Abstract

Multiauthority ciphertext-policy attribute-based encryption (MA-CP-ABE) is a promising technique for secure data sharing in cloud storage. As multiple users with the same attributes have the same decryption privilege in MA-CP-ABE, the identity of the decryption key owner cannot be accurately traced from an exposed decryption key. This leads to the key abuse problem: for example, malicious users may sell their decryption keys to others. In this paper, we first present a traceable MA-CP-ABE scheme supporting fast access and malicious users’ accountability. Then, we prove that the proposed scheme is adaptively secure under the symmetric external Diffie–Hellman assumption and fully traceable under the -Strong Diffie–Hellman assumption. Finally, we design a traceable and revocable MA-CP-ABE system for secure and efficient cloud storage from the proposed scheme. When a malicious user leaks his decryption key, our proposed system can not only confirm his identity but also revoke his decryption privilege. Extensive efficiency analysis results indicate that our system requires only a constant number of pairing operations for ciphertext data access.

1. Introduction

In recent years, the rise of the Internet of things [1] has promoted the application and development of sensor technology [2–4]. As an important sensing paradigm, mobile crowdsensing [5] has been widely used in various industries due to its large coverage area and low deployment cost. One of the most significant services for mobile crowdsensing is cloud storage [6], which supports large-scale data sharing. In cloud storage, individuals or organizations often need to share sensitive data with the users whose attributes satisfy a specific policy. For example, a patient wants to share his medical data with nurses and doctors in neurosurgery, but he does not know the identities of the nurses and doctors. Security is a very important issue [7, 8] on the Internet, and a potential solution for achieving data security is to encrypt the sensitive data before sharing it through the cloud. Unfortunately, traditional public key encryption [9] requires the data owner to know the receiver’s exact identity, so it is not suitable for the above scenario.

To address this issue, ciphertext-policy attribute-based encryption (CP-ABE) [10, 11] was introduced as an extension of traditional public key encryption. In CP-ABE, the user’s secret key is associated with his attributes, and the ciphertext is associated with an access policy, which is defined as a Boolean formula over a set of attributes; the user can decrypt the ciphertext only when his attributes satisfy the access policy. By using CP-ABE in the above example, the patient can encrypt the medical data with the access policy (“Doctor” AND “Neurosurgery”) OR (“Nurse” AND “Neurosurgery”) and upload the ciphertext to the cloud; then, only nurses and doctors in neurosurgery can access the medical data.

In a typical CP-ABE system, a single central authority manages all attributes and generates all users’ decryption keys. However, many scenarios require multiple authorities to manage different attribute domains. For instance, a patient wants to share his medical document with the users who hold the attribute “Doctor” issued by a hospital and the attribute “Researcher” issued by a medical research institute. To solve this problem, Chase [12] introduced multiauthority attribute-based encryption (MA-ABE), in which different authorities manage different attribute sets and each authority issues secret keys only for the attributes it manages. However, before MA-ABE can be applied in practice, the following issues need to be solved.

The standard MA-ABE suffers from the decryption key abuse problem. In multiauthority ciphertext-policy attribute-based encryption (MA-CP-ABE), the decryption privilege is based only on the user’s attributes, and the ciphertext does not contain the user’s identity information. Hence, a ciphertext can be decrypted by multiple users with the same attributes. For example, if Alice and Bob both have the attributes {“Researcher,” “Neurosurgery”}, then both of them can decrypt the ciphertext associated with the access policy (“Doctor” AND “Neurosurgery”) OR (“Researcher” AND “Neurosurgery”). In the MA-CP-ABE system, if a malicious user who has the same attributes as others sells his decryption key on the Internet, how can the malicious user be identified?

Another major issue in MA-ABE is malicious user revocation. In the MA-CP-ABE system, decryption keys may be compromised, and the corresponding malicious users should be removed from the system. Hence, a user revocation mechanism should be designed for the MA-CP-ABE system. User revocation mechanisms can be divided into direct revocation and indirect revocation. In direct revocation, the data owner encrypts the data with a specified revocation list, and the revoked users who are in this list cannot decrypt the corresponding ciphertext. Unfortunately, the direct revocation mechanism requires each data owner to keep a list of revoked user identities and breaks user anonymity in the ABE system. In indirect revocation, the authorities help the nonrevoked users to update their decryption keys periodically, so the revoked users cannot decrypt the new ciphertexts. In this paper, we focus on the indirect user revocation issue in the MA-CP-ABE system.

One efficiency drawback of MA-ABE is the significant cost of data access. In the MA-CP-ABE system, the number of resource-consuming pairing operations required to decrypt a ciphertext grows linearly with the number of attributes used for decryption, which makes data access too expensive. This drawback hinders the large-scale application of the MA-CP-ABE system on lightweight devices. For example, consider a medical cloud system based on MA-CP-ABE: the patients encrypt the data and upload the ciphertexts to the cloud, and a doctor may need to access the medical data in real time from a smartphone. Due to the expensive access cost, the traditional MA-CP-ABE system is obviously unsuitable in this scenario.

1.1. Our Contributions

Seeking to address the above issues, we first give the formal definition and security model for the traceable MA-CP-ABE (T-MA-CP-ABE) scheme and propose a concrete construction of T-MA-CP-ABE on prime order bilinear groups. Then, we prove the construction is adaptively secure under the symmetric external Diffie–Hellman assumption and fully traceable under the -Strong Diffie–Hellman assumption in the random oracle model. Based on the T-MA-CP-ABE construction, we further present a traceable and revocable MA-CP-ABE (TR-MA-CP-ABE) system for secure cloud storage. To the best of our knowledge, this is the first practical MA-ABE system that simultaneously supports traceability, revocation, and fast access. The major features of our TR-MA-CP-ABE system are outlined as follows:

(1) Multiauthority. There exist a central authority (CA) and multiple attribute authorities in our TR-MA-CP-ABE system. Each attribute authority (AA) is responsible for generating the user secret keys for the attributes under its control, and CA is responsible for tracing and revoking the malicious users. Unlike prior MA-ABE schemes, neither CA nor AA can independently generate user decryption keys in our system, even for just one attribute. In addition, the access policies can be expressed as any monotone access structure, which makes our system more practical.

(2) Traceability. Our TR-MA-CP-ABE system supports white-box traceability (traceability can be divided into white-box traceability and black-box traceability: white-box traceability catches a malicious user who leaks his decryption key to others, while black-box traceability catches a malicious user who leaks a decryption black-box). In our system, CA generates tracing information and user secret keys for the identity. If a malicious user leaks his decryption key to others, then CA can trace the malicious user’s identity from the corresponding decryption key. By adopting a full signature technique, our system does not require any identity table for tracing, which significantly reduces the storage overhead for CA.

(3) Revocation. Our TR-MA-CP-ABE system supports indirect user revocation. If a malicious user is caught by CA, then CA adds his identity to a revocation list, and AAs periodically update the attribute-based secret keys only for the users whose identities do not belong to the revocation list. Hence, the malicious users cannot obtain the new decryption keys and cannot access the new ciphertext data created in the current time period.

(4) Fast access. In our TR-MA-CP-ABE system, the number of pairings for decrypting a ciphertext is only 6, rather than increasing linearly with the number of attributes used during decryption. Furthermore, our decryption operation runs on prime order bilinear groups, which makes access significantly faster. The efficiency comparison shows that data access in our system is more efficient than that in other related works.

Table 1 compares the specific features of our TR-MA-CP-ABE system with the existing ABE schemes [13–16] that achieve multiauthority and traceability simultaneously.

1.2. Related Works

Chase [12] introduced the notion of MA-ABE and gave the first concrete construction of MA-ABE. As CA is assumed to be able to decrypt every ciphertext in [12], Chase and Chow [17] proposed a MA-ABE scheme without any CA, which was limited to expressing a strict “AND” policy over a predetermined set of authorities. Later, Lewko and Waters [18] presented an adaptively secure MA-ABE scheme where a policy could be expressed as any monotonic Boolean formula. Based on [18], Cui and Deng [19] presented a revocable MA-ABE that achieves attribute revocation. Zhang et al. [20] presented a shorter MA-ABE where a ciphertext can be decrypted with a constant number of pairing operations. Wang et al. [21] constructed a MA-ABE scheme from the LWE assumption. More recently, Xiong et al. [22] presented a revocable MA-ABE with outsourced decryption. However, none of these schemes considers the tracing problem.

Hinek et al. [23] proposed the first traceable CP-ABE, but their scheme only supports “AND gates with wildcard.” To improve expressiveness, Liu et al. [24] presented the first traceable CP-ABE that supports monotonic access structures. Later, Wang et al. [25] presented a traceable CP-ABE that can catch a malicious user who leaks a black-box decryption device. Ning et al. [26] presented a traceable and revocable CP-ABE that supports both accountable authority and public auditing. Liu and Wong [27] proposed a traceable and revocable CP-ABE for large universe. Xu [28] constructed a traceable CP-ABE with short decryption key. Recently, Han et al. [29] presented a traceable and revocable CP-ABE with hidden policy. Unfortunately, the above schemes only apply to the single-authority setting.

To address the key abuse problem in MA-ABE, Li et al. [13] presented a traceable MA-CP-ABE with limited access policy and security. Later, Zhou et al. [14] proposed a revocable and traceable MA-CP-ABE that achieves high expressiveness and full security. However, there exist multiple CAs in their scheme, and each CA needs to maintain a tracing identity table. Yu et al. [15] constructed a traceable MA-CP-ABE without any identity table and proved it adaptively secure in composite order groups. Recently, Zhang et al. [16] presented a more efficient traceable MA-CP-ABE in prime order groups. Unfortunately, their scheme only achieves static security and does not support user revocation. In addition, the common efficiency drawback of these schemes is that the number of pairing operations required to decrypt a ciphertext increases linearly with the number of attributes satisfying the access policy, which presents significant challenges for users who access data from mobile devices.

1.3. Organization

Section 2 introduces the relevant preliminaries, which include access structures, bilinear groups, and complexity assumptions. Section 3 gives the system architecture, algorithm definition, and security model of TR-MA-CP-ABE. Section 4 presents the detailed construction and formal security analysis of the T-MA-CP-ABE scheme. Section 5 designs a TR-MA-CP-ABE system and compares its efficiency with other related works. Section 6 concludes the paper.

2. Preliminaries

2.1. Notations

For convenience, we define some notations that will be used in this paper. For a finite set S, we denote by , the fact that is chosen uniformly at random from . Let be a set , where is a prime. Let and denote the set of all -dimensional vectors and matrices ( rows and columns) in , respectively. We denote a matrix by a bold letter. For a matrix , let be the transposition of , and be the th (the th row and th column) element of . For group , , and matrix , we use to denote the matrix, in which its th element is . For matrix , we denote . For , we denote . For two vectors , we denote the inner product of and by . We can also denote the above inner product notation for row and column vectors as follows.

Note that and .

2.2. Access Structures

Definition 1 (Access structure [30]). Let be the attributes universe. An access structure is a collection of nonempty subsets of , i.e., . If for , we have ; then, we say is monotone. The sets in are called authorized sets, while the sets not in are called unauthorized sets.

Definition 2 (Linear secret-sharing schemes (LSSS) [30]). A secret-sharing scheme over the attributes universe is called linear over if
(1) The shares for each attribute form a vector over .
(2) There exist a matrix and a function that satisfy the following: let the column vector , where is the secret to be shared, and ; then, is equal to the vector of shares of the secret according to . The share belongs to attribute .
Let be an LSSS for the access structure and be the access policy for . According to [30], LSSS enjoys the linear reconstruction property as follows. Let be an authorized set, and let . Then, there exist constants such that , where is the row of matrix .
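The linear secret-sharing machinery of Definition 2 in running code, as an added example that is not part of the paper: it converts a monotone Boolean formula (the medical policy from the introduction) into an LSSS matrix with the standard formula-to-matrix conversion, computes the share vector as the product of the matrix and the column vector (secret, r2, ..., rn), and performs the linear reconstruction by solving for the constants that combine the authorized rows into (1, 0, ..., 0) over Z_p. The small prime, the policy encoding, and all function names are this example's own assumptions, not the paper's notation.

```python
import random

# Constructed small prime for the demonstration; a real scheme works in Z_p
# for the bilinear group order p.
P = 1_000_003

# Policy tree (this example's own encoding): a string is an attribute leaf,
# ("AND", l, r) and ("OR", l, r) are gates.  Policy taken from the paper's intro.
POLICY = ("OR",
          ("AND", "Doctor", "Neurosurgery"),
          ("AND", "Nurse", "Neurosurgery"))


def lsss_matrix(policy):
    """Convert a monotone Boolean formula into an LSSS (M, rho) over Z_P.

    Standard conversion: the root carries the vector (1); an AND gate with
    vector v at counter c gives its children (v | 1) and (0, ..., 0 | -1) and
    increments c; an OR gate passes v to both children.  Rows are padded
    with zeros to the final counter length; rho labels each row.
    """
    rows, rho, counter = [], [], [1]

    def walk(node, vec):
        if isinstance(node, str):            # leaf: one matrix row per attribute
            rows.append(list(vec))
            rho.append(node)
            return
        gate, left, right = node
        if gate == "OR":
            walk(left, vec)
            walk(right, vec)
        elif gate == "AND":
            c = counter[0]
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown gate {gate!r}")

    walk(policy, [1])
    n = counter[0]
    M = [[x % P for x in r] + [0] * (n - len(r)) for r in rows]
    return M, rho


def share(M, secret, rng=random):
    """Share vector lambda = M * v with v = (secret, r2, ..., rn) over Z_P."""
    n = len(M[0])
    v = [secret % P] + [rng.randrange(P) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def solve_mod_p(A, b):
    """Return one solution x of A x = b over Z_P, or None if inconsistent."""
    m, k = len(A), len(A[0])
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(k):                       # Gauss-Jordan elimination mod P
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][k] for i in range(r, m)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x


def reconstruct(M, rho, shares, attrs):
    """Linear reconstruction: find omega with sum(omega_i * M_i) = (1,0,..,0)
    over the rows labelled by attrs, then return sum(omega_i * lambda_i).
    Returns None when attrs is an unauthorized set (no such omega exists)."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n = len(M[0])
    A = [[M[i][c] for i in idx] for c in range(n)]   # n x |idx| system
    omega = solve_mod_p(A, [1] + [0] * (n - 1))
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, idx)) % P


def demo(secret=42, seed=1):
    """Share `secret` under POLICY and rebuild it from several attribute sets."""
    M, rho = lsss_matrix(POLICY)
    shares = share(M, secret, random.Random(seed))
    return {
        "doctor+neuro": reconstruct(M, rho, shares, {"Doctor", "Neurosurgery"}),
        "nurse+neuro": reconstruct(M, rho, shares, {"Nurse", "Neurosurgery"}),
        "doctor+nurse": reconstruct(M, rho, shares, {"Doctor", "Nurse"}),
        "neuro only": reconstruct(M, rho, shares, {"Neurosurgery"}),
    }
```

Calling `demo()` recovers the secret for the two authorized sets and returns `None` for the unauthorized ones, which is exactly the "no reconstruction constants exist" case that makes a CP-ABE ciphertext undecryptable for a user whose attributes do not satisfy the policy; a real scheme hides the shares inside group elements, but the matrix, the row-to-attribute map, and the reconstruction constants are the same objects.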

2.3. Bilinear Groups and Assumptions

Let be an asymmetric bilinear group generator that takes as input a security parameter and outputs a tuple , where , and are cyclic groups of prime order , (respectively, ) is a generator of (respectively, ), and is an efficiently computable bilinear map such that
(1) Bilinear: 
(2) Nondegenerate: 

For , we denote .

Definition 3 (SXDH, Symmetric External Diffie–Hellman assumption [31]). The adversary ’s advantage in the SXDH assumption is defined as
where , , , , . We say the SXDH assumption holds if for all polynomial-time adversaries and both , is negligible in .

Definition 4 (-SDH, -Strong Diffie–Hellman assumption [32]). The adversary ’s advantage in the -SDH assumption is defined as
where , , and . We say the -SDH assumption holds if for all polynomial-time adversaries , is negligible in .
Note that compared with the -SDH assumption in [32], and have exchanged places here. However, this does not affect the security of the full signature scheme [32], that is, strong existential unforgeability under an adaptive chosen message attack based on the -SDH assumption, because we also exchange the places of and in the full signature scheme. The modified full signature scheme (BB scheme) is briefly described as follows:
(i) Setup . Run to obtain . Pick , set the public key , and secret key .
(ii) Sign . Given a message and , pick , compute , and set the signature as 
(iii) Verify . If , it outputs 1, meaning that the signature is valid. Otherwise, it outputs 0, meaning that the signature is invalid.

3. Problem Formulation

In this section, we first describe the system architecture of our TR-MA-CP-ABE. Then, we give the formal algorithm definition and security model for T-MA-CP-ABE and TR-MA-CP-ABE scheme.

3.1. System Architecture

As shown in Figure 1, our TR-MA-CP-ABE system comprises the following entities: a cloud server (CS), a central authority (CA), multiple attribute authorities (AAs), data owners (DOs), and data users (DUs). The role of each party is described as follows:

(i) CS: CS is responsible for storing the ciphertexts and processing the ciphertext upload and download requests.
(ii) CA: CA is not only responsible for generating the identity keys for data users but also for tracing and revoking the malicious users.
(iii) AA: each AA generates the attribute keys for data users and updates the attribute keys for nonrevoked users.
(iv) DO: each DO encrypts his own data and outsources the corresponding ciphertext to CS.
(v) DU: each DU downloads the ciphertext from CS and accesses the corresponding data with his decryption key.

More specifically, CA generates its own public/secret key pair, publishes the CA public key, and uses the CA secret key to generate the identity keys for all DUs. Each AA generates its own public/secret key pair, publishes the AA public key, and generates the user keys corresponding to the attributes it manages. Then, DU uses the identity key and attribute keys to generate his own decryption key. Next, DO encrypts the data with the public keys and an access policy and uploads the ciphertext to CS. Finally, the nonrevoked users can decrypt the ciphertext when their attributes satisfy the access policy, and other users cannot access the data. In our system, when a malicious user sells his decryption key, CA first identifies him by a tracing algorithm and then revokes him by adding his identity to a revocation list. Since AA will not update the attribute keys for the users whose identities are in the revocation list, the malicious users cannot update their decryption keys and cannot access new ciphertext data.

In our system, DOs are fully trusted entities who honestly execute the encryption algorithm. CS, CA, and AAs are all honest-but-curious: they correctly execute the algorithms of the system but try to learn any sensitive information about the data. Our system does not allow CS to modify or delete the stored ciphertext, but it allows several corrupt AAs to attack an unauthorized ciphertext whose policy cannot be satisfied by the corrupt attributes. Note that the decryption key is generated by combining the identity key and the attribute keys, so neither CA nor AA can independently construct the complete decryption key in our system. DUs are untrusted entities that may not only try to access unauthorized data but also sell their decryption keys on the Internet. To formally describe the above system and attacks, Section 3.2 defines the TR-MA-CP-ABE algorithms, and Section 3.3 presents an adaptive security model against an adversary who tries to learn any information about the unauthorized data and a traceability model against a malicious data user who leaks his decryption key.

3.2. Algorithm Definition

A T-MA-CP-ABE scheme consists of eight algorithms:
(i) Global Setup . On input a security parameter , it outputs the global parameters for the system.
(ii) CA Setup . CA runs this algorithm with the global parameters as input and outputs its public/secret key pair .
(iii) AA Setup . Each attribute authority runs this algorithm with the global parameters and its attributes set as input and outputs its public/secret key pair .
(iv) CA KeyGen . On input an identity , the CA secret key , and the global parameters , the CA key generation algorithm outputs the user’s CA key .
(v) AA KeyGen . On input an identity , the global parameters , a set of attributes , a user’s CA key , and the set of AA secret keys for the relevant AAs, the AA key generation algorithm outputs the user’s decryption key .
(vi) Encrypt . On input the global parameters , the CA public key , the set of AA public keys for the relevant AAs, a message , and an access policy , the encryption algorithm outputs a ciphertext .
(vii) Decrypt . On input the global parameters , a decryption key for an attributes set , and a ciphertext for an access policy , the decryption algorithm returns either the message when the attributes set satisfies the access policy or the error symbol meaning that decryption fails.
(viii) Trace . On input the global parameters , the CA public key , the AA public keys , and a decryption key , the tracing algorithm returns either an identity when passes the key sanity check, or the symbol meaning that does not need to be traced. The key sanity check is a deterministic algorithm that determines whether needs to be traced.
Our TR-MA-CP-ABE scheme is almost the same as the T-MA-CP-ABE scheme, except that CA Setup is modified by adding a revocation list, Encrypt and Decrypt are modified by adding a time period, AA KeyGen is replaced by AA KeyGen and KeyUpdate, and Trace is replaced by Trace and Revoke. The modified and replaced algorithms of the TR-MA-CP-ABE scheme are described as follows.
(ix) CA Setup . CA runs the CA setup algorithm with the global parameters as input to generate its public/secret key pair . In addition, CA initializes an empty revocation identity list .
(x) AA KeyGen and KeyUpdate . It takes as input an identity , the global parameters , a set of attributes , a time period , a user’s CA key , a revocation list , and the set of AA secret keys for the relevant AAs. If , it outputs . Otherwise, it outputs the user’s decryption key .
(xi) Encrypt . It takes as input the global parameters , the CA public key , the set of AA public keys for the relevant authorities, an access policy , a message , and a time period . It outputs a ciphertext .
(xii) Decrypt . It takes as input the global parameters , a decryption key for an attributes set for a time period , and a ciphertext for an access policy for a time period . If and satisfies , it outputs the message . Otherwise, it outputs the error symbol .
(xiii) Trace and Revoke . It takes as input the global parameters , the CA public key , the AA public keys , and a decryption key . If passes the key sanity check, it returns an identity and adds it to the revocation list . Otherwise, it returns the symbol .

3.3. Security Model

We now describe the adaptive security model for the T-MA-CP-ABE scheme. In our security model, an AA can manage multiple attributes, while each attribute can only be controlled by one AA. Let be the attribute authority universe and be the attribute universe. The adaptive security game between a challenger and an adversary is defined as follows.
(i) Setup. The challenger runs the global setup and CA setup algorithms and then gives and to the adversary. The adversary specifies a set of corrupt AAs . For the noncorrupt AAs in , the challenger runs the AA setup algorithm and provides the AA public keys to the adversary.
(ii) Phase 1. The adversary can repeatedly make two types of key queries as follows.
(1) CA key query. The adversary sends a user’s identity to the challenger. The challenger returns the corresponding private key to the adversary.
(2) AA key query. The adversary sends a pair to the challenger, where is an identity and is a set of attributes belonging to noncorrupt AAs. The challenger returns the corresponding decryption key to the adversary. Note that the user’s AA private key is part of his decryption key in our scheme, so the challenger gives the user’s AA private key to the adversary in this query.
(iii) Challenge. The adversary submits two messages and an access policy , where satisfies the following constraint. Let denote the attributes controlled by corrupt AAs, and denote the attributes that the adversary has queried for identity . For each , we require that does not satisfy . The challenger chooses a random coin and returns ciphertext to the adversary.
(iv) Phase 2. The adversary can make the key queries as in Phase 1, with the restriction on as described above.
(v) Guess. The adversary submits a guess and wins if . The advantage of an adversary in this game is defined as .

Definition 5. A T-MA-CP-ABE scheme is adaptively (or fully) secure if for any probabilistic polynomial time adversary, its advantage is negligible in .
A T-MA-CP-ABE scheme is called selectively secure if the adversary submits the access policy before the Setup phase. A T-MA-CP-ABE scheme is called statically secure if the adversary submits all queries immediately after seeing the global parameters. Our construction will be proved to be adaptively secure without the above restrictions.
Traceability of the T-MA-CP-ABE scheme is described by a game as follows:
(i) Setup. The challenger runs the global setup, CA setup, and AA setup algorithms and then gives , , and to the adversary.
(ii) Key query. The adversary makes the following queries.
(1) CA key query. The adversary sends to the challenger, where is an identity. The challenger returns the corresponding private keys .
(2) AA key query. The adversary sends to the challenger, where is an attributes set. The challenger returns the corresponding decryption keys .
(iii) Key forgery. The adversary submits a decryption key and wins if .
The advantage of an adversary in this game is defined as

Definition 6. A T-MA-CP-ABE scheme is fully traceable if for any probabilistic polynomial time adversary, its advantage is negligible in .
In our TR-MA-CP-ABE scheme, the AA key generation algorithm is the same as the AA key update algorithm. Hence, the security model of our TR-MA-CP-ABE scheme is the same as that of our T-MA-CP-ABE scheme.

4. Our T-MA-CP-ABE Scheme

In this section, we present a T-MA-CP-ABE scheme in an asymmetric bilinear group and prove it is adaptively secure and fully traceable in the random oracle model.

4.1. Construction

Inspired by [18, 20], we adopt a hash function to map user identities to elements of group . Unlike [18, 20], we use a CA to personalize the identity key for each user and the AAs to generate the corresponding attribute keys, so our construction supports multiple authorities and the AAs cannot obtain the user decryption key. Furthermore, we employ a full signature scheme [32] to realize traceability. More specifically, the CA injects the signature of the user identity into the user identity key and traces the user by his decryption key. We now present our T-MA-CP-ABE construction based on [18, 20], in which each attribute authority manages an attributes set .
(i) Global Setup . The algorithm first runs to obtain . , and are the cyclic groups of prime order , is a generator of , is a generator of , and is a bilinear map. It then samples and sets and . It chooses a hash function and publishes as the global parameters.
(ii) CA Setup . CA picks and computes , . Then, CA publishes the public key and sets as its secret key.
(iii) AA Setup . For each attribute , picks and computes , and . Then, publishes the public key and sets as its secret key.
(iv) CA KeyGen . For a user’s identity , CA picks and sets . Then, CA sends the private key to the user whose identity is .
(v) AA KeyGen . A user submits his identity and attributes set and to the relevant authorities . For each attribute , computes and sends the private key to the corresponding user. When the user receives , he sets as his decryption key.
(vi) Encrypt . On input a message and an access policy , where is a matrix and maps its rows to attributes, it first picks . For each , it computes , , where is the row of . The ciphertext is computed as
(vii) Decrypt . On input a ciphertext for a policy and a decryption key for an attributes set , let . If does not satisfy , it outputs . Otherwise, it chooses constants such that and computes
Finally, the message can be recovered as 
(viii) Trace . If the decryption key is not in the form of , it outputs . Otherwise, it runs a key sanity check on as follows: , , s.t. and
If passes the above check, it outputs the identity . Otherwise, it outputs .
Correctness. If the attributes set satisfies the policy , we have that . Then,
Therefore,
Note that , so there exists an unknown vector such that . Then, we have
Hence, .

4.2. Security Analysis

In this section, we first prove that our T-MA-CP-ABE scheme is adaptively secure under the SXDH assumption by a reduction to the underlying scheme in [20]. More specifically, we assume an adversary breaks our T-MA-CP-ABE scheme in the random oracle model with advantage ; then, we build a simulator that breaks the scheme in [20] in the random oracle model with advantage . Next, we prove that our T-MA-CP-ABE scheme is fully traceable under the -SDH assumption by a reduction to the signature scheme in [32]. More specifically, we assume an adversary breaks our T-MA-CP-ABE scheme in the traceability game; then, we build a simulator that breaks the signature scheme [32] under an adaptive chosen message attack.

4.2.1. Adaptive Security

Note that there are two typos in the scheme of [20] (which prevent the encryption and decryption algorithms from being executed completely) that should be corrected: should be corrected to , and should be corrected to . We denote the scheme of [20] with as the ZCGM1 scheme, which has been proved adaptively secure in [20].

Lemma 1 (see [20]). If the SXDH assumption holds, then the ZCGM1 scheme is adaptively secure in the random oracle model.

Lemma 2. Assuming that the ZCGM1 scheme [20] is adaptively secure, then our T-MA-CP-ABE scheme is adaptively secure.

Proof. Let denote the challenger corresponding to in the adaptive security game of the ZCGM1 scheme.
(i) Setup. When receives the global parameters from , it picks and computes , and . Then, stores and sends and to . Next, submits a corrupt AAs set to , and submits to to request the AA public keys for the noncorrupt AAs. When obtains AA public keys from , it sends to .
(ii) Phase 1. initializes an empty table and answers the CA key and AA key queries as follows:
(1) CA key query. When submits an identity to to request the corresponding CA key, first searches for the entry in table . If such an entry exists, returns to . Otherwise, picks and computes . Then, sends to and stores it in .
(2) AA key query. When submits a pair to to request the corresponding decryption key, first searches for the entry in table . If such an entry exists, can obtain from table . Otherwise, picks , computes , and stores in table . Then, calls the ZCGM1 AA key generation oracle on to obtain the private key . For each , computes . Finally, sets the corresponding decryption key as and sends it to .
(iii) Challenge. The adversary submits two messages and an access policy , where satisfies the following constraint. Let denote the attributes controlled by corrupt AAs, and denote the attributes that the adversary has queried for identity . For each , we require that does not satisfy . The challenger sends , and to to obtain the ZCGM1 challenge ciphertext . Then, computes and sends to .
(iv) Phase 2. The adversary makes the key queries as in Phase 1, but with the restriction on as described above. responds to the queries in the same way as in Phase 1.
(v) Guess. When outputs a guess , outputs .
Since perfectly simulates the ZCGM1 security game for , the advantage of in breaking the ZCGM1 scheme equals the advantage of in breaking our scheme.

Theorem 1. If the SXDH assumption holds, then our T-MA-CP-ABE scheme is adaptively secure.

Proof. This proof follows directly from Lemmas 1 and 2.

4.2.2. Traceability

Now, we prove that our T-MA-CP-ABE scheme is fully traceable by a reduction to the BB scheme [32], which is strongly existentially unforgeable.

Lemma 3 (see [32]). If the -SDH assumption holds, then the BB scheme is strongly existentially unforgeable under an adaptive chosen message attack.

Lemma 4. Assuming that the BB scheme [32] is strongly existentially unforgeable under an adaptive chosen message attack, then our T-MA-CP-ABE scheme is fully traceable in the random oracle model.

Proof. Let be a prime order bilinear group, and be the public key of the BB scheme. Let be the attributes set managed by attribute authority , and be the challenger corresponding to in the BB security game.
(i) Setup. When receives public key from , it first samples , sets , , and . Then, computes , , and sets . For each attribute , picks , computes and , and sets . Finally, sends global parameters , CA public key , and AA public keys to . stores and controls the random oracle .
(ii) Key query. In this phase, queries the CA keys corresponding to and the AA keys corresponding to . initializes two empty tables and answers ’s queries as follows:
(1) Random oracle hash query. When submits an identity to to request the corresponding random oracle hash value , first searches for the entry in . If such an entry exists, returns . Otherwise, picks , sends to , and stores in .
(2) CA key query. When submits an identity to to request the corresponding CA key , first searches for the entry in . If such an entry exists, returns to . Otherwise, submits to to request the corresponding signature. When receives signature from , searches for the entry in . If no such entry exists, picks and stores in . Next, obtains from table and sets as the corresponding CA private key. Finally, sends to and stores it in .
(3) AA key query. When submits a pair to to request the corresponding decryption key , first searches for the CA key in . If no such entry exists, generates the CA key as in (2) and stores it in . For each , computes . Finally, sends the corresponding decryption key to .
(iii) Key forgery. returns a decryption key to .
If wins this game, then . Therefore, the decryption key passes the key sanity check, and . Hence, , , s.t. , and queries the random oracle hash as in (1) and gets the record from . Then,
Hence, we have . As knows the pairs , it can compute . Then, obtains from and sets . Since , can output a valid signature on message in the BB security game. Note that , so has never queried a signature on , and thus wins the BB security game. Hence, if breaks our T-MA-CP-ABE scheme in the traceability game with advantage , then breaks the BB scheme with advantage .

Theorem 2. If the -SDH assumption holds, then our T-MA-CP-ABE scheme is fully traceable in the random oracle model.

Proof. This proof follows directly from Lemmas 3 and 4.

5. Our TR-MA-CP-ABE System

Based on our T-MA-CP-ABE scheme, we design a TR-MA-CP-ABE system for secure and flexible data access control in cloud storage. In our system, each data owner can share his data with multiple data users whose attributes satisfy the specific access policy. The malicious users who leak their decryption keys on the Internet will be caught and revoked by CA. Furthermore, we give an efficiency comparison that shows our system accesses the data significantly faster than other related works.

5.1. Concrete System

Inspired by [9, 19], we extend our construction to realize malicious user revocation by adopting a hash function and a revocation identity list . In our TR-MA-CP-ABE system, CA adds the malicious user’s to the revocation identity list in the user tracing and revocation phase, and AAs help the nonrevoked users to update their decryption keys in the key update phase. More specifically, we first use the hash function to map the time period and user attribute in , and then add into the system by embedding the element into the decryption key and ciphertext. The malicious users’ time elements will not be updated by AAs, so they cannot update their decryption keys and decrypt the new ciphertexts encrypted in new time period.

Let TMABE = (TMABE : GlobalSetup; TMABE : CASetup; TMABE : AASetup; TMABE : CAKeyGen; TMABE : AAKeyGen; TMABE : Encrypt; TMABE : Decrypt; TMABE : Trace) be the T-MA-CP-ABE scheme in Section 4.1. Below, we give the details of our TR-MA-CP-ABE system.

5.1.1. System Initialization

In this phase, CA generates the system parameters, revocation list, and its public and secret keys. Each creates a secret key for itself and a corresponding public key for public usage.

CA first runs the algorithm TMABE : GlobalSetup to obtain and chooses a hash function . Then, CA runs the algorithm TMABE : CASetup to obtain its own public key and secret key . Next, CA publishes the system parameters and its public key . Finally, CA initializes an empty revocation identity list .

first runs the algorithm TMABE : AASetup to generate its own public key and secret key . Then, keeps secret and publishes to others.

5.1.2. User Registration

When a data user wants to join the system, he should register himself with the CA and the relevant AAs. In this phase, CA issues the identity keys, and AAs issue the attribute keys to the registered users. From the identity and attribute keys, the registered users can create their decryption keys, which can be used for decrypting policy-matching ciphertexts.

First, the data user with identity makes a registration request to CA. CA runs the algorithm TMABE : CAKeyGen to obtain , sets as the user identity key, and sends it to the data user.

Next, the data user submits his identity and attributes set and to the relevant authorities . For each attribute , sets the corresponding user attribute key and sends it to the data user, where is a time period.

Finally, the user sets as his decryption key.

5.1.3. Data Outsource

In this phase, each data owner encrypts his data under a specific access policy and then outsources the ciphertext data to the cloud. When a data owner wants to share data with specific data users, he generates ciphertext data composed of a body and a header as follows.

First, the data owner picks a symmetric session key , uses it to encrypt the data under a symmetric encryption algorithm (such as AES), and sets the resulting ciphertext as the ciphertext body.

Then, the data owner encrypts the session key under an access policy and a time period as follows. He picks . For each , he sets , and computes

Finally, the data owner sets ciphertext head and outsources the ciphertext data to the cloud server.

5.1.4. Data Access

In our system, each data user can download any ciphertext data from the cloud server, but can only obtain the plain data by successfully decrypting the corresponding ciphertext data. In this phase, the data user has a decryption key for an attributes set for a time period and tries to access the data in the cloud.

The data user first queries a ciphertext of interest and gets the ciphertext from the cloud server. Then, the data user checks whether he has the access permission or not. If does not satisfy or , then he outputs , meaning that he cannot access this data. Otherwise, the data user runs the algorithm TMABE : Decrypt and gets the session key . Finally, the data user decrypts the ciphertext body with the key and recovers the plain data .

5.1.5. Key Update

In this phase, AAs help the nonrevoked data users update their decryption keys for a new time period . When the data user wants to update his decryption key, he submits his identity and attributes set and to the relevant authorities . first checks whether the data user has been revoked or not. If , outputs , meaning that the revoked data user cannot update his decryption key. Otherwise, for each attribute , computes the user attribute key . After that, sends the updated attribute key to the data user. Finally, the data user sets the decryption key as , which can be used for decrypting the ciphertext data in the new time period .

5.1.6. User Tracing and Revocation

In this phase, CA traces the malicious users who leak their decryption keys to others and revokes their access permissions in the system. When CA finds that a decryption key is being sold on the Internet, it first runs the algorithm TMABE : Trace . If the algorithm outputs , CA outputs , meaning that does not need to be traced. If the algorithm outputs an identity , then CA sets as the identity of the malicious user who leaked his decryption key . Finally, CA adds to the revocation list and updates for public usage.

As in [9, 19], we model the hash function as a random oracle, and our TR-MA-CP-ABE system has the same security conclusion as our T-MA-CP-ABE scheme. The correctness and security proofs are almost the same as those in Section 4.
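The six phases of Section 5.1 are summarized below as an added toy model; this is not the paper's code, and the pairing-based T-MA-CP-ABE algorithms are not reproduced. Instead, an ElGamal-style key encapsulation per (attribute, time period) stands in for the attribute keys, an HMAC-based stream cipher with a MAC stands in for AES, a list of attribute sets (DNF) stands in for the LSSS access policy, and a keyed tag on the identity stands in for the BB signature used by Trace. All names (CA, AA, run_scenario, the group parameters P and G, the users and attributes) are constructed for this example. The model shows the control flow: hybrid encryption with the session key in the header, the time element H(t, attr) binding keys and ciphertexts to a period, the revocation list blocking key update, and the stale key failing on a new-period ciphertext. It does not model collusion resistance or the real key sanity check, since the attribute keys here are not bound to the user identity.

```python
"""Added toy model of the TR-MA-CP-ABE workflow (Section 5.1): ElGamal-style
encapsulation per (attribute, period) and an HMAC stream cipher stand in for
the pairing-based scheme and AES.  Toy parameters; control flow only."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # toy prime modulus (assumption: NOT a secure group)
G = 3               # toy generator

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(t, attr):  # hash H mapping (time period, attribute) into the scheme
    return hashlib.sha256(f"{t}|{attr}".encode()).digest()

def kdf(shared):  # list of group elements -> 32-byte wrapping key
    return hashlib.sha256(b"".join(x.to_bytes(16, "big") for x in shared)).digest()

def keystream(k, nonce, n):
    return b"".join(prf(k, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def sym_encrypt(k, data):  # ciphertext body: keystream XOR, then MAC (AES stand-in)
    nonce = secrets.token_bytes(16)
    ct = xor(data, keystream(k, nonce, len(data)))
    return nonce + ct + prf(k, b"mac" + nonce + ct)

def sym_decrypt(k, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(k, b"mac" + nonce + ct)):
        return None
    return xor(ct, keystream(k, nonce, len(ct)))

class CA:
    def __init__(self):
        self.sk, self.RL = secrets.token_bytes(32), set()  # RL: revocation list

    def ca_keygen(self, gid):  # identity key (gid, tag); tag stands in for the BB signature
        return (gid, prf(self.sk, b"id:" + gid.encode()))

    def trace(self, dk):  # key sanity check, then name the owner and revoke it
        gid, tag = dk["id_key"]
        if not hmac.compare_digest(tag, prf(self.sk, b"id:" + gid.encode())):
            return None  # malformed key: nothing to trace
        self.RL.add(gid)
        return gid

class AA:
    def __init__(self, attrs):
        self.sk, self.attrs = secrets.token_bytes(32), set(attrs)

    def _x(self, attr, t):  # secret time element for (attribute, period)
        return int.from_bytes(prf(self.sk, H(t, attr)), "big") % (P - 1) or 1

    def public_key(self, t):  # published for each time period
        return {a: pow(G, self._x(a, t), P) for a in self.attrs}

    def key_update(self, gid, S, t, RL=frozenset()):  # registration uses an empty RL
        return None if gid in RL else {a: self._x(a, t) for a in S if a in self.attrs}

def encrypt(pks, policy, t, data):  # policy: list of attribute sets (DNF)
    k, s = secrets.token_bytes(32), secrets.randbelow(P - 2) + 1  # session key, randomness
    header = [(c, xor(k, kdf([pow(pks[a], s, P) for a in c]))) for c in map(sorted, policy)]
    return {"t": t, "c0": pow(G, s, P), "header": header, "body": sym_encrypt(k, data)}

def decrypt(dk, ct):
    if dk["t"] != ct["t"]:
        return None  # key period does not match the ciphertext period
    for clause, wrap in ct["header"]:
        if all(a in dk["attr_keys"] for a in clause):  # this clause is satisfied
            k = xor(wrap, kdf([pow(ct["c0"], dk["attr_keys"][a], P) for a in clause]))
            return sym_decrypt(k, ct["body"])
    return None  # attribute set does not satisfy the policy

def run_scenario():  # registration, outsource, access, trace/revoke, key update
    ca, aa1, aa2 = CA(), AA({"doctor", "nurse"}), AA({"neurosurgery"})
    policy = [{"doctor", "neurosurgery"}, {"nurse", "neurosurgery"}]
    t1, t2 = "2021-Q1", "2021-Q2"
    s_alice, s_bob = {"doctor", "neurosurgery"}, {"nurse", "neurosurgery"}
    def keys(gid, S, t, RL=frozenset()):  # attribute keys from both AAs
        k1, k2 = aa1.key_update(gid, S, t, RL), aa2.key_update(gid, S, t, RL)
        return None if k1 is None else {**k1, **k2}
    def pks(t):
        return {**aa1.public_key(t), **aa2.public_key(t)}
    dk_alice = {"id_key": ca.ca_keygen("alice"), "attr_keys": keys("alice", s_alice, t1), "t": t1}
    dk_bob = {"id_key": ca.ca_keygen("bob"), "attr_keys": keys("bob", s_bob, t1), "t": t1}
    ct1 = encrypt(pks(t1), policy, t1, b"patient record")
    out = {"alice_t1": decrypt(dk_alice, ct1), "bob_t1": decrypt(dk_bob, ct1)}
    out["traced"] = ca.trace(dk_alice)  # alice's leaked key is traced and revoked
    out["alice_update"] = keys("alice", s_alice, t2, ca.RL)  # refused: alice is in RL
    dk_bob2 = {**dk_bob, "attr_keys": keys("bob", s_bob, t2, ca.RL), "t": t2}
    ct2 = encrypt(pks(t2), policy, t2, b"new record")
    out["bob_t2"], out["alice_t2"] = decrypt(dk_bob2, ct2), decrypt(dk_alice, ct2)
    return out
```

Calling run_scenario() walks through the whole lifecycle: both registered users decrypt the first-period ciphertext, the CA traces the leaked key to "alice" and adds her to RL, her key update is refused while "bob" obtains second-period keys, and her stale first-period key fails on the second-period ciphertext. Note that the per-period public keys published by each AA are what make the time binding work with public information only; in the paper the same effect comes from embedding H(t, attr) in the pairing-based keys and ciphertexts.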

5.2. Efficiency Comparison

In this section, we give an efficiency comparison between our TR-MA-CP-ABE system and other T-MA-CP-ABE schemes, all of which support multiauthority and traceability. In Table 2, PK represents the public key (including the CA and AA public keys) size, DK represents the decryption key size, CT represents the ciphertext size, PID represents the number of pairing operations in decryption, and GO represents the group order. Let be the number of attributes in the system, the number of AAs in the system, the number of CAs in the system, the bit length of the user identity, the number of attributes in the decryption key, the number of rows of the matrix in the access policy, and ( ) the number of attributes used for decryption.

As shown in Table 2, the number of resource-consuming pairing operations required to decrypt a ciphertext in [13–16] increases with the number of attributes used for decryption, while our TR-MA-CP-ABE system needs only 6 pairings for decryption. Since an element in prime order groups is 12 times shorter than that in composite order groups [33], the storage overhead of our system is significantly smaller than that of the schemes [14, 15], which are constructed in composite order groups. Compared with our TR-MA-CP-ABE system, the schemes [13, 16] in prime order groups achieve a smaller public key size, but they neither achieve adaptive security nor support user revocation.

We evaluate our pairing operations in Python using the PBC library [34] with a type A curve. The experiment is performed on a MacBook laptop with a 2.8 GHz Intel Core i7 processor and 16 GB memory. Figure 2 illustrates the pairing costs for decryption in our TR-MA-CP-ABE system and the other two T-MA-CP-ABE schemes [13, 16] in prime order groups. We set and and increase the value of from 1 to 50. It is easy to see that the pairing cost for decryption in our system is constant and significantly smaller than that of [13, 16], which grows linearly with the number of attributes. Note that a pairing operation in prime order groups is about 100 times faster than that in composite (3 primes) order groups [35], so data access in our system is significantly faster than in the schemes [14, 15] constructed in composite order groups.

6. Conclusion and Future Work

In this work, we presented a traceable and revocable MA-CP-ABE system in prime order groups. Specifically, the proposed system has the following advantages: (1) the ciphertext cannot be decrypted by any individual authority, and the ciphertext policy can be any monotone access structure; (2) CA can not only catch the malicious user by his decryption key but also revoke the corresponding decryption privilege; and (3) the system achieves adaptive security and fast access.

As far as we know, our TR-MA-CP-ABE system is the first MA-CP-ABE system that supports traceability, revocation, and fast access simultaneously. However, our system only supports white-box traceability: the decryption key leaked by the malicious user is assumed to pass the key sanity check. Hence, our system is not suitable for the black-box traceability scenario, in which the malicious user constructs a decryption black-box from his decryption key and an unknown decryption algorithm and leaks the black-box instead of his decryption key. We leave it as future work to obtain a black-box traceable and revocable MA-CP-ABE system with fast access.

Data Availability

No data were used to support the findings of this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (Grant nos. 61802243, 11801345, and 62072352), the Natural Science Foundation of Shaanxi Province (Grant nos. 2019JQ-273, 2020JM-288, 2019JQ-472, 2020CGXNG-002, and 2019ZDLGY13-03-01), the Key Research and Development Program in Industry Field of Shaanxi Province (Grant no. 2019GY-013), the China Postdoctoral Science Foundation (Grant no. 2018M633456), the project “The Verification Platform of Multi-tier Coverage Communication Network for Oceans” (Grant no. LZC0020), Guangxi Key Laboratory of Trusted Software (Grant no. KX202035), and the Fundamental Research Funds for the Central Universities (Grant no. GK201903011).