#### Abstract

Attribute-Based Encryption (ABE) must provide an efficient revocation mechanism since a user’s private key can be compromised or expired over time. The existing revocable ABE schemes have the drawbacks of heavy computational costs on key updates and encryption operations, which make the entities for performing these operations a possible bottleneck in practice applications. In this paper, we propose an efficient Ciphertext-Policy Attribute-Based Online/Offline Encryption with user Revocation (R-CP-ABOOE). We integrate the subset difference method with ciphertext-policy ABE to significantly improve key-update efficiency on the side of the trusted party from to , where is the number of users and is the number of revoked users. To reduce the encryption burden for mobile devices, we use the online/offline technology to shift the majority of encryption work to the offline phase, and then mobile devices only need to execute a few simple computations to create a ciphertext. In addition, we exploit a novel trick to prove its selective security under the -type assumption. Performance analysis shows that our scheme greatly improves the key-update efficiency for the trusted party and the encryption efficiency for mobile devices.

#### 1. Introduction

Attribute-based encryption (ABE) is a promising alternative of encryption for achieving fine-grained access control of encrypted data. The notion of ABE is first proposed by Sahai and Waters [1], and then Goyal et al. [2] formalize two supplementary forms of ABE: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE [3, 4], each user possesses a private key that corresponds to his attribute set. A ciphertext is embedded into an access policy over the possible attributes. The ciphertext can be successfully decrypted by the users whose attributes satisfy the policy. Alternatively, in KP-ABE the roles are swapped: a ciphertext is associated with an access policy and the private key is related to a set of attributes.

Any ABE system must provide an efficient method to revoke users since a user’s private key can be compromised or expired over time. As a practical solution to the problem for ABE, Boldyreva et al. [5] used the complete subtree method [6] to revoke users. In their scheme, a user can encrypt with the set of attributes and the current time attribute, e.g., “TIME: 2018. WEEK 16,” and the key generation center (KGC), who owns the latest revocation list, periodically broadcasts the key update component at each time slot such that all nonrevoked users can reconstruct their decryption key and utilize it decrypt ciphertexts. Subsequently, Attrapadung and Imai [7] proposed a revocable KP-ABE by using a similar method. However, the key-update work can be a system bottleneck since KGC requires broadcasting key-update component to all nonrevoked users at all time slots. Although their solutions [6, 7] reduce this work from to , where is the number of users and is the number of revoked users and the key-update work still is a bottleneck. Lee et al. [8] proposed an efficiently revocable identity-based encryption using subset difference methods, which has number of group elements in an update key. We note that their idea cannot be directly used to construct revocable ABE, because a user’s identity is not related to decryption in ABE systems.

At the same time, in all revocable ABE schemes, the encryption process must perform a lot of exponentiations, and the encryption cost grows with the complexity of access policy or number of attributes. If a mobile device performs the encryption task, battery power and encryption time will be a large problem. To significantly reduce the encryption cost for mobile device, a few online/offline ABE schemes [9–12] are proposed, and move the majority of encryption computations into an offline phase. Mobile device only needs to execute a few simple calculations to create a ciphertext. However, the existing online/offline ABE schemes cannot revoke users. Therefore, our goal is to integrate the subset difference method [6, 8] with ABE to significantly decrease the key update work, and use the online/offline technique to greatly improve the encryption efficiency for mobile devices.

In this work, we propose an efficient ciphertext-policy attribute-based online/offline encryption with user revocation. In particular, our contributions have three aspects as follows:

We present a novel technique that may integrate CP-ABE with the Subset Difference (SD) methodology to significantly improve the key-update efficiency for KGC. In SD scheme, an assigned key for each subset is dependent on other keys, so we may categorize all subsets into different groups. For each group in SD, we assign a random polynomial to it, where is a random value that is uniquely assigned to the group and is the master secret key. Using this linear polynomial, we split the master secret key into two shares and , where is an update time and is a greater than 1 positive integer. The share is used to build a private key which is related to user’s attribute set in CP-ABE as usual, and the other share is used to build an update key which is related to the update time . Then KGC periodically broadcasts the update keys, and any nonrevoked user can reconstruct his decryption key. Since all revoked users possess the same share , they cannot collude to reconstruct a decryption key. Therefore, our scheme may provide the security against collusion attacks.

To greatly reduce the encryption cost for mobile devices, we employ the online/offline technique of [8] to split encryption process into the offline phase and the online phase. The offline encryption first performs a majority of encryption task before the plaintext and its access policy are known. Once the specifications are given, the online encryption only executes a few simple calculations to produce a ciphertext by using the offline-ciphertexts pool that is similar to the reference [8]. Especially, the offline work can be executed by a high-performance computer, and then lightweight devices can quickly run the online encryption on the move without greatly draining the battery.

We present a new method to prove the security of our scheme. Based on the CP-ABE’s access policy and a challenge update time , we construct a new challenge access policy ,* i. e*., we may obtain by appending a well-designed vector to . Next, we can create the public parameters needed in the proof. Moreover, unlike the complete subtree method, the intersection of the covering collection of nonrevoked users and the private key of the revoked users is not empty. It leads to impossibility to construct the update key on the time . We solve this problem by reasonably assigning the users’ location in the binary tree. Our scheme is proved to be selectively secure under the* q*-*type* assumption. The above method may be of independent interest in the security proof of the revocable CP-ABE scheme. Compared with the related works, our scheme can significantly improve the key-update efficiency for the trusted party from to and the encryption efficiency for mobile devices, where is the number of users and is the number of revoked users, and greatly decrease the number of group elements in the update key.

ABE is a useful cryptographic technology to protect private data and achieve fine-grained access control simultaneously [12, 13], many variants of ABE were proposed to realize promising properties,* e*.* g*., efficient large universe ABE [4], ABE with verifiable outsourced decryption [14–16], traceable-then-revocable ABE [17, 18], CP-ABE against key-delegation abuse [19], the fully-secure ABE [11], ABE resilience against continuous auxiliary-inputs leakage [20, 21].

To reduce the encryption cost of ABE, a few works [9–12] presented the online/offline ABE by the online/offline cryptography [22–25], but their schemes cannot revoke users. To satisfy the practical requirement that users’ access rights can be revoked dynamically, many revocable ABE schemes have been proposed [10–20]. The core idea of the works [5, 7, 26–31] utilizes the complete subtree scheme of NNL [8] to revoke user’s private key. Lee et al. [8] proposed a revocable identity-based encryption to reduce the size of the update key. Sahai et al. [29] constructed a few ABE schemes of revocable storage by providing a ciphertext delegation means without any interaction with data owners. Datta et al. [32] uses the subset difference to directly revoke users in KP-ABE systems. Nevertheless, all the existing revocable ABE schemes have the drawbacks of heavy computational costs on key updates and encryption operations.

Therefore, it will be indispensable to reduce the heavy computational overhead on the key update work and the encryption task. Different from prior works, we integrate the SD method with the online/offline technique in the CP-ABE system, which not only may efficiently revoke users, but also can significantly improve the key-update efficiency and encryption efficiency.

We review some preliminaries in Section 2. The definition and security model of our scheme is defined in Section 3. We propose an efficient ciphertext-policy attribute-based online/offline encryption with user revocation and prove its selective security in Section 4. Performance analysis is given in Section 5. Finally, we conclude this work in Section 6.

#### 2. Preliminaries

In this section, we first elaborate the definitions of bilinear group and the complexity assumption for our R-CP-ABOOE scheme. Then we state a brief review of access structures and linear secret-sharing schemes (LSSS). Finally, we introduce the notions of full binary tree and the subset difference method.

##### 2.1. Bilinear Group and the Complexity Assumptions

We give some notations. For , we define , and for , . For , by we denote a set of matrices of size with elements in . A row vector is denoted as , while a column vector is denoted as , where denotes the transpose of the vector.

*Definition 1 (bilinear group). *Let , be multiplicative cyclic groups of prime order , and we define a symmetric bilinear map : with the following properties: bilinearity: for all , and , we have ; nondegeneracy: , ; computability: the bilinear map and the group operations in and are efficiently computable. Then the tuple is called a bilinear group.

*Definition 2 (-type assumption [4]). *Given a security parameter , an integer , a group generator that outputs the bilinear group description , chooses a random element and random values and computes the following terms :If any probabilistic polynomial-time (PPT) adversary obtains the bilinear group description and the above terms , it cannot distinguish the element from a random element with a nonnegligible advantage. We say that the* q-type *assumption holds in the bilinear group .

##### 2.2. Access Structures and Linear Secret Sharing Scheme (LSSS)

*Definition 3 (access structures [4]). *Let be a set of attributes. A collection is monotone if and , then . An access structure is a collection of nonempty subsets of ,* i.e*., . The authorized sets are defined as the sets in , and the unauthorized sets are the sets not in .

*Definition 4 (LSSS [4]). *Let , a function : . A secret-sharing scheme Π over a set of attributes is called linear over if the shares for each attribute form a vector over ; there is a matrix called the share-generation matrix for Π. The matrix has rows and columns. For each row , the row of is labeled by an attribute . Let the column vector , where is the shared secret and are randomly picked, then is the vector of shares of the secret according to Π. The share belongs to the attribute . Reconstruction property. Suppose the scheme Π is an LSSS for the access structure . Let be any authorized set, and is defined as . If are valid shares of any secret , there are constants that satisfy .

##### 2.3. Full Binary Tree

We follow the terminologies on the full binary tree in [8]. Let be a full binary tree with leaves. Each user is assigned to a unique leaf node . In the tree, it has 2*N*-1 nodes, for to 2*N*-1, let denote a node, and each edge is labelled as a bit 1 or 0, at the right branch corresponds to bit 1 and the left branch corresponds to bit 0. The identifier of a node is defined as the unique bitstring which is the bitstring of all edges in the path from the root to the node . For each node , its depth is the size of the path from the root to .

Let denote the set of leaves in the subtree that is rooted at the node . For any two nodes , so that is an ancestor node of , is defined as the set of all leaves that are descendants of but not ,* i*.*e*., .

Let* GT* identify a group, and a group’s tag* GT* is described as the collection of subset such that is the same node and other different nodes have the same depth, and let . In our scheme, we randomly choose and specify a polynomial once for one group* GT* to revoke users.

Let be the list of all revoked users, be the Steiner Tree induced by the root node and the set , that is, the minimal subtree of the tree connects the root node and all the leaves in .

##### 2.4. Subset Difference Method

As a general revocation methodology, Subset-Cover framework [6] includes both the complete subtree method and the subset difference (SD) method, and SD was presented as an improvement on the complete subtree scheme. The definition of SD is given as follows.

*Definition 5 (subset difference). *The SD scheme for the set of all users consists of four algorithms: Setup, Assign, Cover, Match, which are described as following:**SD.Setup**: The setup algorithm inputs all users and sets a full binary tree with at least leaves, where is the total number of users. It assigns a unique leaf of once to a user. For any two nodes such that is an ancestor node of and it gets the collection of subset . It outputs the tree and the collection .**SD.Assign**: Given the full binary tree and a user , the assignment algorithm assigns a leaf of to the user . Let denote the path from the root to the leaf* id* and a private set be an empty one. For all such that is an ancestor of and it adds all subset to . Then it outputs the user’s private collection .**SD.Cover**: Given the full binary tree and the set of revoked users, the covering algorithm gets the Steiner Tree and sets a subtree and then constructs a covering collection by iteratively removing nodes from the tree* TR* until* TR* is made up of only a single node as follows:

It derives two leaves and from the tree and then finds their least-common ancestor which does not contain any other leaf in this tree *.* Let and be two child of where is a father node of and is a father node of . If has only one leaf, it sets to be a leaf node and sets to be the root of .

If , it adds the subset to ; similarly, if , it adds the subset to .

It deletes all descendants of from* TR *and lets be a leaf.

It outputs the covering collection .**SD.Match**/⊥: Given a private collection and a covering collection , this matching algorithm searches two subsets and so that , , and the nodes and have the same depth, i.e., . If it finds two subsets, then it outputs . Otherwise, it fails.*Remark*. In the SD scheme, the revocation list cannot be empty. Let be the size of ,* i.e*., . To address the case , we may add a dummy user that is revoked so that .

#### 3. Definition and Security Model of R-CP-ABOOE

The R-CP-ABOOE scheme consists of eight algorithms: Setup, KeyGen, KeyUpdate, DecKey, , , Dec, and Rev, which are defined as follows:

**Setup**: This setup algorithm inputs a security parameter , the universe of attributes , and all users and outputs the system public key , the master secret key* msk*, the state Λ and the revocation list .

**KeyGen**: This key-generation algorithm inputs the master secret key* msk*, a user identity-attribute pair (*ID*,* ω*), the state Λ, and public key

*pk*and outputs the user’s private key .

**KeyUpdate**: This key-update algorithm inputs a time , the revocation list , the master secret key , the current state Λ, and the public key and outputs the updated state Λ and an update key .

**DecKey**⊥: This decryption-key algorithm inputs a user’s private key , an update key , and the public key* pk* and outputs a decryption key or a failure ⊥.

**Enc**^{off}: This offline-encryption algorithm can independently create an arbitrary number of main and many attribute modules by using the public key* pk* and then stores them in a pool of offline-ciphertexts. This algorithm can be performed by high-performance computer.

**Enc**^{on}: This online-encryption algorithm first picks one main module and some attribute modules from the pool of offline-ciphertexts. Then it inputs a message , an access policy , and a time and outputs a ciphertext . This algorithm is a true encryption process and is performed by the constrained-computation devices.

**Dec**⊥: This decryption algorithm inputs a ciphertext , a decryption key , and the public key* pk* and outputs a message* m* or a failure notation ⊥.

**Rev**: This revocation algorithm inputs an identity , a revocation time , the current revocation list , and the state Λ and outputs the updated revocation list .

The correctness of R-CP-ABOOE: For** Setup**,** KeyGen**,** KeyUpdate**, , it is satisfied by the two cases:

If , then** DecKey**. Otherwise** DecKey**.

If , then** Dec**(. Otherwise** Dec**.

The selective security of R-CP-ABOOE is formally described as the following game between a challenger and an adversary :

**Init**: The adversary submits the challenge policy , the challenge time , the revocation list on the challenge time to the challenger .

**Setup**: runs** Setup** and sends* pk* to .

**Phase 1**: adaptively requests a polynomial number of the following oracles simulated by :

The private Key Generation oracle . submits an identity-attribute pair to , then runs** KeyGen** and sends to .

The Key Update oracle . submits a time* T* to , then runs** KeyUpdate** and sends to .

The Revocation oracle . submits an identity-time pair to , then runs** Rev**( and sends to .

This phase must be satisfied by the restricted condition as follows: for each query , where* ω* satisfies the challenge policy and must be queried on for any . and are queried on the time which cannot be less than the time of all previous queries.

**Challenge**: submits two messages and with equal length to . picks a random bit and runs and sends to .

**Phase 2**: The same as Phase 1.

**Guess**: outputs a guess bit .

Only if , does win this game. Therefore, we define the advantage of as Adv in the above game.

*Definition 6. *Our scheme is selectively secure if any PPT adversary can break the above game with negligible advantage.

#### 4. Our Scheme and Security Proof

##### 4.1. Our Intuition

At a high level we explain how to construct our scheme. We uses the full binary tree with leaves as in the subset difference (SD) method [8]. Each user can be assigned to a leaf node* id* which is not appointed yet. In SD, all the subsets can be categorized into different groups, and each group is assigned a random secret one-degree polynomial such that , where is the master secret key. Let . Our scheme uses to encrypt a message, where is a random number.

Given the revoked users’ set on the time , the KGC utilizes the master secret key to build an update key corresponding to each subset in Cover(). Only the nonrevoked user* ID* can retrieve a subset *∈* Cover(*R*) such that , and the user* ID* can compute . Simultaneously, only the user* ID* whose attribute set* ω *satisfies the access policy associated with ciphertext can compute . Because the function is a first-order polynomial, using these two elements, we can obtain by interpolation in the exponent. Obviously, the revoked users only can obtain the same element , and then they cannot get two different elements of the one-degree polynomial . Therefore, our scheme provides security against collusion attacks.

##### 4.2. Our Construction

For and a set of indexes , a Lagrange coefficient may be defined as

Our R-CP-ABOOE scheme is described as follows:

**Setup**: This setup algorithm first runs the group generator to get bilinear groups* G*, of prime order* p*, , and randomly picks , and . Let a user list contain a tuple as an empty one, and let a function list contain a tuple for a group’s tag* GT* as an empty one. Let be the message space and the size of a message . Let a hash function : . It runs SD.Setup() to get the full binary tree . Let denote the collection of all sets of . For each , it makes and runs the following: if , then it chooses randomly and specifies a polynomial once for one group and saves into . Finally, it sets an empty revocation list , a state , and outputs a master secret key and system public key .

**KeyGen**: This key-generation algorithm inputs the master secret key* msk*, a user identity-attribute pair where the set , the state and public key . For the user , it chooses an unassigned leaf node from and stores the tuple into , and runs SD. Assign to obtain . Next, for each , it sets the group and retrieves from . Second, it chooses random values and computes , . For to , it computes , and outputsFinally, it outputs the updated state and a private key

**KeyUpdate**: This algorithm inputs an update time , the revocation list , the master secret key , the state , and the public key . First it defines the identities of revoked users on the time* T* according to , and uses to define the revoked index set . It runs SD.Cover to obtain . Second, for each , it sets and retrieves from . Then it chooses random values and computes a time-constrained update key Finally, it outputs the updated state and an update key

**DecKey**⊥: This decryption-key generation algorithm inputs a user private key , an update key and* pk*. First, if , then it calls* SD*.*Match* to get such that , , . Otherwise, it exports .

Second, it retrieves from and from . Since , , and share the same for . It sets and computes two Lagrange coefficients and . It chooses random values and computes a decryption key as For to , it computes

Finally, it outputs a decryption-key .

: This offline-encryption algorithm can construct an arbitrary number of main modules and attribute modules by using . It first choose randomly and computes and . It sets the main module . Then it picks randomly and computes , , and to obtain an attribute module ). Using the above process, it can obtain a lot of main modules and attribute modules .

: Suppose that is an access matrix, this online-encryption algorithm first picks one main module and attribute modules available from the pool. For , it sets the attribute module . It randomly chooses and sets the vector , where denotes the transpose of the vector. It computes a vector . Finally, for to , it calculates , . It computes , , and . It outputs a ciphertext .

**Dec**⊥: This algorithm takes in a ciphertext , a decryption key and the public key . If satisfies the policy , then it sets and computes constants such that where is the -th row of matrix , and it denotes , where is the index of attribute in . It recovers by computing

**Rev**: This revocation algorithm takes as inputs an identity , a revocation time , the revocation list , and the state . If , then it outputs if the private key of the pair was not generated. Otherwise, it adds to . It outputs the updated revocation list .

##### 4.3. Security Proof

Theorem 7. *Our scheme is selectively secure under chosen plaintext attacks if the q-type assumption holds. That is, all PPT adversaries have at most a negligible advantage in breaking the R-CP-ABOOE scheme.*

*Proof. *Suppose there exists a PPT adversary that breaks the R-CP-ABOOE scheme with a nonnegligible advantage, and then a simulator can solve the* q-type* assumption with a nonnegligible advantage by using the given terms of the* q-type* assumption.**Init**: receives the given terms from the* q-type* assumption, a challenge policy , a challenge time and the revocation list on the time from . The challenge matrix is an matrix and satisfies the restriction , , and the map : . Let be the message space and the size of a message . Let a hash function : . It sets an -dimensional vector that is related to the challenge time . builds a new policy , where : ,Since , we know that, for any attribute set , satisfies if and only if satisfies , and for time that satisfies if and only if .**Setup**: implicitly sets where are assigned in the assumption and a random exponent is known only to . Especially, this way is well distributed and is hidden to from information theory. Then proceeds as follows:

It calls SD.Setup to get the full binary tree with leaves and sets to be the collection of all sets of . Let and be an empty set respectively. For each user , it allocates to an unsigned leaf that belongs to the left subtree of and stores in . According to , it uses to define the revoked index set . For each , it allocates to an unsigned leaf that belongs to the right subtree of and stores in .

It calls* SD.Assign* to obtain . Then it sets Fixedsubset. It sets function list as follows: if *∈* Fixedsubset(), it chooses a random value and stores in . Otherwise, for each , it picks random value and stores in such that . Note that it employs the Lagrange interpolation method to implicitly define by two points and . Next, it sets an empty revocation list and sets . It selects random values and gives to the following public parameters:Finally, it publishes public keys .**Phases 1**: inquiries adaptively a polynomial number of private key generation, update key and user revocation oracles. If this is a private key query for , where the attribute set , then proceeds as follows.

If* ω *does not satisfy from the pair , denote , then . It executes the following steps:

It first constructs temporal private key components for the point as follows. Since , there exists a vector such that = -1 and for all , and then it picks and implicitly sets and computesIn addition, for each attribute , it randomly selects and implicitly setsThen it may compute the terms If , then it loads from . Otherwise it allocates to a unique index

*id*that is not assigned previously and stores in . Then it calls

*SD.Assign*to obtain .

For each , it retrieves from . If

*∈*Fixedsubset(), it must have from . It chooses random value and computes a private key by implicitly setting as and , and for to , it computes , . Then, it outputs the updated state Λ and a private key