# a hierarchical attribute-based encryption scheme


Wuhan University Journal of Natural Sciences 2013, Vol.18 No.3, 259-264

Article ID 1007-1202(2013)03-0259-06

DOI 10.1007/s11859-013-0925-9

A Hierarchical Attribute-Based Encryption Scheme

ZOU Xiubin

College of Computer and Mathematics, Jianghan University,

Wuhan 430056, Hubei, China

© Wuhan University and Springer-Verlag Berlin Heidelberg 2013

Abstract: According to the relation between an attribute set and its subsets, the author presents a hierarchical attribute-based encryption scheme in which a secret key is associated with an attribute set. A user who holds the private key corresponding to an attribute set can delegate the private key corresponding to any subset of that attribute set. Moreover, the size of the ciphertext is constant, while the size of the private key is linear in the order of the attribute set in the hierarchical attribute-based encryption scheme. Lastly, we also prove that this encryption scheme meets IND-sSET-CPA security in the standard model.

Key words: attribute-based encryption; hierarchical attribute-based encryption; identity-based encryption (IBE); bilinear map

CLC number: TP 309.7

Received date: 2012-08-12

Foundation item: Supported by the National Natural Science Foundation of China (60903175, 60703048) and the Natural Science Foundation of Hubei Province (2009CBD307, 2008CDB352)

Biography: ZOU Xiubin, male, Lecturer, Ph.D., research direction: public key cryptosystems and their security analysis. E-mail: xbz1234@163.com

0 Introduction

Shamir [1] first presented the concept of identity-based encryption (IBE). When we encrypt information in an IBE scheme, we do not require a public key certificate; we only require an arbitrary public string (e.g., an identity or an e-mail address). This gives the IBE scheme many applications in practice.

Sahai and Waters [2] proposed a fuzzy IBE scheme in which a descriptive attribute set can be regarded as an identity. Given the secret key K corresponding to an attribute set, we can use it to decrypt a ciphertext C that was produced by encrypting some plaintext under another attribute set, but only if the two attribute sets overlap in at least d attributes, where d is the minimum required overlap. At the same time, Sahai and Waters [2] proposed the concept of attribute-based encryption. However, their scheme is essentially an IBE scheme in which the ID is composed of several attributes, and it is mainly built from threshold techniques. Moreover, it is resistant to collusion attacks and does not require a random oracle (RO). After the concept of attribute-based encryption was presented, many people carried out further research on it.

Now, more and more data are stored on third-party Web sites on the Internet so that they can be shared with other people. To ensure the security of these data, we can simply encrypt them. However, this does not facilitate sharing. The simplest measure is to send the secret key to the people who need to know those data; nevertheless, it is not the best measure. To resolve this problem, Goyal et al [3] proposed an encryption system (hereinafter referred to as the GKPABE scheme) in which any data can be encrypted and a good way of sharing is provided. Goyal et al refer to this encryption as key-policy attribute-based encryption (KP-ABE). In a KP-ABE system, any ciphertext is labelled with an attribute set, whereas the secret key is associated with an access structure that determines which users may decrypt the ciphertext.

In many cases, users need to formulate a policy that specifies who can access the data when they encrypt it; only those qualified people can decrypt it later on. For example, to keep an important file secure, a leader in a company encrypts it before sending it to other people in the company. In addition, he formulates a security policy that specifies who may read the file. For example, he draws up the following policy:

Department = sales department and Position = general manager.

This policy tells us that a general manager from the sales department can access the file. Therefore, someone who is a general manager in the sales department can decrypt the encrypted file and read it. To address this problem, Bethencourt et al [4] gave a ciphertext-policy attribute-based encryption scheme, referred to here as the BCP-ABE scheme. In the BCP-ABE scheme, attributes are used to describe a user's qualifications, while the sender who encrypts the data formulates the policy for those who need to know it. However, Goyal et al [3] and Bethencourt et al [4] only discussed the security of their schemes in the generic group model. Cheung and Newport [5] presented a CP-ABE construction that supports a restricted type of access structure, represented by a union of different attributes.

Goyal et al [6] proposed a ciphertext-policy ABE scheme with a security proof under number-theoretic assumptions. Waters [7] put forward a new CP-ABE scheme (hereinafter referred to as the WCPABE scheme). The WCPABE scheme expresses the attribute access structure with a linear secret sharing scheme (LSSS) matrix; in this way, Waters's construction allows an attribute access structure to be expressed freely. Based on the relation between an attribute set and its subsets, the author presents a hierarchical attribute-based encryption scheme in this paper. In this scheme the secret key is associated with an attribute set. A user who holds the key corresponding to an attribute set S can delegate the key corresponding to any subset of S. Moreover, we can also prove that this encryption scheme meets IND-sSET-CPA security.

1 Preliminaries

1.1 Bilinear Map

Boneh et al [8] introduced the bilinear map. Since then, bilinear maps have been applied in encryption, signatures, and so on.

Definition 1 Let $G$ and $G_T$ be cyclic groups of order $p$, where $p$ is a large prime. We call an efficiently computable map $e: G \times G \to G_T$ a bilinear map if it has the following properties:

Bilinear: $\forall u, v \in G$, $\forall a, b \in Z$, $e(u^a, v^b) = e(u, v)^{ab}$.

Non-degeneracy: there exists a generator $g \in G$ such that $e(g, g) \neq 1$.

Computable: $\forall u, v \in G$, $e(u, v)$ can be computed in polynomial time.

1.2 d-wBDHI* Assumption (Weak Bilinear Diffie-Hellman Inversion Assumption)

Let $g$ and $h$ be generators of $G$. Let $\alpha \in Z_p^*$ and $d \in Z$. We define the $d$-wBDHI* problem as follows:

Given $g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^d)}$, compute $e(g, h)^{(\alpha^{d+1})}$.

Set $y_i = g^{(\alpha^i)} \in G^*$ and $y_{g,\alpha,d} = (y_1, y_2, \ldots, y_d)$. The $d$-wBDHI* problem can then be stated more compactly as follows:

Given $g, h, y_{g,\alpha,d}$, compute $e(g, h)^{(\alpha^{d+1})}$.

Algorithm $A$ has advantage $\varepsilon$ in solving the $d$-wBDHI* problem if

$\Pr[A(g, h, y_{g,\alpha,d}) = e(g, h)^{(\alpha^{d+1})}] \geq \varepsilon$.
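As an added illustration of Definition 1 and of the shape of the $d$-wBDHI* instance (this is not the paper's construction, which leaves the groups abstract), the following Python uses a deliberately toy pairing: $G$ is the additive group $Z_Q$, $G_T$ is the order-$Q$ subgroup of $Z_P^*$, and $e(u, v) = \mathrm{GT\_GEN}^{uv}$. The constants Q, P and GT_GEN and all function names are assumptions of this example; the toy group also shows why the assumption must be made in a group with hard discrete logarithms, since here $\alpha$ is read straight off $y_1$.

```python
# Toy bilinear map illustrating Definition 1 and the d-wBDHI* problem.
# Constructed example: the groups are tiny and insecure (a discrete log in an
# additive group is one modular division); they only make the algebra visible.
Q = 101          # prime order of G (the paper's p); G = (Z_Q, +), written additively
P = 607          # prime with Q | P - 1, so Z_P^* has a subgroup of order Q
GT_GEN = 64      # 2^6 mod 607, a generator of that order-Q subgroup, which is G_T

def g_exp(u, a):
    """'Exponentiation' u^a in G; in the additive toy group this is a*u mod Q."""
    return (a * u) % Q

def pairing(u, v):
    """e(u, v) = GT_GEN^(u*v) in G_T. Bilinear because (a*u)*(b*v) = (a*b)*(u*v)."""
    return pow(GT_GEN, (u * v) % Q, P)

def check_bilinear_properties(u, v, a, b):
    """Return (bilinear, non_degenerate) for the two checkable properties of Definition 1."""
    bilinear = pairing(g_exp(u, a), g_exp(v, b)) == pow(pairing(u, v), (a * b) % Q, P)
    non_degenerate = pairing(1, 1) != 1      # g = 1 generates (Z_Q, +)
    return bilinear, non_degenerate

def wbdhi_instance(g, h, alpha, d):
    """Public d-wBDHI* instance (g, h, y_{g,alpha,d}) with y_i = g^(alpha^i), i = 1..d."""
    ys = [g_exp(g, pow(alpha, i, Q)) for i in range(1, d + 1)]
    return g, h, ys

def wbdhi_target(g, h, alpha, d):
    """The value a solver must output, e(g, h)^(alpha^(d+1)); computing it uses alpha."""
    return pow(pairing(g, h), pow(alpha, d + 1, Q), P)

def toy_solver(g, h, ys, d):
    """In the toy group alpha = y_1 * g^(-1) mod Q, so the instance is solved outright.
    A real pairing group must make recovering alpha from g^alpha infeasible."""
    alpha = (ys[0] * pow(g, -1, Q)) % Q
    return wbdhi_target(g, h, alpha, d)

def demo():
    """Run both checks on constructed values: properties hold, toy instance is broken."""
    g, h, alpha, d = 3, 7, 29, 4
    g_pub, h_pub, ys = wbdhi_instance(g, h, alpha, d)
    solved = toy_solver(g_pub, h_pub, ys, d) == wbdhi_target(g, h, alpha, d)
    return check_bilinear_properties(5, 11, 13, 17), solved

if __name__ == "__main__":
    print(demo())   # ((True, True), True)
```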

Definition 2 If no polynomial-time algorithm $A$ has advantage at least $\varepsilon$ in solving the $d$-wBDHI* problem in $G$, we say that the $d$-wBDHI* assumption holds in $G$.

1.3 Security Definition of ABE (or HABE) Scheme

We say that an IBE scheme or a HIBE scheme satisfies IND-ID-CPA (or IND-sID-CPA) security if the adversary does not issue decryption queries. Boneh and Franklin [8] and Canetti et al [9] gave a general method that transforms an IND-ID-CPA (or IND-sID-CPA) secure IBE or HIBE scheme into an IND-ID-CCA (or IND-sID-CCA) secure one. Therefore we only prove that an IBE (or HIBE) scheme is IND-ID-CPA (or IND-sID-CPA) secure when it is presented.

Analogous to the definition of IND-ID-CCA (or IND-sID-CCA) security, we can give the definition of IND-Set-CCA (or IND-sSet-CCA) security. Whether an ABE (attribute-based encryption) scheme E or a HABE (hierarchical attribute-based encryption) scheme E is IND-Set-CCA (or IND-sSet-CCA) secure is defined by the following game, which is played between the adversary and the challenger. The game consists of an initial phase, private key query phase 1, a challenge phase, private key query phase 2, and a guess phase.

Initial phase: The challenger runs the setup algorithm and produces the system parameters and the master secret key. He then sends the system parameters to the adversary and keeps the master secret key for himself.

Private key query phase 1: The adversary adaptively issues queries $(q_1, q_2, \ldots, q_m)$, where each $q_i$ $(i = 1, \ldots, m)$ is one of the following two queries.

Provided with an attribute set $S_i$, the challenger runs the private key generation algorithm and obtains a private key $K_{S_i}$ corresponding to the attribute set $S_i$. He then sends $K_{S_i}$ to the adversary.

Given an attribute set $S_i$ and a ciphertext $C_i$, the challenger first runs the private key generation algorithm and obtains the private key $K_{S_i}$. He then runs the decryption algorithm and produces a plaintext from the ciphertext $C_i$. Lastly, he sends the plaintext to the adversary.

Challenge phase: Once the adversary decides that private key query phase 1 is over, he outputs an attribute set $S^*$ and two equal-length plaintexts $M_0, M_1$ on which he wishes to be challenged. The only restriction is that he has not issued a private key query corresponding to the attribute set $S^*$. The challenger randomly chooses $b \in \{0, 1\}$ and sets the challenge ciphertext to $\mathrm{Encrypt}(S^*, M_b)$. Then he sends the challenge ciphertext to the adversary.

Private key query phase 2: Analogous to private key query phase 1, with the requirement that the attribute set $S_i$ does not equal $S^*$.

Guess phase: Lastly, the adversary outputs a guess $b'$ of $b$. We define the advantage wh
