Enhancing Attribute-Based Encryption with Attribute Hierarchy

Abstract

Attribute-based encryption (ABE) has been envisioned as a promising cryptographic primitive for realizing secure and flexible access control. However, ABE is being criticized for its high scheme overhead as extensive pairing operations are usually required. In this paper, we focus on improving the efficiency of ABE by leveraging a previously overlooked fact, i.e., the often-found hierarchical relationships among the attributes that are inherent to many access control scenarios. As the first research effort along this direction, we coin the notion of hierarchical ABE (HABE), which can be viewed as the generalization of traditional ABE in the sense that both definitions are equal when all attributes are independent. We further give a concrete HABE construction considering a tree hierarchy among the attributes, which is provably secure. More importantly, our construction exhibits significant improvements over the traditional ABE when attribute hierarchies exist.

Appendix: Proof of Theorem 1

Proof

Assume that an attacker \(\mathcal{A}\) breaks IND-sAtr-CPA with probability greater than ε within time t by making q _d private key extraction queries. Assume the attributes in universe form n trees. Denote depth of the i-th tree as ℓ _i for 1 ≤ i ≤ n, and let ℓ =  max {ℓ₁, ⋯ , ℓ _n }. We show that using \(\mathcal{A}\), one can construct a ℓ-wBDHI* attacker \(\mathcal{A}'\). Let g be a generator of G ₁ and \(y_i = g^{x^i}\). Suppose that \(\mathcal{A}'\) is given \((g, \hat{e}, G_1, G_2\), h, y ₁, ⋯, y _ℓ, T), where T is either \(\hat{e}(g, g)^{x^{\ell+1}}\) or \(\hat{e}(g, g)^\gamma\) for random γ ∈ Z _p , as an instance of the ℓ-wBDHI* problem. By ε′ and t′, we denote winning probability and running time of \(\mathcal{A}'\), respectively. \(\mathcal{A}\) is first given the attributes relationship trees for the access control system in advance. Then, algorithm \(\mathcal{A}'\) works by interacting with \(\mathcal{A}\) in a selective identity game as follows:

Suppose that \(\mathcal{A}\) outputs challenge attributes \(\textsf{U}^*\). Let \(\mid\textsf{U}^*\mid=\upsilon\) and \(\textsf{U}^*=(\omega^*_{i_1}\), ⋯, \(\omega^*_{i_{\upsilon}}\)) with the depth k ₁, ⋯, k _υ , respectively. The path for ω ^* is defined as \((\omega^*_{i0}, \cdots\), \(\omega^*_{i,k_i-1}\), ω ^*) with depth k _i from the root \(\omega^*_{i0}\) in the i-th tree. Upon receiving the challenge attributes, \(\mathcal{A}'\) sets g ₁ = y ₁, g ₂ = y _ℓ, and u _i  = y _{ℓ − i + 1} for 1 ≤ i ≤ ℓ.

For any \(i \not \in \{i_1, \cdots, i_{\upsilon}\}\), it chooses a _i from \(Z_p^*\) and set \(u_{i}'=g^{a_i}\).

For i ∈ {i ₁, ⋯ , i _υ }, let \(u_i'=g^{a_i}/\Pi_{\delta=1}^{k_i}y^{\omega_{i\delta}^*}_{{\ell-i+1}}\).

para=(g, e, G₁, G₂, g₁, g₂, d, (\(u_i')_{_{1 \leq i\leq n}}\), (u _i )_{1 ≤ i ≤ ℓ}) is given to \(\mathcal{A}\).

\(\mathcal{A}'\) answers \(\mathcal{A}\)’s attributes private key extraction queries as follows. Upon receiving a private key extraction query on \(\textsf{U}\), it constructs an attributes subset Γ from \(\textsf{U}\) such that the attributes in Γ cover attributes in \(\textsf{U}^*\). We also define Γ′ such that \(\Gamma \subseteq \Gamma'\subseteq \textsf{U}\) and |Γ′|=d − 1. Let S = Γ′ ∪ {0}. For each ω ∈ Γ′, a random value μ is chosen and let q(H(ω)) = μ.

Then, the d − 1 degree polynomial function q(z) could be determined from these d − 1 value together with q(0) = x. By using interpolation, for \(\omega \not \in S\), q(H(ω)) = Σ _{ω ∈ Γ′} Δ _ω,S(H(ω)) q(H(ω)) + Δ _0,S (H(ω))q(0). So, the simulator can calculate the private key for ω ∈ S as D _ω  = (d _i0, d _i , \(d_{i,k_i+1}\), ⋯ , \( d_{i\ell_i}\)), where \(d_{i0}\!=\!g_2^{q(H(\omega))}\) \((u'_i\Pi_{j=1}^{k_i}u_{j}^{\omega_{ij}})^{r}\), \(d_i\!=\!g^{r}\), \(d_{i,k_i+1}=\) \(u_{k_i+1}^{r}, \cdots, d_{i\ell_i}=u_{\ell_i}^{r}\) by choosing randomly \(r\in Z_p^*\). Thus, the simulator can calculate the private key D _ω for \(\omega \not \in S\) as follows:

For \((\omega_{j0}, \omega_{j1}, \cdots, \omega_{jt_j})\), if j ∈ {i ₁, ⋯, i _ℓ}, there is at least one 1 ≤ γ ≤ t _j , such that \(\omega_{j\gamma}\neq \omega^*_{j\gamma}\). It chooses \(r_j=\frac{ -\Delta_{0,S}(j\,)x}{a_j}+r'_j\) and outputs the simulated private key as \((g_2^{\Sigma_{i\in \Gamma'} \Delta_{i,S}(j\,) q(j\,)+\frac{-\Delta_{0,S}(j\,)b_{j\gamma}\omega^*_{j\gamma} \omega_{j\gamma}}{\omega^*_{j\gamma}-\omega_{j\gamma}}}\) \(g_1^{(1-\frac{\omega_{j\gamma}}{\omega^*_{j\gamma}})r'_{j}}\) \(g^{b_{j\gamma}\omega_{j\gamma}r_{j}}\) \(\prod_{k\neq \gamma,k=1}^{k_j} (g_1u_{jk})^{r'_{j}}\), \(g_2^{\frac{-\Delta_{0,S}(j\,)\omega^*_{j\gamma}}{\omega^*_{j\gamma}-\omega_{j\gamma}}}g^{r'_{j}}\), \(u_{k_j+1}^{r}\), ⋯, \(u_{\ell_j}^{r})\).

If \(j \not \in \{i_1, \cdots, i_\ell\}\), then let \(r_j=\frac{ -\Delta_{0,S}(j\,)x}{a_j}+r_j'\). Finally, it outputs the simulated private key as \((g_2^{\Sigma_{j\in \Gamma'} \Delta_{j,S}(i) q(j\,)}\) \(g_2^{\frac{-\Delta_{0,S}(j\,)}{a_j}}u_j^{r_j'}\) \(\prod_{\delta=1}^{k_j} (g_1u_{j\delta})^{r_{j\delta}}\), \(g_2^{\frac{-\Delta_{0,S}(j\,)}{a_j}}\) \(g^{r_j'}\), \(u_{k_j+1}^{r}\), ⋯, \(u_{\ell_j}^{r})\).

After these interactions, \(\mathcal{A}\) outputs two messages m ₀, m ₁ and \(\textsf{U}^*\). \(\mathcal{A}'\) picks a random bit b ∈ {0,1} and responds with the ciphertext as \(\mathcal{C}=(Tm_b, y_1, \{y_1^{a_{j}}\}_{1\leq j \leq v})\). The ciphertext is simulated correctly if \(T=e(g,g)^{x^{\ell+1}}\) because let s = x, the ciphertext could be written as \(\mathcal{C}=(m\hat{e}(g_1,g_2)^s\), g ^s, \(\{(u'_{j}\prod_{\delta=1}^{k_{\delta}}u_{\delta}^{\omega^*_{j}})^s\})\) for each \(\omega\in \textsf{U}\). \(\mathcal{A}\) issues more private key queries \(\textsf{U}\), restriction is that \(\textsf{U}\) is not covered by \(\textsf{U}^*\). \(\mathcal{A}'\) responds as before.

This completes the description of algorithm \(\mathcal{A}'\). Finally, \(\mathcal{A}\) outputs guess b′ with advantage ε′. If \(\mathcal{A}'\) does not abort, then, \(\mathcal{A}'\) outputs b′ as the result to the ℓ-wBDHI* problem. Since \(\mathcal{A}\) has an advantage ε in attacking the scheme, from the simulation, we can infer that \(\mathcal{A}'\) can solve the ℓ-wBDHI* problem with advantage ε′ ≈ ε. □