A hierarchical attribute-based encryption scheme

Download A hierarchical attribute-based encryption scheme

Post on 14-Dec-2016




0 download

Embed Size (px)


<ul><li><p>2013, Vol.18 No.3, 259-264 </p><p>Article ID 1007-1202(2013)03-0259-06 </p><p>DOI 10.1007/s11859-013-0925-9 </p><p>A Hierarchical Attribute-Based Encryption Scheme </p><p> ZOU Xiubin </p><p>College of Computer and Mathematics, Jianghan University, </p><p>Wuhan 430056, Hubei, China </p><p> Wuhan University and Springer-Verlag Berlin Heidelberg 2013 </p><p> Abstract: According to the relation of an attribute set and its sub-set, the author presents a hierarchical attribute-based encryption scheme in which a secret key is associated with an attribute set. A user can delegate the private key corresponding to any subset of an attribute set while he has the private key corresponding to the at-tribute set. Moreover, the size of the ciphertext is constant, but the size of private key is linear with the order of the attribute set in the hierarchical attribute-based encryption scheme. Lastly, we can also prove that this encryption scheme meets the security of IND-sSET- CPA in the standard model. Key words: attribute-based encryption; hierarchical attribute- based encryption; identity-based encryption (IBE); bilinear map CLC number: TP 309.7 </p><p>Received date: 2012-08-12 Foundation item: Supported by the National Natural Science Foundation of China (60903175, 60703048) and the Natural Science Foundation of Hubei Province (2009CBD307, 2008CDB352) Biography: ZOU Xiubin, male, Lecturer, Ph.D., research direction: public key cryptosystem and its security analysis. E-mail: xbz1234@163.com </p><p>0 Introduction </p><p>Shamir[1] first presented the concept of identity- based encryption(IBE).When we encrypt information in the IBE scheme, we do not require the public key certifi-cate and only require an arbitrary and overt string e.g., identity and e-mail, etc.). This makes the IBE scheme have many applications in practice. </p><p>Sahai and Waters[2] proposed a fussy IBE scheme in which a descriptive attribute set could be considered as identity. For the secret key K corresponding to an attribute set , we can decrypt a ciphertext C by it, where C is produced by encrypting some plaintexts with the secret key K corresponding to an attribute set . We can decrypt the ciphertext C by the secret key K only if | | ,d where d is the minimum that those attribute sets(i.e. attribute set and attribute set ) overlap. Meanwhile, Sahai and Waters[2] proposed the concept of attribute-based encryption. However, their scheme belongs to an IBE scheme where ID is composed of several attributes. Their scheme is mainly constituted by threshold techniques. Moreover, it is resistant collu-sion attack and does not require random oracle(RO). Af-ter the concept of attribute-based encryption was pre-sented, there are many people who have made further research on it. </p><p>Now, more and more data are preserved in the third party Websites on the Internet for their being shared with people. To ensure the security of these data, we only encrypt them. However, this does not facilitate sharing. The simplest measure is to send the secret key to the people who need know those data. Nevertheless, it is not a best measure. To resolve this problem, Goyal </p></li><li><p>Wuhan University Journal of Natural Sciences 2013, Vol.18 No.3 260 </p><p>et al [3] proposed an encryption system (hereinafter re-ferred GKPABE scheme) in which any data can encrypt and a good share way is provided. Goyal et al refer to this encryption as key-policy attribute-based encryption (KP-ABE). In a KP- ABE system, we can label any ci-phertext by some attribute set, whereas the secret key is associated with the access structure which permits users to decrypt the ciphertext. </p><p>In many cases, users need to formulate a policy that specifies who can access the data when they encrypts it. Only those qualified people can decrypt it later on. For example, to ensure that an important file is secure, a leader in a company encrypts it when he sends the file to the other people in the company. In addition, he formu-lates a secure policy which specifies how the file is read. For example, he draws up the following policy: </p><p>Department=sale department and position= gen-eral manager. </p><p>This policy tells us that a general manager from sale department can access the file. Therefore someone who is a general manager from sale department can decrypt the encrypted file and read it. To resolve this problem, Benthencourt et al [4] gave a ciphertext-policy attribute- based encryption scheme, which is referred to as the BCP-ABE scheme here. Some attributes are used to de-scribe a users qualification in BCP-ABE scheme, while the sender who encrypts data and formulates a measure for those who need to know the data. However, Goyal et al [3] and Bethencourt et al [4] only discussed the secu-rity of their scheme in the general cyclic group model. Cheung and Newport[5] presented a CP-ABE construction that supports the finite type access structure that is repre-sented by a union of different attributes. </p><p>Goyal et al [6] proposed a ciphertext policy ABE scheme which gave a secure proof in assumptions of number theory. Waters[7] put forward a new CP-ABE scheme (hereinafter referred to as WCPABE scheme). The WCPABE scheme makes attribute access structure be expressed with linear secret sharing scheme (LSSS) ma-trix. Doing so, Waterss construction method makes an attribute access structure be expressed freely. According to an attribute set and its subset, the author presents a hi-erarchical attribute-based encryption scheme in this paper. The secret key is associated with attribute set in this scheme. A user can delegate the key corresponding to any subset of an attribute set while he has the key corre-sponding to this attribute set S . Moreover, we can also prove that this encryption scheme meets the security of IND-sSET-CPA. </p><p>1 Preliminaries </p><p>1.1 Bilinear Map Boneh et al[8] introduced bilinear map. From then on, </p><p>the bilinear map had been applied in encryption, signature, and so on. </p><p>Definition 1 Let G and G be cyclic groups of order p, where p is a big prime number. We take an effec-tive computable map :e G G G as bilinear map that has the following properties: </p><p>Bilinear: , ,u v G , ,a b Z ( , ) ( , )a b abe u v e u v= . </p><p>Non-degeneracy: There exists a generator g G where ( , ) 1e g g . </p><p>Computable: , ,u v G ( , )e u v can be computed in the effective time. 1.2 d-wBDHI* Assumption (Weak Bilinear Diffie-Hellman Inversion Assumption) </p><p>Let g and h be generators in G . Let *p Z , d Z . We define - wBDHI *d problem as the fol-lowing: </p><p>Given2( ) ( ), , , , ,</p><p>d</p><p>g h g g g , compute 1( )( , ) de g h + . Set ( ) *</p><p>i</p><p>iy g G</p><p>= and , , 1 2( , , , ).g d dy y y y = The -l wBDHI * problem is simplified as follows: </p><p>Given , ,, , g dg h y , compute 1( )( , )</p><p>d</p><p>e g h +</p><p>. Algorithm A has advantage in solving the -d </p><p>wBDHI * problem if 1( )</p><p>, ,Pr[ ( , , ) ( , ) ]d</p><p>g dA g h y e g h</p><p>+</p><p>= . </p><p>Definition 2 If no polynomial time algorithm A has at least advantage in solving the - wBDHI *d problem in G , we say that the - wBDHI *d assump-tion holds in G . 1.3 Security Definition of ABE (or HABE) Scheme </p><p>We say that an IBE scheme or a HIBE scheme satis-fies IND-ID-CPA (or IND-sID-CPA) security if the ad-versary does not issue decryption queries. Boneh, Frank-lin[8]and Canetti et al[9] gave a general method which transforms an IND-ID-CPA (or IND-sID-CPA) secure IBE or HIBE scheme to an IND-ID-CCA (or IND-sID- CCA) secure one. Therefore we only prove that an IBE(or HIBE) scheme is IND-ID-CPA (or IND-sID-CPA) secure when it is presented. </p><p>Analogous to the definition of IND-ID-CCA (or IND-sID-CCA) security, we can give the definition of IND-Set-CCA (or IND-sSet-CCA) security. When an ABE(attribute-based encryption) scheme E or a HABE (hierarchical attribute-based encryption) scheme E is </p></li><li><p>ZOU Xiubin: A Hierarchical Attribute-Based Encryption Scheme </p><p>261</p><p>IND-Set-CCA (or IND-sSet-CCA) secure, we can give a definition by the following game which is carried on be-tween the adversary and the challenger. The game con-sists of initial phase, private query phase 1, challenge phase, private query phase 2, and guess phase. </p><p>Initial phase: Challenger runs setup algorithm and produces system parameters and main secret key. He then sends the system parameters to the adversary and reserves the main secret key for himself. </p><p>Private key query phase 1: The adversary adaptively issues queries ( 1 2, , , mq q q ), where iq ( 1, , )i m= is one of the following two queries. </p><p>Provided with an attribute set iS , the challenger runs the private key generating algorithm and gets a pri-vate key </p><p>iSK corresponding to attribute set iS . He then </p><p>sends iS</p><p>K to the adversary. Given an attribute set iS and a ciphertext iC , the </p><p>challenger first runs the private key generating algorithm and gets private key </p><p>iSK . He then runs decryption algo-</p><p>rithm and produces a plaintext from the ciphertext iC . Lastly, he sends the plaintext to the adversary. </p><p>Challenge phase: Once the adversary decides that private key query phase 1 is over, he will output an at-tribute set *S and two equivalent length plaintext </p><p>0 1,M M which he wishes to challenge. There is the only restriction that he does not issue private key query corre-sponding to the attribute set *S . The challenger ran-domly chooses {0,1}b and sets the challenged ci-phertext to be *Encrypt( , )bS M . Then, he sends the chal-lenged ciphertext to the adversary. </p><p>Private key query phase 2: Analogous to private key query phase 1, it is required that the attribute set iS do not equal to *S here. </p><p>Guess phase: Lastly, the adversary outputs a guess b about b. We define the advantage which the adversary has on attacking the ABE scheme E or HABE scheme E as follows: </p><p>Adversary1Adv Pr[ ]2</p><p>b b= = </p><p>We say that the ABE scheme E or the HABE scheme E is IND-Set-CCA secure if the adversary has the ad-vantage in upper game where AdversaryAdv . </p><p>The adversary pre-determines the attribute set which he plans on attacking the ABE scheme E or the HABE scheme E before the upper game starts. We think that the ABE scheme E or the HABE scheme E is IND- sSet-CCA secure. Moreover, it is said that the ABE scheme E or the HABE scheme E is IND-Set-CPA (or </p><p>IND-sSet-CPA) secure when the adversary does not issue decryption queries in the upper game. </p><p>2 New HABE Scheme </p><p>2.1 Construction of New HABE Scheme The new HABE scheme mainly consists of the fol-</p><p>lowing five algorithms: Setup( , ) :d The algorithm mainly generates the </p><p>system parameters. Randomly pick up a big prime num-ber p which meets | |p = , where is system security parameter. d is not only the maximum depth of the HABE scheme but also the order of the attribute full set U. Set </p><p>1 2{ , , , },dU a a a= where i pa Z for 1, ,i d= and 1 2, , , da a a are different with each other. Let function : {1,2, , }f U d and set ( )if a i= for 1, , .i d= </p><p>Randomly choose a generator g G , p Z and compute 1g g</p><p>= . Next, arbitrarily pick up 2 3 1, , ,g g h </p><p>2 , , .dh h G Set the system public parameters 1 2 3 1 2params ( , , , , , , , , )dg g g g h h h f= and system master </p><p>key 2mk g</p><p>= . KeyGen( )S : The algorithm generates the private </p><p>key SK corresponding to an attribute set ,1 ,2{ , ,j jS a a= ,| |, },j sa where .S U Set .R U S= Randomly </p><p>choose pr Z and compute 2 3 ( )( ( ) ,a r</p><p>S f aa R</p><p>K g g h</p><p>= ,1 ,2</p><p>,1 ,2,1 ( ) ,2 ( ), (( , ), ( , )j j</p><p>j j</p><p>r a r arj f a j f ag a h a h</p><p> ,| |</p><p>,| |,| | ( ), , ( , )))j S</p><p>j S</p><p>r aj s f aa h</p><p> . Delegate( , ) :SK S Taking the private key SK cor-</p><p>responding to attribute set S and an attribute set S as input, the algorithm generates the private key SK where </p><p>S S . Set ,1,12 3 ( ) ,1 ( ) ,2</p><p>( ( ) , , (( , ), ( ,jj</p><p>r aa r rS f a j f a j</p><p>a RK g g h g a h a </p><p>= ,2 ,| |</p><p>,2 ,| |( ) ,| | ( ) 0 1 ,1 2,1 ,2 2,2), , ( , ))) ( , , (( , ), ( , ), ,j j S</p><p>j j S</p><p>r a r af a j s f a j jh a h b b a b a b </p><p>= ,| | 2,| |( , )))j S Sa b where .R U S= Set S S = = </p><p>,1 ,2 ,{ , , , }.i i i la a a With the help of list ,1 2,1(( , ),ja b ,2 2,2 ,| | 2,| |( , ), , ( , ))j j S Sa b a b , we do not know r but easily </p><p>be aware of ,,( )</p><p>i k</p><p>i k</p><p>r af ah for 1,2, ,k l= . Let k be the </p><p>value of ,,( )</p><p>i k</p><p>i k</p><p>r af ah for 1,2, ,k l= . Randomly choose </p><p>pt Z and compute 0 0 ( ) 31</p><p>( ) ,l</p><p>a tk f a</p><p>k a Rb b h g</p><p>= </p><p> = </p><p>1 1tb b g = . </p><p>We delete , ,( , )j k j ka b from the list ,1 2,1 ,2(( , ), ( ,j ja b a 2,2 ,| | 2,| |), , ( , ))j S Sb a b if ,j ka ,1 ,2 ,{ , , , },i i i la a a where </p><p>1,2, ,| |k S= . Lastly, we get a new list named as ,1 2,1 ,2 2,2 ,| | 2,| |(( , ), ( , ), , ( , ))u u u S Sa b a b a b after the upper </p></li><li><p>Wuhan University Journal of Natural Sciences 2013, Vol.18 No.3 262 </p><p>disposals. We can compute ,1,12,1 2,1 ( ) 2,2 2,1</p><p>,uu</p><p>t af ab b h b b = = </p><p>,| |,2</p><p>,2 ,| |( ) 2,| | 2,| | ( ), , .u Su</p><p>u u S</p><p>t at af a S S f ah b b h</p><p> = Therefore, we can get </p><p>SK = 0 1 ,1 2,1 ,2 2,2 ,| | 2,| |( , , (( , ), ( , ), , ( , ))).u u u S Sb b a b a b a b Encrypt( , ) :S m Taking an attribute set S and a </p><p>plaintext m as input, the algorithm encrypts m . Set ,1 ,2 ,| |{ , , , }j j j SS a a a= . Randomly pick up pt Z and </p><p>get the ciphertext as follows: </p><p>1 2 3 ( )CT ( ( , ) , , ( ) )t t a t</p><p>f aa U S</p><p>e g g m g g h </p><p>= Decrypt( ,CT)SK : Inputting a private key SK and </p><p>a ciphertext CT , the algorithm decrypts ciphertext CT . Denote ,1 ,2 ,| |{ , , , }j j j Sa a a by S and set SK = </p><p>,1 ,2</p><p>,1 ,22 3 ( ) ,1 ( ) ,2 ( ) ,| |( ( ) , , (( , ), ( , ), , ( ,j j</p><p>j j</p><p>r a r aa r rf a j f a j f a j s</p><p>a U Sg g h g a h a h a </p><p> ,| |</p><p>,| |( ) 0 1 ,1 2,1 ,2 2,2 ,| | 2,| |))) ( , , (( , ), ( , ), , ( , )))j S</p><p>j S</p><p>r af a j j j S Sh b b a b a b a b</p><p>= and set the ciphertext 1 2 3CT ( , , )A A A= . </p><p>Therefore, set the plaintext 1 1 3 2( , ) / ( ,m A e b A e A= 0 )b . We can verify the decryption as follows: </p><p>1 1 3 2 0( , ) / ( , )A e b A e A b 1 2 3 ( )</p><p>2 3 ( )</p><p>( , ) ( , ( ) )</p><p>/ ( , ( ) )</p><p>t r a tf a</p><p>a U St a r</p><p>f aa U S</p><p>e g g m e g g h</p><p>e g g g h </p><p>= </p><p>1 2 3 ( )</p><p>2 3 ( )</p><p>( , ) ( , ( ))</p><p>/ ( ( , ) ( , ( )) )</p><p>t a t rf a</p><p>a U St a t r</p><p>f aa U S</p><p>e g g m e g g h</p><p>e g g e g g h</p><p>= </p><p>1 2 2( , ) / ( , )t te g g m e g g= </p><p>1 2 2( , ) / ( , )t te g g m e g g= </p><p>1 2 1 2( , ) / ( , )t te g g m e g g m= = </p><p>2.2 Analysis of System Security Theorem 1 Let G be a bilinear group of order p, </p><p>where p is a big prime number. The new HABE scheme is IND-SET-CPA secure if the - wBDHI *d assumption holds in G . </p><p>Proof Assume the adversary has advantage on attack the HABE scheme. The challenger solves the in </p><p>- wBDHI *d problem in G with the help of the ad-versary. </p><p>Let a generator ,g G *p Z and set ( )i</p><p>iy g</p><p>= . </p><p>LD is defined as the distribution of tuple 1( , , ,g h y </p><p>2 , , , )dy y T , where 1( )( , )</p><p>daT e g h+</p><p>= , while RD is done as the distribution of tuple 1 2( , , , , , , )dg h y y y T , where T G . Send 1 2( , , , , , , )dg h y y y T to the challenger. If </p><p>1 2( , , , , , , )dg h y y y T is taken from LD , the challenger outputs 1, while he outputs 0 if 1 2( , , , , , , )dg h y y y T is taken from RD . </p><p>Initial phase:...</p></li></ul>