Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating



Attribute-Based Encryption (ABE) is a promising new cryptographic technique that guarantees fine-grained access control of outsourced encrypted data in the cloud. With the help of ABE, the majority of security issues in accessing cloud data can be solved. However, a key limitation remains, namely policy updating. Whenever the access policy is updated, a common approach is to have the data owner retrieve the data and re-encrypt it with the new policy before sending the new ciphertext back to the cloud. This straightforward approach leads to heavy computation and communication overhead. Although a number of other approaches have been proposed in this regard, they suffer from two limitations: they support only limited types of policy update or have weak security models. To address these limitations, we propose a novel solution for attribute-based encryption access control systems by introducing a dynamic policy-updating technique, which we call DPU-CP-ABE. The scheme is proved to be adaptively secure in the standard model and can support any type of policy updating. In addition, our scheme can significantly reduce the computation and communication costs of updating ciphertext.



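Attribute-based encryption (ABE) is an emerging cryptographic technique that enables fine-grained access control over encrypted data outsourced to the cloud. With ABE, the main security problems of accessing cloud data can be solved well. However, policy updating remains a key limitation of ABE. When a user needs to update a policy, the usual practice is for the data owner to retrieve the data from the cloud, encrypt it under the new policy and upload it to the cloud again. Clearly, this direct approach imposes heavy computation and communication overhead on the data owner. Other methods have been proposed for this problem, but they have two limitations: (1) they support only limited types of policy update, and (2) their security models are weak. To address these two limitations, we introduce a dynamic policy-updating method (DPU-CP-ABE) and propose a new attribute-based encryption access control mechanism. The scheme supports policy updates of any form, and we prove that it is adaptively secure in the standard model. In addition, our scheme updates a ciphertext without downloading, re-encrypting and uploading it, and so markedly reduces computation and communication overhead.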


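  1. The DPU-CP-ABE scheme we propose supports dynamic policy updating and, to the best of our knowledge, is the first ciphertext-policy attribute-based encryption scheme proven to be adaptively secure in the standard model.

  2. Our policy-updating scheme supports fine-grained access control policies of any form. In previously proposed ciphertext delegation schemes, a policy update could only make the new policy more restrictive than the old one. Moreover, although we outsource the policy-updating work to the cloud server, the update process does not leak any sensitive information to the cloud.

  3. Compared with the conventional update method, which requires downloading, re-encrypting and uploading the ciphertext, the dynamic policy-updating scheme we designed is far more efficient.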




Author information



Corresponding author

Correspondence to Zuobin Ying.


Cite this article

Ying, Z., Li, H., Ma, J. et al. Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating. Sci. China Inf. Sci. 59, 042701 (2016).



  • attribute-based encryption
  • ciphertext-policy
  • dynamic policy updating
  • adaptive secure
  • standard model


  • attribute-based encryption
  • ciphertext policy
  • dynamic policy updating
  • adaptive security
  • standard model