A Revocable Outsourced Data Accessing Control Scheme with Black-Box Traceability

Abstract

Ciphertext-policy attribute-based encryption (CP-ABE) is a promising solution to the fine-grained access control problem of encrypted data. Several CP-ABE-based cryptographic cloud storage systems have been proposed in recent years. However, existing CP-ABE schemes still have several limitations that make them not effective to be used in a practical application. Firstly, decryption privileges may be changed when the user revocation happens to prevent the leakage of encrypted data. Secondly, malicious users may delegate decryption keys to unauthorized users for profit. Thirdly, the complex operation of encryption and decryption may bring a huge computational cost and is usually considered to be a heavy burden for system users. Therefore, this paper proposes a new CP-ABE scheme ROBBT-CPABE, which can provide attribute revocation, black-box tracking, outsourcing encryption, and outsourcing decryption. By using the information distribution algorithm and the secure modular exponentiation outsourcing algorithm, the scheme can achieve attribute revocation and outsource some expensive encryption and decryption operations to the cloud server. Based on the construction of indistinguishable traceable ciphertext, the proposed scheme can support black-box tracking. Then the ROBBT-CPABE scheme is formally proved to be selective replay chosen ciphertext attack (RCCA) secure and black-box traceable secure. Performance analysis demonstrates the efficiency and practicality of ROBBT-CPABE.

A Black-Box Security Proof for ROBBT-CPABE

Definition 4

The generic bilinear group model [2]: We consider two random encodings \(\psi _0, \psi _1\) of a group \(Z_p^*\), that is injective maps \(\psi _0, \psi _1: Z_p^*\rightarrow {\{0,1}\}^m\) where \(m>3\log (p)\). Set \(G = {\psi _1}\left( x \right) ,x \in Z_p^ * ,{G_T} = {\psi _2}\left( x \right) ,x \in Z_p^ * \) and an oracle to compute a non-degenerate bilinear map \(e:G\times G\rightarrow G_T\). We refer to \(G_T\) as a generic bilinear group.

Theorem 3

ROBBT-CPABE is black-box traceable secure in the generic bilinear group model if the adversary \(\mathcal {A}\) queries at most q times in following games and wins the game with an advantage of \(\varepsilon =O(q^2/p)\).

Proof

\(\mathcal {A}\) can win the game with a negligible advantage when the order p of group is large enough. When \(\psi _0, \psi _1, G, G_T\) are generic bilinear groups, elements in G, \(G_T\) can be mapped to a random string by function \(\psi _0\), \(\psi _1\) where \(g = {\psi _1}(1),{g^x} = {\psi _1}(x),e{\left( {g,g} \right) ^y} = {\psi _2}\left( y \right) .\)

• Setup. Challenger \(\mathcal {C}\) randomly chooses \(\alpha ,a\in Z_p^*\). The public parameters are published as \(PK = \left( {g,e{{\left( {g,g} \right) }^\alpha },{g^a},{H_1},{H_2}} \right) \). \({g^\alpha }\) is kept as the master secret key MSK.

• Phase 1. Adversary \(\mathcal {A}\) is allowed to make \(q^\prime \) private key queries on adaptively chosen user attribute set \(S_1,\ldots ,S_{q^\prime }. \mathcal {C}\) runs KeyGen algorithm to generate corresponding key SK for \(\mathcal {A}\). And \(SK = {(z,K = {g^{\alpha I/z}}{g^{at}},L = {g^t},{K_x} = {H_2}{\left( {att\left( x \right) } \right) ^{{H_1}\left( {att\left( x \right) } \right) t}})_{x \in S}})\).

• Challenge. \(\mathcal {A}\) chooses a challenge access structure \(\mathbb {A}^*\) and sends to \(\mathcal {C}\). \(\mathcal {C}\) randomly chooses a massage \(m\in G_T, s\in Z_p^*\) and \(\mu \in {\{0,1}\}\). When \(\mu =0\), \(s^\prime =s\), else, random chooses \(s^\prime \in Z_p^*\). \(\mathcal {C}\) runs Encrypt algorithm, randomly chooses vector \(v=(s^\prime ,y_2,\ldots ,y_n)\in Z_p^{n+1}\) where \(s^\prime \) is the secret. Get \(\lambda =(\lambda _1,\lambda _2,\ldots ,\lambda _l)\in Z_p^{l\times 1}\) through \(\lambda _i=A_iv\). \(\mathcal {C}\) sends CT to \(\mathcal {A}\). And \(CT = (C = r \cdot e{\left( {g,g} \right) ^{\alpha s}},C' = {g^s},C'' = m \oplus R,{C_i} = {g^{a{\lambda _i}}}{H_2}{\left( {att\left( i \right) } \right) ^{ - {r_i}{H_1}\left( {att\left( i \right) } \right) }},{D_i} = {g^{{r_i}}}_{i \in S})\)

• Phase 2. The same thing as Phase 1. \(\mathcal {A}\) continues to access the key SK corresponding to the attribute set S, where the attribute set S has at least one query that satisfies the access strategy \(\mathbb {A}^*\).

• Guess. Only if the adversary \(\mathcal {A}\) can judge \(s^\prime =s\), we assume he/she wins the game. When the results of the two queries are consistent, the adversary can distinguish whether \(s^\prime =s\) holds or not, else, we say it is no ’unexpected collisions’. The probabilities of two types of unexpected collisions are discussed below.

In the first case, variables such as \(\alpha ,s\alpha ,at\) are unknown parameters for \(\mathcal {A}\). \(\mathcal {A}\)’s query process can be abstracted into a rational function \(\mathcal {F}(var)\) where var is the known parameters of \(\mathcal {A}\). An unexpected collision would occur when two queries correspond to two distinct formal rational functions. An unexpected collision would be when two queries corresponding to two distinct formal rational functions \(\mathcal {F}_1=\mathcal {F}_2\), but where due to the random choices of these variables’ values, we have that the values of \({\mathcal {F}_1|}_{s^\prime =s}\) and \({\mathcal {F}_2|}_{s^\prime =s}\) coincide. Since the unknown parameters are all exponentials, the known parameters can only be linearly transformed to construct a function of the form \(\mathcal {F}=\gamma s+\theta \), where \(\theta ,\gamma \) are constant and \(\gamma \ne 0\). It follows that \(\mathcal {F}_1-\mathcal {F}_2\) means that \(\mathcal {A}\) conducts a pair of \(\gamma s=\mathcal {F}_1-\mathcal {F}_2+\gamma s^\prime \) and \(\gamma s^\prime =\mathcal {F}_2-\mathcal {F}_1+\gamma s\) query. The following will prove that it is impossible for \(\mathcal {A}\) to create such a pair of queries in the game.

• Let a non-empty set \(\Gamma ={\{x:S_x\ }\}\), where \(S_x\) satisfies the access structure \(\mathbb {A}^*\). The adversary \(\mathcal {A}\) decrypts ciphertext with \([S{K_{{S_x}}} = \mathop \prod \limits _{i\in I,i \ne j} {(e({C_i},L)e({D_i},{K_{\rho \left( i \right) }}))^{{\omega _i}}} = e{(g,g)^{s'at}}]\), where \(\ s^\prime =\lambda _x\omega _x\). So, if \(\mathcal {A}\) want to get \(\gamma s=\gamma s^\prime \), he/she needs to make index \(\sum _{x\in \Gamma ^\prime }{(\xi _xat)}s=s^\prime at\), where \(\Gamma ^\prime \in \Gamma \). Since it is impossible for \(\mathcal {A}\) to eliminate index at, it is not possible to create a collision for \(\gamma s^\prime =\gamma s\).

In the second case, due to the nature of the system causing unexpected collisions, the outputs of the two queries of challenger \(\mathcal {C}\) are consistent. By the Schwartz-Zippel lemma [20, 21], the probability of this event is O(1/p). By a union bound, the probability that any such collision happens is at most \(O(q^2/p)\). Therefore, we can assume that such a collision does not occur and maintain \(1\ -\ O(q^2/p)\) of the probability mass. Thus, the probability of \(\mathcal {A}\) winning this game is negligible, when p is large enough.