directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation
TRANSCRIPT
Information Sciences 295 (2015) 221–231
Contents lists available at ScienceDirect
Information Sciences
journal homepage: www.elsevier .com/locate / ins
Directly revocable key-policy attribute-based encryptionwith verifiable ciphertext delegation
http://dx.doi.org/10.1016/j.ins.2014.10.0200020-0255/� 2014 Elsevier Inc. All rights reserved.
⇑ Corresponding author at: School of Computer and Information Technology, Beijing Jiaotong University, 100044 Beijing, China. Tel.: +86 13488E-mail address: [email protected] (Y. Shi).
Yanfeng Shi a,⇑, Qingji Zheng b, Jiqiang Liu a, Zhen Han a
a School of Computer and Information Technology, Beijing Jiaotong University, Chinab Department of Computer Science, University of Texas at San Antonio, USA
a r t i c l e i n f o a b s t r a c t
Article history:Received 5 September 2013Received in revised form 5 May 2014Accepted 12 October 2014Available online 18 October 2014
Keywords:Attribute-based encryptionVerifiable ciphertext delegationDirect revocation
Attribute-based encryption (ABE) enables an access control mechanism by specifyingaccess control policies among decryption keys and ciphertexts. In this paper, we proposea novel ABE variant, dubbed directly revocable key-policy ABE with verifiable ciphertext del-egation (drvuKPABE), which supports direct revocation and verifiable ciphertext delegation.The drvuKPABE offers the following features which are promising in the data sharing appli-cations: (1) it allows the trusted authority to revoke users by solely updating the revoca-tion list while mitigating the interaction with non-revoked users, which is unlikely toindirectly revokable ABE; (2) it allows the third party to update ciphertexts with publicinformation so that those non-revoked users cannot decrypt them; and (3) it enablesany auditor (authorized by data owners) to verify whether the untrusted third partyupdated ciphertexts correctly or not. We formalize the syntax and security properties fordrvuKPABE, and propose the construction based on the multilinear maps. Our solutionattains the security properties under the ðdþ 3Þ-Multilinear Decisional Diffie–Hellmanassumption in the random oracle model.
� 2014 Elsevier Inc. All rights reserved.
1. Introduction
Cloud computing allows data users to outsource/share their data while enjoying affordable price and high scalability.Despite numerous advantages, data outsourcing hinders data owners managing outsourced data: how to preserve theprivacy of outsourced data and enforce access control policies on accessing it. Fortunately, attribute-based encryption(ABE) can be the right cryptographic tool solving these concerns: Data owners can specify access control policy on outsour-ced data while encrypting it, and users can decrypt ciphertexts only if their attributes satisfy the access control policy.
However, pure ABE is not sufficient for data sharing applications since users’ access rights are not static: a user’s accessright might be revoked if he/she leaves the organization. The variant, revocable ABE, can be a good candidate to fulfill thisrequirement, while still raising two related challenges: (i) how to mitigate the interaction with non-revoked users when thetrusted authority revokes users? and (ii) how to forbid revoked users decrypting ciphertexts that were generated previously?To the best of our knowledge, revocable ABE in the literature cannot resolve these challenges simultaneously (The detail willbe discussed in Section 1.1).
787156.
222 Y. Shi et al. / Information Sciences 295 (2015) 221–231
Our contribution. We propose a novel cryptographic solution, dubbed directly revocable key-policy attribute-basedencryption with verifiable ciphertext delegation (drvuKPABE). The solution allows data owner to enforce access control policyon outsourced encrypted data while offering the promising properties as follows: (1) direct revocation: when revoking users,the trusted authority only needs to update the revocation list, without any interaction with non-revoked users; (2) cipher-text delegation: in order to assure that prior ciphertexts cannot be decrypted by revoked users, outsourced encrypted datacan be updated by an untrusted third party (e.g., storage provider) with public known information. In addition, since thethird party might be untrusted, it naturally leads to the third promising properties: (3) update verifiability: it allows anyauditor (e.g., authorized by data owners) to verify whether ciphertexts were updated correctly from some prior revocationlist to the current revocation list or not.
We formally define the syntax and security properties of drvuKPABE and present a provably secure construction satisfyingthem. Building on top of multilinear maps, our construction is proved secure under the ðdþ 3Þ-MDDH assumption (seeSection 2) in the random oracle model. For fairness, we summarize the properties of revocable KPABE schemes in Table 1.
1.1. Related work
Attributed-based encryption (ABE), first introduced in [23], is an effective cryptographic primitive to preserve datasecrecy and enforce fine-grained access control policy simultaneously. There are two flavors of ABE according to how theaccess control policy is enforced: Key Policy ABE (KPABE) schemes (e.g., [12]) enforce access control policies in the decryp-tion keys while Ciphertext Policy ABE (CPABE) schemes (e.g., [24,11,4,9,3]) enforce access control policies in the ciphertexts.Many variants of ABE have been proposed to providing promising properties, e.g., attribute-based keyword search [27],multi-authority attribute-based encryption [7,15] and attribute-based encryption with outsourcing decryption [14,13].Among these features, how to construct revocable ABE is an active research topic.
Existing solutions for revocable ABE can be classified into two categories 1 depending on how to integrate revocation infor-mation: directly revocable ABE (e.g., [20,11,2]) and indirectly revocable ABE (e.g., [21,25]). In the setting of directly revocableABE, the trusted authority makes the revocation list (i.e., listing all revoked users’ identities) public known so that users canintegrate revocation information into the ciphertext while encrypting data, by which any revoked user cannot decrypt cipher-texts even his/her owned credentials satisfy access control policies specified by ciphertexts. The advantage of this approach isthat there is no need for the trusted authority to update decryption keys owned by non-revoked users. In the setting ofindirectly revocable ABE, instead of publishing the revocation list, the trusted authority needs to communicate withnon-revoked users and distribute new decryption keys to them. Despite that there is no need for users to know the revocationlist when conducting encryption, this approach requires non-revoked users updating their decryption keys, which is undesirablein data sharing applications involving a large number of participants. Note that the mechanism in both approaches only assuresthat revoked users cannot decrypt ciphertexts generated after revocation. To prevent revoking users from decryptingciphertexts that can be decrypted before revocation, some other mechanisms, e.g. proxy re-encryption [17,19,26] and sharingsome secret key in advance [16], are introduced, which need the interaction between the proxy and the trusted authority(or data owners). Note that another work [22] considers the problem of updating ciphertexts in the setting of indirectlyrevocable ABE, where the third party (e.g., storage provider) can update stored ciphertexts without any interaction with eitherdata owners or the trusted authority as long as the revocation event happens.
Different from prior solutions, we consider verifiable ciphertext delegation underlying the setting of directly revocableABE, which enjoys the advantage that the trusted authority has no need to update decryption keys of non-revoked userswhile still being able to delegate the third party to update ciphertexts.
2. Preliminaries and notations
Let x R X denote selecting element x from the set X uniformly at random, and UAtt ¼ fat1; . . . ; atNg be the attribute uni-verse. Table 2 summaries the notations that are used through the paper.
Multilinear maps. The concept of multilinear maps was introduced in [6] and came to reality by the works [10,8]. Givensecurity parameter ‘ and an ‘-bit prime p, a dþ 3 multilinear map consists of dþ 3 groups (G0;G1; . . . ;Gdþ2) with order p, anddþ 2 mappings ei : G0 � Gi ! Giþ1; i ¼ 0; . . . ; dþ 1. The multilinear maps should satisfy the following properties with respectto i; i ¼ 0; . . . ; dþ 1: (i) given that g0 2 G0 is a generator of G0, then giþ1 ¼ eiðg0; giÞ is a generator of Giþ1; (ii) 8a; b 2 Zp;
eiðga0; g
bi Þ ¼ eiðg0; giÞ
ab; and (iii) ei can be efficiently computed.ðdþ 3Þ-Multilinear Decisional Diffie–Hellman assumption (ðdþ 3Þ-MDDH). Given the multilinear maps and
g0; gz00 ; . . . ; gzd
0 ; ga0; g
b0; g
c0; Z, where z0; . . . ; zd; a; b; c Zp and Z Gdþ2, there exists no probabilistic polynomial algorithm A
that can determine gz0 ...zdabcdþ2 9Z with a non-negligible advantage with respect to security parameter ‘, where the advantage
is defined as
1 Thefly. How
Pr A gz0 ...zdabcdþ2 ; g0; g
z00 ; . . . ; gzd
0 ; ga0; g
b0; g
c0
� �¼ 1
h i� Pr A Z; g0; g
z00 ; . . . ; gzd
0 ; ga0; g
b0; g
c0
� �¼ 1
� ���� ���:
re is another work [1] (i.e., hybrid approach) that allows data users/authority to choose the revocation types (i.e., direct or indirect revocation) on theever, the revocation manner cannot be changed after being chosen.
Table 1Property summary for revocable KPABE schemes in the literature and the solution in this paper. Direct revocation means that the trusted authority can solelyupdate revocation list and there is no need to update non-revoked users’ decryption key. Ciphertext delegation means that ciphertexts can be updated by thethird party correspondingly when the revocation list is updated. Update verifiability means that the process of the third party updating ciphertexts can beaccountable.
Scheme Direct revocation Ciphertext delegation Update verifiability Security assumption
Scheme 1 [2]p � � n-BDHE
Scheme 2 [2]p � � r-MEBDH
[1]p � � DBDH
[5] � � � DBDH[22] � p � Three static assumptionsOur solution
p p pðdþ 3Þ-MDDH
Table 2Notations.
Notation Description
‘;p ‘ is a security parameter and p is an ‘-bit primeG0; . . . ;Gdþ2 Cyclic groups of order pei : G0 � Gi ! Giþ1 Bilinear mapping from G0 and Gi to Giþ1
LSSSðM;pÞ A linear secret sharing scheme that is specified by matrix M and injective function pP An access control policyR Revocation listmax The maximum number of attributes that are associated to a ciphertext
Y. Shi et al. / Information Sciences 295 (2015) 221–231 223
Linear secret sharing scheme. A linear secret sharing scheme (LSSS) can be used to represent an access control policy P viaðM;pÞ, where M ¼ ðZpÞl�k is an l� k matrix with entries belonging to Zp and p : f1; . . . ; lg ! UAtt is an injective function thatmaps a row into an attribute. Given an attribute set S � UAtt, denote by FðS;PÞ ¼ 1 if S satisfies access control policy P. ALSSS consists of two algorithms:
ShareððM;pÞ; sÞ: this algorithm is to distribute secret value s to attributes specified by p as follows: by selectingv2; . . . ; vk
RZp, setting v ¼ ðs;v2; . . . ;vkÞ and computing kpðiÞ ¼ Mi � v where Mi is the ith row of M, it assigns secret share
kpðiÞ to the attribute pðiÞ.CombineðS; ðkpðiÞ; . . . ; kpðlÞÞ; ðM;pÞÞ: this algorithm is to assemble the secret value from secret shares associated with the
attributes as follows: selecting subset I ¼ fijpðiÞ 2 Sg such that the attribute set fpðiÞji 2 Ig satisfies access control policyðM;pÞ, and computing coefficients ci; i 2 I such that
Pi2IciMi ¼ ð1;0; . . . ;0Þ, it sets the recovered secret to be
Pi2IcikpðiÞ ¼ s.
The correctness of algorithm Combine is assured by the following lemma:
Lemma 1 [24]. Let ðM;pÞ be a LSSS representing an access control policy P. For all attributes in S that do not satisfy P, there is apolynomial-time algorithm that outputs vector w ¼ ðw1; . . . ;wkÞ 2 Zk
p such that w1 ¼ 1 and Mi �w ¼ 0 for all i 2 ½1; . . . ; l�, wherepðiÞ 2 S.
Subset cover. Let T be a full binary tree with n leaves (representing n users), where each nodes are labeled, depthðxÞ denotethe depth (i.e., number of hops from the root) of node x such that depthðrootÞ ¼ 0. Let pathðxÞ ¼ fxi0 ¼ root; . . . ; xidepthðxÞ ¼ xgdenote the path from the root to node x.
Given the full binary tree T, the subset cover technique [18] can be used to encode revoked users. Specifically, given a setof leaf nodes R (corresponding to a set of revoked users), coverðRÞ is defined as follows: 8x 2 R, mark all nodes of pathðxÞ andthen coverðRÞ is the set of unmarked nodes that are the direct children of marked nodes in T. Consider the example in Fig. 1where T contains 8 leaves x1; . . . ; x8. Given R ¼ fx1; x4g, by marking nodes in pathðx1Þ ¼ fx15; x13; x9; x1g andpathðx4Þ ¼ fx15; x13; x10; x4g, we can see that coverðRÞ ¼ fx2; x3; x14g. The leaves covered by the nodes in coverðRÞ are non-revoked users.
3. drvuKPABE: syntax and security
Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation (drvuKPABE) is a naturalextension for key-policy ABE where decryption keys are associated to access control policies and ciphertexts are associatedto attributes, while offering two promising properties when the user revocation happens: (i) there is no need to update non-revoked users’ decryption keys; and (ii) an untrusted third party is allowed to update ciphertexts with public information(without leaking any information of plaintext with respect to the ciphertext) and (iii) any auditor can verify whether thethird party has executed the ciphertexts update honestly or not.
Fig. 1. Subset cover technique to encode the revocation list. Given the revocation list R ¼ fx1; x4g, the nodes of pathðx1Þ and pathðx4Þ are marked (in graycolor), and then coverðRÞ ¼ fx2; x3; x14g (in red color). (For interpretation of the references to color in this figure legend, the reader is referred to the webversion of this article.)
224 Y. Shi et al. / Information Sciences 295 (2015) 221–231
Definition 1. A drvuKPABE scheme consists of seven algorithms as follows:ðpm;mkÞ Setupð1‘Þ: this algorithm is run by the trusted authority, who is responsible for managing users and issuing
decryption keys, to generate the master secret key mk and the public parameter pm. For brevity, we assume that thefollowing algorithms implicitly take pm as part of inputs.
sk KeyGenðmk;P; uidÞ: given the access control policy P, this algorithm is run by the trusted authority to generate thedecryption key sk for the user identified by uid.
cph Encðm; S;RÞ: this algorithm is to encrypt the message m and output a ciphertext cph, where S is an attribute set andR is the revocation list.fm;?g Decðcph; skÞ: this algorithm is to decrypt the ciphertext cph with the decryption key sk. The decryption can be
done successfully only if (i) the attribute set S associated to cph satisfies the access control policy P specified by thedecryption key; and (ii) the user identity specified by the decryption key has not been revoked according to the revocationlist specified by cph. Otherwise, it outputs an error message ?.
cph0 Updateðcph;R0Þ: this algorithm allows any third party to update ciphertext cph with respect to R to a newciphertext cph0 with respect to a new revocation list R0, where R � R0.f0;1g Verifyðcph; cph0Þ: this algorithm is run by any party (i.e., the data owner outsourcing cph) to verify whether cph0 is
updated correctly from cph when the revocation list R (specified by cph) is changed to R0 (specified by cph’). It outputs 1 if theupdate is correct, and 0 otherwise.
The correctness of a drvuKPABE scheme can be defined as follows: given ðpm;mkÞ Setupð1‘Þ, for any message m, anyattribute set S, and revocation lists R and R0 such that R � R0, let cph Encðm; S;RÞ and cph0 Updateðcph;R0Þ, thedrvuKPABE scheme is correct only if the following always holds: (i) 1 Verifyðcph; cph0Þ; (ii) given sk KeyGenðmk;P; uidÞwhere FðS;PÞ ¼ 1 and uid R R;Decðcph; skÞ ¼ m; and (iii) given sk KeyGenðmk;P; uidÞ where FðS;PÞ ¼ 1 and uid R R0 , thenDecðcph0; skÞ ¼ m.
The adversary model against drvuKPABE is the following: unauthorized data users (i.e., attributes do not satisfy the accesscontrol policy) and revoked data users (i.e., identities are shown in the revocation list) are malicious and try their best tolearn any information from ciphertexts. The party (i.e., cloud) that transforms ciphertexts when the revocation list wasupdated might be malicious in the sense that it can perform the ciphertext update dishonestly. Specifically, given a proba-bilistic polynomial time adversary A, a drvuKPABE is secure only if the following holds:
(i) Selective security against chosen-plaintext attack on original ciphertext. The adversary A (modeling unauthorized/revoked data users) cannot infer any information about the plaintext of an original ciphertext (i.e., without beingupdated) in the selective security model. This property is formalized by the selective security game on originalciphertext.
(ii) Selective security against chosen-plaintext attack on updated ciphertext. The adversary A (modeling revoked datausers) cannot infer any information about the plaintext of an updated ciphertext in the selective security model. Thisproperty is formalized by the selective security game on updated ciphertext.
(iii) Update verifiability. The adversary A (modeling any third party that updates ciphertexts) cannot update ciphertextsincorrectly without being caught. This property is formalized by the verifiability game.
3.1. Selective security game on original ciphertext
Setup: the adversary A chooses an attribute set S� and a revocation list R�, and sends them to the challenger. Thechallenger runs Setup to produce pm;mk, sends pm to A and keeps mk secret.Phase 1: A is allowed to query the following oracle in polynomially many times:
� OKeyGenðuid;PÞ: If FðS�;PÞ ¼ 1 and uid R R� simultaneously, then abort. Otherwise, the challenger runssk KeyGenðmk;P; uidÞ and returns sk to A.
Y. Shi et al. / Information Sciences 295 (2015) 221–231 225
Challenge: A chooses two message m0 and m1 of equal length, and sends them to the challenger. The challenger selectsr R f0;1g, runs cph� ¼ Encðmr; S
�;R�Þ and forwards cph� to A.Phase 2: A queries the oracle the same as in Phase 1.Guess: A outputs a guess r0. We say A wins this game if r ¼ r0.
Definition 2. A drvuKPABE scheme achieves selective security on original ciphertext if the advantage of any adversary Awinning the selective security on original ciphertext is negligible at most with respect to security parameter ‘, where theadvantage is defined as Pr½r0 ¼ r� � 1=2.
3.2. Selective security game on updated ciphertext
Setup: the adversary A chooses an attribute set S� and two revocation lists R and R� where R � R�, and sends them to thechallenger. The challenger runs Setup to produce pm;mk, sends pm to A and keeps mk secret.Phase 1: A is allowed to query the following oracle in polynomially many times:
� OKeyGenðuid;PÞ: If FðS�;PÞ ¼ 1 and uid R R� simultaneously, then abort. Otherwise, the challenger runssk KeyGenðmk;P; uidÞ and returns sk to A.
Challenge: A selects two message m0 and m1 of equal length, and sends them to the challenger. The challenger selectsr R f0;1g, runs cph ¼ Encðmr; S
�;RÞ and cph� Updateðcph;R�Þ, and forwards cph� to A.Phase 2: A queries the oracle the same as in Phase 1.Guess: A outputs a guess r0. We say A wins this game if r ¼ r0.
Definition 3. A drvuKPABE scheme achieves selective security on updated ciphertext if the advantage of any adversary Awinning the selective security on updated ciphertext is negligible at most with respect to security parameter ‘, where theadvantage is defined as Pr½r0 ¼ r� � 1=2.
3.3. Verifiability game
Setup: the adversary A chooses an attribute set S� and sends it to the challenger. The challenger runs Setup to producepm;mk and sends pm to A and keeps mk secret.Phase 1: A is allowed to query the following oracles in polynomially times:
� OKeyGenðuid;PÞ: the challenger runs sk KeyGenðmk;P; uidÞ and returns sk to A.Challenge: A selects a message m, and two revocation lists R and R�, where R � R�, and sends them to the challenger. Thechallenger runs cph ¼ Encðm; S�;RÞ and sends cph to A.Guess:A returns a updated ciphertext cph� to the challenger with respect to the revocation list R�. We say thatAwins thisgame if 1 Verifyðcph; cph�Þ and the distribution of Viewðcph�Þcph and cph0 are computationally distinguishable, wherecph0 Updateðcph;R�Þ produced by the challenger, and Viewðcph�Þcph is a random variable representing the challenger’sview regarding the Update algorithm with input cph and R�.
Definition 4. A drvuKPABE scheme achieves update verifiability if the probability of A winning the verifiability game isnegligible at most with respect to the security parameter ‘.
4. Main construction
High level idea. In order to construct drvuKPABE, there are mainly two challenges to be resolved: (i) how to make therevoked users’ credentials invalid without affecting other non-revoked users’ credentials? and (ii) how to allow any thirdparty (e.g., storage provider) to update ciphertexts with public information (i.e., publicly known revocation list)?
In order to resolve the first challenge, the intuition is to separate a user’s decryption key into two components, where oneis related to access control policy, and the other one is related to the user’s identity (meaning that the secret value should bedivided into two shares, which are distributed to two respective components). In addition, the ciphertext is composed of twoparts, where one is related to the attribute set, and the other is associated to the revocation list. Intuitively, only the attributeset satisfies the access control policy and the user’s identity is beyond the revocation list, the plaintext underlying the cipher-text can be recovered. The importance thing here is how to represent that the user’s identity is or is not in the revocation list.This naturally leads to the adoption of the subset cover technique. Generally speaking, given the revocation list R, the subsetcover coverðRÞ can be used to represent non-revoked users (i.e., the leaves that are rooted at nodes of the cover set). There-fore, combining with the multilinear mappings, the second component of the decryption key and second part of the cipher-text can be used to be computed together to recover some secret (indeed it is a function of the secret share generated by thetrusted authority).
226 Y. Shi et al. / Information Sciences 295 (2015) 221–231
In order to solve the second challenge, we utilize the one-way property of multilinear mappings, so that original cipher-texts are allowed to be updated as long as the revocation list changes. This works because nodes of the new subset cover(with respect to the new revocation list) are children of nodes in the prior subset cover (with respect to prior revocation).Note here we only consider the case that the user is changed from non-revoked status to revoked status. In this paper wecannot deal with the case that revoked users are changed to the non-revoked status.
drvuKPABE Construction we encode an access control policy with ðM;pÞ, where M is an l� k matrix. Let max be themaximum size of attributes allowed to associated with a ciphertext. Let 2d be the number of users and U be the useruniverse in the system so that jUj ¼ 2d and the depth for all leaves in the full binary tree T is d. The drvuKPABE
scheme can be constructed as follows:Setup(1‘): this algorithm initializes the public parameter and master key as follows:
� It generates a dþ 2 multilinear map: fei : G0 � Gi ! Giþ1ji ¼ 0; . . . ; dþ 1g, where (G0;G1; . . . ;Gdþ2) are cyclic group of order
p respectively. Let g0 be a generator of G0, such that giþ1 ¼ eiðg0; giÞ is the generator of Giþ1 for i ¼ 0; . . . ; dþ 1. Let a; b R Zp.� Let H1;H2 be two secure hash functions modeled as random oracles, such that H1 : f0;1g� ! Zp and H2 : f0;1g� ! G0.� Let max be the maximum number of attributes that can be associated to a ciphertext, and select hj
RGdþ1;0 6 j 6max.
Given y 2 Zp, define the function QðyÞ ¼Qmax
j¼0 hyj
j
� �.
It sets the public parameter and master key as
pm ¼ ðe0; . . . ; edþ1;G0; . . . ;Gdþ2; g0; . . . ; gdþ2; edþ1ðg0; gdþ1Þa; gb
0;H1;H2; h0; . . . ; hmaxÞ;mk ¼ ða; bÞ:
KeyGenðmk; ðM;pÞ; uidÞ: given the user identity uid 2 U, suppose pathðuidÞ ¼ fxi0 ; . . . ; xidg in the full binary tree T such thatxi0 ¼ root and xid ¼ uid (note that the height of the full binary tree is equal to the number of mappings in multilinear maps.Therefore the maximum number of users in the system is 2d). The decryption key for user uid can be generated as follows:
� Select a1;v2; v3; . . . ;vk R
Zp, and set a2 such that a ¼ a1 þ a2 mod p,� Let v ¼ ða1;v2; . . . ;vkÞ. For i ¼ 1; . . . ; l (note that M is an l� k matrix), compute kpðiÞ ¼ Mi � v, and set
Dð1Þi ¼ gkpðiÞdþ1QðH1ðpðiÞÞÞri ;Dð2Þi ¼ gri
0 by selecting ri R
Zp.� Given pathðuidÞ, let Pxi0
¼ e0 H2ðxi0 Þ; gb0
� �, and then compute Pxij
¼ ejðH2ðxij Þ; Pxij�1Þ for j ¼ 1; . . . ; d. Let
Dð3Þ ¼ ga2dþ1Pt
uid;Dð4Þ ¼ gt
0 by selecting t R Zp.
The decryption key is set to
sk ¼ uid; ðM;pÞ; Dð1Þi ;Dð2Þi
� �i2½1;l�
;Dð3Þ;Dð4Þ
:
Encðm; S;R): the message m 2 Gdþ2 can be encrypted as follows:
� Select s R Zp and set Cð1Þ ¼ medþ1ðg0; gdþ1Þas;Cð2Þ ¼ gs
0.� Given an attribute at 2 S, let Cð3Þat ¼ QðH1ðatÞÞs.� Suppose coverðRÞ is the cover set with respect to the revocation list R. Given x 2 coverðRÞ, let pathðxÞ ¼ fxi0 ; . . . ; xidepthðxÞ g such
that xi0 ¼ root and xidepthðxÞ ¼ x. Let Pxi0¼ e0 H2ðxi0 Þ; g
b0
� �. For j ¼ 1; . . . ; depthðxÞ, compute Pxij
¼ ejðH2ðxij Þ; Pxij�1Þ , and set
Cð4Þx ¼ Psx.
The ciphertext is set to
cph ¼ S;R;Cð1Þ;Cð2Þ; Cð3Þat
n oat2S
; Cð4Þx
n ox2coverðRÞ
:
Decðcph; skÞ: given cph and sk, the decryption can be done as follows:
� If either the user’s identity uid 2 R or the attribute set S does not satisfy the access control policy specified by ðM;pÞ, thenreturn ?. Otherwise, proceed as follows.� Since uid R R, there always exists a node x such that x 2 ðpathðuidÞ \ coverðRÞÞ. Suppose pathðuidÞ ¼ fxi0 ; . . . ; xidepthðxÞ ; . . . ; xidg
where xidepthðxÞ ¼ x and xid ¼ uid. Let P0xidepth ðxÞ¼ Cð4Þx and compute P0xijþ1
¼ ejþ1 H2ðxijþ1Þ; P0xij
for j ¼ depthðxÞ; . . . ; d� 1. Eventu-
ally, P0uid ¼ P0xid.
� Since the attribute set S satisfying the access control policy specified by ðM;pÞ, there exists ci’s such thatPpðiÞ2SciMi ¼ ð1; 0; . . . ;0Þ, and having
Y. Shi et al. / Information Sciences 295 (2015) 221–231 227
K ¼Y
pðiÞ2S
edþ1ðCð2Þ;Dð1Þi Þedþ1ðDð2Þi ;Cð3ÞpðiÞÞ
!ci
� edþ1ðCð2Þ;Dð3ÞÞedþ1 Dð4Þ; P0uid
� � :The message can be obtained by computing m ¼ Cð1Þ=K.
Updateðcph;R0Þ: given a new revocation list R0; cph can be updated as follows: suppose coverðR0Þ and coverðR0Þ are the coversets with respect to the revocation lists R0 and R, respectively. Given x0 2 coverðR0Þ,
� If there exists x 2 coverðRÞ such that x ¼ x0, then set eC ð4Þx0 ¼ Cð4Þx .� Otherwise, there exists x 2 coverðRÞ such that x is an ancestor of x0. Let pathðx0Þ ¼ pathðxÞ [ fxidepthðxÞþ1 ; . . . ; xdepthðx0 Þg where
xidepthðxÞ ¼ x and xidepthðx0 Þ ¼ x0, and set P0xidepth ðxÞ¼ Cð4Þx . For j ¼ depthðxÞ; . . . ; depthðx0Þ � 1, compute P0xijþ1
¼ ejþ1ðH2ðxijþ1Þ; P0xij
Þ. Even-
tually, set eC ð4Þx0 ¼ P0x0 .� Let eC ð1Þ ¼ Cð1Þ; eC ð2Þ ¼ Cð2Þ; eC ð3Þat ¼ Cð3Þat .
The updated ciphertext is set to
cph0 ¼ S;R0; eC ð1Þ; eC ð2Þ; eC ð3Þat
n oat2S
; eC ð4Þx0
n ox02coverðR0 Þ
:
Verify(cph; cph0): the verification of updating cph0 from cph can be done as follows:
� Verify whether the following equations hold simultaneously:
Cð1Þ ¼ eC ð1Þ; Cð2Þ ¼ eC ð2Þ;8at 2 S; Cð3Þat ¼ eC ð3Þat ;
8x 2 coverðRÞ \ coverðR0Þ; Cð4Þx ¼ eC ð4Þx :
If not, then output 0. Otherwise, proceed to the following step.� For i ¼ 1; . . . ; d, figure out nodes x01; . . . ; x0g such that x0j 2 coverðR0Þ � coverðRÞ and depthðx0jÞ ¼ i, select c1; . . . ; cg
RZp, and
verify
edepthðx0Þþ1 Cð2Þ;Ygi¼1
Pcix0
i
!¼ edepthðx0 Þþ1 g0;
Ygi¼0
eC ð4Þx0i
� �ci
!:
If there exists i;1 6 i 6 d, such that the above equation does not hold, then output 0. Otherwise, return 1.
The correctness of the decryption can be verified as follows:
K 0 ¼Y
pðiÞ2S
edþ1ðCð2Þ;Dð1Þi Þedþ1ðDð2Þi ; Cð3ÞpðiÞÞ
!ci
¼Y
pðiÞ2S
edþ1 gs0; g
kpðiÞdþ1QðpðiÞÞri
� �edþ1 gri
0 ;QðpðiÞÞs� �
0@ 1Aci
¼Y
pðiÞ2Sedþ1 gs
0; gkpðiÞdþ1
� �ci¼ edþ1ðg0; gdþ1Þ
PpðiÞ2ScikpðiÞs
¼ edþ1ðg0; gdþ1Þa1s;
K 00 ¼ edþ1ðCð2Þ;Dð3ÞÞedþ1ðDð4Þ; P0dÞ
¼edþ1 gs
0; ga2dþ1Pt
uid
� �edþ1 gt
0; Psuid
� � ¼ edþ1ðg0; gdþ1Þa2s;
K ¼ K 0K 00 ¼ edþ1ðg0; gdþ1Þa1sedþ1ðg0; gdþ1Þ
a2s ¼ edþ1ðg0; gdþ1Þas:
Therefore, we have Cð1Þ=K ¼ medþ1ðg0; gdþ1Þas=edþ1ðg0; gdþ1Þ
as ¼ m
5. Security analysis
In the following: we show that the proposed scheme achieves selective security against chosen-plaintext attack on ori-ginal ciphertext, selective security against chosen-plaintext attacks on updated ciphertext and update verifiability,respectively.
Theorem 1. Assume that ðdþ 3Þ-MDDH assumption holds, the proposed scheme achieves selective security against chosen-plaintext attack on original ciphertext in the random oracle model.
228 Y. Shi et al. / Information Sciences 295 (2015) 221–231
Proof. We prove it by showing that if there exists a probabilistic polynomial time adversary A breaking the selective secu-rity game on original ciphertext with advantage �, then we can construct a challenger solving ðdþ 3Þ-MDDH problem withadvantage �=2.
Given an instance of ðdþ 3Þ-MDDH problem ðg0; gz00 ; . . . ; gzd
0 ; ga0; g
b0; g
c0; ZÞwhere g0; g
z00 ; . . . ; gzd
0 ; ga0; g
b0; g
c0
RG0; Z
RGdþ2 and
z0; . . . ; zd; a; b; c are unknown, the challenger simulates the game as follows:Setup:A selects an attribute set S� and a revocation list R�, and sends them to the challenger. The challenger generates the
public parameters and master key as follows:
� Given the attribute set S�, let /ðyÞ ¼ ymax�jS�j �Q
at2S� ðy� H1ðatÞÞ. By being expanded, it can be written as /ðyÞ ¼Pmax
j¼0 /jyj
where /j is the coefficient of yj and therefore /j ¼ 0 for j ¼ 0; . . . ;max�jS�j.� Select u0; . . . ;umax
RZp, and define uðyÞ ¼
Pmaxj¼0 ujy
j.
� Apply multilinear mapping on gz00 ; . . . ; gzd
0 ; ga0 to obtain ga0
dþ1 so that a0 is implicitly set to z0z1 . . . zda.
� Let hj ¼ ga0/jþuj
dþ1 ;0 6 j 6 max, and define QðyÞ ¼ ga0/ðyÞþuðyÞdþ1 ¼
Qmaxj¼0 g
ða0/jþujÞyj
dþ1 .� Select z R Zp, and set the public parameters as
pm ¼ e0; . . . ; edþ1; g0; . . . ; gdþ1;G0; . . . ;Gdþ2; edþ1ðgb; ga0dþ1Þ; gbþz
0 ;H1;H2; h0; . . . ; hmax� �
by implicitly setting the master key a ¼ a0b and b ¼ bþ z.
Moreover, given the revocation list R�, let vR� ¼ fx 2 pathðuidÞjuid 2 R�g, and H1;H2 are simulated as follows:
� OH1 ðatÞ: if at has not been queried before, select u R Zp, set H1ðatÞ ¼ u, and add ðat;H1ðatÞÞ to the list LH1 . Otherwise,retrieve H1ðatÞ from LH1 with respect to at. It returns H1ðatÞ.� OH2 ðxÞ: given the label x that can be either the label for inner node or user identity with respect to leaf, the random oracle
works as follows:In the case of x 2 vR� : If x has not been queried before, select v R Zp, set H2ðxÞ ¼ g
zdepthðxÞ0 gv
0 , and add ðx;v ;H2ðxÞÞ to the listLH2 . Otherwise, retrieve H2ðxÞ from LH2 with respect to x.In the case of x R vR� : If x has not been queried before, select v R Zp, set H2ðxÞ ¼ gv
0 , and add ðx;v ;H2ðxÞÞ to the list LH2 .Otherwise, retrieve H2ðxÞ from LH2 with respect to x.It returns H2ðxÞ.
Phase 1: A can query the oracle in polynomial many times:
� OKeyGenðuid;PÞ: given user’s identity uid and the access control policy P specified by ðM;pÞ, the challenger proceeds as fol-lows:In the case of uid R R� and FðS�; PÞ ¼ 1 simultaneously, then abort.
In the case of uid 2 R�, it selects a1 R
Zp and computes Dð1Þi ;Dð2Þi as that specified by algorithm KeyGen. Suppose
pathðuidÞ ¼ ðx0; . . . ; xd ¼ uidÞ, and xj 2 vR� and H2ðxjÞ ¼ gzjþv j0 since uid 2 R�. It computes Puid ¼ g
ðPd
j¼0ðzjþv jÞÞðbþzÞ
dþ1 by applying
mappings on gz0þv00 ; . . . ; gzdþvd
0 ; gbþz0 . In addition, it chooses t0 R Zp, and sets
Dð3Þ ¼ gðz0z1 ...zdab�a1Þþ
Pd
j¼0ðzjþv jÞ
� �ðbþzÞðt0�aÞ
dþ1
Dð4Þ ¼ gt0�a0 ¼ gt0
0=ga0
by implicitly defining a2 ¼ a� a1 ¼ z0 . . . zdab� a1 and t ¼ t0 � a.In the case of FðS�;PÞ ¼ 0, it chooses a2
RZp and computes ðDð3Þ;Dð4ÞÞ as that specified by algorithm KeyGen. Since S� does
not satisfy the access structure ðM;pÞ, there exists a vector w ¼ ðw1; . . . ;wkÞ 2 Zkp such that w1 ¼ 1 and
8pðiÞ 2 S�;Mi �w ¼ 0. It chooses v 0i R
Zp for i ¼ 2; . . . ; k, and sets v0 ¼ ð0;v 02; . . . ;v 0kÞ. By implicitly settingv ¼ ða� a2Þwþ v0, it generates Dð1Þi and Dð2Þi as follows:– If pðiÞ 2 S�: it selects ri
RZp, and computes kpðiÞ ¼ Mi � v0 ¼ Mi � v;Dð1Þi ¼ g
kpðiÞdþ1QðH1ðpðiÞÞÞri and Dð2Þi ¼ gri
0 .– Otherwise pðiÞ R S�: it selects r0i
RZp and computes
Dð1Þi ¼ gkpðiÞdþ1QðH1ðpðiÞÞÞri ¼ gMi �½ða�a2Þwþv0 �
dþ1 � g½a0/ðH1ðpðiÞÞÞþuðH1ðpðiÞÞÞ�ri
dþ1 ¼g
Mi �v0þa0/ðH1ðpðiÞÞÞr0iþuðH1ðpðiÞÞÞr0idþ1
ga2Mi �wþbuðH1ðpðiÞÞÞMi �w=/ðH1ðpðiÞÞÞdþ1
Dð2Þi ¼ g�bMi �w=/ðH1ðpðiÞÞÞþr0
i0
by implicitly setting ri ¼ r0i � bMi �w=/ðH1ðpðiÞÞÞ.
Y. Shi et al. / Information Sciences 295 (2015) 221–231 229
Challenge: A selects two messages m0;m1 of equal-length and sends them to the challenger. The challenger choosesr R f0;1g, and computes the ciphertext as follows:
� Given every attribute at 2 S�, it computes Cð1Þ ¼ mrZ;Cð2Þ ¼ gc0 and Cð3Þat ¼ gcuðH1ðatÞÞ
dþ1 .� Given every x 2 coverðR�Þ, suppose pathðxÞ ¼ ðx0; . . . ; xdepthðxÞð¼ xÞÞ, then xi 2 vR� ; i ¼ 0; . . . ; depthðxÞ � 1, and x R vR� . It sets
Cð4Þx ¼ PcdepthðxÞ ¼ g
ðPdepthðxÞ�1
j¼0ðziþv iÞÞvdepthðxÞðbþzÞc
depthðxÞþ1 :
The challenger sends to A
cph� ¼ Cð1Þ;Cð2Þ; Cð3Þat
n oat2S�
; Cð4Þx
n ox2coverðRÞ
:
Guess: A outputs a guess r0. The challenger outputs Z ¼ gz0 ...zdabcdþ2 if r0 ¼ r. Otherwise, it outputs Z – gz0 ...zdabc
dþ2 .
This completes the simulation. In the challenge phase, if Z ¼ gz0 ...zdabcdþ2 , then cph� is indeed a valid ciphertext for mr. Then
the probability ofA outputting r ¼ r0 is 12þ �. If Z is an element randomly selected from Gdþ2, the probability ofA outputting
r ¼ r0 is 12. Therefore, the probability of the challenger correctly guessing Z9gz0 ...zdabc
dþ2 is 12
12þ �� �
þ 12
12 ¼ 1
2þ �2. That is, the
challenger solves the ðdþ 3Þ-MDDH problem with advantage �=2 if Awins the selective security game on original ciphertextwith advantage �. h
Theorem 2. Given the ðdþ 3Þ-MDDH assumption, the proposed scheme achieves selective security on updated ciphertext in therandom oracle model.
Proof. In Theorem 1, we show that any probabilistic polynomial time adversary A cannot learn any information from ori-ginal ciphertexts if either he is in the revocation list (i.e., uid 2 R) or the attribute set specified by the ciphertext does notmatch the access control policy specified by his decryption key. The strategy of proving this theorem is to argue that ifthe distribution of ciphertexts generated by algorithm Enc is identical to that of the ciphertexts generated by algorithmUpdate, then the proposed scheme achieves selective security on updated ciphertext. This argument is valid because wecan construct a simulator using the adversary A to break selective security on original ciphertext if it does not hold.
Now let us look at the distributions of original ciphertexts and updated ciphertexts, respectively, given the same messagem, attributes set S, and the revocation list R� (Suppose R� is changed from R, such that R � R�):
� The original ciphertext generated by algorithm Enc(m; S;R�) is:
cph� ¼ S;R�;C�ð1Þ; C�ð2Þ; C�ð3Þat
n oat2S
; C�ð4Þx0
n ox02coverðR�Þ
;
where C�ð1Þ ¼ medþ1ðg0; gdþ1Þas;C�ð2Þ ¼ gs
0;C�ð3Þat ¼ QðH1ðatÞÞs;C�ð4Þx0 ¼ Ps
x0 .� The original ciphertext generated by algorithm Enc(m; S;R) is:
cph ¼ S;R;Cð1Þ;Cð2Þ; Cð3Þat
n oat2S
; Cð4Þx
n ox2coverðRÞ
;
where Cð1Þ ¼ medþ1ðg0; gdþ1Þas0;Cð2Þ ¼ gs0
0 ;Cð3Þat ¼ QðH1ðatÞÞs
0;Cð4Þx ¼ Ps0
x .
Then the updated ciphertext generated by algorithm Updateðcph;R�Þ is:
cph0 ¼ S;R�; eC ð1Þ; eC ð2Þ; eC ð3Þat
n oat2S
; eC ð4Þx
n ox2coverðR�Þ
;
where eC ð1Þ ¼ medþ1ðg0; gdþ1Þas0; eC ð2Þ ¼ gs0
0 ;eC ð3Þat ¼ QðH1ðatÞÞs
0. For all x0 2 coverðRÞ \ coverðR�Þ; eC ð4Þx0 ¼ Ps0
x0 , and for allx0 2 coverðR�Þ � coverðRÞ; eC ð4Þx0 ¼ P0x0 ¼ Ps0
x0 .
We can see that the original ciphertext (i.e., cph�) and updated ciphertext (i.e., cph0) have exactly the same number ofterms. In addition, corresponding terms are randomized with random values s and s0, respectively. Therefore, originalciphertexts and updated ciphertexts have the identical distribution, meaning that A cannot distinguish whether theciphertext is generated from Enc algorithm or Update algorithm. That is, the advantage ofA in the selective security games onupdated ciphertext is as same as that of winning the selective security game on original ciphertext. Hence, if the adversarybreaks the selective security on updated ciphertext, then it can break the selective security game on original ciphertext,which therefore solves the ðdþ 3Þ-MDDH problem. h
230 Y. Shi et al. / Information Sciences 295 (2015) 221–231
Theorem 3. The proposed scheme achieves verifiability.
Proof. Suppose cph is the original ciphertext of message m with respect to revocation list R, denoted by
cph ¼ S;R;Cð1Þ;Cð2Þ; Cð3Þat
n oat2S
; Cð4Þx
n ox2coverðRÞ
:
Let cph� be the updated ciphertext returned by the adversary A, when the revocation list R is changed to R�, such thatR � R�, denoted by
cph� ¼ S;R�;fC� ð1Þ;fC� ð2Þ; fC� ð3Þat
n oat2S
; fC� ð4Þx
n ox2coverðR�Þ
:
Suppose cph0 is the updated ciphertext output by algorithm Update, denoted by
cph0 ¼ S;R�; eC 0 ð1Þ; eC 0 ð2Þ; f eC 0 ð3Þat gat2S;eC0 ð4Þx
n ox2coverðR�Þ
:
We claim that cph0 ¼ cph� in order to attain 1 Verifyðcph; cph�Þ (note 1 Verifyðcph; cph0Þ due to the correctness of thescheme). Suppose that Verifyðcph; cph�Þ outputs 1, then the following should hold:
Cð1Þ ¼ fC� ð1Þ; Cð2Þ ¼ fC� ð2Þ;Cð3Þat
n oat2S¼ fC� ð3Þat
n oat2S
;
Cð4Þx
n ox2coverðRÞ\coverðR�Þ
¼ fC� ð4Þx
n ox2coverðRÞ\coverðR�Þ
and
8j ¼ 1; . . . ; d; ejþ1 Cð2Þ;Ygi¼1
Pcix0
i
!¼ ejþ1 g0;
Ygi¼1
fC� ð4Þx0i
� �ci
!; ð1Þ
where x01; x02; . . . ; x0g
n o¼ coverðR�Þ � coverðRÞ are the nodes of depth j and c1; . . . ; cg 2 Zp are randomly selected by the chal-
lenger and unknown to A.Since 1 Verifyðcph; cph0Þ, the following should hold:
Cð1Þ ¼ eC0 ð1Þ;Cð2Þ ¼ eC 0 ð2Þ;Cð3Þat
n oat2S¼ eC 0 ð3Þat
n oat2S
;
Cð4Þx
n ox2coverðRÞ\coverðR�Þ
¼ eC 0 ð4Þx
n ox2coverðRÞ\coverðR�Þ
and
8j ¼ 1; . . . ; d; ejþ1 Cð2Þ;Ygi¼1
Pcix0
i
!¼ ejþ1 g0;
Ygi¼1
eC 0 ð4Þx0i
� �ci
!ð2Þ
where x01; x02; . . . ; x0g
n o¼ coverðR�Þ � coverðRÞ are the nodes of depth j and c1; . . . ; cg 2 Zp are random values the same as above
(Note that 8j; x01; x02; . . . ; x0g
n o¼ coverðR�Þ � coverðRÞ of depth j are the same as above because R;R� are public known).
In order to prove cph0 ¼ cph�, it needs to prove 8i;1 6 i 6 g;fC� ð4Þx0i¼ eC0 ð4Þx0
i. We prove this by showing that the probability offC� ð4Þx0i
¼ eC0 ð4Þx0ifor some i is negligible.
According to Eq. (1) and (2), the following holds
ejþ1 g0;Ygi¼1
eC 0 ð4Þx0i
� �ci
!¼ ejþ1 g0;
Ygi¼1
fC� ð4Þx0i
� �ci
!:
Then we have
Ygi¼1eC 0 ð4Þx0i
� �ci¼Ygi¼1
fC� ð4Þx0i
� �ci:
Assume there exists a subset I � ½1;g� such that 8t; t 2 I; eC ð4Þx0t– eC0 ð4Þx0t
. Therefore, we cancel the identical items at both sidesand get
Yt2I
eC 0 ð4Þx0t
� �ct
¼Yt2I
eC ð4Þx0t
� �ct
:
Y. Shi et al. / Information Sciences 295 (2015) 221–231 231
Suppose eC0 ð4Þx0t¼ gl0t
j and eC ð4Þx0t¼ glt
j for some unknown l0t ;lt 2 Zp and l0t – lt , then we have
Yt2Igct l0t�ltð Þj ¼ 1;
meaning thatP
t2Ict l0t � lt
� �¼ 0 mod p. Because ct is unknown to A, we can see that the probability of fC� x0t
– eC0 x0t is at most1=p, which is a negligible probability. That is, we show that 8i;1 6 i 6 g; eC ð4Þx0
i¼ eC0 ð4Þx0
i.
Therefore, we show that cph� ¼ cph0 in order to achieve 1 Verifyðcph; cph�Þ. That is, the adversary A cannot present anincorrect updated ciphertext while passing the verification. h
6. Conclusions
In this paper, we propose a novel ABE variant, called directly revocable key-policy ABE with verifiable ciphertext delega-tion. Our solution can be used in data sharing applications in the cloud setting, allowing (1) the trusted authority to revokeusers directly by updating the revocation list without any interaction with non-revoked users, (2) the third party (e.g., thestorage provider) to update ciphertexts in order to assure that revoked users cannot decrypt ciphertexts successfully, and (3)any auditor (e.g., authorized by data owners) to verify whether the untrusted third party updated ciphertexts correctly. Oneof our future work is to construct directly revocable ciphertext-policy ABE with verifiable ciphertext delegation.
Acknowledgment
We thank the anonymous reviewers for their valuable comments and suggestions. This work is supported by Program forNew Century Excellent Talents in University (NCET-11-0565), the Fundamental Research Funds for the Central Universities(2012JBZ010) and PCSIRT (No. IRT 201206).
References
[1] N. Attrapadung, H. Imai, Attribute-based encryption supporting direct/indirect revocation modes, in: IMA Int. Conf., 2009, pp. 278–300.[2] N. Attrapadung, H. Imai, Conjunctive broadcast and attribute-based encryption, in: Pairing-Based Cryptography–Pairing 2009, Springer, 2009, pp. 248–
265.[3] A. Balu, K. Kuppusamy, An expressive and provably secure ciphertext-policy attribute-based encryption, Inf. Sci. (2013).[4] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-based encryption, in: IEEE Symposium on Security and Privacy, 2007, pp. 321–334.[5] A. Boldyreva, V. Goyal, V. Kumar, Identity-based encryption with efficient revocation, in: ACM Conference on Computer and Communications Security,
2008, pp. 417–426.[6] D. Boneh, A. Silverberg, Applications of multilinear forms to cryptography, Contemp. Math. 324 (2002) 71–90.[7] M. Chase, Multi-authority attribute based encryption, in: TCC, 2007, pp. 515–534.[8] J.-S. Coron, T. Lepoint, M. Tibouchi, Practical multilinear maps over the integers, in: CRYPTO, 2013, pp. 476–493.[9] H. Deng, Q. Wu, B. Qin, J. Domingo-Ferrer, L. Zhang, J. Liu, W. Shi, Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts, Inf.
Sci. (2014).[10] S. Garg, C. Gentry, S. Halevi, Candidate multilinear maps from ideal lattices, in: EUROCRYPT, 2013, pp. 1–17.[11] V. Goyal, A. Jain, O. Pandey, A. Sahai, Bounded ciphertext policy attribute based encryption, in: ICALP, Part II, Springer-Verlag, 2008, pp. 579–591.[12] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: ACM Conference on Computer
and Communications Security, 2006, pp. 89–98.[13] M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of abe ciphertexts, in: USENIX Security Symposium, 2011, p. 3.[14] J. Lai, R.H. Deng, C. Guan, J. Weng, Attribute-based encryption with verifiable outsourced decryption, IEEE Trans. Inf. Forensic. Secur. 8 (8) (2013) 1343–
1354.[15] H. Lin, Z. Cao, X. Liang, J. Shao, Secure threshold multi authority attribute based encryption without a central authority, Inf. Sci. 180 (13) (2010) 2618–
2632.[16] Q. Liu, G. Wang, J. Wu, Time-based proxy re-encryption scheme for secure data sharing in a cloud environment, Inf. Sci. 258 (2014) 355–370.[17] Y. Ming, L. Fan, H. Jing-Li, W. Zhao-Li, An efficient attribute based encryption scheme with revocation for outsourced data sharing control, in: 2011 First
International Conference on Instrumentation, Measurement, Computer, Communication and Control, IEEE, 2011, pp. 516–520.[18] D. Naor, M. Naor, J. Lotspiech, Revocation and tracing schemes for stateless receivers, in: CRYPTO, 2001, pp. 41–62.[19] T. Naruse, M. Mohri, Y. Shiraishi, Attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key
for updating, in: Future Information Technology, Springer, 2014, pp. 119–125.[20] R. Ostrovsky, A. Sahai, B. Waters, Attribute-based encryption with non-monotonic access structures, in: Proceedings of the 14th ACM Conference on
Computer and Communications Security, ACM, 2007, pp. 195–203.[21] M. Pirretti, P. Traynor, P. McDaniel, B. Waters, Secure attribute-based systems, in: ACM Conference on Computer and Communications Security, 2006,
pp. 99–112.[22] A. Sahai, H. Seyalioglu, B. Waters, Dynamic credentials and ciphertext delegation for attribute-based encryption, in: CRYPTO, 2012, pp. 199–217.[23] A. Sahai, B. Waters, Fuzzy identity-based encryption, in: EUROCRYPT, 2005, pp. 457–473.[24] B. Waters, Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization, in: Public Key Cryptography, 2011,
pp. 53–70.[25] C.K. Wong, M.G. Gouda, S.S. Lam, Secure group communications using key graphs, IEEE ACM Trans. Netw. 8 (1) (2000) 16–30.[26] Y. Zhang, X. Chen, J. Li, H. Li, F. Li, Fdr-abe: attribute-based encryption with flexible and direct revocation, in: 2013 5th International Conference on
Intelligent Networking and Collaborative Systems (INCoS), IEEE, 2013, pp. 38–45.[27] Q. Zheng, S. Xu, G. Ateniese, Vabks: verifiable attribute-based keyword search over outsourced encrypted data, Cryptology ePrint Archive, Report 2013/
462, <http://eprint.iacr.org/>, 2013.