
Achieving Revocable Fine-Grained Cryptographic Access Control over Cloud Data

  • Conference paper
Information Security

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7807))

Abstract

Attribute-based encryption (ABE) is well suited for fine-grained access control for data residing on a cloud server. However, existing approaches for user revocation are not satisfactory. In this work, we propose a new approach which works by splitting an authorized user’s decryption capability between the cloud and the user herself. User revocation is attained by simply nullifying the decryption ability at the cloud, requiring neither key update nor re-generation of cloud data. We propose a concrete scheme instantiating the approach, which features lightweight computation at the user side. This makes it possible for users to use resource-constrained devices such as mobile phones to access cloud data. We implement our scheme, and also empirically evaluate its performance.
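A toy model of the split-decryption idea in the abstract, added here and not the paper's scheme: it swaps the pairing-based ABE construction for exponent blinding in a small ElGamal-style group, so it shows only the cloud/user split and revocation, not attribute policies. The group parameters and all function names are constructed for this example.

```python
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G generates the order-Q subgroup.
P, Q, G = 2879, 1439, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1        # uniform nonzero exponent in Z_Q

def setup():
    z = rand_exp()                             # master secret
    return z, pow(G, z, P)                     # (z, public h = g^z)

def enroll(z):
    """Split decryption ability: alpha for the user, z*alpha for the cloud."""
    alpha = rand_exp()
    return alpha, (z * alpha) % Q

def encrypt(h, m):
    x = rand_exp()
    return pow(G, x, P), (m * pow(h, x, P)) % P   # (C', C)

class Cloud:
    def __init__(self):
        self.server_keys = {}                  # user id -> blinded key z*alpha

    def partial_decrypt(self, uid, ct):
        if uid not in self.server_keys:
            raise PermissionError(f"{uid} is revoked or unknown")
        return pow(ct[0], self.server_keys[uid], P)   # g^{x*z*alpha}, blinded

    def revoke(self, uid):
        self.server_keys.pop(uid, None)        # no re-encryption, no key update

def user_decrypt(alpha, ct, token):
    mask = pow(token, pow(alpha, -1, Q), P)    # unblind: g^{x*z}
    return (ct[1] * pow(mask, -1, P)) % P

def demo(m=1234):
    z, h = setup()
    cloud = Cloud()
    alpha, cloud.server_keys["alice"] = enroll(z)
    ct = encrypt(h, m)
    before = user_decrypt(alpha, ct, cloud.partial_decrypt("alice", ct))
    cloud.revoke("alice")
    try:
        cloud.partial_decrypt("alice", ct)
        return before, "token issued"
    except PermissionError:
        return before, "refused"
```

After `revoke`, the stored ciphertext and the user's `alpha` are unchanged, yet the user can no longer obtain the token needed to unblind it.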


Notes

  1. http://www.bouncycastle.org/java.html

References

  1. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Proceedings IMA International Conference on Cryptography and Coding, pp. 278–300 (2009)

  2. Beimel, A.: Secure schemes for secret sharing and key distribution, Ph.D. thesis, Israel Institute of Technology, Technion, Haifa, Israel (1996)

  3. Blaze, M., Bleumer, G., Strauss, M.J.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998)

  4. Boneh, D., Ding, X., Tsudik, G., Wong, C.M.: A method for fast revocation of public key certificates and security capabilities. In: Proceedings USENIX Security (2001)

  5. Bobba, R., Khurana, H., Prabhakaran, M.: A practically motivated enhancement to attribute-based encryption. In: Proceedings ESORICS (2009)

  6. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: Proceedings IEEE S&P (2007)

  7. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)

  8. Cloud security alliance: security guidance for critical areas of focus in cloud computing (2009). http://www.cloudsecurityalliance.org

  9. European network and information security agency: cloud computing risk assessment (2009). http://www.enisa.europa.eu/act/rm/_les/deliverables/cloud-computing-risk-assessment

  10. Gartner: don’t trust cloud provider to protect your corporate assets, 28 May 2012. http://www.mis-asia.com/resource/cloud-computing/gartner-dont-trust-cloud-provider-to-protect-your-corporate-assets

  11. Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: Proceedings USENIX Security (2011)

  12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings ACM CCS 2006 (2006)

  13. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996)

  14. Liang, X., Cao, Z., Lin, H., Shao, J.: Attribute-based proxy re-encryption with delegating capabilities. In: Proceedings ACM ASIACCS 2009, pp. 276–286 (2009)

  15. Liu, J., Wan, Z., Gu, M.: Hierarchical attribute-set based encryption for scalable, flexible and fine-grained access control in cloud computing. In: Proceedings 7th Information Security Practice and Experience Conference, ISPEC 2011 (2011)

  16. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Proceedings ACM CCS 2007, pp. 195–203 (2007)

  17. Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002)

  18. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Proceedings Practice and Theory in Public Key Cryptography, PKC 2011, pp. 53–70 (2011)

  19. Wang, G., Liu, Q., Wu, J.: Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In: Proceedings ACM CCS 2010 (2010)

  20. Yu, S., Wang, C., Ren, K., Lou, W.: Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proceedings IEEE INFOCOM 2010 (2010)


Acknowledgments

This work is supported in part by A*STAR funded project SecDC-112172014 (Singapore), and the second author is funded by the Singapore Management University through the research grant MSS12C004 from the Ministry of Education Academic Research Fund Tier 1.

Author information

Corresponding author

Correspondence to Yanjiang Yang.


Appendices

A Formulation of Security Notions

The definitional model for data privacy against cloud is captured in the following game between a challenger managing an SCSS system and an adversary who wants to break the system.

Definition 2 [Data Privacy Against Cloud]. A secure cloud storage system (SCSS) satisfies data privacy against cloud if, for any PPT adversary, the probability that the following game returns 1 is \(1/2 + \nu (\kappa )\), where \(\nu (\cdot )\) is a negligible function.

Setup. The challenger runs the Setup algorithm and gives the public parameters params to the adversary.

Phase 1. The adversary makes repeated queries to the server-side key generation oracle by submitting sets of attributes \(S_1, ..., S_{q_1}\). For each query, the challenger first runs the UsKGen algorithm to get a user-side public/private key pair; with the user-side public key and the attribute set \(S_i\), the challenger then runs the SsKGen algorithm to get a server-side key; the challenger returns the server-side key together with the user-side public key to the adversary.

Challenge. The adversary submits two equal length messages \(m_0\) and \(m_1\), together with a challenge access structure \(\mathbb {A}^*\). The challenger flips a random coin b, runs the Encrypt algorithm on \(m_b\) and \(\mathbb {A}^*\), and returns the ciphertext \(c^*\) to the adversary.

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess \(b'\) on b. If \(b'=b\), then the challenger returns 1; otherwise returns 0.

The formulation of data privacy against authorized users and of user revocation support is based on the same fact: without an appropriate server-side key, a user cannot decrypt even with her user private key. The formal security model follows.

Definition 3 [Data Privacy against Users & Revocation Support]. A secure cloud storage system (SCSS) satisfies data privacy against users and user revocation support if, for any PPT adversary, the probability that the following game returns 1 is \(1/2 + \nu (\kappa )\), where \(\nu (\cdot )\) is a negligible function.

Init. The adversary declares the access structure \(\mathbb {A}^*\) he wants to be challenged upon.

Setup. The challenger runs the Setup algorithm and returns the public parameters params to the adversary.

Phase 1. The adversary makes repeated queries to the user-side key generation oracle (UsKGen), and the server-side key generation oracle (SsKGen). For the former, the challenger returns the resulting user-side key (both public and private) to the adversary; for the latter, the adversary submits sets of attributes \(S_1, ..., S_{q_1}\) with the restriction that each \(S_i\) does not satisfy \(\mathbb {A}^*\), and the challenger returns the resulting server-side key to the adversary.

Challenge. The adversary submits two equal length messages \(m_0\) and \(m_1\), together with the challenge access structure \(\mathbb {A}^*\). The challenger flips a random coin b, runs the Encrypt algorithm on \(m_b\) and \(\mathbb {A}^*\), and returns the ciphertext \(c^*\) to the adversary.

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess \(b'\) on b. If \(b'=b\), then the challenger returns 1; otherwise returns 0.

We stress that giving the server-side keys to the adversary models authorized users’ ability to get intermediate values from the Server (which uses the server-side keys). Intuitively, user revocation support (in which case the adversary does not have any server-side key) is implied by the fact that the adversary cannot even decrypt the challenge ciphertext without appropriate server-side keys.

B Security Proof for Theorem 1

Proof

We prove that our scheme satisfies Definitions 2 and 3, respectively.

Satisfying Definition 2. The proof is much simpler than in [18], due to the use of semantically secure public-key encryption Enc, and the fact that the adversary does not have the private key. Satisfaction of Definition 2 is actually based on the DBDH (Decisional Bilinear Diffie-Hellman) assumption, which states that it is infeasible to distinguish between \((g\in G_0,g^c,g^d,g^x,e(g,g)^{cdx}\in G_1)\) and \((g,g^c,g^d,g^x,Z\in _R G_1)\). The DBDH assumption is clearly weaker than the decisional q-BDHE assumption.

Suppose we have an adversary \(\mathcal {A}\) with non-negligible advantage \(\textsf {Adv}_{\mathcal {A}}\) in the game of Definition 2 against our scheme. We build a challenger \(\mathcal {C}\) breaking the DBDH assumption. Details follow.

Setup. The challenger takes in the DBDH challenge \((g,g^c,g^d,g^x, Z)\). The challenger implicitly sets \(z = cd\) by setting \(e(g,g)^z = e(g^c,g^d)\), and selects a random number in \(G_0\) as \(g^a\). In addition, the challenger programs the random oracle H by building a table as follows. Consider a call to H(s). If H(s) was already defined in the table, then simply return the same answer as before; otherwise, select a random value \(\tau _s \in Z_p\) and define \(H(s)=g^{\tau _s}\).

Phase 1. The challenger answers server-side key generation queries from the adversary. For a query, the challenger first generates a public/private key pair for Enc by executing UsKGen; then chooses \(z',t\in _R Z_p\) and a random \(K'\) from the range of Enc, and computes \(K = g^{z'}g^{at}, L=g^t, \forall s\in S: K_s = g^{\tau _st}\). We argue that the distribution of the simulated key \((K,K',L,\{ K_s\})\) so generated is computationally indistinguishable from the actual server-side key. First, due to the semantic security of Enc, the randomly chosen \(K'\) is indistinguishable from Enc(\(\alpha \)) in the actual key. Second, conditioned on the random \(K'\) replacing Enc(\(\alpha \)), the \(g^{z\alpha }\) in the actual K is no different from \(g^{z'}\) for a random \(z'\). Our argument thus holds.

Challenge. The challenger builds the challenge ciphertext. The challenger flips a coin b. Then it computes \(C=m_bZ\), and sets \(C'=g^x\). Suppose the challenge access structure is \(\mathbb {A}^* = (M^*,\rho ^*)\), where the share-generating matrix \(M^*\) has \(\ell ^*\) rows. The challenger computes the shares \(\{\lambda _i\}\) as usual according to \(M^*\), and then computes \(\forall i=1,\cdots ,\ell ^*, C_i =g^{a\lambda _i}(g^{x})^{\tau _{\rho ^*(i)}}\).

Phase 2. Same as Phase 1.

Guess. The adversary outputs a guess \(b'\) of b. If \(b=b'\) then the challenger outputs 1 to indicate that \(Z = e(g,g)^{cdx}\); otherwise, it outputs 0 to indicate that Z is a random element in \(G_1\).

When \(Z = e(g,g)^{cdx}\), the above simulation of the challenge ciphertext by the challenger \(\mathcal {C}\) is perfect. Thus we have \(\Pr [\mathcal {C}(g,g^c,g^d,g^x,e(g,g)^{cdx})=1]=\Pr [b'=b]=1/2+\textsf {Adv}_{\mathcal {A}}\). On the other hand, if Z is a random element of \(G_1\), then \(m_b\) in the challenge ciphertext of the above simulation is completely hidden from the adversary. Thus we have \(\Pr [\mathcal {C}(g,g^c,g^d,g^x,Z)=1]=\Pr [b'=b]=1/2\) for \(Z\in _R G_1\). Combined, we get \(|\Pr [\mathcal {C}(g,g^c,g^d,g^x,e(g,g)^{cdx})=1] - \Pr [\mathcal {C}(g,g^c,g^d,g^x,Z)=1]| = \textsf {Adv}_{\mathcal {A}}\). This completes the proof.

Satisfying Definition 3. We prove this by presenting a reduction from Waters’ scheme, which is proved secure under the decisional q-BDHE assumption in [18], to ours. To this end, we first point out that the main difference between our scheme and Waters’ that is relevant to the proof here lies in the format of the server-side key in our scheme and of the private key in Waters’ scheme. In Waters’ scheme, the format of a private key is \((K=g^zg^{at},L=g^t, \{\forall s\in S: K_s = H(s)^t\})\). Bearing this difference in mind, we build an adversary \(\mathcal {B}\) against Waters’ scheme, given an adversary \(\mathcal {A}\) of our scheme. Details follow.

\(\mathcal {B}\) acts as the challenger in the game in Definition 3.

Init. \(\mathcal {A}\) declares a challenge access structure \(\mathbb {A}^*\) to \(\mathcal {B}\), who then declares \(\mathbb {A}^*\) to the challenger of Waters’ scheme.

Setup. \(\mathcal {B}\) takes in the public parameters of Waters’ scheme, and gives them to \(\mathcal {A}\). \(\mathcal {B}\) also determines a standard public-key encryption scheme Enc and gives the description to \(\mathcal {A}\).

Phase 1. \(\mathcal {B}\) answers user-side key generation and server-side key generation queries from \(\mathcal {A}\). To answer a user-side key generation query, \(\mathcal {B}\) simply generates a public/private key pair according to Enc. To answer a server-side key generation query on a set S of attributes and a user public key \(U\!pk\), \(\mathcal {B}\) submits a key generation (KeyGen) query to the challenger of Waters’ scheme with S (if S does not satisfy \(\mathbb {A}^*\)), and as a response \(\mathcal {B}\) is returned a key of the form \((K=g^zg^{at},L=g^t, \{\forall s\in S: K_s = H(s)^t\})\). Then \(\mathcal {B}\) selects \(\alpha \in _R Z_p\), computes \(\textsf {Enc}(U\!pk,\alpha )\), and sets the server-side key as \((K^{\alpha },\textsf {Enc}(U\!pk,\alpha ),L^{\alpha }, \{\forall s\in S: K_s^{\alpha }\})\). It is easy to see that the resulting server-side key is valid with respect to our scheme.

Challenge. \(\mathcal {B}\) builds a challenge ciphertext under \(\mathbb {A}^*\), given \(m_0,m_1\) from \(\mathcal {A}\). To this end, \(\mathcal {B}\) submits \(m_0\) and \(m_1\) to the challenger of Waters’ scheme as a challenge, and gets back a challenge ciphertext \(c^*\). \(\mathcal {B}\) returns \(c^*\) as the challenge ciphertext to \(\mathcal {A}\).

Phase 2. Same as Phase 1.

Guess. \(\mathcal {A}\) outputs a guess \(b'\), which is also used by \(\mathcal {B}\) as the guess to the challenger of Waters’ scheme. It is easily seen that the simulation by \(\mathcal {B}\) is perfect, and the advantage of \(\mathcal {B}\) is at least that of \(\mathcal {A}\). This completes the proof. \(\Box \)
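
The validity claim in Phase 1 of this reduction can be checked by expanding the key that \(\mathcal {B}\) builds. This is an added worked step, not part of the original proof, and the symbol \(t'\) is introduced here. Raising each component of the Waters key to \(\alpha \) gives

\[ K^{\alpha } = (g^{z}g^{at})^{\alpha } = g^{z\alpha }g^{at'}, \qquad L^{\alpha } = (g^{t})^{\alpha } = g^{t'}, \qquad K_s^{\alpha } = (H(s)^{t})^{\alpha } = H(s)^{t'} \ \ \forall s\in S, \qquad \text{where } t' = \alpha t. \]

For \(\alpha \ne 0\), \(t'\) is uniform in \(Z_p\) whenever t is, so \((K^{\alpha },L^{\alpha },\{K_s^{\alpha }\})\) has the shape of a Waters key with exponent \(z\alpha \) in place of z and randomness \(t'\), accompanied by \(\textsf {Enc}(U\!pk,\alpha )\). This agrees with the \(g^{z\alpha }\) term in K and the Enc(\(\alpha \)) component that the proof for Definition 2 attributes to the actual server-side key.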


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Yang, Y., Ding, X., Lu, H., Wan, Z., Zhou, J. (2015). Achieving Revocable Fine-Grained Cryptographic Access Control over Cloud Data. In: Desmedt, Y. (eds) Information Security. Lecture Notes in Computer Science(), vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_21


  • DOI: https://doi.org/10.1007/978-3-319-27659-5_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27658-8

  • Online ISBN: 978-3-319-27659-5

  • eBook Packages: Computer Science (R0)