Abstract

Key-policy attribute-based encryption (KP-ABE) is a cryptographic primitive that enables fine-grained access control while still providing end-to-end encryption. Although traditional encryption schemes can provide end-to-end encryption, users have to either share the same decryption keys or the data have to be stored in multiple instances which are encrypted with different keys. Both of these options are undesirable. However, KP-ABE can provide less key overhead compared to the traditional encryption schemes. While there are a lot of KP-ABE schemes, none of them simultaneously supports multiuse of attributes, adaptive security, monotone span programs, and static security assumptions. Hence, we propose a fully secure KP-ABE scheme for monotone span programs in prime-order groups. This scheme uses selective security proof techniques to obtain the requisite ingredients for the full security proof. This strengthens the correlation between selective and full security models and enables the transition of the best qualities in selective security models to fully secure systems. The security proof is based on the decisional linear assumption and the three-party Diffie–Hellman assumption.

1. Introduction

Attribute-based encryption (ABE) is a public key cryptosystem which yields fine grained access control over ciphertext. Succinctly put, the ABE system allows ciphertext and key to be linked to a set of attributes such that the decryption of a particular ciphertext is feasible only if the set of attributes of a user’s secret key satisfies the attributes of the ciphertext. In key-policy ABE (KP-ABE) construction for instance, a message is encrypted over attribute set such as “profession: nurse, sex: female, and institution: hospital A,” and keys are generated over access policy like “profession: nurse ∧ sex: female.” The decryption of a given ciphertext is feasible only if the attributes satisfy the access policy. Ciphertext-policy ABE (CP-ABE) construction is a dual version of KP-ABE scheme with the ciphertext and key attached to access policy and attributes, respectively [13].

ABE is useful cryptographic primitive when data are outsourced in untrusted repositories such as third-party cloud servers. ABE provides an efficient mechanism to share the outsourced data with multiple users based on the user’s roles or attributes. While traditional encryption methods can provide end-to-end encryption, users have to either share the same decryption keys or the data have to be stored in multiple instances which are encrypted with different keys. Both of these options are inappropriate. However, ABE can provide less key overhead compared to traditional encryption methods. ABE offers fine grained access control while still providing end-to-end encryption. In the public repository, a malicious user can obtain the stored encrypted data which do not match his/her attributes’ secret key; however, the user cannot access the content of the data without decipherable keys.

Suppose that a patient encrypts his or her personal health data with the attributes {Hospital A, Hospital B, doctor, nurse} and the access control policy is {{{Hospital A} and {nurse or doctor}} or {{Hospital B} and {nurse or doctor}}}. With this access policy, any nurse or doctor in one of the hospitals satisfies the access policy requirement and can access the encrypted data. This example is visualized in Figure 1.

However, in this scenario, the challenge is that the attributes “nurse” and “doctor” have been used in the access policy multiple times. An ABE scheme with a single-use restriction on attributes requires that an attribute appear only once in the access structure [3]. One way to work around this single-use restriction is to fix, in advance, multiple attributes for each use of an attribute, such as nurse-1, doctor-1, nurse-2, doctor-2, and so on. However, there are two problems with this solution. The first is that the maximum number of similar attributes appearing in the access policy has to be determined at the setup stage. Hence, the access policies supported by the scheme become restricted. The second is that, in KP-ABE, for example, this solution blows up the size of the ciphertext relative to the maximum number of times an attribute is reused, which reduces performance. Conversely, in a KP-ABE construction that supports multiple uses of attributes, policies are not constrained and any combination of attributes can be used arbitrarily to create a policy. So, in this KP-ABE construction, the size of the ciphertext becomes policy-independent and compact.

The expressiveness of access policy ensures rich structure of keys and ciphertexts of ABE construction [3]. The more expressive an ABE scheme is, the more space is required for the potential access policies and attributes. This raises substantial obstacles when proving the security of ABE schemes, since the standard notion of security should impose collusion resistance. Thus, a coalition of unqualified users must not have the ability to aggregate their secret keys to decrypt a ciphertext that none of them is approved to decrypt. Therefore, the security proof must consider an adversary who is capable of collecting different keys, not only the private key formally assigned to him/her. This necessitates security reductions to strike a balance between two conflicting objectives: the simulator should be sufficiently strong to provide an adversary with the numerous keys he/she requests adaptively; however, the simulator should also lack vital information about the strategies of the adversary which enables him/her to achieve success. Thus, the procedures of the adversary should be hidden from the simulator. The foremost security proof in the standard model for ABE constructions in [4, 5] adopts a strategy, known as “partitioning,” to reconcile these two objectives. The partitioning proof strategy was formerly employed in the settings of identity-based encryption (IBE) [6–10].

With the partitioning proof, the simulator configures the system in such a way that every possible private key is in one of the two spaces: keys which the simulator has the ability to create and keys which she/he cannot [3]. In order to guarantee that the keys that the adversary queries are within the set of keys that the simulator can produce, the previous works [4, 5, 11] resorted to a weaker security model referred to as “selective security.” Unfortunately, under this model, the adversary must announce the access structure to be attacked before being given the public parameters of the system. This does not seem to be a suitable security notion in practice for the high security requirements of real-world applications. As an intermediate step, this concept of selective security is quite useful, but it is unsuitable as an ultimate goal. In the settings of IBE, the drawback of selective security was eliminated by giving the simulator the ability to “guess” a partition and terminate whenever the adversary exceeds its limit [10]. Nevertheless, if this approach is used in the ABE schemes, it will lead to exponential loss of security because the ABE scheme has a highly expressive access policy, which makes it difficult to identify a partition that is consistent with the partial power ordering of each key. Moreover, CP-ABE’s selective security is still a challenge and the state-of-the-art approach in [5] introduced “q-type” assumption into the fully secure ABE constructions. The q-type assumption in [5] resulted from the need to encode small public parameters with a potentially large access policy. However, since this assumption is extremely complex to understand and also vulnerable to the Cheon attack [12], it leads us to seek a KP-ABE construction which is proven fully secure under simple static assumptions such as the three-party Diffie–Hellman assumption and the decisional linear assumption.

Dual system of encryption was introduced by Waters [1] to solve the constraints imposed by the partitioning model. In the proof of the dual system of encryption, the simulator is incessantly configured to produce every key and the challenge ciphertext the adversary requests. The principal idea of the technique is that there are two categories of keys and ciphertexts, namely, “normal” and “semifunctional,” which the simulator can produce [1]. A ciphertext can be decrypted with a key when both the key and the ciphertext are not semifunctional. The combination of ciphertext and a key, both semifunctional, triggers failed decryption because in the semifunctional space, the hidden objects are not cancelled. The semifunctional keys and ciphertext are used in hybrid proof while the normal key and ciphertext are used in the actual system. In the hybrid proof, the adversary is given either normal or semifunctional ciphertext and the secret key that is progressively given to him/her is converted to semifunctional one after the other until it gets to a point where the simulator only issues semifunctional key in the security game. At this point, it becomes easy to prove the security.

The critical step in the hybrid proof is when a key becomes semifunctional. At this stage, depending on the proposition that the key (now semifunctional) cannot correctly decrypt the challenge ciphertext, we indicate that the adversary cannot recognize the subtle change in the key. However, since the simulator does not need a partition, she/he cannot be restricted from generating a key and testing the workability of the key by himself/herself via decrypting a semifunctional ciphertext with the key. This challenge in dual encryption proof was resolved in [13] by guaranteeing that the simulator generates only a key decipherable with a semifunctional ciphertext so that the decryption is not hindered from the perspective of the simulator irrespective of whether the semifunctional object exists or not. This type of key formed by the simulator is known as a “nominal semifunctional key.” Conversely, from the perspective of the adversary who is restricted from requesting a qualified key, the decryption of the “semifunctional ciphertext” with the “nominal semifunctional key” is hindered. The correlated factor within the nominal semifunctional key and the semifunctional ciphertext which guarantees successful decryption is information-theoretically concealed from the adversary [13]. This presented the first proof of full security in the standard model.

Our dual encryption system is constructed over semifunctional and normal space. The semifunctional components of ciphertext and keys are much like the normal component of the actual system except that they are decoupled from the public parameters. This gives us the chance to obtain related parameters in the semifunctional space to create relevant variables during the course of simulation rather than to have all the parameters fixed up in the setup phase. The semifunctional space can supply fresh parameters to the simulator for key isolation mechanism; this implies that every semifunctional key should have unique distribution through the use of fresh parameters in the semifunctional space. When the simulator first issues a secret key, then the challenge access policy is known before the semifunctional parameters are defined. Based on the known access policy, the simulator can embed a difficulty in the secret key from the semifunctional space and later annul this difficulty in the ciphertext. On the other hand, if a ciphertext is first issued, then the attribute set of the challenge ciphertext is known before semifunctional parameters are specified. Based on the known attributes, the simulator can also embed a difficulty in the ciphertext from the semifunctional space and later annul this difficulty in the key. The difficulty is random variables chosen in the semifunctional space with their attachment to either the secret key or the ciphertext rendering invalid decryption unless those variables are cancelled out. The difficulty which is embedded in either the key or the ciphertext requires a complete set of key’s component to cancel it out. However, based on the restriction that the adversary cannot obtain complete components of a secret key, computationally this difficulty is unknown to him/her. Therefore, the two selective ways of embedding difficulties to prevent correct decryption of ciphertext can be combined to attain full security in the standard model.

1.1. Our Contribution

We present a KP-ABE scheme in the prime-order settings that supports monotone span program for access policies. The construction achieves full security through selective techniques. Our scheme is based on simple security assumption such as three-party Diffie–Hellman assumption and decisional linear assumption. In summary, our KP-ABE scheme simultaneously achieves the following results:
(1) It enables arbitrary usage of attributes in the access policy.
(2) It achieves adaptive security through selective techniques in the standard model.
(3) It depends on static assumption in the standard model.
(4) It supports span program matrix.
(5) It has compact ciphertext size.

ABE, which evolved from IBE, was initially designed by Shamir [14] and then constructed in [6, 15]. Horwitz and Lynn [16] expanded this idea to hierarchical identity-based encryption (HIBE) which was firstly constructed by Gentry and Silverberg [17]. In the standard model, some earlier ABE constructions [8–10, 18] were proven to be selectively secure. Also, ABE construction has been proven to be secure in the generic group model [19]. Dual encryption proofing techniques were also further explored in the study of [20, 21] and applied to attain leakage resilience in [22–24] and applied directly to computational assumptions in [25]. Lewko and Waters [3] developed new methodology to prove full security by integrating selective techniques used to prove selective security for KP-ABE and CP-ABE constructions. However, they used “q-type assumption” in the security proof which is susceptible to attack [12]. From the studies in [12], it can be inferred that as “q” grows larger, the “q-type” assumption becomes stronger and the scheme which requires it becomes vulnerable, particularly if “q” scales in a predictable way. Recently, Tomida et al. [26] and Kowalczyk et al. [27] proposed ABE schemes that address the problem of one-use restriction of attributes in access policy. The schemes were built on a piecewise guessing framework developed in [28], and they proved adaptive security of the ABE constructions with some polynomial security losses. Nonetheless, these schemes do not directly support span programs (linear secret sharing scheme matrix) to express policies. Song et al. [29] proposed attribute-based encryption which enables users to request for their attribute private keys without revealing their attributes to the key generator. Even though this scheme ensures users’ attributes privacy, it is not fully secure and it does not ensure multiuse of attributes. Recently, Khan et al. [30] proposed efficient attribute-based encryption with repeated attribute optimization. The authors employed “RAO” algorithm to remove repeated redundant attribute shares in encryption operations to reduce ciphertext size and computational cost. However, the limitation of this scheme is that the security is proven in selective model. Also, the scheme is not proven secure against chosen ciphertext attacks but rather chosen plaintext attacks under generic bilinear group model. Hence, the scheme does not achieve full security.

Table 1 shows the comparison of our scheme with other KP-ABE schemes which satisfy the full security (adaptive security) notion. Note that adaptive security just refers to an adversary who does not execute all the queries at once (batch queries), but rather adapts her/his queries from previous results (see Definition 10). The last row describes our scheme in Section 4. From Table 1, it can be seen that the JL [26] scheme possesses most of the needed properties of an ABE construction. However, this scheme inherits the problem of polynomial security losses from the “piecewise guessing framework” that was used for its construction. Also, the security of schemes JL [26] and LK [27] was proven in the random oracle model. Therefore, from the authors’ point of view, there is no scheme that simultaneously achieves the properties listed in Section 1.1 and that is still able to retain the efficiency of selective security in the standard model.

2.1. Organization

In Section 3, we revise the important concepts on KP-ABE systems in prime-order bilinear groups, along with formal definitions of the complexity assumptions. In Section 4, we provide the construction of our scheme and demonstrate its correctness. Section 5 shows security proof of the scheme. In Section 6, we provide implementation and evaluation of the proposed scheme and other related schemes. Finally, in Section 7, we conclude the work.

3. Preliminaries

Definition 1. (access structure) [33]. Let be a set of parties. A collection is monotone if and imply that . An access structure (respectively, monotone access structure) is a collection of nonempty subsets of . The sets in are authorized sets, and the sets not in are nonauthorized sets.

Definition 2. (linear secret sharing scheme). A linear secret sharing scheme is made of two algorithms, share and reconstruct. To distribute a secret among parties, the share algorithm sets , randomly selects , and computes for all . The shadows or shares are distributed to distinct parties. Since the secret is the constant term , the reconstruct algorithm recovers the secret from any shares , for the attribute set and , by computing the linear function of the shares as , where each constant can be obtained efficiently in the polynomial time.

Definition 3. (monotone span program (msp)) [34]. A msp is a linear algebraic model for computing monotone functions. Let be a field and be variables. A msp is a tuple where is a matrix and is labelling function. The msp actualizes the monotone access structure where if and only if is spanned by the rows of the matrix whose labels belong to . The size of is , and the number of rows in . With regard to secret sharing, the size of the msp is the total number of shares that are given to all parties in .
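The following added example (not part of the original paper) builds a monotone span program for the hospital policy of Section 1 and runs the share and reconstruct algorithms of Definition 2 over it, so that "nurse" and "doctor" each label two rows of the matrix. It assumes the target vector is (1, 0, ..., 0), uses a standard AND/OR-tree-to-matrix conversion, and takes an arbitrary prime P as the field size; the function names are hypothetical.

```python
import secrets

P = 2**127 - 1  # prime standing in for the group order p (assumed value)

# Constructed policy tree for the hospital example; leaves are attributes.
POLICY = ("or",
          ("and", "Hospital A", ("or", "nurse", "doctor")),
          ("and", "Hospital B", ("or", "nurse", "doctor")))


def policy_to_msp(policy):
    """Turn an AND/OR tree into (M, rho): share matrix and row labels."""
    rows, width = [], 1

    def walk(node, vec):
        nonlocal width
        if isinstance(node, str):          # leaf: one matrix row per use
            rows.append((vec, node))
            return
        op, left, right = node
        if op == "or":                     # OR: both children inherit vec
            walk(left, vec)
            walk(right, vec)
        else:                              # AND: allocate a fresh column
            padded = vec + [0] * (width - len(vec))
            width += 1
            left_vec = padded + [1]
            right_vec = [0] * len(padded) + [-1]
            walk(left, left_vec)
            walk(right, right_vec)

    walk(policy, [1])
    M = [[x % P for x in v + [0] * (width - len(v))] for v, _ in rows]
    return M, [label for _, label in rows]


def share(secret, M):
    """Shares lambda_i = M_i . v with v = (secret, random, ..., random)."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def reconstruction_coeffs(M, rho, attrs):
    """Find w with sum_i w_i * M_i = (1,0,...,0) over rows labelled in attrs.

    Returns {row index: w_i}, or None when attrs is a nonauthorized set.
    """
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # Augmented system: one equation per matrix column, one unknown per row.
    A = [[M[i][r] for i in idx] + [1 if r == 0 else 0] for r in range(n)]
    pivots, row = [], 0
    for col in range(len(idx)):            # Gauss-Jordan elimination mod P
        p = next((r for r in range(row, n) if A[r][col]), None)
        if p is None:
            continue
        A[row], A[p] = A[p], A[row]
        inv = pow(A[row][col], -1, P)
        A[row] = [x * inv % P for x in A[row]]
        for r in range(n):
            if r != row and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[row])]
        pivots.append(col)
        row += 1
    if any(A[r][-1] for r in range(row, n)):
        return None                        # target not in the row span
    w = {i: 0 for i in idx}
    for r, col in enumerate(pivots):
        w[idx[col]] = A[r][-1]
    return w


def reconstruct(shares, w):
    """Recover the secret as the linear combination sum_i w_i * lambda_i."""
    return sum(c * shares[i] for i, c in w.items()) % P


if __name__ == "__main__":
    M, rho = policy_to_msp(POLICY)
    for label, r in zip(rho, M):
        print(f"{label:<11}", [x if x < P // 2 else x - P for x in r])
    shares = share(42, M)
    ok = reconstruction_coeffs(M, rho, {"Hospital B", "doctor"})
    print("authorized set recovers:", reconstruct(shares, ok))
    print("nurse+doctor only:", reconstruction_coeffs(M, rho, {"nurse", "doctor"}))
```

The matrix has six rows and three columns: its size grows with the number of attribute uses in the policy, while the attribute universe itself stays at four names.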

Definition 4. (bilinear groups). A group generating algorithm takes a secret parameter and returns a description of a group , where is a prime number, and are cyclic groups of order , is a generator, and is a bilinear map, which has two properties:(1)Bilinearity: .(2)Nondegeneracy: for generators and h, .

Definition 5. (the decisional linear (DLIN) assumption). With a given group generating algorithm , we define the following distribution:The advantage an algorithm has in breaking this assumption isWe declare that DLIN assumption is satisfied by , if for any probabilistic polynomial time (PPT) algorithm , is negligible.

Definition 6. (the three-party Diffie–Hellman (TPDH) assumption). With a given group generating algorithm we define the following distribution:The advantage an algorithm has in breaking this assumption isWe declare that TPDH assumption is satisfied by , if for any probabilistic polynomial time (PPT) algorithm , is negligible.

Definition 7. (dual pairing vector spaces). We follow the definition of double vector pairing spaces in [35, 36]. For  =  and , we write to represent the n-tuple of elements of :We can execute scalar product and exponentiation in the exponent. For any and , we haveWe define a bilinear map to represent the product of the componentwise pairings:Here, the dot product is executed using modulo . We select two random sets of vectors: and of subject to the following constraints:(1)The basis with the family and dual basis with the family are dual orthonormal when , for }, whenever . Therefore, the two vectors are perpendicular to each other. As a consequence, their dot product yields zero.(2)Conversely, is orthonormal to when they have the same index, i.e., , for whenever , where denotes nonzero element of . Here, it can be seen that we have abused the terminology “orthonormal,” since is not constrained to 1.Note that the random selection of from the sets that satisfy requirements of dual orthonormality can be done by selecting a set of vectors (i.e., ) at uniformly random from . Then, each vector is determined from the orthonormality constraint such that under high probability, the vectors are linearly independent.

Definition 8. (the subspace assumption). With a given group generating algorithm , we define the subspace assumption asWe assert that for any PPT algorithm which returns a value in ,is negligible in the security parameter . The subspace assumption is the application of the DLIN assumption with vectors. The proof of this assumption can be found in pages 37-38 [3].

Definition 9. (KP-ABE scheme). Under standard definition, a key-policy attribute-based encryption scheme has a quintuple algorithm :
(1): it takes attribute universe description and a security parameter . It returns a master secret key and public parameters .
(2): it takes message , public parameters , and the set of attributes . It outputs the ciphertext .
(3): it takes public parameters , master secret key , and an access structure . It outputs a secret key .
(4): it takes public parameters , ciphertext , and secret key and returns a message or .

3.1. Correctness

KP-ABE construction is correct if it meets the following requirements. With a given ciphertext and a secret key, if the ciphertext attribute’s set matches the key’s access structure, then for any , we have

Definition 10. (KP-ABE full security model). The security game between the challenger C and adversary A proceeds as follows.
The security definition for fully secure KP-ABE depends on indistinguishable game with PPT-chosen plaintext attacker. The game proceeds as follows:
(1) Setup: the challenger executes and submits to adversary .
(2) Phase 1: adaptively queries for the secret keys corresponding to a set of access structures . For each time, it obtains from .
(3) Challenge: sends two messages of equal size together with the set of attributes to . Then, tosses a binary coin and executes and gives to on a condition that does not satisfy any of the access structures queried in phase 1.
(4) Phase 2: adaptively queries for the secret keys corresponding to the set of access structures with the condition that none of these satisfy . For each time, it obtains from .
(5) At the end, returns as a guess for , and the adversary is a winner if . The advantage of for this indistinguishable game is defined as

Definition 11. A KP-ABE construction is fully secure if PPT algorithm has negligible advantage in the above security game.
Note that with the selective security game, the adversary must announce before viewing the . Henceforth, the term semifunctional will be denoted as SF.

4. Prime-Order KP-ABE Construction

We use the dual framework of data encryption proof technique in prime-order settings, where orthogonal subspaces within the exponents perform the role of both normal and SF components. Since SF vectors are never published, they can serve as “hidden parameters” which create new randomness even with a fixed size of public parameters. We provide fresh pair of vectors for each attribute to produce enough randomness to ensure an information-theoretic transition from a nominal SF key (one with SF components but still capable of correctly decrypting SF ciphertext) to a real SF one (a key which is incapable of decrypting SF ciphertext). Again, we denote the attribute universe as the complete number of attributes within the system. The scheme is constructed as follows:
(1): this algorithm picks a bilinear group of prime order and a generator . It picks at random two pairs of dual orthonormal bases of dimension and pairs of dual orthonormal bases of dimension , bound to the restriction that they all hold the same value . We let denote the family vectors of , and are the basis vectors of for each from to . The setup algorithm also picks a quadruple of random exponents and another quadruple of random exponents , with the restriction that . The public parameters comprise Additionally, the master secret key is
(2): the algorithm gets the public key , a master key , and access structure , and the algorithm picks randomly . Then, set and compute the shares and for all where is the vector of which corresponds to the i-th row of . It then picks randomly and outputs
(3): the algorithm gets the message , attribute sets , and public parameter , picks randomly , and outputs
(4): let correspond to the set of attributes associated to ciphertext and be the policy matrix. If satisfies , the decryption algorithm computes and , where each constant can be obtained efficiently in the polynomial time. It then computes

Then, the message is retrieved as

5. Security Proof

Theorem 1. Under the DLIN assumption and TPDH assumption defined in Section 3, our KP-ABE construction is fully secure (i.e., see Definition 11).

The security proof for our construction depends on hybrid argument over series of games. We will define the set of keys and ciphertext that will be used in the games. To commence the security game, first the challenger generates and as the related parameters that will be used in the security proof.

5.1. SF Ciphertext

To create this ciphertext for a set of attributes , firstly, we execute the normal encryption algorithm in equation (15). The ciphertext is made up of the following components: . Then, we pick random values and multiply by . Also, we multiply by . The other component of the ciphertext stays unaltered as shown below.

5.2. SF Keys

To generate these keys for an , we first execute the normal key generation algorithm in equation (14) to get a normal key made up of the following components of . We then pick random secret values and a random vector and set the index . We produce shares for the secret as , where is the row vector in with the label . The SF key is output as

Recall that we do not put a partition on a simulator with a nominal SF key. Therefore, the nominal SF key correlates correctly with the SF ciphertext to allow decryption, regardless of the presence or absence of SF components. This happens because the share of the secret in the SF space is zero.

5.3. Ephemeral SF Keys

These keys are indistinguishable to nominal keys, with the exception that SF components attach to either or which is now being randomized (which prevent accurate SF ciphertext decryption). Concretely, to create an ephemeral SF key for the access matrix , we first execute the normal key generation algorithm in equation (15) to get a normal key made up of the following components of , . We then pick random secret values , and a random vector and set the index Note that value of the secret in the SF space is zero. We produce shares for the secret as , where is the row vector in with the label . The SF key is output as

5.4. Proof Structure

The hybrid proof is executed over a series of games. Denoting as the total number of key requested by adversary, we define the series of games as follows: is the real security game as in Section 3 (see Definition 10). In , the ciphertext submitted to the adversary is SF, as are the first keys. The rest of the keys are normal. is similar to , besides the fact that the k-th key delivered to the adversary is nominal SF key. The first keys are SF, whereas the rest of the keys are normal. is similar to , besides the fact that the k-th key delivered to the adversary is an ephemeral SF. The first keys are SF, whereas the rest of the keys are normal. is analogous to , besides the fact that the SF ciphertext delivered to the adversary is encryption of random message.

The layout of our hybrid argument will be as follows. Firstly, we move from to , then to , next to , and so on. Eventually, we get to , where all of the keys and the ciphertext delivered to the adversary are SF. Then, we move to and this completes our security proof since any adversary in the final game has negligible advantage. The transition from to and from to is not complicated and can be done with the help of the computational assumptions. However, the transition from to is a bit complicated and requires other steps. For these steps, we will consider making transition between two phases. Phase 1 is when the adversary requests a challenge ciphertext after obtaining the secret key. In phase 2, the adversary requests a secret key after obtaining the challenge ciphertext. Therefore, in order to get from to , we will transition first from to , then to , and finally to . We let represent the number of queries in phase 1, and we will tackle this transition independently for and . The security proof for phase 1 queries and phase 2 queries is similar to the selective security proof in the KP-ABE settings and CP-ABE settings, respectively.

Lemma 1. Under the subspace assumption, no PPT adversary can achieve a non-negligible advantage in distinguishing and .

Proof:. Suppose a PPT algorithm achieves a non-negligible advantage in distinguishing from , then we will construct a PPT algorithm to break the subspace assumption. We will set the parameters , for two values of and for the remaining values of in the subspace assumption. To correctly align the assumption notation with our scheme notation, we hereby designate the bases of the assumption as and . We will exclude the term because it is not applicable here. The procedure for simulating and is described as follows :(1);(2);(3)(3.1);(3.2)(3.3);(3.4)(4);(5);(6);(7) ;(8) with;(8.1);(8.2)(8.3);(8.4) , where is the secret, ;(8.5) , where is the secret;(8.6) , where is the secret;(8.7);(8.8);(8.8.1);(8.8.2);(8.8.3)(8.8.4)write ;(8.8.5) ;(9)(10) with;(11)(12)(13);(14);(15)(15.1);(15.2)Write ;(15.3) ;(16)(17) with;(17.1);(17.2)(17.3)(17.4) , where is the secret, ;(17.5) , where is the secret;(17.6) , where is the secret;(17.7);(17.8)(17.8.1)guard ()(17.8.2);(17.8.3);(17.8.4);(17.8.5)write (17.8.6) (18)To simulate either or , Algorithm sets the bases for the construction asWe assert that these are well distributed because , etc., are chosen randomly up to sharing the same value . Implicitly, selects and sets . Then, producesIn line 1, the subspace assumption adversary is given the public parameters of the system and its challenge . In line 8, requests for its private keys, which replies correctly to. In line 10, sends two messages of the same length with the attribute to and requests for the challenge ciphertext. In response, outputs the correct ciphertext tuple to with the restriction that the attribute does not satisfy the access structure which is enforced by the guard. In line 17, requests for the private key for the second time. outputs the correct private key to with the restriction that the access structure does not satisfy the attribute set of the previously queried ciphertext. Eventually, outputs’s guess as its own guess. 
By analysing this game, when the terms are absent in the private key, then correctly simulates . In this instance, is used in generating the private key. When terms are present, then correctly simulates . In this case, is used in generating the private key. Therefore, can capitalize on algorithm ’s non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against subspace assumption.

Lemma 2. Under the subspace assumption, no PPT adversary can have a non-negligible advantage in distinguishing between and for any from to .

Proof. Suppose a PPT algorithm achieves a non-negligible advantage in distinguishing from , then we will construct a PPT algorithm to break the subspace assumption. We will set the parameters , for two values of and for the remaining values of in the subspace assumption. To correctly align the assumption notation with our scheme notation, we hereby designate the bases of the assumption as and . We will exclude the term because it is not applicable here. The procedure for simulating and is described as follows:

(1);(2);(3)(3.1);(3.2);(3.3);(3.4)(4)(4.1);(4.2);(4.3);(4.4)(5);(6);(7) ;(8) with;(8.1);(8.2)(8.3);(8.4) , where is the secret, ;(8.5) , where is the secret;(8.6) , where is the secret;(8.7);(8.8)(8.8.1);(8.8.2)(8.8.3)(8.8.4)write ;(8.8.5) ;(9)(10) with;(11)(12);(13);(14);(15);(16)(16.1);(16.2)write ;(16.3) ;(17)(18) with;(18.1);(18.2)(18.3)(18.4) , where is the secret, ;(18.5) , where is the secret;(18.6) , where is the secret;(18.7);(18.8)(18.8.1)guard ()(18.8.2);(18.8.3);(18.8.4);(18.8.5)write ;(18.8.6) ;(19);

To simulate either or , algorithm sets the bases for the construction as

We assert that these are well distributed because , etc., are chosen randomly up to sharing the same value . Implicitly, selects and sets . Then, produces

In line 1, the subspace assumption adversary is given the public parameters of the system and its challenge . In line 8, requests for its private keys, which replies correctly to. In line 10, sends two messages of the same length with the attribute to and requests for the challenge ciphertext. In response, outputs the correct ciphertext tuple to with the restriction that the attribute does not satisfy the access structure which is enforced by the guard. In line 18, requests for the private key for the second time. outputs the correct private key to with the restriction that the access structure does not satisfy the attribute set of the previously queried ciphertext. Eventually, outputs ’s guess as its own guess.

By analysing this game, when the extra components and on and , respectively, are present, then the ciphertext is SF ciphertext (i.e., ); otherwise, it is normal ciphertext (i.e., ). Hence, is capable of simulating normal and SF ciphertext. When the terms are absent in the private key, then correctly simulates . In this instance, is used in generating the private key. When terms are present, then correctly simulates . In this case, is used in generating the private key. Therefore, can capitalize on algorithm A’s non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against subspace assumption.

Lemma 3. Under the TPDH assumption, no PPT adversary can have a non-negligible advantage in distinguishing between and for any from to (note that these are phase 1 queries).

Proof. Suppose a PPT algorithm achieves a non-negligible advantage in distinguishing from , then we will construct a PPT algorithm to break the TPDH assumption. gets where is either or random element of . Algorithm simulates either from based on the nature of . picks a random dual orthonormal bases of 3 dimensions and of 6 dimensions, all with the same value . The procedure for simulating and is described as follows:

(1);(2)(3)(3.1);(3.2);(3.3);(3.4);(3.5);(3.6)(4);(5);(6) ;(7) with;(7.1)(7.2);(7.3);(7.4);(7.5) , where is the secret, ;(7.6) , where is the secret, ;(7.7) , where is the secret, ;(7.8);(7.9)(7.9.1)write ;(7.9.2) ;(8)(9) with;(10)(11);(12);(13);(14)(14.1);(14.2);(14.3);(14.4) ;(15)(16)

To simulate either or , algorithm sets the bases for the construction as

We assert that these are well distributed because , etc., are chosen randomly up to sharing the same value . The SF components and can supply fresh parameters to randomize the ciphertext and the private key, respectively.
In line 1, the TPDH assumption adversary is given the public parameters of the system and its challenge . In line 7, requests for its private keys, which replies correctly to. In line 9, sends two messages of the same length with the attribute to and requests for the challenge ciphertext. In response, outputs the correct ciphertext tuple to with the restriction that the attribute does not satisfy the access structure which is enforced by the guard. Eventually, outputs ’s guess as its own guess. By analysing this game, if , then the power vector becomes as needed for the nominal SF key. Alternatively, this power vector is distributed as random multiples of , which is required for an ephemeral SF key. Hence, when , then has successfully simulated , and if is a random group element, then has successfully simulated . Therefore, can capitalize on ’s non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against the TPDH assumption.

Lemma 4. Under the TPDH assumption, no PPT adversary can have a non-negligible advantage in distinguishing between and for any (note that these are phase 2 queries).

Proof. Suppose a PPT algorithm achieves a non-negligible advantage in distinguishing and for some such that . We will construct a PPT algorithm to break the TPDH assumption. gets where is either or a random element of . will simulate either or with algorithm based on . picks a random dual orthonormal bases of 3 dimensions and of 6 dimensions, all with the same value . The procedure for simulating and is described as follows:

(1);(2);(3)(3.1)(3.2);(3.3);(3.4);(3.5);(3.6);(3.7)(4);(5);(6) (7) with;(8)(9);(10);(11);(12);(13)(13.1);(13.2);(13.3) ;(14)(15) with;(15.1)(15.2)(15.3);(15.4)Let ;(15.5);(15.6)(15.7) , where is the secret, ;(15.8) , where is the secret, ;(15.9) , where is the secret, ;(15.10);(15.11);(15.12)(15.12.1)let ;(15.12.2)write ;(15.12.3) ;(16)

To simulate either or , algorithm sets the bases for the construction as

We assert that these are well distributed because , etc., are chosen randomly up to sharing the same value . The SF components and which will be set later can supply fresh parameters to randomize the ciphertext and the private key, respectively.
In line 1, the TPDH assumption adversary is given the public parameters of the system and its challenge . In line 7, sends two messages of the same length with the attribute to and requests for the challenge ciphertext. In response, outputs the correct ciphertext tuple to . In line 15, requests for the private key . outputs the correct private key to with the restriction that the access structure does not satisfy the attribute set of the previously queried ciphertext. Eventually, outputs ’s guess as its own guess. By analysing this game, if , then the power vector becomes as needed for the nominal SF key. Alternatively, this power vector is distributed as random multiples of , which is required for an ephemeral SF key. Hence, when , then has successfully simulated , and if is a random group element, then has successfully simulated . Therefore, can capitalize on ’s non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against the TPDH assumption.

Lemma 5. Under the subspace assumption, no PPT adversary can achieve a non-negligible advantage in distinguishing between and for any from to .

Proof. This proof is nearly identical to the proof of Lemma 1, except that adds additional terms of attached to , respectively, for the k-th key (in which it picks randomly). This guarantees that if the terms are not present, the k-th key will be correctly distributed as SF key.

Lemma 6. Under the subspace assumption, no PPT adversary can have a non-negligible advantage in distinguishing between and .

Proof. Suppose a PPT algorithm achieves a non-negligible advantage in distinguishing from , then we will construct a PPT algorithm to break the subspace assumption. We will set the parameters , for two values of and for the remaining values of in the subspace assumption. To correctly align the assumption notation with our scheme notation, we hereby designate the bases of the assumption as and . We will exclude the term because it is not applicable here. The procedure for simulating and is described as follows:

(1);(2);(3)(3.1)(3.2)(3.3);(3.4)(4)(4.1);(4.2);(4.3)(4.4)(5)(6);(7) ;(8) with;(8.1);(8.2)(8.3)(8.4) , where is the secret, ;(8.5) , where is the secret, ;(8.6) , where is the secret, ;(8.7) ;(8.8) ;(8.9) ;(8.10);(8.11);(8.11.1)write ;(8.11.2) ;(9)(10) with;(11)(12);(13);(14)(15);(16)(16.1);(16.2)write ;(16.3) ;(17)(18);

To simulate either or , algorithm sets the bases for the construction as

We assert that these are well distributed because , etc., are chosen randomly up to sharing the same value . Implicitly, selects and sets . Then, produces

In line 1, the subspace assumption adversary is given the public parameters of the system and its challenge . In line 8, requests for its private keys, which replies correctly to. In line 10, sends two messages of the same length with the attribute to and requests for the challenge ciphertext. In response, outputs the correct ciphertext tuple to with the restriction that the attribute set does not satisfy the access structure which is enforced by the guard. Eventually, outputs ’s guess as its own guess. By analysing this game, if the exponent of is equal to and , then we have

and hence we have a well-distributed SF encryption of , as required in . In this instance, and are used in generating the challenge ciphertext. If instead the power of , then we have

As long as the term remains hidden in the SF ciphertext, it provides a blinding factor required for encryption of random message in the .
Consequently, C can capitalize on A’s non-negligible advantage in distinguishing between these games to attain a non-negligible advantage against the subspace assumption.

6. Implementation and Evaluation

We implemented the automated proofs of our KP-ABE scheme in AutoG&P [37]. In all cases, the proof is discovered semiautomatically, with the lines of code that involve manual hand-tuning steps. The implementation was executed on a personal laptop with an Intel i7 2.2 GHz CPU and 8 GB RAM running macOS High Sierra 10.13.6. The proof-generation time for all the hybrid games of our scheme (i.e. took 498 ms.

Additionally, we use the Python cryptographic library charm-crypto 0.43 [38] to implement our KP-ABE scheme and the ABE scheme by Lewko and Waters [3] (Lw), which are the only schemes which support dual vector subspace assumption and thus whose functionalities are close to our scheme among the known ABE schemes. We used the SS512 elliptic curve with a 512-bit base field and the SHA-3 hash function. We set the number of attributes to 10 and increase it by 10 attributes each time. The benchmarks of the experiments are shown in Figures 2–4.

As can be inferred from Figures 2 and 4, the computation cost of the key generation and encryption algorithms increases with the number of attributes. Our scheme has less computation overhead than the Lw scheme. This is because our scheme performs fewer exponentiations of group elements. Our scheme also has a lower decryption computation cost, which can be inferred from Figure 4. This results from the smaller number of pairing operations in decryption compared with the Lw scheme.

6.1. Theoretical Comparison

We provide theoretical comparisons with some KP-ABE schemes which are shown in Tables 2–5. To enable us to make comparison with JL [26] scheme which uses asymmetric elliptic curve, we adopted the approach in [39] to convert Lw [3], GSW [31], and our scheme from the symmetric setting to the asymmetric setting without having to compute isomorphisms between the source groups. We use the “MNT159” asymmetric curve with a 159-bit base field from the charm-crypto Python library. Table 6 gives the cost of the computation operations. The parameters are set as follows:

(i): the number of attributes.
(ii): the maximum of multiple use of attributes.
(iii): the number of distinct labels .
(iv): the number of inputs and non-negated and negated inputs to a policy, respectively .
(v): the number of attributes and non-negated and negated attributes in decryption, respectively ().
(vi): the number of rows of a matrix for span programs.

As can be deduced from Tables 2–4, GSW is the most efficient scheme. However, it does not support the multiuse and adaptive security properties. Although JL supports multiuse of attributes in the access policy, the computation cost of key generation increases with multiuse of attributes by the factor of . However, since our scheme and Lw use the selective technique in generation of either the ciphertext or the key, the scheme performance is not affected by the multiuse of attributes. In terms of computation cost of decryption, the number of pairing operations and exponentiations increases with the factor of in JL scheme when attributes are reused multiple times. However, our scheme and Lw scheme are not affected by multiuse of attributes. The computation cost only increases when there is an increment in the size of attributes.

From Table 6, we can infer that GSW has the smallest key and ciphertext sizes. However, it does not support multiuse of attributes. Although JL supports multiuse of attributes, the size of the ciphertext increases by the factor of . While the key and ciphertext sizes of Lw and our scheme are not affected by multiuse of attributes, our scheme has smaller key and ciphertext sizes than the Lw scheme.
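Multiuse of attributes, as compared in this section, means that one attribute labels several rows of the span-program matrix, and the guard used in the security games is a test of whether an attribute set satisfies that matrix. The following added example (not code from the paper or from charm-crypto) checks satisfaction of a monotone span program over a prime field; the policy, matrix, attribute names and modulus are constructed for illustration.

```python
# Added illustration; the policy, matrix and attribute names are constructed.
P = 2**61 - 1  # a prime modulus standing in for the group order (assumption)

# Policy: (nurse AND female) OR (nurse AND hospitalA); "nurse" labels two rows.
LABELS = ["profession:nurse", "sex:female", "profession:nurse", "institution:hospitalA"]
MATRIX = [[1, 1, 0], [0, -1, 0], [1, 0, 1], [0, 0, -1]]

def reconstruct(matrix, labels, attrs, p=P):
    """Return {row: w} with sum(w * row) == (1,0,...,0) mod p, or None."""
    rows = [i for i, a in enumerate(labels) if a in attrs]
    n = len(matrix[0])
    # One linear equation per matrix column; the unknowns are the row weights.
    aug = [[matrix[i][j] % p for i in rows] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for c in range(len(rows)):  # Gauss-Jordan elimination over Z_p
        piv = next((k for k in range(r, n) if aug[k][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):  # 0 = nonzero: target not in the span
        return None
    w = {i: 0 for i in rows}  # free (non-pivot) weights stay at zero
    for k, c in enumerate(pivots):
        w[rows[c]] = aug[k][-1]
    return w

def guard_allows_key_query(matrix, labels, challenge_attrs):
    """A key for this policy may be issued only if it cannot decrypt the challenge."""
    return reconstruct(matrix, labels, challenge_attrs) is None

def combine(matrix, w, p=P):
    """Recompute the weighted row sum to confirm it equals the target vector."""
    return [sum(w[i] * matrix[i][j] for i in w) % p for j in range(len(matrix[0]))]
```

The matrix has four rows for three distinct attributes, which is why the row count is a separate parameter from the attribute count once attributes are reused.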

7. Conclusions

In prime-order bilinear groups, we have introduced a KP-ABE scheme which is fully secure and supports arbitrary usage of attributes in the access policy. This scheme attains full security under the DLIN assumption and the three-party Diffie–Hellman assumption. This work removes the high security loss that is involved in the reuse of attributes and enables the nonrestricted use of attributes. Our key point is inspired by the idea that the information-theoretical steps of the former dual system proof give the adversary excessive ground as if the computational arguments would be enough. So, we revived the earlier selective proof techniques within the framework of dual system encryption to gain enough ground to achieve a full security proof.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This study was partially supported by the Sichuan Science and Technology Program (2018HH0102, 2019YFH0014, 2020YFH0030, and 2020YFSY0061).