Server-Aided Revocable Attribute-Based Encryption Revised: Multi-User Setting and Fully Secure

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12973)

Abstract

Attribute-based encryption (ABE) is a promising cryptographic primitive achieving fine-grained access control on encrypted data. However, efficient user revocation is essential to keep the system dynamic and to protect data privacy. Cui et al. (ESORICS 2016) proposed the first server-aided revocable attribute-based encryption (SR-ABE) scheme, in which an untrusted server manages all the long-term transform keys and update keys generated by the key generation center (KGC) in order to achieve efficient user revocation, so no user needs to communicate with the KGC to update his/her decryption key regularly. In addition, most of the computational overhead of decryption is outsourced to the server, and the user keeps only a small private key to decrypt the final ciphertext. Qin et al. (CANS 2017) then extended Cui et al.’s work to be decryption key exposure resistant (DKER).

Unfortunately, current SR-ABE schemes can only be proven secure in the one-user setting, which means there is only one “target user” \(id^*\) with an attribute set \(S_{id^*}\) satisfying the access structure \((\mathbb {M}^*, \rho )\) of the challenge ciphertext, i.e., \(S_{id^*}\vDash (\mathbb {M}^*, \rho )\). A more reasonable security model, the multi-user setting, requires that any user id in the system may hold an attribute set \(S_{id}\vDash (\mathbb {M}^*, \rho )\), and that the adversary is allowed to query any user’s private key \(SK_{id}\) and his/her long-term transform key \(PK_{id,S_{id}}\) as long as his/her identity id is revoked at or before the challenge time \(t^*\). How to construct an SR-ABE scheme secure in the multi-user setting is still an open problem.

In this paper, we propose the first SR-ABE scheme provably secure in the multi-user setting. In addition, our SR-ABE scheme is fully secure and decryption key exposure resistant. It is built on the dual system encryption methodology and combines, in a novel way, a variant of Lewko et al.’s work in EUROCRYPT 2010 with Lewko et al.’s work in TCC 2010. As a result, we solve the remaining open problem.

Keywords

  • Attribute-based encryption
  • Revocation
  • Server-aided
  • Multi-user setting
  • Fully secure

References

  1. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_17

  2. Beimel, A.: Secure schemes for secret sharing and key distribution. PhD thesis, Technion, Israel Institute of Technology (1996)

  3. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy 2007, pp. 321–334 (2007)

  4. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: CCS 2008, pp. 417–426 (2008)

  5. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. IACR Cryptology ePrint Archive 2012, 52 (2012)

  6. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  7. Chen, J., Lim, H.W., Ling, S., Wang, H., Nguyen, K.: Revocable identity-based encryption from lattices. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 390–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_29

  8. Cui, H., Deng, R.H., Li, Y., Qin, B.: Server-aided revocable attribute-based encryption. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 570–587. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_29

  9. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: CCS 2006, pp. 89–98 (2006)

  10. Katsumata, S., Matsuda, T., Takayasu, A.: Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance. In: PKC 2019, pp. 441–471 (2019)

  11. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4

  12. Lewko, A.B., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: IEEE Symposium on Security and Privacy, S&P 2010, pp. 273–285. IEEE Computer Society (2010)

  13. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27

  14. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12

  15. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: CRYPTO, pp. 41–62 (2001)

  16. González-Nieto, J.M., Manulis, M., Sun, D.: Fully private revocable predicate encryption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 350–363. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_26

  17. Qin, B., Deng, R.H., Li, Y., Liu, S.: Server-aided revocable identity-based encryption. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 286–304. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_15

  18. Qin, B., Zhao, Q., Zheng, D., Cui, H.: Server-aided revocable attribute-based encryption resilient to decryption key exposure. In: Capkun, S., Chow, S.S.M. (eds.) CANS 2017. LNCS, vol. 11261, pp. 504–514. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02641-7_25

  19. Qin, B., Zhao, Q., Zheng, D., Cui, H.: (Dual) server-aided revocable attribute-based encryption with decryption key exposure resistance. Inf. Sci. 490, 74–92 (2019)

  20. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) CCS 2013, pp. 463–474. ACM (2013)

  21. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_13

  22. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27

  23. Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 216–234. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_14

  24. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

Acknowledgments

We thank anonymous reviewers for helpful feedback.

Appendices

A Proof of Lemma 2

Proof

\(\mathcal {B}\) is given \((g, X_3, T)\) and simulates \(\mathbf {Game}_{Restricted}\) or \(\mathbf {Game}_{0}\) with \(\mathcal {A}\). It sets the public parameters as follows. It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\), and returns the public parameters to \(\mathcal {A}\) as:

$$\begin{aligned} PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} , \end{aligned}$$
(27)

and keeps \(MSK=\{\alpha , X_3\}\) as secret. In this case, \(\mathcal {B}\) can answer any normal key query (including Create(id,S), Corrupt(id), TKeyUp(t), DecKG(id,t)) from \(\mathcal {A}\) by running the corresponding key generation algorithm with MSK.

\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). To generate the challenge ciphertext \(CT^*\), \(\mathcal {B}\) implicitly sets \(g^s\) to be the \(G_{p_1}\) part of T (T is the product of \(g^s\) and possibly an element of \(G_{p_2}\)). It randomly chooses \(v_2', \ldots , v_n' \in \mathbb {Z}_N\), \(r_i'\in \mathbb {Z}_N\) for \(i\in [1,l]\), \(\beta \in \{0, 1\}\) and sets \(\vec {v}'=(1,v_2', \ldots , v_n')^{\perp }\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:

$$\begin{aligned} CT^*=\left\{ \begin{aligned}&C=M_{\beta }\cdot e(g^{\alpha },T), \quad C_0=T,\quad C_t=T^{a_0t^*+b_0}\\&C_{i}=T^{a\mathbb {M}_{i}^* \vec {v}'}T^{-r_i's_{\rho (i)}},\quad D_i=g^{r_i'} \quad \forall i \end{aligned} \right\} . \end{aligned}$$
(28)

We note that this implicitly sets \(\vec {v} = (s, sv_2',\ldots , sv_n')\) and \(r_i=sr_i'\). Modulo \(p_1\), \(\vec {v}\) is a random vector with first coordinate s and \(r_i\) is a random value. Thus, if \(T \in G_{p_1}\), \(CT^*\) is a properly distributed normal ciphertext. Otherwise, \(T \in G_{p_1p_2}\), and we let \(g_{2}^c\) be the \(G_{p_2}\) part of T (i.e. \(T=g^sg_{2}^c\)). We then have a semi-functional ciphertext with \(z_{t^*}=a_0t^*+b_0\), \(\vec {u}=ca\vec {v}'\), \(\gamma _{i}=-cr_i'\), and \(z_{\rho (i)}=s_{\rho (i)}\). By the Chinese Remainder Theorem, \(a_0,b_0,a, v_2', \ldots , v_n', r_i', s_{\rho (i)}\) modulo \(p_2\) are uncorrelated from these values modulo \(p_1\), so \(CT^*\) is a properly distributed semi-functional ciphertext. Therefore, \(\mathcal {B}\) can break Assumption 1 with advantage \(\epsilon \) using the output of \(\mathcal {A}\).    \(\square \)

B Proof of Lemma 4

Proof

\(\mathcal {B}\) is given \(( g, X_1X_2, X_3, Y_2Y_3, T)\) and simulates \(\mathbf {Game}_{k,1}\) or \(\mathbf {Game}_{k,2}\) with \(\mathcal {A}\). It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns the public parameters \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).

The first \(k-1\) semi-functional keys of type 2, the normal keys with index \(> k\), and the challenge ciphertext are all constructed as in the above lemma. Hence, the ciphertext shares the value ac in the \(G_{p_2}\) subgroup. However, this value is not correlated with the \(k^{th}\) key in any way, so it is random modulo \(p_2\). To answer the \(k^{th}\) key request, \(\mathcal {B}\) chooses a random element \(R_3'\in G_{p_3}\) and sets

  • \(SK_{id}=g^{\alpha }T^{a_1id+b_1} \cdot R_3'\);

  • For each \( x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \(g_x\) from the node x, choose random elements \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}', \{R_{x,i}'\}_{i\in S} \in G_{p_3}\), and an additional \(h_x \in \mathbb {Z}_N\), set

    $$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha }T^{a t_x}(T^{a_1id+b_1}/g_x)\cdot R_{x,0}' \cdot (Y_2Y_3)^{h_x},\qquad L_x=T^{t_x}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T^{s_i t_x}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$
    (29)
  • For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, choose random elements \(\hat{R}_{x,3},\bar{R}_{x,3} \in G_{p_3}\) and \(s_x' \in \mathbb {Z}_N\), set

    $$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (T^{a_0t+b_0})^{s_x'}\hat{R}_{x,3}, \quad Q_{x,1,t}=T^{s_x'}\bar{R}_{x,3}. \end{aligned} \end{aligned}$$
    (30)

Note that we add the \((Y_2Y_3)^{h_x}\) term. This randomizes the \(G_{p_2}\) part of \(K_x\), so the key is no longer nominally semi-functional. If we use the \(k^{th}\) key to decrypt the semi-functional ciphertext, the decryption would fail.

Thus, if \(T \in G_{p_1p_3}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,2}\). Otherwise, \(T \in G\), and \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,1}\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage \(\epsilon \) in breaking Assumption 2.    \(\square \)
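The node sets \(\mathsf {Path}(\mathsf {BT},\theta )\) and \(\mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\) that index the key components \(K_x\) and \(Q_{x,\cdot ,t}\) above decide, per period, which users the server can still derive decryption keys for. The following is an added illustration (not code from the paper) assuming the standard Complete Subtree definitions of Naor et al. [15] as used by Boldyreva et al. [4]; it builds the tree, computes both sets for a time-stamped revocation list, and checks that they intersect exactly for users not revoked at or before t.

```python
# Added example (not code from the paper): the binary-tree revocation
# structure behind Path(BT, theta) and KUNodes(BT, RL, t), assuming the
# Complete Subtree definitions of Naor et al. [15] / Boldyreva et al. [4].
# Nodes are heap-indexed: root = 1, children of x are 2x and 2x+1; with
# depth d the leaves are the ids 2^d .. 2^(d+1)-1.

def leaf_of(user_index, depth):
    """Leaf theta assigned to the user_index-th user (0-based)."""
    return (1 << depth) + user_index


def path(theta):
    """Path(BT, theta): the nodes on the path from leaf theta up to the root."""
    nodes = []
    x = theta
    while x >= 1:
        nodes.append(x)
        x //= 2
    return nodes


def revoked_leaves(rl, t):
    """RL is a list of (leaf, revocation_time); a user counts as revoked at
    period t when its revocation time is at or before t."""
    return [leaf for leaf, when in rl if when <= t]


def kunodes(depth, rl, t):
    """KUNodes(BT, RL, t): the minimal node set covering every non-revoked
    leaf. A node joins the cover when it is not on the path of any revoked
    leaf but its parent is (the root alone if nobody is revoked yet)."""
    marked = set()
    for leaf in revoked_leaves(rl, t):
        marked.update(path(leaf))
    if not marked:
        return {1}
    cover = set()
    for x in marked:
        for child in (2 * x, 2 * x + 1):
            if child not in marked and child < (1 << (depth + 1)):
                cover.add(child)
    return cover


def can_derive_key(depth, theta, rl, t):
    """The server can combine K_x (x in Path) with Q_{x,.,t} (x in KUNodes)
    into a period-t decryption key iff the two node sets share a node."""
    return bool(set(path(theta)) & kunodes(depth, rl, t))


if __name__ == "__main__":
    # Constructed sample: 8 users (depth 3); user 1 revoked at t=2, user 6 at t=5.
    rl = [(leaf_of(1, 3), 2), (leaf_of(6, 3), 5)]
    print(sorted(kunodes(3, rl, 3)))                 # cover at t=3
    print(can_derive_key(3, leaf_of(1, 3), rl, 3))   # False: already revoked
    print(can_derive_key(3, leaf_of(6, 3), rl, 3))   # True: revoked only at t=5
```

The cover size stays logarithmic in the number of users per revoked leaf, which is why the update keys the server holds remain small even in the multi-user setting.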

C Proof of Lemma 5

Proof

\(\mathcal {B}\) is given \(( g, g^{\alpha }X_2, X_3, g^sY_2,Z_2, T)\) and simulates \(\mathbf {Game}_{q,2}\) or \(\mathbf {Game}_{Final}\) with \(\mathcal {A}\). It randomly picks \(a, a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g^{\alpha }X_2)=e(g,g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).

To make semi-functional keys of type 2, randomly choose \(f, r, z_{id},d', z_{t} \in \mathbb {Z}_N\), \(R_3'\in G_{p_3}\) and set

  • \(SK_{id}=g^{\alpha }(u^{id}h)^r \cdot R_3' \cdot Z_2^{fz_{id}}\);

  • For each \(x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \( g_x\) from the node x, randomly choose \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}', \{R_{x,i}'\}_{i\in S} \in G_{p_3}\), set

    $$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha +at_xr }((u^{id}h)^r/g_x)\cdot R_{x,0}'\cdot Z_2^{d't_x+fz_{id}},\quad L_x=g^{t_xr}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T_i^{t_x r}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$
    (31)
  • For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, randomly choose \(s_x,\gamma _x' \in \mathbb {Z}_N\) and \(\hat{R}_{x,3}',\bar{R}_{x,3}' \in G_{p_3}\), set

    $$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (u_0^th_0)^{s_x}\hat{R}_{x,3}' \cdot Z_2^{\gamma _x' z_{t}}, \quad Q_{x,1,t}=g^{s_x}\bar{R}_{x,3}'\cdot Z_2^{\gamma _x' }. \end{aligned} \end{aligned}$$
    (32)

\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). \(\mathcal {B}\) chooses \(u_2, \ldots , u_n, r_i' \in \mathbb {Z}_N\), a random bit \(\beta \in \{0, 1\}\) and sets \(\vec {u}'=(a,u_2, \ldots , u_n)\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:

$$\begin{aligned} CT^*=\left\{ \begin{aligned}&C=M_{\beta }\cdot T, C_0=g^sY_2, C_t=(g^sY_2)^{a_0t^*+b_0}\\&C_{i}=(g^sY_2)^{\mathbb {M}_{i}^* \vec {u}'}(g^sY_2)^{-r_i's_{\rho (i)}}, D_i=(g^sY_2)^{r_i'} \quad \forall i \end{aligned} \right\} . \end{aligned}$$
(33)

We set \(Y_2=g_2^c\), \(\vec {v} = sa^{-1}\vec {u}'\) and \(\vec {u}=c\vec {u}'\), so s is shared in the \(G_{p_1}\) subgroup and ca is shared in the \(G_{p_2}\) subgroup. This implicitly sets \(u_1=ca\), \(r_i=sr_i'\) and \(\gamma _i=-cr_i'\).

Thus, if \(T =e(g,g)^{\alpha s}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{q,2}\) and \(CT^*\) is a semi-functional ciphertext encrypting \(M_{\beta }\). Otherwise, \(T \in G_T\) is random, \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{Final}\), and \(CT^*\) is a semi-functional ciphertext encrypting a random message in \(G_T\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage \(\epsilon \) in breaking Assumption 3.    \(\square \)

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Cheng, L., Meng, F. (2021). Server-Aided Revocable Attribute-Based Encryption Revised: Multi-User Setting and Fully Secure. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_10

  • DOI: https://doi.org/10.1007/978-3-030-88428-4_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-88427-7
  • Online ISBN: 978-3-030-88428-4