Abstract

With the progress of cloud computing, many users hope in time to upload their data into the cloud for sharing. For sensitive data, the owner must encrypt it before sending it to the cloud server. The state-of-the-art method for fine-grained access control on encrypted data is attribute-based encryption (ABE). Though ABE is believed to be an outstanding technique for secure data sharing, it has many efficiency drawbacks. For example, its ciphertext size and decryption time increase linearly with the number of attributes used during encryption and decryption, and it is hard to revoke a user's access ability. In this paper, we propose a method to outsource the decryption of ABE via public cloud computing, and to control a user's decryption capacity through a bounded revocation technique. The public cloud server can transform any user's ABE ciphertexts into short ElGamal-type ciphertexts via the user's public transformation key. The transformed ciphertexts are actually ElGamal-type identity-based ciphertexts obtained through a bounded-collusion identity-based encryption scheme, and the decryption time only requires one exponentiation. Our scheme can revoke a user's decryption ability, but it is limited to scenarios with a bounded number of revocations.

1. INTRODUCTION

Cloud computing allows users to conveniently acquire shared system resources and higher-level services. With the progress of this information technology, many users hope to upload their files into cloud storage. It can save both computing and storage resources for users with resource-constrained devices, such as mobile phones. Many companies, including Facebook, tend to store their big data in a third-party cloud system. However, personal and company data both contain much sensitive information, such as personal photos and salary information. In particular, the cloud system can easily collect or leak this sensitive information.
To alleviate this security issue, a simple method is to encrypt the data. However, traditional encryption schemes only allow one-to-one encryption and do not scale well: as the number of users increases, the ciphertext size becomes a bottleneck. An ideal solution is to encrypt the data according to an access policy, as in the traditional role-based access control approach. For example, the data owner encrypts his/her photos by defining an access policy (Friends or (Colleague and Professor)), so that only the users whose attributes satisfy this policy can decrypt the photos. To date, attribute-based encryption (ABE) [1] is the best candidate method that can fulfill the aforementioned requirement. Specifically, many ABE schemes support fine-grained access control on encrypted data so that only users whose attributes satisfy the access policy embedded in the ciphertext can decrypt it. There are two types of attribute-based encryption schemes: key-policy ABE (KP-ABE) [2] and ciphertext-policy ABE (CP-ABE) [3]. In KP-ABE, a user's secret key is embedded with a policy, e.g. $P = $ (Friends or (Colleague and Professor)), and the ciphertext is encrypted under a set of attributes, e.g. $S = \{\text{Friends}, \text{Lecturer}\}$. In CP-ABE, the situation is reversed. In both cases, to decrypt a ciphertext, the set of attributes $S$ must satisfy the access policy $P$, denoted by $S \in P$. A user associated with an attribute set $S$ such that $S \notin P$ cannot decrypt that ciphertext. In the above example, the user's attribute Friends satisfies the access policy $P$ and hence he can access the data owner's photos encrypted under the policy $P$. However, if the user only has the attribute Lecturer, then he cannot. ABE has been considered in many cloud storage applications for fine-grained access control on encrypted data. However, many ABE schemes have efficiency drawbacks.
One is that the ABE ciphertext size and decryption time increase linearly with the number of attributes or the complexity of the access policy used during encryption and decryption. The other is that there is no efficient mechanism to revoke users. Unlike in the PKI-based setting [4], user revocation is very hard to achieve in the ABE setting, as there is no certification authority to inform senders about expired or revoked keys of users.

1.1. Our contribution

In this paper, we propose a method to outsource ABE decryption with a bounded number of user revocations. The framework of this method is depicted in Fig. 1.

Figure 1. System framework.

In this framework, a data owner encrypts the data and sends the ciphertext to a public cloud server. The cloud server holds a set of users' time-based transformation keys. In each time period, the cloud server can help a user partially decrypt his/her ABE ciphertexts via the corresponding time-based transformation key. To revoke a user's decryption ability, the user's final decryption key consists of two parts: one part is the private key pre-distributed by the key generation center (KGC) and the other part is the key update generated by the KGC according to the list of non-revoked users. So, the KGC can control which users have the ability to decrypt the transformed ABE ciphertexts. To achieve such a system, we first use the standard Waters CP-ABE scheme [5] to encapsulate a group element, and then use an identity-based encryption (IBE) scheme to encrypt the real message under the current time period $t$ (as identity). The IBE ciphertext consists of two parts, denoted by $(c_1, c_2)$. The key technique is that the above encapsulated group element coincides with $c_1$. In other words, $c_1$ is hidden by the ABE ciphertext. The cloud server holds the user's ABE decryption key $\mathsf{SK}_{id,S}$ as the transformation key.
For each time period $t$, the KGC generates the corresponding IBE decryption key $\mathsf{sk}_t$ as a public key update to all users. Clearly, such a system cannot prevent revoked users from decrypting new ciphertexts. To solve this security problem, we extract an exponent $z_{id,t}$ from the ABE decryption key $\mathsf{SK}_{id,S}$ for each time period. So, the transformation key now becomes $\mathsf{SK}_S^{1/z_{id,t}}$. Applying such a transformation key to the user's ABE ciphertext, the resulting decapsulated key is $c_1^{1/z_{id,t}}$. This implicitly indicates that the IBE decryption key for that user should be $z_{id,t}\cdot\mathsf{sk}_t$. So, for different users, the local decryption keys are not the same. To support revocation, we further randomly split $z_{id,t}$ as $z_{id,t} = x_{id,t}\cdot y_{id,t}$ and send $x_{id,t}$ to the local user as the pre-distributed private key. For each time period, the KGC sends the key update $y_{id,t}\cdot\mathsf{sk}_t$ to the corresponding non-revoked user. So, without the key update $y_{id,t}\cdot\mathsf{sk}_t$, a revoked user cannot generate the corresponding local decryption key $z_{id,t}\cdot\mathsf{sk}_t$.

Note that almost all IBE and ABE schemes are designed in a bilinear group $G$ such that there exists a bilinear map $e$ mapping $G\times G$ to a finite group $G_T$. However, the ABE encapsulated key belongs to the target group $G_T$. This requires our IBE scheme to be designed over $G_T$. To date, there are no good candidate IBE schemes over $G_T$ that do not limit the number of users. Due to this, we construct a bounded-collusion IBE scheme over the group $G_T$. That is, the number of users in the IBE system is bounded by some integer $N$. Applying such an IBE scheme to our ABE system requires that the number of key updates (equal to the number of revoked users) is also bounded by $N$. So, our system can be used in a scenario where few users are revoked. This does not limit the total number of users in our system, though the size of some parameters may be large (see the efficiency discussion in Section 4).

1.2. Related work

Attribute-based encryption is an extension of identity-based encryption [6]. It encrypts a message or generates a user's key using multiple identities (formally called attributes), rather than the single identity of identity-based encryption. Since the concept of ABE was proposed, many ABE schemes have been invented. Most of them support very expressive access structures, such as LSSS structures [5] and arbitrary circuits [7]. Normally, the size of the ABE ciphertext and the decryption time are both proportional to the number of attributes associated with the ciphertext or used during decryption. Only a small number of ABE schemes have compact ciphertext size [8, 9] and/or fast decryption [10], at the cost of large secret key sizes and restricted access policies.

1.2.1. Outsourcing technique

In ABE implementations, Green et al. [11] first involved a third-party server (cloud server) to reduce local users' storage and computing burden. The cloud server can partially decrypt a user's ABE ciphertexts into short ElGamal-type ciphertexts using a transformation key provided by the user, without revealing any sensitive information about the encrypted message. Li et al. [12] proposed an ABE scheme with outsourced key issuing and decryption. Zhang et al. [13] proposed a fully outsourced ABE, supporting key issuing, encryption and decryption outsourcing simultaneously. Yu et al. introduced secure outsourcing of key updates into cloud storage auditing [14] to resolve the key exposure problem [15].

1.2.2. Revocation technique

In the ABE as well as the IBE setting, Boldyreva et al. [16] proposed the first efficient solution to revoke users' decryption keys, by a binary-tree-based key update technique. Specifically, each user is pre-distributed a series of long-term secret keys, while the key generation center periodically generates time-based key update information so that only non-revoked users can combine the two to generate the current period's decryption keys.
Following this seminal method, many revocable IBE/ABE schemes were proposed by applying the binary-tree-based key update technique [17-20] or other techniques [21, 22]. To alleviate the efficiency drawbacks of revocable ABE schemes, some works apply the aforementioned outsourcing technique to construct revocable ABE schemes [23-25]. In [23, 24], the ABE systems involve a cloud storage server that re-encrypts an ABE ciphertext according to the information of non-revoked users. It seems that such a method requires the storage server to be semi-trusted and not to collude with revoked users. In [25], the key update information is periodically distributed to an untrusted cloud server (not the local user), so that the cloud server can generate any non-revoked user's time-based transformation key and apply it to partially decrypt that user's ABE ciphertexts without obtaining any part of the user's messages.

2. REVOCABLE AND OUTSOURCEABLE ABE

In this section, we give a general definition of a Revocable and Outsourceable ABE scheme (RO-ABE for short) and then define a security model for it. Before that, we give a short explanation of the notation in Table 1.

Definition 2.1 (RO-ABE). A revocable and outsourceable ABE scheme consists of the following (probabilistic) polynomial-time algorithms:

- $\mathsf{Setup}(1^\kappa, U) \to (\mathsf{MPK}, \mathsf{MSK}, \mathsf{RL}, \mathsf{ST})$. The setup algorithm takes as input the security parameter $\kappa$ and the attribute universe description $U$. It outputs the master public key $\mathsf{MPK}$, the master secret key $\mathsf{MSK}$, an empty revocation list $\mathsf{RL}$ and an initial state $\mathsf{ST}$.
- $\mathsf{KeyGen}(\mathsf{MSK}, id, S, \mathsf{ST}) \to (\mathsf{TK}_{id,S}, \mathsf{SK}_{id,S})$. The key generation algorithm takes as input the master secret key $\mathsf{MSK}$, an attribute set (resp. access policy) $S$, a unique user identity $id \in ID$ and the state $\mathsf{ST}$. It outputs a transformation key $\mathsf{TK}_{id,S}$, a private key $\mathsf{SK}_{id,S}$ and an updated state $\mathsf{ST}$.
- $\mathsf{KeyUp}(\mathsf{MSK}, \mathsf{RL}, \mathsf{ST}, t) \to \mathsf{KU}_t$. The key update algorithm takes as input the master secret key $\mathsf{MSK}$, the revocation list $\mathsf{RL}$, the state $\mathsf{ST}$ and a time stamp $t \in T$.
It outputs the current key update $\mathsf{KU}_t$.
- $\mathsf{DKG}(\mathsf{MPK}, id, \mathsf{SK}_{id,S}, \mathsf{KU}_t) \to \mathsf{DK}_{id,S,t}$. The decryption key generation algorithm takes as input the master public key $\mathsf{MPK}$, the unique identity $id$, the private key $\mathsf{SK}_{id,S}$ associated with $id$ and the key update $\mathsf{KU}_t$. It outputs a decryption key $\mathsf{DK}_{id,S,t}$, or $\bot$ if $id \in \mathsf{RL}$.
- $\mathsf{Encrypt}(\mathsf{MPK}, M, P, t) \to \mathsf{CT}_{P,t}$. The encryption algorithm takes as input the master public key $\mathsf{MPK}$, a message $M$, an access policy (resp. attribute set) $P$ and a time stamp $t \in T$. It outputs a ciphertext $\mathsf{CT}_{P,t}$.
- $\mathsf{Transform}(\mathsf{TK}_{id,S}, \mathsf{CT}_{P,t}) \to \mathsf{CT}'_{P,t}/\bot$. The ciphertext transformation algorithm takes as input a transformation key $\mathsf{TK}_{id,S}$ and a ciphertext $\mathsf{CT}_{P,t}$. It outputs the partially decrypted ciphertext $\mathsf{CT}'_{P,t}$ if $P(S)=1$, or $\bot$ otherwise.
- $\mathsf{Decrypt}_{out}(\mathsf{DK}_{id,S,t}, \mathsf{CT}'_{P,t}) \to M/\bot$. The decryption algorithm takes as input a decryption key $\mathsf{DK}_{id,S,t}$ and a partially decrypted ciphertext $\mathsf{CT}'_{P,t}$. It outputs the message $M$ if $S \in P$ and $id \notin \mathsf{RL}$, or $\bot$ otherwise.
- $\mathsf{Revocation}(id, t, \mathsf{RL}, \mathsf{ST}) \to \mathsf{RL}$. The identity revocation algorithm takes as input an identity $id \in ID$, a time $t \in T$ and a revocation list $\mathsf{RL}$. It outputs an updated revocation list $\mathsf{RL}$.

Table 1. Notations.

| Notation | Description |
|---|---|
| $\mathsf{MPK}$ | the master public key, generated by the KGC and shared by all parties |
| $\mathsf{MSK}$ | the master secret key, generated by the KGC |
| $\mathsf{RL}$ | the revocation list, maintained by the KGC |
| $\mathsf{ST}$ | a secret state, maintained by the KGC |
| $\mathsf{TK}_{id,S}$ | a transformation key associated with user $id$ and attribute set $S$; generated by the KGC and given to the cloud server |
| $\mathsf{SK}_{id,S}$ | a user's (long-term) private key, generated by the KGC |
| $\mathsf{KU}_t$ | key update information associated with time period $t$; generated by the KGC and given to all (non-revoked) users |
| $\mathsf{DK}_{id,S,t}$ | a short-term decryption key associated with user $id$ and time period $t$; generated by the user from his long-term private key $\mathsf{SK}_{id,S}$ |

For consistency, it is required that for all $\kappa \in \mathbb{N}$ and $U$, all possible $\mathsf{MPK}$ and $\mathsf{MSK}$ output by $\mathsf{Setup}(1^\kappa, U)$, all $M \in \mathcal{M}$, $t \in T$, $id \in ID$, access policies $P$ and attribute sets $S$, and all possible revocation lists $\mathsf{RL}$, if $id \notin \mathsf{RL}$ at time $t$ and $S \in P$, then
$$\Pr\left[M' = M :
\begin{array}{l}
(\mathsf{TK}_{id,S}, \mathsf{SK}_{id,S}, \mathsf{ST}) \leftarrow \mathsf{KeyGen}(\mathsf{MSK}, id, S, \mathsf{ST});\ 
\mathsf{KU}_t \leftarrow \mathsf{KeyUp}(\mathsf{MSK}, \mathsf{RL}, \mathsf{ST}, t);\\
\mathsf{DK}_{id,S,t} \leftarrow \mathsf{DKG}(\mathsf{MPK}, id, \mathsf{SK}_{id,S}, \mathsf{KU}_t);\ 
\mathsf{CT}_{P,t} \leftarrow \mathsf{Encrypt}(\mathsf{MPK}, M, P, t);\\
\mathsf{CT}'_{P,t} \leftarrow \mathsf{Transform}(\mathsf{TK}_{id,S}, \mathsf{CT}_{P,t});\ 
\mathsf{Decrypt}_{out}(\mathsf{DK}_{id,S,t}, \mathsf{CT}'_{P,t}) = M'
\end{array}\right] = 1.$$

Remark 1. In the above definition, $id$ is just an identifier (index) of an attribute set $S$, not necessarily a user's identity. If a user has multiple attribute sets, we can use $id[i]$ to indicate the user's $i$-th attribute set. Hence, without loss of generality, we assume that for any $id \in ID$ there is at most one attribute set associated with $id$, i.e. for any two pairs $(id, S)$ and $(id', S')$, if $id = id'$ then $S = S'$.

2.1. Security model

The security model for RO-ABE is defined through a game (see experiment $\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa)$) played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$. During the experiment, $\mathcal{A}$ may access the following oracles:

- $\mathcal{O}_{\mathsf{TK},\mathsf{SK}}(id, S)$: the transformation key and private key generation oracle. The challenger runs $\mathsf{KeyGen}(\mathsf{MSK}, id, S, \mathsf{ST})$ to obtain $(\mathsf{TK}_{id,S}, \mathsf{SK}_{id,S}, \mathsf{ST})$. It returns $\mathsf{TK}_{id,S}$ and $\mathsf{SK}_{id,S}$ to $\mathcal{A}$.
- $\mathcal{O}_{\mathsf{KU}}(t)$: the key update oracle. It takes as input a time stamp $t \in T$ and runs $\mathsf{KeyUp}(\mathsf{MSK}, \mathsf{RL}, \mathsf{ST}, t)$ to obtain $\mathsf{KU}_t$. The challenger returns $\mathsf{KU}_t$ to $\mathcal{A}$.
- $\mathcal{O}_{\mathsf{RL}}(id, t)$: the revocation oracle. It takes as input an identity $id$ (associated with an attribute set $S$) and a time $t$, and runs $\mathsf{Revocation}(id, t, \mathsf{RL}, \mathsf{ST})$ to update $\mathsf{RL}$.
In experiment $\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa)$, the following condition always holds: for every key generation query $(id, S)$ whose attribute set $S$ satisfies $P^*(S) = 1$, this $id$ must have been revoked by time period $t^*$ (i.e. $id \in \mathsf{RL}$ when $t \geq t^*$).

Experiment $\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa)$:

- Setup. The challenger runs $(\mathsf{MPK}, \mathsf{MSK}, \mathsf{RL}, \mathsf{ST}) \leftarrow \mathsf{Setup}(1^\kappa, U)$ and returns $\mathsf{MPK}$ to $\mathcal{A}$.
- Phase 1. $\mathcal{A}$ is given oracle access to the three oracles $\mathcal{O}_{\mathsf{TK},\mathsf{SK}}(\cdot,\cdot)$, $\mathcal{O}_{\mathsf{KU}}(\cdot)$ and $\mathcal{O}_{\mathsf{RL}}(\cdot,\cdot)$.
- Challenge. The adversary submits two equal-length messages $(M_0, M_1)$ and $(P^*, t^*, id^*)$ to $\mathcal{C}$. Then, the challenger picks a random bit $b \in \{0,1\}$ and returns to $\mathcal{A}$ the ciphertext $\mathsf{CT}_{P^*,t^*} \leftarrow \mathsf{Encrypt}(\mathsf{MPK}, M_b, P^*, t^*)$.
- Phase 2. $\mathcal{A}$ is once again given oracle access to the above oracles.
- Guess. $\mathcal{A}$ returns a bit $b'$ as a guess of $b$. The experiment returns 1 if and only if $b' = b$.

Definition 2.2 (CPA-secure RO-ABE). An ABE scheme $\mathsf{ABE}$ with revocation and outsourced decryption is CPA-secure (indistinguishable under chosen-plaintext attacks) if for any PPT adversary $\mathcal{A}$, the advantage function
$$\mathsf{Adv}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa) := \left|\Pr\left[\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa) = 1\right] - \tfrac{1}{2}\right|$$
is negligible in $\kappa$.

Selective security: We say that an RO-ABE scheme is selectively secure if we add an Initial stage before Setup in which the adversary commits to the values $(P^*, t^*, id^*)$ to the challenger.

3. CONSTRUCTION OF REVOCABLE AND OUTSOURCEABLE CP-ABE

Our revocable and outsourceable CP-ABE scheme involves two cryptographic components: one is the Waters CP-ABE scheme working in the KEM setting and the other is a bounded-collusion IBE (BC-IBE) scheme. We denote by $\mathsf{ABE}_W = (\mathsf{Setup}_W, \mathsf{Encrypt}_W, \mathsf{KeyGen}_W, \mathsf{Decrypt}_W)$ the Waters CP-ABE scheme and recall it in Appendix A. The underlying BC-IBE scheme is a variant of the DDH-based BC-IBE scheme from [26, 27] over bilinear groups $(e, G, G_T)$. We introduce it in Appendix B. We present our main construction in Fig. 2 and show its security in Section 3.1.

Figure 2. Bounded revocable ABE scheme with outsourced decryption.

Correctness: Suppose that $\mathsf{CT}_{P,t} = ((A,\rho), C', (C_1, D_1), \dots, (C_\ell, D_\ell))$ is a ciphertext of message $M$ encrypted under policy $P = (A,\rho)$ and time period $t \in T$. Also suppose that $\mathsf{TK}_{id,S}$ is the transformation key of user $id$ generated by $\mathsf{KeyGen}(\mathsf{MSK}, id, S, \mathsf{ST})$. Let $\mathsf{TK}_{id,S,t} = \mathsf{SK}_S^{1/z_{id,t}}$ be the $t$-th transformation key of identity $id$ contained in $\mathsf{TK}_{id,S}$.
If $S$ satisfies the access structure $(A,\rho)$, then there exists a set of coefficients $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i A_i = (1, 0, \dots, 0)$. According to Equation (A.1) of the Waters decryption algorithm, we have
$$\mathsf{Decrypt}_W(\mathsf{TK}_{id,S,t}, \mathsf{CT}_{P,t})
= \frac{e(C', K^{1/z_{id,t}})}{\prod_{i \in I}\left(e(C_i, L^{1/z_{id,t}}) \cdot e(D_i, K_{\rho(i)}^{1/z_{id,t}})\right)^{\omega_i}}
= \frac{e(g,g)^{\alpha s/z_{id,t}} \cdot e(g,g_1)^{rs/z_{id,t}}}{e(g,g_1)^{(r/z_{id,t}) \cdot \sum_{i \in I} \omega_i \lambda_i}}
= e(g,g)^{\alpha s/z_{id,t}}.$$
So, the output of $\mathsf{Transform}(\mathsf{TK}_{id,S}, \mathsf{CT}_{P,t})$ is an ElGamal-like ciphertext $(c_1', c_2') = (G^s, M \cdot G^{d \cdot s})$, where $G = e(g,g)^{\alpha/z_{id,t}}$ and $d = z_{id,t} \cdot \mathsf{sk}_t$ (with $\mathsf{sk}_t \leftarrow \mathsf{IBEExt}(\mathsf{sk}, t)$). If the user $id$ is not revoked at time $t$, then there exist $\mathsf{KU}_{id,t} = y_{id,t} \cdot \mathsf{sk}_t$ and $\mathsf{SK}_{id,S,t} = x_{id,t}$ such that $\mathsf{DK}_{id,S,t} = \mathsf{KU}_{id,t} \cdot \mathsf{SK}_{id,S,t} = z_{id,t} \cdot \mathsf{sk}_t = d$. Therefore, $\mathsf{IBEDec}(\mathsf{DK}_{id,S,t}, t, (c_1', c_2')) = c_2' \cdot (c_1')^{-\mathsf{DK}_{id,S,t}} = M$, as desired.

3.1. Security

The security of the RO-ABE scheme given in Fig. 2 is established by the following theorem.

Theorem 3.1. Suppose that the Waters CP-ABE scheme is selectively CPA-secure and the BC-IBE scheme is $N$-selectively CPA-secure. Then our CP-ABE scheme is selectively CPA-secure and supports decryption outsourcing and $N$ user revocations.

Proof. Fix a PPT adversary $\mathcal{A}$ that aims to break the selective CPA-security of the RO-ABE scheme presented in Fig. 2. Let $P^* = (A^*, \rho^*)$, $id^*$ and $t^*$ be the challenge access structure, identity and time stamp, respectively. We define two games. $\mathsf{Game}_0$ is the original selective security game of RO-ABE, as in $\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa)$. Hence, we have $\mathsf{Adv}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa) := \left|\Pr[\mathsf{Exp}^{\mathrm{CPA}}_{\mathsf{ABE},\mathcal{A}}(\kappa) = 1] - \tfrac{1}{2}\right|$. $\mathsf{Game}_1$ is the same as $\mathsf{Game}_0$, except that in the challenge ciphertext the encapsulated key $\mathsf{key}^*$ is replaced by a random element of the group $G_T$ and $c_2^*$ is computed as $M_b \cdot (\mathsf{key}^*)^{\mathsf{sk}_{t^*}}$, where $\mathsf{sk}_{t^*} \leftarrow \mathsf{IBEExt}(\mathsf{sk}, t^*)$. To show Theorem 3.1, it suffices to prove the following two lemmas.

Lemma 3.1. $\mathsf{Game}_0$ and $\mathsf{Game}_1$ are indistinguishable under the assumption that the Waters CP-ABE scheme is selectively CPA-secure.

Lemma 3.2. The adversary has negligible advantage in $\mathsf{Game}_1$ under the assumption that the BC-IBE scheme is $N$-selectively CPA-secure.
Taking the above two lemmas together yields Theorem 3.1. □

It remains to prove the above two lemmas.

Proof of Lemma 3.1. Given the challenge values $(P^* = (A^*, \rho^*), t^*, id^*)$, the simulator $\mathcal{S}$ forwards $(A^*, \rho^*)$ to its challenger $\mathcal{C}$ and receives the challenge master public key $\mathsf{MPK}_W^* = (D, g, e(g,g)^\alpha, g_1, h_1, \dots, h_U)$ of the Waters CP-ABE scheme. It simulates $\mathsf{Game}_0$ or $\mathsf{Game}_1$ as follows.

Setup. $\mathcal{S}$ sets $\mathsf{pp} := (D, g_T = e(g,g)^\alpha)$. Let $\Theta^* = \{i : \phi(t^*)[i] = 1\}$. According to Theorem B.1 on cover-free sets, we have $|\Theta^*| = k = 4N\log|T|$ and $n = 16N^2\log|T|$ (the number of BC-IBE public key elements). The simulator $\mathcal{S}$ picks $i^* \leftarrow_R \Theta^*$. Since $\phi(t^*) \setminus \bigcup_{t \in [N] \setminus \{t^*\}} \phi(t) \neq \emptyset$, with probability at least $1/k$ the chosen index satisfies $i^* \notin \phi(t)$ for all $t \neq t^*$ (i.e. $\mathsf{sk}[i^*]$ is not used in any $\mathsf{sk}_t$ with $t \neq t^*$). We assume that the simulator guesses $i^*$ correctly; this leads to a reduction loss of a factor $k$. For all $i \in [n]$, the simulator chooses $v_i \leftarrow_R \mathbb{Z}_p$. For $i \in [n] \setminus \{i^*\}$, it implicitly sets $\mathsf{sk}[i] = v_i/\alpha$, while for $i = i^*$ it implicitly sets $\mathsf{sk}[i^*] = v_{i^*} - \sum_{i \in \Theta^* \setminus \{i^*\}} \mathsf{sk}[i]$. For $i \in [n] \setminus \{i^*\}$, $\mathcal{S}$ computes $\mathsf{pk}[i] = e(g,g)^{v_i}$, and for $i = i^*$, $\mathcal{S}$ computes $\mathsf{pk}[i^*] = g_T^{v_{i^*}} \cdot \left(\prod_{j \in \Theta^* \setminus \{i^*\}} \mathsf{pk}[j]\right)^{-1}$. Clearly, all secret keys $\mathsf{sk}[i]$ are distributed as in $\mathsf{Game}_0$. Moreover, $\mathsf{pk}[i] = g_T^{\mathsf{sk}[i]}$. Finally, the simulator returns $\mathsf{MPK} = (\mathsf{MPK}_W, \mathsf{pk})$ to $\mathcal{A}$. $\mathcal{S}$ also sets $\mathsf{RL} = \emptyset$, $\mathsf{ST} = \emptyset$ and holds the secrets $(v_1, \dots, v_n)$.

Answering key generation. For every key generation query $(id, S)$, the simulator chooses $N$ random exponents $x_{id,1}, \dots, x_{id,N} \in \mathbb{Z}_p$ and sets $\mathsf{SK}_{id,S} = \{x_{id,t}\}_{t \in [N]}$. For $t \in [N]$, $\mathcal{S}$ chooses $\alpha_{id,t} \leftarrow_R \mathbb{Z}_p$. If $P^*(S) \neq 1$, the simulator queries the Waters key generation oracle $\mathsf{KeyGen}_W(\mathsf{MSK}, S)$ to obtain the secret key $\mathsf{SK}_S = (K, L, \{K_\tau\}_{\tau \in S})$. It sets the transformation keys as follows:
$$\mathsf{TK}_{id,S,t} = \begin{cases}
\left(g^{\alpha_{id,t}} \cdot g_1^{r},\ g^{r},\ \{h_\tau^{r}\}_{\tau \in S}\right) & \text{if } t \neq t^*,\\
\left(g^{\alpha_{id,t^*}} \cdot g_1^{r},\ g^{r},\ \{h_\tau^{r}\}_{\tau \in S}\right) & \text{if } t = t^* \text{ and } P^*(S) = 1,\\
\mathsf{SK}_S^{1/\alpha_{id,t^*}} & \text{if } t = t^* \text{ and } P^*(S) \neq 1,
\end{cases}$$
where $r \leftarrow_R \mathbb{Z}_p$. This implicitly sets
$$z_{id,t} = \begin{cases}
\alpha/\alpha_{id,t} & \text{if } t \neq t^*,\\
\alpha/\alpha_{id,t^*} & \text{if } t = t^* \text{ and } P^*(S) = 1,\\
\alpha_{id,t^*} & \text{if } t = t^* \text{ and } P^*(S) \neq 1,
\end{cases}
\qquad
y_{id,t} = \begin{cases}
\alpha/(\alpha_{id,t} \cdot x_{id,t}) & \text{if } t \neq t^*,\\
\alpha/(\alpha_{id,t^*} \cdot x_{id,t^*}) & \text{if } t = t^* \text{ and } P^*(S) = 1,\\
\alpha_{id,t^*}/x_{id,t^*} & \text{if } t = t^* \text{ and } P^*(S) \neq 1.
\end{cases}$$
Finally, the simulator returns $\mathsf{TK}_{id,S} = \{\mathsf{TK}_{id,S,t}\}_{t \in [N]}$ and $\mathsf{SK}_{id,S}$ to $\mathcal{A}$.
Answering key update. For a key update query at time $t$, the simulator calculates the key update $\mathsf{KU}_t = \{\mathsf{KU}_{id,t}\}_{id \notin \mathsf{RL}}$ as follows:
$$\mathsf{KU}_{id,t} = \begin{cases}
\dfrac{1}{\alpha_{id,t} \cdot x_{id,t}} \cdot \sum_{i=1}^{n} v_i \cdot \phi(t)[i] & \text{if } t \neq t^*,\\[2ex]
\dfrac{\alpha_{id,t^*}}{x_{id,t^*}} \cdot v_{i^*} & \text{if } t = t^*.
\end{cases}$$
Recall that if $t \neq t^*$, we have $\sum_{i=1}^{n} \mathsf{sk}[i] \cdot \phi(t)[i] = \frac{1}{\alpha} \sum_{i=1}^{n} v_i \cdot \phi(t)[i]$; if $t = t^*$ and $P^*(S) = 1$, the identity $id$ associated with $S$ must have been revoked and thereby $id \in \mathsf{RL}$; if $t = t^*$ and $P^*(S) \neq 1$, we have $\sum_{i=1}^{n} \mathsf{sk}[i] \cdot \phi(t^*)[i] = \mathsf{sk}[i^*] + \sum_{i \in \Theta^* \setminus \{i^*\}} \mathsf{sk}[i] = v_{i^*}$. Hence, for all $id$ and $t \in [N]$, $\mathsf{KU}_{id,t} = y_{id,t} \cdot \mathsf{sk}_t$ is distributed as in the real game, i.e. $\mathsf{Game}_0$. Finally, the simulator returns $\mathsf{KU}_t$ to $\mathcal{A}$.

Answering identity revocation. For a key revocation query $(id, t)$, the simulator adds $(id, t)$ to $\mathsf{RL}$ and returns it.

Answering the challenge ciphertext. Once $\mathcal{A}$ submits the challenge query $(M_0, M_1)$, the simulator first queries the Waters encryption oracle to get a challenge ciphertext $\mathsf{CT}^*_{W,P^*}$ and an encapsulated key $\mathsf{key}^*$, where $\mathsf{CT}^*_{W,P^*} \leftarrow \mathsf{Encrypt}_W(\mathsf{MPK}, (A^*, \rho^*))$ and $\mathsf{key}^* = g_T^{s}$ (for some shared secret $s$) or a random element of the group $G_T$. Then, the simulator chooses $b \leftarrow_R \{0,1\}$ and computes $c_2^* = M_b \cdot (\mathsf{key}^*)^{v_{i^*}}$. Finally, the simulator returns $\mathsf{CT}^*_{P^*,t^*} = (\mathsf{CT}^*_{W,P^*}, c_2^*)$ to $\mathcal{A}$. Since $\mathsf{sk}_{t^*} = \sum_{i=1}^{n} \mathsf{sk}[i] \phi(t^*)[i] = v_{i^*}$, we have $c_2^* = M_b \cdot (\mathsf{key}^*)^{\mathsf{sk}_{t^*}}$. So, if $\mathsf{key}^* = g_T^{s}$, the challenge ciphertext $\mathsf{CT}^*_{P^*,t^*}$ is distributed as in $\mathsf{Game}_0$; otherwise, it is distributed as in $\mathsf{Game}_1$.

Guess. The simulator continues to answer $\mathcal{A}$'s queries as before. Finally, the simulator returns what $\mathcal{A}$ outputs.

From the above discussion, the simulator perfectly simulates $\mathcal{A}$'s environment in $\mathsf{Game}_0$ if $\mathsf{key}^* = g_T^{s}$, and in $\mathsf{Game}_1$ if $\mathsf{key}^*$ is a random element of the group $G_T$. Hence, under the assumption that the Waters CP-ABE scheme is selectively CPA-secure, $\mathsf{Game}_0$ and $\mathsf{Game}_1$ are indistinguishable for any PPT adversary $\mathcal{A}$. □

Proof of Lemma 3.2. We construct a simulator $\mathcal{S}$ that attacks the $N$-selective CPA-security of the BC-IBE scheme by invoking the adversary $\mathcal{A}$ as a subroutine. Given the challenge values $(P^* = (A^*, \rho^*), t^*, id^*)$, $\mathcal{S}$ simulates $\mathcal{A}$'s environment as follows.
Setup. The simulator sends $t^*$ to the BC-IBE challenger and receives public parameters $\mathsf{pp}^* = (D, g_T, g^\alpha)$ and a public key $\mathsf{pk}^*$, where $D$ is a description of the bilinear groups, $g_T = e(g, g^\alpha)$ and $\mathsf{pk}^*[i] = g_T^{\mathsf{sk}^*[i]}$ for some unknown secret keys $\mathsf{sk}^*[i]$, $i \in [n]$. Let $\Theta^*$ and $i^*$ be defined as in the proof of Lemma 3.1. We again assume that the simulator correctly guesses the index $i^*$, which leads to a reduction loss of a factor $|\Theta^*| = 4N\log|T|$. The simulator chooses $\mathsf{sk}^*[i^*]' \leftarrow_R \mathbb{Z}_p$ and computes $\mathsf{pk}^*[i^*]' = g_T^{\mathsf{sk}^*[i^*]'} \cdot \left(\prod_{i \in \Theta^* \setminus \{i^*\}} \mathsf{pk}^*[i]\right)^{-1}$. It sets $\mathsf{pk} = (\mathsf{pk}^*[1], \dots, \mathsf{pk}^*[i^*-1], \mathsf{pk}^*[i^*]', \mathsf{pk}^*[i^*+1], \dots, \mathsf{pk}^*[n])$, i.e. $\mathsf{pk}[i] = \mathsf{pk}^*[i]$ for all $i \in [n]$ except that $\mathsf{pk}[i^*] = \mathsf{pk}^*[i^*]'$. Next, the simulator sets $\mathsf{MSK}_W = g^\alpha$, $\mathsf{RL} = \emptyset$ and $\mathsf{ST} = \emptyset$. It also chooses the master public key $\mathsf{MPK}_W$ of the Waters CP-ABE scheme as in $\mathsf{Game}_1$. Finally, the simulator returns $\mathsf{MPK} = (\mathsf{MPK}_W, \mathsf{pk})$ to $\mathcal{A}$. $\mathcal{S}$ holds $g^\alpha$ and $\mathsf{sk}^*[i^*]'$.

Answering key generation and key update. For all $t \neq t^*$, the simulator queries the key extraction oracle of the BC-IBE scheme to get $\mathsf{sk}_t \leftarrow \mathsf{IBEExt}(\mathsf{sk}, t)$. For $t = t^*$, the simulator sets $\mathsf{sk}_{t^*} = \mathsf{sk}^*[i^*]'$, since $\sum_{i=1}^{n} \mathsf{sk}[i] \phi(t^*)[i] = \mathsf{sk}[i^*] + \sum_{i \in \Theta^* \setminus \{i^*\}} \mathsf{sk}^*[i] = \mathsf{sk}^*[i^*]'$. In other words, for every time stamp $t$, the simulator knows the corresponding secret key $\mathsf{sk}_t$ relative to the public key $\mathsf{pk}$. Recall that the simulator also knows the master secret key $\mathsf{MSK}_W$ of the Waters CP-ABE scheme. Hence, $\mathcal{S}$ can answer the adversary's key generation queries and key update queries as in $\mathsf{Game}_1$.

Answering identity revocation. For a key revocation query $(id, t)$, the simulator adds $(id, t)$ to $\mathsf{RL}$ and returns it.

Answering the challenge ciphertext. Once $\mathcal{A}$ submits the challenge query $(M_0, M_1)$, the simulator first runs $\mathsf{Encrypt}_W(\mathsf{MPK}_W,(A^*, \rho^*))$ to obtain $\mathsf{CT}^*_{W,P^*}$. Then, it sends $(M_0, M_1)$ to the BC-IBE encryption oracle and obtains the BC-IBE challenge ciphertext $(c_1^*, c_2^*)$. Finally, the simulator returns $\mathsf{CT}^*_{P^*,t^*} = (\mathsf{CT}^*_{W,P^*}, c_2^*)$ to $\mathcal{A}$.

Guess. The simulator continues to answer $\mathcal{A}$'s queries as before. Finally, the simulator returns what $\mathcal{A}$ outputs.
Now, we show that the challenge ciphertext $\mathsf{CT}^*_{P^*,t^*}$ is distributed as in $\mathsf{Game}_1$. Suppose that $c_2^* = M_b \cdot \left(\prod_{i \in \Theta^*} \mathsf{pk}^*[i]\right)^{r}$ for some $r \leftarrow_R \mathbb{Z}_p$. Since $\mathsf{sk}^*[i^*]' \neq 0$ with overwhelming probability, we can rewrite $c_2^*$ as $c_2^* = M_b \cdot \left(\prod_{i \in \Theta^*} \mathsf{pk}[i]\right)^{r'}$, where $r' = r \cdot \sum_{i \in \Theta^*} \mathsf{sk}^*[i] / \mathsf{sk}^*[i^*]'$. Since $r$ is independent of the challenge ciphertext $\mathsf{CT}^*_{W,P^*}$ of the Waters CP-ABE scheme, so is $r'$. This implies that $\mathsf{key}^* = g_T^{r'}$ is random and independent of $\mathsf{CT}^*_{W,P^*}$. Moreover, $c_2^* = M_b \cdot (\mathsf{key}^*)^{\mathsf{sk}_{t^*}}$. So, the challenge ciphertext has the same distribution as in $\mathsf{Game}_1$.

From the above analysis, the simulator perfectly simulates $\mathsf{Game}_1$ with overwhelming probability (at least $1 - 1/p$). Since the BC-IBE scheme is $N$-selectively CPA-secure, $\mathcal{A}$ has negligible advantage in $\mathsf{Game}_1$. This completes the proof of Lemma 3.2. □

4. EFFICIENCY COMPARISON

In this section, we give a theoretical efficiency comparison among the Waters CP-ABE scheme [5] and its variants with outsourced decryption [11], with user revocation [16], and with both outsourced decryption and revocation (our scheme). The revocable Waters CP-ABE scheme can be viewed as the result of applying the binary-tree revocation technique of [16] to the standard Waters CP-ABE scheme. The comparison results are shown in Tables 2 and 3.

Table 2. The number of operations during transformation and final decryption.

| Scheme | Transformation [#Pairing, #Exp.] | Final decryption [#Pairing, #Exp.] | Outsourcing | Revocation |
|---|---|---|---|---|
| Waters [5] | – | [2I+1, I] | ✗ | ✗ |
| GHW [11] | [2I+1, I] | [0, 1] | ✓ | ✗ |
| BGK [16] | – | [2I+2, I] | ✗ | ✓ |
| Ours | [2I+1, I] | [0, 1] | ✓ | ✓ |

Table 3. Summary of key and ciphertext sizes.

| | Waters [5] | GHW [11] | BGK [16] | Ours |
|---|---|---|---|---|
| Master Public Key [#G, #G_T] | [U+2, 1] | [2U+2, 1] | [2U+4, 1] | [U+2, 16N²·κ] |
| Master Secret Key [#G, #G_T] | [1, 0] | [1, 0] | [1, 0] | [1, 16N²·κ] |
| Transformation Key #G | – | S+2 | – | (S+2)·N |
| Private Key [#G, #Z_p] | [S+2, 0] | [0, 1] | [(S+2) log n, 0] | [0, N] |
| Key Update [#G, #Z_p] | – | – | [2(r log(n/r) + r), 0] | [0, n−r] |
| Decryption Key [#G, #Z_p] | [S+2, 0] | [0, 1] | [S+3, 0] | [0, 1] |
| ABE Ciphertext [#G, #G_T] | [2ℓ+1, 1] | [2ℓ+1, 1] | [2ℓ+2, 1] | [2ℓ+1, 1] |
| Transformed Ciphertext #G_T | – | 2 | – | 2 |

In the tables, '#Pairing' and '#Exp.' denote the number of pairings and exponentiations, respectively, during ABE ciphertext transformation and final ciphertext decryption. For simplicity, we denote by U, S and I the number (not the set) of attributes in the system, attributes associated with the user, and attributes (indexes) used in decryption, respectively. ℓ is the number of rows of the matrix A (i.e. of the LSSS access structure). n is the total number of users and r is the number of revoked users. N denotes the maximum number of user revocations. '#G', '#G_T' and '#Z_p' denote the number of elements of the groups G, G_T and Z_p, respectively. Let κ be the security parameter. For the cover-free set, it is naturally assumed that the size of the set T is bounded by 2^κ, that is, log|T| ≤ κ in Table 3. The symbol '–' denotes that the mode is unavailable.

From Table 2, we can see that our scheme and [11] both support decryption outsourcing, and that the numbers of pairing and exponentiation operations are the same during transformation and final decryption.
Moreover, our scheme supports user revocation. Through decryption outsourcing, the final decryption needs only one exponentiation. In the other two non-outsourcing schemes, however, decryption requires a large number of pairing and exponentiation operations, proportional to the number of attributes used in decryption. Table 3 summarizes the key sizes and ciphertext sizes. It is clear that the outsourcing technique significantly reduces the size of the transformed ciphertext, which contains only two group elements of GT. Compared with the revocable ABE scheme of [16], the key sizes in our scheme are somewhat larger, especially the size of the master secret key. In addition, the size of the key update is linear in the number of non-revoked users. These issues are alleviated in scenarios where the number of system users is not very large.

5. CONCLUSION

This paper proposed a CP-ABE scheme that supports both decryption outsourcing and user revocation. After partial decryption by a cloud server, the resulting ciphertext contains only two ElGamal-type group elements, and the final decryption requires just one exponentiation. It significantly shortens the ABE ciphertext size and decryption time compared with a normal revocable ABE scheme. However, this advantage comes at a cost on the other side. One cost is that the amount of key update information is linear in the number of revoked users, and the other is that the number of user revocations is bounded. These issues may limit our scheme to systems with a small number of users. Future work is to resolve these problems without increasing the size of the transformed ABE ciphertext or the time of the final decryption.

FUNDING

This work was supported by the National Natural Science Foundation of China (Grant nos. 61502400 and 61602378), the Natural Science Basic Research Plan in Shaanxi Province of China (Grant no. 2016JM6033) and the Science Foundation of Sichuan Educational Committee (Grant no. 16ZB0140).
REFERENCES

[1] Sahai, A. and Waters, B. (2005) Fuzzy Identity-Based Encryption. Proc. EUROCRYPT 2005, Aarhus, Denmark, May 22–26, pp. 457–473. Springer-Verlag, Berlin.
[2] Goyal, V., Pandey, O., Sahai, A. and Waters, B. (2006) Attribute-Based Encryption for Fine-grained Access Control of Encrypted Data. Proc. CCS 2006, Alexandria, VA, USA, October 30–November 3, pp. 89–98. ACM.
[3] Bethencourt, J., Sahai, A. and Waters, B. (2007) Ciphertext-Policy Attribute-Based Encryption. Proc. S&P 2007, Oakland, CA, USA, May 20–23, pp. 321–334. IEEE Computer Society.
[4] Naor, M. and Nissim, K. (2000) Certificate revocation and certificate update. IEEE J. Sel. Areas Commun., 18, 561–570.
[5] Waters, B. (2011) Ciphertext-Policy Attribute-based Encryption: An Expressive, Efficient, and Provably Secure Realization. Proc. PKC 2011, Taormina, Italy, March 6–9, pp. 53–70. Springer-Verlag, Berlin.
[6] Shamir, A. (1984) Identity-Based Cryptosystems and Signature Schemes. Proc. CRYPTO 1984, Santa Barbara, CA, USA, August 19–22, pp. 47–53. Springer-Verlag, Berlin.
[7] Gorbunov, S., Vaikuntanathan, V. and Wee, H. (2015) Attribute-based encryption for circuits. J. ACM, 62, 45:1–45:33.
[8] Herranz, J., Laguillaumie, F. and Ràfols, C. (2010) Constant Size Ciphertexts in Threshold Attribute-Based Encryption. Proc. PKC 2010, Paris, France, May 26–28, pp. 19–34. Springer-Verlag, Berlin.
[9] Attrapadung, N., Herranz, J., Laguillaumie, F., Libert, B., de Panafieu, E. and Ràfols, C. (2012) Attribute-based encryption schemes with constant-size ciphertexts. Theor. Comput. Sci., 422, 15–38.
[10] Hohenberger, S. and Waters, B. (2013) Attribute-Based Encryption with Fast Decryption. Proc. PKC 2013, Nara, Japan, February 26–March 1, pp. 162–179. Springer-Verlag, Berlin.
[11] Green, M., Hohenberger, S. and Waters, B. (2011) Outsourcing the Decryption of ABE Ciphertexts. Proc. 20th USENIX Security Symposium, San Francisco, CA, USA, August 8–12. USENIX Association.
[12] Li, J., Chen, X., Li, J., Jia, C., Ma, J. and Lou, W. (2013) Fine-Grained Access Control System Based on Outsourced Attribute-based Encryption. Proc. ESORICS 2013, Egham, UK, September 9–13, pp. 592–609. Springer-Verlag, Berlin.
[13] Zhang, R., Ma, H. and Lu, Y. (2017) Fine-grained access control system based on fully outsourced attribute-based encryption. J. Syst. Softw., 125, 344–353.
[14] Yu, J., Ren, K. and Wang, C. (2016) Enabling cloud storage auditing with verifiable outsourcing of key updates. IEEE Trans. Inf. Forensics Secur., 11, 1362–1375.
[15] Yu, J., Ren, K., Wang, C. and Varadharajan, V. (2015) Enabling cloud storage auditing with key-exposure resistance. IEEE Trans. Inf. Forensics Secur., 10, 1167–1179.
[16] Boldyreva, A., Goyal, V. and Kumar, V. (2008) Identity-Based Encryption with Efficient Revocation. Proc. CCS 2008, Alexandria, VA, USA, October 27–31, pp. 417–426. ACM.
[17] Libert, B. and Vergnaud, D. (2009) Adaptive-ID Secure Revocable Identity-Based Encryption. Proc. CT-RSA 2009, San Francisco, CA, USA, April 20–24, pp. 1–15. Springer-Verlag, Berlin.
[18] Sahai, A., Seyalioglu, H. and Waters, B. (2012) Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption. Proc. CRYPTO 2012, Santa Barbara, CA, USA, August 19–23, pp. 199–217. Springer-Verlag, Berlin.
[19] Seo, J.H. and Emura, K. (2014) Revocable identity-based cryptosystem revisited: Security models and constructions. IEEE Trans. Inf. Forensics Secur., 9, 1193–1205.
[20] Cui, H. and Deng, R.H. (2016) Revocable and decentralized attribute-based encryption. Comput. J., 59, 1220–1235.
[21] Park, S., Lee, K. and Lee, D.H. (2015) New constructions of revocable identity-based encryption from multilinear maps. IEEE Trans. Inf. Forensics Secur., 10, 1564–1577.
[22] Lee, K., Lee, D.H. and Park, J.H. (2017) Efficient revocable identity-based encryption via subset difference methods. Des. Codes Cryptogr., 85, 39–76.
[23] Hur, J. and Noh, D.K. (2011) Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Trans. Parallel Distrib. Syst., 22, 1214–1221.
[24] Jiang, Z.L., Zhang, R., Liu, Z., Yiu, S., Hui, L.C., Wang, X. and Fang, J. (2016) A Revocable Outsourcing Attribute-Based Encryption Scheme. Proc. CloudComp 2016, Guangzhou, China, November 25–26, pp. 145–161. Springer-Verlag, Cham.
[25] Cui, H., Deng, R.H., Li, Y. and Qin, B. (2016) Server-Aided Revocable Attribute-Based Encryption. Proc. ESORICS 2016, Part II, Heraklion, Greece, September 26–30, pp. 570–587. Springer-Verlag, Cham.
[26] Erdös, P., Frankl, P. and Füredi, Z. (1985) Families of finite sets in which no set is covered by the union of others. Isr. J. Math., 51, 79–89.
[27] Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A. and Vaikuntanathan, V. (2007) Bounded CCA2-Secure Encryption. Proc. ASIACRYPT 2007, Kuching, Malaysia, December 2–6, pp. 502–518. Springer-Verlag, Berlin.
[28] Goldwasser, S., Lewko, A.B. and Wilson, D.A. (2012) Bounded-Collusion IBE from Key Homomorphism. Proc. TCC 2012, Taormina, Sicily, Italy, March 19–21, pp. 564–581. Springer-Verlag, Berlin.
[29] Tessaro, S. and Wilson, D.A. (2014) Bounded-Collusion Identity-Based Encryption from Semantically-Secure Public-Key Encryption: Generic Constructions with Short Ciphertexts. Proc. PKC 2014, Buenos Aires, Argentina, March 26–28, pp. 257–274. Springer-Verlag, Berlin.

Appendix A. THE WATERS CP-ABE SCHEME

The Waters CP-ABE scheme $\mathsf{ABE}_W = (\mathsf{Setup}_W, \mathsf{KeyGen}_W, \mathsf{Encrypt}_W, \mathsf{Decrypt}_W)$ is described in Fig. A1.

Theorem A.1 ([5, Section 3.1]) The Waters CP-ABE scheme is selectively CPA-secure under the decisional q-parallel Bilinear Diffie–Hellman Exponent Assumption.

[Figure A1. The Waters CP-ABE scheme [5].]

Appendix B. A BOUNDED-COLLUSION IBE SCHEME FROM DBDH

Cover-free sets play an important role in BC-IBE [28, 29] as well as in bounded CCA-secure encryption [27]. We first recall the definition of cover-free sets and then introduce a BC-IBE over bilinear groups.

Cover-Free Sets: Let $2^{[n]}$ be the set of subsets of $[n] = \{1, \dots, n\}$. We say that $\phi: T \to 2^{[n]}$ is $(N,k)$-cover free if $|\phi(t)| = k$ for all $t \in T$ and $\phi(t_N) \not\subseteq \bigcup_{i=1}^{N-1} \phi(t_i)$ for all distinct $t_1, \dots, t_N \in T$, i.e. the set $\phi(t_N)$ is not covered by the union of $\phi(t_1), \dots, \phi(t_{N-1})$. Observe that every subset $\phi(t)$ can be represented as an $n$-bit string $t$, where $t[i] = 1$ if $i \in \phi(t)$ and $t[i] = 0$ otherwise. Hence, without loss of generality, we can view $\phi$ as a map from $T$ to $\{0,1\}^n$ instead of to the set itself. The currently best-known construction of cover-free sets is given by the following theorem.

Theorem B.1 ([26, 27]) For any integer $N \ge 1$, there exists a polynomial-time algorithm to compute an $(N,k)$-cover free map $\phi: T \to \{0,1\}^n$, where $n = 16N^2 \log|T|$ and $k = 4N \log|T|$.

Our construction is based on the following ElGamal-like cryptosystem $\mathsf{PKE} = (\mathsf{Sys}, \mathsf{Kg}, \mathsf{Enc}, \mathsf{Dec})$. $\mathsf{Sys}(1^\kappa)$ samples a description of bilinear groups $D = (p, G, G_T, g, e) \leftarrow \mathcal{G}(1^\kappa)$, chooses a random exponent $\alpha \in \mathbb{Z}_p$ and returns the public parameter $pp = (D, g^\alpha, g_T)$, where $g_T = e(g,g)^\alpha$. The key generation algorithm $\mathsf{Kg}(pp)$ samples a secret key $sk \leftarrow_R \mathbb{Z}_p$ and sets the public key as $pk = g_T^{sk}$. For a message $M \in G_T$, the encryption algorithm $\mathsf{Enc}(pk, M)$ chooses a random exponent $r \in \mathbb{Z}_p$ and returns the ciphertext $c = (g_T^r, M \cdot pk^r)$.
For a ciphertext $c = (c_1, c_2)$, the decryption algorithm $\mathsf{Dec}(sk, (c_1, c_2))$ returns $M := c_2 \cdot c_1^{-sk}$.

The DBDH assumption demands that any PPT algorithm, given $(g, g^\alpha, g^\beta, g^\gamma, R)$ (where $\alpha, \beta, \gamma \leftarrow_R \mathbb{Z}_p$), has negligible advantage in deciding whether $R = e(g,g)^{\alpha\beta\gamma}$ or $R$ is a random element of the group $G_T$. Clearly, if we set $g_T = e(g, g^\alpha)$, $pk = e(g^\alpha, g^\beta)$, $c_1 = e(g^\alpha, g^\gamma)$ and $c_2 = M \cdot R$, we immediately see that the above ElGamal-like encryption scheme is CPA-secure under the DBDH assumption.

Observe that the element $g^\alpha$ is never used in the key generation, encryption and decryption algorithms. Unless explicitly stated otherwise, we assume that $pp$ does not contain $g^\alpha$. Moreover, if we remove it from the public parameter, we get the standard ElGamal cryptosystem over the group $G_T$, in which the DDH problem is believed to be hard. Nevertheless, the auxiliary element $g^\alpha$ is necessary in the security proof of our RO-ABE scheme.

From the generic construction of BC-IBE schemes in [28, 29], we obtain the following BC-IBE scheme. Let $pp = (D, g^\alpha, g_T)$ be a public parameter generated by $\mathsf{Sys}(1^\kappa)$.

Theorem B.2 If the DBDH assumption holds and $\phi$ is $(N+1,k)$-cover free, then the BC-IBE scheme given in Fig. B1 is selectively CPA-secure as long as the number of key extraction queries is at most $N$ ($N$-selectively CPA-secure for short).

[Figure B1. Bounded-collusion IBE under the DBDH assumption.]

Author notes: Handling editor: Joseph Liu.
© The British Computer Society 2018. All rights reserved.
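The following Python block is an added worked example for Appendix B; it is not code from the paper or its authors. It implements the ElGamal-like PKE (Kg, Enc, Dec over a group standing in for G_T), the polynomial cover-free map behind Theorem B.1 (the [26, 27] construction: an identity is read as a polynomial of degree below d over F_q and mapped to its q evaluation points), and the key-homomorphic BC-IBE of [28, 29] in the shape the proof of Lemma 3.2 uses (identity key = sum of the component keys indexed by φ(t), identity public key = product of the corresponding pk[i]). Everything numeric is a constructed toy: the group is the order-509 subgroup of Z_1019^*, the cover-free parameters are q = 7 and d = 2, and the pairing element g^α is omitted, as the appendix says it is unused outside the proof. Fig. B1 itself is not on the page, so the exact key-distribution layout is an assumption labelled in the code.

```python
"""Toy bounded-collusion IBE from an ElGamal-like scheme over a prime-order group.
All parameters are constructed for illustration and far too small to be secure."""
import random

# --- toy prime-order group standing in for G_T (constructed) ---
Q = 1019   # safe prime, Q = 2*P + 1
P = 509    # prime order of the subgroup generated by GT
GT = 4     # generator g_T of the order-P subgroup (4 = 2^2 is a quadratic residue)

def gexp(base, e):
    """base^e in the order-P subgroup; exponents live in Z_P."""
    return pow(base, e % P, Q)

def gmul(a, b):
    return a * b % Q

def ginv(a):
    return pow(a, Q - 2, Q)

# --- (N,k)-cover-free map phi: T -> subsets of [n] (polynomial construction) ---
# Identity t in [0, q^d) is read as a polynomial f_t of degree < d over F_q and
# phi(t) = { j*q + f_t(j) : j in F_q }, so k = q and n = q^2.  Two distinct
# polynomials agree on at most d-1 points, so N-1 other sets cover at most
# (N-1)(d-1) of the q points of phi(t): the map is (N,q)-cover-free whenever
# (N-1)(d-1) < q.  Constructed parameters: q = 7, d = 2 gives 49 identities.
CF_Q, CF_D = 7, 2
CF_N = 1 + (CF_Q - 1) // (CF_D - 1)   # largest N with (N-1)(d-1) < q  -> 7

def phi(t):
    """Index set of identity t: a frozenset of CF_Q indices in [0, CF_Q**2)."""
    coeffs = []
    for _ in range(CF_D):             # base-q digits of t are the coefficients
        coeffs.append(t % CF_Q)
        t //= CF_Q
    return frozenset(
        j * CF_Q + sum(a * pow(j, i, CF_Q) for i, a in enumerate(coeffs)) % CF_Q
        for j in range(CF_Q))

def uncovered(target, others):
    """Indices of phi(target) not covered by the union of phi(u), u in others.
    Non-empty for any N-1 distinct others when phi is (N,k)-cover-free."""
    cover = set()
    for u in others:
        cover |= phi(u)
    return phi(target) - cover

class BCIBE:
    """Key-homomorphic BC-IBE (assumed layout, after [28, 29]): the master key
    holds n independent ElGamal key pairs; identity t gets sk_t = sum of sk[i]
    over i in phi(t), and pk_t = product of pk[i] = g_T^{sk_t}."""
    def __init__(self, rng):
        self.rng = rng
        self.n = CF_Q * CF_Q
        self.msk = [rng.randrange(1, P) for _ in range(self.n)]   # sk[i] in Z_p
        self.mpk = [gexp(GT, s) for s in self.msk]                 # pk[i] = g_T^sk[i]

    def extract(self, ident):
        return sum(self.msk[i] for i in phi(ident)) % P            # sk_t

    def pk_of(self, ident):
        pk = 1
        for i in phi(ident):
            pk = gmul(pk, self.mpk[i])                             # prod pk[i]
        return pk

    def encrypt(self, ident, msg):
        r = self.rng.randrange(1, P)                               # r <- Z_p
        return gexp(GT, r), gmul(msg, gexp(self.pk_of(ident), r))  # (g_T^r, M*pk_t^r)

    @staticmethod
    def decrypt(sk_t, ct):
        c1, c2 = ct
        return gmul(c2, ginv(gexp(c1, sk_t)))                      # M = c2 * c1^{-sk_t}

def demo():
    """Run the scheme on a constructed identity and show the cover-free bound."""
    rng = random.Random(2018)                 # seeded only for reproducibility
    ibe = BCIBE(rng)
    msg = gexp(GT, 123)                       # a message in the order-P subgroup
    ct = ibe.encrypt(0, msg)
    # Identity 0 is the zero polynomial; identity 7 + ((7-j) % 7) is the line
    # x - j, which meets phi(0) in exactly the point at j.  Six such lines leave
    # one index of phi(0) uncovered (N-1 = 6 keys); seven cover it completely,
    # so the (7,7)-cover-free guarantee no longer applies.
    lines = [7 + (7 - j) % 7 for j in range(CF_Q)]
    return {
        "decrypt_ok": BCIBE.decrypt(ibe.extract(0), ct) == msg,
        "homomorphic": ibe.pk_of(0) == gexp(GT, ibe.extract(0)),
        "uncovered_after_6": uncovered(0, lines[:CF_N - 1]),
        "uncovered_after_7": uncovered(0, lines),
    }

if __name__ == "__main__":
    print(demo())
```

The uncovered index left after N−1 colluding keys is exactly what the simulator in the proof of Lemma 3.2 relies on (the component sk*[i*] that no extracted key determines), which is why Theorem B.2 needs φ to be (N+1,k)-cover free for N extraction queries.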
This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices).

TI - Bounded Revocable and Outsourceable ABE for Secure Data Sharing
JF - The Computer Journal
DO - 10.1093/comjnl/bxy063
DA - 2018-08-01
UR - https://www.deepdyve.com/lp/oxford-university-press/bounded-revocable-and-outsourceable-abe-for-secure-data-sharing-QvSDQo1dSB
SP - 1259
EP - 1268
VL - 61
IS - 8
DP - DeepDyve
ER -