Page 1: A hierarchical attribute-based encryption scheme

2013, Vol.18 No.3, 259-264

Article ID 1007-1202(2013)03-0259-06

DOI 10.1007/s11859-013-0925-9

A Hierarchical Attribute-Based Encryption Scheme

ZOU Xiubin

College of Computer and Mathematics, Jianghan University, Wuhan 430056, Hubei, China

© Wuhan University and Springer-Verlag Berlin Heidelberg 2013

Abstract: Based on the relation between an attribute set and its subsets, the author presents a hierarchical attribute-based encryption scheme in which a secret key is associated with an attribute set. A user who holds the private key corresponding to an attribute set can delegate the private key corresponding to any subset of that attribute set. Moreover, the size of the ciphertext is constant, while the size of the private key is linear in the order of the attribute set. Lastly, we can also prove that this encryption scheme meets the security of IND-sSET-CPA in the standard model.

Key words: attribute-based encryption; hierarchical attribute-based encryption; identity-based encryption (IBE); bilinear map

CLC number: TP 309.7

Received date: 2012-08-12

Foundation item: Supported by the National Natural Science Foundation of China (60903175, 60703048) and the Natural Science Foundation of Hubei Province (2009CBD307, 2008CDB352)

Biography: ZOU Xiubin, male, Lecturer, Ph.D., research direction: public key cryptosystem and its security analysis. E-mail: [email protected]

0 Introduction

Shamir[1] first presented the concept of identity-based encryption (IBE). When we encrypt information in an IBE scheme, we do not require a public key certificate and only require an arbitrary public string (e.g., an identity or an e-mail address). This gives the IBE scheme many applications in practice.

Sahai and Waters[2] proposed a fuzzy IBE scheme in which a descriptive attribute set can be regarded as an identity. With the secret key $K_{\omega}$ corresponding to an attribute set $\omega$, we can decrypt a ciphertext $C$, where $C$ is produced by encrypting some plaintext with the secret key $K_{\omega'}$ corresponding to an attribute set $\omega'$. We can decrypt the ciphertext $C$ with the secret key $K_{\omega}$ only if $|\omega \cap \omega'| \geq d$, where $d$ is the minimum overlap required between the attribute sets $\omega$ and $\omega'$. In the same work, Sahai and Waters[2] proposed the concept of attribute-based encryption. However, their scheme is an IBE scheme in which the ID is composed of several attributes, and it is mainly built from threshold techniques. Moreover, it resists collusion attacks and does not require a random oracle (RO). Since the concept of attribute-based encryption was presented, many researchers have studied it further.

Now, more and more data are stored on third-party Web sites on the Internet so that they can be shared with other people. To ensure the security of these data, we can only encrypt them. However, this does not facilitate sharing. The simplest measure is to send the secret key to the people who need to know those data. Nevertheless, this is not the best measure. To resolve this problem, Goyal et al[3] proposed an encryption system (hereinafter referred to as the GKPABE scheme) in which any data can be encrypted and a good way of sharing is provided. Goyal et al refer to this encryption as key-policy attribute-based encryption (KP-ABE). In a KP-ABE system, any ciphertext is labeled with an attribute set, whereas the secret key is associated with the access structure that permits users to decrypt the ciphertext.

Wuhan University Journal of Natural Sciences 2013, Vol.18 No.3 260

In many cases, users need to formulate a policy that specifies who can access the data when they encrypt it. Only those qualified people can decrypt it later on. For example, to ensure that an important file is secure, a leader in a company encrypts it when he sends the file to other people in the company. In addition, he formulates a security policy which specifies how the file is read. For example, he draws up the following policy:

Department=“sale department” and position=“general manager”.

This policy tells us that a general manager from the sale department can access the file. Therefore someone who is a general manager from the sale department can decrypt the encrypted file and read it. To resolve this problem, Bethencourt et al[4] gave a ciphertext-policy attribute-based encryption scheme, which is referred to as the BCP-ABE scheme here. In the BCP-ABE scheme, attributes are used to describe a user’s qualification, while the sender who encrypts the data formulates a policy for those who need to know the data. However, Goyal et al[3] and Bethencourt et al[4] only discussed the security of their schemes in the general cyclic group model. Cheung and Newport[5] presented a CP-ABE construction that supports a finite type of access structure represented by a union of different attributes.

Goyal et al[6] proposed a ciphertext-policy ABE scheme with a security proof under number-theoretic assumptions. Waters[7] put forward a new CP-ABE scheme (hereinafter referred to as the WCPABE scheme). The WCPABE scheme expresses the attribute access structure with a linear secret sharing scheme (LSSS) matrix. In this way, Waters’s construction allows an attribute access structure to be expressed freely. Based on an attribute set and its subsets, the author presents a hierarchical attribute-based encryption scheme in this paper. The secret key is associated with an attribute set in this scheme. A user who has the key corresponding to an attribute set $S$ can delegate the key corresponding to any subset of $S$. Moreover, we can also prove that this encryption scheme meets the security of IND-sSET-CPA.

1 Preliminaries

1.1 Bilinear Map

Boneh et al[8] introduced the bilinear map. Since then, the bilinear map has been applied in encryption, signatures, and so on.

Definition 1 Let $G$ and $G'$ be cyclic groups of order $p$, where $p$ is a big prime number. We take an efficiently computable map $e: G \times G \to G'$ as a bilinear map if it has the following properties:

Bilinear: $\forall u, v \in G$, $\forall a, b \in \mathbb{Z}$, $e(u^{a}, v^{b}) = e(u, v)^{ab}$.

Non-degeneracy: There exists a generator $g \in G$ such that $e(g, g) \neq 1$.

Computable: $\forall u, v \in G$, $e(u, v)$ can be computed efficiently.

1.2 d-wBDHI* Assumption (Weak Bilinear Diffie-Hellman Inversion Assumption)

Let $g$ and $h$ be generators of $G$. Let $\alpha \in \mathbb{Z}_p^*$ and $d \in \mathbb{Z}$. We define the $d$-wBDHI* problem as follows:

Given $g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^d)}$, compute $e(g, h)^{(\alpha^{d+1})}$.

Set $y_i = g^{(\alpha^i)} \in G^*$ and $y_{g,\alpha,d} = (y_1, y_2, \ldots, y_d)$. The $d$-wBDHI* problem is simplified as follows:

Given $g, h, y_{g,\alpha,d}$, compute $e(g, h)^{(\alpha^{d+1})}$.

Algorithm $A$ has advantage $\varepsilon$ in solving the $d$-wBDHI* problem if

$$\Pr[A(g, h, y_{g,\alpha,d}) = e(g, h)^{(\alpha^{d+1})}] \geq \varepsilon.$$

Definition 2 If no polynomial-time algorithm $A$ has advantage at least $\varepsilon$ in solving the $d$-wBDHI* problem in $G$, we say that the $d$-wBDHI* assumption holds in $G$.

1.3 Security Definition of ABE (or HABE) Scheme

We say that an IBE scheme or a HIBE scheme satisfies IND-ID-CPA (or IND-sID-CPA) security if the adversary does not issue decryption queries. Boneh, Franklin[8] and Canetti et al[9] gave a general method which transforms an IND-ID-CPA (or IND-sID-CPA) secure IBE or HIBE scheme into an IND-ID-CCA (or IND-sID-CCA) secure one. Therefore we only prove that an IBE (or HIBE) scheme is IND-ID-CPA (or IND-sID-CPA) secure when it is presented.

Analogous to the definition of IND-ID-CCA (or IND-sID-CCA) security, we can give the definition of IND-Set-CCA (or IND-sSet-CCA) security. Whether an ABE (attribute-based encryption) scheme $E$ or a HABE (hierarchical attribute-based encryption) scheme $E'$ is IND-Set-CCA (or IND-sSet-CCA) secure is defined by the following game, which is carried on between the adversary and the challenger. The game consists of an initial phase, private key query phase 1, a challenge phase, private key query phase 2, and a guess phase.

Initial phase: The challenger runs the setup algorithm and produces the system parameters and the main secret key. He then sends the system parameters to the adversary and keeps the main secret key for himself.

Private key query phase 1: The adversary adaptively issues queries $(q_1, q_2, \ldots, q_m)$, where $q_i$ $(i = 1, \ldots, m)$ is one of the following two queries.

Provided with an attribute set $S_i$, the challenger runs the private key generating algorithm and gets a private key $K_{S_i}$ corresponding to the attribute set $S_i$. He then sends $K_{S_i}$ to the adversary.

Given an attribute set $S_i$ and a ciphertext $C_i$, the challenger first runs the private key generating algorithm and gets the private key $K_{S_i}$. He then runs the decryption algorithm and produces a plaintext from the ciphertext $C_i$. Lastly, he sends the plaintext to the adversary.

Challenge phase: Once the adversary decides that private key query phase 1 is over, he outputs an attribute set $S^*$ and two equal-length plaintexts $M_0, M_1$ which he wishes to challenge. The only restriction is that he has not issued a private key query corresponding to the attribute set $S^*$. The challenger randomly chooses $b \in \{0, 1\}$ and sets the challenge ciphertext to be $\mathrm{Encrypt}(S^*, M_b)$. Then he sends the challenge ciphertext to the adversary.

Private key query phase 2: Analogous to private key query phase 1, with the requirement that the attribute set $S_i$ does not equal $S^*$.

Guess phase: Lastly, the adversary outputs a guess $b'$ about $b$. We define the advantage of the adversary in attacking the ABE scheme $E$ or the HABE scheme $E'$ as follows:

$$\mathrm{Adv}_{\mathrm{Adversary}} = \Pr[b = b'] - \frac{1}{2}$$

We say that the ABE scheme $E$ or the HABE scheme $E'$ is IND-Set-CCA secure if the adversary has advantage $\varepsilon$ in the above game, where $\mathrm{Adv}_{\mathrm{Adversary}} \leq \varepsilon$.

If the adversary pre-determines the attribute set which he plans to attack before the above game starts, we say that the ABE scheme $E$ or the HABE scheme $E'$ is IND-sSet-CCA secure. Moreover, the ABE scheme $E$ or the HABE scheme $E'$ is said to be IND-Set-CPA (or IND-sSet-CPA) secure when the adversary does not issue decryption queries in the above game.

2 New HABE Scheme

2.1 Construction of New HABE Scheme

The new HABE scheme mainly consists of the following five algorithms:

Setup$(\lambda, d)$: The algorithm generates the system parameters. Randomly pick a big prime number $p$ with $|p| = \lambda$, where $\lambda$ is the system security parameter. $d$ is not only the maximum depth of the HABE scheme but also the order of the attribute full set $U$. Set $U = \{a_1, a_2, \ldots, a_d\}$, where $a_i \in \mathbb{Z}_p$ for $i = 1, \ldots, d$ and $a_1, a_2, \ldots, a_d$ are different from each other. Let $f: U \to \{1, 2, \ldots, d\}$ be a function with $f(a_i) = i$ for $i = 1, \ldots, d$. Randomly choose a generator $g \in G$ and $\alpha \in \mathbb{Z}_p$, and compute $g_1 = g^{\alpha}$. Next, arbitrarily pick $g_2, g_3, h_1, h_2, \ldots, h_d \in G$. Set the system public parameters $\mathrm{params} = (g, g_1, g_2, g_3, h_1, h_2, \ldots, h_d, f)$ and the system master key $mk = g_2^{\alpha}$.

KeyGen$(S)$: The algorithm generates the private key $K_S$ corresponding to an attribute set $S = \{a_{j,1}, a_{j,2}, \ldots, a_{j,|S|}\}$, where $S \subset U$. Set $R = U - S$. Randomly choose $r \in \mathbb{Z}_p$ and compute

$$K_S = \Bigl( g_2^{\alpha} \bigl( g_3 \prod_{a \in R} h_{f(a)}^{a} \bigr)^{r},\ g^{r},\ \bigl( (a_{j,1}, h_{f(a_{j,1})}^{r \cdot a_{j,1}}), (a_{j,2}, h_{f(a_{j,2})}^{r \cdot a_{j,2}}), \ldots, (a_{j,|S|}, h_{f(a_{j,|S|})}^{r \cdot a_{j,|S|}}) \bigr) \Bigr).$$

Delegate$(K_S, S')$: Taking the private key $K_S$ corresponding to the attribute set $S$ and an attribute set $S'$ with $S' \subset S$ as input, the algorithm generates the private key $K_{S'}$. Set

$$K_S = \Bigl( g_2^{\alpha} \bigl( g_3 \prod_{a \in R} h_{f(a)}^{a} \bigr)^{r},\ g^{r},\ \bigl( (a_{j,1}, h_{f(a_{j,1})}^{r \cdot a_{j,1}}), (a_{j,2}, h_{f(a_{j,2})}^{r \cdot a_{j,2}}), \ldots, (a_{j,|S|}, h_{f(a_{j,|S|})}^{r \cdot a_{j,|S|}}) \bigr) \Bigr) = \bigl( b_0, b_1, ((a_{j,1}, b_{2,1}), (a_{j,2}, b_{2,2}), \ldots, (a_{j,|S|}, b_{2,|S|})) \bigr),$$

where $R = U - S$. Set $\Lambda = S - S' = \{a_{i,1}, a_{i,2}, \ldots, a_{i,l}\}$. With the help of the list $((a_{j,1}, b_{2,1}), (a_{j,2}, b_{2,2}), \ldots, (a_{j,|S|}, b_{2,|S|}))$, we do not know $r$ but can easily obtain $h_{f(a_{i,k})}^{r a_{i,k}}$ for $k = 1, 2, \ldots, l$. Let $\delta_k$ be the value of $h_{f(a_{i,k})}^{r a_{i,k}}$ for $k = 1, 2, \ldots, l$. Randomly choose $t \in \mathbb{Z}_p$ and compute

$$b_0' = b_0 \prod_{k=1}^{l} \delta_k \Bigl( \prod_{a \in R \cup \Lambda} h_{f(a)}^{a} \, g_3 \Bigr)^{t}, \qquad b_1' = b_1 g^{t}.$$

We delete $(a_{j,k}, b_{2,k})$ from the list $((a_{j,1}, b_{2,1}), (a_{j,2}, b_{2,2}), \ldots, (a_{j,|S|}, b_{2,|S|}))$ if $a_{j,k} \in \{a_{i,1}, a_{i,2}, \ldots, a_{i,l}\}$, where $k = 1, 2, \ldots, |S|$. Lastly, we get a new list named $((a_{u,1}, b_{2,1}), (a_{u,2}, b_{2,2}), \ldots, (a_{u,|S'|}, b_{2,|S'|}))$ after the above steps. We can compute

$$b_{2,1}' = b_{2,1} h_{f(a_{u,1})}^{t a_{u,1}}, \quad b_{2,2}' = b_{2,2} h_{f(a_{u,2})}^{t a_{u,2}}, \quad \ldots, \quad b_{2,|S'|}' = b_{2,|S'|} h_{f(a_{u,|S'|})}^{t a_{u,|S'|}}.$$

Therefore, we get

$$K_{S'} = \bigl( b_0', b_1', ((a_{u,1}, b_{2,1}'), (a_{u,2}, b_{2,2}'), \ldots, (a_{u,|S'|}, b_{2,|S'|}')) \bigr).$$

Encrypt$(S, m)$: Taking an attribute set $S$ and a plaintext $m$ as input, the algorithm encrypts $m$. Set $S = \{a_{j,1}, a_{j,2}, \ldots, a_{j,|S|}\}$. Randomly pick $t \in \mathbb{Z}_p$ and get the ciphertext as follows:

$$\mathrm{CT} = \Bigl( e(g_1, g_2)^{t} m,\ g^{t},\ \bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \bigr)^{t} \Bigr)$$

Decrypt$(K_S, \mathrm{CT})$: Taking a private key $K_S$ and a ciphertext $\mathrm{CT}$ as input, the algorithm decrypts the ciphertext $\mathrm{CT}$. Denote $\{a_{j,1}, a_{j,2}, \ldots, a_{j,|S|}\}$ by $S$ and set

$$K_S = \Bigl( g_2^{\alpha} \bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \bigr)^{r},\ g^{r},\ \bigl( (a_{j,1}, h_{f(a_{j,1})}^{r \cdot a_{j,1}}), (a_{j,2}, h_{f(a_{j,2})}^{r \cdot a_{j,2}}), \ldots, (a_{j,|S|}, h_{f(a_{j,|S|})}^{r \cdot a_{j,|S|}}) \bigr) \Bigr) = \bigl( b_0, b_1, ((a_{j,1}, b_{2,1}), (a_{j,2}, b_{2,2}), \ldots, (a_{j,|S|}, b_{2,|S|})) \bigr)$$

and set the ciphertext $\mathrm{CT} = (A_1, A_2, A_3)$.

The plaintext is then $m = A_1 \, e(b_1, A_3) / e(A_2, b_0)$. We can verify the decryption as follows:

$$\begin{aligned}
A_1 \, e(b_1, A_3) / e(A_2, b_0)
&= e(g_1, g_2)^{t} m \; e\Bigl( g^{r}, \bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \bigr)^{t} \Bigr) \Big/ e\Bigl( g^{t}, g_2^{\alpha} \bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \bigr)^{r} \Bigr) \\
&= e(g_1, g_2)^{t} m \; e\Bigl( g, g_3 \prod_{a \in U-S} h_{f(a)}^{a} \Bigr)^{tr} \Big/ \Bigl( e(g^{t}, g_2^{\alpha}) \, e\Bigl( g, g_3 \prod_{a \in U-S} h_{f(a)}^{a} \Bigr)^{tr} \Bigr) \\
&= e(g_1, g_2)^{t} m / e(g^{t}, g_2^{\alpha}) \\
&= e(g_1, g_2)^{t} m / e(g_1, g_2)^{t} = m
\end{aligned}$$

2.2 Analysis of System Security

Theorem 1 Let $G$ be a bilinear group of order $p$, where $p$ is a big prime number. The new HABE scheme is IND-SET-CPA secure if the $d$-wBDHI* assumption holds in $G$.

Proof Assume the adversary has advantage $\varepsilon$ in attacking the HABE scheme. The challenger solves the $d$-wBDHI* problem in $G$ with the help of the adversary.

Let $g \in G$ be a generator and $\alpha \in \mathbb{Z}_p^*$, and set $y_i = g^{(\alpha^i)}$. $D_L$ is defined as the distribution of the tuple $(g, h, y_1, y_2, \ldots, y_d, T)$ where $T = e(g, h)^{(\alpha^{d+1})}$, while $D_R$ is defined as the distribution of the tuple $(g, h, y_1, y_2, \ldots, y_d, T)$ where $T \in G'$. Send $(g, h, y_1, y_2, \ldots, y_d, T)$ to the challenger. If $(g, h, y_1, y_2, \ldots, y_d, T)$ is taken from $D_L$, the challenger outputs 1, while he outputs 0 if $(g, h, y_1, y_2, \ldots, y_d, T)$ is taken from $D_R$.

Initial phase: The adversary picks an attribute set $S^* = \{a_{*,1}, a_{*,2}, \ldots, a_{*,l}\}$, where $a_{*,i} \in U$ for $i = 1, \ldots, l$ and $l \leq d$.

Setup phase: The challenger first gets the system parameters of the $d$-wBDHI* problem, that is, $(G, G', e, g, h, d)$. Set the attribute full set $U = \{a_1, a_2, \ldots, a_d\}$, where $a_i \in \mathbb{Z}_p$ for $i = 1, \ldots, d$. In addition, $a_1, a_2, \ldots, a_d$ are different from each other. Let $f$ be the function in the above algorithm Setup$(\lambda, d)$. The challenger randomly chooses $\eta \in \mathbb{Z}_p$ and sets $g_1 = g^{\alpha}$, $g_2 = y_d g^{\eta} = g^{\alpha^d + \eta}$. Next, he picks $\eta_1, \ldots, \eta_d \in \mathbb{Z}_p$ and computes $h_i = g^{\eta_i} / y_{d-i+1}$ for $i = 1, \ldots, d$. He randomly picks $\theta \in \mathbb{Z}_p$ and computes

$$g_3 = g^{\theta} \prod_{a \in U-S^*} y_{d-f(a)+1}^{a}.$$

Lastly, the challenger sends the system parameters $\mathrm{params} = (g, g_1, g_2, g_3, h_1, h_2, \ldots, h_d, f)$ to the adversary. Because the challenger does not have $y_{d+1}$ and $g_2^{\alpha} = (g^{\alpha^d + \eta})^{\alpha} = g^{\alpha^{d+1}} g^{\alpha\eta} = y_{d+1} g^{\alpha\eta}$, he does not know the value of $g_2^{\alpha}$.

Query phase 1: The adversary issues $q_s$ private key queries. We only consider a private key query corresponding to an attribute set $S$ with $|S| \leq d$. Set $R = (U - S) \cap (U - S^*)$. The only restriction is that $R \neq \emptyset$ and $S$ is not a subset of $S^*$. Set $U - S^* = \{a_{\chi,1}, a_{\chi,2}, \ldots, a_{\chi,|R|}, a_{\chi,|R|+1}, \ldots, a_{\chi,u}\}$ and $U - S = \{a_{\phi,1}, a_{\phi,2}, \ldots, a_{\phi,|R|}, a_{\phi,|R|+1}, \ldots, a_{\phi,v}\}$. Set $a_{\chi,i} = a_{\phi,i}$ for $i = 1, 2, \ldots, |R|$, so that $\{a_{\chi,|R|+1}, \ldots, a_{\chi,u}\} \cap \{a_{\phi,|R|+1}, \ldots, a_{\phi,v}\} = \emptyset$. The private key corresponding to an attribute set $S$ with $U - S = \{a_{\phi,1}, a_{\phi,2}, \ldots, a_{\phi,|R|}, a_{\phi,|R|+1}, \ldots, a_{\phi,v}\}$ can be derived from the private key corresponding to an attribute set $S$ with $U - S = \{a_{\phi,1}, a_{\phi,2}, \ldots, a_{\phi,|R|}, a_{\phi,|R|+1}\}$. Therefore, we only discuss the private key corresponding to an attribute set $S$ with $U - S = \{a_{\phi,1}, a_{\phi,2}, \ldots, a_{\phi,|R|}, a_{\phi,|R|+1}\}$. We then get $S = \{a_{\phi,|R|+2}, a_{\phi,|R|+3}, \ldots, a_{\phi,|U|}\}$ and $R = \{a_{\phi,1}, \ldots, a_{\phi,|R|}\}$.

The challenger randomly chooses $\tilde{r} \in \mathbb{Z}_p$ and computes

$$r = \frac{\alpha^{f(a_{\phi,|R|+1})}}{a_{\phi,|R|+1}} + \tilde{r} \in \mathbb{Z}_p.$$

He will generate a private key as follows:

$$K_S = \Bigl( g_2^{\alpha} \bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \bigr)^{r},\ g^{r},\ \bigl( (a_{\phi,|R|+2}, h_{f(a_{\phi,|R|+2})}^{r \cdot a_{\phi,|R|+2}}), (a_{\phi,|R|+3}, h_{f(a_{\phi,|R|+3})}^{r \cdot a_{\phi,|R|+3}}), \ldots, (a_{\phi,|U|}, h_{f(a_{\phi,|U|})}^{r \cdot a_{\phi,|U|}}) \bigr) \Bigr)$$

To generate the first part of $K_S$, observe the following:

$$\begin{aligned}
\Bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \Bigr)^{r}
&= \Bigl( g^{\theta} \prod_{a \in U-S^*} y_{d-f(a)+1}^{a} \Bigr)^{r} \prod_{a \in U-S} \bigl( g^{\eta_{f(a)}} / y_{d-f(a)+1} \bigr)^{a \cdot r} \\
&= g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*} (y_{d-f(a)+1})^{a r} \prod_{a \in U-S} (1 / y_{d-f(a)+1})^{a r} \\
&= g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \prod_{a = a^* \in R} \bigl( y_{d-f(a)+1}^{a} / y_{d-f(a^*)+1}^{a^*} \bigr)^{r} \prod_{a = a_{\phi,|R|+1}} (1 / y_{d-f(a)+1})^{a r} \\
&= g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \prod_{a = a^* \in R} (y_{d-f(a)+1})^{(a - a^*) r} \cdot 1 \big/ \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{a_{\phi,|R|+1} r}
\end{aligned}$$

Moreover, we can get $(y_{d-f(a_{\phi,|R|+1})+1})^{a_{\phi,|R|+1} r}$:

$$\begin{aligned}
\bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{a_{\phi,|R|+1} r}
&= \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\bigl( \frac{\alpha^{f(a_{\phi,|R|+1})}}{a_{\phi,|R|+1}} + \tilde{r} \bigr) \cdot a_{\phi,|R|+1}} \\
&= \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\alpha^{f(a_{\phi,|R|+1})} + \tilde{r} \cdot a_{\phi,|R|+1}} \\
&= y_{d+1} \, \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\tilde{r} \cdot a_{\phi,|R|+1}}
\end{aligned}$$

Because $\prod_{a = a^* \in R} (y_{d-f(a)+1})^{(a - a^*) r} = 1$, we can get the value of $(g_3 \prod_{a \in U-S} h_{f(a)}^{a})^{r}$:

$$\Bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \Bigr)^{r} = g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \Big/ \Bigl( y_{d+1} \, \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\tilde{r} \cdot a_{\phi,|R|+1}} \Bigr)$$

$$\begin{aligned}
g_2^{\alpha} \Bigl( g_3 \prod_{a \in U-S} h_{f(a)}^{a} \Bigr)^{r}
&= g^{\alpha(\eta + \alpha^{d})} \, g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \Big/ \Bigl( y_{d+1} \, \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\tilde{r} \cdot a_{\phi,|R|+1}} \Bigr) \\
&= y_{d+1} \, g^{\alpha \cdot \eta} \, g^{(\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) r} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \Big/ \Bigl( y_{d+1} \, \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\tilde{r} \cdot a_{\phi,|R|+1}} \Bigr) \\
&= g^{\alpha \cdot \eta + (\theta + \sum_{a \in U-S} \eta_{f(a)} \cdot a) \bigl( \frac{\alpha^{f(a_{\phi,|R|+1})}}{a_{\phi,|R|+1}} + \tilde{r} \bigr)} \prod_{a \in U-S^*-R} (y_{d-f(a)+1})^{a r} \Big/ \bigl( y_{d-f(a_{\phi,|R|+1})+1} \bigr)^{\tilde{r} \cdot a_{\phi,|R|+1}}
\end{aligned}$$

Generate the second part of the private key $K_S$. The challenger can compute

$$g^{r} = g^{\frac{\alpha^{f(a_{\phi,|R|+1})}}{a_{\phi,|R|+1}} + \tilde{r}}.$$

To generate the other part of the private key $K_S$, we can compute

$$h_{f(a_{\phi,i})}^{r \cdot a_{\phi,i}} = \bigl( g^{\eta_{f(a_{\phi,i})}} / y_{d-f(a_{\phi,i})+1} \bigr)^{\bigl( \frac{\alpha^{f(a_{\phi,|R|+1})}}{a_{\phi,|R|+1}} + \tilde{r} \bigr) \cdot a_{\phi,i}}$$

for $i = |R|+2, \ldots, |U|$.

Challenge phase: The adversary sends two equal-length plaintexts $m_0, m_1 \in G'$ to the challenger. The challenger randomly picks $b \in \{0, 1\}$ and returns the following ciphertext:

( )*

1 2 1CT ( ( , ) ( , ), , )f a

a U S

at

be g g m e y h h hθ η

η ∈ −

+ ⋅= .

If $h = g^{c}$, then

$$h^{\theta + \sum_{a \in U-S^*} \eta_{f(a)} \cdot a} = \Bigl( \prod_{a \in U-S^*} \bigl( g^{\eta_{f(a)}} / y_{d-f(a)+1} \bigr)^{a} \cdot g^{\theta} \prod_{a \in U-S^*} y_{d-f(a)+1}^{a} \Bigr)^{c} = \Bigl( g_3 \prod_{a \in U-S^*} h_{f(a)}^{a} \Bigr)^{c}$$

and

$$e(g, h)^{(\alpha^{d+1})} \, e(y_1, h^{\eta}) = e(y_1, y_d)^{c} \, e(y_1, g^{\eta})^{c} = e(y_1, y_d g^{\eta})^{c} = e(g_1, g_2)^{c}$$

Consequently, for the selected attribute set $S^*$, the challenger can produce a valid ciphertext corresponding to $m_b$, that is,

$$\mathrm{CT} = \Bigl( m_b \, e(g_1, g_2)^{c},\ g^{c},\ \bigl( g_3 \prod_{a \in U-S^*} h_{f(a)}^{a} \bigr)^{c} \Bigr)$$

when the tuple $(g, h, y_1, y_2, \ldots, y_d, T)$ is taken from the distribution $D_L$. On the other hand, the ciphertext $\mathrm{CT}$ corresponding to $m_b$ is independent of $b$ in the adversary’s view.

Query phase 2: The adversary issues private key queries. The only restriction is that the attribute sets in query phase 2 are different from the attribute sets in query phase 1.

Guess phase: The adversary outputs a guess $b'$ about $b$, where $b' \in \{0, 1\}$. If $b = b'$, the challenger outputs 1, meaning that the tuple $(g, h, y_1, y_2, \ldots, y_d, T)$ is taken from the distribution $D_L$. Otherwise, the challenger outputs 0, that is, the tuple $(g, h, y_1, y_2, \ldots, y_d, T)$ is chosen from the distribution $D_R$. Denote $y_1, y_2, \ldots, y_d$ by $V$. We have that

$$\Pr[\mathrm{Challenger}(g, h, V, e(g, h)^{(\alpha^{d+1})}) = 0] - \Pr[\mathrm{Challenger}(g, h, V, T) = 0] \geq (1/2 + \varepsilon) - 1/2 = \varepsilon$$

Consequently, the proof of the theorem is over.

2.3 Comparison of Time and Space Complexity

Typically, the applicability of a cryptographic scheme depends on the length of the ciphertext and on the time of encryption and decryption. We consider the GKPABE scheme, the WCPABE scheme, and the ZHABE scheme, where the ZHABE scheme is the new HABE scheme proposed in this paper. This subsection compares their time and space complexity (Table 1).

As shown in Table 1, because the ciphertext length and the encryption and decryption times of the WCPABE scheme are larger than those of the other schemes, the WCPABE scheme is the worst of the three schemes. The encryption time of the GKPABE scheme is as large as that of the ZHABE scheme, while its decryption time is larger than that of the ZHABE scheme. Moreover, the ciphertext of the GKPABE scheme is longer than that of the ZHABE scheme. Therefore, the ZHABE scheme is more practical in real life than the other two schemes.

Table 1 Three ABE schemes’ comparison in time and space complexity

Column groups (left to right): Length of ciphertext; Encryption; Decryption

| Name of scheme | Number of elements in $G$ | Number of elements in $G'$ | Number of modular exponentiation in $G$ | Number of modular exponentiation in $G'$ | Number of modular multiplication in $G'$ | Number of modular exponentiation in $G'$ | Number of inverse operation in $G'$ | Number of bilinear map operation |
|---|---|---|---|---|---|---|---|---|
| GKPABE scheme | $\lvert S\rvert$ | 1 | $\lvert S\rvert$ | 1 | $\lvert S\rvert - 1$ | $\lvert S\rvert - 1$ | 0 | $\lvert S\rvert - 1$ |
| WCPABE scheme | $l + 1$ | 1 | $l + 1$ | 1 | $\lvert S\rvert - 1$ | 1 | 1 | $2(\lvert S\rvert - 1) + 1$ |
| ZHABE scheme | 2 | 1 | $l - \lvert S\rvert - 1$ | 1 | 1 | 0 | 1 | 2 |

Note: $l$ is the number of all the elements in the universal attribute set $U$, and $S$ is an attribute set that satisfies $S \subseteq U$ and $l \geq \lvert S\rvert$.

3 Conclusion

Based on an attribute set and its subsets, the author presents a hierarchical attribute-based encryption scheme in this paper. The secret key is associated with an attribute set in this scheme. A user who has the key corresponding to an attribute set can delegate the key corresponding to any subset of that attribute set. Moreover, we can also prove that this encryption scheme can meet the security of IND-sSET-CPA.

References

[1] Shamir A. Identity-based cryptosystems and signature schemes [C]//Advances in Cryptology. New York: Springer-Verlag, 1985: 47-53.

[2] Sahai A, Waters B. Fuzzy identity-based encryption [C]//Advances in Cryptology Eurocrypt 2005. New York: Springer-Verlag, 2005: 557-557.

[3] Goyal V, Pandey O, Sahai A, et al. Attribute-based encryption for fine-grained access control of encrypted data [C]//Proceedings of the 13th ACM Conference on Computer and Communications Security. New York: ACM Press, 2006: 89-98.

[4] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption [C]//2007 IEEE Security and Privacy. Washington D C: IEEE Press, 2007: 321-334.

[5] Cheung L, Newport C. Provably secure ciphertext policy ABE [C]//Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM Press, 2008: 456-465.

[6] Goyal V, Jain A, Pandey O, et al. Bounded ciphertext policy attribute based encryption [J]. Automata, Languages and Programming. New York: Springer-Verlag, 2008: 579-591.

[7] Waters B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization [C]//Public Key Cryptography PKC 2011. New York: Springer-Verlag, 2011: 53-70.

[8] Boneh D, Franklin M. Identity-based encryption from the Weil pairing [C]//Advances in Cryptology—CRYPTO 2001. New York: Springer-Verlag, 2001: 213-229.

[9] Canetti R, Halevi S, Katz J. A forward-secure public-key encryption scheme [C]//Advances in Cryptology Eurocrypt 2003. New York: Springer-Verlag, 2003: 646-646.

