Efficient Ciphertext-Policy Attribute-Based Online/Offline Encryption with User Revocation

Ma, Haiying; Wang, Zhanjun; Guan, Zhijin

doi:https://doi.org/10.1155/2019/8093578

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 8093578 | https://doi.org/10.1155/2019/8093578

Efficient Ciphertext-Policy Attribute-Based Online/Offline Encryption with User Revocation

Haiying Ma,¹Zhanjun Wang,²and Zhijin Guan¹

Academic Editor: Petros Nicopolitidis

Received09 Sept 2018

Accepted05 Jan 2019

Published14 Feb 2019

Abstract

Attribute-Based Encryption (ABE) must provide an efficient revocation mechanism since a user’s private key can be compromised or expired over time. The existing revocable ABE schemes have the drawbacks of heavy computational costs on key updates and encryption operations, which make the entities for performing these operations a possible bottleneck in practice applications. In this paper, we propose an efficient Ciphertext-Policy Attribute-Based Online/Offline Encryption with user Revocation (R-CP-ABOOE). We integrate the subset difference method with ciphertext-policy ABE to significantly improve key-update efficiency on the side of the trusted party from to , where is the number of users and is the number of revoked users. To reduce the encryption burden for mobile devices, we use the online/offline technology to shift the majority of encryption work to the offline phase, and then mobile devices only need to execute a few simple computations to create a ciphertext. In addition, we exploit a novel trick to prove its selective security under the -type assumption. Performance analysis shows that our scheme greatly improves the key-update efficiency for the trusted party and the encryption efficiency for mobile devices.

1. Introduction

Attribute-based encryption (ABE) is a promising alternative of encryption for achieving fine-grained access control of encrypted data. The notion of ABE is first proposed by Sahai and Waters [1], and then Goyal et al. [2] formalize two supplementary forms of ABE: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE [3, 4], each user possesses a private key that corresponds to his attribute set. A ciphertext is embedded into an access policy over the possible attributes. The ciphertext can be successfully decrypted by the users whose attributes satisfy the policy. Alternatively, in KP-ABE the roles are swapped: a ciphertext is associated with an access policy and the private key is related to a set of attributes.

Any ABE system must provide an efficient method to revoke users since a user’s private key can be compromised or expired over time. As a practical solution to the problem for ABE, Boldyreva et al. [5] used the complete subtree method [6] to revoke users. In their scheme, a user can encrypt with the set of attributes and the current time attribute, e.g., “TIME: 2018. WEEK 16,” and the key generation center (KGC), who owns the latest revocation list, periodically broadcasts the key update component at each time slot such that all nonrevoked users can reconstruct their decryption key and utilize it decrypt ciphertexts. Subsequently, Attrapadung and Imai [7] proposed a revocable KP-ABE by using a similar method. However, the key-update work can be a system bottleneck since KGC requires broadcasting key-update component to all nonrevoked users at all time slots. Although their solutions [6, 7] reduce this work from to , where is the number of users and is the number of revoked users and the key-update work still is a bottleneck. Lee et al. [8] proposed an efficiently revocable identity-based encryption using subset difference methods, which has number of group elements in an update key. We note that their idea cannot be directly used to construct revocable ABE, because a user’s identity is not related to decryption in ABE systems.

At the same time, in all revocable ABE schemes, the encryption process must perform a lot of exponentiations, and the encryption cost grows with the complexity of access policy or number of attributes. If a mobile device performs the encryption task, battery power and encryption time will be a large problem. To significantly reduce the encryption cost for mobile device, a few online/offline ABE schemes [9–12] are proposed, and move the majority of encryption computations into an offline phase. Mobile device only needs to execute a few simple calculations to create a ciphertext. However, the existing online/offline ABE schemes cannot revoke users. Therefore, our goal is to integrate the subset difference method [6, 8] with ABE to significantly decrease the key update work, and use the online/offline technique to greatly improve the encryption efficiency for mobile devices.

In this work, we propose an efficient ciphertext-policy attribute-based online/offline encryption with user revocation. In particular, our contributions have three aspects as follows:

We present a novel technique that may integrate CP-ABE with the Subset Difference (SD) methodology to significantly improve the key-update efficiency for KGC. In SD scheme, an assigned key for each subset is dependent on other keys, so we may categorize all subsets into different groups. For each group in SD, we assign a random polynomial to it, where is a random value that is uniquely assigned to the group and is the master secret key. Using this linear polynomial, we split the master secret key into two shares and , where is an update time and is a greater than 1 positive integer. The share is used to build a private key which is related to user’s attribute set in CP-ABE as usual, and the other share is used to build an update key which is related to the update time . Then KGC periodically broadcasts the update keys, and any nonrevoked user can reconstruct his decryption key. Since all revoked users possess the same share , they cannot collude to reconstruct a decryption key. Therefore, our scheme may provide the security against collusion attacks.

To greatly reduce the encryption cost for mobile devices, we employ the online/offline technique of [8] to split encryption process into the offline phase and the online phase. The offline encryption first performs a majority of encryption task before the plaintext and its access policy are known. Once the specifications are given, the online encryption only executes a few simple calculations to produce a ciphertext by using the offline-ciphertexts pool that is similar to the reference [8]. Especially, the offline work can be executed by a high-performance computer, and then lightweight devices can quickly run the online encryption on the move without greatly draining the battery.

We present a new method to prove the security of our scheme. Based on the CP-ABE’s access policy and a challenge update time , we construct a new challenge access policy , i. e., we may obtain by appending a well-designed vector to . Next, we can create the public parameters needed in the proof. Moreover, unlike the complete subtree method, the intersection of the covering collection of nonrevoked users and the private key of the revoked users is not empty. It leads to impossibility to construct the update key on the time . We solve this problem by reasonably assigning the users’ location in the binary tree. Our scheme is proved to be selectively secure under the q-type assumption. The above method may be of independent interest in the security proof of the revocable CP-ABE scheme. Compared with the related works, our scheme can significantly improve the key-update efficiency for the trusted party from to and the encryption efficiency for mobile devices, where is the number of users and is the number of revoked users, and greatly decrease the number of group elements in the update key.

ABE is a useful cryptographic technology to protect private data and achieve fine-grained access control simultaneously [12, 13], many variants of ABE were proposed to realize promising properties, e. g., efficient large universe ABE [4], ABE with verifiable outsourced decryption [14–16], traceable-then-revocable ABE [17, 18], CP-ABE against key-delegation abuse [19], the fully-secure ABE [11], ABE resilience against continuous auxiliary-inputs leakage [20, 21].

To reduce the encryption cost of ABE, a few works [9–12] presented the online/offline ABE by the online/offline cryptography [22–25], but their schemes cannot revoke users. To satisfy the practical requirement that users’ access rights can be revoked dynamically, many revocable ABE schemes have been proposed [10–20]. The core idea of the works [5, 7, 26–31] utilizes the complete subtree scheme of NNL [8] to revoke user’s private key. Lee et al. [8] proposed a revocable identity-based encryption to reduce the size of the update key. Sahai et al. [29] constructed a few ABE schemes of revocable storage by providing a ciphertext delegation means without any interaction with data owners. Datta et al. [32] uses the subset difference to directly revoke users in KP-ABE systems. Nevertheless, all the existing revocable ABE schemes have the drawbacks of heavy computational costs on key updates and encryption operations.

Therefore, it will be indispensable to reduce the heavy computational overhead on the key update work and the encryption task. Different from prior works, we integrate the SD method with the online/offline technique in the CP-ABE system, which not only may efficiently revoke users, but also can significantly improve the key-update efficiency and encryption efficiency.

We review some preliminaries in Section 2. The definition and security model of our scheme is defined in Section 3. We propose an efficient ciphertext-policy attribute-based online/offline encryption with user revocation and prove its selective security in Section 4. Performance analysis is given in Section 5. Finally, we conclude this work in Section 6.

2. Preliminaries

In this section, we first elaborate the definitions of bilinear group and the complexity assumption for our R-CP-ABOOE scheme. Then we state a brief review of access structures and linear secret-sharing schemes (LSSS). Finally, we introduce the notions of full binary tree and the subset difference method.

2.1. Bilinear Group and the Complexity Assumptions

We give some notations. For , we define , and for , . For , by we denote a set of matrices of size with elements in . A row vector is denoted as , while a column vector is denoted as , where denotes the transpose of the vector.

Definition 1 (bilinear group). Let , be multiplicative cyclic groups of prime order , and we define a symmetric bilinear map : with the following properties: bilinearity: for all , and , we have ; nondegeneracy: , ; computability: the bilinear map and the group operations in and are efficiently computable. Then the tuple is called a bilinear group.

Definition 2 (-type assumption [4]). Given a security parameter , an integer , a group generator that outputs the bilinear group description , chooses a random element and random values and computes the following terms :If any probabilistic polynomial-time (PPT) adversary obtains the bilinear group description and the above terms , it cannot distinguish the element from a random element with a nonnegligible advantage. We say that the q-type assumption holds in the bilinear group .

2.2. Access Structures and Linear Secret Sharing Scheme (LSSS)

Definition 3 (access structures [4]). Let be a set of attributes. A collection is monotone if and , then . An access structure is a collection of nonempty subsets of , i.e., . The authorized sets are defined as the sets in , and the unauthorized sets are the sets not in .

Definition 4 (LSSS [4]). Let , a function : . A secret-sharing scheme Π over a set of attributes is called linear over if the shares for each attribute form a vector over ; there is a matrix called the share-generation matrix for Π. The matrix has rows and columns. For each row , the row of is labeled by an attribute . Let the column vector , where is the shared secret and are randomly picked, then is the vector of shares of the secret according to Π. The share belongs to the attribute . Reconstruction property. Suppose the scheme Π is an LSSS for the access structure . Let be any authorized set, and is defined as . If are valid shares of any secret , there are constants that satisfy .

2.3. Full Binary Tree

We follow the terminologies on the full binary tree in [8]. Let be a full binary tree with leaves. Each user is assigned to a unique leaf node . In the tree, it has 2N-1 nodes, for to 2N-1, let denote a node, and each edge is labelled as a bit 1 or 0, at the right branch corresponds to bit 1 and the left branch corresponds to bit 0. The identifier of a node is defined as the unique bitstring which is the bitstring of all edges in the path from the root to the node . For each node , its depth is the size of the path from the root to .

Let denote the set of leaves in the subtree that is rooted at the node . For any two nodes , so that is an ancestor node of , is defined as the set of all leaves that are descendants of but not , i.e., .

Let GT identify a group, and a group’s tag GT is described as the collection of subset such that is the same node and other different nodes have the same depth, and let . In our scheme, we randomly choose and specify a polynomial once for one group GT to revoke users.

Let be the list of all revoked users, be the Steiner Tree induced by the root node and the set , that is, the minimal subtree of the tree connects the root node and all the leaves in .

2.4. Subset Difference Method

As a general revocation methodology, Subset-Cover framework [6] includes both the complete subtree method and the subset difference (SD) method, and SD was presented as an improvement on the complete subtree scheme. The definition of SD is given as follows.

Definition 5 (subset difference). The SD scheme for the set of all users consists of four algorithms: Setup, Assign, Cover, Match, which are described as following:
SD.Setup: The setup algorithm inputs all users and sets a full binary tree with at least leaves, where is the total number of users. It assigns a unique leaf of once to a user. For any two nodes such that is an ancestor node of and it gets the collection of subset . It outputs the tree and the collection .
SD.Assign: Given the full binary tree and a user , the assignment algorithm assigns a leaf of to the user . Let denote the path from the root to the leaf id and a private set be an empty one. For all such that is an ancestor of and it adds all subset to . Then it outputs the user’s private collection .
SD.Cover: Given the full binary tree and the set of revoked users, the covering algorithm gets the Steiner Tree and sets a subtree and then constructs a covering collection by iteratively removing nodes from the tree TR until TR is made up of only a single node as follows:
It derives two leaves and from the tree and then finds their least-common ancestor which does not contain any other leaf in this tree . Let and be two child of where is a father node of and is a father node of . If has only one leaf, it sets to be a leaf node and sets to be the root of .
If , it adds the subset to ; similarly, if , it adds the subset to .
It deletes all descendants of from TR and lets be a leaf.
It outputs the covering collection .
SD.Match/⊥: Given a private collection and a covering collection , this matching algorithm searches two subsets and so that , , and the nodes and have the same depth, i.e., . If it finds two subsets, then it outputs . Otherwise, it fails.
Remark. In the SD scheme, the revocation list cannot be empty. Let be the size of , i.e., . To address the case , we may add a dummy user that is revoked so that .

3. Definition and Security Model of R-CP-ABOOE

The R-CP-ABOOE scheme consists of eight algorithms: Setup, KeyGen, KeyUpdate, DecKey, , , Dec, and Rev, which are defined as follows:

Setup: This setup algorithm inputs a security parameter , the universe of attributes , and all users and outputs the system public key , the master secret key msk, the state Λ and the revocation list .

KeyGen: This key-generation algorithm inputs the master secret key msk, a user identity-attribute pair (ID, ω), the state Λ, and public key pk and outputs the user’s private key .

KeyUpdate: This key-update algorithm inputs a time , the revocation list , the master secret key , the current state Λ, and the public key and outputs the updated state Λ and an update key .

DecKey⊥: This decryption-key algorithm inputs a user’s private key , an update key , and the public key pk and outputs a decryption key or a failure ⊥.

Enc^off: This offline-encryption algorithm can independently create an arbitrary number of main and many attribute modules by using the public key pk and then stores them in a pool of offline-ciphertexts. This algorithm can be performed by high-performance computer.

Enc^on: This online-encryption algorithm first picks one main module and some attribute modules from the pool of offline-ciphertexts. Then it inputs a message , an access policy , and a time and outputs a ciphertext . This algorithm is a true encryption process and is performed by the constrained-computation devices.

Dec⊥: This decryption algorithm inputs a ciphertext , a decryption key , and the public key pk and outputs a message m or a failure notation ⊥.

Rev: This revocation algorithm inputs an identity , a revocation time , the current revocation list , and the state Λ and outputs the updated revocation list .

The correctness of R-CP-ABOOE: For Setup, KeyGen, KeyUpdate, , it is satisfied by the two cases:

If , then DecKey. Otherwise DecKey.

If , then Dec(. Otherwise Dec.

The selective security of R-CP-ABOOE is formally described as the following game between a challenger and an adversary :

Init: The adversary submits the challenge policy , the challenge time , the revocation list on the challenge time to the challenger .

Setup: runs Setup and sends pk to .

Phase 1: adaptively requests a polynomial number of the following oracles simulated by :

The private Key Generation oracle . submits an identity-attribute pair to , then runs KeyGen and sends to .

The Key Update oracle . submits a time T to , then runs KeyUpdate and sends to .

The Revocation oracle . submits an identity-time pair to , then runs Rev( and sends to .

This phase must be satisfied by the restricted condition as follows: for each query , where ω satisfies the challenge policy and must be queried on for any . and are queried on the time which cannot be less than the time of all previous queries.

Challenge: submits two messages and with equal length to . picks a random bit and runs and sends to .

Phase 2: The same as Phase 1.

Guess: outputs a guess bit .

Only if , does win this game. Therefore, we define the advantage of as Adv in the above game.

Definition 6. Our scheme is selectively secure if any PPT adversary can break the above game with negligible advantage.

4. Our Scheme and Security Proof

4.1. Our Intuition

At a high level we explain how to construct our scheme. We uses the full binary tree with leaves as in the subset difference (SD) method [8]. Each user can be assigned to a leaf node id which is not appointed yet. In SD, all the subsets can be categorized into different groups, and each group is assigned a random secret one-degree polynomial such that , where is the master secret key. Let . Our scheme uses to encrypt a message, where is a random number.

Given the revoked users’ set on the time , the KGC utilizes the master secret key to build an update key corresponding to each subset in Cover(). Only the nonrevoked user ID can retrieve a subset ∈ Cover(R) such that , and the user ID can compute . Simultaneously, only the user ID whose attribute set ω satisfies the access policy associated with ciphertext can compute . Because the function is a first-order polynomial, using these two elements, we can obtain by interpolation in the exponent. Obviously, the revoked users only can obtain the same element , and then they cannot get two different elements of the one-degree polynomial . Therefore, our scheme provides security against collusion attacks.

4.2. Our Construction

For and a set of indexes , a Lagrange coefficient may be defined as

Our R-CP-ABOOE scheme is described as follows:

Setup: This setup algorithm first runs the group generator to get bilinear groups G, of prime order p, , and randomly picks , and . Let a user list contain a tuple as an empty one, and let a function list contain a tuple for a group’s tag GT as an empty one. Let be the message space and the size of a message . Let a hash function : . It runs SD.Setup() to get the full binary tree . Let denote the collection of all sets of . For each , it makes and runs the following: if , then it chooses randomly and specifies a polynomial once for one group and saves into . Finally, it sets an empty revocation list , a state , and outputs a master secret key and system public key .

KeyGen: This key-generation algorithm inputs the master secret key msk, a user identity-attribute pair where the set , the state and public key . For the user , it chooses an unassigned leaf node from and stores the tuple into , and runs SD. Assign to obtain . Next, for each , it sets the group and retrieves from . Second, it chooses random values and computes , . For to , it computes , and outputsFinally, it outputs the updated state and a private key

KeyUpdate: This algorithm inputs an update time , the revocation list , the master secret key , the state , and the public key . First it defines the identities of revoked users on the time T according to , and uses to define the revoked index set . It runs SD.Cover to obtain . Second, for each , it sets and retrieves from . Then it chooses random values and computes a time-constrained update key Finally, it outputs the updated state and an update key

DecKey⊥: This decryption-key generation algorithm inputs a user private key , an update key and pk. First, if , then it calls SD.Match to get such that , , . Otherwise, it exports .

Second, it retrieves from and from . Since , , and share the same for . It sets and computes two Lagrange coefficients and . It chooses random values and computes a decryption key as For to , it computes

Finally, it outputs a decryption-key .

: This offline-encryption algorithm can construct an arbitrary number of main modules and attribute modules by using . It first choose randomly and computes and . It sets the main module . Then it picks randomly and computes , , and to obtain an attribute module ). Using the above process, it can obtain a lot of main modules and attribute modules .

: Suppose that is an access matrix, this online-encryption algorithm first picks one main module and attribute modules available from the pool. For , it sets the attribute module . It randomly chooses and sets the vector , where denotes the transpose of the vector. It computes a vector . Finally, for to , it calculates , . It computes , , and . It outputs a ciphertext .

Dec⊥: This algorithm takes in a ciphertext , a decryption key and the public key . If satisfies the policy , then it sets and computes constants such that where is the -th row of matrix , and it denotes , where is the index of attribute in . It recovers by computing

Rev: This revocation algorithm takes as inputs an identity , a revocation time , the revocation list , and the state . If , then it outputs if the private key of the pair was not generated. Otherwise, it adds to . It outputs the updated revocation list .

4.3. Security Proof

Theorem 7. Our scheme is selectively secure under chosen plaintext attacks if the q-type assumption holds. That is, all PPT adversaries have at most a negligible advantage in breaking the R-CP-ABOOE scheme.

Proof. Suppose there exists a PPT adversary that breaks the R-CP-ABOOE scheme with a nonnegligible advantage, and then a simulator can solve the q-type assumption with a nonnegligible advantage by using the given terms of the q-type assumption.
Init: receives the given terms from the q-type assumption, a challenge policy , a challenge time and the revocation list on the time from . The challenge matrix is an matrix and satisfies the restriction , , and the map : . Let be the message space and the size of a message . Let a hash function : . It sets an -dimensional vector that is related to the challenge time . builds a new policy , where : ,Since , we know that, for any attribute set , satisfies if and only if satisfies , and for time that satisfies if and only if .
Setup: implicitly sets where are assigned in the assumption and a random exponent is known only to . Especially, this way is well distributed and is hidden to from information theory. Then proceeds as follows:
It calls SD.Setup to get the full binary tree with leaves and sets to be the collection of all sets of . Let and be an empty set respectively. For each user , it allocates to an unsigned leaf that belongs to the left subtree of and stores in . According to , it uses to define the revoked index set . For each , it allocates to an unsigned leaf that belongs to the right subtree of and stores in .
It calls SD.Assign to obtain . Then it sets Fixedsubset. It sets function list as follows: if ∈ Fixedsubset(), it chooses a random value and stores in . Otherwise, for each , it picks random value and stores in such that . Note that it employs the Lagrange interpolation method to implicitly define by two points and . Next, it sets an empty revocation list and sets . It selects random values and gives to the following public parameters:Finally, it publishes public keys .
Phases 1: inquiries adaptively a polynomial number of private key generation, update key and user revocation oracles. If this is a private key query for , where the attribute set , then proceeds as follows.
If ω does not satisfy from the pair , denote , then . It executes the following steps:
It first constructs temporal private key components for the point as follows. Since , there exists a vector such that = -1 and for all , and then it picks and implicitly sets and computesIn addition, for each attribute , it randomly selects and implicitly setsThen it may compute the terms If , then it loads from . Otherwise it allocates to a unique index id that is not assigned previously and stores in . Then it calls SD.Assign to obtain .
For each , it retrieves from . If ∈ Fixedsubset(), it must have from . It chooses random value and computes a private key by implicitly setting as and , and for to , it computes , . Then, it outputs the updated state Λ and a private key Otherwise, for each , since is a random value, then it has . Let , it computes two Lagrange coefficients and . Then it chooses random exponents and computes a private key as and , and for to , it computes , and . Then, it outputs the updated state and a private key If satisfies , it must set and executes the following steps:
It loads from . Then it calls SD.Assign to obtain .
For each , it retrieves from . Since ∈ Fixedsubset, it must have from .. It chooses random value and computes a private key by implicitly setting as , , and for to , , and . Then, it outputs the updated state Λ and a private key If requests the update key query for time and , then . performs the four steps:
Since , there exists a vector , for all , and then it picks and implicitly sets and computesIn addition, it randomly selects and implicitly setsThen it may compute the terms It defines the revocation set on the time from , and uses to define the revoked index set . It runs SD.Cover to obtain .
For each , it retrieves from and sets . For each ∈ Fixedsubset, it chooses random values and computes a time-constrained update key by implicitly setting as For each ∉ Fixedsubset, it sets and computes two Lagrange coefficients and . It chooses random values and computes a time-constrained update key as Finally, it outputs the updated state Λ and an update key If , it executes the following three steps:
It sets and obtains the revoked index set of the revocation list by . It does not run SD.Cover to obtain but assigns all the nonrevoked users to the right subtree of ; i.e., can be described as the set is the root node of the right subtree of , is the descendant node of . Thus, Fixedsubset.
For each , it sets and retrieves from . Then it chooses random values and computes a time-constrained update key by implicitly setting as Finally, it outputs the updated state Λ and an update key Challenge: The adversary submits a pair of messages with the same length to the simulator . Then flips a random bit and constructs: , , where is the challenge term and is the appropriate term of the assumption.
implicitly sets a vector , where are chosen uniformly at random from . Therefore, the secret and the vector are uniformly distributed. Especially is hidden for from information theory. Let . For each row , it implicitly setsLet the terms be known to . For each row of , implicitly sets . Since ’s are hidden for from information theory, the terms are uniformly distributed as well. also picks random values and implicitly sets , , and . As a result, computesFor , implicitly sets and also picks random values and implicitly sets , , and . As a result, computesFinally, submits the ciphertext , to .
Phase 2: it is the same as Phase 1.
Guess: outputs a guess for the challenge ciphertext . If , outputs 0, it means that the challenge term is . Otherwise, it outputs 1.
If , played the real security game, since , , and . Otherwise, if is a random value of , then the advantage of is 0. Therefore, if wins the above security game with a nonnegligible advantage, then can solve the q-type assumption with a nonnegligible advantage by using the given terms of the q- type assumption.

5. Performance Analysis

This section elaborates the comparisons between our R-CP-ABOOE and some related ABE schemes on the functionalities and efficiency respects. We summarized the comparison results in Table 1, where , M and E, respectively, denote a modular operation in , a multiplication, and an exponentiation in the groups or . Let be the number of rows in the matrix and be the number of revoked users in . Let , , , , , and represent the number of attributes in the collection , the total number of users, the number of all attributes, the size of an element in , the size of an element in , and the size of a message in the space , respectively.

In Table 1, the revocable ABE schemes [5, 17, 32] and our R-CP-ABOOE scheme support user revocation. However, the real (online) encryption algorithms in the schemes [5, 17, 32] must perform many exponentiation operations, which is unsuitable for mobile devices with limited-computation power. Fortunately, in our scheme, first the offline-encryption phase can be executed by high performance computer in a trusted environment. Then our real (or online) encryption only requires modular operations and does not require any exponentiation. Modular operation is much faster than the exponentiation operation. Thus, our real encryption algorithm is the fastest among these schemes [5, 17, 32].

In addition, compared with the indirectly revocable ABE [5], our scheme may significantly reduce the key-update cost and the size of update key from to , which is important since the update keys should be periodically broadcasted to all nonrevoked users. Compared with the directly revocable ABE [17, 32] that cannot be integrated with the online/offline technology, our encryption algorithm and ciphertext size are not related to the number of revoked users. Therefore, our scheme has less encryption overhead and shorter ciphertext length than the directly revocable ABE [17, 32], which is suitable for data owners with resource-limited devices. Although our scheme need store additional update key and small amount of offline ciphertexts, current mobile devices are perfectly capable. The online/offline ABE scheme [9] cannot provide the user revocation, whereas our scheme achieves the user revocation mechanism without excessive computational and storage costs. In general, our R-CP-ABOOE scheme is the first CP-ABE scheme, which can simultaneously support the user revocation and the online/offline encryption mode, and it has desirable features of very little encryption overhead for mobile device and less the number of group elements in a ciphertext and update key. Performance analysis shows that our scheme greatly improves the key-update efficiency for the trusted party and the encryption efficiency for mobile devices.

6. Conclusions

In this work, we deal with the key-update efficiency and the encryption efficiency issues in revocable CP-ABE systems and propose an efficient ciphertext-policy attribute-based online/offline encryption with user revocation (R-CP-ABOOE), which is proven to be selectively secure under the q-type assumption. Our R-CP-ABOOE scheme simultaneously supports user revocation and online/offline encryption mode and significantly improves the key-update efficiency from to . Moreover, our scheme has desirable features of very little encryption overhead for mobile device and less group elements in the update key. Performance analysis shows that our scheme greatly improves the key-update efficiency for the trusted party and the encryption efficiency for mobile devices. Furthermore, we can employ the outsourcing decryption technology [10, 16, 33] to reduce the decryption cost.

Data Availability

“No data were used to support this study.”

Conflicts of Interest

The three authors confirm that they have no conflicts of interest.

Acknowledgments

This work is supported by Jiangsu Overseas Visiting Scholar Program for University Prominent Young and Middle-aged Teachers and Presidents, the National Natural Science Foundation of China (Nos. 61402244, 11371207, and 61762044), Nantong City Application Basic Research Project (No. GY12017024), and the Zhejiang Natural Science Foundation (LY15F020010).

References

A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology – EUROCRYPT, pp. 457–473, Aarhus, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.
View at: Publisher Site | Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, Berkeley, May 2007.
View at: Publisher Site | Google Scholar
Y. Rouselakis and B. Waters, “Practical constructions and new proof methods for large universe attribute-based encryption,” in Proceedings of the ACM SIGSAC conference on Computer and communications security, ACM '13, pp. 463–474, 2013.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proceedings of the 14th ACM Conference on Computer and Communications Security. Cryptology ePrint Archive, 2008, https://eprint.iacr.org/2012/052.pdf.
View at: Google Scholar
D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers,” in Advances in Cryptology—CRYPTO, vol. 2139 of Lecture Notes in Computer Science, pp. 41–62, Springer, Berlin, Germany, 2001.
View at: Publisher Site | Google Scholar | MathSciNet
N. Attrapadung and H. Imai, “Attribute-based encryption supporting direct/indirect revocation modes,” in Proceedings of the 12th IMA International Conference Cryptography and Coding, pp. 278–300, 2009.
View at: Google Scholar | MathSciNet
K. Lee, D. H. Lee, and J. H. Park, “Efficient revocable identity-based encryption via subset difference methods,” Designs, Codes and Cryptography, vol. 85, no. 1, pp. 39–76, 2017.
View at: Publisher Site | Google Scholar
S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” in Public-key cryptography (PKC), vol. 8383 of Lecture Notes in Comput. Sci., pp. 293–310, Springer, Heidelberg, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
Z.-J. Wang, H.-Y. Ma, and J.-H. Wang, “Attribute-based online/offline encryption with outsourcing decryption,” Journal of Information Science and Engineering, vol. 32, no. 6, pp. 1595–1611, 2016.
View at: Google Scholar | MathSciNet
P. Datta, R. Dutta, and S. Mukhopadhyay, “Fully Secure Online/Offline Predicate and Attribute-Based Encryption,” in Information Security Practice and Experience, vol. 9065 of Lecture Notes in Computer Science, pp. 331–345, Springer International Publishing, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
J. Li, Y. Zhang, X. Chen, and Y. Xiang, “Secure attribute-based data sharing for resource-limited users in cloud computing,” Computers & Security, vol. 72, pp. 1–12, 2018.
View at: Publisher Site | Google Scholar
J. G. Li, W. Yao, Y. C. Zhang, H. L. Qian, and J. G. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785–796, 2017.
View at: Publisher Site | Google Scholar
J. Li, Y. Wang, Y. Zhang, and J. Han, “Full Verifiability for Outsourced Decryption in Attribute Based Encryption,” IEEE Transactions on Services Computing, 2017.
View at: Publisher Site | Google Scholar
J. Li, X. Y. Huang, J. W. Li, X. F. Chen, and Y. Xiang, “Securely outsourcing attribute-based encryption with checkability,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2201–2210, 2014.
View at: Publisher Site | Google Scholar
S. Lin, R. Zhang, H. Ma, and M. Wang, “Revisiting attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 10, pp. 2119–2130, 2015.
View at: Publisher Site | Google Scholar
Z. Liu, S. Duan, P. Zhou et al., “Traceable-then-revocable ciphertext-policy attribute-based encryption scheme,” Future Generation Computer Systems, 2017, https://doi.org/10.1016/j.future.2017.09.045.
View at: Google Scholar
H. Y. Ma and G. S. Zeng, “An attribute-based encryption scheme for traitor tracing and revoking,” Chinese Journal of Computers. Jisuanji Xuebao, vol. 35, no. 9, pp. 1845–1855, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
Y. Jiang, W. Susilo, Y. Mu, and F. Guo, “Ciphertext-policy attribute-based encryption against key-delegation abuse in fog computing,” Future Generation Computer Systems, vol. 78, pp. 720–729, 2018.
View at: Publisher Site | Google Scholar
H. Ma, G. Zeng, Z. Bao, J. Chen, J. Wang, and Z. Wang, “Attribute-based encryption scheme resilient against continuous auxiliary-inputs leakage,” Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 53, no. 8, pp. 1867–1878, 2016.
View at: Google Scholar
J. Li, Q. Yu, Y. Zhang, and J. Shen, “Key-Policy Attribute-Based Encryption against Continual Auxiliary Input Leakag,” Information Sciences, vol. 470, pp. 175–188, 2019.
View at: Publisher Site | Google Scholar
S. Even, O. Goldreich, S. Micali et al., “On-line/off-line digital signatures,” Journal of Cryptology, vol. 9, no. 1, pp. 35–67, 1996.
View at: Publisher Site | Google Scholar
F. Guo C, Y. Mu, and Z. Chen, “Identity-based online/offline encryption,” in Financial Cryptography, pp. 247–261, Springer, Berlin, 2008.
View at: Google Scholar
S. S. Chow, J. K. Liu, and J. Zhou, “Identity-based online/offline key encapsulation and encryption,” in Proceedings of the ASIACCS, pp. 52–60, Springer, Berlin, 2011.
View at: Publisher Site | Google Scholar
J. K. Liu and J. Zhou, “An efficient identity-based online/offline encryption scheme,” in Proceedings of ACNS, pp. 156–167, Springer, Berlin, 2009.
View at: Google Scholar
N. Attrapadung and H. Imai, “Conjunctive broadcast and attribute-based encryption,” in Pairing-Based Cryptography (Pairing '09), pp. 248–265, Springer, Berlin, Germany, 2009.
View at: Publisher Site | Google Scholar | MathSciNet
Q. Li, H. Xiong, and F. Zhang, “Broadcast revocation scheme in composite-order bilinear group and its application to attribute-based encryption,” International Journal of Security and Networks, vol. 8, no. 1, pp. 1–12, 2013.
View at: Publisher Site | Google Scholar
Y. Shi, Q. Zheng, J. Liu, and Z. Han, “Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation,” Information Sciences, vol. 295, pp. 221–231, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
A. Sahai, H. Seyalioglu, and B. Waters, “Dynamic credentials and ciphertext delegation for attribute-based encryption,” in Advances in cryptology-CRYPTO, vol. 7417 of Lecture Notes in Comput. Sci., pp. 199–217, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
T. Ishiguro, S. Kiyomoto, and Y. Miyake, “A key-revocable attribute-based encryption for mobile cloud environments,” in Proceedings of IEEE Symposium on Security Cryptography, pp. 1–11, Iceland, 2015.
View at: Google Scholar
H. Cui, R. Deng H, X. Ding et al., “Attribute-based encryption with granular revocation,” in Proceedings of the Conference on Security and Privacy in Communication Systems, pp. 165–181, Springer, Berlin, Germany, 2016.
View at: Google Scholar
P. Datta, R. Dutta, and S. Mukhopadhyay, “Adaptively secure unrestricted attribute-based encryption with subset difference revocation in bilinear groups of prime order,” in Progress in cryptology-AFRICACRYPT, vol. 9646 of Lecture Notes in Comput. Sci., pp. 325–345, Springer, Berlin, Germany, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
B. Qin, R. H. Deng, S. Liu, and S. Ma, “Attribute-based encryption with efficient verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1384–1393, 2015.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2019 Haiying Ma et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1132

Downloads

985

Citations