Constant Decryption-Cost Non-monotonic Ciphertext Policy Attribute-Based Encryption with Reduced Secret Key Size (and Dynamic Attributes)

Abstract

Attribute-based encryption, especially ciphertext policy attribute based encryption (CP-ABE), is a standard method for achieving access control using cryptography. The access control policy is determined by access structure in a CP-ABE scheme. If negative permission is required in the access control model, which is a quite common setting, then non-monotonic access structures must be allowed in the CP-ABE scheme.

In 2011, Chen et al. proposed a CP-ABE scheme with non-monotonic access structures that has constant decryption cost. However, it requires a secret key size linear to the number of total attributes, which is hard to implement when the resources are limited for both computation and storage. In this paper, we improve this scheme to get a CP-ABE scheme where access structure is non-monotonic AND-gate, while the secret key size is only linear to the number of attributes held by a user, without increasing the decryption cost. This scheme will be useful if the total attributes are much more than attributes for each user. Our scheme is provably secure for selective CPA-security under the decision n-BDHE assumption. We also show that our scheme can be naturally extended to supporting attribute addition and revocation, where the attribute set of each user can be updated dynamically, without any complicated proxy re-encryption or decryption procedure.

A Security for Our Dynamic Scheme

We shall give the security proof sketch for our dynamic scheme under generic group model. Since the challenged ciphertext \(C=M_\mu (\prod _{i\in X}H_i)^\kappa \), \(\mu \in \{0,1\}\), it suffices to show that given all information in the d-CPA-CP-ABE game for Adv, \((\prod _{i\in X}H_i)^\kappa \) is uniformly random under Adv’s view.

We first list all elements of \(\mathbb {G}\) and \(\mathbb {G}_T\) that Adv can get from the game, and then analyse the elements Adv can get from the oracles assumed by the generic group model. In the d-CPA-CP-ABE game, Adv is provided with (for each w at version number ver, we distinguish it among others by \(w_{ver}\)):

In \(\mathbb {G}\): \(a_1,...,a_n,b_1,...,b_n,w_1,...,w_{ver^*}\),

\(\{(v)_k,(p_1)_k,...,(p_n)_k,(t_1)_k,...,(t_{ver^*})_k|(v)_k... \text{ is } v,... \text{ in } \text{ the } k\text{-th } \text{ query }\}\),

\(k,u,\{z_i|i\in Z\}\).

In \(\mathbb {G}_T\): \(H_1,...,H_n\).

We can write each element by its exponent. For the given generator g of \(\mathbb {G}\), we write an element in \(\mathbb {G}\), \(g^i\) by i, and an element in \(\mathbb {G}_T\), \(e(g,g)^j\) by j. We need to include some new variables. We suppose that \(h_i=g^{\sigma _i}\), so \(H_i=e(g,g)^{\sigma _i}\). Also we suppose that \((v)_k=g^{\upsilon _k}\).

Then, we write the elements Adv can get by:

In \(\mathbb {G}\): 1, \(\alpha _1,...,\alpha _n,\beta _1,...,\beta _n,\omega _1,...,\omega _{ver^*}\),

\(\{\upsilon _k,\{\sigma _i-\upsilon _k(\alpha _i+\beta _i)|i=1,...,n\},\{\upsilon _k(\sum _{i\in S_j}\beta _i-\omega _j)|j=1,...,ver^*\}|k=1,...,s\}\), s is the number of total private key queries,

\(\kappa ,\kappa (\omega _{ver^*}+\sum _{i\in X}\alpha _i),\{\kappa \beta _i|i\in Z\}\).

In \(\mathbb {G}_T\): \(\sigma _1,...,\sigma _n\). Also the required \((\prod _{i\in X}H_i)^\kappa \) could be written by \(\kappa \sum _{i\in X}\sigma _i\).

The only restriction on them is that either \(X\not \subseteq S_{ver^*}\) or \(Y\cap S_{ver^*}\ne \emptyset \).

There are two kinds of oracles in the generic group model: one can call the mapping oracle e which maps two elements a, b in \(\mathbb {G}\) into element ab in \(\mathbb {G}_T\), and the group operation oracle which maps two elements a, b in \(\mathbb {G}\) (or \(\mathbb {G}_T)\) into an element \(a+b\) in \(\mathbb {G}\) (or \(\mathbb {G}_T\), respectively). We show that it is unable for Adv to get \(\kappa \sum _{i\in X}\sigma _i\) by these oracles. Without loss of generality, we assume that the mapping oracle is always called between two elements which Adv gotten from the game.

For each \(i\in X\), in order to get the term \(\kappa \sigma _i\), Adv must at least call the mapping oracle once with two elements, one has the term \(\kappa \) and the other has the term \(\sigma _i\). The only element contains term \(\kappa \) is \(\kappa \) itself, and the element contains the term \(\sigma _i\) is \(\sigma _i-\upsilon _k(\alpha _i+\beta _i)\) for any k. Then, Adv must further get the term \(\kappa \upsilon _k\alpha _i\) and \(\kappa \upsilon _k\beta _i\) from other mapping oracle calls. The former can only be get from \((\kappa (\omega _{ver^*}+\sum _{i\in X}\alpha _i),\upsilon _k)\), while the latter can only be get from \((\kappa ,\upsilon _k(\sum _{i\in S_j}\beta _i-\omega _j))\) for some j. Here, j must be equal to \(ver^*\), or there is no way for Adv to get rid of the term \(\kappa \upsilon _k\omega _j\).

Note that although Adv can the term \(\kappa \sigma _i\) for each \(i\in X\) from \((\kappa ,\sigma _i-\upsilon _k(\alpha _i+\beta _i))\) with different ks, but the additional terms in \((\kappa (\omega _{ver^*}+\sum _{i\in X}\alpha _i),\upsilon _k)\) requires that all k to be same.

We sum up all the oracle calls Adv must make, and get:

$$\begin{aligned}&\sum _{i\in X}\kappa (\sigma _i-\upsilon _k(\alpha _i+\beta _i))+\kappa \upsilon _k(\omega _{ver^*}+\sum _{i\in X}\alpha _i)+\kappa \upsilon _k(\sum _{i\in S_{ver^*}}\beta _i-\omega _{ver^*})\\ {}&\quad =\sum _{i\in X}\kappa \sigma _i+\sum _{i\in S_{ver^*}-X}\kappa \upsilon _k\beta _i-\sum _{i\in X-S_{ver^*}}\kappa \upsilon _k\beta _i. \end{aligned}$$

The additional term of \(\kappa \upsilon _k\beta _i\) must be gotten from mapping queries different from those above, which means that only from \((\kappa \beta _i,\upsilon _k)\) where \(i\in Z\). So we must have that \((S_{ver^*}-X)\cup (X-S_{ver^*})\subseteq Z\). But \(X\cap Z=\emptyset \), so we must have \(X-S_{ver^*}=\emptyset \), which means \(S_{ver^*}\subseteq X\). Also, \(Y\cap Z=\emptyset \), so \((S_{ver^*}-X)\cap Y=\emptyset \). But \(X\cap Y=\emptyset \), so \(S_{ver^*}\cap Y=\emptyset \). This contradicts with our requirement for \(S_{ver^*}\).

The only chance for Adv to get the hidden elements, is that there happen to be two same elements in two different oracle calls. Suppose that the number of total oracle calls is q, so the advantage for Adv cannot be greater than \(O(q^2/p)\).