Abstract
Attribute-based encryption (ABE) is a promising cryptographic primitive that achieves fine-grained access control on encrypted data. However, efficient user revocation is always essential to keep the system dynamic and protect data privacy. Cui et al. (ESORICS 2016) proposed the first server-aided revocable attribute-based encryption (SR-ABE) scheme, in which an untrusted server manages all the long-term transform keys and update keys generated by the key generation center (KGC) in order to achieve efficient user revocation. Hence, no user needs to communicate with the KGC to update his/her decryption key regularly. In addition, most of the computational overhead of decryption is outsourced to the server, and the user keeps only a small private key to decrypt the final ciphertext. Then, Qin et al. (CANS 2017) extended Cui et al.'s work to be decryption key exposure resistant (DKER).
Unfortunately, current SR-ABE schemes can only be proven secure in the one-user setting, which means there is only one "target user" \(id^*\) with an attribute set \(S_{id^*}\) satisfying the access structure \((\mathbb {M}^*, \rho )\) in the challenge ciphertext, i.e., \(S_{id^*}\vDash (\mathbb {M}^*, \rho )\). However, a more reasonable security model, i.e., the multi-user setting, requires that any user id in the system may hold an attribute set \(S_{id}\vDash (\mathbb {M}^*, \rho )\), and the adversary is allowed to query any user's private key \(SK_{id}\) and his/her long-term transform key \(PK_{id,S_{id}}\) as long as his/her identity id is revoked at or before the challenge time \(t^*\). How to construct an SR-ABE scheme secure in the multi-user setting is still an open problem.
In this paper, we propose the first SR-ABE scheme provably secure in the multi-user setting. In addition, our SR-ABE scheme is fully secure and decryption key exposure resistant. Our scheme is built on the dual system encryption methodology and combines, in a novel way, a variant of Lewko et al.'s work in EUROCRYPT 2010 with Lewko et al.'s work in TCC 2010. As a result, we solve the remaining open problem.
References
Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_17
Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Technion – Israel Institute of Technology (1996)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy 2007, pp. 321–334 (2007)
Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: CCS 2008, pp. 417–426 (2008)
Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. IACR Cryptology ePrint Archive 2012, 52 (2012)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Chen, J., Lim, H.W., Ling, S., Wang, H., Nguyen, K.: Revocable identity-based encryption from lattices. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 390–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_29
Cui, H., Deng, R.H., Li, Y., Qin, B.: Server-aided revocable attribute-based encryption. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 570–587. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_29
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: CCS 2006, pp. 89–98 (2006)
Katsumata, S., Matsuda, T., Takayasu, A.: Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance. In: PKC 2019, pp. 441–471 (2019)
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Lewko, A.B., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: IEEE Symposium on Security and Privacy, S&P 2010, pp. 273–285. IEEE Computer Society (2010)
Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: CRYPTO 2001, pp. 41–62 (2001)
González-Nieto, J.M., Manulis, M., Sun, D.: Fully private revocable predicate encryption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 350–363. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_26
Qin, B., Deng, R.H., Li, Y., Liu, S.: Server-aided revocable identity-based encryption. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 286–304. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_15
Qin, B., Zhao, Q., Zheng, D., Cui, H.: Server-aided revocable attribute-based encryption resilient to decryption key exposure. In: Capkun, S., Chow, S.S.M. (eds.) CANS 2017. LNCS, vol. 11261, pp. 504–514. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02641-7_25
Qin, B., Zhao, Q., Zheng, D., Cui, H.: (Dual) server-aided revocable attribute-based encryption with decryption key exposure resistance. Inf. Sci. 490, 74–92 (2019)
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) CCS 2013, pp. 463–474. ACM (2013)
Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_13
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 216–234. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_14
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Acknowledgments
We thank anonymous reviewers for helpful feedback.
Appendices
A Proof of Lemma 2
Proof
\(\mathcal {B}\) is given \((g, X_3, T)\) and simulates \(\mathbf {Game}_{Restricted}\) or \(\mathbf {Game}_{0}\) with \(\mathcal {A}\). It sets the public parameters as follows. It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns the public parameters to \(\mathcal {A}\) as:
and keeps \(MSK=\{\alpha , X_3\}\) secret. In this case, \(\mathcal {B}\) can answer any normal key query (including Create(id,S), Corrupt(id), TKeyUp(t) and DecKG(id,t)) from \(\mathcal {A}\) by running the corresponding key generation algorithm with MSK.
\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). To generate the challenge ciphertext \(CT^*\), \(\mathcal {B}\) implicitly sets \(g^s\) to be the \(G_{p_1}\) part of T (T is the product of \(g^s\) and possibly an element of \(G_{p_2}\)). It randomly chooses \(v_2', \ldots , v_n' \in \mathbb {Z}_N\), \(r_i'\in \mathbb {Z}_N\) for \(i\in [1,l]\), \(\beta \in \{0, 1\}\) and sets \(\vec {v}'=(1,v_2', \ldots , v_n')^{\perp }\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:
We note that this implicitly sets \(\vec {v} = (s, sv_2',\ldots , sv_n')\) and \(r_i=sr_i'\). Modulo \(p_1\), \(\vec {v}\) is a random vector with first coordinate s and \(r_i\) is a random value. Thus, if \(T \in G_{p_1}\), \(CT^*\) is a properly distributed normal ciphertext. Otherwise, \(T \in G_{p_1p_2}\), and we write \(g_{2}^c\) for the \(G_{p_2}\) part of T (i.e. \(T=g^sg_{2}^c\)). We then have a semi-functional ciphertext with \(z_{t^*}=a_0t^*+b_0\), \(u=ca\vec {v}'\), \(\gamma _{i}=-cr_i'\), and \(z_{\rho (i)}=s_{\rho (i)}\). By the Chinese Remainder Theorem, the values \(a_0,a_1,a, v_2', \ldots , v_n', r_i', s_{\rho (i)}\) modulo \(p_2\) are uncorrelated with these values modulo \(p_1\), so \(CT^*\) is a properly distributed semi-functional ciphertext. Therefore, \(\mathcal {B}\) can break Assumption 1 with advantage \(\epsilon \) using the output of \(\mathcal {A}\). \(\square \)
B Proof of Lemma 4
Proof
\(\mathcal {B}\) is given \(( g, X_1X_2, X_3, Y_2Y_3, T)\) and simulates \(\mathbf {Game}_{k,1}\) or \(\mathbf {Game}_{k,2}\) with \(\mathcal {A}\). It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns the public parameters \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).
The first \(k-1\) semi-functional keys of type 2, the normal keys \(> k\), and the challenge ciphertext are all constructed in the same way as in the above lemma. Hence, the ciphertext shares the value ac in the \(G_{p_2}\) subgroup. However, this is not correlated with the \(k^{th}\) key in any way, so the value is random modulo \(p_2\). To answer the \(k^{th}\) key request, \(\mathcal {B}\) chooses a random element \(R_3'\in G_{p_3}\) and sets
- \(SK_{id}=g^{\alpha }T^{a_1id+b_1} \cdot R_3'\);
- For each \( x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \(g_x\) from the node x, choose random elements \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}', \{R_{x,i}'\}_{i\in S} \in G_{p_3}\), and an additional \(h_x \in \mathbb {Z}_N\), and set
$$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha }T^{a t_x}(T^{a_1id+b_1}/g_x)\cdot R_{x,0}' \cdot (Y_2Y_3)^{h_x},\qquad L_x=T^{t_x}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T^{s_i t_x}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$(29)
- For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, choose random elements \(\hat{R}_{x,3},\bar{R}_{x,3} \in G_{p_3}\) and \(s_x' \in \mathbb {Z}_N\), and set
$$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (T^{a_0t+b_0})^{s_x'}\hat{R}_{x,3}, \quad Q_{x,1,t}=T^{s_x'}\bar{R}_{x,3}. \end{aligned} \end{aligned}$$(30)
Note that we add the \((Y_2Y_3)^{h_x}\) term. This randomizes the \(G_{p_2}\) part of \(K_x\), so the key is no longer nominally semi-functional: if the \(k^{th}\) key were used to decrypt the semi-functional ciphertext, decryption would fail.
Thus, if \(T \in G_{p_1p_3}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,2}\). Otherwise, \(T \in G\), and \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,1}\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage \(\epsilon \) in breaking Assumption 2. \(\square \)
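The key components \(K_x\) over \(\mathsf {Path}(\mathsf {BT},\theta )\) and the update components \(Q_{x,\cdot,t}\) over \(\mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\) only combine (the \(g_x\) factors cancel) at a node the two sets share. The following is an added illustration, not code from the paper, of the standard complete-subtree binary-tree structure these sets assume; it uses heap-ordered node numbering and a fixed tree depth as its own assumptions, and checks that a non-revoked user has exactly one shared node while a revoked user has none.

```python
# Added example (not from the paper): Path(BT, theta) and KUNodes(BT, RL, t)
# over a complete binary tree BT. Assumptions (ours, not the paper's):
# nodes are numbered in heap order (root = 1, children of x are 2x, 2x+1),
# leaves are the nodes 2**depth .. 2**(depth+1)-1, each user id is assigned
# a leaf theta(id), and RL is given as the set of leaves revoked at time t.

def path(leaf):
    """Path(BT, theta): every node from the leaf theta up to the root."""
    nodes = set()
    x = leaf
    while x >= 1:
        nodes.add(x)
        x //= 2
    return nodes

def kunodes(depth, revoked_leaves):
    """KUNodes(BT, RL, t): minimal set of subtree roots covering exactly
    the non-revoked leaves. A node is chosen iff it lies on no revoked
    user's path but its parent does (root alone if nothing is revoked)."""
    covered = set()  # nodes lying on the path of some revoked leaf
    for leaf in revoked_leaves:
        covered |= path(leaf)
    if not covered:
        return {1}
    limit = 2 ** (depth + 1)  # first node number beyond the leaf level
    out = set()
    for x in covered:
        for child in (2 * x, 2 * x + 1):
            if child < limit and child not in covered:
                out.add(child)
    return out

def shared_nodes(depth, leaf, revoked_leaves):
    """Nodes x at which the user's K_x and the update Q_{x,.,t} share g_x."""
    return path(leaf) & kunodes(depth, revoked_leaves)

def cover_is_correct(depth, revoked_leaves):
    """Check the revocation invariant for every leaf of the tree:
    non-revoked users get exactly one shared node, revoked users get none."""
    for leaf in range(2 ** depth, 2 ** (depth + 1)):
        n = len(shared_nodes(depth, leaf, revoked_leaves))
        if (n != 0) if leaf in revoked_leaves else (n != 1):
            return False
    return True

if __name__ == "__main__":
    # constructed sample: depth-3 tree (leaves 8..15), users at leaves 9, 13 revoked
    print(kunodes(3, {9, 13}))            # {5, 7, 8, 12}
    print(shared_nodes(3, 8, {9, 13}))    # {8}: user at leaf 8 can still decrypt
    print(shared_nodes(3, 9, {9, 13}))    # set(): revoked user gets no update
```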
C Proof of Lemma 5
Proof
\(\mathcal {B}\) is given \(( g, g^{\alpha }X_2, X_3, g^sY_2,Z_2, T)\) and simulates \(\mathbf {Game}_{q,2}\) or \(\mathbf {Game}_{Final}\) with \(\mathcal {A}\). It randomly picks \(a, a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g^{\alpha }X_2)=e(g,g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).
To make semi-functional keys of type 2, \(\mathcal {B}\) randomly chooses \(f, r, z_{id},d', z_{t} \in \mathbb {Z}_N\), \(R_3'\in G_{p_3}\) and sets
- \(SK_{id}=g^{\alpha }(u^{id}h)^r \cdot R_3' \cdot Z_2^{fz_{id}}\);
- For each \(x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \( g_x\) from the node x, randomly choose \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}', \{R_{x,i}'\}_{i\in S} \in G_{p_3}\), and set
$$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha +at_xr }((u^{id}h)^r/g_x)\cdot R_{x,0}'\cdot Z_2^{d't_x+fz_{id}},\quad L_x=g^{t_xr}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T_i^{t_x r}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$(31)
- For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, randomly choose \(s_x,\gamma _x' \in \mathbb {Z}_N\) and \(\hat{R}_{x,3}',\bar{R}_{x,3}' \in G_{p_3}\), and set
$$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (u_0^th_0)^{s_x}\hat{R}_{x,3}' \cdot Z_2^{\gamma _x' z_{t}}, \quad Q_{x,1,t}=g^{s_x}\bar{R}_{x,3}'\cdot Z_2^{\gamma _x' }. \end{aligned} \end{aligned}$$(32)
\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). \(\mathcal {B}\) chooses \(u_2, \ldots , u_n, r_i' \in \mathbb {Z}_N\), a random bit \(\beta \in \{0, 1\}\) and sets \(\vec {u}'=(a,u_2, \ldots , u_n)\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:
We set \(Y_2=g_2^c\), \(\vec {v} = sa^{-1}\vec {u}'\) and \(\vec {u}=c\vec {u}'\) (i.e., \(u_1=ac\)), so s is shared in the \(G_{p_1}\) subgroup and ca is shared in the \(G_{p_2}\) subgroup. This implicitly sets \(u_1=ca\), \(r_i=sr_i'\) and \(\gamma _i=-cr_i'\).
Thus, if \(T =e(g,g)^{\alpha s}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{q,2}\) and \(CT^*\) is a semi-functional ciphertext encrypting \(M_{\beta }\). Otherwise, T is a random element of \(G_T\), \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{Final}\), and \(CT^*\) is a semi-functional ciphertext encrypting a random message in \(G_T\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage \(\epsilon \) in breaking Assumption 3. \(\square \)
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Cheng, L., Meng, F. (2021). Server-Aided Revocable Attribute-Based Encryption Revised: Multi-User Setting and Fully Secure. In: Bertino, E., Shulman, H., Waidner, M. (eds.) Computer Security – ESORICS 2021. Lecture Notes in Computer Science, vol. 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_10
DOI: https://doi.org/10.1007/978-3-030-88428-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88427-7
Online ISBN: 978-3-030-88428-4