Information Sciences 276 (2014) 354–362

Contents lists available at ScienceDirect

Information Sciences

journal homepage: www.elsevier .com/locate / ins

An expressive and provably secure Ciphertext-PolicyAttribute-Based Encryption

0020-0255/$ - see front matter � 2013 Elsevier Inc. All rights reserved.http://dx.doi.org/10.1016/j.ins.2013.12.027

⇑ Corresponding author. Tel.: +91 9443841911.E-mail addresses: balusuriya@yahoo.co.in (A. Balu), kkdiksamy@yahoo.com (K. Kuppusamy).

A. Balu ⇑, K. KuppusamyDepartment of Computer Science and Engineering, Alagappa University, Karaikudi, India

a r t i c l e i n f o

Article history:Received 3 January 2012Received in revised form 3 December 2013Accepted 21 December 2013Available online 31 December 2013

Keywords:Attribute-Based EncryptionLinear integer secret sharingAccess controlCiphertext-Policy Attribute-BasedEncryption

a b s t r a c t

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) allows to encrypt data under anaccess policy, specified as a logical combination of attributes. Such ciphertexts can bedecrypted by anyone with a set of attributes that satisfy the access policy. We propose aCiphertext-Policy Attribute-Based Encryption, which is based on a recent secret sharingmethod called Linear Integer Secret Sharing Scheme (LISS). In this scheme, the encryptorcan specify the access policy in terms of LISS matrix M, over the attributes in the system.The scheme is selectively secure under Decisional Bilinear Diffie–Hellman (DBDH)assumption.

� 2013 Elsevier Inc. All rights reserved.

1. Introduction

Recently, much attention has been attracted by a new public key primitive called Attribute-Based Encryption (ABE). ABEhas significant advantage over the traditional PKC primitives as it achieves flexible many-to-many encryption instead ofmany-to-one. ABE is envisioned as an important tool for addressing the problem of secure and fine-grained data sharingand access control. In an ABE system, a user is identified by a set of attributes. In their seminal paper [16] they use biometricmeasurements as attributes in the following way. A secret key based on a set of attributes x, can decrypt a ciphertext en-crypted with a public key based on a set of attributes x0, only if the sets x and x0 overlap sufficiently as determined by athreshold value t. A party could encrypt a document to all users who have a certain set of attributes drawn from a pre-de-fined attribute universe. For example, one can encrypt a recruitment related document to all recruitment committee mem-bers in the Computer Science Department. In this case the document would be encrypted to the attribute subset ‘‘Faculty’’,‘‘CS Dept.’’, ‘‘Recruitment Committee’’, and only users with all of these three attributes in the University can hold the corre-sponding private keys and thus decrypt the document, while others cannot. There are two variants of ABE: Key-Policy basedABE (KP-ABE) [6] and Ciphertext-Policy based ABE (CP-ABE) [3]. In KP-ABE, the ciphertext is associated with a set of attri-butes and the secret key is associated with the access policy. The encryptor defines the set of descriptive attributes necessaryto decrypt the ciphertext. The trusted authority, who generates user’s secret key, defines the combination of attributes forwhich the secret key can be used. In CP-ABE, the idea is reversed: now the ciphertext is associated with the access policyand the encrypting party determines the policy under which the data can be decrypted, while the secret key is associatedwith a set of attributes.

A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362 355

1.1. Motivation

Up to date, in most of CP-ABE schemes, the secret exponent s is shared by Shamir’s secret sharing scheme. Recently,Waters [19] proposed three CP-ABE schemes, which are based on Linear Secret Sharing Scheme (LSSS). In 2006, Damgardand Thorbek [5] introduced the notion of Linear Integer Secret Sharing (LISS) scheme, and showed that the constructionof their scheme is suitable for any access structure. Access structure is represented using the Boolean operators AND, OR.In the access structure, the variable xi can appear more than once and there is no bound for the occurrence of the variable,where as in [19] there is a bound for the occurrence of a variable xi. In LISS, the focus has been on the advantages of secretsharing over integers opposed to secret sharing over finite groups or fields in LSSS. In LISS, the secret sharing cost is less.Using these advantages, it is very easy to express the access policy effectively and share the secret exponent s efficientlyin our CP-ABE construction.

1.2. Our contribution

We present a new scheme for constructing a Ciphertext-Policy ABE based on Linear Integer Secret Sharing Scheme (LISS),which allows to represent any attribute access policy by a distribution matrix M. Access policy can be expressed more effec-tively and efficiently by this scheme. In this scheme, the ciphertext is associated with a d� e distribution matrix M. The matrixM can be formulated by using three rules to represent the attributes present in the access policy. In our method, we allow therepetition of the same attributes in the access policy, where as in Water’s [19] method they have an exclusive method for therepetition of the attributes. The secrets can be selected from the publically known interval ½�2‘;2‘�. We use q as distributionvector and the secret can be shared by the components of M � q. Any one who satisfies the access policy, is able to decrypt theciphertext. We provide a solution that is secure under the Decisional Bilinear Diffie–Hellman assumption.

1.3. Related work

Sahai and Waters [16] have introduced Attribute-Based Encryption (ABE). Bethencourt et al. [3] has proposed the firstCiphertext-Policy ABE using threshold secret sharing to enforce the policy in the encryption phase. This method requirespolynomial interpolation to reconstruct the secret and secure in the generic group model. The CP-ABE proposed by Cheungand Newport [4], in which decryption policies are restricted to a single AND gate, and attributes are allowed to be eitherpositive or negative. In this method, the size of the ciphertext and secret key increases linearly with the total number ofattributes in the system. Goyal et al. [7] have given a ‘‘bounded’’ CP-ABE construction based on the tree-based accessstructure. The disadvantage of their scheme is that the depth of the access trees d under which messages can be encryptedis defined in the setup phase. Thus, the user who wants to encrypt a message is restricted to use only an access tree whichhas the depth d0 6 d. Water’s [19] presented three constructions, which are based Linear Secret Sharing Scheme (LSSS) andsecure under various difficulty assumption. Ciphertext and public parameters size have been increased in the DBDHassumption [19]. Ibraimi et al. [8] proposed a CP-ABE scheme in which the secrets can be split by Shamir’s Secret Sharingscheme or by Unanimous consent control by modular addition scheme. If the access policy contains OR and of operatorsthen, the whole secret s will be assigned to the attributes. Most of the ABE constructions have been proved to be selec-tively secure. Lewko et al. [9] first obtain full security by adapting the dual system encryption technique [18] to the ABEcase. Okamoto and Takashima [14] present a fully secure ABE scheme under a well-established assumption. The scheme in[10] is fully secure as well.

2. Preliminaries

2.1. Access structures

Definition 1 (Access structure). Let f1;2; . . . ng be a set of parties. A collection C # 2f1;2;...;ng is monotone if8B;C : if B 2 C and B # C then C 2 C. An access structure (respectively, monotone access structure) is a collection(respectively, monotone collection) A of non-empty subsets of f1;2 . . . ;ng i:e:; C # 2f1;2;...;ng n /. The sets in C are calledthe authorized sets, and the sets not in C are called the unauthorized sets.

2.2. Linear integer secret sharing

In the LISS scheme, the secret is an integer chosen from a (publicly known) interval, and each share is computed as aninteger linear combination of the secret and some random numbers chosen by the dealer. Reconstruction of the secret isdone by computing a linear combination with integer coefficients of the shares in a qualified set. Let P ¼ f1;2; . . . ;ng denotethe n share holders and D the dealer. Let C be a monotone access structure on P. Let ‘ be an integer constant. The dealer D

wants to share a secret s from the publicly known interval �2‘;2‘h i

to the shareholders P over C, such that every set of share-

holders A 2 C can reconstruct s, but a set of shareholders A R C get no or little information on s.

356 A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362

We say that a subset A # P is qualified if the parties in A jointly are allowed to reconstruct the secret s. In a LISS scheme,the shares consist of a collection of integers,fsigi2I , where for each i 2 I, the integer si belongs to exactly one party and si iscomputed by a linear integer combination of sand some randomness chosen by the dealer. Given a qualified subset of sharesfsigi2I0 , then the secret can be reconstructed by a linear combination s ¼

Pi2I0kisi, where fkigi2I0 are integer coefficients that

are determined by the index I0. We use a distribution matrix M 2 Zd�e and a corresponding surjective functionW : f1; . . . ; dg ! P. We say that the ith row is labeled by WðiÞ or owned by party PWðiÞ. We use a distribution vector

q ¼ ðs;q2; . . . ;qeÞ where s is the secret, and the q0is are uniformly random chosen integers in ½�2‘0þk;2‘0þk�, where k is thesecurity parameter and ‘0 is a constant. The dealer D calculates shares by

M � q ¼ ðs1; . . . ; sdÞT ð1Þ

where we denote each si as a share unit for 1 6 i 6 d andT denotes the transpose. The ith share unit is then given to theWðiÞ0th shareholder. If A # P is a set of shareholders, then MA denotes the restriction of M rows jointly owned by A.

Definition 2. A LISS scheme is correct, if the secret is reconstructed from shares fsi=i 2 Ag where A is a authorized set ofshareholders, by taking an integer linear combination of the shares, with coefficient that depend only on the index set A.

Definition 3. A LISS scheme is private, if for any two secrets s; s0 2 ½�2‘;2‘�, and independent random coins r; r0 and anyunauthorized set A of shareholders, the distribution of fsiðs; r; kÞ=i 2 Ag and fsiðs0; r0; kÞ=i 2 Ag are statistically indistinguish-able. More precisely, the statistical distance between the two distributions is negligible in k.

2.3. Integer span program

Definition 4. M¼ ðM;W; nÞ is called an Integer Span Program (ISP) if M 2 Zd�e and the d rows of M are labeled by asurjective function W : f1; . . . ; dg ! P. Finally n ¼ ð1;0;0; . . . 0ÞT 2 Ze is called the target vector. We define sizeðMÞ ¼ d,where d is the number of rows of M.

Definition 5. Let C be a monotone access and let M¼ ðM;W; nÞ be an integer span program. Then M is an ISP, if for allA # f1; . . . ;ng the following holds.

1. If A 2 C, then there is a vector k 2 Zd such that MTAk ¼ n.

2. If A R C, then there exists k ¼ ðk1; . . . ; keÞT 2 Ze such that MA � k ¼ 0 2 Zd with k1 ¼ 1, which is called the sweeping vectorfor A.

If we have an ISPM¼ ðM;W; nÞwhich computes C, we build a LISS scheme for C as follows: We use M as the distributionmatrix and ‘0 ¼ ‘þ dlog2ðkmaxðe� 1ÞÞe þ 1, where ‘ is the length of the secret and kmax ¼ maxfjaj=a is an entry in somesweeping vectorg.

Lemma. If A 2 C, then there exists a reconstruction vector kA such that MTAkA ¼ n.

Proof. We can reconstruct kA based on the induction in the number of variables (attributes) present in the formula P thatrepresents the access structure C.

If M 2 Zd�e, then we construct the reconstruction vector k 2 Zd for A 2 C, such that MT � k ¼ n.In the initial case, P ¼ x, there is only one party, and the distribution matrix is M = (1), i.e., the party gets the secret s, so

the reconstruction vector is k ¼ ð1ÞT .In the case of an OR-term, P ¼ Pa

WPb, then Ma and Mb be the matrices that represent the formulas Pa and Pb

respectively. It is obvious that one of the matrices is enough to reconstruct the secret. Take the reconstruction vectorbelonging to the matrix with which it is possible to reconstruct the secret, e.g., ka ¼ ðk1; . . . ; ktÞT . The new reconstructionvector for the OR-term is kOR ¼ ðk1; . . . ; kt; 0; . . . ;0Þ, we put zeros in the entries that represent the shares from Mb.

In the case where there is an AND-term P ¼ PaVPb, then let the matrices Ma and Mb represent the formulas Pa and Pb

respectively. By assumption each of the matrices Ma and Mb can reconstruct their part of the secret, let ka ¼ ðka1 ; . . . ; kat ÞT and

kb ¼ ðkb1; . . . ; kbt

ÞT be the reconstruction vector for the AND-term is:kAND ¼ ðka1 ; . . . ; kat ;�kb1

; . . . ;�kbtÞT , because, if we define

ka0 ¼ ðka1 ; . . . ; kat ;0; . . . ;0ÞT

kb0 ¼ ð0; . . . ;0; kb1 ; . . . ; kbt ÞT

we know that if M is the distribution matrix that represents the AND-term, then

A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362 357

ðM � qÞT � ka0 ¼ sþ q2

ðM � qÞT � kb0 ¼ q2

i.e., we have that

ðM � qÞT � ka0 � ðM � qÞT � kb0 ¼ ðM � qÞT � ðka0 � kb0 Þ ¼ ðM � qÞ

T � kAND ¼ sþ q2 � q2 ¼ s

which concludes the proof. h

2.3.1. Secret reconstructionAn authorized set A can compute the secret by taking a linear combination of their values, since there exists kA 2 ZdA such

that MTA � kA ¼ n (as per Definition 5).

With the secret shares of sA it is justified to reconstruct the secrets by the following way

sTA � kA ¼ ðMA � qÞT � kA ðby Eq: ð1ÞÞ

¼ qT � ðMTA � kAÞ ¼ qT � n ¼ s

2.4. Bilinear maps

Let G0; G1, be two multiplicative cyclic groups of prime order p. Let g be a generator of G0. Let e be a bilinear map,e : G0 � G0 ! G1. The bilinear map e has the following properties:

1. Bilinearity: for all u;v 2 G0, and a; b 2 Z�p, we have eðua;vbÞ ¼ eðu; vÞab.2. Non-degeneracy: eðg; gÞ – 1.

The map e is symmetric since eðga; gbÞ ¼ eðg; gÞab ¼ eðgb; gaÞ.

2.5. Decisional Bilinear Diffie–Hellman assumption

We define the Decisional Bilinear Diffie–Hellman problem as follows. A challenger chooses a group G0 is of prime order paccording to the security parameter. Let a; b; s 2 Z�p be chosen at random and g be a generator G0. The adversary givenðg; ga; gb; gsÞ must distinguish a valid tuple eðg; gÞabs 2 G1 from a random element Rin G1. An algorithm A that outputs{0,1} has advantage � in solving decisional BDH in G0 if

Pr½Aðg; ga; gb; gs;D ¼ eðg; gÞabsÞÞ ¼ 0� � Pr½Aðg; ga; gb; gs;D ¼ RÞ ¼ 0�P �

where Pr denotes the probability.

2.6. Ciphertext-Policy Attribute-Based Encryption

A Ciphertext-Policy Attribute-Based Encryption scheme consists of four fundamental algorithms: Setup, Key Generation,Encryption and Decryption. Let U be the set of attributes.

2.6.1. SetupThe setup algorithm takes no input other than the implicit security parameter. It outputs the public parameters PK and a

master key MK.

2.6.2. KeyGen (MK, S)The key generation algorithm takes as input the master key MK and a set of attributes S. It outputs a private key SK for the

attributes in S.

2.6.3. Encrypt (PK, P, m)The encryption algorithm takes as input the public parameters PK, the message m, and an access structure P over the

universe of attributes. The algorithm will encrypt m and produce a ciphertext CT such that only a user that possesses aset of attributes that satisfy the access structure will be able to decrypt the message. Assume that the ciphertext implicitlycontains P.

2.6.4. Decrypt (CT,SK)The decryption algorithm takes as input the ciphertext CT, which contains an access structure P, and a private key SK,

which is a private key for a set S of attributes. If the set S of attributes satisfies the access structure P then the algorithmwill decrypt the ciphertext and return a message m.

358 A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362

2.7. Security model for CP-ABE

The semantic security against chosen-plaintext attack (CPA) is modeled in the selective attribute model (sAtt), where theadversary must provide the challenge access tree he wishes to attack before he receives the public parameters from the chal-lenger. The game is carried out between a challenger and an adversary. Specifically, the game is as follows.

2.7.1. InitThe adversary chooses the challenge access policy s� and gives it to the challenger.

2.7.2. SetupThe challenger runs the Setup algorithm and gives the public parameters, PK to the adversary.

2.7.3. Phase1The adversary makes a secret key request to the KeyGen oracle for any attribute set x ¼ faj=aj 2 Ug with the restriction

that x not satisfying s�. The Challenger returns KeyGen ðMK;xÞ.

2.7.4. ChallengeThe adversary submits two equal length messages M0 and M1. The Challenger flips a random coin d, and encrypts Md un-

der s�. The ciphertext CT� is given to the adversary.

2.7.5. Phase 2The adversary can continue querying KeyGen with the same restriction as during Phase1.

2.7.6. GuessThe adversary outputs a guess d0 of d.

Definition 6. A ciphertext-policy attribute based encryption scheme is said to be secure against a chosen-plaintext attack(CPA) in the selective attribute model if any polynomial time adversaries have only a negligible advantage in the IND-sAtt-CPA game, where the advantage is defined to be � ¼ Pr½d0 ¼ d� � 1

2

�� ��.

3. Main construction

In our CP-ABE construction, it is required to convert the access policy into a distribution matrix M. The matrix M can beformulated using the following three rules [5]. After constructing the distribution matrix M, shares of the attributes are cal-culated using the distribution matrix M. Message m will be encrypted and then the attributes present in the access policy areencrypted using the corresponding attribute shares. Any one who satisfies the access policy is able to decrypt the ciphertext.

Now, we specify the method to form the access policy matrix M and then the construction of the encryption scheme.

3.1. Formation of access policy matrix M

Let Mu 2 Z1�1 be the matrix with single entry which is one, i.e., Mu ¼ ½1�. If we have a matrix Ma 2 Zda�ea then we can formca 2 Ze to represent the first column in Ma and Ra 2 Zðda�1Þ�ea to represent all but the first column in Ma.

3.1.1. Rule 1Each variable ai in the access policy P can be expressed by Mu.

3.1.2. Rule 2For any OR-term P ¼ Pa

WPb. Let Ma 2 Zda�ea and Mb 2 Zdb�eb be the matrices which express the formulas Pa and Pb

respectively. We can construct a matrix MOR 2 ZðdaþdbÞðeaþeb�1Þ expressing P, which is defined by letting the first column ofMOR be the concatenation of the two column vectors ca and cb, then letting the following da � 1 columns be the columnsof Ra expanded with eb succeeding zero entries, and the last db � 1 columns be the columns of Rb expanded with ea leadingzero entries. This is visualized by

MOR ¼ca Ra 0cb 0 Rb

3.1.3. Rule 3For any AND-term P ¼ Pa

VPb. Let Ma 2 Zda�ea and Mb 2 Zdb�eb be the matrices which express the formulas Pa and Pb

respectively. We can construct a matrix MAND 2 ZðdaþdbÞðeaþebÞ which expresses the access policy P. It is defined by lettingthe first column of MAND be the column vector ca expanded with eb succeeding zero entries, the next column to be the con-

A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362 359

catenation of ca and cb the following da � 1 columns be the columns of Ra expanded with eb succeeding zero entries, and thelast db � 1 columns be the columns of Rb expanded with ea leading zero entries. This is visualized by

MAND ¼ca ca Ra 00 cb 0 Rb

For example if we have an access policy P ¼ ða1V

a2ÞWða3

Va4Þ, then Pa ¼ ða1

Va2Þ; Pb ¼ ða3

Va4Þ.

Pa can be represented as Ma ¼1 10 1

� �and Pb can be represented as Mb ¼

1 10 1

� �by using AND-rule on

a1 and a2; a3 and a4 respectively. We can expressM by using OR-rule on Pa; Pb and their respective matrix Ma; Mb finally.

M ¼

1 1 00 1 01 0 10 0 1

0BBB@

1CCCA

Note that each attribute in the access policy owns the corresponding row in the resulting matrix M.If an attribute presents more than once in the access policy, then it owns more than one row in the resulting matrix M. For

example if we have an access policy K ¼ ða1V

a2ÞWða1

Va3Þ

Wða2

Va3Þ, then the matrixMis given by

1 1 0 00 1 0 01 0 1 00 0 1 01 0 0 10 0 0 1

0BBBBBBBB@

1CCCCCCCCA

where rows 1 and 3 are owned by attribute a1, rows 2 and 5 are owned by a2, and rows 4 and 6 are owned by attribute a3

finally. Also, the above access policy K represents the threshold 2 out of 3 access structure.In the above example the minimal sets which can reconstruct the secret are:

ða1; a2Þ; ða1; a3Þ; and ða2; a3Þ:

If the party possessing the attributes ða1; a2Þ want to reconstruct the secret, they need to use the reconstruction vectorgiven by k ¼ ð1;�1;0;0;0;0ÞT .

On the other hand, if the parties possessing the attributes ða2; a3Þ want to reconstruct the secret, they need to use thereconstruction vector given by k ¼ ð0;0;0;0;1;�1ÞT .

3.2. CP-ABE scheme

3.2.1. Setup ð1kÞThe setup algorithm chooses a group G0 of prime orderp and a generator g. Let U ¼ fa1; a2; . . . ; ang be the set of attributes.

It chooses random elements t1; t2; . . . ; tn; a 2 Zp. Let y ¼ eðg; gÞa, and Tj ¼ gtj ð1 6 j 6 nÞ.The Public Key is PK ¼ ðg; y; Tjð1 6 j 6 nÞÞ and the Master Secret Key is MK ¼ ða; tjð1 6 j 6 nÞÞ.

3.2.2. KeyGen (MK, S)This algorithm takes as input the master secret key and a set S of attributes and performs the following:

(a) Select random values a; r 2 Zp and compute d0 ¼ ga�ar .(b) For each attribute aj 2 S, compute dj ¼ gart�1

j .(c) The secret key is SK ¼ ðd0;8aj 2 S : djÞ.

3.2.3. Encrypt (PK, P, m)The encryption algorithm takes as input the public key, a message m 2 G1 to encrypt and the access policy P.

Step 1 Select a random element s 2 ½�2‘;2‘� and compute C0 ¼ gs. M is the distribution matrix constructed by the abovemethod for the access policy P. Choose q ¼ ðs;q2; . . . ;qeÞ

T , where q0is are uniformly random chosen integers in½�2‘0þk;2‘0þk�.Step 2 Compute M � q ¼ ðs1; . . . ; sdÞT .

(a) C0 ¼ m � ys ¼ m � eðg; gÞas.(b) For each attribute in P, compute Ci ¼ Tsi

i using the corresponding shares of the attribute ai.

The ciphertext is published as CT ¼ ðC0;C0;Ci; i ¼ 1 to dÞ along with M.

360 A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362

3.2.4. Decrypt (CT, SK)The decryption algorithm takes as input a ciphertext CT along with M and a private key for a set A # S. Suppose A satisfies

the access policy P, then there is a vector kA 2 ZdA such that MTAkA ¼ n (as per Definition 5). With this, it is possible to recon-

struct the secret usingP

i2Akisi ¼ s.The decryption algorithm computes

C 0

eðC0; d0ÞQ

i2AeðCi; ðdiÞki Þ� �

¼ m � eðg; gÞas

eðgs; ga�arÞQ

i2Ae Tsii ; gart�1

i

� �ki� �� �

¼ m � eðg; gÞas

eðgs; ga�arÞQ

i2Ae gtisi ; gart�1i

� �ki� �� �

¼ m � eðg; gÞas

eðgs; ga�arÞQ

i2Aeðg; gÞarsiki

� �

¼ m � eðg; gÞas

eðgs; ga�arÞQ

i2Aeðg; gÞars� �

¼ m � eðg; gÞas

ðeðgs; ga�arÞeðg; gÞarsÞ

¼ m

3.3. Security analysis

3.3.1. Theorem 1Suppose the Decisional Bilinear Diffie–Hellman assumption holds, then no polynomial adversary can selectively break our

system.

3.3.2. ProofSuppose we have an adversary Awith non-negligible advantage � in the selective security game against our construction.

We show how to use the adversary A to build a simulator B that is able to solve the DBDH assumption. The Challenger givesthe simulator B the DBDH challenge: ðg;A;B;C;DÞ ¼ ðg; ga; gb; gs;DÞ.

3.3.3. InitThe adversary chooses the challenge access policy ðM0; p�Þ and gives it to the simulator.

3.3.4. SetupThe simulator selects at random a0 2 Zp and implicitly sets a ¼ abþ a0 by letting eðg; gÞa ¼ eðga; gbÞeðg; gÞa

0. For all aj 2 U, it

chooses a random qj 2 Zp and set Tj ¼ g

1

M0i;j

qj

� �if aj R p�, otherwise Tj ¼ gqj .

The simulator B sends the public parameters to A.

3.3.5. Phase 1A makes secret key requests for any set of attributes x ¼ faj=aj 2 Ug with the restriction that aj2p�. On each request B

chooses a random variable v 2 Zp, and finds a vector k ¼ ðk1; k2; . . . ; keÞT 2 Ze such that M0 � k ¼ 0 with k1 ¼ 1. By the defini-tion of Sweeping vector, such a vector must exist. Simulator sets r value as v þ kjb.

Choose kj as k1 to compute,

d0 ¼ ga�aðvþk1bÞ ¼ gabþa0�av�ab ¼ ga0A�v

In calculating dj, we have the term M0i;ja � kjb and it gets canceled because of M0 � k ¼ 0

dj ¼ gaðvþkjbÞqjM0i;j ¼ AvM0i;jqj

d0 ¼ ga0A�v; dj ¼ AvM0i;jqj ; 8aj 2 x

Table 1Comparison of schemes.

Method CT PKS EN DE

GJPS [7] H U:n3:42max

� �H A:n3:42

max

� �H U:n3:42

max

� �H U:n3:42

max

� �Waters [19] Hðn2Þ Hðkmax:Aþ nmaxÞ Hðn2Þ Hðn:TÞOur method HðnÞ HðAÞ HðnÞ HðTÞ

A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362 361

3.3.6. ChallengeA submits two messages m0;m1 2 G1. The simulator flips a fair binary coin d, and returns the encryption of md. The

encryption of md can be done as follows:

C0 ¼ gs; C 0 ¼ mdDeðgs; ga0 Þ

The simulator will choose uniformly random integers z2; . . . ; zh in ½�2‘0þk;2‘0þk� and share the secret s using the vectorU ¼ ðs; z2; . . . ; zhÞ.

Create the distribution matrix M, for the access policy p�. Compute M �U and use the shares to encrypt the access policywith corresponding qj for the attributes present in the access policy p�; Cj ¼ T

sj

j .

3.3.7. Phase 2Same as Phase 1.

3.3.8. GuessA outputs a guess d0 of d. The simulator then outputs 0 to the guesses that D ¼ eðg; gÞabs if d0 ¼ d; otherwise, it outputs 1

to indicate that it believes D is random group element in G1.When D is a tuple, the simulator B gives a perfect simulation. So we have that Pr½Bðq;D ¼ eðg; gÞabsÞ ¼ 0� ¼ 1

2þ �.When D is a random group element, the message md is completely hidden from the adversary and we have

Pr½Bðq;D ¼ RÞ ¼ 0� ¼ 12.

4. Efficiency

In Table 1, we give the comparison with Goyal et al. [7], Waters [19] and our method in terms of Ciphertext size (CT),Private Key Size (PKS), Encryption time (EN), Decryption time (DE) based on DBDH assumption. Let n be the number of attri-butes present in the access policy, A be the number of attributes in user’s key, T be the number of nodes satisfied by a user’sattributes, U be the number of attributes defined in the system, nmax be the bound on the size of the access formula, kmaxbe the maximum number of times a single attribute will appear in a particular formula. Our CP-ABE method achieves sig-nificantly better performance than Waters [19] and GJPS [7] method.

5. Conclusion

We proposed a new type of Ciphertext-Policy Attribute-Based Encryption based on linear integer secret sharing scheme.This scheme is very expressive and provably secure under the Decisional Bilinear Diffie–Hellman assumption.

References

[3] J. Bethencourt, A. Sahai, B. Waters, Ciphertext policy attribute based encryption, in: IEEE Symposium on Security and privacy, 2007, pp. 321–334.[4] L. Cheung, C. Newport, Provably secure ciphertext policy ABE, in: Proceedings of the 14th ACM Conference on Computer and Communications security

CCS, 2007, pp. 456–465.[5] I. Damgard, R. Thorbek, Linear integer secret sharing and distributed exponentiation, in: PKC, 2006, pp. 75–90.[6] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine grained access control of encrypted data, in: ACM Conference on Computer

and Communication Security, 2006, pp. 89–98.[7] V. Goyal, A. Jain, O. Pandey, A. Sahai, Bounded ciphertext policy attribute based encryption, in: L. Aceto, I. Damgard, L.A. Goldberg, M.M. Halldorsson, A.

INgolfsdottir, I. Walukiewicz (Eds.), ICALP, 2008, pp 579–591.[8] L. Ibraimi, Q. Tang, P. Hartel, W. Jonker, Efficient and provable secure ciphertext-policy attribute based encryption schemes, in: F. Bao, H. Li, G. Wang

(Eds.), ISPEC, 2009, pp. 1–12.[9] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, B. Waters. Fully secure functional encryption: attribute-based encryption and (Hierarchical) inner

product encryption, In: H. Gilber (Ed.), EUROCRYPT, 2010, pp 62–91.[10] A. Lewko, B. Waters, Decentralizing attribute-based encryption, in: EUROCRYPT, 2011, pp. 568–588.[14] T. Okamoto, K. Takashima, Fully secure functional encryption with general relations from the decisional linear assumption, in: T. Rabin (Ed.), CRYPTO,

2010, pp. 191–208.[16] A. Sahai, B. Waters, Fuzzy identity-based encryption, in: R. Cramer (Ed.), EUROCRYPT, 2005, pp. 457–473.[18] B. Waters, Dual system encryption: realizing fully secure IBE and HIBE under simple assumption, in: S. Halevi (Ed.), CRYPTO, 2009, pp. 153–170.[19] B. Waters, Ciphertext policy attribute based encryption: an expressive, efficient, and provably secure realization, in: PKC, 2011, pp. 53–70.

362 A. Balu, K. Kuppusamy / Information Sciences 276 (2014) 354–362

Further Reading

[1] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. Panafieu, C. Rafols, Attribute-based encryption schemes with constant-size ciphertexts, Theor.Comput. Sci. (2012) 15–38.

[2] A. Beimel, Secure Schemes for Secret Sharing and Key Distribution, Ph.D Thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.[11] A. Lewko, B. Waters, New proof methods for attribute-based encryption: achieving full security through selective techniques, in: CRYPTO, 2012, pp

180–198.[12] S. Liu, Y. Long, K. Chen, Key updating technique in identity-based encryption, Inform. Sci. 181 (2011) 2436–2440.[13] H.C. Lu, H.L. Fu, New bounds on the average information rate of secret-sharing schemes for graph-based weighted threshold access structures, Inform.

Sci. 240 (2013) 83–94.[15] B. Qin, Q.H. Wu, L. Zhang, O. Farras, J. Doming-Ferrer, Provably secure threshold public key encryption with adaptive security and short ciphertexts,

Inform. Sci. 200 (2012) 67–80.[17] L. Wang, J. Shao, Z. Cao, M. Mambo, A. Yamamura, L. Wang, Certifcate-based proxy decryption systems with revocability in the standard model,

Inform. Sci. 247 (2013) 188–201.[20] Z. Zhang, L. Zhu, L. Liao, M. Wang, Computationally sound symbolic security reduction analysis of the group key exchange protocols using bi-linear

pairings, Inform. Sci. 209 (2012) 93–112.