. Wang, J. Zhang, E. M. Schooler, and M. Ion, “Performance evaluation of Attribute-Based Encryption: toward data privacy in the IoT,” in proceedings of the 2014 1st IEEE International Conference on Communications (ICC '14), pp. 725–730, Sydney, Australia, June 2014.
View at: Publisher Site | Google Scholar
R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 195–203, November 2007.
View at: Publisher Site | Google Scholar
J. Staddon, P. Golle, M. Gagne, and P. Rasmussen, “A content-driven access control system,” in Proceedings of the 7th Symposium on Identity and Trust on the Internet (IDtrust '08), pp. 26–35, Gaithersburg, Maryland, USA, March 2008.
View at: Publisher Site | Google Scholar
X. Liang, R. Lu, and X. Lin, “Ciphertext policy attribute based encryption with efficient revocation,” in Proceedings of the IEEE Symposium on Security Privacy, vol. 2008, pp. 321–334, 2010.
View at: Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, Oakland, California, USA, May 2007.
View at: Publisher Site | Google Scholar
A. Boldyreva, V. Goyal, and V. Kumart, “Identity-based encryption with efficient revocation,” in Proceedings of the 15th ACM conference on Computer and Communications Security (CCS '08), pp. 417–426, Alexandria, VA, USA, October 2008.
View at: Publisher Site | Google Scholar
M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute-based systems,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 99–112, Alexandria, Va, USA, October-November 2006.
View at: Publisher Site | Google Scholar
J. Hur and D. K. Noh, “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214–1221, 2011.
View at: Publisher Site | Google Scholar
K. Yang, X. Jia, and K. Ren, “Attribute-based fine-grained access control with efficient revocation in cloud storage systems,” in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS '13), pp. 523–528, May 2013.
View at: Publisher Site | Google Scholar
E. Zavattoni, L. J. Perez, S. Mitsunari et al., “Software implementation of an attribute-based encryption scheme,” IEEE Transactions on Computers, vol. 64, no. 5, pp. 1429–1441, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
B. Waters, “Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization,” Lecture Notes in Computer Science, vol. 2008, pp. 321–334, 2011.
View at: Publisher Site | Google Scholar | MathSciNet
L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 456–465, NY, USA, November 2007.
View at: Publisher Site | Google Scholar
S. S. Tu, S. Z. Niu, and H. Li, “A fine-grained access control and revocation scheme on clouds,” Concurrency & Computation Practice & Experience, vol. 28, no. 6, 2012.
View at: Google Scholar
A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption,” in Advances in cryptology---{EUROCRYPT} 2010, vol. 6110 of Lecture Notes in Comput. Sci., pp. 62–91, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
B. Lynn, “The pairing-based cryptography (PBC) library[OL],” 2006, http://crypto.stanford.edu/pbc.
View at: Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Advanced crypto software collection: the cpabetoolkit[OL],” 2001, http://acsc.cs.utexas.edu/cpabe.
View at: Google Scholar

Copyright

Copyright © 2017 Guangbo Wang and Jianhua Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

2101

Downloads

989

Citations