Research Article | Open Access
A CP-ABE Scheme Supporting Arithmetic Span Programs
Attribute-based encryption achieves fine-grained access control, especially in a cloud computing environment. In a ciphertext-policy attribute-based encryption (CP-ABE) scheme, the ciphertexts are associated with the access policies, while the secret keys are determined by the attributes. In recent years, people have tried to find more effective access structures to improve the efficiency of encryption systems. This paper presents a ciphertext-policy attribute-based encryption scheme that supports arithmetic span programs. On the composite-order bilinear group, the security of the scheme is proven by experimental sequence based on the combination of composite-order bilinear entropy expansion lemma and subgroup decision (SD) assumption. And, it is an adaptively secure scheme with constant-size public parameters.
In the cloud computing environment, the traditional public key encryption system cannot meet the realistic needs due to the feature that it only achieves one-to-one encrypted data sharing. In 2006, Goyal et al.  proposed attribute-based encryption (ABE), which can achieve one-to-many encryption, making the sharing of encrypted data more convenient. Besides, the encrypter does no need to know the specific identifying information of the visitors but only needs to use the access structure to complete the access control of the user’s identity on the fine-grained level, which provides a new idea for data sharing. ABE is divided into two types based on ciphertexts or keys being marked as attributes. For example, in a CP-ABE scheme, keys are marked as attributes and the ciphertexts are linked with access policies. Conversely, the key-policy ABE (KP-ABE) means that keys are linked with access policies and the ciphertexts are marked as a series of attributes.
In 2006, Goyal et al.  came up with a KP-ABE scheme that supports an access tree. The size of the public parameters is linearly related to the size of the attributes, that is, the size is not constant. In 2008, Katz et al.  put forward the first KP-ABE scheme based on the inner product on the composite-order bilinear group. It is a selectively secure scheme, and the length of the ciphertext increases linearly with the vector’s dimension. In 2010, Herranz et al.  proposed a CP-ABE scheme with a constant-size ciphertext, but it only supports the threshold access control. In 2011, based on dual pairing vector space, Okamoto and Takashima  presented a zero-inner product encryption scheme and a nonzero inner product encryption scheme which are fully secure under the standard model, in which the ciphertext’s length or the key’s length can reach a constant. In 2011, Attrapadung et al.  first proposed a KP-ABE scheme that supports the nonmonotonic access control. The scheme has a constant-size ciphertext, but it can only be proved under the selective model. In 2013, Chen et al.  gave a general construction method from inner product encryption to ABE and presented an ABE scheme supporting threshold access control based on inner product encryption. This scheme achieves adaptive security with constant-size ciphertext. In 2014, Wee  first proposed an ABE scheme supporting the arithmetic span programs , but did not give a specific scheme (just a framework). In 2015, Attrapadung et al.  proposed a general conversion between the ABE scheme supporting the arithmetic span programs and the KP-ABE scheme when we do not limit the size of the span programs, but the size of the attributes is limited. This scheme achieves adaptive security with a constant-size ciphertext, but the length of the public parameters is still not constant. In 2017, Chen et al.  first proposed a KP-ABE scheme supporting arithmetic span programs via bilinear entropy expansion, and the scheme is adaptive security with constant-size parameters. In particular, Table 1 illustrates the development of ABE about the access structure. Besides, the existing ABE scheme can be converted into a scheme supporting the arithmetic span program. Compared with the ABE scheme achieved by the Boolean circuit, the computational complexity and parameter size of the scheme supporting the arithmetic span program are relatively small. Therefore, based on the fact that the composite-order bilinear group has fewer algorithm components and the algorithm represents simple and clear advantages, we naturally think of the following question about ABE:
“Can we design a CP-ABE scheme that supports arithmetic span program on a bilinear group?”
①: the security of the scheme against selectively chosen plaintext attacks can be proven in the standard model; ②: this paper did not give a specific scheme (just a framework).
1.1. Our Contribution
Although CP-ABE and KP-ABE have many similarities in structure, even a dual relationship, the application scenarios are very different. In the CP-ABE scheme, because the policy is embedded in ciphertext, the data owner can set policies to determine which properties can access the ciphertext. That is, encrypted access control for this data can be refined to the attribute level. The application scenario of CP-ABE is usually data encryption storage and fine-grained sharing on the public cloud, while the application scenario of KP-ABE is more inclined to pay video websites, log encryption management, and so on. Inspired by , we consider designing an adaptively secure CP-ABE scheme. There are some schemes supporting arithmetic span programs [10, 11], where [10, 11] are KP-ABE schemes. However, considering that the composite-order group has fewer algorithm components and the algorithm represents simple and clear advantages, it is meaningful to construct a CP-ABE scheme on composite-order groups. Specifically, to reduce the parameter size, we first give the composite-order bilinear entropy expansion lemma, which contains the specific form of public parameters, ciphertext, and the key. In the setup, we use some random numbers as the master secret key and use the master secret key to calculate the master public key. In the Enc, we subtly embed the strategy into certain components of the ciphertext in combination with the public parameters and the bilinear entropy extension vector. In the KeyGen, we combine the attribute vector, the public parameter, and the bilinear entropy extension vector to generate the secret key. In the Dec, the arithmetic span program is used as a standard for decryption and the user can decrypt normally. Finally, based on SD assumption and composite-order bilinear entropy expansion lemma, the scheme is proved to have adaptive security.
We first list some relevant knowledge in Section 2. Then, we present the formal definition of our scheme in Section 3.1 and propose the adaptive security model in Section 3.2. Specifically, we present our scheme in Section 3.3 and verify its correctness in Section 3.4. Finally, we prove its adaptive security by a series of experiments in Section 3.5.
Notation. We let denote a ring of algebraic integers modules a prime number and denote an m-dimension vector in . and represent a group of order and a bilinear map, respectively. We denote as the set and n-dimensional vector as the bold letter .
2.1. Bilinear Maps
Definition 1 (see [12, 13] bilinear maps). Let , , and be bilinear groups of order , where are primes. Let be the generator of and the generators of , respectively. Let be the generator of , and are the generators of , respectively.
is a bilinear map, if it satisfies the following three properties:(1)Bilinearity: for all .(2)Nondegeneracy: there exists , such that the order of is .(3)Computability: for all , there is an efficient algorithm to compute .Also, the composite-order bilinear map satisfies the orthogonality , for all .
2.2. Arithmetic Span Program
Definition 2 (arithmetic span program ). An arithmetic span program is a map , and a collection of row vectors , for , satisfies iff there exists constants , such thatwhere .
Like in paper , we limit to be an identity map and .
2.3. Computational Assumptions
Assumption 1 ( [12, 13]). We define the subgroup decision assumption (denoted by ) holds if for all probability polynomial time (PPT) adversaries , and the following advantage function is negligible in :where
Assumption 2. ()The p2-DDH assumption (denoted by ), holds if for all probability polynomial time (PPT) adversaries , and the following advantage function is negligible in :where
2.4. Bilinear Entropy Expansion Lemma
For an adversary , the advantage of distinguishing the following two distributions in any polynomial time is negligible:where
See Appendix for details about the proof of this lemma.
3. CP-ABE Supporting Arithmetic Span Programs
3.1. Formal Definition of the CP-ABE Scheme Supporting Arithmetic Span Program
: input security parameters and output the master public key and the master secret key . : input access structure and plaintext and output ciphertext . : input the vector and output the secret key . : input and and output if satisfies .
3.2. Adaptively Security Model for CP-ABE Schemes Supporting Arithmetic Span Programs
We present an adaptive security model of the CP-ABE scheme that supports the arithmetic span program through the games about the challenger and adversary . : challenger runs the initialization algorithm and sends to adversary . : adversary chooses to perform multiple secret key queries. Challenger runs the and sends the secret key to the adversary . : adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector and the challenge access structure do not satisfy ). Challenger chooses randomly and computes . Then, Challenger sends the challenge ciphertext to the adversary . : same as . : adversary outputs the guess about .
We say adversary wins this game iff , and the advantage of adversary is
The encryption scheme is adaptively secure if the advantages of winning the above games are negligible, for all PPT adversaries.
3.3. Our Construction
: input the number of security parameters and attributes and select . Pick random generators , , and of , , and , respectively. Sample and output the master public key and the master secret key : input the access structure and the message . Select for all . Compute and output : input the master secret key and vector . Select for all and output : input secret key and ciphertext . If satisfies , then compute where
For all satisfies , we compute
The proof of the security relies on a series of games that cannot be distinguished. We first define the ciphertext and secret key distributions that are needed in the process of the proof.
3.5.1. Ciphertext Distributions
Standard ciphertext: generated by the encryption algorithm: Entropy expansion ciphertext: the difference between it and standard ciphertext is given as follows:
3.5.2. Secret Key Distributions
Standard secret key: it is generated by the secret key generation algorithm: Entropy expansion secret key: compared to the standard secret key, we make a copy of in : Pseudostandard secret key: compared to the entropy expansion secret key, we make a copy of in : Pseudosemi-functional secret key: compared to the pseudostandard secret key, we sample : Semifunctional secret key: compared to the pseudosemi-functional secret key, we remove :
Assume that an adversary makes at most Q secret key queries. Let the advantage of in be denoted by . In the following, we describe in detail the specific details of the games, and the comparison of is given in Table 2. : the challenge ciphertext and secret keys are generated by and , respectively. : compared to , all challenge ciphertext and secret keys are entropy expansion. : compared to , the first secret keys are semifunctional and the last are entropy expansion. : compared to , modify the key to the pseudostandard key. : compared to , modify the key to the pseudo-semifunctional key. : compared to , modify the key to the semifunctional key. : challenge ciphertext is the entropy expansion ciphertext about a random message, while the secret keys are semifunctional.
Lemma 1 (). There exists a challenger who can distinguish the left and right distributions in the bilinear entropy expansion lemma with a non-negligible advantage if , that is, .
Proof. Challenger obtains the following distribution: needs to distinguish whether it is left distribution or right in the bilinear entropy expansion lemma. : pick a random generator of . Sample and output : adversary queries the secret key corresponding to the vector . Challenger simulates the secret key generation algorithm and picks for all . Output : adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector in and the challenge access structure do not satisfy ). Challenger picks and and outputs the challenge ciphertext: : same as . : adversary outputs the guess about . Note: the output is the standard secret key and the standard challenge ciphertext if obtains the left distribution. Conversely, the output is the entropy expansion secret key and the entropy expansion challenge ciphertext if obtains the right distribution. Challenger also distinguishes the left and right distributions of the entropy expansion lemma with a non-negligible advantage if . and cannot be distinguished due to the indistinguishability of the left and right distributions.
Lemma 2 (). We know it in Table 2 easily.
Lemma 3 (). There exists a challenger who can solve with a non-negligible advantage if , that is, .
Proof. Firstly, from the assumption, sample for all and we have given
Challenger samples for all and obtains with . Then, needs to distinguish whether is the left distribution or right. : pick random generator of . Sample and output : adversary queries the secret key corresponding to vector . Challenger simulates the secret key generation algorithm and samples for all and outputs : adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector in and the challenge access structure do not satisfy ). Challenger picks and and outputs the challenge ciphertext: : same as . : adversary outputs the guess about . Note: the output is the entropy expansion secret key if obtains the left distribution, which is The output is the entropy pseudostandard secret key if obtains the right distribution, which is . Challenger also solves with a non-negligible advantage if . Therefore, and cannot be distinguished due to .
Lemma 4 (). The advantage in and satisfies for any adversaries .
Proof. Challenger samples for all . The difference between and is only the secret key query. The following shows that the challenger cannot distinguish these two games. : pick random generator of . Sample and output : adversary queries the secret key corresponding to vector . Challenger simulates the secret key generation algorithm and samples for all . outputs and outputs Adversary observes that the only difference between and is secret key query in . Firstly, and have the same distribution due to the random number . Secondly, the output of the decryption algorithm in and is the same because . Therefore, the adversary cannot distinguish these two secret keys. Challenge: and have the same distribution because their outputs are entropy expansion challenge ciphertext.Obtained from the above analysis, we have .
Lemma 5 (). There exists a challenger who can solve with a non-negligible advantage if