Provably secure attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key for updating

Bilinear Maps

Linear Secret Sharing Scheme (LSSS)

Suppose that Π is an LSSS for the access structure \( \mathbb{A} \). Let \( \mathrm{S}\in \mathbb{A} \) be any authorized set, and let I ⊂ {1, 2, …, l}. Then, there exist constants {ω _i  ∈ Z _p } _i ∈ I such that, if {λ _i } are valid shares of any secret s according to Π, then \( {\displaystyle \sum_{i\in I}}{\omega}_i{\lambda}_i=s \). Futhermore, there these constants {ω _i } can be found in time polynomial in the size of the share-generating matrix M [6].

Decisional Parallel Bilinear Diffie-Hellman Exponent Assumption

it must remain hard to distinguish \( e{\left(P,P\right)}^{a^{q+1}}\in {G}_2 \) from a random element in R ∈ G ₂.

We say that the (decision) q-parallel BDHE assumption holds if no polytime algorithm has a non-negligible advantage in solving the decisional q-parallel BDHE problem [2].

Model

There are four entities in the proposed scheme as follows.

User: The user downloads the shared data from Cloud Server.

Data owner: The data owner encrypts the shared data then uploads to Cloud Server.

Authority: The authority manages attributes in the system and publishes the parameters used for encryption. It generates a secret key that user’s attributes are embedded and PRE keys used for re-encryption and updating secret key. The authority is trusted party.

Cloud Server: Cloud Server stores shared data. It re-encrypts encrypted shared data and update secret key by using PRE keys received from the authority. Similar to previous schemes [3,4], we assume Cloud Server to be curious-but-honest. That is, it will honestly execute the tasks assigned by legitimate parties in the system. However, it would like to learn information of encrypted shared data as much as possible.

Algorithm Definition

Our proposed scheme is composed of 8 algorithms: Auth.Setup, DO.Enc, Auth.Ext, U.Dec, Auth.ReKeyGen, C.ReEnc, C.ReKey, C.AddAtt.

Auth.Setup: The setup algorithm takes as input the security parameter and attribute universe description. It outputs the public parameters PK, master secret key MSK and the keys for granting an attribute J.

DO.Enc: The Encryption algorithm takes as input the public parameters PK, an LSSS access structure \( \mathbb{A} \), and a message ℳ. It outputs a ciphertext CT.

Auth.Ext: The key extraction algorithm takes as input the master key MK, and a set of attributes S. It outputs a secret key SK and t _ID .

U.Dec: The decryption algorithm takes as input a secret key SK for a set S and a ciphertext CT for an access structure \( \mathbb{A} \). If the set of attributes S satisfies the access structure \( \mathbb{A} \), it outputs a message ℳ.

Auth.ReKeyGen: The re-encryption key generation algorithm takes as input the master key MK and a set of attributes γ for update. It outputs the redefined master key MK′, the redefined public parameters PK′, and the PRE (Proxy Re-Encryption) keys rk.

C.ReEnc: The re-encryption algorithm takes as input an attribute y for update, the ciphertext component D _i and a PRE key list RKL _y . It outputs the re-encryption ciphertext component \( {D}_i^{\mathit{\hbox{'}}} \).

C.ReKey: The key regeneration algorithm takes as input an attribute w for update, the secret key component K _w and the PRE key list RKL _w . It outputs the updated secret key component \( {K}_w^{\hbox{'}} \).

C.GrantAtt: The attribute grant algorithm takes as input an attribute v, the key for granting an attribute J _v , t _ID and the PRE key list RKL _v . It outputs secret key component K _v and redefines the key for granting an attribute \( {J}_v^{\boldsymbol{\hbox{'}}} \).

Security Definition

We prove that unauthorized users and Cloud Server cannot decrypt ciphertext CT that was encrypted by the proposed scheme. Since we assume Cloud Server is honest, we do not consider active attacks from Cloud Server by colluding with unauthorized or revoked users. We define two attack models and security models as follows.

Overview

The proposed scheme is based on Waters’s scheme of CP-ABE [2]. Water’s scheme supports any LSSS access structure. We apply the idea of attribute revocation shown in [3] to the proposed scheme. In the proposed scheme, the attribute key is included in the ciphertext and secret key to delegate attribute revocation processes to Cloud Server. The attribute key is master key components corresponding to each attribute in the system. When user’s attributes are revoked, the authority re-defines the attribute keys, and generates PRE keys for updating the attribute keys. Cloud Server re-encrypts ciphertext and updates secret key by updating attribute key by using PRE key. Each attribute is associated with version number for updating attribute key.

Cloud Server keeps user list UL, re-encryption key list RKL and the key for granting an attribute to secret key J. UL records user’s ID, user’s attribute information, secret key components, t _ID . t _ID is a random number that randomize each secret key to prevent users’ collusion attack. t _ID should “bind” components of one user's key together so that they cannot be combined with another user's key components[2]. RKL records update history of attribute (version number) and PRE keys.

When granting attributes to users, Cloud Server generates user’s secret key components correspond to granting attribute from t _ID and J, and sends secret key component to the user. The user joins secret key component to own secret key. Thus, it is possible to grant attributes to users without generation of new secret key by the authority.

Algorithm

Auth.Setup(U) The setup algorithm takes as input the number of system attributes U. It first chooses a group G ₁ of prime order p, a generator P ∈ G ₁. It then chooses random group elements Q ₁, …, Q _U  ∈ G ₁ that are associated with the U attributes in the system. In addition, it chooses two random α, a ∈ Z _p , and random Att ₁, …, Att _U  ∈ Z _p as the attribute key.

The master key is MK : = < α, Att ₁, …, Att _U  >.

The keys for granting an attribute are J : = < {x, J _x  = 1/Att _x }_{1 ≤ x ≤ U}  >.

with (M, ρ).

U.Dec (SK, CT) The decryption algorithm takes as input a secret key SK for a set S and a ciphertext CT for access structure (M, ρ). Suppose that S satisfies the access structure and let I be defined as I = {i : ρ(i) ∈ S}. Then, let {ω _i  ∈ Z _p } _i ∈ I be as set of consistants such that if {λ _i } are valid shares of the secret s according to M, then \( {\displaystyle \sum_{i\in I}}{\omega}_i{\lambda}_i=s \).

It can then decrypt the message ℳ = C/e(P, P) ^αs .

Auth.ReKeyGen(MK, γ) The re-encryption key generation algorithm takes as input the master key MK and a set of attributes γ for update. For each x ∈ γ, it chooses random \( At{t}_x^{\mathit{\hbox{'}}}\in {Z}_p \) as the new attribute key, and computes \( {T}_x^{\hbox{'}}:=At{t}_x^{\hbox{'}}P \), \( r{k}_{x\to {x}^{\boldsymbol{\hbox{'}}}}:=\frac{At{t}_{\boldsymbol{x}}^{\boldsymbol{\hbox{'}}}}{At{t}_{\boldsymbol{x}}} \). It then replaces each Att _x of the master key component with \( At{t}_x^{\boldsymbol{\hbox{'}}} \), and each T _x of public parameter with \( {T}_x^{\boldsymbol{\hbox{'}}} \). It outputs the redefined the master key MK ', the redefined public parameters PK ', and the PRE keys rk := {x, rk _x } _x ∈ γ .

C.ReEnc( y(=ρ(i)), D _i , RKL _y ) The re-encryption algorithm takes as input an attribute y(=ρ(i)) for update, the ciphertext component D _i and a PRE key list RKL _y . It first checks version of attribute y. If y has the latest version, it outputs ⊥ and exit. Let \( At{t}_{y^{(n)}} \) be defined as an attribute key of the latest version of attribute y. It computes \( r{k}_{y\leftrightarrow {y}^{(n)}}:=r{k}_{y\leftrightarrow {y}^{\hbox{'}}}\cdot r{k}_{y^{\hbox{'}}\leftrightarrow {y}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{y^{\left(n-1\right)}\leftrightarrow {y}^{(n)}}=At{t}_{y^{(n)}}/At{t}_y \). Then, it outputs the re-encrypted ciphertext component \( {D}_{\boldsymbol{i}}^{\boldsymbol{\hbox{'}}}:=r{k}_{y\leftrightarrow {y}^{(n)}}\cdot {D}_i=\left(At{t}_{y^{(n)}}/At{t}_y\right) \) \( \cdot {r}_iAt{t}_yP={r}_iAt{t}_{y^{(n)}}P \) .

C.ReKey (w, K _w,ID , RKL _w ) The key regeneration algorithm takes as input an attribute w for update, the secret key component K _w and the PRE key list RKL _w . It first checks version of attribute w. If w has the latest version, it outputs ⊥ and exit. Let \( At{t}_{w^{(n)}} \) be defined as the attribute key for the latest version of attribute w. It computes \( r{k}_{w\leftrightarrow {w}^{(n)}}:=r{k}_{w\leftrightarrow {w}^{\hbox{'}}}\cdot r{k}_{w^{\hbox{'}}\leftrightarrow {w}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{w^{\left(n-1\right)}\leftrightarrow {w}^{(n)}}=At{t}_{w^{(n)}}/At{t}_w \). It then outputs the updated secret key component \( {K}_w^{\hbox{'}}:=r{k}_{w\leftrightarrow {w}^{(n)}}^{-1}\cdot {K}_w=\left(At{t}_w/At{t}_{w^{(n)}}\right)\cdot \left({\boldsymbol{t}}_{\boldsymbol{ID}}/At{t}_w\right){Q}_w=\left({\boldsymbol{t}}_{\boldsymbol{ID}}/At{t}_{w^{(n)}}\right){Q}_w \).

C.GrantAtt (v, J _v , t _ID , RKL _v ) The attribute grant algorithm takes as input an attribute v, the key for granting an attribute J _v , t _ID and the PRE key list RKL _v . It first checks version of attribute v. Let \( At{t}_{v^{(n)}} \) be defined as the attribute key for the latest version of attribute v. It first computes \( r{k}_{v\leftrightarrow {v}^{(n)}}:=r{k}_{v\leftrightarrow {v}^{\hbox{'}}}\cdot r{k}_{v^{\hbox{'}}\leftrightarrow {v}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{v^{\left(n-1\right)}\leftrightarrow {v}^{(n)}}=At{t}_{v^{(n)}}/At{t}_v \). It then outputs secret key component for \( {K}_v:={t}_{\boldsymbol{ID}}\cdot r{k}_{v\leftrightarrow {v}^{(n)}}^{-1}\cdot {J}_v= \) \( {t}_{ID}\cdot \left(At{t}_v/At{t}_{v^{(n)}}\right)\cdot \left(1/At{t}_v\right){Q}_v=\left({t}_{ID}/At{t}_{v^{(n)}}\right){Q}_v \) and redefines the key for granting an attribute \( {J}_{\boldsymbol{v}}^{\boldsymbol{\hbox{'}}}:=r{k}_{v\leftrightarrow {v}^{(n)}}^{-1}\cdot {J}_v=\left(1/At{t}_{v^{(n)}}\right){Q}_v \).

We show the flow of our scheme in Fig 1. In Fig 1, γ denotes a set of user u’s attributes which are revoked and β denotes a set of attributes that granting to user u.

Security Proof in the Attack Model 1

Theorem 1 Suppose the decisional q-parallel BDHE assumption holds and a challenge matrix of size is l* × n* where l* × n* ≤ q, our scheme is IND-CPA secure in the attack model 1.

Proof Suppose we have adversary A with non-negligible advantage ϵ against our scheme in the attack model 1. Moreover, suppose it chooses a challenge matrix M* where both dimensions are at most q. We show how to build a simulator, B, that plays the decisional q-parallel BDHE problem.

Init. The simulator takes in a q-parallel BDHE challenge \( \overrightarrow{y},T \). The adversary gives the simulator B the challenge access structure (M*, ρ*), where M* has n* columns.

Note that if X = ∅ then we have \( {Q}_x={g}^{z_x} \). Also note that the parameters are distributed randomly due to \( {g}^{z_x} \). The simulator B randomly chooses attribute keys t _x  ∈ Z _p for 1 ≤ x ≤ U and computes public parameters Τ _x  = t _x P. It gives the adversary A the public parameters PK := (P, e(P, P) ^α , aP, Q ₁, …, Q _U , T ₁, …, T _U ).

Phase1. The adversary A issues following queries:

The simulator B computes K _x ∀ _x  ∈ S as follows.

Case 1. If there is no i such that ρ*(i) = x, it computes K _x  = (1/t _x ) ⋅ z _x L.

It gives the adversary A secret key SK := (K, L, ∀ x ∈ S K _x ).

Add query : The adversary A submits a set of attributes S′ where S ∪ S′ does not satisfy the challenge access structure M*.The simulator B computes K _x ∀ _x  ∈ S′ as follows.

Case1. If there is no i such that ρ*(i) = x, it computes K _x  = (1/t _x ) ⋅ z _x L.

It gives the adversary A the secret key component \( {\left\{{K}_x\right\}}_{\forall x\in {S}^{\hbox{'}}} \).

Challenge. The adversary A submits two equal length messages ℳ₀, ℳ₁. The simulator B flips a random coin b ∈ {0, 1}. It computes C = ℳ _b T ⋅ e(sP, α ' P), C = sP. It choose random \( {y}_2^{\hbox{'}},\dots, {y}_{n^{*}}^{\hbox{'}}\in {Z}_p \) and the share the secret using the vector \( \overrightarrow{v}=\left(s,sa+{y}_2^{\hbox{'}},s{a}^2+{y}_3^{\hbox{'}},\dots, s{a}^{n-1}+{y}_{n^{*}}^{\hbox{'}}\right)\in {Z}_p^{n^{*}} \). In addition, it choose random values \( {r}_1^{\hbox{'}},\dots, {r}_l^{\hbox{'}}\in {Z}_p \).

It gives the adversary A the challenge ciphertext \( C{T}^{*}=\left(C,{C}^{\hbox{'}},\left({C}_1,{D}_1\right),\dots, \left({C}_{l^{*}},{D}_{l^{*}}\right)\right) \).

Phase2. Phase 1 is repeated.

Guess. The adversary A will eventually output a guess b′. of b. The simulator then outputs 0 to guess that \( T=e{\left(P,P\right)}^{a^{q+1}s} \) if b′. = b; otherwise, it outputs 1 to indicate that it believes T is a random group element R ∈ G ₂.

When T is a random group element the message ℳ _b is completely hidden from the adversary and we have \( \Pr =\left[\mathrm{B}\left(\overrightarrow{y},T=R\right)=0\right]=\frac{1}{2} \). Therefore, the simulator B can play the decisional q-parallel BDHE game with non-negligible advantage.

Security Proof in the Attack Model 2

Theorem 2 Suppose Waters’s scheme [2] is IND-CPA secure, our scheme is also IND-CPA secure in the attack model 2.

Proof Suppose we have adversary A with non-negligible advantage ϵ against our scheme in the attack model 2. Moreover, suppose it chooses a challenge matrix M* where both dimensions are at most q. We prove there is an simulator B which has advantage at least ϵ against Waters’s scheme simulator (Given input, it responds according to algorithms of the Waters’s scheme).

Init. The adversary A submits the challenge access structure (M*, ρ*) where M* has n* columns and version number ver* to the simulator B. The simulator B submits the challenge access structure (M*, ρ*) to the Waters’s scheme simulator.

Setup. The simulator B receives public parameters PK ^' := (P, e(P, P) ^α , aP, Q ₁, …, Q _U ) from the Waters’s scheme simulator. It randomly chooses attribute keys t _x  ∈ Z _p for 1 ≤ x ≤ U and computes public parameters Τ _x  = t _x P. It computes the key for granting an attribute J := {(1/t ₁)Q ₁, …, (1/t _U )Q _U }. Then, the simulator B computes PRE keys and public parameters T _x for each version as follows. For x (1 ≤ x ≤ U), for 1 ≤ k ≤ ver* − 1, the simulator B randomly chooses PRE keys \( r{k}_{x^{(k)}\to {x}^{\left(k+1\right)}}\in {Z}_p \) and computes public parameters \( {T}_{x^{\left(k+1\right)}}=r{k}_{x^{(k)}\leftrightarrow {x}^{\left(k+1\right)}}{T}_{x^{(k)}} \). (k + 1) and (k) denote the version number of PRE keys and public parameter. The simulator B gives the adversary A the public parameter PK := (P, e(P, P) ^α , aP, Q ₁, …, Q _U , T ₁, …, T _U ), the key for granting an attribute J and all PRE keys.

Phase1. The adversary A issues following queries:

K _x query : The adversary A submits a set of attributes S for version k, 1 ≤ k ≤ ver* − 1. we denote \( {V}_{x^{(k)}}={\displaystyle \prod_{i=2}^k}r{k}_{x^{\left(i-1\right)}\leftrightarrow {x}^{(i)}} \). The simulator B randomly chooses t _ID  ∈ Z _p and computes \( \forall x\in S\ {K}_x=\left({t}_{ID}/{t}_x \cdot {V}_{x^{(k)}}\right){Q}_x \). It gives the adversary A the secret key components {K _x }_{∀ x ∈ S} .

Challenge. The adversary A submits two equal length messages ℳ₀, ℳ₁, then the simulator B submits them to the Waters’s simulator. The Waters’s simulator flips a random coin b ∈ {0, 1} and computes ciphertest CT′ := (C, C′, (C ₁, D ₁), …, (C _l , D _l )) ← Enc(PK, (M*, ρ*), ℳ _b ). The simulator B receives the ciphertext CT ^', then it computes \( CT:=\Big(C,{C}^{\hbox{'}},\left({C}_1,{V}_{\rho {(1)}^{\left(ve{r}^{*}\right)}}{D}_1\right),\dots, \left({C}_l,{V}_{\rho {(l)}^{\left(ve{r}^{*}\right)}}{D}_l\right) \) from the ciphertext CT′. It gives the adversary A the cipertext CT.

Phase2. Phase 1 is repeated.

Guess. The adversary A outputs will eventually output a guess b′ of b. The simulator B outputs b′ as its guess.

The simulation above shows there is a simulator B that has advantage at least ϵ ageinst Waters’s scheme simulator if there is an adversary A that has advantage ϵ against our scheme.