Abstract

Ciphertext policy attribute-based encryption (CP-ABE) is an encryption mechanism that can provide fine-grained access control and adequate cloud storage security for the Internet of Things (IoTs). In this field, the original CP-ABE scheme usually has only a single trusted authority, which becomes a bottleneck in IoTs. In addition, different users may illegally share their private keys to obtain improper benefits. Besides, data owners also require the flexibility to change their access policy. In this paper, we construct a multiauthority CP-ABE scheme on prime order groups over a large attribute universe. Our scheme supports white-box traceability along with policy updates to solve the abovementioned three problems and, thus, can meet the potential requirements of IoTs. More precisely, the proposed scheme supports multiple authorities, white-box traceability, large attribute domains, access policy updates, and high expressiveness. We prove that our designed scheme is static secure and traceable secure based on the state-of-the-art security models. Moreover, by theoretical comparison, our scheme has better performance than other schemes. Finally, extensive experimental comparisons show that our proposed algorithm can be better than the baseline algorithms.

1. Introduction

With the help of cloud computing technology, the Internet of Things (IoTs) [1] can bridge physical devices and virtual objects, which has become a promising networking scenario in the cyber world. In IoTs, more and more companies and individuals store data in the cloud, requiring the cloud servers to provide data access services. However, cloud servers are generally considered to be untrustworthy for the reason that the data of IoTs often contain sensitive information. In order to protect the privacy of these data, one of the traditional technologies is to encrypt the data, and data owners need to be online at all times to distribute their secret keys. Although these technologies achieve access control, the management of these keys will become a bottleneck when more and more users join the system. In addition, for each type of data, it is necessary to maintain one or more copies of the ciphertext for different users with different keys, which will cause a waste of storage overhead in an IoTs system [2]. To this end, Sahai et al. [3] first proposed attribute-based encryption. Attribute-based encryption (ABE) is a one-to-many encryption mechanism that can provide fine-grained access control and data security. Goyal et al. [4] further proposed the key policy ABE (KP-ABE) and ciphertext policy ABE (CP-ABE). Then, Bethencourt et al. [5] studied the CP-ABE scheme with a complete description, showing that CP-ABE allows data owners to define access strategies under the user’s attributes. Once the user encrypts specific data, other users can decrypt them if and only if their attributes meet the access policy. Thanks to these characteristics, the CP-ABE scheme is considered a more suitable encryption mechanism for cloud storage access control than KP-ABE.

However, the original CP-ABE scheme only has a single, trusted authority dealing with the user’s key distribution and attribute management, which will become a bottleneck in the cloud, especially in an IoTs system. Liu et al. [6] proposed a scheme under a different hierarchy of attributes with the name of ciphertext-policy hierarchical attribute-based encryption. Deng et al. [7] elaborate on ABE and propose a new versatile cryptosystem referred to as ciphertext-policy hierarchical ABE. Wang et al. [8], based on the access structure layered model, proposed a novel access control scheme about file hierarchy by using ABE to solve the problem. Liu et al. [9] propose a novel T-CP-ABE system that gives high policies expressiveness in any monotone access structures and add traceability. Liang et al. [10] propose a CP-ABPRE to deal with the security problem by using the dual system encryption technology with the selective proof technique. But, the schemes mentioned above are all single attribute authorization (AA) ABE schemes. It is completely borne in the cloud environment, which not only brings a serious burden to the authorization center but also requires the authorization center to be completely trusted. Single-attribute authority cannot meet the development needs of practical applications because different attributes in different fields in many application scenarios are caused by different environments. For example, there is a situation that the data owner wants to share data with the researchers in the research institutes and the managers in the government departments. In this case, the attributes of researchers are determined by the research institutes. At the same time, the “government attributes” are managed by the government department. The abovementioned ABE schemes are not suitable for this situation where the attributes need to be managed by multiple agencies.

On the other side, in some CP-ABE schemes, it is easy to discover their attributes in the private key. There may be another situation that some malicious users illegally share their private keys to obtain economic benefits. Thus, the features of the CP-ABE scheme that can track leaked secret keys are particularly important. Therefore, we also need a traceability mechanism to track these malicious users. For example, attackers can access critical vulnerabilities in a wide variety of IoTs applications and devices to perform their malicious activities. This requires the design of effective security mechanisms in an IoTs-related application.

Except for the traceability, the policy update of the CP-ABE system also needs to be considered for supplying more functions. For instance, when addressing security, trust, and privacy in IoTs, the data owner may need to alter the access policy stored on the cloud. In that case, the traditional solution is to let the data owner find the cloud storage server’s relevant ciphertext and decrypt it, then encrypt the ciphertext using a new access strategy, and upload the newly encrypted ciphertext back to the cloud server. It, thus, brings much computational burden to the system. Therefore, the policy update is another important characteristic of the actual system.

To sum up, there are three major challenges in CP-ABE that we need to solve as follows:
(1) How to solve the bottleneck of single authority authorization in cloud storage applications, especially in an IoTs system?
(2) How to prevent some malicious users from illegally sharing their private keys?
(3) How to propose an algorithm that makes the data owner’s access control more flexible in IoTs-enabled applications?

1.1. Our Contribution

This paper addresses the abovementioned challenges by proposing a scheme named T-DPU-MCP-ABE (Traceable and Dynamic Policy Updating Multiauthority Attribute-based Encryption). More precisely, we propose a T-DPU-MCP-ABE based on the prime order bilinear group, and we prove its static security and resistance to traceable attacks under two related security models. Our security assumption utilizes the -type hypothesis [11] and is based on the LRSW hypothesis [12]. As far as we know, we are the first one to support the properties of large attribute domain, policy update, white box traceability, multiauthorization, and high expressiveness and still have good performance. Especially, the features are described in detail as follows:
(1) Large attribute domain: the size of public parameters is affected by the number of authorized institutions and will not increase linearly with the number of attributes. There is no need to determine the system attribute domain when the system is established.
(2) Policy update: data owners may often need to modify the ciphertext access policy according to various requirements. Policy updates provide flexibility and allow data owners to adjust their encrypted data access policies to achieve fine-grained control.
(3) White box traceability: it can track malicious users who illegally share private keys. Through white box tracking that does not need to maintain a user list, the efficiency of the solution is improved, and no additional storage overhead is consumed.
(4) Multiple authorized authorities: multiple authorized authorities undertake the key distribution work and, thus, reduce the workload and solve the problem of incomplete trustworthiness of the single authority.
(5) High expressiveness: supports flexible access control and supports any monotonous access structure access strategy.

1.2. Organization

The rest of this paper is arranged as follows. In Section 3, we introduce the necessary background knowledge. In Section 4, we give the formal definition and security model of auditable ABE. In Section 5, we give the main constructions and security analysis. In Section 6, we provide a performance and experiment evaluation. Finally, Section 7 presents a brief conclusion and future work.

Melissa [13] proposed a ciphertext strategy-based multiagency authorization attribute-based encryption (MCP-ABE) scheme. The scheme has a central authority with the ability to decrypt each ciphertext, which reduces the security of decryption key storage. Lewko et al. [14] proposed a multiagency authorization scheme that supports arbitrary access structures based on the groups in composite order, resulting in a low efficiency. In order to improve the efficiency of the scheme, Yannis et al. [15] proposed a CP-ABE scheme based on prime order groups and made it support large attribute domains. Then, Yannis et al. [11] proposed a multiagency authorization CP-ABE scheme based on prime order groups and also support large attribute domains. In this scheme, the authors used the linear secret-sharing scheme (LSSS) to improve expression ability. However, none of the abovementioned studies support traceability.

The traceability in ABE is divided into white-box traceability and black-box traceability [16]. In this field, Ning et al. [17] proposed a white-box traceable method that enables large attribute domains and high expressive capability. Their white-box traceable scheme is based on a single authorization center. To improve this, Li et al. [18] proposed a CP-ABE scheme with multiauthorization centers. However, this scheme only supports the access strategy of the AND gate, which results in low expressive capability. Then, Zhou et al. [19] proposed a multiagency authorization CP-ABE scheme with white-box traceability that supports high expressive capability on medical cloud systems. However, their scheme does not support large attribute domains, and each authorization center has to maintain an identification table, which increases the storage overhead for tracking.

In the study of policy update, Ying et al. [20] proposed the first CP-ABE scheme that supports the modification of any form of fine-grained access control policy, and it is proved to be adaptive and secure under the standard model, but the system’s communication overhead and storage overhead are high. After that, Liu et al. [21] proposed an ABE scheme that supports outsourcing decryption, attribute revocation, and policy update. This scheme is more flexible and practical in practice, but its privacy-protection capabilities are slightly lacking. Recently, Jing et al. [22] proposed a CP-ABE scheme that supports access policy update and rapid expansion of attributes but did not consider the application scenarios of multiauthorization agencies.

3. Background

3.1. Access Structure

We define as a set of attributes, an access structure is a collection of nonempty subsets of , that is, , and the collection contained in is called an authorization set. If the user has an authorized attribute set, the user can perform decryption, but not vice versa.

For all and , , and , if , we say that the access structure is monotonous. We restrict to a monotone access structure in this paper.

3.2. Prime-Order Bilinear Groups

Let be a big prime and and be cyclic groups with prime order ; we say that : is a computable bilinear map if it has the following properties:
(1) Bilinear, i.e., for all
(2) Nondegeneracy, i.e., there exists such that , namely, the map does not send all pairs in to the identity in
(3) Computability, i.e., there is an efficient algorithm to compute for all

3.3. Linear Secret-Sharing Schemes

Let be the set of attributes, as shown in [23]; is a linear secret-sharing scheme (LSSS) on if it has the following properties:
(1) For each attribute form of a vector over , there is a secret share .
(2) The matrix for is called a share-generating matrix meaning a matrix with rows and columns for each access structure on . For , we define a function labels row of with attribute . We consider the column vector , where is the secret to be shared and are randomly chosen. Then, is the vector of shares of the secret according to .

For the LSSS scheme, it enjoys the linear reconstruction property. More precisely, let be an LSSS for the access structure , be an authorized set, and let be defined as . Then, for constants such that, for any valid shares of a secret according to , we have .
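The sharing and linear reconstruction properties above can be checked numerically. This is an added example, not code from the paper or its repository; the policy A AND (B OR (C AND D)), its matrix `M`, the row labelling `RHO`, the modulus `P` and all function names are constructed for illustration. It shares both a secret and 0 with the same matrix, as the encryption algorithm in Section 5.1 does.

```python
"""LSSS sharing and reconstruction over Z_p (added example, constructed values)."""
import secrets

# Constructed stand-in for the prime group order of Section 3.2.
P = 2**127 - 1

# Constructed policy: A AND (B OR (C AND D)).
# M is the share-generating matrix (4 rows, 3 columns); RHO[i] labels row i.
M = [
    [1, 1, 0],    # A
    [0, -1, 0],   # B
    [0, -1, 1],   # C
    [0, 0, -1],   # D
]
RHO = ["A", "B", "C", "D"]


def share(first_entry):
    """Return the share vector M*v mod P for v = (first_entry, r_2, ..., r_n)."""
    n = len(M[0])
    v = [first_entry % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def solve_mod(A, b, p):
    """Return one solution x of A x = b (mod p), or None if none exists."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in A[r]] + [b[r] % p] for r in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    # A remaining all-zero row with a non-zero right-hand side means "no solution".
    if any(row[cols] for row in aug[r:]):
        return None
    x = [0] * cols          # free variables are set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def reconstruction_constants(attrs):
    """Constants c_i with sum_i c_i * M_i = (1, 0, ..., 0) over the rows whose
    label is in attrs; None when attrs is not an authorized set."""
    idx = [i for i, a in enumerate(RHO) if a in attrs]
    n = len(M[0])
    # Column k of the system is row idx[k] of M (we solve for the c_i).
    A = [[M[i][j] for i in idx] for j in range(n)]
    target = [1] + [0] * (n - 1)
    c = solve_mod(A, target, P)
    return None if c is None else dict(zip(idx, c))


def combine(shares, consts):
    """Linear reconstruction: sum_i c_i * share_i mod P."""
    return sum(c * shares[i] for i, c in consts.items()) % P


if __name__ == "__main__":
    z = secrets.randbelow(P)
    lam = share(z)      # shares of the secret
    omega = share(0)    # shares of 0
    for attrs in ({"A", "C", "D"}, {"A", "B"}, {"A", "C"}, {"B", "C", "D"}):
        c = reconstruction_constants(attrs)
        if c is None:
            print(sorted(attrs), "-> not authorized, no constants exist")
        else:
            ok = combine(lam, c) == z and combine(omega, c) == 0
            print(sorted(attrs), "-> constants", c, "recovers z and 0:", ok)
```
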

3.4. Problem Assumption

Decisional -parallel bilinear Diffie–Hellman exponent (-PBDHE) assumption: the decisional -parallel bilinear Diffie–Hellman exponent (decisional ) problem [11] is saying that, given the tuple , it satisfiesif we can distinguish from a random value in .

Formally speaking, if , we say that an algorithm has advantage in solving the abovementioned decisional problem. Then, if all probabilistic polynomial time (PPT) algorithms have, at most, a negligible advantage in solving the decisional problem, we say that the decisional assumption holds.

LRSW assumption [12]: let be the cyclic group of order , be a generator of , and two random values satisfy and . Let be the random oracle, which inputs and outputs a triplet , where . If there is no probability polynomial time algorithm that can generate satisfying , , , with probability at the least , then the LRSW assumption in group is said to be true.

4. Definition and Security Model

4.1. System Model

We show the framework of our system in Figure 1. There are six main entities, namely, cloud storage provider, attribute authorities (AAs), data owners, data users, system party, and trusted party. The system party will invoke the system setup algorithm and generate the public parameters (). The is then firstly distributed to the attribute authorities, data owners, data users, and the trusted party. Then, the AAs invoke the authority setup process to generate public keys (s) and send their public keys to the data owners, data users, and the trusted party. Also, if the data users possess valid credentials, AAs will assign the attributes to them according to their request. The data owner generates ciphertext () for the message he wants to encrypt and uploads to the cloud storage provider. Once the data owner wishes to alter the access policy over the existing , he/she sends a policy update key to the cloud storage provider. Then, in the cloud storage, the ciphertext will be updated accordingly. Subsequently, if the users’ attributes satisfy the access policy of the , they can use the components of secret key to generate their secret key and perform decryption operation. Finally, the trusted party invokes the tracing algorithm if there is dispute or suspicion and reports the suspected user’s ID () to the AAs.

4.2. Definition

Our proposed cryptosystem according to the above description consists of the following eight algorithms:
: on input of a security parameter , the algorithm (run by the system) outputs the global s.
: we assume each authority is recognized by an identifier . On input of the global s and , the algorithm outputs the public key and the cloud secret key .
: on input of the user identity (), a set of user’s attributes , and the corresponding authority’s secret keys and , the algorithm outputs the private key for user matching his/her attribute set .
: this algorithm is run by a data owner who wants to share the data in the cloud. The algorithm inputs the message () concerning an access policy , a set of respective public keys and , and outputs the ciphertext .
: this algorithm is run by a data user. On input of the global s, a ciphertext and a private key matching an attribute set and the algorithm outputs the message if decryption is possible.
PolicyUpdateKeyGen : this algorithm is run by a data owner. On input of the global s, a set of public keys , the encryption information , the old access policy , and new access policy , the algorithm outputs the policy update key .
: this algorithm is run by the cloud storage provider. On input of the ciphertext and updated key , the algorithm outputs an updated ciphertext .
 or : this algorithm is run by the trusted party. On input of the decryption key and the public keys for corresponding authorities and s, the algorithm outputs an authority .

4.3. Security Model

We focus on two types of adversaries as follows:
(1) We consider the malicious data users as the static adversary. For static adversaries [11], we request that no unauthorized user can decrypt encrypted data stored in the cloud. In addition, we request that the collusion of a group of unauthorized malicious users is still unable to obtain unauthorized decryption privileges, which means our scheme needs to have collusion resistance.
(2) We consider the “honest but curious” cloud provider as the traceable adversary. We assume that the traceable adversary [24] will follow the protocol’s specification but will collect as much information as possible, i.e., secret/private keys. The traceable adversary is not allowed to obtain more secret information than it already has. In addition, it cannot identify “who has accessed the encrypted data” and “who has requested the decryption service.” Also, it cannot link a valid decryption request to a previous decryption request.

Then, we have the following two security models.

4.3.1. Model 1: Security for Static Adversary

The security model for static adversary is based on the static security model [11]. To define the security of our scheme (satisfying the abovementioned requirements), we design the following security games:
Init. The adversary selects a set of corrupted authorization agencies, records it as , and keeps it unchanged throughout the game. The normal authorized agencies are recorded as with ; knows the secret key of each corrupted organization .
Setup. The challenger runs the system of the solution in this article and sends the global to the opponent.
Query. requests as the relevant private key, where is the attribute set of the user with identity . All users’ identities are unique, and for arbitrary , there holds . Then, the adversary sends two messages and with the same length and a set of challenges . For each challenge, the access policy must satisfy the nonauthorization set. Finally, the ciphertext policy is requested to update any two access policies of the query challenge message and among them.
Challenge. The challenger randomly selects and responds to the adversary according to the RW scheme [11], including a set of public keys of the normal authority, a satisfied user private key, and a set of verification ciphertexts used to challenge the adversary. We use the simulator to convert the adversary’s query into a form that the challenger can recognize as a RW scheme and also convert the challenger’s response to the adversary.
Guess. outputs a guess for .

As can be seen in this game, the advantage of is defined as .

According to [11], we have the following definition.

Definition 1. The T-DPU-MCP-ABE scheme is static secure if all PPT adversaries have at most a negligible advantage in the abovementioned game.

4.3.2. Model 2: Security for Traceable Adversary

The security game for traceable adversary is similar to the game of the static one except the Setup, Query, and Forgery (identical to Guess) as follows:
Setup. runs and and sends the and the authority public key to .
Query. requests as the relevant private key, where is the attribute set of the user with identity . Then, runs KeyGen and sends to .
Forgery. outputs a forgery secret key , if , and .

According to [24], we have the following definition.

Definition 2. The T-DPU-MCP-ABE scheme is traceable secure if all PPT adversaries have at most a negligible advantage in the abovementioned game.

5. Traceable and Dynamic Policy Updating Multiauthority Attribute-Based Encryption

Here, we present our attribute-based key encryption scheme. Our scheme is constructed on the bilinear group with a large prime order and utilizes the LSSS access strategy together with two random oracle hash functions and . We realize the traceability by adopting the CL (Camenisch–Lysyanskaya) signature scheme [25]. Our scheme has two domains, namely, the attribute domain and the authority domain . There is a corresponding authorized authority releasing an effective attribute set to the users for each attribute.

Then, our scheme is specifically constructed as follows.

5.1. Our Construction
: this algorithm takes as input the security parameter and gets , where is the prime order and , is the bilinear mapping . It sets the attribute universe be . It then chooses random and three cryptographic hash functions , , and , where are used to hash the identity and the attribute of a user into an element of , respectively. Also, is used to hash the attribute into the corresponding . Finally, this algorithm sets the global public parameters as output.

: the algorithm chooses three random . Together with the inputs and , it then publishes the public key of the AU and sets the secret key as .

: the algorithm chooses random , and computes
It outputs the secret key .

: on input of the message (), the s and an access policy (where is an matrix), the public key of the agency , and the public parameters , the algorithm firstly chooses a random . Then, it chooses random , sets two vectors and , and computes the vectors of shares of and 0 as and , respectively (where denotes the transpose of the matrix).
Finally, it chooses random and computes
The ciphertext is set as .

: on input of , , , and , the algorithm sets the identification set as . For all and , the algorithm computes
where and .
Finally, the message is recovered by computing

: is a generator matrix of , and represents the information of the two random vectors and contained in the encryption algorithm. We define the function and .
First, the new access strategy and the old access strategy are used as input through the strategy comparison method in the literature [26] to generate three subset record rows indexes .
Then, it picks two random vectors and and then calculates and with .
When the row index satisfies (marked as module 1), the algorithm generates the update key as
When the row index satisfies (marked as module 2), the algorithm randomly picks and calculates the update key as
When the row index satisfies (marked as module 3), the algorithm randomly picks and generates the update key as
Finally, the data owner sends the updated key to the cloud storage service provider with .

: after the cloud storage service provider receives the update key, it updates the ciphertext to . By doing so, the cloud storage service provider cannot obtain relevant information during the re-encryption process of the ciphertext. The specific updates are as follows:
When the row index belongs to module 1, the update parameter is
When the row index belongs to module 2, the update parameter is
When the row index belongs to module 3, the update parameter is
Finally, the updated ciphertext is .

 or : the algorithm inputs the decryption key and the public key associated with the global public parameter . If the decryption key is not in the form or cannot pass the key integrity check, the algorithm will output a special symbol to indicate that there is no need to trace . The key integrity check of this scheme is as follows:

If there is an attribute that satisfies equations (14), it is considered that the key passes the integrity check, and the identity is output as the trace identity.

5.2. Correctness

The correctness of our scheme can be obtained from the following equations. It is known that

According to the corresponding values of and , we can obtain

Then, for and , we have

Hence, we have

This proves that the message can be correctly restored to

5.3. Security Analysis

Theorem 1. Assume the CP-ABE system in [11] is statically secure; then, the T-DPU-MCP-ABE system is static secure with respect to Definition 1.

Proof. For simplicity, we use , to denote the CP-ABE system in [11] and our T-DPU-MCP-ABE system, respectively. We suppose there exists a static polynomial time attacker that breaks with a nonnegligible advantage in selectively with a challenge LSSS access policy , where is an matrix. We will build a PPT algorithm that breaks with a nonnegligible advantage.
Init: gets a challenge LSSS access policy from and transmits the received to the challenger .
Setup: generates the common parameter and sends it to .
Query: initializes an integer counter and an empty table . Then, makes the following queries:
Receiving ’s decryption key query with an attribute does not satisfy , sets the attribute as and , then sends them to the challenger, and obtains a secret key . chooses a corrupted AA and generates the corresponding public key in . Also, for each , randomly chooses and generates the system public key . Then, responses for the normal AA , the corrupted AA by interacting with as follows. requires , where is the corresponding attribute set of user . All users’ are unique and for arbitrary , we have . Then, fixes a coin , which is used to generate message or with the same length. chooses a set of challenge . Finally, sends all the chosen parameters to .
Challenge: chooses two same length messages and sends to . Then, submits to the challenger, obtains a challenge common public key , and generates a ciphertext . chooses a random bit , computes , and sends the new ciphertext to .
Guess: finally, after receiving the abovementioned responses, outputs a guess . If , it means that guesses that is a random key, and outputs . If , meaning that guesses that is the key from , outputs .
Since the real system is the same as the distributions of the challenge ciphertext, if breaks the security of with a nonnegligible advantage, then the simulator can selectively break with the same advantage.

Theorem 2. Assume the CL signature scheme in [25] is secure against existential forgery; then, the T-DPU-MCP-ABE system in Section 5.1 is traceable secure with respect to Definition 2.

Proof. The security proof of the T-DPU-MCP-ABE system with respect to Definition 2 (i.e., for traceable adversary) is identical to the abovementioned proof except that the adversary runs the phase instead of the phase. Here, we suppose there exists a PPT attacker that selectively breaks the scheme with a nonnegligible advantage. We can build a PPT simulator algorithm that selectively breaks with a nonnegligible advantage. It is proved that the scheme is secure against existential forgery under adaptive chosen message attack with LRSW assumption.
Setup: the scheme challenger delivers each authority’s public keys to the simulator algorithm . chooses random values for each authority, runs and AuthoritySetup to generate the public key , and sends the public parameter and the authority public key to .
The two hash functions and of our scheme are managed by simulator .
Query. requests as the relevant private key, where means the attribute set of the user . Before forges the key, to maintain hash functions and , will set two empty tables, and , respectively, and update them according to the query of . When the queried by does not exist in the table of and , will select a random element and a random element and then record and with and , respectively. At the same time, simulator will return the hash value of or according to opponent the query of . For each , if the attribute authority , then B will submit to Challenger C according to the query of so as to obtain the signature in the CL scheme. Then, takes the random value and runs KeyGen() as well as sends to . In this step, should compute the following:
Then, the final calculation is as .
Forgery. In this step, already queries from simulator the value of and and obtains as and as . assumes the unknown and . Through formula (14) in Section 5.1, we could get that .
Also through formula (14) in Section 5.1, we could get that .
Then, calculates a legal signature according to the CL scheme, and the calculation process is as follows:
Then, picks a as a message and gives as the signature of the message according to the scheme.
Finally, outputs a forgery secret key , if and . As , we know that the signature of message is not invoked by yet. Thus, the simulator breaks the scheme with the same advantage.
Since in the abovementioned game the whole system has the decryption keys, the distributions of the public parameters, and challenge ciphertext, if breaks the security of the scheme, then the simulator can selectively break with the same advantage. Hence, if the LRSW assumption holds true, the proposed cryptosystem is against forgery, meaning that our scheme is traceable secure for the adversary.

5.4. Proof of Collusion Prevention

In our scheme, we use the unique and construct the hash function value corresponding to to resist collusion attack, which has been proved to be feasible by Allison and Waters [14]. In the process of decryption, the data user needs to calculate . For a single user with the access policy satisfaction attribute set, since are the shares of secret value 0, can be eliminated, where . In case of collusion attack, two or more users will have different ; thus, the value of will also be different; with a secret value of 0 cannot be constructed, and thus, it cannot be eliminated. Therefore, two or more users cannot share their attribute key values to generate collusion attacks, which means this scheme is resistant to collusion attack.

6. Performance Evaluations

6.1. Theoretical Analysis

We first make a theoretical comparison of our scheme with others. The comparison of features and performance of our work and related works is given in Tables 1 and 2.

It can be seen from Table 1 that the YB scheme [11] does not realize the traceability, nor does it have the function of dynamic access policy update; although the JZXL scheme [27] has both traceability and large attribute domains, it is constructed based on composite orders and is a single authorization which will become a bottleneck. Since the QLZH scheme [28] and the YLLT scheme [29] are based on tree access structure, they do not have the functions of large attribute domain, dynamic access strategy update, and traceability. The YLMH scheme [30] can realize the dynamic access strategy update but does not support traceability; while the ZLML scheme [31] does not have the function of dynamic access policy update. Compared with the above-mentioned related schemes, our scheme not only supports traceability, large attribute domain, and dynamic access policy update at the same time under multiple authorization agencies but also is based on the prime order bilinear group structure, which is more efficient.

Let and be the size of elements in and an exponentiation in , respectively. Let be a pairing and be the maximum amounts of time to compute an exponentiation in . Let be the number of ciphertext attributes, be the size of the attribute set of a private key, and be the output size of a function. Let be the number of rows of the matrix when decrypting.

In Table 2, we show the communication cost and the computing cost comparison. Compared with other solutions, our scheme is relatively better in the process of adding multiple functions. On the one hand, for the communication cost, we can draw the following conclusions: Firstly, our scheme has the advantages in the length of the private key that our scheme supports big attribute universe. More precisely, the public key of our scheme does not increase linearly with the size of the attribute domain in an attribute authority, while that of the YLMH scheme will, and the storage occupied by our public key is smaller than that of the SPB scheme [32] and the ZLML scheme. Secondly, although the user’s private keys in the YB scheme and the YLMH scheme are relatively small, none of these schemes support traceability. In order to enhance the security of the system, the scheme in this paper supports the traceability function, and the user’s private key does not increase too much. Furthermore, compared to the YLMH scheme and the ZLML scheme, the length of the ciphertext in our scheme is optimized, which is only linearly related to the number of rows from the generator matrix. On the other hand, for the calculation cost, our scheme supports an access strategy update algorithm, while the YB scheme and the YLMH scheme do not support this function. Finally, for the decryption cost, our scheme is much smaller than that of the YLMH scheme. The decryption cost in our scheme is only related to the number of attribute organizations where the attributes belong. Although the decryption cost in our scheme is slightly higher than that of the YB scheme and the ZLML scheme, the YB scheme does not support traceability and the ZLML scheme does not support access policy update.

6.2. Experimental Analysis

In this section, we conduct a simulation experiment to compare our scheme with the baseline algorithms (the simulation code is available at https://github.com/monzxcv/ABE). We select the scheme in [11] (YB scheme) and the scheme in [30] (YLMH scheme) as our baseline algorithms and run the experiments in five aspects: system initialization, key generation, data encryption, user decryption, and access strategy re-encryption. All the experiments are run on a 64-bit operating system of the Ubuntu 14.04 platform with a core 1.8 GHz processor and 4 GB RAM. We implemented the schemes with Charm version 0.50 and Python version 3.7. We first convert the YB scheme, YLMH scheme, and our scheme into asymmetric bilinear mapping and use the famous supersingular symmetric elliptic curve group (“SS512”). In the process of encryption and decryption, the costs of the YB scheme, YLMH scheme, and our scheme are related only to the number of access policy attributes. Therefore, in this experiment, we change the number of user attributes and calculate the time of system initialization and user key generation under the same conditions to get our first comparison. In addition, we change the access policy and calculate the time of user encryption and decryption to get another comparison. Finally, the time consumed for updating the ciphertext under the same conditions is calculated. The experimental attributes are constructed with . The strategy set is selected (). We increase the number of attributes from 5 to 50, and there are ten different access strategies. To ensure the accuracy of the conclusions, every experiment is run 15 times.

The system initialization cost and the average time cost of user private key generation are shown in Figures 2 and 3 when the number of attributes varies from 5 to 50. We fix the number of AAs at 8, and we also fix the number of attributes in the access policy at 8. Since both our scheme and the YB scheme support large attribute domains, their system initialization process is independent of the number of attributes, as is verified in Figure 2. It can be seen that as the number of attributes increases, the cost of the YLMH scheme increases, while the cost of our scheme stays constant, so the larger the number of attributes, the greater the advantage of our scheme. It can be seen from Figure 3 that the user private key generation time in all three schemes increases linearly with the number of attributes. This is because each attribute in the user’s private key must be calculated accordingly. Finally, the generation time cost of our scheme is not much different from that of the YB scheme and the YLMH scheme.

Figure 4 shows the average time cost of the encryption and decryption process when the number of attributes used in the access policy varies from 5 to 50. We fix the number of AAs at 8, and the number of attributes for each user is also fixed at 8. It can be seen from Figure 4 that the average execution time of the key generation and encryption/decryption process of the proposed scheme is equivalent to that of the YB scheme, while our scheme is more practical than the YB scheme because it supports features such as traceability and dynamic access policy update. Although the YLMH scheme’s encryption cost is the smallest, its decryption cost is the largest among the three schemes and is related to the number of attributes the user has. If the user’s attributes increase, the decryption time cost of the YLMH scheme will be higher.

Figure 5 shows the average computing time of policy update in the YB scheme, YLMH scheme, and our scheme. Since the YB scheme does not support dynamic strategy updates, we use the traditional update method for it. There are three modes of dynamic strategy update in the YLMH scheme and our scheme. We use mode 3 (which has the highest cost) for comparison. In addition, the number of AAs is fixed at 8, and the number of attributes for each user is also fixed at 8. We vary the number of attributes over 5, 10, and 15. As can be seen from Figure 5, our scheme and the YLMH scheme can dynamically update the strategy. Thus, their time cost is less than that of the YB scheme. Although our scheme costs slightly more than the YLMH scheme, our scheme supports traceability, which is considered to be more practical.

7. Conclusions and Future Work

We propose a scheme that addresses three problems in CP-ABE: multiple authorities, traceability, and flexibility in changing the access policy. Our scheme supports multiple authorities, white box traceability, large attribute domains, access policy updates, and high expressiveness. We prove that our scheme is static secure and traceable secure based on the state-of-the-art security models. By supporting traceability, there is no need to maintain the authorized institution’s identity table; thus, our solution is more practical. The experimental results indicate that our scheme performs efficiently while providing the abovementioned features. In future work, we plan to study computational outsourcing and hidden access strategies for CP-ABE.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was partially supported by the Key Areas Research and Development Program of Guangdong Province (Grant no. 2019B010139002), the Project of Guangzhou Science and Technology (Grant no. 202007010004), and the National Natural Science Foundation of China (Grant nos. 61902079 and 62002136).