Transcript

1

Attribute-based EncryptionPo-Wen Chi and Chin-Laung Lei, Member, IEEE

Abstract—Cloud storage services have become increasingly popular. Because of the importance of privacy, many cloud storage

encryption schemes have been proposed to protect data from those who do not have access. All such schemes assumed that cloud

storage providers are safe and cannot be hacked; however, in practice, some authorities (i.e., coercers) may force cloud storage

providers to reveal user secrets or confidential data on the cloud, thus altogether circumventing storage encryption schemes. In this

paper, we present our design for a new cloud storage encryption scheme that enables cloud storage providers to create convincing

fake user secrets to protect user privacy. Since coercers cannot tell if obtained secrets are true or not, the cloud storage providers

ensure that user privacy is still securely protected.

Index Terms—Deniable Encryption, Composite Order Bilinear Group, Attribute-Based Encryption, Cloud Storage.

1 INTRODUCTION

Cloud storage services have rapidly become increasinglypopular. Users can store their data on the cloud andaccess their data anywhere at any time. Because ofuser privacy, the data stored on the cloud is typicallyencrypted and protected from access by other users.Considering the collaborative property of the cloud data,attribute-based encryption (ABE) is regarded as one ofthe most suitable encryption schemes for cloud storage.There are numerous ABE schemes that have been pro-posed, including [1], [2], [3], [4], [5], [6], [7].

Most of the proposed schemes assume cloud storageservice providers or trusted third parties handling keymanagement are trusted and cannot be hacked; however,in practice, some entities may intercept communicationsbetween users and cloud storage providers and thencompel storage providers to release user secrets by us-ing government power or other means. In this case,encrypted data are assumed to be known and storageproviders are requested to release user secrets. As anexample, in 2010, without notifying its users, Google re-leased user documents to the FBI after receiving a searchwarrant [8]. In 2013, Edward Snowden disclosed the ex-istence of global surveillance programs that collect suchcloud data as emails, texts, and voice messages fromsome technology companies [9], [10]. Once cloud stor-age providers are compromised, all encryption schemeslose their effectiveness. Though we hope cloud storageproviders can fight against such entities to maintain userprivacy through legal avenues, it is seemingly more andmore difficult. As one example, Lavabit was an emailservice company that protected all user emails from

• The authors are with the Distributed Computing and Network Security(DCNS) Laboratory, Department of Electrical Engineering, National Tai-wan University, Taiwan.E-mail: {d99921015,cllei}@ntu.edu.tw

outside coercion; unfortunately, it failed and decided toshut down its email service [11].

Since it is difficult to fight against outside coercion,we aimed to build an encryption scheme that could helpcloud storage providers avoid this predicament. In ourapproach, we offer cloud storage providers means tocreate fake user secrets. Given such fake user secrets,outside coercers can only obtained forged data from auser’s stored ciphertext. Once coercers think the receivedsecrets are real, they will be satisfied and more impor-tantly cloud storage providers will not have revealed anyreal secrets. Therefore, user privacy is still protected.

This concept comes from a special kind of encryptionscheme called deniable encryption, first proposed in[12]. Deniable encryption involves senders and receiverscreating convincing fake evidence of forged data inciphertexts such that outside coercers are satisfied. Notethat deniability comes from the fact that coercers cannotprove the proposed evidence is wrong and thereforehave no reason to reject the given evidence. This ap-proach tries to altogether block coercion efforts sincecoercers know that their efforts will be useless. We makeuse of this idea such that cloud storage providers canprovide audit-free storage services. In the cloud storagescenario, data owners who store their data on the cloudare just like senders in the deniable encryption scheme.Those who can access the encrypted data play the role ofreceiver in the deniable encryption scheme, including thecloud storage providers themselves, who have system-wide secrets and must be able to decrypt all encrypteddata1.

In this work, we describe a deniable ABE scheme for

1. Some papers divide this role into service providers and trustedkey managers. More specifically, one is for cloud service operation,while the other is for key management and is assumed to be trusted.In this work we use cloud storage providers for both functions forsimplicity. Further, this is also a common case in practice. Note that itis not difficult to apply our scheme to an architecture that has thesetwo different roles defined.

Audit-Free Cloud Storage via Deniable

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

2

cloud storage services. We make use of ABE character-istics for securing stored data with a fine-grained accesscontrol mechanism and deniable encryption to preventoutside auditing. Our scheme is based on Waters cipher-text policy-attribute based encryption (CP-ABE) scheme[4]. We enhance the Waters scheme from prime orderbilinear groups to composite order bilinear groups. Bythe subgroup decision problem assumption, our schemeenables users to be able to provide fake secrets that seemlegitimate to outside coercers.

1.1 Previous Work on ABE

Sahai and Waters first introduced the concept of ABE inwhich data owners can embed how they want to sharedata in terms of encryption [1]. That is, only those whomatch the owner’s conditions can successfully decryptstored data. We note here that ABE is encryption forprivileges, not for users. This makes ABE a very usefultool for cloud storage services since data sharing is animportant feature for such services. There are so manycloud storage users that it is impractical for data ownersto encrypt their data by pairwise keys. Moreover, it isalso impractical to encrypt data many times for manypeople. With ABE, data owners decide only which kindof users can access their encrypted data. Users whosatisfy the conditions are able to decrypt the encrypteddata.

There are two types of ABE, CP-ABE and Key-PolicyABE (KP-ABE). The difference between these two lies inpolicy checking. KP-ABE is an ABE in which the policyis embedded in the user secret key and the attributeset is embedded in the ciphertext. Conversely, CP-ABEembeds the policy into the ciphertext and the user secrethas the attribute set. Goyal et al. proposed the first KP-ABE in [2]. They constructed an expressive way to relateany monotonic formula as the policy for user secretkeys. Bethencourt et al. proposed the first CP-ABE in[3]. This scheme used a tree access structure to expressany monotonic formula over attributes as the policy inthe ciphertext. The first fully expressive CP-ABE wasproposed by Waters in [4], which used Linear SecretSharing Schemes (LSSS) to build a ciphertext policy.Lewko et al. enhanced the Waters scheme to a fullysecure CP-ABE, though with some efficiency loss, in [13].Recently, Attrapadung et al. constructed a CP-ABE witha constant-size ciphertext in [14] and Tysowski et al.designed their CP-ABE scheme for resource-constrainedusers in [7].

1.2 Previous Work on Deniable Encryption

The concept of deniable encryption was first proposed in[12]. Like normal encryption schemes, deniable encryp-tion can be divided into a deniable shared key schemeand a public key scheme. Considering the cloud storagescenario, we focus our efforts on the deniable public keyencryption scheme.

There are some important deniable public key en-cryption schemes2. Canetti et al. used translucent setsto construct deniable encryption schemes in [12]. Atranslucent set is a set containing a trapdoor subset. Itis easy to randomly pick an element from the universalset or from the subset; however, without the trapdoor,it is difficult to determine if a given element belongsto the subset. Canetti et al. showed that any trapdoorpermutation can be used to construct the translucent set.To build a deniable public key encryption scheme froma translucent set, the translucent set is the public keyand the trapdoor is the private key. The translucent setis used to represent one encrypted bit. Elements in thesubset are represented by 1 whereas other non-subsetelements are represented by 0. The sender can encrypt1 by sending an element in the subset, but can claimthe element is chosen from the universal set (i.e., 0).The above is a basic sender-deniable scheme. Canettiet al. also proved that a sender-deniable scheme canbe transformed to a receiver-deniable scheme or a bi-deniable scheme with the help of intermediaries. Thereis research on how best to design a translucent set.Durmuth et al. designed the translucent set from thesamplable encryption in [15]. ONeill et al. designed thebi-translucent set from a lattice in [16], which can builda native bi-deniable scheme.

In addition to the bitranslucent set, there are otherproposed approaches to building deniable encryptionschemes. ONeill et al. proposed a new deniable methodthrough a simulatable public key system [16]. The sim-ulatable public key system provides an oblivious keygeneration function and an oblivious ciphertext function.When sending an encrypted bit, the sender will send aset of encrypted data which may be normally encryptedor oblivious. Therefore, the sender can claim some sentmessages are oblivious while actually they are not. Theidea can be applied to the receiver side such that thescheme is a bi-deniable scheme. In [17], Gasti et al.proposed another deniable scheme in which one public-private key pair is set up for each user while there areactually two pairs. The sender can send a true messageencrypted by one key with a fake message encryptedby the other key. The sender decides which key isreleased according to the coercer’s identity. Gasti et al.also applied this idea to cloud storage services. There arestill other deniable encryption schemes, including [18]and [19].

Aside from the above deniable schemes, there isresearch investigating the limitations of the deniableschemes. In [20]. Nielsen states that it is impossibleto encrypt unbounded messages by one short key innon-committing schemes, including deniable schemes.In [21], Bendlin et al. shows that noninteractive and fullyreceiver-deniable schemes cannot be achieved simultane-ously. We construct our scheme under these limitations.

2. For simplicity, in this paper deniable encryption means deniablepublic key encryption.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

3

1.3 Our Contributions

In this work, we construct a deniable CP-ABE schemethat can make cloud storage services secure and audit-free. In this scenario, cloud storage service providers arejust regarded as receivers in other deniable schemes.

Unlike most previous deniable encryption schemes,we do not use translucent sets or simulatable publickey systems to implement deniability. Instead, we adoptthe idea proposed in [17] with some improvements.We construct our deniable encryption scheme througha multidimensional space. All data are encrypted intothe multidimensional space. Only with the correct com-position of dimensions is the original data obtainable.With false composition, ciphertexts will be decrypted topredetermined fake data. The information defining thedimensions is kept secret. We make use of compositeorder bilinear groups to construct the multidimensionalspace. We also use chameleon hash functions to makeboth true and fake messages convincing.

Our deniable ABE has the advantages described belowover previous deniable encryption schemes.

• Blockwise Deniable ABE. Most deniable public keyschemes (e.g., [12], [15], [16]) are bitwise, whichmeans these schemes can only process one bit atime; therefore, bitwise deniable encryption schemesare inefficient for real use, especially in the cloudstorage service case. To solve this problem, O’Neilet al. designed a hybrid encryption scheme thatsimultaneously uses symmetric and asymmetric en-cryption. They use a deniably encrypted plan-aheadsymmetric data encryption key, while real data areencrypted by a symmetric key encryption mecha-nism. This reduces the repeating number from theblock size to the key size. Though bitwise deniableencryption is more flexible than blockwise deniableencryption in ”cooking” fake data, when consider-ing cloud storage services, blockwise encryption ismuch more efficient in use.Unlike those techniques used in previous deniableencryption schemes, we build two encryption en-vironments at the same time, much like the ideaproposed in [17]. We build our scheme with multipledimensions while claiming there is only one dimen-sion. This approach removes obvious redundantparts in [17]. We apply this idea to an existingABE scheme by replacing prime order groups withcomposite order groups. Since the base ABE schemecan encrypt one block each time, our deniable CP-ABE is certainly a blockwise deniable encryptionscheme. Though the bilinear operation for the com-posite order group is slower than the prime ordergroup, there are some techniques that can convertan encryption scheme from composite order groupsto prime order groups for better computational per-formance, such as those described in [22] and [23].We use composite order groups to describe our ideain Section 4 and transform it to prime order groups

in Section 5.• Consistent Environment. Most of the previous

deniable encryption schemes are inter-encryption-independent. That is, the encryption parametersshould be totally different for each encryption op-eration. If two deniable encryptions are performedin the same environment, the latter encryption willlose deniability after the first encryption is coerced,because each coercion will reduce flexibility. Forexample, once coercers get private keys, which arethe most common receiver proofs, these keys shouldbe convincing not only under some particular files,but also under all related stored data. Otherwise,the coercers will know that these keys are fake;however, all proposed schemes only provide con-vincing proofs for particular transmissions. In thesecure cloud storage service, this is not practical. Itis impossible for a cloud storage service providerto prepare a unique encryption environment foreach file, much less to maintain the access controlmechanism at the same time.In this work, we build a consistent environmentfor our deniable encryption scheme. By consistentenvironment, we means that one encryption envi-ronment can be used for multiple encryption timeswithout system updates. The opened receiver proofshould look convincing for all ciphertexts under thisenvironment3, regardless of whether a ciphertextis normally encrypted or deniably encrypted. Thedeniability of our scheme comes from the secret ofthe subgroup assignment, which is determined onlyonce in the system setup phase. By the cancelingproperty and the proper subgroup assignment, wecan construct the released fake key to decrypt nor-mal ciphertexts correctly.

• Deterministic Decryption. Most deniable encryp-tion schemes have decryption error problems. Theseerrors come from the designed decryption mecha-nisms. For example, in [12], Canetti et al. uses thesubset decision mechanism for decryption. The re-ceiver determines the decrypted message accordingto the subset decision result. If the sender chooses anelement from the universal set but unfortunately theelement is located in the specific subset, then an er-ror occurs. The same error occurs in all translucent-set-based deniable encryption schemes. Another ex-ample is in [16], which uses a voting mechanism fordecryption. Decryption is correct if and only if thecorrect part overwhelms the false part. Otherwise,the receiver will get the error result.The concept of our deniable scheme is different thanthese schemes described above. Our scheme extendsa pairing ABE, which has a deterministic decryptionalgorithm, from the prime order group to the com-

3. The sender proof is still inter-independent, because receiver proofsare related to user keys whereas sender proofs are related to randomchoices for encryption.

VOL. XX, NO. 1, 2015IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

4

posite order group. The decryption algorithm in ourscheme is still deterministic; therefore, there is nodecryption errors using our scheme.

1.4 Organization

In additional to this introductory section, we introducepreliminaries used in this paper in Section 2. In Section 3,we formally define deniable CP-ABE and its properties.In Section 4, we show how to set up a basic deniable CP-ABE scheme and prove security, deniability and otherfeatures of our scheme. In Section 5, we transform ourbasic scheme from composite order groups to primeorder groups. We then enhance our scheme to be chosen-ciphertext attack (CCA) secure in Section 6. In section7, we implement our deniable schemes and evaluatetheir performance. Finally, we present our conclusionsin Section 8.

2 PRELIMINARIES

2.1 Prime Order Bilinear Groups

Let G and GT be two multiplicative cyclic groups ofprime order p, with map function e : G × G → GT . Letg be a generator of GG. G is a bilinear map group if G

and e have the following properties:

• Bilinearity: ∀u, v ∈ G and a, b ∈ Z , e(ua, vb) =e(u, v)ab.

• Non-degeneracy: e(g, g) 6= 1.• Computability: the group action in G and map

function e can be computed efficiently.

2.2 Waters CP-ABE

In this subsection, we provide an introduction to WatersCP-ABE [4]. Waters used LSSS to build an access controlmechanism. Here, we first review the definition of LSSS.

Definition 1 (LSSS: Linear Secret Sharing Schemes [24]):A secret sharing scheme Π over set of parties P is calledlinear (over Zp) if

1) The shares for each party form a vector over Zp.2) There exists a l × n matrix M called the share-

generating matrix for Π. For all i = 1, . . . , l, thei’th row of M is labeled by party ρ(i), whereρ is a mapping function from {1, . . . , l} to partyfield P . When considering column vector v =(s, r2, . . . , rn), where s ∈ Zp is the secret to beshared and r2, . . . , rn ∈ Zp are randomly chosen,Mv is the vector of l shares of secret s accordingto Π. The share (Mv)i belongs to party ρ(i).

According to the above definition, an LSSS scheme hasthe linear reconstruction property. That is, given LSSSΠ, access structure A, and valid shares of a secret s, scan be recovered by those who have authorized sets.In [24], Beimel shows that the recovery procedure istime polynomial in the size of M . In an ABE scheme,parties represent attributes. The Waters CP-ABE schemeis composed of the following algorithms:

• Setup() → (MSK,PK): This algorithm chooses abilinear group of prime order p with generator g,random elements α, a ∈ Zp, and hash function H :{0, 1}∗ → G. The public key PK is {g, e(g, g)α, ga}and the system secret key MSK is gα.

• Encrypt(PK, (M,ρ),M) → CT : Given message Mand LSSS access structure (M,ρ), this algorithm firstchooses a random vector −→v = (s, y2, . . . , yn) ∈Znp . Let M be a l × n matrix and Mi denotethe ith row of M . This algorithm calculates λi =−→v Mi, ∀i ∈ {1, . . . , l}. Further, this algorithm choosesr1, . . . , rl ∈ Zp. The output ciphertext will be:

CT = {Me(g, g)αs, gs, (gaλ1H(ρ(1))−r1 , gr1), . . . ,(gaλlH(ρ(l))−rl , grl)}

= {C,C′, (C1, D1), . . . , (Cl, Dl)},

with a description of (M,ρ).• KeyGen(MSK,S)→ SK : Given set S of attributes,

this algorithm chooses t ∈ Zp randomly and outputsthe private key as:

K = gα+at, L = gt, ∀x ∈ SKx = H(x)t.

• Decrypt(CT, SK)→M: Suppose that S satisfies theaccess structure and let I ⊂ {1, . . . , l} be defined asI = {i : ρ(i) ∈ S}. This algorithm finds a set ofconstants {wi ∈ Zp} such that

i∈I wiλi = s. Thedecryption algorithm computes

e(C′,K)/(∏

i∈I

(e(Ci, L)e(Di,Kρ(i)))wi) = e(g, g)αs

and derives M from the ciphertext.

The security of Waters CP-ABE scheme is based on thedecisional q-parallel bilinear BDHE assumption, which isdefined as follows:

Definition 2 (Decisional q-parallel BDHE Assumption):

Let a, s, b1, . . . , bqR←− Zp and g be a generator of G.

Given

D :=

g, gs, ga, . . . , g(aq), g(a

q+2), . . . , g(a2q)

∀1≤j≤qgs·bj , ga/bj , . . . , g(a

q/bj),

g(aq+2/bj), . . . , g(a

2q/bj)

∀1≤j,k≤q,k 6=j ga·s·bk/bj , . . . , gaq·s·bk/bj

and element T ∈ GT , we assume that for any PPTalgorithm A that outputs in {0, 1},

AdvA := |P [A(D, e(g, g)aq+1s) = 1]− P [A(D,T ) = 1]|

is negligible.

Theorem 1: Suppose the decisional q-parallel BDHEassumption holds, then no polynomial time adversarycan selectively break the Waters CP-ABE system in theCPA-model.

The proof can be found in [4] and is omitted here.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

2168-7161 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

5

2.3 Composite Order Bilinear Groups

The composite order bilinear group was first introducedin [25]; we use it to construct our scheme. Here weprovide a brief introduction. Let G and GT be twomultiplicative cyclic groups of composite order N =p1p2 . . . pm, where p1, p2, . . . , pm are distinct primes, withbilinear map function e : G × G → GT . For eachprime pi, G has a subgroup Gpi of order pi. We letg1, g2, . . . , gm be the generators of these subgroups re-spectively. Each element in G can be expressed in theform of ga11 ga22 . . . gamm , where a1, a2, . . . , am ∈ ZN . If ai iscongruent to zero modulo pi, we say that this elementhas no Gpi component. We say an element is in

i∈S Gpi ,where S is a subset from 1 . . .m, if ∀i ∈ S, ai is notcongruent to zero modulo pi.

The most important property of the composite bilineargroups is orthogonality between all subgroups underbilinear map e. This means that if u ∈ Gpi , v ∈ Gpj andi 6= j, then e(u, v) = 1, where 1 is the identity element inGT .

The general complexity assumption used in the com-posite group is the subgroup decision assumption,stating that it is difficult to determine the existence ofa given subgroup in a random composite order groupelement without orthogonality testing. The general formof this assumption is described as follows, as defined in[23]:

Definition 3 (General Subgroup Decision Assumption):Let S0, S1, S2, . . . , Sk be non-empty subsets of 1, . . . ,msuch that for each 2 ≤ j ≤ k, either Sj ∩S0 = ∅ = Sj ∩S1

or Sj ∩ S0 6= ∅ 6= Sj ∩ S1. Given group generator G , wedefine the following distribution:

PP := {N = p1p2 . . . pm,G,GT , e}R←−− G

ZiR←−− GSi

∀i ∈ {1, . . . , k},D := {PP,Z2, . . . , Zk}.

We assume that for that for any PPT algorithm A withoutput in {0, 1},

AdvG,A := |P [A(D,Z0) = 1]− P [A(D,Z1) = 1]|

is negligible.This assumption also implies that it is hard to dis-

tinguish the outputs of the bilinear map function fromother elements when they contain at least one commonsubgroup.

2.4 Chameleon Hash

The idea behind the chameleon hash scheme was firstintroduced in [26]. Just like other common secure hashfunctions, a chameleon hash scheme has two key prop-erties, namely collision resistance and semantic secu-rity. Further, a chameleon hash scheme also providescollision forgery with a predetermined trapdoor. Theinput of a chameleon hash includes two parts, one beinginput message m and the other random string r. Therandom string r is used to provide a chance to adapt

the message for the hash value. The definitions of thethree aforementioned requirements, collision resistance,semantic security and collision forgery, are listed below.

Definition 4 (Collision Resistance): Given chameleonhash scheme {PK,SK,CH(·, ·)}, where PK is thepublic information, SK is the trapdoor and CH(·, ·) isthe hash function. Let m,m′ be two different messagesand r a random string. We call the scheme collisionresistant if for any probabilistic polynomial time(PPT) algorithm A, it is hard to output r′ such thatCH(m, r) = CH(m′, r′) without SK .

Definition 5 (Semantic Security): Given chameleonhash scheme {PK,SK,CH(·, ·)}, where PK is thepublic information, SK is the trapdoor and CH(·, ·)is the hash function. We call the scheme semanticallysecure if for all pairs of message m,m′ and randomstring r, the probability distribution of CH(m, r) andCH(m′, r) are computationally indistinguishable.

Definition 6 (Collision Forgery): Given chameleon hashscheme {PK,SK,CH(·, ·)}, where PK is the publicinformation, SK is the trapdoor and CH(·, ·) is the hashfunction. Let m,m′ be two different messages and r is arandom string. We call the scheme a collision forgeryscheme if there exists one PPT algorithm A that oninput SK , outputs a string r′ that satisfies CH(m, r) =CH(m′, r′).

In this paper, we use CH to denote the chameleonhash public information and CH(·, ·) to denote thechameleon hash operation.

3 DEFINITION

3.1 Deniable CP-ABE Scheme

Deniable encryption schemes may have different prop-erties and we provide an introduction to many of theseproperties below.

• ad hoc deniability vs. plan-ahead deniability: The for-mer can generate a fake message (from the entiremessage space) when coerced, whereas the latter re-quires a predetermined fake message for encryption.Undoubtedly, all bitwise encryption schemes are adhoc.

• sender-, receiver-, and bi-deniability: The prefix here ineach case implies the role that can fool the coercerwith convincing fake evidence. In sender-deniableencryption schemes and receiver-deniable schemes,it is assumed that the other entity cannot be coerced.Bi-deniability means both sender and receiver cangenerate fake evidence to pass third-party coercion.

• full deniability vs. multi-distributional deniability: Afully deniable encryption scheme is one in whichthere is only one set of algorithms, i.e., a key-generation algorithm, an encryption algorithm andso on. Senders, receivers and coercers know thisset of algorithms and a sender and a receiver canfool a coercer under this condition. As for multi-distributional deniable encryption schemes, thereare two sets of algorithms, one being a normal set,

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TCC.2015.2424882, IEEE Transactions on Cloud Computing

6

while the other is a deniable set. The outputs ofalgorithms in these two sets are computationally in-distinguishable. The normal set of algorithms cannotbe used to fool coercers, whereas the deniable setcan be used. A sender and a receiver can use thedeniable algorithm set, but claim that they use thenormal algorithm set to fool coercers..

• interactive encryption vs. non-interactive encryption:The difference between these two types of encryp-tion is that the latter scheme does not need interac-tion between sender and receiver.

According to the above definitions, the ideal deniableencryption scheme is ad hoc, full, bi-deniability and non-interactive deniability; however, there is research focusedon determining the limitations of the deniable schemes.IN [20], Nielsen stated that it is impossible to encrypt un-bounded messages by one short key in non-committingschemes, including deniable schemes. Since we wantour scheme to be blockwise deniable with a consistentencryption environment, we design our scheme to be aplan-ahead deniable encryption scheme. In [21], Bendlinet al. showed that non-interactive and fully receiver-deniable properties cannot be achieved simultaneously.We prefer our scheme to have the non-interactive prop-erty for ease of use. Therefore, our scheme is multi-distributional. In summary, our deniable scheme is plan-ahead, bi-deniable, and multi-distributional. Below, weprovide the definition of this kind of deniable CP-ABEscheme.

Definition 7 (Deniable CP-ABE): Our plan-ahead, bi-deniable, and multi-distributional CP-ABE scheme iscomposed of the following algorithms:

• Setup(1λ) → (PP,MSK): This algorithm takessecurity parameter λ as input and returns publicparameter PP and system master key MSK .

• KeyGen(MSK,S)→ SK : Given set of attributes Sand MSK , this algorithm outputs private key SK .

• Enc(PP,M, A) → C: This encryption algorithmtakes as input public parameter PP , message M,and LSSS access structure A = (M,ρ) over theuniverse of attributes. This algorithm encrypts Mand outputs a ciphertext C, which can be decryptedby those who possess an attribute set that satisfiesaccess structure A. Note that A is contained in C.

• Dec(PP, SK,C) → {M,⊥}: This decryption algo-rithm takes as input public parameter PP , privatekey SK with its attribute set S, and ciphertext Cwith its access structure A. If S satisfies A, thenthis algorithm returns M ; otherwise, this algorithmreturns ⊥.

• OpenEnc(PP,C,M) → PE : This algorithm is forthe sender to release encryption proof PE for (M,C).

• OpenDec(PP, SK,C,M) → PD : This algorithm isfor the receiver to release decryption proof PD for(M,C).

• Verify(PP,C,M,PE , PD) → {T, F}: This algorithmis used to verify the correctness of PE and PD.

• DenSetup(1λ) → (PP,MSK,PK): This algorithmtakes security parameter λ as input and returnspublic parameters PP , system master key MSK ,and system public key PK . PK is known by allsystem users and is kept secret to outsiders.

• DenKeyGen(MSK,S) → (SK,FK): Given set ofattributes S and MSK , this algorithm outputs pri-vate key SK as well as FK for the user, where FKwill be used for generating fake proof later.

• DenEnc(PP, PK,M,M′, A) → C′: Aside from theinputs of the normal encryption algorithm, this de-niable encryption algorithm needs public key PKand fake message M′. The output ciphertext mustbe indistinguishable from the output of Enc.

• DenOpenEnc(PP,C′,M′) → P ′E : This algorithm is

for the sender to release encryption proof P ′E for

fake message M ′. The output must be indistinguish-able from the result of OpenEnc and must pass theVerify algorithm.

• DenOpenDec(PP, SK,FK,C ′,M′) → P ′D: This al-

gorithm is for the receiver to release decryptionproof P ′

D for fake message M′. The output must beindistinguishable from the result of OpenDec andmust pass the Verify algorithm.

We require the following properties:

1) Security: The tuple {Setup,KeyGen,Enc,Dec}must form a secure CP-ABE scheme in a securitymodel. In this work, we propose a CPA securescheme and a CCA secure scheme. These twosecurity models are defined in Section 3.2.

2) Bi-deniability: The CP-ABE is bi-deniable if,given public parameter PP , the two distribu-tion tuples (M,C, PE , PD) and (M ′, C′, P ′

E , P′D)

are computational indistinguishable, where M,M ′

are claimed messages, C,C′ are normally anddeniably encrypted ciphertexts, respectively, andPE , PD, P

′E , P

′D are proofs generated from the nor-

mal and deniable open algorithms, respectively.That is, there is no PPT algorithm A for which

AdvA :=

P [A(PP, (M,C, PE , PD)) = 1]− P [A(PP, (M ′, C′, P ′

E , P′D)) = 1]

is non-negligible.3) Deniable Receiver Proof Consistency: The deni-

able CP-ABE is deniable receiver proof consistent ifa deniable receiver proof is convincing even whenconsidering all ciphertexts in the system. That is,given set of ciphertexts C, including normally en-crypted ciphertexts and deniably encrypted cipher-texts, normal proof PD and deniable proof P ′

D,there is no PPT algorithm A for which

AdvA := |P [A(C, PD) = 1]− P [A(C, P ′D) = 1]|

is non-negligible.

We note that the last requirement is unusual for deni-able encryption schemes. We build our scheme with thisrequirement for practicality. In a cloud storage service,

7

it is impractical to frequently update security parame-ters. Therefore, coercers are able to check proofs withall stored encrypted files. For normal provided proofs,there will be no problems. So, our scheme must ensuredeniable proofs to pass coercer checks, or coercers willknow cheating has occurred. We also note that not allstored files are deniably encrypted. Some files are nor-mally encrypted. A proposed receiver proof, regardlessof whether it is normal or deniable, should be convincingfor both normally and deniably encrypted files. We focuson receiver proofs instead of sender proofs because inmost cases, senders add randomness during encryption.Therefore, any two sender proofs are usually indepen-dent, and sender proof consistency is unnecessary. Forthe above reasons, we build our scheme such that itadheres to the Deniable Receiver Proof Consistencyrequirement.

3.1.1 Is a Confidential PK Practical?

In the above definition, our scheme assumes that PKwill be kept secret from the coercer. Some may argue thatit is impractical, stating that coercers can pretend to beusers in cloud storage services and obtain the PK . Oncethe PK is released to coercers, they can easily generatedeniably encrypted ciphertexts and use these ciphertextsto determine the types of receiver proofs. To addressthis question, we must return to the basic assumption ofdeniable encryption schemes, i.e., senders and receiverswant to hide their communication messages fromoutside coercers. Like all other cryptographic schemes,secrets must be assumed to be unknown to adversariesand our scheme is no exception. Therefore assumingthat the PK is kept secret to coercers is acceptable andunavoidable.

To keep PK secret, cloud service providers can in-tegrate deniable CP-ABE schemes with their own userauthentication mechanisms. Note that in our definition,a deniable CP-ABE scheme can enable cloud storageservice providers to offer two kinds of storage services,one being normal storage service, the other being audit-free storage service. So a user can choose to enjoynormal cloud storage services through a basic authenti-cation process or enjoy audit-free cloud storage servicesthrough a much more sincere authentication process.Therefore, we believe our idea can be used to buildpractical cloud storage services, especially for thosecommunities who currently have serious authenticationprocesses.

3.2 Chosen-Plaintext-Attack (CPA) Security Modeland Chosen-Ciphertext-Attack (CCA) Security Model

Here we describe the secure model for a CP-ABE scheme.An adversary is given a challenge question and is al-lowed to query an oracle for some information. Theadversary wins the game if it can correctly answerthe question. The formal security game is described asfollows:

• Setup: The challenger first runs Setup and outputsPP to the adversary.

• Phase 1: The adversary generates queries q1, . . . , qmto the challenger. Query qi can be one of the follow-ing two types of queries:

– Key query: the adversary chooses attribute setSi and obtains its private key from the chal-lenger.

– Decryption query: the adversary asks the chal-lenger to decrypt ciphertext Ci and obtains itsplaintext.

• Challenge: The adversary chooses two plaintextsM0,M1 for the challenger. The adversary also pro-vides a challenge access structure A∗, which cannotbe satisfied by the attributes used in q1, . . . , qm. Thechallenger randomly chooses one bit b ∈ {0, 1} andencrypts the message via Enc(PP,A∗,Mb) → C∗.The challenger sends C∗ to the adversary as thechallenge ciphertext.

• Phase 2: As in Phase 1, the adversary generatesqueries qm+1, . . . , qn to the challenger. Query qi canbe one of the following two types of queries:

– Key query: the adversary chooses attribute setSi and obtains its private key from the chal-lenger. Si cannot satisfy A∗.

– Decryption query: the adversary asks the chal-lenger to decrypt ciphertext Ci and obtains itsplaintext. Ci cannot be C∗.

• Guess: The adversary returns guess result b′ ∈{0, 1}. The adversary wins if b′ = b.

The advantage is defined as |P (b′ = b)− 12 |.

Definition 8: A CP-ABE scheme is CPA secure if allpolynomial time adversaries have at most a negligibleadvantage in the above game without any decryptionqueries.

Definition 9: A CP-ABE scheme is CCA secure if allpolynomial time adversaries have at most a negligibleadvantage in the above game.

4 DENIABLE CP-ABE CONSTRUCTION

To build an audit-free secure cloud storage service, weuse a deniable CP-ABE scheme as our core technology.We construct our basic deniable CP-ABE scheme, whichis based on [4], as follows:

• Setup(1λ)→ (PP,MSK): This algorithm generatesbilinear group G of order N = p1p2p3, wherep1, p2, p3 are distinct primes with bilinear map func-tion e : G × G → GT . GT is also order N . Welet Gp1 ,Gp2 ,Gp3 denote three orthogonal subgroupsin G of order p1, p2, p3, respectively. This algorithmthen picks generators g1 ∈ Gp1 , g3 ∈ Gp3 , andrandomly picks α, a ∈ ZN . This algorithm alsochooses hash function H1 : {0, 1}∗ → Gp3 . Public pa-rameter PP is {G, e,H1, g1g3, (g1g3)

a, e(g1g3, g1g3)α}

and system secret key MSK is (g1g3)α.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

8

• KeyGen(MSK,S)→ SK : Given set S of attributes,this algorithm chooses t ∈ ZN randomly and out-puts private key SK as:

SK = {(g1g3)α+at, (g1g3)t, {H1(x)t}∀x∈S}

= {K,L, {Kx}∀x∈S}.

• Enc(PP,M, A = (M,ρ)) → C: Given messageM and LSSS access structure (M,ρ). Let M be al × n matrix and Mi denote the ith row of M . Thisalgorithm first chooses two random vectors −→v =(s, y2, . . . , yn) ∈ ZnN and −→r = (r1, . . . , rl) ∈ ZlN . Thisalgorithm then calculates λi =

−→v Mi, ∀i ∈ {1, . . . , l}.In addition, this algorithm sets up one-way hashfunction H(·, ·)4 with two inputs. Note that hashfunction H can be any kind of one-way function andis determined during encryption. Each transactionmay have different H . This algorithm flips two coinsb0, b1 and picks two random string t0, t1. The outputciphertext C will be:

C = {A0, A1, B, (C1, D1), . . . , (Cl, Dl), H, t0, t1, V },

where,

Ab0 =M· e(g1g3, g1g3)αs, A1−b0

R←− GT ,

B = (g1g3)s,

Ci = (g1g3)aλiH1(ρ(i))

−ri , Di = (g1g3)ri , i = 1 . . . l,

V = H(M, tb1) 6= H(A1−b0 · e(g1g3, g1g3)−αs, t1−b1).

Access structure A is also attached to C.• Dec(PP, SK,C)→ {M,⊥}: To decrypt ciphertext C

for access structure A = (M,ρ), this algorithm firstchecks if attribute set S of SK satisfies A. SupposeS satisfies A and let I ⊂ {1, 2, . . . , l} be defined asI = {i : ρ(i) ∈ S}. Then this algorithm finds a setof constants {w ∈ Zp} such that

i∈I wiλi = s. Thisalgorithm computes M0,M1 as follows:

M{0,1} = A{0,1} ·

i∈I(e(Ci, L)e(Di,Kρ(i)))wi

e(B,K)

This algorithm then calculates

vi,j = H(Mi, tj), ∀i, j ∈ {0, 1}.

If vi,j is equal to V , thenMi is the true message andis returned. Otherwise, this algorithm returns ⊥.

• OpenEnc(PP,C,M) → PE : This algorithm returnstwo coins b0, b1 as proof PE .

• OpenDec(PP, SK,C,M)→ PD : This algorithm di-rectly returns SK as proof PD since this is the mostpersuasive proof.

• Verify(PP,C,M, PE , PD) → {T, F}: To verify PEand PD , this algorithm first runs Dec(PP, PD, C)and checks if the output is equal to declared inputM. Then, this algorithm checks PE with correct

4. We use H to represent a hash function’s public information andH(·, ·) to represent the hash operation.

coins b0, b1 derived in the decryption process. If bothrequirements are satisfied, this algorithm returns T ;otherwise, it returns F .

• DenSetup(1λ) → (PP,MSK,PK): This algo-rithm runs Setup(1λ) and obtains PP . Sys-tem public key PK is {g2g3, (g2g3)

a, e(g3, g3)α,

e(g2g3, g2g3)α} and system secret key MSK is

{(g1g3)α, g1g2g3, (g1g2g3)α}.• DenKeyGen(MSK,S) → (SK,FK): This algo-

rithm runs KeyGen and obtains SK for S. Next,this algorithm picks t′ ∈ ZN and generates FK asfollows:

FK = {(g1g2g3)α+at′

, (g1g2g3)t′ , {H1(x)

t′}∀x∈S}= {K ′, L′, {K ′

x}∀x∈S}.

• DenEnc(PP, PK,M,M′, A = (M,ρ)) → C′: Thisalgorithm prepares λi, ∀i ∈ {1, . . . , l} just as the Encalgorithm does. This algorithm sets up chameleonhash function CH(·, ·). The chameleon hash functionis determined during encryption. Note that withoutthe trapdoor, a chameleon hash is just a one-wayhash function. That is, a sender can claim this isjust a normal hash function without any trapdoor.Output deniable ciphertext C′ will be:

C′ = {A′0, A

′1, B

′, (C′1, D

′1), . . . , (C

′l , D

′l), CH, t0, t1, V },

where,

A′b0 =M· e(g3, g3)

αs, A′1−b0 =M′ · e(g2g3, g2g3)

αs,B′ = (g2g3)

s,

C′i = (g2g3)

aλiH1(ρ(i))−ri , D′

i = (g1g3)ri , i = 1, . . . , l,

V = CH(M, tb1) = CH(M′, t1−b1).

Based on the property of the chameleon hash, thesender can easily find tb1 and t1−b1 satisfying theabove requirements.

• DenOpenEnc(PP,C′,M′) → P ′E : When the sender

tries to fool the coercer with the pre-determined fakemessage, this algorithm returns two coins 1−b1, 1−b2 as its proof P ′

E .• DenOpenDec(PP, SK,FK,C ′,M′) → P ′

D: This al-gorithm directly returns FK as proof P ′

D .

4.1 Correctness

In this subsection, we show the correctness of this deni-able CP-ABE scheme. There are four cases here:

1) When using ormal key SK to decrypt normallyencrypted ciphertext C, the decryption process willbe:

i∈I(e(Ci, L)e(Di,Kρ(i)))wi

e(B,K)

=

i∈I(e((g1g3)aλi , (g1g3)

t))wi

e((g1g3)s, (g1g3)α+at)

=e(g1g3, g1g3)

at∏

i∈Iλiwi

e(g1g3, g1g3)s(α+at)

= e(g1g3, g1g3)−αs.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

9

With the hash function in C and V , the receivercan derive message M.

2) When using normal key SK to decrypt deniableciphertext C′ , the decryption process will be:

i∈I(e(C′i, L)e(D

′i,Kρ(i)))

wi

e(B′,K)

=

i∈I(e((g2g3)aλi , (g1g3)

t))wi

e((g2g3)s, (g1g3)α+at)

=e(g3, g3)

at∏

i∈Iλiwi

e(g3, g3)s(α+at)

= e(g3, g3)−αs.

With chameleon hash CH and V in C′, the receivercan derive true message M. Therefore, via thenormal key, the receiver can obtain the correct mes-sage regardless of whether the message is normallyencrypted.

3) When using deniable key FK to decrypt deniableciphertext C′, which is the case for fooling thecoercer, the decryption process will be:

i∈I(e(C′i, L

′)e(D′i,K

′ρ(i)))

wi

e(B′,K ′)

=

i∈I(e((g2g3)aλi , (g1g2g3)

t))wi

e((g2g3)s, (g1g2g3)α+at)

=e(g2g3, g2g3)

at∏

i∈Iλiwi

e(g2g3, g2g3)s(α+at)

= e(g2g3, g2g3)−αs.

With chameleon hash CH and V in C′, the receivercan derive fake messageM′. Therefore, the coercerwill be convinced by M and FK .

4) When using deniable key FK to decrypt normalciphertext C, which is the key compatible property,the decryption process will be:

i∈I(e(Ci, L′)e(Di,K

′ρ(i)))

wi

e(B,K ′)

=

i∈I(e((g1g3)aλi , (g1g2g3)

t))wi

e((g1g3)s, (g1g2g3)α+at)

=e(g1g3, g1g3)

at∏

i∈Iλiwi

e(g1g3, g1g3)s(α+at)

= e(g1g3, g1g3)−αs.

Therefore, correct messageM will be derived fromnormal ciphertext C, even though the key is deni-able.

From the above, our scheme has two important prop-erties. First, a user can obtain the true message with avalid secret key, regardless of whether the ciphertext isnormally encrypted or deniably encrypted. Second, thefake key can be used to decrypt the normally encryptedciphertext.

Theorem 2: Our CP-ABE system is receiver proof con-sistent.

Proof: In our scheme, we use keys as receiver proofssince keys are the most immediate proofs available. Asshown above, both PD and P ′

D can be used to ”correctly”

decrypt these ciphertexts. By ”correctly” here, we meanthat a ciphertext can be decrypted to a meaningfulmessage, which may be true or a pre-determined fakemessage. With PD , regardless of whether a messageis normally encrypted or deniably encrypted, the truemessage can be derived. As for P ′

D, the decryptionoutputs are true messages when they are normally en-crypted and are fake messages when true messages aredeniably encrypted. Therefore, anyone who can differ-entiate between (C1, . . . , Cn, PD) and (C1, . . . , Cn, P

′D)

can also differentiate between true and pre-determinedfake messages. In other words, these two tuples areindistinguishable.

4.2 Security Proof

To prove that our deniable encryption scheme is securerequires this scheme to be a valid encryption scheme.For a multi-distributional deniable encryption scheme,it is only necessary to prove the security from thenormal algorithm set. That is, we only need to provethe security of a scheme composed of the following fouralgorithms Setup, KeyGen, Enc, and Dec. As for thedeniable algorithms, since deniable keys and ciphertextsare indistinguishable from normal keys and ciphertexts,which will be proved in the next subsection, deniablealgorithms will be treated as normal algorithms whichare proved to be secure. In other words, if the normalalgorithm set can form a secure scheme, but the deniableset cannot, the security test will be a tool to distinguishthese two sets of algorithms and there will be no denia-bility in our scheme. For proving security, we will reduceWaters CP-ABE to our deniable ABE scheme.

Theorem 3: Our proposed CP-ABE scheme is CPA se-cure if Waters CP-ABE is CPA secure.

Proof: Let A be an adversary that breaks the abovedeniable CP-ABE scheme. We can construct algorithmB that can break Waters CP-ABE as follows. B is givenpublic parameters through the Waters CP-ABE scheme’sSetup algorithm from challenger X

PPp3 := {g3, ga33 , e(g3, g3)

α3},

with prime number p3, Gp3 , e(·, ·) and H1(·). Forconvenience, we use the suffix to represent different sub-groups in our proof. Algorithm B proceeds as follows.

• Setup: B first picks two different prime numbersp1 and p2. Next, B generates group G with orderN = p1p2p3. Note that the subgroup with p3 orderin G should be the same as Gp3 . B sets up PPp1with the Waters CP-ABE Setup algorithm from Gp1

and outputs {g1, ga11 , e(g1, g1)

α1}, where a1, α1 are inZp1 . Next, B shows

PP := {g1g3, ga11 ga33 , e(g1, g1)

α1e(g3, g3)α3}

to A with N , GN , e(·, ·) and H1(·). Note that e(·, ·)and H1(·) are the same with the given functionfrom X . Though a3 is secret and different from a1,

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

10

which comes from Zp3 and Zp1 respectively, ga11 ga33can be treated as (g1g3)

a, where a ∈ ZN from theChinese remainder theorem. For the same reason,e(g1, g1)

α1e(g3, g3)α3 can be treated as e(g1g3, g1g3)

α,where α ∈ ZN

• Phase 1: When B receives a key generation queryfor attribute set S from A, B simply relays the queryto X and obtains SKp3 = {Kp3 , Lp3 , {Kx}∀x∈S}. Bgenerates Kp1 , Lp1 with the same algorithm. Next,B replies A the secret key SK as follows:

SK = {Kp1Kp3 , Lp1Lp3 , {Kx}∀x∈S}.

• Challenge: A outputs two messages M0, M1 withaccess structure (M,ρ) to B. B directly relays M0,M1 and (M,ρ) to X as the challenge and obtains

{M∗·e(g3, g3)α3s3 , Bp3 , (C1,p3 , D1,p3), . . . , (Cl,p3 , Dl,p3)}

from X . M∗ ∈ {M0,M1} is chosen by X . B setupsa chameleon hash function CH and randomly picksb1, b2 from {0, 1}, {r1, . . . , rl}, s1 from Zp1 . B alsocalculates {λ′1, . . . , λ

′l}. Finally, B outputs C to A as

follows:

C = {A0, A1, B, (C1, D1), . . . , (Cl, Dl), CH, t0, t1, V },

where

Ab1 =M∗ · e(g1, g1)α1s1e(g3, g3)

α3s3 , A1−b1R←− GN ,

B = Bp3 · gs11 ,

Ci = Ci,p3 · ga1λ

i

1 , Di = Di,p3gr′i1 , ∀i ∈ {1, . . . , l},

V = CH(M0, tb2) = CH(M1, t1−b2).

Because of the Chinese remainder theorem, A willtreat C as a ciphertext that comes from secret s ∈ZN . Here, a chameleon hash function is used insteadof a normal hash function; however, to A, who hasno trapdoor for the chameleon hash function, thechameleon hash function is just a normal one-wayhash function.

• Phase 2: A submits key generation queries to B andB responds as shown in Phase 1.

• Guess: Finally, adversary A outputs guess b′ to Band B uses b′ to reply X .

If A achieves a non-negligible advantage against thedeniable scheme from our construction, B can use theoutput of A to also achieve a non-negligible advantageagainst the Waters ABE scheme in the CPA model.

Combined with Theorem 1, we have the followingtheorem:

Theorem 4: Our proposed CP-ABE scheme is CPA se-cure if the q-BDHI assumption holds.

4.3 Deniability Proof

To prove the deniability of our CP-ABE scheme, we mustshow (M,C, PE , PD) and (M ′, C′, P ′

E , P′D) are indistin-

guishable. Since M ,C,PE ,PD are pairwise independent

because of the security property, we need only show theindistinguishability between C and C′, PE and P ′

E , andPD and P ′

D.Lemma 1: Under the general subgroup decision as-

sumption, normal ciphertext C and deniable ciphertextC′ are indistinguishable.

Proof: We suppose there exists PPT attacker A whoachieves a non-negligible advantage in distinguishingthe deniable ciphertext from the normal ciphertext ofour scheme. We can create PPT algorithm B that has anon-negligible advantage against the general subgroupdecision assumption.B receives N = p1p2p3, g1g3, g2g3, T , where g1, g2, g3

belong to Gp1 , Gp2 , Gp3 respectively. B wants to know ifT belongs to Gp1,p3 or Gp2,p3 . B runs the DenSetup(1λ)algorithm and obtains PP, PK , and MSK . B then re-leases PP toA. Note that PK is unnecessary because thecoercer should not obtain the PK information. A sendskey queries to B with attribute sets and B replies to allqueries with normal keys via the KeyGen algorithm. Inthe challenge phase, B receives an encryption challengefrom A with an access structure and two messages Mand M′. The access structure cannot be satisfied by anyattribute sets that have been queried. B flips two coinsb0, b1 and returns the following ciphertext to A:

C = {A0, A1, B, (C1, D1), . . . , (Cl, Dl), CH, t0, t1, V },

where,

Ab0 =M· e(T, g1g3)α, A1−b0 =M′ · e(T, g2g3)

α,B = T,

Ci = T aMi,1H(ρ(i))−ri , Di = (g1g3)ri , i = 1, . . . , l,

V = CH(M, tb1) = CH(M′, t1−b1).

Mi,1 is the first element in the ith row of M . IfT = (g1g3)

s ∈ Gp1,p3 , then C is a normal ciphertext; ifT = (g2g3)

s ∈ Gp2,p3 , then C is a deniable ciphertext. Acan still send key queries to B and receive normal secretkeys. Finally A answers B if the ciphertext is deniable.If A has a non-negligible advantage over the ciphertextdecision problem, B can also have a non-negligible ad-vantage over the subgroup decision problem.

Lemma 2: Normal encryption proof PE and deniableencryption proof P ′

E are indistinguishable.Proof: Since the encryption proof is composed of

two random coins, PE and P ′E are indistinguishable. We

note that given ciphertext C, it is impossible to builda PPT algorithm that can correctly find PE with a non-negligible advantage because of the security property.

Lemma 3: Under the general subgroup decision as-sumption, normal decryption proof PD and deniabledecryption proof P ′

D are indistinguishable.Proof: In this scheme, we use private key SK as the

decryption proof. Therefore, this lemma is equal to theindistinguishability of SK and FK . The only differencebetween SK and FK is the existence of element g2.That is, the key decision problem is a subgroup decision

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

11

problem, which is hard according to the general sub-group decision assumption. Therefore, PD and P ′

D areindistinguishable.

From the three lemmas above, we yield the followingconclusion:

Theorem 5: Under the general subgroup decision as-sumption, our CP-ABE system is bi-deniable.

4.4 Decryption Errors

In section 1, we described why most deniable schemesmay cause decryption errors. Most of these schemesclaim their decryption error rates are small or negligible,but they cannot ensure that there are no errors whatso-ever in their schemes. In our scheme, a receiver usesa one-way function with a signature to obtain the truemessage. Both the one-way function and the signatureare generated by the sender. That is, the sender can avoidany decryption errors in encryption.

5 DENIABLE CP-ABE CONSTRUCTION FROM

PRIME ORDER BILINEAR GROUP

In the previous section, we described how to design adeniable CP-ABE scheme with composite order bilineargroups for building audit-free cloud storage services.Composite order bilinear groups have two attractiveproperties, namely projecting and cancelling, defined byFreeman in [22]. We make use of the cancelling propertyfor building a consistent environment; however, Free-man also pointed out the important problem of com-putational cost in regard to the composite order bilineargroup. The bilinear map operation of a composite orderbilinear group is much slower than the operation of aprime order bilinear group with the same security level.That is, in our scheme, a user will spend too much timein decryption when accessing files on the cloud. To makecomposite order bilinear group schemes more practical,Freeman converted [25], [27], and [28] into prime orderschemes. Meiklejohn et al. showed that both projectingand cancelling cannot be simultaneously achieved inprime order groups in [29].

For the same reason, we use a simulating tool pro-posed by Lewko in [23] to convert our composite orderbilinear group scheme to a prime order bilinear groupscheme. This tool is based on dual orthonormal basesand the subspace assumption. Different subgroups aresimulated as different orthonormal bases and therefore,by the orthogonal property, the bilinear operation willbe cancelled between different subgroups. Our formaldeniable CP-ABE construction method uses only the can-celling property of the composite order group. Therefore,Lewko’s tool will be suitable with our construction. Theconverting process is straightforward. First, we generatedual orthonormal bases (D,D∗) of Znp , where p is theprime order and n is the dimension. Each subgroup inthe public parameter has its own basis vector in D anduses the relative basis vector in D∗ when generating

keys. This step is slightly different from Lewko’s sys-tem; Lewko uses more than one basis to simulate onesubgroup because multiple key elements are combinedinto one. We simply make all key elements separate andtherefore only use one basis for one subgroup. Beforeexplaining our construction, we present some notationbelow.

• For v = (v1, . . . , vn) ∈ Znp and g ∈ G, we use gv todenote n-tuple of elements (gv1 , . . . , gvn).

• We use en to denote the product of the componen-twise pairings:

en(gv, gw) =

n∏

i=1

e(gvi , gwi) = e(g, g)v·w.

We next describe how to simulate our scheme withprime order bilinear groups.

• Setup(1λ)→ (PP,MSK): This algorithm generatesbilinear group G of prime order p with bilinear mapfunction e : G×G→ GT . GT is also of order p. Thisalgorithm generates dual orthonormal bases (D,D∗)from Z

3p. Let D = (d1,d2,d3) and D

∗ = (d∗1,d

∗2,d

∗3).

We then have the following property:

{

di · d∗j = 0(mod p), i 6= j

di · d∗j = ψ(mod p), i = j

.

The algorithm then picks generator g ∈ G andα, γ, a ∈ Zp. The algorithm also chooses hashfunction H1 : {0, 1}∗ → Gp. Public parameter PPis {G, e,H1, g

d1 , gad1 , gd3 , gad3,d3, e(g, g)ψ(α+γ)}

and system secret key MSK is{gd

1 , gad∗

1 , gαd∗

1 , gd∗

3 , gad∗

3 , gγd∗

3 ,d∗3}.

• KeyGen(MSK,S)→ SK : Given set S of attributes,this algorithm chooses t ∈ Zp randomly and outputsprivate key SK as:

SK =

{

g(α+at)d∗

1+(γ+at)d∗

3 , gt(d∗

1+d∗

3),

{H1(x)td∗

3}∀x∈S

}

= {K,L, {Kx}∀x∈S}.

• Enc(PP,M, A = (M,ρ)) → C: Given messageM and LSSS access structure (M,ρ). Let M be al × n matrix and Mi denote the ith row of M .This algorithm first chooses two random vectors−→v = (s, y2, . . . , yn) ∈ Z

np and −→r = (r1, . . . , rl) ∈ Z

lp.

This algorithm then calculates λi = −→v Mi, ∀i ∈{1, . . . , l}. In addition, the algorithm sets up a one-way hash function H(·, ·) with two inputs. Note thathash function H can be any one-way function andis determined during encryption. Each transactionmay have differentH . This algorithm flips two coinsb0, b1 and picks two random string t0, t1. Outputciphertext C will be:

C = {A0, A1, B, (C1, D1), . . . , (Cl, Dl), H, t0, t1, V },

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

12

where,

Ab0 =M· e(g, g)sψ(α+γ), A1−b0R←− GT ,

B = gs(d1+d3),

Ci = gaλi(d1+d3)H1(ρ(i))−rid3 , i = 1 . . . l,

Di = gri(d1+d3), i = 1 . . . l,

V = H(M, tb1) 6= H(A1−b0 · e(g, g)−sψ(α+γ), t1−b1).

Access structure A is also attached to C.• Dec(PP, SK,C)→ {M,⊥}: To decrypt ciphertext C

for access structure A = (M,ρ), this algorithm firstchecks if attribute set S of SK satisfies A. SupposeS satisfies A and let I ⊂ {1, 2, . . . , l} be defined asI = {i : ρ(i) ∈ S}. Then, this algorithm finds a setof constants {w ∈ Zp} such that

i∈I wiλi = s. Thealgorithm computes M0,M1 as follows:

M{0,1} = A{0,1} ·

i∈I(e(Ci, L)e(Di,Kρ(i)))wi

e(B,K)

This algorithm then calculates

vi,j = H(Mi, tj), ∀i, j ∈ {0, 1}.

If vi,j is equal to V , thenMi is the true message andis returned. Otherwise, this algorithm returns ⊥.

• DenSetup(1λ) → (PP,MSK,PK): Thisalgorithm runs Setup(1λ) and obtains PP .This algorithm randomly picks β ∈ Zp. Systempublic key PK is {gd2, gad2 , e(g, g)ψγ , e(g, g)ψβ}and system secret key MSK is{gd

1 , gad∗

1 , gαd∗

1 , gd∗

2 , gad∗

2 , gβd∗

2 , gd∗

3 , gad∗

3 , gγd∗

3 ,d∗3}.

• DenKeyGen(MSK,S) → (SK,FK): This algo-rithm runs KeyGen and obtains SK for S. Then,the algorithm picks t′ ∈ Zp and generates FK asfollows:

FK =

{

g(α+at′)d∗

1+(β+at′)d∗

2+(γ+at′)d∗

3 ,

gt′(d∗

1+d∗

2+d∗

3), {H1(x)t′d∗

3}∀x∈S

}

= {K ′, L′, {K ′x}∀x∈S}.

• DenEnc(PP, PK,M,M′, A = (M,ρ)) → C′: Thisalgorithm prepares λi, ∀i ∈ {1, . . . , l} as the Encalgorithm does. The algorithm sets up chameleonhash function CH(·, ·). The chameleon hash functionis determined during encryption. Note that withoutthe trapdoor, a chameleon hash is just a one-wayhash function. That is, a sender can claim this isjust a normal hash function without any trapdoor.Output deniable ciphertext C′ will be:

C′ = {A′0, A

′1, B

′, (C′1, D

′1), . . . , (C

′l , D

′l), CH, t0, t1, V },

where,

A′b0 =M· e(g, g)sψγ , A′

1−b0 =M′ · e(g, g)sψ(β+γ),

B′ = gs(d2+d3),

C′i = gaλi(d2+d3)H1(ρ(i))

−rid3 , i = 1 . . . l,

D′i = gri(d1+d3), i = 1 . . . l,

V = CH(M, tb1) = CH(M′, t1−b1).

Based on the property of the chameleon hash, thesender can easily find tb1 and t1−b1 to satisfy theabove requirements.

• DenOpenEnc, DenOpenDec, Verify, DenOpenEnc,DenOpenDec are the same as our basic scheme andtherefore not described here.

By this construction, we make different bases formdifferent subgroups. According to Definition 5 in [23],this approach follows the subgroup decision assumption.Therefore, bi-deniability also holds in this construction.

6 CCA SECURE DENIABLE CP-ABESCHEME

In [30], Boneh et al. proved that an IND-sID-CPA se-cure IBE scheme can be transformed into an IND-sID-CCA secure scheme with the help of one-time signa-ture scheme (G,Sign,Verify). The one-time signature isused to maintain the integrity of the ciphertext. Usingthe same technique, we can enhance our CPA securedeniable CP-ABE scheme to be a CCA secure deniableCP-ABE scheme, as demonstrated in [31]. We modify thefollowing algorithms for this enhancement:

• Setupcca(1λ)→ (PPcca,MSK): Aside from the orig-

inal Setup algorithm process, this algorithm addi-tionally chooses hash function H2 : {0, 1}∗ → Gp3

and randomly picks b ∈ ZN . This algorithm attaches(g1g3)

b, H2 to public parameter PP from the originalSetup algorithm as PPcca.

• Enccca(PPcca,M, A) → Ccca: The sender firstruns the original Enc algorithm and obtainsC = {A0, A1, B, (C1, D1), . . . , (Cl, Dl), H, t0, t1, V }.The sender generates B2 = (g1g3)

bs. The output Ccca

will be

Ccca =

A0, A1, B,B2,(C1, D1), . . . , (Cl, Dl),H, t0, t1, V, V2

,

where

V2 = H2

(

A0, A1, B,B2, (C1, D1), . . . ,(Cl, Dl), H, t0, t1, V

)s

.

• Deccca(PPcca, SK,Ccca)→M : The receiver first ver-ifies the following two equations:

e(B, (g1g3)b) =? e(B2, g1g3),

V3 = H2

(

A0, A1, B,B2, (C1, D1), . . . ,(Cl, Dl), H, t0, t1, V

)

,

e(V3, B2) =? e(V2, (g1g3)

b).

If the above two equations do not hold, this al-gorithm returns ⊥. Otherwise, we proceed as theoriginal algorithm.

• DenSetupcca(1λ) → (PPcca,MSK,PKcca): This al-

gorithm executes Setupcca and obtains PPcca,MSK .The algorithm also generates (g2g3)

b. PKcca is PK ,which is derived from DenSetup, and (g2g3)

b.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

13

• DenEnccca(PPcca, PKcca,M,M′, A) → C′cca:

The sender first runs the originalDenEnc algorithm and obtains C′ ={A′

0, A′1, B

′, (C′1, D

′1), . . . , (C

′l , D

′l), CH, t0, t1, V }.

The sender generates B′2 = (g2g3)

bs. The outputCcca will be

C′cca =

A′0, A

′1, B

′, B′2,

(C′1, D

′1), . . . , (C

′l , D

′l),

CH, t0, t1, V, V2

,

where

V2 = H2

(

A′0, A

′1, B

′, B′2, (C

′1, D

′1), . . . ,

(C′l , D

′l), CH, t0, t1, V

)s

.

Theorem 6: Our enhanced scheme is CCA secure if ourbasic scheme is CPA secure.

Proof: The difference between the CPA and CCAmodels is that CCA allows the existence of a decryptionoracle. Therefore, we focus here on how to answerthe adversary’s decryption queries. When receiving adecryption query, the oracle proceeds as follows:

1) If e(B, (g1g3)b) = e(B2, g1g3) and e(V3, B2) =

e(V2, (g1g3)b) do not hold, return ⊥.

2) In phase 2, if both equations hold and the queriedciphertext is the same as the challenged ciphertext,return ⊥.

3) The oracle generates SK for a set S that cansatisfy the access structure in the ciphertext anddecrypt the ciphertext. Then, the oracle returns thedecryption result.

From theorem 4 and theorem 6, we have the followingconclusion:

Theorem 7: Our enhanced scheme is CCA secure if theq-BDHI assumption holds.

7 PERFORMANCE EVALUATION

In this section, we evaluate the performance of our ideaby implementing two deniable schemes: the compositeorder scheme and the prime order simulation scheme.We compare them with the Waters scheme [4]. We usethe Pairing Based Cryptography (PBC) library for cryp-tographic operations. We use type A1 pairing becausethis type of pairing can support both prime order andcomposite order groups. In our experiment, we set thesize of each prime to 512 bits, which is equal to 256bits of security [32]. Under this setting, the compositegroup order size is 1536 bits. However, when consideringsecurity, the composite order scheme with a group sizeof 1536 bits is equal to the prime order scheme witha group size of 512 bits. This is because a message isencrypted in one subgroup whose group size is 512 bits.

Our experiments focus on encryption and decryptionperformance. The Setup and KeyGen performance areskipped because these two algorithms are not time crit-ical. The four Open algorithms are low-cost algorithms

Fig. 1. Encryption benchmark.

Fig. 2. Decryption benchmark.

because these algorithms only return existing informa-tion. The cost of Verify algorithm is equal to that of Dec.Note that we do not distinguish deniable encryptionfrom normal encryption; their numbers of arithmetic op-erations and pairing operations are equal, and thereforethe normal one and the deniable one will have similarperformance. In our design, the encryption cost and thedecryption cost depend on required attribute numbers.For convenience, we make all attributes mandatory asour cryptographic policy. We run the experiments withdifferent attribute numbers, from 10 to 1000. Our exper-iments focus on one block encryption/decryption. Eachblock is set to 128 bytes because PBC reads around 130bytes to generate a GT element when the group size is512 bits5. A large file can be divided into multiple blocks,and all blocks can be protected by one secret s. BecauseGT multiplication and H are lightweight operations,we use one-block encryption/decryption to evaluate theperformance. The experiments are tested on a virtualmachine with 3.47 GHz CPU and 8 GB memory.

Figures 1 and 2 show the experiment results. As wecan see, encryption time and decryption time grow lin-early over the attribute number in all three schemes. Thecomposite order scheme is undoubtedly the most time-consuming scheme; its performance is almost unaccept-able for practical applications. The reason for this poor

5. In the composite order scheme, the group size is 1536 bits andPBC reads around 388 bytes to generate a GT element. For simplicity,our experiments fix a block size to 128 bytes in three schemes.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015

14

performance is that all arithmetic and pairing operationsare executed in a group much larger than those for theother two schemes. As for the prime order simulationscheme, it takes little time to get the deniability featurefrom the Waters scheme and therefore, the prime ordersimulation scheme is suitable to be distributed to cloudstorage services for the deniability feature.

8 CONCLUSIONS

In this work, we proposed a deniable CP-ABE scheme tobuild an audit-free cloud storage service. The deniabilityfeature makes coercion invalid, and the ABE propertyensures secure cloud data sharing with a fine-grained ac-cess control mechanism. Our proposed scheme providesa possible way to fight against immoral interference withthe right of privacy. We hope more schemes can becreated to protect cloud user privacy.

REFERENCES

[1] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” inEurocrypt, 2005, pp. 457–473.

[2] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,” inACM Conference on Computer and Communications Security, 2006,pp. 89–98.

[3] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in IEEE Symposium on Security andPrivacy, 2007, pp. 321–334.

[4] B. Waters, “Ciphertext-policy attribute-based encryption: An ex-pressive, efficient, and provably secure realization,” in Public KeyCryptography, 2011, pp. 53–70.

[5] A. Sahai, H. Seyalioglu, and B. Waters, “Dynamic credentials andciphertext delegation for attribute-based encryption,” in Crypto,2012, pp. 199–217.

[6] S. Hohenberger and B. Waters, “Attribute-based encryption withfast decryption,” in Public Key Cryptography, 2013, pp. 162–179.

[7] P. K. Tysowski and M. A. Hasan, “Hybrid attribute- and re-encryption-based key management for secure and scalable mobileapplications in clouds.” IEEE T. Cloud Computing, pp. 172–186,2013.

[8] Wired. (2014) Spam suspect uses google docs; fbi happy. [Online].Available: http://www.wired.com/2010/04/cloud-warrant/

[9] Wikipedia. (2014) Global surveillance disclosures (2013present).[Online]. Available: http://en.wikipedia.org/wiki/Globalsurveillance disclosures (2013-present)

[10] ——. (2014) Edward snowden. [Online]. Available: http://en.wikipedia.org/wiki/Edward Snowden

[11] ——. (2014) Lavabit. [Online]. Available: http://en.wikipedia.org/wiki/Lavabit

[12] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky, “Deniableencryption,” in Crypto, 1997, pp. 90–104.

[13] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters,“Fully secure functional encryption: Attribute-based encryptionand (hierarchical) inner product encryption,” in Eurocrypt, 2010,pp. 62–91.

[14] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert,E. de Panafieu, and C. Rafols, “Attribute-based encryptionschemes with constant-size ciphertexts,” Theor. Comput. Sci., vol.422, pp. 15–38, 2012.

[15] M. Durmuth and D. M. Freeman, “Deniable encryption withnegligible detection probability: An interactive construction,” inEurocrypt, 2011, pp. 610–626.

[16] A. O’Neill, C. Peikert, and B. Waters, “Bi-deniable public-keyencryption,” in Crypto, 2011, pp. 525–542.

[17] P. Gasti, G. Ateniese, and M. Blanton, “Deniable cloud storage:sharing files via public-key deniability,” in WPES, 2010, pp. 31–42.

[18] M. Klonowski, P. Kubiak, and M. Kutylowski, “Practical deniableencryption,” in SOFSEM, 2008, pp. 599–609.

[19] M. H. Ibrahim, “A method for obtaining deniable public-keyencryption,” I. J. Network Security, vol. 8, no. 1, pp. 1–9, 2009.

[20] J. B. Nielsen, “Separating random oracle proofs from complexitytheoretic proofs: The non-committing encryption case,” in Crypto,2002, pp. 111–126.

[21] R. Bendlin, J. B. Nielsen, P. S. Nordholt, and C. Orlandi, “Lowerand upper bounds for deniable public-key encryption,” Cryp-tology ePrint Archive, Report 2011/046, 2011, http://eprint.iacr.org/.

[22] D. M. Freeman, “Converting pairing-based cryptosystems fromcomposite-order groups to prime-order groups,” in Eurocrypt,2010, pp. 44–61.

[23] A. B. Lewko, “Tools for simulating features of composite orderbilinear groups in the prime order setting,” in Eurocrypt, 2012,pp. 318–335.

[24] A. Beimel, “Secure schemes for secret sharing and key distribu-tion,” Ph.D. dissertation, Israel Institute of technology, 1996.

[25] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-dnf formulason ciphertexts,” in TCC, 2005, pp. 325–341.

[26] H. Krawczyk and T. Rabin, “Chameleon signatures,” in NDSS,2000.

[27] D. Boneh, A. Sahai, and B. Waters, “Fully collusion resistant traitortracing with short ciphertexts and private keys,” in Eurocrypt,2006, pp. 573–592.

[28] J. Katz, A. Sahai, and B. Waters, “Predicate encryption support-ing disjunctions, polynomial equations, and inner products,” inEurocrypt, 2008, pp. 146–162.

[29] S. Meiklejohn, H. Shacham, and D. M. Freeman, “Limitations ontransformations from composite-order to prime-order groups: Thecase of round-optimal blind signatures,” in Asiacrypt, 2010, pp.519–538.

[30] D. Boneh, R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext se-curity from identity-based encryption,” SIAM J. Comput., vol. 36,no. 5, pp. 1301–1328, 2007.

[31] K. Liang, L. Fang, D. S. Wong, and W. Susilo, “A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertextsecurity,” IACR Cryptology ePrint Archive, vol. 2013, p. 236, 2013.

[32] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommen-dation for key management: Part 1: General (revision 3),” NIST,Tech. Rep., 2012.

Po-Wen Chi received his B.S. and M.S. in Elec-trical Engineering from National Taiwan Univer-sity in 2003 and 2005. He is currently a Ph.D.candidate in the Department of Electrical En-gineering at National Taiwan University. His re-search interests include network security, ap-plied cryptography, software-defined networking,and telecommunications.

Chin-Laung Lei received the B.S. degree inElectrical Engineering from the National TaiwanUniversity, Taipei, in 1980 and the Ph.D. degreein computer science from the University of Texasat Austin in 1986. From 1986 to 1988, he wasan assistant professor in the Computer and In-formation Science Department, Ohio State Uni-versity, Columbus. In 1988, he joined the fac-ulty of the Department of Electrical Engineering,National Taiwan University, where he is now aprofessor. He is a cowinner of the first IEEE LICS

test-of-time award, and has published more than 250 technical articlesin scientific journals and conference proceedings. His current researchinterests include network security, cloud computing, and multimediaQoE management.

IEEE Transactions on Cloud Computing VOL. XX, NO. 1, 2015


Top Related