文件共享系统中属性可添加;撤销的属性基加密
(可编辑)
文件共享系统中属性可添加;撤销的属性基加密方案
中国 科 技 论 文 在 线////0>.
An Efficient Ciphertext-Policy Attribute-Based Encryption
Scheme with Attribute Adjunction/Revocation in Data
#
5 Sharing System*
Li Hui, Guo Lijun
State Key Lab of ISN, Xidian University
Abstract: Cloud computing is a computing paradigm which can provide data storage and computing
resources. But security and privacy issues have risen for its adoption. This paper presents an efficient,
10 flexible, and fine-grained scheme at the scenario of the ciphertext-policy attribute-based encryption
CP-ABE. This proposed scheme not only reduces the length of secret keys and ciphertexts, but also
ensures the security of backward and forward secrecy by adding the replacement of the random
parameters in attribute adjunction/revocation process. Therefore, the efficiency of key generation,
encryption, and decryption in our scheme is higher than the existed CP-ABE scheme’s. As more and
15 more businesses will be moved into the cloud, the paper presents a data sharing system based on the
proposed scheme, along with the security analysis and preliminary efficiency analysis about the
proposed scheme.
Key words: Cryptography; Attribute-Based Encryption; Cloud Computing; Attribute Adjunction;
Attribute Revocation; Data sharing20
0 Introduction
Cloud computing is an emerging paradigm which involves large-scale, distributed
computations on data from multiple sources. It is widely supported and applied with saving a lot
of cost. Cloud storage as a part of the cloud computing is more and more referred. It provides
25 users with online data storage service by working together with varieties of different types of
storage devices. Computation service can provide abundant computation power for users. The
users can save their investments significantly by moving their
businesses into the cloud. Cloud
computing paradigms such as service outsourcing offer attractive financial and technological
advantage. We can move data files into the cloud to achieve the data sharing. For example, in
30 electronic health record system EHR system, we can deploy EHR system in cloud computing
platform for its cost-effective services to realize the data sharing [1]. But it also brings forth many
new challenges for data security, access control and attribute adjunction/revocation when users
outsource their EHRs on cloud servers
To solve the above requirements, we require data files encryption in cloud-based data sharing
35 systems. Standard encryptions are not well suited for data sharing systems. Symmetric-Key
Encryption introduces complexity as additional mechanisms are required to apply access controlIn particular, all users use one shared key for encryption and decryption for one file. If the shared
keys are compromised, all data files are compromised. Public-Key Encryption introduces a high
complexity on key management system for distributing and managing
public keys. CP-ABE is a
40 novel cryptographic approach in which each user’s key is labeled with a set of attributes and the
ciphertext is associated with an access policy. A user can decrypt a ciphertext if and only if the
attribute set satisfies the access policy. Bethencourt et al. [2] designed an secure CP-ABE systemIn [2], the existing attribute revocation method is associating expiration time attributes to user
Foundations: Doctoral Fund of Ministry of Education of ChinaNo.202
Brief author introduction:Hui Li, received B.Sc. degree from Fudan University in 1990, M.Sc. and Ph.D. degrees
from xidian University in 1993 and 1998. In 2009, he was with Department of ECE, University of Waterloo as a
visiting scholar. He has been the director of International Affairs Office, the dean in the school of International
Education, and the professor in the school of Telecommunications Engineering, Xidian University, China. E-mail:
lihui@//.
- 1 - 中国 科 技 论 文 在 线////.
secret keys. However, this type of solutions requires interaction between users and the trust
45 authority TA, and is not able to efficiently revoke user attributes
on the fly. The paper [3]
introduced an attribute revocation method, but it cannot ensure the security of backward and
forward secrecy. In addition, the schemes only involve the attribute revocation, but don’t mention
the attribute adjunctionTo solve the above problems, we propose an efficient modified CP-ABE EM-ABE which is
50 more appropriate for attribute adjunction/revocation. It increases the efficiency of the existed
scheme, and solves the problem of attribute adjunction/revocation. Moreover, we can ensure the
backward and forward secrecy because we replace the random parameters in attribute
adjunction/revocation process. Finally, we detail an application in data sharing systems, and
analyze security and efficiency of our proposed scheme55 1 Related WorkSahai and Waters [4] introduced attribute-based encryption ABE for encrypted access
control. Goyal et al. [5] introduced the idea of a key-policy attribute-based encryption KP-ABE
system. Bethencourt et al. [2] proposed the first ciphertext-policy attribute-based encryption
CP-ABE construction, which is close to the real access control system. In CP-ABE, the attributes
60 are used to describe a user’s credential, and the data owner determines a policy under which users
can decrypt the data. The data owner may not know the exact identities of all other people who
should be able to access the data. A user whose attributes satisfies the access policy can decrypt
the ciphertext
Many scholars study how CP-ABE algorithm is applied to the ciphertext access control
65
because of its advantages. In these schemes, user managements, user adjunction /revocation in
particular, are extremely hard to realize. The issue of attribute revocation in CP-ABE was first
addressed in [6] as a rough idea. The paper appends to each of the identities or descriptive
attributes an expiration date. This idea requires the user to periodically go to the TA for key
reissuing. The rules of decryption are built into the encryption algorithm, and it can reduce the
70
frequent key issuing costs. The paper [7] proposed attribute-based proxy re-encryption by
translating one access control encryption into another one to achieve the revocation. But the
revocation of this scheme aims at the attribute sets, which are the users who have the same
attribute sets. The paper [3] introduced the scheme for attribute revocation with honest-but-curious
servers, and the data owner given parts of the work to cloud service provider CSP. But this
75
scheme only supports the “and” threshold, without providing the flexible access control. Our
scheme aims at the disadvantages of [3], and provides a variety of threshold gates access control
policy besides “and” threshold. Moreover, [3] didn’t involve the replacement of the random
parameters in attribute revocation, and was difficult to ensure the backward and forward secrecy[3] had a user list UL which can achieve temporary forward secrecy a revoked user cannot update
80
secret keys, but it is possible for a revoked user to obtain the updated ciphertext. Due to the fact
rs
that the revoked user has recovered eg, g before he was revoked and stored it, it will help to
rs
eg, g
decrypt the current ciphertext, because is not changed. We add the update of the
random parameters in our scheme, and it can guarantee forward secrecy. In practical application, it
is important to gunrantee the backward secrecy, such as in the transaction between enterprises and
85
enterprises. Backwards secrecy means the new user cannot decrypt the previous data encrypted
before he joins. [3]’s scheme didn’t involve itWe take some measures in attribute adjunction to
realize backward secrecyThe rest of this paper is organized as follows. Section 2 reviews some technique preliminaries
- 2 - 中国 科 技 论 文 在 线////.
pertaining to our construction. In Section 3, we describe our proposed
scheme which is more
90 efficient than the existed CP-ABE scheme. Section 4 presents our application in data sharing
systems. We then present the security and efficiency analysis comparing to the existed CP-ABE
scheme in Section 5. We conclude this paper in Section 6
2 Preliminaries
2.1 Bilinear Maps
95
The bilinear map constructs a relationship between two cryptographic groups in
attribute-based encryption. Let G and G be two multiplicative cyclic groups with the same
0 1
p g
prime order is a generator of G and a bilinear map e : GG G with the
0 0 0 1
following properties:
* a b ab
a Bilinearity: for all u,v ?G and a,b ?Z , we have
eu ,v eu,v
0 p
100
b Non-degeneracy: eg, g ?1eu,v u,v ?G
c Computability: is efficiently computable for
0
2.2 Complexity Assumptions
Decisional Bilinear Diffie-Hellman DBDH Assumption : The challenger randomly
g
a,b,c, zZ G
chooses and which is a generator ofThe DBDH assumption states that no
p 0
a b c abc
105
probabilistic polynomial-time algorithm B can distinguish the tupleAg , Bg ,Cg ,eg, g
a b c z
from the tuple with non-negligible advantageAg , Bg ,Cg ,eg, g
2.3 Ciphertext-Policy Attribute-Based Encryption CP-ABE
CP-ABE is a public key cryptography primitive for one-to-many communications. In
CP-ABE, a user’s private key will be associated with a set of
attributes expressed as strings. When
110
a party encrypts a message, they specify an associated access structure over attributes. If a user’s
attributes pass through the ciphertext’s access structures, the user will be able to decrypt the
corresponding ciphertext. A CP-ABE scheme is composed of four algorithms which can be
defined as follows:
Setup: generates a public key and a master key
115
KeyGen: generates a private key with a given set of
attributesEncryption: encrypts a file according to a policy, which is an expression in terms of
attributesDecryption: decrypts a file using a private key2.4 Proxy Re-Encryption PRE
120
Blaze et al. [8] proposed a cryptographic primitive in which a semi-trustable proxy is able to
convert a ciphertext encrypted under Alice’s public key into another ciphertext that can be opened
by Bob’s private key without seeing the underlying plaintext. A PRE
scheme allows the proxy,
rk pk
given the proxy re-encryption key , to translate ciphertexts under public key into
aba
ciphertexts under public key pk and vise versa. Please refer to [8] for more details on proxy
b
125
re-encryption schemes- 3 - 中国 科 技 论 文 在 线////.
2.5 Lazy Re-Encryption
In ciphertext access process, the operation of user revocation causes an issue that it inevitably
requires the data owner to re-encrypt all the data files accessible to the leaving user, or even needs
the data owner to stay online to update secret keys for user. They will introduce heavy
130
computation overhead and cumbersome online burden. The cloud servers are able to “aggregate”
multiple update/re-encryption operations into one if there is no access request occurring across
multiple successive user revocation events3 Our Proposed SchemeOur scheme is an efficiently modified attribute-based encryption EM-ABE, consisting of
135
eight algorithms: EMSetup, EMEncrypt, EMKeyGen, EMDecrypt, MinimalSet, ProxyKeyGen,
UpdateSK, UpdateFile. Some of these steps are similar to [9]’s. The last four algorithms used for
ver
attribute adjunction/revocation. Note that, we define a system version informationindicating the evolution of the system master key as follows: initially it is set to 1; when an
attribute revocation event occurs, it increases by 1. The public key, ciphertexts, user secret keys,
140
and proxy re-encryption PRE keys are all tagged with the version information indicating which
version of system master key they comply with. In attribute adjunction, it doesn’t involve the
change of version information. The TA should use the latest components in master key to generate
the user’s secret key. We define one secret attribute SA for the
purpose of key managementEvery user’s attribute set include SA in addition to his meaningful attributes. The SA will never be
145
updated which can guarantee that the cloud servers cannot obtain the whole secret key
components of a user. The cloud servers don’t access the file
contents without attributes satisfying
the access policy. We describe the four fundamental algorithms as follows:EMSetup. The setup algorithm takes as input a security parameterIt chooses a bilinear k
p
G e : GG G
group of prime order with a generator g, and a bilinear map
0 0 0 1
150
tZUn ?1,2, ?,
The attribute universe isIt choosesfor attributei , 1??in ,
ip? Z
and a random exponentThe public key PK as well as a system master key MK is
p
n
nt
i
PKG , e, g, eg, g , Tg MK?, ?tas following: While PK is publicly 0 ii
i ?1
i ?1
known to all the parties in the system, MK is kept as a secret by the Trusted Authority
TA
155EMKeyGen. The key generation algorithm takes as input a set of attributes S and outputs a
*
rZsecret key corresponding to S. It firstly chooses a random numberThen, it
p
?1
rtr
icomputes the key as: SKDg ,i ?S : Dg .
iEMEncryptThe encryption takes as input a access control tree , a message , and
T M
the public keyIt outputs a ciphertext as follows. First, it defines
a random
PK
160
q x
polynomial for each node of in the top-down manner starting from the root
T
x
x
r d k
nodeThe degree of the node is one less than the threshold value of that
x x
dk??1 rqs 0node, that isFor the root node , , which is a random number of
xx r
x q 0q indexx
Z parent xFor each non-root node , wherep x parent x
index x
represents xs ' parent and is xs ' unique index given by its parentis
Y
165
the set of leaf nodes inThe ciphertext is then constructed by giving
the tree access
T
~
q 0
?ss y
structure and compute: CTT,CM ?eg, g ,Cg ,y ?Y : CT T yy
EMDecrypt. The decryption algorithm takes as the ciphertext CT, the
user’s secret key SK,
and the public key PK. We first determine whether the set of attributes
satisfies the access
x iatt x
structure inIf the node is a leaf node, we denote , and compute T CT
- 4 - 中国 科 技 论 文 在 线////.1
tq 0 r t rq0
170 x
i x ieg, g , ifiS. Otherwise, DecryptNode ?CT,, SK x Then, it eC , D eg , g
ii
aggregates these pairing results in the bottom-up manner using the
polynomial
rs
interpolation technique. Finally, it may recover the blind factor Aeg, gThe
~
algorithm now decrypts by computing
C/ ?eC, DAM
In addition to the above fundamental algorithms, we add other four algorithms to realize
175
attribute adjunction /revocation. In attribute adjunction, we use the latest master key components
to generate secret keys to ensure backward secrecy, while we use new random numbers to ensure
the forward secrecy in attribute revocation process. We describe the four fundamental operations
used as follows: MinimalSet. The algorithm determines a minimal set of attributes without changing which the
180 revoked user cannot decrypt the ciphertext even if his set of attributes satisfies the access
control tree of the ciphertext. The minimal set can be obtained as follows:a construct the conjunctive normal form CNF of the tree access
structureb select the shortest clause P of the CNF formula except the SA, and compute
min
MinimalSetPS \ SA
min
185ProxyKeyGen. This algorithm outputs proxy re-encryption keys of attributes, each leaf node
and symmetric key for the data file between the old version and the new version. The TA do the
following operations:
' '
a randomly pick while attribute i ?MinimalSet , compute , and
tZrkt / t
'
ip ii
iiadd rk to attribute history list AHL'
ii' '
190 b randomly pick sZfor the root node and generate q 0 for each leaf node yY
p y
'
'
in the method of generating q 0 , compute ,rk s s rkq 0 / q 0 '
y '
yy
ss 00
yy
for each leaf node yY, and add rk , rk to leaf node history list '
'
ss 00
yy
LNHL
' '
c randomly pick k in key space for the data file, compute rkk / k ,
and send it
'
ff
f
kkff
195 to key history list KHL? UpdateSK. This algorithm translates the
secret key component of attribute in MinimalSet
i
from an old version into the latest version. Then it multiplies all the PRE keys between the old
version and the latest and obtains a single PRE key. It avoids the update of secret keys every
time the attribute revocation happens200 a If has the latest version, exiti
t rk rk rk ?rk
b Assume the latest definition of i is , and compute n n ' ' '' n ?1 n
i i ?i i ?i i ?i i ?i
?tt /
n
i
i
rk
n
c compute iiDD ,SK D
nn
?iti n
i
i
i ?MinimalSetUpdateFile. This algorithm translates the ciphertext
from an old version into the latest version205 Its implementation is
similar to UpdateSK n n
a Assume the latest definition of s and k are s and k respectively,
and compute
f f
n
,
rkrkrk rkss
n ' ' '' n ?1 n s ?s s ?s s ?s s ?s n
,
rkrk ?rk ?rkk / k n ' ' '' n ?1 n ff
kk kk k k k k
f f f f f f f f - 5 - private key Outsource encrypted data
中国 科 技 论 文 在 线////. n
rkrk ?rk ?rkq 0 / q 0 n ' ' '' n ?1 n
yy
q 0 ?q 0 q 0 ?q 0 q 0 ?q 0 q 0 ?q 0
y y y y y y y y
~
~
rk
n rk
n n
ss nss210 b compute , C C g
Crk ?C ?eg, g
n
kkf
f
rk
n
00
n yy
c For each i ?MinimalSet , if i has the latest version, computeCC ?
yy
?1
rk ? rk
nn
00 ii n yy
Otherwise, compute
CC ?
yy
4 Application in Data Sharing System
The proposed scheme has much potential in providing data security in distributed
215
environment. It can address the problems in cloud computing, for example, audit log, targeted
broadcast, and data sharing systems. We particularly focus on data sharing systems
In data sharing systems, the data owners store their files in the cloud, which can be assessed
by multiple users. The data owner generates the access policy, and encrypts files using EM-ABEThe access policies are generated wi