#### Abstract

Decentralized attribute-based encryption (ABE) is a special form of multiauthority ABE systems, in which no central authority and global coordination are required other than creating the common reference parameters. In this paper, we propose a new decentralized ABE in prime-order groups by using extended dual system groups. We formulate some assumptions used to prove the security of our scheme. Our proposed scheme is fully secure under the standard -Lin assumption in random oracle model and can support any monotone access structures. Compared with existing fully secure decentralized ABE systems, our construction has shorter ciphertexts and secret keys. Moreover, fast decryption is achieved in our system, in which ciphertexts can be decrypted with a constant number of pairings.

#### 1. Introduction

Attribute-based encryption (ABE), which enables fine-grained access control, was first introduced by Sahai and Waters [1]. Subsequently, Goyal et al. [2] classified ABE as key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, ciphertexts are associated with a set of attributes and secret keys are associated with access policies, while the opposite is true for CP-ABE. The ciphertext can be decrypted by secret keys if and only if the attributes satisfy the access policy.

Over the past decade, there have been a number of ABE schemes [3–9] proposed for supporting fairly expressive policies. However, the classical ABE system has only a single authority, which manages all attributes and issues private keys for all users. This may be unable to meet the requirements of some applications due to the lack of flexibility. There are three major aspects that impact the application value of single authority ABE systems. First, the single authority system failed to achieve the collaboration between different institutions since it cannot verify attributes across different organizations. Second, there exists key escrow problem in single authority system. The authority must be highly trustworthy as it can decrypt any ciphertext. Finally, key generation for all users that relied on a single authority is a huge workload and can easily become a performance bottleneck in the system. Furthermore, failure of the authority affects the whole system.

Multiauthority or decentralized ABE [10, 11] systems are put forward to address this issue. Lewko and Waters [11] provided the first fully secure decentralized ABE system. In their system, any party can become an authority by creating a public key. Authorities can issue private keys independently, and some authorities that go wrong will only affect the attributes in their domain and not the system as a whole. In addition, the scheme in [11] supports any monotone access structures.

Though the Lewko-Waters decentralized ABE scheme is expressive, the construction is based on composite-order bilinear group. The current research [12] showed that prime-order bilinear groups outperform composite-order groups in terms of both time efficiency and space efficiency. To be specific, elements with 3072 or 3248 bits are required for a 128-bit security level in composite-order groups according to NIST or ECRYPT II recommendations, while elements with 256 bits are sufficient in prime-order groups for the same security level. As for the time efficiency, [12] indicated that a pairing over an elliptic curve of composite order is 254 times slower than over a prime-order elliptic curve for the 128-bit security level. For the above reasons, it is preferable to design schemes on prime-order groups. In a subsequent work by Okamoto and Takashima [13], a decentralized ABE system on prime-order groups was presented by using dual pairing vector spaces [5]. The construction improves the efficiency of decentralized ABE systems, but there is still a significant performance penalty due to the required size of the vectors. Hence, it is worth constructing a more compact decentralized ABE system in prime-order setting.

We present a new construction of decentralized ABE by using extended dual system group (EDSG). Our proposed scheme is built on prime-order groups with better space and time efficiency and can be proved fully secure under standard -Lin assumption in the random oracle model.

To prove that full security of decentralized ABE system is a challenging job, even using the powerful dual system encryption methodology [14, 15], [11] used two subgroups for semifunctional space. The first subgroup is used to hide nominal semifunctionality from the attacker’s view by appending blinding factors to each key at a time. The second subgroup is used to avoid leakage of information about the first one by switching the semifunctional components from the first subgroup to it.

Dual system groups (DSG) [16] are an attractive tool for simulating composite-order groups in the prime-order setting. In contrast to prior works [17–19], which attempted to maximize the properties satisfied by both composite-order and prime-order groups, the dual system groups seek to investigate the minimal properties needed for the application to dual system encryption. The benefit is that we can obtain more efficient and compact schemes, and that is why our scheme can reduce the size of ciphertext compared with previous work [13]. Unfortunately, we observe that dual system groups in [16] are insufficient for constructing fully secure decentralized ABE since it only has one semifunctional space. To overcome this, we extend the basis of dual system groups from matrix to matrix inspired by [20]. The first -dimension subspace is the normal space, the next -dimension subspace is used to construct type 1 semifunctional secret keys, and the last -dimension subspace is used to construct type 2 semifunctional secret keys. In addition, we also realize the left subgroup indistinguishability, right subgroup indistinguishability 1, and right subgroup indistinguishability 2. These assumptions are used to mimic the effect of the subgroup decision assumption in composite-order groups.

The paper is organized as follows. In Section 2, we introduced the related works. In Section 3, a brief summary of the relevant concepts in multiauthority CP-ABE and prime-order bilinear groups was presented. In Section 4, we gave our revised definition of dual system groups and realized it in the prime-order setting in Section 5. In Section 6, we gave our decentralized CP-ABE system, outlined the security proof, and discussed its efficiency. In Section 7, we concluded the paper.

#### 2. Related Works

Attribute-based encryption was introduced by Sahai and Waters [1], which can encrypt a message for multiple receivers by their attributes, rather than designating recipient in advance. Subsequently, Goyal et al. [2] extended this idea and classified ABE system into two categories: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). The first fully secure ABE system was presented by Lewko et al. [4]; all ABE systems can only be proved to be selective secure ones before that. In addition, several variants of ABE have been proposed. Ostrovsky et al. [21] showed how to realize negation by incorporating specific revocation schemes into the construction of [2]. Lewko et al. [22] provided a fully secure ABE system which is resilient to continual leakage. With regard to the public parameter optimization problems, large universe ABE system, in which the size of the attribute universe can be exponentially large, was proposed in [23, 24]. The first multiauthority ABE system was introduced in [10] by Chase, which has one central authority (CA) and multiple attribute authorities (AAs). Subsequently, Chase and Chow [25] removed the CA by using a distributed pseudorandom function. Both of [10, 25] can only support AND-gates policy. A multiauthority ABE that supports threshold policy was provided by Lin et al. [26]. CA is not required for their system. However, the authorities are fixed and they must interact with each other during setup. The multiauthority ABE proposed in [10, 25, 26] looked only at the KP-ABE setting. Müller et al. [27] proposed the first multiauthority CP-ABE supported policies written in disjunctive normal form (DNF) with one CA and multiple AAs. The system can be only proved to be secure in generic group model. In addition, all these above systems can only defend selective attacks; that is, the attacker must commit to a target access structure before setup phase. Lewko and Waters [11] first obtained a fully secure multiauthority CP-ABE by using dual system encryption technique [14, 15]. Their system is decentralized; that is, the authorities are equal and with no need for CA and can support any monotone access structures. They proved security under static assumptions in the random oracle model. Liu et al. [28] proposed a multiauthority CP-ABE where there are multiple CAs and AAs. In their system, all of the CAs must work together to issue an identity-related key to the user. They used threshold policy to distribute the master secret to prevent the authority decrypting ciphertexts independently. The system can be proved fully secure in the standard model. Scheme [11] is built on the composite-order group, which resulted in low efficiency of the systems. An improvement design was carried out in prime-order bilinear groups in [13]. Recently, Rouselakis and Waters [29] proposed an efficient large universe decentralized ABE system. However, the scheme only achieved static security, in which all queries (about both ciphertexts and secret keys) done by the attacker should be sent to the challenger immediately after seeing the global parameters.

In addition, some extension researches on multiauthority ABE have been proposed. Ma et al. [30] presented a multiauthority ABE with traitor tracing. The system is not practical due to infeasible large sizes of public key and ciphertext. Li et al. [31] proposed a multiauthority CP-ABE scheme with accountability, which allows tracing the identity of a misbehaving user who leaked the decryption key to others. The system supported AND-gates policy. A large universe decentralized KP-ABE scheme was proposed in [32]. The system supported any monotone access policy and can be proved as selectively secure in the standard model. Gorasia et al. [33] presented a multiauthority CP-ABE with fast decryption, which only supports threshold policy. Zhong et al. [34] proposed a decentralized CP-ABE scheme with hidden policy. It also supported user revocation but only achieved selective security. An adaptively secure multiauthority CP-ABE scheme with verifiable outsourced decryption was given in [35].

#### 3. Preliminaries

*Notation*. We use to denote that is picked randomly from a set . We denote probabilistic polynomial-time by PPT. denotes the set for any .

##### 3.1. Prime-Order Bilinear Groups and Computational Assumptions

*Prime-Order Bilinear Groups*. The asymmetric prime-order group generator takes a security parameter as input and outputs , where , , and are cyclic groups of prime order , , are generators of , , respectively, is an effective computable nondegenerate bilinear pairing, that is, , and .

*Assumption 1 (-Lin: the -linear assumption in ). *For any PPT adversary , the advantage of is negligible in : where

*Assumption 2 (-LLin: the -lifted linear assumption in ). *For any PPT adversary , the advantage of is negligible in : where

Lemma 3 (see [20]). *For any PPT adversary , there exists an adversary such that *

##### 3.2. Multiauthority CP-ABE

###### 3.2.1. Definition

In this paper, we used the definition of multiauthority CP-ABE and security model presented in [11]. We let denote the attribute set managed by and denote the universe of attributes. For , we assume that . A multiauthority CP-ABE system consists of the following five algorithms:

GlobalSetup. This algorithm takes as input a security parameter and outputs the global public parameters GP.

Authority Setup. This algorithm is run by attribute authority . It takes as input global parameters GP and outputs its own public key and secret key .

KeyGen. This algorithm is run by . It takes as input GP, , an identity GID, and an attribute belonging to and returns a secret key .

Enc. This algorithm takes as input GP, an access matrix , the set of public keys for relevant authorities, and a message and outputs a ciphertext CT.

Dec. This algorithm takes as input GP, , and CT. If the collection of attributes satisfies the access policy, it outputs the message ; otherwise, it outputs .

###### 3.2.2. Security Model

The security of multiauthority CP-ABE is defined by the following game run between a challenger and an adversary .

Setup. The challenger executes GlobalSetup and Authority Setup algorithm. It gives GP and to the adversary . For corrupt authorities, also gives the corresponding to .

Key Query Phase 1. In this phase, makes key queries by submitting to , where belonged to uncorrupted authorities. returns to .

Challenge. submits two equal-length messages , and an access policy with the following constraint. We let denote the subset of attributes controlled by corrupt AAs. For each identity GID, denotes the subset of attributes which has queried. For each GID, we require that cannot satisfy . randomly chooses and encrypts under . It sends the ciphertext to .

Key Query Phase 2. continually queries as in phase 1 in the same constraint.

Guess. outputs a guess for .

The adversary’s advantage is defined to be .

*Definition 4. *A multiauthority CP-ABE scheme is secure if, for all PPT adversaries, the advantage is negligible in the above security game.

#### 4. Extended Dual System Groups

(i)SampP: output:(a)Public parameter, pp, contains group description(), a nondegenerate bilinear map , a linear map defined on , and some additional parameters for SampG and SampH.(b)Secret parameter, sp, contains (where ), and some parameters for , , , and .(ii)SampGT: Im() .(iii)SampG: output .(iv)SampH: output .(v): output .(vi): output .(vii): output .(viii): output .The first four algorithms are used for normal ciphertexts and secret keys in the real system, while the remaining are only used for semifunctional ones in the security proof. We use to indicate the first element of , that is, .

*Correctness*. It needs to meet the following conditions.

*(Projective)*. For and a random variable , .

*(Associative)*. For all and ,

*Security*. It needs to meet the following conditions.

*(Orthogonality)*(i).(ii).(iii).

*(Nondegeneracy)*. For all and , and are distributed uniformly over .

*(**)*. The output of is distributed uniformly over a subgroup of .

*(Left Subgroup Indistinguishability)*. For any PPT adversary , the advantage of is negligible in : where

*(Right Subgroup Indistinguishability 1)*. For any PPT adversary , the advantage of is negligible in : where

*(Right Subgroup Indistinguishability 2)*. For any PPT adversary , the advantage of is negligible in : where

*(Parameter Hiding)*. The following two distributions are identical: where

#### 5. Instantiating EDSG

We let and be functions mapping from a matrix to its left-most columns, the middle columns, and the right-most columns, respectively.

SampP(i)Run .(ii)Define .(iii)Sample , and set , ; is a random full-rank diagonal matrix in whose bottom-right entry is a -dimensional unit matrix; define (iv)define for all .

*Output*

SampGT. Pick and output .

SampG. Pick and output

SampH. Pick and output

. Pick and output

. Pick and output

. Pick and output

. Pick and output Set , .

*Correctness*. We check correctness properties as follows.

*(Projective)*. For all , :

*(Associative)*. For all , , :

*Security*. We check the following security properties.

*(Orthogonality)*(i).(ii).(iii).

*(Nondegeneracy)*(i).(ii).With overwhelming probability, the inner product is distributed uniformly over and therefore is distributed uniformly over , and the same is true for .

*(**)*. This follows from the fact that is an additive group.

Lemma 5 (left subgroup indistinguishability). *For any PPT adversary , there exists an adversary such that *

We may rewrite the LS advantage function as follows: where

*Proof. *Given an instance of ()-LLin problem (i.e., ), as input, where all are either or uniformly chosen from . implicitly sets Define as Sample , , , set , and implicitly set Then we can compute *Simulating **pp**Simulating the Challenge*. simulates the challenge as If , , that is, , the output is ; otherwise, the output is .

Lemma 6 (right subgroup indistinguishability 1). *For any PPT adversary , there exists an adversary such that *

We may rewrite the RS1 advantage function as follows: where

*Proof. *Given an instance of ()-LLin problem (i.e., ) as input, where all are either or uniformly chosen from . samples and implicitly sets Define as Sample , , set , and implicitly set Then we can compute *Simulating **pp**Simulating *. Sample and implicitly set Then we can compute *Simulating the Challenge*. simulates the challenge as If , , that is, , the output is ; otherwise, the output is .

Lemma 7 (right subgroup indistinguishability 2′). *For any PPT adversary , there exists an adversary such that *

The RS2′ advantage function: where

*Proof. *Given an instance of ()-LLin problem (i.e., ) as input, where all are either or uniformly chosen from . samples and implicitly sets Define as