Abstract

Decentralized attribute-based encryption (ABE) is a special form of multiauthority ABE in which no central authority or global coordination is required beyond creating the common reference parameters. In this paper, we propose a new decentralized ABE scheme in prime-order groups built from extended dual system groups. We formulate the assumptions used to prove the security of our scheme. The proposed scheme is fully secure under the standard -Lin assumption in the random oracle model and supports any monotone access structure. Compared with existing fully secure decentralized ABE systems, our construction has shorter ciphertexts and secret keys. Moreover, our system achieves fast decryption: ciphertexts can be decrypted with a constant number of pairings.

1. Introduction

Attribute-based encryption (ABE), which enables fine-grained access control, was first introduced by Sahai and Waters [1]. Subsequently, Goyal et al. [2] classified ABE into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, ciphertexts are associated with a set of attributes and secret keys are associated with access policies, while the opposite holds for CP-ABE. A ciphertext can be decrypted by a secret key if and only if the attributes satisfy the access policy.

Over the past decade, a number of ABE schemes [3–9] have been proposed that support fairly expressive policies. However, the classical ABE system has only a single authority, which manages all attributes and issues private keys to all users. Because of this lack of flexibility, such a system may be unable to meet the requirements of some applications. Three major aspects limit the application value of single-authority ABE systems. First, a single-authority system cannot support collaboration between different institutions, since it cannot verify attributes across organizations. Second, a single-authority system suffers from the key escrow problem: the authority must be highly trustworthy, as it can decrypt any ciphertext. Finally, relying on a single authority to generate keys for all users is a heavy workload that can easily become a performance bottleneck, and a failure of that authority affects the whole system.

Multiauthority or decentralized ABE systems [10, 11] were put forward to address these issues. Lewko and Waters [11] provided the first fully secure decentralized ABE system. In their system, any party can become an authority by creating a public key. Authorities issue private keys independently, and an authority that fails or is compromised affects only the attributes in its own domain, not the system as a whole. In addition, the scheme in [11] supports any monotone access structure.

Though the Lewko-Waters decentralized ABE scheme is expressive, its construction is based on composite-order bilinear groups. Recent research [12] shows that prime-order bilinear groups outperform composite-order groups in both time and space efficiency. To be specific, elements of 3072 or 3248 bits are required for a 128-bit security level in composite-order groups according to the NIST or ECRYPT II recommendations, while elements of 256 bits suffice in prime-order groups for the same security level. As for time efficiency, [12] indicates that a pairing over an elliptic curve of composite order is 254 times slower than over a prime-order elliptic curve at the 128-bit security level. For these reasons, it is preferable to design schemes over prime-order groups. In a subsequent work, Okamoto and Takashima [13] presented a decentralized ABE system over prime-order groups using dual pairing vector spaces [5]. Their construction improves the efficiency of decentralized ABE systems, but there is still a significant performance penalty due to the required size of the vectors. Hence, it is worth constructing a more compact decentralized ABE system in the prime-order setting.

We present a new construction of decentralized ABE using extended dual system groups (EDSG). Our proposed scheme is built over prime-order groups, has better space and time efficiency, and can be proved fully secure under the standard -Lin assumption in the random oracle model.

Proving full security of a decentralized ABE system is challenging. Even with the powerful dual system encryption methodology [14, 15], [11] needed two subgroups for the semifunctional space. The first subgroup hides nominal semifunctionality from the attacker's view by appending blinding factors to one key at a time. The second subgroup avoids leaking information about the first one by switching the semifunctional components from the first subgroup into it.

Dual system groups (DSG) [16] are an attractive tool for simulating composite-order groups in the prime-order setting. In contrast to prior works [17–19], which attempted to maximize the properties shared by composite-order and prime-order groups, dual system groups seek the minimal properties needed for the application to dual system encryption. The benefit is that we obtain more efficient and compact schemes, which is why our scheme reduces the ciphertext size compared with previous work [13]. Unfortunately, we observe that the dual system groups of [16] are insufficient for constructing fully secure decentralized ABE, since they have only one semifunctional space. To overcome this, we extend the basis of dual system groups from a matrix to a matrix, inspired by [20]. The first -dimensional subspace is the normal space, the next -dimensional subspace is used to construct type 1 semifunctional secret keys, and the last -dimensional subspace is used to construct type 2 semifunctional secret keys. In addition, we realize left subgroup indistinguishability, right subgroup indistinguishability 1, and right subgroup indistinguishability 2. These assumptions mimic the effect of the subgroup decision assumption in composite-order groups.

The paper is organized as follows. In Section 2, we introduce related work. In Section 3, we give a brief summary of the relevant concepts of multiauthority CP-ABE and prime-order bilinear groups. In Section 4, we give our revised definition of dual system groups, and we realize it in the prime-order setting in Section 5. In Section 6, we present our decentralized CP-ABE system, outline the security proof, and discuss its efficiency. Section 7 concludes the paper.

2. Related Work

Attribute-based encryption was introduced by Sahai and Waters [1]; it encrypts a message for multiple receivers according to their attributes rather than designating the recipients in advance. Subsequently, Goyal et al. [2] extended this idea and classified ABE systems into two categories: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). The first fully secure ABE system was presented by Lewko et al. [4]; before that, all ABE systems could only be proved selectively secure. In addition, several variants of ABE have been proposed. Ostrovsky et al. [21] showed how to realize negation by incorporating specific revocation schemes into the construction of [2]. Lewko et al. [22] provided a fully secure ABE system that is resilient to continual leakage. Regarding public parameter optimization, large universe ABE systems, in which the attribute universe can be exponentially large, were proposed in [23, 24]. The first multiauthority ABE system was introduced by Chase [10]; it has one central authority (CA) and multiple attribute authorities (AAs). Subsequently, Chase and Chow [25] removed the CA by using a distributed pseudorandom function. Both [10, 25] support only AND-gate policies. A multiauthority ABE supporting threshold policies was provided by Lin et al. [26]; their system requires no CA, but the authorities are fixed and must interact with each other during setup. The multiauthority ABE systems of [10, 25, 26] consider only the KP-ABE setting. Müller et al. [27] proposed the first multiauthority CP-ABE, supporting policies written in disjunctive normal form (DNF) with one CA and multiple AAs; the system can only be proved secure in the generic group model. In addition, all of the above systems only resist selective attacks; that is, the attacker must commit to a target access structure before the setup phase.
Lewko and Waters [11] first obtained a fully secure multiauthority CP-ABE by using the dual system encryption technique [14, 15]. Their system is decentralized, that is, the authorities are equal and no CA is needed, and it supports any monotone access structure. They proved security under static assumptions in the random oracle model. Liu et al. [28] proposed a multiauthority CP-ABE with multiple CAs and AAs. In their system, all of the CAs must work together to issue an identity-related key to the user; a threshold policy distributes the master secret so that no single authority can decrypt ciphertexts on its own. The system can be proved fully secure in the standard model. The scheme in [11] is built on composite-order groups, which results in low efficiency. An improved design in prime-order bilinear groups was given in [13]. Recently, Rouselakis and Waters [29] proposed an efficient large universe decentralized ABE system. However, the scheme achieves only static security, in which all queries (for both ciphertexts and secret keys) made by the attacker must be sent to the challenger immediately after seeing the global parameters.

In addition, several extensions of multiauthority ABE have been proposed. Ma et al. [30] presented a multiauthority ABE with traitor tracing; the system is impractical because of the infeasibly large sizes of the public key and ciphertext. Li et al. [31] proposed a multiauthority CP-ABE scheme with accountability, which allows tracing the identity of a misbehaving user who leaks the decryption key to others; the system supports AND-gate policies. A large universe decentralized KP-ABE scheme was proposed in [32]; it supports any monotone access policy and can be proved selectively secure in the standard model. Gorasia et al. [33] presented a multiauthority CP-ABE with fast decryption that supports only threshold policies. Zhong et al. [34] proposed a decentralized CP-ABE scheme with hidden policy; it also supports user revocation but achieves only selective security. An adaptively secure multiauthority CP-ABE scheme with verifiable outsourced decryption was given in [35].

3. Preliminaries

Notation. We use to denote that is picked randomly from a set . We denote probabilistic polynomial-time by PPT. denotes the set for any .

3.1. Prime-Order Bilinear Groups and Computational Assumptions

Prime-Order Bilinear Groups. The asymmetric prime-order group generator takes a security parameter as input and outputs , where , , and are cyclic groups of prime order , and are generators of and , respectively, and is an efficiently computable nondegenerate bilinear pairing, that is, , and .

Assumption 1 (-Lin: the -linear assumption in ). For any PPT adversary , the advantage of is negligible in : where

Assumption 2 (-LLin: the -lifted linear assumption in ). For any PPT adversary , the advantage of is negligible in : where

Lemma 3 (see [20]). For any PPT adversary , there exists an adversary such that

3.2. Multiauthority CP-ABE
3.2.1. Definition

In this paper, we use the definition of multiauthority CP-ABE and the security model presented in [11]. We let denote the attribute set managed by and denote the universe of attributes. For , we assume that . A multiauthority CP-ABE system consists of the following five algorithms:

GlobalSetup. This algorithm takes as input a security parameter and outputs the global public parameters GP.

Authority Setup. This algorithm is run by attribute authority . It takes as input global parameters GP and outputs its own public key and secret key .

KeyGen. This algorithm is run by . It takes as input GP, , an identity GID, and an attribute belonging to and returns a secret key .

Enc. This algorithm takes as input GP, an access matrix , the set of public keys for relevant authorities, and a message and outputs a ciphertext CT.

Dec. This algorithm takes as input GP, , and CT. If the collection of attributes satisfies the access policy, it outputs the message ; otherwise, it outputs .

3.2.2. Security Model

The security of multiauthority CP-ABE is defined by the following game run between a challenger and an adversary .

Setup. The challenger executes GlobalSetup and Authority Setup algorithm. It gives GP and to the adversary . For corrupt authorities, also gives the corresponding to .

Key Query Phase 1. In this phase, makes key queries by submitting to , where belongs to an uncorrupted authority. returns to .

Challenge. submits two equal-length messages , and an access policy subject to the following constraint. We let denote the subset of attributes controlled by corrupt AAs. For each identity GID, denotes the subset of attributes that has queried. For each GID, we require that cannot satisfy . randomly chooses and encrypts under . It sends the ciphertext to .

Key Query Phase 2. continues to query as in Phase 1, under the same constraint.

Guess. outputs a guess for .

The adversary’s advantage is defined to be .

Definition 4. A multiauthority CP-ABE scheme is secure if, for all PPT adversaries, the advantage is negligible in the above security game.

4. Extended Dual System Groups

(i) SampP: output
(a) Public parameter pp, which contains a group description (), a nondegenerate bilinear map , a linear map defined on , and some additional parameters for SampG and SampH.
(b) Secret parameter sp, which contains (where ) and some parameters for , , , and .
(ii) SampGT: Im() .
(iii) SampG: output .
(iv) SampH: output .
(v) : output .
(vi) : output .
(vii) : output .
(viii) : output .

The first four algorithms are used for normal ciphertexts and secret keys in the real system, while the remaining four are used only for semifunctional ones in the security proof. We use to indicate the first element of , that is, .

Correctness. It needs to meet the following conditions.

(Projective). For and a random variable , .

(Associative). For all and ,

Security. It needs to meet the following conditions.

(Orthogonality)(i).(ii).(iii).

(Nondegeneracy). For all and , and are distributed uniformly over .

(). The output of is distributed uniformly over a subgroup of .

(Left Subgroup Indistinguishability). For any PPT adversary , the advantage of is negligible in : where

(Right Subgroup Indistinguishability 1). For any PPT adversary , the advantage of is negligible in : where

(Right Subgroup Indistinguishability 2). For any PPT adversary , the advantage of is negligible in : where

(Parameter Hiding). The following two distributions are identical: where

5. Instantiating EDSG

We let and be functions mapping from a matrix to its left-most columns, the middle columns, and the right-most columns, respectively.

SampP.
(i) Run .
(ii) Define .
(iii) Sample and set , ; is a random full-rank diagonal matrix in whose bottom-right entry is a -dimensional unit matrix; define
(iv) Define for all .

Output

SampGT. Pick and output .

SampG. Pick and output

SampH. Pick and output

. Pick and output

. Pick and output

. Pick and output

. Pick and output Set , .

Correctness. We check correctness properties as follows.

(Projective). For all , :

(Associative). For all , , :

Security. We check the following security properties.

(Orthogonality)(i).(ii).(iii).

(Nondegeneracy)
(i) .
(ii) .
With overwhelming probability, the inner product is distributed uniformly over and therefore is distributed uniformly over ; the same is true for .

(). This follows from the fact that is an additive group.

Lemma 5 (left subgroup indistinguishability). For any PPT adversary , there exists an adversary such that

We may rewrite the LS advantage function as follows: where

Proof. Given an instance of the ()-LLin problem (i.e., ) as input, where all are either or uniformly chosen from . implicitly sets Define as Sample , , , set , and implicitly set Then we can compute

Simulating pp.

Simulating the Challenge. simulates the challenge as If , , that is, , the output is ; otherwise, the output is .

Lemma 6 (right subgroup indistinguishability 1). For any PPT adversary , there exists an adversary such that

We may rewrite the RS1 advantage function as follows: where

Proof. Given an instance of the ()-LLin problem (i.e., ) as input, where all are either or uniformly chosen from . samples and implicitly sets Define as Sample , , set , and implicitly set Then we can compute

Simulating pp.

Simulating . Sample and implicitly set Then we can compute

Simulating the Challenge. simulates the challenge as If , , that is, , the output is ; otherwise, the output is .

Lemma 7 (right subgroup indistinguishability 2′). For any PPT adversary , there exists an adversary such that

The RS2′ advantage function: where

Proof. Given an instance of the ()-LLin problem (i.e., ) as input, where all are either or uniformly chosen from . samples and implicitly sets Define as Sample , , set , and implicitly set Then we can compute

Simulating pp.

Simulating . Sample and implicitly set Then we can compute

Simulating the Challenge. simulates the challenge as If , , that is, , the output is ; otherwise, the output is .

Similarly, we can prove Hence, right subgroup indistinguishability 2 holds.

Lemma 8 (parameter hiding). The following are identically distributed: where and .

Proof. Sample and set , ; is a random full-rank diagonal matrix in whose bottom-right entry is a -dimensional unit matrix: Define , , and . Then Observe that Hence,
(i) if , then we obtain the first distribution;
(ii) if , then we obtain the second distribution.

6. Our Scheme

This section presents our decentralized CP-ABE system. Recall that , , and are functions mapping from a matrix to its left columns, middle columns, and right columns, respectively. We use the left -dimension subspaces to generate the normal ciphertexts and secret keys. The next two ones are only used in the security proof. The hash function maps global identities to random elements in , which is used as a random oracle in the security proof.

6.1. Construction

GlobalSetup Sample and set . Output

Authority Setup. For each attribute belonging to the authority, the authority samples , and outputs

Enc. Input a message , a matrix with (in our system, we require that be injective) mapping its rows to attributes, the global parameters, and the public keys of the relevant authorities. Pick , , . We let denote row of , and . The ciphertext is

KeyGen. Compute a key for GID for attribute belonging to authority as follows:

Dec. The secret keys correspond to a subset of rows of . If is in the span of , then is computed such that

Then, compute
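As an added illustration of the share-and-reconstruct step that Enc (the shares of the blinding secret) and Dec (the coefficients over the held rows) rely on, the following Python computes LSSS shares of a secret over Z_p for an access matrix and recovers the reconstruction coefficients for an authorized subset of rows by Gauss-Jordan elimination; it is not code from the paper. It assumes the standard LSSS convention in which the target vector is (1, 0, ..., 0), and the prime and the sample matrix for the policy (A AND B) OR C are constructed here.

```python
# Added example (not from the paper): LSSS sharing and reconstruction over Z_p,
# the linear-algebra core of Enc (shares lambda_x) and Dec (coefficients omega).
# Assumes the standard LSSS convention with target vector e1 = (1, 0, ..., 0).
import secrets
from typing import List, Optional

P = 2**255 - 19  # constructed prime standing in for the scheme's group order

# Constructed sample access matrix for the policy (A AND B) OR C.
# rho is injective (as the paper requires), so each row maps to one attribute.
ACCESS_MATRIX = [[1, 1],    # row 0: attribute A
                 [0, -1],   # row 1: attribute B
                 [1, 0]]    # row 2: attribute C


def share(M: List[List[int]], s: int, p: int = P) -> List[int]:
    """Enc side: pick v = (s, v_2, ..., v_n) at random and output the shares
    lambda_x = <M_x, v> mod p, one per row x of M."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * vi for m, vi in zip(row, v)) % p for row in M]


def reconstruction_coeffs(rows: List[List[int]], p: int = P) -> Optional[List[int]]:
    """Return omega with sum_x omega_x * rows[x] = e1 (mod p), or None when e1
    is not in the span of the given rows (the attribute set is unauthorized)."""
    k, n = len(rows), len(rows[0])
    # One equation per column j: sum_x rows[x][j] * omega_x = e1[j].
    aug = [[rows[x][j] % p for x in range(k)] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, r = [], 0
    for c in range(k):  # Gauss-Jordan elimination over Z_p, unknown c = omega_c
        piv = next((i for i in range(r, n) if aug[i][c]), None)
        if piv is None:
            continue  # free unknown; it is left at 0 below
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [a * inv % p for a in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    # A zero row with nonzero right-hand side means e1 is not in the span.
    if any(aug[i][k] for i in range(r, n)):
        return None
    omega = [0] * k
    for i, c in enumerate(pivots):
        omega[c] = aug[i][k]
    return omega


def reconstruct(M: List[List[int]], shares: List[int], S: List[int],
                p: int = P) -> Optional[int]:
    """Dec side: from the shares of the rows in S, recover
    s = sum_x omega_x * lambda_x, or None when S is unauthorized."""
    omega = reconstruction_coeffs([M[x] for x in S], p)
    if omega is None:
        return None
    return sum(w * shares[x] for w, x in zip(omega, S)) % p


if __name__ == "__main__":
    lam = share(ACCESS_MATRIX, 42)
    print("A and B:", reconstruct(ACCESS_MATRIX, lam, [0, 1]))  # 42
    print("C alone:", reconstruct(ACCESS_MATRIX, lam, [2]))     # 42
    print("A alone:", reconstruct(ACCESS_MATRIX, lam, [0]))     # None
```

In the scheme itself the shares are not revealed in the clear but sit in the exponent of the ciphertext components, and the same coefficients are applied to the pairing results in Dec.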

6.2. Security Proof

We define the semifunctional ciphertext and secret key as follows.

Semifunctional Ciphertext. We let , , , denote the normal ciphertext. The semifunctional ciphertext takes the following form: where , .

Semifunctional Secret Key. There are two types of semifunctional keys. A type 1 semifunctional key takes the following form: A type 2 semifunctional key takes the following form: When a semifunctional key is used to decrypt a semifunctional ciphertext, the additional terms
(i) type 1 semifunctional key: ,
(ii) type 2 semifunctional key: 
prevent decryption.

Game Sequence. We let denote the advantage of in .
(i) : the real security game.
(ii) : identical to except that the challenge ciphertext becomes semifunctional.
(iii) for : identical to except that the first keys revealed to become semifunctional of type 2, and the th key becomes semifunctional of type 1.
(iv) for : identical to except that the first keys revealed to become semifunctional of type 2. We let denote .
(v) : identical to except that we generate a semifunctional ciphertext of a random message as the challenge ciphertext.

Lemma 9 (from to ). For any PPT adversary , there exists an adversary such that .

Proof. The adversary gets input where is or .
Setup. Pick and output
Key Queries. When queries the random oracle for , chooses , sets , and stores this value. creates secret keys as follows:
Challenge. Upon receiving , , and , can compute the ciphertext by using . We note that the ciphertext is properly distributed except for , which take the following forms: where , . We must argue that there is no difference in 's view. By parameter hiding, it suffices to show that are identically distributed. This follows readily from the fact that
(i) the space spanned by the rows of whose corresponding attributes belong to corrupt authorities cannot include the vector ; it reveals no information about and ;
(ii) the rows of whose corresponding attributes belong to good authorities are masked by and , respectively.
If , properly simulates ; if , properly simulates . Hence, can determine the distribution of by using adversary .

Lemma 10 (from to ). For any PPT adversary , there exists an adversary such that .

Proof. The adversary gets input where is or .
Setup. Pick and output
Key Queries. We let denote the th identity queried by .
(i) : chooses and sets .
(ii) : chooses and sets .
(iii) : , where is the first element in .
creates secret keys as follows:
Challenge. Upon receiving , , and , computes the ciphertext by using , as follows: where , . The ciphertext is properly distributed except that the second components of are shares of . We must argue that there is no difference in 's view. By parameter hiding, it suffices to show that are identically distributed. This follows readily from the fact that
(i) for and , have nothing to do with ;
(ii) the space spanned by the rows of whose corresponding attributes belong to corrupted authorities or were queried with cannot include the vector ; it reveals no information about ;
(iii) the remaining rows of are masked by .
If , properly simulates ; if , properly simulates . Hence, can determine the distribution of by using adversary .

Lemma 11 (from to ). For any PPT adversary , there exists an adversary such that .

Proof. The adversary gets input where is or .
Setup. Pick and output
Key Queries. We let denote the th identity queried by .
(i) : chooses and sets .
(ii) : chooses and sets .
(iii) : , where is the first element in .
creates secret keys as follows:
Challenge. Upon receiving , , and , computes the ciphertext as follows: where , , , and we implicitly set .
If , properly simulates ; if , properly simulates . Hence, can determine the distribution of by using adversary .

Lemma 12 (from to ). For any PPT adversary , there exists an adversary such that

Proof.
Setup. samples and sets . Output also samples , for each attribute and sets
Key Queries. In both games, the secret keys take the following form: which means they leak no information whatsoever about .
Challenge. Upon receiving , , and , computes the semifunctional ciphertext of or . Observe that and the quantity is uniformly distributed over . This implies that the challenge ciphertext is identically distributed to a semifunctional encryption of a random message in , as in .

6.3. Performance Discussions

In this section, we analyze the space and computation cost of the proposed scheme by comparing it with existing decentralized ABE schemes.

As shown in Table 1, [11] is built on composite-order groups. We recall that composite-order elements are 12 times larger than prime-order ones and that pairing is 250 times slower in composite-order groups than in prime-order ones [12]. Though [29] is efficient, the scheme can only be proved statically secure under a -type assumption. Both [13] and ours are based on prime-order groups; the secret key size and the ciphertext size in ours are reduced by about compared with [13] under the same assumption (DLIN). Further improvement follows if we instantiate our construction under the SXDH assumption. In addition, the ciphertexts in our setting can be decrypted with a constant number of pairings at the cost of some additional exponentiations. We believe this is a good trade, since a pairing is about 5 times slower than a group exponentiation according to [29]. The decryption performance advantage of our scheme grows as the number of attributes used for decryption increases.

7. Conclusions

In this paper, we presented a fully secure decentralized CP-ABE scheme under the standard -Lin assumption in prime-order groups. To prove the security of our scheme, we extended the basis of dual system groups from a matrix to a matrix and realized assumptions that mimic the effect of the subgroup decision assumption in composite-order groups. Our scheme achieves lower computational cost because decryption needs only a constant number of pairing operations. We discussed the performance of our scheme from a theoretical point of view. Compared with other existing decentralized CP-ABE schemes, our scheme is more compact to implement and provides better efficiency in terms of communication and computation cost.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported in part by the National Natural Science Foundation of China (nos. 61502529, 61379150, 61472142, and 61602512) and the Science and Technology Commission of Shanghai Municipality (no. 14YF1404200).