#### Abstract

Based on mutual authentication, the session key is established for communication nodes on the open network. In order to satisfy fine-grained access control for cloud storage, the two-party attribute-based key agreement protocol (TP-AB-KA) was proposed. However, the existing TP-AB-KA protocol is high in the cost of computation and communication and is not unfit for application in a mobile cloud setting because mobile devices are generally resource constrained. To solve the above issue, we propose a TP-AB-KA protocol with constant-size ciphertext and key. Our TP-AB-KA protocol is provable security in the standard model. The concrete proof is given under the augmented multisequence of exponents' decisional Diffie-Hellman (aMSE-DDH) hypothesis in the attribute-based BJM model (AB-BJM). Compared with the existing TP-AB-KA protocols, the computation cost and communication cost of our protocol are largely reduced.

#### 1. Introduction

Key agreement (KA) protocol is an important component in cryptography. By establishing a session key, KA protocol provides security services of confidentiality, integrity, and availability for open communication on the network node. Recently, the two-party attribute-based key agreement protocol (TP-AB-KA) was first proposed in [1]. In TP-AB-KA protocol, the attribute-based encryption (ABE) was adopted for exchanging secret messages from two participants. This kind of protocol carries out negotiating session key based on the mutual authentication of participants’ attribute information. Sahai and Waters [2] first proposed ABE, which was used for fine-grained access control for cloud storage. User identity is determined by his/her attributes. ABE is often applied in a one-to-many encryption situation, where data encrypted with certain attributes policy is correctly decrypted by any users whose attributes satisfy that access structure. TP-AB-KA protocol inherits the advantages of ABE schemes, such as using attributes to describe one user and realize the protection of user’s identity. This also enables the TP-AB-KA protocols to meet the needs of some specific application scenarios where participants’ attributes act as critical factor for mutual authentication.

For example, in an electronic project review system, a reviewer wants to make inquiries for some bidders. Suppose there are attribute characters in this scene. The role information is described with certain attribute sequence , which includes elements in total. The subscripts stand for the corresponding locations in the sequence, where we use location to denote “reviewer” role and location to denote “bidder” role. If a role is a reviewer, its attribute sequence is instantiated with , where “0” shows “having” certain attribute character and “1” shows “not having”. So shows that is a reviewer and not a bidder. obtains the corresponding private key generated by the trusted authority (TA) according to ’s attribute sequence. In the same way, the authentication policy based on attributes is also described in such way. For instance, there are some qualifications about bidders, such as “: more than 2 grade enterprise qualification”, “: more than 10 years warranty”, etc. Those qualifications are written into a sequence form, that is, (). locations stand for and qualifications, respectively. If wants to talk with a bidder with and qualifications, gives out the corresponding authentication policy . Two “0” show having and qualifications together.

Based on above attribute description, the inquiry procedure of electronic review system is done as follows: Before voting, the reviewers need to ask some inquiry for some related bidders without revealing their real identities. Suppose that a reviewer with attribute sequence wants to inquire for bidders, such as with “: more than 2 grade enterprise qualification” and “: more than 10 years warranty” qualifications. If satisfies and satisfies specified by , then can consult a session key with to achieve secure communication by using a TP-AB-KA protocol.

With the increasing popularity and application of mobile devices, more and more applications are migrated from PCs to mobile devices, such as smart phones. Above example also happens in mobile environment. Since most mobile devices are resource constrained, it is more important to improve the performance of TP-AB-KA protocol by reducing computation cost and communication cost. However, the existing TP-AB-KA protocols are not so good in performance because the length of ciphertext and key grows linearly with the number of related attributes.

##### 1.1. Our Motivation and Contribution

ABE scheme has fine-grained data access control, which can be well applied to many scenes where KA protocols are used. As shown in above example, ABE scheme was adopted for attribute authentication between the participants in the protocol and did not reveal their identities. More and more KA protocols introduce ABE schemes to construct TP-AB-KA protocols. However, the length of key and ciphertext in those TP-AB-KA protocols grows linearly with the number of attributes which participants own or are embedded in access policies. Obviously, those TP-AB-KA protocols are unfit for the lightweight applications. For example, mobile devices have become the primary devices in open cloud setting, which are resource constrained and require the protocols with high performance. In order to solve above problem, we first propose a two-party attribute-based key agreement protocol with constant-size ciphertext and key based on the CP-ABE scheme [3].

Our protocol adopts an AND-gate access structure based on the whole attribute universe. A polynomial function embedded in the exponent location of a group element is defined to express the attribute character of one participant. One factor in is one secret value, which reflects the th attribute of the participant, where is a hash function. The polynomial function is used to describe all attributes of the participant, where is the index set of the corresponding items in attribute sequence. Similarly, one data access policy is also described with polynomial function. When in is substituted with the master key of the trusted authority (), the polynomial functions is computed into a constant-size value, based on which both the key and the ciphertext in our protocol can be calculated into some values, respectively, which are irrelevant to the number of corresponding attributes. By using this method, we can generate the constant-size key and ciphertext.

The proposed protocol is proved secure in AB-BJM model [4] based on the difficult problem of the augmented multisequence of exponents decisional Diffie-Hellman (aMSE-DDH) hypothesis [5] in standard model. The public key parameters and specific oracle queries are simulated successfully. The challenge task of aMSE-DDH hypothesis is embedded in the communication ciphertexts. Compared with the existed TP-AB-KA protocols, our protocol’s computation and communication costs are largely reduced. The constant-size key and chipertext improve the implementation efficiency and make our protocol be more suitable for the application of lightweight level.

##### 1.2. Organization

The related work is introduced in Section 2. The preliminaries are introduced in Section 3. In Section 4, a TP-AB-KA protocol is proposed. TP-AB-KA protocol is proved to be secure in Section 5. Subsequently, we give the performance comparison between the protocol [4] and our protocol in Section 6. We conclude our paper in Section 7.

#### 2. Related Work

The key agreement (KA) protocol is used to establish secure communication between two or more parties and authenticate entities in an open environment. With the emerging of identity-based cryptography, Smart [6] presented the first two-party identity-based key agreement protocol (ID-KA) which adopted the IBE scheme [7]. Since then, lots of ID-KA protocols have successively been put forward [1, 8–11]. Those ID-KA protocols were proved security in various models, respectively, such as the BJM model [12], the BR4 model, the CK model, etc. Huang and Cao [13] provided the first ID-AK protocol which was provable security in eCK [14] model. Based on the BJM model [12], Chen* et al.* [9] proposed the ID-BJM model and constructed identity-based key agreement protocols. In order to implement fine-grained access control, session keys are negotiated based on mutual authentication of participants’ attribute information. many attribute-based key agreement (AB-KA) protocols [15–20] are presented. In AB-KA protocols, attribute-based encryption (ABE) plays important role in protecting secret messages used to generate session keys. ABE [21] was mainly divided into two categories called ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, data owner chooses an access structure on attributes and encrypts data with the corresponding attribute public key. Access structure is embedded in the ciphertext, while the secret key is produced according to the attribute set of data user. If the attributes held by a user satisfy access structure embedded in the ciphertext, then he/she decrypts such ciphertext [22]. KP-ABE scheme is inverse. The encryptor selects the descriptive attributes to encrypt data. Recently, Li* et al.* [23, 24] presented two CP-ABE schemes with efficient attribute revocation, which resists the user collusion attack and supports fine-grained access control. There are some privacy-preserving decentralized CP-ABE [25–27] schemes, in which the size of the ciphertext grows linearly with the number of attributes embedded in access policy. In order to improve efficiency, Emura* et al.* [28] presented a CP-ABE scheme with constant ciphertext size. Many ABE schemes [29–38] were presented in various application domains, such as ABE with outsourced data decryption [29, 30, 37], ABE with efficient attribute revocation [31], ABE with full verifiability [30], ABE with keyword search function [29, 31], traceable ABE [32, 33], ABE with leakage resilience [34–36], auditable ABE [38], etc. In order to solve key escrow problem, Li* et al.* [39, 40] presented two certificate-based encryption schemes with leakage resilience. ABE schemes have wide application in cloud storage [41, 42], mobile social networks [43] and smart grid [44]. The original AB-AK protocol [1] gave a secret handshake mechanism based on attributes. Later, lots of AB-KA protocols [15–20] were presented. Wang* et al.* [18] presented a variant of AB-KA protocol based on ABE scheme. But this protocol did not realize mutual authentication on the basis of participants’ attributes. Yoneyama [20] put forward two rounds of AB-KA protocol by using a design technique of the NAXOS protocol and gave the security proof in the modified eCK model. Recently, Wei* et al.* [4] proposed an AB-KA protocol which is proved secure in the modified BJM model under the decisional bilinear Diffie-Hellman assumption in the standard model. But the length of communication messages and decryption key in [4] increased linearly with the number of attributes and was unsuitable for the resource constrained application.

#### 3. Preliminaries

##### 3.1. Access Structure

Suppose that includes attributes in our system. An access structure is a nonempty subset . In particular, for a collection is monotone if and , then *∀*. If a user with a set in then he/she is authorized to access some resources.

##### 3.2. Bilinear Maps

, are two multiplicative cyclic groups with prime order . is the generator of and is bilinear map . The bilinear map satisfies the following properties:(1)Bilinearity: for all , .(2)Nondegeneracy: .(3)Computability: there is an efficient algorithm to compute for .

##### 3.3. aMSE-DDH Assumption [5]

The aMSE-DDH assumption is defined as follows. Let be the pairing group, and let be polynomials with coprimes. Let be the generators of , respectively. is a random element of and is selected randomly in . Given a tuple , >, if no probabilistic polynomial time adversary makes a distinction between and , then we claim that the aMSE-DDH assumption holds with the advantage , where is a negligible function.

##### 3.4. Outline of Our TP-AB-KA Protocol

We give a two-party attribute-based key agreement (TP-AB-KA) protocol. There are 3 roles, trusted authority () and two participants (initiator and responder ). is a trusted role who monitors the participants’ attributes and issue private keys for them. Two participants, and , make key agreement as Figure 1.

. This algorithm takes as input a security parameter and outputs master secret key and public parameters .

. This algorithm is implemented by trusted authority (). It takes as input attribute sequence of a participant and outputs ’s private key . Similarly, for another participant with the attribute sequence , outputs his/her private key by calling algorithm.

. This algorithm takes as input the plaintext and the data access policy , which is proposed by and the attributes of the participant can satisfy. This algorithm outputs the ciphertext according to . Similarly, selects data access policy of which ’s attributes can satisfy and encrypts plaintext into the ciphertext according to by calling this algorithm.

. This algorithm takes as input the ciphertext and ’s private key and outputs the message . By calling this algorithm, decrypts into by using the private key .

. This is an interactive procedure. Firstly, sends to and sends to , respectively. Secondly, decrypts and decrypts by using algorithm, respectively. Thirdly, and compute the session key and , respectively, where .

##### 3.5. AB-BJM Model [4]

We employ the attribute-based BJM model to prove the security of our TP-AB-KA protocol. There are many protocol participants, which are all formalized as oracles. An attacker can access those oracles by issuing some specified queries: . An oracle represents the -th instance of a participant involved with another participant in a session. , have the corresponding attribute sequences and the private keys, respectively. Some key messages in AB-KA protocol are encrypted or decrypted based on a certain kind of ABE scheme.

The security of the protocol is described via a game with two phases.

*(1) The First Phase*. is allowed to launch the below queries in any order.

. initiates a session or sends messages to the participants. On receiving the message , oracle implements the protocol and responds with an outgoing message , or a decision to indicate accepting or rejecting the session. If does not exit, it is created as an initiator if (the security parameter), or as a responder otherwise.

. The participant responds with its private key.

. If the oracle accepts, it reveals the session key; otherwise, it returns* ⊥*.

*(2) The Second Phase*. Once finishes the first phase works, it begins the second phase by selecting a fresh oracle and launching the query. The fresh oracle and query are defined as below.

*Definition 1 (fresh oracle). *An oracle is fresh if (1) has been accepted; (2) is not opened (not being submitted the query); (3) is not corrupted (not being submitted the query); (4) There is no opened oracle , which has matched a conversation to .

. If is fresh, randomly chooses . It responds with the session key if , otherwise, a random sample from the distribution of the session keys.

continues to query the oracles except that it does not reveal the test oracle or its session participant (if it exists), and it does not corrupt the participant .

At last the adversary outputs a guess for . If , we claim that the adversary wins. The advantage of the adversary is defined as .

A secure key agreement protocol is defined as below.

*Definition 2. *Protocol is a secure key agreement protocol if (1) the adversary faithfully conveys messages. Both and are always accepted and hold the same session key which is distributed uniformly on ; (2) is negligible.

#### 4. TP-AB-KA Protocol

A TP-AB-KA protocol with constant-size key and ciphertext is first given in this paper. We embed the ABE scheme [3] into the key agreement protocol. Two parties in our protocol make agreement of the session key based on the exchanged secret messages. Suppose that two participants , encrypt their own secret messages into the ciphertexts according to the access policies proposed by each other, respectively. acts as an initiator and acts as a responder. So long as the attributes of , satisfy mutual access policies, they can obtain the partner's secret messages, respectively. , use the corresponding secret messages to calculate the same session key. The protocol is showed in Figure 2. Our TP-AB-KA protocol includes three stages: , and . The concrete construction is described as below.

. Suppose that is the security parameter. Let and be multiplicative cyclic groups with prime order . A trusted authority () selects generators , from and keeps secret. Suppose that there is an attribute universe including attributes. For each attribute , randomly selects and calculates , , , . keeps secret. This algorithm chooses 3 cryptographic hash functions: , , . For the attribute sequence of one participant , we define a polynomial function to describe ’s attribute character. Here, “” denotes “having the th attribute value” and “” denotes “not having the th attribute value”. We use to denote the attribute sequence which the attributes of can satisfy. Any participant can compute a polynomial function to describe a kind of data access policy. Here, has the same definition as . The algorithm finally outputs the public parameters .

. For a participant with attribute sequence , calculates , which is a polynomial formula with -degree at most. randomly selects and computes . computes ’s private key .

For another participant with , randomly selects and computes by using the similar approach. computes ’s private key .

. chooses a data access policy which ’s attributes can satisfy. generates the corresponding . Let be the coefficient of in . randomly selects and computes , , , , . generates . Similarly, completes the following work successively by using the same way. chooses a data access policy which ’s attributes can satisfy. generates the corresponding . Let be the coefficient of in . Then randomly selects and computes , , , and . generates .

. Assume that has the attribute sequence and the corresponding private key , with has . generates the share secret by using the following calculation steps after receiving . For and , computes , and . satisfies , is the -degree at most polynomial function, where the coefficient of and . computes , , , , . At last, obtains secret . By using the similar approach, computes and . is the -degree at most polynomial function, where is denoted by the coefficient of and . obtains from the received ciphertext .

. Firstly, sends to and sends to , respectively. Secondly, , decrypt , by calling algorithms, respectively. Thirdly, and compute the session key and , respectively.

#### 5. Security Analysis

Theorem 3. *Provided that the augmented multisequence of exponents decisional Diffie-Hellman (aMSE-DDH) [5] assumption holds, our protocol TP-AB-KA protocol is secure in the AB-BJM model. In detail, if there is an adversary who attacks our protocol successfully at the advantage under the condition involving participants and sessions, a simulator can be constructed to solve the aMSE-DDH problem at the advantage .*

*Proof. *Suppose an adversary involves participants in the protocol and establishes sessions. chooses and two participants arbitrarily. guesses that launches the query to the participant . provides the access policies =. Let where denotes “having the th attribute value” and denotes “not having the th attribute value”. sets , . Here, is -degree polynomial and is -degree polynomial. Let be the coefficient of in . denotes the number of nonzero items in . is randomly selected in . Let , . receives the challenge () and the task of is to differentiate from .

. implicitly sets as the master key which is used in the aMSE-DDH challenge instance. simulates the public parameters as below. randomly chooses and implicitly sets . Then sets , , , , , . , , is computed from the challenge instance . is calculated from and . That is, . obtains public parameter set from .

. Assume there is a participant with , where does not satisfy and , is the same definition as . sets . randomly chooses and implicitly sets and . computes . Without loss of generality, for , generates , where , . is a polynomial with at most degree since does not satisfy . So, computes from , and sets . At last, obtains from .

. This enquiry denotes that after receiving a message , oracle executes the protocol and responds with an outgoing message . If is the initiator of this session, we stipulate that the received message is the security parameter . establishes a initialized list as empty list, where mean empty values. In our protocol, maintains a list that saves the following information . Here, is a random value selected by . is generated by in response when receives the message . is the secret share from and is the session key. When receives the message , the following works are done in turn.

(1) If is the security parameter , is the initiator of this session. There are 2 cases listed as follows:

(a) If , then does the following works. According to the challenging access structure , implicitly sets and , , , and . creates the record in list . Here, denotes with in since does not know .

(b) If , then carries out according to the specification of the protocol and updates the list .

(2) If is not the security parameter , there are 3 cases listed as follows.

(a) If there is no record in list , where is an arbitrary value belonged to , is the responder of the protocol. selects one random value , and computes according to the protocol and updates the list .

(b) If there is the record in list , is just the object for test query and . For the received , computes and the session key according to the protocol. Then updates the list .

(c) If there is the record in list , where is an arbitrary value belonged to , is the sponsor. carries out according to the specification of the protocol and updates the list .

. selects a fresh protocol participant for test query.

If is not the protocol participant guessed by during the initialization phase, then terminates the simulation. Otherwise, returns the session key .

. If or the matched protocol participants having sessions with participant do not be issued the query to, terminates simulation. Otherwise, returns the corresponding session key value through accessing the query list .*Output*. when completes all inquiries in Phase 1, continues to ask the 3 inquiries: , , , which are not allowed to break the freshness of participants receiving the test inquiry. Once decides to complete the inquiry, outputs a bit as the stochastic value of the session key which is a conjecture and is used by to distinguish from .*Analysis*. In the whole simulation process, the simulator does not terminate the simulation with the probability of at least . When the simulation of is not terminated, does not distinguish the security game simulated by from the real security game. Therefore, if the advantage of guessing for is , then that of guessing for in the simulated security game is .

If , the security game simulated by is perfect. We get .

According to the above analysis, we construct a simulator solving aMSE-DDH problem with a nonnegligible advantage , if an attacker wins the security game with advantage . Since it is inconsistent with the hypothesis of aMSE-DDH, our protocol satisfies the conditions shown in Definition 2 (2).

Besides, we suppose there exists a benign adversary who faithfully conveys messages. If execute the protocol in accordance with the protocol, they correctly receive messages from each other. Therefore, the two participants in the protocol finally calculate the same session key distributed over the key space uniformly. So it satisfies the conditions shown in Definition 2 (1).

#### 6. Efficiency Analysis

##### 6.1. Theoretical Analysis

We give a performance comparison between attribute-based key agreement protocols in [4] and our protocol. Some symbols are defined as follow: is denoted by the number of the attributes, which are involved in the system. , are exponentiation operation time on an element in group and that in group , respectively. is the pairing operation time. is the number of the related attributes in the data access policy. is the number of the related attributes in the private key. The comparison of computation cost is given in Table 1.

Our protocol has better performance in the algorithm than that of [34]. The comparison of communication cost is given in Table 2.

In the protocols, we denote as the length of all data access structures, which are supposed to be 16 bits for every protocol. If , our protocol has better performance in communication cost than that of [4].

##### 6.2. Experimental Simulation

We conduct a simulation experiments on Windows 7 system with Intel(R) Core(TM) i7 CPU at 2.3GHZ and 4 GB RAM. The protocol is implemented by using the pairing-based cryptography library(PBC) library [45]. We use a symmetric elliptic curve a-curve, where the base field size is 512-bit. The a-curve has a 160-bit group order, i.e., is a 160-bit length prime.

To compare above protocol in actual operation, we run each protocol ten times, respectively, and compute the average values. We code all the algorithms by using c language under the default condition that each protocol contains 100 attributes in total, 50 attributes in access policy, 50 attributes in participants’ attribute set. The running results are shown in Figure 3, from which we find out that the computation performance of our protocol being better than that of protocol in [4] overall. From Figure 4, our protocol has obvious advantage in the performance of communication if the number of attributes in data access structure is bigger than 3 (demarcation point). Our protocol is more practical in the resource constrained smart media and mobile environments. The theoretical analysis and simulation results are consistent, and our protocol achieves a high performance with good properties.

#### 7. Conclusion

Compared with protocol [4], our protocol has advantages in security and efficiency. The constant-size key and ciphertext make our protocol be more suitable for the application of lightweight level. We design the key agreement protocol between two principals based on attribute-based encryption. We prove its security under the AB-BJM model in the standard model. Our protocol has better computation and communication performance than that of existed protocols.

A future research is trying to weaken the security assumption that the attacker is passive in AB-BJM model. Namely, one attacker does not have to execute the protocol faithfully to provide the messages for satisfying the requirement of the honest participator in a running of protocol. Such scene is closer to the true environment. In addition, it is an interesting topic to research the relation between the ABE and broadcast encryption [46, 47].

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This research was supported by the National Natural Science Foundation of China (U1736112, 61772009, and 61672207), Jiangsu Provincial Natural Science Foundation of China (BK20161511), the Fundamental Research Funds for the Central Universities (2016B10114), Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, NJUPT, the Key Research and Development Project of Science Department in Jiangxi Province (20171BBE50065), and Anhui University of Natural Science Research Project (KJ2018A0398).