Abstract

Attribute-based encryption achieves fine-grained access control, especially in a cloud computing environment. In a ciphertext-policy attribute-based encryption (CP-ABE) scheme, the ciphertexts are associated with the access policies, while the secret keys are determined by the attributes. In recent years, people have tried to find more effective access structures to improve the efficiency of encryption systems. This paper presents a ciphertext-policy attribute-based encryption scheme that supports arithmetic span programs. On the composite-order bilinear group, the security of the scheme is proven through a sequence of experiments based on the combination of the composite-order bilinear entropy expansion lemma and the subgroup decision (SD) assumption. The scheme is adaptively secure with constant-size public parameters.

1. Introduction

In the cloud computing environment, the traditional public key encryption system cannot meet realistic needs because it only achieves one-to-one sharing of encrypted data. In 2006, Goyal et al. [1] proposed attribute-based encryption (ABE), which can achieve one-to-many encryption, making the sharing of encrypted data more convenient. Besides, the encrypter does not need to know the specific identifying information of the visitors but only needs to use the access structure to complete fine-grained access control over the users’ identities, which provides a new idea for data sharing. ABE is divided into two types according to whether the ciphertexts or the keys are marked with attributes. For example, in a CP-ABE scheme, keys are marked with attributes and the ciphertexts are linked with access policies. Conversely, in key-policy ABE (KP-ABE), keys are linked with access policies and the ciphertexts are marked with a series of attributes.

In 2006, Goyal et al. [1] came up with a KP-ABE scheme that supports an access tree. The size of the public parameters is linearly related to the size of the attributes, that is, the size is not constant. In 2008, Katz et al. [2] put forward the first KP-ABE scheme based on the inner product on the composite-order bilinear group. It is a selectively secure scheme, and the length of the ciphertext increases linearly with the vector’s dimension. In 2010, Herranz et al. [3] proposed a CP-ABE scheme with a constant-size ciphertext, but it only supports the threshold access control. In 2011, based on dual pairing vector space, Okamoto and Takashima [4] presented a zero-inner product encryption scheme and a nonzero inner product encryption scheme which are fully secure under the standard model, in which the ciphertext’s length or the key’s length can reach a constant. In 2011, Attrapadung et al. [5] first proposed a KP-ABE scheme that supports the nonmonotonic access control. The scheme has a constant-size ciphertext, but it can only be proved under the selective model. In 2013, Chen et al. [6] gave a general construction method from inner product encryption to ABE and presented an ABE scheme supporting threshold access control based on inner product encryption. This scheme achieves adaptive security with constant-size ciphertext. In 2014, Wee [7] first proposed an ABE scheme supporting the arithmetic span programs [8], but did not give a specific scheme (just a framework). In 2015, Attrapadung et al. [9] proposed a general conversion between the ABE scheme supporting the arithmetic span programs and the KP-ABE scheme when we do not limit the size of the span programs, but the size of the attributes is limited. This scheme achieves adaptive security with a constant-size ciphertext, but the length of the public parameters is still not constant. In 2017, Chen et al. [10] first proposed a KP-ABE scheme supporting arithmetic span programs via bilinear entropy expansion, and the scheme is adaptively secure with constant-size parameters. In particular, Table 1 illustrates the development of ABE with respect to the access structure. Besides, the existing ABE scheme can be converted into a scheme supporting the arithmetic span program. Compared with the ABE scheme achieved by the Boolean circuit, the computational complexity and parameter size of the scheme supporting the arithmetic span program are relatively small. Therefore, given that the composite-order bilinear group has the advantages of fewer algorithm components and a simple, clear algorithm representation, we naturally think of the following question about ABE:

“Can we design a CP-ABE scheme that supports arithmetic span program on a bilinear group?”

1.1. Our Contribution

Although CP-ABE and KP-ABE have many similarities in structure, even a dual relationship, their application scenarios are very different. In the CP-ABE scheme, because the policy is embedded in the ciphertext, the data owner can set policies to determine which attributes can access the ciphertext. That is, encrypted access control for this data can be refined to the attribute level. The application scenario of CP-ABE is usually encrypted data storage and fine-grained sharing on the public cloud, while the application scenario of KP-ABE is more inclined to paid video websites, log encryption management, and so on. Inspired by [10], we consider designing an adaptively secure CP-ABE scheme. There are some schemes supporting arithmetic span programs [10, 11], but both [10] and [11] are KP-ABE schemes. However, considering that the composite-order group has the advantages of fewer algorithm components and a simple, clear algorithm representation, it is meaningful to construct a CP-ABE scheme on composite-order groups. Specifically, to reduce the parameter size, we first give the composite-order bilinear entropy expansion lemma, which contains the specific form of the public parameters, the ciphertext, and the key. In the setup, we use some random numbers as the master secret key and use the master secret key to calculate the master public key. In the Enc, we embed the policy into certain components of the ciphertext in combination with the public parameters and the bilinear entropy extension vector. In the KeyGen, we combine the attribute vector, the public parameter, and the bilinear entropy extension vector to generate the secret key. In the Dec, the arithmetic span program is used as the criterion for decryption, and a user who satisfies it can decrypt normally. Finally, based on the SD assumption and the composite-order bilinear entropy expansion lemma, the scheme is proved to have adaptive security.

1.2. Organization

We first list some relevant knowledge in Section 2. Then, we present the formal definition of our scheme in Section 3.1 and propose the adaptive security model in Section 3.2. Specifically, we present our scheme in Section 3.3 and verify its correctness in Section 3.4. Finally, we prove its adaptive security by a series of experiments in Section 3.5.

2. Preliminaries

Notation. We let denote a ring of algebraic integers modulo a prime number and denote an m-dimensional vector in . and represent a group of order and a bilinear map, respectively. We denote as the set and n-dimensional vector as the bold letter .

2.1. Bilinear Maps

Definition 1 (see [12, 13] bilinear maps). Let , , and be bilinear groups of order , where are primes. Let be the generator of and the generators of , respectively. Let be the generator of , and are the generators of , respectively.
is a bilinear map, if it satisfies the following three properties:
(1) Bilinearity: for all .
(2) Nondegeneracy: there exists , such that the order of is .
(3) Computability: for all , there is an efficient algorithm to compute .
Also, the composite-order bilinear map satisfies the orthogonality , for all .

2.2. Arithmetic Span Program

Definition 2 (arithmetic span program [8]). An arithmetic span program is a map , and a collection of row vectors , for , satisfies iff there exist constants , such that
where .
As in paper [9], we limit to be an identity map and .
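
The satisfaction condition of Definition 2, worked as an added example that is not code from the paper: assuming the usual form of the condition from [8], where row j is y_j + x_j z_j and the target vector is (1, 0, ..., 0), the constants are found by Gaussian elimination modulo a prime. The modulus 101, the two policies, and all function names are constructed for illustration.

```python
# Added example (not from the paper): arithmetic span program satisfaction over Z_p.
P = 101  # small constructed prime; a real scheme uses a cryptographically large modulus


def solve_mod_p(rows, target, p=P):
    """Return omega with sum_j omega[j] * rows[j] == target (mod p), or None."""
    m, width = len(rows), len(target)
    # One linear equation per coordinate; the unknowns are omega_1..omega_m.
    aug = [[rows[j][c] % p for j in range(m)] + [target[c] % p]
           for c in range(width)]
    pivots, r = [], 0
    for col in range(m):
        if r == width:
            break
        piv = next((i for i in range(r, width) if aug[i][col]), None)
        if piv is None:
            continue  # omega[col] is a free variable, left at 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)  # modular inverse (Python 3.8+)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(width):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):
        return None  # inconsistent system: the target is not in the span
    omega = [0] * m
    for i, col in enumerate(pivots):
        omega[col] = aug[i][-1]
    return omega


def asp_rows(V, x, p=P):
    """Row j is y_j + x_j * z_j (identity map: one row per attribute)."""
    return [[(y + x[j] * z) % p for y, z in zip(yj, zj)]
            for j, (yj, zj) in enumerate(V)]


def asp_satisfy(V, x, p=P):
    """Return reconstruction constants omega if x satisfies V, else None."""
    rows = asp_rows(V, x, p)
    target = [1] + [0] * (len(rows[0]) - 1)
    return solve_mod_p(rows, target, p)


# Constructed policies, each row given as (y_j, z_j).
# OR_POLICY is satisfied iff x_1 == 3 or x_2 == 4.
OR_POLICY = [((1, -3, 0), (0, 1, 0)), ((1, 0, -4), (0, 0, 1))]
# AND_POLICY is satisfied iff x_1 == 3 and x_2 == 4.
AND_POLICY = [((1, 1, -3, 0), (0, 0, 1, 0)), ((0, -1, 0, -4), (0, 0, 0, 1))]

if __name__ == "__main__":
    for name, policy in (("OR", OR_POLICY), ("AND", AND_POLICY)):
        for x in ((3, 4), (3, 9), (8, 4), (8, 9)):
            print(name, x, asp_satisfy(policy, x))
```

The returned constants are the ones a decryptor would use to recombine per-row components; `None` corresponds to an attribute vector that does not satisfy the policy.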

2.3. Computational Assumptions

Assumption 1 ( [12, 13]). The subgroup decision assumption (denoted by ) holds if, for all probabilistic polynomial time (PPT) adversaries , the following advantage function is negligible in :
where

Assumption 2. () The p2-DDH assumption (denoted by ) holds if, for all probabilistic polynomial time (PPT) adversaries , the following advantage function is negligible in :
where

2.4. Bilinear Entropy Expansion Lemma

For an adversary , the advantage of distinguishing the following two distributions in any polynomial time is negligible:
where

See Appendix for details about the proof of this lemma.

3. CP-ABE Supporting Arithmetic Span Programs

3.1. Formal Definition of the CP-ABE Scheme Supporting Arithmetic Span Program

: input security parameters and output the master public key and the master secret key .
: input access structure and plaintext and output ciphertext .
: input the vector and output the secret key .
: input and and output if satisfies .

3.2. Adaptive Security Model for CP-ABE Schemes Supporting Arithmetic Span Programs

We present an adaptive security model of the CP-ABE scheme that supports the arithmetic span program through the games about the challenger and adversary .
: challenger runs the initialization algorithm and sends to adversary .
: adversary chooses to perform multiple secret key queries. Challenger runs the and sends the secret key to the adversary .
: adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector and the challenge access structure do not satisfy ). Challenger chooses randomly and computes . Then, Challenger sends the challenge ciphertext to the adversary .
: same as .
: adversary outputs the guess about .

We say adversary wins this game iff , and the advantage of adversary is

The encryption scheme is adaptively secure if the advantages of winning the above games are negligible, for all PPT adversaries.

3.3. Our Construction

: input the number of security parameters and attributes and select . Pick random generators , , and of , , and , respectively. Sample and output the master public key
and the master secret key
: input the access structure and the message . Select for all . Compute and output
: input the master secret key and vector . Select for all and output
: input secret key and ciphertext . If satisfies , then compute
where

3.4. Correctness

For all satisfies , we compute

3.5. Security

The proof of the security relies on a series of games that cannot be distinguished. We first define the ciphertext and secret key distributions that are needed in the process of the proof.

3.5.1. Ciphertext Distributions

Standard ciphertext: generated by the encryption algorithm:
Entropy expansion ciphertext: the difference between it and standard ciphertext is given as follows:

3.5.2. Secret Key Distributions

Standard secret key: it is generated by the secret key generation algorithm:
Entropy expansion secret key: compared to the standard secret key, we make a copy of in :
Pseudostandard secret key: compared to the entropy expansion secret key, we make a copy of in :
Pseudosemi-functional secret key: compared to the pseudostandard secret key, we sample :
Semifunctional secret key: compared to the pseudosemi-functional secret key, we remove :

3.5.3. Games

Assume that an adversary makes at most Q secret key queries. Let the advantage of in be denoted by . In the following, we describe the games in detail, and the comparison of is given in Table 2.
: the challenge ciphertext and secret keys are generated by and , respectively.
: compared to , all challenge ciphertext and secret keys are entropy expansion.
: compared to , the first secret keys are semifunctional and the last are entropy expansion.
: compared to , modify the key to the pseudostandard key.
: compared to , modify the key to the pseudo-semifunctional key.
: compared to , modify the key to the semifunctional key.
: challenge ciphertext is the entropy expansion ciphertext about a random message, while the secret keys are semifunctional.

Lemma 1 (). There exists a challenger who can distinguish the left and right distributions in the bilinear entropy expansion lemma with a non-negligible advantage if , that is, .

Proof. Challenger obtains the following distribution: needs to distinguish whether it is left distribution or right in the bilinear entropy expansion lemma.
: pick a random generator of . Sample and output
: adversary queries the secret key corresponding to the vector . Challenger simulates the secret key generation algorithm and picks for all . Output
: adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector in and the challenge access structure do not satisfy ). Challenger picks and and outputs the challenge ciphertext:
: same as .
: adversary outputs the guess about .
Note: the output is the standard secret key and the standard challenge ciphertext if obtains the left distribution. Conversely, the output is the entropy expansion secret key and the entropy expansion challenge ciphertext if obtains the right distribution. Challenger also distinguishes the left and right distributions of the entropy expansion lemma with a non-negligible advantage if . and cannot be distinguished due to the indistinguishability of the left and right distributions.

Lemma 2 (). This follows directly from Table 2.

Lemma 3 (). There exists a challenger who can solve with a non-negligible advantage if , that is, .

Proof. Firstly, from the assumption, sample for all and we have given
Challenger samples for all and obtains with . Then, needs to distinguish whether is the left distribution or right.
: pick random generator of . Sample and output
: adversary queries the secret key corresponding to vector . Challenger simulates the secret key generation algorithm and samples for all and outputs
: adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector in and the challenge access structure do not satisfy ). Challenger picks and and outputs the challenge ciphertext:
: same as .
: adversary outputs the guess about .
Note: the output is the entropy expansion secret key if obtains the left distribution, which is
The output is the entropy pseudostandard secret key if obtains the right distribution, which is . Challenger also solves with a non-negligible advantage if . Therefore, and cannot be distinguished due to .

Lemma 4 (). The advantage in and satisfies for any adversaries .

Proof. Challenger samples for all . The difference between and is only the secret key query. The following shows that the challenger cannot distinguish these two games.
: pick random generator of . Sample and output
: adversary queries the secret key corresponding to vector . Challenger simulates the secret key generation algorithm and samples for all . outputs
and outputs
Adversary observes that the only difference between and is secret key query in . Firstly, and have the same distribution due to the random number . Secondly, the output of the decryption algorithm in and is the same because . Therefore, the adversary cannot distinguish these two secret keys.
Challenge: and have the same distribution because their outputs are entropy expansion challenge ciphertext.
From the above analysis, we have .

Lemma 5 (). There exists a challenger who can solve with a non-negligible advantage if . That is, .

Proof. Same as Lemma 3, challenger samples for all and obtains with . Then, needs to distinguish whether is the left distribution or right. And challenger outputs
The output is a pseudo-semifunctional secret key if obtains the left distribution, which is . The output is an entropy semifunctional secret key if obtains the right distribution, which is . Challenger also solves with a non-negligible advantage if . Therefore, and cannot be distinguished due to .

Lemma 6 (). This follows directly from Table 2 (in fact, they have the same secret key and challenge ciphertext).

Lemma 7. ()

Proof. Challenger samples for all . The difference between these two games is the challenge ciphertext. In , the challenge ciphertext is obtained by , while the challenge ciphertext in is obtained by a random message. Let us prove that the two games are indistinguishable. Pick random generator and of and , respectively. Select and define . We simulate as follows:
: pick random generator of . Sample and output
We can remove because .
: adversary queries the secret key corresponding to vector . Challenger simulates the secret key generation algorithm and picks for all . Output
Challenge: adversary sends two equal-length plaintexts ( and ) and the challenge access structure to challenger (any query vector in and the challenge access structure do not satisfy ). Challenger picks and , and outputs the challenge ciphertext:
: adversary outputs the guess about .
We have in the entropy expansion challenge ciphertext. The distribution of in is a uniform distribution due to the random number , that is, the ciphertext encrypted from a random number and the ciphertext encrypted from have the same distribution. Therefore, adversary cannot distinguish these two entropy expansion ciphertexts.
From the above analysis, we have

Theorem 1. Our CP-ABE scheme supporting arithmetic span programs is adaptively secure under the entropy expansion lemma and subgroup decision assumption. Also,

Proof. The advantage of adversary in our scheme is equivalent to the advantage in under the adaptively secure model. By Lemmas 1–7, we obtain
By Lemma 1, we know
By Lemma 2, we know
The indistinguishability between and is due to
By Lemmas 3–6, we know
By Lemma 7, we know
Obviously, we have .
In summary, the advantage of the adversary in is
That is, our scheme is adaptively secure under the entropy expansion lemma and subgroup decision assumption.

3.6. Performance Analysis

Finally, we show the difference between our scheme and the existing schemes that support arithmetic span programs in Table 3 (where “T” represents the operation time of the bilinear mapping). Compared with [11], the size of the public parameters of our scheme is smaller (from O(n) to O(1)) and adaptive security is achieved. Compared with [10], our scheme chooses the CP-ABE suitable for more flexible application scenarios and is based on the SD assumption to prove its adaptive security.

4. Conclusion

In this paper, we present a ciphertext-policy attribute-based encryption scheme that supports arithmetic span programs on composite-order bilinear groups. Firstly, we prove our entropy expansion lemma with a sequence of games and seven lemmas. Secondly, we prove that our scheme is adaptively secure provided that the entropy expansion lemma and the subgroup decision assumption hold.

Appendix

Proof for the Bilinear Entropy Expansion Lemma

We first list the proof frame through a series of indistinguishable distributions:

The following highlights the proof of Lemmas A.1 and A.2.

Lemma A.1. Under the , , , and assumptions, we have

Proof. The proof is similar to Lemma 3 in paper [10], and we first modify the game sequence in Lemma 3.
: it is the same as the left distribution in Lemma A.1:
: modify sk as follows:
Now, we briefly explain that . Under the assumption, we have
where , and set .
: modify ct as follows:
It is easy to see that . Then, we will prove that through the following game sequence.
: modify cti as follows:
Now, we briefly explain that . Under the assumption, we have
: modify skj as follows:
Now, we briefly explain that . Under the assumption, we have
where , and set , where
: modify ski and cti as follows:
It is easy to see that based on the fact and .
: modify cti as follows:
Now, we briefly explain that . Under the assumption, we have
: modify ski and cti as follows:
It is easy to see that based on the fact .
: modify skj as follows:
It is easy to see that based on the fact .
: modify cti as follows:
It is easy to see that based on the fact :
The rough proof of Lemma A.1 is as above. For more details, please refer to Lemmas 22–29 in paper [10].

Lemma A.2. Sample , and we have

Proof. Under the assumption, we have
Suppose the adversary inputs and sets , where . Then, the system outputs
Now, we observe the above output and use this to illustrate the correctness of Lemma A.2.
(1) If and we write and , we get and the left distribution.
(2) If and we write and , we get and the right distribution.
That is, if we can determine , then the problem will be solved.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the National Natural Science Foundation of China (nos. 61702548 and 61601515) and the Fundamental and Frontier Technology Research of Henan Province (no. 162300410192).