Abstract
CiphertextPolicy AttributeBased Encryption (CPABE) is suitable for data access control on a cloud storage system. In CPABE, the data owner encrypts data under the access structure over attributes and a set of attributes assigned to users is embedded in user’s secret key. A user is able to decrypt if his attributes satisfy the ciphertext’s access structure. In CPABE, processes of user’s attribute revocation and grant are concentrated on the authority and the data owner. In this paper, we propose a ciphertextpolicy attributebased encryption scheme delegating attribute revocation processes to Cloud Server by proxy reencryption. The proposed scheme does not require generations of new secret key when granting attributes to a user and supports any Linear Secret Sharing Schemes (LSSS) access structure. We prove that the proposed scheme is secure against attack by unauthorized users and Cloud Server.
Similar content being viewed by others
Background
Sharing of data on a cloud storage has a risk of information leakage caused by service provider’s abuse. In order to protect data, the data owner encrypts data shared on the cloud storage so that only authorized users can decrypt.
CiphertextPolicy AttributeBased Encryption (CPABE) [1,2] is suitable for data access control in the cloud storage system. The authority manages the attributes in the system. The data owner chooses an access structure and encrypts message under the access structure. The set of attributes assigned to users is embedded in his secret key. A user is able to decrypt a ciphertext if his attributes satisfy the ciphertext’s access structure.
There are user’s attribute revocation and grant in CPABE. In simple processes of user’s attribute revocation, when his attributes are revoked, the data owner reencrypts the shared data so that revoked user cannot decrypt. Then, the authority redistributes new secret keys so that other users can decrypt. In simple processes of user’s attribute grant, the authority generates a new secret key. These simple processes are concentrated on the data owner and the authority.
Some attribute revocable CPABE schemes have been proposed [35]. Yu et al. [3] proposed a scheme combining CPABE with proxy reencryption. The authority can delegate reencryption and secret key update to proxy servers. However, this scheme has a limitation in access policy because it can only express “AND” policy. Hur et al. [4] proposed a scheme using key encryption keys (KEKs). A service provider distributes KEKs to each user. The service provider reencrypts a ciphertext by an attribute group key. Then, he encrypts attribute group key by using KEKs so that authorized user can decrypt. As the number of system users has increases, the number of KEKs also increases and management becomes complicated. Liang et al. [5] proposed a scheme using user information (UI). UI is generated by Revocation Tree and Revocation List. An authorized user can decrypt ciphertexts by using secret key and UI. In this scheme, users whose attributes are revoked lose the access rights to all shared data by attribute revocation processes.
Moreover, in these schemes [35], the authority needs to generate a new key when granting attribute to users.
In this paper, we propose a CPABE scheme delegating attribute revocation processes to Cloud Server by proxy reencryption and meets the following requirements.

1)
Support any Linear Secret Sharing Schemes (LSSS) access structure. In existing schemes, there are following three expression methods of the access structure: tree, vector and matrix.
The schemes using tree (for example the schemes of [1,4]) are not given the security proof under the standard model because they use hash functions for encryption.
The schemes using vector whose elements are combined by AND condition are given the security proof under the standard model (for example the scheme of [3]) but they cannot perform flexible access control because only “AND” can be used for decryption conditions.
By using matrix, for example a LSSS matrix, it is possible to use “AND” and “OR” for decryption conditions, that is, it is possible to perform a finegrained access control and give the security proof under the standard model [2,5]. However, the revocation function is not shown in [2], and the scheme of [5] can revoke the only specified users but cannot revoke the only specified attributes.

2)
Revoke the only specified attribute (attribute level user revocation). In the scheme of [5], users whose attributes are revoked lose the access rights to all shared data. To perform a finegrained access control of shared data, it is desirable to revoke the only specified attributes. The schemes of [3,4] meet this requirement.

3)
Does not require the generation of new secret key when granting attribute to user. In the way that the authority generates a new secret key and sends the key to a user every time it grants attributes to a user, the calculation amount of the authority is large in the case attributes are frequently granted. To avoid focusing the process of user’s attribute grant in the authority, we enable cloud servers to update user’s secret key. As far as we know, there is no scheme that meets this requirement.
We prove that the proposed scheme is secure under the standard model. We define attack model 1 as attack by unauthorized users and attack model 2 as attack by Cloud Server. We prove the proposed scheme is INDCPA secure in the standard model against each attack model.
Methods
Preliminaries
Bilinear Maps
Let G _{1}, G _{2} be two cyclic groups of prime order p. Let P be a generator of G _{1}. A bilinear map is a map e : G _{1} × G _{1} → G _{2} with the following properties:

1)
Bilinearity: for all P, Q ∈ G _{1} and a, b ∈ Z _{ p }, we have e(aP, bQ) → e(P, Q)^{ab}.

2)
Nondegeneracy: e(P, P) ≠ 1.

3)
Computability: There is an efficient algorithm tocompute e(P, Q) for all P, Q ∈ G _{1}.
Linear Secret Sharing Scheme (LSSS)
Definition 1 (Linear Secret Sharing Schemes (LSSS) [2,6]) A secretsharing scheme Π over a set of parties \( \mathcal{P} \) is called linear (over Z _{ p }) if

1)
The shares for each party form a vector over Z _{ p }.

2)
There exists a matrix an M with l rows and n columns called the sharegenerating matrix for Π. For all i = 1, …, l, te i’th row of M we let the function ρ defined the party labeling row i as ρ(i). When we consider the column vector v = (s, r _{2}, …, r _{ n }), where s ∈ Z _{ p } is the secret to be shared, and r _{2}, …, r _{ n } ∈ Z _{ p } are randomly chosen, then Mv is the vector of l shares of the secret s according to Π. The share (Mv)_{ i } belongs to party ρ(i).
Suppose that Π is an LSSS for the access structure \( \mathbb{A} \). Let \( \mathrm{S}\in \mathbb{A} \) be any authorized set, and let I ⊂ {1, 2, …, l}. Then, there exist constants {ω _{ i } ∈ Z _{ p }}_{ i ∈ I } such that, if {λ _{ i }} are valid shares of any secret s according to Π, then \( {\displaystyle \sum_{i\in I}}{\omega}_i{\lambda}_i=s \). Futhermore, there these constants {ω _{ i }} can be found in time polynomial in the size of the sharegenerating matrix M [6].
Decisional Parallel Bilinear DiffieHellman Exponent Assumption
Choose a group G _{1} of prime order p according to the security parameter. Let a, s, b _{1}, …, b _{ q } ∈ Z _{ p } be chosen at random and P ∈ G _{1} be a generator of G _{1}. If an adversary is given \( \overrightarrow{y}= \)
it must remain hard to distinguish \( e{\left(P,P\right)}^{a^{q+1}}\in {G}_2 \) from a random element in R ∈ G _{2}.
An algorithm \( \mathcal{A} \) that outputs z ∈ {0, 1} has advantage ϵ in solving decisional qparallel BDHE in G _{1} if
We say that the (decision) qparallel BDHE assumption holds if no polytime algorithm has a nonnegligible advantage in solving the decisional qparallel BDHE problem [2].
System Model and Definition
Model
There are four entities in the proposed scheme as follows.
User: The user downloads the shared data from Cloud Server.
Data owner: The data owner encrypts the shared data then uploads to Cloud Server.
Authority: The authority manages attributes in the system and publishes the parameters used for encryption. It generates a secret key that user’s attributes are embedded and PRE keys used for reencryption and updating secret key. The authority is trusted party.
Cloud Server: Cloud Server stores shared data. It reencrypts encrypted shared data and update secret key by using PRE keys received from the authority. Similar to previous schemes [3,4], we assume Cloud Server to be curiousbuthonest. That is, it will honestly execute the tasks assigned by legitimate parties in the system. However, it would like to learn information of encrypted shared data as much as possible.
Algorithm Definition
Our proposed scheme is composed of 8 algorithms: Auth.Setup, DO.Enc, Auth.Ext, U.Dec, Auth.ReKeyGen, C.ReEnc, C.ReKey, C.AddAtt.
Auth.Setup: The setup algorithm takes as input the security parameter and attribute universe description. It outputs the public parameters PK, master secret key MSK and the keys for granting an attribute J.
DO.Enc: The Encryption algorithm takes as input the public parameters PK, an LSSS access structure \( \mathbb{A} \), and a message ℳ. It outputs a ciphertext CT.
Auth.Ext: The key extraction algorithm takes as input the master key MK, and a set of attributes S. It outputs a secret key SK and t _{ ID }.
U.Dec: The decryption algorithm takes as input a secret key SK for a set S and a ciphertext CT for an access structure \( \mathbb{A} \). If the set of attributes S satisfies the access structure \( \mathbb{A} \), it outputs a message ℳ.
Auth.ReKeyGen: The reencryption key generation algorithm takes as input the master key MK and a set of attributes γ for update. It outputs the redefined master key MK′, the redefined public parameters PK′, and the PRE (Proxy ReEncryption) keys rk.
C.ReEnc: The reencryption algorithm takes as input an attribute y for update, the ciphertext component D _{ i } and a PRE key list RKL _{ y }. It outputs the reencryption ciphertext component \( {D}_i^{\mathit{\hbox{'}}} \).
C.ReKey: The key regeneration algorithm takes as input an attribute w for update, the secret key component K _{ w } and the PRE key list RKL _{ w }. It outputs the updated secret key component \( {K}_w^{\hbox{'}} \).
C.GrantAtt: The attribute grant algorithm takes as input an attribute v, the key for granting an attribute J _{ v }, t _{ ID } and the PRE key list RKL _{ v }. It outputs secret key component K _{ v } and redefines the key for granting an attribute \( {J}_v^{\boldsymbol{\hbox{'}}} \).
Security Definition
We prove that unauthorized users and Cloud Server cannot decrypt ciphertext CT that was encrypted by the proposed scheme. Since we assume Cloud Server is honest, we do not consider active attacks from Cloud Server by colluding with unauthorized or revoked users. We define two attack models and security models as follows.
Attack Model 1
In this model, we assume an attack by unauthorized users. Security in this model is defined with the following game.

Init. The adversary A submits the challenge access structure \( \mathbb{A} \) to the challenger C.

Setup. The challenger C runs setup algorithm and gives the public parameters PK to the adversary A.

Phase1. The adversary can issue following query.

Ext query : The adversary A submits a set of attributes S where S does not satisfy the access structure \( \mathbb{A} \) to the challenger. The challenger C gives secret key corresponding S.

Add query : The adversary A submits a set of attributes S′ where S ∪ S′ does not satisfy the challenge access structure \( \mathbb{A} \). The challenger C gives the secret key component K _{ x } corresponding to S′.


Challenge. The adversary A submits two equal length messages M _{0}, M _{1}. The challenger flips a random coin b, and encrypts M _{ b } under \( \mathbb{A} \). The challenger gives ciphertext CT to the adversary A.

Phase2. Phase1 is repeated.

Guess. The adversary A outputs his guess b′ of b.
The advantage of an adversary A in this game is defined as \( \Pr \left[{b}^{\hbox{'}}=b\right]\frac{1}{2} \).
Definition 2 A ciphertextpolicy attributebased encryption scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.
Attack Model 2
In this model, we assume an attack by Cloud Server. Security in this model is defined with the following game.

Init. The adversary A submits the challenge access structure \( \mathbb{A} \) and version number ver* to the challenger C.

Setup. The challenger C runs setup algorithm and gives the public parameters PK and PRE key and the keys for granting an attribute J to the adversary A.

Phase1. The adversary can issue following query.

K _{ x } query : The adversary A submits a set of attribute S. The challenger C gives secret key component K _{ x } corresponding to S to the adversary A.


Challenge. The adversary A submits two equal length messages M _{0}, M _{1}. The challenger flips a random coin b, and encrypts M _{ b } under \( \mathbb{A} \). The challenger gives ciphertext CT to the adversary A.

Phase2. Phase1 is repeated.

Guess. The adversary A outputs his guess b′ of b.
Definition 3 A ciphertextpolicy attributebased encryption scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.
Our Scheme
Overview
The proposed scheme is based on Waters’s scheme of CPABE [2]. Water’s scheme supports any LSSS access structure. We apply the idea of attribute revocation shown in [3] to the proposed scheme. In the proposed scheme, the attribute key is included in the ciphertext and secret key to delegate attribute revocation processes to Cloud Server. The attribute key is master key components corresponding to each attribute in the system. When user’s attributes are revoked, the authority redefines the attribute keys, and generates PRE keys for updating the attribute keys. Cloud Server reencrypts ciphertext and updates secret key by updating attribute key by using PRE key. Each attribute is associated with version number for updating attribute key.
Cloud Server keeps user list UL, reencryption key list RKL and the key for granting an attribute to secret key J. UL records user’s ID, user’s attribute information, secret key components, t _{ ID }. t _{ ID } is a random number that randomize each secret key to prevent users’ collusion attack. t _{ ID } should “bind” components of one user's key together so that they cannot be combined with another user's key components[2]. RKL records update history of attribute (version number) and PRE keys.
When granting attributes to users, Cloud Server generates user’s secret key components correspond to granting attribute from t _{ ID } and J, and sends secret key component to the user. The user joins secret key component to own secret key. Thus, it is possible to grant attributes to users without generation of new secret key by the authority.
Algorithm
Auth.Setup(U) The setup algorithm takes as input the number of system attributes U. It first chooses a group G _{1} of prime order p, a generator P ∈ G _{1}. It then chooses random group elements Q _{1}, …, Q _{ U } ∈ G _{1} that are associated with the U attributes in the system. In addition, it chooses two random α, a ∈ Z _{ p }, and random Att _{1}, …, Att _{ U } ∈ Z _{ p } as the attribute key.
The public parameters are
The master key is MK : = < α, Att _{1}, …, Att _{ U } >.
The keys for granting an attribute are J : = < {x, J _{ x } = 1/Att _{ x }}_{1 ≤ x ≤ U } >.
DO.Enc (PK, (M, ρ), ℳ) The Encryption algorithm takes as input the public parameters PK, an LSSS access structure (M, ρ), and a message ℳ. The function ρ associates rows of M to attributes. Let M be an l × n matrix. It first chooses a random vector \( \overrightarrow{v}=\left(s,{y}_2,\dots, {y}_n\right)\in {Z}_p \). For i = 1 to l, it computes \( {\lambda}_i:=\overrightarrow{v}\cdot {M}_i \). It then chooses random r _{1}, …, r _{ l } ∈ Z _{ p } and outputs the ciphertext
with (M, ρ).
Auth.Ext (MK, S) The key extraction algorithm takes as input the master key MK, and a set of attributes S. It first chooses a random t _{ ID } ∈ Z _{ p }. It then outputs t _{ ID } and the secret key
U.Dec (SK, CT) The decryption algorithm takes as input a secret key SK for a set S and a ciphertext CT for access structure (M, ρ). Suppose that S satisfies the access structure and let I be defined as I = {i : ρ(i) ∈ S}. Then, let {ω _{ i } ∈ Z _{ p }}_{ i ∈ I } be as set of consistants such that if {λ _{ i }} are valid shares of the secret s according to M, then \( {\displaystyle \sum_{i\in I}}{\omega}_i{\lambda}_i=s \).
The decryption algorithm first computes
It can then decrypt the message ℳ = C/e(P, P)^{αs}.
Auth.ReKeyGen(MK, γ) The reencryption key generation algorithm takes as input the master key MK and a set of attributes γ for update. For each x ∈ γ, it chooses random \( At{t}_x^{\mathit{\hbox{'}}}\in {Z}_p \) as the new attribute key, and computes \( {T}_x^{\hbox{'}}:=At{t}_x^{\hbox{'}}P \), \( r{k}_{x\to {x}^{\boldsymbol{\hbox{'}}}}:=\frac{At{t}_{\boldsymbol{x}}^{\boldsymbol{\hbox{'}}}}{At{t}_{\boldsymbol{x}}} \). It then replaces each Att _{ x } of the master key component with \( At{t}_x^{\boldsymbol{\hbox{'}}} \), and each T _{ x } of public parameter with \( {T}_x^{\boldsymbol{\hbox{'}}} \). It outputs the redefined the master key MK ', the redefined public parameters PK ', and the PRE keys rk := {x, rk _{ x }}_{ x ∈ γ }.
C.ReEnc( y(=ρ(i)), D _{ i }, RKL _{ y } ) The reencryption algorithm takes as input an attribute y(=ρ(i)) for update, the ciphertext component D _{ i } and a PRE key list RKL _{ y }. It first checks version of attribute y. If y has the latest version, it outputs ⊥ and exit. Let \( At{t}_{y^{(n)}} \) be defined as an attribute key of the latest version of attribute y. It computes \( r{k}_{y\leftrightarrow {y}^{(n)}}:=r{k}_{y\leftrightarrow {y}^{\hbox{'}}}\cdot r{k}_{y^{\hbox{'}}\leftrightarrow {y}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{y^{\left(n1\right)}\leftrightarrow {y}^{(n)}}=At{t}_{y^{(n)}}/At{t}_y \). Then, it outputs the reencrypted ciphertext component \( {D}_{\boldsymbol{i}}^{\boldsymbol{\hbox{'}}}:=r{k}_{y\leftrightarrow {y}^{(n)}}\cdot {D}_i=\left(At{t}_{y^{(n)}}/At{t}_y\right) \) \( \cdot {r}_iAt{t}_yP={r}_iAt{t}_{y^{(n)}}P \) .
C.ReKey (w, K _{ w,ID }, RKL _{ w }) The key regeneration algorithm takes as input an attribute w for update, the secret key component K _{ w } and the PRE key list RKL _{ w }. It first checks version of attribute w. If w has the latest version, it outputs ⊥ and exit. Let \( At{t}_{w^{(n)}} \) be defined as the attribute key for the latest version of attribute w. It computes \( r{k}_{w\leftrightarrow {w}^{(n)}}:=r{k}_{w\leftrightarrow {w}^{\hbox{'}}}\cdot r{k}_{w^{\hbox{'}}\leftrightarrow {w}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{w^{\left(n1\right)}\leftrightarrow {w}^{(n)}}=At{t}_{w^{(n)}}/At{t}_w \). It then outputs the updated secret key component \( {K}_w^{\hbox{'}}:=r{k}_{w\leftrightarrow {w}^{(n)}}^{1}\cdot {K}_w=\left(At{t}_w/At{t}_{w^{(n)}}\right)\cdot \left({\boldsymbol{t}}_{\boldsymbol{ID}}/At{t}_w\right){Q}_w=\left({\boldsymbol{t}}_{\boldsymbol{ID}}/At{t}_{w^{(n)}}\right){Q}_w \).
C.GrantAtt (v, J _{ v }, t _{ ID }, RKL _{ v }) The attribute grant algorithm takes as input an attribute v, the key for granting an attribute J _{ v }, t _{ ID } and the PRE key list RKL _{ v }. It first checks version of attribute v. Let \( At{t}_{v^{(n)}} \) be defined as the attribute key for the latest version of attribute v. It first computes \( r{k}_{v\leftrightarrow {v}^{(n)}}:=r{k}_{v\leftrightarrow {v}^{\hbox{'}}}\cdot r{k}_{v^{\hbox{'}}\leftrightarrow {v}^{\hbox{'}\hbox{'}}}\cdot \cdot \cdot r{k}_{v^{\left(n1\right)}\leftrightarrow {v}^{(n)}}=At{t}_{v^{(n)}}/At{t}_v \). It then outputs secret key component for \( {K}_v:={t}_{\boldsymbol{ID}}\cdot r{k}_{v\leftrightarrow {v}^{(n)}}^{1}\cdot {J}_v= \) \( {t}_{ID}\cdot \left(At{t}_v/At{t}_{v^{(n)}}\right)\cdot \left(1/At{t}_v\right){Q}_v=\left({t}_{ID}/At{t}_{v^{(n)}}\right){Q}_v \) and redefines the key for granting an attribute \( {J}_{\boldsymbol{v}}^{\boldsymbol{\hbox{'}}}:=r{k}_{v\leftrightarrow {v}^{(n)}}^{1}\cdot {J}_v=\left(1/At{t}_{v^{(n)}}\right){Q}_v \).
We show the flow of our scheme in Fig 1. In Fig 1, γ denotes a set of user u’s attributes which are revoked and β denotes a set of attributes that granting to user u.
Security Proof
We prove that unauthorized users and Cloud Server cannot decrypt ciphertext CT that was encrypted by using the proposed scheme.
Security Proof in the Attack Model 1
Theorem 1 Suppose the decisional qparallel BDHE assumption holds and a challenge matrix of size is l* × n* where l* × n* ≤ q, our scheme is INDCPA secure in the attack model 1.
Proof Suppose we have adversary A with nonnegligible advantage ϵ against our scheme in the attack model 1. Moreover, suppose it chooses a challenge matrix M* where both dimensions are at most q. We show how to build a simulator, B, that plays the decisional qparallel BDHE problem.
Init. The simulator takes in a qparallel BDHE challenge \( \overrightarrow{y},T \). The adversary gives the simulator B the challenge access structure (M*, ρ*), where M* has n* columns.
Setup. The simulator B generates the public parameter PK as follows. The simulator B chooses random α′ ∈ Z _{ p } and implicitly sets α = α′ + a ^{q + 1} by letting \( e{\left(P,P\right)}^{\alpha }=e\left(aP,{a}^qP\right)e{\left(P,P\right)}^{\alpha^{\hbox{'}}} \). It outputs public parameter Q _{1}, …, Q _{ U } as follows.

1.
For each x for 1 ≤ x ≤ U begin by choosing a random value z _{ x }

2.
Let X denote the set of indices i, such that ρ*(i) = x.

3.
The simulator B computes \( {Q}_x={z}_xP+{\displaystyle {\sum}_{i\in X}}\left\{\left({a}^2{M}_{i,1}^{*}/{b}_i\right)P+\left({a}^2{M}_{i,2}^{*}/{b}_i\right)P+\cdot \cdot \cdot +\left({a}^{n^{*}}{M}_{i,{n}^{*}}^{*}/{b}_i\right)P\right\} \)
Note that if X = ∅ then we have \( {Q}_x={g}^{z_x} \). Also note that the parameters are distributed randomly due to \( {g}^{z_x} \). The simulator B randomly chooses attribute keys t _{ x } ∈ Z _{ p } for 1 ≤ x ≤ U and computes public parameters Τ _{ x } = t _{ x } P. It gives the adversary A the public parameters PK := (P, e(P, P)^{α}, aP, Q _{1}, …, Q _{ U }, T _{1}, …, T _{ U }).
Phase1. The adversary A issues following queries:
Ext query : The adversary A submits a set of attributes S where S does not satisfy the access structure M* to the challenger. The simulator first chooses a random r ∈ Z _{ p }. Then it finds a vector \( \overrightarrow{w}=\left({w}_1,\dots, {w}_{n^{*}}\right)\in {Z}_p^{n^{*}} \) such that w _{1} = − 1 and for all i where ρ(i) ∈ S ' we have that \( \overrightarrow{w}\cdot {M}_i^{*}=0 \). The simulator B begins by implicitly defining t _{ ID } as
It performs this by setting \( L=rP+{\displaystyle {\sum}_{i=2,\dots, {n}^{*}}}{w}_i\left({a}^{q+1i}P\right) \) = t _{ ID } P. The simulator can compute K as
The simulator B computes K _{ x } ∀_{ x } ∈ S as follows.
Case 1. If there is no i such that ρ*(i) = x, it computes K _{ x } = (1/t _{ x }) ⋅ z _{ x } L.
Case 2. If there is i such that ρ*(i) = x.

1)
Let X be the set of all i such that ρ*(i) = x.

2)
It computes K _{ x } as
$$ {z}_xL+{\displaystyle \sum_{i\in X}}{\displaystyle \sum_{j=1,\dots, {n}^{*}}}{M}_{i,j}^{*}\left[\left({a}^j/{b}_i\right)rP+{\displaystyle \sum_{\begin{array}{c}\hfill k=1,\dots, {n}^{*}\hfill \\ {}\hfill k\ne j\hfill \end{array}}}{w}_k\left\{\left({a}^{q+1+jk}/{b}^i\right)P\right\}\right] $$ 
3)
It calculates \( {K}_x=\left(1/{t}_x\right){K}_x^{\hbox{'}} \).
It gives the adversary A secret key SK := (K, L, ∀ x ∈ S K _{ x }).
Add query : The adversary A submits a set of attributes S′ where S ∪ S′ does not satisfy the challenge access structure M*.The simulator B computes K _{ x } ∀_{ x } ∈ S′ as follows.
Case1. If there is no i such that ρ*(i) = x, it computes K _{ x } = (1/t _{ x }) ⋅ z _{ x } L.
Case2. If there is i such that ρ*(i) = x.

1)
Let X be the set of all i such that ρ*(i) = x.

2)
It computes \( {K}_x^{\hbox{'}} \) as
$$ {z}_xL+{\displaystyle \sum_{i\in X}}{\displaystyle \sum_{j=1,\dots, {n}^{*}}}{M}_{i,j}^{*}\left[\left({a}^j/{b}_i\right)rP+{\displaystyle \sum_{\begin{array}{c}\hfill k=1,\dots, {n}^{*}\hfill \\ {}\hfill k\ne j\hfill \end{array}}}{w}_k\left\{\left({a}^{q+1+jk}/{b}^i\right)P\right\}\right] $$ 
3)
It calculates \( {K}_x=\left(1/{t}_x\right){K}_x^{\hbox{'}} \).
It gives the adversary A the secret key component \( {\left\{{K}_x\right\}}_{\forall x\in {S}^{\hbox{'}}} \).
Challenge. The adversary A submits two equal length messages ℳ_{0}, ℳ_{1}. The simulator B flips a random coin b ∈ {0, 1}. It computes C = ℳ_{ b } T ⋅ e(sP, α ' P), C = sP. It choose random \( {y}_2^{\hbox{'}},\dots, {y}_{n^{*}}^{\hbox{'}}\in {Z}_p \) and the share the secret using the vector \( \overrightarrow{v}=\left(s,sa+{y}_2^{\hbox{'}},s{a}^2+{y}_3^{\hbox{'}},\dots, s{a}^{n1}+{y}_{n^{*}}^{\hbox{'}}\right)\in {Z}_p^{n^{*}} \). In addition, it choose random values \( {r}_1^{\hbox{'}},\dots, {r}_l^{\hbox{'}}\in {Z}_p \).
For i = 1, …, n*, we define R _{ i } as the set of all k ≠ i such that ρ*(i) = ρ*(k). The challenge ciphertext components are then generated as
It gives the adversary A the challenge ciphertext \( C{T}^{*}=\left(C,{C}^{\hbox{'}},\left({C}_1,{D}_1\right),\dots, \left({C}_{l^{*}},{D}_{l^{*}}\right)\right) \).
Phase2. Phase 1 is repeated.
Guess. The adversary A will eventually output a guess b′. of b. The simulator then outputs 0 to guess that \( T=e{\left(P,P\right)}^{a^{q+1}s} \) if b′. = b; otherwise, it outputs 1 to indicate that it believes T is a random group element R ∈ G _{2}.
When T is a tuple the simulator B gives a perfect simulation so we have that
When T is a random group element the message ℳ_{ b } is completely hidden from the adversary and we have \( \Pr =\left[\mathrm{B}\left(\overrightarrow{y},T=R\right)=0\right]=\frac{1}{2} \). Therefore, the simulator B can play the decisional qparallel BDHE game with nonnegligible advantage.
Security Proof in the Attack Model 2
Theorem 2 Suppose Waters’s scheme [2] is INDCPA secure, our scheme is also INDCPA secure in the attack model 2.
Proof Suppose we have adversary A with nonnegligible advantage ϵ against our scheme in the attack model 2. Moreover, suppose it chooses a challenge matrix M* where both dimensions are at most q. We prove there is an simulator B which has advantage at least ϵ against Waters’s scheme simulator (Given input, it responds according to algorithms of the Waters’s scheme).
Init. The adversary A submits the challenge access structure (M*, ρ*) where M* has n* columns and version number ver* to the simulator B. The simulator B submits the challenge access structure (M*, ρ*) to the Waters’s scheme simulator.
Setup. The simulator B receives public parameters PK ^{'} := (P, e(P, P)^{α}, aP, Q _{1}, …, Q _{ U }) from the Waters’s scheme simulator. It randomly chooses attribute keys t _{ x } ∈ Z _{ p } for 1 ≤ x ≤ U and computes public parameters Τ _{ x } = t _{ x } P. It computes the key for granting an attribute J := {(1/t _{1})Q _{1}, …, (1/t _{ U })Q _{ U }}. Then, the simulator B computes PRE keys and public parameters T _{ x } for each version as follows. For x (1 ≤ x ≤ U), for 1 ≤ k ≤ ver* − 1, the simulator B randomly chooses PRE keys \( r{k}_{x^{(k)}\to {x}^{\left(k+1\right)}}\in {Z}_p \) and computes public parameters \( {T}_{x^{\left(k+1\right)}}=r{k}_{x^{(k)}\leftrightarrow {x}^{\left(k+1\right)}}{T}_{x^{(k)}} \). (k + 1) and (k) denote the version number of PRE keys and public parameter. The simulator B gives the adversary A the public parameter PK := (P, e(P, P)^{α}, aP, Q _{1}, …, Q _{ U }, T _{1}, …, T _{ U }), the key for granting an attribute J and all PRE keys.
Phase1. The adversary A issues following queries:
K _{ x } query : The adversary A submits a set of attributes S for version k, 1 ≤ k ≤ ver* − 1. we denote \( {V}_{x^{(k)}}={\displaystyle \prod_{i=2}^k}r{k}_{x^{\left(i1\right)}\leftrightarrow {x}^{(i)}} \). The simulator B randomly chooses t _{ ID } ∈ Z _{ p } and computes \( \forall x\in S\ {K}_x=\left({t}_{ID}/{t}_x \cdot {V}_{x^{(k)}}\right){Q}_x \). It gives the adversary A the secret key components {K _{ x }}_{∀ x ∈ S }.
Challenge. The adversary A submits two equal length messages ℳ_{0}, ℳ_{1}, then the simulator B submits them to the Waters’s simulator. The Waters’s simulator flips a random coin b ∈ {0, 1} and computes ciphertest CT′ := (C, C′, (C _{1}, D _{1}), …, (C _{ l }, D _{ l })) ← Enc(PK, (M*, ρ*), ℳ_{ b }). The simulator B receives the ciphertext CT ^{'}, then it computes \( CT:=\Big(C,{C}^{\hbox{'}},\left({C}_1,{V}_{\rho {(1)}^{\left(ve{r}^{*}\right)}}{D}_1\right),\dots, \left({C}_l,{V}_{\rho {(l)}^{\left(ve{r}^{*}\right)}}{D}_l\right) \) from the ciphertext CT′. It gives the adversary A the cipertext CT.
Phase2. Phase 1 is repeated.
Guess. The adversary A outputs will eventually output a guess b′ of b. The simulator B outputs b′ as its guess.
The simulation above shows there is a simulator B that has advantage at least ϵ ageinst Waters’s scheme simulator if there is an adversary A that has advantage ϵ against our scheme.
Result and discussion
In Table 1, we give two comparisons of the proposed scheme with the schemes of [3,4] that can revoke the only specified attributes. The first comparison is in terms of the size of the public key (PK), the secret key (SK), the ciphertext (CT), and the reencryption key (RK). The second comparison is in terms of the computation amount of encryption (Enc), secret key generation (Ext), reencryption (Reenc), decryption (Dec), and secret key update (Rekey). As to the size of the public key, the scheme of [4] has the smallest one, followed by the proposed scheme. As for the size of the secret key, the proposed scheme has the smallest one. Both the proposed scheme and the scheme of [4] have equally the smallest size ciphertexts. As to the size of the reencryption key, if there are users more than the number of attributes, both the proposed scheme and the scheme of [3] have the equally smallest one.
As for the computation amount of encryption and decryption, the proposed scheme and the scheme of [4] have the equally smallest. As to the computation amount of secret key generation, the proposed scheme has the smallest. Finally, as to the computation amount of reencryption and secret key update, all schemes have the same.
The differences, in terms of the requirements in Section I, between the proposed scheme and the schemes of [35] are summarized as shown in Table 2.
Conclusion
This paper proposed a ciphertextpolicy attributebased encryption scheme delegating attribute revocation processes to Cloud Server by proxy reencryption. Cloud Server reencrypts a ciphertext and updates a secret key by updating attribute key with PRE key for updating the attribute keys.
The proposed scheme meets three requirements as follows; First, the proposed scheme supports any LSSS access structure. Second, the authority can only revoke specified attribute by updating attribute key included in ciphertext corresponding to his attributes which are revoked. Finally, when granting attributes to a user, generation of a new secret key becomes unnecessary because Cloud Server generates secret key components corresponding to granting attributes.
The proposed scheme is secure against attack by unauthorized users and Cloud Server. Our future direction is to implement the proposed scheme and confirm its feasibility.
References
Bethencourt J, Sahai A, Waters B (2007) Ciphertextpolicy attributebased encryption. In: Paper presented at the 2007 IEEE Symposium on Security and Privacy, Oakland., 20–23 May 2007
Waters B (2011) Ciphertextpolicy attributebased encryption: an expressive, efficient, and provably secure realization. In: Paper presented at the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina., 6–9 March 2011
Yu S, Wang C, Ren K, Lou W (2010) Attribute based data sharing with attribute revocation. In: Paper presented at the 5th ACM Symposium on Information. Computer and Communications Security, Beijing, 13 April 2010
Hur J, Nor D.K (2011) Attributebased access control with efficient revocation in data outsourcing systems. doi:10.1109/TPDS.2010.203.
Liang X, Lu R, Lin X, Shen X (2011) Ciphertext policy attribute based encryption with efficient revocation. http://bbcr.uwaterloo.ca/~x27liang/papers/abe%20with%20revocation.pdf.
Beimei A (1996) Secure schemes for secret sharing and key distribution. Dissertation, Israel Institute of Technology.
Author information
Authors and Affiliations
Corresponding author
Additional information
Competing interests
The authors declare that they have no competing interests.
Authors’ contributions
TN designed the study and drafted the manuscript. MM and YS conceived of the study, participated in the design and drafting the article and revising it critically for intellectual content. They reviewed and approved the final, submitted version. All authors read and approved the manuscript.
Authors’ Information
TN received B.E. degree from Nagoya Institute of Technology, Japan, in 2013. He is a graduate student of the institute. His current research interests include information security, cryptography. He received DICOMO2013 symposium Paper Awards and Presentation Awards in 2013. He is a member of IPSJ.
MM received B.E. and M.E. degrees from Ehime University, Japan, in 1993 and 1995 respectively. She received Ph.D degree in Engineering from the University of Tokushima, Japan in 2002. From 1995 to 1998 she was an assistant professor at the Department of Management and Information Science, Kagawa junior college, Japan. From 1998 to 2002 she was a research associate of the Department of Information Science and Intelligent Systems, the University of Tokushima, Japan. From 2003 to 2008 she was a lecturer of the same department. Since 2008, she has been an associate professor at the Information and Multimedia Center, Gifu University, Japan. Her research interests are in coding theory, information security and cryptography. She is a member of IEEE and a senior member of IEICE.
YS received B.E. and M.E. degrees from Ehime University, Japan, and Ph.D degree from the University of Tokushima, Japan, in 1995, 1997, and 2000, respectively. From 2002 to 2006 he was a lecturer at the Department of Informatics, Kinki University, Japan. From 2006 to 2013 he was an associate professor at the Department of Computer Science and Engineering, Nagoya Institute of Technology, Japan. Since 2013, he has been an associate professor at the Department of Electrical and Electronic Engineering, Kobe University, Japan. His current research interests include information security, cryptography, computer network, and knowledge sharing and creation support. He received the SCIS 20th Anniversary Award and the SCIS Paper Award from ISEC group of IEICE in 2003 and 2006, respectively. He is a member of IEEE, ACM and a senior member of IEICE, IPSJ.
Masami Mohri and Yoshiaki Shiraishi. These authors contributed equally to this work
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0), which permits use, duplication, adaptation, distribution, and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Naruse, T., Mohri, M. & Shiraishi, Y. Provably secure attributebased encryption with attribute revocation and grant function using proxy reencryption and attribute key for updating. Hum. Cent. Comput. Inf. Sci. 5, 8 (2015). https://doi.org/10.1186/s1367301500270
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1367301500270