文件共享系统中属性可添加;撤销的属性基加密方案（可编辑）

文件共享系统中属性可添加;撤销的属性基加密（可编辑） 文件共享系统中属性可添加;撤销的属性基加密方案 中国 科 技 论 文 在 线////0>. An Efficient Ciphertext-Policy Attribute-Based Encryption Scheme with Attribute Adjunction/Revocation in Data # 5 Sharing System* Li Hui, Guo Lijun State Key Lab of ISN, Xidian University Abstract: Cloud computing is a computing paradigm which can provide data storage and computing resources. But security and privacy issues have risen for its adoption. This paper presents an efficient, 10 flexible, and fine-grained scheme at the scenario of the ciphertext-policy attribute-based encryption CP-ABE. This proposed scheme not only reduces the length of secret keys and ciphertexts, but also ensures the security of backward and forward secrecy by adding the replacement of the random parameters in attribute adjunction/revocation process. Therefore, the efficiency of key generation, encryption, and decryption in our scheme is higher than the existed CP-ABE scheme’s. As more and 15 more businesses will be moved into the cloud, the paper presents a data sharing system based on the proposed scheme, along with the security analysis and preliminary efficiency analysis about the proposed scheme. Key words: Cryptography; Attribute-Based Encryption; Cloud Computing; Attribute Adjunction; Attribute Revocation; Data sharing20 0 Introduction Cloud computing is an emerging paradigm which involves large-scale, distributed computations on data from multiple sources. It is widely supported and applied with saving a lot of cost. Cloud storage as a part of the cloud computing is more and more referred. It provides 25 users with online data storage service by working together with varieties of different types of storage devices. Computation service can provide abundant computation power for users. The users can save their investments significantly by moving their businesses into the cloud. Cloud computing paradigms such as service outsourcing offer attractive financial and technological advantage. We can move data files into the cloud to achieve the data sharing. For example, in 30 electronic health record system EHR system, we can deploy EHR system in cloud computing platform for its cost-effective services to realize the data sharing [1]. But it also brings forth many new challenges for data security, access control and attribute adjunction/revocation when users outsource their EHRs on cloud servers To solve the above requirements, we require data files encryption in cloud-based data sharing 35 systems. Standard encryptions are not well suited for data sharing systems. Symmetric-Key Encryption introduces complexity as additional mechanisms are required to apply access controlIn particular, all users use one shared key for encryption and decryption for one file. If the shared keys are compromised, all data files are compromised. Public-Key Encryption introduces a high complexity on key management system for distributing and managing public keys. CP-ABE is a 40 novel cryptographic approach in which each user’s key is labeled with a set of attributes and the ciphertext is associated with an access policy. A user can decrypt a ciphertext if and only if the attribute set satisfies the access policy. Bethencourt et al. [2] designed an secure CP-ABE systemIn [2], the existing attribute revocation method is associating expiration time attributes to user Foundations: Doctoral Fund of Ministry of Education of ChinaNo.202 Brief author introduction:Hui Li, received B.Sc. degree from Fudan University in 1990, M.Sc. and Ph.D. degrees from xidian University in 1993 and 1998. In 2009, he was with Department of ECE, University of Waterloo as a visiting scholar. He has been the director of International Affairs Office, the dean in the school of International Education, and the professor in the school of Telecommunications Engineering, Xidian University, China. E-mail: lihui@//. - 1 - 中国 科 技 论 文 在 线////. secret keys. However, this type of solutions requires interaction between users and the trust 45 authority TA, and is not able to efficiently revoke user attributes on the fly. The paper [3] introduced an attribute revocation method, but it cannot ensure the security of backward and forward secrecy. In addition, the schemes only involve the attribute revocation, but don’t mention the attribute adjunctionTo solve the above problems, we propose an efficient modified CP-ABE EM-ABE which is 50 more appropriate for attribute adjunction/revocation. It increases the efficiency of the existed scheme, and solves the problem of attribute adjunction/revocation. Moreover, we can ensure the backward and forward secrecy because we replace the random parameters in attribute adjunction/revocation process. Finally, we detail an application in data sharing systems, and analyze security and efficiency of our proposed scheme55 1 Related WorkSahai and Waters [4] introduced attribute-based encryption ABE for encrypted access control. Goyal et al. [5] introduced the idea of a key-policy attribute-based encryption KP-ABE system. Bethencourt et al. [2] proposed the first ciphertext-policy attribute-based encryption CP-ABE construction, which is close to the real access control system. In CP-ABE, the attributes 60 are used to describe a user’s credential, and the data owner determines a policy under which users can decrypt the data. The data owner may not know the exact identities of all other people who should be able to access the data. A user whose attributes satisfies the access policy can decrypt the ciphertext Many scholars study how CP-ABE algorithm is applied to the ciphertext access control 65 because of its advantages. In these schemes, user managements, user adjunction /revocation in particular, are extremely hard to realize. The issue of attribute revocation in CP-ABE was first addressed in [6] as a rough idea. The paper appends to each of the identities or descriptive attributes an expiration date. This idea requires the user to periodically go to the TA for key reissuing. The rules of decryption are built into the encryption algorithm, and it can reduce the 70 frequent key issuing costs. The paper [7] proposed attribute-based proxy re-encryption by translating one access control encryption into another one to achieve the revocation. But the revocation of this scheme aims at the attribute sets, which are the users who have the same attribute sets. The paper [3] introduced the scheme for attribute revocation with honest-but-curious servers, and the data owner given parts of the work to cloud service provider CSP. But this 75 scheme only supports the “and” threshold, without providing the flexible access control. Our scheme aims at the disadvantages of [3], and provides a variety of threshold gates access control policy besides “and” threshold. Moreover, [3] didn’t involve the replacement of the random parameters in attribute revocation, and was difficult to ensure the backward and forward secrecy[3] had a user list UL which can achieve temporary forward secrecy a revoked user cannot update 80 secret keys, but it is possible for a revoked user to obtain the updated ciphertext. Due to the fact rs that the revoked user has recovered eg, g before he was revoked and stored it, it will help to rs eg, g decrypt the current ciphertext, because is not changed. We add the update of the random parameters in our scheme, and it can guarantee forward secrecy. In practical application, it is important to gunrantee the backward secrecy, such as in the transaction between enterprises and 85 enterprises. Backwards secrecy means the new user cannot decrypt the previous data encrypted before he joins. [3]’s scheme didn’t involve itWe take some measures in attribute adjunction to realize backward secrecyThe rest of this paper is organized as follows. Section 2 reviews some technique preliminaries - 2 - 中国 科 技 论 文 在 线////. pertaining to our construction. In Section 3, we describe our proposed scheme which is more 90 efficient than the existed CP-ABE scheme. Section 4 presents our application in data sharing systems. We then present the security and efficiency analysis comparing to the existed CP-ABE scheme in Section 5. We conclude this paper in Section 6 2 Preliminaries 2.1 Bilinear Maps 95 The bilinear map constructs a relationship between two cryptographic groups in attribute-based encryption. Let G and G be two multiplicative cyclic groups with the same 0 1 p g prime order is a generator of G and a bilinear map e : GG G with the 0 0 0 1 following properties: * a b ab a Bilinearity: for all u,v ?G and a,b ?Z , we have eu ,v eu,v 0 p 100 b Non-degeneracy: eg, g ?1eu,v u,v ?G c Computability: is efficiently computable for 0 2.2 Complexity Assumptions Decisional Bilinear Diffie-Hellman DBDH Assumption : The challenger randomly g a,b,c, zZ G chooses and which is a generator ofThe DBDH assumption states that no p 0 a b c abc 105 probabilistic polynomial-time algorithm B can distinguish the tupleAg , Bg ,Cg ,eg, g a b c z from the tuple with non-negligible advantageAg , Bg ,Cg ,eg, g 2.3 Ciphertext-Policy Attribute-Based Encryption CP-ABE CP-ABE is a public key cryptography primitive for one-to-many communications. In CP-ABE, a user’s private key will be associated with a set of attributes expressed as strings. When 110 a party encrypts a message, they specify an associated access structure over attributes. If a user’s attributes pass through the ciphertext’s access structures, the user will be able to decrypt the corresponding ciphertext. A CP-ABE scheme is composed of four algorithms which can be defined as follows: Setup: generates a public key and a master key 115 KeyGen: generates a private key with a given set of attributesEncryption: encrypts a file according to a policy, which is an expression in terms of attributesDecryption: decrypts a file using a private key2.4 Proxy Re-Encryption PRE 120 Blaze et al. [8] proposed a cryptographic primitive in which a semi-trustable proxy is able to convert a ciphertext encrypted under Alice’s public key into another ciphertext that can be opened by Bob’s private key without seeing the underlying plaintext. A PRE scheme allows the proxy, rk pk given the proxy re-encryption key , to translate ciphertexts under public key into aba ciphertexts under public key pk and vise versa. Please refer to [8] for more details on proxy b 125 re-encryption schemes- 3 - 中国 科 技 论 文 在 线////. 2.5 Lazy Re-Encryption In ciphertext access process, the operation of user revocation causes an issue that it inevitably requires the data owner to re-encrypt all the data files accessible to the leaving user, or even needs the data owner to stay online to update secret keys for user. They will introduce heavy 130 computation overhead and cumbersome online burden. The cloud servers are able to “aggregate” multiple update/re-encryption operations into one if there is no access request occurring across multiple successive user revocation events3 Our Proposed SchemeOur scheme is an efficiently modified attribute-based encryption EM-ABE, consisting of 135 eight algorithms: EMSetup, EMEncrypt, EMKeyGen, EMDecrypt, MinimalSet, ProxyKeyGen, UpdateSK, UpdateFile. Some of these steps are similar to [9]’s. The last four algorithms used for ver attribute adjunction/revocation. Note that, we define a system version informationindicating the evolution of the system master key as follows: initially it is set to 1; when an attribute revocation event occurs, it increases by 1. The public key, ciphertexts, user secret keys, 140 and proxy re-encryption PRE keys are all tagged with the version information indicating which version of system master key they comply with. In attribute adjunction, it doesn’t involve the change of version information. The TA should use the latest components in master key to generate the user’s secret key. We define one secret attribute SA for the purpose of key managementEvery user’s attribute set include SA in addition to his meaningful attributes. The SA will never be 145 updated which can guarantee that the cloud servers cannot obtain the whole secret key components of a user. The cloud servers don’t access the file contents without attributes satisfying the access policy. We describe the four fundamental algorithms as follows:EMSetup. The setup algorithm takes as input a security parameterIt chooses a bilinear k p G e : GG G group of prime order with a generator g, and a bilinear map 0 0 0 1 150 tZUn ?1,2, ?, The attribute universe isIt choosesfor attributei , 1??in , ip? Z and a random exponentThe public key PK as well as a system master key MK is p n nt i PKG , e, g, eg, g , Tg MK?, ?tas following: While PK is publicly 0 ii i ?1 i ?1 known to all the parties in the system, MK is kept as a secret by the Trusted Authority TA 155EMKeyGen. The key generation algorithm takes as input a set of attributes S and outputs a * rZsecret key corresponding to S. It firstly chooses a random numberThen, it p ?1 rtr icomputes the key as: SKDg ,i ?S : Dg . iEMEncryptThe encryption takes as input a access control tree , a message , and T M the public keyIt outputs a ciphertext as follows. First, it defines a random PK 160 q x polynomial for each node of in the top-down manner starting from the root T x x r d k nodeThe degree of the node is one less than the threshold value of that x x dk??1 rqs 0node, that isFor the root node , , which is a random number of xx r x q 0q indexx Z parent xFor each non-root node , wherep x parent x index x represents xs ' parent and is xs ' unique index given by its parentis Y 165 the set of leaf nodes inThe ciphertext is then constructed by giving the tree access T ~ q 0 ?ss y structure and compute: CTT,CM ?eg, g ,Cg ,y ?Y : CT T yy EMDecrypt. The decryption algorithm takes as the ciphertext CT, the user’s secret key SK, and the public key PK. We first determine whether the set of attributes satisfies the access x iatt x structure inIf the node is a leaf node, we denote , and compute T CT - 4 - 中国 科 技 论 文 在 线////.1 tq 0 r t rq0 170 x i x ieg, g , ifiS. Otherwise, DecryptNode ?CT,, SK x Then, it eC , D eg , g ii aggregates these pairing results in the bottom-up manner using the polynomial rs interpolation technique. Finally, it may recover the blind factor Aeg, gThe ~ algorithm now decrypts by computing C/ ?eC, DAM In addition to the above fundamental algorithms, we add other four algorithms to realize 175 attribute adjunction /revocation. In attribute adjunction, we use the latest master key components to generate secret keys to ensure backward secrecy, while we use new random numbers to ensure the forward secrecy in attribute revocation process. We describe the four fundamental operations used as follows: MinimalSet. The algorithm determines a minimal set of attributes without changing which the 180 revoked user cannot decrypt the ciphertext even if his set of attributes satisfies the access control tree of the ciphertext. The minimal set can be obtained as follows:a construct the conjunctive normal form CNF of the tree access structureb select the shortest clause P of the CNF formula except the SA, and compute min MinimalSetPS \ SA min 185ProxyKeyGen. This algorithm outputs proxy re-encryption keys of attributes, each leaf node and symmetric key for the data file between the old version and the new version. The TA do the following operations: ' ' a randomly pick while attribute i ?MinimalSet , compute , and tZrkt / t ' ip ii iiadd rk to attribute history list AHL' ii' ' 190 b randomly pick sZfor the root node and generate q 0 for each leaf node yY p y ' ' in the method of generating q 0 , compute ,rk s s rkq 0 / q 0 ' y ' yy ss 00 yy for each leaf node yY, and add rk , rk to leaf node history list ' ' ss 00 yy LNHL ' ' c randomly pick k in key space for the data file, compute rkk / k , and send it ' ff f kkff 195 to key history list KHL? UpdateSK. This algorithm translates the secret key component of attribute in MinimalSet i from an old version into the latest version. Then it multiplies all the PRE keys between the old version and the latest and obtains a single PRE key. It avoids the update of secret keys every time the attribute revocation happens200 a If has the latest version, exiti t rk rk rk ?rk b Assume the latest definition of i is , and compute n n ' ' '' n ?1 n i i ?i i ?i i ?i i ?i ?tt / n i i rk n c compute iiDD ,SK D nn ?iti n i i i ?MinimalSetUpdateFile. This algorithm translates the ciphertext from an old version into the latest version205 Its implementation is similar to UpdateSK n n a Assume the latest definition of s and k are s and k respectively, and compute f f n , rkrkrk rkss n ' ' '' n ?1 n s ?s s ?s s ?s s ?s n , rkrk ?rk ?rkk / k n ' ' '' n ?1 n ff kk kk k k k k f f f f f f f f - 5 - private key Outsource encrypted data 中国 科 技 论 文 在 线////. n rkrk ?rk ?rkq 0 / q 0 n ' ' '' n ?1 n yy q 0 ?q 0 q 0 ?q 0 q 0 ?q 0 q 0 ?q 0 y y y y y y y y ~ ~ rk n rk n n ss nss210 b compute , C C g Crk ?C ?eg, g n kkf f rk n 00 n yy c For each i ?MinimalSet , if i has the latest version, computeCC ? yy ?1 rk ? rk nn 00 ii n yy Otherwise, compute CC ? yy 4 Application in Data Sharing System The proposed scheme has much potential in providing data security in distributed 215 environment. It can address the problems in cloud computing, for example, audit log, targeted broadcast, and data sharing systems. We particularly focus on data sharing systems In data sharing systems, the data owners store their files in the cloud, which can be assessed by multiple users. The data owner generates the access policy, and encrypts files using EM-ABEThe access policies are generated wi